A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20310  by Sargerras
 Wed Jul 31, 2013 12:39 pm
For the registry you can use the NT Registry Editor tool to remove the native registry entry from Run. At the moment I have found ransomware that is bundled with this rootkit and blocks access to change the shell back.
 #20316  by B-boy/StyLe/
 Wed Jul 31, 2013 5:35 pm
thisisu wrote: Easiest way so far that I've found to disable and delete the service is by using XueTr -- http://www.xuetr.com/download/XueTr.zip
Detects the service as hidden and this should be differentiated from Google's legitimate service name which isn't hidden + different File Corporation (Company Name).
Downside is that this program only works on x86 systems.
XueTr is now called PC Hunter and has versions for both x86 and x64.
 #20317  by thisisu
 Wed Jul 31, 2013 6:17 pm
EP_X0FF wrote: For (A) - go to PROGRAMFILES\Google\Desktop\Install, take ownership (replacing ALL access list) and erase directory.
Yes.

Just providing an example:
swxcacls "c:\program files\Google\Desktop\Install" /reset
swxcacls can be downloaded from here: http://fstaal01.home.xs4all.nl/swxcacls-us.html

But any brute force removal tool (Avenger, Blitzblank, ComboFix, etc..) should do the job.
 #20324  by EP_X0FF
 Thu Aug 01, 2013 11:30 am
kmd wrote: Would be nice if you could give more info about the registry trick.
WCHAR *ServicesPath = L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\";
// "Parameters" followed by an embedded NUL and three junk characters. The counted
// UNICODE_STRING below (Length = 14 WCHARs) covers all of it, so the native API sees
// the whole name while NUL-terminated Win32 callers (regedit, RegOpenKeyEx) stop at "Parameters".
WCHAR wParameters[] = {'P', 'a', 'r', 'a', 'm', 'e', 't', 'e', 'r', 's', 0, '.', 'd', '\''};
// UTF-16LE: U+202E (RIGHT-TO-LEFT OVERRIDE) followed by "etadpug", which a viewer displays
// as "gupdate" (the legitimate Google Update service name); NUL-terminated so _strcatW stops.
BYTE KeyName[] = {0x2E, 0x20, 0x65, 0x00, 0x74, 0x00, 0x61, 0x00, 0x64, 0x00, 0x70, 0x00, 0x75, 0x00, 0x67, 0x00, 0x00, 0x00}; //<-[0][1] Unicode RLO (U+202E)
BYTE Key[MAX_PATH];
// Creates Services\<RLO>etadpug and, beneath it, the "Parameters\0.d'" subkey
// whose counted name carries an embedded NUL.
VOID SfSetStartupEntry(
	LPWSTR lpFileName
	)
{
	UNICODE_STRING usTmp, usParams;
	OBJECT_ATTRIBUTES obja;
	NTSTATUS Status;
	HANDLE hKey, hSubKey;
	ULONG bytesIO = 0;

	UNREFERENCED_PARAMETER(lpFileName);

	// Full native path: "\Registry\Machine\...\Services\" + key name (RLO prefix included).
	_strcpyW((PWSTR)&Key[0], ServicesPath);
	_strcatW((PWSTR)&Key, (PWSTR)&KeyName);
	RtlInitUnicodeString(&usTmp, (PCWSTR)&Key);
	InitializeObjectAttributes(&obja, &usTmp, OBJ_CASE_INSENSITIVE, NULL, NULL); 

	Status = NtCreateKey(&hKey, KEY_ALL_ACCESS, &obja, 0, 0, 0, &bytesIO);
	if (NT_SUCCESS(Status)) {

		// Counted string: Length spans all 14 WCHARs, embedded NUL included,
		// so NtCreateKey uses the whole buffer as the subkey name.
		usParams.Buffer = wParameters;
		usParams.Length = 14 * sizeof(WCHAR);
		usParams.MaximumLength = usParams.Length + sizeof(WCHAR);
		obja.RootDirectory = hKey;
		obja.ObjectName = &usParams;

		Status = NtCreateKey(&hSubKey, KEY_WRITE, &obja, 0, NULL, 0, NULL);
		if (NT_SUCCESS(Status)) {
			// The same embedded-NUL name is reused as a value name; the data is just
			// the low 4 bytes of the handle value, i.e. a dummy REG_DWORD.
			NtSetValueKey(hSubKey, &usParams, 0, REG_DWORD, &hKey, sizeof(DWORD));
			NtClose(hSubKey);
		}

		/*
		
		put service values here
	
		
		*/


		NtClose(hKey);
	}
}
Use this to remove it:
// Opens the same key through the native API (the only way to address the
// embedded-NUL name), deletes the hidden subkey first, then the service key.
VOID SfRemoveStartEntry(
	LPWSTR lpFileName
	)
{
	UNICODE_STRING usTmp, usParams;
	OBJECT_ATTRIBUTES obja;
	NTSTATUS Status;
	HANDLE hKey, hSubKey;
	ULONG bytesIO = 0;

	UNREFERENCED_PARAMETER(lpFileName);

	_strcpyW((PWSTR)&Key[0], ServicesPath);
	_strcatW((PWSTR)&Key, (PWSTR)&KeyName);
	RtlInitUnicodeString(&usTmp, (PCWSTR)&Key);
	InitializeObjectAttributes(&obja, &usTmp, OBJ_CASE_INSENSITIVE, NULL, NULL); 

	Status = NtOpenKey(&hKey, KEY_ALL_ACCESS, &obja);
	if (NT_SUCCESS(Status)) {
		// Identical counted name to the one used at creation time.
		usParams.Buffer = wParameters;
		usParams.Length = 14 * sizeof(WCHAR);
		usParams.MaximumLength = usParams.Length + sizeof(WCHAR);
		obja.RootDirectory = hKey;
		obja.ObjectName = &usParams;
		Status = NtOpenKey(&hSubKey, KEY_ALL_ACCESS, &obja);
		if (NT_SUCCESS(Status)) {	
			// A key with subkeys cannot be deleted, so the child goes first.
			NtDeleteKey(hSubKey);
			NtClose(hSubKey);
		}
		NtDeleteKey(hKey);
		NtClose(hKey);
	}
}
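An added example, not from the post above and not EP_X0FF's code: a portable C model of the two naming tricks in SfSetStartupEntry, together with the check a scanner would run over service key names. It works on raw UTF-16 code units (uint16_t) so it builds anywhere; on Windows the same bytes are what goes into the UNICODE_STRING. The rendering helper is a deliberate simplification (it only reverses the run that follows a leading RLO, which is the exact shape the sample uses, not the full Unicode bidi algorithm), and the function names are mine.

```c
/*
 * Portable model of the hidden-service-key naming trick (added example).
 *
 * Two things keep the key away from Win32-based tools:
 *  1. The key name starts with U+202E (RIGHT-TO-LEFT OVERRIDE), so the stored
 *     code points "etadpug" are *displayed* as "gupdate" (the legitimate
 *     Google Update service name) while the stored name is different.
 *  2. The "Parameters" subkey name carries an embedded NUL inside a counted
 *     UNICODE_STRING. NtCreateKey honours the Length field, but a
 *     NUL-terminated Win32 path (RegOpenKeyExW, regedit) stops at the NUL.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* The same bytes the post uses, as UTF-16 code units. */
static const uint16_t kKeyName[] = {
    0x202E, 'e', 't', 'a', 'd', 'p', 'u', 'g', 0
};
/* "Parameters\0.d'" : 14 code units with a NUL inside the counted name. */
static const uint16_t kParameters[] = {
    'P','a','r','a','m','e','t','e','r','s', 0, '.', 'd', '\''
};
#define PARAMETERS_LEN (sizeof(kParameters) / sizeof(kParameters[0]))

/* Length as a NUL-terminated API (wcslen, RegOpenKeyExW) would see it. */
size_t nul_terminated_len(const uint16_t *s)
{
    size_t n = 0;
    while (s[n] != 0) n++;
    return n;
}

/* True if a counted name contains a NUL before its declared end. */
int has_embedded_nul(const uint16_t *s, size_t len)
{
    return nul_terminated_len(s) < len;
}

/* True if the name contains a Unicode bidi override/embedding/isolate
 * control (U+202A..U+202E, U+2066..U+2069). Real service names never do. */
int has_bidi_control(const uint16_t *s, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if ((s[i] >= 0x202A && s[i] <= 0x202E) ||
            (s[i] >= 0x2066 && s[i] <= 0x2069))
            return 1;
    }
    return 0;
}

/* Simplified rendering: a name that starts with RLO followed by ASCII is
 * shown with that run reversed. Writes an ASCII string, returns its length. */
size_t displayed_ascii(const uint16_t *s, size_t len, char *out, size_t outsz)
{
    size_t n = 0;
    if (len > 0 && s[0] == 0x202E) {
        for (size_t i = len; i > 1 && n + 1 < outsz; i--)
            out[n++] = (char)s[i - 1];
    } else {
        for (size_t i = 0; i < len && n + 1 < outsz; i++)
            out[n++] = (char)s[i];
    }
    out[n] = '\0';
    return n;
}

/* Scanner verdict for one service key name, as bit flags. */
enum { SUSP_BIDI = 1, SUSP_NUL = 2 };

int classify_key_name(const uint16_t *s, size_t len)
{
    int flags = 0;
    if (has_bidi_control(s, len)) flags |= SUSP_BIDI;
    if (has_embedded_nul(s, len))  flags |= SUSP_NUL;
    return flags;
}

int main(void)
{
    char shown[32];
    size_t key_len = nul_terminated_len(kKeyName);   /* RLO + 7 letters */

    displayed_ascii(kKeyName, key_len, shown, sizeof shown);
    printf("stored key name: %zu code units, displayed as \"%s\", flags %d\n",
           key_len, shown, classify_key_name(kKeyName, key_len));
    printf("Parameters subkey: counted %zu, NUL-terminated %zu, flags %d\n",
           PARAMETERS_LEN, nul_terminated_len(kParameters),
           classify_key_name(kParameters, PARAMETERS_LEN));
    return 0;
}
```

The practical point for cleanup: anything that walks HKLM\SYSTEM\CurrentControlSet\Services with counted native calls (NtEnumerateKey/NtOpenKey, or a tool built on them such as the ones named earlier in the thread) can both see and delete these keys, whereas a tool that converts the enumerated name to a NUL-terminated string before reopening it will silently operate on "Parameters" and miss the real subkey.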
 #20358  by unixfreaxjp
 Sat Aug 03, 2013 9:53 am
EP_X0FF wrote: Payload equal to http://www.kernelmode.info/forum/viewto ... 271#p20271
Notice the number of idiots marking fp32.exe (flash player installer abused by Sirefef) as malware https://www.virustotal.com/en/file/672e ... /analysis/
We need them, friend. They're willing to help, they did the best they can to help, and this is the quality that actually exists.
It reflects how poor the level of malware awareness is among actual IT people...
Let's educate and guide them to make good verdicts in the future, like you assist us with your great knowledge in here.
Only us and the antivirus industry is not enough in resources to battle these Sirefef and other malware morons; it is time to share more.

#MalwareMustDie!