Tuesday, January 12, 2010

Spyware Alert! Cannot Change Desktop Background



Symptoms:
Unable to change the desktop background due to a malware infection.
Continuous notifications about a malware infection that prompt the user to buy security software.

Issue:
Fake Antivirus infection

Resolution:

1. Generate an autorunsc log.

a. Download the Autorunsc tool. Save it to your Desktop.
b. Extract Autorunsc.zip.
c. Open the extracted folder named autorunsc.
d. Double-click "clickme.bat" to start log collection.
An Autorunsc.csv file will be created in the folder.

2. Check for suspicious entries in the autorunsc log (e.g. seemingly legitimate file names in unusual locations, or files with an unknown publisher):

c:\windows\system32\sbwltbxa.exe
autoload c:\documents and settings\localservice\local settings\application data\cftmon.exe
ntuser c:\windows\system32\drivers\spools.exe

3. Delete malicious files.

a. Restart in Safe Mode.

b. Remove the permissions on the malicious files.
i. Right click the malicious file.
ii. Click on Properties > Security tab > Advanced tab.
iii. Uncheck "Inherit from parent the permission entries that apply to child object..."
iv. Click Remove on the pop-up window.
v. Click OK > Yes > OK.

c. Delete the files using the Unlocker tool.
i. Download and install Unlocker in Normal mode.
ii. Right-click the malicious file and select Unlocker from the menu. If the file is locked by other programs, Unlocker will show you which ones.
iii. Select the delete option from the drop-down menu.
iv. Click the "Unlock All" button.
Note: You will receive a message that the file was successfully deleted. If Unlocker still has problems deleting the file, it will ask whether you want to delete the file on reboot.
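As an added example (not part of the original post and not code from the Autoruns tool), the following Python script applies the step 2 checks to an autorunsc CSV: it flags entries with no publisher, entries that run from a user-writable profile directory, and file names that are near-misses of legitimate system binaries (cftmon.exe vs ctfmon.exe, spools.exe vs spoolsv.exe). The column layout, the reference table of known binaries, the registry entry locations and the sample log lines are assumptions constructed to mirror the entries quoted above.

```python
import csv
import io
import ntpath

# Constructed sample in a simplified autorunsc -c column layout (assumed for this example;
# real logs carry more columns). Row 1 is benign; the other three mirror the post's entries.
SAMPLE_LOG = r"""Entry Location,Entry,Enabled,Description,Publisher,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe,enabled,CTF Loader,Microsoft Corporation,c:\windows\system32\ctfmon.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,sbwltbxa,enabled,,,c:\windows\system32\sbwltbxa.exe
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows,autoload,enabled,,,c:\documents and settings\localservice\local settings\application data\cftmon.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon,ntuser,enabled,,,c:\windows\system32\drivers\spools.exe
"""

# Reference table (assumed for this example): legitimate names and their usual directory.
KNOWN_BINARIES = {"ctfmon.exe": r"c:\windows\system32", "spoolsv.exe": r"c:\windows\system32"}
# Profile locations a startup entry on XP-era Windows rarely has a good reason to use.
USER_WRITABLE_HINTS = (r"\local settings\application data", r"\local settings\temp")


def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 between file names suggests a lookalike (cftmon vs ctfmon)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_reasons(row):
    """Reasons one autorunsc row looks suspicious; an empty list means nothing was found."""
    reasons = []
    directory, name = ntpath.split(row["Image Path"].strip().lower())
    if not row["Publisher"].strip():
        reasons.append("no publisher")
    if any(hint in directory for hint in USER_WRITABLE_HINTS):
        reasons.append("runs from a user-writable profile directory")
    for known, usual_dir in KNOWN_BINARIES.items():
        distance = edit_distance(name, known)
        if distance == 0 and directory != usual_dir:
            reasons.append(f"{known} outside its usual directory {usual_dir}")
        elif 0 < distance <= 2:
            reasons.append(f"name resembles {known}")
    return reasons


def triage(csv_text):
    """Map each flagged image path (lower-cased) to its list of reasons."""
    rows = csv.DictReader(io.StringIO(csv_text))
    found = ((r["Image Path"].strip().lower(), suspicious_reasons(r)) for r in rows)
    return {path: reasons for path, reasons in found if reasons}
```

Run `triage(open("Autorunsc.csv").read())` against a real log after adjusting the column names; the flagged paths are candidates for manual review, not an automatic deletion list.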
