New Malware Locks You Out of Safe Mode w/ Explorer

by ¤ᴙшдЯ¤
¤ᴙшдЯ¤
Forum Council
Posts: 1396
Joined: May 2013

Postby ¤ᴙшдЯ¤ » July 18th, 2013, 6:36 am


Typical rogues are annoying, but relatively easy to take care of. Previously, all you had to do was boot into safe mode with networking and remove the files and registry entries (or install Webroot). Support forums everywhere use safe mode with networking as the “go to” mode for virus removal, as non-core components are not loaded at startup and it’s easier to isolate problems. In the vast majority of the rogues we see, they are not loaded in the few modules which start up in safe mode. Antivirus System does, however, and it also applies some new and improved social engineering tactics to fool you into thinking it’s a real program trying to help you.


Most experienced users would immediately go into safe mode with networking after seeing this. This won’t work, as the rogue is attached to the explorer shell, which is a module loaded in safe mode, and it will lock you down after you launch any executable (regedit, task manager, standalone virus removal tools, etc.). This is probably the point where most people have run out of options and consider taking their PC to a third-party technician, where you’ll likely pay double the ransom cost of the rogue. There is no need to do this, as there are plenty more tricks to get around these rogues.


Removal Information:

1. Boot into Safe Mode with Command Prompt (doesn’t launch the explorer shell).
2. The first screen that comes up is cmd.exe; type "control nusrmgr.cpl" to launch the user account screen.
3. On the user account screen, click "Manage another account".
4. On the Manage Account screen, click "Create new account".
5. Call this account whatever you want and then create it (just make sure it has administrator privileges).
6. Reboot the computer and log into that new account (safe mode or normal mode).
7. This new account won’t have the policies the virus created, and you should be able to use it freely. You can install Webroot to scan and remove the virus, or you can just delete the associated files and registry entries:

DELETE:
C:\Users\All Users\pavsdata
C:\Users\All Users\pavsdata\21.4.exe
C:\Users\All Users\pavsdata\app.ico
C:\Users\All Users\pavsdata\cache.bin
C:\Users\All Users\pavsdata\support.ico
C:\Users\All Users\pavsdata\uninst.ico
C:\Users\All Users\pavsdata\vl.bin
C:\ProgramData\pavsdata
C:\ProgramData\pavsdata\21.4.exe
C:\ProgramData\pavsdata\app.ico
C:\ProgramData\pavsdata\cache.bin
C:\ProgramData\pavsdata\support.ico
C:\ProgramData\pavsdata\uninst.ico
C:\ProgramData\pavsdata\vl.bin
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "avsdsvc" = "%CommonAppData%\pavsdata\21.4.exe /min"

MODIFY:
[HKEY_CLASSES_ROOT\.exe\shell\open\command]
Default = "C:\ProgramData\pavsdata\21.4.exe" /ex "%1" %*
to
[HKEY_CLASSES_ROOT\.exe\shell\open\command]
Default = "%1" %*


Watch out. ...
Puts itself inside of explorer.
/fear
Note to self: Learn DOS command line.

via Webroot Blog

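The removal steps above are typed by hand into the Safe Mode with Command Prompt window. Below is an added example that is not part of the post or of the Webroot write-up: a PowerShell cleanup script built only from the indicators the post lists (the pavsdata directory, the avsdsvc Run value and the hijacked .exe open command). It goes one step beyond the post in that it checks every loaded user hive under HKEY_USERS rather than just HKCU, because once you are logged into the fresh administrator account, HKCU (and the per-user half of HKCR) is the new account's view, not the infected user's. The script name, the -WhatIf dry run and the per-hive sweep are my own; the registry paths and values are the post's.

```powershell
<#
  Added example, not code from the post or from Webroot: cleanup of the
  "Antivirus System" rogue using the indicators listed in the post.
  Run from an elevated PowerShell started in the Safe Mode with Command
  Prompt window, or from the fresh administrator account.
  Usage:  powershell -ExecutionPolicy Bypass -File .\Remove-PavsdataRogue.ps1 -WhatIf
  (drop -WhatIf to actually make the changes; the file name is an assumption)
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param()

$ErrorActionPreference = 'Stop'

# Indicators quoted from the post. C:\Users\All Users is a junction to
# C:\ProgramData, so deleting one directory covers both listings.
$rogueDir     = Join-Path $env:ProgramData 'pavsdata'
$runValueName = 'avsdsvc'
$cleanHandler = '"%1" %*'

# Restore the default value of an .exe open-command key if the rogue replaced it.
function Repair-ExeHandler {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return }      # absent on a clean box: Windows uses HKCR\exefile
    $current = (Get-Item -LiteralPath $Key).GetValue('')    # '' = the (Default) value
    if ($current -eq $cleanHandler) { return }
    if ($PSCmdlet.ShouldProcess($Key, "Restore .exe open command (was: $current)")) {
        Set-ItemProperty -LiteralPath $Key -Name '(default)' -Value $cleanHandler
    }
}

# Remove the autostart value, but only if it really points into the rogue's directory.
function Remove-RogueRunValue {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { return }
    $value = (Get-Item -LiteralPath $Key).GetValue($runValueName)
    if (-not $value -or $value -notlike '*\pavsdata\*') { return }
    if ($PSCmdlet.ShouldProcess($Key, "Remove $runValueName = $value")) {
        Remove-ItemProperty -LiteralPath $Key -Name $runValueName
    }
}

# 1. Stop the dropper first; a running image cannot be deleted.
foreach ($proc in Get-Process | Where-Object { $_.Path -and $_.Path -like "$rogueDir\*" }) {
    if ($PSCmdlet.ShouldProcess("$($proc.Path) (PID $($proc.Id))", 'Stop-Process')) {
        Stop-Process -Id $proc.Id -Force
    }
}

# 2. The machine-wide view of the hijacked handler (the key the post names).
#    Every program started through the shell runs this command, which is how the
#    rogue relaunches itself whenever you open regedit, Task Manager, etc.
Repair-ExeHandler 'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command'

# 3. Every loaded user hive. The post's Run value sits in the infected user's HKCU,
#    which from the new account is HKEY_USERS\<SID>; a logged-off profile must be
#    loaded first:  reg load HKU\Infected C:\Users\<name>\NTUSER.DAT
#    HKCR also merges HKCU\Software\Classes, so the handler can hide there too.
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS') {
    $base = "Registry::HKEY_USERS\$($hive.PSChildName)\Software"
    Remove-RogueRunValue "$base\Microsoft\Windows\CurrentVersion\Run"
    Repair-ExeHandler    "$base\Classes\.exe\shell\open\command"
}

# 4. Finally the dropped files.
if (Test-Path -LiteralPath $rogueDir) {
    if ($PSCmdlet.ShouldProcess($rogueDir, 'Remove directory')) {
        Remove-Item -LiteralPath $rogueDir -Recurse -Force
    }
}
```

Run it once with -WhatIf and read the "What if:" lines before running it for real: if the .exe handler it reports does not point at pavsdata, you are looking at a different infection and the post's indicators do not apply. Setting the handler back to "%1" %* follows the post; on a clean install HKCR\.exe has no shell subkey at all and the real open command lives in HKCR\exefile\shell\open\command, so deleting the rogue's shell subkey under .exe is an equally valid way to restore the original lookup.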

Monoxi
Forum Council
Joined: May 2013

Re: New Malware Locks You Out of Safe Mode w/ Explorer

Postby Monoxi » July 18th, 2013, 7:24 am

Oh Wow......o-o

tgfcoder
Owner and Creator of Tgforums
Premium Donator
Posts: 4378
Joined: Jan 2013

Re: New Malware Locks You Out of Safe Mode w/ Explorer

Postby tgfcoder » July 19th, 2013, 1:52 am

I've seen some pretty nasty malware. Wouldn't be the first time I've seen a virus hook into when executable files are opened.