For the last several months, fake virus/spyware scanner type infections seem to be getting more and more commonplace, so I decided to tweak the last CleanupXP+ script to handle these ransom/extortion-ware type infectors.

From recent research I have done, there are mainly two types of ransomware I have encountered:

1) Type A: A single aggressive executable that, when active, intercepts all system calls to open any of the executable file types it monitors (.exe, .com, .bat, etc.), immediately shuts the program down, runs itself instead, and pretends the file/program that was being launched was infected. This infection does create and modify some registry keys, but the infection is typically limited to the standalone executable itself. The executable is active from the moment the system loads. In normal mode, the only way to take control is to forcefully terminate the executable, but since the user cannot run any programs, Windows-based or 3rd party, it becomes a catch-22. To clean, boot the system in Safe Mode and delete the executable, typically located in the "%userprofile%\Local Settings\Application Data" directory. On Windows XP and up, you can copy/paste the quoted path into the Start > Run box.

2) Type B: Once active, the ransomware simply changes the file associations for most file types, and then the executable itself is no longer running in the background. You will not actually notice this executable unless you try to open one of the file types it has associated itself with. Even for an experienced user or IT pro, taking control and accessing the registry or running an executable to fix this would be quite challenging, to say the least. For a novice home user, I can only imagine the frustration.
This one only makes changes to the Windows registry. It has no startup entry points, since it waits for an associated file type to be launched.


Both types also leave residue in the Temp locations, which needs to be emptied out. While they are active, cleaning up the system is pretty much impossible.

Anyhow, I wrote a batch script that seems to have had success with both types with no derogatory effects. I tested it both under a standard user profile and the Admin profile on a virtual machine, and it worked. I have to fine tune it a bit more and also make it Win 7 compatible. Of course, it is impossible to predict how it would do with every system, but I believe it would be worth a shot.
For Type A, the script looks in the common location for .exe files where normally there should be none. It lists the executables it finds. The user is prompted to enter the full file name (e.g. khq.exe); the included process killer "kills" the executable and then deletes it, along with all common temp file locations and the internet cache. At this point the user has full control of the system. Further scans and cleaning might be useful.
For Type B, the script cleans up all common temp file locations, which should take care of the malicious executable, but it also prompts for registry patching to correct the file associations. Afterwards, the user has full system control, but further scans to clean and correct leftovers might be necessary.
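To show what the two cleanup passes described above look like in practice, here is an added example batch script. It is not the CleanupXP+ script itself; it assumes Windows XP paths, the built-in taskkill and reg tools (XP Professional or later), and restores only the .exe association.

```batch
@echo off
setlocal
rem Added example, not the author's CleanupXP+ script. Assumes Windows XP paths
rem and the built-in taskkill/reg tools (XP Professional or later).
set "SUSPECT_DIR=%USERPROFILE%\Local Settings\Application Data"

echo == Type A: executables found where there should normally be none ==
dir /b /a-d "%SUSPECT_DIR%\*.exe" 2>nul
if errorlevel 1 echo (none found)
echo.
set "TARGET="
set /p "TARGET=File name to kill and delete (blank to skip): "
if defined TARGET (
    rem Forcefully end the process so its file handle is released, then remove the file.
    taskkill /F /IM "%TARGET%" >nul 2>&1
    del /f /q "%SUSPECT_DIR%\%TARGET%"
    if exist "%SUSPECT_DIR%\%TARGET%" echo Could not delete %TARGET%; reboot into Safe Mode and retry.
)

echo == Both types: empty common temp and cache locations ==
del /f /q /s "%TEMP%\*.*" >nul 2>&1
del /f /q /s "%USERPROFILE%\Local Settings\Temporary Internet Files\*.*" >nul 2>&1

echo == Type B: restore the default .exe file association ==
set "FIX="
set /p "FIX=Restore the .exe association in the registry? (Y/N): "
if /i "%FIX%"=="Y" (
    rem A per-user override under HKCU\Software\Classes shadows HKCR, so clear it first.
    reg delete "HKCU\Software\Classes\.exe" /f >nul 2>&1
    reg delete "HKCU\Software\Classes\exefile" /f >nul 2>&1
    rem Machine-wide defaults. %%1 and %%* are doubled so cmd does not expand them here.
    reg add "HKCR\.exe" /ve /t REG_SZ /d "exefile" /f >nul
    reg add "HKCR\exefile\shell\open\command" /ve /t REG_SZ /d "\"%%1\" %%*" /f >nul
    echo Done. Re-scan the system for leftovers.
)
endlocal
```

Because a live Type A executable blocks other programs from launching, run the script from Safe Mode; the registry writes in the Type B pass require an account with rights to HKCR.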

I am doing final touches on the draft version of the script which will be ready soon.

~TL

PS. Even though I have personally tested it a few times, I am offering it with no promises or guarantees. You are welcome to use it at your own risk.