Usr6

Turkojan 4 - manual removal


Posted

Required tools:

Process explorer: Process Explorer

Dll unloader: NoVirusThanks DLL UnInjector: unload DLLs within a selected process

Autoruns: Autoruns for Windows

Sample:

(obtained via https://rstforums.com/forum/76543-intrebare.rst#post492576 )

Program de dat flood ip adress.exe

MD5: 5acd5a6130b43c94ddb3418959f4c39c

~110K

process:

C:\WINDOWS\mstwain32.exe

dropped files:

c:\WINDOWS\mstwain32.exe ~110K MD5: 5acd5a6130b43c94ddb3418959f4c39c

c:\WINDOWS\cmsetac.dll ~33K MD5: 034e1f7e1d643572dc843ab535f6d60e

c:\WINDOWS\ntdtcstp.dll ~7K MD5: 67587e25a971a141628d7f07bd40ffa0

persistence:

initially it does not show up in Autoruns or regedit

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

mstwain32 C:\WINDOWS\mstwain32.exe

Removal:

step 1

Process Explorer > suspend mstwain32.exe


step 2

rename mstwain32.exe to mstwain32.ex

step 3

unload and delete the DLLs

c:\WINDOWS\ntdtcstp.dll

c:\WINDOWS\cmsetac.dll

step 4

Process Explorer > kill mstwain32.exe

step 5

delete mstwain32.ex

step 6

remove persistence > Autoruns

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

mstwain32 File not found: C:\WINDOWS\mstwain32.exe
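The six steps above scripted, as an added example that is not part of the original post. The paths, MD5s and the Run value name are the ones reported in the post; the function names and the decision to script it are assumptions of this example. Step 1 (suspend) and step 3 (unload the DLLs from the processes they were injected into) still need Process Explorer and DLL UnInjector, since PowerShell has no built-in way to do either; Get-InjectedHosts only tells you which PIDs to point the unloader at. Renaming the exe while it is suspended works because Windows lets a mapped image be renamed but not deleted, which is why the delete in step 5 waits until after the kill. Run from an elevated prompt; written against PowerShell 2.0 so it also runs on the XP-era hosts this sample targets.

```powershell
# Added example (not from the original post): verify the Turkojan 4 indicators
# listed in the post and finish the cleanup. Assumes the same paths, hashes and
# Run value as the post; function names are this example's own.

$Iocs = @(
    @{ Path = 'C:\WINDOWS\mstwain32.exe'; MD5 = '5acd5a6130b43c94ddb3418959f4c39c' },
    @{ Path = 'C:\WINDOWS\cmsetac.dll';   MD5 = '034e1f7e1d643572dc843ab535f6d60e' },
    @{ Path = 'C:\WINDOWS\ntdtcstp.dll';  MD5 = '67587e25a971a141628d7f07bd40ffa0' }
)
$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'mstwain32'

function Get-Md5Hex ([string]$Path) {
    # Get-FileHash needs PowerShell 4+, so hash through .NET instead.
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($md5.ComputeHash($fs)) -replace '-', '').ToLower() }
    finally { $fs.Close() }
}

function Test-TurkojanIocs {
    # Report each dropped file that exists and whether its MD5 matches the sample.
    # A present file with a different hash is still suspicious: same drop names, other build.
    foreach ($ioc in $Iocs) {
        if (Test-Path -LiteralPath $ioc.Path) {
            $hash = Get-Md5Hex $ioc.Path
            New-Object PSObject -Property @{
                Indicator = $ioc.Path; Value = $hash; SampleMatch = ($hash -eq $ioc.MD5)
            }
        }
    }
    $run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    if ($run -ne $null) {
        New-Object PSObject -Property @{
            Indicator   = "$RunKey\$RunValue"; Value = $run.$RunValue
            SampleMatch = ($run.$RunValue -eq 'C:\WINDOWS\mstwain32.exe')
        }
    }
}

function Get-InjectedHosts {
    # Processes that currently have either dropped DLL mapped. These are the targets for
    # DLL UnInjector; until the DLLs are unloaded, Remove-Item on them fails with "in use".
    $names = 'cmsetac.dll', 'ntdtcstp.dll'
    foreach ($p in Get-Process) {
        try   { $loaded = @($p.Modules | Where-Object { $names -contains $_.ModuleName.ToLower() }) }
        catch { continue }   # access denied on protected/system processes
        if ($loaded.Count -gt 0) {
            New-Object PSObject -Property @{
                PID  = $p.Id; Name = $p.ProcessName
                Dlls = (($loaded | ForEach-Object { $_.ModuleName }) -join ',')
            }
        }
    }
}

function Remove-Turkojan {
    # Steps 2, 4, 5 and 6 of the post, in the post's order: rename the exe, delete the
    # (already unloaded) DLLs, kill the process, delete the renamed exe, drop the Run value.
    $exe = 'C:\WINDOWS\mstwain32.exe'
    if (Test-Path -LiteralPath $exe) { Rename-Item -LiteralPath $exe -NewName 'mstwain32.ex' -Force }
    foreach ($dll in 'C:\WINDOWS\cmsetac.dll', 'C:\WINDOWS\ntdtcstp.dll') {
        if (Test-Path -LiteralPath $dll) {
            try   { Remove-Item -LiteralPath $dll -Force -ErrorAction Stop }
            catch { Write-Warning "$dll still in use: unload it from the PIDs listed by Get-InjectedHosts first" }
        }
    }
    Get-Process -Name mstwain32 -ErrorAction SilentlyContinue | Stop-Process -Force
    Remove-Item -LiteralPath 'C:\WINDOWS\mstwain32.ex' -Force -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    Test-TurkojanIocs   # returns nothing once all three files and the Run value are gone
}

Test-TurkojanIocs | Format-Table Indicator, Value, SampleMatch -AutoSize
Get-InjectedHosts | Format-Table PID, Name, Dlls -AutoSize
# Remove-Turkojan   # run only after suspending mstwain32.exe and unloading both DLLs
```

Run the two reporting functions first; if Get-InjectedHosts lists any PIDs, unload the DLLs there before calling Remove-Turkojan, otherwise the DLL deletions fail and the script warns instead of leaving a half-cleaned host. Autoruns will show the Run entry as "File not found" if only the exe is removed, so the final Test-TurkojanIocs call is there to confirm the registry value went too.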
