Marc Lognoul's IT Infrastructure Blog

Cloudy with a Chance of On-Prem


Cleaning-Up Fake MS Removal Tool using Sysinternals tools

Sysinternals

I was recently asked by a friend to help him fix his Windows 7 PC, which was constantly reporting all EXEs as malware while displaying pop-ups such as the one below.

[Screenshot: Fake MS Removal Tool pop-up]

Obviously this was neither the genuine MS Windows Defender nor MS Security Essentials doing an over-zealous job. With no second PC at hand to download anti-malware tools or a boot CD, I was left with the contaminated computer, which blocked the execution of all EXEs, including the Task Manager, except Internet Explorer and Windows Explorer. With the help of the well-known Sysinternals tools, here is how I got rid of that malware easily:

  1. On the right of the screen, right-click on the hyperlink showing Run Process Explorer, then click Save target as
  2. Save it under an alternate name on your desktop: iexplore.exe instead of procexp.exe
  3. Start iexplore.exe from your desktop, which is actually Process Explorer. It will not get blocked by the malware, since the malware simply looks at the EXE's name to prevent its execution
  4. From the process tree, locate a program whose name starts with PkN….exe (example: PkNVeZgVe.exe). Open its properties and take note of its actual location. On Windows 7, it was under C:\ProgramData
  5. Kill that EXE using Process Explorer
  6. Open Windows Explorer and delete the file from the location noted at step 4
  7. Open Internet Explorer and navigate to http://technet.microsoft.com/en-us/sysinternals/bb963902
  8. On the right of the screen, click on the hyperlink Run Autoruns now from Live.Sysinternals.com
  9. Once Autoruns has started, go to the File menu and click on Run as Administrator
  10. Click on the Logon tab
  11. Inspect all entries, in particular the Run and RunOnce entries under both the HKLM and HKCU registry paths, and remove any reference to the EXE noted at step 4
  12. The system should be clean from now on
  13. Ideally, perform a full scan with a decent anti-virus/anti-malware software…
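For readers who would rather script steps 4 and 11 than click through Process Explorer and Autoruns, here is a small PowerShell audit I am adding to this post (it is not from the original walkthrough and not a Sysinternals tool). It lists every Run and RunOnce value under HKLM and HKCU, flags those whose executable matches the PkN….exe naming pattern from step 4 or lives under C:\ProgramData, and does the same for running processes. The name pattern and the ProgramData location come from the steps above; the `-Remove` switch and everything else are my assumptions for illustration. Run it from an elevated prompt (the equivalent of step 9), and without `-Remove` it only reports.

```powershell
# Added example, not part of the original post or of the Sysinternals tools.
# Audits Run/RunOnce autostart values (as step 11 does in Autoruns) and running
# processes (as step 4 does in Process Explorer), flagging images that match the
# post's PkN*.exe naming pattern or live under C:\ProgramData. Report-only unless
# -Remove is given; the pattern and the switch are assumptions for illustration.
param(
    [string]$SuspectNamePattern = '^PkN\w*\.exe$',   # from the post's example PkNVeZgVe.exe
    [switch]$Remove                                 # opt-in: delete flagged autorun values
)

$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Usually C:\ProgramData, resolved rather than hard-coded
$programData = [Environment]::GetFolderPath('CommonApplicationData')

# Provider metadata that Get-ItemProperty attaches to every key; not real values
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Extract the executable path from a Run value such as: "C:\ProgramData\PkNVeZgVe.exe" /s
function Get-ImagePath([string]$command) {
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

# A path is suspect if its file name matches the pattern or it sits under ProgramData
function Test-Suspicious([string]$imagePath) {
    if (-not $imagePath) { return $false }
    $leaf = Split-Path -Leaf $imagePath
    return ($leaf -match $SuspectNamePattern) -or
           ($imagePath.StartsWith($programData, [StringComparison]::OrdinalIgnoreCase))
}

Write-Host "== Autorun entries (Run / RunOnce, HKLM and HKCU) =="
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $image = Get-ImagePath ([string]$p.Value)
        $flag  = if (Test-Suspicious $image) { 'SUSPECT' } else { 'ok     ' }
        Write-Host ("[{0}] {1}\{2} -> {3}" -f $flag, $key, $p.Name, $p.Value)
        if ($Remove -and $flag -eq 'SUSPECT') {
            # Same effect as deleting the entry in Autoruns; -Confirm asks before each one
            Remove-ItemProperty -Path $key -Name $p.Name -Confirm
        }
    }
}

Write-Host "`n== Running processes under $programData or matching $SuspectNamePattern =="
# Path can be unavailable for protected or higher-integrity processes; those are skipped
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
    if (Test-Suspicious $_.Path) {
        # The same three facts Process Explorer showed in step 4: name, PID, on-disk location
        Write-Host ("[SUSPECT] PID {0,6}  {1}  {2}" -f $_.Id, $_.ProcessName, $_.Path)
    }
}
```

The ProgramData check is deliberately broad: legitimate software rarely autostarts from there, so a hit is worth a look even when the name does not match, and the script never deletes anything without the `-Remove` switch and a per-entry confirmation. It covers only the Run and RunOnce keys the post names; Autoruns' Logon tab also shows other locations, so the manual step 11 review remains the more complete check.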

Some thoughts:

  • Sysinternals tools remain a must-have for any serious technical work on a Windows platform
  • Strange that this malware did not get detected and erased by MS Security Essentials with up-to-date definitions
  • Strange too that, with UAC configured to notify the user of every change, no UAC pop-up was apparently shown when the malware installed. Note: OK, I agree, not a good idea to run your daily account as admin…

I hope it will help someone out there…

Marc