Comments on "Reverse Shell: Manual Removal of sguza.exe and shey.exe worms"
Blog author: k3w13r (http://www.blogger.com/profile/12416647679178002935)
Comment feed retrieved 2024-02-03T11:17:04+05:30; 10 comments, newest first.

Anonymous, 2010-06-25 02:22 +05:30:
thanks, helped a lot.

Anonymous, 2010-06-13 17:13 +05:30:
This was very useful. Thank you for the info. Although I couldn't find the autorun.inf with the Handle thingy.

Booted in safe mode, searched for all the instances via regedit, then removed all mrpky.exe occurrences and so on and so on. Then cleaned temp folders and registry with ccleaner.
This site also helped a lot: http://comprolive.com/remove/harmful/1/mrpky-exe

k3w13r (https://www.blogger.com/profile/12416647679178002935), 2010-06-10 14:24 +05:30:
Great to know that your problem is solved. And I am glad you mentioned why it didn't work the first time. This gives a clue on how to remove it correctly. Even I made the same mistake while removing it for the first time. I have seen this trend in most malware: they hide inside the memory of explorer.exe, so that they are hard to find using Task Manager processes.

UMitra (https://www.blogger.com/profile/13315840316377186266), 2010-06-10 13:38 +05:30:
@k3w13r: yes, the problem is solved. Actually I wasn't deleting the mrpky.exe that was in the Application Data.
That's why the muza and carpet folders reappeared on plugging in the external. After killing the process and deleting the .exe, the folders stopped appearing... Thanks a lot.

k3w13r, 2010-06-09 22:40 +05:30:
@utsab: You can't delete the folder and you also cannot clean the registry unless all malware instances are stopped. Kill explorer.exe and start it again. This should kill the malware. Try deleting the muza folder; if it gets deleted then it means the malware is stopped. But it may reappear on a Windows restart. That's why you need to delete those entries from the registry, and then delete the malware exe from Application Data as well. Let me know if it helps.

UMitra, 2010-06-09 21:40 +05:30:
I am having a problem... I have done what has been said above, and still after unplugging and then plugging in my hard drive, the muza folder reappears. It seems I cannot delete the folder... HELP.

Anonymous, 2010-06-09 20:10 +05:30:
thanks for the help. :)

k3w13r, 2010-06-09 17:46 +05:30:
Thanks for the comments. The malware uses multiple names to hide itself; in my case it was MRPKY.EXE, and from the prevx link there are other names as well:
MRPKY.EXE, KITA375[1].EXE, SGUZA.EXE, 194.EXE, 21782259.EXE. So even if we delete all files with the name SGUZA.EXE, any other instance may still run upon a system restart. These names can be discovered by reverse engineering the malware. And that's something for which we rely on AV infos. :(

Anonymous, 2010-06-09 17:29 +05:30:
Very good advice, although it might be easier, having gone to 'My Computer', to select the drive and then right-click to search for the shey or sguza executables. The other detail worth mentioning is, after deleting the offending Carpet and Muza folders... and the contents of the recycle bins, to go to the Start menu, select 'Run' and type in the word 'regedit' to get to edit the registry. From there, simply go to the 'Edit' menu and select 'Find', then enter 'shey.exe' and 'sguza.exe'.
Naturally you remove the autoplay.inf file.
I then rebooted and... hey presto, no more double explorer prompt when opening the thumb drive.
Many thanks!

Anonymous, 2010-06-09 17:25 +05:30:
Great help. Made a colleague very happy. His drive icon had changed into a folder icon and it was inaccessible. Deleted reg key and autorun.inf.