Manual Clean Removal Instruction for Worm.Pabug.ck or Worm.Pabug.co
Worm.Pabug.ck is a computer virus also known as Worm.Pabug.co, Dropper/QQPass.48436, Trojan-PSW.Win32.QQPass.jh or DeepScan.Generic.Malware.SP!dldPk!g.01C03DEE. The virus carries high system risk as the malicious dropper will disable some commonly used anti-virus software and unable to open security applications. Other reported infected symptoms include unable to update virus signatures, unable to access or load antivirus websites or forums. All these effects caused the removal or disinfection process for Worm.Pabug.ck/co virus a little bit harder.
The worm can’t self-propagate. It is likely that the system could be infected when a user downloads an executable file from email, messenger, board, and download centers and run the file. Or, it is possible that it is installed by other malicious codes (worms, viruses and Trojan horses). The worm which is a dropper, when executed, will create the following files:
%systemroot%\system32\gfosdg.exe or jusodl.exe %systemroot%\system32\gfosdg.dll or jusodl.dll %systemroot%\system32\severe.exe %systemroot%\system32\drivers\mpnxyl.exe or pnvifj.exe %systemroot%\system32\drivers\conime.exe %systemroot%\system32\hx1.bat %systemroot%\system32\noruns.reg X:\OSO.exe X:\autorun.inf
X represents non-system hard drive. %systemroot% folder is usually C:\Windows on most systems (so the path to the infected files are C:\Windows\System for Windows 95/98/ME, C:\WinNT\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP).
Beside, the dropper also adds the following value to Windows registry key entries by executing noruns.reg and then delete the file once done to run itself automatically whenever Windows starts.
The above registry value is for the child registry key which based on the executables file names of the security programs, so that when these security software are been double clicked, the virus file that is been run. The child registry keys include:
The worm terminates following running process(es). Targets (listed below) are antivirus software, firewall, system process, and other malicious codes. The command used in ‘net stop’ and using sc.exe to configure forbid usage of these services with the command “config [service_name] start=disabled”
It also modifies HOSTS file to keep the user from connecting specific addresses. Generally, the addresses are homepages of Internet security sites and antivirus engine updates servers. So the infected system’s user can’t get information or engine updates to scan and remove the malicious code.
The virus is may also affect USB flash drive or portable hard disk, by autorun OSO.exe. All non system partition will contains OSO.exe and autorun.inf virus files too. Beside, system time may be changed too to cause some anti virus programs to expire.
How to Remove and Disinfect Worm.Pabug.ck or Worm.Pabug.co Manually
To run antivirus program that has been disabled, you can try to rename the antivirus executable file name to another file name, and then run the new file name.
Terminate and end the following processes (tasks) using Task Manager (alternative you can use procexp):
Remove the registry key added by virus under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options registry key using Registry Editor or Autoruns (for Autoruns, remember to first select Options -> Hide Microsoft Entries to avoid mistaken delete valid entries). This process will allow anti virus or security software or system utilities such as IceSword, SREng and etc to be able to function properly again:
Remove the following auto run on Windows startup registry entries located at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run registry key by using Registry Editor or SREng (System Repair Engineer)
Also navigate to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon registry key, double click on it and remove the text behind “Explorer.exe” in the value data, so that it will become looked like as below:
“shell”=”Explorer.exe”
Next delete all files planted by the virus. Note that even if you right click on these infected files may trigger the infection process, so it’s recommended to use IceSword or WinRAR to delete these files:
X mean all non system partitions, including your USB flash drive and portable hard disk.
System Recovery and Clean Up
Navigate to the following registry keys and add back the original value.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL] “CheckedValue”=dword:00000001 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] “NoDriveTypeAutoRun” value is vary depending on system, normally by default it will set as 91 (in HEX value)
Next remove all contents added by the worm in Hosts file. Use Notepad to open %systemroot%\system32\drivers\etc\hosts, and remove the entries or lines specified above. If you’re using SREng, simply click on “System Recovery” -> “Hosts file”, then click “Replace” and then “Save”.
Finally, you will need to recover or repair or reinstall the anti virus program, if it has been damaged.
LK is a technology writer for Tech Journey with background of system and network administrator. He has be documenting his experiences in digital and technology world for over 15 years.Connect with LK through Tech Journey on Facebook, Twitter or Google+.
