Lately, I’ve been a ghost and haven’t been online much. Nobody’s seen me, not even my own members.
And for that, I’m sorry for delaying everybody needlessly. Not much progress has been made since I last posted.
Lately, I’ve just been busy watching tons of movies and playing Dark Souls PC. Yeah, that’s about it.
Day in and day out has just been movies and Dark Souls. Nothing really much else. SOME Calculus, but that’s it.
Anyways, I’ll see to it that something gets released soon, so just hold your horses and wait a bit. Sorry again.
On a side note, a new trojan virus has come out recently and installs itself to your system via an unpatched browser exploit.
If you have Necurs.A, or have not checked your system lately for viruses, I suggest you do so now to see if you have it.
There is no automatic fix for Necurs.A at the moment, so if you have Necurs.A, follow the steps below to fix it.
————————————————————————————————
Now on another note. Trojan Necurs.A or Win64/Necurs.A.
My Windows 7, however the hell possible, got infected with this trojan. However, I consider myself lucky.
If any of you are infected with this virus (just check with Microsoft Security Essentials), here is the proper fix.
Don’t bother with Google; just hundreds of corporate-sponsored links and guides that make no sense whatsoever.
This trojan is really new and you may not even know if you’ve been infected with it. It only came out in the last 1-2 months.
All anti-virus programs will DETECT the trojan, HOWEVER, will be UNABLE to cure it at this time.
I repeat.
All anti-virus programs will DETECT the trojan, HOWEVER, will be UNABLE to cure it at this time.
So anybody, whether you read my manga scanlations or are just a random person searching off Google, here’s your cure.
1. How the trojan basically works
I essentially figured out how the trojan works because I managed to catch it EXACTLY when it started happening. Seriously.
If you didn’t catch it early and restarted your computer, you would have left it unnoticed and it would’ve installed all the way.
Basically, it first gets downloaded silently to your computer via a browser exploit. I was using Firefox at the time.
Next thing I noticed was a random advertisement playing in the background. I thought this was weird.
I thought it might’ve been a viral advertisement on Firefox. Okay, no problem. I closed Firefox, but it kept playing. What?
So I thought, “well, Firefox sometimes lies dormant in the background even after closing, so I should close it in Task Manager.”
Okay, so I opened up Task Manager, and checked for Firefox that might still be running, but nope, it was already closed.
So I opened up the Windows Mixer at the bottom left for volume control, and guess what: an untitled service was playing sounds.
At this point, it clicked. “Crap! A virus! Bloody ****!”
I really only noticed it because I am quite careful about what I do, and I know when something’s just out-of-place. Like that ad.
I promptly ran Microsoft Security Essentials, and what do you know? Necurs.A and a few other minor malware (those were easy).
And of course, I tried to remove them, but MSE gave back a failure message. Ouch.
Cutting out some of the unimportant story, basically, the trojan works by first preparing your system to install an unsigned driver.
Of course, with Windows 7’s built-in protection mechanisms, getting an unsigned driver to install straight from a browser exploit isn’t easy.
Necurs first gets placed onto your system, waits for a restart, sets up startup entries and places your system into Test Mode, and waits for another restart.
Remember: Waits for a restart. At this point, you can still fix the computer even before it installs fully. Which is what I did, just now.
The reason Test Mode is necessary is that unsigned drivers need human verification to install, which I guess Necurs couldn’t bypass.
1. Downloaded via the browser exploit. Waits for a restart to install itself on the system and prepare for step three.
2. After that restart, runs the command that puts the system into Test Mode, which needs yet another restart.
3. After the second restart the system is in Test Mode and can now freely load unsigned drivers.
4. I didn’t reach this point, as I fixed the issue before it, but presumably the trojan installs its driver and activates itself.
It’s been noted online that the name of the trojan constantly changes, so you might want to do this early.
2. How to get rid of the trojan
The best, best way is to have an alternative operating system to boot to.
Even on Safe Mode, various things may run that could prevent anti-virus software from working.
However, if your system only has one operating system, you’ll still need to take your chances with Safe Mode.
Software you’ll need is the File Shredder from Spybot (or your own, but I’ve used theirs for years and it works great).
And that’s really about it. Anti-virus and anti-malware software won’t work on this trojan at this time. It’s all manual.
Essentially, you want to run Microsoft Security Essentials again. Do a custom scan, and check these locations:
#\Windows\System32\drivers\
#\Windows\Installer\ — This one may be hidden from view, if so, just search the Windows folder.
It should detect two files. One that’s just random numbers and letters as a sys file, like 7f19eae6252757a.sys (mine)
And the other is syshost.exe inside the Installer folder.
Run File Shredder and throw those two files into the program, setting it to 35 passes just to vent your rage at it.
The reason you shouldn’t just delete them is that the data would still remain on your disk, which isn’t desirable.
Next, go to your Control Panel, Administrative Tools, Services.
Look for these two entries: syshost and xsherlock. Look also for any other no-description, suspiciously named services.
If you check their properties, syshost should already be dead, but xsherlock.xem may still be alive.
Go to Folder Options, untick the options that keep files hidden (so hidden and system files are shown), and check the System32 folder for that file.
Chances are, if you managed to remove the trojan prior to running the system in Test Mode, it won’t be there.
At this point, open up Command Prompt as an Administrator, and use the command “sc delete ServiceName” to remove them.
sc delete syshost
sc delete xsherlock
…And any other suspicious services.
Finally, take your system back out of Test Mode by typing this: “bcdedit /set testsigning off”
Before you restart, once again, use any anti-virus and anti-malware software you prefer to double-check your system. Full scan.
Microsoft Security Essentials will still report that Necurs.A is there. Just select Allow and apply; that’s just how MSE works.
Remove/quarantine any other virus/malware those two programs detect. Shredding is a good way to remove it permanently.
Now you can restart your computer. Your computer should be cured of this trojan.
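As an added example (not the post’s own steps, and not any tool the post mentions), here is a read-only PowerShell audit script that checks the indicators described in both sections above: whether the machine is in Test Mode, whether the syshost or xsherlock services or any description-less service exist, whether syshost.exe sits in \Windows\Installer, whether any .sys file in System32\drivers has a random-looking name or no valid Authenticode signature, and whether the standard Run keys reference those names. The hex-name regex and the Run-key list are my own assumptions: the post gives only one sample file name (7f19eae6252757a.sys) and says only that the trojan “sets up startup entries” without naming where.

```powershell
# Added example, not from the original post: a read-only audit of the
# Necurs-style indicators described in the guide. It reports and never
# deletes, stops or changes anything; removal stays manual, as in the post.
# Run from an elevated PowerShell prompt (bcdedit needs admin rights).
#
# Assumptions (mine, not the post's): the "random hex name" regex is a
# heuristic built from the single sample name in the post; the Run keys
# checked are the usual autostart locations, since the post does not say
# where the trojan's startup entries live.

$findings = @()

# 1. Test Mode. The guide turns it off with "bcdedit /set testsigning off";
#    here we only read the current boot entry and look for "testsigning Yes".
$bcd = (bcdedit /enum '{current}' 2>&1) -join "`n"
if ($bcd -match '(?im)^\s*testsigning\s+Yes\s*$') {
    $findings += 'Test Mode is ON (testsigning = Yes): unsigned drivers can load'
}

# 2. Services: the two names from the post, plus any service with no
#    description (the post's "no-description, suspiciously named" rule).
$knownBad = @('syshost', 'xsherlock')
foreach ($svc in (Get-WmiObject -Class Win32_Service)) {
    if ($knownBad -contains $svc.Name.ToLower()) {
        $findings += "Known-bad service: $($svc.Name) state=$($svc.State) start=$($svc.StartMode) path=$($svc.PathName)"
    }
    elseif ([string]::IsNullOrWhiteSpace($svc.Description)) {
        $findings += "Service without description: $($svc.Name) state=$($svc.State) path=$($svc.PathName)"
    }
}

# 3. The dropper the post found under \Windows\Installer (folder may be hidden;
#    Test-Path sees hidden files without extra switches).
$dropper = Join-Path $env:SystemRoot 'Installer\syshost.exe'
if (Test-Path -LiteralPath $dropper) {
    $findings += "Dropper present: $dropper"
}

# 4. Driver files: random-looking hex names and/or no valid Authenticode
#    signature. -Force includes hidden files; the PSIsContainer filter keeps
#    the script working on PowerShell 2 (Windows 7's default).
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
foreach ($f in (Get-ChildItem -LiteralPath $driverDir -Filter '*.sys' -Force | Where-Object { -not $_.PSIsContainer })) {
    $randomName = $f.BaseName -match '^[0-9a-f]{12,}$'   # heuristic, see header
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    if ($randomName -or $sig.Status -ne 'Valid') {
        $findings += "Driver $($f.Name): randomName=$randomName signature=$($sig.Status)"
    }
}

# 5. Startup entries: Run/RunOnce keys for the machine and the current user,
#    flagged when they reference the names or folder from the post.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSDrive etc. added by the provider
        if ("$($p.Value)" -match 'syshost|xsherlock|\\Installer\\') {
            $findings += "Startup entry $key\$($p.Name) -> $($p.Value)"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Necurs-style indicators found.'
} else {
    Write-Output "Found $($findings.Count) indicator(s):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Treat the output as leads, not verdicts: on Windows 7 many legitimate drivers are catalog-signed and Get-AuthenticodeSignature may report them as NotSigned, and plenty of harmless services ship without a description. The point is to narrow the list down to a handful of files and services you then inspect by hand, exactly as the guide above does with the custom scan and the Services console.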
Update: It turns out that soon after you fix this trojan, your computer will be rendered unable to update.
To fix this, please follow the instructions here: http://www.doitscared.com/1259/recover-from-the-sirefef-y-virus-infection/

Hi I just wanted to say thank you, thank you, THANK YOU!
MSE stopped working a couple of weeks ago and I didn’t know why. When I reinstalled it I found this asshole, and MSE couldn’t get rid of it.
But thanks to your guide I managed to kill it without formatting my entire hard drive. Thanks again!
Glad to hear that it worked for you :D
Sorry for the off-topic, guys... but if you need raws for Classmate, you can download the Dengeki Daioh raws from jcafe. Apparently the other chapters are there.
Ooh. That’s nice to hear. Thanks for letting us know :)
Dark Souls trapped me for quite some time too, now I’m 145 and 2/3 of the way through NG+ lol
But it’s not fun to go into NG+ D:. The fun’s @ PvP :o…
Sorry to hear about your virus problem, hope the fix worked for you. After reading your post I decided to check mine from what you suggested, so my laptop is clean for now. Now for stupid question time: where did you find the Microsoft Security Essentials? If online, could you provide a link?
Just Google for “Microsoft Security Essentials”. It should be one of the first links since it’s free and managed by Microsoft.
And yeah, the fix seems to have done the job well. I just figured I’d inform the public since it’s one of those extremely silent killers that people would never think they’d encounter. It’s like having CO in your building without a CO detector installed in the house. You’ll never see, hear, smell, etc. it for ages.