JBLCF_scandal.exe and MSUPDTE.exe Malware

Recently, the computers of the staff I support were plagued by JBLCF_scandal.exe and msupdte.exe. Both are batch-style scripts that register themselves as Windows startup processes, and neither the antivirus scanners nor the anti-spyware tools we use were able to detect them.

JBLCF_scandal.exe was especially tricky because these computers already run startup bat scripts of mine, and those scripts launch cmd.exe. The moment cmd.exe runs, JBLCF_scandal.exe together with pc_off.bat forces the computer to restart right after log-on, so I could never get past the log-on screen. It was a real headache.

I knew a script was running JBLCF_scandal.exe, but it took me a while to find where it lived, because the malware had also modified the registry so that hidden files could not be shown and the folder properties (Folder Options) could not be edited.

As for msupdte.exe, the name itself is the deceit: at first glance it looks like a legitimate Windows process. With this malware, you get a warning message after logging in. A window appears with the following text:

"C:\WINDOWS\system32\msupdte.exe
The NTVDM CPU has encountered an illegal instruction."

NTVDM is the subsystem Windows uses to run MS-DOS and 16-bit programs, so this error means the file in system32 is being executed through that subsystem and crashing there, which is not how a genuine Windows Update component runs.

To resolve these issues, I did the following:

On JBLCF_scandal.exe
1. Logged on to a user profile that does not run any startup bat files (so cmd.exe is never launched and the forced restart never fires).
2. Ran Task Manager (with "Show processes from all users" ticked), located JBLCF_scandal.exe and ended the process.
3. Ran regedit and backed up the registry first (File > Export).
4. Pressed Ctrl+F and searched for JBLCF_scandal.exe.
5. Deleted the registry entry that referenced it, then pressed F3 to repeat the search until no more matches were found, since the malware may be registered in more than one place.
6. Searched again, this time for pc-off.bat.
7. Deleted that entry the same way.
8. Opened WinRAR or WinZip, used its built-in file browser to go to C:\Windows (the archiver's own browser still lists the hidden files that Explorer will not show), found the two files mentioned above and deleted them.

On msupdte.exe
1. Clicked Close on the window showing the error.
2. Ran Task Manager and located msupdte.exe. Check the name character by character, because, as said above, it is almost identical to a legitimate process name.
3. Ended that process.
4. Ran regedit (backing up the registry first, as before) and searched for msupdte.exe. Make sure the name is correct before deleting anything!
5. Deleted the registry entry, repeating the search with F3 until nothing else matched.
6. Opened WinRAR or WinZip and browsed to C:\Windows\system32 to locate msupdte.exe.
7. Deleted it.
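The same hunt-and-remove routine for both files, as an added PowerShell example that is not part of the original post and not a script the author used. It assumes the usual autorun persistence points (the Run/RunOnce keys, the Winlogon Shell/Userinit values and the Startup folders), which the post does not confirm, and it assumes the "hidden files / Folder Options" lock was done through the standard Explorer Advanced and Policies keys. The file names are taken from the post; both spellings of the bat file are included because the post uses both.

```powershell
# Added example, not the post's own script. Hunts the autorun entries, files and
# processes named in the post and restores the Explorer settings the malware locked.
# Run from an elevated PowerShell prompt. ASSUMED: the registry/startup locations
# below are the usual persistence points (the post does not say which was used), and
# the Explorer keys touched by Restore-ExplorerSettings are the standard ones.

$Iocs = @('JBLCF_scandal.exe', 'pc_off.bat', 'pc-off.bat', 'msupdte.exe')

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell / Userinit values
)

$StartupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)

function Find-AutorunIoc {
    # One object per registry value whose data mentions one of the IOC names.
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
                 Where-Object { $_.Name -notlike 'PS*' }     # drop PowerShell metadata
        foreach ($p in $props) {
            foreach ($ioc in $Iocs) {
                if ("$($p.Value)" -like "*$ioc*") {
                    [pscustomobject]@{ Key = $key; ValueName = $p.Name; Data = $p.Value; Ioc = $ioc }
                }
            }
        }
    }
}

function Find-IocFiles {
    # -Force lists hidden and system files, so this works even while Folder Options is locked.
    $paths = @($env:windir) + $StartupDirs
    Get-ChildItem -Path $paths -Recurse -Force -Include $Iocs -ErrorAction SilentlyContinue
}

function Find-IocProcesses {
    $names = $Iocs | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
    Get-Process -Name $names -ErrorAction SilentlyContinue
}

function Remove-AutorunIoc {
    # Kill first, then unregister, then delete, so nothing can re-create itself in between.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    Find-IocProcesses | Stop-Process -Force
    foreach ($hit in Find-AutorunIoc) {
        if ($hit.Key -like '*Winlogon') {
            # Shell/Userinit must keep their legitimate part; deleting the value breaks log-on.
            Write-Warning "Winlogon\$($hit.ValueName) = '$($hit.Data)': strip the malware part by hand"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$($hit.Key)\$($hit.ValueName)", 'Remove registry value')) {
            Remove-ItemProperty -Path $hit.Key -Name $hit.ValueName
        }
    }
    Find-IocFiles | Remove-Item -Force
}

function Restore-ExplorerSettings {
    # Hidden=1 shows hidden files, ShowSuperHidden=1 shows protected OS files,
    # NoFolderOptions (if present) is the policy that hides the Folder Options dialog.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $adv -Name Hidden -Value 1 -Type DWord
    Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord
    $pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (Test-Path $pol) {
        Remove-ItemProperty -Path $pol -Name NoFolderOptions -ErrorAction SilentlyContinue
    }
}

# Review before acting: Find-AutorunIoc; Find-IocFiles; Find-IocProcesses
# Dry run, then the real thing: Remove-AutorunIoc -WhatIf; Remove-AutorunIoc; Restore-ExplorerSettings
```

Back up the registry before running the removal, just as in the manual steps (for example `reg.exe export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run-backup.reg /y` for each key). The Winlogon values are deliberately only reported, not deleted: Shell and Userinit carry the legitimate explorer.exe and userinit.exe entries, and a malware name is usually appended to them, so they have to be edited back to the defaults rather than removed. On the XP-era machines the post describes, PowerShell 2.0 has to be installed first; the same locations can be walked by hand in regedit using the Ctrl+F / F3 routine above.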
