What is BlackShades:
Threat Classification: Remote Access Trojan (RAT)
BlackShades is a very dangerous piece of malware and is considered one of the most widely used Remote Access Trojans (RATs) in the wild. Once installed, it gives a remote operator full control of your computer: it can log keystrokes, capture the screen and webcam, upload and download files, and harvest personal information such as email account and website passwords, online banking logins, credit card numbers and PayPal accounts.
BlackShades is distributed through P2P and social media networks using malicious links; phishing e-mails and drive-by downloads are also common ways of spreading this particular malware.
!!! Please note that this infection can download further malware onto your computer and may cause data loss. Do not underestimate such threats.
There are two ways to remove this infection. It is totally up to you to decide which way you want to go:
1. Automatic Removal Method (recommended for regular or novice users) using a Professional Malware Removal Software.
2. Manual Removal (recommended for PC Experts or Enthusiasts).
Automatic BlackShades Removal:
We recommend using SpyHunter Malware Security Suite.
You can download and install SpyHunter to detect BlackShades and remove it. Once installed, SpyHunter will automatically scan for and detect all threats present on your system, but to use it as a removal tool you need to purchase a subscription.
Learn more about SpyHunter (EULA). You can find install instructions here: (LINK). SpyHunter's free diagnosis offers free scans and detection. You can remove the detected files, processes and registry entries manually, by yourself, or purchase the full version to perform an automatic removal and receive free professional help with any malware-related queries from their technical support department.
Manual BlackShades Removal:
!!! Please note: You can remove the BlackShades RAT manually, but you proceed at your own risk, as any of these interventions can render your system inoperable. This manual method is therefore recommended only for PC experts or enthusiasts. For regular users, MalwareKillers.com recommends using SpyHunter or another reputable security application.
1. Remove BlackShades by restoring your system to a previous state.
1. Reboot your computer into Safe Mode with Command Prompt. To do this, turn your computer off and back on, and as soon as anything appears on the screen start tapping the F8 key.
***For Windows 8:
If you are using Windows 8, hold the Shift key and tap F8 repeatedly; this should boot you into the Advanced Startup “recovery mode”, where the advanced repair options are offered. On the next screen click Troubleshoot, then Advanced Options, then Startup Settings. Click Restart, and you should now see the Advanced Boot Options screen.
2. Using the arrow keys on your keyboard, select the option “Safe Mode with Command Prompt” and press Enter on your keyboard.
3. When the command prompt loads up, type:
Windows XP: C:\windows\system32\restore\rstrui.exe and press Enter
Windows Vista/7/8: C:\windows\system32\rstrui.exe and press Enter
4. System Restore should start and show a list of restore points. Choose a restore point created just before the date and time BlackShades infected your computer.
When System Restore has finished, start Windows in normal mode and run a scan with anti-malware software, as the infection may still be present on the system.
2. Remove BlackShades under Safe Mode or Offline using a Rescue Disc:
1. Reboot your computer using the steps above, but this time select Safe Mode with Networking. Alternatively, boot the computer from a Rescue CD that you prepared before starting the removal.
2. *If you are in Safe Mode or Normal Mode, check memory for the following process and terminate it:
3. Search your hard drive for these files: click the Start menu and type each file name into the search field. If the search finds one or more of them, delete them all.
4. Open Registry Editor (If using Rescue CD -> load the registry hive.)
5. Check the following registry keys for any entries related to the infection and remove them, if any found:
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\SrvID\ID\[random string of letters and numbers]
(BlackShades is written in Visual Basic 6 and stores its configuration here through the VB SaveSetting API; the SrvID key itself is an indicator of infection.)
*Default entry must be: Explorer.exe
*Default entry must be: C:\WINDOWS\system32\userinit.exe,
*Default entry must be:
Windows XP: rundll32 shell32,Control_RunDLL “sysdm.cpl”
Windows Vista/7/8: SystemPropertiesPerformance.exe /pagefile
*Be extremely careful when modifying the default Shell, Userinit and AppInit entries: a wrong value can leave the system unable to boot or log on.
6. Check and remove/modify the following entries/values:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce “<random numbers and chars>”
7. Uninstall BlackShades from Control Panel (if entry found)
Go to Control Panel and open Programs and Features (Windows Vista/7/8/10) or Add/Remove Programs (Windows XP), and check the list of installed programs for any entry related to BlackShades. If you find one, double-click it and try to remove it. Bear in mind that you may not be able to remove it directly from the list.
*(Start -> Control Panel -> Programs and Features or Add/Remove Programs).
8. Delete any files or folders related to BlackShades by checking the following locations:
Look for the following files or similar (%CommonAppData% is C:\ProgramData on Windows Vista and later, and C:\Documents and Settings\All Users\Application Data on Windows XP):
%CommonAppData%\<random numbers and chars>\
%CommonAppData%\<random numbers and chars>\<random numbers and chars>
%CommonAppData%\<random numbers and chars>\<random numbers and chars>.exe
%CommonAppData%\<random numbers and chars>\<random numbers and chars>.ico
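The checks in steps 2, 5, 6 and 8 can be scripted so that every candidate indicator is listed at once before you kill or delete anything. The PowerShell below is an added example written for this guide, not code from the original page or from the BlackShades authors. It assumes that the Shell and Userinit values are the ones under the standard HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key, that AppInit_DLLs is the value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, and that "<random numbers and chars>" means an alphanumeric name containing at least one digit (a heuristic that can also match legitimate folders). It only reports; it never terminates a process or deletes a file or registry entry.

```powershell
# BlackShades triage: read-only PowerShell that reports the indicators behind
# steps 2, 5, 6 and 8 of the manual removal above. Added example for this guide,
# not the page's own code. Run from an elevated prompt as the infected user.
#
# Assumptions (not stated on the page): Shell/Userinit are the values under the
# standard Winlogon key; AppInit_DLLs is the value under ...\Windows NT\CurrentVersion\Windows;
# "<random numbers and chars>" means an alphanumeric name containing a digit (heuristic).

$findings   = New-Object System.Collections.Generic.List[string]
$randomName = '^[A-Za-z0-9]{6,}$'
# %CommonAppData%: C:\ProgramData on Vista and later, All Users\Application Data on XP.
$programData = if ($env:ProgramData) { $env:ProgramData } else { Join-Path $env:ALLUSERSPROFILE 'Application Data' }
$pdPrefix = $programData.TrimEnd('\') + '\'

function Test-RandomName([string]$Name) {
    return ($Name -match $randomName) -and ($Name -match '\d')
}

# Registry values of a key, minus the PS* bookkeeping properties Get-ItemProperty adds.
function Get-RegValues([string]$Path) {
    if (-not (Test-Path $Path)) { return @() }
    return (Get-ItemProperty -Path $Path).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
}

# Step 5: BlackShades keeps its configuration under the VB6 SaveSetting key SrvID.
$srvId = 'HKCU:\Software\VB and VBA Program Settings\SrvID'
if (Test-Path $srvId) {
    $findings.Add("CONFIG   key present: $srvId")
    foreach ($key in (@(Get-Item $srvId) + @(Get-ChildItem -Path $srvId -Recurse))) {
        $keyName = $key.PSPath -replace '^.*::', ''
        foreach ($v in (Get-RegValues $key.PSPath)) {
            $findings.Add("CONFIG   $keyName  $($v.Name) = $($v.Value)")
        }
    }
}

# Step 5: the Winlogon and AppInit defaults the guide says must not be altered.
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -ne 'explorer.exe') {
    $findings.Add("WINLOGON Shell = '$($wl.Shell)' (expected explorer.exe)")
}
$userinit = Join-Path $env:SystemRoot 'system32\userinit.exe'
$extra = @([string]$wl.Userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -ne $userinit })
if ($extra.Count -gt 0) {
    $findings.Add("WINLOGON Userinit has extra entries: $($extra -join ' ; ')")
}
$appInit = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows').AppInit_DLLs
if ($appInit) { $findings.Add("APPINIT  AppInit_DLLs = '$appInit' (default is empty)") }

# Step 6: HKCU Run/RunOnce entries with random-looking names or data under %CommonAppData%.
foreach ($k in @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce')) {
    foreach ($v in (Get-RegValues $k)) {
        $data = [string]$v.Value
        if ((Test-RandomName $v.Name) -or ($data -match [regex]::Escape($pdPrefix))) {
            $findings.Add("AUTORUN  $($k -replace '^HKCU:', 'HKCU')  $($v.Name) = $data")
        }
    }
}

# Step 8: %CommonAppData%\<random>\<random>.exe, with or without a sibling .ico.
foreach ($dir in (Get-ChildItem -Path $programData -Force -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSIsContainer -and (Test-RandomName $_.Name) })) {
    foreach ($exe in (Get-ChildItem -Path $dir.FullName -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
                      Where-Object { -not $_.PSIsContainer })) {
        $tag = if (Test-Path (Join-Path $dir.FullName ($exe.BaseName + '.ico'))) { 'EXE+ICO' } else { 'EXE    ' }
        $findings.Add("FILE     $tag $($exe.FullName)")
    }
}

# Step 2: running processes whose image lives under %CommonAppData% (the guide names none).
foreach ($p in (Get-Process | Where-Object { $_.Path -and $_.Path.StartsWith($pdPrefix, [System.StringComparison]::OrdinalIgnoreCase) })) {
    $findings.Add("PROCESS  PID $($p.Id)  $($p.Path)")
}

if ($findings.Count -eq 0) {
    'No BlackShades indicators found by these checks (not proof the system is clean).'
} else {
    $findings
}
```

Run it from an elevated PowerShell prompt in Safe Mode with Networking (step 1 above), logged on as the account that was infected, since the HKCU checks only see the current user's hive. Treat every line it prints as a candidate for the manual steps above, not as proof of infection: the random-name heuristic can flag legitimate folders, and an empty report only means these particular indicators were not present.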