Literally yesterday we wrote about the previous iteration of this pest – JoopApp. NoqotApp by Haye Cosq is a fake app that swaps names every week. It exists only to use system resources to mine bitcoins and other digital currencies, and to introduce more malware to your system.
I think that’s enough of an explanation; you get it. The important thing to note is that this malware will try to prevent you from removing it at every turn, but it’s otherwise safe, as in, you can safely attempt to remove it and nothing bad will happen. Just follow the guide explicitly.
NoqotApp Removal Instructions
Since the given official uninstaller for NoqotApp doesn’t work (no surprise there), you’ll need to visit and delete several folders or files on your PC, sometimes in system locations. Don’t skip any of the steps outlined below; they are there for a reason.
SUMMARY:
Name | NoqotApp |
Type | Trojan |
Be warned: NoqotApp’s creators change things a little bit each time. We created this guide with a lot of data from the previous iterations, but there might be (or not) something slightly different each time around. This can complicate the manual removal. If you don’t want to spend the necessary time, we recommend downloading the app from our ads, SpyHunter 5.
Preparing for the Removal
You need to install 1 free utility called Lock Hunter. This is necessary so as not to overcomplicate things with the removal. There may (and probably will) be several instances where files are inaccessible to you and this is the most painless way to get around that. I understand most people don’t want to download anything – if you really insist on this after reading the explanation, then unfortunately this page isn’t for you, as several of the steps can’t be performed.
Uninstall the NoqotApp Virus App
Open the Start Menu. Type “Apps & Features”. Sort by installation date and review the list. If anything appeared around the date you started experiencing problems, so quite recently, it’s under suspicion. The list can’t be filtered to start from a given date, so you’ll have to look through the last 5 or 10 entries at most. If something is suspicious, meaning you don’t know why it’s there, uninstall it. You can always restore it later if it’s safe.
NoqotApp will appear in this list, but nothing will happen when you try to uninstall it. Don’t stress out, this is expected at this point.
Revealing Hidden Files
You’ll need to reveal some of NoqotApp’s files. You can skip this part if you already have revealed the hidden system files and folders in your options.
Open the Start Menu. Type “Folder Options”. Press Enter.
View tab> “Show hidden files, folders, and drives”> OK.
Now the hidden files in your system will be visible.
Get Rid of NoqotApp in the Task Manager
This step requires you to perform a little bit of personal decision-making. We’ll give you a list of processes NoqotApp creates, but something might differ on your PC. Just carefully look at everything.
Open the Task Manager with Ctrl + Shift + Esc > More Details
These are the processes NoqotApp creates:
“C:\Windows\system32\msiexec.exe” /I “C:\Users\<USER>\Desktop\installer.msi” /qb ACCEPTEULA=1 LicenseAccepted=1
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\services.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6CBBDE8C67B0E1EE7AF7FB9E96370864
“C:\Windows\System32\msiexec.exe” /i “C:\Users\user\Desktop\install.msi”
“C:\Windows\System32\msiexec.exe” /i “C:\Users\user\Desktop\installer.msi”
C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 595D1191C36995804CF71467D921FB64
C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B9E2218A25A507AA0E0D52BA34703758
C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
End each process you think is suspicious. To determine if something is really suspicious, right-click it > Properties. There should be a short description of what it does if something is legitimate.
If you are afraid you’ll mess something up badly, we recommend creating a system restore point – just type that in the Windows Start Menu, and you’ll easily be able to return to this state.
Delete NoqotApp’s Files and Folders
Navigate to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup and delete any suspicious files that seem linked to NoqotApp. In case you aren’t sure what to eliminate, just delete everything in that folder except the desktop.ini file.
Then do the exact same thing in this folder: C:\Users\YourUsername\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup.
Next, go to C:\Users\USERNAME\AppData\Roaming\Haye Cosq\NoqotApp\ – This is obviously the main folder belonging to the malware. If you are prevented from deleting it, use Lock Hunter: right-click the folder > What is locking…? > you’ll be able to delete the folder in the menu.
Finally, go to the Temp folder by typing “%TEMP%” in the Start Menu and hitting Enter. Then delete everything there.
These are temporary files and folders, so it’s safe to remove them all, and there could be leftover files from the malware among them.
Checking the Task Scheduler
Scheduled tasks may resurrect NoqotApp. You must prevent it.
Open the Start Menu. Type “Task Scheduler.” Press Enter.
Examine the items listed in the Task Scheduler Library.
Unfamiliar tasks? Right-click, select Properties.
Actions tab: if the task points to AppData or Roaming or executes some suspicious .exe file or script, it’s likely tied to NoqotApp, so it must go.
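The same review of the Actions tab can be done for every task at once. The PowerShell below is an added example, not part of the original guide: it only lists tasks whose action points into AppData or Temp, runs a script file, or targets a file that no longer exists, and it deletes nothing. The Temp location and the list of script extensions are assumptions added for the review; a hit is a candidate to inspect, not a verdict.

```powershell
# Added example (not from the original guide): read-only review of scheduled tasks.
# It lists candidates for manual inspection and deletes nothing.

# Locations the guide calls out, plus Temp (assumption: added as a common drop spot).
$pathPattern   = '\\AppData\\|\\Temp\\|%APPDATA%|%LOCALAPPDATA%|%TEMP%'
# Assumption: script extensions worth a second look when they appear in an action.
$scriptPattern = '\.(js|jse|vbs|vbe|wsf|ps1|bat|cmd|hta)\b'

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute property; only exec actions are checked.
        if (-not $action.Execute) { continue }

        $exe     = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        $cmdLine = "$exe $($action.Arguments)".Trim()

        $reasons = @()
        if ($cmdLine -match $pathPattern)   { $reasons += 'path under AppData/Temp' }
        if ($cmdLine -match $scriptPattern) { $reasons += 'runs a script file' }
        if ($exe -match '^[A-Za-z]:\\' -and -not (Test-Path -LiteralPath $exe)) {
            $reasons += 'target file missing'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                State   = $task.State
                Author  = $task.Author
                Command = $cmdLine
                Why     = $reasons -join '; '
            }
        }
    }
}

$findings | Sort-Object Task | Format-List
```

Run it from an elevated PowerShell window so tasks registered by other accounts are included in the listing.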
Cleaning the Registry
Lastly, it’s time to clean the Registry. This is a very important step, but you must be careful not to delete the wrong thing or else your system may become unstable. If you aren’t sure you can do this on your own, consider using SpyHunter to take care of the malware for you.
If you are determined to do this manually, here’s how:
Search for the Registry Editor in the Start Menu and open it with Admin rights.
Open the Edit Menu, then click Find, and type NoqotApp.
Search for related entries and if anything is found, delete the key (folder) in the left panel that contains it. Do one more search after each deletion to ensure there’s nothing else left.
Then also search for items related to the program (or programs) you uninstalled earlier. This is why you had to take note of their names.
Once all rogue keys are deleted, there will hopefully be nothing left from the malware in your Registry and your system.
This is a list of all the registry keys NoqotApp creates:
HKEY_CURRENT_USER\Software\Haye Cosq\NoqotApp\Path
HKEY_CURRENT_USER\Software\Haye Cosq\NoqotApp\Version
HKEY_CURRENT_USER\Software\Haye Cosq\{10600033-A088-43AB-8B0A-E5B5B72293BD}
HKEY_CURRENT_USER\Software\Haye Cosq\{10600033-A088-43AB-8B0A-E5B5B72293BD}\LanguageIdent
HKEY_CURRENT_USER\Software\Microsoft\RestartManager
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Owner
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\Sequence
HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000\SessionHash
HKEY_CURRENT_USER\Software\Microsoft\Windows Script
HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings\JITDebug
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Config.Msi\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Users\user\AppData\Roaming\Haye Cosq\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\Required\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\bin\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Users\user\AppData\Roaming\Haye Cosq\NoqotApp\git\cmd\
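After finishing the file and registry steps, the leftovers can be re-checked in one pass. The PowerShell below is an added example, not part of the original guide, and it only reads. It checks the entries that carry the vendor or app name given above; the RestartManager and Windows Script paths in the list are Windows component locations rather than app-specific ones, so it does not report them.

```powershell
# Added example (not from the original guide): read-only check for leftovers.
# Vendor and app names are the ones this guide gives; change them for a renamed variant.
$vendor = 'Haye Cosq'
$app    = 'NoqotApp'

$found = @()

# 1. Main install folder under the current user's roaming profile.
$appDir = Join-Path $env:APPDATA "$vendor\$app"
if (Test-Path -LiteralPath $appDir) { $found += "Folder:   $appDir" }

# 2. Both Startup folders: everything except desktop.ini is listed for review.
$startupDirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'),
    (Join-Path $env:APPDATA     'Microsoft\Windows\Start Menu\Programs\Startup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
        Where-Object Name -ne 'desktop.ini' |
        ForEach-Object { $found += "Startup:  $($_.FullName)" }
}

# 3. Per-user vendor key and everything below it.
$vendorKey = "HKCU:\Software\$vendor"
if (Test-Path -LiteralPath $vendorKey) {
    $found += "Registry: $vendorKey"
    Get-ChildItem -LiteralPath $vendorKey -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $found += "Registry: $($_.Name)" }
}

# 4. Windows Installer folder bookkeeping: the paths are stored as value names here.
$foldersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders'
$key = Get-Item -LiteralPath $foldersKey -ErrorAction SilentlyContinue
if ($key) {
    $key.GetValueNames() | Where-Object { $_ -like "*\$vendor\*" } |
        ForEach-Object { $found += "Installer value: $_" }
}

if ($found) { $found } else { "No $app leftovers found in the checked locations." }
```

The profile-based checks cover only the account that runs the script, so repeat it for each user profile on the machine.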