
*2012* Malware Variants

younghv
Some of the most commonly posted questions in the "Virus & Malware" Zones are related to the family of rogue malware with the date "2012" somewhere in the title.

Examples:
XP Antispyware 2012
XP Antivirus 2012
XP Security 2012  
XP Home Security 2012
XP Internet Security 2012  

Vista Antispyware 2012
Vista Antivirus 2012
Vista Security 2012
Vista Home Security 2012
Vista Internet Security 2012

Win 7 Antispyware 2012
Win 7 Antivirus 2012
Win 7 Security 2012
Win 7 Home Security 2012
Win 7 Internet Security 2012  

Proper repair of this malware is a 3-step process, using automated tools that are readily downloadable from the Internet.
1. Fix the registry.
2. Kill the rogue processes spawned by the malware.
3. Run the scanner to find/repair/delete the infection.

Links to the tools are:
1. FixNCR.reg (http://download.bleepingcomputer.com/reg/FixNCR.reg)
2. RogueKiller (http://www.geekstogo.com/forum/files/file/413-roguekiller/)
3. Malwarebytes (http://www.malwarebytes.org/) and
   TDSSKILLER (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)

Your first step is to fix the Windows registry so that the applications (.exe files) you choose to run will actually start. If you don't fix this first, the infection will launch itself instead of the tool/scanner you are trying to run.
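The reason the registry has to be fixed first is that these rogues rewrite the .exe file-association keys so that double-clicking any program starts the rogue instead. The following read-only PowerShell check is an added example (it is not from the article and is not FixNCR.reg or any of the listed tools); it reports whether those keys still hold the stock Windows values. The expected values (`exefile` for the `.exe` key and `"%1" %*` for the open command) are the Windows defaults and are the assumption this check relies on; the script changes nothing, so you still apply FixNCR.reg if it reports a problem.

```powershell
# Added example, not part of the article: audit the .exe association keys that
# the "2012" rogues hijack. Read-only: it only prints findings.
# Expected values are the stock Windows defaults (assumption stated in the lead-in).

$checks = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                                          Expected = 'exefile' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command';                     Expected = '"%1" %*' },
    @{ Path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe';                         Expected = 'exefile' },
    @{ Path = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command';    Expected = '"%1" %*' }
)

# HKCR is a merged view in which per-user classes (HKCU\Software\Classes) win over
# HKLM. A rogue commonly plants its own class name here, so the mere presence of
# these keys is worth reporting even before looking at their values.
$userOverrides = @(
    'Registry::HKEY_CURRENT_USER\Software\Classes\.exe',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
)

function Get-DefaultValue([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # '(default)' is how PowerShell exposes a key's unnamed default value
    return (Get-ItemProperty -LiteralPath $Path).'(default)'
}

$findings = @()
foreach ($c in $checks) {
    $actual = Get-DefaultValue $c.Path
    if ($null -eq $actual) {
        $findings += "MISSING  $($c.Path)"
    } elseif ($actual -ne $c.Expected) {
        $findings += "HIJACKED $($c.Path) = [$actual] (expected [$($c.Expected)])"
    }
}
foreach ($p in $userOverrides) {
    $v = Get-DefaultValue $p
    if ($null -ne $v) { $findings += "USER-OVERRIDE $p = [$v]" }
}

if ($findings.Count -eq 0) {
    'OK: .exe associations look stock; proceed to RogueKiller and the scanners.'
} else {
    'Suspicious .exe association entries found - apply FixNCR.reg before running any tool:'
    $findings
}
```

Run it from an elevated PowerShell prompt on the suspect machine. A HIJACKED line whose value points at a randomly named file in the user's profile or temp folder is the signature this article's first step exists to undo; a USER-OVERRIDE line is less conclusive on its own (some legitimate software registers per-user classes), so read the value before deciding.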

Next you have to stop the rogue processes that have taken control of your system. A related EE Article is here: https://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)

The third step is to run a reliable scanner application. My scanner tool of choice is “Malwarebytes” (MBAM). The free version linked above is available to anyone wanting to scan/repair their personal computer(s) – although I recommend the PRO version as a terrific layer of protection on top of your normal AV program. A PRO version is available for enterprise/network deployment, with significant discounts for multiple licenses.

After downloading and installing MBAM, click on the “Update” tab and make sure you have the latest definition files. These are updated several times a day, so you should always run the ‘update’ immediately prior to starting the scan. It is normally sufficient to just run the "Quick Scan" to clear away the malware, but I always run the “Full Scan” (as a precaution) before returning the computer to a customer.

Many malware variants are also carrying the "TDSS" payload which we need to check for as a matter of course. TDSSKILLER does a good job of this and is fairly simple to use.

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.

If the tool finds a hidden service, it will prompt you to type "delete"; you can also just press Enter without typing anything, and the scan will continue.

RogueKiller, Malwarebytes, and TDSSKILLER will all generate log files upon completion. If you are working with the EE Experts in a question, be sure to attach these log files to your question for them to review.

I am tempted to say that repairing this malware variant is as easy as “1, 2, 3”, but have been in the business way too long to make that kind of claim.

Although it is true that about 80% of the infected computers I repair ARE fixed with these 3 steps, there are times when I have to run additional scanners – and even post an Experts-Exchange question of my own and get some additional help.

For additional reading on malware repair, please see these other articles:

MALWARE - "An Ounce of Prevention..."
Basic Malware Troubleshooting
Rogue-Killer-What-a-great-name
Stop-the-Bleeding-First-Aid-for-Malware
Latest-Malware-Threat-Windows-Stability-Center


***Edit on 12/30/2011***

Please review the detailed comments down below (http:#c34001)

Depending on the variant of this malware you are trying to repair, the work may be much more extensive than what is detailed in this article.
Comments (32)

Kudos to younghv, for dedicating time and effort into investigating and analyzing malicious code. Congratulations on being the Author of the Year!
younghv (Author) commented:
rrjmin0 -
Thank you for saying that.

In all honesty, it was more than a little embarrassing. My articles reflect the efforts of a whole bunch of good guys who create the tools that help us fight malware - not my own work. I'm a pretty good mechanic, but they are the engineers.

The articles are popular because malware is ubiquitous and we have so many EE Members looking for help on the topic.

For really technical advice, follow the posts of rpggamergirl and Russell_Venable

Thank you again. I do appreciate the compliment.
You have done pretty well yourself, Youngv! Good motivation along with good intentions go a long way. The contributions you make are invaluable. Never forget this.
Oops, sorry mate, I didn't mean to embarrass you, and I'm well aware of the efforts of Russel Venable and rpggamergirl's excellent contributions.
I've been out of the industry for a couple of years and it's refreshing to come back to well documented information that is relevant to these current issues. I was impressed as it has helped me to get back up to speed in a relatively short time.
younghv (Author) commented:
rrjmin0 - Your comments were very flattering - as were Russell's. I guess I just need to enjoy it. As an aside, I just found out that I (or my grandsons) will be getting a new EE T-Shirt...which is always a cool thing.

The whole EE Articles concept has been a great idea. I will sometimes wander through some of the non-malware Zones and it is amazing to see the variety of 'right here, right now' usable advice that is posted.

Thank you for the comments.
