
*2012* Malware Variants

Some of the most commonly posted questions in the "Virus & Malware" Zones concern the family of rogue (fake antivirus) malware with the year "2012" somewhere in the title.

Examples:
XP Antispyware 2012
XP Antivirus 2012
XP Security 2012
XP Home Security 2012
XP Internet Security 2012

Vista Antispyware 2012
Vista Antivirus 2012
Vista Security 2012
Vista Home Security 2012
Vista Internet Security 2012

Win 7 Antispyware 2012
Win 7 Antivirus 2012
Win 7 Security 2012
Win 7 Home Security 2012
Win 7 Internet Security 2012

Proper repair of this malware is a 3-step process, using automated tools that are readily downloadable from the Internet. The order matters:
1. Fix the registry (restore the .exe file association the rogue hijacks).
2. Kill the rogue processes spawned by the malware.
3. Run the scanner to find/repair/delete the infection.

Links to the tools are:
1. FixNCR.reg (http://download.bleepingcomputer.com/reg/FixNCR.reg)
2. RogueKiller (http://www.geekstogo.com/forum/files/file/413-roguekiller/)
3. Malwarebytes (http://www.malwarebytes.org/) and TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)

Your first step is to fix the Windows registry so that the programs (.exe files) you try to run actually start. This family hijacks the .exe file association; if you don't fix this first, the infection will launch itself instead of the tool/scanner you are trying to run, and every later step fails.
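A quick way to confirm step 1 before and after merging FixNCR.reg, as an added PowerShell example (this is not from the article and is not the contents of FixNCR.reg): it reads the .exe association keys and reports whether they still hold the Windows defaults, and which command Explorer would actually run for an .exe. The expected values ("exefile" and "%1" %*) and the per-user override location under HKCU\Software\Classes are standard Windows registry behaviour assumed here; the article itself does not name specific keys.

```powershell
# Added example (not from the article and not the contents of FixNCR.reg).
# Checks whether the .exe file association that the "2012" rogues hijack
# still holds the Windows defaults, and reports the command Explorer would
# actually run for an .exe.  Assumed defaults (standard Windows values):
#   HKCR\.exe                        (Default) = exefile
#   HKCR\exefile\shell\open\command  (Default) = "%1" %*
# A per-user entry under HKCU\Software\Classes overrides the machine-wide one
# in the merged HKCR view, so that location is checked as well.

function Get-RegDefault {
    # Return the (Default) value of a registry key, or $null if the key is missing.
    param([string]$Path)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

function Test-ExeAssociation {
    $expectedProgId  = 'exefile'
    $expectedCommand = '"%1" %*'
    $problems = @()

    # 1. Machine-wide association under HKLM\SOFTWARE\Classes.
    $machineProgId = Get-RegDefault 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe'
    if ($machineProgId -ne $expectedProgId) {
        $problems += "HKLM\SOFTWARE\Classes\.exe is '$machineProgId' (expected '$expectedProgId')"
    }
    $machineCmd = Get-RegDefault 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command'
    if ($machineCmd -ne $expectedCommand) {
        $problems += "exefile\shell\open\command is '$machineCmd' (expected '$expectedCommand')"
    }

    # 2. Per-user override.  On a clean machine HKCU\Software\Classes\.exe does not exist.
    $userProgId = Get-RegDefault 'HKCU:\Software\Classes\.exe'
    if ($null -ne $userProgId) {
        $userCmd = Get-RegDefault "HKCU:\Software\Classes\$userProgId\shell\open\command"
        $problems += "HKCU\Software\Classes\.exe redirects .exe to '$userProgId', whose open command is '$userCmd'"
    }

    # 3. Effective (merged HKCR) view: this is what runs when you double-click an .exe.
    $effProgId = Get-RegDefault 'Registry::HKEY_CLASSES_ROOT\.exe'
    $effCmd    = Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$effProgId\shell\open\command"

    # New-Object/PSObject keeps this working on the PowerShell 2.0 that XP/Vista can run.
    return New-Object -TypeName PSObject -Property @{
        EffectiveProgId  = $effProgId
        EffectiveCommand = $effCmd
        Hijacked         = ($problems.Count -gt 0) -or ($effCmd -ne $expectedCommand)
        Problems         = $problems
    }
}

$result = Test-ExeAssociation
$result | Format-List
if ($result.Hijacked) {
    Write-Warning 'The .exe association is not the Windows default: merge FixNCR.reg (step 1) before launching any scanner.'
} else {
    Write-Host 'The .exe association looks normal; proceed to step 2.'
}
```

Run it from an Administrator PowerShell prompt; XP and Vista need PowerShell installed separately (assumption: version 2.0 or later). Run it once before merging FixNCR.reg to see what the rogue changed, and again afterwards to confirm the effective command is back to "%1" %* before you launch RogueKiller.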

Next you have to stop the rogue processes that have taken control of your system. A related EE Article is here: http://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)

The third step is to run a reliable scanner application. My scanner tool of choice is “Malwarebytes” (MBAM). The free version linked above is available to anyone wanting to scan/repair their personal computer(s) – although I recommend the PRO version as a terrific layer of protection on top of your normal AV program. A PRO version is available for enterprise/network deployment, with significant discounts for multiple licenses.

After downloading and installing MBAM, click on the “Update” tab and make sure you have the latest definition files. These are updated several times a day, so you should always run the ‘update’ immediately prior to starting the scan. It is normally sufficient to just run the "Quick Scan" to clear away the malware, but I always run the “Full Scan” (as a precaution) before returning the computer to a customer.

Many of these variants also carry the "TDSS" rootkit, which you should check for as a matter of course. TDSSKiller does a good job of this and is simple to use.

* Download the file TDSSKiller.zip and extract it into a folder on the infected (or potentially infected) PC.
* Execute the file TDSSKiller.exe.
* Wait for the scan and disinfection process to finish; reboot if the tool asks you to.

If the tool finds a hidden service, it will prompt you to type "delete"; you can also just press "Enter" without typing anything and the scan will continue.

RogueKiller, Malwarebytes, and TDSSKiller will all generate log files upon completion. If you are working with the EE Experts in a question, be sure to attach these log files to your question for them to review.

I am tempted to say that repairing this malware variant is as easy as “1, 2, 3”, but have been in the business way too long to make that kind of claim.

Although it is true that about 80% of the infected computers I repair ARE fixed with these 3 steps, there are times when I have to run additional scanners – and even post an Experts-Exchange question of my own and get some additional help.

For additional reading on malware repair, please see these other articles:

MALWARE - "An Ounce of Prevention..."
Basic Malware Troubleshooting
Rogue-Killer-What-a-great-name
Stop-the-Bleeding-First-Aid-for-Malware
Latest-Malware-Threat-Windows-Stability-Center


***Edit on 12/30/2011***

Please review the detailed comments down below  (http:#c34001)

Depending on the variant of this malware you are trying to repair, the work may be much more extensive than what is detailed in this article.
Author: younghv