Fake Antivirus: XP Internet Security 2011 disables .exe

April 6, 2011

The malware was sent by email. A message claiming to be from DHL (the package courier) says that a package is waiting for you and asks you to click a link; that is how the malware gets installed.

These are the symptoms:

  1. An "XP Internet Security 2011" window asks you to click to scan and remove the viruses it claims to have detected.
  2. You can't open any file; each time you click, the malware window comes up. It disabled your antivirus. If you keep clicking, sometimes the file/program runs after the malware's window appears. You can't close the malware's window by clicking the cross sign in the top-right corner, so leave it open and do your work in multiple windows.
  3. You can't get to the internet. If you open the browser, it shows a warning that your computer is infected, etc.

Solution:

  1. Try to run HijackThis and locate the virus. You might not be able to submit the log for analysis to www.hijackthis.de since you might not be able to get to the internet. You have to be careful here. I found the virus: %user profile%\Local Settings\Application Data\sbp.exe
  2. Use Unlocker to delete it. It deletes only on reboot. I couldn't find the process in Task Manager.
  3. After deleting the virus, you might be frustrated since you can't run any program. It seems the virus has changed the registry entry used for running .exe files; every time you click an .exe, a dialog box appears asking which application to open it with. So we have to repair the registry:
  4. Use Regedit from the DOS command prompt. You can't use Start -> Run -> Regedit directly as usual.
  5. Follow these steps:
     •    Click Start, Run and type Command
     •    Type the following commands:
          cd\windows (press "Enter")
          regedit (press "Enter")
     •    If Registry Editor opens successfully, navigate to the following key:
          HKEY_CLASSES_ROOT\exefile\shell\open\command
     •    Double-click the (Default) value in the right pane
     •    Delete the current value data, and then type:
          "%1" %*
          (quote-percent-one-quote-space-percent-asterisk)
     •    Navigate to:
          HKEY_CLASSES_ROOT\.exe
     •    In the right pane, set (Default) to exefile
     •    Exit the Registry Editor.
  6. After step 5, you will be able to run Malwarebytes. Let it clean up the rest.
  7. Finally, use CCleaner to clean the temporary files and the registry.
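The registry repair in step 5 can also be done without the Registry Editor, which matters when the fake antivirus blocks Regedit. The batch script below is an added example, not code from the original post; it uses reg.exe (present on Windows XP and later) to show the two values before the repair, restore them to the stock defaults the post lists, and show them again so you can confirm the change. Run it from an administrator command prompt.

```batch
@echo off
REM Added example (not from the original post): repairs the .exe file
REM association that the fake AV broke, using reg.exe instead of the
REM interactive Regedit steps. Run from an administrator cmd prompt.
REM Assumption: reg.exe is available (it ships with Windows XP and later).

echo Current values before repair:
reg query "HKCR\.exe" /ve
reg query "HKCR\exefile\shell\open\command" /ve

REM HKCR\.exe (Default) must point at the exefile class.
reg add "HKCR\.exe" /ve /t REG_SZ /d "exefile" /f

REM HKCR\exefile\shell\open\command (Default) must be "%1" %*
REM (the quoted program path followed by its arguments). Inside a batch
REM file a percent sign is doubled so that reg.exe receives it literally,
REM and the embedded quotes are escaped with a backslash for reg.exe.
reg add "HKCR\exefile\shell\open\command" /ve /t REG_SZ /d "\"%%1\" %%*" /f

echo Values after repair:
reg query "HKCR\.exe" /ve
reg query "HKCR\exefile\shell\open\command" /ve
```

If the "before" output already shows `"%1" %*` and `exefile`, the association is intact and the problem lies elsewhere (for example the malware's own handler registered under a different class), so compare the output before assuming the fix applied. Any value other than those two in the "before" listing is worth noting down, since it tells you which program the malware inserted in front of every .exe launch.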

Fake Antivirus: “Windows Restore”

April 6, 2011

After clicking "something", the fake software installed, and then dialog boxes and windows kept coming up again and again. Clicking any program produces that window, saying that the computer is infected and damaged and that you should run the program named "Windows Restore". The horrible warning window came non-stop. It disabled Task Manager and hid all programs and files. My favorite tool, Malwarebytes Anti-Malware, couldn't run. From experience, I didn't click the "Cancel" button, but clicked the cross sign in the top-right corner.

These are the steps I took to solve the problem:

  1. Using HijackThis, I found two .exe files belonging to the virus. They were in C:\Documents and Settings\All Users\Application Data\Microsoft; I couldn't delete them easily. I used Unlocker to delete them (deleted after reboot).
  2. After the reboot, the "Windows Restore" windows didn't come up anymore, but all files & programs were still hidden. After start-up, an error message came out saying it failed to find C:\WINDOWS\iS-2REFT.exe. The computer couldn't shut down; it hung at "Windows is shutting down".
  3. At that point, I could run Malwarebytes, so I ran a full scan. It caught 9 infected registry entries and files. But it didn't solve the symptoms: all files on the desktop were hidden. Finally, I changed the attributes of the files manually.
  4. The Symantec Endpoint AV caught Bloodhound.MalPE; after it was quarantined, the next day it caught it again.
  5. I downloaded and installed the newest version of CCleaner and cleaned files and the registry. The registry cleaning solved the error message at start-up. But suddenly, I couldn't open Add/Remove Software.
  6. I ran Malwarebytes once more; this time it repaired the registry entry for enabling Task Manager.
  7. For the shutting-down problem, I solved it using Regedit (Start -> Run -> Regedit), then searched the registry (using the menu Edit -> Find) for "WaitToKill" and set the value to 2000 (originally 20000).
  8. Finally, I turned off System Restore. The setting is reached by right-clicking "My Computer", clicking Properties, then the "System Restore" tab.
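Step 3 mentions changing the file attributes manually and steps 6 and 7 mention registry values without showing them. The batch script below is an added example, not code from the original post: it unhides everything under the current user's desktop with attrib.exe and then queries the registry values involved so you can see their state. The DisableTaskMgr policy value is my assumption about which entry Malwarebytes repaired; the post only says "WaitToKill", and two values with that name exist, so both are listed and neither is changed here. Run it from an administrator command prompt.

```batch
@echo off
REM Added example (not from the original post): after the fake AV is removed,
REM unhide the desktop files it set Hidden/System and check the registry
REM values the post mentions. Run from an administrator cmd prompt.
REM Assumptions: attrib.exe and reg.exe are present (both ship with XP);
REM the desktop to repair is the current user's.

set "DESK=%USERPROFILE%\Desktop"

echo Hidden items on the desktop before repair:
dir /a:h "%DESK%"

REM The post changed the attributes manually; this does the same for every
REM file and folder under the desktop: clear Hidden, System and Read-only,
REM recurse into subfolders (/S) and apply to the folders themselves (/D).
attrib -h -s -r "%DESK%\*" /S /D

echo Hidden items on the desktop after repair:
dir /a:h "%DESK%"

REM Task Manager: the post says Malwarebytes re-enabled it. Assumption: the
REM policy value involved is DisableTaskMgr (1 = disabled). If reg.exe
REM reports that the value cannot be found, the policy is simply not set.
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr

REM Shutdown timeout: the post searched for "WaitToKill" and set 2000
REM (originally 20000). Two values carry that name; the post does not say
REM which one was edited, so both are shown here and left unchanged.
reg query "HKLM\SYSTEM\CurrentControlSet\Control" /v WaitToKillServiceTimeout
reg query "HKCU\Control Panel\Desktop" /v WaitToKillAppTimeout
```

The second `dir /a:h` listing should be empty (apart from folders Windows itself keeps hidden, such as desktop.ini); anything still hidden after the attrib run is a file the current account lacks permission to modify, which is worth checking with Unlocker as the post did for the malware files.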

After those steps, the computer works normally and Symantec Endpoint finds no virus anymore. I will come back after several days to turn System Restore back on if there are no more problems.

 

