Saturday, March 26, 2011

Malware: Windows Enterprise Defender and Windows Diagnostics

A recent PC malware infection I cleaned up involved Windows Enterprise Defender and Windows Diagnostics.

This is a well-known piece of malware (Google it!) where the PC suddenly pops up a dialog that looks like it is scanning your PC and finds many viruses or spyware items. In fact, the idea is to scare people into clicking on something, either to buy a fake product or to let more malware into the computer. A Google search turns up many pages on this (see References below), but here is what worked for me.

Disconnect from the Internet - no LAN, no WAN.

Any software mentioned below is actually downloaded on another PC, burned to DVD and then used on the infected PC. To be safe I even avoided plugging any USB key or USB portable drive into the infected PC. The main idea is that nothing goes in or out of the infected PC while you are trying to cure it.

Install WinPatrol 2011

Install Malwarebytes 1.5.0, then run it and scan. Remove anything suspicious it finds.

Install the free version of Avira Antivirus. Before running a scan, go to
http://www.avira.com/en/support-vdf-update-info and download the relevant update files for Avira Antivirus.
Then open Avira, go to the Update menu and choose Manual Update.
It will ask where the file is; point it to the update file you downloaded manually from the page above.
After the Avira update, run several types of scan, such as Scan All Drives and Complete System Scan.
Remove anything that Avira flags as suspicious.

If you are unable to scan in any way, reboot Windows in Safe Mode and run the scans from there if possible.

Install the following software just to double check that there are no more surprises:
- Kaspersky Virus Removal Tool 2010
- Prevx Free 3.0
- TDSS Killer (also from Kaspersky)
- IObit 360
- Spybot Search and Destroy.

So far I have not had to change any registry settings manually.
The following registry entries listed on the 2-spyware site (see References below) were not present on my computer:
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\WindowsEDefender.DocHostUIHandler
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" => "http://search-gala.com/?&uid=7&q={searchTerms}"
HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes "URL"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "[xSP_2:61a6083b6194a2314e3dd54cf9615e36_7]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "876902803"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Enterprise Defender"
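As an added example (not part of the original post), here is a read-only PowerShell check for the registry indicators quoted above, so you can confirm on your own machine whether any of them are present before deciding on manual registry work. It assumes the entries are exactly as quoted from the 2-spyware page and should be run from an elevated PowerShell so that HKEY_USERS and HKLM are readable.

```powershell
# Added check script (not from the original post). Read-only: it only reports
# whether the registry indicators listed above exist on this machine.

# Keys whose mere existence is an indicator.
$indicatorKeys = @(
    'Registry::HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}',
    'Registry::HKEY_CLASSES_ROOT\WindowsEDefender.DocHostUIHandler'
)

# Value names whose presence under a key is an indicator.
$postPlatform = 'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform'
$indicatorValueNames = @(
    @{ Key  = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
       Name = 'Windows Enterprise Defender' },
    @{ Key = $postPlatform; Name = '[xSP_2:61a6083b6194a2314e3dd54cf9615e36_7]' },
    @{ Key = $postPlatform; Name = '876902803' }
)

# SearchScopes "URL" values count only if they point at search-gala.com.
$searchScopeKeys = @(
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes',
    'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes'
)

$hits = @()
foreach ($k in $indicatorKeys) {
    # -LiteralPath so the braces and brackets are not treated as wildcards
    if (Test-Path -LiteralPath $k) { $hits += "key exists: $k" }
}
foreach ($v in $indicatorValueNames) {
    if (Test-Path -LiteralPath $v.Key) {
        $names = (Get-Item -LiteralPath $v.Key).GetValueNames()
        if ($names -contains $v.Name) { $hits += "value '$($v.Name)' under $($v.Key)" }
    }
}
foreach ($k in $searchScopeKeys) {
    if (Test-Path -LiteralPath $k) {
        $url = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).URL
        if ($url -and $url -match 'search-gala\.com') { $hits += "SearchScopes URL = $url ($k)" }
    }
}

if ($hits.Count -eq 0) { 'None of the listed registry indicators were found.' }
else { 'Indicators found:'; $hits | ForEach-Object { "  $_" } }
```

The script changes nothing; if it reports hits, the 2-spyware instructions in the References cover the manual removal.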



References:
http://www.2-spyware.com/remove-windows-enterprise-defender.html
Seems to have very good instructions for removing Windows Enterprise Defender.


http://www.bleepingcomputer.com/forums/topic385402.html
Many searches point to this site. I have read it but have not actually tried the methods suggested there. The first step involves the TDSS Rootkit Removal Tool. The second step involves ComboFix. The reason I did not even start following this advice is that the ComboFix tool they suggest appears to be produced or hosted by the same website, bleepingcomputer. Apart from a potential conflict of interest, something just made me wary of using a piece of software, ComboFix, that is recommended by a forum run by the same company that distributes it.

The TDSSKiller.exe from Kaspersky may be worth a look.


http://answers.yahoo.com/question/index?qid=20110320101354AAZ6G8Y
