The infection got into the system from an infected windows media audio file (.wma). With lack of competent protection and outdated Windows XP SP2 OS (XP is on SP3 at time of writing with about 90 updates on top of it) the virus was able to easily exploit a vulnerability in media player and get into the system.

One unusual thing about this one is that the computer does not display anything on the C drive (C drive shows up empty) Also, “All programs” in the start menu shows empty:

Clearly the files in the C drive must be there since Windows is running (the Windows folder resides in the C drive) and further you can see that the files are there by executing a program using the run command. This tips us off that the files are made “hidden” by the malware. I will go over how to fix this problem after the infections are removed.

The cleaning:

I will use:

Malwarebytes (http://www.malwarebytes.org)

Spybot-S&D (http://www.safer-networking.org/en/download/index.html)

I downloaded the latest version of the programs on a clean computer. I also downloaded the latest offline definition files (I don’t usually like to allow infected computers to go on the internet). Spybot lists the includes (offline definitions) right below the program download.

Malwarebytes has the offline definitions at the following URL: http://malwarebytes.gt500.org.

I saved the four files (two program setups and two update executables) on a flash drive. Once you plug in the flash drive in the infected computer it will not show up in My Computer (remember the system does not display anything).

Get past this inconvenience by: Right clicking My Computer → click Manage. Under Computer Management select Disk Management → right click the volume on the right side → click Open. This will bring up the explorer window with your flash drive contents.

Note: Sometimes the malware prevents you from executing and installing a program. To get the install going you need to right click on the setup program → click Run as… → select “The following user” (administrator is usually already selected for you) if you have administrator password type it here if; you don’t then just leave the password field blank. This will allow you to install the program and updates.

Run the scan with both programs and let them identify the malware:

Once the scans are complete remove the detected files, restart the computer, connect to the internet and check for any updates for Malwarebytes and Spybot. After the program update is complete run another scan (many times the programs detect some leftover files or another malware on the second scan).

When you are finally done scanning and removing the infections the only thing left is to get your files to show up under Windows (the cleaning will not restore this).

We know that the malware made all files hidden. To make windows change the attribute back to normal, do the following:

Click Start → Run

type “cmd” in the run dialog (without the quotes) and press enter

At the Command Prompt dialog that opens type:

attrib -H C:\*.* /S /D

NOTE: FYI; this command tells Windows to remove the hidden attribute (that’s -H) in the C drive (C:\) for all files (that’s *.*) processes files in all directories in the specified path (/S) and all folders (/D). If you have any other drives affected by this you needs to change C:\ to the appropriate drive letter.

Here is the full reference from Microsoft:

________________________________________________________________________________________

Attrib

Displays, sets, or removes the read-only, archive, system, and hidden attributes assigned to files or directories. Used without parameters, attrib displays attributes of all files in the current directory.
Syntax:

attrib [{+r|-r}] [{+a|-a}] [{+s|-s}] [{+h|-h}] [[Drive:][Path] FileName] [/s[/d]]

Parameters

+r : Sets the read-only file attribute.

-r : Clears the read-only file attribute.

+a : Sets the archive file attribute.

-a : Clears the archive file attribute.

+s : Sets the system file attribute.

-s : Clears the system file attribute.

+h : Sets the hidden file attribute.

-h : Clears the hidden file attribute.

[Drive:][Path] FileName : Specifies the location and name of the directory, file, or set of files for which you want to display or change attributes. You can use wildcard characters (that is, ? and *) in the FileName parameter to display or change the attributes for a group of files.

/s : Applies attrib and any command-line options to matching files in the current directory and all of its subdirectories.

/d : Applies attrib and any command-line options to directories.

/? : Displays help at the command prompt.

_________________________________________________________________________________________

I have used the above method with success for many different infections of similar nature like XP Home Security 2011:

So here are few simple steps for adding a watermark to your image with Paint.NET:

• Open your image
• Click Layers in the menu bar and Add New Layer
• With the new Layer selected (the Layers window in Paint.NET is on the bottom right by default. If you turned it off you can get it back by going to Window->Layers). Click the text tool and type the text of your watermark.
   
  • NOTE: White color text is usually the best for watermarks
• Now double click the new Layer (in the Layers window) this brings up Layer Properties.
• In Layer Properties change the Mode to Overlay and adjust the Opacity to your liking (about 110 is usually what I pick).

• Save your image and you are done.

You will need to flatten the image. Don’t worry Paint.NET will prompt you to do this when you try to save the image in any standard format like .jpg (or you can always select your Layer and click Layers and Marge Layer Down from the menu).

• Side NOTE: If you have a server with good specs this is a great candidate for a Virtual Machine, in my case I don’t really have anything to spare at the moment.

With Windows 2008 SP2 I don’t fear loading Windows Server on a workstation anymore. In the past you did not even want to attempt this because workstations did not have any drivers for Windows Server. You ware stuck searching forever trying to find something compatible (sometimes with no luck). With Windows 2008 SP2 most drivers are there out of the box (specifically the ones for networking). In my case on a Dell GX520 I only need the audio and video drives (without any video drivers I can still set my resolution as high as 1600×1200 with 32bit). Another good thing is that most Windows 7 drivers work just fine in Windows Server 2008 SP2 (In my case the chip-set and Video drivers).

• Windows 2008 Install is very straight forward. I wiped the drive and let the system install (the install itself is about 30min on Intel Duo 3.2 with 4gb ram and SATA 7200 drives).
• The first thing I do on a clean install of Windows Server is load Firefox. I can’t stand IE even without the pointless Enhanced Security Configuration. Microsoft made IE block every single website (including their own) by default and called it a security feature; I suppose you can’t except much from a company with the security track record like theirs (I do think the rest of Windows Server 2008 is a big improvement over the past so at least that’s a step in the right direction). I also disable account control (anything that pops up for every single program is not a security measure, because you will get in habit of clicking continue every time anyway).
• Second step is updates (over 400MB at this point plus Service Pack 2). One of the most important things with servers is keeping them up to date. There are some exceptions to this rule (if you run old software on the server and you know updates will break it, or must wait for the updates to be approved by the vendor of the applications you are running. RIM has been known to do this).
• After this step I usually take care of the basic configurations.This includes:
  • Setting the time zone (unless Pacific works for you), put in the static IP, join the computer to the domain, and enable Remote Desktop. Microsoft makes this very easy by showing you a dialog with Initial Tasks.
  • Install Anti Virus

• Adding Server Role – After the server is configured, fully updated and running without any issues, the server roles are added (there is a link to it in the Initial Tasks dialog). In this case we choose Web Server (IIS). The features chosen for this install are: Common HTTP Features, Application Development, I also select Windows Authentication and Digest Authentication in security (the other check marks are left as they come by default).
• NOTE:- Windows will not say anything after the roles are installed, but you may need to restart your server to see the security roles under Authentication and also some of other features you may have selected.
• Configure IIS 7 to work with Active Directory
  • In Active Directory – create a global security group that you will use for access control to the website.
  • In IIS – (Windows Authentication must be installed for Active Directory)  Click the name of the website in the IIS Manager. This will display the home page:

  

  • Under Authentication make sure that Anonymous is disabled and Windows Authentication is enabled.
  • Under Authorization Rules you only need one rule. Click Add Allow Rule from the right hand side. In the next dialog select the third option (Specified roles or user groups), type in the name of the Active Directory group you created and click OK. All users that are in the group will have access to the server.

Now you are ready to publish forms from Visual Studio (if you are on another machine you need to put the name of the server in the properties before you publish).

Since I do not require anything special on my site. I will use the default site that comes pre-configured with the installation of the Web Server role.

If you want to read in detail about configuring a new site from scratch check out this blog:

http://mvolo.com/blogs/serverside/archive/2007/07/12/Creating-IIS7-sites_2C00_-applications_2C00_-and-virtual-directories.aspx

TechNet for IIS 7 is found here:

http://technet.microsoft.com/en-us/library/cc753433%28WS.10%29.aspx