Cleaning Infected Windows XP Laptop

The computer boots into Windows and greets you with the fake WindowsRepair software:


The infection got into the system through an infected Windows Media Audio file (.wma). With no competent protection and an outdated Windows XP SP2 install (XP was on SP3 at the time of writing, with about 90 updates on top of it), the malware was able to easily exploit a vulnerability in the media player and get into the system.

One unusual thing about this one is that the computer does not display anything on the C drive (the C drive shows up empty). Also, “All Programs” in the Start menu shows up empty:

Clearly the files on the C drive must still be there, since Windows is running (the Windows folder lives on the C drive), and you can confirm this by launching a program from the Run dialog. This tells us that the malware has marked the files as “hidden”. I will go over how to fix this problem after the infections are removed.

The cleaning:

I will use:

Malwarebytes (http://www.malwarebytes.org)

Spybot-S&D (http://www.safer-networking.org/en/download/index.html)

I downloaded the latest version of the programs on a clean computer. I also downloaded the latest offline definition files (I don’t usually like to allow infected computers to go on the internet). Spybot lists the includes (offline definitions) right below the program download.

Malwarebytes has the offline definitions at the following URL: http://malwarebytes.gt500.org.

I saved the four files (two program setups and two update executables) on a flash drive. Once you plug the flash drive into the infected computer it will not show up in My Computer (remember, the system does not display anything).

Get past this inconvenience as follows: right-click My Computer → click Manage. Under Computer Management select Disk Management → right-click the volume on the right side → click Open. This brings up an Explorer window with your flash drive’s contents.

Note: Sometimes the malware prevents you from executing and installing a program. To get the install going, right-click the setup program → click Run as… → select “The following user” (Administrator is usually already selected for you). If you have an administrator password, type it here; if you don’t, just leave the password field blank. This will allow you to install the program and the updates.

Run the scan with both programs and let them identify the malware:

Once the scans are complete, remove the detected files, restart the computer, connect to the internet and check for any updates for Malwarebytes and Spybot. After the program updates are complete, run another scan (the programs often detect leftover files or additional malware on the second scan).

When you are finally done scanning and removing the infections the only thing left is to get your files to show up under Windows (the cleaning will not restore this).

We know that the malware made all the files hidden. To make Windows change the attribute back to normal, do the following:

Click Start → Run

type “cmd” in the run dialog (without the quotes) and press enter

At the Command Prompt dialog that opens type:

attrib -H C:\*.* /S /D

NOTE: This command tells Windows to remove the hidden attribute (that’s -H) on the C drive (C:\) for all files (that’s *.*), processing files in all subdirectories of the specified path (/S) and the folders themselves as well (/D). If any other drives are affected, you need to change C:\ to the appropriate drive letter.
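As an added example (this is not from the original post), the batch script below wraps the same attrib command so you can see what was hidden before you clear the attribute and what remains hidden afterwards. It takes an optional drive letter as its first argument (defaulting to C:) and writes a listing to %TEMP%; the drive-letter handling and the listing file name are my own choices. One caveat worth knowing: attrib -H will not touch files that also carry the System attribute (it reports “Not resetting system file” and skips them). Legitimate boot files such as ntldr and boot.ini are system+hidden on XP, so leaving them alone is exactly what you want; don’t add -S to the command just to silence those messages.

```batch
@echo off
rem Added example, not part of the original post.
rem Audit hidden entries on a drive, clear the hidden attribute the way the
rem post describes, then show what is still hidden (should be system files only).
setlocal

rem Optional first argument: drive letter, e.g. "D:". Defaults to C: (assumption).
set DRIVE=%1
if "%DRIVE%"=="" set DRIVE=C:

rem Save a full list of hidden files/folders before changing anything,
rem so you have a record of what the malware touched.
set BEFORE=%TEMP%\hidden_before.txt
dir %DRIVE%\ /a:h /s /b > "%BEFORE%" 2>nul
echo Hidden entries on %DRIVE% before cleanup:
find /c /v "" < "%BEFORE%"
echo (full list saved to %BEFORE%)

rem Same command as in the post: clear H on all files (/S recurses into
rem subdirectories, /D applies to the folders themselves). Files that also have
rem the System attribute are skipped with "Not resetting system file",
rem which keeps ntldr, boot.ini and friends as they should be.
attrib -H %DRIVE%\*.* /S /D

echo.
echo Still hidden after cleanup (expected: system+hidden files only):
dir %DRIVE%\ /a:h /s /b

endlocal
```

Run it from an administrator command prompt as, for example, `unhide.cmd` or `unhide.cmd D:`. If the “after” list shows ordinary documents or Start menu folders still hidden, the malware set the System attribute on them as well, and those specific paths can be fixed individually with `attrib -S -H <path>`.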

Here is the full reference from Microsoft:

________________________________________________________________________________________

Attrib

Displays, sets, or removes the read-only, archive, system, and hidden attributes assigned to files or directories. Used without parameters, attrib displays attributes of all files in the current directory.
Syntax:

attrib [{+r|-r}] [{+a|-a}] [{+s|-s}] [{+h|-h}] [[Drive:][Path] FileName] [/s[/d]]

Parameters

+r : Sets the read-only file attribute.

-r : Clears the read-only file attribute.

+a : Sets the archive file attribute.

-a : Clears the archive file attribute.

+s : Sets the system file attribute.

-s : Clears the system file attribute.

+h : Sets the hidden file attribute.

-h : Clears the hidden file attribute.

[Drive:][Path] FileName : Specifies the location and name of the directory, file, or set of files for which you want to display or change attributes. You can use wildcard characters (that is, ? and *) in the FileName parameter to display or change the attributes for a group of files.

/s : Applies attrib and any command-line options to matching files in the current directory and all of its subdirectories.

/d : Applies attrib and any command-line options to directories.

/? : Displays help at the command prompt.

_________________________________________________________________________________________

I have used the above method with success for many different infections of similar nature like XP Home Security 2011:
