Playing remote tech support for a friend who opened a zip file (with an executable) included with the email below. I'm at a loss where to start.
Based on research, there are 25-30 variants of this reported 'trojan'
Variant I'm dealing with
-Hides the desktop
-Hides the task manager (and administratively disables access)
-Hides all programs under Start -> All Programs - folders appear empty
-When I boot in Safe Mode there is an additional 'Administrator' account.
-I have access to the registry
-Ran Malware Antibytes and it identified the hidden desktop, program folders, control panel, etc. (as changed registry settings)
-No system restore point available
-Zone Alarm shows no threats or problems with the system
-Believe the file has made registry changes and written itself to the Windows and System32 folders.
Problem: Don't know what this is called, so I don't know where to start the removal process...
Questions:
How to figure out what it's called to target the exact removal process?
Is there a way to safely open the exe to view its instructions and understand where it's dumping itself?
_____________________________
From: [email protected]
To:
Sent: 1/31/2012 1:12:11 A.M. Pacific Standard Time
Subj: USPS service. Get your parcel NO6429
FedEx notification,
Your package has been returned to the FedEx office.
The reason of the return is - Incorrect delivery address of the package.
Please print out the invoice copy attached and collect the package at our office.
FedEx Global.
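As an added example (not from the original poster), a PowerShell triage script that approaches the two questions from the defender's side: it hashes the extracted attachment so the sample can be looked up by hash instead of guessed by name, then reports the registry policy values that produce the hidden-desktop / disabled-Task-Manager symptoms, the Run-key autoruns, and hidden executables dropped into the Windows folders since the email date. The quarantine path and attachment filename are assumptions.

```powershell
# Added triage example (not from the original post). Run from an elevated
# PowerShell prompt, ideally in Safe Mode. The attachment path is an assumption.
$Attachment = 'C:\Quarantine\invoice.exe'   # placeholder: the extracted email attachment

function Get-Sha256 ($Path) {
    # SHA-256 via .NET so this also works on PowerShell 2.0 (no Get-FileHash there)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

if (Test-Path $Attachment) {
    "SHA-256 of attachment (look this hash up; do not run the file): " + (Get-Sha256 $Attachment)
}

# Policy values behind the reported symptoms (hidden desktop, Task Manager disabled,
# empty All Programs). Non-zero = restriction active; absent or 0 = normal.
$PolicyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDesktop' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoStartMenuMorePrograms' }
)
foreach ($c in $PolicyChecks) {
    $v = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -ne 0) { "RESTRICTION SET: $($c.Key)\$($c.Name) = $($v.($c.Name))" }
}

# Autorun entries: anything pointing into C:\Windows or System32 with an unfamiliar
# name is what to record before deciding on a removal.
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $RunKeys) {
    Get-ItemProperty -Path $k -ErrorAction SilentlyContinue |
        ForEach-Object { $_.PSObject.Properties } |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { "AUTORUN: $k\$($_.Name) = $($_.Value)" }
}

# Hidden executables written to the Windows folders on or after the email date (1/31/2012).
$Since = Get-Date '2012-01-31'
Get-ChildItem "$env:windir", "$env:windir\System32" -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Attributes -match 'Hidden' -and
                   $_.Extension -match '^\.(exe|dll|scr)$' -and $_.LastWriteTime -ge $Since } |
    Select-Object FullName, LastWriteTime, Attributes
```

The hash answers "what is it called" via a vendor or multi-engine lookup without executing anything; the remaining output is the record to keep before any cleanup so the removal can be verified afterwards.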