Fedex / UPS Virus - Spoof Email - Headache

tallman23

Playing remote tech support for a friend who opened a zip file (with an executable) included with the email below. I'm at a loss where to start.

Based on research, there are 25-30 variants of this reported 'trojan'.
Variant I'm dealing with:
- Hides the desktop
- Hides the task manager (and administratively disables access)
- Hides all programs under Start -> All Programs - folders appear empty
- When I boot in Safe Mode there is an additional 'Administrator' account.
- I have access to the registry
- Ran Malwarebytes and it identified the hidden desktop, program folders, control panel, etc. (as changed registry settings)
- No system restore point available
- Zone Alarm shows no threats or problems with the system
- Believe the file has made registry changes, written itself to the Windows and System32 folders.

Problem: Don't know what this is called to know where to start the removal process...
Questions:
How to figure out what it's called to target the exact removal process?
Is there a way to safely open the exe to view its instructions and understand where it's dumping itself?

_____________________________
From: [email protected]
To:
Sent: 1/31/2012 1:12:11 A.M. Pacific Standard Time
Subj: USPS service. Get your parcel NO6429

FedEx notification,

Your package has been returned to the FedEx office.
The reason of the return is - Incorrect delivery address of the package.
Please print out the invoice copy attached and collect the package at our office.

FedEx Global.
 
I typically take the drive out and install it into an external enclosure and then scan it on a pc that is up to date and clean it that way.
 
I get these once in a while. The email I use (Yahoo) has the ability to scan the attachments for viruses before you download them. They are typically always detected as viruses. Maybe he could move to a new email provider so he has the ability to scan the attachments if he really has the itch to download them.
 
- Hides the desktop
- Hides the task manager (and administratively disables access)
- Hides all programs under Start -> All Programs - folders appear empty
- When I boot in Safe Mode there is an additional 'Administrator' account.
- I have access to the registry
- Ran Malwarebytes and it identified the hidden desktop, program folders, control panel, etc. (as changed registry settings)
- No system restore point available
- Zone Alarm shows no threats or problems with the system
- Believe the file has made registry changes, written itself to the Windows and System32 folders.
I usually pull the drive and add it onto my bench rig and AV scan from there.
You can use Unhide to change the Hide attribute back to normal.
You don't say what OS, but in XP you always will see the true built-in admin account listed in safe mode.
I hate ZoneAlarm.
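As an added example, not code from anyone in this thread, the PowerShell script below audits the two things the replies point at: the Explorer/System policy values that hide the desktop, Control Panel and Task Manager, and Start Menu entries that still exist but carry the Hidden attribute. The value names are assumed from public Windows policy documentation, not from the thread; the script only reports unless run with -Repair, which should happen after the offline scan, not instead of it.

```powershell
# Added example (not from the thread). Read-only triage of the symptoms listed
# above; -Repair undoes them once the infection itself has been cleaned.
param([switch]$Repair)

# Policy values assumed from public Windows documentation. Each restriction is
# active when the DWORD is 1; the value is normally absent on a clean machine.
$policies = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoDesktop';      Symptom = 'desktop hidden' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel'; Symptom = 'Control Panel hidden' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr'; Symptom = 'Task Manager disabled' }
)

# Both hives: per-user policy (HKCU) and machine-wide policy (HKLM).
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($p in $policies) {
        $path = "${hive}:\$($p.Key)"
        $val  = (Get-ItemProperty -Path $path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
        if ($val -eq 1) {
            Write-Output "[$hive] $($p.Name)=1 -> $($p.Symptom)"
            if ($Repair) { Remove-ItemProperty -Path $path -Name $p.Name }
        }
    }
}

# Start Menu locations for XP-style and Vista+ profile layouts, plus each user
# profile found on the system drive (the "folders appear empty" symptom).
$roots = @("$env:ALLUSERSPROFILE\Start Menu",
           "$env:ProgramData\Microsoft\Windows\Start Menu")
$profileDirs = Get-ChildItem "$env:SystemDrive\Users", "$env:SystemDrive\Documents and Settings" -ErrorAction SilentlyContinue |
               Where-Object { $_.PSIsContainer }
foreach ($d in $profileDirs) {
    $roots += "$($d.FullName)\Start Menu"
    $roots += "$($d.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu"
}

foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    # -Force makes Get-ChildItem return hidden items so we can see what was hidden.
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object {
            Write-Output "Hidden: $($_.FullName)"
            # Clear only the Hidden bit; leave every other attribute untouched.
            if ($Repair) { $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::Hidden }
        }
}
```

Run it from an elevated prompt on the infected machine (or point the paths at a mounted drive from the bench rig); anything it reports is a starting list of what the sample changed, which is also what you would feed into a search for the variant's name.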

READ THIS: http://hardforum.com/showthread.php?t=1426658
 