Got the "2012 security suite" infection? This should fix it

I heard from colleagues who’ve been infected with the “2012 security suite” – yet another in a long line of malware that pretends to be an antivirus program, able to shut down legitimate antimalware like McAfee, and gets itself embedded deeply in your system.

Another colleague posted the following instructions on how they got rid of the “2012 security suite” infection.  I’m posting as-is with no firsthand knowledge of how well this would work for others, but in the spirit of sharing whatever smarter people have tried in hopes it helps a few others.

“I had to fix this one for a friend recently.  I had to use 3 different tools and it took several passes to get it entirely cleaned out.  Here’s what worked in the end (I make no guarantees of course):

  1. Download, install, and update Malwarebytes and SpyBot Search & Destroy.  They are free. Do this on two computers, the one that’s infected and another one.
  2. Remove the drive from the system and connect it to the other system as a secondary drive. Boot that system into Safe Mode with Networking.  Scan with Malwarebytes and allow it to remove anything it finds.  Reboot into Safe Mode with Networking and run SpyBot and allow it to remove anything it finds.
  3. DO NOT REBOOT YET (if you reboot at this point you will be re-infected).  First delete the following:
    • %AllUsersProfile%\Application Data\ LocalAppData\kdn.exe
    • %LocalAppData%\Temp\%UserProfile%\Templates
    • All files in c:\windows\temp (Yes you will lose your browsing history and cookies, sorry)
    • Your Temporary Internet Files (on the infected drive, not the system you’re running on)
  4. Now remove the drive from the second computer and put it back in the original computer.
  5. Boot into Safe Mode with Networking
  6. Turn off System Restore.
  7. Delete the following registry keys if they exist:
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation “TLDUpdates” = ‘1’
    • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command “(Default)” = ‘”%LocalAppData%\kdn.exe” -a “%1” %*’
    • HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command “(Default)” = ‘”%LocalAppData%\kdn.exe” -a “%1” %*’
    • HKEY_CLASSES_ROOT\.exe\shell\open\command “(Default)” = ‘”%LocalAppData%\kdn.exe” -a “%1” %*’
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command “(Default)” = ‘”%LocalAppData%\kdn.exe” -a “C:\Program Files\Mozilla Firefox\firefox.exe”‘
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command “(Default)” = ‘”%LocalAppData%\kdn.exe” -a “C:\Program Files\Mozilla Firefox\firefox.exe” -safe-mode’
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “(Default)” = ‘”%LocalAppData%\kdn.exe” -a “C:\Program Files\Internet Explorer\iexplore.exe”‘
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center “AntiVirusOverride” = ‘1’
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center “FirewallOverride” = ‘1’ 
  8. Run Malwarebytes and allow it to clean anything it finds.
  9. Reboot into Safe Mode with Networking
  10. Run Spybot and allow it to clean anything it finds.
  11. Assuming you are able to run your antivirus software, run a full scan of your system.
  12. Reboot normally.
  13. Scan with both tools and your anti-virus software.
  14. Re-enable system restore.

NOTE: If at any time during this process you find you can no longer start your applications, follow the instructions here: http://www.techerator.com/2010/03/virus-blocks-exe-files-from-opening-2/ You’ll find a fix that you can download and run.”
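As an added example that is not part of the original post or of the quoted instructions, the following PowerShell script is a read-only audit of the registry values listed in step 7 above, plus the `%LocalAppData%\kdn.exe` file those values point at. It reports which entries are present and whether they look hijacked; it deletes nothing, so it can be run before step 7 to confirm what needs cleaning and again after steps 8 through 14 to confirm the cleanup took. It uses only standard cmdlets (`Test-Path`, `Get-ItemProperty`); the `Registry::` provider prefix is how PowerShell reaches `HKEY_USERS` and `HKEY_CLASSES_ROOT`, which have no drive letter by default. It reads the live registry, so it belongs on the original machine (step 5 onward), not on the second machine with the drive attached as a secondary disk.

```powershell
# Added example, not from the original post: read-only audit of the registry
# locations the "2012 security suite" cleanup instructions tell you to check.
# Run from an elevated PowerShell prompt on the suspect system. Reports only.

# Each entry: registry key, value name, and a -like wildcard pattern that a
# hijacked value matches. PowerShell exposes a key's unnamed value as '(default)'.
$checks = @(
    @{ Key = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation'
       Name = 'TLDUpdates'; Pattern = '1' }
    @{ Key = 'HKCU:\Software\Classes\.exe\shell\open\command';    Name = '(default)'; Pattern = '*kdn.exe*' }
    @{ Key = 'HKCU:\Software\Classes\exefile\shell\open\command'; Name = '(default)'; Pattern = '*kdn.exe*' }
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command'; Name = '(default)'; Pattern = '*kdn.exe*' }
    @{ Key = 'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command'
       Name = '(default)'; Pattern = '*kdn.exe*' }
    @{ Key = 'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command'
       Name = '(default)'; Pattern = '*kdn.exe*' }
    @{ Key = 'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
       Name = '(default)'; Pattern = '*kdn.exe*' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusOverride'; Pattern = '1' }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallOverride';  Pattern = '1' }
)

# Returns the named value as a string, or $null if the key or value is absent.
function Get-RegValueOrNull {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $null }
    return [string]$prop.Value
}

# One result row per check: what is there, and whether it matches the pattern.
$findings = foreach ($c in $checks) {
    $value = Get-RegValueOrNull -Key $c.Key -Name $c.Name
    [pscustomobject]@{
        Key     = $c.Key
        Name    = $c.Name
        Present = ($null -ne $value)
        Suspect = ($null -ne $value) -and ($value -like $c.Pattern)
        Value   = $value
    }
}

# The registry values above all point at this file (assumed location, taken
# from the command strings in the instructions).
$kdnPath = Join-Path $env:LOCALAPPDATA 'kdn.exe'
$kdnPresent = Test-Path -LiteralPath $kdnPath

$findings | Format-Table -Property Key, Name, Present, Suspect -AutoSize -Wrap
"kdn.exe at $kdnPath present: $kdnPresent"

$suspectCount = @($findings | Where-Object Suspect).Count
if ($suspectCount -gt 0 -or $kdnPresent) {
    "ATTENTION: $suspectCount suspect registry value(s)" +
    $(if ($kdnPresent) { ' and the kdn.exe file' } else { '' }) + ' found.'
} else {
    'None of the listed indicators were found.'
}
```

Two caveats on reading the output. A `.exe` or `exefile` `shell\open\command` that reads anything other than `"%1" %*` means every program launch is being routed through another executable, which is exactly the symptom the NOTE above describes (applications refusing to start), so a `Suspect` hit on those rows is the strongest signal. The `AntiVirusOverride` and `FirewallOverride` values, on the other hand, can legitimately be `1` when someone has simply dismissed Security Center warnings, so treat a hit on those rows as something to investigate rather than proof of infection on its own.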
