I heard from colleagues who’ve been infected with the “2012 security suite” – yet another in a long line of malware that pretends to be an antivirus program, able to shut down legitimate antimalware like McAfee, and gets itself embedded deeply in your system.
Another colleague posted the following instructions on how they got rid of the “2012 security suite” infection. I’m posting as-is with no firsthand knowledge of how well this would work for others, but in the spirit of sharing whatever smarter people have tried in hopes it helps a few others.
“I had to fix this one for a friend recently. I had to use 3 different tools and it took several passes to get it entirely cleaned out. Here’s what worked in the end (I make no guarantees of course):
- Download, install, and update Malwarebytes and SpyBot Search & Destroy. They are free. Do this on two computers, the one that’s infected and another one.
- Remove the drive from the system and connect it to the other system as a secondary drive. Boot that system into Safe Mode with Networking. Scan with Malwarebytes and allow it to remove anything it finds. Reboot into Safe Mode with Networking and run SpyBot and allow it to remove anything it finds.
- DO NOT REBOOT YET (if you reboot at this point you will be re-infected). First delete the following:
- %AllUsersProfile%\Application Data\ LocalAppData\kdn.exe
- All files in c:\windows\temp (Yes you will lose your browsing history and cookies, sorry)
- Your Temporary Internet Files (on the infected drive, not the system you’re running on)
- HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
- HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
- HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
- HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'
NOTE: If at any time during this process you find you can no longer start your applications, follow the instructions here: http://www.techerator.com/2010/03/virus-blocks-exe-files-from-opening-2/. You’ll find a fix that you can download and run.”
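As an added example (not part of my colleague’s post), here is a PowerShell audit script that reads the registry values and the dropped-file path listed above and reports which indicators are still present, so you can verify the cleanup before that risky reboot. It assumes the post’s indicator filename kdn.exe and the %LocalAppData% location from the registry entries; it only reads and reports, it does not delete anything.

```powershell
# Audit script (added example): report the "2012 security suite" indicators
# from the post that are still present. Read-only; remediation is manual.
$indicator = 'kdn.exe'   # dropped executable name, taken from the post

# (Default) values the post says were hijacked to launch kdn.exe.
# On a clean system the .exe/exefile open command is normally '"%1" %*'.
$commandKeys = @(
    'Registry::HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
)

# Named values the post lists as set to 1 by the infection.
$flagValues = @(
    @{ Key = 'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation'; Name = 'TLDUpdates' },
    @{ Key = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusOverride' },
    @{ Key = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallOverride' }
)

$findings = @()

foreach ($path in $commandKeys) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if ($null -eq $key) { continue }
    $cmd = [string]$key.GetValue('')          # '' selects the (Default) value
    if ($cmd -like "*$indicator*") { $findings += "HIJACKED: $path -> $cmd" }
}

foreach ($fv in $flagValues) {
    $key = Get-Item -Path $fv.Key -ErrorAction SilentlyContinue
    if ($null -eq $key) { continue }
    $val = $key.GetValue($fv.Name)
    if ($val -eq 1) { $findings += "FLAG SET: $($fv.Key) '$($fv.Name)' = $val" }
}

# The dropped executable itself, at the %LocalAppData% path the post's entries use.
$exe = Join-Path $env:LOCALAPPDATA $indicator
if (Test-Path -LiteralPath $exe) { $findings += "FILE PRESENT: $exe" }

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the post were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it in the same Safe Mode with Networking session, after the scans and deletions and before rebooting; any line it prints means a step above was missed.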