Tuesday, November 12, 2013

AFP Virus - Taskbar not appearing after clean

A virus with the same visual style can be very different under the hood. A client had the AFP virus, which shows the typical white screen with black writing warning the user that they will be turned over to the Australian Federal Police unless they pay, usually $100, via UKASH.

They delivered the computer last Saturday afternoon and I thought I could clean the machine in an hour as I normally do. The computer gave me access via Safe Mode and I tried to run Combofix (I downloaded it on another computer). Unfortunately Combofix froze, and then I tried Malwarebytes, which didn't pick up any issues.

I then manually cleaned the machine. I used msconfig to identify the virus components. I unclicked them and then went to the folders and removed the files.

As it was an XP machine I looked for files in "Program Files" and in the settings area in "c:\programs and settings\\local\application settings".

These viruses also usually install a driver, so I started up Device Manager, clicked "Show Hidden Devices", and in the "Non-Plug and Play Drivers" section I recognised the virus driver and removed it.

This allowed me to start the computer normally, except that the taskbar did not come up. This is usually a problem with explorer. After trying a few things I went into the registry and noticed that the Shell value under:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

had cmd.exe instead of explorer.exe. I fixed this setting and the computer booted normally. As for Combofix, I think that it froze because the client had 3 anti-virus programs running simultaneously.
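The Shell check described above, as an added PowerShell example that is not part of the original post. It audits the Winlogon Shell value in both the machine-wide key from the post and the per-user key (which, if present, overrides it), and restores the default only when run with -Fix from an elevated session; it assumes PowerShell 2.0 or later.

```powershell
# Added example: audit (and optionally repair) the Winlogon Shell value.
# Assumes PowerShell 2.0+ and an elevated session when -Fix is used.
param([switch]$Fix)

$expected = 'explorer.exe'
$keys = @(
    # machine-wide value (the one the post found set to cmd.exe)
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    # per-user override, honoured if it exists
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }

    $shell = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) {
        Write-Output "$key : no Shell value (default explorer.exe applies)"
        continue
    }

    # An exact match is required: 'explorer.exe, other.exe' is also a hijack,
    # because Winlogon launches every entry in the list.
    if ($shell -eq $expected) {
        Write-Output "$key : Shell = $shell (OK)"
    } else {
        Write-Output "$key : Shell = '$shell' (UNEXPECTED - desktop and taskbar will not load)"
        if ($Fix) {
            Set-ItemProperty -Path $key -Name Shell -Value $expected
            Write-Output "$key : Shell restored to $expected"
        }
    }
}
```

Run it without -Fix first to see what is set; the report line for each key makes it clear whether the value was missing, correct, or tampered with.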
