First, I would like to thank the proprietors and members of this site; without your guidance and tools I would not have been able to rid myself of this nasty virus. I found this forum topic and this article particularly helpful. Because this virus so easily infected my computer (Win XP Pro Ver. 5.1.2600 SP 3 Build 2600; IE Ver. 8.0.6001.18702 Build 86001; Java Ver. 6 Update 21) and was so devastating, I am sharing my story as a cautionary tale. Also, I used a slight variation on the removal instructions contained in the above forum topic and article to rid myself of this virus. I should also mention that my computer is running Kaspersky Anti-Virus 6 (22.214.171.1242) with an up-to-date database. Kaspersky completely failed to detect or protect my computer from this virus. For what it was worth, Kaspersky's event log noted the virus' attempt to infect Kaspersky and that Kaspersky's self-defense feature protected it. But this bit of protection was not worth much, since Kaspersky was wholly worthless in the prevention and removal of this virus.
This started yesterday morning when I was searching for information on a fireproof safe. I did a Google search for "Safe Reviews". In the top five search results was a site with the URL "safesblog.com". This was the infected website. I clicked on the link in the Google search results and was taken to the site. This was all it took for the virus to infect my computer. Once the website loaded, my computer was infected; there was no clicking a link, false dialog box, control or other action required. The first sign of the infection was a small shield icon with the four Windows colors in the System Tray. The icon presented a warning bubble with a fake virus warning. Almost immediately thereafter the fake virus scanning window appeared (a picture of this window can be found in the article cited above). The virus had already altered the registry to prevent Windows Explorer from launching any exe files. The default action for all exe files was "Open". The Malware Bytes exe was disabled altogether (not even an Open dialog). Internet Explorer was also hijacked so that it presented a "virus" warning page.
Fortunately, I had access to another computer and I was able to locate this site and its advice and tools. I downloaded those tools to a thumbdrive and proceeded with the following steps to get rid of the virus:
1. Download the files identified in the above-cited article including the FixNCR registry export, xp_exe_fix registry export, all flavors of the Rkill program, and the Malware Bytes installer. Preferably to a thumbdrive using another computer if you have that option.
2. Shut down the infected computer and re-boot in Windows Safe Mode (My computer is on a network that requires domain authentication, so I used Windows Safe Mode with Network Support).
3. Insert the thumbdrive with the removal tools into a USB port on the infected computer.
4. Using Windows Explorer navigate to the thumbdrive (Windows Explorer is not Internet Explorer, it is the window that shows files and folders that opens when you click on a folder or the My Computer icon, etc.)
5. Right-click on the xp_exe_fix file. On the pop-up menu that appears click on Merge. This will apply the fix to the Windows registry for the problem Windows Explorer is having running exe files. This fix will not resolve the problem until you reboot the computer -- BUT DO NOT DO THAT NOW -- REPEAT DO NOT REBOOT YOUR COMPUTER AT THIS POINT. Applying this fix at this point appeared to correct an issue with the Malware Bytes installer launching Malware Bytes after installing it.
6. Right-click on the FixNCR file. This will apply further repairs to the Windows registry.
7. (This is where I deviate from the prior instructions.) Minimize the Explorer window showing your thumbdrive. Click on the Start Button. On the Start Menu click on Run. In the Run dialog box type "command" (do not type the quotation marks). This will launch the Command prompt (DOS prompt for those of you old enough to remember).
8. In the Command prompt navigate to your thumbdrive; in my case it was drive f:. Do this by typing "f:" (do not type the quotation marks -- this is also true for later typing instructions as well) at the prompt and hitting the Enter key on your keyboard. If your thumbdrive has a different drive letter, use that letter instead. To confirm you're in the right location, type "dir" and hit the Enter key. This should show a listing of the files on your thumbdrive, including the various rkill programs and mbam-setup.
9. At the Command prompt type the name of one of the rkill programs. I found that I had to use one of the pseudonym files, and I ran it twice in a row. Once Rkill has finished running close its log window.
10. At the Command prompt type the name of the Malware Bytes install program -- the name will be mbam-setup followed by a version number; type it exactly as it appeared in the directory listing above. This will launch the Malware Bytes install program. Follow its instructions and make sure it is set to launch Malware Bytes after finishing the install. If you already have Malware Bytes installed on your computer and do not want to install it again, then in the Command prompt window navigate to the Malware Bytes program folder -- likely c:\progra~1\malwar~1 -- and type mbam.
11. Have Malware Bytes perform a full scan and remove the infected files it finds.
12. Once Malware Bytes is done you may reboot your computer in normal mode. The virus should now be gone.
When I rebooted I found a condition where Windows Automatic Update was turned off and it could not be turned back on. I assume this was some leftover registry damage from the virus. I used Microsoft's Fix It utility to repair this issue (MS Knowledgebase Fix It).
I hope that nobody else has to deal with this virus. But if you do I hope the above is helpful. Also, stay away from the "safesblog.com" website like the plague (pun intended).
P.S. If anyone knows of the vulnerability this virus exploits to load itself by simply navigating to a website, I would be interested in hearing about it. I have not had the courage to venture back to the infected website with a newer version of Windows (Vista or 7) or Internet Explorer 9.
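As an added example (not part of the original post or of the tools it links), here is a small Command Prompt batch script that reads back the settings this kind of rogue antivirus tampers with, so you can confirm after the reboot in step 12 that the exe file association, Automatic Updates and the Internet Explorer start page are back to normal. It assumes the standard Windows XP registry locations and service name named in the comments; run it from an administrator Command Prompt on the cleaned machine and compare the output with the expected values.

```batch
@echo off
rem Post-cleanup sanity check for the rogue AV removal described above.
rem Added example, not from the original post. Assumes default XP
rem registry paths and the "wuauserv" Automatic Updates service name.

echo [1] .exe file association (expected default value: exefile)
reg query "HKCR\.exe" /ve

echo.
echo [2] exefile open command (expected default value: "%%1" %%*)
rem A rogue AV redirects this so every exe launch runs its own binary.
reg query "HKCR\exefile\shell\open\command" /ve

echo.
echo [3] Automatic Updates service (expected START_TYPE: AUTO_START, STATE: RUNNING)
sc qc wuauserv | findstr /i "START_TYPE"
sc query wuauserv | findstr /i "STATE"

echo.
echo [4] Automatic Updates setting (AUOptions 1 = disabled, 4 = automatic)
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v AUOptions

echo.
echo [5] Internet Explorer start page (should be the page you chose, not a "virus warning" page)
reg query "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page"
```

If item 1 or 2 shows anything other than the expected value, re-merge the xp_exe_fix registry export from step 5 before trusting any exe you launch; if item 3 shows DISABLED or a stopped service, that matches the leftover damage the post repaired with Microsoft's Fix It.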