This is NOT funny

July 15, 2008

My husband got a malware virus thingy today, and we’ve spent at least half a day already trying to clean this thing off, with some help from the great guys at PC Guru. As of now we’re only at about step 2 of a roughly 6-step process, and already we’re five hours in. If the steps don’t work, we’ll have to take or send the PC to Perth for the PC Gurus to clean up using their special boot processes etc. They can’t do this remotely as they can’t access the machine (one of the nasty things this thing does), and they have special boot disks which mean they need physical access to the machine.

This thing is classic malware—it’s malicious and tenacious, and whoever made it thought it would be really funny to scare the bejesus out of anyone who gets it. So how is it malicious? Let me count the ways…

  • No executables will run from any of the standard shortcuts, or even when launched directly from their EXE files in Program Files. Trick: Rename the EXE to something meaningless and run it from Program Files. That seems to have worked for the programs we’ve tried to run. Of course, once the machine’s all cleaned up, we’ll have to remember to rename these files back.
  • The machine cannot get out to the internet, and I cannot see it across the network. No solution to that yet until after we’ve removed all traces of this nasty piece of work and we reboot and retest. And possibly run more scans for spyware, malware, and viruses.
  • It installs its own desktop wallpaper, which is a bright blue screen with “Your system is infected” or similar written on it.
  • It installs its own screen saver and overwrites your screen saver’s settings. Now here’s the killer (NOT!)—the ‘screen saver’ is a blue screen of death (BSOD) with a plausible Windows error on it, followed a few seconds later by an animated graphic that makes it appear that Windows is restarting. This is followed by another BSOD message and another apparent reboot, ad infinitum. But it’s not—it’s a screen saver. Moving the mouse didn’t appear to disable it, but pressing a key did, and we got back to the normal screen where we can see the virus scanner still running. All I can say is that by the time we saw that first BSOD, we were already worried, and that just made an uncomfortable situation downright scary. And ANGRY. Angry at the toe-rags who think that writing this stuff is funny, who think that disabling someone’s machine is funny, who think that a BSOD and restart graphic are funny, and who have obviously never wasted hours of valuable work time trying to get a machine back to a useable state. A pox on all of them! (actually, our words were much nastier and ruder than that…)
  • It installs all sorts of nasties on your machine without your permission—system tray icon, desktop icon, link in the list of programs, and although we haven’t tried rebooting yet, I’ve read that it also installs stuff in the startup folder, and that some of this stuff looks legitimate (e.g. rundll32.exe) when it’s not.
  • It looks like a legitimate Microsoft program for a while, and uses icons similar to Windows Defender.
  • It runs a fake scan that reports that your machine is infected with hundreds or thousands of virus, spyware or malware files, when the REAL culprit is this application.

So what is this nasty piece of work? It’s a program called “Antivirus XP 2008”. Google it.

If you see it, run, don’t walk, to your nearest system admin or computer guru to help get it cleaned off your machine. We’re trying these steps:

  1. Run a spyware catcher and delete everything it finds.
  2. Run the virus scanner and do a full, deep scan, which is taking much longer than expected as it includes the external 500 GB hard drive.
  3. Clean out the startup folder of some of the nasty files it adds.
  4. Rename the browser executable to see if we can run it and thus access the internet. If so, run a virus scanner from the internet.
  5. Reboot and pray.
  6. If necessary, rerun all the above…
  7. If absolutely necessary, drive 3 hours to Perth (and back—a 6 hour round trip that will be about $100 just in fuel) to drop off the machine to be purged of this horrible thing. Then a few days later when they’ve cleaned it up, drive another 6 hours to pick up the machine and bring it home, or get it shipped back to us.
  8. Pay the PC Guru invoice (they have to be paid for their labour) and fume about the cost of the malware removal and the cost of the lost productive work hours that this software has wreaked.

All because someone thought that creating this was a good idea. If they’re that clever, why not put those brains to work to produce something amazing for the world.

I hope there’s a special place in Hell for those who have nothing better to do with their time than create this stuff. Am I angry? You bet!

Update 16 July 2008: After the keyboard froze at some point during the virus scan, rebooting, and rerunning the virus scan (just on the C drive this time!), as well as changing the screen saver and wallpaper, we FINALLY got to bed at 3:30am last night. This morning we’ve spent a couple of hours manually removing files and hacking the registry to get this thing off the machine. We still have a couple of issues:

  • Firefox will not open when it’s called firefox.exe—changing the name to something else allows it to run.
  • IE crashes on opening. Changing its name to something else allows it to run too.
  • Trying to get to an online virus scanner like Trend House Calls brings up a ‘problem loading page’ page. Same for trying to get to other virus and spyware removal websites. Other websites seem to work fine.

So this thing still has its hooks in somewhere. Someone who didn’t have access to another PC would be shot as they can’t run their browser, and, even if they figure out how to, they can’t access the sites that might allow this malware to be removed. They’d probably be forced into clicking this malware’s link and paying over money to get the so-called spyware it found removed. According to some forums, that’s a recipe for disaster as this thing just takes your money and does little or nothing.
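The post never says where those hooks are, so here is an added read-only triage script (not from the post, nor from PC Guru) that lists the places where the symptoms above are usually anchored: per-image “Debugger” hijacks (which would explain why a browser runs only after being renamed), the screen saver and wallpaper settings, Run keys and Startup folders, and hosts-file entries for security vendor sites. It assumes a Windows machine with PowerShell and that the locations checked are the usual suspects for this class of rogue anti-virus, not ones confirmed by the post.

```powershell
# Added triage script, not from the original post. Read-only: it prints what it finds
# so a human can review it; it changes nothing. Locations below are assumptions about
# where this kind of rogue anti-virus usually hooks in, not facts stated in the post.

$ifeo    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$watched = @('firefox.exe', 'iexplore.exe', 'explorer.exe', 'regedit.exe', 'taskmgr.exe')

Write-Host '== Per-image Debugger hooks (would explain "runs only when renamed") =='
foreach ($exe in $watched) {
    $key = Join-Path $ifeo $exe
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Write-Host "  $exe -> Debugger = $dbg" }
    }
}

Write-Host '== Screen saver and wallpaper (where a fake BSOD saver would be set) =='
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
Write-Host "  SCRNSAVE.EXE = $($desk.'SCRNSAVE.EXE')"
Write-Host "  Wallpaper    = $($desk.Wallpaper)"

Write-Host '== Run keys and Startup folders =='
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($rk in $runKeys) {
    $props = (Get-ItemProperty -Path $rk -ErrorAction SilentlyContinue).PSObject.Properties
    foreach ($p in $props) {
        if ($p.Name -notlike 'PS*') { Write-Host "  $rk : $($p.Name) = $($p.Value)" }
    }
}
$startup = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($sf in $startup) {
    Get-ChildItem -Path $sf -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host "  $sf\$($_.Name)" }
}

Write-Host '== hosts entries naming security vendors (would explain "problem loading page") =='
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hosts -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and
                   $_ -match 'trendmicro|housecall|symantec|mcafee|kaspersky|safer-networking|microsoft' } |
    ForEach-Object { Write-Host "  $_" }
```

Anything listed under the Debugger or hosts sections that you did not put there yourself is worth showing to whoever is cleaning the machine; a hosts line redirecting a vendor site to 127.0.0.1 is the classic cause of the blocked online scanners.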

I’ve reported these issues to my PC guys, they’re investigating and will try and come in remotely to remove the last of these hooks, assuming they can get remote access. Otherwise, we will have to make that trip to Perth…

Update 19 July 2008: I’m bushed! The PC Guru guys tried to access the computer remotely while we were away on Thursday, but couldn’t get in. Was this the malware or something else? Meantime, they told me that they had another machine on their workbench with this thing on it that was in a slightly more advanced stage than our machine—they were monitoring what it did and were using that machine to throw all sorts of solutions at it. So far, with little effect. Just when they thought they’d cleaned off all vestiges of it, it would replicate itself under other names.

We left my folks’ place early on Friday morning to get home early enough to check the machine and see if the guys could get in remotely with my help. Yep. But again, they could only remove so much of this thing without it coming back in another guise on reboot. The prognosis and recommendation from them? Reinstall Windows XP and reformat the hard drive in the process. Drastic steps, especially when I’ve never done this before. So we removed as much data as we thought my husband still needed (most was on an external hard drive and the server, so there wasn’t too much—but we completely forgot his Word templates as we found out later…).

I had to go to the storage unit (!) to get the Windows XP SP2 disk out of my old Microsoft Action Pack Subscriber (MAPS) disks, then start the LONG process of reformatting and reinstallation, fortunately with the help of the PC Guru guys on the other end of the phone (I think my pre-paid support plan with them has now run out…). One of the first hurdles was that the Microsoft product keys on the back of the MAPS XP disk were deemed invalid! I must’ve spent some 2 hours on various phone calls to Microsoft to get that sorted. It seems the product keys I was given for the XP disk I had were for OEMs, which is why they didn’t register even though they were valid keys (no, I don’t know what that means either). Anyhow, after confirming the information on the CD (did you know that there’s a part # inscribed on the inside ring of the data side of the CD?), the very helpful Zar in Microsoft’s Tech Support Centre in Malaysia generated me a new product key—which worked.

Once I got the OS reinstalled, it was time to download and install SP3 (Zar advised me that doing so BEFORE installing any non-Microsoft software would cause the least problems; installing SP3 after installing non-MS software “could cause problems”, he admitted). Then I had to find things like the audio driver and install it (“It’ll be on the CD that came with the motherboard… Use the DirectX Diagnostic Tool to find out what motherboard you’ve got” Huh? [Start > Run > dxdiag—a neat little tool, BTW]).

Next step was getting the PC re-attached to the domain and the network (Hint: If you’re using Windows Small Business Server 2003 you can do this via the browser: http://<servername>/connectcomputer). Some of that ended up being pretty simple (meaning there were few problems), and I was able to remap network drives, successfully send a test page to the printer, etc.

We went out for a meal last night, then came home and watched the football—I was well and truly done with computers!

Today it was time to reinstall the software, starting with the Microsoft Office 2003 and SP1 disks. Then came the usual tools—WinZip, Adobe Reader, Firefox, PaintShop Pro, etc. That took much of the morning. With the help of the PC Guru guys, I’ve learned how to force a System Restore point (Start > Programs > Accessories > System Tools > System Restore), so I created several of them at critical points along the way—just in case…

One of the last things to do was to install and configure the antivirus software I bought for my laptop (a 3-user copy of Trend Internet Security). As an aside: What a pleasant, helpful interface Trend has! And all in plain English that tells you what effect each of the settings has; also, all the user assistance is right there where you need it, not locked away in a Help file. I ran a virus scan after installing Trend, and was amazed that some 80,000 files were installed as part of the OS and the basic software! BTW, no viruses or other nasties were found.

Last, I installed SpyBot—the helpful program we used to identify and clean some of this malware’s files. After installing SpyBot, we did another scan and found a couple of browser cookies (advertising gumpf) from websites we’d visited using Firefox, but that was all. Another system restore point was created at the end of all this.

It was time to let my husband loose on his ‘new’ computer…

PS: When I finished talking to the PC Guru guys late on Friday, they told me that this malware was starting to ‘eat’ data files… It’s damned nasty and has cost me nearly four days of my life.

Special thanks go to Nathan at PC Guru, and to Zar at Microsoft (Malaysia). With their assistance, knowledge, and patience, I’m now breathing much easier.

Tomorrow (Sunday) I’ll open up *my* shiny new laptop and start installing software, something I had hoped I’d be doing on Thursday and Friday… At least the whole process is fresh in my mind and so shouldn’t be unfamiliar to me (except for Vista, but that’s another story…)

Update 28 August 2008: Jesper Johansson, a Microsoft Windows Security MVP, has written a long article about this nasty piece of malware: Anatomy of a malware scam: The evil genius of XP Antivirus 2008. He loaded it on a virtual machine and watched it go through its paces—and he documented the steps. The full article is here:

Thanks Char, for alerting me to this article.

[Links last checked August 2012]


  1. Rhonda:
    You have my fullest sympathies.
    I have staggered and crawled all the way through that bleak, foul, noisome valley. And finally, like you, rising through the waters, up and out in a kind of born-again cleansing that feels more real than symbolic. (Including “where in the #@$%^!%$ did I put that program CD?”)
    Beginning July 15: you say only that your husband “got” the malware. At this point do you folks have any recollection of what may have prompted or allowed the malefactor to gain entrance? Opening an email from a friend with an innocuous subject line (and because innocuous and not specific and unique to that person, maybe, in retrospect, suspect). Or a click on a link? Or something else?

  2. Hi David

    Yep, we know how he got it. He was on a BitTorrent site, had downloaded some MP3s, and a “bonus tracks” EXE. He asked me before clicking on the EXE—I told him to right-click on it and check it with the virus scanner. Nothing was found. Had we had SpyBot installed and checked it with that too, it’s likely that he would have been alerted and thus not opened the EXE. As soon as he double-clicked the EXE, the infection was immediate.

  3. […] 26 July 2008: Better late than never… After dealing with the malware crisis and getting my new laptop, I FINALLY got to install Acrobat 9 on Vista on the new laptop. It works […]

  4. Hi Ronda,

    I don’t know any of the details of this particular malware, but the general advice these days is: get all the data you can off the machine (perhaps into a non-bootable partition in the worst case), and then delete the boot partition and re-install. It just becomes too hard otherwise.

    The Sysinternals guys give us a clue as to how hard it can be to remove malware. Check out all the possible startup locations in Autoruns. Rootkits are completely hidden from the operating system; Mark uses some tricks to try to scan for them. (Reg settings can also hide by writing zeros before the end of strings.)

    RootkitRevealer and
    AutoRuns for Windows

    I am not sure how mere mortals cope, as you say. My advice to them is never to run attachments, never download anything off the web unless you are sure it is safe and really need it. Keep your machines fully patched, run Spybot, an anti-virus, and a personal firewall, especially if you are not behind a NAT router. AND disable ALL scripting for the web (except for trusted sites).

  5. […] in me stopping some malware from taking over my husband’s computer. It was a variation on the malware he got a few years ago. Again, it was dressed up to look like a legitimate Microsoft security message/warning for […]
