King of Excellent (according to Scaryduck)

Thursday, October 23

XP Antivirus/Antivirus 2007/Antivirus 2008/XP Antispyware

Yesterday I had a call, not for the first time in the past couple of months, but this time the customer had been taken, hook, line and sinker. The call was something along the lines of "I have a virus, would you mind popping down."
"How do you know you have a virus?" I enquired.
"This XP Antivirus is telling me I have."
"Oh... shit."

This is a well-known piece of malware. It starts off as a pop-up that looks legit enough.

The customer then clicked "Remove All." Yes, he knows not to now...
This then installed XP Antivirus onto his PC. It does a 'full scan', finding some hundreds of viruses on the PC (there weren't any), and then offers to remove them for you. Clicking OK informs you that you need the paid-for version, and sends you to a web page to buy the full version for $49. Yes, he knows not to now...
After buying the software (for which he was actually billed £104), it then crashes his PC. That's when he calls me.
The problem I have is the PC with the dead version of Windows on it is the staff wages PC, and they have until 7pm that night to get it working.
I boot into safe mode, fire up my magic toolbox (an 80GB USB drive) and run HijackThis. Or I would, if the virus allowed me to. It would do nothing. The same with AVG, the same with Spybot. I can't get into the Control Panel, admin privileges have been removed; all in all, the PC's cattled.
So I install a second copy of XP alongside the existing one. I then install AVG and Spybot and do a full scan with both. AVG finds 137 viruses and removes them, and Spybot finds another 3 dodgy files that need removing. Meanwhile, the customer cancels his credit card.
I then reboot back into the old Windows, and after logging in it freezes without a taskbar or Start menu. I give it the three-finger salute (Ctrl+Alt+Del), then from Task Manager (New Task) run HijackThis, which this time runs. I can see that a few stray programs are listed, but with "(file missing)" behind them, so I remove those lines. I then run Spybot, which finds loads of registry changes that are kaput, and fixes them. On a reboot, everything (for the first time ever) is back to normal. I have successfully brought XP back from the brink. I can't tell you how satisfying it is, after tackling this virus 6 times before and ending up just wiping and reinstalling everything.
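The step that actually recovered the box, deleting the autorun entries HijackThis flags as "(file missing)", can be scripted. Below is an added example (not from the post, and not HijackThis's or Spybot's own code): a small Python script that parses a .reg export of a Run key, resolves each command line to its executable, expands %VAR% references and reports the entries whose file no longer exists. The .reg text, the set of present files and the environment mapping are constructed sample data, and the EXAMPLE_ value names are made up; on a real machine you would export the key with `reg export` and test the paths with `os.path.exists()`.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed .reg export of the per-machine Run key (sample data for this
# example, not taken from the post). Value names prefixed EXAMPLE_ are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"
"SpybotSD TeaTimer"="\"C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe\""
"EXAMPLE_rogueAV"="\"C:\\Program Files\\EXAMPLE_rogueAV\\rogue.exe\" /startup"
"EXAMPLE_dropper"="%SystemRoot%\\system32\\EXAMPLE_dropper.exe -q"
'''

# Constructed stand-in for the filesystem: the files that still exist after the
# AV/Spybot clean-up. On a live system use os.path.exists() instead.
PRESENT_FILES: Set[str] = {
    r"C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe",
}

# Constructed environment; on a live system read these from os.environ.
ENV: Dict[str, str] = {"SystemRoot": r"C:\WINDOWS", "ProgramFiles": r"C:\Program Files"}

# A REG_SZ line in a .reg export: "name"="data", with \\ and \" escapes inside.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')


def unescape(text: str) -> str:
    """Undo .reg escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r'\\(.)', r'\1', text)


def command_path(cmd: str) -> str:
    """Pull the executable path out of an autorun command line.

    A quoted command takes everything up to the closing quote; an unquoted one
    takes the text up to the first token ending in .exe (spaces in the path
    included), falling back to the first whitespace-separated token.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def expand_env(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references using the supplied environment mapping."""
    return re.sub(r'%([^%]+)%', lambda m: env.get(m.group(1), m.group(0)), path)


def parse_run_entries(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, command) for every REG_SZ value in the export.

    REG_EXPAND_SZ/binary values (hex(2):...) and deletions ("name"=-) are skipped.
    """
    entries: List[Tuple[str, str, str]] = []
    key = ""
    for line in reg_text.splitlines():
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        v = VALUE_RE.match(line)
        if v and key:
            entries.append((key, unescape(v.group("name")), unescape(v.group("data"))))
    return entries


def find_missing(reg_text: str, present: Set[str], env: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (value_name, resolved_path) for autorun entries whose target is gone.

    These are the "(file missing)" lines HijackThis shows: dead references left
    behind once the scanner has deleted the payload, which can be removed from the key.
    """
    present_lc = {p.lower() for p in present}
    missing: List[Tuple[str, str]] = []
    for _key, name, cmd in parse_run_entries(reg_text):
        path = expand_env(command_path(cmd), env)
        if path.lower() not in present_lc:
            missing.append((name, path))
    return missing


if __name__ == "__main__":
    for name, path in find_missing(SAMPLE_REG, PRESENT_FILES, ENV):
        print(f"{name}: (file missing) {path}")
```

Run against the sample it reports the two EXAMPLE_ entries. The check is deliberately narrow: it flags only references whose file is gone, the residue left after AVG and Spybot have deleted the payload, which is exactly why the post runs the scanners first and HijackThis second. An autorun entry whose file still exists needs a scanner verdict or manual inspection, not this script.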
And the customer now has AVG on his PC, which, believe it or not, had no protection whatsoever on it before. Yes, he knows now...