
A Waste of Skills

Posted by: atomicthumbs | October 7, 2008 | 4 Comments |

Well, I just spent the better part of four hours (split between today and yesterday) attempting to remove various pieces of suckware from my brother’s computer.

I had him uninstall Avast so he could install NOD32, which I have found is much better and consumes less resources (important for a 1.8 gigahertz Pentium 4). For some reason, he couldn’t install it.

The next day, he decided to use BitTorrent to download Microsoft Office, because he didn’t want to wait for OpenOffice.org to download. (It was already on his computer.)

The 73MB 7-Zip self-extractor called “Microsoft Office 2003 Lite” was neither Microsoft Office nor Lite.

Instead, it installed a downloader, which downloaded three similar scam “antivirus” programs. These popped up ads, slowed down his computer, and disabled access to the All Programs section of the Start Menu, as well as any other things except the often-used programs, the pinned programs, and the Shut Down option. It also disallowed access to the Display control panel (so that he couldn’t change the background, which had been changed to the default Windows XP “Bliss” picture with a fake virus alert on top of it), the Task Manager, and C: (from My Computer, anyway).

I started solving it by putting Sysinternals Process Explorer (which I now know is a valuable tool) onto a spare flash drive, and adding an autorun.inf file to automatically open it. Then I found the suspicious processes (Smart-Antivirus-2009.exe, MicroAV.exe, and a variety of randomly named processes) and ended them, and downloaded the 30-day trial of ESET Smart Security. With Explorer.exe taking up most of the processor time (more about that later), it took most of the night to perform a full disk scan, finding 28 instances of various things in the end.

After a restart, almost all of the antivirus was gone, but it was still denying me access to the important things, as well as continuing to pop up fake “YOU NED SPYWARE PROTECTON OR YOUR COMPUDER WIL DYE” messages and Internet Explorer instances. I investigated this using the tool in Process Explorer that lets you find the process a window is attached to, and found that they were attached to explorer.exe. Explorer was also sucking up 97% of the CPU, as well as behaving strangely (switching windows away from what I was doing randomly). I investigated its threads, and found several mentions of a very suspicious-looking DLL which didn’t show up after a Google search. A look into the Windows\System32 folder (arranged by modification date) showed that some DLLs, their names consisting of random strings of letters, and a few other files had been added over the past day. I looked into one of the files and it mentioned a term (I forget what), which was revealed to be associated with a combination backdoor/downloader Trojan. I removed all the recently added DLLs, and restarted the computer. It fixed it partially (Internet Explorer stopped popping up), but everything else was still wrong.
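The manual triage above (sort System32 by modification date, then eye the random-letter names) can be scripted. This is an added example, not the author’s code or any tool from the post; the directory, file names and age thresholds are constructed stand-ins, and the name heuristic only ranks candidates for a human to look at.

```python
import os
import re
import tempfile
import time
from pathlib import Path

VOWELS = set("aeiou")

def looks_random(filename: str) -> bool:
    """Heuristic for machine-generated names: a letters-only core of 6+
    characters with almost no vowels, or one long consonant run. Abbreviated
    legitimate names (e.g. msvcrt) also score, so this ranks, it does not decide."""
    letters = re.sub(r"[^a-z]", "", Path(filename).stem.lower())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max(len(run) for run in re.findall(r"[^aeiou]+", letters) or [""])
    return vowel_ratio < 0.2 or longest_run >= 5

def recently_modified(directory, hours, now=None):
    """Return (name, looks_random) for files changed in the last `hours`,
    newest first: the 'arrange by modification date' view from the post."""
    now = time.time() if now is None else now
    cutoff = now - hours * 3600
    hits = []
    for p in Path(directory).iterdir():
        if p.is_file() and p.stat().st_mtime >= cutoff:
            hits.append((p.stat().st_mtime, p.name))
    hits.sort(reverse=True)
    return [(name, looks_random(name)) for _, name in hits]

def build_sample_dir():
    """Constructed stand-in for System32: two old system files, two planted
    within the last day (one random-named DLL, one rogue AV binary)."""
    d = Path(tempfile.mkdtemp())
    now = time.time()
    for name, age_hours in [("kernel32.dll", 24 * 400), ("shell32.dll", 24 * 400),
                            ("xkqzvtrb.dll", 5), ("MicroAV.exe", 6)]:
        f = d / name
        f.write_bytes(b"\x00")
        os.utime(f, (now - age_hours * 3600, now - age_hours * 3600))
    return str(d), now

if __name__ == "__main__":
    sample, now = build_sample_dir()
    for name, flagged in recently_modified(sample, 24, now):
        print(f"{'SUSPECT ' if flagged else '        '}{name}")
```

Run against a real System32 with `hours=24`, the recent list is short on a healthy machine, and anything flagged is a starting point for a hash lookup, not a verdict.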

Right now I’m reinstalling Windows. At the rates I run my computer business at, my brother would owe me $100, but I’m providing a 95% discount because I’m nice.

Whoever wrote this combination of programs, I admire your programming skills and your ability to turn a general-purpose computing device into a dedicated advertisement machine, unfixable by an ordinary user. I pity you because you felt you needed to put your programming skills to use like this, holding people’s computers for ransom.

The time is “22:37: VIRUS ALERT!”, according to my brother’s computer clock. I’m going to bed.


Responses -

Javacool SpywareBlaster and Spybot S&D w/ immunize is always a great place to start to keep rogue ActiveX garbage from installing. SmitFraudFix is your friend with the “windows av” garbage; it’s all too common now and has roughly 50-60 variants. HijackThis to find the garbage, safe-mode it, disable System Restore (loves to infect the rollbacks) and then have at it. You’ll probably have to rebuild the TCP/IP stack because it likes to kick the door in on the way out. CCleaner and CleanUp! will pick up the rest of the shit hanging out in temp directories.

I’m sure you know most of that stuff but I enjoy passing along what info I’ve learned. :) Happy trails.

Hey,

I work for what must be a similar computer maintenance shop, and over the course of my dealings with really, really infested machines, I’ve used some killer tools to remove them. Download these and add them to your toolkit.

Malwarebytes – completely removes AV2009 and other more professional-looking malware

ComboFix – resets Windows settings so the “VIRUS ALERT” goes away and the Start Menu items are restored. (I’ve seen the “VIRUS ALERT” bug on ~4 machines and fixed them all with ComboFix.)

Shoot me an email if these help you or you know of anything better!

Unlike the above two, I recommend you reinstall Windows; you won’t ever get it all out, since some of it may actually be running under the kernel at this point and be impossible to remove, especially on a single-core system.

Look up Blue Pill (sort of a demo of what malware can do and sometimes does do, I imagine).

Install a small Linux distro for him to do his net surfing and BitTorrenting (SliTaz or Debian, personally).

And install Windows and remove all the links to Internet Explorer (desperate times call for desperate measures) … and yes, even Firefox and Dillo and whatever other browser you can think of, and if possible make the browser executable hidden, maybe even hide the entire folder X.x

Also… did you kill explorer.exe (so it wouldn’t suck CPU)? You can do that and still run the AV… from the New Task button in the Task Manager.
