Virus Warning: Softwarear (“Powerfull” PC Protection)

Posted by Dan | Posted in Nerd | Posted on 28-12-2010


Merry Christmas/Happy Hannukah/Hail Krampus/Praise Mithras/[insert other two-word-capitalised-Seasonal Greeting]

What does your family do at Christmas time?  The general tradition in our family is for everyone to get together, eat a lot of turkey, and then go: “Hey Dan, how are you?  Say, I’ve been having some trouble with my PC…” (cue me spending the next two days dismantling machines and pouring the software equivalent of bleach over family members’ hard drives.)

Being both a nerd and a pedant, I do actually take a lot of satisfaction from a repair job well done.  Most of the problems can be fixed with a healthy dose of CCleaner (‘Crap Cleaner’), TuneUp Utilities and Avast! Antivirus.  (Or, if I can get away with it, a complete format and the latest Ubuntu distro.)  Computers have always been a hobby of mine and I enjoy fixing them, even if it does mean that while the rest of the family are sitting with their feet up sipping Bucks Fizz and playing with their new presents, I’m on my knees cleaning cigarette ash out of my grandmother’s Sony VAIO.

Today I got around to looking at the machine my teenage sister uses.  It was the first rig I built, back when I was 18, and was already well-armed with maintenance and protection software when I gave it to her so it rarely has any problems.  But I have just finished wrestling to the death with one motherbitch of a virus that crept onto the machine, and am now full of both disgust and a little bit of admiration for whoever wrote it.  As part of my catharsis, here is a brief explanation of what it is and exactly how to kill it.

The Motherbitch Virus: Softwarear

The reported problem was “everything is going slowly and it’s making weird noises from inside the case.”  I immediately saw what she meant: just turning the machine on had the CPU fan sounding like it had a dying pigeon stuck inside it, and the machine would intermittently make a weird alien bleeping sound I have never ever heard it make before.  Something weird was going on, and before I went any further I cleaned and re-seated components inside the case in case something had come loose or clogged.  Made no difference.

I booted up and got this message:

I’ll admit, I skimmed it and clicked — expecting Security Centre to pop up.  What I should have noticed from the outset was that Avast! Antivirus had been disabled (the icon to the left, with the red x) and I have never seen that white and green icon on any Windows security thing ever.  And, if you actually read the text, you’ll see the tell-tale sign of a scam: Engrish.  The fact it was a scam became apparent to me when I saw what was brought up:

  1. A bullshit website written in terrible English
  2. An unheard-of antivirus scanner rearing its ugly head

Someone who wasn’t computer savvy could easily get lured in by this.  For me, it was the bad English that gave it away.  But other things to be wary of include the fact that Windows Security (which this purported to be) wouldn’t try to make you buy a specific product to fix a problem unless it were a Microsoft product.  It was also quite odd that the website opened in Internet Explorer, which wasn’t set as the default browser.

So this virus was invented by a sneaky little capitalist: it sneaks into your system, disables your antivirus software, then makes a conscious effort to make you aware of its presence by being downright annoying — including causing your machine to emit random bleeps.  Then it directs you towards the antidote and offers to sell it to you, disguising this extortion as the recommendation of your antivirus software.  I suspect that if you buy the product, the problems subside — leaving the virus buried in your system, but making both the retailer and the clueless customer very happy.

I downloaded a different (free) virus scanner from my own PC onto a flash pen, booted the machine into Safe Mode, uninstalled all old antivirus software, installed the new and up-to-date one, and performed a full scan.  Nothing.  No virus found, even though I knew there was one.  Crap.

Thankfully I found a guide written by another victim of this virus which saved the day.  I’ve taken this guide and turned it into a slightly more user-friendly walkthrough for those who find themselves victim of this virus (or find relatives who are) and don’t know what to do.

Killing the Motherbitch Virus:

  1. Boot into Safe Mode (generally this is done by repeatedly tapping F4 or F8 as the machine boots up)
  2. Click on Start and Run (alternatively, hold down the Windows Key and press R) (alternatively alternatively, just type ‘Run’ into the Start Menu for Windows 7/Vista users)
  3. Type %Temp% into the Run command box
  4. Everything in this folder is safe to delete, but what you’re actually looking for is a folder with a nonsensical name (mine was called ‘jqnhdhats’) and a nonsensical .exe file within that (mine was ‘gqbqjewlajb .exe’).  Find and delete
  5. Back up your Registry just in case anything goes wrong during the following steps (messing with the Registry can have bad consequences if you do it wrong)
  6. Open up the Run command again, and this time type regedit
  7. Find and delete all of the following entries:
  • HKEY_CURRENT_USER\Software\[nonsensical name]
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “RunInvalidSignatures” = ‘1’
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter “Enabled” = ‘0’
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyOverride” = ‘’
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyServer” = ‘http=127.0.0.1:59274’
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “ProxyEnable” = ‘1’
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations “LowRiskFileTypes” = ‘.exe’
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “[nonsensical name].exe”
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download “CheckExeSignatures” = ‘no’

Many thanks to TeeSupport for providing this solution.
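If you would rather confirm the infection before reaching for regedit, here is a read-only PowerShell audit of the indicators from steps 4 and 7 above. This is an added example, not code from the original post or from TeeSupport; it assumes PowerShell 3 or later, that the proxy port (59274 on the machine described) may differ between victims, and it reports rather than deletes, so step 5 still applies before you act on what it finds.

```powershell
# Added example, not code from the original post: a read-only audit of the
# indicators listed in steps 4 and 7 of the walkthrough. Requires PowerShell 3+.
function Find-SoftwarearIndicators {
    $inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie = 'HKCU:\Software\Microsoft\Internet Explorer'
    # Step 7 values, each with the condition that marks it as tampered with.
    # The proxy port (59274 on the post's machine) is assumed to vary, so any
    # loopback proxy counts as a hit.
    $checks = @(
        @{ Path = $inet; Name = 'ProxyEnable'; Bad = { param($v) $v -eq 1 } }
        @{ Path = $inet; Name = 'ProxyServer'; Bad = { param($v) $v -match '127\.0\.0\.1:\d+' } }
        @{ Path = "$ie\PhishingFilter"; Name = 'Enabled'; Bad = { param($v) $v -eq 0 } }
        @{ Path = "$ie\Download"; Name = 'RunInvalidSignatures'; Bad = { param($v) $v -eq 1 } }
        @{ Path = "$ie\Download"; Name = 'CheckExeSignatures'; Bad = { param($v) $v -eq 'no' } }
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'
           Name = 'LowRiskFileTypes'; Bad = { param($v) $v -match '\.exe' } }
    )
    $hits = @()
    foreach ($c in $checks) {
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $value = $item.($c.Name)
            if (& $c.Bad $value) { $hits += "{0} : {1} = '{2}'" -f $c.Path, $c.Name, $value }
        }
    }
    # Last step 7 entry: a Run value whose command line points into %Temp%.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        $tempPattern = [regex]::Escape($env:TEMP)
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match $tempPattern) {
                $hits += "$runKey : $($p.Name) = '$($p.Value)'"
            }
        }
    }
    # Step 4: an .exe inside a sub-folder of %Temp% (the post's 'jqnhdhats\gqbqjewlajb .exe').
    foreach ($dir in Get-ChildItem -Path $env:TEMP -Directory -ErrorAction SilentlyContinue) {
        foreach ($exe in Get-ChildItem -Path $dir.FullName -Filter '*.exe' -File -ErrorAction SilentlyContinue) {
            $hits += "Temp executable: $($exe.FullName)"
        }
    }
    return $hits
}

$found = @(Find-SoftwarearIndicators)
if ($found.Count -eq 0) { 'No Softwarear indicators found.' }
else { 'Indicators found (review, then delete per the walkthrough):'; $found | ForEach-Object { "  $_" } }
```

Run it in Safe Mode as the affected user, since the keys are under HKEY_CURRENT_USER; a clean machine should report nothing, and a loopback ProxyServer together with a Run entry under %Temp% is the combination described in the post.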

As you can see, it’s a sneaky little bitch that I suspect will be doing the rounds on vulnerable PCs this Christmas.  Be wary.  Of course, if you keep your antivirus software up-to-date you shouldn’t ever find yourself needing to do something as drastic as manually editing the registry.  So the moral of the story is: teach your relatives how to update their antivirus, and tell them not to go on dodgy sites in the first place.

PS: I will slap the first person to write “Wouldn’t happen with a Mac. Fnar” in the comments.

Comments (6)


17 January 2011 – I am from the UK and have just removed this very annoying virus (it shut down my access to my files). Many thanks for posting this very valuable solution to this problem virus. DAVID

Now this Motherbitch Virus opens in the Safe Mode and I cannot delete the files. Please help, what to do?

Yikes, that’s annoying.

Are you still able to open regedit? If so, just go ahead and follow the instructions.

I followed your steps up until step 7, and after I found the files, right-clicked and pressed delete, it didn’t allow me to delete them. Help?

Hmm. That’s either some security thing (if you’re on Vista or Windows 7 it could be User Account Control, perhaps?) trying to be helpful and stopping you, OR some buggeringly annoying new version of the virus which has grown wise to this approach of killing it.

Google is your friend for such a problem. Whenever you have any relevant text – for instance the exact wording of the error message which comes up – type it into Google “in quotation marks” to search for the complete phrase. After that, add a few key words like ‘virus’ and with luck you may find somebody else who has had the same problem and overcome it.

If not, boot from your Windows disk and select ‘Repair Windows installation’. I can’t guarantee it will fix it, but it is worth a shot. And if not, then I’m afraid you’re gonna have to use that Windows disk to completely format your drive and then re-install Windows.

ADVICE FOR ALL COMPUTER USERS: Pretty much every PC nowadays has at least 2 hard drives. The main drive – C: – is where Windows lives. Install programs and stuff to C:, but keep all your photos/music/documents on the other drive (usually D:). That way, when in a situation like this, reinstalling Windows doesn’t mean losing any of your valuable data.
