My Most Difficult Virus Cleanup
*** This event occurred in 2007, the client called me stating he had a virus. His computer was operating using Windows XP. I’m recalling the events based on my screenshots and notes. ***
One of my clients called me and stated that his computer was throwing up ads all over the place and some were pornographic.
The first thing I noticed was that his computer had a half dozen different “anti-virus” programs installed on it, and several were displaying popups from the system tray stating that the “System detected virus activities”. Ironically, his McAfee Anti-Virus didn’t detect anything. This was going to be a long clean-up.
After isolating the computer (he had dial-up Internet, so that was easy), I inserted my write-protected USB drive that contained all my tools for virus removal. I then started to search the hard drive and right away I noticed a strange folder with the name “Your Company Name”, and inside it was a sub-folder named “Your Product Name”. Alright, that is strange. Just after I found the folder, a pop-up window appeared. It was telling me that Spyware was installed on the computer and I could remove it by simply clicking the ‘Yes’ button, and if I didn’t want to I could click the ‘No’ button. Yeah, right, I’m falling for that one; that is what got my client into the trouble he is currently in. I am 100% sure that this warning is from a “Fake Anti-Virus” program.
A “Fake Anti-Virus” program is a computer program (what we call an App today) that looks like a real anti-virus program (today we would call them a “Fake Anti-Malware App”). The fake program is basically malware masquerading as a real Anti-Virus program. Often you will end up with a ton of these installed along with a bunch of other undesired programs. I launched one of the tools to help me clean up this mess, but first it had to scan and tell me what it had discovered. I came back to check the results, and a few seconds later Internet Explorer opened up with a web page to download and install Secure PC Cleaner. Nope, sorry, not happening. Then another pop-up appeared.
The next pop-up was “Porn Controls Your PC!” which is an ad for Secure PC Cleaner.
I took some time to archive the results of what I discovered, including screen grabs of more ads, which I will share below. Since the fake programs were easy to remove using Add/Remove Programs, I removed 13 different fake programs. I then cleaned out a long list of entries in his hosts file and performed a scan using a real anti-virus program, and he was clean and ready to go back online again.
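The hosts-file clean-up mentioned above is worth showing in code, because a malware-planted hosts entry is easy to miss by eye in a long file. The script below is an added example and not part of the original post or its author's tools: it parses a Windows-style hosts file, reports every mapping that is not the stock localhost entry (names sinkholed to loopback, which blocks a site, or pinned to some other address, which redirects it), and produces a cleaned copy that keeps only comments and the default loopback lines. The sample hosts content and the `.test` hostnames in it are constructed for the example.

```python
"""Audit a Windows hosts file for entries that hijack name resolution (added example)."""
import ipaddress
from typing import List, Tuple

# Names that legitimately map to loopback in a stock Windows hosts file.
DEFAULT_LOOPBACK_NAMES = {"localhost"}

# Constructed sample hosts content; not the client's real file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       update.example-av.test        # constructed: sinkholes an update server
127.0.0.1       www.example-av.test
198.51.100.7    www.example-search.test       # constructed: redirect to a foreign address
::1             localhost
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for each active mapping.

    Blank lines, comment lines and trailing '#' comments are ignored.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line: an address with no names maps nothing
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def audit_hosts(text: str) -> List[dict]:
    """Flag every mapping that is not the default loopback entry."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append({"line": lineno, "ip": ip, "names": names,
                             "reason": "unparseable address"})
            continue
        for name in names:
            if addr.is_loopback and name.lower() in DEFAULT_LOOPBACK_NAMES:
                continue  # stock entry, nothing to report
            if addr.is_loopback:
                reason = "blocked: name sinkholed to loopback"
            else:
                reason = "redirected: name pinned to non-local address"
            findings.append({"line": lineno, "ip": ip, "names": [name],
                             "reason": reason})
    return findings


def clean_hosts(text: str) -> str:
    """Return hosts content keeping only comments and default loopback mappings."""
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(raw)  # comments and blank lines are harmless
            continue
        fields = stripped.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # garbage line, drop it
        if addr.is_loopback and all(n.lower() in DEFAULT_LOOPBACK_NAMES
                                    for n in fields[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['ip']} -> {f['names'][0]}: {f['reason']}")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On Windows XP the live file is `%SystemRoot%\system32\drivers\etc\hosts`; read it into `audit_hosts` first and review the findings before writing anything back, since a site that the owner deliberately blocked will show up the same way as one a fake anti-virus program sinkholed.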
Here are some of the screen grabs from my clean-up.
Gee, it wants me to download and install another anti-malware tool, not!
This one claims it found adult images, movies and cookies, and traces of other illegal sites/content (I wasn’t aware that adult sites were illegal, hmmm, interesting).
Wow, 92% of all PCs are infected with threats that can’t be identified by most security programs.
Notice that during this session the built-in pop-up blocker for IE blocked 1,006 pop-ups. That is a little excessive.
All said and done, it took me several hours to stop the pop-ups (for every one that I stopped, a new one would trigger), investigate the cause, and clean up the damage.
It involved seven registry changes and about 150MB of bogus programs and data written to the computer (not including the browser cache).
Author
Welcome to the Average Joe Weekly blog. This is basically my place on the web where I can help spread some of the knowledge that I have accumulated over the years. I served 10+ years in the Marine Corps on Active Duty, but that was some 25 years ago.