It's been a while since I've had to deal with a malware-laden PC, but my long streak of luck ran out this weekend when a family friend — who describes himself as computer illiterate — called.
"Every time I try to do anything on the computer," he told me, "I get a message saying it's infected, and I have to pay $US69 to clean it, but I tried to do that and I couldn't." He couldn't even navigate to the Mozilla site to download Firefox; Internet Explorer was completely hijacked.
So, armed with a thumbdrive loaded with Firefox and AdAware installation files, I headed over there to take a look. Here's what I found: The Norton AV trial subscription that came with Windows XP had expired and stopped protecting the machine, which was connected directly to my friend's broadband ISP with Windows Firewall turned off. Windows XP hadn't been updated since before SP2 had come out, because a friend of my friend told him not to trust any automatic updates. Because they might be spyware. Rogue software called XP AntiSpyware had taken over the machine.
XP AntiSpyware was the problem that prompted my friend to call, and it was the most hostile, insidious and difficult-to-kill malware I've ever seen. It looked completely authentic and felt impossible to stop. Masquerading as a spyware killer itself, it sat in the system tray with an icon that was an almost perfect replica of the Windows Security Center icon. When you tried to visit a website in Internet Explorer or do much of anything, XP AntiSpyware launched, and its window looked just like Windows Security Center. Once launched, it would start scanning your PC automatically and tell you, in alarming red pop-ups, that dozens of files were infected and that you should delete them. There was no quit, there was no uninstallation available in Add/Remove Programs, and all the program's options in its Settings area were greyed out/disabled. If you tried to run the real Windows Security Center or a program like AdAware, AntiSpyware would show up instead and start scanning again. If you tried to launch the Windows Task Manager (with Ctrl+Alt+Del), a message came up saying your computer administrator had disabled it — even though I was logged on as an administrator. There was no way to tell which startup entry the program was in msconfig, and when I restarted Windows in Safe Mode (F8 during boot) and tried to launch AdAware, this software started instead.
What a mess.
To fix it, I installed Chrome (which came bundled with AdAware). While AdAware itself wouldn't launch, Chrome thankfully would, and after some Googling, I found this lifesaving article, which describes what "XP AntiSpyware" really is:
During installation, XP AntiSpyware 2010 (XP Antivirus Pro 2010) will configure itself to run automatically every time you run any program that has an "exe" extension (99% of Windows applications). The rogue also uses this method of running to block the ability to run any programs, including antivirus and antispyware applications.
When XP AntiSpyware 2010 (XP Antivirus Pro 2010) is started, it will perform a system scan and detect a large amount of infections. All of these infections are fake, so you can safely ignore them. What is more, while the rogue is running, it will display various fake security warnings and notifications from the Windows task bar that have a "Spyware infection has been found" or "Tracking software found" header. However, all of these alerts are fake and, like the false scan results, should be ignored.
Last but not least, XP AntiSpyware 2010 (XP Antivirus Pro 2010) will hijack Internet Explorer and Firefox and display fake warnings when you [are] opening a web site.
The solution was two-fold: first, you had to do a manual registry edit that stopped the program from starting in place of AdAware or any other spyware scanner. The lifesaving article had the registry fix-it entries, which I will reprint here for posterity.
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
Here's what I did: I backed up the Windows registry, copied this text into Notepad, saved the file as fixme.reg, double-clicked it to apply the changes and restarted Windows. Only then did I get the first sign of progress: once the registry was fixed, Internet Explorer was actually able to load web pages. Sweet.
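The reason that .reg file works is that the rogue hijacks the .exe file association: it plants a per-user .exe key that points at a "secfile" ProgID whose open command runs the rogue instead of the program you clicked. As an added check (not from this post or the Smarterware article), the snippet below parses a registry export and reports whether .exe still resolves to the stock handler; the two exports and the rogue's path are constructed samples, and the parser handles only REG_SZ values.

```python
import re

# Constructed sample exports (not from the article's machine). The first reproduces the
# article's trick: a per-user .exe key -> "secfile" ProgID -> rogue (placeholder path) runs first.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"
[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Constructed\\Path\\rogue.exe\" \"%1\" %*"
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
# The same keys as they should look once the article's fixme.reg has been applied.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
USER, MACHINE = "HKEY_CURRENT_USER\\Software\\Classes", "HKEY_CLASSES_ROOT"

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: str}}; REG_SZ only, [-Key] deletions skipped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = None if line.startswith("[-") else line[1:-1]
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                # regedit escapes " and \ inside REG_SZ strings with a backslash
                keys.setdefault(current, {})[name] = re.sub(r'\\(["\\])', r'\1', raw[1:-1])
    return keys

def first_default(keys, subpath):
    """Default value under subpath, per-user classes first: HKCR is a merged view in which
    HKCU\\Software\\Classes wins, which is exactly why the rogue plants its key there."""
    values = (keys.get(f"{r}\\{subpath}", {}).get("(default)") for r in (USER, MACHINE))
    return next((v for v in values if v), None)

def check_exe_association(reg_text):
    """Follow .exe -> ProgID -> shell open command; ok is True only for the stock "%1" %*."""
    keys = parse_reg(reg_text)
    progid = first_default(keys, ".exe")
    cmd = first_default(keys, f"{progid}\\shell\\open\\command") if progid else None
    return (progid == "exefile" and cmd == '"%1" %*'), progid, cmd
```

Run it against an export made with regedit's File > Export of the .exe, exefile and HKCU\Software\Classes keys; anything other than exefile and "%1" %* means every double-clicked program is being routed through something else first.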
Second, you had to install a real spyware killer to kill XP AntiSpyware. (Imagine me trying to explain this to my computer illiterate friend. By now his eyes were glazed over.) Microsoft Security Essentials didn't detect it. At the article's suggestion, I installed Malwarebytes Anti-Malware and scanned away, cleaning off everything it found, including AntiSpyware.
From there the machine was usable, but still not ready for prime time. I ran Windows Update and got the machine Service Pack 3 and all the updates beyond that. (That alone was an hour and a half of progress bars and restarts. Did I mention this was a slow, year-and-a-half old HP PC from Costco?) I turned on Windows Firewall and set up Microsoft Security Essentials. I uninstalled Norton AV to get rid of its nagging pop-ups, and because my friend said that Windows was slow to start up, I ran msconfig and unchecked the stuff he didn't need to start up automatically (Java, QuickTime and some other annoying "helper" apps). When I was done, the machine was speedier, usable, and not littered with both legit and malicious system tray pop-ups about infected files and software updates.
If I had more time, I would have formatted the hard drive and reinstalled Windows from scratch, and then installed a hardware router with a firewall on it between the computer and his cable modem. At any rate, I advised my friend to change all of his passwords before he did anything else on the machine.
Then, I tried to explain to him that some notifications and updates (like Windows Updates) are good and needed and he should get them, and others are malware trying to get his money (like Antispyware XP). But how does someone like him know the difference?
If you're dealing with a malware situation and simply installing a spyware cleaner like AdAware ain't working, you may have to Google the specific problem you're having, like I did.
UPDATE: I should point out that the screenshot included in this post is NOT from the machine I cleaned, and it looks slightly different. My guy's PC must have had a different version of AntiSpyware, which seems to exist in many incarnations. However, if you click on the screenshot above you'll see a pretty funny typo — "Protect your Widows PC."
How to Remove XP AntiSpyware [Smarterware]