Had a call from a client this week, describing a “Microsoft logo down by the clock with a virus alert.” It wasn’t, but that was the message. This is on a recent vintage Dell box, XP Home, fully-patched, with antivirus and antispyware packages from one of the major companies. A yellow warning flag announced that “the system will now download and install more efficient antimalware program.” The bad English grammar was a bigger clue to the customer than anything else that this wasn’t normal.
Well, the yellow box was followed by a silent install of ContraVirus 2.0, which launched and started an apparent “scan” which resulted in “finding” 27 infections. I had the customer do an online spyware scan, which found and removed the problem, but it came back within a minute or two. Also had him uninstall ContraVirus from the add/remove list. That worked, too, but the flag came back, reinstalled, rescanned, and found the same infections each time, even though the system had been fully scanned by two other programs between the two CV “scans.”
OK, in the car, down the road… I had already looked up ContraVirus online–the reports describe it as either rogue antispyware, or being installed as a drive-by download by an affiliate. RogueRemover, from MalwareBytes.com, was said to take it out, so I took that with me, along with my usual software tools.
Here’s what the screen looked like when I arrived.
Took a look… Yes, it’s really easy to remove this, or so it appears; it heals. Ewido.net’s online scan takes it out, or RogueRemover, or add/remove programs, but it won’t stay gone; it reinstalls in less than 4 minutes, immediately if an Internet Explorer window is opened; there’s a browser helper object involved.
HijackThis reported this:
O2 – BHO: IEExtension Class – {DBE5BEE8-F032-11DB-826A-C4BB56D89593}
– C:\Program Files\ContraVirus\secieaddin.dll
O3 – Toolbar: Ad-Protect Toolbar – {EA038DDD-0FE0-41f5-BA60-FC3660529E71}
– C:\Program Files\ContraVirus\ToolBand.dll
But this one appears to be the self-repair program:
O4 – HKLM\..\Run: [Windows Updater Servc]
C:\WINDOWS\system32\xpuupdate.exe
It was this xpuupdate.exe that RogueRemover and all the other cleanups missed. I ran a drive search for ‘xpuupdate’–there was also a reference in the prefetch folder. I moved the files off c:, ran one more cleanup immediately with RogueRemover and this time, the cleanup stayed cleaned.
Back to the computer owner: He recognized that the yellow popup box looked like a Microsoft message, and also thought the system tray icon was from Microsoft, but also knew that advertising message puffery and bad English isn’t quite what to expect in a legit warning message.