ContraVirus cleanup

Had a call from a client this week, describing a “Microsoft logo down by the clock with a virus alert.” It wasn’t, but that was the message. This is on a recent vintage Dell box, XP Home, fully-patched, with antivirus and antispyware packages from one of the major companies. A yellow warning flag announced that “the system will now download and install more efficient antimalware program.” The bad English grammar was a bigger clue to the customer than anything else that this wasn’t normal.

Well, the yellow box was followed by a silent install of ContraVirus 2.0, which launched and started an apparent “scan” which resulted in “finding” 27 infections. I had the customer do an online spyware scan, which found and removed the problem, but it came back within a minute or two. Also had him uninstall ContraVirus from the add/remove list. That worked, too, but the flag came back, reinstalled, rescanned, and found the same infections each time, even though the system had been fully scanned by two other programs between the two CV “scans.”

OK, in the car, down the road… I had already looked up ContraVirus online–the reports describe it as either rogue antispyware, or being installed as a drive-by download by an affiliate. RogueRemover, from MalwareBytes.com, was said to take it out, so I took that with me, along with my usual software tools.

[Screen capture: ContraVirus 2.0]
Here’s what the screen looked like when I arrived.

Took a look… Yes, it’s really easy to remove this, or so it appears; it heals. Ewido.net’s online scan takes it out, or RogueRemover, or add/remove programs, but it won’t stay gone; it reinstalls in less than 4 minutes, immediately if an Internet Explorer window is opened; there’s a browser helper object involved.

HijackThis reported this:
O2 - BHO: IEExtension Class - {DBE5BEE8-F032-11DB-826A-C4BB56D89593} - C:\Program Files\ContraVirus\secieaddin.dll
O3 - Toolbar: Ad-Protect Toolbar - {EA038DDD-0FE0-41f5-BA60-FC3660529E71} - C:\Program Files\ContraVirus\ToolBand.dll

But this one appears to be the self-repair program:
O4 - HKLM\..\Run: [Windows Updater Servc] C:\WINDOWS\system32\xpuupdate.exe

It was this xpuupdate.exe that RogueRemover and all the other cleanups missed. I ran a drive search for ‘xpuupdate’–there was also a reference in the prefetch folder. I moved the files off c:, ran one more cleanup immediately with RogueRemover, and this time the system stayed clean.
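The three HijackThis sections above (O4 Run entries, O2 browser helper objects, O3 IE toolbars) each map to a specific registry location, and the lesson of this cleanup is that you have to look at all three together: removing the BHO without the Run entry, or the Run entry without the file, lets the remaining piece put everything back. The script below is an added example, not something from the original post or from HijackThis; it enumerates those three locations and flags any entry whose target matches the names reported above. It assumes a current Windows box with PowerShell (the XP Home machine in the post predates PowerShell), read access to HKLM and HKCR, and that the pattern list is the indicator set you care about.

```powershell
# Added example, not from the original post: list the persistence points HijackThis
# reports as O4 (Run), O2 (BHO) and O3 (IE toolbar), and mark entries whose target
# matches names taken from the HijackThis output in the post.
# Assumes PowerShell 5.1 or later on a modern Windows system; run from an elevated prompt.

# Indicators copied from the post's HijackThis lines (regex fragments). Extend as needed.
$suspectPatterns = @('xpuupdate\.exe', '\\ContraVirus\\', 'secieaddin\.dll', 'ToolBand\.dll')
$suspectRegex = ($suspectPatterns -join '|')

function Resolve-ClsidServer {
    # Map a COM CLSID to the DLL registered as its InprocServer32; $null if not registered.
    param([string]$Clsid)
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path $key) {
        return (Get-ItemProperty -Path $key).'(default)'
    }
    return $null
}

$findings = @()

# O4: Run keys in both the machine and the current-user hive.
foreach ($hive in 'HKLM', 'HKCU') {
    $runKey = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $runKey) {
        foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
            $findings += [pscustomobject]@{ Type = 'O4 Run'; Name = $p.Name; Target = $p.Value; Source = $runKey }
        }
    }
}

# O2: Browser Helper Objects are subkeys named by CLSID; the DLL lives under the CLSID's InprocServer32.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $findings += [pscustomobject]@{ Type = 'O2 BHO'; Name = $sub.PSChildName; Target = (Resolve-ClsidServer $sub.PSChildName); Source = $bhoKey }
    }
}

# O3: IE toolbars are values named by CLSID under the Toolbar key (other values such as "Locked" are skipped).
$tbKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
if (Test-Path $tbKey) {
    foreach ($p in (Get-ItemProperty -Path $tbKey).PSObject.Properties) {
        if ($p.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
        $findings += [pscustomobject]@{ Type = 'O3 Toolbar'; Name = $p.Name; Target = (Resolve-ClsidServer $p.Name); Source = $tbKey }
    }
}

# Report everything found, with matching entries marked SUSPECT so they stand out.
foreach ($f in $findings) {
    $flag = if ($f.Target -and ($f.Target -match $suspectRegex)) { 'SUSPECT' } else { '' }
    '{0,-12} {1,-42} {2} {3}' -f $f.Type, $f.Name, $f.Target, $flag
}

# The post also found a trace in the Prefetch folder; list any prefetch files for the same executable.
Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter 'XPUUPDATE*' -ErrorAction SilentlyContinue |
    ForEach-Object { 'Prefetch     {0}' -f $_.FullName }
```

The script only reports; it deletes nothing. That is deliberate: as the post shows, the order matters (file first, then the registry references, then a final scan), so the output is meant to be read before you touch anything.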

Back to the computer owner: He recognized that the yellow popup box looked like a Microsoft message, and also thought the system tray icon was from Microsoft, but also knew that advertising puffery and bad English aren’t quite what to expect in a legit warning message.

Crapware? Craplets? No, it’s Startupware…

Ina Fried, of CNET’s News.com, has posted an overview of ‘Crapware’ installations on new PCs. It’s a good survey of the big-box companies’ current and recent abuses, er, I mean practices.


Other news reports have been identifying this stuff as ‘craplets’ or ‘crap applets’. Some craplets are also startupware, if they’re pre-loaded software that runs at startup. Not all. Some craplets are just desktop icons to advertising links. There’s no programming code there, so it’s just a link to delete, and not startupware.

Catch my disease?

Following up on the Dell commercial for Bonzi Buddy, well, OK, it’s for a “custom” notebook that apparently is only available with “all” the stuff you could want… (here)

Well, it gets stranger. The background music is fun to listen to. It’s catchy. It’s the first verse and the chorus of a song called “Catch My Disease” by Ben Lee. Now I have nothing against the song. It does make the commercial fun to watch–it wouldn’t work without the music. But the lyrics, as applied to selling a computer, are more than odd; they’re bizarre.

my head is a box filled with nothing

and thats the way i like it

OK, I’d like to buy a Dell computer filled with nothing. Just Windows, hardware drivers, please. NO, DON’T push that button!!!

Oh, and don’t forget the subliminal sales pitch, of course.

my garden’s a secret compartment
and thats the way i like it
and thats the way i like it

Um, OK, let’s add a hidden folder for my garden pictures. Yeah, that’s the ticket.

your body’s a dream that turns violent
and thats the way i like it

No, downloading that stuff is what made the Bonzi gorilla turn violet.

so please
baby please
open your heart
and catch my disease

Right. Spyware gorilla, subliminal sales pitch, catch the disease, empty head for a box. Just who is this notebook targeted at? And has the ad agency for Dell gone ape? Or maybe they’re just two bananas short of a bunch?