AntiVirus 2008 Infections Getting Pretty Sneaky
The other day I had a user call me to let me know her PC was getting an error message and that her co-worker had tried to fix it for her but couldn't. The computer was off when I got there, and when it booted up it went to a blue screen of death with the problem listed as "Panic Stack Switch". Although that is an actual error message, it made me believe it was a fake, as I had never seen it before and had not searched for any occurrences online. While I was reading the error message, though, the user hit her spacebar and the blue screen immediately went away to show me one of those "you're infected" backgrounds that malware such as Win Antivirus 2008 uses. You can imagine my surprise, as the computer should not boot into Windows after a blue screen of death; this was yet another indicator that malware was involved, so I just went about cleaning the machine.
It was infected with the AntiVirus, or Win AntiVirus, XP 2008 malware, and it was surprisingly simple to remove, certainly a lot easier than other infections I had dealt with, probably because Spybot and her antivirus software were blocking portions of it. All I had to do was delete the folder the malware was in (I believe it was called rchpcg or something similar). I used the Sysinternals program Autoruns to remove any programs that were set to run automatically that shouldn't; a couple had names something like blphctp9j0ea5.scr or lphctp9j0ea5j.exe, or something similar, don't quote me on those. While I was in there I also removed some of those programs that run in the background just to check whether their software needs updating, etc., stuff no one really needs running all the time.
I rebooted the PC, updated Spybot and ran a scan, and all it found were a couple of registry entries pointing to the programs from the folder I had deleted. Then I stumbled onto how I had received the blue screen of death but was still able to continue. The people who made the malware had used the Sysinternals Blue Screen of Death screensaver and had just changed the message a little. They had also changed the screensaver name to blphctp9j0ea5j and had hidden the controls that let you change the background image and screensaver: when I right-clicked on the desktop and went into Properties, the only tabs I had were Themes, Appearance and Settings. I'm not sure if they used another program to do this or not, as there was one on the system that I had removed and forgot to write the name down.
These guys are definitely getting sneakier and sneakier. Giving the blue screen of death error message, changing the background to look like an error message, and showing all of those notifications from the task bar might have, and probably has, made people purchase software that they not only did not need, but that probably made their system run slower and gave them more popups and error messages. I'm not sure if purchasing the program they want you to buy, AntiVirus 2008, will remove all this crap or not, but if it doesn't, I am sure it is really pissing some people off.
So, if you get a blue screen of death with the Panic Stack Switch error and you can hit your spacebar and go into Windows, you have definitely been infected. The short set of instructions for removal:
1) Delete the folder that the screensaver is running from. If you go into Task Manager and look for a program with a nonsense name like blphctp9j0ea5j, or something similar, and then search for that name on your hard drive, that should give you a good indication of the proper folder to delete. Just send it to the Recycle Bin and don't permanently delete it, just in case you delete the wrong folder.
2) Download Autoruns from the Microsoft website and look for nonsense names under the Everything tab. Uncheck the ones that don't have a publisher and have nonsense names similar to blphctp9j0ea5j. Note: make sure you write down which ones you uncheck, as this is not a hard and fast rule; some programs from McAfee and even Microsoft (Live Mesh is an example) do not list a publisher, so a missing publisher on its own is a reason to look closer, not to delete. The good thing about Autoruns is that you can check the box again if your computer needs the program you stopped from running.
3) Reboot, download Spybot (or whichever anti-spyware program you are currently using), scan your system and let it remove everything it finds.
4) Right-click the desktop and click Properties to change your background image back and take off the Blue Screen of Death screensaver. If the Background and Screen Saver tabs are missing from Display Properties, as they were on this machine, they are being hidden by the policy values NoDispBackgroundPage and NoDispScrSavPage under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System; delete those values and log off and back on to get the tabs back. The screensaver itself is set by the SCRNSAVE.EXE value under HKEY_CURRENT_USER\Control Panel\Desktop, so that is where to look if the nonsense-named .scr is still being launched.
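Steps 1 and 2 boil down to spotting autostart entries with random-looking names and no publisher, then finding the folder they run from. The script below is an added example, not part of the original post, that does that triage over an Autoruns CSV export (`autorunsc -c` writes one). The column names are assumed from current Autoruns builds, the sample export is constructed for illustration, and the two nonsense names and the rchpcg folder path are stand-ins for whatever the infection on your machine uses. The `looks_random` heuristic is mine; it is meant to rank entries for a human, not to replace looking at them.

```python
"""Triage an Autoruns CSV export for random-named autostart entries.
Added example; the heuristics and sample data are not from the post."""
import csv
import io
import ntpath
import re

# Constructed sample in the shape of an `autorunsc -c` export.  Column names
# are assumed from current Autoruns versions; paths and entry names are made up.
SAMPLE_EXPORT = r"""Entry Location,Entry,Enabled,Category,Description,Company,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,lphctp9j0ea5j,enabled,Logon,,,c:\windows\system32\rchpcg\lphctp9j0ea5j.exe,C:\WINDOWS\system32\rchpcg\lphctp9j0ea5j.exe
HKCU\Control Panel\Desktop\Scrnsave.exe,blphctp9j0ea5j.scr,enabled,Logon,,,c:\windows\system32\rchpcg\blphctp9j0ea5j.scr,C:\WINDOWS\system32\rchpcg\blphctp9j0ea5j.scr
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,McAfeeUpdaterUI,enabled,Logon,Common User Interface,"McAfee, Inc.",c:\program files\mcafee\common framework\udaterui.exe,C:\Program Files\McAfee\Common Framework\UdaterUI.exe /StartedFromRunKey
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Live Mesh,enabled,Logon,,,c:\program files\microsoft\live mesh\moe.exe,C:\Program Files\Microsoft\Live Mesh\MOE.exe /minimize
"""

VOWELS = set("aeiouy")


def looks_random(name):
    """Heuristic for machine-generated names such as blphctp9j0ea5j.
    Three traits are scored; a name showing at least two is flagged."""
    stem = ntpath.splitext(name)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 8 or not letters:
        return False
    traits = 0
    # 1. letters and digits interleaved more than once (p9, j0, a5 ...)
    if len(re.findall(r"[a-z][0-9]|[0-9][a-z]", stem)) >= 2:
        traits += 1
    # 2. a run of five or more consonants with no vowel in between
    if re.search(r"[b-df-hj-np-tv-xz]{5,}", stem):
        traits += 1
    # 3. vowels make up less than a quarter of the letters
    if sum(c in VOWELS for c in letters) / len(letters) < 0.25:
        traits += 1
    return traits >= 2


def triage(export_text):
    """One finding per autorun entry, most suspicious first.
    A random-looking name is decisive; a missing publisher alone is only a
    prompt to review (Live Mesh in the sample shows why)."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = []
        if not row["Company"].strip():
            reasons.append("no publisher")
        if looks_random(row["Entry"]) or looks_random(ntpath.basename(row["Image Path"])):
            reasons.append("random-looking name")
        if row["Image Path"].lower().endswith(".scr") or "scrnsave" in row["Entry Location"].lower():
            reasons.append("screensaver entry")
        if "random-looking name" in reasons:
            verdict = "likely malicious"
        elif reasons:
            verdict = "review manually"
        else:
            verdict = "ok"
        findings.append({"entry": row["Entry"], "location": row["Entry Location"],
                         "image": row["Image Path"], "reasons": reasons, "verdict": verdict})
    order = {"likely malicious": 0, "review manually": 1, "ok": 2}
    findings.sort(key=lambda f: order[f["verdict"]])
    return findings


def suspect_folders(findings):
    """Folders the flagged binaries run from: the candidates for step 1."""
    return {ntpath.dirname(f["image"]) for f in findings if f["verdict"] == "likely malicious"}


if __name__ == "__main__":
    results = triage(SAMPLE_EXPORT)
    for f in results:
        print(f"{f['verdict']:16} {f['entry']:20} {', '.join(f['reasons']) or '-'}")
    print("folders to inspect:", sorted(suspect_folders(results)))
```

Against the constructed sample this ranks the two nonsense-named entries (one of them the screensaver) as likely malicious, leaves McAfee alone, and puts Live Mesh in the "review manually" bucket because it has no publisher but a sensible name. Autoruns can also verify code signatures, which is a better test than the publisher column on its own, so run that before trusting anything this script lets through.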
I'm sure this isn't going to work for everyone, as she had some protection already running when she was infected, so if you have fixed this problem and want to add to this post, just put it in a comment. I wish I had tried to track down where it came from so I could infect another machine to get the proper sequence of what it installs and the proper removal, but sometimes you just don't think about these things.