Thursday, September 11, 2008

MS Antivirus

Today I had a small problem with my computer for a few minutes. I downloaded the BitDefender antivirus and then thought about installing Ubuntu. For that I have to repartition my hard disk. Norton Partition Manager can partition my drive without the need to delete any partition, but for that I had to defrag my drive first. So I downloaded software from the internet, namely OO Defrag. While it was downloading, I installed the antivirus and thought of restarting my system after installing OO Defrag. After finishing the download, I installed the OO Defrag software. THERE IS NOTHING WRONG IN USING THAT SOFTWARE. But to my luck, someone had bundled the setup with a piece of malware which calls itself MS Antivirus.

I was also playing the game FIFA 2008. When I executed that OO Defrag file, it took longer than usual for the setup screen to appear. I looked at Task Manager and found a process named with numbers, e.g. 21.2312.exe (I don't know the actual file name). I killed it. After a few minutes, a few dialog boxes started to pop up. As I was in the middle of the game, I thought I'd take care of it later. But that app insisted that I take action on it soon. It displayed that my system was infected with a virus. It closed my game and my screen went black. Knowing that much, I didn't try anything else; I pressed the reset button directly. I booted into Windows as usual (not in safe mode). Now it was causing trouble by opening unwanted dialog boxes saying that I had to download software. For fear of my privacy being misused, I disconnected my system from the internet. So here is what the malware or Trojan did!

First it installed itself as Microsoft Antivirus, i.e. MSA, in "Program Files". It also created a few files in the Windows folder and in the windows\system32 folder. Some of the file names are YUR1.exe and yuvxx.exe, where xx stands for different numbers. It had a few DLL files in both folders and also some files with .ini or .inf extensions, which appeared to be configuration files. As usual, I couldn't access Task Manager. Thank God I had HijackThis. I did a system scan with it and saw a few unwanted apps.

Apart from the files, this is what the malware did. I restarted again. Now I couldn't access my desktop: I could see the files but I couldn't click on them. It looked like some kind of HTML file, with a nice picture in the background. Of course, something new. I used the Windows key to open the Start menu and couldn't find Run. I typed explorer and it opened the Explorer window, because Windows+E didn't work. Soon Windows+R also didn't work. When I opened My Computer by typing explorer in Run, I couldn't find my two drives C: and D:. Wow! In my system tray there was a text displayed, namely virus alert (or something), next to the clock. I couldn't find my Control Panel. The malware also disabled opening regedit and disabled modifying the registry. And one more important issue: there was a new username by the name Bill Gates.

So I went to Vista and deleted all the malware files from the Windows folder, the system32 folder and Program Files. But the next task was that I still couldn't access anything because I had an HTML page on my desktop. Thankfully I had Quick Launch. I accessed Display Properties by typing desk.cpl. I connected to the internet and found a way to enable Control Panel, Display Properties, Printers and Faxes, enable the drives C: and D: in My Computer, and undo the security restrictions, and finally now my system has only one problem: I can't access Run in my Start menu. I am using cmd as Run temporarily. I tried different methods but no hope. But it really did make me spend some time!

To tell it briefly, here is what the malware did:
  • Created a few files in the Windows folder and the system32 folder, and also created two folders in Program Files, namely MSA and PCHealth… I don't remember the name properly.
  • Disabled Run, Control Panel, Regedit, Task Manager and Display Properties, and hid the two drives C: and D: from My Computer.
  • Disabled the shortcut key Windows+E.
  • Installed a new HTML background so that I could not open My Computer or any other file or folder.
  • Installed itself in the system tray. It had a nice icon there and displayed a lot of warning messages such as "virus detected, take action". It prompted every 30 seconds or so.
  • Displayed a text like VIRUS FOUND in the system tray next to the clock. It also disabled modifying the registry.
  • Created another user, Bill Gates, on my system, which I couldn't delete the normal way.
I used HijackThis and Registry Mechanic to fix all the registry problems the malware created. If you have any such problems like a Trojan or malware on your system, then you can post your HijackThis log in . The admins and moderators on that site are sure to help you. If anyone wants to play with this malware, you can download it for free from
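The restrictions listed above (Run, Control Panel, Regedit, Task Manager, Display Properties, hidden drives, the Windows key shortcuts, the locked desktop) are the standard per-user Windows policy values that HijackThis and Registry Mechanic clean up. The script below is an added example, not code from the post or from either tool: it audits those values for the current user, reports the ones that are set, lists the local accounts so an unexpected one stands out, and optionally removes the policy values with `-Fix`. The mapping from each symptom to a particular value name is my assumption based on the documented policy locations; the time-format check assumes the text beside the clock was produced by altering the user's time format string, which the post does not confirm.

```powershell
# Audit-RogueAVPolicies.ps1 (added example; not from the original post).
# Usage, as the affected user:  .\Audit-RogueAVPolicies.ps1        # report only
#                               .\Audit-RogueAVPolicies.ps1 -Fix   # also remove the policies
# Explorer reads most of these values at start-up, so log off and back on
# (or restart explorer.exe) after fixing.
[CmdletBinding()]
param([switch]$Fix)

$explorer      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$activeDesktop = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'

# Symptom from the post -> policy value assumed to cause it (non-zero DWORD = restriction on).
$checks = @(
    @{ Symptom = 'Run missing from Start menu';        Key = $explorer;      Name = 'NoRun' },
    @{ Symptom = 'Control Panel hidden';               Key = $explorer;      Name = 'NoControlPanel' },
    @{ Symptom = 'Drives hidden in My Computer';       Key = $explorer;      Name = 'NoDrives' },      # bitmask: A=1, B=2, C=4, D=8 ...
    @{ Symptom = 'Drives cannot be opened';            Key = $explorer;      Name = 'NoViewOnDrive' }, # same bitmask
    @{ Symptom = 'Desktop icons do not respond';       Key = $explorer;      Name = 'NoDesktop' },
    @{ Symptom = 'Windows+E / Windows+R disabled';     Key = $explorer;      Name = 'NoWinKeys' },
    @{ Symptom = 'Regedit blocked';                    Key = $system;        Name = 'DisableRegistryTools' },
    @{ Symptom = 'Task Manager blocked';               Key = $system;        Name = 'DisableTaskMgr' },
    @{ Symptom = 'Display Properties blocked';         Key = $system;        Name = 'NoDispCPL' },
    @{ Symptom = 'Wallpaper locked (Active Desktop)';  Key = $activeDesktop; Name = 'NoChangingWallPaper' }
)

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent, otherwise the stored value.
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()
foreach ($c in $checks) {
    $v = Get-PolicyValue $c.Key $c.Name
    if ($null -ne $v -and $v -ne 0) {
        $findings += [pscustomobject]@{ Symptom = $c.Symptom; Key = $c.Key; Name = $c.Name; Value = $v }
        if ($Fix) {
            Remove-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction Stop
            Write-Host "Removed $($c.Name) from $($c.Key)"
        }
    }
}

# Text beside the clock: the clock renders HKCU\Control Panel\International\sTimeFormat,
# so literal text planted there shows up next to the time. Reported only, never auto-fixed,
# because some locales legitimately quote literals in this string; review it by hand.
$intl    = 'HKCU:\Control Panel\International'
$timeFmt = (Get-ItemProperty -Path $intl -Name sTimeFormat -ErrorAction SilentlyContinue).sTimeFormat
if ($timeFmt -and $timeFmt -match "[^hHmstT:\.\-/ '`"]") {
    $findings += [pscustomobject]@{ Symptom = 'Unexpected text in time format'; Key = $intl; Name = 'sTimeFormat'; Value = $timeFmt }
}

# Local accounts, so an account nobody created (the post's "Bill Gates") is visible.
# WinNT provider enumeration works on XP/Vista as well as current Windows.
$accounts = ([ADSI]"WinNT://$env:COMPUTERNAME").Children |
    Where-Object { $_.SchemaClassName -eq 'user' } |
    ForEach-Object { [string]$_.Name }

if ($findings.Count -eq 0) {
    Write-Host 'No restrictive per-user policy values found.'
} else {
    $findings | Format-Table Symptom, Name, Value -AutoSize
}
Write-Host "Local user accounts: $($accounts -join ', ')"
```

The script only touches values under the current user's hive, which is where a rogue running as the logged-on user can write without elevation; if the same values also appear under HKLM the machine-wide copies must be checked by an administrator. Removing an unwanted local account and deleting the dropped files are separate steps that this audit does not perform.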


Srini said...

Good try man. U have tried a lot to get out from that situation. U have proved that ur a Software Engg. Then tell me any good ANTIVIRUS. If u have any then post da.

Aslam said...

OODefrag..?? why do u need it..? isn't the built-in Defrag good enough..?? anyway, from which site did u download it.. doing it from a trashy site does sometimes come with infected files...!

Anyway, if u had Vista u cud have changed the partition from there itself.. right..? it has an in-built feature i guess...!

and didn't ur AV detect the virus installation..? which one do u use currently..?

Oh and yeah, use Ubuntu..!! Hail Linux..!

Philip Kingsley said...

hey. for partitioning, there should not be any data in the last 5 GB or so. But built-in defrag will just combine files rather than allocating all the files from the beginning serially. i think u can see the link

Visu said...

Damn you geeks !

Philip Kingsley said...

arrey who is telling that!!!