A cute story

I've never used any Anti-Virus software on any of my home computers in my life. Why? They're usually bloated, resource-hungry hogs. They basically slow down my computer. At least that's what I tell my friends when they ask me why I don't wear protection. That, and the fact that viruses are hard to get nowadays - if you go about your internet business with just a tiny bit of common sense. You'd almost have to WANT to get a virus in order to get one, by clicking on some ridiculous spam mail or popups from shady sites.
Yesterday, two things changed: First, I realized I was wrong on the last assumption. You can in fact acquire a virus without being especially reckless. A master's degree in computer science and 18 years of Internet usage experience definitely does not make you immune. Second, I started to realize there might be another, subconscious reason for me wanting to ride the Internet bareback:
It's actually quite fun getting a virus :-)
Ok, not if they do permanent damage, but if you battle them and conquer, there's nothing more satisfying for an IT-geek than ridding a computer of an infection by using his wits and hard-acquired skills through years of late night hacking. To this date I still tell fellow geeks about my thrill of discovering that someone had been using my computer at college to distribute Dutch porn for nine months without me noticing. When I finally discovered the FTP and their file cache of .MPG files in C:\System Volume Information I was ecstatic. The ingeniousness! You couldn't browse that folder in Explorer! Had to revert to command line navigating to get to the files. Got to respect their cunning :-) The FTP server itself was of course also camouflaged as a non-descriptive service on a weird port. It was the network traffic that gave it away in the end. A tool like Netlimiter proved to be golden. Anyway, the last laugh was of course on me when I changed the FTP logon screen to taunt the next guys who tried to log in and of course disabled any up/download features.
"Win7 antivirus firewall alert"!

Well that was then, some six-seven years ago. My computer life has been infection-free and healthy since then. Until yesterday. I was going about my regular internet business of diverse forum browsing when suddenly both Internet Explorer and Firefox shut down and some legit-looking popups appeared, telling me I'd just been protected from a possible virus infection. Legit-looking, I say, because they were in fact designed in such a way that I initially thought they might be from Microsoft. But it didn't take long until I got suspicious. Here's a couple of screenshots:
Actually I stole these screenshots from Gary Davis' blog (please don't sue me), who obviously has had the same problem as me, because I forgot to save the screenshots that I actually DID remember to take myself :-). These screenshots differ in that the header says "Vista", while mine said something about "Win 7 Antivirus firewall alert". For the record, I run Windows 7 build 7600.
As you can see the design of the windows and popups is pretty well done, resembling something Microsoft could do. A couple of things made me suspicious: first, I'd never heard of an anti-virus software from Microsoft; secondly, wouldn't they use the full name of the OS, "Windows 7", and not "Win7"? But I wasn't convinced just yet. After all I'm still pretty new to Windows 7, and who knows what Microsoft is up to. So my first thought is of course to do some Googling. I reopened Internet Explorer but of course the home page is replaced with more security warnings and any attempt to navigate led me to a page selling activation for the "Anti virus software" on my desktop. At this point I'm sure I'm dealing with a browser hijack and/or virus. Luckily I've got a laptop within sliding distance of my office chair so I fire it up.
My initial Googling wasn't very successful. "Win7 antivirus firewall" gave links to legit antivirus software and googling on Trojan-BNK.Win32.Keylogger.gen gave me links to removal tips of what is probably a real worm. My next move was to open the hijacked home page in IE and look at the source code to find out the URL of the home page (the address bar was removed by the script). I soon found a link to security-pccare2010.com, which I in turn googled and up came a Danish article, which I'm fortunately able to read, being Norwegian. From that article I read that I was dealing with a program that had installed itself in my user folder with the name "ave.exe". Now I was on the right track. I killed the running ave.exe process, deleted it from disk and rebooted my computer. Home safe?
Not even close :( Trying to open Internet Explorer after the reboot gave me the following error message:
Can't open .exe files... Are you kidding me? I tried Firefox. No deal. Explorer.exe? Nope! Notepad, paint, regedit, cmd.exe?? Negative! Windows was actually unable to launch ANY .exe file on my entire computer. At this point I almost freaked out and was almost certain this would lead to a complete reinstall of my OS. How does Microsoft allow this to happen? Why is the file association for .exe overridable? Oh well, I wasn't quite ready to give up but I had to find a way to run programs. The solution was pretty simple. When the popup came, I chose "Select a program from a list of installed programs" and selected "explorer.exe" to open "explorer.exe". Smart, huh? :)
Now I was able to work again. The Danish article gave me a couple of new keywords to google for: "ave.exe" led me to this forum post. Reading that thread I was encouraged to try PC Tools Spyware Doctor, and that tool helped me further:
...but of course, I had to buy a registered version for the tool to remove the remains of the virus. But since the tool gave away the rogue registry keys, I thought maybe I could fix it myself. So I tried to launch regedit with my newfound .exe-launch-method, and there came a new smack in my face: When you launch regedit.exe with regedit.exe, "regedit.exe" is passed as a command line parameter (you following?). What does regedit do with command line arguments? It tries to parse them as .reg change scripts - and when it fails, it simply shuts down. Yes, I couldn't start regedit, but I wasn't giving up now. I went back to my laptop and actually hand-crafted two .reg files that were to remove and restore the registry keys. Yes - I punched the hideous number sequence in the topmost key in by hand. Sliding the .reg files back to my infected computer through a USB stick I was finally able to launch and modify the registry. And you know what? It worked!! :-))
The satisfaction of cleaning up after that messy virus/hijack was greater than the best sex and more adrenalin-fuelling than climbing Mount Everest ten times in a day. Well, not really, but it was quite satisfying :-) So will I install Anti-virus software now? Of course not. But I wouldn't mind waiting a few months for the next challenge. :-)
The fix

Update (March 26): You might want to download the .reg files in step 2 and 3 and launch explorer.exe before you delete the .exe file in step 1, or else you'll have trouble starting both IE and explorer on the infected machine.
1. Kill the process ave.exe. If you can't find it with regular task manager, try Process Explorer
2. Delete %LOCALAPPDATA%\ave.exe. Or maybe it was %Documents and Settings%\%YourUserName%\Local Settings\Application Data\ave.exe as the Danish article says. I don't remember because... well... I deleted the file :P Note: It is a hidden system file. You must enable Explorer to show system files, or alternatively run a command shell and type "attrib -h -s ave.exe" in the correct folder before deleting it.
3. Download and run fix_exe.reg. This deletes the registry key that messed up the .exe file association.
4. Download and run fix_ie.reg. This restores the shell open command in Internet Explorer.
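The post never shows what the two .reg files contain, and the hijack it describes works by pointing the .exe file association at the rogue program. The script below is an added example (my own, not the author's .reg files and not from PC Tools or any vendor) that audits the association read-only so you can confirm what has been changed before touching the registry. It assumes the stock Windows values: .exe resolves to the ProgID "exefile" whose shell\open\command is "%1" %*, and a per-user override under HKCU\Software\Classes\.exe is normally absent. The ave.exe name and the %LOCALAPPDATA% location come from the post; the script only lists the file, it does not delete it.

```powershell
# Added example: audit the .exe file association for the kind of hijack the post
# describes. Read-only: reports deviations, changes nothing.
# Assumed clean baseline (stock Windows): .exe -> exefile -> "%1" %*
$ExpectedProgId  = 'exefile'
$ExpectedCommand = '"%1" %*'

# Return the (Default) value of a registry key, or $null if the key is missing.
function Get-RegDefault {
    param([string]$Path)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

# Compare the per-user and machine-wide association against the baseline.
function Test-ExeAssociation {
    $findings = @()

    # Per-user classes take precedence over HKLM, so a user-level infection
    # that can't write HKLM plants its ProgID here. Normally this key is absent.
    $userProgId = Get-RegDefault 'HKCU:\Software\Classes\.exe'
    if ($null -ne $userProgId) {
        $findings += "HKCU\Software\Classes\.exe is set to '$userProgId' (normally absent)"
        $userCmd = Get-RegDefault "HKCU:\Software\Classes\$userProgId\shell\open\command"
        if ($userCmd) { $findings += "  its open command is: $userCmd" }
    }

    # HKCR is the merged view the shell actually consults when launching a .exe.
    $machineProgId = Get-RegDefault 'Registry::HKEY_CLASSES_ROOT\.exe'
    if ($machineProgId -ne $ExpectedProgId) {
        $findings += "HKCR\.exe ProgID is '$machineProgId', expected '$ExpectedProgId'"
    }
    $machineCmd = Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$machineProgId\shell\open\command"
    if ($machineCmd -ne $ExpectedCommand) {
        $findings += "HKCR\$machineProgId\shell\open\command is '$machineCmd', expected '$ExpectedCommand'"
    }

    return $findings
}

# Locate the hidden+system dropper file the post names, without deleting it.
# -Force is what makes Get-ChildItem show hidden and system files.
function Find-HiddenExe {
    param([string]$Name = 'ave.exe')
    Get-ChildItem -Path $env:LOCALAPPDATA -Filter $Name -Force -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Attributes
}

$issues = @(Test-ExeAssociation)
if ($issues.Count -eq 0) { 'No .exe association anomalies found.' } else { $issues }
Find-HiddenExe
```

If the audit reports a rogue ProgID under HKCU\Software\Classes\.exe, that is the key the post's first .reg file removes; in .reg syntax a key is deleted by prefixing its name with a minus sign inside the brackets, for example [-HKEY_CURRENT_USER\Software\Classes\.exe]. Run the audit again after applying the fix to confirm the association is back to the baseline before launching anything else.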