How to Remove Fake "Antivirus XP 2008" Malware

Got a may-day call from one of my clients. The MD of the company thought that his computer had been infected by some virus, and he sounded really disturbed.

On arriving at his office, I observed that his computer desktop had a wallpaper that read "Virus Detected" in bold. I tried to remove this wallpaper, but found that the option for changing the wallpaper was disabled (probably by the malware). After a couple of seconds, a message would pop up prompting to run an anti-virus scan. When you start the scan, it reports a few hundred infected files. In the system tray, there is an item that lets you launch the scanner.

As he is a senior executive, he was anxious to have it removed.  Here is what I did:

  1. Right-clicked on the program shortcut and saw that the program was located in the "C:\Program Files\hcg3lj0e37e" folder.
  2. Started regedit and searched for the "rhcg3lj0e37e" key. Saved the key and deleted it. Repeated until all were removed.
  3. Deleted the offending wallpaper "C:\WINDOWS\system32\phcl3lj0e37e.bmp".
  4. Sorted "C:\WINDOWS\system32" by date created and found 3 newly installed files - phcl3lj0e37e.bmp, blphcl3lj0e37e.scr, and lphcl3lj0e37e.exe. Deleted them.
  5. Went back to "C:\Program Files\hcg3lj0e37e" and removed all the files there.
  6. Kept my fingers crossed and rebooted the machine - all OK.
  7. Start > Run and type Gpedit.msc. Navigate to User Configuration, Administrative Templates, Control Panel, Display. Right-click on Remove Display in Control Panel. Click on Properties and select Disabled.
  8. Repeat the same steps to set the following policies to Disabled: Hide Desktop tab; Prevent changing wallpaper; Hide Appearance and Themes tab; Hide Settings tab; Hide Screen Saver tab.
  9. Chatted with the MD a little, and reminded him to renew his Norton Anti-Virus, which had expired about 6 months back.

Total time spent: 45 minutes.

Did a post-mortem, and found that it was the Fake "Antivirus XP 2008" Computer Virus & Malware that was creating the mischief.
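
The checks from steps 4, 7 and 8 can also be run as a read-only PowerShell audit; this is an added example, not part of the original write-up. The registry value names are the ones Windows uses for these Display policies, and looking under the current user's HKCU hive with a 7-day window is an assumption.

```powershell
# Added example: read-only audit. Nothing is deleted or changed.
param([int]$Days = 7)   # look-back window in days (assumed default)

# Step 4: .exe/.scr/.bmp files recently created directly under system32.
$sys32  = Join-Path $env:SystemRoot 'system32'
$cutoff = (Get-Date).AddDays(-$Days)
$exts   = @('.exe', '.scr', '.bmp')
$recent = Get-ChildItem -Path $sys32 -Force -ErrorAction SilentlyContinue |
    Where-Object {
        (-not $_.PSIsContainer) -and
        ($_.CreationTime -gt $cutoff) -and
        ($exts -contains $_.Extension.ToLower())
    } |
    Sort-Object CreationTime -Descending

"Files created under $sys32 in the last $Days day(s):"
$recent | Format-Table CreationTime, Length, Name -AutoSize | Out-String

# Steps 7-8: per-user registry values behind the Display policies in gpedit.msc.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$policies = @(
    @{ Key = 'System';        Name = 'NoDispCPL';            Policy = 'Remove Display in Control Panel' },
    @{ Key = 'System';        Name = 'NoDispBackgroundPage'; Policy = 'Hide Desktop tab' },
    @{ Key = 'System';        Name = 'NoDispAppearancePage'; Policy = 'Hide Appearance and Themes tab' },
    @{ Key = 'System';        Name = 'NoDispSettingsPage';   Policy = 'Hide Settings tab' },
    @{ Key = 'System';        Name = 'NoDispScrSavPage';     Policy = 'Hide Screen Saver tab' },
    @{ Key = 'ActiveDesktop'; Name = 'NoChangingWallPaper';  Policy = 'Prevent changing wallpaper' }
)

"Display policy restrictions for the current user:"
foreach ($p in $policies) {
    $path  = Join-Path $base $p.Key
    $name  = $p.Name
    $item  = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    # A value of 1 means the restriction is active for this user.
    $state = if ($item -and ($item.$name -eq 1)) { 'ENABLED (restricts user)' } else { 'not set' }
    '{0,-34} {1,-22} {2}' -f $p.Policy, $name, $state
}
```

Any policy still reported as enabled after cleanup corresponds to one of the settings changed in steps 7 and 8.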

Updated On: 08.09.30
