Posted on 08/17/2008 1:24:34 PM PDT by AZFolks
Antivirus XP 2008 By: webmaster | Under: Unwanted Programs | 26 Jun
Updated: July 30, 2008
Antivirus XP 2008 is a bogus antivirus application for Windows that was promoted and downloaded automatically by redirecting users' internet browsers to its predefined website.
Aliases: Adware.AntivirusXP2008
Risk Level: Medium
File Size: Varies
Affected System: Windows
Common Symptoms: 1. Redirects the web browser and pops up scan results. It will then prompt the user to buy the licensed software.
I update and run Spybot S&D and Lavasoft Ad-Aware about once a week, and run my Webroot Window Washer every night on 7-pass bleach. My “resident” AV programs are the McAfee that comes free with Comcast and Webroot Spysweeper.
I never have any problems.
Did you download and install the thing, or did you just get redirected to the website? I got the redirect, but I didn’t install the thing.
The list of things it can disable includes:
Not necessary to go through all of that. Try the Combofix utility linked in post 2.
I usually am able to clean these off without much trouble but my son’s pc was infected with a variant of this XP Antivirus that required wiping the hard drive.
The computer was so compromised that it was easier to just reinstall windows. Could not access (directly) c:\; could not access control panel; system settings; all user accounts were restricted; run command and command prompt were blocked; blocked updates from legit spyware and antivirus scanners - this thing was NASTY!
I’m dubious about the ability of any program to undo all the damage I saw. In a business environment it is cheaper just to reinstall Windows. You know it’s clean when you’re done.
Next time I’ll have recent backups of the system state. Fortunately, mission critical documents are kept on the server and backed up.
By the way, how do you run your utility when drives don’t show up on Explorer?
Do you have a desktop- and can the unit download anything?
If no and no- download it on another machine and put it on a memory stick/thumb drive. Use CTRL+ALT+DEL to bring up the Task Manager. On the Applications tab, hit New Task and navigate to the utility, and run it from there.
You didn’t read my list of things disabled. All drives are unavailable. You can’t run programs from the start menu. That’s also true in safe mode.
Now I’m sure there’s a way to get something done from the command line, but if you are supporting a business and people are standing over your shoulder, you do what you know will get the job done without experimenting.
A Windows reinstall deletes and replaces all system files and rebuilds the registry from scratch. The bad side effect is you have to reinstall all your programs. In a business environment that mostly means Office, which takes about ten minutes.
Hah, sounds like you got hit by a rootkit trojan. I got infected by one a few weeks ago. I downloaded and ran SDFix to remove it.
At my business, it is simply a matter of restoring from an image. No reinstallation needed.
But we are talking about home and personal machines here, and a reinstall is burning down the house to get rid of the mice.
Nothing is burned down. Have you looked at the list of things disabled by the latest pest? Walk me step by step through disinfecting a computer on which the start menu is gone, task manager is disabled and disk drives are not showing. We are talking here about a rootkit.
Step 1: Slave the drive to another system.
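As an added illustration of what the step after slaving the drive can look like (an editor's example, not code from the thread and not any poster's method): load the slaved drive's user hive and audit the Windows policy values that produce the symptoms described above (drives hidden, Run and the command prompt blocked, Task Manager and Control Panel disabled), clearing them if asked. The registry locations and value names are standard Windows policy settings; the hive name `SlavedUser`, the drive letter `D:` and the user name `bob` in the usage below are assumptions. Clearing these values only gives you a usable shell back so other tools can run; it does not remove the infection, and a still-running infection on a live box will simply set them again.

```powershell
<#
  Added example (not from the thread): audit, and optionally clear, the Explorer/System
  policy values behind the symptoms described in the thread. Works against the live
  HKCU, or against a user hive from a slaved drive loaded with reg.exe (see usage).
  Clearing them restores the shell; it does not remove the malware.
#>
param(
    # Registry root to inspect: 'HKCU:' on the live machine, or 'HKLM:\SlavedUser'
    # after loading the slaved drive's NTUSER.DAT under that (assumed) name.
    [string]$Root = 'HKCU:',
    # Remove any restrictive value found instead of only reporting it.
    [switch]$Fix
)

# Standard Windows policy values; the symptom mapping is the editor's, not the thread's.
$explorer = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policies = @(
    @{ Key = $explorer; Name = 'NoDrives';             Symptom = 'drives hidden in Explorer (bitmask, bit 0 = A:, bit 2 = C:)' },
    @{ Key = $explorer; Name = 'NoViewOnDrive';        Symptom = 'drive contents cannot be opened (same bitmask)' },
    @{ Key = $explorer; Name = 'NoRun';                Symptom = 'Run command removed from Start menu' },
    @{ Key = $explorer; Name = 'NoControlPanel';       Symptom = 'Control Panel blocked' },
    @{ Key = $explorer; Name = 'NoDesktop';            Symptom = 'desktop icons hidden' },
    @{ Key = $explorer; Name = 'NoFolderOptions';      Symptom = 'Folder Options removed' },
    @{ Key = $system;   Name = 'DisableTaskMgr';       Symptom = 'Task Manager disabled' },
    @{ Key = $system;   Name = 'DisableRegistryTools'; Symptom = 'regedit blocked' },
    @{ Key = $system;   Name = 'DisableCMD';           Symptom = 'command prompt blocked' }
)

$found = @()
foreach ($p in $policies) {
    $path = Join-Path $Root $p.Key          # e.g. HKCU:\Software\...\Policies\Explorer
    if (-not (Test-Path $path)) { continue }
    $item = Get-ItemProperty -Path $path -Name $p.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }       # value not present: default (unrestricted)
    $value = $item.($p.Name)
    if ($value -ne 0) {
        $found += [pscustomobject]@{ Path = $path; Name = $p.Name; Value = $value; Symptom = $p.Symptom }
        if ($Fix) {
            # Deleting the value restores default behaviour; Explorer reads it at logon
            # (or when explorer.exe is restarted).
            Remove-ItemProperty -Path $path -Name $p.Name
        }
    }
}

if ($found.Count -eq 0) { 'No restrictive policy values set under {0}' -f $Root }
else { $found | Format-Table -AutoSize }
```

Usage against a slaved drive, with the assumed drive letter and user name: `reg.exe load HKLM\SlavedUser "D:\Documents and Settings\bob\NTUSER.DAT"`, then `.\audit-policies.ps1 -Root 'HKLM:\SlavedUser' -Fix`, then `reg.exe unload HKLM\SlavedUser`. The same value names can also be set per machine under `HKLM\Software\Microsoft\Windows\CurrentVersion\Policies`, which on a slaved drive means loading the SOFTWARE hive from `D:\WINDOWS\system32\config\software` and pointing `-Root` at it. Run the check again after the actual disinfection, since the values tell you only that the shell was restricted, not that whatever restricted it is gone.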
And this is going to save time? How?
I can do all those things, but a business computer has Windows, documents, Acrobat, and perhaps one or two specialized programs. Windows and the programs can be reinstalled in an hour without any special settings. When you’re done everything is clean and working. If you use the default folders, all the documents are in place.
Now, the correct thing is to have good backups.
It depends on the specific damage in this case- but in general, I disagree. I too do this stuff in a business environment- I specialize in malware eradication for an IT multinational. I typically remove this and all its rider subinfections in 2-3 hours. If I have to reimage a typical unit, with gigs of un-backed up data on it, I have to:
...and then the user isn't really happy because it's still a disruption. There will be group-specific software that the user has to reinstall, so add some time for the hand-holding that goes with that.
I usually start off with CCleaner- to clean out thousands of garbage temp files to cut down the scan time. Then I use a bootable CD- the Ultimate Boot CD for Windows (v 3.12 by preference) and sweep with A2 Free. That gets around all of the kernel hooked DLLs that are wormed into explorer.exe and winlogon. I nuke anything it finds, less the two false-positives that it normally gets in our environment. Then I reboot normally and hit it with Combofix. I'll use HijackThis to make sure nothing funny is still running, and a couple of tools from Winternals if I have any doubts.
I just checked the thread again.
Been doing this stuff professionally for going on fifteen years, and I know what I'm doing, but thanks for the advice. On the unit in question- I'd build the above linked bootable CD and do the A2 to knock it back to where you've got a usable shell, and add a pass with SFC, to make sure that XP doesn't have funny replaced files. If the operating environment is showing that much damage, there's probably a lot more than AV XP 2K8 going on.
I did an emergency 'Antivirus XP 200x' removal (I forget which variant it was) on Thursday using first Combofix (which got it entirely) and then A2 to check for subinfections. It was clean after just the Combofix. Further reading for anyone interested in other tools (there are many that are written for specific infections) and removal techniques:
Ouch! It’s all too easy for even reasonably savvy users to get nailed by this crap. Most insidious are the official-looking dialog boxes that don’t close when you pick the “Close” button, but are actually links to somewhere you don’t wanna go.
$300 seems like a lot to spend to have cleanup work done, but if I were to charge for the time I put into some of these clobbered-up machines, it would often reach that or more. It takes a long time to root out some of these problems and then update insecure software on a machine that’s been exposed and neglected for years.
Again, this is a personal computer. We aren’t trying to save time, we are trying to save data.
Even someone who keeps good backups will have a good amount of data loss on a complete reinstall.
Businesses are different.
My method is faster and simpler. Of course, it’s nice if you already have a recent backup of the drive and data in case something goes wrong.
The problem I encountered last week was on a network without a domain controller. At my site that has a domain controller, I can substitute a spare machine. When the user logs on, all the documents and email are synchronized from the server. Five or ten minutes.
The infected machine can then be fixed at leisure.
Reinstalling Windows doesn't lose any data.