Posted on 08/17/2008 1:24:34 PM PDT by AZFolks
Antivirus XP 2008 | By: webmaster | Under: Unwanted Programs | 26 Jun | Updated: July 30, 2008
Antivirus XP 2008 is a bogus antivirus application for Windows that was promoted and downloaded automatically by redirecting users' internet browsers to its predefined website.
Aliases: Adware.AntivirusXP2008
Risk Level: Medium
File Size: Varies
Affected System: Windows
Common Symptoms: 1. Redirects the web browser and pops up scan results. It will then prompt the user to buy the licensed software.
No problem.
Bleeping Computer is good, G2G I duck in to from time to time to solve some weird issue that I’m working on, and Spywarewarrior.com is a long-time trusted source for getting rid of malware.
Backing up your important stuff is of paramount importance, just in case something really bad happens. I have a 500 GB USB external drive and a copy of Acronis True Image. I do a complete bare-metal-restore capable backup about once a week. No sooner had I bought all of that stuff than I had a hard drive failure. Next day, I stopped by Microcenter on my way home from work, bought a replacement hard drive, booted off of the Acronis CD, did a full restore, and I was back in business in about an hour.
From an old LangaList Standard (free version) newsletter I clipped this:
http://www.langa.com/newsletters/2005/2005-01-31.htm
Here is an archived link to the entire online version.
http://web.archive.org/web/20071021044355/http://langa.com/newsletters/2005/2005-01-31.htm
Ping
And related to your comment, the Folding@Home stuff hardly seems worth the network risk....
Exactly right. The Washington Post did something useful for once, and ran an article about botnets:
Invasion of the Computer Snatchers
Good intro for users.
Another user has it on a home computer and I have been trying to help him with this also.
The only thing I could do was boot the infected system to BARTS, and then copy the files they wanted to save to another system with functional AV... Then wipe the disk and do a fresh install off of DVDs they had to order from HP. It was UGLY.
Mark
gnip...
In the strain I saw, it also disabled regedit and regedt32. I was able to bring the system up using BARTS, but what I found was that these issues were not done through the registry, but through policies. I also found that it disabled control panel, mmc, and the ability to run programs...
And like you, I did a clean install: But since this was an HP with the installation files on the hard drive, I checked out some of the cab files and noticed that a few files have been changed, so I had my buddy order the recovery DVDs from HP, and completely wiped the disk and did a fresh install.
Mark
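The policy-based lockouts Mark describes (regedit, Control Panel, MMC, running programs) live in the documented Group Policy registry locations, so a responder can enumerate them directly instead of discovering each one by trial. The script below is an added example written for this thread, not anything from the original posts or from the malware author; it assumes a Windows host with PowerShell and checks only the well-known policy value names, so a strain using some other mechanism would not show up here.

```powershell
# Added example: list the user/machine policy values that can lock out
# regedit, Task Manager, Control Panel, the Run dialog, program execution and MMC.
# Value names and paths are the standard Group Policy registry settings.
function Get-LockoutPolicies {
    param(
        # Hive to inspect; default is the logged-on user. When examining a disk
        # from a BartPE-style boot, load the user's NTUSER.DAT with
        #   reg load HKU\Offline <path>\NTUSER.DAT
        # and pass the matching PSDrive path instead (assumption: caller creates it).
        [string]$UserHive = 'HKCU:'
    )

    $checks = @(
        @{ Path = "$UserHive\Software\Microsoft\Windows\CurrentVersion\Policies\System";   Name = 'DisableRegistryTools';       Effect = 'regedit / regedt32 blocked' },
        @{ Path = "$UserHive\Software\Microsoft\Windows\CurrentVersion\Policies\System";   Name = 'DisableTaskMgr';             Effect = 'Task Manager blocked' },
        @{ Path = "$UserHive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"; Name = 'NoControlPanel';             Effect = 'Control Panel hidden' },
        @{ Path = "$UserHive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"; Name = 'NoRun';                      Effect = 'Run dialog removed' },
        @{ Path = "$UserHive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"; Name = 'RestrictRun';                Effect = 'only listed programs may run' },
        @{ Path = "$UserHive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"; Name = 'DisallowRun';                Effect = 'listed programs blocked' },
        @{ Path = "$UserHive\Software\Policies\Microsoft\MMC";                             Name = 'RestrictToPermittedSnapins'; Effect = 'MMC snap-ins restricted' },
        # Machine-wide equivalents; a policy set here applies to every user.
        @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';      Name = 'DisableRegistryTools';       Effect = 'regedit blocked (all users)' },
        @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';    Name = 'NoControlPanel';             Effect = 'Control Panel hidden (all users)' }
    )

    foreach ($c in $checks) {
        # Missing keys are normal on a clean machine; only report values that exist and are non-zero.
        $props = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        if ($null -ne $props -and $null -ne $props.($c.Name) -and $props.($c.Name) -ne 0) {
            [pscustomobject]@{
                Path   = $c.Path
                Name   = $c.Name
                Value  = $props.($c.Name)
                Effect = $c.Effect
            }
        }
    }
}

# Usage: print every active lockout, then show the lists behind RestrictRun / DisallowRun if present.
$found = Get-LockoutPolicies
if ($found) {
    $found | Format-Table -AutoSize
    foreach ($sub in 'RestrictRun', 'DisallowRun') {
        $listKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\$sub"
        if (Test-Path $listKey) {
            Write-Host "Programs listed under $sub :"
            (Get-ItemProperty -Path $listKey).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { "  $($_.Value)" }
        }
    }
} else {
    Write-Host 'No known lockout policy values are set.'
}
```

On a domain-joined machine some of these values may be set legitimately by Group Policy, so a non-zero result is a finding to explain, not proof of infection by itself. Clearing them only restores the tools; as several posters note, it says nothing about what else the dropper installed.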
If you are going to engage in unsafe browsing, best not be an administrator.
See, and that's why I wouldn't trust anything short of a full format and re-install (or trusted image, of course) with an infection of this nature. You can't know what extras your particular version brought with it.
Rootkit keyloggers are no joke. This particular virus is un-typical in that it makes its existence on the system abundantly clear. Most malware these days are designed specifically to lay low and only use resources in ways unlikely to alert the user that their system is compromised. Piggy-backing on a noisy decoy delivery system (this virus) would be a very plausible vector into the system for a keylogger, porn spambot or other malware to take.
I agree with the point about running as an Administrator (although for Windows users that means you're either running a crippled system that won't install or run a variety of software, especially games, in "User Mode" on XP, or you're compelled to upgrade to Vista)
But I believe that labeling browsing as "Unsafe" can be a bit of a distinction without a difference. Consider:
Washington Post: Three Quarters of Malicious Web Sites Are Hacked
PC Magazine: Study: 60 Percent of Top Sites Involved in Online Attacks
LOL. I wouldn't go to most of these sites from a business computer, and at home I would be on my toes.
AOL, Facebook, Geocities, Google’s Blogspot and Google Pages, and Rapidshare, Hubbard said.
Most of the Web sites either hosted malicious content or silently redirected visitors from trusted pages to hostile sites. Hubbard said the redirect most favored by attackers is at DoubleClick, one of the Internet's largest online ad companies.
Spyware Blaster puts doubleclick and a thousand other ad servers in the restricted zone. You will never request anything from them.
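What Spyware Blaster does for the "restricted zone" is a registry change to the Internet Explorer zone map: a domain placed in zone 4 (Restricted sites) gets that zone's locked-down settings whenever Internet Explorer, or any program that honours WinINet security zones, loads content from it. The script below is an added example written for this thread, not Spyware Blaster's code; it assumes a Windows host with PowerShell and uses a small constructed list of ad-server domains in place of the tool's much longer one.

```powershell
# Added example: put domains into the Internet Explorer "Restricted sites" zone
# (zone id 4) for the current user, the same registry mechanism Spyware Blaster uses.
# The ZoneMap\Domains\<domain> key with a "*" DWORD value applies to all schemes.
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$RestrictedZone = 4

# Constructed sample list; a real deployment would use a maintained block list.
$AdDomains = @('doubleclick.net', 'example-ads.invalid', 'tracker.example')

function Add-RestrictedDomain {
    param([Parameter(Mandatory)][string]$Domain)
    $key = Join-Path $ZoneMapDomains $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # "*" covers http, https and every other scheme for this domain.
    New-ItemProperty -Path $key -Name '*' -PropertyType DWord -Value $RestrictedZone -Force | Out-Null
}

function Get-RestrictedDomains {
    # Return every domain currently mapped to zone 4, so the change can be verified or audited.
    if (-not (Test-Path $ZoneMapDomains)) { return @() }
    Get-ChildItem -Path $ZoneMapDomains | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($props.'*' -eq $RestrictedZone) { $_.PSChildName }
    }
}

function Remove-RestrictedDomain {
    # Undo for a single domain; useful when a legitimate site was caught by the list.
    param([Parameter(Mandatory)][string]$Domain)
    $key = Join-Path $ZoneMapDomains $Domain
    if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
}

# Usage: apply the list, then read it back.
foreach ($d in $AdDomains) { Add-RestrictedDomain -Domain $d }
Write-Host 'Domains now in the Restricted sites zone:'
Get-RestrictedDomains | ForEach-Object { "  $_" }
```

The read-back function is the part worth keeping: it shows whether a blocking tool actually wrote what it claimed, and it is also how you would spot a domain that malware has quietly moved into the Trusted sites zone (id 2) instead. Note that the zone map is honoured only by Internet Explorer and WinINet-based applications; Firefox and other browsers ignore it, which is why Spyware Blaster shipped a separate mechanism for Firefox.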
Yup. The only solution when you've been rooted is reinstall from trusted media.
Actually, he wasn't browsing - He got hit by an email attachment. Using Outlook or Outlook Express, I'm not sure which. And he had the preview pane turned on, which it seems launched the installation before he could delete the email. I'm not 100% sure how he got hit, since he doesn't really know much about computers. But he did set up his computer himself, and of course, when Windows prompted him to set up a user account, it set up the account with administrative privileges.
Mark
Having once worked in an environment that required C2 level security, I'm a strong believer in the "once a system's been compromised, it can no longer be trusted."
Anytime my home computer is flagged by AV or other malware software, out comes the big guns, and I run all sorts of scans, just to play it safe.
It doesn't happen very often, and in fact, nearly all are false positives (like when I switched to Avast, it flagged a bunch of my files as false positives.)
Mark
A clean Windows install replaces all system files and replaces the registry. I have done this, not often, but more than a dozen times so far. It leaves documents intact. Any lurking virus files are disconnected from the registry and will not run unless manually activated.
Presumably the first thing to be reinstalled would be a fresh copy of the virus scanner, which should find any malware files. If it doesn’t, you’re screwed anyway.
I just got finished fixing a PC after this nasty infected it. In the end, to fix the corrupted files I had to wipe her clean and reinstall Winders. What a pain.
Having read all the comments in this thread, I know most of the technical comments would be incomprehensible to the average computer user - the kinds of people that turn to me for help. Many of you are highly technical, but most users aren’t. They either don’t realize how bad the security problem is, or else they try to ignore the problem and keep computing until the PC won’t run. After my son’s Windows PC got clobbered a few times, I decided to make a radical change. Now he boots his PC from a Ubuntu Linux CD. There is nothing for a virus or worm to corrupt, because a CD cannot be overwritten. In the unlikely event that the Linux session was ever compromised, you turn off the PC and poof! the virus is gone. I’m running the FireFox browser on a Linux PC right now and it looks just the same as if running on a Windows PC.
It asked me whether I wanted to d/l the file...does it not give the option to some people?