Page 4 of 6 (results 46 to 60 of 82)
  1. #46
    Joined
    May 2002
    Location
    Connecticut
    Age
    68
    Posts
    12,900

    Re: Antivirus xp 2008

    Quote Originally Posted by Mjölnir View Post
    I know XP Antivirus 2008 is doing the rounds, but I'd like to stress again that Antivirus XP 2008 is a different program. All those who have been infected, are you sure of which one you were infected by?

    In any case, tomorrow I will rewrite and post that automated fix I made for XP Antivirus 2008.
    Mine was actually Vista Antivirus XP 2008. It was a nasty one, and though I thought I had it several times, it didn't take long for it to start screwing up, even with several things in quarantine. The thing that got me was that Windows 1 found stuff AVG didn't, and CA (Yahoo) found stuff the others didn't. At that point I wouldn't feel safe even if nothing more happened. Besides, it gave me a chance to test a SATA drive I had here and double the capacity at the same time to 160. I was using XP Home. The security panel that popped up was a very good fake of the MS panel. It also changed the wallpaper on the desktop to a biohazard symbol with a red background, that you could click and drag off to see your real desktop. The worst part was that at one point I was gonna click on install and buy the stupid thing.
    Last edited by BIGDADDY51; 07-11-2008 at 03:56 PM.
    http://forums.pcper.com/trading.php TRADING RULEZ!! BIGDADDY51 I've joined the QUAD CROWD! ASUS M3A78 & a 9850

  2. #47
    Joined
    Dec 2000
    Posts
    1,736

    Re: Antivirus xp 2008

    Quote Originally Posted by Mjölnir View Post
    I know XP Antivirus 2008 is doing the rounds, but I'd like to stress again that Antivirus XP 2008 is a different program. All those who have been infected, are you sure of which one you were infected by?

    In any case, tomorrow I will rewrite and post that automated fix I made for XP Antivirus 2008.

    Now that is what it seems to be on this one; mine may have been the one with the flipped words for the XP one, as it seems BigDaddy's was a Vista version of it. Basically we have all been comparing blueberries to huckleberries (very close and similar, but not the same....) lol

  3. #48
    Joined
    Mar 2003
    Location
    Central Virginia, USA
    Age
    70
    Posts
    5,302

    Re: Antivirus xp 2008

    Actually, when I first Googled it, the one that killed me [XP in the middle] was tied to the Vista version of BD51's issues. I honestly think [not questioning anyone's abilities] the one that was beaten or "fixed" is the "older" version with XP in front? Maybe they learned from that one..........

    Why F@H?? Click me!
    As of 07/28/11
    Oz1a v2.0 >> XFX MDA72P7509 750a, PI X2 8870BE, 2 x XFX GTS250, WD 250GB, F2-8500CL5D-2GBPK, Tt TR2 600W, XP Pro SP3

  4. #49
    Joined
    Jul 2003
    Location
    Long Beach CA
    Age
    60
    Posts
    4,773

    Re: Antivirus xp 2008

    Well, I wish I could be more help on the vector. I DID click on the picture of the smoking hot babe and that's when the virus hit. I don't believe just following the link was the issue.

    To be honest, the symptoms were the same as everyone is describing; however, it was late and I was very tired, so I didn't dig into it. I simply cut my losses and wiped the drive.

    Heck, I didn't even bother to look at the phoney virus removal site it directed my browser to.

    PS. That was with a freshly updated AVG Free 8.0 running, and SP3 and all the Windows updates current.
    Game - BIOSTAR TA785 A2+ / Phenom II X4 965 Black Edition Deneb 3.4GHz 125W / Patroit 8GB DDR2 800 CAS 4 Timing: 4-4-4-12 / Sapphire HD 6870 1GB / Antec Three Hundred Case / PC Power & Cooling S61EPS 610W / X-Fi XtremeGamer / Western Digital 640GB 7200 RPM SATA 3.0Gb/s /Windows Vista home premium 64 SP1

    Back up - Biostar 6100-939 / A64 3800 Venice(Stock 2.4) / 1.5 GB Corsair XMS 3200 / HD3870

  5. #50
    Joined
    Dec 2000
    Posts
    1,736

    Re: Antivirus xp 2008

    So you were asking what someone was doing when they got the initial popup screen for this; well, I just got one, the Vista version of it.
    I was looking at this page http://linuxappfinder.com/alternatives and clicked "next" at the bottom right, and it popped up instead of going to the next page. No idea, as I do not know code or anything (even conduct, lol), as to why clicking the next button on that page made it pop up....just a tidbit of info.

    I tried to replicate it and it didn't pop up the second time there.

  6. #51
    Joined
    May 2001
    Location
    MS,LA,GA,& AR
    Posts
    4,439

    Re: Antivirus xp 2008

    OK. I have skimmed all the above posts. Seems my son's lappy has it. (hehe - seems he's "not sure" where he got it). We tried to download the updated SuperDAT from McAfee that he had to get from them last spring for another problem. The SuperDAT did download (he thinks). After the two-hour scan in DOS, his computer is worse! Popups are much more persistent now.

    Now, nothing will download from the internet at all from any AV site.....from Safe Mode.

    I am out of town, so I've been working via phone with my wife. (The son is now burnt out after 3 solid days of working on it [and not calling me first! wtf?])

    Anywhoo..... She has tried IE, Mozilla and Safari - none of which will permit any downloads (of HouseCall or anything). LOL, Mozilla won't even launch now!!!

    Still in Safe Mode......with networking.

    Out of desperation, I've just told her to log on to my AOL account and, for grins, try downloading the 14-day trial of McAfee from CNET - IT WORKED! We just finished downloading. Rebooted and are now scanning. I am dead tired of being on the phone for the past 4 hours with her [and him]. I am going to bed. I'll report back in the AM as to whether or not it is working. If not, I'll prolly try HouseCall next. I am thinking it could be sometime next week before an updated DAT is found that will work.....so I'll be running updates daily in order to find out.....fingers crossed! Can you believe AOL was the only 'browser' that would get past that download block????? That makes no sense!
    -TMack

    "Forgive everyone for everything"

  7. #52
    Joined
    May 2002
    Location
    Connecticut
    Age
    68
    Posts
    12,900

    Re: Antivirus xp 2008

    Quote Originally Posted by TMack409 View Post
    OK. I have skimmed all the above posts. Seems my son's lappy has it. (hehe - seems he's "not sure" where he got it). We tried to download the updated SuperDAT from McAfee that he had to get from them last spring for another problem. The SuperDAT did download (he thinks). After the two-hour scan in DOS, his computer is worse! Popups are much more persistent now.

    Now, nothing will download from the internet at all from any AV site.....from Safe Mode.

    I am out of town, so I've been working via phone with my wife. (The son is now burnt out after 3 solid days of working on it [and not calling me first! wtf?])

    Anywhoo..... She has tried IE, Mozilla and Safari - none of which will permit any downloads (of HouseCall or anything). LOL, Mozilla won't even launch now!!!

    Still in Safe Mode......with networking.

    Out of desperation, I've just told her to log on to my AOL account and, for grins, try downloading the 14-day trial of McAfee from CNET - IT WORKED! We just finished downloading. Rebooted and are now scanning. I am dead tired of being on the phone for the past 4 hours with her [and him]. I am going to bed. I'll report back in the AM as to whether or not it is working. If not, I'll prolly try HouseCall next. I am thinking it could be sometime next week before an updated DAT is found that will work.....so I'll be running updates daily in order to find out.....fingers crossed! Can you believe AOL was the only 'browser' that would get past that download block????? That makes no sense!
    Sure it does. AOL is the master when it comes to pop-ups. Windows One also downloaded when nothing else would, for me, and was the first one to find 3 of the trojans.

  8. #53
    Joined
    Jul 2003
    Location
    Long Beach CA
    Age
    60
    Posts
    4,773

    Re: Antivirus xp 2008

    It’s not that it was a good thing I got this Virus, because I lost some documents and pictures I hadn’t backed up lately, but it wasn’t a disaster. It was time to do a fresh install on that disk anyway and the old system is running better than ever now.

    I have the latest drivers for everything, and I also fixed the problem I had run across with ZoneAlarm. It forced me to FINALLY update my Winamp as well as several other old apps that are now upgraded.

    One thing I ran into that other people have talked about in another thread here was the windows updater not working properly. Luckily I knew the fix (Thanks to you guys) and got that running in short order.

    The biggest pain in the butt? That would be downloading the very large game patches for WoW. I’m going to see if I can work around that by saving specific files to an external disk, or perhaps I can make a disk image on my remote USB drive and update it from time to time… Will take some thought.

  9. #54
    Joined
    May 2001
    Location
    MS,LA,GA,& AR
    Posts
    4,439

    Re: Antivirus xp 2008

    Sheesh. Since the lappy is under warranty, I am just going to have the son call Dell. Nothing is making the problem any better.

    But the potential headache is that his original McAfee subscription expired last Saturday - 7/12/08. He claims the problem happened on the 10th or 11th.

    I'd almost swear McAfee is behind this....

    Dell's "4 year warranty" [that I paid extra for] - is for system hardware only.....
    So, now that I have discovered the Ctrl+F11 keystrokes (which launches the Symantec Ghosted image of the HD when new), I am just going to simply restore the bloody mess to new.

    Sheesh!
    Last edited by TMack409; 07-19-2008 at 07:51 AM.

  10. #55
    Joined
    Dec 2000
    Posts
    1,736

    Re: Antivirus xp 2008

    Quote Originally Posted by TMack409 View Post

    I'd almost swear McAfee is behind this....

    Now that is an idea I have pondered for years about any virus.......make one so peeps will buy my software to fix it........

  11. #56
    Joined
    Jun 2008
    Age
    28
    Posts
    39

    Re: Antivirus xp 2008

    I have come across both variants of this malware and beaten them. I would not recommend this for the average user because you can screw up your system pretty badly.

    First off, get your hands on Process Explorer by Sysinternals; you will need it. Through this you can run and browse anything on the computer. First you must kill the virus's process; it should show up highlighted in purple with the name of the program, i.e. Antivirus XP 2008. Figure out where the program has its main files stored and delete all of them, including its file in C:\programs.

    Now go to the top of Process Explorer and click the 5th and 6th buttons in from the left; this will show the DLLs and the lower pane. Then go to the top of your processes and click on the first one, let the DLLs load in the bottom pane and click to sort by company name, so that everything without a company name is on the top. Start going through all the processes and watch the bottom pane for .dll files without company names, and anything highlighted in purple. These are the files that you will want to delete; write the name and location down and continue on until you find everything. YOU WILL WANT TO RESEARCH WHAT YOU FIND BEFORE DELETING; if not, your printer and some programs will probably stop working.

    After all of that is done, clean out all temporary files, including C:\windows\temp and windows\prefetch. Reboot your computer and you should be able to do normal functions. If so, download anything needed to clean up the rest of the system; if not, either attempt to back up your data and reformat, or call a technician.
    Shane Motter
    -Computer Technician

    CompTIA A+, Network +, Security +, Linux + Certified Professional.

  12. #57
    Joined
    Apr 2001
    Location
    Los Angeles
    Posts
    21,104

    Re: Antivirus xp 2008

    Quote Originally Posted by Mjölnir View Post
    I actually wrote up an automated cleaning tool for XP Antivirus 2008 only to find out that Antivirus XP 2008 is a different beast. Very little info out there on Antivirus XP 2008 - not enough to automate a removal tool. AFAICT, Antivirus XP 2008 generates random filenames, whereas XP Antivirus 2008 has a set list of files and registry keys.....
    Usually I don't fully start the system to see what the desktop looks like, takes too long and isn't really helpful, so I never really know whether it says XP antivirus or Virus Heat or what. But noticed this one the other day because of the thread, so saved some logs, in case anyone wants to look. This was Antivirus XP 2008. There are several other rogue applications mixed in, but here are some log portions that mostly concern the trojans.

    Some HijackThis entries. Bunch of trojans. These look like Vundo entries.
    Code:
    O2 - BHO: (no name) - {0B042B90-348B-4A9C-A404-8218244177C8} - C:\WINDOWS\system32\nnnlkIbb.dll
    O2 - BHO: (no name) - {39D67F39-6F48-438A-80A2-F86FE363C215} - C:\WINDOWS\system32\rqRHywvu.dll
    O2 - BHO: QXK Olive - {63EE8DD1-D0EB-4A34-B133-E38B41307B27} - C:\WINDOWS\gfetqaxsqsb.dll (file missing)
    O2 - BHO: {aeb3326e-b45d-08ab-fb84-69c865b323d7} - {7d323b56-8c96-48bf-ba80-d54be6233bea} - C:\WINDOWS\system32\tbudkl.dll
    O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll
    O3 - Toolbar: gxvpsafm - {A7AD16DA-8E3D-4914-A1D3-8120A2E96BCD} - C:\WINDOWS\gxvpsafm.dll
    
    O4 - HKLM\..\Run: [lphc9b2j0eg23] C:\WINDOWS\system32\lphc9b2j0eg23.exe
    O4 - HKLM\..\Run: [SMshceb2j0eg23] C:\Program Files\shceb2j0eg23\shceb2j0eg23.exe
    O4 - HKLM\..\Run: [4418821a] rundll32.exe "C:\WINDOWS\system32\hlqibnwi.dll",b
    
    O4 - HKCU\..\Run: [WinSpywareProtect (ver. 5.1)] "C:\Documents and Settings\All Users\Application Data\Adsl Software Limited\WinSpywareProtect\WinSpywareProtect.exe" /autorun
    
    
    O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
    O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
    
    O20 - Winlogon Notify: rqRHywvu - C:\WINDOWS\SYSTEM32\rqRHywvu.dll
    So if anyone is trying to kill these things with remote editing, be aware of random file names; that is what they look like up there. Your infection will have different names, and they probably won't show up on Google. Just about every other file in a computer will.

    http://www.google.com/search?source=...=Google+Search

    Some of the SDFix log. More randomness.
    Code:
    C:\Program Files\rhccb2j0eg23\database.dat - Deleted
    C:\Program Files\rhccb2j0eg23\license.txt - Deleted
    C:\Program Files\rhccb2j0eg23\MFC71.dll - Deleted
    C:\Program Files\rhccb2j0eg23\MFC71ENU.DLL - Deleted
    C:\Program Files\rhccb2j0eg23\msvcp71.dll - Deleted
    C:\Program Files\rhccb2j0eg23\msvcr71.dll - Deleted
    C:\Program Files\rhccb2j0eg23\rhccb2j0eg23.exe.local - Deleted
    C:\Program Files\rhccb2j0eg23\rhccb2j0eg23Skin.dll - Deleted
    C:\Program Files\rhccb2j0eg23\Uninstall.exe - Deleted
    C:\WINDOWS\SYSTEM32\PPHC9B~1.EXE - Deleted
    C:\WINDOWS\system32\rqRHywvu.dll - Deleted
    C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\privacy_danger\index.htm - Deleted
    C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\privacy_danger\images\capt.gif - Deleted
    C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\privacy_danger\images\danger.jpg - Deleted
    C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\privacy_danger\images\down.gif - Deleted
    C:\DOCUME~1\CHARLE~1\LOCALS~1\Temp\privacy_danger\images\spacer.gif - Deleted
    C:\Documents and Settings\All Users\Desktop\Online Security Guide.url - Deleted
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url - Deleted
    C:\Documents and Settings\All Users\Desktop\Security Troubleshooting.url - Deleted
    C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url - Deleted
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk - Deleted
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk - Deleted
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk - Deleted
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk - Deleted
    C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk - Deleted
    SDFix got rid of XP 2008 and all the others. I am pretty sure that I've used ComboFix lately on the same thing; it got it too.

    In this particular case, I had to use a BartPE disk to delete one last single Vundo DLL that was still launching; I couldn't find the entry point doing remote registry editing. A lot of these lately have been hard to find.

    Sick Willie, I think the vector for a good portion of the systems I've been seeing lately has been those spammed e-mails pushing videos with links ending in Video.exe or Watch.exe. But then again, I have a lot of people who don't do e-mail and say they have only been to normal web pages, like reported above. So maybe some ad servers were being attacked and compromised? It is hard to say, as some trojans will wait for a while, maybe days, before actually downloading and installing something.
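    The two posts above describe the same triage done by hand: sorting Process Explorer's DLL pane so modules with no company name float to the top (post #56), and reading machine-generated file names out of a HijackThis log (post #57). The block below is an added example, not code from the thread or from HijackThis/Process Explorer, that applies those heuristics in Python. The HijackThis lines are the ones quoted above; the benign control entries (the Adobe BHO, ctfmon, shell32), the unsigned printer DLL in the module listing and the KNOWN_GOOD set (a stand-in for the "does it show up on Google" check) are constructed. The scores are hints about what to research first, not verdicts: ctfmon.exe trips the vowel heuristic just like the rogue files do, which is exactly why the "research before deleting" warning in post #56 applies.

```python
"""Heuristic triage of HijackThis autostart lines and a loaded-module listing.

Added example, not code from the thread or from HijackThis/Process Explorer.
The rogue entries in HJT_SAMPLE are the ones quoted in the post; the benign
controls, the printer DLL in MODULES_SAMPLE and the KNOWN_GOOD set are constructed.
"""
import re
from dataclasses import dataclass

HJT_SAMPLE = r"""
O2 - BHO: (no name) - {0B042B90-348B-4A9C-A404-8218244177C8} - C:\WINDOWS\system32\nnnlkIbb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QXK Olive - {63EE8DD1-D0EB-4A34-B133-E38B41307B27} - C:\WINDOWS\gfetqaxsqsb.dll (file missing)
O3 - Toolbar: gxvpsafm - {A7AD16DA-8E3D-4914-A1D3-8120A2E96BCD} - C:\WINDOWS\gxvpsafm.dll
O4 - HKLM\..\Run: [lphc9b2j0eg23] C:\WINDOWS\system32\lphc9b2j0eg23.exe
O4 - HKLM\..\Run: [SMshceb2j0eg23] C:\Program Files\shceb2j0eg23\shceb2j0eg23.exe
O4 - HKLM\..\Run: [4418821a] rundll32.exe "C:\WINDOWS\system32\hlqibnwi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [start] C:\Program Files\NetProject\sbmntr.exe
O20 - Winlogon Notify: rqRHywvu - C:\WINDOWS\SYSTEM32\rqRHywvu.dll
"""

# Constructed stand-in for Process Explorer's lower pane: (process, module path, company name).
MODULES_SAMPLE = [
    ("explorer.exe", r"C:\WINDOWS\system32\shell32.dll", "Microsoft Corporation"),
    ("explorer.exe", r"C:\WINDOWS\system32\rqRHywvu.dll", ""),
    ("winlogon.exe", r"C:\WINDOWS\system32\nnnlkIbb.dll", ""),
    ("spoolsv.exe", r"C:\WINDOWS\system32\spool\drivers\w32x86\3\prndrv.dll", ""),  # made-up unsigned driver
]

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}")
DIGIT_MIX = re.compile(r"[a-z]+\d+|\d+[a-z]+")
WIN_PATH = re.compile(r'[a-z]:\\(?:[^"\\/:*?<>|\r\n]+\\)*[^"\\/:*?<>|\r\n]+?\.(?:dll|exe)', re.I)
# Stand-in for "does this name show up on Google / in a vendor file list".
KNOWN_GOOD = {"ctfmon.exe", "shell32.dll", "acroiehelper.dll"}
KNOWN_NOTE = "well-known name: verify location and signature instead"


@dataclass
class Finding:
    kind: str
    path: str
    score: int
    reasons: list


def name_reasons(filename):
    """Signals that a file name was generated rather than chosen by a developer."""
    stem = filename.rsplit(".", 1)[0].lower()
    reasons = []
    if len(stem) < 6:
        return reasons
    letters = [c for c in stem if c.isalpha()]
    if letters and sum(c in VOWELS for c in letters) / len(letters) < 0.2:
        reasons.append("few vowels")
    if CONSONANT_RUN.search(stem):
        reasons.append("long consonant run")
    if re.search(r"q(?!u)", stem):
        reasons.append("q not followed by u")
    if len(DIGIT_MIX.findall(stem)) >= 3:
        reasons.append("letters and digits interleaved")
    return reasons


def assess_hjt_line(line):
    """Score one HijackThis line; None for lines that carry no Windows path."""
    m = WIN_PATH.search(line)
    if not m:
        return None
    path = m.group(0)
    parts = path.split("\\")
    fname = parts[-1]
    if fname.lower() in KNOWN_GOOD:
        return Finding("autostart", path, 0, [KNOWN_NOTE])
    reasons = name_reasons(fname)
    value_name = re.search(r"\[([^\]]+)\]", line)
    checks = [
        ("(file missing)" in line, 3, "orphaned entry, file missing"),
        (line.startswith("O2 ") and "(no name)" in line, 1, "BHO without a name"),
        (line.startswith("O20 "), 1, "Winlogon Notify hook"),
        ("Policies\\Explorer\\Run" in line, 1, "uncommon autostart location"),
        (len(parts) >= 2 and parts[-2].lower() == fname.rsplit(".", 1)[0].lower(), 2, "self-named folder"),
        (bool(value_name and re.fullmatch(r"[0-9a-f]{6,}", value_name.group(1))), 1, "hex-like autostart value name"),
    ]
    score = len(reasons)
    for hit, weight, why in checks:
        if hit:
            score += weight
            reasons.append(why)
    return Finding("autostart", path, score, reasons)


def triage_hjt(log_text):
    findings = [assess_hjt_line(l) for l in log_text.splitlines()]
    return sorted((f for f in findings if f), key=lambda f: -f.score)


def assess_module(process, path, company):
    """Same name heuristics plus the 'no company name' column Process Explorer sorts on."""
    fname = path.split("\\")[-1]
    if fname.lower() in KNOWN_GOOD:
        return Finding(f"module in {process}", path, 0, [KNOWN_NOTE])
    reasons = name_reasons(fname)
    score = len(reasons)
    if not company.strip():
        score += 2
        reasons.append("no company name in version info")
    return Finding(f"module in {process}", path, score, reasons)


def triage_modules(records):
    return sorted((assess_module(*r) for r in records), key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE) + triage_modules(MODULES_SAMPLE):
        print(f"{f.score:>2}  {f.kind:<22} {f.path}\n    {', '.join(f.reasons)}")
```

    Run it as-is and the orphaned `gfetqaxsqsb.dll` entry lands on top, the self-named `shceb2j0eg23` folder and the Winlogon Notify DLL next; the made-up `prndrv.dll` scores the same as the real Vundo modules, which is the false positive the posts warn about and the reason the name still has to be looked up before anything is deleted.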

  13. #58
    Joined
    Jul 2003
    Location
    Australia
    Posts
    14,223

    Re: Antivirus xp 2008

    Quote Originally Posted by Senor Panadero View Post
    Usually I don't fully start the system to see what the desktop looks like, takes too long and isn't really helpful, so I never really know whether it says XP antivirus or Virus Heat or what. But noticed this one the other day because of the thread, so saved some logs, in case anyone wants to look. This was Antivirus XP 2008. There are several other rogue applications mixed in, but here are some log portions that mostly concern the trojans.
    I do start the system so that I can see what I'm working with. In many cases, they don't generate random filenames and it's easy to find removal instructions and write up an automated cleaner for use with combofix or BFU before proceeding with manual checks. Another benefit of that is that various utilities may have lost full functionality as long as the offending software is installed. There are several sites with removal instructions for XP Antivirus, although few of them list all of the files and registry changes. There are two advantages to doing it this way - you should be able to catch all the changes made by this software without having to rely on utilities to find them, reducing the chance of human error. It reduces the number of files you'll need to search for details on.

    Many of the infections I've seen were from people visiting certain sites (not necessarily porn or piracy sites) and having a pop-up that looks quite legitimate telling them that their PC is horribly infected.

  14. #59
    Joined
    Nov 2001
    Location
    I've moved.....I'm over here now.
    Age
    61
    Posts
    7,290

    Re: Antivirus xp 2008

    Quote Originally Posted by Senor Panadero
    Sick Willie, I think the vector for a good portion of the systems I've been seeing lately have been through those spammed e-mails pushing videos with links ending in Video.exe or Watch.exe. But then again, have a lot of people that don't do e-mail, and say they have only been to normal web pages, like reported above. So maybe some ad servers were being attacked and compromised? It is hard to say as some trojans will wait for a while, maybe days, before actually downloading and installing something.
    The website vector is where everyone is telling me they must've gotten it. No one has mentioned email at all.

  15. #60
    Joined
    Jul 2001
    Location
    UK
    Age
    51
    Posts
    20,229

    Re: Antivirus xp 2008

    Quote Originally Posted by Senor Panadero View Post
    Sick Willie, I think the vector for a good portion of the systems I've been seeing lately have been through those spammed e-mails pushing videos with links ending in Video.exe or Watch.exe. But then again, have a lot of people that don't do e-mail, and say they have only been to normal web pages, like reported above. So maybe some ad servers were being attacked and compromised? It is hard to say as some trojans will wait for a while, maybe days, before actually downloading and installing something.
    Those video.exe, watch.exe and view.exe email links doing the rounds atm are definitely Storm. There was some talk a while back about other infections getting pushed with Storm, but I haven't really seen any evidence to support that.

    Most Vundo infections appear to be coming from visiting malicious/infected websites via iFrame, JavaScript and SQL injections.
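    The iframe/JavaScript injections named in the post above as the main Vundo vector (and the "normal web pages" reports in posts #50, #57 and #59) leave recognisable marks in the page the browser receives: an iframe sized 0x0 or styled invisible, and scripts that build markup through unescape, String.fromCharCode or eval. The block below is an added example, not code from the thread, that scans a fetched page for those marks. The HTML and the hostnames (RFC 2606 example domains) are constructed; the third-party-iframe indicator is a review hint only, since legitimate embeds also come from other hosts, and the block says nothing about the SQL-injection side, which is how the iframe gets into the page rather than how it shows in it.

```python
"""Indicators of an injected iframe/script in a page served by a compromised site.

Added example, not code from the thread. SAMPLE_HTML is constructed: a plain
shop page with two iframes and two obfuscated scripts appended before </body>,
the shape of injection the post refers to. Hostnames are RFC 2606 reserved
example domains.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """<html><head><title>Store</title>
<script src="/js/menu.js"></script></head>
<body>
<p>Welcome to our store.</p>
<iframe src="http://www.example.com/embed/player" width="480" height="360"></iframe>
<iframe src="http://ads.example.net/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fads.example.net%2Fx.php%22%20style%3D%22display%3Anone%22%3E%3C%2Fiframe%3E'));</script>
<script>var s=String.fromCharCode(60,105,102,114,97,109,101,32);eval(s);</script>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)
OBFUSCATION = [
    ("unescape of percent-encoded markup", re.compile(r"""unescape\(\s*['"]%(?:3c|u)""", re.I)),
    ("String.fromCharCode with a long code list", re.compile(r"String\.fromCharCode\((?:\s*\d+\s*,){6,}")),
    ("eval of a built string", re.compile(r"\beval\(\s*[A-Za-z_$]")),
]


class InjectionScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []          # (indicator, detail)
        self._script = None         # buffer while inside <script>

    def _foreign(self, url):
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.page_host

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            src = a.get("src", "")
            tiny = "width" in a and all(a.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
            if tiny or HIDDEN_STYLE.search(a.get("style", "")):
                self.findings.append(("hidden/zero-size iframe", src))
            elif self._foreign(src):
                self.findings.append(("third-party iframe (review)", src))
        elif tag == "script":
            self._script = []
            if self._foreign(a.get("src", "")):
                self.findings.append(("third-party script src", a["src"]))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            text = "".join(self._script)
            for label, pattern in OBFUSCATION:
                if pattern.search(text):
                    self.findings.append((label, text.strip()[:60]))
            self._script = None


def scan_html(html, page_host):
    """Return (indicator, detail) pairs for one page fetched from page_host."""
    scanner = InjectionScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for indicator, detail in scan_html(SAMPLE_HTML, "shop.example.org"):
        print(f"{indicator:<42} {detail}")
```

    On the sample the 0x0 iframe and all three obfuscation patterns are reported, and the legitimate player embed comes back only as a review item; point it at a saved copy of a page a user swears was "just a normal website" and the appended block before `</body>` is usually where these show up.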
