BleepingComputer.com: Antivirus 2008 Xp


Forum Rules

When posting your problem, do not run and post a ComboFix log. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.


If you have not received help after three days, please post a link to your topic HERE.

Antivirus 2008 Xp Spyware Malware

#1 beddo

  • New Member
  • Group: Members
  • Posts: 2
  • Joined: 07-August 08

Posted 07 August 2008 - 06:56 AM

Hi,

My father-in-law accidentally installed a programme called Antivirus 2008 XP.

I have looked at tutorials for removing Antivirus XP 2008; however, this is slightly different software. It looks very similar but it doesn't have any of the same processes running. There are no obvious processes when I look in Task Manager.

When the PC starts it loads the Antivirus 2008 XP prompting me to buy a licence or keep using the evaluation. It goes when I end task it. When I use IE it keeps coming up with rubbish like you are browsing and it could be unsafe, buy our programme.


I ran a McAfee scan which was about as useless as I expected, it came with nothing.

I downloaded Spybot Search and Destroy; it found some tracking cookies but nothing specifically relating to the software.

I installed Ad-Aware; it found a few things but they were mostly tracking cookies again.

I checked the startup options in Spybot and found this:

Located: HK_CU:Run, s9201 (DISABLED)
where: S-1-5-21-2797920344-609132980-2615088823-1007...
command: "C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\av2008xp.exe" /autorun
file: C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\av2008xp.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



So I disabled it from startup.

I went to: C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\av2008xp.exe and scanned the file with Spybot and McAfee but they came up with nothing.

I restarted and it didn't launch the Antivirus 2008 XP which seems good.

I decided to use Spybot's file shredder to delete all the entries in Antivirus 2008 XP. I ran regedit but couldn't find any related entries.

I think that it may be running from within IE but nothing bad is happening. I have switched to firefox now.

Is there any way I can be sure that it has gone?

#2 Behemoth

  • New Member
  • Group: Members
  • Posts: 10
  • Joined: 01-August 08
  • Gender: Male
  • Location: SC, USA

Posted 07 August 2008 - 07:17 AM

Follow quietman7's instructions in this post : Malware Removal and that should make sure the Antivirus XP 2008 is removed. Hope this helps.
A+, Net+, MCP 270, 290

#3 beddo

  • New Member
  • Group: Members
  • Posts: 2
  • Joined: 07-August 08

Posted 07 August 2008 - 09:32 AM

I'm hoping that it will work. Got this logfile in case it helps anyone else:

Malwarebytes' Anti-Malware 1.24
Database version: 1030
Windows 5.1.2600 Service Pack 3

15:30:24 07/08/2008
mbam-log-8-7-2008 (15-30-24).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 146800
Time elapsed: 1 hour(s), 58 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{53dc8eba-f922-171c-b1ad-98d7609ffd30} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53dc8eba-f922-171c-b1ad-98d7609ffd30} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mxlivemedia (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SoftLand Ltd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{6b5b8f1f-1f37-eb89-f574-0e85c7327903} (Trojan.Clicker) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ibnjqsquwzs.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dgahwrxawnpy.exe (Malware.Trace) -> Quarantined and deleted successfully.
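The log above is the kind of report a helper reads by hand; as an added example that is not part of the original thread or of Malwarebytes itself, the Python below parses that report layout into structured findings, checks that the declared counts in the summary block agree with the detail entries, flags the entries that live in autostart locations (the Run value and the Browser Helper Object CLSID), and separates actions that completed from ones still pending. It also covers the Spybot startup entry in the first post: a reported size of 0 with MD5 D41D8CD98F00B204E9800998ECF8427E is the hash of zero bytes, so that checksum says nothing about the real file. The sample log is constructed from the entries quoted in the thread, shortened to the sections that matter; the regular expressions and function names are this example's own, not a Malwarebytes API.

```python
import hashlib
import re

# Constructed sample in the Malwarebytes' Anti-Malware 1.x report layout,
# built from the entries quoted in the thread (some empty sections omitted).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.24
Database version: 1030
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 146800

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{53dc8eba-f922-171c-b1ad-98d7609ffd30} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53dc8eba-f922-171c-b1ad-98d7609ffd30} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mxlivemedia (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SoftLand Ltd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{6b5b8f1f-1f37-eb89-f574-0e85c7327903} (Trojan.Clicker) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ibnjqsquwzs.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dgahwrxawnpy.exe (Malware.Trace) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 4"  (summary block, with a count)
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "Registry Keys Infected:"    (detail block header, no count)
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<family>) -> <action>"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")

# Autostart locations a helper looks at first; markers chosen for this example.
PERSISTENCE_MARKERS = ("\\currentversion\\run\\", "\\browser helper objects\\")

# MD5 of zero bytes: what Spybot reported for the 0-byte av2008xp.exe entry.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()


def parse_mbam_log(text):
    """Return (summary_counts, findings) from an MBAM 1.x style report."""
    summary, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = HEADER_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            findings.append({"section": section, **m.groupdict()})
    return summary, findings


def reconcile(summary, findings):
    """Sections whose declared count differs from the entries actually listed."""
    seen = {}
    for f in findings:
        seen[f["section"]] = seen.get(f["section"], 0) + 1
    return {s: (n, seen.get(s, 0)) for s, n in summary.items() if seen.get(s, 0) != n}


def persistence_findings(findings):
    """Registry findings sitting in autostart locations (Run values, BHOs)."""
    return [f for f in findings if f["section"].startswith("Registry")
            and any(mk in f["item"].lower() for mk in PERSISTENCE_MARKERS)]


def pending_findings(findings):
    """Entries whose action did not complete (e.g. still waiting on a reboot)."""
    return [f for f in findings if "successfully" not in f["action"].lower()]


def hash_is_informative(size_bytes, md5_hex):
    """False when the reported hash is just the hash of nothing."""
    return size_bytes > 0 and md5_hex.lower() != EMPTY_MD5


if __name__ == "__main__":
    summary, findings = parse_mbam_log(SAMPLE_LOG)
    print("mismatched sections:", reconcile(summary, findings))
    for f in persistence_findings(findings):
        print("autostart:", f["item"], f["family"])
    print("pending:", [f["item"] for f in pending_findings(findings)])
    print("0-byte entry hash useful?", hash_is_informative(0, "D41D8CD98F00B204E9800998ECF8427E"))
```

Run against the sample, the reconcile step returns no mismatches, two Trojan.Clicker entries are flagged as autostart locations, and nothing is pending; the same pending check is what you would re-run on the post-reboot log that the next reply asks for, since MBAM defers some deletions until the machine restarts.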

#4 quietman7

  • Bleepin' Janitor
  • Group: Global Moderator
  • Posts: 25,511
  • Joined: 09-July 05
  • Gender: Male
  • Location: Virginia, USA

Posted 07 August 2008 - 02:24 PM

Rescan again with MBAM (Quick Scan) in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Also let me know how your computer is running and if there are any more reports/signs of infection.
Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
