
CNN.com Daily Top 10 and CNN Alerts: Breaking News Removal Guide (Uninstall Instructions)

Posted by Grinler on August 6, 2008 @ 01:18 PM · Views: 16,381

 

What this program does:

If you use e-mail, then you know that SPAM has become an epidemic in recent years. The problem with SPAM these days is that its creators make the e-mails look so legitimate that a user receiving one often won't know it is actually SPAM until it is too late. A new SPAM being sent with the subject of CNN.com Daily Top 10 or CNN Alerts: Breaking News shows this. It pretends to be a legitimate e-mail from CNN that links to the Daily Top 10 stories or breaking news alerts. In reality, though, none of the components of this SPAM/Malware infection are related to CNN at all. Instead, when you click on any of these links, you will be taken to a site that presents a screen stating that your Flash player is the incorrect version and that your browser cannot display the site unless you download the newer version first. It will then prompt you to download the get_flash_update.exe or adobe_flash.exe file, both of which are actually Trojans. The get_flash_update.exe and adobe_flash.exe files are detected by most anti-malware companies under the following names:

 

Vendor        Detected Name
McAfee        BackDoor-DNM
Avast         Win32:Trojan-gen {Other}
Microsoft     TrojanDropper:Win32/Nuwar
AVG           I-Worm/Nuwar.W
Panda         Trj/Exchanger.T
BitDefender   Trojan.Peed.JQP
Sophos        Mal/TibsPak
DrWeb         Trojan.DownLoad.3252
Symantec      Trojan.Erotpics
F-Prot        W32/Downldr2.DBQX
TrendMicro    TROJ_RENOS.AFT
Kaspersky     Trojan-Downloader.Win32.Agent.ytu

 

If the get_flash_update.exe or the adobe_flash.exe file is downloaded and installed on your computer, it will proceed to download further malware that is set to start automatically when you reboot. When the whole infection process is complete, you will notice that a variety of changes have occurred. The first change you will notice is that your Windows desktop background has been changed to a warning stating that Spyware was detected on your computer. Next, your screen saver will be changed to the SysInternals BlueScreen Screen Saver, which, when running, emulates your operating system crashing into a blue screen of death. Some of the messages that will appear on this blue screen are:

PAGE_FAULT_IN_NONPAGED_AREA
PANIC_STACK_SWITCH
MAXIMUM_WAIT_OBJECTS_EXCEEDED
NO_MORE_IRP_STACK_LOCATIONS
BAD_POOL_HEADER
IRQL_NOT_LESS_OR_EQUAL
KMODE_EXCEPTION_NOT_HANDLED
BOGUS_DRIVER
SYSINTERNALS_GREAT_SITE
UNEXPECTED_KERNEL_MODE_TRAP

Though the screen saver will make it appear that your computer has crashed, and even make it look like your computer is rebooting, in reality it still is only a screen saver. Simply press the space bar and you will go right back to your desktop. The malware will also disable your ability to change your desktop or screen saver by modifying the Windows Registry so that the tabs to change these settings are not visible. Last, but not least, the CNN Daily Top 10 malware will also download and install a rogue anti-spyware program onto your computer. Currently the rogue being installed is one called Antivirus XP 2008. This program will automatically run and scan your computer. When done, it will display a variety of false risks on your computer that cannot be removed unless you first purchase the software. Please do not buy this software, but rather use the guide below to remove all of the malware installed by this SPAM.

 

CNN Daily Top 10 Spam Email Message

 

This guide will walk you through removing the CNN.com Daily Top 10 and CNN Alerts malware pack.

 

Threat Classification:

 

Advanced information:

View CNN.com Daily Top 10 and CNN Alerts: Breaking News files.
View CNN.com Daily Top 10 and CNN Alerts: Breaking News Registry Information.

 

Entries for this program found in the Add or Remove Programs control panel:

AntivirXP08

 

Tools Needed for this fix:

 

Symptoms that may be in a HijackThis Log:

Some of these entries are random:

O4 - HKLM\..\Run: [lphcjkrj0etfg] C:\WINDOWS\system32\lphcjkrj0etfg.exe
O4 - HKLM\..\Run: [SMrhcnkrj0etfg] C:\Program Files\rhcnkrj0etfg\rhcnkrj0etfg.exe
O23 - Service: CbEvtSvc - Unknown owner - C:\WINDOWS\System32\CbEvtSvc.exe
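
Because some of the names above are random, a literal match on them will miss the same infection on another machine. The following is an added example, not part of the original guide, that triages a HijackThis log by the shape of these entries instead; the length and character rule for a random name and the two benign sample lines are assumptions.

```python
import re

# HijackThis line shapes: "O4 - HKLM\..\Run: [value] path" and
# "O23 - Service: name - owner - path".
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Assumption: random names are 10-16 lower-case letters/digits, as in the samples.
RANDOM_NAME = re.compile(r"^[a-z0-9]{10,16}$")
# The one fixed (non-random) service name listed in this guide.
FIXED_SERVICES = {"cbevtsvc"}

# Lines 1, 2 and 4 are the guide's entries; lines 3 and 5 are constructed benign ones.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [lphcjkrj0etfg] C:\WINDOWS\system32\lphcjkrj0etfg.exe
O4 - HKLM\..\Run: [SMrhcnkrj0etfg] C:\Program Files\rhcnkrj0etfg\rhcnkrj0etfg.exe
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
O23 - Service: CbEvtSvc - Unknown owner - C:\WINDOWS\System32\CbEvtSvc.exe
O23 - Service: ExampleSvc - Example Corp - C:\Program Files\Example\svc.exe
"""


def split_path(path):
    """Return (parent folder, file name without extension), lower-cased."""
    parts = path.lower().split("\\")
    parent = parts[-2] if len(parts) >= 2 else ""
    return parent, parts[-1].rsplit(".", 1)[0]


def triage(log_text):
    """Return (line, reason) pairs for entries shaped like the ones in this guide."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        o4, o23 = O4_RE.match(line), O23_RE.match(line)
        if o4:
            name = o4["name"].lower()
            parent, exe = split_path(o4["path"])
            if not RANDOM_NAME.match(exe):
                continue
            if name == exe and parent == "system32":
                findings.append((line, "random-named Run value in system32"))
            elif name == "sm" + exe and parent == exe:
                findings.append((line, "SM-prefixed Run value for same-named folder"))
        elif o23 and o23["name"].lower() in FIXED_SERVICES:
            findings.append((line, "service name listed in the guide"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

A hit is a prompt to inspect the file and its Run value, not a verdict; a legitimate program can share these shapes.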

 

Guide Updates:

08/06/08 - Initial guide creation.
08/13/08 - Updated to include CNN Alerts: Breaking News spam.

 


Automated Removal Instructions for CNN.com Daily Top 10 and CNN Alerts: Breaking News using Malwarebytes' Anti-Malware:

 

  1. Print out these instructions, as later in the fix we will need to close every window that is open.

  2. Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

    Malwarebytes' Anti-Malware Download Link


  3. Once downloaded, close all programs and windows on your computer, including this one.

  4. Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MBAM onto your computer.

  5. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.

  6. MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program as shown below.


    MalwareBytes Anti-Malware Screen

  7. On the Scanner tab, make sure that the Perform quick scan option is selected and then click on the Scan button to start scanning your computer for CNN.com Daily Top 10 and CNN Alerts: Breaking News related files.

  8. MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.


    MalwareBytes Anti-Malware Scanning Screen

  9. When the scan is finished a message box will appear as shown in the image below.


    MalwareBytes Anti-Malware Scan Finished Screen

    You should click on the OK button to close the message box and continue with the CNN.com Daily Top 10 and CNN Alerts: Breaking News removal process.

  10. You will now be back at the main Scanner screen. At this point you should click on the Show Results button.

  11. A screen displaying all the malware that the program found will be shown as seen in the image below.


    MalwareBytes Scan Results


    You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program's quarantine.

  12. When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.

  13. You can now exit the MBAM program.

  14. Now that MBAM has removed the Malware, we need to restore some of your settings back to their defaults and clean up some extra items. The first thing we are going to do is delete the rogue anti-spyware icons left in your Start Menu. To do this click on the Start button and then right-click on each of the Antivirus XP 2008 icons and select the Remove from This List option. Once you have removed the two icons, please continue with the next step.

  15. Right-click on an empty portion of your desktop and left-click on the Properties menu option.

  16. You should now be in your display properties at the Theme tab. In the Theme: drop down menu, select the Windows XP theme. Once selected, click on the Apply button and then the OK button. This will reset your desktop colors and background back to the original Windows XP defaults.

  17. At this point you can customize your computer's display settings as you desire.

Your computer should now be free of the CNN.com Daily Top 10 and CNN Alerts: Breaking News program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.

If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:

Preparation Guide For Use Before Posting A Hijackthis Log

 


 

Associated CNN.com Daily Top 10 and CNN Alerts: Breaking News Files:

Some of these entries are random:

c:\Program Files\rhcnkrj0etfg
c:\Program Files\rhcnkrj0etfg\database.dat
c:\Program Files\rhcnkrj0etfg\license.txt
c:\Program Files\rhcnkrj0etfg\MFC71.dll
c:\Program Files\rhcnkrj0etfg\MFC71ENU.DLL
c:\Program Files\rhcnkrj0etfg\msvcp71.dll
c:\Program Files\rhcnkrj0etfg\msvcr71.dll
c:\Program Files\rhcnkrj0etfg\rhcnkrj0etfg.exe
c:\Program Files\rhcnkrj0etfg\rhcnkrj0etfg.exe.local
c:\Program Files\rhcnkrj0etfg\Uninstall.exe
c:\WINDOWS\system32\blphcjkrj0etfg.scr
c:\WINDOWS\system32\CbEvtSvc.exe
c:\WINDOWS\system32\lphcjkrj0etfg.exe
c:\WINDOWS\system32\phcjkrj0etfg.bmp
c:\WINDOWS\system32\pphcjkrj0etfg.exe
c:\WINDOWS\system32\drivers\54c70b2e.sys
c:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg
c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine
c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine\Autorun
c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKCU
c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKCU\RunOnce
c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKLM
c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKLM\RunOnce
c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine\Autorun\StartMenuAllUsers
c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine\Autorun\StartMenuCurrentUser
c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine\BrowserObjects
c:\Documents and Settings\LocalService\Application Data\rhcnkrj0etfg\Quarantine\Packages

 

Associated CNN.com Daily Top 10 and CNN Alerts: Breaking News Windows Registry Information:

Some of these entries are random:

HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcnkrj0etfg
HKEY_LOCAL_MACHINE\SOFTWARE\rhcnkrj0etfg
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CBEVTSVC
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\54c70b2e
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\CbEvtSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CBEVTSVC
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\54c70b2e
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CbEvtSvc
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "NoDispBackgroundPage"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "NoDispScrSavPage"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "lphcjkrj0etfg"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SMrhcnkrj0etfg"

 


 

This is a self-help guide. Use at your own risk.

BleepingComputer.com cannot be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can post a HijackThis log in our HijackThis Logs and Analysis forum.

If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.

 

 





© 2003-2009 All Rights Reserved Bleeping Computer LLC.