
Antivirus 2008 Xp


3 replies to this topic

#1 beddo

  • Members
  • 2 posts

Posted 07 August 2008 - 06:56 AM

Hi,

My father-in-law accidentally installed a programme called Antivirus 2008 XP.

I have looked at tutorials for removing Antivirus XP 2008; however, this is slightly different software. It looks very similar but it doesn't have any of the same processes running. There are no obvious processes when I look in Task Manager.

When the PC starts it loads the Antivirus 2008 XP prompting me to buy a licence or keep using the evaluation. It goes when I end task it. When I use IE it keeps coming up with rubbish like you are browsing and it could be unsafe, buy our programme.


I ran a McAfee scan, which was about as useless as I expected; it came up with nothing.

I downloaded Spybot Search and Destroy; it found some tracing cookies but nothing specifically relating to the software.

I installed Ad-Aware, it found a few things but they were mostly tracing cookies again.

I checked the startup options in Spybot and found this:


Located: HK_CU:Run, s9201 (DISABLED)
where: S-1-5-21-2797920344-609132980-2615088823-1007...
command: "C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\av2008xp.exe" /autorun
file: C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\av2008xp.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!




So I disabled it from startup.

I went to: C:\Documents and Settings\All Users\Application Data\SoftLand Ltd\Antivirus 2008 XP\av2008xp.exe and scanned the file with Spybot and McAfee but they came up with nothing.

I restarted and it didn't launch the Antivirus 2008 XP which seems good.

I decided to use Spybot's file shredder to delete all the entries in Antivirus 2008 XP. I ran regedit but couldn't find any related entries.

I think that it may be running from within IE but nothing bad is happening. I have switched to Firefox now.

Is there any way I can be sure that it has gone?


#2 Behemoth

  • Members
  • 10 posts
  • Gender:Male
  • Location:SC, USA

Posted 07 August 2008 - 07:17 AM

Follow quietman7's instructions in this post: Malware Removal, and that should make sure the Antivirus XP 2008 is removed. Hope this helps.
A+, Net+, MCP 270, 290

#3 beddo

  • Topic Starter

  • Members
  • 2 posts

Posted 07 August 2008 - 09:32 AM

I'm hoping that it will work. Got this logfile in case it helps anyone else:

Malwarebytes' Anti-Malware 1.24
Database version: 1030
Windows 5.1.2600 Service Pack 3

15:30:24 07/08/2008
mbam-log-8-7-2008 (15-30-24).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 146800
Time elapsed: 1 hour(s), 58 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{53dc8eba-f922-171c-b1ad-98d7609ffd30} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53dc8eba-f922-171c-b1ad-98d7609ffd30} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mxlivemedia (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SoftLand Ltd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{6b5b8f1f-1f37-eb89-f574-0e85c7327903} (Trojan.Clicker) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ibnjqsquwzs.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dgahwrxawnpy.exe (Malware.Trace) -> Quarantined and deleted successfully.
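
An added example, not part of the original posts and not Malwarebytes' code: a small parser for the log format pasted above that checks the summary counts against the itemised entries (to catch a truncated paste) and lists the detections that sit in autostart locations, here the Run key and the Internet Explorer Browser Helper Objects key. The function and variable names are hypothetical; the sample lines are copied from the log above.

```python
import re
# Constructed sample: summary and item lines copied from the log posted above.
SAMPLE_LOG = r"""Registry Keys Infected: 4
Registry Values Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{53dc8eba-f922-171c-b1ad-98d7609ffd30} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53dc8eba-f922-171c-b1ad-98d7609ffd30} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mxlivemedia (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SoftLand Ltd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{6b5b8f1f-1f37-eb89-f574-0e85c7327903} (Trojan.Clicker) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ibnjqsquwzs.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dgahwrxawnpy.exe (Malware.Trace) -> Quarantined and deleted successfully.
"""

SUMMARY = re.compile(r"^([\w ]+ Infected): (\d+)$")   # "Files Infected: 2"
HEADER = re.compile(r"^([\w ]+ Infected):$")          # "Files Infected:"
ITEM = re.compile(r"^(.+?) \(([\w.]+)\) -> (.+)$")    # path (Detection) -> action
# Registry locations that start code at logon or inside Internet Explorer.
AUTOSTART = {"Run key": r"\\CurrentVersion\\Run\\",
             "Browser Helper Object": r"\\Browser Helper Objects\\"}

def parse_mbam(text):
    """Return (summary counts, itemised detections per section)."""
    counts, items, section = {}, {}, None
    for line in map(str.strip, text.splitlines()):
        if m := SUMMARY.match(line):
            counts[m[1]] = int(m[2])
        elif m := HEADER.match(line):
            section = m[1]
        elif section and (m := ITEM.match(line)):
            items.setdefault(section, []).append((m[1], m[2], m[3]))
    return counts, items

def count_mismatches(counts, items):
    """Sections whose summary count differs from the entries actually listed."""
    listed = {s: len(items.get(s, [])) for s in counts}
    return {s: (n, listed[s]) for s, n in counts.items() if n != listed[s]}

def autostart_entries(items):
    """Detections in an autostart location: (kind, detection, value name)."""
    return [(kind, name, path.rsplit("\\", 1)[1])
            for entries in items.values() for path, name, _ in entries
            for kind, pat in AUTOSTART.items() if re.search(pat, path, re.I)]
```
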

#4 quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,116 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 07 August 2008 - 02:24 PM

Rescan again with MBAM (Quick Scan) in normal mode and check all items found for removal. Don't forget to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

Also let me know how your computer is running and if there are any more reports/signs of infection.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
