Xp Antivirus 2008 - Where Does It Come From?


13 replies to this topic

#1 DarkHelmet46

  • Members
  • 9 posts
  • Gender:Male
  • Location:New Bedford, MA

Posted 24 August 2008 - 11:18 PM

I am an IT professional. I cleanup XP Antivirus 2008 on a daily basis. However, I have never been able to figure out how it gets on the user's PC in the first place.

Now I am baffled even more. I was working on my own PC when suddenly a fake dialog box popped up asking me if I want to install XP Antivirus 2008. There was no cancel button or any other way to close the program. I pulled up Task Manager and saw a couple of .tmp files running, killed them, and it went away.

I asked my wife if she recently downloaded or installed anything, but of course she said no. I did plug my flash drive in just before the box popped up, but my gut tells me that was just a coincidence.

So, anyone have any idea where this thing comes from??? Or should I perhaps torture my wife until she talks? :thumbsup: Just kidding.

-Mike
"Fear is the mind-killer." - Excerpt from the Litany Against Fear (Dune)

"Yep, what you have there is a classic eye dee ten tee error." - Me

#2 DarkHelmet46 (Topic Starter)

Posted 25 August 2008 - 06:14 PM

Anyone...? Anyone...? Bueller...? Bueller...?

#3 samuel3

  • Members
  • 2,349 posts
  • Gender:Male

Posted 25 August 2008 - 06:20 PM

If you type 'Antivirus' in Google it will come up, then advertising 'Antivirus 2008'; she may have clicked on it.

Edited by samuel3, 25 August 2008 - 06:25 PM.


#4 Queen-Evie
    Official Bleepin' G.R.I.T.S. (and proud of it)

  • Staff Emeritus
  • 16,485 posts
  • Gender:Female
  • Location:My own little corner of the universe (somewhere in Alabama). It's OK, they know me here

Posted 25 August 2008 - 07:06 PM

http://www.free-web-browsers.com/your-comp...-infected.shtml

http://forum.netfusionkc.com/showthread.php?t=61

Specifically #2 and #3 under Safe Computing Practices, which contains a link to a tutorial written by Grinler, which is an oldie but goodie.

#5 DaChew
    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 25 August 2008 - 07:44 PM

I have had 2 major infections on my own machine in the last year; the first brought me here and got me to studying up on malware.

The first infection, according to advice from Quietman, was probably a drive-by infection; the second was from a USB drive that I just happened to plug in and access after transferring tools to disinfect another computer.

Chewy

No. Try not. Do... or do not. There is no try.

#6 DarkHelmet46 (Topic Starter)

Posted 26 August 2008 - 09:40 AM

Thanks guys, upon closer inspection she was trying to upload pictures somewhere and installed an ActiveX control.

Chewie... Your USB drive got infected by another PC? That's interesting. I didn't think that happened anymore in the days of broadband internet with everyone having an email address. Why infect one USB drive when you can email blast to a million users instead? I remember back in the day it was common for viruses to hide on floppy disks, but that's the last time I heard of a virus being transferred through removable media. Maybe it's making a comeback.

Anyone else here experience infected USB drives?

-Mike

#7 DaChew

Posted 26 August 2008 - 10:01 AM

http://www.bleepingcomputer.com/forums/ind...;hl=disinfector

http://www.bleepingcomputer.com/forums/ind...;hl=disinfector

http://www.bleepingcomputer.com/forums/ind...;hl=disinfector


http://www.bleepingcomputer.com/forums/ind...st&p=912655

we see quite a few each week

that's why I was so embarrassed

Edited by DaChew, 26 August 2008 - 10:01 AM.


#8 dl00025

  • Members
  • 1 post

Posted 26 August 2008 - 12:58 PM

Hi all,

I am new to this site and am glad to see others (not just me) are wondering the same thing about this malware. I have had it pop up on computers that are not running any antivirus software, others that run AVG Free Edition, and yet others that are protected with Trend Micro Client/Server Security for SMB. My customers always ask, "Why doesn't the antivirus software catch this?" I tell them that if they click on an executable file, even without knowing so, it doesn't matter. This software has to be loaded by the user executing something, obviously, either on the internet or by closing one of those rogue pop-ups with the fake close button in the top right corner. While I was writing this, actually, a user here came down and told me that she opened some email and now her computer has a virus. I went up and sure enough it's the XP Antivirus program!! So obviously it can come from all angles. It's a pain.

The best luck I've had in removing this is by manually searching for the program files on the C drive; typically the folder for this software is called rhc18ojxxx or some variation of this. If you delete that in Safe Mode with Networking and then go into the registry and search for and delete all keys with the above filename in the string, that helps. Also, if you search for and delete any registry string containing "antvir", that helps as well.

After your manual removal I've had good luck with Prevx CSI. It is a free download and will scan your computer. If it finds anything, you have to purchase a license, which is pretty reasonable, in order for the software to clean up the malware it finds.
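The manual triage that DarkHelmet46 (#1, killing the running .tmp files) and dl00025 (#8, hunting the rhc… folder and "antvir" registry strings) describe, written up as one PowerShell script. This is an added example, not code from the thread, from BleepingComputer, or from any of the tools mentioned. The indicators it looks for (an executable with a .tmp extension or running from a temp directory, a folder named rhc followed by random characters, registry keys or values containing "antvir" or such a folder name, and the Run autostart keys) are assumptions taken from the posts, not a verified indicator list, and PowerShell is assumed to be installed on the XP machine (it was a separate download for XP). The script only reports; nothing is deleted.

```powershell
# Added triage script (not from the thread). Everything it looks for is an
# assumption drawn from posts #1 and #8, not a verified indicator list:
#   - running executables with a .tmp extension or living under a temp directory
#   - folders whose name starts with "rhc" followed by random characters (e.g. rhc18ojxxx)
#   - registry keys/values containing "antvir" or an "rhc..." folder name
#   - the HKLM/HKCU Run autostart keys, listed in full for review
# It only REPORTS. Review the output before deleting anything. Run elevated.

$folderPattern = '^rhc[a-z0-9]{5,}$'          # assumed shape of the rogue's folder name
$regPattern    = 'antvir|rhc[a-z0-9]{5,}'     # assumed strings to hunt in the registry
$tempDirs      = @($env:TEMP, "$env:windir\Temp") | ForEach-Object { $_.TrimEnd('\') }

Write-Output '== Processes running from temp paths or .tmp images =='
Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $null
    try { $path = $_.Path } catch { }        # access to some system processes is denied
    if ($path) {
        $inTemp = $false
        foreach ($t in $tempDirs) {
            if ($path.StartsWith($t, 'OrdinalIgnoreCase')) { $inTemp = $true }
        }
        if ($inTemp -or $path -match '\.tmp$') {
            '{0,-6} {1}' -f $_.Id, $path
        }
    }
}

Write-Output '== Folders matching rhc* under Program Files and the system drive root =='
$roots = @($env:ProgramFiles, ($env:SystemDrive + '\'))
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match $folderPattern } |
        ForEach-Object { $_.FullName }
}

Write-Output '== Autostart entries (Run keys), listed in full for review =='
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $runKeys) {
    $item = Get-Item -Path $k -ErrorAction SilentlyContinue
    if ($item) {
        foreach ($name in $item.GetValueNames()) {
            '{0} :: {1} = {2}' -f $k, $name, $item.GetValue($name)
        }
    }
}

Write-Output '== Registry keys/values matching antvir or rhc* (slow: full recurse) =='
$hives = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE')
foreach ($hive in $hives) {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.PSChildName -match $regPattern) { $key.Name }
        foreach ($name in $key.GetValueNames()) {
            $val = [string]$key.GetValue($name)
            if ($name -match $regPattern -or $val -match $regPattern) {
                '{0} :: {1} = {2}' -f $key.Name, $name, $val
            }
        }
    }
}
```

The registry pass is deliberately read-only: the posters delete keys by hand after inspecting them, and a blind delete on a regex as short as "antvir" would also hit legitimate antivirus products whose names contain the same letters. Run it once from Safe Mode with Networking (as dl00025 suggests) and again after cleanup to confirm the hits are gone.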

#9 DarkHelmet46 (Topic Starter)

Posted 26 August 2008 - 07:43 PM

Thanks Chewy, good to know. I'll have to be more careful with my USB drive from now on, just in case.

DL, you and I have very similar experiences with end users! My current routine is to run ComboFix, and then Ad-Aware/AVG Anti-Spyware/Spybot simultaneously. Usually works in the first pass. I am currently cleaning a PC that took several passes of all four of the above, and I had to manually delete a few .exe's and .dll's. It is pretty ridiculous that antivirus software you pay good money for won't clean any of this crap, yet free utilities will. I am seriously considering removing antivirus software from my PC altogether. Man, though, I LOVE ComboFix! Before that, I had to install the Recovery Console and do some command-line wizardry to get rid of VirtuMonde, but not anymore!

Anyway, all, thanks for the input.

-Helmet

#10 DaChew

Posted 26 August 2008 - 09:50 PM

You are living dangerously, using combofix without any training or even a minimum of anti-malware experience. Your choice of weapons leaves much to be desired.

And everything seems to be in the wrong order.

I start with MBAM from normal mode or SAS and ATF cleaner from safe mode, after that I would consider SDFix if necessary or even DrWebCureit. Every infection may require something different.

Of course, having a set of XP repair disks with SP3 slipstreamed makes the Recovery Console seem a little obsolete.

Edited by DaChew, 26 August 2008 - 10:44 PM.


#11 DarkHelmet46 (Topic Starter)

Posted 27 August 2008 - 10:52 AM

I have a ton of anti-malware experience, but you sound obviously more superior than I am.

So far I haven't run into any problems using my method, and I have done hundreds of cleanups, but of course I admit that doesn't mean there isn't a better way to do things.

I have never heard of the tools you mention, but I will definitely check them out. I am always looking for ways to make my job easier.

Now, when you say "a set of XP repair disks", I'm not sure what you mean. Do you mean booting off the CD and running the installer in "Repair Mode"? We've been staying away from SP3 for now because it caused a few BSODs on some of our customers' machines.

I downloaded the tools you mentioned with the exception of SAS Cleaner because I can't find it. When I Google for it, I get a bunch of cleaning products, and it's not listed here.

-Helmet

#12 quietman7
    Bleepin' Janitor

  • Global Moderator
  • 51,272 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 27 August 2008 - 11:14 AM

I cleanup XP Antivirus 2008 on a daily basis. However, I have never been able to figure out how it gets on the user's PC in the first place.

See Anatomy Of A Malware Scam (xp Antivirus)

I downloaded the tools you mentioned with the exception of SAS Cleaner

ATF Cleaner
SUPERAntiSpyware Free
Malwarebytes Anti-Malware (instructions provided in that link)
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#13 DaChew

Posted 27 August 2008 - 11:49 AM

Do you mean booting off the CD and running the installer in "Repair Mode"? We've been staying away from SP3 for now because it caused a few BSOD's on some of our customer's machines.


http://www.michaelstevenstech.com/XPrepairinstall.htm

malware can corrupt system files and I prefer to rewrite with the newest versions available

http://www.winsupersite.com/showcase/xpsp3_slipstream.asp

#14 DarkHelmet46 (Topic Starter)

Posted 27 August 2008 - 12:19 PM

Thank you for the links, Quietman.

Chewy, yep that's what I thought you meant. XP Repair Install has already saved my butt twice today! I haven't gotten around to slipstreaming SP3, but I have a slipstreamed SP2 disk.

Thanks again everyone.

-Helmet
