XP Antispyware suddenly appeared on my computer and is blocking access to all programs unless I buy it for $60.00 a year. Any way to get rid of it? It will not allow me to open anything!
-
-
yeah run real a/s, a/v, a/t software you're infected.
you may need to reboot into safe mode (usually f8 at boot) or even run antimalware from a linux bootable cd.
--
"a lot of people are better dead" - prisoner KSC2-303 -
Download rkill. reboot safemode. run rkill. run malwarebytes. run superantispyware. Purchase malwarebytes pro and not suffer from any of this crap in the future.
Donadagohvi (Cherokee for "Until we meet again") -
I rebooted into safe mode in Windows XP using F5 and I'm still not able to open anything. I use SuperantispywarePRO and I can't open it because I can't open anything. This program still works when in safe mode. I was able to open Control Panel and then the Add/Delete dialog but this program doesn't appear in the list of installed programs. It only let me open Add/Delete once; now that's blocked.
Last edited by wulf109; 26th Jun 2011 at 16:12.
-
Is there any way you can download rkill? It comes in different versions (different extensions) to kill running malware processes. Then you should be able to run your sas. I use sas pro and mbam pro both myself. For me mbam seems to block more crap. If that don't work try a bootable cd
Donadagohvi (Cherokee for "Until we meet again") -
Dr Web 'Cure It' Bootdisk should do the job.
(at least enough that you can follow up with MalwareBytes/Hitman Pro/SuperAntiSpyware scan to remove the remnants)
http://www.freedrweb.com/livecd/?lng=en -
I got rid of this off a friend's laptop last week with unhackme/regrun warrior. Malwarebytes and superantispyware found nothing, as did avira.
-
try bringing up the taskmanager. right click on time in the lower right and kill any odd named .exe programs. then maybe you'll have enough control over the computer to run anti-malware. again maybe in safemode.
--
"a lot of people are better dead" - prisoner KSC2-303 -
F-secure boot disk.
Then you can control XP enough to run other stuff.
Give this a read, too: LS advice on anti-malware/virus/etc
Want my help? Ask here! (not via PM!)
FAQs: Best Blank Discs • Best TBCs • Best VCRs for capture • Restore VHS -
Not sure. I was on the CCcovers website when it happened and that site produces lots of alerts from my virus software. I was running SuperantispywarePRO and Microsoft Essentials Antivirus software. When this program infected me the Microsoft software stopped working. It turned off the firewall and activated updates. The warning boxes it puts up look like Microsoft. I suspect there's a connection to Microsoft.
-
-
I got this trojan last month because I was streaming and turned my firewall off (stupid, I know), it blew right through Avast antivirus without being detected. I used Malwarebytes to get rid of it but it still messed up services.msc and the registry, I ended up doing a clean install of my OS.
http://forum.avast.com/index.php?topic=56576.0 -
I've given up and installed a new HD. I'll take the infected one out and format it. Thanks for all the replies.
-
-
It is done through some form of injection, and can pop up on pretty much any site if you are coming from a search engine. Most start with a warning and a page in your browser that looks a lot like your PC (hard-drive names etc). If you kill the browser at this point, you are usually safe, although you should run a scan to be sure. If, however, you allow it to install (and so far I have seen one variant that *might* be able to self install - the rest all need you to say OK/Yes etc) then you can be in all sorts of trouble. There are quite a few variants of this code floating around, and some are easier to remove than others.
Read my blog here.
-
-
wulf109
Just a quick note: I had something similar. Did all the usual things to get rid of it/them. Put a new hd in. Bingo, it CAME BACK.
Turns out it was hiding in the memory. So I took the bios battery out, and took out the memory. Then put them all back as before.
It seems to have done the trick.
You never know, it might help? -
Hiding in the MEMORY? You're kidding me right?
The whole point of RAM is that it gets wiped clean every time you reboot. That's how computers work.
If yours came back after putting in a new OS Harddrive, that tells me you are still doing the same risky behavior that leads to virii/malware.
This post shows what I would do: https://forum.videohelp.com/threads/333280-Question-about-scanning-OS-partition-using-a...=1#post2066691
Has worked for me well at the agency I administer (~150 PCs).
Scott
Last edited by Cornucopia; 28th Jun 2011 at 11:52. Reason: typo
-
look for any of the following and delete:
Files:
C:\Documents and Settings\All Users\[SET OF RANDOM CHARACTERS]
C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS]
C:\Documents and Settings\[UserName]\Local Settings\Application Data\[3 RANDOM CHARACTERS].exe
C:\Documents and Settings\[UserName]\Templates\[SET OF RANDOM CHARACTERS]
C:\Documents And Settings\[UserName]\Local Settings\Temp\[SET OF RANDOM CHARACTERS]
Registry values:
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"C:\Documents and Settings\[UserName]\Local Settings\Application Data\[3 RANDOM CHARACTERS].exe" -a "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"C:\Documents and Settings\[UserName]\Local Settings\Application Data\[3 RANDOM CHARACTERS].exe" -a "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"C:\Documents and Settings\[UserName]\Local Settings\Application Data\[3 RANDOM CHARACTERS].exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"C:\Documents and Settings\[UserName]\Local Settings\Application Data\[3 RANDOM CHARACTERS].exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'
to delete registry values, start-> run->"regedit", look for the above keys and delete.
reboot, download microsoft security essentials, run a complete scan, take some penicillin and use protection next time before engaging in any risky behavior. -
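An added example, not part of the post above or of any tool named in this thread: a Python check that reads a registry export in regedit's .reg text format and flags the two patterns listed in that post, a shell `command` handler pointing into a per-user data directory and the Security Center override values set to 1. The sample export, `abc.exe`, the user name and the user-writable path heuristic are constructed assumptions; only string and dword values are parsed.

```python
import re

# Constructed sample in regedit's export (.reg) format; "abc.exe" and the user
# name stand in for the random names described in the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\abc.exe\" -a \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
ESCAPE_RE = re.compile(r'\\(.)')  # .reg strings escape \ and " with a backslash
# Heuristic (assumption): a shell command handler should not sit in per-user data or temp dirs.
USER_WRITABLE = ("\\application data\\", "%localappdata%", "%appdata%", "\\temp\\")

def parse_reg(text):
    """Yield (key, value_name, data) for string and dword values; other types are skipped."""
    key = None
    for line in map(str.strip, text.splitlines()):
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif m and key:
            name = "(Default)" if m.group(1) == "@" else ESCAPE_RE.sub(r'\1', m.group(1)[1:-1])
            raw = m.group(2)
            if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                yield key, name, ESCAPE_RE.sub(r'\1', raw[1:-1])
            elif raw.startswith("dword:"):
                yield key, name, int(raw[6:], 16)

def find_hijacks(text):
    """Return the (key, value_name, data) entries that match the patterns in the post."""
    hits = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith("\\command") and name == "(Default)" and isinstance(data, str):
            # First token of the command line is the program that actually runs.
            m = re.match(r'\s*(?:"([^"]+)"|(\S+))', data)
            target = (m.group(1) or m.group(2)).lower() if m else ""
            if any(p in target for p in USER_WRITABLE):
                hits.append((key, name, data))
        elif k.endswith("\\security center") and name in ("AntiVirusOverride", "FirewallOverride") and data == 1:
            hits.append((key, name, data))
    return hits
```

A "Version 5.00" export saved by regedit is UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing its text to `find_hijacks`.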
Did an Internet search on XP Anti spyware and it seems to be a fairly common problem. The program has been around for 3 years using different names. Many people claimed to have a fix for it. I tried a couple but none worked. The most common seems to be to start in safe mode with networking but none of these worked. It integrates itself into numerous dll's and the windows security center. From reading I would say I got it from the CCcovers website without a doubt. I'm not going to use that website again which is bad because it has so many DVD/BR covers. Most of the "cure" links turn out to be just ads for somebody's payware. I remember many years ago when searching provided answers instead of commercial pay sites.
-
You can still use a risky site, just make sure you use it in a "secure sandbox" (and THOROUGHLY scan any files gotten from there). AKA, browse from a virtual machine whose boot image is read-only. Upon next boot, any changes are gone.
Like I said in that previous thread, many times one cleaner won't catch all the problem, you have to use multiple cleaners. And I have found that this order works well:
1. Boot using live CD/DVD, either CLI or Linux or Windows (or multiples) depending upon your preference and choice of feature options - this way you can work with a clean (known good) boot OS & registry
2. Boot in Safe Mode (with Networking if possible) - this way you can work using the affected OS itself, but without much of the extra baggage, and be able to DL updates if needed.
3. Boot normally and check to see that everything is OK again.
Scott -
Last edited by roma_turok; 28th Jun 2011 at 13:38.
-
Ditto on that. Never had any problems using that site, but I've been careful not to click on any 3rd party ads on that or just about on any site on the whole world wide web lest I catch something nasty.
-
Pull! Bang! Darn!
-
No, I never click 3rd party links, the website is dangerous enough. No, I did not have a disk image, I had to install all my programs. Fortunately I keep all my data on a separate D drive, so it was only programs I lost. I will now keep a backup HD as insurance against this happening again.
-
I've gotten this virus about 7 or 8 times in the last three months and every time that I've gotten it, I was searching images with Google. The first time, I was able to get rid of it using the instructions that deadrats listed above and going into safe mode and running Malwarebytes. I didn't get it again until about a month later. I thought that either Google had done something to keep them from hijacking us or that Avast came up with a cure. I was wrong. Avast (and I assume any other antivirus program) is useless at stopping this attack.
Since being able to fix it the first time, I have tried running in safe mode to try and fix it, tried using live CDs and bootdisks to fix it but nothing has worked. I was able to get rid of the virus but it had corrupted the boot sector and left me with a nonbootable machine. I keep back-up images of my boot drive and that is the only way that I have been able to fix it.
Since it is a known company that is spreading this virus it seems to me that some government could do something to stop them from spreading this virus and throw their asses in prison.