My Crappy Mind

November 10, 2008

HowTo: Get Rid of That Bogus XP Antivirus 2008

Filed under: HowTo,Virus — MindCrap @ 11:56 pm

Nowadays, a very annoying piece of crapware tries to disguise itself as an antivirus or antispyware program. It often goes by the name XP Antivirus 2008 or XP Antispyware 2008.

As far as I know, this thing doesn’t spread through USB or network shares. Usually it’s the wrong click at the wrong website with the wrong browser (use Firefox :) )

If you are infected by it, some variants will annoyingly pop up a virus warning that some terrifying gang of monstrous programs has infected your computer. The popup will show up at almost any click, especially if you open IE or Explorer.

The warning demands that you either install the software to scan your computer, or scan your computer with the magically installed antivirus that you have no recollection of installing.

If it wants you to install the bogus program, it means that it does not have you yet. It has already installed some kind of mini program though. In my case (in most of my cases), the culprit is a bogus dll file injected into explorer or another system file.

If it’s already installed, just remove the program using Add/Remove Programs (it tries to disguise itself as a legitimate application, so it is usually easy to remove). Or delete it the Neanderthal way, following the steps in my previous post. Then follow through to get rid of the rest.

This dll file can be very tricky to delete. My previous walkthrough couldn’t catch it with Autoruns and ProcessXP. Even if you know what the culprit is, deleting it can be tricky.

Most credible antivirus products have already recognized this program. I recommend you update your AV.

Nevertheless, if your AV did not recognize it, here is something worth trying.

(I cannot stress this enough: BACKUP your files prior to following my walkthrough)

Part One

Run ProcessXP and Autoruns (grab the programs from my previous post). Search for a suspicious process in ProcessXP (I doubt you will find it though). Go through the list of things in my previous post. Then run Autoruns, search for suspected entries, and go through the list of things I mentioned in my previous post.

If you do find a suspicious dll hooked into something, don’t just delete it. It might be a legitimate dll needed by your OS. You’ll screw up your system that way.

If you can’t find anything, skip to part two.

Instead, try unchecking the entry and pressing F5 (refresh). Find that entry again and see whether your change remains. If it has become checked again, you have certainly found a malicious entry (my criterion for a legitimate entry is that it lets you disable it).

After you’ve found the dll, the tricky part kicks in.

You cannot simply delete it because it is still hooked into a process that is still running. You also cannot simply kill the process because it’s most likely hooked into an important system process. Trying to kill winlogon.exe can get you kicked out of Windows.

Try renaming it instead.

Then refresh Autoruns again and search for the entry. If it shows “file not found”, you win. If not, try renaming it through Unlocker (see my previous post). If that fails, try using NTFS for DOS (download it here). Make sure the dll is neither a system file nor hidden. Run “attrib -s -h -r drive:\path\filename.ext” from Run or a command prompt (cmd) to clear the system, hidden and read-only attributes. Then try NTFS for DOS: go to the directory and kill it from there (use the “del filename” command).

If you don’t have a floppy drive, you’ll have to be creative: use a Linux live CD (my personal choice is Ubuntu or Puppy). It won’t mess with your Windows. Delete it from there.

If you succeed in deleting it, reboot and pray. Keep a copy of your OS and drivers near you; they might come in handy.

Most hooked dlls do not have the capacity to multiply themselves.

If all goes well and the warnings stop, congratulations.

Part Two

Try Rootkit Unhooker. This program can be useful for catching files hidden beyond Windows’ capability to see them. Of course, NTFS for DOS and Linux can see them as well, but you’ll have no trace of which dll is the culprit.

I usually go straight to Code Hooks Detector. A highlighted entry shows a hooked dll. In this case it was a legitimate dll from MS Office (I admit, I rely heavily on the MS spell checker :p).

[Screenshots: Rootkit Unhooker]

If you find a file that looks suspicious, right click and copy the file to a safe place (you’re going to delete it, so make sure you can roll back the operation in case anything goes wrong and the file is actually needed by your OS). Right click and wipe the file afterward.

Scan again and see if you got rid of it.

After that, run Autoruns and make sure it left no traces in the registry.

AGAIN, BACKUP YOUR REGISTRY PRIOR TO CHANGE

If all goes well, restart and pray. Keep your OS, drivers, NTFS for DOS and Linux near you in case of emergency.

If somehow you fail to restart, boot from NTFS for DOS or Linux and restore the dll you copied earlier. That should fix the thing.
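The "copy it to a safe place, then wipe it" step in Part Two and the "boot Linux and restore the copied dll" rollback above, as an added example that is not from the original post: a small POSIX sh helper for the Linux live CD case. It assumes the Windows volume is already mounted (e.g. with ntfs-3g) at the directory passed as the first argument, and that the quarantine directory lives outside that volume; the path names are illustrative.

```shell
#!/bin/sh
# Added example (not the original post's code): quarantine a suspected hooked
# DLL from a Linux live CD with a verified backup, and put it back if Windows
# then refuses to boot. WINROOT is the mounted Windows volume (assumption:
# mounted read-write with ntfs-3g), RELPATH uses forward slashes, e.g.
# "WINDOWS/system32/suspect.dll", QDIR is the quarantine directory.
set -eu

# POSIX cksum of a file, used to prove the copy we keep (and later put back)
# is byte-for-byte the file we removed.
file_sum() {
  cksum "$1" | awk '{print $1}'
}

# quarantine_dll WINROOT RELPATH QDIR
# Copies the file into QDIR keeping its relative path, records its checksum
# beside it, and only deletes the original once the backup is verified.
quarantine_dll() {
  winroot=$1; rel=$2; qdir=$3
  src="$winroot/$rel"
  [ -f "$src" ] || { echo "quarantine: no such file: $src" >&2; return 1; }
  mkdir -p "$qdir/$(dirname "$rel")"
  cp -p "$src" "$qdir/$rel"
  file_sum "$qdir/$rel" > "$qdir/$rel.cksum"
  # Never delete unless the backup matches the original exactly.
  [ "$(file_sum "$src")" = "$(cat "$qdir/$rel.cksum")" ] || return 1
  rm -f "$src"
  [ ! -e "$src" ]
}

# restore_dll WINROOT RELPATH QDIR
# Rollback: verifies the quarantined copy against its recorded checksum and
# copies it back to its original location on the Windows volume.
restore_dll() {
  winroot=$1; rel=$2; qdir=$3
  bak="$qdir/$rel"
  [ -f "$bak" ] || { echo "restore: no backup for $rel" >&2; return 1; }
  [ "$(file_sum "$bak")" = "$(cat "$bak.cksum")" ] || { echo "restore: backup corrupted" >&2; return 1; }
  mkdir -p "$winroot/$(dirname "$rel")"
  cp -p "$bak" "$winroot/$rel"
  [ -f "$winroot/$rel" ]
}
```

Keep the quarantine directory on the live CD's own writable media or a second partition, never inside the Windows volume you are cleaning, so the backup survives whatever you do to that volume next.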

Part Three

This is the ugliest part :p

Worst case scenario, you’ll need to reinstall or clean install your Windows. Don’t worry about repairing / reinstalling your Windows. Although it warns you that your documents and accounts will be deleted, they actually aren’t. Some programs even work although they are not registered in the Start menu or the installed programs list. Just make sure you don’t format your HD though.

All viruses are guaranteed not to run at your first execution of a clean-install environment, as long as you’re careful with the autorun.inf trap in your root drive. But I guess this makes my writing useless since you’ll most probably know this already…

Sorry to waste your time… hahaha


If you’re still getting that fake virus alert wallpaper, you can just change your wallpaper.



2 Comments »


  2. Prevention or Invasion of Antivirus

    When you use your computer online you can easily become a victim of vicious attacks from different sources. These attacks are not limited to brand name, operating system or memory of your computer. As an online user you need to prevent invasion of Trojans, malware, adware, identity theft and many other online viruses. When your computer is not protected it is similar to a house without locks on the doors. An unwelcome person can enter your home and do severe damage to your property and person.

    Invasion of Antivirus

    Antivirus attacks can go unnoticed for months. They perform silently and some show no signs of infection. These are the ones that simply monitor what sites you visit for data collection purposes. Then there are others that send pop-ups to your computer, especially after visiting adult sites. Some of the

    Prevention of Antivirus

    Antivirus software is must-have protection. Keep it installed, enabled, and up-to-date at all times. But though antivirus software is critical, alone it’s not enough to keep your computer protected. Follow sound security practices, install a firewall, and use other protection in combination with your own common sense.
    When selecting antivirus software, it’s important to keep in mind that every system and every user is unique. What works best for your neighbor may not be the best solution for you. First, only consider antivirus that has achieved certification from each of the three core testing agencies: Virus Bulletin, Checkmark, and ICSA Labs. Then determine the features that will meet your particular needs. For example, gamers may want to use an antivirus solution with special features to minimize gaming conflicts.
    Antispyware software can be accessed easily online. Top antivirus providers include Norton, McAfee, Kaspersky, Noadware, Spybot and so much more. Some versions are offered as freeware, some as shareware and some others for purchase only. Others offer trial versions for a limited time. A little market research may be required to pick the right one depending on one’s needs.

    Comment by Prevention or Invasion of Antivirus — November 20, 2008 @ 12:20 am | Reply
