Antivirus XP 2008/Smart Antivirus 2009


nonchalant
09-12-2008, 10:54 AM
Ok, I know there's been a few posts on this site about this spyware/virus, but I've just had another call from a customer who had this on his PC a month ago and he has it again. Now I put TrustPort Antivirus on his PC last time I formatted, and I know it detects this malware, but what I am wondering is how it got in there in the first place? This particular customer claims he only visits reputable websites and is careful about what he opens in his email, so I'm curious.

Someone posted here saying it comes in as an email attachment but has anyone heard of any other methods it uses to infect a system?

Jm Boyd
09-12-2008, 03:27 PM
The majority of the time it finds its way onto a machine by means of a "drive by" install from a website or by downloading it via a P2P network, thinking it to be that song they are looking for...

Joe The PC Doc
09-12-2008, 04:01 PM
I have been wondering the same thing too. This virus has really increased my business lately, and I have customers of all types calling me about this.

Not exactly sure where it's coming from, however I did notice something I thought peculiar.

I was at a customer's place working on removing this virus, and I was downloading Malwarebytes' Anti-Malware, I believe.

Anyways, after clicking the download link, I was redirected to download.com, brought to you by C-net right? Should be a trustworthy site.

I click the download link, and it pops open to the "wait five seconds for download to begin page" where most websites have a sponsored link for you to click while you wait... Sure enough, the sponsored link "Vista Antivirus 2008". I obviously didn't click it, but I was pretty surprised.

It seems to me that this smitfraud maker really has sunk some deep hooks in the internet if they are paying download sites to sponsor their trojan.

NYJimbo
09-12-2008, 05:26 PM
I click the download link, and it pops open to the "wait five seconds for download to begin page" where most websites have a sponsored link for you to click while you wait... Sure enough, the sponsored link "Vista Antivirus 2008". I obviously didn't click it, but I was pretty surprised.

It seems to me that this smitfraud maker really has sunk some deep hooks in the internet if they are paying download sites to sponsor their trojan.

We had a similar problem with a customer's machine recently, however it turned out that his hosts file was changed to have certain popular file sites route to fake hacker sites. Very clever.

TimeCode
09-12-2008, 06:33 PM
We had a similar problem with a customer's machine recently, however it turned out that his hosts file was changed to have certain popular file sites route to fake hacker sites. Very clever.
I think we'll all be a bit more careful when removing that one now. We'll have to check the entire HOSTS file. That could take some time if they have Spybot installed and actually do the protective process. (I can't remember what it's called...) It can become quite large.

compudoc
09-12-2008, 06:52 PM
This virus is a cash cow for us... we get so many of these lately. Every one I've done (I even removed one yesterday) was from an email link. Now I'm not sure on all of them, but so far most users are saying it popped up after checking email. :)

Blues
09-12-2008, 06:55 PM
I don't check the host file in the sense that I don't look beyond to see if it is as a normal default one would be. To me a normal host file has 1 entry for the local host so anything else can just be wiped as far as I am concerned.

iptech
09-12-2008, 08:36 PM
We had a similar problem with a customer's machine recently, however it turned out that his hosts file was changed to have certain popular file sites route to fake hacker sites. Very clever.
This is quite common with malware infections: they will either try to redirect your internet traffic to their 'sponsor' sites, or they will try to redirect you away from anti-malware/anti-virus sites so you can't download updated definitions or run online scans.

Be careful about deleting all entries from the hosts file though, many anti-spyware programs such as Spybot S&D will add entries to the hosts file to prevent your browser being redirected to known malware sites and redirect any such request back to the localhost (127.0.0.1). Some ad-blockers also use the same principle.
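The two posts above pull in opposite directions: wiping every non-localhost line loses the protective entries Spybot S&D adds, while leaving the file alone keeps the malware's redirects. The script below is an added example (not from this thread or from any of the products mentioned) that audits a hosts file the way a bench tech would want: plain loopback/null entries are treated as blocklist-style and left alone, a loopback entry for a security-vendor domain is flagged (that is the "can't reach the AV site" trick), and any entry pointing a name at a real address is flagged as a redirect. The vendor watch list and the sample hosts content are constructed for the example; 192.0.2.44 is a documentation address.

```python
"""Audit a Windows hosts file for malware-style redirects (added example)."""
import ipaddress

# Assumed watch list: domains a machine must still reach to get definitions
# or run online scans. Constructed for the example; extend for your own use.
SECURITY_DOMAINS = {"malwarebytes.org", "download.com", "windowsupdate.com"}

# Names that belong in a default hosts file, and addresses that "sinkhole"
# a name (what Spybot-style immunize entries and ad-blockers use).
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def _parent_domains(host):
    """Yield host and each parent domain: a.b.c -> a.b.c, b.c, c."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts)):
        yield ".".join(parts[i:])


def classify_entry(addr, host):
    """Return 'default', 'blocklist', 'blocks-security-site' or 'redirect'."""
    if host.lower() in LOOPBACK_NAMES:
        return "default"
    if addr in SINKHOLE_ADDRS:
        # Sinkholing an AV/update domain is the malware trick; sinkholing
        # anything else is what the anti-spyware tools do on purpose.
        if any(d in SECURITY_DOMAINS for d in _parent_domains(host)):
            return "blocks-security-site"
        return "blocklist"
    # A name mapped to a real address: the "popular site -> fake site" case.
    return "redirect"


def audit_hosts(text):
    """Parse hosts-file text; return a list of (line_no, addr, host, verdict)."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        addr, hosts = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append((n, addr, " ".join(hosts), "malformed"))
            continue
        for h in hosts:
            findings.append((n, addr, h, classify_entry(addr, h)))
    return findings


SUSPECT = ("redirect", "blocks-security-site", "malformed")


def suspicious(findings):
    """Only the entries a tech should actually look at."""
    return [f for f in findings if f[3] in SUSPECT]


# Constructed sample: one benign immunize entry, one ad sinkhole, one AV site
# sinkholed by malware, one popular site redirected to a "sponsor" address.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for the example)
127.0.0.1       localhost
127.0.0.1       www.some-known-malware-site.example   # Spybot-style entry
0.0.0.0         ads.example
127.0.0.1       www.malwarebytes.org                  # AV site sinkholed: bad
192.0.2.44      download.com www.download.com         # site redirected: bad
"""

if __name__ == "__main__":
    for line_no, addr, host, verdict in audit_hosts(SAMPLE_HOSTS):
        flag = "!!" if verdict in SUSPECT else "  "
        print(f"{flag} line {line_no:3d}  {addr:15s} {host:40s} {verdict}")
```

On a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` into `audit_hosts` and delete only the lines `suspicious` reports; the `blocklist` lines are the ones Spybot and the ad-blockers put there.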

Crgky127
09-12-2008, 10:02 PM
Maybe one of the reputable sites was a CNN fake with a video that needed a 'codec'. Gmail blocks this spam by the way.

nonchalant
09-13-2008, 12:34 AM
I was redirected to download.com, brought to you by C-net right? Should be a trustworthy site.

I click the download link, and it pops open to the "wait five seconds for download to begin page" where most websites have a sponsored link for you to click while you wait... Sure enough, the sponsored link "Vista Antivirus 2008". I obviously didn't click it, but I was pretty surprised.

I downloaded a program from download.com some years ago (before I was in my own business). After the d/l finished the webpage closed. Bit odd I thought, but not to worry, and clicked the program to run it. Fortunately my AV popped up to block it. Out of curiosity I quarantined the virus and looked up its technical details. Turned out to be the 'Jack the Ripper' virus. Apparently the very first time you execute this virus it immediately deletes the first 200 MB of your hard drive. Nice. :D

And as for increasing business, yeah, this antivirus xp 2008 has kept me flat out this last month or so..

EDIT: Probably one thing worth mentioning also is I recall googling antiviruses a couple of weeks ago, and clicking one of the links (first main page of results, interestingly) Firefox blocked the site saying it contained malicious software. Indications were it was antivirus xp 2008, so this is one other way I know that this malware infiltrates insecure systems. It was interesting also that Google was actually allowing such a site in their search results.

And here are a few posts where it's also mentioned how this malware has infiltrated Google and Gmail: http://www.dslreports.com/forum/r20915298-antivirus-xp-2008-from-gmail and http://www.zimbio.com/Spyware/articles/1242/Antivirus+XP+2008+Sponsored+Ads+Appearing

Check out the screenshots on this one! http://swoofware.com/blog/2008/06/29/xp-antivirus-2008-and-antivirus-2009-round-2/ (amazing...)

Here's a nice BSOD screensaver it runs: http://www.youtube.com/watch?v=mqOZLLp-S3k

This could become a much bigger problem for your average home user before it gets any better..

The following quote was taken from http://ask-leo.com/c012643.html

"Don't feel alone in this scenario.
I run the IT side of things for a restaurant company and we also run Defender, Windows Firewall as well as the corporate version of Trend Micro on every workstation. We have seen this virus slip through all those layers as well as our Exchange AV solution and still infect machines that are locked down with no program install rights to the users on the machines at the time of infection. Looking at our exchange logs I see nothing to indicate that was the source of infection".

nonchalant
09-13-2008, 06:47 AM
**Update**

Well I've finally managed to beat this little rogue :)

Picking up a system today I only formatted a month ago I figured this was an ideal opportunity to see if removal is possible w/o having to nuke the system.

Basically I just turned on a few of the AV features that are by default turned off. I selected 'scan all files', set default on-access & on-demand actions to delete, enabled heuristics analysis & sandbox, & enabled all AV & antispyware engines to scan system memory. As you can see from the screenie, the AV killed it. It seemed to detect it on memory analysis, with the 'install antivirus 2008' window shutting down immediately the memory scan started. Instantly the process that reloads this malware executed in an attempt to reinfect, and the AV popped up with an instant delete of the exe. The wallpaper was gone on reboot. The system's all clean.

screenshot: http://img98.imageshack.us/my.php?image=av2008pwnedrx6.jpg

Bang, you're dead ;)

14049752
09-13-2008, 11:05 PM
Anyways, after clicking the download link, I was redirected to download.com, brought to you by C-net right? Should be a trustworthy site.

My co-worker saw it being advertised on Amazon when he was looking up prices of antivirus packages.
He sent out an e-mail to Amazon about the ad and got an e-mail saying that they're looking into it.

Bryce W
09-14-2008, 05:17 AM
I'm seeing this virus getting downloaded from pages that cause pop-ups on the client's screen "YOUR COMPUTER HAS VIRUSES, CLICK HERE TO RUN A SCAN", and it's incredibly hard to get rid of and continue browsing, so clients usually press Yes (as in, to install it) just to make it go away.

abe
09-14-2008, 08:40 AM
Hi all!

I just discovered for myself how easy it is to get infected with "antivirus xp/vista 2008". I was doing some work for a friend and googled "sprint dealer hopkinsville"; the 5th search item was "click here info about...". I clicked it and the browser closed, and a window saying "your computer is running slow xp vista antivirus will do a quick scan..." popped up. I clicked cancel and bingo, IE opens up again and xp/vista antivirus 2008 was "scanning" my computer.

I was redirected from the link (kpconnection.com) to "0scanner.com"
Is there anything one can do to keep safe from this?

BTW avg link scanner shows it’s clean and K9 web protection (content filter) blocks it as arts/and entertainment.

I've put some screenshots in my album.

markiezzi
09-14-2008, 11:33 AM
Hello all,

So we can pretty much guess where it comes from, but what is everyone using to get rid of it totally? I had it on my test machine and ended up having to reformat and reinstall XP. Any help would be great.

Thanks
Mark

nonchalant
09-14-2008, 02:57 PM
Hi all!

I just discovered for myself how easy it is to get infected with "antivirus xp/vista 2008". I was doing some work for a friend and googled "sprint dealer hopkinsville"; the 5th search item was "click here info about...". I clicked it and the browser closed, and a window saying "your computer is running slow xp vista antivirus will do a quick scan..." popped up. I clicked cancel and bingo, IE opens up again and xp/vista antivirus 2008 was "scanning" my computer.


Firefox blocked it for me today just browsing website directories to add my URL. These were supposedly legitimate web directories..

It seems they use a lot of different methods to inject this malware into PCs.....

Wheelie
09-19-2008, 02:16 PM
Got a call yesterday to fix an infected machine at an important client's business. It was infected with AntivirusXP2008. Every time I see this infection it is a variant (never the same). Sometimes it's a breeze to remove sometimes it has required a nuke & pave because it has done so much OS damage. Well guess what? This time it used a rootkit to infect! First time I've seen that with AntivirusXP200X so watch out.

Oh well. Another nuke & pave!

hawks5999
09-19-2008, 04:11 PM
I've seen this one quite a bit since July and I can confirm what Wheelie is saying about the rootkit. The cure every time has been malwarebytes.org antimalware. Run the free version, clean up and then put some good anti-spyware and antivirus in place. For home users I put spybot s&d, immunize, add hosts entries, use resident IE, and look through startup (just for good measure). and then put in avg and automate it all to update and full scan every night.

Andyuk2007
09-20-2008, 01:56 PM
Yesterday I had 2 cases of this and I've got another 3 to do tomorrow. I just do a removal with Malwarebytes Anti-Malware, but now I even double check with the manual method of checking the registry entries and the other steps.

Wheelie
09-20-2008, 10:36 PM
I've seen this one quite a bit since July and I can confirm what Wheelie is saying about the rootkit. The cure every time has been malwarebytes.org antimalware. Run the free version, clean up and then put some good anti-spyware and antivirus in place. For home users I put spybot s&d, immunize, add hosts entries, use resident IE, and look through startup (just for good measure). and then put in avg and automate it all to update and full scan every night.
I had a brain dump and forgot to check the PC with Malwarebytes :rolleyes: but I am not sure it would've caught it? Does it catch these types of rootkits? I'm kicking myself for not scanning it with that program!

Anyway. Here's what happened:
While on the infected PC I deleted all the temp folders under each of the 3 user profiles, emptied C:\Windows\temp, and checked C:\Windows\system32 folder for bad stuff in recent days and all was clear. I picked out what looked like a few random "bad" files in the system32 folder from recent days.

However, if I open the browser, type in any search at Google, Google's results come back, click any one of them and a new window pops open and it takes you to another random search engine with new different results. So I know I'm still infected.

So while still at the infected PC I scan itself with updated versions of AVG, Spybot & Ad-Aware and they find ----> nothing. But browser is still hijacked. :confused:

Put hard disk onto my clean bench PC as a slave drive, boot to my Windows XP, and lo and behold! There are files present that I could not see before in: C:\Windows\system32, c:\windows\temp, and C:\Docs & Settings\user name\Local Settings\temp. All the file names begin with "tdss" and AVG begins firing off warnings each time I touch one of those files with my mouse. I run a Google on the first file I run across "tdssserv.sys" (http://www.google.com/search?q=tdssserv.sys&sourceid=navclient-ff&ie=UTF-8&rlz=1B3GGGL_enUS278US278) and bingo! Rootkit.

Just for fun - I put the drive back into customer's PC and fire it up and you can't see any of the files I had just seen and the browser is still hijacked.

So I put the drive back into my bench PC and I cleaned the following files (see below) off the hard disk and put it back into the machine and the browser was no longer hijacked. I think I fixed it but it gets a nuke & pave anyway (you should've seen all the remote connections when I ran netstat /a ... wow). It's apparently using goglesyndication to forward URLs to a server at "updatemic1.cn" which appears to be located in the USA.

Here's a list of the files I cleaned off to clear the root kit: tdssserv.sys, tdssserf.dll, tdsslog.dll, tdssadw.dll, tdssmain.dll, tdssl.dll, tdssinit.dll, tdssservers.dat, tdss6334.tmp, tdssb3df.tmp, tdssb3ef.tmp, tdss602.tmp.

tdssserv.sys (this file is the rootkit)

Anyway - my policy on rootkits is a 3-step process to repair: 1) a data backup, 2) full hard drive format, and 3) windows reload. So you know the rest of the story.

Screen shots of registry before removing them:

seedubya
09-20-2008, 10:56 PM
I had this exact one last week. It was a real bitch to beat. Eventually Combofix picked up and neutralised the rootkit.

Wheelie
09-21-2008, 01:23 AM
This is beginning to make me think about virus removal a bit differently. I cleaned WinAntiVirusXP2008 off the PC and it was visibly gone. I may or may not have noticed the hijacked browser (thus the hiding rootkit).

But here's what gets me: what if it did not manifest itself as a browser hijacker? What if, instead, it was a keystroke logger and I saw no evidence but it remained after my cleaning and it sat quiet in the background and kept recording and sending keystroke logs? Or maybe some other type of silent nefarious rootkit?

Damn. I'm thinking from now on maybe I'll just pull the customer's hard drive right when I get there and scan it with my laptop. Maybe that's the safest thing to do in this day of rootkit attacks.

TimeCode
09-22-2008, 10:45 PM
but I am not sure it would've caught it? Does it catch these types of rootkits? I'm kicking myself for not scanning it with that program!
I'm working on one right now that MalwareBytes missed the rootkit but Panda Anti Rootkit picked it up as an "unknown" rootkit so I submitted it to them... This is the second time I've been on this machine and I DON'T want to come back to it.

I've run MalwareBytes Anti-Spyware and Rogue Remover, Combofix, Super Antispyware, Panda Anti Rootkit, HJT, and I tried Smitfraud Fix but it was blocked from accessing "clean.reg"... I am now running Avira.

I hope this is done! :)

Wheelie
09-22-2008, 11:43 PM
I'm working on one right now that MalwareBytes missed the rootkit but Panda Anti Rootkit picked it up as an "unknown" rootkit so I submitted it to them... This is the second time I've been on this machine and I DON'T want to come back to it.

I've run MalwareBytes Anti-Spyware and Rogue Remover, Combofix, Super Antispyware, Panda Anti Rootkit, HJT, and I tried Smitfraud Fix but it was blocked from accessing "clean.reg"... I am now running Avira.

I hope this is done! :)
That's the problem. Cleaning an infected PC FROM the infected PC is hit and miss. Panda worked on that rootkit but will not work on other types of rootkits. And who has the time to scan an infected machine with 9 different AV apps? We're playing around, possibly missing the infection.

The real way to nail a rootkit is to pull the drive and scan the infected hard disk with an uninfected PC. I'm going to start doing this and see how long it takes to clean a machine compared to the way I've been doing it.

abe
09-23-2008, 02:00 PM
hi all
Just met a tech who told me he can get rid of xpantivirus2008 in under "10 seconds".
He is willing to sell me the info on how to do it for $115. Personally I don't think he knows what he's talking about, but would like to hear what you guys think: is it possible? And is it worth $115?

Wheelie
09-23-2008, 02:27 PM
There are MANY DIFFERENT VERSIONS of AVXP200X. Some are very easy to remove. It may be as easy as simply using "Add or Remove Programs" in the control panel. Or it may require a manual removal because it evades all known programs. Some versions of it are so invasive and messy it requires a Windows reload. He's selling snake oil IMHO.

iptech
09-23-2008, 07:53 PM
START -> Run & type "Format c:"

Hey presto - virus be gone!

abe
09-23-2008, 09:28 PM
thanks iptech
now how do I send you $115 ;)

Wheelie
09-24-2008, 04:14 AM
START -> Run & type "Format c:"

Hey presto - virus be gone!


TimeCode
09-24-2008, 11:32 AM
The real way to nail a rootkit is to pull the drive and scan the infected hard disk with an uninfected PC. I'm going to start doing this and see how long it takes to clean a machine compared to the way I've been doing it.
But can they do it if there is a buried registry entry? I certainly prefer faster and more complete methods but scanning a registry on an infected PC from a clean PC, how is that done? UBCD4Win is the only way I know... And very slow.

Wheelie
09-24-2008, 01:18 PM
But can they do it if there is a buried registry entry? I certainly prefer faster and more complete methods but scanning a registry on an infected PC from a clean PC, how is that done?
Excellent questions. And - yes - ultimately you do have to clean the registry as a part of the virus removal process. That is an important step. But that is not really where the virus itself is removed. Virus removal is a 2-step process: 1) remove the bad files, and 2) remove the callouts in the registry to run the bad files. That's what Spybot, Ad-Aware and Malwarebytes do: scan the PC for bad files and scan the registry for bad callouts. They are just not perfect programs and thus they miss things or are intentionally misled by the virus to miss things (i.e. rootkits).

The registry simply contains PC settings and configurations. It can tell the PC where to find files and when and how to run files but the registry itself does not contain files or CPU level coding per se. A virus must be executed from a file or files and the registry can only call out a file to be run. It cannot contain the virus itself.

So. If you take away all the bad files off the hard disk - when you reboot the (formerly) infected PC the registry can only lodge a complaint (i.e. an error message may pop up saying it can't run badfile.exe). After you put the hard drive back in the infected machine and scan with Spybot or Malwarebytes (or do it manually) you will finish the cleaning of the registry callouts.

Another way to look at this: if you leave all the bad virus files in place on the PC's hard disk - but you remove all the callouts to launch those viruses in the registry - the PC will not show signs of infection because the viruses cannot and will not launch even though the PC still has all the files that are the virus (technically it is still infected ... it's just not actively running).

Rootkits use the operating system against you. They can hide themselves and any files, folders, and running processes they choose. They are very good at that. That is why I am now recommending the infected hard drive be pulled and scanned on an uninfected PC. That way the rootkit cannot hide. All its files and folders will be viewable and thus removable.

Be aware that Microsoft's published method for dealing with a rootkit is to back up data, delete the partition (and thus the MBR), repartition, full format (not quick), and reload Windows. This is also the method many Federal government offices use to deal with them. In fact, I believe organizations like the FBI, etc. are doing periodic disk re-images of the hard drive from clean sources to ensure sensitive PCs are not infected with rootkits.
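Wheelie's two observations above (the tdss* files that only showed up once the drive was slaved to a clean bench PC, and the "files on disk plus callouts in the registry" model of an infection) fit together into one offline check. The script below is an added example, not Wheelie's procedure or any product's code. It takes a file listing captured on the running (possibly rootkitted) system and one taken from the same disk mounted on a clean machine, reports anything the live system could not see, then resolves each Run-key value from a .reg export against the offline listing so you can see which callouts point at a hidden file and which point at a file that is already gone (Wheelie's "can't run badfile.exe" error case). The listings, the .reg text, the Run-value names and the "tdss" prefix rule are all constructed for the example; only the tdss* file names and badfile.exe come from the thread.

```python
"""Cross-view file diff plus Run-key callout check for an offline disk (added example)."""
import re

# Assumption for the example: file-name prefix seen in the thread's case.
HIDDEN_PREFIXES = ("tdss",)


def _norm(path):
    """Case-insensitive, backslash-only form so listings from two tools compare."""
    return path.replace("/", "\\").lower()


def cross_view_diff(live_listing, offline_listing):
    """Paths present when the disk is read from a clean PC but absent from the
    listing the infected system produced: a rootkit hiding files shows up here."""
    live = {_norm(p) for p in live_listing}
    return sorted(_norm(p) for p in offline_listing if _norm(p) not in live)


def flag_by_prefix(paths):
    """Narrow a hidden-file list to names matching a known prefix."""
    return [p for p in paths if p.rsplit("\\", 1)[-1].startswith(HIDDEN_PREFIXES)]


_REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_values(reg_text):
    """Read "name"="data" string values from a .reg export of a Run key,
    undoing the \\ and \" escaping regedit writes."""
    values = {}
    for line in reg_text.splitlines():
        m = _REG_VALUE.match(line.strip())
        if m:
            values[m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return values


def _exe_from_command(cmd):
    """Pull the executable path out of a Run-key command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, maybe with switches
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"^(.*?\.(?:exe|dll|sys|scr|bat|cmd))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def check_callouts(run_values, offline_listing, hidden_paths):
    """Classify each callout: 'ok' (target on disk and visible), 'hidden-target'
    (target only visible offline), or 'missing-target' (file already removed)."""
    offline = {_norm(p) for p in offline_listing}
    hidden = set(hidden_paths)
    report = {}
    for name, cmd in run_values.items():
        exe = _norm(_exe_from_command(cmd))
        if exe in hidden:
            report[name] = "hidden-target"
        elif exe in offline:
            report[name] = "ok"
        else:
            report[name] = "missing-target"
    return report


# --- constructed sample data ---------------------------------------------
# What "dir" on the infected system showed.
LIVE_LISTING = [
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\WINDOWS\system32\drivers\atapi.sys",
]
# What the same disk showed slaved to the bench PC (badfile.exe already deleted).
OFFLINE_LISTING = LIVE_LISTING + [
    r"C:\WINDOWS\system32\tdssserv.sys",
    r"C:\WINDOWS\system32\tdssl.dll",
    r"C:\WINDOWS\temp\tdss6334.tmp",
    r"C:\Documents and Settings\user\Local Settings\temp\tdssb3df.tmp",
]
# Constructed .reg export; the value names are invented for the example.
RUN_KEY_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Antivirus"="\"C:\\WINDOWS\\system32\\badfile.exe\" /autorun"
"SysLoader"="C:\\WINDOWS\\system32\\tdssl.dll"
'''

if __name__ == "__main__":
    hidden = cross_view_diff(LIVE_LISTING, OFFLINE_LISTING)
    print("hidden from the live system:")
    for p in hidden:
        print("  ", p, "(prefix match)" if p in flag_by_prefix(hidden) else "")
    print("Run-key callouts:")
    for name, verdict in check_callouts(parse_run_values(RUN_KEY_REG),
                                        OFFLINE_LISTING, hidden).items():
        print(f"   {name:12s} {verdict}")
```

To use it for real, capture the live listing with `dir /s /a` on the suspect machine, the offline listing the same way against the slaved drive, and export the Run keys with regedit from a hive loaded off that drive; the comparison itself is the same.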

SaylorComputer
10-20-2008, 08:10 AM
AV2008/2009 is keeping me busy the last few weeks as well. Got two machines here in the office that have critical data on them, and I haven't been able to clean them with any of my usual ways. My normal way of handling it is a nuke/pave also, like everyone else has mentioned. It's the worst I have dealt with since the Kama Sutra outbreak in 2004/05. Has anyone had luck with a removal tool?

Wheelie
10-20-2008, 01:52 PM
As others here have posted - Malwarebytes does a good job on this infection. However, I have now seen 2 cases in the last 30 - 40 days of PCs infected with rootkits by AV XP 2008/09. I ran Malwarebytes on case #2 and it detected but could not remove it.