23rd August 2008, 03:49 AM   #1
StreamOfTheSky
Windows XP 2008 antivirus spyware

Has anyone else encountered this horrible pest? It's called Windows XP 2008 Antivirus, and it is some kind of spyware. It left my background plain blue with an error message that won't go away advising me to use my antivirus software to get rid of two files, win32/Adware.Virtumonde and win32/Privacy Remover.M64, it claims I have. It also seems to have blocked my access to windows update, stopped my ability to install spybot (which I saw on a youtube video comment -- more below -- could fix it), makes it so if you do a search engine search on it, it spits out useful-sounding links that bring you to nowhere, fouls up text size on other pages, and other annoyances.

Thanks to youtube, I was able to at least learn a bit on it, but all the suggestions I've seen there haven't been an option for me so far. For example, using System Restore to rid myself of it would be a great idea...if the spyware hadn't wiped out every single restore point prior to getting infected.

So, I'm getting desperate now. Anyone have solutions I could try? I never even clicked to accept the stupid thing when it prompted me to, yet I still got it. I was under the impression these sorts of things required you to at least click on a bad link or some such.
__________________
My Ninja class


Spoiler:
http://www.youtube.com/user/goldeneaglecleaners

My online gaming group, Torch of Spirit (Contains all information for the current game I'm co-DMing as well as lots of houserules I'm using or considering for the future. Feel free to check it out.)

23rd August 2008, 10:31 AM   #2
Aus_Snow
Do you already have an antivirus program installed? Antispyware/antimalware? If so, you might need to update, or even replace them with better options. If not, well, you should've. But you probably still can anyway - for example, if you go to http://pack.google.com and select just Spyware Doctor (you could add more free stuff at a later point if you wanted to) you'll have a pretty decent antispyware program ready to go in no time.

If you have genuine Windows installed, you could've got Windows Defender from Microsoft/Windows Update. I suggest doing so in future, should you get the opportunity.

Other ones I've tried include SuperAntiSpyware (from http://www.superantispyware.com), and Spybot - Search & Destroy (from http://www.safer-networking.org/en/spybotsd/index.html).

With one or two of these, you might have to specify that no, you don't want such and such a toolbar or whatever (can't remember which ones sorry, just keep an eye out during installation - and this goes for any program ever - if you decide to give them a go); these are *optional* bits of *ad*ware, not unavoidable, let alone spyware themselves.

I would suggest having two or three antispyware/antimalware programs installed, in total, and running them one at a time immediately upon installation (they'll generally offer this option, IIRC). Update straight away and then scan, or vice versa - again, they'll probably offer up one of these options by default.

My favourite free antivirus program for Windows XP is 'Avast!'. You can get that from http://www.avast.com - again, with no strings attached. Just make sure you don't have any other real antivirus installed, before adding another one!

Just my 2c. If you can't download anything helpful, or install them, or run them, I did come across some manual removal instructions for the spyware you've got, and they might work.

23rd August 2008, 01:28 PM   #3
Thanee
No idea, if this is actually helpful...

http://www.xp-vista.com/spyware-remo...antivirus-2008


If all things fail... Backup -> Format -> Reinstall.

Bye
Thanee
__________________

“In our world, immortality is not for the living. The legend lives on!”
In Memoriam E. Gary Gygax (* 27th July, 1938 — † 4th March, 2008).

23rd August 2008, 07:55 PM   #4
StreamOfTheSky
Double post

23rd August 2008, 07:56 PM   #5
StreamOfTheSky
I had a McAfee antivirus from my college, which I recently graduated from, but it probably wouldn't work, I haven't updated it in a few months, and if I still can get updates, I'd have to do it through the campus network (still possible, I work there). I don't know what it did or how it did so so fast, but I don't think any program's going to work. I had Adaware, that found 24 files, but didn't help. I downloaded Spybot, but couldn't install the .exe file, and I saw some people saying the best program to use was malwarebyte's anti-malware program. Which I found a link to on this site http://www.bleepingcomputer.com/malw...irus-2008-2009

Of course, I found it on a different computer, as mine won't let me access most pages with helpful info. I need to try and get it to my computer by flash drive, I guess. I'm just worried if I could ruin my flash drive too, and for no gain. When I try to install things now, it says files are corrupted, and won't let me. I'm not sure if trying to do it from a USB port would matter or not.

And yes, Thanee, I've been to that site. Interestingly, I can't follow links to it from my computer, but manually typing in the address worked. Some of the pages that link off of that (like the "how do I do this?" ones) work, but the text is spread out of place overlapping with things.

Aus, please tell me anything to manually remove them. I found this site http://wehackvirus.blogspot.com/2008...s-xp-2008.html and tried to follow the directions, but could only find one of those 12 character file names, and got as far as deleting everything in my recycle bin, only to get stuck on the step of going into HKEY_LOCAL_MACHINE because I only had the one file name, and there was nothing suspicious looking under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (step #8).

My friend works on tech support for the local cable company, so he's going to look at it late tonight when he's out of work. I really hope I don't need to wipe my whole hard drive, like a rep from said cable company told me on the phone. It really sucks -- my computer's 5 years old, I had been starting to look into getting a new one, and now this happens. I'd really like to not lose 5 years of stuff.

24th August 2008, 03:03 PM   #6
Aus_Snow
Have you had any luck so far, SotS? The tech support guy helpful? I hope so. Gotta say, it sounds like a particularly nasty bit of malware. Basically - if what little I've read is accurate at all - a package containing (among other things) several trojans. No wonder it's [/they're] a bit tricky to remove. At first, I just assumed it was like most other trojans/similar programs. Hadn't heard of it.

Still, even if things continue to look bad at this stage, if you could get a list of processes running on your PC, that might help. If even some of them can be terminated, doing so *might* give you the opportunity to uninstall anything you need to, and install (and run) some scanning and cleaning software.

It's a thought. Please treat it with the scepticism any stranger's suggestions deserve. I won't be offended at all, incidentally.

24th August 2008, 10:37 PM   #7
StreamOfTheSky
Quote:
Originally Posted by Aus_Snow View Post
Still, even if things continue to look bad at this stage, if you could get a list of processes running on your PC, that might help. If even some of them can be terminated, doing so *might* give you the opportunity to uninstall anything you need to, and install (and run) some scanning and cleaning software.
I tried that following the wehackvirus site's instructions, and hit a roadblock, it's just so hard to remove. My friend tried last night using two programs (I think it was combofix and SDfix), but no success. He did discover it had established a root kit, though. And that it had brought other things with it. He took it to work with him today, when he gets out later tonight, I'll go back and get it from him. Worst case scenario, he said, was that he'd have to port all my files except the system ones onto his external hard drive, wipe the hard drive clean, and move them back, so I won't lose my precious files. He deals with this thing a lot at work, but mine was different. He plans to keep my system files on a flash drive to research it more on his own time for "fun."

Thanks for the help, though. If anyone else ever gets it, it's probably common sense, but DO NOT buy anything it prompts you to! I figured it was just a scam and wouldn't fix things if I complied, but commented, "If buying the program really did make it all go away, I'd even be willing to pay up to these a@@holes just to fix it." To which my friend confirmed, buying into the scam doesn't help at all. The company my friend works for, I had called on the phone. Instead of directing me to the specialist tech support he works for (which costs money), the person on the other end told me there was nothing I could do, and should just wipe the hard drive, and recommended a guy to "try" and recover most of my data for a fee. SO glad I didn't listen to him!

25th August 2008, 08:00 AM   #8
evilgenius8000
I fixed it by going into Program Files and finding & deleting the folder that was a random jumble of letters (sort by date modified to find the right one). That caused the Windows XP antivirus program to terminate. Once that happened, I was able to run AVG without my computer bluescreening (Windows XP 2008 Antivirus was pretty much locking up my computer whenever I tried to run Spybot or AVG). I figured out that there were a few more virussed files in ../Windows/system32 that seemed to have showed up with the fake antivirus (I think the program was just replicating the crap into system32). I deleted those foreign files, and AVG found one other virus downloader thing (in the temporary internet files... not sure if it was connected though). Everything seems to be running fine now, though. Hope you have some luck fixing your 'puter. Just look for things that have nonsensical filenames and don't seem to belong.
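
Added example (not part of any post in this thread): a Python version of the manual triage described in post #8, listing recently modified entries whose names look like a random jumble of letters, newest first. The randomness heuristic, its thresholds, the function names and the sample listing are assumptions constructed for illustration.

```python
import os
import sys
import time

VOWELS = set("aeiou")
DAY = 86400


def looks_random(name):
    """Heuristic (an assumption, not a signature): a space-free stem with
    six or more letters that is vowel-poor or contains a long consonant
    run reads as a 'random jumble of letters'."""
    stem = os.path.splitext(name)[0].lower()
    if " " in stem:
        return False
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in stem:
        # Digits and vowels break a consonant run.
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        longest = max(longest, run)
    return vowel_ratio < 0.2 or longest >= 5


def triage(entries, now, max_age_days=14):
    """Return (name, mtime) pairs that are both recent and random-looking,
    newest first, mirroring 'sort by date modified' in Explorer."""
    cutoff = now - max_age_days * DAY
    hits = [(n, m) for n, m in entries if m >= cutoff and looks_random(n)]
    return sorted(hits, key=lambda e: e[1], reverse=True)


def scan_dir(path):
    """List (name, mtime) for every entry directly inside path."""
    with os.scandir(path) as it:
        return [(e.name, e.stat().st_mtime) for e in it]


# Constructed sample listing; none of these names come from the thread.
NOW = 1219622400  # constructed reference time (2008-08-25 UTC)
SAMPLE = [
    ("Mozilla Firefox", NOW - 200 * DAY),
    ("Common Files", NOW - 900 * DAY),
    ("rhcnk7j0e13c", NOW - 2 * DAY),        # recent and random-looking
    ("InstallShield", NOW - 1 * DAY),       # recent but a normal name
    ("qwzxvbnt", NOW - 400 * DAY),          # random-looking but old
    ("lphcvgtj0e1a3.dll", NOW - 3 * DAY),   # recent and random-looking
]

if __name__ == "__main__":
    live = len(sys.argv) > 1
    entries = scan_dir(sys.argv[1]) if live else SAMPLE
    now = time.time() if live else NOW
    for name, mtime in triage(entries, now):
        print(time.strftime("%Y-%m-%d", time.gmtime(mtime)), name)
```

Pass a directory as the first argument to scan it instead of the sample. Flagged names are leads for manual review, since legitimate software can also have odd names.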

25th August 2008, 08:28 AM   #9
Firzair
You really need a reinstall

Hi StreamOfTheSky,
sounds like a reinstall is in order. As there is already a root kit installed, you should just backup all data and reinstall.
After reinstallation, before connecting to the internet, you should install all xp updates. There are some tools that let you download the updates to your hard drive for copying them to the new machine.

Then install:
Real antivirus software
Firefox 3
NoScript extension for firefox
Desktop Firewall like zonealarm
Spybot Search & Destroy
AdAware
... your other default software

Then make a backup of the system with a drive image tool.

If you want to browse really safe, you could install Moka5, then use the fearless browser with it. It starts a virtual linux within your xp with firefox installed for browsing the internet. You are still able to download files and use them in your windows xp, but all those files are downloaded in the linux area to a shared drive.
Nothing gets automatically started in the windows environment. There you can scan all files using the antivirus software and upon confirmation of being clean you can just use them in windows.
I use this setup at home, it's not too much of a hassle and the security is high.

Hope that helps.

Greetings
Firzair
__________________
Carry on - my sons forever
Carry on - when I am gone
Carry on - for when the day is long
Forever Carry on
Manowar

25th August 2008, 04:54 PM   #10
Thanee
Quote:
Originally Posted by StreamOfTheSky View Post
I really hope I don't need to wipe my whole hard drive, like a rep from said cable company told me on the phone. It really sucks -- my computer's 5 years old, I had been starting to look into getting a new one, and now this happens. I'd really like to not lose 5 years of stuff.
Backup the files!

If your computer doesn't really let you, find/build a bootable CD/DVD solution (i.e. Knoppix) and boot your computer with that one, then access and backup the files via the file system.

Bye
Thanee

25th August 2008, 06:04 PM   #11
Rackhir
This nasty piece of work was covered in detail in The Register recently.

http://www.theregister.co.uk/2008/08...omy_of_a_hack/

They are quite clever about how they go about tricking you if you aren't very careful.

For this reason, if you get something like this popping up.

Close the window, don't click on cancel or something like that.

Those buttons can be made to say whatever it is they want. Rather than what they actually do.

25th August 2008, 09:34 PM   #12
StreamOfTheSky
Thanks for the link, Rackhir! It was very informative, though some of those things never happened to me (and I never chose 'yes' to anything, though apparently that's part of the scam), and some other things happened to me not in the article. Including the blue screen of not-death, which happened any time I let my computer go idle. This guy talks about it, and his comment in general intrigued me:

Spoiler:
Posted by "Chris"
It gets worse
i have been inundated with these things at the university where i work.

they come in thru bad blog spam, myspace bot spam, phishing emails, the works.

some of them pop up phony bluescreens, complete with fake restarts of windows, either via fullscreen animated GIFs, or by using a BSOD screen saver.

the only way i was able to spot one infection was that the "bluescreen" completed its dump of physical memory and "restarted" windows. think about that for a minute. it's called the blue screen of death because it's the last action your computer takes before it locks up solid. there is no coming back.

someone has poured a lot of time and energy (and presumably money) into these scams.

these are not students playing a prank. this isn't some lonely guy in his mom's basement. these are real programmers at work, and they are probably backed by someone with money. this is not an automated attack that you can fix with automated tools. new versions are hitting every day, manually re-engineered to slide past anti-virus and anti-spyware tools. this is a human powered attack and it requires a human powered counter attack.

this isn't crime. this isn't a random act by an individual or a group. this is a coordinated attack by a growing group of motivated professionals. this is a war.


As for me, my friend didn't need to reinstall everything. He got the root kit out with SDfix, then multiple scans with other programs got all the hidden system files. He left me with SuperAntispyware, Malwarebytes, and Spybot S&D, telling me to scan with Spybot and then download/install Avast at home. I've done so, Spybot caught 7 items, and got rid of all except a keyboard hacker, which multiple reboots and retries have failed to remove. I'll have to ask him later today, kinda worrying me. Other than that, everything's fine now.

29th August 2008, 03:45 AM   #13
Bront
If you can find the process of the spyware, you can usually shut it down and then get it with spybot.

I had to remove Antivirus 2008 from my step-daughter's PC. Required several registry edits and manual file removals, but wasn't too hard once I killed the process.

7th September 2008, 02:13 PM   #14
Energy Recruitment
enworld forum

Except there are several other powers that use the same mechanic. If that ranger also has Sweeping Whirlwind (Enc 7), Swirling Leaves of Steel (Daily 9), Cheetah's Rake (Enc 17), and Clearing the Ground (Stormwarden Enc 11) they are now benefitting from an oversized weapon on several attacks, typically with multiplied [W]. (Note: Two other similar attacks - Wounding Whirlwind and Cold Steel Hurricane - have the requirement for two weapons and target a close burst 1, but they specify one attack with each hand on each target, and so avoid this issue. And every other power that specifies that they must have two weapons also specifies an attack with each weapon.).
__________________
Energy Recruitment

8th September 2008, 06:10 PM   #15
Calico_Jack73
Try Sunbelt Software's CounterSpy. You can download a free, fully functioning demo and use it for 15 days. It has found and removed stuff that AdWare, Norton, and McAfee have missed.

http://www.sunbeltsoftware.com/Home-.../Anti-Spyware/
__________________
"There is no charge for AWESOMENESS!" - Po the Dragon Warrior

10th September 2008, 04:21 AM   #16
StreamOfTheSky
Quote:
Originally Posted by Energy Recruitment View Post
Except there are several other powers that use the same mechanic. If that ranger also has Sweeping Whirlwind (Enc 7), Swirling Leaves of Steel (Daily 9), Cheetah's Rake (Enc 17), and Clearing the Ground (Stormwarden Enc 11) they are now benefitting from an oversized weapon on several attacks, typically with multiplied [W]. (Note: Two other similar attacks - Wounding Whirlwind and Cold Steel Hurricane - have the requirement for two weapons and target a close burst 1, but they specify one attack with each hand on each target, and so avoid this issue. And every other power that specifies that they must have two weapons also specifies an attack with each weapon.).
Welcome to ENWorld, I believe you posted to the wrong thread.

12th September 2008, 02:30 AM   #17
Dr. Talos
Try malwarebytes...worked great when I got this pest

13th September 2008, 01:43 PM   #18
Geoff Watson
I got the AntiVirus Spyware, it was very annoying (screwed up a lot of websites that I tried to use to find information on how to get rid of it).

I used HijackThis! to get rid of the main program, then Avast to get rid of the remnants.

Be very careful when using HijackThis, you can easily remove stuff you don't want to.

Geoff.
All times are GMT +1.


Site Contents © 2008 ENWorld