Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: tbint on February 24, 2010, 08:11:34 PM

Title: XP Guardian 2010
Post by: tbint on February 24, 2010, 08:11:34 PM
A customer's IBM laptop got this XP Guardian 2010 mal-, ad-, spy-, rogue-, hostage-ware. Here's a link to a description of the evil little thing. Simple enough to get rid of, I think.

I don't suppose Avast looks for this kind of ware. (The laptop has Avast Home 4.x.) It seems to me it shuts antivirus protection down.

Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
"Is Avast 5.0 set up to handle this little hostage taker?"
Would Avast be interested in making a definition for it? If there is a way for me to zip the little rascal up, or something, before I give the laptop an exorcism.
Title: Re: XP Guardian 2010
Post by: Pondus on February 24, 2010, 08:42:09 PM
I think it was uploaded to avast yesterday http://forum.avast.com/index.php?topic=56136.0


How to remove XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010

What this program does:

Antivirus Vista 2010, Win 7 Antispyware 2010, and XP Internet Security 2010 are new rogues that are exactly the same program, but are shown with different names and interfaces depending on the version of Windows that it is run on. After I wrote this guide, I was told that this rogue goes under quite a few different names, which I have listed below:

•Antivirus Vista 2010
•Vista Antispyware 2010
•Vista Guardian
•Vista Antivirus Pro
•Vista Internet Security
•Vista Internet Security 2010
•XP Guardian
•XP Antivirus Pro
•XP AntiSpyware 2010
•XP Internet Security
•XP Internet Security 2010
•Antivirus XP 2010
•Antivirus Win 7 2010
•Win7 Guardian
•Win 7 Antivirus Pro
•Win 7 Antispyware 2010
•Win 7 Internet Security
•Win 7 Internet Security 2010

When installed, this rogue pretends to be an update for Windows installed via Automatic Updates. It will then install itself as a single executable called AV.exe that uses very aggressive techniques to make it so that you cannot remove it. First, it makes it so that if you launch any executable it instead launches Antivirus Vista 2010, Win 7 Antispyware 2010, or XP Internet Security 2010. If the original program that you wanted to launch is deemed safe by the rogue, it will then launch it as well. This allows the rogue to determine what executables it wants to allow you to run in order to protect itself. It will also modify certain keys so that when you launch Firefox or Internet Explorer it will launch the rogue instead and display a fake firewall warning. Last, but not least, when you try to browse to a web site, it will hijack your browser and state that the site is a security risk and not allow you to visit it.
Title: Re: XP Guardian 2010
Post by: tbint on February 24, 2010, 09:55:46 PM
Thanks for the reply. I would love to try the bleeping computer removal but.

I shut down my home network and gave that laptop connectivity to the Internet. Wrong move!! I thought I could get rid of it. But the little ba*terd shut down everything: control panel, browsers, msconfig, task manager, etc.

" It would not let me execute a program from a usb pen drive. "

Now what? The little hostage taker killed the hostage. The XP Guardian 2010 stopped launching also. I guess it's time to delete the partition. Hope that will get rid of it.

Really don't want to delete, but I guess.
Title: Re: XP Guardian 2010
Post by: essexboy on February 24, 2010, 09:58:45 PM
Deletion is not necessary - do you have a CD burner?

OK, this file is big, about 276.7 MB; print these instructions out so that you know what you are doing.

File details
Bytes - 290,236,416
MB - 276.7
MD5 - 910CBB8EA943B17ABCEDD09610664342

Two programmes to download

First

ISOBurner (http://www.ntfs.com/iso-burning.htm) - this will allow you to burn OTLPE.iso to a CD and make it bootable. Just install the programme; from there on in it is fairly automatic. Instructions (http://www.ntfs.com/iso_burner_free.htm)

Second

Note : If you do not know how to set your computer to boot from CD follow the steps here (http://www.hiren.info/pages/bios-boot-cdrom)
Note : as you are running from CD it is not exactly speedy
Title: Re: XP Guardian 2010
Post by: tbint on February 24, 2010, 10:34:23 PM
This is a way to remove XP Guardian? I mean the OTLPE scan is removal also?
Title: Re: XP Guardian 2010
Post by: essexboy on February 24, 2010, 10:36:55 PM
No, it is manual removal, but from outside of Windows - the log shows the start files and their location. Once found, OTLPE will, when given the fix instructions, remove them from the hard drive and registry. The system should then boot normally and allow the use of other malware removal tools.
Title: Re: XP Guardian 2010
Post by: tbint on February 25, 2010, 07:40:17 PM
Oh, very cool desktop, I will use this ISO for the rest of my life.

I want to click on Run Fix so bad! But here's the log.
Could someone please let me know what to do next before I get excited and click that Run Fix button.

Well, the content was too big. I attached it.
Title: Re: XP Guardian 2010
Post by: Pondus on February 25, 2010, 07:51:24 PM
essexboy will be here soon, be patient he works in several forums
Title: Re: XP Guardian 2010
Post by: tbint on February 25, 2010, 08:17:34 PM
OK, not meaning to rush, just hanging. This Reatogo desktop is so cool. I feel I should help support with the help everyone is giving. I know that file is large. I could come up with 10 bucks USD if essexboy is into that for his time going through that file. I wish I knew what I was looking for. I wouldn't mind learning, but man, there has to be a lot of different virus defs. I don't see how he does it.
Title: Re: XP Guardian 2010
Post by: Pondus on February 25, 2010, 08:21:58 PM
Quote
I don't see how he does it.
Most of us don't, but it is very interesting to look at him work...... ;)
Title: Re: XP Guardian 2010
Post by: tbint on February 25, 2010, 08:53:10 PM
Just reading through, I found the AV file. I know that's the evil one. I think I'm going to get to kill it. I gave up hope yesterday, but I did not delete. I have Hughesnet ISP with a 200 MB download threshold; had to download OTLPE in the middle of the night, but it was worth it.

\av.exe
[2010/02/19 02:25:11 | 000,001,547 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\MSKeyViewer Plus.lnk
[2010/02/19 02:25:11 | 000,001,535 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\RegistryEditorPE.lnk
[2010/02/19 02:25:11 | 000,001,479 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\Undelete Plus.lnk
[2010/02/19 02:25:11 | 000,001,475 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\Magical Jelly Bean Keyfinder.lnk
[2010/02/19 02:25:11 | 000,001,437 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\notepad++.lnk
[2010/02/19 02:25:11 | 000,001,343 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\Windows Registry Recovery.lnk
[2010/02/19 02:25:10 | 000,001,483 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\HandyRecovery 1.lnk
[2010/02/19 02:25:10 | 000,001,469 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\DiskPartitioner.lnk
[2010/02/19 02:25:10 | 000,001,465 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\Agent Ransack.lnk
[2010/02/19 02:25:10 | 000,001,427 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\2xExplorer.lnk
[2010/02/19 02:25:10 | 000,001,371 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\ImgBurn.lnk
[2010/02/19 02:25:10 | 000,001,353 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\DriveImage XML.lnk
[2010/02/19 02:25:10 | 000,001,347 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\A43 File Management Utility.lnk
[2010/02/19 02:25:10 | 000,001,347 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\7-Zip File Manager.lnk
[2010/02/19 02:25:10 | 000,001,313 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\Disk Investigator.lnk
[2010/02/19 02:25:10 | 000,001,261 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\Internet Explorer.lnk
[2010/02/18 08:14:33 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\fogled\Desktop\Facilitator 2010 (a).doc
[2010/02/15 11:00:48 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\fogled\Desktop\Microsoft Office Word 2003.lnk
[2010/02/14 06:44:30 | 000,027,648 | ---- | M] () -- C:\Documents and Settings\fogled\Desktop\Facilitator 2010.doc
[2010/02/08 09:32:20 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\fogled\Desktop\PaltalkScene.lnk
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\fogled\*.tmp files -> C:\Documents and Settings\fogled\*.tmp -> ]
Title: Re: XP Guardian 2010
Post by: essexboy on February 25, 2010, 09:07:19 PM
There are also a few friends there

Start OTLPE as you did previously from CD
Copy the attached Fix.txt to a USB

Title: Re: XP Guardian 2010
Post by: tbint on February 25, 2010, 10:11:30 PM
Now after I ran Fix, booted to Windows, then booted the ISO again and ran a scan: no LOP and Purity. Could not run the scan while booted into Windows. Not to be dumb, just checking.

Are these infected files in your head, or is there a place to check, besides googling each one by one, if you don't mind me asking?

Here's the new log.
Title: Re: XP Guardian 2010
Post by: essexboy on February 25, 2010, 11:14:42 PM
My knowledge is the result of a year's training and about three years' hands-on experience, using tools - Google - memory and knowledge of known bad boys, plus access to several closed forums ;D

Could you now boot to normal windows and run MBAM please

Please download Malwarebytes' Anti-Malware from Here (http://www.malwarebytes.org/mbam-download.php).

Double Click mbam-setup.exe to install the application.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Title: Re: XP Guardian 2010
Post by: tbint on February 25, 2010, 11:47:27 PM
It will not let me execute the setup; it prompts me with an "open with" window.

Tried control panel; it opens, but if I try Add/Remove I get c:/windows/system32/rundll32.exe application not found.

I can open Explorer with My Computer, navigate to win sys32 and see the file.
Title: Re: XP Guardian 2010
Post by: essexboy on February 25, 2010, 11:50:58 PM
Could you rename the MBAM extension from .exe to .com and then retry?
Title: Re: XP Guardian 2010
Post by: essexboy on February 25, 2010, 11:55:03 PM
If that should fail, then download this Programme (http://securityresponse.symantec.com/avcenter/UnHookExec.inf) to your desktop, right click and select install; nothing will appear to happen, it will just do its job.
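The behaviour described in the bleepingcomputer quote above (every .exe launch redirected through the rogue, Security Center alerts suppressed) and the .exe-to-.com workaround in this post both come down to a handful of registry values. The script below is an added example, not code from the thread or from any of the tools mentioned in it: it parses a registry export in .reg format and flags the two indicators a responder would check first, the Security Center "AntiVirusOverride" value quoted at the top of the thread and an exefile open command that no longer reads the stock `"%1" %*`. The sample export is constructed for the example; the hijacked command line in it is a placeholder path, not an indicator taken from the page. The FirewallOverride value is a known sibling of AntiVirusOverride in the same key and is an addition of mine, not something the thread mentions.

```python
import re

# Constructed sample .reg export (not from the thread). The av.exe path is a
# placeholder standing in for whatever the rogue put there.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\example\\av.exe\" /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
'''

# Stock Windows association for .exe files: run the file itself with its args.
EXPECTED_EXE_COMMAND = '"%1" %*'

SECURITY_CENTER_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
EXEFILE_COMMAND_KEY = r'HKEY_CLASSES_ROOT\exefile\shell\open\command'


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> \" (one pass, left to right)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    The default value of a key is stored under the empty name ''.
    Only string ("...") and dword: values are decoded; other types are
    kept as their raw text.
    """
    reg = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        if key is None:
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m:
            continue
        name = '' if m.group(1) == '@' else _unescape(m.group(2))
        val = m.group(3)
        if len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            value = _unescape(val[1:-1])
        elif val.startswith('dword:'):
            value = int(val[len('dword:'):], 16)
        else:
            value = val
        reg[key][name] = value
    return reg


def find_indicators(reg):
    """Return a list of human-readable findings for the two rogue-AV indicators."""
    findings = []
    sc = reg.get(SECURITY_CENTER_KEY, {})
    for name in ('AntiVirusOverride', 'FirewallOverride'):
        if sc.get(name) == 1:
            findings.append(f'Security Center: {name} = 1 (status alerts suppressed)')
    cmd = reg.get(EXEFILE_COMMAND_KEY, {}).get('')
    if cmd is not None and cmd.strip() != EXPECTED_EXE_COMMAND:
        findings.append(f'exefile open command is not the stock value: {cmd}')
    return findings


if __name__ == '__main__':
    for finding in find_indicators(parse_reg(SAMPLE_REG)):
        print(finding)
```

A machine whose exefile command has been rewritten will launch the rogue for every .exe, which is exactly why renaming the installer to .com (a different association) let MBAM run; the same check, run over an export taken from a live-CD environment such as OTLPE, tells you whether that step is even needed.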
Title: Re: XP Guardian 2010
Post by: tbint on February 26, 2010, 12:41:24 AM
The .com worked, but when it updated, it updated the program and would not exe the setup file. I did a search for it in temp, copied it to the desktop, changed the file extension and thank God. Scanning now.

Here's the MBAM log.
Title: Re: XP Guardian 2010
Post by: Pondus on February 26, 2010, 01:30:31 AM
Your log says "no action taken"; you should scan again and click the button REMOVE SELECTED to quarantine the infections.
Title: Re: XP Guardian 2010
Post by: tbint on February 26, 2010, 02:14:05 AM
Ran scan again, said no infections found; upgraded to Avast 5, found some, wanted boot scan, doing now. Things are working again at least. Have not connected to the Internet yet; after boot scan, going to update the Avast database and scan again, then update to XP SP3, disk clean, defrag, etc. Post back after a while.
Title: Re: XP Guardian 2010
Post by: essexboy on February 26, 2010, 06:57:13 PM
Nice - did you need to run the .inf file?
Title: Re: XP Guardian 2010
Post by: tbint on February 26, 2010, 09:10:15 PM
No, the .com worked, till it updated.

OK, I ran MBAM till clean, then Avast 5. Shut down, woke up this morning, ran Avast, found av.exe, moved to chest; ran again, found some 2 trojans, moved to chest; then I deleted them, ran Avast one more time, found 1 malware32 something. Avast says it's clean now. Running a full with MBAM right now, then going to reboot and run again. Do you think there might be something these two programs don't know about?

Have not put the laptop on the Internet after updating, so as not to let it loose.
Title: Re: XP Guardian 2010
Post by: essexboy on February 26, 2010, 10:11:19 PM
Possibly - I would like to see a GMER run.

Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Once the scan is complete, you may receive another notice about rootkit activity.
Post the contents of GMER.txt in your next reply.
Title: Re: XP Guardian 2010
Post by: tbint on February 26, 2010, 10:28:41 PM
It was not a very long scan time.

I have had 2 clean scans from both Avast and MBAM after reboot. I felt safe enough to connect to the Internet.

Here's the file.
Title: Re: XP Guardian 2010
Post by: essexboy on February 26, 2010, 10:40:50 PM
Looks good - all problems clear now?
Title: Re: XP Guardian 2010
Post by: tbint on February 26, 2010, 10:52:22 PM
Quote
Looks good - all problems clear now ?

Thank you essexboy for the easy instructions, live Win disk, MBAM, the information; I will know where to start. Hope to give something back to you, and this forum.

I would like to become a member of UNITE. But I have a lot to learn.

cheers
Title: Re: XP Guardian 2010
Post by: essexboy on February 26, 2010, 11:01:35 PM
My pleasure - apart from Virut, most computers can be recovered intact if you have the right tools.

Do you repair computers for a living?
Title: Re: XP Guardian 2010
Post by: tbint on February 27, 2010, 01:01:00 AM
Not main income. Started out building my own PCs, got into satellite Internet (Hughes), then web sites. Quiet Shine (http://www.quietshine.com) is my newest site, not sure just what to do with it. Maybe protection tips or something. I have a few more. The first site I sold is Kim's Kitchen (http://www.kims-kitchen.net). Good BBQ source, all HTML, not very well coded but it works. I have improved since then. But from collecting parts from dead PCs and making a working PC and selling, I get a few infected and broken repairs. Hobby I guess, self-taught. I make a little money.

Viruses or malware. That gets me. I mean, people just browsing the web and then their PC is taken hostage for ransom. They have to pay to get rid of it, pay to hopefully stay protected, or learn how to themselves. Someone like you is a blessing to have met. I find it worth the effort to learn, and interesting.

"Virut" - have to look that up.

Thanks again for the help essexboy, thanks Pondus.
Title: Re: XP Guardian 2010
Post by: essexboy on February 27, 2010, 01:47:59 PM
Have a read of miekiemoes' blog here (http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html).
Title: Re: XP Guardian 2010
Post by: tbint on February 27, 2010, 03:24:25 PM
Very interesting. But it leads to so many questions. I had done a search earlier, and obviously came up with a lot of different removal tools, a definition of Virut, and some others. These questions can be rhetorical, because I think the answers could be different in different cases. But,
is it limited to .EXE and .SCR files? I saw the HTML iframe way to spread.

Does the writer attack home users? I don't have any finances to profit from. That's just mean and destructive.

I have 4 drives: 2 for storage, XP, 7. Will it hide? Man, to lose all 4 of my drives.

Can it be detected in real time? So you would know not to back up after that point.

Why would someone need a virus like that, kicks? What if the virus activated on the writer's PC and he lost all his data? That was a dumb question.

Can the same precautions be taken to protect from infection, or is it totally hopeless to protect from infection? Sounds hopeless if infected.
Title: Re: XP Guardian 2010
Post by: essexboy on February 27, 2010, 03:38:45 PM
The idea behind Virut is to make a spambot that hides within the system - but the code writers are not quite up to scratch. At a penny for 10 spam e-mails it will add up.

It can be caught before it runs; I have had some cases where it was stopped dead in its tracks and there was no harm to the computer, but once it has infected one file then it is game over.

These are the known infection vectors:


DO NOT backup any applications or installers and DO NOT backup any files with the following extensions: If a file is not run then it will not get infected, but once run it is open season. Virut is mainly spread by infected P2P downloads, cracks and keygens; keep away from those and your survival chances increase greatly.
Title: Re: XP Guardian 2010
Post by: YoKenny on February 27, 2010, 04:01:58 PM
@  tbint

If you are serious about learning to become a malware fighter:
Quote
The following are websites who host training facilities. The mission of these facilities is to teach normal people how to become malware fighters (in random order).
 
http://forums.malwarebytes.org/index.php?s=&showtopic=40872&view=findpost&p=203443

United Network of Instructors and Trained Eliminators
http://www.uniteagainstmalware.com/schools.php

Title: Re: XP Guardian 2010
Post by: Pondus on February 27, 2010, 04:10:34 PM
Quote
Thanks again for the help essexboy, thanks Pondus .  
You're welcome.... ;)

More Virut info

Virus:W32/Virut http://www.f-secure.com/v-descs/virus_w32_virut.shtml
http://en.wikipedia.org/wiki/Polymorphic_code
http://blog.avast.com/2009/07/14/buggy-file-infectors/
http://blog.avast.com/2010/01/08/file-infectors-part-2/
Title: Re: XP Guardian 2010
Post by: essexboy on February 27, 2010, 04:30:19 PM
Being totally biased I would recommend GeeksToGo as I am teaching there  ;D