Author Topic: WARNING TO ALL USERS!  (Read 7998 times)


PotatoMan

  • Guest
WARNING TO ALL USERS!
« on: September 02, 2008, 10:54:59 PM »
NOTE: Please make this sticky.

Recently, XP Antivirus 2008/Antivirus XP 2008 has become considerably more common.

Most recently, email spam telling of a critical Windows update contains links to a .swf hosted on imageshack.us that, after being loaded, prompts the user to download XP Antivirus 2008.

Also, spam is being sent through Windows Messenger, MSN, AIM and Yahoo! Messenger; users of those IM clients have been attacked by this malicious program as well.

Please, if you receive any warnings telling you that your computer needs a critical update, or that you need to install XP Antivirus 2008, please do NOT fall for this HUGE scam.

Matt from remove-malware.com has said most of his client calls in the last week have been about XP Antivirus 2008, and one particular customer who had it had his TurboTax files uploaded to the web because of XP Antivirus.

Just please be aware.

And to all of our wonderful experts who help remove malware every day: in this time of internet crime and malware, we must be the best we can be to prevail over this scam.

Thank You All,
David
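The lure pattern described in the post (a "critical Windows update" message whose link points at a .swf file on an image host, which then pushes the rogue antivirus) can be triaged mechanically. The following is an added example, not code from the original post or from any product mentioned in the thread: a small scorer that pulls URLs out of an email body or IM line and flags the combination of a direct Flash link, an image-sharing host, and the social-engineering wording. Only imageshack.us and the lure phrases come from the thread; the sample messages, the scoring weights and the threshold are constructed for illustration.

```python
"""Heuristic triage of the "critical Windows update" / .swf-on-image-host lure.

Added example; not code from the forum thread or any product it names.
Sample messages are constructed. imageshack.us is the host named in the thread;
the weights and threshold below are arbitrary choices for this example.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Host named in the thread as where the lure .swf was hosted.
IMAGE_HOSTS = ("imageshack.us",)

# Social-engineering wording taken from the thread's description of the spam.
LURE_PHRASES = (
    "critical update",
    "critical windows update",
    "xp antivirus 2008",
    "antivirus xp 2008",
)

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)

SCORE_SWF = 2         # link straight to a Flash movie
SCORE_IMAGE_HOST = 1  # file served from an image-sharing site
SCORE_LURE = 1        # "critical update" style bait text
THRESHOLD = 2         # score at or above this is treated as suspicious


@dataclass
class Verdict:
    source: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def on_image_host(host: str) -> bool:
    """True if host is one of IMAGE_HOSTS or a subdomain of one (img.imageshack.us)."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in IMAGE_HOSTS)


def triage(source: str, text: str) -> Verdict:
    """Score one message (email body or IM line) for the lure pattern."""
    v = Verdict(source)
    lowered = text.lower()
    for phrase in LURE_PHRASES:
        if phrase in lowered:
            v.score += SCORE_LURE
            v.reasons.append(f"lure phrase: {phrase!r}")
            break  # count the bait wording once per message
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:)")  # drop trailing punctuation the regex swept up
        parts = urlparse(url)
        host = parts.hostname or ""
        if parts.path.lower().endswith(".swf"):
            v.score += SCORE_SWF
            v.reasons.append(f"direct .swf link: {url}")
        if on_image_host(host):
            v.score += SCORE_IMAGE_HOST
            v.reasons.append(f"hosted on image site: {host}")
    return v


# Constructed sample traffic: two copies of the lure, two benign messages that
# share a feature with it (a Windows Update mention, the words "critical update").
SAMPLE_MESSAGES = [
    ("email", "Subject: Critical Windows update required\n"
              "Your PC is at risk. Install now: http://img.imageshack.us/img123/456/update.swf"),
    ("msn",   "lol is this you?? http://img.imageshack.us/img5/photo.swf"),
    ("email", "Windows Update ran overnight; see http://windowsupdate.microsoft.com for the history."),
    ("aim",   "meeting notes are at http://intranet.example/notes.html, critical update to the agenda"),
]


def run_samples() -> list[Verdict]:
    return [triage(src, text) for src, text in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for v in run_samples():
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{v.source:6} {flag:10} score={v.score}  {'; '.join(v.reasons)}")
```

The threshold is what keeps the benign "critical update to the agenda" line from firing: bait wording alone scores 1, while a bare .swf link already scores 2, since no legitimate update notice delivers its payload as a Flash movie on an image host.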

Offline N@URINE

  • Full Member
  • Posts: 167
Re: WARNING TO ALL USERS!
« Reply #1 on: September 02, 2008, 11:00:26 PM »
Thank you PotatoMan!
XP Antivirus 2008 is detected by Avast, but Avast can't remove it. In my experience, Combofix got it.
NourinE

PotatoMan

  • Guest
Re: WARNING TO ALL USERS!
« Reply #2 on: September 03, 2008, 12:00:30 AM »
> Thank you PotatoMan!
> XP Antivirus 2008 is detected by Avast, but Avast can't remove it. In my experience, Combofix got it.

Problem is, CF won't run on any other OS but XP

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33897
  • malware fighter
Re: WARNING TO ALL USERS!
« Reply #3 on: September 03, 2008, 12:14:26 AM »
Hi PotatoMan,

Yes, this scam is hurting a lot of "click now, think later" users, who think that every pop-up message comes from their computer and is safe to react to. Malwarebytes' Anti-Malware is a program that can remove this malware; see to it that you update it to the latest version and signatures.
I agree with your conclusion that in these days of combined CyberCrime threat and Malware Galore we as malware fighters have to stick closely together to fight malware and educate the unaware about better protection of their data and Internet experience,

polonus aka Damian (malware fighter)

P.S. This year is the U.N. "Year of the Potato", did you know?
« Last Edit: September 03, 2008, 12:16:41 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

wyrmrider

  • Guest
Re: WARNING TO ALL USERS!
« Reply #4 on: September 03, 2008, 12:16:01 AM »
IMHO follows

agree with Polonus

Combofix is overkill for most versions of the infection
try Malwarebytes Anti-Malware first, as it does not require a special script as Combofix might, and it will also clean up other crap on the subject computer

I'd then try SUPERAntiSpyware
if those two do not get it, then the version with the Zlob variant may be present

try a Kaspersky or other online AV scan (assuming that a boot-time avast scan has already been done)
You do NOT want a virus (or another virus) around while running Combofix

If SmitfraudFix or SDFix is called for, run them first (or Microsoft Malicious Software Removal Tool or other tools: RogueRemover, Stinger, etc.)

Now try/recommend Combofix only if you are qualified to write the batch files that are frequently needed; otherwise refer the poster to someone (or a malware removal site) who is

Incidentally, it was posted that additional Avast detections are coming today or tomorrow.

A handy tool: upload the sample to VirusTotal and get a positive ID before bringing out the heavy artillery. Who detects it can be a guide to who might remove it with conventional means.

Not to minimize: the later versions of this software are tough,
and even after Combofix, MBAM and SAS scans are warranted along with an HJT log.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33897
  • malware fighter
Re: WARNING TO ALL USERS!
« Reply #5 on: September 03, 2008, 12:20:12 AM »
Hi wyrmrider,

Nice sum-up there of measures to take against the various forms of this threat, but let us not forget that sometimes we need to start up in Safe Mode or temporarily disable System Restore during the cleansing process, because some of these nasties can "rise from the dead", so to say. The malcreant today is a formidable opponent, guys and gals,

polonus

wyrmrider

  • Guest
Re: WARNING TO ALL USERS!
« Reply #6 on: September 03, 2008, 12:41:48 AM »
Amen to that Polonus

I also agree with Tech's approach when he "suggests" that
anyone who works through that list should be much easier to help if extreme measures are required

following quotes from this thread
http://forum.avast.com/index.php?topic=38345.0

I also agree with Potato Man when he comments on "The next step would be Combofix"

"No, ComboFix can be dangerous if a computer is not infected Same as with SmitFraudFix and VundoFix

Tech: Yes, downloading unnecessary programs and disabling system restore is for diagnosis, even when MBAM did not report anything.
You shouldn't tell people to take certain medicine when they aren't diagnosed."

and
"Second, ComboFix IS DANGEROUS as it can damage the registry and in some cases MAKE THE SYSTEM UNBOOTABLE."

and with Tarq57
"Some fairly good ideas, here, guys, but it does seem to me that some respondents are leaping to worst-case-scenario-type responses, which may or may not be appropriate, and, as indicated, one or two of them could do harm without the appropriate guidance.

What's needed first is a proper diagnosis."

Many of the posters do not have the experience to run Combofix unsupervised.

« Last Edit: September 03, 2008, 12:43:28 AM by wyrmrider »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33897
  • malware fighter
Re: WARNING TO ALL USERS!
« Reply #7 on: September 03, 2008, 12:53:46 AM »
Hi wyrmrider,

You are so right, my friend. First establish IF there is a malware infection. If so, upload to VirusTotal to have the virus or infector identified. Or do a read-up with the help of Google and the Internet.
Then, like you yourself note, follow an appropriate approach: that could be scanning with various run-of-the-mill anti-malware scanners.
If that does not deliver, more drastic methods can be appropriate, but always under the guidance of someone who knows what he or she does. First again use forensics like HijackThis, a StartDreck scan, or Silent Runners, which cannot harm your computer.
And in the case of an established infection we give the right antidote in the form of a fix (HijackThis, comboscript, SmitfraudFix, and the various latest Hogwart tools there are), and these also under strict guidance of someone who knows what is going on,

polonus
« Last Edit: September 03, 2008, 12:56:30 AM by polonus »

PotatoMan

  • Guest
Re: WARNING TO ALL USERS!
« Reply #8 on: September 03, 2008, 01:47:27 AM »
> Hi wyrmrider,
>
> You are so right, my friend. First establish IF there is a malware infection. If so, upload to VirusTotal to have the virus or infector identified. Or do a read-up with the help of Google and the Internet.
> Then, like you yourself note, follow an appropriate approach: that could be scanning with various run-of-the-mill anti-malware scanners.
> If that does not deliver, more drastic methods can be appropriate, but always under the guidance of someone who knows what he or she does. First again use forensics like HijackThis, a StartDreck scan, or Silent Runners, which cannot harm your computer.
> And in the case of an established infection we give the right antidote in the form of a fix (HijackThis, comboscript, SmitfraudFix, and the various latest Hogwart tools there are), and these also under strict guidance of someone who knows what is going on,
>
> polonus

Agreed Polonus,

Another big step is to gain help from experienced experts on forums like these or BleepingComputer so you don't have to pay a computer tuner, which can be very costly!

Also, never reformat unless you have tried everything, as it might not even be malware; it could be a damaged system file. REFORMATTING IS THE LAST OPTION!!

Excellent programs to help remove malware that are free:

avast! antivirus
Avira Antivir
AVG Free 8.0
MalwareBytes
SUPERAntispyware
Spybot - Search and Destroy
Lavasoft Ad-Aware 2008

Or you could use a bootable antivirus disk

Also, MOZILLA FIREFOX is an excellent browser that is WAY safer than Windows Internet Explorer and, in some cases, faster and less resource-consuming. You can download it here, www.mozilla.com, and you can add awesome add-ons such as AdBlock and NoScript to be protected even more!

Also, a firewall is STRONGLY recommended; some good ones:

Comodo
Sunbelt
PC Tools Firewall Plus

Or if you want to pay, here are some excellent ones!

Norton Antivirus (excellent malware removal, BUT BULKY AND RESOURCE-CONSUMING)
Kaspersky Antivirus 2009
NOD32
AVG Internet Security
ZoneAlarm
BitDefender

Excellent Advice Everyone!

Dave
« Last Edit: September 03, 2008, 02:45:16 AM by PotatoMan »

Sam Hobbs

  • Guest
Re: WARNING TO ALL USERS!
« Reply #9 on: September 03, 2008, 05:35:37 AM »
I am confused. Is this something that everyone gets or is this something that systems get only if their users respond to a message saying that there is a critical update that they must obtain by clicking on something? I only see instructions in this thread explaining how to get rid of it. If the infection does not occur unless someone foolishly follows the false notification, then I think people should place emphasis on avoiding the problem, instead of emphasizing the fix.

Does anyone have a link to the Microsoft instructions for avoiding such things? I am sure they have made a statement saying that updates would only be made available through Windows Update, or something like that. The link to that and such would be relevant here and all future similar attacks. Emphasis of the correct procedure for responding to the messages now and in the future is the best fix.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: WARNING TO ALL USERS!
« Reply #10 on: September 03, 2008, 06:42:37 AM »

> Problem is, CF won't run on any other OS but XP

I've used it on Win2K and Vista. Something change in the last few weeks?

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • Posts: 1062
Re: WARNING TO ALL USERS!
« Reply #11 on: September 03, 2008, 12:20:00 PM »
IMO CF is as secure as other programs. If you do something, you always have to know that there are probably bugs/failures.
There is no program which is totally secure. Avast had to fix several security issues that resulted in executing files while unpacking; Antivir (and others) false-alarmed on system files, and if those were deleted the
system won't start anymore. Symantec, McAfee, MBAM had a critical bug too, and so on.
Even DSS had a bug that forced Deckard to pull it from all official mirrors.

You can never be sure that everything goes perfectly if using the programs we are talking about.

@oldman, CF works fine on NT systems (besides 64-bit)
« Last Edit: September 03, 2008, 12:33:05 PM by raman »
MfG Ralf

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: WARNING TO ALL USERS!
« Reply #12 on: September 03, 2008, 02:34:20 PM »
Thanks raman. I didn't think it was my imagination. ;D

wyrmrider

  • Guest
Re: WARNING TO ALL USERS!
« Reply #13 on: September 03, 2008, 05:49:40 PM »
Spybot added lots of definitions for XP-antivirus and friends today

PotatoMan

  • Guest
Re: WARNING TO ALL USERS!
« Reply #14 on: September 03, 2008, 11:22:05 PM »
> Spybot added lots of definitions for XP-antivirus and friends today

I am disappointed. Thought this topic would make some buzz, or at least get sticky :(.