Author Topic: Antivirus XP 2010  (Read 7213 times)


RobertDL

  • Guest
Antivirus XP 2010
« on: February 23, 2010, 11:26:23 AM »
I received an e-mail with a zip file, from what I thought was an e-mail from the freight company DHL.com. Now my PC is infected and I can only use my laptop.
I'm running the home edition of Avast, but it did not protect the PC when the PC was attacked.
Can anyone help me with this problem? I want to know how to eliminate the virus.
I tried to use PC Netdoctor, but that only made the problem worse.
Someone please help?

Offline Milos

  • Avast team
Re: Antivirus XP 2010
« Reply #1 on: February 23, 2010, 11:42:29 AM »
Hello,
If you have the original email, please send it to virus@avast.com for analysis, and put "Undetected DHL" in the subject.

Thank you,
Milos

Offline Pondus

Re: Antivirus XP 2010
« Reply #2 on: February 23, 2010, 12:17:23 PM »
How to remove XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010

What this program does:

Antivirus Vista 2010, Win 7 Antispyware 2010, and XP Internet Security 2010 are new rogues that are exactly the same program, but are shown with different names and interfaces depending on the version of Windows that it is run on. After I wrote this guide, I was told that this rogue goes under quite a few different names, which I have listed below:

• Antivirus Vista 2010
• Vista Antispyware 2010
• Vista Guardian
• Vista Antivirus Pro
• Vista Internet Security
• Vista Internet Security 2010
• XP Guardian
• XP Antivirus Pro
• XP AntiSpyware 2010
• XP Internet Security
• XP Internet Security 2010
• Antivirus XP 2010
• Antivirus Win 7 2010
• Win7 Guardian
• Win 7 Antivirus Pro
• Win 7 Antispyware 2010
• Win 7 Internet Security
• Win 7 Internet Security 2010

When installed, this rogue pretends to be an update for Windows installed via Automatic Updates. It will then install itself as a single executable called AV.exe that uses very aggressive techniques to make it so that you cannot remove it. First, it makes it so that if you launch any executable it instead launches Antivirus Vista 2010, Win 7 Antispyware 2010, or XP Internet Security 2010. If the original program that you wanted to launch is deemed safe by the rogue, it will then launch it as well. This allows the rogue to determine what executables it wants to allow you to run in order to protect itself. It will also modify certain keys so that when you launch Firefox or Internet Explorer it will launch the rogue instead and display a fake firewall warning. Last, but not least, when you try to browse to a web site, it will hijack your browser and state that the site is a security risk and not allow you to visit it.
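The guide quoted above describes the mechanism: the rogue redirects every .exe launch through itself, which is done by changing the registry values Windows consults when it starts an executable (the same values the "Reg - Shell Spawning" scan and the ExeRepair.reg file mentioned later in this thread deal with). As an added example, not part of the thread or of the bleepingcomputer guide, the script below is a read-only PowerShell audit of those locations from the clean-up side: it reports deviations for review and changes nothing. It assumes PowerShell 2.0 or later on the affected machine, an account able to read HKLM, and that the "expected" values are the Windows XP/Vista/7 defaults; the function names and the AV.exe file search are mine.

```powershell
# Added example, not from the thread: read-only audit of the registry locations
# an ".exe hijacker" rogue alters. Reports deviations; changes nothing.
# Assumes Windows XP/Vista/7 defaults and PowerShell 2.0 or later.

function Get-RegDefault {
    # Returns the (Default) value of a registry key, or $null if the key is absent.
    param([string]$Path)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key -eq $null) { return $null }
    return $key.GetValue('')
}

function Get-ExeHijackFindings {
    $findings = @()

    # 1. The .exe association and the command Windows uses to launch any executable.
    #    Defaults: .exe -> exefile ; exefile\shell\open\command -> "%1" %*
    $expected = @{
        'HKLM:\SOFTWARE\Classes\.exe'                       = 'exefile'
        'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' = '"%1" %*'
    }
    foreach ($path in $expected.Keys) {
        $actual = Get-RegDefault $path
        if ($actual -ne $expected[$path]) {
            $findings += "Modified default: $path = '$actual' (expected '$($expected[$path])')"
        }
    }

    # 2. Per-user keys under HKCU\Software\Classes shadow the HKLM values in the
    #    merged HKCR view, so a clean HKLM alone does not prove .exe launching is intact.
    foreach ($sub in '.exe', 'exefile\shell\open\command') {
        $path = "HKCU:\Software\Classes\$sub"
        $actual = Get-RegDefault $path
        if ($actual -ne $null) {
            $findings += "Per-user override present: $path = '$actual'"
        }
    }

    # 3. Image File Execution Options 'Debugger' entries make Windows start another
    #    program in place of the named one. Normal for developers, rare on a home PC.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($key in @(Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
        $dbg = $key.GetValue('Debugger')
        if ($dbg) { $findings += "IFEO Debugger set: $($key.PSChildName) -> '$dbg'" }
    }

    # 4. The guide names a single dropped file, AV.exe. List any copy in the per-user
    #    writable folders a rogue can reach without administrator rights.
    $roots = @($env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Local Settings") |
        Where-Object { $_ -and (Test-Path $_) }
    foreach ($root in $roots) {
        $hits = @(Get-ChildItem -Path $root -Recurse -Filter 'av.exe' -ErrorAction SilentlyContinue)
        foreach ($f in $hits) {
            $findings += "File present: $($f.FullName) ($($f.Length) bytes)"
        }
    }

    return $findings
}

$results = @(Get-ExeHijackFindings)
if ($results.Count -eq 0) {
    'No deviations found in the audited locations.'
} else {
    $results
}
```

Run it from the infected account before and after clean-up: a non-empty report after Malwarebytes has finished is the registry-level explanation for the "it comes back after reboot" symptom described below, because the hijacked launch path survives even when the file itself was removed. Anything it lists should be compared against what a registry fix such as ExeRepair.reg restores rather than edited by hand.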

ToastMaster

  • Guest
Re: Antivirus XP 2010
« Reply #3 on: March 07, 2010, 05:26:23 PM »
I'm also suffering from this - picked up while browsing. Avast didn't stop it and after a search, there are lots of recommendations for Malwarebytes (including the bleepingcomputer.com link someone posted above). Malwarebytes manages to detect it and says it removes it, but after a reboot it's back again. Part of the problem may be it's blocking Malwarebytes from updating its virus database.

I'm running XP btw.

Any help greatly appreciated! It's driving me crazy. Thanks

Offline essexboy

  • Malware removal instructor
Re: Antivirus XP 2010
« Reply #4 on: March 07, 2010, 06:03:30 PM »
Malwarebytes will get the majority of it, but as the programme files change daily it is always playing catch-up.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

THEN

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
    • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

bran34

  • Guest
Re: Antivirus XP 2010
« Reply #5 on: March 08, 2010, 12:07:06 AM »
Argh.
Actually, I find that you CAN get around the firewall and constant security alerts, as for some reason or another, it seems that the program can only hijack IE. I'm currently on the infected computer, but I have to use Firefox. I seem to have been able to get around the firewall thing and launch Firefox, but your Internet Explorer is probably hijacked.

astrotrain

  • Guest
Re: Antivirus XP 2010
« Reply #6 on: March 08, 2010, 06:02:00 PM »
Yep, ran into this. Avast 5 just allowed the "av.exe" to run, and didn't detect it.

I'm running XP; luckily my firewall (Sygate Personal Firewall) caught av.exe trying to get out, and I was able to block it.

Disconnected my system from the network, rebooted into Safe Mode, downloaded a clean copy of Malwarebytes and its def file on another clean system and dropped it to a thumb drive, and was able to clean in Safe Mode.

Then re-ran MWB again in normal mode, and ran Spybot behind it to clean the rest of it up.

Super Antispyware (SAS) Free Edition also catches this version, and at this time the XP Antivirus 2010 variant does not know of this process and allows SAS to run. It kills Malwarebytes and Spyware if executed in normal mode.

If you're not running Sygate and have XP I suggest you do so. If you're running Vista/Win7 grab Comodo Free Firewall, that also does a great job of catching 'av.exe' before it gets out (plus Sygate will not run under Vista or Win7).
« Last Edit: March 08, 2010, 06:12:36 PM by astrotrain »

r.gordon

  • Guest
Re: Antivirus XP 2010
« Reply #7 on: March 16, 2010, 02:53:25 PM »
Before installing any anti-spyware tool, make sure you fix bad Windows Registry values by downloading the ExeRepair.reg file (Antivirus XP 2010).

Use the Malwarebytes Anti-Malware program instead of Spyware Doctor, which can be downloaded from http://www.malwarebytes.org/mbam-download.php
- Install the program by double-clicking the mbam-setup.exe setup file.
- Stick to the guidelines when installing the program.
- Make sure you update the program with the latest entries.
- Start the computer scan by launching the program and pressing the "Scan" button.
- After the scan has been completed, click "Show Results", then "Remove Selected".
- A computer restart might be necessary.