Author Topic: XP Guardian 2010  (Read 12685 times)


Offline tbint

  • Jr. Member
  • Posts: 50
XP Guardian 2010
« on: February 24, 2010, 08:11:34 PM »
A customer's IBM laptop got this XP Guardian 2010 mal, ad, spy, rogue, hostage ware. Here's a link to a description of the evil little thing. Simple enough to get rid of, I think.

I don't suppose Avast looks for this kind of ware. (The laptop has Avast Home 4.x.) It seems to me it shuts antivirus protection down.

Code:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
"Is Avast 5.0 set up to handle this little hostage taker?"
Would Avast be interested in making a definition for it? If there is a way for me to zip the little rascal up, or something, before I give the laptop an exorcism.

Offline Pondus

  • Probably Bot
  • Posts: 36993
Re: XP Guardian 2010
« Reply #1 on: February 24, 2010, 08:42:09 PM »
I think it was uploaded to avast yesterday http://forum.avast.com/index.php?topic=56136.0


How to remove XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010
What this program does:

Antivirus Vista 2010, Win 7 Antispyware 2010, and XP Internet Security 2010 are new rogues that are exactly the same program, but are shown with different names and interfaces depending on the version of Windows that it is run on. After I wrote this guide, I was told that this rogue goes under quite a few different names, which I have listed below:

  • Antivirus Vista 2010
  • Vista Antispyware 2010
  • Vista Guardian
  • Vista Antivirus Pro
  • Vista Internet Security
  • Vista Internet Security 2010
  • XP Guardian
  • XP Antivirus Pro
  • XP AntiSpyware 2010
  • XP Internet Security
  • XP Internet Security 2010
  • Antivirus XP 2010
  • Antivirus Win 7 2010
  • Win7 Guardian
  • Win 7 Antivirus Pro
  • Win 7 Antispyware 2010
  • Win 7 Internet Security
  • Win 7 Internet Security 2010

When installed, this rogue pretends to be an update for Windows installed via Automatic Updates. It will then install itself as a single executable called AV.exe that uses very aggressive techniques to make it so that you cannot remove it. First, it makes it so that if you launch any executable it instead launches Antivirus Vista 2010, Win 7 Antispyware 2010, or XP Internet Security 2010. If the original program that you wanted to launch is deemed safe by the rogue, it will then launch it as well. This allows the rogue to determine what executables it wants to allow you to run in order to protect itself. It will also modify certain keys so that when you launch Firefox or Internet Explorer it will launch the rogue instead and display a fake firewall warning. Last, but not least, when you try to browse to a web site, it will hijack your browser and state that the site is a security risk and not allow you to visit it.
« Last Edit: February 24, 2010, 08:45:02 PM by Pondus »
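
The two markers the description above and the first post call out, the Security Center AntiVirusOverride value and the redirection of every .exe launch to AV.exe, are both visible in a registry export. The following checker is an added example and is not code from the thread, from OTL or from the Bleeping Computer guide: it parses a Registry Editor (.reg) export and reports those markers. The thread does not name the key the rogue changes for executable redirection; checking HKEY_CLASSES_ROOT\.exe and HKEY_CLASSES_ROOT\exefile\shell\open\command is my assumption, based on the "Open with" symptom reported later in the thread. Both .reg samples are constructed for the example, and the av.exe path in the infected one is hypothetical. The browser redirection the description mentions is not checked.

```python
import re

# Constructed sample export in the state the thread describes (not taken from
# the thread): AV alerts overridden and every .exe launch handed to av.exe.
# The av.exe path is hypothetical.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"
'''

# The same keys as a clean XP install exports them (also constructed).
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000000

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"=value or @=value (@ is the key's default value)
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def _decode(raw):
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    return raw  # hex:, hex(2): and friends are kept verbatim; not needed here


def parse_reg(text):
    """Return {key_path: {value_name: value}}; the default value has name ''."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '' if m.group(1) is None else _unescape(m.group(1))
            keys[current][name] = _decode(m.group(2))
    return keys


SECURITY_CENTER = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
EXE_ASSOC = r'HKEY_CLASSES_ROOT\.exe'
EXE_COMMAND = r'HKEY_CLASSES_ROOT\exefile\shell\open\command'
DEFAULT_EXE_COMMAND = '"%1" %*'   # what a clean XP install has


def check_rogue_av(keys):
    """Return a list of findings; an empty list means none of the markers are present."""
    findings = []
    if keys.get(SECURITY_CENTER, {}).get('AntiVirusOverride') == 1:
        findings.append('AntiVirusOverride=1: Security Center antivirus alerts suppressed')
    assoc = keys.get(EXE_ASSOC, {}).get('')
    if assoc is not None and assoc.lower() != 'exefile':
        findings.append(f'.exe association points at {assoc!r} instead of exefile')
    cmd = keys.get(EXE_COMMAND, {}).get('')
    if cmd is not None and cmd.strip() != DEFAULT_EXE_COMMAND:
        findings.append(f'exefile open command is {cmd!r}; expected {DEFAULT_EXE_COMMAND!r}')
    return findings


if __name__ == '__main__':
    for label, text in (('clean', CLEAN_REG), ('infected', INFECTED_REG)):
        findings = check_rogue_av(parse_reg(text))
        print(f'{label}: {len(findings)} finding(s)')
        for item in findings:
            print('  -', item)
```

On a live infected box the hijack stops regedit itself from starting, which is why the thread works from the OTLPE boot disc; an export taken from that offline environment, or from the machine after the fix has run, is what this script is meant to read. Restoring exefile\shell\open\command to "%1" %* and AntiVirusOverride to 0 is the corresponding repair, and the second finding's text tells you which path the rogue was launching from.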

Offline tbint

  • Jr. Member
  • Posts: 50
Re: XP Guardian 2010
« Reply #2 on: February 24, 2010, 09:55:46 PM »
Thanks for the reply. I would love to try the Bleeping Computer removal, but...

I shut down my home network and gave that laptop connectivity to the Internet. Wrong move!! I thought I could get rid of it. But the little ba*terd shut down everything: Control Panel, browsers, msconfig, Task Manager, etc.

"It would not let me execute a program from a USB pen drive."

Now what? The little hostage taker killed the hostage. The XP Guardian 2010 stopped launching also. I guess it's time to delete the partition. Hope that will get rid of it.

Really don't want to delete, but I guess.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40627
Re: XP Guardian 2010
« Reply #3 on: February 24, 2010, 09:58:45 PM »
Deletion is not necessary - do you have a CD burner?

OK, this file is big, about 276.7 MB; print these instructions out so that you know what you are doing.

File details
Bytes - 290,236,416
MB - 276.7
MD5 - 910CBB8EA943B17ABCEDD09610664342

Two programmes to download

First

ISOBurner: this will allow you to burn OTLPE.iso to a CD and make it bootable. Just install the programme; from there on in it is fairly automatic. Instructions

Second

  • Download OTLPE.iso and burn it to a CD using ISOBurner. NOTE: This file is 276.7 MB in size, so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads  :) 
  • Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
  • Double-click on the OTLPE icon.
  • Select the Windows folder of the infected drive if it asks for a location
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system.
  • Right click the file and select send to : select the USB drive. 
  • Confirm that it has copied to the USB drive by selecting it
  • You can backup any files that you wish from this OS
  • Please post the contents of the C:\OTL.txt file in your reply.

Offline tbint

  • Jr. Member
  • Posts: 50
Re: XP Guardian 2010
« Reply #4 on: February 24, 2010, 10:34:23 PM »
This is a way to remove XP Guardian? I mean the OTLPE scan is removal also?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40627
Re: XP Guardian 2010
« Reply #5 on: February 24, 2010, 10:36:55 PM »
No, it is manual removal, but from outside of Windows - the log shows the start files and their location. Once found, OTLPE will, when given the fix instructions, remove them from the hard drive and registry. The system should then boot normally and allow the use of other malware removal tools.

Offline tbint

  • Jr. Member
  • Posts: 50
Re: XP Guardian 2010
« Reply #6 on: February 25, 2010, 07:40:17 PM »
Oh, very cool desktop. I will use this ISO for the rest of my life.

I want to click on Run Fix so bad! But here's the log.
Could someone please let me know what to do next before I get excited and click that Run Fix button.

Well, the content was too big. I attached it.

Offline Pondus

  • Probably Bot
  • Posts: 36993
Re: XP Guardian 2010
« Reply #7 on: February 25, 2010, 07:51:24 PM »
essexboy will be here soon; be patient, he works in several forums.

Offline tbint

  • Jr. Member
  • Posts: 50
Re: XP Guardian 2010
« Reply #8 on: February 25, 2010, 08:17:34 PM »
OK, not meaning to rush, just hanging. This Reatogo desktop is so cool. I feel I should help support with the help everyone is giving. I know that file is large. I could come up with 10 bucks USD if essexboy is into that for his time going through that file. I wish I knew what I was looking for. I wouldn't mind learning, but man, there has to be a lot of different virus defs. I don't see how he does it.

Offline Pondus

  • Probably Bot
  • Posts: 36993
Re: XP Guardian 2010
« Reply #9 on: February 25, 2010, 08:21:58 PM »
Quote: "I don't see how he does it."
Most of us don't, but it is very interesting to look at him work...... ;)

Offline tbint

  • Jr. Member
  • Posts: 50
Re: XP Guardian 2010
« Reply #10 on: February 25, 2010, 08:53:10 PM »
Just reading through, I found the AV file. I know that's the evil one. I think I'm going to get to kill it. I gave up hope yesterday, but I did not delete. I have Hughesnet ISP with a 200 MB download threshold; had to download OTLPE in the middle of the night, but it was worth it.

\av.exe
[2010/02/19 02:25:11 | 000,001,547 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\MSKeyViewer Plus.lnk
[2010/02/19 02:25:11 | 000,001,535 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\RegistryEditorPE.lnk
[2010/02/19 02:25:11 | 000,001,479 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\Undelete Plus.lnk
[2010/02/19 02:25:11 | 000,001,475 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\Magical Jelly Bean Keyfinder.lnk
[2010/02/19 02:25:11 | 000,001,437 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\notepad++.lnk
[2010/02/19 02:25:11 | 000,001,343 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\Windows Registry Recovery.lnk
[2010/02/19 02:25:10 | 000,001,483 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\HandyRecovery 1.lnk
[2010/02/19 02:25:10 | 000,001,469 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\DiskPartitioner.lnk
[2010/02/19 02:25:10 | 000,001,465 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\Agent Ransack.lnk
[2010/02/19 02:25:10 | 000,001,427 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\2xExplorer.lnk
[2010/02/19 02:25:10 | 000,001,371 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\ImgBurn.lnk
[2010/02/19 02:25:10 | 000,001,353 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\DriveImage XML.lnk
[2010/02/19 02:25:10 | 000,001,347 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\A43 File Management Utility.lnk
[2010/02/19 02:25:10 | 000,001,347 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\7-Zip File Manager.lnk
[2010/02/19 02:25:10 | 000,001,313 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\Disk Investigator.lnk
[2010/02/19 02:25:10 | 000,001,261 | ---- | M] () -- B:\Documents and Settings\Default User\Desktop\Internet Explorer.lnk
[2010/02/18 08:14:33 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\fogled\Desktop\Facilitator 2010 (a).doc
[2010/02/15 11:00:48 | 000,002,497 | ---- | M] () -- C:\Documents and Settings\fogled\Desktop\Microsoft Office Word 2003.lnk
[2010/02/14 06:44:30 | 000,027,648 | ---- | M] () -- C:\Documents and Settings\fogled\Desktop\Facilitator 2010.doc
[2010/02/08 09:32:20 | 000,001,620 | ---- | M] () -- C:\Documents and Settings\fogled\Desktop\PaltalkScene.lnk
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\Documents and Settings\fogled\*.tmp files -> C:\Documents and Settings\fogled\*.tmp -> ]

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40627
Re: XP Guardian 2010
« Reply #11 on: February 25, 2010, 09:07:19 PM »
There are also a few friends there

Start OTLPE as you did previously from CD
Copy the attached Fix.txt to a USB

  • Insert your USB drive with fix.txt on it
  • Start OTLPE
  • Drag and drop fix.txt into the Custom scans and fixes box
  • If you cannot drag and drop for some reason, then press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done to normal mode if possible
  • Then post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Offline tbint

  • Jr. Member
  • Posts: 50
Re: XP Guardian 2010
« Reply #12 on: February 25, 2010, 10:11:30 PM »
Now, after I ran Fix, booted to Windows, then booted the ISO again and ran a scan with no LOP and Purity. Could not run the scan while booted into Windows. Not to be dumb, just checking.

Are these infected files in your head, or is there a place to check, besides googling each one by one? If you don't mind me asking.


Here's the new log.
« Last Edit: February 25, 2010, 10:40:58 PM by tbint »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40627
Re: XP Guardian 2010
« Reply #13 on: February 25, 2010, 11:14:42 PM »
My knowledge is the result of a year's training and about three years' hands-on experience, using tools - Google - memory and knowledge of known bad boys, plus access to several closed forums  ;D

Could you now boot to normal Windows and run MBAM please

Please download Malwarebytes' Anti-Malware from Here.

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Offline tbint

  • Jr. Member
  • Posts: 50
Re: XP Guardian 2010
« Reply #14 on: February 25, 2010, 11:47:27 PM »
It will not let me execute the setup; it prompts me with an "Open with" window.

Tried Control Panel; it opens, but if I try Add/Remove I get "c:/windows/system32/rundll32.exe application not found".

I can open Explorer with My Computer, nav to win sys 32 and see the file.
« Last Edit: February 25, 2010, 11:56:54 PM by tbint »