  1. #1
    Join Date
    Aug 2005
    Location
    Cranbourne West
    Age
    72
    Posts
    3,612

    Security warning

    Need help deciphering this message.
    Windows XP SP3
    IE7

    Just recently when I open a new tab in IE7 this warning comes up (see attachment). It looks dodgy to me so I just click cancel and go to the site I want.
    I've scanned the machine with AVG, Adaware and Spybot and they found nothing.
    What action do I need to take here, as this message has never come up until yesterday?
    To grow old is inevitable.... To grow up is optional

    Confidence, the feeling you have before you fully understand the situation.

    What could possibly go wrong.

  3. #2
    Join Date
    Jan 2005
    Location
    Stratford, New Zealand
    Age
    61
    Posts
    734


    Anything related to that Antivirus 2008 is NASTY.

    It gets downloaded onto your machine from various hijacked websites and is a REAL PAIN to get rid of.

    It's a bogus antivirus program that installs, then wants you to pay money to get rid of its bogus messages. I've had it totally trash a couple of customers' machines (format and reload Windows).

    Hopefully you dodged the bullet,

    If anyone else sees it come up - CLOSE IT.

    Ian

  4. #3
    Join Date
    Jul 2005
    Location
    Oberon, NSW
    Age
    63
    Posts
    13,360


    As Ian said, WAV 2K8 is a nasty, nasty trojan.

    I've also had the misfortune of having to remove it from others' systems and I'm really not looking forward to doing it again... but I probably will.
    I may be weird, but I'm saving up to become eccentric.

    - Andy Mc

  5. #4
    Join Date
    Aug 2005
    Location
    Cranbourne West
    Age
    72
    Posts
    3,612


    Quote Originally Posted by Skew ChiDAMN!! View Post
    As Ian said, WAV 2K8 is a nasty, nasty trojan.

    I've also had the misfortune of having to remove it from others' systems and I'm really not looking forward to doing it again... but I probably will.
    Are you offering? I ran HijackThis but can't make head nor tail of the results.
    Last edited by Grumpy John; 20th November 2008 at 08:17 PM. Reason: Typo
    To grow old is inevitable.... To grow up is optional

    Confidence, the feeling you have before you fully understand the situation.

    What could possibly go wrong.

  6. #5
    Join Date
    Aug 2005
    Location
    Cranbourne West
    Age
    72
    Posts
    3,612


    Andy, does this look genuine to you, I'm paranoid about doing more damage?

    http://www.technibble.com/how-to-rem...om-w32myzorfk/
    To grow old is inevitable.... To grow up is optional

    Confidence, the feeling you have before you fully understand the situation.

    What could possibly go wrong.

  7. #6
    Join Date
    Jul 2005
    Location
    Oberon, NSW
    Age
    63
    Posts
    13,360


    I dunno 'bout that one, but this is the process I've followed (I do it manually):

    http://www.removal-instructions.com/...virus2008.html
    I may be weird, but I'm saving up to become eccentric.

    - Andy Mc

  8. #7
    Join Date
    Aug 2005
    Location
    Cranbourne West
    Age
    72
    Posts
    3,612


    Quote Originally Posted by Skew ChiDAMN!! View Post
    Been there, done that. Searched for programs/other files, nothing. Checked processes, nothing. Searched registry, nothing. This thing's buried deeeeeeep.
    To grow old is inevitable.... To grow up is optional

    Confidence, the feeling you have before you fully understand the situation.

    What could possibly go wrong.

  9. #8
    Join Date
    Dec 2005
    Location
    Canberra
    Posts
    3,260


    Honestly - with some of those deeply embedded viruses - it's less hassle just to save your important stuff and do a nuke from orbit re-install. Means you are not plagued by 'did I get rid of all of it' thoughts!

  10. #9
    Join Date
    Jul 2005
    Location
    Oberon, NSW
    Age
    63
    Posts
    13,360


    Quote Originally Posted by Grumpy John View Post
    Been there, done that. Searched for programs/other files, nothing. Checked processes, nothing. Searched registry, nothing. This thing's buried deeeeeeep.
    All I can offer is this list of files, etc. that I've compiled to help me crack this mongrel.

    First thing, I use the Task manager to disable any and all of these processes:

    • %program_files%/xpantivirus/xpantivirusupdate.exe
    • xpantivirus.exe
    • download.exe
    • %program_files%/xpantivirus/sysbackup/ntoskrnl.exe
    • install_xp.exe
    • %program_files%/xpantivirus/sysbackup/ntoskrnl.exe.md5
    • %program_files%/xpantivirus/sysbackup/explorer.exe.md5
    • %program_files%/xpantivirus/unins000.exe
    • xpantivirusupdate.exe
    • %program_files%/xpantivirus/sysbackup/explorer.exe
    • %program_files%/xpantivirus/unins000.exe
    • install_xp.exe
    • %program_files%/xpantivirus/xpantivirusupdate.exe
    • %program_files%/xpantivirus/sysbackup/ntoskrnl.exe
    • %program_files%/xpantivirus/sysbackup/explorer.exe
    • %program_files%/xpantivirus/xpantivirus.exe
    • %program_files%/xpantivirus/xpantivirus.exe.MD5


    ...and then delete these DLLs:

    • %program_files%/xpantivirus/sysbackup/wininet.dll
    • %program_files%/xpantivirus/sysbackup/shlwapi.dll.md5
    • %program_files%/xpantivirus/sysbackup/shlwapi.dll
    • %program_files%/xpantivirus/sysbackup/wininet.dll.md5
    • %program_files%/xpantivirus/sysbackup/wininet.dll
    • %program_files%/xpantivirus/sysbackup/shlwapi.dll


    ...and these program files:

    • %program_files%/xpantivirus/xpantivirus.url
    • %program_files%/xpantivirus/xpantivirus_log.txt
    • %program_files%/xpantivirus/unins000.dat
    • xpantivirus.lnk
    • xpantivirus.url
    • %program_files%/xpantivirus/backup.lst
    • %program_files%/xpantivirus/helper.sys
    • %program_files%/xpantivirus/pn.cfg
    • %program_files%/xpantivirus/ver.dat
    • %program_files%/xpantivirus/whitelist.cfg
    • %program_files%/xpantivirus/spyware.dat
    • %common_programs%/xp antivirus/uninstall xpantivirus.lnk
    • %common_programs%/xp antivirus/xpantivirus on the web.lnk
    • %common_programs%/xp antivirus/xpantivirus.lnk
    • %desktopdirectory%/xpantivirus.lnk
    • %profile%/application data/microsoft/internet explorer/quick launch/xpantivirus.lnk


    ...and these folders:
    • %program_files%/xpantivirus
    • %program_files%/xpantivirus/sysbackup
    • %common_programs%/xp antivirus
    • %program_files%/xpantivirus/quarantine


    ...and then edit the Registry to remove these Keys:

    ...and if it's still there after all that work, spit the dummy!

    I gather you're up to the dummy stage?
    I may be weird, but I'm saving up to become eccentric.

    - Andy Mc

  11. #10
    Join Date
    Jul 2005
    Location
    Oberon, NSW
    Age
    63
    Posts
    13,360


    Ohh... %^@&#!! The formatting of that list is all up the crapper.

    I've re-edited most of it, and what I haven't I'm sure you can work out.
    I may be weird, but I'm saving up to become eccentric.

    - Andy Mc

  12. #11
    Join Date
    Dec 2005
    Location
    Canberra
    Posts
    3,260


    mmmmm - a full reinstall sounds quicker....

  13. #12
    Join Date
    Jul 2005
    Location
    Oberon, NSW
    Age
    63
    Posts
    13,360


    Yup. That's the dummy spit stage.

    Sadly, for some things it doesn't work without a full reformat as well.
    I may be weird, but I'm saving up to become eccentric.

    - Andy Mc

  14. #13
    Join Date
    Jan 2005
    Location
    Stratford, New Zealand
    Age
    61
    Posts
    734


    Main problem is that the thing seems to be re-written every few weeks

    So any removal instructions or AV program is usually out of date. It also downloads other trojans, or is downloaded by other malware, so it's often not just a single infection. You remove one component, reboot and some other hidden trojan re-installs everything.

    Lots of messing about in safe mode, or even with the hard disk out and slaved to a test machine.

    Just bad news.

    The ones I have cleaned I could probably have backed up the data and reloaded windows quicker.

    Ian
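
Added example, not part of the thread and not code from any poster: a read-only Python check for the files and folders named in the removal list above, meant to be run once right after cleaning and again after a reboot, since the posts describe components being re-installed. The `%token%` to folder mapping in `default_roots` is an assumption for Windows XP, and only a few entries from the list are included.

```python
import os

# A few entries copied from the list in the post (lower case, '/' separators, %tokens%).
INDICATORS = [
    "%program_files%/xpantivirus",
    "%program_files%/xpantivirus/xpantivirus.exe",
    "%program_files%/xpantivirus/sysbackup/wininet.dll",
    "%common_programs%/xp antivirus",
    "install_xp.exe",  # listed without a folder, so it cannot be checked by path
]

def default_roots():
    """Assumed meaning of the list's %tokens% on Windows XP; adjust per machine."""
    return {
        "%program_files%": os.environ.get("ProgramFiles", ""),
        "%common_programs%": os.path.join(os.environ.get("ALLUSERSPROFILE", ""), "Start Menu", "Programs"),
    }

def find_ci(root, parts):
    """Follow parts below root, matching names case-insensitively; None if absent."""
    current = root
    for part in parts:
        try:
            names = os.listdir(current)
        except OSError:
            return None
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current

def sweep(indicators, roots):
    """Read-only check: return (paths found on disk, entries with no known folder)."""
    found, unresolved = set(), []
    for entry in dict.fromkeys(indicators):  # the list repeats entries; check each once
        token, _, rest = entry.partition("/")
        root = roots.get(token)
        if not root or not rest:
            unresolved.append(entry)
            continue
        hit = find_ci(root, rest.split("/"))
        if hit:
            found.add(hit)
    return found, unresolved

def reappeared(after_cleanup, after_reboot):
    """Paths absent right after cleaning but present after the reboot were put back."""
    return sorted(after_reboot - after_cleanup)
```

Call `sweep(INDICATORS, default_roots())` after cleaning and again after the reboot, then pass the two `found` sets to `reappeared`; anything it returns points to another component still active on the machine.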

  15. #14
    Join Date
    Aug 2005
    Location
    Cranbourne West
    Age
    72
    Posts
    3,612


    Quote Originally Posted by Ianab View Post
    ..........
    The ones I have cleaned I could probably have backed up the data and reloaded windows quicker.

    Ian
    I have Acronis True Image and it is set to do full incremental backup to my USB external HD. Trouble is if I reformat my HD and restore from the external HD won't I just be reinfesting my HD again?
    Last edited by Grumpy John; 21st November 2008 at 09:37 AM. Reason: Typo
    To grow old is inevitable.... To grow up is optional

    Confidence, the feeling you have before you fully understand the situation.

    What could possibly go wrong.

  16. #15
    Join Date
    Sep 2008
    Location
    Melbourne
    Posts
    193


    www.ubuntu.com

    Install and never worry about a virus again
