Help!

Remove Antivirus XP 2008


drwho07



Joined: Nov 29, 2007
Posts: 1134

Location: Central FL, USA

Posted: Mon Sep 29, 2008 1:16 pm    Post subject: Remove Antivirus XP 2008

This is copied from a recent Newsletter:

Quote:
There is a nasty virus out there that seems to be making the rounds called “Antivirus XP 2008”. It may also be called XP 2008 Antivirus, 2008 Antivirus XP or some other variant. This virus seems to be a particularly tricky one to remove and masks itself as what appears to be a legitimate windows application. You will be prompted to buy a piece of software with the same name as one of the variants listed above. It is being sold as a way to remove a virus on your system. Doesn’t it seem ironic that a virus is telling you that you have a virus and that it needs to be removed? They claim that the only way the virus can be removed is to buy their software. This is not true. Follow the instructions below to remove this virus from your system:


Unregister the following DLLs: shlwapi.dll and wininet.dll (This can be done from a command prompt by typing in regsvr32 /u and then the filename.dll).
Kill the following processes if running in Task Manager: XPAntivirus.exe, XPAntivirusUpdate.exe, xpa.exe, xpa2008.exe.
Search for and delete the following files: xpa.exe, xpa2008.exe, XPAntivirus.exe, XPAntivirusUpdate.exe, shlwapi.dll, wininet.dll, XPAntivirus.lnk, Uninstall XPAntivirus.lnk, XPAntivirus on the Web.lnk, XPAntivirus.url, XP Antivirus 2008.lnk, Un-install XP Antivirus 2008.lnk.
Remove the Following key in your registry: HKEY_USERS\Software\XP antivirus


People complaining about this virus have shown up on just about EVERY internet forum. This removal procedure seems pretty simple and easy to do.

Cheers mates!
The Doctor Cool
BudDurland



Joined: Dec 05, 2002
Posts: 426



Posted: Mon Sep 29, 2008 6:51 pm    Post subject:

The last couple of computers I worked on that were infected with this malware, AVG 8 free edition took care of it. I downloaded the updates on a different computer & copied them to a flash drive for installation on the victim. One variant was a bit stubborn -- I had to boot the machine in safe mode & run the AVG scan.
drwho07



Joined: Nov 29, 2007
Posts: 1134

Location: Central FL, USA

Posted: Mon Sep 29, 2008 7:49 pm    Post subject:

It seems like maybe I've had a similar experience, but I'm not sure.

However, there are folks out there that wouldn't use AVG FREE if you went to their house, installed it for them, cleaned up their computer, washed their car and mowed their lawn. Wink Laughing Laughing Laughing Laughing

In the four years, or more, since I started using AVG, I've not had one virus get a foothold on my PC. Now it's even more powerful with improved Spyware and Trojan detection and removal. God, I love FREE!

Cool
zlim



Joined: Mar 11, 2005
Posts: 2422



Posted: Tue Sep 30, 2008 2:11 pm    Post subject:

I'm told that MalwareBytes will also remove it.

I waited until AVG got their act a bit more together with v8 before I attempted an install. I'm glad I waited because I did a custom install and did not allow the slowdown causing parts to install. Previously, if you didn't want the safe site search and the toolbar, you had to pick through the registry. I would do that but I'd prefer a decent installer that gives me the proper choices.
I'm running it on a 7 year old computer (laptop @1GHz) which isn't fast by today's standards and I haven't noticed any drag on the computer.
drwho07



Joined: Nov 29, 2007
Posts: 1134

Location: Central FL, USA

Posted: Tue Sep 30, 2008 7:10 pm    Post subject:

I'm running AVG 8.0 FREE on two computers that I've resurrected from the Bone Yard..................neither are anywhere near "Super Computers" and I see no slowdown due to AVG.
They just chug along as happy as their clock speed will allow. Rolling Eyes

I really hate it when I pull a PC out from under one of my workbenches and I can't remember where it came from.
I did that last night with a little eMachine. I can see where I installed XP on it and all my other standard programs and a 200 gig hard drive. But for the life of me, I can't remember where it came from. ????

That's a rhetorical question and does not require an answer. Rolling Eyes Laughing Laughing Laughing

But, if you're in my neighborhood, and you need a nice little computer, real cheap, stop in. Wink

The Doctor Cool
goretsky



Joined: Dec 07, 2002
Posts: 8733

Location: Southern California

Posted: Wed Oct 01, 2008 1:13 am    Post subject:

Hello,

The WININET.DLL and SHLWAPI.DLL library files are legitimate components of Microsoft Windows. Removing them from a system could cause problems with network access and program execution.

Perhaps the newsletter meant files that have these names but are stored in different locations than the actual components Microsoft ships with Windows?

Regards,

Aryeh Goretsky
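
The distinction raised in the post above, between the genuine WININET.DLL and SHLWAPI.DLL and same-named files stored elsewhere, can be checked before anything is deleted. The sketch below is an added example, not part of the original thread: the list of trusted Windows subfolders is an assumption, and the directory tree it scans is a constructed stand-in for a C: drive, not real Windows files.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Names from the newsletter that are also genuine Windows components.
WATCHED_NAMES = {"wininet.dll", "shlwapi.dll"}
# Assumption: subfolders of the Windows directory where genuine copies normally live.
TRUSTED_SUBDIRS = ("system32", "syswow64", "winsxs", "servicepackfiles")


def is_trusted_location(path: Path, windows_dir: Path) -> bool:
    """True if path sits inside one of the trusted subfolders of windows_dir."""
    try:
        rel = path.resolve().relative_to(windows_dir.resolve())
    except ValueError:
        return False  # not under the Windows directory at all
    return len(rel.parts) > 1 and rel.parts[0].lower() in TRUSTED_SUBDIRS


def find_misplaced_copies(scan_root: Path, windows_dir: Path):
    """Return sorted (path, sha256) pairs for watched names found outside trusted folders."""
    findings = []
    for dirpath, _dirs, files in os.walk(scan_root, onerror=lambda err: None):
        for name in files:
            if name.lower() not in WATCHED_NAMES:
                continue
            candidate = Path(dirpath) / name
            if not is_trusted_location(candidate, windows_dir):
                # The hash lets the file be compared or submitted for analysis
                # without touching the genuine system copy.
                digest = hashlib.sha256(candidate.read_bytes()).hexdigest()
                findings.append((candidate, digest))
    return sorted(findings)


def build_constructed_tree(base: Path) -> Path:
    """Constructed sample layout; folder names and file contents are placeholders."""
    layout = {
        "WINDOWS/system32/wininet.dll": b"genuine-placeholder",
        "WINDOWS/system32/shlwapi.dll": b"genuine-placeholder",
        "Program Files/XPAntivirus/shlwapi.dll": b"look-alike-placeholder",
        "Documents and Settings/user/Local Settings/Temp/WININET.DLL": b"look-alike-placeholder",
    }
    for rel, data in layout.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_constructed_tree(Path(tmp))
        for path, digest in find_misplaced_copies(root, root / "WINDOWS"):
            print(f"REVIEW  {path.relative_to(root)}  sha256={digest}")
```

Location only narrows the search: a file in a trusted folder can still have been replaced, so checking the digital signature of each copy remains the stronger test.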
Lacmagick



Joined: Jul 12, 2007
Posts: 5



Posted: Wed Oct 01, 2008 10:06 am    Post subject:

This virus is capable of changing: your desktop, your access to regedit, removing the System Restore tab from your system's properties, getting itself into your pagefile.sys, and so on and so on. Not just one method of removing or 'disinfecting' is helpful. It is a tough one to crack. Every time I have had to deal with it on a client's computer, it acts and reacts differently than any infection prior.
drwho07



Joined: Nov 29, 2007
Posts: 1134

Location: Central FL, USA

Posted: Wed Oct 01, 2008 9:07 pm    Post subject:

At times like that, it's a good time to break out your Backup Boot Disk and restore the last backup you made of that HD. Confused Rolling Eyes Wink

Cool
donrc



Joined: Feb 16, 2003
Posts: 762



Posted: Sun Oct 05, 2008 10:10 am    Post subject:

This virus is vicious. I'm trying to remove it from a friend's computer. From the start menu it removes all access to such things as control panel, the programs list and accessories.
When it presents (bogus) warnings about viruses and you close the warnings they reappear in about ten seconds. It does not appear in add/remove programs. This thing makes a computer completely unusable.
I have searched the web and haven't found a way that works to remove it. If I find one I'll post it.

drc
drwho07



Joined: Nov 29, 2007
Posts: 1134

Location: Central FL, USA

Posted: Sun Oct 05, 2008 10:29 am    Post subject:

Knowing what files drive that bxxxh, I can boot up the PC with my DOS boot CD, run NTFS4DOS to open up the C: drive to access from a DOS prompt, then navigate to the location of the bad files and delete them.

You may even be able to do some of that running the PC in SAFE mode.

Another possibility is to remove the hard drive and make it a slave on a system that's virus free and running AVG 8.0. Then use AVG to scan and clean the infected drive.

I can go beyond that with a whole battery of Anti-Trojan and anti-spyware programs.
SpyHunter trial, for instance, won't take out anything, but will show you exactly what needs to be removed to clean up the infected HD, including registry entries to delete.
Before I bought the program, I used the free trial version to clean up some pretty badly infected PC's.

Keep at it.....it's 100% do'able.

Cheers mate!
The Doctor Cool
louis-the-cat



Joined: May 13, 2006
Posts: 264



Posted: Tue Oct 07, 2008 9:38 am    Post subject:

just for info:

i stumbled upon this piece of nastiware myself today.
and yes, it does try to imitate legitimate windows processes/applications.
( and in places quite convincingly)

I very nearly fell for it because i was actually running a scheduled AVG scan at the time......and very nearly hit the download and fix button thinking I'd been prompted to do so by AVG and/or Windows/Microsoft.

Incidentally the version I got called itself XP/Vista Antispyware 2009. It was the 2009 bit that made me stop and just do a double take.


Needless to say I'm doing a spring clean to check for any "little presents" it might have left behind.
drwho07



Joined: Nov 29, 2007
Posts: 1134

Location: Central FL, USA

Posted: Tue Oct 07, 2008 10:21 am    Post subject:

Old saying:
"An ounce of protection is worth a pound of cure".

Explanation:
A clean and well protected PC will never get infected with CrapWare like those programs mentioned here.

So, what does well protected mean?
Well, it means NOT letting your browser go to WELL Known BAD web sites, or open Adware boxes and banners on your screen.

I use a whole battery of protection programs to keep me and my computer 100% safe from malware.
First and foremost, of course, is my Anti-Virus program (AVG 8.0) that updates and scans automatically every day. Did I mention......It's FREE!!!

Then there's Spybot Search & Destroy, (also FREE) that gets updated by me every Wednesday when they post their new updates, then I run a full scan.

ALWAYS use the Immunize function after getting updates, to protect your browser from ever going to bad sites, or opening ad boxes from bad sites.

Then there's "Spyware Blaster" which is another great Immunizer program.
It too, is FREE. Are you getting the pattern here?

Then there's Trojan Hunter, SpyHunter, Hazard Shield and finally Hosts Manager that keeps my hosts file up to date. All are FREE except "Trojan Hunter".
It's RETAIL Software, but so good that I bought a two-year subscription. Laughing

Hazard Shield is the only Anti-Spyware program, that I use, that runs a live-scanner. The program is FREE.

At least once a week, I manually go thru all my programs and check for updates and run scans where applicable.
Then I do a full backup of C: to a second HD, using Ghost 2003.

I go to some pretty questionable web sites in some pretty disreputable countries and I NEVER get any malware on my PC.
If I try to go to a known bad site, it gets blocked. And if I try to download a file that's infected, it's quarantined or just deleted before it can get a foothold in my PC. (the ounce of protection)

Staying safe is relatively simple.......removing some malware after it's got a foothold on your PC, can be a real nightmare.

Stay Safe!

The Doctor Cool


Last edited by drwho07 on Tue Oct 07, 2008 8:40 pm; edited 1 time in total
louis-the-cat



Joined: May 13, 2006
Posts: 264



Posted: Tue Oct 07, 2008 4:45 pm    Post subject:

Doc, I really must thank you for bringing this threat to my attention...I have no doubt that the recollection of your post contributed to saving my bacon.

However while I agree .....an ounce of prevention etc, I do have AVG, Spybot and Spyware Blaster and my host files are updated ( at least weekly) ..... i'm running behind a router and i've got a( software) firewall too. I'm using Firefox and i've got McAfee Site Advisor plugged in for good measure.

I'm sure i don't surf in the dangerous and exotic nether regions of the internet that you do Shocked , but seriously, I was actually browsing about in some dry and dusty academic/scientific stuff......and it looks to me as though one of these sites is either a fake or has been hi-jacked.

All the software in the world won't help.......unless you add a pinch of common sense to that ounce of prevention.

As i said, what threw me this time was the fact that the rogue warning about system infection appeared when I was expecting a (legitimate/scheduled) AVG scan report.

Anyway....all's well that ends well....so far my system appears to be running ok and all my checks and scans are coming up clean.
drwho07



Joined: Nov 29, 2007
Posts: 1134

Location: Central FL, USA

Posted: Tue Oct 07, 2008 8:46 pm    Post subject:

Meaning NO disrespect at all, but anyone with an ounce of sense would not have McAfee on their PC. Rolling Eyes

That program is as big a loser as Norton. Bloatware to say the least.
Get it off of your PC asap.

It will inhibit the effectiveness of legitimate Anti Malware programs like AVG.

OK?

I offer this advice in deepest respect!

The Doctor Cool
Baby_Tux



Joined: Mar 06, 2007
Posts: 808



Posted: Tue Oct 07, 2008 9:56 pm    Post subject:

drwho07 wrote:
Meaning NO disrespect at all, but anyone with an ounce of sense would not have McAfee on their PC. Rolling Eyes

That program is as big a loser as Norton. Bloatware to say the least.
Get it off of your PC asap.

It will inhibit the effectiveness of legitimate Anti Malware programs like AVG.

OK?

I offer this advice in deepest respect!

The Doctor Cool


I know that McAfee's A/V can be bad, is the site adviser bad too? What else do they have that is junk, everything? Shocked

Just would like to know. Question Idea Thanks
drwho07



Joined: Nov 29, 2007
Posts: 1134

Location: Central FL, USA

Posted: Tue Oct 07, 2008 10:10 pm    Post subject:

Out of a litter of six pups, which FOX will eat your chickens?

Keep all the little foxes away from your chickens and you'll not have to worry about which one is the worse of the litter.

I install new PC's for people every week. About half the PC's that I install have Norton (something or another) on them. The other half have McAfee (something or another) on them.

Just as a matter of giving my customers the best service I can, I remove both Norton and McAfee from those new computers.

Those two programs are the only ones I know of that were forced to provide their customers with an "Uninstall and cleanout" program.

I can't prove it, sitting here today, but it's always been my suspicion that those removal programs are the result of Law Suits that resulted in a Federal Court ordering those companies to provide a Removal Tool, to totally remove their programs from users' PCs.

However it happened, I'm just thankful that we DO have those removal tools to clean out those programs when their own Un-Install programs or Windows can't get the job done.

Neither program is FREE. They charge people for their programs that just don't get the job done. I find it ironic, that a FREE program does what those PAID programs can't seem to do......and that is to keep a PC malware free.

Forgive the rant, but this is a battle I fight every week in my own business and a battle I've been fighting for way too many years now. I'm getting tired of it!!!

G'nite all!

The Doctor Cool
goretsky



Joined: Dec 07, 2002
Posts: 8733

Location: Southern California

Posted: Tue Oct 07, 2008 11:28 pm    Post subject:

Hello,

Actually, quite a few anti-virus software companies provide such utilities, however, not all of them are readily available. Sometimes, you have to contact their technical support department in order to receive a copy.

The reason for providing them has more to do with support costs than lawsuits. The most common usage for such tools is not to remove the existing security software so it can be replaced with a different vendor's, but to remove it so that the same (or a newer) version of the software can be reinstalled. Telling a user to run a utility and then reinstall the software is much less expensive than paying a technician to help them unregister .DLLs, delete services, edit the registry and so forth.

One thing to keep in mind is that programs such as Avast, AVG and Avira are free only for home (that is, personal non-commercial) use. If you are running a business, you need to obtain a license, and if you have received some value from the program, then you could always purchase a license to support their efforts.

Regards,

Aryeh Goretsky
louis-the-cat



Joined: May 13, 2006
Posts: 264



Posted: Wed Oct 08, 2008 6:37 am    Post subject:

I've never found a problem with McAfee site advisor.....all it does is rate sites that you might visit , say when you Google something and google comes back at you with a list........all site advisor does is rate the sites.......if it's a known baddy it lets you know with a traffic light system of icons which appear next to the site name( whether you visit or not is up to you).

I'm sure their database has lots of known knowns, unknown unknowns etc etc..but hey it doesn't appear to slow down or restrict functionality in any way, unlike say AVG Link Scanner....which brings my system to a virtual standstill, so I've switched it off, ( as advised in forums, including lockergnome).

As always, I really appreciate the comments and advice......and I am re-evaluating my protection and risk ( software and behaviour).

At the moment I'm focusing on privacy and considering things like
TOR
IRON
IXQUICK

we'll see, time allowing...time will tell.
drwho07



Joined: Nov 29, 2007
Posts: 1134

Location: Central FL, USA

Posted: Wed Oct 08, 2008 8:58 am    Post subject:

In my own defense, I may miss a detail here or there, but I get the big picture.
I hope that people reading these forums will get the "Big Picture" too. Wink

Quote:
and if you have received some value from the program, then you could always purchase a license to support their efforts.


I did, several times in fact. I've had a Retail version of AVG for quite a few years now.
Not because I had to, but because of the reason given by Mr. G. in the above quote.

I just checked and I do have the "Link Scanner" running. It doesn't slow me down a bit. There was some option that I said NO to during the install. I think it was some kind of tool bar or something like that. I hate toolbars!

When anyone complains about a program, that runs just fine for me, I can only conclude that it's really not the program in question, but something else running on their PC that's causing some conflict.
Like some folks insist on running two AV programs at the same time, even though we've warned against doing that, more times than I can count.

Along that line of thought, the next time someone posts a HJT log, read it.
Scroll down the log to the section that starts with "O4 - HKLM\..\Run:" at the beginning of each line. It's not unusual for that run list to scroll off the bottom of my 19" screen.
Every one of the programs in that list is being loaded and run when the PC is booted up. Not all of those things are well written, or will play nice with other programs, like AVG. That's one area I attack with VIGOR, when tuning up a customer's PC.
My own RUN list is only three items long.

I just ran HJT and made a log, and here's my run list:
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Hazard Shield] C:\WINDOWS\system32\hzrTray.exe
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"


It's AVG, Hazard Shield and my UPS's power monitor.
Way too many programs want to stick something in that list when they install.
It's something you really need to stay on top of, if you install new programs, or get updates of existing programs, like Adobe Reader, Real Player, Java, etc.

Again referring to Mr. G's quote....I try to make donations to any site where I have a membership and receive something of value.
Spybot Search & Destroy is a good example.
I've used the free trial of Trojan Hunter and SpyHunter both to clean up some really "Dirty" PC's, then realizing the "Value" of those two programs, I bought them both.

Moving along............

Y'all have a great day now, Y'hear?

The Doctor Cool
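
The run-list review described in the post above can be automated by comparing a machine's current O4 entries against a saved known-good list. The parser below is an added example, not part of the original thread or of HijackThis itself: it handles only the registry-style O4 lines shown in the post, the baseline is the three-entry list quoted there, and the two extra entries in the "current" log are constructed for illustration.

```python
import re

# Registry autostart line as shown in the post:
#   O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.+)$"
)

# Baseline: the run list quoted in the post.
BASELINE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Hazard Shield] C:\WINDOWS\system32\hzrTray.exe
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"
"""

# Constructed sample: the baseline plus two made-up entries (value names and
# folders are placeholders, not observed indicators).
CURRENT_LOG = BASELINE_LOG + r"""
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe /background
O4 - HKCU\..\Run: [XP Antivirus] "C:\Program Files\XPAntivirus\XPAntivirus.exe"
"""


def executable_of(command):
    """Pull the program path out of a command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces, so cut at the first executable extension.
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def parse_o4(log_text):
    """Return one dict per registry autostart (O4) line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["exe"] = executable_of(entry["command"])
            entries.append(entry)
    return entries


def new_since_baseline(baseline_log, current_log):
    """Entries present now that the baseline lacks, keyed on hive, key, name and exe."""
    def ident(e):
        return (e["hive"], e["key"], e["name"].lower(), e["exe"].lower())
    known = {ident(e) for e in parse_o4(baseline_log)}
    return [e for e in parse_o4(current_log) if ident(e) not in known]


if __name__ == "__main__":
    for e in new_since_baseline(BASELINE_LOG, CURRENT_LOG):
        print(f"NEW autostart: {e['hive']}\\..\\{e['key']} [{e['name']}] -> {e['exe']}")
```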