XP Antivirus 2008 is a Trojan!

I had surfing the net when a red alert in Tray menu started to appear. It read Windows Seciruty has to be updated.

It offered me a site with “XP Antivirus 2008”

As I tought it is Microsoft security center alert, entered the site  http://s c a n n e r . a n v i-s c a n n e r . c o m / 3 4 /? a d v i d  =  0 0 0 0 0 0 4 6 8 3 & H T T &  /Attention – better do not try to open/

When I saw the fake system scanning and $20 price to “clean my system” I quickly left but was too late.

Then Avira Antivir  started to alert about viruses detected. The computer became very slow.

I restarted in Safe Mode /F8/ and  ran Spyware Doctor – it found more than 20 viruses and 30 infected files. Spyware Doctor cleaned them. I had disabled System Restore in advance. /Important!/

Then ran Avira Antivir again and cleaned  17 trojans.

Open Task manager /alt+ctrl+del/ and stop the following processes:

vav.exe
XPAntivirus.exe
XPAntivirusUpdate.exe
xpa.exe
xpa2008.exe

Then Remove following XP Antivirus 2008 Registry Values:

HKEY_USERS\Software\XP antivirus
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run smrhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c displayname
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c uninstallstring
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c advid
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c automaticallyupdates
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c backgroundscan
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c backgroundscantimeout
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c databaseversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c daysinterval
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c domain
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c engineversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c guiversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c installdir
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c minimizeonstart
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c programversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c proxyname
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c proxyport
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c registrationdiscurl
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run smrhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c registrationurl
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scandepth
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scanpriority
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scansystemonstartup
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c softid

This way I cleaned my system from that annoying malware.

Advertisements

4 Responses

  1. The company I worked for had this, and it is extremely difficult to get rid of… you must have backward hacked the virus to find out which registry entries to get rid of? Or run filemon? How did you know which registry entries were made by the malware?

  2. I’ve just been looking in Google for websites still containing this malware, and immediately found one, though not on the 1st page of results. I’m surprised that Google still lists websites that are way more dangerous than most adult sites banned by G.

  3. Tho this was written in 08, you are still right.. how to fix it

  4. The above tut didn’t work out.. 😦

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: