Dave Henrie's blog
xp2008_Anti_virus VIRUS
05:46 AM on Jun 11, 2008

My ex-neighbor had a computer problem and wanted me to take a look; that was this morning.
Her family photo desktop background was replaced by a RED fullscreen DeathSkull VIRUS warning. Every minute a new horrible virus warning popped up. Most of her desktop icons disappeared. She could not access much of the web, she could not get emails, she could only get IM messages.
Trend Micro could not find the virus or the 30+ viruses that this super duper program was constantly warning her about.
But then, the Trend Micro program could not update either.
The trojan is called XP 2008 Antivirus. And it's NASTY!!!
It has taken over her system as Administrator, so she cannot use the Task Manager, she cannot change desktop properties, she cannot search or find files, run regedit, etc. This is the most well-protected virus I have ever seen.

I did find, after coming back home, a supposedly free util that would remove the XP 2008 Antivirus program, but here's the rub... ONLY the detection was free; getting the virus removed required BUYING the program online. Great... but how do you buy something online when the virus is CHOKING the NET?? STOOOOOPID
So I get some 'manual' instructions on which files to find and remove, which registry entries to delete and what processes to stop. Trouble is... you can't do those in Windows. All the files supporting the virus are protected by the Admin... which is the virus.
Finally I got to safe mode and was able to rename and remove some of the offending files. Trouble was... when I went to reboot, Windows XP would not start. Two error messages popped up saying winlogon could not start due to a missing DLL. Perhaps if I re-installed the program it would be replaced. Phooey! So I ask the gal if she had a startup disc, nooooo, I asked if she had a full installation disk, nooooo, she did have a Win98 restore disc that works by formatting the drive. Great solution there.

So I've brought the hard drive back to my house; I'm gonna plug it into my system and attempt to replace the two files with 'clean' copies from my system. Before I do this, I'm gonna unplug from the net in case I transfer this bugger over to my box.
This may be Adios Amigos!!!
Dave Henrie
Posted by Andrew Carson at 05:56 AM on Jun 11, 2008
Comment #1

Had the same virus in the past. Scary as hell to see how much control it can have. The one I had even throttled the CPU. Terrible.

Posted by Jon Weal at 11:39 AM on Jun 11, 2008
Comment #2

Nuke the site from orbit.

It's the only way to be sure.

Posted by Enis Dauti at 11:46 AM on Jun 11, 2008
Comment #3

Couldn't you set PC to boot from CD, and then (after you have removed offending files) just select to repair Windows?

Posted by Johan Nilsson at 12:01 PM on Jun 11, 2008
Comment #4

Full reinstall of XP - just do it.

Posted by Dave Henrie at 11:08 PM on Jun 11, 2008
Comment #5

Yes, THAT would be the best way, a total re-install of Windows XP, but this is the real world and this is a second-hand box they have had for 4 years and nowhere is a proper XP disk to be found.

dh
