WARNING TO ALL USERS!

NOTE: Please make this sticky.

Recently, XP Antivirus 2008/Antivirus XP 2008 has become considerably more common.

Most recently, email spam telling of a critical Windows update contains links to a .swf hosted on imageshack.us that, after being loaded, will prompt the user to download XP Antivirus 2008.

Also, spam is being sent through Windows Messenger, MSN, AIM, and Yahoo! Messenger IM clients, which have also been attacked by this malicious program.

Please, if you receive any warnings telling you that your computer needs a critical update, or that you need to install XP Antivirus 2008, please do NOT fall for this HUGE scam.

Matt from remove-malware.com has said most of his client calls in the last week have been about XP Antivirus 2008, and one particular customer who had it ended up having his TurboTax files uploaded to the web because of XP Antivirus.

Just please be aware.

And to all of our wonderful experts who help remove malware every day: in this time of internet crime and malware, we must be the best we can be to prevail over this scam.

Thank You All,
David

Thank you PotatoMan!
XP Antivirus 2008 is detected by Avast, but Avast can’t remove it. According to my experience, ComboFix got it.

Problem is, CF won’t run on any other OS but XP.

Hi PotatoMan,

Yes, this scam is hurting a lot of “click now, think later” users, who think that every pop-up message comes from their computer and is safe to react to. Malwarebytes’ Anti-Malware is a program that can remove this malware; see to it that you update it to the latest version and signatures.
I agree with your conclusion that in these days of combined CyberCrime threat and Malware Galore, we as malware fighters have to stick closely together to fight malware and educate the unaware, so they are informed about better protection of their data and Internet experience,

polonus aka Damian (malware fighter)

P.S. This year is the U.N. “Year of the Potato”, did you know?

IMHO follows

Agree with Polonus.

ComboFix is overkill for most versions of the infection.
Try Malwarebytes Anti-Malware first, as it does not require a special script as ComboFix might, and it will also clean up other crap on the subject computer.

I’d then try SUPERANTISPY.
If those two do not get it, then the version with the ZLOB variant may be present.

Try a Kaspersky or other online AV scan (assuming that a boot-time avast scan has already been done).
You do NOT want a virus (or another virus) around while running ComboFix.

If SmitfraudFix or SDFix is called for, run them first (or Microsoft Malicious Software Removal Tool or other tools: RogueRemover, Stinger, etc.).

Now try/recommend ComboFix only if you are qualified to write the batch files that are frequently needed; otherwise refer the poster to someone (or a malware removal site) who is.

Incidentally it was posted that additional Avast detections are coming today or tomorrow.

A handy tool is to upload the sample to VirusTotal and get a positive ID before bringing out the heavy artillery. Who detects it can be a guide to who might remove it with conventional means.

Not to minimize it: the later versions of this software are tough,
and even after ComboFix, MBAM and SAS scans are warranted, along with an HJT log.

Hi wyrmrider,

Nice summing up there of measures to take against the various forms of this threat, but let us not forget that sometimes we need to start up in Safe Mode or temporarily disable System Restore during the cleansing process, because some of these nasties can “rise from the dead, so to say”. The malcreant today is a formidable opponent, guys and gals,

polonus

Amen to that Polonus

I also agree with Tech’s approach when he “suggests” that
anyone who works through that list should be much easier to help if extreme measures are required.

The following quotes are from this thread:
http://forum.avast.com/index.php?topic=38345.0

I also agree with PotatoMan when he comments on “The next step would be ComboFix”:

"No, ComboFix can be dangerous if a computer is not infected. Same as with SmitFraudFix and VundoFix.

Tech: Yes, downloading unnecessary programs and disabling system restore is for diagnosis, even when MBAM did not report anything.
You shouldn’t tell people to take certain medicine when they aren’t diagnosed."

and
“Second, ComboFix IS DANGEROUS as it can damage the registry and in some cases MAKE THE SYSTEM UNBOOTABLE.”

and with Tarq57:
"Some fairly good ideas, here, guys, but it does seem to me that some respondents are leaping to worst-case-scenario-type responses, which may or may not be appropriate, and, as indicated, one or two of them could do harm without the appropriate guidance.

What’s needed first is a proper diagnosis."

Many of the posters do not have the experience to run ComboFix unsupervised.

Hi wyrmrider,

You are so right, my friend. First establish IF there is a malware infection. If so, upload to VirusTotal to have the virus or infector identified, or do a read-up with the help of Google and the Internet.
Then, like you yourself note, follow an appropriate approach, which could be scanning with various run-of-the-mill anti-malware scanners.
If that does not deliver, more drastic methods can be appropriate, but always under the guidance of someone who knows what he or she is doing. First again use forensics like HijackThis, a StartDreck scan, or Silent Runners, which cannot harm your computer.
And in the case of an established infection we give the right antidote in the form of a fix (HijackThis, comboscript, SmitfraudFix, and the various latest Hogwart-tools there are), and these also under strict guidance of someone who knows what is going on,

polonus

Agreed Polonus,

Another big step is to gain help from experienced experts on forums like these or BleepingComputer so you don’t have to pay a computer tuner, which can be very costly!

Also, never reformat unless you have tried everything, as it might not even be malware; it could be a damaged system file. REFORMATTING IS THE LAST OPTION!!

Excellent free programs to help remove malware:

avast! antivirus
Avira Antivir
AVG Free 8.0
MalwareBytes
SUPERAntispyware
Spybot - Search and Destroy
Lavasoft Ad-Aware 2008

Or you could use a bootable antivirus disk.

Also, MOZILLA FIREFOX is an excellent browser that is WAY safer than Windows Internet Explorer and in some cases faster and less resource-consuming. You can download it at www.mozilla.com, and you can add awesome add-ons such as AdBlock and NoScript to stay even better protected!

Also, a firewall is STRONGLY recommended; some good ones:

Comodo
Sunbelt
PC Tools Firewall Plus

Or if you want to pay, here are some excellent ones!

Norton Antivirus (excellent malware removal, BUT BULKY AND RESOURCE-CONSUMING)
Kaspersky Antivirus 2009
NOD32
AVG Internet Security
ZoneAlarm
BitDefender

Excellent Advice Everyone!

Dave

I am confused. Is this something that everyone gets or is this something that systems get only if their users respond to a message saying that there is a critical update that they must obtain by clicking on something? I only see instructions in this thread explaining how to get rid of it. If the infection does not occur unless someone foolishly follows the false notification, then I think people should place emphasis on avoiding the problem, instead of emphasizing the fix.

Does anyone have a link to the Microsoft instructions for avoiding such things? I am sure they have made a statement saying that updates would only be made available through Windows Update, or something like that. The link to that and such would be relevant here and all future similar attacks. Emphasis of the correct procedure for responding to the messages now and in the future is the best fix.

I’ve used it on Win2K and Vista. Something change in the last few weeks?

IMO CF is as secure as other programs. If you do something, you always have to know that there are probably bugs/failures.
There is no program which is totally secure. Avast had to fix several security flaws that resulted in executing files while unpacking; Antivir (and others) false-alarmed on system files, which if deleted mean the
system won’t start anymore. Symantec, McAfee and MBAM had critical bugs too, and so on.
Even DSS had a bug that forced Deckard to pull it from all official mirrors.

You can never be sure that everything goes perfectly when using the programs we are talking about.

@oldman, CF works fine on NT systems (besides 64-bit).

Thanks raman. I didn’t think it was my imagination. ;D

Spybot added lots of definitions for XP Antivirus and friends today.

I am disappointed. Thought this topic would make some buzz, or at least get sticky :(.

This is a good reason to update your (legitimate) anti-spyware programs, folks.

Hi Potatoman,

A lot of users only become active if their own computer is involved, an egoistic trait of modern humans on this planet.
If you want to come and join us to fight malware (and not only the easy ones), go to boot camp online; there are many online anti-malware universities where people learn to evaluate malware forensics and unlearn a lot of things that are bad practice and can harm the victim’s OS.

Now also know that the malware landscape is constantly changing: tomorrow’s malware is not that of today, and old concepts can be launched again in a new outfit (the floppy infestations became modern again with USB stick/pen drive autorun malware).

So today’s special anti-malware programs and tools are not those of tomorrow.

There is an awful lot of information to help us fight malware, and on processes, DLLs and manual cleansing routines, to be found through our great friend Google.

I also agree that forensics is important in another way: some things taken for malware can be led back to hardware trouble; drivers, stop errors, the motherboard, cards and what have you can get busted. And do not forget the fatal results of just common dust that can ruin your precious machine. Then a lot of people do not know a CD/DVD burner only has very limited burning hours before it collapses (that is why commercial firms use other hardware for this).
Do your reading on malware cleansing and start to help others here,

polonus aka Damian (malware fighter)

Agreed Polonus,

I run my own malware removal shop over here in Ohio and I have seen a lot of XP Antivirus 2008 lately. I usually use a nice malware-killing cocktail of Malwarebytes Anti-Malware and Ad-Aware 2008.

But only when I know a machine is infected. I usually check for hardware failure, overheating, and even what you said, dust buildup; I have seen a lot of things on people’s machines. Like last week this guy thought he had won a free laptop and was told to click a link, and we later found out that the laptop was none other than our old buddy Zlob.

The war against malware is never ending.

We will never stop fighting.

Best Regards,
Dave AKA PotatoMan

Just a little addition here:
Turn off the messenger.
Disable auto updates.
With the huge variety of ways to communicate, the messenger is just not needed.
It is far better to check for system updates manually (I do it once a week) than to rely
on Windows’ automated system. If you are checking updates manually, more than likely you would
have noticed the website was wrong.
JMHO :)
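The first step in the post above, turning off the messenger, as an added PowerShell example that is not from the thread or any of its posters. It assumes the poster means the Windows Messenger service (the channel that carries "net send" style pop-up spam) on an XP/2003-era host where the service is registered under the name Messenger; it does not touch Automatic Updates.

```powershell
# Added example (not from the thread): stop and disable the Windows Messenger
# service so pop-up spam delivered through it no longer reaches the desktop.
# Assumption: the host registers the service under the name "Messenger"
# (XP/2003 era); Automatic Updates is deliberately left as it is.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='Messenger'"

if ($null -eq $svc) {
    Write-Output "Messenger service is not installed on this host; nothing to do."
} else {
    if ($svc.State -eq 'Running') {
        # Stop the running instance so the change takes effect right away.
        Stop-Service -Name Messenger
    }

    # A Disabled start mode keeps the service from coming back at the next boot.
    Set-Service -Name Messenger -StartupType Disabled

    # Re-query rather than reuse $svc so the output shows the new state.
    Get-WmiObject -Class Win32_Service -Filter "Name='Messenger'" |
        Select-Object Name, State, StartMode
}
```

Run it from an elevated PowerShell prompt; the final line should show the service with State Stopped and StartMode Disabled. The WMI class is used instead of the newer ServiceController properties so the check works on the PowerShell versions that shipped for XP.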

Ohio?
I would have guessed Idaho.
I thought the discussion on the role of this forum for non-Avast-related malware removal was really useful.