BuffaloHelp

Antivirus Xp 2008, Antivirus Xp 2009 - Recent Trojan Threat find symptoms and fix

I've been meaning to write this post for days but the days just got away from me.

Recently I subjected my personal laptop to this malware, which was downloaded to my client's email. The email client was Google Apps (Gmail) and the sender was a known contact. However, from the beginning the issue has been that this Trojan was downloaded even through Firefox 2.0.0.16 and passed the Google Apps filter. I was also told that some websites contain scripts to disable the firewall and download malware without the computer user's knowledge.

The final product is called Antivirus XP 2008 and here are the symptoms:

1) you will immediately notice that your firewall is disabled
2) background has changed
3) cannot change your background
4) cannot change your screensaver
5) cannot launch Control Panel to do anything
6) cannot launch normal programs
7) cannot launch CMD or any command programs
8) cannot launch regedit
9) cannot clean spyware(s) that keeps on spawning
10) your typical antivirus does not show any alert.

The names of the malware files are different but they all reside under:

C:\Windows\system32\lph*********.exe
C:\Windows\system32\*ph****.BMP
C:\Windows\system32\ntos.exe
C:\Windows\system32\wsnpoem\*
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll

It is still unclear to me whether two applications are working together (wsnpoem, ntos and lph********.exe, a.k.a. a.exe). But the solution I found was able to clear my laptop of the hijacked state.

Trojan types reported

File | Detection name
lph**********.exe | Trojan horse SHeur.CDRG
ntos.exe | Trojan horse PSW.Generic6.YTJ

Download SDFix.exe (also attached at the bottom of this post).

How to use SDFix

Download SDFix and extract it. I recommend that you unzip and unpack it (it is a self-extracting EXE file; this board will not allow a bare EXE file to be posted) on your desktop. You will be running this fix in SAFE mode, so it is better to have it where it can be located quickly.

Restart your machine and enter SAFE mode. To enter SAFE mode, simply hold down F8 during the restart. You will hear a continuous beeping sound, but I suggest you hold it until you see the Windows start-up option screen. Select SAFE MODE.

Once you start in SAFE mode, go to the SDFix folder and double-click RunThis.bat to run it. A command prompt will open and will take about 10 minutes to do its own thing. Once the registry is clear of the Trojan it will ask you to restart the machine. Follow the on-screen instructions. Once restarted, SDFix will run once again. This will take another 10~20 minutes. A message will appear at the end of the clean-up showing Report.txt as a log. No need to save it, since it saves and displays at the same time.

You should now be clear of this Trojan. Enable your firewall, and run your usual spyware remover and virus remover.

Key registries affected by Antivirus XP 2008

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

SDFix file
SDFix.zip

UPDATE
============================================================================
Direct download for latest patch from original source
http://ww1.andymanchesta.com//?gtnjs=1

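As an added example (not BuffaloHelp's code and not part of SDFix), the following Python script audits a regedit export of the two firewall AuthorizedApplications lists named in the post and flags any exception whose program path matches the file indicators the post lists; the sample export and the lph... file name in it are constructed, and the wsnpoem\audio.dll indicator is generalised from the two profiles in the post to any profile directory.

```python
import fnmatch
import re

# Indicator paths from the post above, wildcards as written there; the wsnpoem\audio.dll entry is generalised.
FILE_INDICATORS = [
    r"C:\Windows\system32\lph*.exe",
    r"C:\Windows\system32\*ph*.BMP",
    r"C:\Windows\system32\ntos.exe",
    r"C:\Windows\system32\wsnpoem\*",
    r"C:\Documents and Settings\*\Application Data\wsnpoem\audio.dll",
]

# The two firewall exception lists the post names (lower-cased for comparison).
_FWP = r"hkey_local_machine\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy"
FIREWALL_LIST_KEYS = {
    _FWP + r"\standardprofile\authorizedapplications\list",
    _FWP + r"\domainprofile\authorizedapplications\list",
}

# A "name"="value" line of a .reg export; strings escape \ and " with a backslash.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def matching_indicators(path):
    """Return the indicator patterns a file path matches (case-insensitive)."""
    p = path.lower()
    return [pat for pat in FILE_INDICATORS if fnmatch.fnmatchcase(p, pat.lower())]


def suspicious_firewall_exceptions(reg_export):
    """Return (key, program, value) for firewall exceptions pointing at an indicator
    path. Input is the text of a regedit export covering the List keys above."""
    hits, current_key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        m = _VALUE_RE.match(line)
        if m and current_key in FIREWALL_LIST_KEYS:
            program, value = (g.replace('\\"', '"').replace("\\\\", "\\") for g in m.groups())
            if matching_indicators(program):
                hits.append((current_key, program, value))
    return hits


# Constructed sample export (not a real capture): one stock-looking entry and one of the kind the post describes.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:Enabled:Remote Assistance"
"C:\\Windows\\system32\\lphcexample.exe"="C:\\Windows\\system32\\lphcexample.exe:*:Enabled:lphcexample"
"""
```

On a suspect machine, export the two List keys with regedit (File > Export), read the file with encoding='utf-16' and pass its text to suspicious_firewall_exceptions; matching_indicators can also be run over a listing of system32 and the profile directories.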

Will this Trojan attack Linux machines? Do we need to stay away from Google Apps? Any idea how wide spread this Trojan is at present?

Will this Trojan attack Linux machines?

Only Microsoft Windows from 95 upwards by the looks of it. Another win for Linux! Although, I guess you could run it under WINE if you want :)

Do we need to stay away from Google Apps?

Same caution as with all emails. According to Symantec it has to be manually downloaded and installed, so just be your usual wary self and don't download random stuff. It's not specific to Google Apps, but I'm surprised they're not filtering it out.

Any idea how wide spread this Trojan is at present?

Fairly widespread according to Symantec.

Ah, so this trojan got upgraded then, because I have gotten its older brother a few times, and so I just go into safe mode, find the program in the win32 folder, delete it and then run my computer with Spybot and McAfee. So it seems that this exe pokes around in more files than the older version. Of course the quickest way to know that you have this trojan installed is opening Task Manager, where you should see lph*********.exe running. I agree with rvalkass that this trojan won't affect Linux since it is Windows specific, or rather XP specific.

Edited by Saint_Michael

Oh great lol. I use Windows XP Home Edition, and I've had this trickster before. Quite hard to remove as well, especially when you don't have a good Anti-Virus. :( AVG, Kaspersky, BitDefender, and them are rubbish. I need a GOOD Anti-Virus. Can anyone also find me one? :( @ Michael: Yeah. It has a brother in its infected family of code :) Thanks Buffalo! :) I shall keep a lookout for these things. :D -Sky

Well, it's not that those anti-viruses don't work; it's just that some trojans are designed to sneak in behind the scenes, regardless of whether the major software has patches and whatnot to find them and delete them. So the only way to remove them is the old-fashioned way of finding the files and then deleting them; however, that's where most non-tech people think a small program that removes these things will work, but instead it just adds to the problem and whatnot.

Thanks Buffalo, it's there on one of my college's computers. I'll try to remove it :). People at my college actually used to think that it's an antivirus... LOL. Any idea if this can be manually removed using 'HijackThis' to remove the registry entries and then deleting the files manually? Can this trojan spread through pen drives? I am using Norton Internet Security 2007 on a laptop and it has a lot of sensitive data that I can't risk losing. Will this pass through that also?

Trojan virus EVERYWHERE!

Hi!

Please help!!

I have one of these trojan things currently killing my laptop and I have no clue how to get rid of it. I have AVG 7.5 anti-virus software but it doesn't delete it, it just puts it in the virus vault, and the folder it originates from can't be deleted... And I think there are many of the little buggers because there are many folders with weird names, but I don't want to delete them just in case they are important and not meant to be deleted! Every time I switch the laptop on another one slips through the net! HELP!

Can someone please tell me (in very plain English) how to fix this!!

Thanks :o)

P.S. I have tried to do a system restore but it won't restore to any date other than the date I got the trojan, and I've even played around in safe mode but I still can't delete the folders! HELP ME!

-reply by sweetie

Help with removing a Trojan

Replying to BuffaloHELP

Hi BuffaloHELP,

I found your post on the web and I have a Trojan that will not go away. I ran anti-virus and tried manually removing suspicious files in safe mode, as well as restoring to an earlier date. Still no dice. Your link for the SDFix file is not working for me. I figure I ought to try whatever I can to fix my computer before biting the bullet and bringing it somewhere to be formatted. :-( Can you re-link the SDFix?

-reply by Eilean

Virus XP 2009 ????

Replying to iGuest

I just removed this virus from a friend's computer. It changed the wallpaper (to a warning) and the screensaver (to a blue screen of death) and then removed the settings to allow changing the settings back. Neither Spybot S&D nor Ad-Aware touched this. Disconnected from the internet, and everything slowed to a crawl. Did a registry edit and got the screensaver and wallpaper reset and deleted all the files listed (http://www.mombu.com/microsoft/f-internet-explorer-security-283) on the internet. Ran Bart PE with Ad-Aware, Spybot S&D and Crap Cleaner "CClean" and others. It still came back. Computer got slower. Took forever to get settings and documents saved to CD. Formatted the hard drive and reinstalled Windows XP and everything is clean, but the computer is SSOOOO SSSLOOOOOOOW. Will try a new hard drive, but suspect it is time to upgrade to a new computer. Worst I have ever seen.

-reply by ncwoodworker

For guests who tried SDFix:

Try the updated link to download the newest registry and spyware cleaner:

UPDATED LINK http://ww1.andymanchesta.com//?gtnjs=1

I had several computers where this Antivirus 2008 was left in for weeks. It apparently took over the registry for hardware control and permanently took over the network interface card: I could not remove the DNS redirection, and pop-ups were still showing random advertisements. The only thing that kept pop-ups from appearing was to use Firefox instead of Internet Explorer. I am going to attempt another removal with the newest SDFix patch.

To the guest that could not download SDFix from our board:

You must be a registered member to download our uploads. For your convenience I have placed links to download from the source. I hope you find it useful.

You want a fix in simple English? REBUILD YOUR COMPUTER. Get your Windows disc and make that sucker spin. Back up files if you like, but get yourself an excellent virus scanner and scan everything before you put it back on your computer. If you like open source, Comodo or ClamWin are excellent for this.

I'll tell you why one fix won't universally work: I had this trojan with TOTALLY different names under TOTALLY different circumstances. I battled this trojan for a good month. I got it off, but my computer was so ravaged that I reinstalled Windows and called it done. My variation was THE MOST excellent piece of virus software I have ever seen. I'll elaborate on how I got rid of it.

The trojan would start up before I even logged into my profile. IN THE WELCOME SCREEN! So I knew it was in the registry. It would sit unobtrusively in the background. But I think that this dang thing had a key logger. Every time I visited a site that might be able to help, it cut my ethernet connection. I would calmly have to ping my router to get it to recognize I existed. If you let it sit too long, it would create instances of IEXPLORE.EXE that would start eating more and more system resources. It's smart, though. It's not the IEXPLORE, it's a different program. If you watch for a long enough time in the task manager, you'll see it. I found mine; it was a jumble of letters and numbers that started with a C6 (I can't remember the rest of the crud). Point is, I looked that thing up on the internet and I couldn't find squat. And here's where the real genius comes in: I think that IT RANDOMIZES ITS FILE NAME. That's incredibly intelligent. Whoever wrote this should be shot.

More annoying things: whenever I did a search for it in any virus software, it would cause an exception and throw my computer to the blue screen. If I did anything for too long without manually shutting this thing off, I would go to the blue screen. But it's just at the edge of annoying. You don't want to go to the lengths required to get rid of it, because you think "I can deal with this..." It's annoying, but not annoying enough to drive you to the edge. It's a masterful piece of work.

The way I got rid of it: if you can still get into safe mode, then get there, for gosh's sakes. If you know what the file's name is, then go into system32 in the Windows folder and delete it. I found mine there, and another one with more gibberish for a file name. Once you've gotten rid of them from there, go into your registry and use the find tool to find them there. If you don't know how to do that, then look it up (my post is too long already). Then restart your computer and hope for the best. My computer worked after that, but the drivers conflicted so much I had to rebuild anyway. It sucked.

I have had this virus myself, very nasty to remove too. I did find out there are 2 antivirus programs that removed it, AVG and BitDefender. Both free. It took a double run of them both, but I was able to remove it, along with a couple of other pieces of spyware.

2 antivirus programs that removed it, AVG and BitDefender.

That wasn't the case for me. One of the machines had Windows XP with AVG and the others had Windows XP with Symantec Corporate Edition. They were both infected and both antivirus programs could not catch it in time. After I disconnected from the internet, AVG showed some sign of healing, but after reboot the same warning message popped up and it was cleaning again. So each and every time the machines were rebooted, the virus kept coming back. It was not until I ran SDFix that it picked up the recursive program that spawned the virus.

Anyway, for me SDFix worked, and I have been using it on other machines to clean them out. But the best cleaner is to make sure your computer is not infected to begin with.
