XP Antivirus 2008 - Phishing bug

boingo
Seraphim
Posts: 18937
Joined: Sun Feb 19, 2006 9:34 am
Location: Perth, Western Australia (GMT+9hours for daylight "savings")


Postby boingo on Fri Aug 08, 2008 11:42 am

"XP Antivirus 2008" is not part of Windows. It's a phishing program to scam people out of money by telling them they have loads of viruses and spyware on their computers.

I've just spent the past four hours trying to get this thing out of my computer, but it's still there and keeps popping up saying my computer is infected.
I've tried about five different methods to remove it, including removing it from Windows Start Up and deleting the known folder it's in: C:\Program Files\rhc72qiDevf7
Even Windows says it's removed, but all I've succeeded in doing is reducing the frequency of the pop-up. Ad Aware is pretty much useless now they've changed it and doesn't actually remove most of what it finds. Spybot Search & Destroy wasn't much help. I'm currently trying an Anti Rootkit program to see what it finds.

Any help will be greatly appreciated. Most people who've encountered "XP Antivirus 2008" :?
“Only until all of mankind lives in harmony with nature can we truly decree ourselves as an intelligent species.”
-Genelle Haldane


Postby boingo on Fri Aug 08, 2008 12:18 pm

Update.
Fingers crossed. After five solid hours, I may have got it removed.
I used Panda Anti-Rootkit, which found and removed about five entries that looked like they may have been part of "XP Antivirus 2008".

In case anyone else's PC gets infected, here's the link for Panda Anti-Rootkit: Click here

Edit.
I should have added that apparently the scamware usually gets into our computers from legitimate software downloads, such as codec updates, or even from just browsing a normal (not porn) website. Most programs like this leech onto another program download, but somehow the authors of "XP Antivirus 2008" have managed to find alternate ways to infect computers. :? It could be via Flash or Java, but I don't know.


Postby boingo on Sat Aug 09, 2008 4:14 am

Grrrrrrrrr
I left my computer on overnight and came back to find a blue screen of garbled messages and the damn scamware is still there!
I've used Spybot Search & Destroy, Lavasoft Ad-Aware, RogueRemover free, Panda Anti-Rootkit and System Mechanic's spyware remover. :x


Postby boingo on Sat Aug 09, 2008 11:06 am

I've now scanned the entire system for errors using System Mechanic 6. That program claims to have removed 1.4GB (yes, gigabytes) of clutter and repaired 225 errors. However, while I haven't seen the scamware ad again yet, I am still getting a blue screen of weird error messages. I think the blue screen is false because every other time I've had a Windows blue screen the computer either has to be rebooted or was in the process of booting up. This screen just goes away with a click. The blue screen only comes up if I leave my computer unattended for half an hour or so, i.e. if I'm typing away or doing other things on the computer, the blue screen does not come up. Just prior to the blue screen is the black Windows splash screen. I think the virus/scamware is still operating and is putting up those false screens, like a screen saver would if no one were using a computer for a while. :?


Postby boingo on Sat Aug 09, 2008 12:08 pm

Further updates.

In case you run into it, this is what the popup window from that fake antivirus program looks like.
http://img367.imageshack.us/my.php?image=viruspl0.jpg

The one on the right is definitely the fake antivirus program. They've obviously nicked graphics from Windows Defender.
I thought the one on the left was fake too, but I've just realised the address it gives as having a virus is the same location the Windows shortcut linked to. It also pops up now and again while the "Antivirus XP 2008" window doesn't. The fake program was also popping up a little window near the clock saying it's found over two hundred viruses, but that's an obvious lie.

I'm currently scanning my computer with AVG antivirus and after only 20 minutes it's so far found three Trojan Horses at the address shown in the virus scan on the left, i.e.
C:\WINDOWS\system32\pphc32qj0evf.exe (x2)
C:\WINDOWS\system32\lpphc32qj0evf.exe
The parts in red are the scamware Trojan.

I'll update again later on. So far I've spent about seven or eight hours in total trying to get rid of this thing. I know I'm better off giving up and just rebuilding the software again, but I want to know how to get rid of it in case it comes back.


*Edit.
Five hours later and AVG is still scanning my computer (I've got about 1.5 Terabytes of hard drive space). It's discovered 15 threats, including the first three that are definitely the fake antivirus program.
I can't believe I've used at least five scanners and they have all found different infections.

monosodium
Regent Empress
 
Posts: 5774
Joined: Fri Oct 21, 2005 11:52 pm
Location: In UR base snifin all UR pantys

Postby monosodium on Sat Aug 09, 2008 5:16 pm

Personally I'd never trust a machine that has had a serious infestation like that.

If you rebuild the box properly then it won't come back, but few people set their machines up properly regardless of whether they're an iPerson, penguin toucher or windozer.

Regardless of what OS flavour you like, the principle of least privilege is the first thing you're looking for. Do not run applications as administrator/root; just use a normal limited user account. When you need to do something that needs admin rights, log in as an admin, do what you need to do, then get out again.

I really should do a blog or something on it. In the meantime if you use windows xp then you should probably take a look at http://www.windowsecurity.com/articles/Windows_XP_Your_Definitive_Lockdown_Guide.html as a starting point.
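As an added illustration of the least-privilege advice above (this is not monosodium's code or anything from the lockdown guide linked), here is a PowerShell check you can run on an XP box to see whether the account you browse with actually holds administrator rights, and who else does. It uses only the .NET WindowsPrincipal API and the ADSI WinNT provider, both available on XP with PowerShell 2.0; the account name "Daily" in the comment is a made-up example.

```powershell
# Added example: is the current session a limited user, and who is a local admin?
# Not from the forum thread; uses standard .NET and ADSI calls available on XP.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

# IsInRole reflects the token actually in use: on XP (no UAC) an account in
# Administrators is fully privileged in every process it starts, so any
# drive-by download runs with those rights too.
if ($principal.IsInRole($adminRole)) {
    "WARNING: $($identity.Name) is running with administrator rights."
} else {
    "$($identity.Name) is a limited user (good for everyday use)."
}

# Enumerate the local Administrators group via ADSI. Get-LocalGroupMember
# does not exist on XP, so use the WinNT provider instead.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
"Members of $env:COMPUTERNAME\Administrators:"
$group.psbase.Invoke('Members') | ForEach-Object {
    '  ' + $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

# To follow the advice in the post: create a limited account for daily use and
# leave it OUT of Administrators, then use runas for the odd admin task, e.g.
#   net user Daily * /add          (prompts for a password; "Daily" is an example name)
#   runas /user:%COMPUTERNAME%\Administrator "control appwiz.cpl"
```

If the first line says WARNING while you are in your everyday session, that is exactly the setup the post warns about: everything the browser launches, including a rogue installer, inherits full control of the machine.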


Postby boingo on Sun Aug 10, 2008 7:38 am

Cheers Mono :D

I seem to have got rid of it now, except it's left that false Windows blue screen as a screen saver and the screen saver tab in display properties is now missing.
Basically, I think it's screwed beyond complete repair.
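The symptoms boingo describes across these posts, a startup entry that survives removal, a fake blue-screen "screen saver", and a Screen Saver/Background tab that has vanished from Display Properties, each live in a well-known place in the Windows XP registry. The script below is an added example (not something posted in the thread, and not a claim about what this particular rogue wrote) that lists those places so you can see what is actually configured rather than guessing. The registry paths and policy value names are standard Windows ones; the idea of flagging unsigned or missing targets is my own triage heuristic, not a detection signature.

```powershell
# Added example: triage autorun entries, the configured screen saver, and the
# policy values that hide Display Properties tabs on Windows XP.
# Run from an administrator PowerShell prompt. Not from the forum thread.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Autoruns: print every value and whether its target exists and is signed.
# A legitimate vendor's entry normally points at a signed file; an entry whose
# target is missing (you deleted the folder) or unsigned deserves a closer look.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        $cmd = [string]$p.Value
        # Crude extraction of the executable from the command line: quoted path or first token.
        $exe = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $status = 'MISSING'
        if (Test-Path $exe) { $status = (Get-AuthenticodeSignature -FilePath $exe).Status }
        "{0}\{1} -> {2} [{3}]" -f $key, $p.Name, $cmd, $status
    }
}

# Screen saver: the saver that runs after idle time is whatever SCRNSAVE.EXE
# names. A fake blue screen that only appears when the machine is left alone
# fits this slot exactly. Stock savers live in %SystemRoot%\system32 and are signed.
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
$scr  = $desk.'SCRNSAVE.EXE'
if ($scr) {
    $scrPath = [Environment]::ExpandEnvironmentVariables($scr)
    $sig = if (Test-Path $scrPath) { (Get-AuthenticodeSignature -FilePath $scrPath).Status } else { 'MISSING' }
    "Screen saver: $scrPath [$sig] active=$($desk.ScreenSaveActive) timeout=$($desk.ScreenSaveTimeOut)s"
} else {
    "Screen saver: none configured"
}

# Missing tabs: these per-user policy values hide individual Display Properties
# tabs (Screen Saver, Background) or the whole applet. Report any that are set
# and show the command that clears them.
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if (Test-Path $polKey) {
    $pol = Get-ItemProperty -Path $polKey
    foreach ($name in 'NoDispScrSavPage', 'NoDispBackgroundPage', 'NoDispCPL') {
        if ($pol.$name -eq 1) {
            "Policy $name is set (tab hidden). Clear it with:"
            "  Remove-ItemProperty -Path '$polKey' -Name $name"
        }
    }
}
```

Read the output as evidence, not as a verdict: an unsigned autorun is common for small legitimate tools, but an autorun or SCRNSAVE.EXE target that is missing or sits under a random-looking folder in Program Files or system32, combined with a hidden Screen Saver tab, is the pattern described in this thread and worth acting on. Clearing the registry values restores control of the settings; it does not by itself prove the machine is clean, which is why the rebuild advice later in the thread still stands.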

micky-m8
Private Dancer (can now PM!)
 
Posts: 78
Joined: Sat Mar 08, 2008 6:05 pm
Location: East Midlands

Postby micky-m8 on Mon Aug 11, 2008 10:25 pm

Beware of any message that tells you that your computer is infected with a dangerous trojan or virus and demands that you download their all-conquering software to combat this imaginary threat.


Postby boingo on Tue Aug 12, 2008 8:38 am

Yup. That's exactly what this software does.
I've read loads of forum postings about this particular scamware, and no-one seems to know how to completely get rid of it without reinstalling Windows.
Currently the only symptom I'm getting is that false Windows error screen which is only a screen saver, but the tab for changing screen saver and wallpaper has gone from the menu box.

franfran
Princess
 
Posts: 3913
Joined: Wed Jun 11, 2008 8:18 am
Location: Sydney, Australia

Postby franfran on Tue Aug 12, 2008 9:51 am

boingo wrote:Further updates.

In case you run into it, this is what that popup windows from that fake antivirus program looks like.
http://img367.imageshack.us/my.php?image=viruspl0.jpg


I like the cute little frog at the bottom of the picture....
"Freedom without socialism is privilege and injustice, socialism without freedom is slavery and brutality." (Mikhail Bakunin 1814 - 1876)

:girl:


Postby boingo on Tue Aug 12, 2008 2:24 pm

franfran wrote:
boingo wrote:Further updates.

In case you run into it, this is what that popup windows from that fake antivirus program looks like.
http://img367.imageshack.us/my.php?image=viruspl0.jpg


I like the cute little frog at the bottom of the picture....

:lol:

That's actually part of Image Shack's page. :wink:

PlasticAnnArbor
Wet behind the ears
 
Posts: 125
Joined: Wed Jul 02, 2008 7:23 am


Postby PlasticAnnArbor on Sat Aug 16, 2008 6:22 am

And reinstalling Windows may not even "fix" the box if the software got into the boot loader section of the partition. I would not even trust any piece of music or video or any file. A full and complete wipe is what I would do, using DBAN (Boot & Nuke), then restore from a known good backup from an external HDD.
Plastic.PVC,Latex Loving Linux User
Penguin power (tux and Opus )
http://www.linux.org/
http://www.comics.com/wash/opus/index.html


Re: re

Postby monosodium on Sat Aug 30, 2008 12:10 am

PlasticAnnArbor wrote: And reinstalling Windows may not even "fix" the box if the software got into the boot loader section of the partition. I would not even trust any piece of music or video or any file. A full and complete wipe is what I would do, using DBAN (Boot & Nuke), then restore from a known good backup from an external HDD.

A repair from the CD would be fine in the short term I reckon.

If you have the time (it's worth spending the time, too), really what you need to do is make your own Windows bootable CD with all the drivers and service packs you want on it (they call it slipstreaming, if you want more info on how to do it). Copying the Windows CD in this way is something that's permitted by your licence so long as you only use the licence key on one machine.

Then get your antivirus on and updated before you copy *anything* back from your backup of course.


Re: re

Postby boingo on Sat Aug 30, 2008 6:29 am

monosodium wrote:
PlasticAnnArbor wrote: And reinstalling Windows may not even "fix" the box if the software got into the boot loader section of the partition. I would not even trust any piece of music or video or any file. A full and complete wipe is what I would do, using DBAN (Boot & Nuke), then restore from a known good backup from an external HDD.

A repair from the CD would be fine in the short term I reckon.

If you have the time (it's worth spending the time, too), really what you need to do is make your own Windows bootable CD with all the drivers and service packs you want on it (they call it slipstreaming, if you want more info on how to do it). Copying the Windows CD in this way is something that's permitted by your licence so long as you only use the licence key on one machine.

Then get your antivirus on and updated before you copy *anything* back from your backup of course.


Thanks a lot, Mono. :)
There doesn't seem to be any trace left of the virus any more. After doing a monumental amount of repairs (I just left the computer to it), the screensaver tab reappeared, so my sister was able to stop the *screen saver running and give it the boot.
*The screen saver was a false Windows blue screen error intended to fool people into thinking their computer really was corrupted with viruses and thus encourage them to buy the very program that put the false error message up in the first place.

The reason why I procrastinate with doing Windows rebuilds is because of the after installation programs tweaking and set-ups. Windows itself is fine because of the Files and Settings Transfer Wizard, but I use things such as an old version of Paint Shop Pro that takes over an hour to set up the tool bar how I like it.

kinghelfer
Supernatural Poster
 
Posts: 11135
Joined: Mon May 30, 2005 4:30 pm
Location: R ....... Paddle Faster - I Can Hear Banjo,s.......

Postby kinghelfer on Tue Sep 02, 2008 7:42 pm

:P ...I've got it now too... I'll try some of that rootkit thingy...... :wink:
.......Lipsmackin'thiRstquenchin'acetastin'motivatin'
goodbuzzin'cooltalkin'highwalkin'fastlivin'
evergivin'coolfizzin' ........Kingy
