XP Antivirus 2008 - Phishing bug

by **boingo** on Sun Sep 07, 2008 8:50 am

I found a link I saved:
http://forums.microsoft.com/windowsonecare/showpost.aspx?postid=2873308&siteid=2&sb=0&d=1&at=7&ft=11&tf=0&pageid=1
There's a lot of help about the virus on that page.

Contrary to some of the advice, the folder for the virus was not called "XPAntivirus" on my PC. Apparently there's several versions of the virus. My computer had some weird alphanumeric code name. I think I posted that on page one here.

by **monosodium** on Sun Sep 07, 2008 4:23 pm

There are a number of versions and as malware goes it's quite sophisticated both in terms of the application itself and also the social engineering used to get people to install it.

There's a great article on it here: http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/

by **boingo** on Mon Sep 08, 2008 9:54 am

Cheers Mono.

by **kinghelfer** on Mon Sep 08, 2008 5:33 pm

...after not bothering with it all wekend i have decided to have a go at removing it manualy only to discover that things like the / needed to write into the relevant command box now comes up as } is this something ive done and if so how do i put it back so i can get rid of this thing......? oh yeah question marks dont work either - i am on CG,s computer...... :wink:

by **PlasticAnnArbor** on Mon Sep 08, 2008 9:57 pm

can you do this
Start / Run
and type in " regedit.exe " ( without the "")
and manually remove
[code:1]
HKEY_USERS\Software\XP antivirus
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run smrhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c displayname
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c uninstallstring
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c
[/code:1]

by **monosodium** on Tue Sep 09, 2008 12:45 pm

kinghelfer wrote::P ...after not bothering with it all wekend i have decided to have a go at removing it manualy only to discover that things like the / needed to write into the relevant command box now comes up as } is this something ive done and if so how do i put it back so i can get rid of this thing......? oh yeah question marks dont work either - i am on CG,s computer......

Sounds like it's changed your keyboard language. You should be able to put that right in control panel.

by **kinghelfer** on Tue Sep 09, 2008 4:56 pm

...thanks to you both - i,ll have a go when it eventualy starts up properly, i have noticed another forward slash above the numbers!! :wink:

by **kinghelfer** on Tue Sep 09, 2008 10:02 pm

...I have managed to delete some of it in the registry, i was following a guide on one of the specialist removal pages but i was unable to locate it in the task managers processes, also the page i was using was on CG,s computer and she has closed it!!
I,m sure ive missed something as i still get the screensaver....... :wink:

by **PlasticAnnArbor** on Tue Sep 09, 2008 11:58 pm

look here
http://www.xp-vista.com/spyware-removal/xp-antivirus-2008-removal-instructions-xp-antivirus-2008

you might need to also use the windows install disk to repair the system reg. some entries are removed by the virus

by **boingo** on Wed Sep 10, 2008 5:01 am

I have Windows set to show all hidden files. Maybe that's how I was able to find the folder.

by **PlasticAnnArbor** on Wed Sep 10, 2008 7:01 am

i forgot about that , the hidden system files .i am so used to seeing the partly grayed out files that it is normal on win.
see
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/hiddenfiles.mspx

by **kinghelfer** on Wed Sep 10, 2008 6:06 pm

...I have set windows to show hidden files but still cant see rhc34ej0enar which is the culprit behind my version of all this. i also show an icon on the toolbar for it which says its located at C:/Program Files/rhc34ej0enar ( the forward slashes are reversed) but search wont show me where this file is - any ideas?¿? :wink:

by **PlasticAnnArbor** on Thu Sep 11, 2008 3:15 am

run regedit.exe
and see if that name is in
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
and
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run
also look in C:\\Documents and settings\( username)\Start Menu\Programs\Startup for a link
also
Program Files/Common Files
and search the registry for " rhc34ej0enar "
in regedit do
Edit / Find rhc34ej0enar

by **boingo** on Thu Sep 11, 2008 12:00 pm

You won't believe it, but last night I clicked on a link in Google and as I watched the toolbar telling me what page was loading, I saw the first part of "XPAntivi..." coming up as the page that was loading, so I immediately closed my browser before it had a chance to fully load. A couple of pop-ups from the web page came up to try stopping me shutting down Firefox and to trick me into clicking them, but I right clicked on Firefox in the Windows Toolbar and forced it to shut down. Fortunately I got Firefox shut down just in time, so my computer didn't become reinfected. I did a bunch of scans of my computer and it came up clean.

by **kinghelfer** on Thu Sep 11, 2008 7:16 pm

...many thanks to you all for your help and advice, i,m pretty sure ive deleted it all from the registry and my machine is still working!
I downloaded AVG Free for a second time and it STILL didnt find the bits that were left in the startup folder that i cut out today - but what it does do Boingo, is scan all the google links before you click on ,em....... :wink:

XP Antivirus 2008 - Phishing bug

re

re

re

re

Who is online