XP Antivirus 2008 and Antivirus 2009 - Round 2
June 29, 2008
OK, so it was a bit premature to declare victory over the XP Antivirus 2008 / Antivirus 2009 issues that my dad was facing. Here is the email I got this morning:
I ran the full scan over night which produced one more critical item and over a hundred cookies which were removed. At first it seemed like there were no problems. I switched to the non-admin account and started getting the same screens we had viewed last night. Still in this partition, I cranked up the full scan and after running a while the interference got worse by displaying two or three new screens predicting even more dire consequences. And, periodically going into what appears to be a rebooting of the system following which the scan proceeded as normal.
I did a little more research using some of the keywords from last night’s screen shots and ran across this xp antivirus 2008 post in the Windows Live OneCare Anti-Virus forum. Looks like people started running across variations of the virus/spyware back in February. Since then there have been over 42,000 views and over 80 replies with varying degrees of success. Most people referred to a post by ‘shecut’ on page 2 as having been successful. I decided that was what we were going to try.
We got on the phone and connected via Copilot again. Again, it was immediately apparent that there was something going on with his computer. Check out these screen shots:
Hey look, there is that helpful Google Tips box. Except this time it is on the main Google search page. Same text though:
Google has detected unregistered Antivirus 2009 copy on your computer. Google recommends you to activate Antivirus 2009 to protect your PC from malicious intrusions from the internet.
And did you notice the pale yellow warning bar?
The page you are opening is probably contains spyware, adware, etc. Your system might be at risk, Click here to protect your system with Antivirus 2009.
Both the ‘Google Tips’ box and the ‘Click here’ link point to the same microsoft.browserprotectioncenter.com link.
But wait, there’s more!
Check it out. Not one, not two, but three different popups in one view! How do they do it? No wonder my dad was so irritated. Here’s the run down on each:
Antivirus 2009 - Threats detected
Unwanted software (malware) or tracking cookies have been found during last scan. it is highly recommended to remove it from Your computer.
- Lost Documents and Settings
- Permanent Data Loss
- System not starting up
- System Slowdown and Crashes
- Loss of Internet Connections
- Infecting other computers on your network
It is tempting to make fun of all of the grammar mistakes and inconsistencies but I was recently admonished about my own grammar and inconsistencies.
Antivirus 2009 Security Center
Antivirus 2009 protection has detected Spyware program Win32.Monster.fx that is trying to attack your computer. Do you want to block the attack?
Aaaahhh! Monsters are attacking! Should we try to block it or run for the hills!
Antivirus 2009
Privacy Violation alert!
Antivirus 2009 detected Privacy Violation. Some program is secretly sending your private data to untrusted internet host. Click here to block this activity by removing threats (Recommended).
Privacy violations!? Secret internet transmissions!? Untrusted internet hosts!? Wait a minute! How did the government get on my dad’s computer? Must be that damn FISA Act. I knew living in Iran in 1978 would catch up with us.
And it gets worse! Much worse if you don’t have all of your wits about you. I feel sorry for those less technically literate. These guys are crazy in their attempts to convey legitimate problems! My dad had mentioned a couple times about his computer rebooting randomly but that something didn’t seem quite right. We got lucky and caught it in the act.
This is the fake BSOD:
It appeared briefly, even resizing into a pseudo-DOS mode. My Copilot port screen went from 1280×1024 to 640×480. Again, the full text for the search engines:
A spyware application has been detected and Windows has been shut down to prevent damage to your computer
SPYWARE.MONSTER.FX_WILD_0x00000000
If this is the first time you’ve seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:
Check to make sure your antivirus software is properly installed. If this is a new installation, ask your software manufacturer for any antivirus updates you might need.
Windows detected unregistered version of Antivirus 2009 protection on your computer. If problems continue, please activate your antivirus software to prevent computer damage and data loss.
Beginning dump of physical memory.
And then came the fake reboot:
Looks pretty legit. Except for the helpful message:
Your Antivirus 2009 copy is unregistered. Microsoft Security Center recommends you to activate your antivirus protection software.
And then we were right back to where we were when it started: In IE with the same windows open. No logging in or anything. And I thought they were good.
OK, all of the above pictures and commentary are for the benefit of those who haven’t run across this yet and think that their friends and family are just blowing things out of proportion. I’m sure that the rest of you who are currently dealing with the problem just want me to get on with it and tell everyone what fixed the problem! I’m getting there, Jan!
Unfortunately, our time is up. Tune in next week for Round 3!
Just kidding!
Before we continue, I need a favor:
Register now! For only $49.95 I will hunt down and paralyse all viruses today! This is a one-time only charge. Your credit card will never be rebilled, and you will receive UPGRADES FOR FREE!
Sorry, inside joke! Those of you who are dealing with this particular issue probably get it (and probably don’t think it is funny). Those that don’t get it, try going to the microsoft.browserprotectioncenter.com site. You’ll get it (and you probably won’t like it either).
OK, where were we? Ah, I just got done showing you all the ways this spyware was manifesting itself on a system. Now it was time to try the steps as listed by ‘shecut’ on the xp antivirus 2008 post in the Windows Live OneCare Anti-Virus forum. The steps are:
- Print out these instructions as we will need to close every window that is open later in the fix.
Next, please reboot your computer into Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
- Login as a user with administrator privileges.
When your computer has started in safe mode, and you see the Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
- Login as a user with administrator privileges.
- When your computer has started in safe mode, and you see the desktop, continue with the rest of the instructions.
- Click on the Start button and then select the Run option.
- In the Open: field type C:\Program Files\ and then press the OK button.
- When the folder appears, if it says These files are hidden, click on the Show the contents of this folder option.
- When the C:\Program Files\ folder opens, look through the list of folders and when you find the folder named XPAntivirus left-click on it once so it becomes highlighted.
- Then hit the Delete button on your keyboard and when it asks if you are sure you want to delete the folder, click on the Yes button with your mouse.
- When the folder is deleted, reboot your computer back to normal mode.
Unfortunately, your mileage may vary.
It was a little unclear if we were supposed to reboot into Safe Mode twice or not. I opted for not since it sounded like the second time they were letting us know how we would have gotten into Safe Mode in the first place.
- How do I know if I am in Safe Mode or not? Good question! You will see the words ‘Safe Mode’ in all four corners of your computer screen.
- I tried to be smart and go through the msconfig screen and check the /Safeboot flag but we were running under the non-admin account so it didn’t appear to take.
- We did not have a folder called XPAntivirus. Ours was called Antivirus2009.
- We actually got stuck in Safe Mode for a while (six or eight reboots). A combination of msconfig options and not pressing F8 eventually got us out. It was scary for a few minutes because the results for "can’t get out of safe mode" all involved boot disks.
- We initially thought we were triumphant. There were no pop-ups after we got in and IE brought up his home pages fine. But as soon as we tried to go to another page, the madness started again! Aaargghh!
There were some other hints in the xp antivirus 2008 post about looking for some crazy-named files in the System32 directory or installed as applications. We struck out there. There was one post that mentioned having success with Spybot Search & Destroy.
So off we went. But wait, with IE acting up, I can’t download Spybot. I know! We need to install Firefox. It won’t be affected. Yeah, guess what? With IE acting up… So here we go again: Drop back to my computer, download FF, upload to my FTP site, get back on my dad’s computer, connect to my FTP site, download FF and install. Yay! "Hey look, Firefox doesn’t seem to be affected. Impressive." says my dad. Oh yeah, one more convert to Firefox!
Now to download Spybot with FF. We install Spybot and let it scan the system. Not surprisingly, it finds some additional items that Ad-Aware didn’t find last night. We let Spybot remove them and reboot. An initial check shows that things seem to be OK. IE isn’t acting up anymore. We try a few more things and are cautiously optimistic that the problem is solved. My dad is going to run Spybot a couple more times tonight (under different accounts).
So here we are at the end of Round 2. What are the morals of this episode?
- For the sake of your Family IT Person, run, do not walk, run and download and install Firefox right now! It is more secure than IE, and comes in handy for those times when IE is completely hosed!
- It seems there really is some truth to the rumor that you should run Ad-Aware and Spybot since they sometimes find stuff the other didn’t.
It has been five hours since I signed off with my dad. Hopefully there won’t be a Round 3!
Update!
Just received word from my dad:
After completing the scan of both the admin and non-admin accounts I’ve rambled around using both Explorer and Firefox and have encountered none of the annoying pop-ups. Will do more checking tomorrow. I’m optimistic that you’ve come up with the necessary fixes.
We’ll see what tomorrow brings. Keep your fingers crossed!
XP Antivirus 2008 and Antivirus 2009 are evil!
June 29, 2008
Wow! I just spent two hours on the phone and CoPilot with my dad to get one of his computers cleaned up. I’ve dealt with a couple of spyware infections in the past, but nothing as insidious as this. Fortunately my dad was suspicious enough to reach out for assistance before he really got took. Here is the re-cap:
I got this email from my dad earlier today:
Matt my desktop computer has been infected with Antivirus 2009. Do you have a recommendation for software to remove it? Spyware Hunter has been recommended but, at this point, I don’t trust anything. Dad
I’m glad that he was suspicious. After a little Googling on the key words from his message, I was suspicious. Here was my reply:
You are right. Searching on ‘antivirus 2009’ does seem to lead you to certain tools and seems to be very confusing. I suspect that this is itself part of the cycle. Something tells you that you have a virus and oh, by the way, try out my product.
Quick question: How do you know that your desktop has been infected? What application is telling you that? There are lots of sites that will pop up little windows telling you things like that in an effort to get you to click on them and then sell you a product. If your anti-virus/spy-ware application told you that it found a problem, I would suspect that they would also be capable of fixing it.
What I think you are dealing with is some type of spy-ware. Nothing malicious, just annoying. So, what you need is a spyware removal tool. Here is a link to download.com sorted by most popular: http://www.download.com/sort/3150-8022_4-0-1-4.html? As you can see, Ad-Aware and SpyBot are the two most popular, by far. I have used both in the past and would recommend them. I searched through the top 100 and couldn’t find Spyware Hunter anywhere in there. So, I suggest you stay clear.
I was kind of curious about how he was being informed of all of this information. Was it legitimately coming from his anti-virus app (McAfee) or through some other means? I was thinking that it was one of those annoying pop-up windows that I run across every now and then. You know the ones: Click here because your computer is out of date and is going to explode any second now! So, I followed up the email with a call.
After the normal chit-chat, we got around to the issue. He was saying that he was running into the messages all over the place. When he logs in, browsing the internet, Google, etc. I had to see for myself so I fired up CoPilot (it’s now free on the weekends, you know!). I told my dad to fire up IE (I know, they should be on Firefox but I haven’t wanted to go there yet) and go to copilot.com. He said that the site briefly flashed up but then was replaced by an IE warning message that said, "Visiting this web site may harm your computer!" WTF!
OK, so let’s do the run-around. How about we Google ‘copilot’ and then click the link? So we did that. This time my dad tells me that Google is giving him a message about his computer being unprotected/unregistered/whatever. Why/how does Google know? At this point, I was thinking that he was telling me about the warning/message bar that IE and FF now use to communicate to the user. Anyway, we finally get connected through CoPilot.
I won’t bore you with any more play-by-play but as soon as I got into IE, I could see that there were issues (you’ll see in just a second). He has McAfee and keeps it current so I wasn’t too worried about it being a virus. However, I’m pretty sure that he did not have any type of anti-spyware tools running on his system. So we were going to run out and download Lavasoft’s free Ad-Aware anti-spyware app. Here is what I ran into:
Interesting. I’ve never heard of Google Tips before (neither has Google). For the benefit of the search engines, here is what the tip says:
"Google has detected unregistered Antivirus 2009 copy on your computer. Google recommends you to activate Antivirus 2009 to protect your PC from malicious intrusions from the Internet."
However, I was pretty suspicious once I saw the URL that the whole box was linked to: microsoft.browserprotectioncenter.com. OK, we’ll ignore that for now and continue on to get Ad-Aware. So I clicked the link that you see below the Google Tips box. This is what we got back:
A couple things to point out:
- This appears to be the standard IE warning about malicious sites (I’m guessing. I’ve never actually run across it since I use FF (but not at work because we aren’t allowed - don’t ask)).
- The Lavasoft site page was briefly displayed before this was displayed.
- The url changed to about:blank.
- All three links list the same microsoft.browserprotectioncenter.com page.
- This was actually happening for a lot of pages, not just the Lavasoft page. I actually ran across this as soon as I got on his computer and it was the first thing that tipped me off that something was amiss.
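Two of the tells in that list can be checked mechanically: a trusted brand name sitting in front of an unrelated domain (microsoft.browserprotectioncenter.com is really browserprotectioncenter.com), and every link on the "warning" converging on that one host. The Python below is an added example, not code from the original post; the HTML it parses is constructed to mirror the fake IE warning described above, and only the domain name is taken from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brand names the rogue pages borrow (both appear in the post).
BRANDS = ("microsoft", "google")

# Constructed sample modelled on the fake IE warning described in the post:
# three links, all leading to the same lookalike host. The markup is made
# up for this example; only the domain name is taken from the post.
FAKE_WARNING_HTML = """
<h1>Visiting this web site may harm your computer!</h1>
<a href="http://microsoft.browserprotectioncenter.com/">Get protection</a>
<a href="http://microsoft.browserprotectioncenter.com/?src=tip">More information</a>
<a href="http://microsoft.browserprotectioncenter.com/activate">Activate now</a>
"""

class LinkCollector(HTMLParser):
    """Collect every href on the page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def registrable_domain(host):
    """Last two labels of the host. Adequate for .com; ccTLDs such as
    .co.uk need a public-suffix list (simplification for this example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def brand_as_subdomain(host):
    """Return the brand when it is only a subdomain label, as in
    microsoft.browserprotectioncenter.com: the registrable domain is
    browserprotectioncenter.com, which Microsoft does not control."""
    labels = host.lower().rstrip(".").split(".")
    for label in labels[:-2]:
        if label in BRANDS and labels[-2] != label:
            return label
    return None

def triage_lure_page(html):
    """Flag the two lure indicators from the post: a brand-as-subdomain host
    and every link on the page converging on one and the same host."""
    collector = LinkCollector()
    collector.feed(html)
    hosts = [urlsplit(h).hostname for h in collector.hrefs if urlsplit(h).hostname]
    return {
        "hosts": sorted(set(hosts)),
        "brand_lookalikes": sorted({h for h in hosts if brand_as_subdomain(h)}),
        "single_destination": len(hosts) > 1 and len(set(hosts)) == 1,
    }
```

Run `triage_lure_page(FAKE_WARNING_HTML)` to see both indicators fire on the sample; a legitimate Lavasoft download page would yield several distinct hosts and no lookalikes.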
Since the Lavasoft page briefly displayed, that suggested to me that it was still in the browser history. So I clicked Back. The Lavasoft page did display, but it was severely mangled.
Notice the yellow bar? Here is what it says:
The page you are opening is probably contains spyware, adware, etc.. Your system might be at risk, Click here to protect your system with Antivirus 2009.
Want to guess where the link goes? You got it! And guess what? We had to run the same gauntlet for each page we clicked on to try to download Ad-Aware. Once we got to the download, we were still hosed since the spyware seemed to have control over the pop-up window too. I had to drop back to my computer, download Ad-Aware, upload it to my FTP site, then go back on his computer and download from my FTP site. What a PITA!
So we finally fired up Ad-Aware and let it scan his system. When all was said and done, it found (sorry, no screenshots):
- 2 critical registry key entries
- 225 privacy cookies
We nuked them all. Ad-Aware needed to restart the computer in order to completely remove everything but we decided to check IE to see how it was doing. We were able to pull it up and access all of the previous pages without any of the issues! Yay!
Moral(s) of the story:
- Make sure your family and friends are running a reputable anti-spyware tool in addition to their anti-virus tool.
- Have your family and friends switch from IE to Firefox.
- Try to get them to run under the non-admin account (although this can cause problems with some apps).
- Tell them to trust their instinct when something doesn’t seem right.
- Take advantage of free CoPilot on the weekends. Thanks Joel!
- Make sure that at least one of your kids is technically-literate to bail you out when you can no longer keep up with technology.
Now if only we could get this to bubble up a little in the search engines to help other unsuspecting people. Spread the word with the Share This link below.
SpeedStream 5260 ADSL Ethernet Modem
June 28, 2008
Knock on wood. I probably shouldn’t be writing about this but I will anyway.
Since the family is out of town, I’m taking the opportunity to clean up my little corner of the computer/guest room and get rid of a few things. I found a box from the SBC DSL Fulfillment Center. Inside was the original box that my SpeedStream 5260 ADSL Ethernet Modem came in.
I agree. Who cares? The only reason I’m posting about it is because this thing is pretty old in terms of Internet years. The packing slip that came with the box is dated May 8th, 2000. Do the math. The modem is over eight years old now. I’ve been through a bunch of computers, monitors, routers, etc. in the past eight years. Good to see something last.
Is there an equivalent calculation for internet-to-human years like there is for dog-to-human years?