Author Topic: Need help cleaning up after a Christmas virus - Bah Humbug

datagirl

Need help cleaning up after a Christmas virus - Bah Humbug
« on: December 27, 2009, 01:25:13 pm »
Not the way I wanted to spend a holiday weekend. Sigh!

Windows XP SP2 or SP3.  I managed to kill the virus, which of course zaps all the restore points as its first order of business.  Somehow in the melee the program that allows changing the desktop background no longer works.  All the other desktop property settings update okay.  If I knew the name of the specific file(s) involved, I could overwrite the corrupt copy with a fresh one.  I really don't want to go through a full restore from old backup or a system recovery, if I can avoid that.

I'm researching this other places, but thought I'd ask here, too.

BTW, this was one of those viruses that pretends to be anti-virus software, so my unsuspecting hubby hit the panic button.  Hope the jerks that write these things got coal in their stockings... well that's the g-rated version of what I hope happens to them.

Ho, ho, ho.
-DG

Origisaurus

Ouch!
« Reply #1 on: December 27, 2009, 02:06:16 pm »
Closing the barn door after the horse is stolen, I think you will be most interested in a firewall, even if you already have M$ firewall.

I have been using Zone Alarm for several years, and only one virus has got through to be detected by a virus scan (which you should also consider).


Note the company name "Check Point".  There once was a borque in Michigan named "Checkpoint", and Check Point paid them big $$ to give up the name.  Last I looked they were called "Techpoint", the founder had retired leaving the son in charge, and somehow the smart daughter was nowhere to be seen.
Avatar is from the cover of the November 2007 National Geographic.  Fair use is assumed.

datagirl

re: Ouch!
« Reply #2 on: December 27, 2009, 02:43:46 pm »
Thanks, Dino.

I do have several products installed in memory that are updated and perform autoscans on a regular basis.  That's the thing, this virus very effectively mimics the real anti-malware warnings.

Happy New Year,
-DG


The Gorn

Question
« Reply #3 on: December 27, 2009, 02:46:36 pm »
Can you tell us the name of the site or company that it wants you to subscribe to, to "fix" this? Anything at all that identifies the source or whomever wants to be paid for a fix?

With that, maybe I can dig up some specific neutering information for this product.
Gornix is protected by the GPL. *

* Gorn Public License. Duplication by inferior sentient species prohibited.


The Gorn

This kind of experience tells me one thing that is important. It's saying that consumers should become increasingly gun-shy about buying products from small, relatively unknown vendors.

It seems like a miracle to me that enough people would trust some small vendors enough to even install a trial version of their application.

I think that eventually crap like this will lead to consolidation of the market for commercial software. Consumers will not trust anything unless it comes from a "name", like Microsoft, or Adobe, or Apple.


datagirl

re: Question
« Reply #5 on: December 27, 2009, 02:57:03 pm »
GB-

Hmm, I'll have to see if I can come up with anything, having been busy getting rid of it.  I do remember a splash screen that looked a lot like MS Windows products with a name like 'Internet Security 2010' - which was a flag for me.  None of our installed software has 2010 in the name.

Except for this one issue with the desktop properties, I think I've got it handled.

Thanks,
-DG




The Gorn

I found this
« Reply #6 on: December 27, 2009, 03:08:08 pm »
Instructions for removing a rogue AV package named 'Internet Security 2010'.

It has specific removal instructions. It also has a link to something that will remove this package. I'd probably do it the manual way, myself. (I mean, what are they thinking...)

I wonder if it's anything like Weight Gain 4000, hmmm...

http://www.2-spyware.com/remove-internet-security-2010.html
« Last Edit: December 27, 2009, 03:11:26 pm by G0ddard B0lt »


Origisaurus

Quote from: G0ddard B0lt
I think that eventually crap like this will lead to consolidation of the market for commercial software. Consumers will not trust anything unless it comes from a "name", like Microsoft, or Adobe, or Apple.

Or a business opportunity.  "Guaranteed virus-free!  Download through us."  Also, sign up mISVs to allow a downloading intermediary.  No doubt some wrinkles to iron out, but remember you heard it here first!  

The Gorn

Need help cleaning up after a Christmas virus - Bah Humbug
« Reply #8 on: December 27, 2009, 03:58:24 pm »
Quote from: Origisaurus
Or a business opportunity. "Guaranteed virus-free! Download through us." Also, sign up mISVs to allow a downloading intermediary. No doubt some wrinkles to iron out, but remember you heard it here first!
That's exactly what I mean, BUT - you hear of iStore, Apple's one stop shop for iPhone, iPod, applications, music?

Microsoft could do exactly the same thing with Windows apps. The only reason they don't is probably anti-trust implications.

I believe that there is no market space for a small start up in this niche. I'm saying that most consumers who choose safety over innovation or functionality are going to want to patronize large, and not small or unknown, companies as intermediaries.


DarkHumour

I've seen something like this bloody thing...
« Reply #9 on: December 28, 2009, 05:11:11 pm »
Manual method; your mileage may vary.

I found it was loading at startup.  It didn't load while in safe mode.  You can remove it from loading using msconfig at the run line (and other junk too).

My manual method was to either do this in safe mode or from a bart/winpe boot cd.

Find all the files that begin with a number and end with .exe,
e.g. 0*.exe, 1*.exe, 2*.exe (and so on)

by going to c:\  and typing  dir 0*.exe /s  (and waiting to see what appears).

Navigate to those folders and delete those *.exe files.  I haven't seen anything legit with a file name like 0998877.exe yet (and you could try something like del 0*.exe /s, but just in case I prefer navigating).

I didn't clean up any registry entries caused by this crapware as it was a courtesy fix both times.

Spybot or other programs should function properly after that and clean out the remnants.



The worst spyware I ever dealt with (edit) was G-Buster ...and that is a legit tool and required in order to interface online with certain South American banks.  Horribly written software that is next to impossible to remove completely.


DarkHumour

(Edit: was actually 2008. Time flies.)
« Last Edit: December 29, 2009, 01:59:15 pm by DarkHumour »
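The sweep DarkHumour describes (walk the whole drive, list every executable whose name is nothing but digits, then deal with them by hand rather than with a blind `del 0*.exe /s`) as an added example, not DarkHumour's own code or anything from the rogue-AV removal page. It builds a constructed sample tree in a temp directory, reports the candidates, and moves them to a quarantine folder instead of deleting, so a false positive can be put back. The directory names and file names in the sample tree are made up for the demo.

```python
"""Added example (not DarkHumour's code): find numerically named .exe files
under a root, report them, and quarantine rather than delete.
The sample tree built by build_sample_tree() is constructed for the demo."""
import os
import re
import shutil
import tempfile

# The pattern from the post: base name is all digits, extension is .exe
NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)


def find_numeric_exes(root):
    """Walk root (like 'dir 0*.exe /s', but for every leading digit at once)
    and return the full paths of files whose name is all digits plus .exe,
    sorted so the output is stable."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if NUMERIC_EXE.match(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def report(root):
    """Base names of the candidates; the caller decides what to do with them."""
    return [os.path.basename(p) for p in find_numeric_exes(root)]


def quarantine(paths, dest):
    """Move candidates into dest (created if needed) instead of deleting them.
    Returns the new paths so the move can be reversed if a file turns out
    to be legitimate."""
    os.makedirs(dest, exist_ok=True)
    moved = []
    for path in paths:
        target = os.path.join(dest, os.path.basename(path))
        shutil.move(path, target)
        moved.append(target)
    return moved


def build_sample_tree():
    """Constructed sample: two suspicious names and two ordinary ones,
    laid out like a Windows XP drive. Contents are a placeholder 'MZ' header."""
    root = tempfile.mkdtemp(prefix="rogueav_demo_")
    layout = [
        os.path.join("Documents and Settings", "user", "Local Settings", "Temp", "0998877.exe"),
        os.path.join("Program Files", "IS2010", "12345.exe"),          # constructed rogue-AV dir
        os.path.join("WINDOWS", "system32", "notepad.exe"),             # legit, must not match
        os.path.join("Program Files", "Tool", "tool2010.exe"),          # digits but not all digits
    ]
    for rel in layout:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"MZ")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_numeric_exes(sample_root):
        print(hit)
    moved = quarantine(find_numeric_exes(sample_root), tempfile.mkdtemp(prefix="quarantine_"))
    print("quarantined:", moved)
```

Run it against a real root (`C:\` from a Safe Mode or WinPE boot, as the post suggests) by replacing the sample tree with that path; review the list before quarantining, since the all-digits rule is a heuristic, not a signature.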

datagirl

re: I found this
« Reply #10 on: December 28, 2009, 05:21:52 pm »
Thanks, GB.

This is a great checklist of manual steps, most of which I had already done.  Our family SOP is to unplug the CPU from the DSL modem so the stinkin' virus can't phone home.  Makes clean up a lot easier.

-DG



DarkHumour

mvps.org - hosts file
« Reply #11 on: December 29, 2009, 01:58:26 pm »
I think that these guys update a custom hosts file that helps out a lot with 'phoning home' issues as well.

http://www.mvps.org/winhelp2002/hosts.htm
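A custom hosts file blocks "phoning home" by mapping known bad host names to a non-routable address, so a lookup from the infected box never reaches the real server. The following added example (not code from mvps.org) parses entries in that format and answers whether a given host name is sinkholed; the sample lines and host names are constructed, not taken from the real list.

```python
"""Added example (not mvps.org's code): parse hosts-file entries and report
which names are sinkholed to a non-routable address.
SAMPLE_HOSTS is constructed for the demo."""
import ipaddress

# Constructed sample in the MVPS layout; these names are not real
SAMPLE_HOSTS = """\
# constructed sample, not the real MVPS list
127.0.0.1 localhost
0.0.0.0 updates.example-rogueav.test   # trailing comments are allowed
0.0.0.0 www.example-rogueav.test
0.0.0.0 billing.example-rogueav.test
93.184.216.34 real.example.test
not-an-address broken.example.test
"""

# Addresses commonly used to blackhole a name in a hosts file
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Return {hostname: address} for every valid entry.
    Blank lines, full-line and trailing comments are ignored; a line whose
    first token is not an IP address is skipped; a name that appears more
    than once keeps its first address (this example's choice)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed address, skip the line
        for name in fields[1:]:
            mapping.setdefault(name.lower(), addr)
    return mapping


def is_sinkholed(mapping, hostname):
    """True when hostname is mapped to a sinkhole address."""
    addr = mapping.get(hostname.lower())
    return addr is not None and addr in SINKHOLE_ADDRS


def sinkholed_hosts(mapping):
    """Sorted list of every name the file blackholes (localhost excluded,
    since 127.0.0.1 localhost is the normal entry, not a block)."""
    return sorted(name for name, addr in mapping.items()
                  if addr in SINKHOLE_ADDRS and name != "localhost")


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in sinkholed_hosts(hosts):
        print("blocked:", name)
    print(is_sinkholed(hosts, "Updates.Example-RogueAV.test"))
```

A hosts file only helps for names it already lists and only while the file itself is intact; malware running with administrator rights can edit or replace it, so unplugging the box from the modem, as datagirl does, remains the more reliable way to stop it calling out during cleanup.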

