Antivirus XP 2008 – Is It For Real?

Posted on September 6, 2008 by Jim Walton

Have you seen a pop-up or an e-mail prompting you to download a program called Antivirus XP 2008? It looks legitimate, and for the uninformed it seems like the wise thing to do. However, it is bogus. What it is doing is tricking you into thinking you have a virus and need this software to clean it. The ultimate goal of this type of attack is to get your money: not to steal it from you behind your back, but to prompt you to hand it over. According to the message you are given, you need to buy their legitimate-looking product to clean the virus. CA explains it best here in their Security Advisor:

The most recent, and unfortunately most prolific, rogue security product to be installed is “Antivirus XP 2008”, but that could change. Past downloads have included rogue security products like Antivirus 2009, WinFixer 2006 and Malware Protector 2008. Most variants hijack the user’s desktop and screensaver. They also use what look like legitimate Windows alerts (balloon windows), but are actually fake alerts, to scare the user into thinking they are infected with spyware. Unfortunately, the actual infection is FakeAlert and related components. The same alerts offer a remedy to the infection, a rogue security product, that will remove the “spyware” for a fee. The entire scheme is meant to get your money. All components need to be removed to neutralize the threat.

I have heard of many instances of this virus popping up and it’s an easy sell, apparently, especially if you know you have let your anti-virus subscription lag or don’t even have AV.  My pastor got it and I just finished cleaning his laptop up last night.  There are basically 2 fixes:

  • Make several registry edits, deleting several values that were added
  • Re-image your hard drive (reformat and reinstall Windows)

Doing anything with the registry is somewhat tricky and not for the faint of heart; if you don’t know what the registry is, then don’t go there (unless you want to learn and can follow some simple instructions). Just know that you may end up at the second fix above if you are not careful.

Here’s CA’s step by step instruction to clean this bad boy up:

This threat alters the user’s desktop and registry. To restore the system’s background and screensaver, the user has to manually edit the registry as below after performing a full scan with CA Anti-Spyware:
Warning: CA encourages users to back up their registry before making any changes. To back up the registry, please refer to Microsoft’s page here. The registry is critical to the proper function of the operating system and incorrect changes can result in a variety of problems like the loss of data, dysfunctional programs, etc.

1. Click Start
2. Click Run
3. Type regedit
4. Click OK.
5. Navigate to the following registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Delete the following registry values under this subkey:

• “NoDispBackgroundPage”
• “NoDispScrSavPage”

6. Navigate to and delete the following registry subkey:

HKEY_CURRENT_USER\Software\Sysinternals\Bluescreen Screen Saver

7. Navigate to the following registry key:

HKEY_CURRENT_USER\Control Panel\Colors

And set the value data of the following value to null by clicking on it and deleting its contents:

“Background”

8. Exit the Registry Editor.
After performing the above steps, the Desktop and Screen Saver tabs should be visible in Display Properties window (Right click on desktop and then click on Properties from Context Menu). From here, the user can restore any previous wallpaper/screensaver settings.
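The same eight steps, as an added PowerShell example that is not part of this post or of CA’s advisory. It audits the four registry locations the advisory names before touching anything, exports the affected keys with reg.exe as the backup the advisory asks for, and only then removes the two policy values, deletes the Sysinternals screensaver key and blanks the Background value. Function names, the backup folder and the -WhatIf preview are my own choices; the key and value names are exactly those listed above. Note that a clean Windows install also stores a colour string in Control Panel\Colors\Background, so that value by itself is not a sign of infection; it is only step 7’s cleanup once the other indicators are present.

```powershell
# Added example (not CA's or the post author's code): audit, back up and revert
# the HKCU registry changes listed in the advisory. Run it in the affected
# user's own session (the keys are per-user), after a full anti-malware scan.

$PolicyKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyValues   = @('NoDispBackgroundPage', 'NoDispScrSavPage')
$ScreensaverKey = 'HKCU:\Software\Sysinternals\Bluescreen Screen Saver'
$ColorsKey      = 'HKCU:\Control Panel\Colors'
$ColorsValue    = 'Background'

function Test-FakeAlertRegistry {
    # Reports each indicator from the advisory as present or absent; changes nothing.
    $findings = @()
    foreach ($name in $PolicyValues) {
        $present = (Test-Path $PolicyKey) -and
                   ($null -ne (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue))
        $findings += [pscustomobject]@{ Indicator = "$PolicyKey\$name"; Present = $present }
    }
    $findings += [pscustomobject]@{ Indicator = $ScreensaverKey; Present = (Test-Path $ScreensaverKey) }
    # Background is normally populated on a clean system, so it is reported, not flagged.
    $bg = (Get-ItemProperty -Path $ColorsKey -Name $ColorsValue -ErrorAction SilentlyContinue).$ColorsValue
    $findings += [pscustomobject]@{ Indicator = "$ColorsKey\$ColorsValue (non-empty)"; Present = -not [string]::IsNullOrEmpty($bg) }
    return $findings
}

function Backup-FakeAlertRegistry {
    # Exports each affected key that exists to .reg files (the backup the advisory requires).
    param([string]$Folder = (Join-Path $env:TEMP 'fakealert-reg-backup'))   # assumed location
    New-Item -ItemType Directory -Path $Folder -Force | Out-Null
    $i = 0
    foreach ($key in @($PolicyKey, $ScreensaverKey, $ColorsKey)) {
        if (Test-Path $key) {
            $i++
            $regPath = $key -replace '^HKCU:', 'HKCU'          # reg.exe wants HKCU\..., not HKCU:\...
            & reg.exe export $regPath (Join-Path $Folder "key$i.reg")
        }
    }
    return $Folder
}

function Repair-FakeAlertRegistry {
    # Applies steps 5 to 7 of the advisory. Supports -WhatIf so the changes can be previewed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($name in $PolicyValues) {
        if ((Test-Path $PolicyKey) -and
            ($null -ne (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue))) {
            if ($PSCmdlet.ShouldProcess("$PolicyKey\$name", 'Remove value')) {
                Remove-ItemProperty -Path $PolicyKey -Name $name
            }
        }
    }
    if (Test-Path $ScreensaverKey) {
        if ($PSCmdlet.ShouldProcess($ScreensaverKey, 'Delete subkey')) {
            Remove-Item -Path $ScreensaverKey -Recurse
        }
    }
    if (Test-Path $ColorsKey) {
        if ($PSCmdlet.ShouldProcess("$ColorsKey\$ColorsValue", 'Set value data to empty')) {
            Set-ItemProperty -Path $ColorsKey -Name $ColorsValue -Value ''
        }
    }
}

# Usage: audit, back up, preview, then apply.
Test-FakeAlertRegistry | Format-Table -AutoSize
Backup-FakeAlertRegistry
Repair-FakeAlertRegistry -WhatIf
# Repair-FakeAlertRegistry
```

After the repair, the Desktop and Screen Saver tabs should reappear in Display Properties as the advisory says; if the audit still shows a policy value present after a reboot, something is still running and re-adding it, which is the signal to go back to the scan (or to the re-image option above) rather than keep editing the registry.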

This threat is not self-replicating and must be manually installed, which occurs when you opt in to use or buy their AV software. It sure is making the rounds though.

Have you had a run in with Antivirus XP 2008 yet?


Comments


10 Responses to “Antivirus XP 2008 – Is It For Real?”

  1. David Szpunar on September 6th, 2008 7:28 pm

    I helped a friend get rid of this a couple of months ago, or something almost exactly the same. It’s nasty! I was able to use the Malwarebytes.org free anti-malware scanner and that cleaned it up really well. But I still reformatted after all just to be sure, it was such bad stuff! Bugged you about buying it every 15 seconds in about 5 different ways. Locked Task Manager from running (“administrator has blocked access to this feature”…right…).

  2. Stuart Dyckhoff on September 7th, 2008 3:18 am

    I’m constantly amazed (I know I shouldn’t be) at the folks that fall into these traps – but am at a complete loss for folks who continue to surf without any protection – lapsed or not!

  3. Church Techy » Blog Archive » Security 101 on September 7th, 2008 4:03 am

    [...] post about over at Church Tech Matters about the bogus security software Antivirus XP 2008 has set me to thinking – [...]

  4. Ernie Stevenson on September 7th, 2008 8:10 am

    Thanks for the post Jim! I have received many calls about this.

  5. Kirk on September 7th, 2008 9:33 am

    Two members of our pastoral staff got hit by it a few weeks ago. The fake “CNN News Alert” email was the gateway for installing it. It was quite a nasty one, but luckily we were able to alert the rest of the staff.

  6. Clif Guy on September 7th, 2008 7:06 pm

    Yes, sadly I have seen it. Malwarebytes cleaned it right up.

  7. Darrell Jordan on September 7th, 2008 8:50 pm

    Glad to see some good stuff about Malwarebytes. I saw some sites mention it when I was researching the XP Antivirus online but didn’t know if it was legit or not. Too many incorrect ways of fixing stuff online anymore. Some are just as bad as XP antivirus.

    dj

  8. J.C. Jennings on September 8th, 2008 1:20 pm

    yup, 1 machine so far. I just did the quick fix, re-image. Start clean.

  9. Steve Mahnke on September 12th, 2008 7:21 am

    I actually just got through fixing the second computer with this on it. Not too bad of a deal to fix, but it is an annoying problem with all of the popups. I used Malwarebytes to clean it up, but I did follow through in the registry and remove things too. There were still references in startup in MsConfig left over. Reimage and reinstall is probably the right thing to do, but that makes people really nervous. Instead of that, I just buy a new hard drive and reinstall on it, that way everything is still on the old.

  10. Joey B on September 22nd, 2008 8:34 am

    THANK YOU!!!! This worked perfectly!!!! I have my screensaver options back where they belong!!!