Antivirus XP 2008


J-Mag
07-18-08, 07:14 PM
Has anyone here experienced this nasty bugger? I've seen it pop up on two of my friends' rigs (both were using unpatched I.E., so big surprise) and every time I seem to successfully remove it, they end up calling me the next day... So far I have disconnected their internet access, rebooted to safe mode, installed copies of Malwarebytes and Spybot with their current updates from a CD, then ran them both, booted into normal mode and re-ran both applications, manually removed any registry keys I could obviously tell were not normal, and deleted any file folders and their contents that I knew were related to the keys. Yesterday I had to bail, so I told him to reconnect his net and update his OS and then re-run both anti-malware apps. It seems like every time they use the net they still get re-infected, even though I installed FF 3.

I forgot to check for SP3 installation (they are both on XP), but I would assume the automatic updates would take care of that...

At this point I would just format my rig, but it's not an option for them. BTW, their system restore is useless as it won't let you pick restore dates.

Serrasalmus
07-18-08, 07:41 PM
I've dealt with that one; it leaves stuff in the system restore and makes the points useless. I tried to clean it but ended up doing a low-level and a fresh Windows...

J-Mag
07-18-08, 08:01 PM
> I've dealt with that one; it leaves stuff in the system restore and makes the points useless. I tried to clean it but ended up doing a low-level and a fresh Windows...

Yeah after the first re-infection that was my primary suggestion, but of course he has a $3k piece of property management software where the disks are MIA and my other buddy doesn't even have his restore CDs for his laptop!

Serrasalmus
07-18-08, 08:03 PM
ouch

Sazar
07-18-08, 08:17 PM
> Has anyone here experienced this nasty bugger? I've seen it pop up on two of my friends' rigs (both were using unpatched I.E., so big surprise) and every time I seem to successfully remove it, they end up calling me the next day... So far I have disconnected their internet access, rebooted to safe mode, installed copies of Malwarebytes and Spybot with their current updates from a CD, then ran them both, booted into normal mode and re-ran both applications, manually removed any registry keys I could obviously tell were not normal, and deleted any file folders and their contents that I knew were related to the keys. Yesterday I had to bail, so I told him to reconnect his net and update his OS and then re-run both anti-malware apps. It seems like every time they use the net they still get re-infected, even though I installed FF 3.
>
> I forgot to check for SP3 installation (they are both on XP), but I would assume the automatic updates would take care of that...
>
> At this point I would just format my rig, but it's not an option for them. BTW, their system restore is useless as it won't let you pick restore dates.

Doing a little research online, it appears to be an executable file that you run from a site such as pornotube :eek:

Anyhoo, if you look on your C: drive there should be some .dll files that have randomly appeared. And if you were running FF at the time, it will essentially execute when they run FF.

Removing the .dlls will help and, if you are running Vista, apparently Windows Defender takes care of everything for you.

Read this thread as it deals with this issue quite well (I think the 3rd post?). Was one of the threads I found myself on while on my Google journey :D

http://answers.yahoo.com/question/index?qid=20070525125433AABuwNU

Good news is this seems relatively harmless, if annoying, and a complete reformat may not be needed.

Another thread.

http://www.xp-vista.com/spyware-removal/xp-antivirus-2008-removal-instructions-xp-antivirus-2008

-edit-

Another little bit.

> To get rid of it I typed 'regedit' at the run command, then opened 'hkey current user, software' and deleted 'xpantivirus'. Then typed msconfig at the run command. Went to startup and unchecked 'xpa'. Then went to C:\program files and found xpantivirus and deleted it. This took care of it for me. Give this a try.
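
A read-only triage script for the locations named in this thread, added here as an example; it is not from the thread or from any of the linked tools. It assumes the 'xpantivirus' / 'xpa' names and the Program Files path quoted above, treats the msconfig startup entries as the usual HKCU/HKLM Run keys, and uses an arbitrary 14-day window for the "randomly appeared" DLLs in the root of C:. It reports only and deletes nothing, so you can compare what it finds against what Malwarebytes and Spybot report before removing anything by hand.

```powershell
# Added example: report indicators the thread describes; no deletion.
# Assumed names/paths come from the quoted removal steps; $RecentDays is constructed.
param([int]$RecentDays = 14)

$findings = New-Object System.Collections.Generic.List[string]

# 1) Registry key the quoted post deletes by hand: HKCU\Software\xpantivirus
foreach ($k in (Get-ChildItem 'HKCU:\Software' -ErrorAction SilentlyContinue)) {
    if ($k.PSChildName -match 'xpantivirus|^xpa$') {
        $findings.Add("Registry key: $($k.Name)")
    }
}

# 2) msconfig's Startup tab is fed from the Run keys; look for the 'xpa' entry
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($rk in $runKeys) {
    $props = Get-ItemProperty $rk -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^xpa' -or "$($p.Value)" -match 'xpantivirus') {
            $findings.Add("Run entry: $rk\$($p.Name) = $($p.Value)")
        }
    }
}

# 3) Program folder the quoted post deletes
$pf = Join-Path $env:ProgramFiles 'xpantivirus'
if (Test-Path $pf) { $findings.Add("Folder: $pf") }

# 4) Renamed variants: DLLs recently dropped in the root of C:\ (per the posts above)
$cutoff = (Get-Date).AddDays(-$RecentDays)
foreach ($f in (Get-ChildItem 'C:\' -Filter '*.dll' -Force -ErrorAction SilentlyContinue)) {
    if (-not $f.PSIsContainer -and $f.CreationTime -gt $cutoff) {
        $findings.Add("Recent DLL in C:\ root: $($f.FullName) (created $($f.CreationTime))")
    }
}

if ($findings.Count -eq 0) {
    'No indicators found in the checked locations.'
} else {
    foreach ($line in $findings) { "FOUND  $line" }
}
```

Run it from an elevated PowerShell as the affected user so the HKCU checks look at the right hive; the Run-key and root-of-C:\ checks are the ones that still apply when the files have been renamed.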

J-Mag
07-18-08, 08:53 PM
> Doing a little research online, it appears to be an executable file that you run from a site such as pornotube :eek:


Hahaha! Yeah, I have been doing a lot of file searching on his drive or run commands from the start menu and I end up seeing pron links and files frequently. It's weird when they are watching over your shoulder!


> Removing the .dlls will help and, if you are running Vista, apparently Windows Defender takes care of everything for you.


Unfortunately they have contracted different versions than the ones in the XP-Vista link. This trojan likes to rename its files regularly. Right now it looks like they are using a random scramble for their file names.


> Read this thread as it deals with this issue quite well (I think the 3rd post?). Was one of the threads I found myself on while on my Google journey :D
>
> http://answers.yahoo.com/question/index?qid=20070525125433AABuwNU


Thanks I'll check out this thread.


> Good news is this seems relatively harmless, if annoying, and a complete reformat may not be needed.


Yeah, it's not dangerous, but he has a 7-year-old rig so it lags like crazy unless in safe mode.

Starscream
07-18-08, 10:46 PM
Combofix and Smitfraudfix.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

http://siri.geekstogo.com/

EDIT - Run both in safe mode.