If you see the above message popping up on your system, you most certainly do. The creators of Antivirus 2008 have updated their system of delivering fraudulent and inaccurate alerts to users around the world, following up their 2008 money maker with Antivirus 2009:
We've been watching users get slammed by (and TF-protected from) another set of phony codec files, like "codecpack.v.1.0.0.exe", or after its download, "codecpack.v.1.0.0[1].exe". These files kick off the first of the inaccurate warnings like the ones above and download additional content. We're seeing downloads and execution of "AV2009Install_77040502.exe", leading to a slew of phony detections and messages. Don't bother paying to clean up your system with these guys. And to persist on the system, they often cannot be removed using the standard Windows Add/Remove Programs control panel applet -- there is no uninstall listing.
And don't believe the pop-up warnings like "Adult content traces found on your PC". They display warnings of adult content that is not present on our lab system as well, listing links to adult sites that do not exist:
Update (8.16.2008): Bill Mullins provides his readers with some great cleanup advice, including SmitFraudFix. You might try SpywareDoctor's cleanup capabilities too.
Update (8.19.2008): Researcher and consultant Dancho Danchev posts an exhaustive list of this group's rogueware URLs in his "Diverse Portfolio" typo-squatting postings.
11 comments:
I hit the same issue today. Generally my laptop is clean because I have a pretty good anti-virus installed.
Anyways, I couldn't wait for the full scan to complete. Started googling.
I actually started inspecting the processes running, using Process Explorer.
Found the following processes to be fishy, 7F.tmp and 7D.tmp.exe. Did some research online. Moved them to a different directory and restarted my machine. And the icon on the task bar was gone. Stopped getting the popups.
Anyways, this solved the problem. Now I will anyways do an overnight scan to confirm it.
Hey Saurav-
Thanks for your comment. Unfortunately, we've seen that same filename (7.tmp) used by a zbot variant recently, which can have some pretty bad implications. Be sure to scan your system, and look for any directories with "wsnpoem" in them.
Hopefully, 7.tmp really is just a temp file used by the downloader/fakealert on your system.
Thanks again!
I'd like to know, if possible, what measures the research team has in mind against these types of threats. From what I've seen these trojans often exhibit very little in terms of behavior, leaving very little traces for a behavior blocker like TF to detect.
Thanks.
I had the same issue before and managed to completely remove the darn thing...
but it's popped up again today and I really don't know what to do... sometimes they ask me to install Antivirus 2009... and sometimes another name like PersonalAntiSpy, etc.
Please help... it's annoying and I can't get any work done. Thanks.
Go to Start > Run > msconfig > Startup > uncheck a startup item called just "a".
The red icon must not appear anymore.
vicente
I think you should try Start > Run > msconfig > Startup and uncheck the "a"; the security message disappeared.
Thanks, regards
JABS SITA KZN
I do not know that much about computers, but I tried the example that vicente posted, and when I ran the msconfig it stated that it could not find the file. Any other suggestions?
This is something I found, and it got rid of the problem; hope it will help as much as it helped me. Pay attention to how to find the file and how to delete it. Oh, by the way, if you also have a file under the name xxx8227, you should also delete it the same way you deleted xxx41.
Overview
xxx41.exe is a malware-associated executable file. Legitimate executable files are used to launch programs in Windows. Malware-associated executable files are automatically run from registry autorun locations and the Windows startup folder to execute malicious code.
Location of xxx41.exe and Associated Malware
Check whether xxx41.exe is present in the following locations:
C:\Documents and Settings\UserName\Local Settings\Temp\xxx41.exe
If you find xxx41.exe in these locations, your computer is very likely to be infected with the following malware:
Win32.ExpDwnldr
Notes:
You can check if xxx41.exe is associated with the malware listed above by running a free scan in Exterminate It!.
You can easily remove all the files listed above with Exterminate It!.
IMPORTANT: Malware files can be camouflaged with the same file names as legitimate files. The xxx41.exe file is associated with malware only if found in the locations listed above.
Why Is It Important to Remove Malware Files?
It is imperative that you delete malware-associated files as soon as possible because they can be used - or are already being used - to inflict serious damage on your PC, including:
Disrupting the normal functioning of the operating system or rendering it completely useless.
Hijacking valuable private information (credit card numbers, passwords, PIN codes, etc.)
Directing all your Web searches to the same unwanted or malicious sites.
Dramatically slowing down your computer.
Gaining total control of your PC to spread viruses and trojans and send out spam.
How to Remove xxx41.exe
To enable deleting the xxx41.exe file, terminate the associated process in the Task Manager as follows:
Right-click in the Windows taskbar (a bar that appears along the bottom of the Windows screen) and select Task Manager on the menu.
In the Task Manager window, click the Processes tab.
On the Processes tab, select xxx41.exe and click End Process.
Using your file explorer, browse to the file using the paths listed in Location of xxx41.exe and Associated Malware.
Select the file and press SHIFT+Delete on the keyboard.
Click Yes in the confirm deletion dialog box.
Repeat steps 2-4 for each location listed in Location of xxx41.exe and Associated Malware.
Notes:
The deletion of xxx41.exe will fail if it is locked; that is, it is in use by some application (Windows will display a corresponding message). For instructions on deleting locked files, see Deleting Locked Files.
The deletion of xxx41.exe will fail if your Windows uses the NT File System (NTFS) and you have no write rights for the file. Request your system administrator to grant you write rights for the file.
Delete xxx41.exe Automatically.
Deleting Locked Files
You can delete locked files with the RemoveOnReboot utility. You can install the RemoveOnReboot utility from here.
After you delete a locked file, you need to delete all the references to the file in Windows registry.
To delete a locked file:
Right-click on the file and select Send To -> Remove on Next Reboot on the menu.
Restart your computer.
The file will be deleted on restart.
Note: In the case of complex viruses that can replicate themselves, malware files can reappear in the same locations even after you have deleted those files and restarted your computer. Exterminate It! can effectively eradicate such viruses from your computer.
To remove all registry references to a malware file:
On the Windows Start menu, click Run.
In the Open box, type regedit and click OK. The Registry Editor window opens.
On the Edit menu, select Find.
In the Find dialog box, type FILENAME. The name of the first found registry value referencing xxx41.exe is highlighted in the right pane of the Registry Editor window.
Right-click the registry value name and select Delete on the menu.
Click Yes in the Confirm Value Delete dialog box.
To delete all other references to xxx41.exe, repeat steps 4-6.
IMPORTANT: Malware files can masquerade as legitimate files by using the same file names. To avoid deleting a harmless file, ensure that the Value column for the registry value displays exactly one of the paths listed in Location of xxx41.exe and Associated Malware.
Hi!
I had the same problem. I went into my temp folder: c:/documents and settings/user/local settings/temp
There I looked at every file that was created that day when the messages started to appear; in my case that was 10 December 2008, 13:35.
There were a lot of these files, like: a, b, c, d, e, f, ... and they were all .exe files.
I deleted them all. I even had to kill some processes in Task Manager. Success, it worked.
Just look for strange names of folders and delete them.
I got the problem last night around 9pm. Driving me nuts. Since I've had McAfee, I really haven't had to worry about viruses and such on my computer. I'm a little computer savvy, but not enough to try and follow some of these rather complicated methods for deleting this thing. It is gone, so far. And seemed to be rather simple.
I opened my task manager, and selected the "processes" tab. Right at the very top was a process that was open which was ~tmpb.exe . I didn't want to go deleting things that I didn't know what they were. So, I went to start and Search. I typed in the file name, and it came up under "documents and settings" like a previous post mentioned. I right clicked on it, and found that it was "created" right when all this B.S. started. So, I "ended the process" in the task manager. And then right click and "deleted" it from the search result. SO far it has worked. It took the icon away instantly. If it comes back, I'll probably go look for another file just the same. Good luck.
Yeah, it came back. Is there any way in the world to get some program to remove these things for free? What good is a "free scan" if you have to pay for them to be removed. I will not pay for one of them programs, whether someone swears it works or not. I just won't. But, manually, just really isn't gonna work, plus will take SO long. I'd love it if there was actually a way to just get rid of this stupid thing.
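Several of the comments above (the pasted xxx41.exe removal guide, the Temp-folder sweep dated 10 December 2008, and the ~tmpb.exe Task Manager hunt) describe the same manual triage: find recently created executables in the user's Temp folder, find running processes launched from there, and find the autorun registry values and Startup-folder entries that bring them back after a reboot. The PowerShell script below does that sweep in one pass. It is an added example, not code from the original post, from ThreatFire, or from any commenter; it assumes Windows PowerShell 3.0 or later (Get-FileHash needs 4.0) run as the affected user, and the script name, the -Since cutoff and the -Names list are operator-supplied assumptions rather than values from the page. It only reports; it deletes nothing.

```powershell
<#
  Added triage script (hypothetical name: Find-RogueArtifacts.ps1); not from the
  original post, ThreatFire, or any commenter. Assumes Windows PowerShell 3.0+
  (Get-FileHash needs 4.0) run as the affected user. Report-only: nothing is deleted.
#>
param(
    [datetime] $Since = (Get-Date).AddDays(-1),   # report executables created after this time
    [string[]] $Names = @()                       # file names to hunt for, e.g. 'xxx41.exe'
)

$findings = New-Object 'System.Collections.Generic.List[object]'

function Add-Finding([string] $Kind, [string] $Where, [string] $Detail) {
    $findings.Add([pscustomobject] @{ Kind = $Kind; Where = $Where; Detail = $Detail })
}

# Matches both "...\Local Settings\Temp\..." (XP) and "...\AppData\Local\Temp\..." (Vista+).
$tempPattern = '\\Temp\\'

# 1. Recently created executables in %TEMP% (commenters found a.exe, 7D.tmp.exe, ~tmpb.exe there).
Get-ChildItem -Path $env:TEMP -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { ($_.Extension -in @('.exe', '.tmp', '.dll', '.scr')) -and ($_.CreationTime -ge $Since) } |
    ForEach-Object {
        $hash = 'n/a'   # hash lets you look the sample up or submit it without copying the file around
        try { $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash } catch { }
        Add-Finding 'TempExecutable' $_.FullName ('created {0:u} sha256={1}' -f $_.CreationTime, $hash)
    }

# 2. Running processes whose image lives under Temp (the Task Manager check from the comments).
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -match $tempPattern) } |
    ForEach-Object { Add-Finding 'ProcessFromTemp' ('{0} (PID {1})' -f $_.ProcessName, $_.Id) $_.Path }

# 3. Autorun registry values: flag any whose command line points into Temp or names a hunted file.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $values) { continue }
    foreach ($v in $values.PSObject.Properties) {
        if ($v.Name -in $metaProps) { continue }   # provider metadata, not real registry values
        $cmd = [string] $v.Value
        $hitsName = [bool] ($Names | Where-Object { $cmd -match [regex]::Escape($_) })
        if (($cmd -match $tempPattern) -or $hitsName) {
            Add-Finding 'AutorunValue' ('{0}\{1}' -f $key, $v.Name) $cmd
        }
    }
}

# 4. List every Startup-folder entry; the rogue's single-letter "a" entry stands out on review.
foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'StartupFolder' $_.FullName ('created {0:u}' -f $_.CreationTime) }
}

$findings | Sort-Object Kind, Where | Format-Table -AutoSize -Wrap
```

Run it from an ordinary PowerShell prompt as the affected user, for example `.\Find-RogueArtifacts.ps1 -Since '2008-12-10 13:35' -Names 'xxx41.exe','xxx8227.exe'`, using the time the pop-ups started as the cutoff. An entry is worth acting on only when two findings corroborate each other, such as a TempExecutable created at the onset time that is also referenced by an AutorunValue; a lone Temp file is often just a legitimate installer's leftover, which is the same caveat the pasted guide makes about checking the exact path before deleting anything.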