Antivirus Xp 2008, Antivirus Xp 2009 - Recent Trojan Threat - find symptoms and fix

I've been meaning to write this post for days but the days just got away from me.

Recently I've subjected my personal laptop for this malware which was downloaded to my clients email. The email client was Google Apps (Gmail) and the sender was from a known contact. However the beginning, the issue is that this Trojan was downloaded even through FireFox 2.0.0.16 and passed Google Apps filter. I was also told that some websites contain scripts to disable firewall and download malware without the computer user's knowledge.

The final product is called Antivirus XP 2008 and here are the symptoms: 1) you will immediately notice that your firewall is disabled 2) background has changed 3) cannot change your background 4) cannot change your screensaver 5) cannot launch Control Panel to do anything 6) cannot launch normal programs 7) cannot launch CMD or any command programs 8) cannot launch regedit 9) cannot clean spyware(s) that keeps on spawning 10) your typical antivirus does not show any alert.

The names of malware are different but they all reside under

C:\Windows\system32\lph*********.exe
C:\Windows\system32\*ph****.BMP
C:\Windows\system32\ntos.exe
C:\Windows\system32\wsnpoem\*
C:\Documents and Settings\LocalService\Application Data\wsnpoem\audio.dll
C:\Documents and Settings\NetworkService\Application Data\wsnpoem\audio.dll

It is still unclear to me if two applications are working together (wsnpoem, ntos and lph********.exe a.k.a. a.exe). But the solution I found was able to clear my laptop from the hijacked stage.

Trojan types reported

lph**********.exe | Trojan horse SHeur.CDRG
ntos.exe | Trojan horse PSW.Generic6.YTJ

Download SDFix.exe (also attached at the bottom of this post).

How to use SDFix

Download SDFix and extract. I recommend that you unzip and unpack (self extracting EXE file--this board will not let just EXE file to be posted) on your desktop. You will be running this fix under the SAFE mode. So it's better to have it where it can be located quick and fast.

Restart your machine and enter SAFE mode. To enter SAFE mode, simply hold down F8 during the restart. You will hear continuous beeping sound but I suggest you hold it until you see the Windows start up option screen. Select SAFE MODE.

Once you start in SAFE mode, go to the SDFix folder and double click to run RunThis.bat. A command prompt will open and will take about 10 minutes to do its own thing. Once the registry is clear from the Trojan it will ask you to restart the machine. Follow the on-screen instruction. Once restarted SDFix will run once again. This will take another 10~20 minutes. A message will appear at the end of the clean up showing Report.txt as a log. No need to save since it saves and displays at the same time.

You should be clear from this Trojan. Enable your firewall, run your usual spyware remover and virus remover.

Key registries affected by Antivirus XP 2008

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\
parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\
parameters\firewallpolicy\domainprofile\authorizedapplications\list]

SDFix file
[attachment=1281:SDFix.zip]

UPDATE
============================================================================
Direct download for latest patch from original source
http://downloads.andymanchesta.com/Removal...DFix_ReadMe.htm

 

 

 

Comment/Reply (w/o sign-up)

Will this Trojan attack Linux machines? Do we need to stay away from Google Apps? Any idea how wide spread this Trojan is at present?

Comment/Reply (w/o sign-up)

Only Microsoft Windows from 95 upwards by the looks of it. Another win for Linux! Although, I guess you could run it under WINE if you want



Same caution as with all emails. According to Symantec it has to be manually downloaded and installed, so just be your usual wary self and don't download random stuff. It's not specific to Google Apps, but I'm surprised they're not filtering it out.



Fairly widespread according to Symantec.

 

 

 

Comment/Reply (w/o sign-up)

AAh so this trojan got upgraded then because I have gotten its older brother a few times and so I just go into safe mode find the program in the win32 folder delete it and then run my computer with spybot and McAfee. So it seems that this exe pokes around in more files then the older version. Of course the quickest way to know that you got this trojan installed is opening Task Manager and you should see lph*********.exe running. I agree with rvalkass that this trojan won't affect Linux since it is windows specific or rather XP specific.

Comment/Reply (w/o sign-up)

Oh great lol. I use Windows XP Home Edition, and I've had this trickster before. Quite so hard to remove aswell, especially when you don't have a good Anti-Virus.
AVG, Kaspersky, BitDefender, and them are rubbish. I need a GOOD Anti-Virus. Can anyone also find me one?

@ Michael: Yeah. It has a brother in It's infected family of code

Thanks Buffalo! I shall keep a look at with these things.
-Sky

Comment/Reply (w/o sign-up)

Well its not that those anti-viruses don't work its just that some trojans are design to sneak in behind the scenes and so regardless if the major software has patches and what not to find them and delete them. So the only way to remove them is the old fashion way of finding the files and then delete them; however, that were most non tech people think a small program that removes these things will work but instead just add to the problem and what not.

Comment/Reply (w/o sign-up)

Has anyone tried NOD32 to whack it?

Comment/Reply (w/o sign-up)

Thanks Buffalo, Its there in one of My College's computer. I'll try to remove it . Ppl at my college actually used to think that its an Antivirus .. LOL. .. Any Idea if this can be manually removed using 'HijackThis' to remove the registry entries and then delete the files manually ??

Can this trojan spread through pen drives ?

I am using Norton Inernet security 2007 on a Laptop and it has a lot of sensitive data that I cant risk loosing. Will this pass through that also ?

Comment/Reply (w/o sign-up)

Trojan virus EVERYWHERE!
Antivirus Xp 2008 - Recent Trojan Threat

Hi!
Please help!!

I have one of these trojan things currently killing my laptop and I have no clue how to get rid of it. I have AVG 7.5 anti virus software but it doesn't delete it, it just puts it in the virus vault & the folder it originates from can't be deleted...And I think there are many of the little buggers because there are many folder with weird names, but I don't want to delete them just incase they are important & not meant to be deleted! Everytime I switch the laptop on another one slips through the net! HELP!

Can someone please tell me (in very plain english) how to fix this!!

Thanks :o)

P.S I have tried to do a system restore but it won't restore to any date other than the date I got the trojan & I've even played around in safe mode but I still can't delete the folders! HELP ME!

-reply by sweetie

Comment/Reply (w/o sign-up)

Help with removing a Trojan
Antivirus Xp 2008 - Recent Trojan Threat

Replying to BuffaloHELP
Hi BuffaloHELP,
I found your post on the web and I have a Trojan that will not go away. I ran anti virus and tried manually removing suspicious files in safe mode as well as backing up to an earlier date. Still no dice. Your link for the SDFix file is not working for me. I figure I ought to try whatever I can to fix my computer before biting the bullet and bringing it somewhere to be formatted. :-( Can you re-link the SDFix?

-reply by Eilean

Comment/Reply (w/o sign-up)