Any day you learn something new is a good day


Removing the XPAntivirus bug that's going around

posted: 18-Aug-2008 21:44

Five laptops in one week to remove this little darling from. My, people do click some funny emails.

To kill this wee beggar and its friends (from WinXP), do this; {I take no responsibility if you cabbage your PC though}

1) Scan the HD out of band if you can, i.e. remove it and use a USB-IDE/SATA adapter if you've got one, or build a BartPE CD with the latest version of ClamAV on it, boot from the CD and scan from that.

2) Once scanned out-of-band, boot back up into safe mode (press F8 repeatedly while turning the PC on).

3) Run regedit; navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

4) In here is an entry 'Userinit'. It should normally contain only 'C:\WINDOWS\system32\userinit.exe,' - if anything else is appended to that line, remove it from the entry and take the value back to the trailing ',' after userinit.exe.

5) Then go to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Back up this reg key and then clean out anything you think is remotely dodgy. Do the same for HKCU\Software\Microsoft\Windows\CurrentVersion\Run & HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run.

6) If you weren't able to log in during (2) as the first infected user, the above steps can be done as the local admin. Once these are done, to get into the other accounts (network ones) reboot and go into safe mode with networking. Then you can sign in as the network users and use regedit to clean out HKCU\Software\Microsoft\Windows\CurrentVersion\Run for each other affected user.

7) Now that the registry is clean, reboot into normal mode and run a local virus scan. You need to download and install Spybot 1.60 from www.safer-networking.org and let Spybot clean out some more crap from the registry.
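If you'd rather not eyeball steps 4 to 6 by hand in regedit, here's an added script (not from the original post) that backs up the keys with reg.exe first, checks Userinit against the stock value given above, and lists every Run entry in the three hives mentioned so you can decide what to delete. It assumes Windows PowerShell 2.0 or later in an elevated session and that userinit.exe lives at the path from step 4; the backup folder name is my own choice.

```powershell
# Added example: audit the Winlogon\Userinit value and the Run keys named in
# the post, backing each key up before anything is touched.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$RunKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$ExpectedUserinit = 'C:\WINDOWS\system32\userinit.exe,'   # stock value from step 4

# Step 5 says back the key up first: reg.exe export writes a .reg file that
# regedit can re-import if a removal turns out to be a mistake.
function Backup-RegKey {
    param([string]$PSPath, [string]$OutDir)
    $native = $PSPath -replace '^HKLM:', 'HKLM' -replace '^HKCU:', 'HKCU' -replace '^Registry::', ''
    $file = Join-Path $OutDir (($native -replace '[\\:]', '_') + '.reg')
    & reg.exe export $native $file /y | Out-Null
    return $file
}

# Step 4: Userinit must be exactly the stock value; anything appended after
# the trailing comma is an extra program being launched at every logon.
function Test-Userinit {
    $value = (Get-ItemProperty -Path $Winlogon -Name Userinit).Userinit
    if ($value -ne $ExpectedUserinit) {
        Write-Warning "Userinit is '$value' (expected '$ExpectedUserinit')"
        return $false
    }
    return $true
}

# Steps 5 and 6: list every Run entry with its command line for review.
function Get-RunEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

$backupDir = Join-Path $env:TEMP 'runkey-backup'   # assumed location
New-Item -ItemType Directory -Force -Path $backupDir | Out-Null
foreach ($k in $RunKeys + $Winlogon) { Backup-RegKey -PSPath $k -OutDir $backupDir }
Test-Userinit | Out-Null
Get-RunEntries | Format-Table Key, Name, Command -AutoSize
```

Run it once per affected account (the HKCU hive is whoever is logged in), and only delete entries after reading what the command line actually points at.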

Ta-Daa. Virus gone but not forgotten.

IMHO Symantec Enterprise 11 MR2 does a nice job of ferreting out the nasties out-of-band, and Spybot does a good job of the cleanup afterwards. AVG8 works OK in-band too, though I haven't had to use it in anger out-of-band yet.







Comment by garvani, on 19-Aug-2008 09:46

I've done at least 20 laptops this month already (have 2 on my desk at present). Different variations of it too: Vista Antivirus, XP Antivirus 2008 and 2009 and one other. I use 2 programs that remove it; they don't require too much effort on your behalf, just a bit of waiting time for the automated scans and removal.
Combofix (awesome awesome little program, this alone pretty much nukes it!) download
And Super Antispyware (I know, what a terrible name for an anti-malware program, but this really is the best program out there!) link
Any questions, pm me!


Author's note by nzsouthernman, on 19-Aug-2008 13:17

Excellent - I'll have to grab those tools and use them on the next infectee. Cheers!



nzsouthernman's profile: Dael, Christchurch, New Zealand