Any day you learn something new is a good day

Removing the XPAntivirus bug that's going around

Posted by nzsouthernman, 18-Aug-2008 21:44

Five laptops in one week to remove this little darling from. My, people do click some funny emails.

To kill this wee beggar and its friends (from WinXP), do this. {I take no responsibility if you cabbage your PC, though.}

1) Scan the hard disk out of band if you can, i.e. pull the drive and hang it off a USB-IDE/SATA adapter if you've got one, or build a BartPE CD with the latest version of ClamAV on it, boot from the CD and scan from there. The point of scanning from a separate, clean environment is that nothing from the infected Windows install is running while the scanner looks at the disk.

2) Once scanned out-of-band, put the disk back and boot into Safe Mode (press F8 repeatedly while turning the PC on).

3) Run regedit and navigate to HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

4) In here is an entry 'Userinit'. It should normally contain only 'C:\WINDOWS\system32\userinit.exe,' (note the trailing comma: the value is a comma-separated list of programs Winlogon starts at logon, and the rogue appends its own executable to that list so it runs with every user's session). If anything else is appended to that line, delete it and take the value back to the trailing ',' after userinit.exe. Leave the stock userinit.exe entry itself alone; with an empty or wrong Userinit, nobody can log in at all.

5) Then go to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. Back this key up first (File > Export in regedit) and then clean out anything that looks remotely dodgy. Do the same for HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run.

6) If you couldn't log in during (2) as the first infected user, the steps above can be done as the local admin. Once they are done, to get at the other (network/domain) accounts, reboot into Safe Mode with Networking, sign in as each network user in turn and use regedit to clean out HKCU\Software\Microsoft\Windows\CurrentVersion\Run for each affected user.

7) Now that the registry is clean, reboot into normal mode and run a local virus scan. You also need to download and install Spybot 1.60 and let Spybot clean some more crap out of the registry.

Ta-Daa. Virus gone but not forgotten.
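As an added example (not the post author's code), here is a small Python script that does the checks from steps 4 and 5 against the .reg backup you export in step 5, so it can be run from the clean machine you scan from rather than from inside the infected install. It parses the export, reports anything appended to Userinit beyond the stock userinit.exe entry, and flags Run entries (in HKLM, HKCU, HKEY_USERS\.Default or any HKEY_USERS\<SID> key, which covers the per-user cleanup in step 6) whose executable lives under a user profile or temp directory. The sample export at the bottom is constructed for the demo; the "placeholder-rogue.exe" name and its paths are made-up placeholders, not real indicators. The heuristic does not replace step 5's "remotely dodgy" eyeballing, it just puts the obvious candidates at the top of the list.

```python
"""Audit a regedit .reg export for the logon-persistence entries the post cleans by hand.

Added example, not the post author's code. Works on the backup taken in step 5
(File > Export in regedit). The sample export below is constructed for the demo;
the rogue's file name and paths in it are placeholders, not real indicators.
"""
import re

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"

# Run entries whose executable lives in one of these places get flagged for review;
# legitimate software normally starts from Program Files or %SystemRoot%.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\appdata\\")

# A value line: "name"=data or @=data (default value).
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg string escaping: \\ stands for a backslash, \" for a quote.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path_lowercase: {value_name: data}} for string (REG_SZ) values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line) if current else None
        if not m:
            continue  # dword:/hex: data and their continuation lines carry no command line
        name = "(default)" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
    return keys


def _get(values, name):
    """Case-insensitive value lookup; registry value names are not case-sensitive."""
    for k, v in values.items():
        if k.lower() == name.lower():
            return v
    return ""


def stock_userinit(systemroot=r"C:\WINDOWS"):
    """The only thing Userinit should contain, trailing comma included (step 4)."""
    return systemroot + r"\system32\userinit.exe,"


def userinit_extras(keys, systemroot=r"C:\WINDOWS"):
    """Everything in Userinit other than the stock entry; an empty list means clean."""
    value = _get(keys.get(WINLOGON_KEY, {}), "Userinit")
    expected = stock_userinit(systemroot).rstrip(",").lower()
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower() != expected]


def command_path(cmd):
    """Executable path from a Run value: the quoted part, or the text up to the first .exe/.com/... token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif|vbs|js))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def run_entries(keys):
    """(key, value_name, command) for every Run key in the export, whichever hive it sits under."""
    return [(key, name, cmd) for key, values in keys.items() if key.endswith(RUN_KEY_SUFFIX)
            for name, cmd in values.items()]


def suspicious_run_entries(keys):
    """Run entries worth a hard look before deleting (step 5); a heuristic, not a verdict."""
    flagged = []
    for key, name, cmd in run_entries(keys):
        exe = command_path(cmd)
        if any(d in exe.lower() for d in SUSPECT_DIRS):
            flagged.append((key, name, exe))
    return flagged


# Constructed sample export: one appended Userinit entry and two Run entries that start
# from a user profile, next to stock entries. All names and paths are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\Documents and Settings\\user\\Local Settings\\Temp\\placeholder-rogue.exe,"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe /quiet"
"PlaceholderRogue"="\"C:\\Documents and Settings\\user\\Local Settings\\Temp\\placeholder-rogue.exe\" /start"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"PlaceholderRogueUser"="C:\\Documents and Settings\\user\\Application Data\\placeholder-rogue.exe"
'''

if __name__ == "__main__":
    keys = parse_reg_export(SAMPLE_EXPORT)
    print("Userinit should be:", stock_userinit())
    for extra in userinit_extras(keys):
        print("  appended to Userinit, remove:", extra)
    for key, name, exe in suspicious_run_entries(keys):
        print("  review Run entry %s in %s -> %s" % (name, key, exe))
```

To run it against a real export, feed `parse_reg_export()` the file contents instead of the sample; note that regedit writes "Version 5.00" exports as UTF-16, so read them with `open(path, encoding="utf-16")`. If the machine's Windows lives somewhere other than C:\WINDOWS, pass that as `systemroot` so the stock entry is not itself reported as an extra.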

IMHO Symantec Enterprise 11 MR2 does a nice job of ferreting out the nasties out-of-band, and Spybot does a good job of the cleanup afterwards. AVG8 works OK in-band too, though I haven't had to use it in anger out-of-band yet.


Comment by garvani, on 19-Aug-2008 09:46

I've done at least 20 laptops this month already (have 2 on my desk at present). Different variations of it too: Vista Antivirus, XP Antivirus 2008 and 2009 and one other. I use 2 programs that remove it; they don't require too much effort on your behalf, just a bit of waiting time for the automated scans and removal.
Combofix (awesome awesome little program, this alone pretty much nukes it!)
And Super Antispyware (I know, what a terrible name for an anti-malware program, but this really is the best program out there!)
Any questions, PM me!

Author's note by nzsouthernman, on 19-Aug-2008 13:17

Excellent - I'll have to grab those tools and use them on the next infectee. Cheers!
