AntiSpyware2009

Terry

I have two machines XP Pro that are infected with Antispyware2009. One of the
machines has the application Antispyware Pro XP on it but did not remove the
infection.

I heard of MalwareBytes but have not tried it.

Has anyone else experienced this, how can I remove Antispyware2009?
 
David H. Lipman

From: "Terry" <[email protected]>

| I have two machines XP Pro that are infected with Antispyware2009. One of the
| machines has the application Antispyware Pro XP on it but did not remove the
| infection.

| I heard of MalwareBytes but have not tried it.

| Has anyone else experienced this, how can I remove Antispyware2009?


Yes. MBAM - MalwareBytes AntiMalware.
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

Back it up with SuperAntiSpyware
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
 
Mike Hall - MVP

Terry said:
| I have two machines XP Pro that are infected with Antispyware2009. One of the
| machines has the application Antispyware Pro XP on it but did not remove the
| infection.

| I heard of MalwareBytes but have not tried it.

| Has anyone else experienced this, how can I remove Antispyware2009?


Malwarebytes works well but will need help. David Lipman suggests backing it
up with SUPERAntispyware. You might also want to consider SpyBot S&D 1.6..
 
Danno

I have this nasty virus on my computer. I d/l MalwareBytes, but AS2009
won't let me run the file to set it up. Not only that, but AS2009 is
apparently blocking the currently installed SpyBot & AdAware. It does this
in Normal, Safe, or Command Prompt mode. In the process of trying to get
rid of it, the wireless card became invisible to the computer/device
manager. Don't know if I blocked the wireless or AS2009 did.

I'm open to any and all suggestions. I was wondering if I could boot from a
CD into DOS and run an anti-virus program from there? But how to do this,
or what program to use is beyond me.

Help!!!

Dan K Hacker
 
Terry

The Malwarebytes worked; everything seems to be ok. I actually tried SpyBot S&D
first and it did not remove it. All other times Spybot worked.
 
Mike Hall - MVP

Terry said:
| The Malwarebytes worked; everything seems to be ok. I actually tried SpyBot S&D
| first and it did not remove it. All other times Spybot worked.


Invariably, one needs to run two or more anti-spyware programs in order to
see all of the crap gone..
 
Terry

Dan,
My situation does not seem as bad as yours. I can only offer that I saw
PCTools has an antispyware they say works but it costs.

Maybe someone else can help better. I do know MalwareBytes helped me.
Terry
 
1PW

| I have this nasty virus on my computer. I d/l MalwareBytes, but AS2009
| won't let me run the file to set it up. Not only that, but AS2009 is
| apparently blocking the currently installed SpyBot & AdAware. It does
| this in Normal, Safe, or Command Prompt mode. In the process of trying
| to get rid of it, the wireless card became invisible to the
| computer/device manager. Don't know if I blocked the wireless or AS2009
| did.

| I'm open to any and all suggestions. I was wondering if I could boot
| from a CD into DOS and run an anti-virus program from there? But how to
| do this, or what program to use is beyond me.

| Help!!!

| Dan K Hacker

Hello Dan:

Although of little consequence to you, Antispyware 2009 is rogue
antispyware and not a virus.

We will have to assume that although you downloaded mbam-setup.exe, you
were unable to launch/install it. This is characteristic of the malware
you are up against. The standard way of countering this is to rename
mbam-setup.exe to something very improbable. e.g. abcdef.exe

Now run the MBAM setup (abcdef.exe). If this went well, allow MBAM to
run as below. If you have lost the ability to "see" the internet, let's
hope that you have installed MBAM version 1.33 which would have a very
recent database. If instead version 1.32 was installed, you have two
choices:

Run 'as is' without updating the database, or use another computer to
obtain the latest database from:

<http://www.gt500.org/malwarebytes/mbam-rules.exe>

Of course it's best to have the very latest database.

"Sneakernet" the mbam-rules.exe to the infected computer(s).

Execute mbam-rules.exe so as to update MBAM's database. Now launch the
previously installed mbam.exe and run the scanner in quick scan:

<http://www.bleepingcomputer.com/malware-removal/remove-xp-antispyware-2009>

If you regain your ability to "see" the internet, follow-up with another
*updated* full scan and then run an updated SUPERAntiSpyware (SAS).

If all this failed, you are probably looking at a "level and rebuild"
situation from your backups.

Let us know how this worked for you. Best wishes.

Pete
 
Danno

Bless you my child for you are kind to the weak and ignorant.

I think the info you gave me might do the trick. I was wondering how this
thing knew what to block. Doh! A blacklist, or in this case would it be a
white list, or maybe a grey list. The renaming trick may allow me to run
the .exe files for the other scan & repair programs that I have.

BTW, I did know that it wasn't a true virus. But I was just lazy, I prefer
to call programs like AS2009 "scareware." If you don't install me, horrible
things will happen to you.

Also, the computer isn't one of mine. It belongs to a friend, whose
security habits aren't as strenuous as mine.

The only bit of advice that you gave me that I didn't like was that "level
and rebuild." I hate doing that. I have backups, but guess who doesn't.
That's right, my friend.

Thx a bunch,
Danno
 
Danno

Can you burn your candle at both ends?

Seriously, it seems that I have gotten rid of the "scare ware." Boy, you
wouldn't believe all the nasty files and registry keys that were there and
SpyBot had missed them!! Since I'm having to sneaker net all the latest
signature files to the scanning programs, it will be awhile before I can be
certain that I've gotten rid of everything.

I still have one problem that has several components. Here's where burning
the candle at both ends comes in. The laptop still does not recognize the
wireless card. Another component of this problem is that most of Control
Panel is not working. If I could run Add Hardware it might take of the
problem. Another component is that Device Manager shows nothing. Again, if
Device Manager saw a problem device, I could easily fix it.

If you, or someone else, has some suggestions I'm all ears. Isn't there a
way to run the Control Panel applets from the Run command. I looked for
.cpl files and couldn't figure out how to use them.


Again thanks for your help.
Danno

BTW, you might be interested in how I renamed the files that I needed to
run. Going to the appropriate directory, I simply used the Copy (the .exe
file) and Pasted it back into the same directory. This gave me a new .exe
file named "Copy of PROGRAM.exe." I liked this because I ran the smallest
possibility of forgetting the name of the original program, and when I need
to restore it, I simply used the Rename command and deleted the "Copy of"
portion of the new file name.
 
David H. Lipman

From: "Danno" <[email protected]>

| Can you burn your candle at both ends?

| Seriously, it seems that I have gotten rid of the "scare ware." Boy, you
| wouldn't believe all the nasty files and registry keys that were there and
| SpyBot had missed them!! Since I'm having to sneaker net all the latest
| signature files to the scanning programs, it will be awhile before I can be
| certain that I've gotten rid of everything.

| I still have one problem that has several components. Here's where burning
| the candle at both ends comes in. The laptop still does not recognize the
| wireless card. Another component of this problem is that most of Control
| Panel is not working. If I could run Add Hardware it might take of the
| problem. Another component is that Device Manager shows nothing. Again, if
| Device Manager saw a problem device, I could easily fix it.

| If you, or someone else, has some suggestions I'm all ears. Isn't there a
| way to run the Control Panel applets from the Run command. I looked for
| .cpl files and couldn't figure out how to use them.


| Again thanks for your help.
| Danno

| BTW, you might be interested in how I renamed the files that I needed to
| run. Going to the appropriate directory, I simply used the Copy (the .exe
| file) and Pasted it back into the same directory. This gave me a new .exe
| file named "Copy of PROGRAM.exe." I liked this because I ran the smallest
| possibility of forgetting the name of the original program, and when I need
| to restore it, I simply used the Rename command and deleted the "Copy of"
| portion of the new file name.

Run Regedit and go to:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system

Set NoDispCPL equal to 0 if it is set to 1.
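
Added example, not part of the original thread: a PowerShell script that lists every value under the policy key named above together with its registry type, and resets `NoDispCPL` only when it is a DWORD set to 1. It assumes PowerShell is installed on the machine and that `NoDispCPL` is the DWORD value Group Policy writes; the helper name `Get-PolicyValue` and the `-Fix` switch are made up for the example.

```powershell
# Added example (not from the thread). Read-only unless -Fix is given.
param([switch]$Fix)

$keyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Hypothetical helper: return name, registry type and data of every value in a key.
function Get-PolicyValue {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return }
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        New-Object PSObject -Property @{
            Name = $name
            Kind = $key.GetValueKind($name)    # DWord, String, ...
            Data = $key.GetValue($name)
        }
    }
}

$values = @(Get-PolicyValue -Path $keyPath)
if ($values.Count -eq 0) {
    Write-Output "No values under $keyPath."
    return
}

# Show everything that is set, so unexpected restrictions are visible too.
$values | Format-Table Name, Kind, Data -AutoSize | Out-String | Write-Output

$entry = $values | Where-Object { $_.Name -eq 'NoDispCPL' }
if (-not $entry) {
    Write-Output 'NoDispCPL is not present.'
} elseif ($entry.Kind -ne 'DWord') {
    # Report a value created with another type instead of overwriting it.
    Write-Output "NoDispCPL exists as $($entry.Kind); Group Policy writes it as a DWORD."
} elseif ($entry.Data -eq 1 -and $Fix) {
    Set-ItemProperty -Path $keyPath -Name 'NoDispCPL' -Value 0
    Write-Output 'NoDispCPL reset from 1 to 0.'
} else {
    Write-Output "NoDispCPL = $($entry.Data)"
}
```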
 
Danno

I didn't find any such entry in the registry. On a lark, I tried adding the
entry, but I wasn't certain whether to enter it as a Dword, String value,
etc.

I ported over SpyBot and MalwareBytes. SpyBot ran fine, still finding
malware. But now MalwareBytes has nothing but garbage where ANY printing
would normally be. It's like trying to view binary code in Notepad. I tried
reinstalling it from 3 different copies and nothing worked. I even tried to
install it in French, but no dice. It is even garbled on the RC context
menu.

I still can't get Device Manager to work, nor most of the applets in Control
Panel. They appear, they just won't open. Remove Programs works fine, Add
Hardware doesn't.

Fellas, I need help,
Danno
 
Danno

BTW, SpyBot and MalwareBytes both reported my attempt at a registry entry as
malware. I ran MB, by guess.


Thanks,
Danno
 
1PW

| BTW, SpyBot and MalwareBytes both reported my attempt at a registry
| entry as malware. I ran MB, by guess.


| Thanks,
| Danno

Hello Dan:

At this point, I believe the kindest thing you can do for your
girlfriend's system is to preserve as many data/document files as
possible and follow with a flatten and rebuild.

Too many system files seem to have been compromised. The risk/benefit
ratio no longer appears on your side. Hopefully the girlfriend will
learn from this.

You fought a good fight...

Pete
 
Danno

GIRLFRIEND?!?!

If I had a girlfriend, my wife would have a hissy, or perhaps a kitten.
This is a sales colleague's computer.

I think I may have found the problem. Almost all of the Services have been
disabled. On an XP Media Center system, are there any services that
*really* should be disabled? I'm not looking for performance at the moment;
I'm trying to restore as much functionality as possible.

I HATE reformat and reinstall. Nobody has the backups they should, and I've
never had one go halfway smooth.

But many thanks,
Danno
 
1PW

| GIRLFRIEND?!?!

| If I had a girlfriend, my wife would have a hissy, or perhaps a kitten.
| This is a sales colleague's computer.

I apologize for my misstatement. I confused this thread with another.

| I think I may have found the problem. Almost all of the Services have
| been disabled. On an XP Media Center system, are there any services
| that *really* should be disabled? I'm not looking for performance at
| the moment; I'm trying to restore as much functionality as possible.

| I HATE reformat and reinstall. Nobody has the backups they should, and
| I've never had one go halfway smooth.

| But many thanks,
| Danno

Best wishes to you.
 
Danno

Hooray!!!!!

Apparently the "scareware" itself, or via another file it downloaded, had
disabled 905%+ of the services. Just enough left to boot up. Through
several steps, I finally settled on changing almost all of the disabled
services to Automatic. Now the machine runs fine. Maybe 95% of the way it
was before the malware.

Thanks to all the help from the NG. Malware Bytes played a key role in the
repair.

Anyone have any idea why the text in MWB looks like binary code displayed in
a word processor? I have Removed, reinstalled, installed over the existing
installation, and downloaded from different sites to be sure I had a good
installation program. Very vexing.


Danno
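
Added example, not part of the original thread: the post above describes malware disabling most services and the repair of switching almost all of them to Automatic. This PowerShell block compares a machine's service start modes against a list exported from a clean machine, so that only the changed services are touched and anything absent from the baseline stands out. It assumes such a baseline from the same Windows edition is available; the function name `Compare-ServiceStartMode` is made up for the example and the service lists are constructed sample data.

```powershell
# Added example (not from the thread). Service names and start modes in the
# two CSV blocks are constructed sample data, not taken from any real machine.

# Hypothetical helper: report services whose start mode differs from the baseline.
function Compare-ServiceStartMode {
    param([object[]]$Baseline, [object[]]$Current)
    $expected = @{}
    foreach ($svc in $Baseline) { $expected[$svc.Name] = $svc.StartMode }
    foreach ($svc in $Current) {
        if (-not $expected.ContainsKey($svc.Name)) {
            $want = '(not in baseline)'      # service added since the baseline
        } else {
            $want = $expected[$svc.Name]
        }
        if ($want -ne $svc.StartMode) {
            New-Object PSObject -Property @{
                Name = $svc.Name; Expected = $want; Actual = $svc.StartMode
            }
        }
    }
}

# On real machines both lists would come from:
#   Get-WmiObject Win32_Service | Select-Object Name, StartMode
$baseline = @'
Name,StartMode
PlugPlay,Auto
WZCSVC,Auto
Dhcp,Auto
TlntSvr,Disabled
'@ | ConvertFrom-Csv

$current = @'
Name,StartMode
PlugPlay,Disabled
WZCSVC,Disabled
Dhcp,Auto
TlntSvr,Auto
ExampleSvc,Auto
'@ | ConvertFrom-Csv

# Lists PlugPlay, WZCSVC, TlntSvr and ExampleSvc; Dhcp matches and is omitted.
Compare-ServiceStartMode -Baseline $baseline -Current $current |
    Select-Object Name, Expected, Actual |
    Format-Table -AutoSize
```

The comparison reports differences in both directions, so a service that was Disabled on the clean machine and is now Auto is listed alongside the ones the malware turned off.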
 
