AntiVirus XP observations

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by SWario, Aug 20, 2008.

  1. SWario

    SWario Sergeant

    To chaslang et al:

    I don't know for sure if any of this is absolutely correct, but I have noticed some patterns after reading through several AntiVirus XP threads here and after dealing with it on my friend's computer. I thought that this information might be useful to you Malware fighters here at MajorGeeks.

    1. AntiVirus XP also seems to be accompanied by claims of BSOD. However, on my friend's computer, I observed that this "BSOD" was ACTUALLY just a "Blue Screen of Death" Screen Saver. It will probably produce such error messages as "BAD_POOL_ERROR", "BOGUS_DRIVER", or "PANIC_SWITCH". The one I observed was the Sysinternals Fake BSOD Screen Saver:
      Code:
      NotHarmful.Sysinternals Bluescreen Screen Saver
          C:\WINDOWS\SYSTEM32\BLPHCLTQJ0ERCR.SCR
          C:\WINDOWS\SYSTEM32\BLPHCLTQJ0ERCR.SCR
    2. After running SUPERAntiSpyware (SAS), computers seem to lose the ability to run explorer.exe, even if the file is still present on the hard drive. I verified explorer.exe's location and presence using the NT CMD application on the computer I was cleaning. Attempting to launch explorer.exe in any fashion results in an error message:
      Code:
      (paraphrased from memory) "Cannot find or recognize explorer.exe"
      Many users panic at this point, especially when trying to launch SAS results in nothing happening. For some reason, at least on the systems I've worked on, SAS will not launch the fully visible program window automatically, but instead, it will open in the system tray. Double-clicking the SAS icon in the system tray will open the GUI, but if explorer.exe has not and cannot launch, you cannot do this. However, you CAN force the program to appear by running it twice. After it has been run the first time, simply use Task Manager to run the task again, and the GUI will appear. I don't know what causes explorer.exe to malfunction though. It was not shown to be deleted as malware in my SAS log.
    3. After running SAS and restarting, a wallpaper featuring a picture of an Antivirus XP warning window may appear. This, combined with explorer.exe not running, confuses some users into thinking that their computer has frozen since they cannot close the "window" and nothing else appears.
      Code:
      C:\WINDOWS\system32\phcltqj0ercr.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    4. This may be unrelated, but the computer with AntiVirus XP that I was working on infected my USB thumb drive. Given that other infections appeared to be present on the system, I cannot reliably declare AntiVirus XP as the culprit, but it is something to consider:
      Code:
      Virus or unwanted program 'TR/Gernid.C.5 [trojan]'
      detected in file 'F:\system.exe.
      Action performed: Deny access

    Given these commonalities and the large number of AntiVirus XP infections occurring, I think that it might be useful to write a sticky addressing some of these points. This might be helpful for those users that get stuck after running SAS, and keeping those users from getting stuck partway through the README would enable them to get from infected to clean quicker.

    I hope that this information can be helpful to you.
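    As an added, read-only triage script (not from this thread or from any of the tools mentioned in it), the following checks the three symptoms described above on the affected machine: the configured screen saver (the SCRNSAVE.EXE value under HKCU\Control Panel\Desktop), the current wallpaper (the Wallpaper value in the same key), and whether explorer.exe is still on disk. The "random-looking name" test is an assumed heuristic based on the file names quoted above, not a rule from the thread.

```powershell
# Added triage script: confirms the symptoms described in the post without
# changing anything. Run in PowerShell on the affected machine.
$desktop = 'HKCU:\Control Panel\Desktop'
$sys32   = Join-Path $env:WINDIR 'system32'

# Symptom 1: the "BSOD" is only a screen saver. SCRNSAVE.EXE holds the
# configured saver; a saver in system32 with a random-looking name (like
# blphcltqj0ercr.scr) is worth checking. The name test is a heuristic.
$scr = (Get-ItemProperty -Path $desktop -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
if ($scr) {
    $name = [IO.Path]::GetFileNameWithoutExtension($scr)
    $suspicious = ($scr -like "$sys32\*") -and ($name -match '^[a-z0-9]{10,}$')
    if ($suspicious) { "Screen saver: $scr  <-- check this file" }
    else             { "Screen saver: $scr" }
} else {
    'Screen saver: none configured'
}

# Symptom 3: wallpaper replaced by a fake warning bitmap dropped in system32
# (the post quotes C:\WINDOWS\system32\phcltqj0ercr.bmp).
$wall = (Get-ItemProperty -Path $desktop -ErrorAction SilentlyContinue).Wallpaper
if ($wall -and ($wall -like "$sys32\*.bmp")) {
    "Wallpaper: $wall  <-- bitmap in system32, unusual for a user wallpaper"
} elseif ($wall) {
    "Wallpaper: $wall"
} else {
    'Wallpaper: none'
}

# Symptom 2: explorer.exe is still present on disk even though it will not
# launch, so report its size and timestamp rather than assuming it was deleted.
$explorer = Join-Path $env:WINDIR 'explorer.exe'
if (Test-Path $explorer) {
    $fi = Get-Item $explorer
    "explorer.exe present: $($fi.Length) bytes, modified $($fi.LastWriteTime)"
} else {
    'explorer.exe MISSING from the Windows directory'
}
```

Any path the script flags should be submitted to the scan log rather than deleted by hand, since the screen saver in item 1 is a benign Sysinternals file and only its placement and name are suspicious.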
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, we have seen all of this. What you mentioned in item # 4 is not related from what we have seen. The observation with SAS is probably not really a problem. Any scanner that is run first could cause the same issue if anything is being removed. I have been discussing this exact issue with the creator of SUPERAntiSpyware.

    This malware has evolved over the last few weeks and is causing significantly more problems now than before. In the first couple of weeks, the READ & RUN ME almost always removed it completely with maybe just minor items remaining. Now it appears that the infection has become more insidious and has hooked into the OS quite differently.

    At this point a sticky would not be of much use since we are seeing different results on computers. The issue with Windows Explorer not loading is the most recent change and I still don't know what the exact cause is. Nor do I know the fix yet. I'm guessing it may be something in the registry since the file is there and it does not appear to have been changed.
     
  3. SWario

    SWario Sergeant

    Yes, I suspected that #4 was not related, but it was better to mention it than to not mention it in case I was wrong.

    #3 and #1 are really more minor problems, though if users knew that this might happen, it would make them more informed and perhaps less likely to panic and stop their repair procedures. #1 especially, since most users mistake it for an ACTUAL blue screen.

    #2 is more serious, but I was more concerned with users stopping the README procedure than whether or not explorer.exe was actually gone. I was thinking more to instruct users to continue opening applications from Task Manager until they've completed the README. The only problems that I think they would run into here are:
    1. SAS currently needs to be run twice to force the application to appear visible.
    2. Any drag-and-drop procedures with ComboFix

    Copy-and-paste instructions for running ComboFix with scripts from the command line would be helpful. Since BleepingComputer hosts these instructions, perhaps you could pass this along to them? Their instructions are also a bit outdated. As an example, the icon pictured in their instructions does not match the current icon being used by ComboFix.

    In any case, as I said, I hope that this dialogue can be helpful to you and your colleagues. Oh, and since some malware authors/distributors may read these forums, feel free to bury this thread when it has finished its usefulness.
     
