More on Antivirus XP 2008
Had another user who had been infected by the Antivirus XP 2008 malware. I noticed they had both hit the same website at least once, myspacecdn.com; I haven’t checked it yet as I don’t have a machine handy that I can blow out, so I will have to check it later. The main install file seems to be ccwjgn.dll, which gets run from the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. It runs the popup from a program in the Windows TEMP folder to get you to launch the install. The process is listed as a .tmp in Task Manager, usually with a weird name like ttC.tmp.exe or something similar.
On this machine, however, they set an explorer.exe registry key here, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, and Windows Explorer could not run. I am assuming they were redirecting it to run some other malware and then starting Explorer, but VirusScan deleted the file they were using, so Windows just sat there. You could still run Task Manager by hitting Control-Alt-Delete, which allowed me to run regedit, navigate to the key and delete the explorer.exe value, which then allowed Windows Explorer to run. After the desktop loaded, the Antivirus XP popup came up. I ended the process using Task Manager, deleted all the files out of the Windows temp folder, found the programs/DLL files in the System32 folder (two of them this time, with names like lphctp9j0ea5j.exe and blphctp9j0ea5.scr), and after rebooting I was able to delete the ccwjgn.dll file.
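The two registry locations used here are worth checking on any XP box showing the same symptoms, rather than hunting for the values by hand in regedit. The script below is an added example written for this post, not something from the original write-up or from any vendor tool. It assumes the explorer.exe hijack under Image File Execution Options was done through the standard Debugger value (the post only says a key was set for explorer.exe), and it assumes each Winlogon\Notify subkey carries the usual DLLName value. Run it from an elevated PowerShell prompt; with -Remove it deletes the explorer.exe Debugger value, which is the same fix performed manually above.

```powershell
# Audit script (added example, not part of the original post).
# Lists IFEO "Debugger" redirections and Winlogon\Notify DLLs, flags
# anything suspicious, and optionally removes the explorer.exe hijack.
# Written to run on PowerShell 2.0 (the last version available for XP).
param(
    [switch]$Remove   # delete the explorer.exe Debugger value if present
)

$ifeoRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$notifyRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# 1. Image File Execution Options: a "Debugger" value under a subkey named
#    after an executable makes Windows start that "debugger" instead of the
#    program. Assumption: this is the value the malware set for explorer.exe.
Write-Host '== IFEO subkeys with a Debugger value =='
Get-ChildItem $ifeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        New-Object PSObject -Property @{ Program = $_.PSChildName; Debugger = $dbg }
    }
} | Format-Table Program, Debugger -AutoSize

$explorerKey = Join-Path $ifeoRoot 'explorer.exe'
$explorerDbg = (Get-ItemProperty -Path $explorerKey -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($explorerDbg) {
    Write-Warning "explorer.exe is redirected to: $explorerDbg"
    if ($Remove) {
        Remove-ItemProperty -Path $explorerKey -Name Debugger
        Write-Host "Removed Debugger value from $explorerKey"
    }
} else {
    Write-Host 'No Debugger value set for explorer.exe'
}

# 2. Winlogon\Notify: each subkey names a DLL (DLLName value) that winlogon
#    loads at logon. Flag DLLs whose file is missing or is not Authenticode
#    signed; on a clean XP install the legitimate entries are signed Microsoft
#    DLLs living in System32.
Write-Host '== Winlogon Notify DLLs =='
$system32 = Join-Path $env:windir 'System32'
Get-ChildItem $notifyRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
    if (-not $dll) { return }   # subkey without a DLLName; skip this iteration
    # A bare file name is resolved from System32 by winlogon
    if ([System.IO.Path]::IsPathRooted($dll)) { $path = $dll } else { $path = Join-Path $system32 $dll }
    $exists = Test-Path $path
    $signed = $false
    if ($exists) {
        $signed = (Get-AuthenticodeSignature $path).Status -eq 'Valid'
    }
    New-Object PSObject -Property @{
        Subkey  = $_.PSChildName
        DLL     = $dll
        Exists  = $exists
        Signed  = $signed
        Suspect = (-not $exists) -or (-not $signed)
    }
} | Format-Table Subkey, DLL, Exists, Signed, Suspect -AutoSize
```

Any Notify entry reported as Suspect deserves a look, but do not delete the Notify subkey until the DLL itself has been removed or renamed, otherwise the file stays behind for the next boot. Note that Winlogon\Notify packages exist only on XP and Server 2003; later Windows versions ignore that key, while the IFEO Debugger mechanism still applies.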
I then ran the latest version of Spybot, which found some other stuff and removed it. No more popups or nag screens trying to get her to install their malware.
Update: I thought I had it until I updated to Windows XP Service Pack 3 and, after rebooting, received the daggon popup again. More deleting and rebooting; after a while I gave up and tried the free version of AVG. It found about 40 or so driver files that were infected and cleaned those, and she has been running Antivirus XP 2008 free for a couple of hours now. So, for everyone who just wants it removed without knowing how or why, run AVG, as Spybot doesn’t seem to clean it yet.