XP Antispyware 2009 & alert balloon virus

Author: Zhuotong Nan (zhn1@pitt.edu)

Description: An alert balloon keeps popping up with a message about antispyware (see the figure below). When you click it with either the left or right mouse button, a download dialog appears and starts downloading XP Antispyware 2009 to your local machine. Once the download completes, the 'antispyware' appears to scan your computer and warns you that many pieces of spyware were found on your system. This so-called XP Antispyware 2009 is not a real anti-spyware program; it is itself spyware. The scan copies a lot of spyware into various directories. Antivirus and anti-spyware software such as Kaspersky and Spybot can no longer run.

image

Solution:

1. Find the XP Antispyware 2009 entry in your Start menu and try to uninstall it.

2. Delete C:\Program Files\XP_AntiSpyware*

3. Run regedit to bring up the Registry Editor, and clean

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk
HKLM\Software\microsoft\windows\currentversion\run\XP Antispyware 2009
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS karna.dat
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SVCHOST.exe C:\WINDOWS\system32\drivers\svchost.exe (if it exists)

4. Run sfc /scannow to restore your protected system files, since beep.sys under your system32\drivers directory has been modified by the virus. Alternatively, copy beep.sys from a clean computer to the infected one. beep.sys exists under two directories: system32\drivers and system32\dllcache.

5. Reboot your computer in safe mode and remove the following files:

c:\windows\brastk.exe
c:\windows\system32\brastk.exe
c:\windows\karna.dat
c:\windows\system32\karna.dat

Check your registry again at the above-mentioned locations.

At this point, Kaspersky and Spybot should run normally. Run them and do a full scan.

6. Reboot. Hope it now works well.
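To confirm the cleanup took effect, the registry values and files listed in steps 2 to 5 can be rechecked in one pass. The script below is an added example, not part of the original post; it is read-only, and it assumes PowerShell is available on the machine and that checking each Run value name under both HKLM and HKCU is acceptable.

```powershell
# Added example: read-only check for the artifacts named in steps 2-5.
# Nothing is deleted or modified; it only reports what is still present.
$windir   = $env:WINDIR            # the post assumes C:\WINDOWS
$findings = @()

# Run values from step 3. Assumption: each name is checked under both
# HKLM and HKCU, which is slightly broader than the post's list.
$runKeys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runNames = 'brastk', 'XP Antispyware 2009', 'SVCHOST.exe'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($name in $runNames) {
        $prop = $props.PSObject.Properties[$name]
        if ($prop) { $findings += "Run value '$name' in $key -> $($prop.Value)" }
    }
}

# AppInit_DLLs from step 3: flag it only when it references karna.dat.
$winKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
if ($appInit -match 'karna\.dat') {
    $findings += "AppInit_DLLs references karna.dat: $appInit"
}

# Files and folders from steps 2, 3 and 5.
$paths = "$env:ProgramFiles\XP_AntiSpyware*",
         "$windir\brastk.exe",
         "$windir\system32\brastk.exe",
         "$windir\karna.dat",
         "$windir\system32\karna.dat",
         "$windir\system32\drivers\svchost.exe"
foreach ($p in $paths) {
    # -Force so hidden or system items are also listed.
    foreach ($item in @(Get-Item -Path $p -Force -ErrorAction SilentlyContinue)) {
        $findings += "Still on disk: $($item.FullName)"
    }
}

if ($findings.Count -eq 0) { 'None of the listed artifacts were found.' }
else { $findings }
```

Any line it prints points back to the step that still needs to be repeated; an empty result covers only the items listed in this post, so the full Kaspersky and Spybot scans are still needed.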
