
Asher Bond

I stay in SF, live in the Bay, represent cloud technology and the California way.


Tag: owned

“Antivirus 2008”, a.k.a. “Vista Antivirus 2008”, is not an antivirus at all; it’s malware posing as one (rogue antivirus, or “scareware”). When you boot up, it runs all kinds of stuff you don’t want in the background of your computer. One of the worst things it does is disable your ability to stop processes from running in the background.

You know you’re in trouble when you hit CTRL+ALT+DELETE and you get the message:

“Task Manager has been disabled by your Administrator”

LULZ! You can’t even get to your Task manager to stop who knows what from running in the background of your computer. Wow you really got owned this time.

BEFORE YOU START

  1. Boot into Safe Mode with Networking and run Symantec’s Norton AntiVirus, or Avast (if you want a free one) from www.avast.com, to make sure the malware isn’t running in the background anymore. You might have to download the installer on another computer or buy it in a store: some of this malware will redirect you to its own web site when you try to go to symantec.com, trendmicro.com, etc.
  2. Don’t type credit card information into a computer that might be infected. It’s better to download the trial or buy it in a store.
  3. Don’t use shady “virus scanners” like StopZilla, or malware posing as antivirus such as “error cleaner” or “Vista Antivirus 2008”.
  4. Make sure your virus scanner has the latest signature update. What makes you think it’s gonna find the virus if the software hasn’t been updated for weeks?
  5. Vista AntiVirus is probably set to run every time your system boots, most likely as vav.exe under C:\Program Files\VAV. If your antivirus missed it for some reason, find and delete that file yourself. Windows won’t let you delete a running executable, but it will let you rename it: rename it to novav.exe and delete the other files in the folder. When vav.exe can’t find its files it will crash, and then you can delete it too. (In Safe Mode it usually won’t have started in the first place, so you can often just delete it outright.) Also delete any folders named “Antivirus 2008”.
  6. Run HijackThis (now distributed by Trend Micro) and remove the malicious entries from the system startup list. If you aren’t sure whether a file is malicious, check when it was last modified: if you picked up the infection recently, a file modified around that time is a good candidate. Look the filename up on Google from another computer and see what people are saying about it. Watch out for .dll files with random-letter names (like c:\WINDOWS\xokvrpwg.dll) and unfamiliar .exe files. Also check for system policy entries like “DisableRegedit=1”. This malware often replaces your desktop with an Active Desktop component (“Desktop component 0”) pointing at something like file://somedirectory\index.htm. Delete these too.
  7. Continue with the rest of these instructions once you have scanned your computer and cleaned out the malware.

Here’s how to fix your Task Manager:

  1. Don’t panic. Don’t download any more “error cleaners” or garbage that probably messed up your computer in the first place.
  2. Shut down your computer (by force if you have to) and boot it into Safe Mode.
    (If you don’t know how to get to Safe Mode: tap F8 during boot, before the Windows logo appears, and pick it from the menu.) LOG IN AS ADMINISTRATOR. Don’t see Administrator on the Welcome screen? Hit CTRL+ALT+DELETE twice to get the classic logon box and type Administrator as the user name.
  3. Once you’re LOGGED IN AS ADMINISTRATOR in SAFE MODE, click “Start”, then go to “Run”… Oh noez.. where’s run? Wow, you sure got owned this time. You can’t even get the run menu up in SAFE MODE. Don’t worry, you still don’t have to scrap everything and do a clean re-installation.
  4. Right click the task bar and go to “properties”.
  5. Click the “Start Menu” tab.
  6. Click the “Customize…” button.
  7. Click the “Advanced” tab.
  8. In the “Start menu items:” list, go through and click all the buttons that say “Display as a link”.
  9. Click “OK” after you are done clicking all the “Display as a link” buttons.
  10. Click “OK” again to get out of the “Taskbar and Start Menu Properties”.
  11. Now you should have your Start Menu back to normal. Try to find the “Run” button. If you can’t see it, it’s probably because you’re in Safe Mode and it’s scrolling off the screen. Don’t panic, just hit the up arrow on your keyboard once. This should highlight the “Shut Down” button. Hit the up arrow again and you will be at “Log Off”. If you don’t see “Log Off”, then you’re not logged in as Administrator and you need to go back to step 2. Hit the up arrow a third time and you will be at “Run” (even though you can’t see it). Now hit Enter.
  12. Now that you have the “run” menu up, type regedit in the “Open” box. and click “OK”.
  13. You’ll probably get a box that pops up saying “Registry editing has been disabled by your administrator”. LULZ! You can’t even get to regedit? Wow, you sure got owned this time. Don’t panic.
  14. WINDOWS XP PROFESSIONAL: Go to Start, Run, type gpedit.msc and press ENTER. This should bring up a window titled “Group Policy”.
  15. If that didn’t bring up “Group Policy” then you don’t have Windows XP Professional (Home edition has no gpedit.msc). I guess that means you’re not really much of a PC professional are you? That’s ok, you aren’t missing much... you will have to type this nice long command into the Run box instead:
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
    That clears only the regedit lockout. The Task Manager lockout is the DisableTaskMgr value in the same key, so run the same command again with that value name.
  16. If you’re at the “Group Policy” screen, Click “User Configuration”, then click “Administrative Templates”, then click “System”. Double-click “Prevent Access to registry editing tools” and set it to “Disabled”.
    Note: If the setting already reads “Not Configured”, set it to “Enabled”, and click “Apply”. Then revert it back to “Disabled”. This ensures that the “DisableRegistryTools” registry value is removed successfully.
    Repeat this step for every item that says “Disable…” or “Prevent Access to…” (for example “Prevent Access to the command prompt”). Repeat this step for the CTRL+ALT+DEL options as well. This is where you can disable the policy of “Remove Task Manager”. When you’re finished, close the “Group Policy” screen.
  17. If you still don’t get regedit back, the malware may have dropped a regedit.com file in your Windows directory. When you type a command without an extension, Windows tries .com before .exe, so plain “regedit” launches the fake instead of regedit.exe. If running regedit.exe (with the extension) behaves differently from running plain regedit, delete regedit.com from your Windows directory. Do a file search for regedit* and see what comes up.
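Here’s the whole lockout cleanup as one script, so you don’t have to click through gpedit or retype the REG command for every value. This is an added example for this post, not something the original post or any antivirus vendor shipped. It assumes nothing beyond reg.exe, which comes with Windows XP and later, and the standard policy value names (DisableTaskMgr, DisableRegistryTools, NoRun, DisableCMD); the file name fix-lockout.bat is made up. Save it with Notepad and run it from the Run box or a command prompt while logged in as Administrator.

```batch
@echo off
REM fix-lockout.bat -- added example, not part of the original post.
REM Removes the user policies a rogue "antivirus" sets to lock you out of
REM Task Manager, regedit, the Run box and the command prompt, then shows
REM what is left. Run it from the Administrator account (Safe Mode is fine).
REM Needs only reg.exe, which ships with Windows XP and later.
setlocal

set "POLSYS=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
set "POLEXP=HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
set "POLCMD=HKCU\Software\Policies\Microsoft\Windows\System"

echo === Lockout policies before ===
call :show

echo.
echo === Removing lockout values ===
REM DisableTaskMgr       -> "Task Manager has been disabled by your administrator"
REM DisableRegistryTools -> "Registry editing has been disabled by your administrator"
call :zap "%POLSYS%" DisableTaskMgr
call :zap "%POLSYS%" DisableRegistryTools
REM NoRun hides "Run..." on the Start menu
call :zap "%POLEXP%" NoRun
REM DisableCMD is "Prevent access to the command prompt" in gpedit
call :zap "%POLCMD%" DisableCMD

echo.
echo === Lockout policies after (nothing listed = clean) ===
call :show

echo.
echo === Shadow files that hijack "regedit" / "taskmgr" (see step 17) ===
dir /b "%SystemRoot%\regedit.com" "%SystemRoot%\system32\taskmgr.com" 2>nul
endlocal
goto :eof

:show
REM Print only the values we care about; reg query exits 1 if the key is absent.
reg query "%POLSYS%" 2>nul | findstr /i "DisableTaskMgr DisableRegistryTools"
reg query "%POLEXP%" 2>nul | findstr /i "NoRun"
reg query "%POLCMD%" 2>nul | findstr /i "DisableCMD"
goto :eof

:zap
REM %1 = key, %2 = value name. Deleting the value is the same as setting the
REM gpedit policy back to "Not Configured"; "reg add ... /d 0 /f" would also do.
reg delete %1 /v %2 /f >nul 2>&1 && echo   removed %~1\%2
goto :eof
```

If the values come back after you log off and on, the malware is still running and re-setting them, so go back to the scanning steps first. Some infections set the same values under HKLM (the machine-wide policy keys); swap HKCU for HKLM in the three set lines and run it again.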

I noticed some broken links to images, so I tried to log into Photobucket.com today and I got the following message:

IMPORTANT! Photobucket.com problem read here:
Last night Photobucket.com DNS at register.com was hacked by malicious people that are trying to compromise our business!
We are in no way affiliated with such bad deeds and cooperate with photobucket in capturing these individuals.
They have pointed the domain photobucket.com to an account hosted on our systems!
We have blocked that and photobucket techs have restored the domain pointing to its original location!
ALL account information and pictures on photobucket.com are OK, please have patience!
Unfortunately the complete DNS replication usually takes 24-48 hours and during this time cached DNS records might still point to us!
The normal operation of Photobucket is restored and as soon as the replication is complete there should be no further such issues!
We would like to emphasize that we are in no way responsible for what happens with photobucket and all users bumping across our systems!
We are a legitimate web hosting company operating since 2003 and in no way tolerate such hacking attempts!
If you have any questions please do not hesitate to contact us at abuse@zettahost.com!
Thanks for your patience and understanding!

This message would lead me to believe that someone spoofed and/or injected their own DNS records in place of the legitimate DNS records that point to Photobucket’s image hosting servers and other web servers.

I believe what they’re saying is true: that the data should be fine, since a DNS compromise only means that the hackers redirected the hostnames and domains to a different server. It is possible to lose data this way, but chances are the hackers who did this aren’t that elaborate.

Chances are it’s either some kids goofing around or someone in a poor country trying to make some quick cash off spamming or advertising revenue.
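If you want to see whether your own machine is still getting a stale, hijacked answer during that 24-48 hour window, compare what your resolver says with what the domain’s authoritative name servers say. This is an added example, not part of the original post or of zettahost’s notice; it uses only nslookup and ipconfig, both standard on Windows, and photobucket.com is just the default domain because that’s the one in the notice. The file name dns-check.bat is made up.

```batch
@echo off
REM dns-check.bat -- added example, not part of the original post.
REM Compares what your resolver says for a domain with what the domain's
REM own authoritative name servers say. After a hijack is reverted, a resolver
REM can keep handing out the attacker's record until its cached copy expires.
REM Usage:  dns-check.bat photobucket.com
setlocal
set "DOMAIN=%~1"
if "%DOMAIN%"=="" set "DOMAIN=photobucket.com"

echo === %DOMAIN% according to your configured resolver (may be cached) ===
REM The first Server/Address pair is the resolver itself; the answer follows.
nslookup %DOMAIN% 2>nul

echo.
echo === %DOMAIN% according to each authoritative name server ===
REM The NS lines look like:  photobucket.com  nameserver = ns1.example.net
REM Default for /f delimiters are space and tab, so "=" is its own token and
REM the name server host is the 4th token.
for /f "tokens=4" %%N in ('nslookup -type=NS %DOMAIN% 2^>nul ^| findstr /i "nameserver"') do (
    echo --- asking %%N directly ---
    nslookup %DOMAIN% %%N 2>nul
)

echo.
echo If the authoritative answers agree with each other but not with your
echo resolver, your cache is stale: run "ipconfig /flushdns" and query again.
endlocal
```

The “nameserver =” parsing matches the English Windows nslookup output; other locales print different labels. ipconfig /flushdns only clears the cache on your own machine; if your ISP’s resolver is the one holding the old record, it clears when the old record’s TTL runs out, which is where the “24-48 hours” comes from.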