• On The Insider: Britney's Bikini-Clad Top 10
September 15, 2008 11:20 AM PDT

How to remove Antivirus XP 2008

by Seth Rosenblatt
  • Font size
  • Print
  • 187 comments
Update: Revised instructions to include folder deletion.

Antivirus XP 2008 is back, unfortunately. It's not an antivirus app, but a cleverly disguised rogue security application that tries to get you to buy the non-existent "security" it's selling. Advertised using the common tricks of Trojans and faux security alerts, this nasty piece of malware can take over your desktop settings to mimic safe mode, display fake virus detections, and opens a faux Internet Explorer window stating that Google has detected a malware infection.

Antivirus XP 2008's Web site looks legit, but caveat emptor.

Yeah, Google.

Apparently, though, the virus is now being spread in more insidious ways, and numerous people who claim safe browsing habits and up-to-date security definitions are being infected--including two of my friends.

In helping them remove it, I discovered an excellent post on the CNET Forums that explained a detailed and accurate method of removal. I've retyped it below with more detail in case you're not able to get to the forums. It's not particularly complicated, but if you're not comfortable with advanced settings, I'd recommend proceeding cautiously or get a friend to help.

The scan window from Antivirus XP 2008 also looks legit. It's also not.

A warning before we begin: do not boot your computer into safe mode. Leave it running as you normally would. I tried restarting into safe mode, and the malware was prepared for that--its folders and files became undetectable.

First, in the Start menu, click on Run. If you can't find the Run option, hit WIN+R. (That's the key with the Windows icon on it.)

Type in msconfig, and go to the Startup tab. You're looking for two files. One begins with the string of letters "lph," and the second begins with "rhc". The examples provided are longer strings, "lphc35dj0e1an" and "rhc75dj0e1an", but after the first three letters, the strings are known to change on different computers. Uncheck the boxes next to both of them, then click on Apply and OK or Close at the bottom of the window.

The scan window from an older version of Antivirus XP 2008.

Restart your computer, and then delete the main files the spyware uses. In Windows Explorer, navigate to C:\windows\system32 and delete the lph*.exe file. Then go to your Program Files folder, C:\program files, and delete the rhc folder and everything in it. Keep in mind that these strings are known to change.

Restart your computer normally. You'll notice that the background hasn't changed. To restore your desktop settings, you'll need to go to Start > Run again, or Win+R. This time, type in Gpedit.msc. On the left nav, look for User Configuration near the middle. Navigate through Administrative Templates, then Control Panel, and finally Display. When you click on display, you'll see a list of options open in the central pane. Right click on "Remove Display in Control Panel," and click "Properties." Then choose "Disabled."

Repeat those same steps for the following attributes: Hide Desktop, Prevent changing wallpaper, Hide Appearance and Themes, Hide Settings, and Hide Screen Saver. Change all to "Disabled," then hit Apply, OK, and restart your computer.

You will still see the Antivirus XP 2008 desktop "theme", but now you can change it. Anywhere on your desktop, right-click and select properties. The first tab that opens should allow you to change your theme. If you also suffer from massive icons, use the last tab on the right, Settings. In the middle of that tab's window you'll see a Screen Resolution option, most likely set to 800x600. Move the slider to the left to choose a more aesthetically appealing resolution.

Seth peers into the deep, dark corners of software so that you don't have to. He has yet to suffer a single nightmare about OS/2. You can follow him on Twitter.
Topics:

Security and spyware,

Windows Software

Tags:

Antivirus XP 2008,

virus,

malware,

Trojan,

howto-security

Share:
Digg
Del.icio.us
Reddit
Recent posts from The Download Blog
Windows Starter Kit refreshed for 2010
Big changes in Security Starter Kit 2010
Why to embrace Firefox 3.6's new-tab ethos
Sale: CoPilot Live GPS for iPhone, $19.99
Three apps we're thankful for
Mozilla issues near-final Thunderbird 3
eBay opens auction app for BlackBerry
iPhone app rounds up free Redbox rental codes
Add a Comment (Log in or register) Showing 1 of 7 pages (187 Comments)
by 0zSpit September 15, 2008 12:02 PM PDT
i let this in on my test machine. this is a tough one to get rid of. no security program i used would remove it. i would restart and it came right back, even when i stopped it in msconfig and removed it in the registry. it always came back. it took out my system restore, too. this one is worse than the previous versions. i just reinstalled my OS, after i wiped the hard drive, it seemed easier than fighting it. but it is one to stay away from
Reply to this comment
by kwt3200 September 16, 2008 11:19 AM PDT
you need to disable system restore, then update your antivirus product, then run full system scan to remove it
system restore keeps making a backup copy of the virus, that's why you cant get rid of it
after its fully removed and stays gone after reboot, then you can reenable system restore
by September 16, 2008 7:47 PM PDT
try using ComboFix this program works great to get rid of most malware
by thedad1 September 16, 2008 11:29 PM PDT
Ozspit
The samething happened to me had to redo my hard drive also I have sent them a e-mail for the product key or the FCC was going to be contacted they never replied back to me so I just let it go.
by RockSpot September 17, 2008 9:20 AM PDT
I fixed my neighbor's PC which had this nasty virus ? plus about 246 other ugly little nasties. It had AVG on it. I removed AVG, and stopped the system restore points service. Then I installed Avast 4.8, Stopzilla, Eraser 5.8 and Malwarebytes from CD. I let Avast run its boot-time scan on restart. I used Eraser to erase the blank space just in case some nasty bug was keeping track of where it put itself on the hard drive so it could reinstall upon restart (even though it might not be listed in the MFT or registry). Then I started running several iterations of Avast, Stopzilla, and Malwarebytes. Once I was sure that all the little nasties were out of the system, I restarted the system restore service.
by elnav September 17, 2008 10:10 AM PDT
I found and removed the files mentioned in the advice. Didn't help. eventually learned there were multiple incidents. Since I was operating in "SAFE" mode I did not see the hidden versions. Wiping the whole drive is NOT an option at this point in time. too much critical business related data. 10 gigabytes is kinda hard to back up. about 90% of the files are already backed up but Outlook files and email addresses are not. not everybody has enough financial resources to afford unlimited duplication of drives storage methods and so on.
Advising people to go and buy better software to remove an infestation is not good advice. This particular malware seems to log keystrokes and track often visited websites. Chances are good it would simply steal your financial transaction data as you paid for and uploaded new anti-virus software. Now your credit card account and your password is stolen.
by patel_cb September 17, 2008 10:54 AM PDT
Thank You, It's too much Headache, but you give solution. But it's "Gpedit.msc" not found in windows Vista. I will tried on windows XP. I will try tommorow, Is it run "Gpedit.msc"? Tjank You again.
by TGLewis1112 October 3, 2008 10:06 AM PDT
I have a mate who also eperienced this. on the desktop it would say he had a virus, but you couldn't change the wallpaper back to normal. in the end I deleted the registry entries it was putting in, and tried removing it via control panel, but it wouldn't budge. in the end I reinstalled windows for him. DEFINATELY KEEP AWAY FROM THIS ONE!!
by tracyhall76 January 23, 2009 5:59 PM PST
Hey Revo Uninstaller will kill it too.
by jtwhandyman September 15, 2008 3:01 PM PDT
I recently got a similar virus on my old windows 2000 machine called Antivirus 2009. It created a XP style windows firewall icon in my system tray and would always broadcast fake security alerts and would request that I pay to remove the threats. It was so bad that I could barely use my computer at all. I finally got rid of it with Avast Home Edition 4.8 when a new virus database update came in. Additionally, I installed Comodo 3.0 firewall (Free edition) and have not had any more problems. My old computer is up and running like a brand new machine. Thanks, CNet for guiding me to these free software programs
Reply to this comment
by Luckysaad September 16, 2008 5:23 PM PDT
Try this to remove Antivirus 2009 Malwarebytes' Anti-Malware Download and scan Download here http://www.bleepingcomputer.com/malware-removal/remove-xp-antivirus-2008-2009
by winstonh5 January 21, 2009 5:42 AM PST
In December 2008, I was infected with Antivirus XP 2009 on my desktop running Windows XP Pro and AVG free 8.0. I took my PC to TigerDirect who told me they needed to reformat my C drive if I had my files backed up. I always run two separate backups so I told them to go ahead if that was my only option. The reformatted and reloaded my Win XP Pro but failed to activate it. My custom PC was built 4 years ago in a small PC shop in another state and I did not have the orginal CD and activation code so my OS expired after 30 days. I bought a new PC with M$ Vista installed (I hate it). It also got infected with Antivirus XP 2009 so I called a friend in Atlanta who is an IT professional. He gave the the secret to the simple way to rid my PC of this malware which is as follows:
1-download Malwarebytes "Anti-Malware" (free) into my "downloads" folder on my desktop. 2. Download Sunbelt "Counterspy" (free) into my downloads folder on my desktop. 3-turn off my regular antivirus software (AVG Free 8.0), 4-install and run Malwarebytes "Anti-Malware" (free) to scan, then purge what it finds. 5-remove Malwarebytes "Anti-Malware" (free). 6-Download and run Sunbelt "Counterspy" (free) to scan, then purge what it finds. 7-remove Sunbelt "Counterspy" (free). 8-turn my regular antivirus program (AVG Free 8.0) back on. I was done. I found 32 pieces of malware using Malwarebytes "Anti-Malware" (free), but it missed 5 pieces which were detected and removed by Sunbelt "Counterspy" (free). I later got infected by this same piece of crap again and used the same process to remove it again. I already had the two programs downloaded in my downloads folder so all I did was re-install them and run them. This takes some time but it is SO SIMPLE. I am just sorry that I did not find out before TigerDirect's tech's reformatted by C drive on my other machine. I am stil trying to find the code so I can activate the OS.
by firefoxluva95 September 15, 2008 4:25 PM PDT
I've been infected too or at least it "attempted" to infect me. Avast stopped the malware from executing completely (though I still saw a fake security window) and I used Ccleaner to remove the startup items that would try to resurrect the virus. Then I scanned and got rid of it using Avast.
Reply to this comment
by TGLewis1112 November 30, 2008 11:04 AM PST
You're lucky you caught it at such an early stage! It can really wreck your machine if it has the time to embed itself in your registry.
by jpmccloud01 September 16, 2008 6:15 AM PDT
here is a point about this thing and it's varients, if you have a good antivirus program or suite and you see this in and email, delete it. Most of the people that are getting this thing don't have computer protection or are seeing something telling them they have viruses when they don't. they click on this thing and it's all over. I get some 4 or 5 calls at my store per day about this thing and it's varients and people are getting panicy over it. it would be nice to go after those who wrote this thing and make them remove it from every computer infected
Reply to this comment
by laurenfouts September 16, 2008 10:51 AM PDT
I agree - what sick thrill does someone get causing this much headache. I caught this bug at a Java site where it claimed to be recommended by Java. Even its logo copies part of the Windows logo and part of the Defender logo. I eventually started over from scratch and wiped my disc clean which is doable but it takes time. I couldn't download/backup all my files before starting over. I survived but what a pain. I am still getting this virus/malware caught by my double programs (Bellsouth Internet Security and Antispyware) and have to delete it at least once a day - it seems to be attaching to more and more web sites.
by virtualgval September 16, 2008 8:38 PM PDT
I agree, why doesn't someone go after these people that are doing this? I can't understand why the computer systems are not monitored better when there is so much delicate information out there. Again, we need to wake up!!!! I had this on my computer as well and it was a real pain in the rear end!
by cccook September 18, 2008 8:16 PM PDT
Yes These ***** Should Be Fined And Hung And Shot afterward This Is The Second Time It Got This **** And It Cost Me TWO Big Hard Drives Because It Lies At What The Drive Is IM SO PISSED AT THESE *****....
by brilo1 September 16, 2008 8:18 AM PDT
Use a program called Anti-malware, made by Malwarebytes. The software is free, and will remove the Antivirus XP 2008 software.
It's located here: http://www.malwarebytes.org/mbam.php
Reply to this comment
by LadyTech10 September 16, 2008 8:23 PM PDT
I tried the detailed way from above. It appeared it worked but it came back or pieces of the virus was still in the computer. I installed Malwarebytes. Haven't had a problem since. After spending hours on various ways I found on the Internet, this is the only one that worked. This viruse causes huge bandwidth problems if not completely removed completely.
by lotsasmiles September 16, 2008 9:12 PM PDT
I used this to get rid of Antivirus2009 - really easy to use and worked perfectly. I use Avast and it still manged to get through. Avast 'found' it but did not delete it.
by Mark69 September 17, 2008 7:54 AM PDT
Hi All, I dont normally reply to Review's, as Normally when i try a product it fails, But this Time i have to Say this program work's, I have paid for Programs on my Pc and this one found things that my paid one's for did'nt !! it's A Must have even for those who have little Knowledge on programs !! I might even now pay for the upgrade Version of this Program !! You Must try it, I even did scan's with my external back up hard drives and it found thing's there also and deleted them for me !! .All i can say just try it OK !!
by Claude Amyot September 17, 2008 11:01 AM PDT
Brilo: Thanks a million for posting that website. It definetly worked for me. Claudius
by Zyrac September 17, 2008 3:19 PM PDT
Activating the full version unlocks realtime protection, scheduled scanning, and scheduled updating. It is a one time fee of $24.95. Not exactly free, but tnx all the same Brilo!
by September 18, 2008 1:09 PM PDT
I too have had great success with Malwarebytes Anti-Malware and recomend it highly
Curt
by outxfan September 18, 2008 6:28 PM PDT
The antivirus 2009 had tagged my computer. Could not get rid of it. I downloaded the malwarebytes and then run a full scan. The antivirus 2009 is finally gone. It was so simple. Thanks so much for the information.
by julebo September 25, 2008 9:32 PM PDT
Thanks so much. Somehow, very mysteriously I picked up this virus, placed an icon on my tool bar and prevented normal turn on. I have been using my laptop primarily and have only used DT for printing. I tried the removal instructions first and they were of no use. This did it!!!!!!!!!!!!!!!!!!!!!!!!

Thanks Thanks Thanks
by adkiller2k7 September 16, 2008 8:39 AM PDT
Heh, my avast killed it from downloading, you avg people will have to remove it yourself!
Reply to this comment
by Diane Farrer September 16, 2008 10:21 PM PDT
Norton is charging $100 plus tax to remove it from your system. No I didn't pay, I'm not that much of an idiot!
by IKTHUSRJD September 17, 2008 11:47 AM PDT
Interesting that AVAST helped you; with me it not only let it in and it did considerable damage, but it almost let another one in a second time. At that point, I moved from AVAST to another program. This virus is a bad one. After spending two weeks trying to rid myself of it, I finally had to wipe everything off and start afresh.
by SxSascha September 20, 2008 11:32 AM PDT
*Cry*
:P
by xBobsx September 24, 2008 9:24 AM PDT
Avast did not stop Antivirus 2009 from installing and infecting my computer , Malwarebytes little program done the job in removing it.
by oclueless1 September 16, 2008 8:41 AM PDT
i tried this and after i restarted like it said, i did the whole "start>win>r "thing but i couldnt find the "gpedit.msc." thing... what should i do?
Reply to this comment
by saber0091 September 17, 2008 6:40 AM PDT
Group Policy editor (gpedit.msc) is not available on XP Home edition (without installing all the little bits and pieces by hand. There are kits available online if you really want it. Bunch of files and a batch file). Which most users still have.

It is available on XP Pro, and on Vista. XP Home gets to find all the registry entries that Group Policy editor gives you a window for, by hand in the registry.
by Doctor Entropy September 17, 2008 11:37 AM PDT
You just type gpedit.msc in the Run box. The actual file is in the /system32 folder. If you can't access it, you may not have Administrator privileges, or the file may have somehow been deleted. You may want to try typing mmc in the Run box to see if you have the management console, needed to run .msc files.
by MyShare120 October 8, 2008 6:54 AM PDT
Reply to "oclueless1".. I had the same problem on a machine that has Windows Media Edition as well as Media Home Edition. Apparently, there is no gpedit.msc file to be found (it may be named something else). The gpedit.msc is only on Windows Pro. I'm going to do a search to see if anyone has figured out how to remove the thing entirely from the other two operating systems that don't contain a gpedit.msc file. I will post again as soon as I locate it. I attempted to get the Bart Windows boot cd from Avast but they want an arm and a leg to get it so the reply from "Bollweevill" may not work for you either. I will return with an answer.
by bollweevill September 16, 2008 9:00 AM PDT
I work at a PC repair shop and I have had many computers come in with this junk on it. I have been successful at getting rid of it each time. However, my routine takes me about half an hour each time. I use the Bart Windows boot cd to dig through the hard drive of the computer, this could also be accomplished by attaching the infected hard drive to another pc. Folders to look for include
C:\program files\MSA,
c:\program files\rhc75dj0e1an (Or something similar)
c:\program files\Antivirus 2008
c:\program files\PC Security Center (Or something similar)

Load the infected pc's "c:\windows\system32\config\software" and "c:\documents and settings\username
tuser.dat" registry hives in the places they belong (google it if you don't know how)
Check "\software\microsoft\windows\explorer\current version\policies" for the issues with "task manager / registry editing / wallpaper & screen saver changing / start menu modifying has been disabled..."
Check "\software\microsoft\windows\current version\run" for entries to start the virus.
Check "\software\microsoft\windows NT\current version\Winlogon" for the "userinit" entry, it should only have the line for userinit.exe. Remove any text AFTER the comma in the entry.
Check "\software\microsoft\windows NT\current version\Winlogon
otify" for sub entries that are jargon (ie. rjwsxkychi) and delete them. Hopefully you can tell the difference if you are following these instructions, if not, get help from a pro.
Do this for both the software hive, and user hive. The notify folder wont exist in the user hive. These are all the entries that i remember at the moment.

Then get Avast free home edition, install, don't boot time scan yet, reboot, update definitions, then schedule a boot time scan.

Hope this helps!
Reply to this comment
by Taomuningtalun September 17, 2008 5:08 AM PDT
actually i have found this threat few month later and this kind of instruction with a full information really do help me to remove the threat completely...... really big thanks pal.......
by rhampton September 22, 2008 1:44 AM PDT
While your comments are helpful. I discovered by accident to trash windows system32fileWINLOGON with spybot shredder. The system then asks for your windows disk. Run an update from it about 50 mins. On restart the system comes up clean. Aparantly Buritos.exe is hiding in the winlogon file. Traces oft it will still be around but it will not start. Uncle Bob...
by tjmm1234 September 16, 2008 9:08 AM PDT
I ran Spyware doctor and before I did I updated the definition files. It removed it completly. However, running my Spysweeper program and updating that as well, it found and removed it. However, when I rebooted the computer using Spysweeper it came back. I found this out when I went to the Google home page and I got a warning message telling me I had a virus as indicated in the article above. I always tell my customers to have at least a couple of good spywear removal programs on their system. Some products do the job well with one kind of infection, while others will fail. My Norton failled to find it, and adaware found nothing as well. Make sure to update your software at all times. I hope they (I don't understand why these sites are left on line when one knows they are bougus) hang these people. There is no reason given the magnitude of the problem that the site lives on.
Reply to this comment
by idorablo September 16, 2008 9:46 AM PDT
i did the same except ran Anti Vir free and killed it all . Norton sucks
by drummer62 September 16, 2008 9:23 AM PDT
I had a friend that had gotten this and I used Superantispyware and it totally removed it as well. This thing is real nasty at what it was doing to his PC.
Reply to this comment
by katdeskinner September 16, 2008 9:42 AM PDT
why waste your time doing all that, just juse Malwarebytes anti Malware. It just works with out the headaches.
It's free on download .com- I used it for the same issue, and it was way to easy.
Reply to this comment
by ranton October 14, 2008 9:57 AM PDT
i have got to agree with this comment as i have used malwarebytes anti malware and surely it does get rid of all spy files . i have now cleared all files of both of my computers and also my friends who asked if i can sort her's out and leave the program running in the backround .so thanks for the tip it realy works.
by idorablo September 16, 2008 9:44 AM PDT
I down loaded Pc doctor ran the scan found it cleaned it all up and ran Antivir wallah Gone it works had a friend same thing told him what to run no problems . Shame you blew everything out
Reply to this comment
by Patrisha42 September 16, 2008 10:12 AM PDT
I got on Cnet to see if I could find something to remove this virus. Lucky me cnet's opening page had the removal process. Thank you.
Reply to this comment
by efrench9 September 16, 2008 10:14 AM PDT
I did not find the 'rhc' prefix in my msconfig list. I have the following:
VPTray
mobsync
jvsched
qttask
dwdregt
ttduur
owinmpex
ccapp
ctfmon
svchost
and adobe reader spe...

do any of those ring a bell as to their involvement?
Reply to this comment
by pcexpress201 September 17, 2008 7:41 AM PDT
Try going to www.superantispyware.com this will remove the entire program.
by rhampton September 22, 2008 1:48 AM PDT
try trashing svchost it will be hiding in there or winlogon. They are in windows system 32. You will need your windows disk ro install an update. Uncle Bob...
by cfiacco September 16, 2008 10:18 AM PDT
AntiVirus 2008 or the variant AntiVirus 2009 has been "back" for a few months now, i know a lot of people whe were wacked with it - the middle of August and blogging for help. I was one; i am an IT Professional and this was on my home pc, I scanned with Spysweeper; Spyware Dr. ; Adaware; spybot search and destroy and Counterpsy; windows defender and had AVG....these were already installed and all up to date when this got through ALL of them. After many hours of frustration and not wanting to reinit my system; upon research a few people including a Microsoft employee mentioned MalwareBytes in his blog and then Cnet showed it as a popular download, so what the heck .. i installed it and after I ran it, I had to put in my Microsoft registration numbers to reregister?! It came up clean! My Avg was wacked, so I removed that anyway and put another anitvirus on and ran many scans over.. Clean.
Reply to this comment
by wonders18 September 16, 2008 10:29 AM PDT
I've seen this spyware program for the past year. One program cleans the entire infection. Used best when in safe mode. The program is called Malwarebytes' Anti-Malware. It's free and works great.
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
Reply to this comment
by scorpius_1311 September 16, 2008 8:06 PM PDT
Contrary to popular belief, this so called "Malwarebytes" appears equally suspicious to me. My computer was also infected with XP anti-virus 2008, after which I first scanned my computer with Windows Defender, then with Mc Afee and finally with an anti-virus program called "Quick Heal 2008". It scanned the computer at the boot phase itself and created a log in c:\program files\quickheal2008\quickupdate.log . The scanned list showed a primary infection by antivius 2008 but the later part was filled with back door32.worm which was directly linked to malwarebytes anti-malware program which I managed to trace using the regisrty files of the program and also a previous log by MC Afee.
Better use an updated anti-virus program to get rid of this menace or risk getting the entire data corrupted till the last BYTE!!!!
by compudoc318 September 16, 2008 10:49 AM PDT
I remove 2-3 of these a week now. I like to use combofix and smitfraud fix for these, works well, then ill follow up with avast or avg and then spybot or adaware to get spyware that can come with this virus. malwarebytes and avast will remove it, but ive seen those leave behind other spyware that came with it. Just make sure to have a link checker program like the avg built in one or macafee site advisor and dont open unknown emails....most users who are infected with this have a valid a/v program and firewall, it all comes down to common sence and not clicking the wrong thing.
Reply to this comment
by Wizentub September 16, 2008 8:24 PM PDT
McAfee did not notice the program, it somehow switched it off and site advisor appeared tobe affected as I kept getting a faximily of the site advisor button but it had the wrong mcaffee logo.
V cleaner, AVG both of which I keep on file in case would not work at all.
I was not using anything when it installed, just reading a page from the Sydney Morning Herald.
I was blocked from reaching microsoft or Mcafee for help.
Full reinstal and reformat a couple of times and it is gone, it turned out easier than the 48 hours or so I spent trying to remove the files myself.
by elnav September 17, 2008 9:47 AM PDT
Sage advice but what if the email looks legit. I got it from a FedEx email with a tracker number. Since I was expecting a couple of packages I did not get suspicious. Only when FedEx said it wasn't their number did I I begin to wonder. It blew right through my Norton symantec and turned off my firewall. Then it started to block my Windows explorer. Thank goodness I was using Mozilla for emails or that would have also been blocked. Windows explorer is likewise blocked. Can't look for any folders and files mentioned. Yesterday i was told by my ISP that I am now blacklisted for Spamming. Guess what is doing the spamming? Once I prove I have a clean machine my ISP will give me a new address. Meanwhile my address is blacklisted around the world as a spammer.
Oh yeah. It also blocks all attempt to reach any anti virus software websites. It allows you to go to advertising websites that sell junk ,sex and pills. Guess who paid who to produce this version??
by adammcc81 September 16, 2008 11:00 AM PDT
I have found that by using Malware bytes and Superantispyware I was able to ride multiple computers of the infection. I would simply run Malware Bytes first then after removing most of the infection it would ask me to restart to remove the remaining spyware. At this time I would go into safe mode and run each scan once to make sure all of the malware files had been removed.
Reply to this comment
by rdavidson420 September 16, 2008 11:16 AM PDT
I had anitvirus xp 2008 a couple weeks ago. took me 3 days to finally get it all out. malwarebytes program worked to find it for me but couldnt remove all of it. I seriously considered reinstalling windows. If you cant seem to get it off your system, use a program called Combo fix. I find that this one program can remove many different problems, including stubborn vundo viruses and antivirus xp 2008. Be sure to read the instructions before u use combo fix, although it is pretty straight forward. also, smitfraud fix should also be ran as this was left over. good luck to anyone who has been infected, this is a great source i wish i had when i was infected, would have saved me a couple days.
Reply to this comment
by hecklermtbiker September 16, 2008 11:28 AM PDT
Some variants of this also have a bluescreen screen saver and a few other files in system 32 folder. If you view it in detail view and organize by date look for random lettered files that are recent since the problem. Delete the files. Usually I have to go into folder options, and select to view hidden files and folders and view operating system files. There is also a .sys file in system 32/drivers folder that will reload that program. Organize that folder in detail view then sort by date. You can google the name of files to see whether they are legitmate. You also can delete the rch..... folder from program files folder, and documents and settings/all users/ application data folder.
Reply to this comment
Showing 1 of 7 pages (187 Comments)

Search Download Blog posts

About The Download Blog

Download.com editors cover the world of downloadable software and beyond.

Add this feed to your online news reader

The Download Blog topics

download
Site map
Help center
Our software policies
Newsletters
Submit software
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET