How to remove Antivirus XP 2008 | The Download Blog - CNET Download.com

How to remove Antivirus XP 2008

Beware: Antivirus XP 2008 is back, and that's not a good thing. Editor Seth Rosenblatt takes you through a step-by-step on how to remove this infectious piece of malware that's disguised as a security program.

Update: Revised instructions to include folder deletion.

Antivirus XP 2008 is back, unfortunately. It's not an antivirus app, but a cleverly disguised rogue security application that tries to get you to buy the non-existent "security" it's selling. Advertised using the common tricks of Trojans and faux security alerts, this nasty piece of malware can take over your desktop settings to mimic safe mode, display fake virus detections, and opens a faux Internet Explorer window stating that Google has detected a malware infection.

Antivirus XP 2008's Web site looks legit, but caveat emptor.

Yeah, Google.

Apparently, though, the virus is now being spread in more insidious ways, and numerous people who claim safe browsing habits and up-to-date security definitions are being infected--including two of my friends.

In helping them remove it, I discovered an excellent post on the CNET Forums that explained a detailed and accurate method of removal. I've retyped it below with more detail in case you're not able to get to the forums. It's not particularly complicated, but if you're not comfortable with advanced settings, I'd recommend proceeding cautiously or get a friend to help.

The scan window from Antivirus XP 2008 also looks legit. It's also not.

A warning before we begin: do not boot your computer into safe mode. Leave it running as you normally would. I tried restarting into safe mode, and the malware was prepared for that--its folders and files became undetectable.

First, in the Start menu, click on Run. If you can't find the Run option, hit WIN+R. (That's the key with the Windows icon on it.)

Type in msconfig, and go to the Startup tab. You're looking for two files. One begins with the string of letters "lph," and the second begins with "rhc". The examples provided are longer strings, "lphc35dj0e1an" and "rhc75dj0e1an", but after the first three letters, the strings are known to change on different computers. Uncheck the boxes next to both of them, then click on Apply and OK or Close at the bottom of the window.

The scan window from an older version of Antivirus XP 2008.

Restart your computer, and then delete the main files the spyware uses. In Windows Explorer, navigate to C:\windows\system32 and delete the lph*.exe file. Then go to your Program Files folder, C:\program files, and delete the rhc folder and everything in it. Keep in mind that these strings are known to change.

Restart your computer normally. You'll notice that the background hasn't changed. To restore your desktop settings, you'll need to go to Start > Run again, or Win+R. This time, type in Gpedit.msc. On the left nav, look for User Configuration near the middle. Navigate through Administrative Templates, then Control Panel, and finally Display. When you click on display, you'll see a list of options open in the central pane. Right click on "Remove Display in Control Panel," and click "Properties." Then choose "Disabled."

Repeat those same steps for the following attributes: Hide Desktop, Prevent changing wallpaper, Hide Appearance and Themes, Hide Settings, and Hide Screen Saver. Change all to "Disabled," then hit Apply, OK, and restart your computer.

You will still see the Antivirus XP 2008 desktop "theme", but now you can change it. Anywhere on your desktop, right-click and select properties. The first tab that opens should allow you to change your theme. If you also suffer from massive icons, use the last tab on the right, Settings. In the middle of that tab's window you'll see a Screen Resolution option, most likely set to 800x600. Move the slider to the left to choose a more aesthetically appealing resolution.

CNET Top 5
Companies Apple could buy with their billions
Apple's sitting on a massive pile of cash. Here are five interesting ways they could spend it.
Play Video
 

Member Comments