Hijacked by AntiVirus Gold

Archived from groups: microsoft.public.windowsxp.help_and_support

Earlier today, my main computer was hi-jacked by Antivirus Gold. I
can uninstall it, but it returns immediately upon reboot. Try as I
might, I cannot get rid of it. It's taken over my desktop and
will not allow me to change it, constant black background with a huge
"Buy Me" advertisement.

It seems to behave like Spyware, but Microsoft's beta spyware
detection and removal utility doesn't know about this and fails to see
it. In fact, none of my housekeeping utilities, including SpyBot,
AdAware, Registry FirstAid, etc., see it or remove it.

It won't leave me alone, constantly popping up with warning messages
urging me to buy.

At the same time this happened, 3 virus did invade my computer,
notwithstanding the presence of my SMC Barricade Router:

sysupd.dll
delprot.sys
edmond.exe

My Norton Anti-Virus detects and removes them following reboot. But
upon the next reboot, these 3 infected files have somehow been
restored and are still there. After Norton has done its thing, a
file search fails to find them, confirming deletion. But they keep
coming back.

I have a sinking feeling that this Antivirus Gold utility deliberately
planted these viruses, and will not allow them to be permanently
removed until I pay for it. Ugly, ugly, ugly...... :-(

Suggestions on how to get rid of Antivirus Gold and these 3 virus
would be appreciated. It somehow got itself installed without my
knowledge or concurrence. I already have Norton Anti-Virus which
until now has served me well.

I'm running WinXP Home, fully updated, including Microsoft AntiSpyware
beta 1.

Regards,

Terry Smythe
Winnipeg, Canada
  1.

    The top anti-spyware program is Webroot Spysweeper. Its real time
    protection is buggy as hell, but its scanner is the best.

    You also might try TDS-3, which is antitrojan software. You never know how
    what you are dealing with is classified. The fact that there are pieces of
    this thing that cannot be deleted and restore the original program indicate
    it is behaving an awful lot like an advanced trojan.

    Both programs have legitimate trial versions.

    What in the hell were you doing installing some off-brand anti-virus
    software? Never install anything that isn't on Virus Bulletin's approved
    list. The two universal choices of anti-virus software by knowledgeable
    people are Kaspersky and Eset NOD32.

    "Terry Smythe" <smythe@shaw.ca> wrote in message
    news:nrt79190qjgf0p4pbs07gn2mgpbfth813g@4ax.com...
    > Earlier today, my main computer was hi-jacked by Antivirus Gold. I
    > can uninstall it, but it returns immediately upon reboot. Try as I
    > might, I cannot get rid of it. It's taken over my desktop and
    > will not allow me to change it, constant black background with a huge
    > "Buy Me" advertisement.
    >
    > It seems to behave like Spyware, but Microsoft's beta spyware
    > detection and removal utility doesn't know about this and fails to see
    > it. In fact, none of my housekeeping utilities, including SpyBot,
    > AdAware, Registry FirstAid, etc., see it or remove it.
    >
    > It won't leave me alone, constantly popping up with warning messages
    > urging me to buy.
    >
    > At the same time this happened, 3 virus did invade my computer,
    > notwithstanding the presence of my SMC Barricade Router:
    >
    > sysupd.dll
    > delprot.sys
    > edmond.exe
    >
    > My Norton Anti-Virus detects and removes them following reboot. But
    > upon the next reboot, these 3 infected files have somehow been
    > restored and are still there. After Norton has done its thing, a
    > file search fails to find them, confirming deletion. But they keep
    > coming back.
    >
    > I have a sinking feeling that this Antivirus Gold utility deliberately
    > planted these viruses, and will not allow them to be permanently
    > removed until I pay for it. Ugly, ugly, ugly...... :-(
    >
    > Suggestions on how to get rid of Antivirus Gold and these 3 virus
    > would be appreciated. It somehow got itself installed without my
    > knowledge or concurrence. I already have Norton Anti-Virus which
    > until now has served me well.
    >
    > I'm running WinXP Home, fully updated, including Microsoft AntiSpyware
    > beta 1.
    >
    > Regards,
    >
    > Terry Smythe
    > Winnipeg, Canada
    >
  2.

    A list of what to do to ensure viruses, spyware, and adware off of your
    computer.
    1.. Don't use Internet Explorer, use Firefox. <---- Don't boot me for this
    2.. Turn off system restore and reboot.
    3.. Scan online for free at
    http://housecall.trendmicro.com/housecall/start_corp.asp and
    http://security.symantec.com/sscv6/home.asp?productid=symhome&langid=ie&venid=sym&close_parent=true.
    4.. Download "Spybot Search and Destroy", Ad-Aware SE, Spywareblaster, and
    Microsoft Anti Spyware Beta. All of these are freeware. Then run each in
    turn.
    5.. Reboot computer and turn back on system restore.
    Locke

    "Terry Smythe" <smythe@shaw.ca> wrote in message
    news:nrt79190qjgf0p4pbs07gn2mgpbfth813g@4ax.com...
    > Earlier today, my main computer was hi-jacked by Antivirus Gold. I
    > can uninstall it, but it returns immediately upon reboot. Try as I
    > might, I cannot get rid of it. It's taken over my desktop and
    > will not allow me to change it, constant black background with a huge
    > "Buy Me" advertisement.
    >
    > It seems to behave like Spyware, but Microsoft's beta spyware
    > detection and removal utility doesn't know about this and fails to see
    > it. In fact, none of my housekeeping utilities, including SpyBot,
    > AdAware, Registry FirstAid, etc., see it or remove it.
    >
    > It won't leave me alone, constantly popping up with warning messages
    > urging me to buy.
    >
    > At the same time this happened, 3 virus did invade my computer,
    > notwithstanding the presence of my SMC Barricade Router:
    >
    > sysupd.dll
    > delprot.sys
    > edmond.exe
    >
    > My Norton Anti-Virus detects and removes them following reboot. But
    > upon the next reboot, these 3 infected files have somehow been
    > restored and are still there. After Norton has done its thing, a
    > file search fails to find them, confirming deletion. But they keep
    > coming back.
    >
    > I have a sinking feeling that this Antivirus Gold utility deliberately
    > planted these viruses, and will not allow them to be permanently
    > removed until I pay for it. Ugly, ugly, ugly...... :-(
    >
    > Suggestions on how to get rid of Antivirus Gold and these 3 virus
    > would be appreciated. It somehow got itself installed without my
    > knowledge or concurrence. I already have Norton Anti-Virus which
    > until now has served me well.
    >
    > I'm running WinXP Home, fully updated, including Microsoft AntiSpyware
    > beta 1.
    >
    > Regards,
    >
    > Terry Smythe
    > Winnipeg, Canada
    >
  3.

    "Locke" <this@that.com> wrote in message
    news:HP1le.18473$Fv.13580@lakeread01...
    >A list of what to do to ensure viruses, spyware, and adware off of your
    >computer.
    > 1.. Don't use Internet Explorer, use Firefox. <---- Don't boot me for
    > this

    In the future this might be a good idea but it won't get the junk off of his
    computer now.

    > 3.. Scan online for free at
    > http://housecall.trendmicro.com/housecall/start_corp.asp and
    > http://security.symantec.com/sscv6/home.asp?productid=symhome&langid=ie&venid=sym&close_parent=true.
    > 4.. Download "Spybot Search and Destroy", Ad-Aware SE, Spywareblaster,
    > and Microsoft Anti Spyware Beta. All of these are freeware. Then run each
    > in turn.
    He's already mentioned that he's run those. Sometimes the freeware doesn't
    cut it. And those online scanners are really worthless!
  4.

    That's true but the good thing about using something like the Trend
    Micro is that it isn't corrupted by your virus so there is a chance that it
    might find the virus that Norton might not. Also you have to remember to
    turn off the System Restore anytime something has infected the computer to
    have it truly removed. That list I posted is just a good to know list for
    some of the items and suggestions to remove infections for the rest.

    Locke

    "Mister Scary" <daniel_newhouse@earthlink.net> wrote in message
    news:%23N1b5$VYFHA.2420@TK2MSFTNGP12.phx.gbl...
    >
    > "Locke" <this@that.com> wrote in message
    > news:HP1le.18473$Fv.13580@lakeread01...
    >>A list of what to do to ensure viruses, spyware, and adware off of your
    >>computer.
    >> 1.. Don't use Internet Explorer, use Firefox. <---- Don't boot me for
    >> this
    >
    > In the future this might be a good idea but it won't get the junk off of
    > his computer now.
    >
    >> 3.. Scan online for free at
    >> http://housecall.trendmicro.com/housecall/start_corp.asp and
    >> http://security.symantec.com/sscv6/home.asp?productid=symhome&langid=ie&venid=sym&close_parent=true.
    >> 4.. Download "Spybot Search and Destroy", Ad-Aware SE, Spywareblaster,
    >> and Microsoft Anti Spyware Beta. All of these are freeware. Then run
    >> each in turn.
    > He's already mentioned that he's run those. Sometimes the freeware
    > doesn't cut it. And those online scanners are really worthless!
    >
  5.

    I have now verified that my desktop has been hijacked by
    "desktop.html" It resides in c:\windows I've tried
    deleting it and editing it, but can't get rid of it. Keeps coming
    back from somewhere, no matter what I do.

    It has imbedded within it a command to visit the Antivirus Gold web
    site. It appears to be extremely malicious marketing, planting 3
    virus that only it can remove, and itself. Its message is, 'if you
    want to remove these virus, then buy me'

    A search for this file on my computer reveals only 1 copy. If I
    delete it, it is replaced upon reboot. If I edit it, it is replaced
    upon reboot.

    A 'net search suggests an incredibly convoluted procedure for getting
    rid of it. Surely there must be an easier way.

    Along with SpyBot, AdAware, Microsoft's new parasite detector/remover
    fails to see it. They see all kinds of things, but won't touch this
    one. Registry First Aid finds only a single entry, deletes it, and
    upon reboot, it's back again. It's not in Startup.

    I'm hopeful of finding some kind of specific utility to remove this
    ugly parasite.

    Regards,

    Terry Smythe
  6.

    Well like I said in my list - make sure you turn off System Restore -
    you go into Control Panel -> System Restore -> Turn off on all drives. You
    can d/l a trial of Webroot's SpySweeper which is very good at finding some
    things the others miss. It is a good idea to run all of them though b/c
    different ones find different things. I also say to use Trendmicro's
    website b/c it is off of your computer and finds and cleans various things.
    The virus can reside in the System Restore and reinstall itself upon
    reboot - it doesn't have to be listed in the startup to do this. If you know
    all of the names that are used by this then search the symantec website,
    many times there is a removal tool that you can run.

    Locke

    "Terry Smythe" <smythe@shaw.ca> wrote in message
    news:d0l991lmb7qbhnb5kc3pesl5nem4rpl64k@4ax.com...
    >I have now verified that my desktop has been hijacked by
    > "desktop.html" It resides in c:\windows I've tried
    > deleting it and editing it, but can't get rid of it. Keeps coming
    > back from somewhere, no matter what I do.
    >
    > It has imbedded within it a command to visit the Antivirus Gold web
    > site. It appears to be extremely malicious marketing, planting 3
    > virus that only it can remove, and itself. Its message is, 'if you
    > want to remove these virus, then buy me'
    >
    > A search for this file on my computer reveals only 1 copy. If I
    > delete it, it is replaced upon reboot. If I edit it, it is replaced
    > upon reboot.
    >
    > A 'net search suggests an incredibly convoluted procedure for getting
    > rid of it. Surely there must be an easier way.
    >
    > Along with SpyBot, AdAware, Microsoft's new parasite detector/remover
    > fails to see it. They see all kinds of things, but won't touch this
    > one. Registry First Aid finds only a single entry, deletes it, and
    > upon reboot, it's back again. It's not in Startup.
    >
    > I'm hopeful of finding some kind of specific utility to remove this
    > ugly parasite.
    >
    > Regards,
    >
    > Terry Smythe
    >
    >
    >
    >
  7.

    "Terry Smythe" <smythe@shaw.ca> wrote in message
    news:d0l991lmb7qbhnb5kc3pesl5nem4rpl64k@4ax.com...
    >I have now verified that my desktop has been hijacked by
    > "desktop.html" It resides in c:\windows I've tried
    > deleting it and editing it, but can't get rid of it. Keeps coming
    > back from somewhere, no matter what I do.
    >
    > It has imbedded within it a command to visit the Antivirus Gold web
    > site. It appears to be extremely malicious marketing, planting 3
    > virus that only it can remove, and itself. Its message is, 'if you
    > want to remove these virus, then buy me'
    >
    > A search for this file on my computer reveals only 1 copy. If I
    > delete it, it is replaced upon reboot. If I edit it, it is replaced
    > upon reboot.
    >
    > A 'net search suggests an incredibly convoluted procedure for getting
    > rid of it. Surely there must be an easier way.
    >
    > Along with SpyBot, AdAware, Microsoft's new parasite detector/remover
    > fails to see it. They see all kinds of things, but won't touch this
    > one. Registry First Aid finds only a single entry, deletes it, and
    > upon reboot, it's back again. It's not in Startup.
    >
    > I'm hopeful of finding some kind of specific utility to remove this
    > ugly parasite.
    >
    > Regards,
    >
    > Terry Smythe
    >

    Go to the following link and download HijackThis.

    http://www.aumha.org/freeware/freeware.php#hjt

    Run it and then post the log it generates to one of the forums dedicated to
    its use. A good place to start is here:

    http://forum.aumha.org/viewforum.php?f=30

    http://www.techsupportforum.com/forumdisplay.php?f=50

    http://castlecops.com/forumx67-0-50.html

    Don't post the log here. Some malware hides very deep in the system and
    isn't detected by any of the spyware removal programs. Hijackthis and other
    tools will assist in its manual removal. Barring that you could backup your
    data and reinstall Windows and all your programs then restore the data. If
    you are unable to do either I recommend you take your computer to a
    professional to have it fixed.

    Kerry
  8.

    Hello Terry,

    I had the EXACT same problem as you (with ANTIVIRUS GOLD) and solved it
    as detailed below.

    I read the follow-up posts to your original email and it seems that
    some of the responses missed the nail in helping you out (one guy even
    criticized you for installing "off-brand" antivirus... - he missed the
    WHOLE point of your email for help not realizing that you DID NOT
    install ANTIVIRUS GOLD and that it simply took over your system).

    In any event, I went to antivirus-gold.com customer service and emailed
    a complaint asking how to get rid of this. But of course they never
    responded.

    I WAS able to get rid of it though and maybe this will help you too.

    I'm running under XP Pro.

    In Windows "Help and Support" (accessible via Start button), I clicked
    "Undo changes to your computer with System Restore".

    I then selected "Restore my computer to an earlier time". When the
    calendar came up, I selected an available restore point a few days
    BEFORE the time when this whole problem started, rebooted as requested,
    and it's fine now.

    How it happened: In my case, I let my guard down by stopping both
    McAfee Vscan and McAfee AntiSpyware. I stopped these because I was
    burning DVD's for my business. When the burning completed, I forgot to
    re-arm these guys and went surfing. I hit a site that needed to load a
    CODEC to run the video. I run a film to DVD business and I try to make
    sure I always have all the latest CODECS and so I loaded the new
    "codec" and that's when the problem started. (ok ok, it was a porn site
    ;-)

    I would appreciate you letting me know if this solution helps you at
    all.

    Veliko


    Kerry Brown wrote:
    > "Terry Smythe" <smythe@shaw.ca> wrote in message
    > news:d0l991lmb7qbhnb5kc3pesl5nem4rpl64k@4ax.com...
    > >I have now verified that my desktop has been hijacked by
    > > "desktop.html" It resides in c:\windows I've tried
    > > deleting it and editing it, but can't get rid of it. Keeps coming
    > > back from somewhere, no matter what I do.
    > >
    > > It has imbedded within it a command to visit the Antivirus Gold web
    > > site. It appears to be extremely malicious marketing, planting 3
    > > virus that only it can remove, and itself. Its message is, 'if you
    > > want to remove these virus, then buy me'
    > >
    > > A search for this file on my computer reveals only 1 copy. If I
    > > delete it, it is replaced upon reboot. If I edit it, it is replaced
    > > upon reboot.
    > >
    > > A 'net search suggests an incredibly convoluted procedure for getting
    > > rid of it. Surely there must be an easier way.
    > >
    > > Along with SpyBot, AdAware, Microsoft's new parasite detector/remover
    > > fails to see it. They see all kinds of things, but won't touch this
    > > one. Registry First Aid finds only a single entry, deletes it, and
    > > upon reboot, it's back again. It's not in Startup.
    > >
    > > I'm hopeful of finding some kind of specific utility to remove this
    > > ugly parasite.
    > >
    > > Regards,
    > >
    > > Terry Smythe
    > >
    >
    > Go to the following link and download HijackThis.
    >
    > http://www.aumha.org/freeware/freeware.php#hjt
    >
    > Run it and then post the log it generates to one of the forums dedicated to
    > its use. A good place to start is here:
    >
    > http://forum.aumha.org/viewforum.php?f=30
    >
    > http://www.techsupportforum.com/forumdisplay.php?f=50
    >
    > http://castlecops.com/forumx67-0-50.html
    >
    > Don't post the log here. Some malware hides very deep in the system and
    > isn't detected by any of the spyware removal programs. Hijackthis and other
    > tools will assist in its manual removal. Barring that you could backup your
    > data and reinstall Windows and all your programs then restore the data. If
    > you are unable to do either I recommend you take your computer to a
    > professional to have it fixed.
    >
    > Kerry
  9.

    Hello Terry,

    I had the EXACT same problem as you (with ANTIVIRUS GOLD) and solved it
    as detailed below.

    I read the follow-up posts to your original email and it seems that
    some of the responses missed the nail in helping you out (one guy even
    criticized you for installing "off-brand" antivirus... - he missed the
    WHOLE point of your email for help not realizing that you DID NOT
    install ANTIVIRUS GOLD and that it simply took over your system).

    In any event, I went to antivirus-gold.com customer service and emailed
    a complaint asking how to get rid of this. But of course they never
    responded.

    I WAS able to get rid of it though and maybe this will help you too.

    I'm running under XP Pro.

    In Windows "Help and Support" (accessible via Start button), I clicked
    "Undo changes to your computer with System Restore".

    I then selected "Restore my computer to an earlier time". When the
    calendar came up, I selected an available restore point a few days
    BEFORE the time when this whole problem started, rebooted as requested,
    and it's fine now.

    How it happened: In my case, I let my guard down by stopping both
    McAfee Vscan and McAfee AntiSpyware. I stopped these because I was
    burning DVD's for my business. When the burning completed, I forgot to
    re-arm these guys and went surfing. I hit a site that needed to load a
    CODEC to run the video. I run a film to DVD business and I try to make
    sure I always have all the latest CODECS and so I loaded the new
    "codec" and that's when the problem started. (ok ok, it was a porn site
    ;-)

    I would appreciate you letting me know if this solution helps you at
    all.

    Veliko


    --
    veliko
    Posted from http://www.pcreview.co.uk/ newsgroup access
  10.

    Hi
    Thanks a lot the problem got solved by the system restore. But the
    program got installed again after some time and now even system restore
    can't solve the problem.


    --
    janu
    Posted from http://www.pcreview.co.uk/ newsgroup access
  11.

    Hi janu,
    just yesterday i stumbled into the same problem. My 13 year old cousin
    caught this proggy but of course... "i didn't do anything".
    Whatever.
    I tried to track down how antivirus-gold kept sticking on the system
    and found that on startup a process called winnook.exe got started.
    That one was responsible for the red X in the taskbar (bottom right)
    telling you that your computer was infected. You can remove that one by
    starting msconfig from the run menu and unchecking it.
    Antivirus-gold was actually found in the software panel and could be
    uninstalled. But after the uninstall process was done it immediately
    started the internet explorer going to its website. So i checked IE's
    settings and found some IE helper objects (sorry, forgot the name.).
    But the fact that AV gold got re-installed right after that made me
    think that it must have been one of those browser helpers (thank you
    microsoft!). So i de-activated the suspicious ones.
    The website on the desktop can be removed by settings -> system panel
    -> display -> desktop -> customize desktop (don't know if that's the
    correct english term) -> web. There you can remove that website from
    the active desktop.
    After all it did not come back. But of course you never know. Today i'm
    gonna deep check that machine for virii with knoppicillin.
    I hope this will help you.

    regards
    Olson
  12.

    On 29 May 2005 04:47:42 -0700, "Olson" <spdump@gmx.de> wrote:

    >just yesterday i stumbled into the same problem.

    My computer, the one that started this thread, is still infected with
    the Antivirus Gold parasite. I have somehow been successful in
    shutting down the automatic re-install following reboot. Not sure
    what I did right. However, my desktop is still hi-jacked by the
    parasite that masquerades as an ad to buy Antivirus Gold.

    If there was ever a way to turn off a potential customer, the
    Antivirus Gold folks have been very successful. With this
    aggravation in my face at all times, I'm filled with complete hatred
    for this product.

    Microsoft's AntiSpyware, Spy-Bot, Ad-Aware, TuneUp, SpySweeper,
    CWShredder, Registry First Aid, Norton, etc., all fail to find and
    remove this insidious parasite.

    My desktop is hi-jacked by "desktop.html" which resides in c:\windows.
    I can physically delete the file, remove all traces of it from the
    registry, but instantly upon reboot, it's back again in full control
    of my desktop.

    Symantec does have a page dedicated to this, but it appears to be
    outdated, as their suggested fix does not work. So I gather that
    the folks behind Antivirus Gold have figured out a way around that
    fix, staying one-step ahead of everybody.

    What these folks are doing amounts to extortion, a criminal offense
    worthy of a formal charge.

    As this parasite has been around for a while, I'm astonished that
    Microsoft has not picked up on it, and added a fix to their
    AntiSpyware.

    If anybody comes up with a permanent fix, they will be a hero in the
    eyes of many.

    Regards,

    Terry Smythe
    Winnipeg, Canada
  13.

    "Terry Smythe" <smythe@shaw.ca> wrote in message
    news:ajdm919va0m3afqedq079lbmea98k297fc@4ax.com...
    > On 29 May 2005 04:47:42 -0700, "Olson" <spdump@gmx.de> wrote:
    >
    >>just yesterday i stumbled into the same problem.
    >
    > My computer, the one that started this thread, is still infected with
    > the Antivirus Gold parasite. I have somehow been successful in
    > shutting down the automatic re-install following reboot. Not sure
    > what I did right. However, my desktop is still hi-jacked by the
    > parasite that masquerades as an ad to buy Antivirus Gold.
    >
    > If there was ever a way to turn off a potential customer, the
    > Antivirus Gold folks have been very successful. With this
    > aggravation in my face at all times, I'm filled with complete hatred
    > for this product.
    >
    > Microsoft's AntiSpyware, Spy-Bot, Ad-Aware, TuneUp, SpySweeper,
    > CWShredder, Registry First Aid, Norton, etc., all fail to find and
    > remove this insidious parasite.
    >
    > My desktop is hi-jacked by "desktop.html" which resides in c:\windows.
    > I can physically delete the file, remove all traces of it from the
    > registry, but instantly upon reboot, it's back again in full control
    > of my desktop.
    >
    > Symantec does have a page dedicated to this, but it appears to be
    > outdated, as their suggested fix does not work. So I gather that
    > the folks behind Antivirus Gold have figured out a way around that
    > fix, staying one-step ahead of everybody.
    >
    > What these folks are doing amounts to extortion, a criminal offense
    > worthy of a formal charge.
    >
    > As this parasite has been around for a while, I'm astonished that
    > Microsoft has not picked up on it, and added a fix to their
    > AntiSpyware.
    >
    > If anybody comes up with a permanent fix, they will be a hero in the
    > eyes of many.
    >
    > Regards,
    >
    > Terry Smythe
    > Winnipeg, Canada
    >
    >

    Did you download and run HijackThis then post your log to the recommended
    forums?

    Kerry
  14.

    Hi Olson,

    I did what u told to do and the desktop has been cleaned but the
    program did install again so i did what u told me again but after that
    i also deleted the folder in the Program Files Folder . The only thing
    is that the entry in the msconfig still remains and is disactivated.

    When it install i checked the msconfig and i had 2 entries 1
    disactivated and one active but when i disactivated the other one too,
    i have only 1 entry.

    Hope it doesn't bother again. If it happens again will have to find the
    culprit file.

    Thanks for your help.
    Janu


    --
    janu
    Posted from http://www.pcreview.co.uk/ newsgroup access
  15.

    Hi
    I have noticed another thing it keeps installing in the Favorites links
    which i have deleted like a 100 times now but wouldn't go away i restart
    explorer and it installs even installs if you open a new window.

    Don't know when i will get rid of this stupid thing.

    I have even removed the registry of winnook.exe.
    also removed files from prefetch folder so there are no backups to the
    files.

    Without luck.
    Hope a good solution to this problem comes fast i am losing my mind.

    Take care


    --
    janu
    Posted from http://www.pcreview.co.uk/ newsgroup access
  16.

    "janu" <janu.1pvhom@> wrote in message
    news:eO2dnb_JX5pTXQbfRVn_vg@giganews.com...
    >
    > Hi
    > I have noticed another thing it keeps installing in the Favorites links
    > which i have deleted like a 100 times now but wouldn't go away i restart
    > explorer and it installs even installs if you open a new window.
    >
    > Don't know when i will get rid of this stupid thing.
    >
    > I have even removed the registry of winnook.exe.
    > also removed files from prefetch folder so there are no backups to the
    > files.
    >
    > Without luck.
    > Hope a good solution to this problem comes fast i am losing my mind.
    >
    > Take care
    >
    >
    > --
    > janu
    > Posted from http://www.pcreview.co.uk/ newsgroup access
    >

    I know I'm harping on this but have either you or Terry Smythe tried
    HijackThis? When all other programs fail HijackThis will usually get to the
    root of the problem. It is a program for advanced users so do not use it
    blindly. Read the FAQ at the following link then follow the instructions you
    find there.

    http://forums.spywareinfo.com/

    Kerry
  17.

    I had the same EXACT problem...Sunday i went to a soccer game came home
    finding out that my sister used my computer and this software installed
    itself...HOWEVER there is a way to remove that background...It is just an
    oversized window, so if you get it look at the top of ur screen and you
    see a grey bar or some kind or line and drag down and it just moves the
    window down and you simply close the X....My problem is that after i
    uninstall the little icon saying my computer is infected still stays in
    my toolbar. Now this was the other day Sunday, and i restored my
    computer to last Friday. This worked however, today the program
    reinstalled itself and i did not use internet explorer. I have
    firefox. Along with this program installing itself again some other
    junk installed on my computer and i got 5 new icons on my desktop in
    total. I did a system restore and not more then 5 minutes after the
    restore the AVG software installed itself again. I contacted the
    company...of course no reply. I tried deleting the files under
    "regedit" from the Run command and one file for this program was a
    default and could not be deleted. But i guess im just gonna try to
    restore my computer to a few weeks ago and see if that helps.


    --
    e[x]!t
    Posted from http://www.pcreview.co.uk/ newsgroup access
  18.

    Run Hijackthis and place a check beside each of the following. Once you
    have checked them, click fix checked.
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL =
    http://aflashcounter.com/?a=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL =
    http://aflashcounter.com/?a=2

    Download noact reg to desktop:
    http://home9.inet.tele.dk/le01/Sikkerhed.htm
    Doubleclick on it, say yes to merge.

    Reboot, post new log and tell how things are running


    --
    CGKBA
    Posted from http://www.pcreview.co.uk/ newsgroup access
  19. Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

    I finally got rid of the desktop danger thing, the redirects and
    everything those dirtbags at Antivirus Gold threw at me. I did it by
    using the free scans from SpywareNuker (aka pcOrion) and Xoftspy. I
    did the Nuker first and printed out the results from my scan, then
    found and deleted the cookies and files where it told me to find them
    on my C:/ Then I went into the regedit thing and did the same thing on
    my registry. All together Nuker found 22 nasties for me to delete.
    After that I still had the black screen up and the red X on my task bar
    so I used the Xoftspy scan and it dug up another list. I pretty much
    followed the locations it gave me and I got rid of everything else
    except the black desktop screen became white and I couldn't get rid of
    it. I Dogpiled AVGold and found y'all on this string and I want to
    thank e[x]!t for his help. He's right, I just clicked and dragged the
    top of that window down, found the X in the upper right corner and it's
    gone!

    I just registered on this site to thank you all for the advice I got
    reading the posts and wanted to share how I got over on AVGold. I'm
    pretty much a complete computer neophyte and I think my total ignorance
    allowed me to mess with my registry without a second thought and I just
    got lucky picking a couple of scans that happened to work out. But hey
    it worked for me, and if anybody knows how to trash AntiVirus Gold I'll
    be happy to hold the door open. Thanks for your help.


    --
    gregp86
    Posted from http://www.pcreview.co.uk/ newsgroup access
  20. Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

    You are using programs that are probably bundled with spyware. I only know
    about the good stuff. I never heard of AVGold, Nuker, Softspy etc. Don't buy
    anything without checking with www.spywareinfo.com for a start. I use free
    avast virus software, free ad-aware, free spybot s&d, free microsoft-beta
    antispyware (not all at the same time) and I never had a problem. Security is
    #1. My advice, download "eraser" from heidi software (free), create a floppy
    nuke disk, erase the disk clean, reformat, and install a clean os. Then
    install sp2 for a firewall, update at microsoft, get zone alarm
    firewall-free, avast, and what I mentioned before. Before you buy an app, a
    game, especially free screensavers, learn all you can about adware and
    spyware. If you have a good virus program (avast updates automatically)
    you'll be ok.
    --
    oralcumfix


    "gregp86" wrote:

    >
    > I finally got rid of the desktop danger thing, the redirects and
    > everything those dirtbags at Antivirus Gold threw at me. I did it by
    > using the free scans from SpywareNuker (aka pcOrion) and Xoftspy. I
    > did the Nuker first and printed out the results from my scan, then
    > found and deleted the cookies and files where it told me to find them
    > on my C:/ Then I went into the regedit thing and did the same thing on
    > my registry. All together Nuker found 22 nasties for me to delete.
    > After that I still had the black screen up and the red X on my task bar
    > so I used the Xoftspy scan and it dug up another list. I pretty much
    > followed the locations it gave me and I got rid of everything else
    > except the black desktop screen became white and I couldn't get rid of
    > it. I Dogpiled AVGold and found y'all on this string and I want to
    > thank e[x]!t for his help. He's right, I just clicked and dragged the
    > top of that window down, found the X in the upper right corner and it's
    > gone!
    >
    > I just registered on this site to thank you all for the advice I got
    > reading the posts and wanted to share how I got over on AVGold. I'm
    > pretty much a complete computer neophyte and I think my total ignorance
    > allowed me to mess with my registry without a second thought and I just
    > got lucky picking a couple of scans that happened to work out. But hey
    > it worked for me, and if anybody knows how to trash AntiVirus Gold I'll
    > be happy to hold the door open. Thanks for your help.
    >
    >
    > --
    > gregp86
    > Posted from http://www.pcreview.co.uk/ newsgroup access
    >
    >
  21. Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

    this thing is driving me mental!! this is what hijackthis says:
    Your ideas would be greatly appreciated..


    Logfile of HijackThis v1.99.1
    Scan saved at 2:21:40 a.m., on 10/06/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\system32\hookdump.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\360Share\Gui\360Share.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Pinch\Desktop\HijackThis.exe
    C:\WINDOWS\notepad.exe

    R3 - Default URLSearchHook is missing
    O1 - Hosts: 213.219.251.78 google.co.uk
    O1 - Hosts: 213.219.251.78 www.google.es
    O1 - Hosts: 213.219.251.78 google.es
    O1 - Hosts: 213.219.251.78 google.com.au
    O1 - Hosts: 66.218.75.184 mail.yahoo.com
    O1 - Hosts: 213.219.251.80 www.search.msn.com
    O1 - Hosts: 213.219.251.80 go.com
    O1 - Hosts: 213.219.251.80 www.go.com
    O2 - BHO: SuperAdBlockerBHO Class -
    {00000000-6C30-11D8-9363-000AE6309654} - C:\Program
    Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}
    - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
    O2 - BHO: PCTools Browser Monitor -
    {B56A7D7D-6927-48C8-A975-17DF180C71AC} -
    C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O3 - Toolbar: Super Ad Blocker Toolbar -
    {B4B3001E-0F56-4E51-8250-BDE11547EC55} - C:\Program
    Files\SuperAdBlocker.com\Super Ad Blocker\sabtb.dll (file missing)
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI
    Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP
    Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program
    Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common
    Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
    Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: C:\Program
    Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Windows Cleaner] "C:\Program Files\Windows Cleaner
    Full/WindowsCleanerFull"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
    Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
    Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [Barv] C:\WINDOWS\mefkkykm.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0
    -k
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN
    Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero
    BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy
    Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Intel system tool]
    C:\WINDOWS\system32\hookdump.exe
    O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program
    Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
    O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware
    Doctor\swdoctor.exe" /Q
    O4 - Startup: 360Share On Startup.lnk = C:\Program
    Files\360Share\Gui\360Share.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program
    Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel -
    res://C:\MSOffice\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console -
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
    Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
    O9 - Extra button: Spyware Doctor -
    {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -
    C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C}
    - C:\Program Files\Common Files\Microsoft Shared\Encarta Search
    Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
    - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
    Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
    Advantage Validation Tool) -
    http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload
    Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader
    Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control)
    -
    http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
    (MsnMessengerSetupDownloadControl Class) -
    http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O17 -
    HKLM\System\CCS\Services\Tcpip\..\{EC008768-3D34-4F3C-A557-AA4D38B10841}:
    NameServer = 192.168.1.254
    O23 - Service: Ati HotKey Poller - Unknown owner -
    C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner -
    C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -
    C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program
    Files\Common Files\Macromedia Shared\Service\Macromedia
    Licensing.exe
    O23 - Service: Pml Driver HPZ12 - HP -
    C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner -
    C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file
    missing)
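
Added example (not part of the post above or of HijackThis): a Python triage helper for logs pasted into a newsgroup like this one. It rejoins entries that were wrapped across lines, groups the O1 hosts-file overrides by IP address, lists entries marked "(file missing)", and splits O4 Run entries into hive, value name and command. The sample is an excerpt of the log above with its wrapping kept; the function names are hypothetical and the output is a review list, not a verdict on any entry.

```python
import re
from collections import defaultdict

# Excerpt of the log posted above, newsreader line wrapping left as-is.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

R3 - Default URLSearchHook is missing
O1 - Hosts: 213.219.251.78 google.co.uk
O1 - Hosts: 213.219.251.78 www.google.es
O1 - Hosts: 213.219.251.80 go.com
O2 - BHO: SuperAdBlockerBHO Class -
{00000000-6C30-11D8-9363-000AE6309654} - C:\Program
Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Intel system tool]
C:\WINDOWS\system32\hookdump.exe
O23 - Service: Super Ad Blocker Service (SABSVC) - Unknown owner -
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE (file
missing)
"""

# An entry starts with a section code such as R3, O1, O4 or O23.
ENTRY_START = re.compile(r"^([RFNO]\d{1,2}) -(?: (.*))?$")
# O1 body: "Hosts: <ip> <hostname>"
HOSTS_ENTRY = re.compile(r"^Hosts: (\d{1,3}(?:\.\d{1,3}){3}) (\S+)$")
# O4 registry body: "HKLM\..\Run: [value name] command line"
RUN_ENTRY = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): (?:\[(.*?)\] ?)?(.*)$")


def parse_entries(text):
    """Return (code, body) tuples, rejoining entries wrapped over several lines."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()   # tolerate indentation and "> " quoting
        m = ENTRY_START.match(line)
        if m:
            current = [m.group(1), [m.group(2) or ""]]
            entries.append(current)
        elif not line:
            current = None                   # a blank line ends the current entry
        elif current is not None:
            current[1].append(line)          # continuation of a wrapped entry
        # anything before the first entry (header, process list) is skipped
    return [(code, " ".join(parts).strip()) for code, parts in entries]


def triage(entries):
    """Group the entries a reviewer usually reads first."""
    hosts_by_ip = defaultdict(list)
    file_missing, autoruns = [], []
    for code, body in entries:
        if code == "O1":
            m = HOSTS_ENTRY.match(body)
            if m:
                hosts_by_ip[m.group(1)].append(m.group(2))
        elif code == "O4":
            m = RUN_ENTRY.match(body)
            if m:
                hive, key, name, command = m.groups()
                autoruns.append(
                    {"hive": hive, "key": key, "name": name, "command": command}
                )
        if body.endswith("(file missing)"):
            file_missing.append((code, body))
    return {
        "hosts_by_ip": dict(hosts_by_ip),
        "file_missing": file_missing,
        "autoruns": autoruns,
    }


if __name__ == "__main__":
    report = triage(parse_entries(SAMPLE_LOG))
    print("Hosts-file overrides (each bypasses DNS for the listed names):")
    for ip, names in report["hosts_by_ip"].items():
        print(f"  {ip}: {', '.join(names)}")
    print("Entries whose target file is missing (leftover registrations):")
    for code, body in report["file_missing"]:
        print(f"  {code}: {body}")
    print("Registry autoruns to check against installed software:")
    for run in report["autoruns"]:
        print(f"  {run['hive']} {run['key']} [{run['name']}] -> {run['command']}")
```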
  22. Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

    Nobody knows what "darn problem" you have because you didn't describe one.
    Post HiJack This logs in one of the forums created for that purpose, like
    Tom Coyote:
    http://forums.tomcoyote.org/index.php?showforum=27

    --
    Ted Zieglar
    "You can do it if you try."

    "finch21" <element862@hotmail-dot-com.no-spam.invalid> wrote in message
    news:-L-dnUPNgNB6VzjfRVn_vg@giganews.com...
    > this thing is driving me mental!! this is what hijackthis says:
    > Your ideas would be greatly appreciated..
  23. Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

    Sorry Ted, it's the antivirus gold like everyone else that's the problem,
    can't seem to get rid of that stupid little red cross on toolbar, but
    I'll check out Tom Coyote, cheers :)
  24. Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

    Hi, I have had the problem with avgold too. Now, there are several users
    on this pc, and I saw other users don't have problems with it, so what I
    have done:

    I made a backup of all my files
    then made a new user
    put my files in the new user
    deleted the user where avgold is on and... you are rid of the avgold
    problem!


    --
    WildChild
    Posted from http://www.pcreview.co.uk/ newsgroup access
  25. Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

    Hi, I read all these posts and was having the same problem with that darn
    trojan two days ago. I have found a solution and I felt obligated to
    post it for all of you. I have Ad-Aware running on my computer and it
    just wasn't cutting it. What I ended up doing was downloading the freeware
    version of Spybot Search and Destroy and the free 15-day trial of
    Webroot Spy Sweeper. I ran them all together and it fixed it. I think
    that the Webroot Spy Sweeper was the key because in the free scan that
    you can do on their website, it was the only program to recognize the
    antivirus gold as a trojan. I don't know if it worked because all three
    programs removed part of it, but it worked. Webroot asked me to reboot
    the system and when I did, there was no warning in the background and no
    (X) in the toolbar.

    Hope that helps,
    Dazed and Confused

    Badabang


    --
    badabang
    Posted from http://www.pcreview.co.uk/ newsgroup access
  26. Archived from groups: microsoft.public.windowsxp.help_and_support (More info?)

    Here is a copy of my HijackThis scan:
    Logfile of HijackThis v1.99.0
    Scan saved at 10:13:12 PM, on 6/20/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\DOCUME~1\Pat\LOCALS~1\Temp\Rar$EX03.688\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    http://www.insightbb.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
    Microsoft Internet Explorer provided by Insight Broadband
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName
    =
    O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} -
    C:\Program Files\E-Book Systems\FlipAlbum 6 Pro Eval\fplaunch.dll
    O2 - BHO: AcroIEToolbarHelper Class -
    {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat
    7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
    C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SAClient] "C:\Program
    Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
    AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet
    Security 2005\pccguide.exe"
    O4 - HKLM\..\Run: [Anti Trojan Elite] C:\Program Files\Anti Trojan
    Elite\TJEnder.exe :NO
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program
    Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common
    Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
    Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
    present
    O8 - Extra context menu item: Convert link target to Adobe PDF -
    res://C:\Program Files\Adobe\Acrobat
    7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF -
    res://C:\Program Files\Adobe\Acrobat
    7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF -
    res://C:\Program Files\Adobe\Acrobat
    7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF -
    res://C:\Program Files\Adobe\Acrobat
    7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF -
    res://C:\Program Files\Adobe\Acrobat
    7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF -
    res://C:\Program Files\Adobe\Acrobat
    7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program
    Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF -
    res://C:\Program Files\Adobe\Acrobat
    7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel -
    res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} -
    C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
    {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program
    Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger -
    {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
    Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet
    Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
    O16 - DPF: ppctlcab -
    http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: WebControlDeploy - https://grouper.com/v1/GrouperSetup.cab
    O16 - DPF: Yahoo! MahJong Solitaire -
    http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
    Advantage Validation Tool) -
    http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
    https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus
    scanner) -
    http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13}
    (PPSDKActiveXScanner.MainScreen) -
    http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager
    Control) - http://tinyurl.com/b7dc9
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
    - http://tinyurl.com/8zso6
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI
    Utility Class) -
    http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
    http://tinyurl.com/4xgfy
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) -
    http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline
    Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
    http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) -
    http://tinyurl.com/c3j8a
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer
    Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm
    Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo
    Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
    O16 - DPF: {D1792F99-AA90-4D46-8B73-2CE45DADDD3C} (WAFDownloader Class)
    - https://www.web-a-file.com/webafiledownloader.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)
    - http://tinyurl.com/76o8j
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program
    Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. -
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. -
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation -
    C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Trend Micro Central Control Component - Trend Micro
    Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service - Trend Micro
    Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. -
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. -
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


    Can anyone tell me what to do about the AntiVirus Gold invasion on my
    computer?
    I can not do a system restore for I undid that months ago.

    Please help, this black screen is driving me nuts. I finally got it to
    stop downloading unless I accidentally click off of the icon I am trying
    to open.

    This has been going on for a week and I am about to throw this thing out
    the window.

    HELP ME PLEASE

    Hoosiermom


    --
    hoosiermom
    Posted from http://www.pcreview.co.uk/ newsgroup access
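An added example, not part of the thread and not HijackThis's own code: the log pasted above was wrapped by the newsgroup client, so single entries are split across two lines. The Python below rejoins wrapped O16 (ActiveX download) and O23 (service) entries and marks O16 items that deserve a manual look. The function names and the two review heuristics are assumptions of this example; the sample lines are copied from the post above.

```python
import re
from urllib.parse import urlparse

# Entries copied from the log in the post above, wrapped as the newsgroup left them.
SAMPLE = r"""
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://tinyurl.com/4xgfy
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline
Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program
Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

ENTRY_START = re.compile(r"^[OFRN]\d+ - ")   # every log entry opens with a section code
DPF = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*)\))? - (\S+)$")
SVC = re.compile(r"^O23 - Service: (.+?) - (.+) - ([A-Za-z]:\\.+)$")
SHORTENERS = {"tinyurl.com"}                 # assumption: extend as needed

def rejoin(text):
    """Undo mail wrapping: a line that opens no new entry continues the last one.
    A blank line closes the log, so prose that follows it is ignored."""
    entries, open_entry = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if ENTRY_START.match(line):
            entries.append(line)
            open_entry = True
        elif line and open_entry:
            entries[-1] += " " + line
        else:
            open_entry = False
    return entries

def triage(text):
    """Return (section, id_or_name, label, location, review_notes) per entry."""
    findings = []
    for entry in rejoin(text):
        if m := DPF.match(entry):
            clsid, name, url = m.groups()
            checks = ((not name, "no control name"),
                      (urlparse(url).hostname in SHORTENERS,
                       "codebase behind URL shortener"))
            findings.append(("O16", clsid, name, url, [msg for bad, msg in checks if bad]))
        elif m := SVC.match(entry):
            name, vendor, path = m.groups()
            findings.append(("O23", name, vendor, path, []))
    return findings
```

A review note means only that the entry cannot be judged from the log line alone, not that it is malicious.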
  27. Archived from groups: microsoft.public.windowsxp.help_and_support

    I was attacked by antivirus gold or last night. I've been reading these
    posts, and through trial and error of using different advice given, I found
    that, as said, using spysweeper (free 15 day trial) got rid of it. Maybe
    they've updated it recently or something. Thanks to everyone for their
    support and advice.


    --
    funky junktion
    Posted from http://www.pcreview.co.uk/ newsgroup access
  28. Archived from groups: microsoft.public.windowsxp.help_and_support

    I have run and have been running the full blown version of Webroot
    SpySweeper and it has done nothing. I still have it and it is driving
    me up a wall. Please, someone has to know how to get rid of this thing.


    --
    hoosiermom
    Posted from http://www.pcreview.co.uk/ newsgroup access
  29. Archived from groups: microsoft.public.windowsxp.help_and_support

    Hey,

    If I was being honest too, I also fell for the codec trick
    (www.vcodec.com or something, DO NOT DOWNLOAD) whilst needing to watch
    "Amusements". Looking through a few replies here none of you have it
    as bad as you do (might not have read a post that has this problem).
    The website that the warning is linked to in the desktop might or it
    might be one of the viruses shoved in, is constantly crashing my active
    desktop leaving me with no time to get 3 clicks in before I get the
    "Send Error Report" window from Windows before it crashes and flicks up
    again and crashes, it continues doing this until I rapid click the
    shutdown buttons before it crashes again :). Turns out also that my
    brother was going to change our antivirus software but 'didn't get
    round to finishing the job'. And with this problem I can't even install
    new software or even have enough time to pay the criminals (that's gotta
    be able to be dealt with?). Help asap please.

    veliko Wrote:
    > Hello Terry,
    >
    > I had the EXACT same problem as you (with ANTIVIRUS GOLD) and solved
    > it as detailed below.
    >
    > I read the follow-up posts to your original email and it seems that
    > some of the responses missed the nail in helping you out (one guy even
    > criticized you for installing "off-brand" antivirus... - he missed the
    > WHOLE point of your email for help not realizing that you DID NOT
    > install ANTIVIRUS GOLD and that it simply took over your system).
    >
    > In any event, I went to antivirus-gold.com customer service and emailed
    > a complaint asking how to get rid of this. But of course they never
    > responded.
    >
    > I WAS able to get rid of it though and maybe this will help you too.
    >
    > I'm running under XP Pro.
    >
    > In Windows "Help and Support" (accessible via Start button), I clicked
    > "Undo changes to your computer with System Restore".
    >
    > I then selected "Restore my computer to an earlier time". When the
    > calendar came up, I selected an available restore point a few days
    > BEFORE the time when this whole problem started, rebooted as
    > requested, and it's fine now.
    >
    > How it happened: In my case, I let my guard down by stopping both
    > McAfee Vscan and McAfee AntiSpyware. I stopped these because I was
    > burning DVD's for my business. When the burning completed, I forgot to
    > re-arm these guys and went surfing. I hit a site that needed to load a
    > CODEC to run the video. I run a film to DVD business and I try to make
    > sure I always have all the latest CODECS and so I loaded the new
    > "codec" and that's when the problem started. (ok ok, it was a porn
    > site ;-)
    >
    > I would appreciate you letting me know if this solution helps you at
    > all.
    >
    > Veliko
    >
    >
    >
    > Kerry Brown wrote:
    > > "Terry Smythe" <smythe@shaw.ca> wrote in message
    > > news:d0l991lmb7qbhnb5kc3pesl5nem4rpl64k@4ax.com...
    > > > I have now verified that my desktop has been hijacked by
    > > > "desktop.html" It resides in c:\windows I've tried
    > > > deleting it and editing it, but can't get rid of it. Keeps coming
    > > > back from somewhere, no matter what I do.
    > > >
    > > > It has imbedded within it a command to visit the Antivirus Gold web
    > > > site. It appears to be extremely malicious marketing, planting 3
    > > > viruses that only it can remove, and itself. Its message is, 'if you
    > > > want to remove these viruses, then buy me'
    > > >
    > > > A search for this file on my computer reveals only 1 copy. If I
    > > > delete it, it is replaced upon reboot. If I edit it, it is replaced
    > > > upon reboot.
    > > >
    > > > A 'net search suggests an incredibly convoluted procedure for getting
    > > > rid of it. Surely there must be an easier way.
    > > >
    > > > Along with SpyBot, AdAware, Microsoft's new parasite detector/remover
    > > > fails to see it. They see all kinds of things, but won't touch this
    > > > one. Registry First Aid finds only a single entry, deletes it, and
    > > > upon reboot, it's back again. It's not in Startup.
    > > >
    > > > I'm hopeful of finding some kind of specific utility to remove this
    > > > ugly parasite.
    > > >
    > > > Regards,
    > > >
    > > > Terry Smythe
    > > >
    > >
    > > Go to the following link and download HijackThis.
    > >
    > > http://www.aumha.org/freeware/freeware.php#hjt
    > >
    > > Run it and then post the log it generates to one of the forums
    > > dedicated to its use. A good place to start is here:
    > >
    > > http://forum.aumha.org/viewforum.php?f=30
    > >
    > > http://www.techsupportforum.com/forumdisplay.php?f=50
    > >
    > > http://castlecops.com/forumx67-0-50.html
    > >
    > > Don't post the log here. Some malware hides very deep in the system
    > > and isn't detected by any of the spyware removal programs. Hijackthis
    > > and other tools will assist in its manual removal. Barring that you
    > > could backup your data and reinstall Windows and all your programs
    > > then restore the data. If you are unable to do either I recommend you
    > > take your computer to a professional to have it fixed.
    > >
    > > Kerry


    --
    sir rob
    Posted from http://www.pcreview.co.uk/ newsgroup access
  30. Archived from groups: microsoft.public.windowsxp.help_and_support

    I have the same problem as sir rob with one of the t888ers at work who
    has managed to get it on his laptop. I am going to just wipe his
    system. I can't find any way around it. The annoying thing is we have
    Symantec v9 all fully updated and on auto monitor but somehow this
    rubbish still got through.

    BTW I checked out the AV Gold website and they aren't far from me in
    central London, I have a good mind to go round there and have a
    serious "discussion". I can't believe the useless putrid little
    whores.


    --
    konarob
    Posted from http://www.pcreview.co.uk/ newsgroup access
  31. Archived from groups: microsoft.public.windowsxp.help_and_support

    Hi,

    Try this first.
    How to remove Antivirus Gold or AVGold
    http://www.bleepingcomputer.com/forums/How_to_remove_Antivirus_Gold_or_AVGold-t22397.html

    --
    Regards,
    Bert Kinney MS-MVP Shell/User
    http://dts-l.org/


    konarob wrote:
    > I have the same problem as sir rob with one of the
    > t888ers at work who has managed to get it on his laptop.
    > I am going to just wipe his system. I can't find any way
    > around it. The annoying thing is we have Symantec v9 all
    > fully updated and on auto monitor but somehow this
    > rubbish still got through.
    >
    > BTW I checked out the AV Gold website and they aren't far
    > from me in central London, I have a good mind to go
    > round there and have a serious "discussion". I can't
    > believe the useless putrid little whores.
  32. Archived from groups: microsoft.public.windowsxp.help_and_support

    I had AV Gold on my computer too, and tried to do as quoted below, but in
    my case there was no winnook.exe there, but there was a process called
    hookdump.exe. I unchecked it, and after reboot, the red little button in
    the lower right corner is gone. Then I ran Spybot and removed the files
    that were found. Rebooted and ran Spybot again. I don't know much about
    computers, but it seems to me like I have got rid of this mess.

    Olson Wrote:
    > Hi janu,
    > just yesterday I stumbled into the same problem. My 13 year old cousin
    > caught this proggy but of course... "i didn't do anything".
    > Whatever.
    > I tried to track down how antivirus-gold kept sticking on the system
    > and found that on startup a process called winnook.exe got started.
    > That one was responsible for the red X in the taskbar (bottom right)
    > telling you that your computer was infected. You can remove that one
    > by starting msconfig from the run menu and unchecking it.
    > Antivirus-gold was actually found in the software panel and could be
    > uninstalled. But after the uninstall process was done it immediately
    > started the internet explorer going to its website. So I checked IE's
    > settings and found some IE helper objects (sorry, forgot the name.).
    > But the fact that AV gold got re-installed right after that made me
    > think that it must have been one of those browser helpers (thank you
    > microsoft!). So I de-activated the suspicious ones.
    > The website on the desktop can be removed by settings - system panel
    > - display - desktop - customize desktop (don't know if that's the
    > correct english term) - web. There you can remove that website from
    > the active desktop.
    > After all it did not come back. But of course you never know. Today
    > I'm gonna deep check that machine for virii with knoppicillin.
    > I hope this will help you.
    >
    > regards
    > Olson


    --
    toiletpaper