A neighbor has acquired a program named AntivirusXP2008. I think she downloaded it thinking it was a legitimate program. It has planted a big box in the middle of the screen, run a bogus scan, found thousands of malware, and wants $99.99. It cannot be removed in the manner usually used to remove crap. It will not go away regardless of what is done.

Has anyone removed this and how is it done?

The problem is on a HP a1410Y computer with XP and Roadrunner.

Thanks

AntivirusXP2008.Removal

I ran crapcleaner/tools/startup & deleted it from there. I re-booted in safemode & went to start/search & typed the exact words, found 2 folders & deleted them. Pretty sure I used spybot & superantispyware after & scanned & found a few associations. That was it. Be sure to disable system restore first in full mode.

Edit: Chari beat me to it. I guess they came out with a removal tool. Never tried it though.

Dave101

"The only goddamn thing you know about the law is how to break it." Chief Lafleche

There's a bit more to it than that... I think you are thinking of some other rogue antivirus XP variant.

I would let the malware scanners remove it properly

Associated Antivirus XP 2008 Files:

Note, Some of these files and folders may be random:

C:\WINDOWS\qegbdmwf.dll
C:\WINDOWS\pntqkflv.dll
c:\Program Files\rhcnkrj0etfg
c:\Program Files\rhcnkrj0etfg\database.dat
c:\Program Files\rhcnkrj0etfg\license.txt
c:\Program Files\rhcnkrj0etfg\MFC71.dll
c:\Program Files\rhcnkrj0etfg\MFC71ENU.DLL
c:\Program Files\rhcnkrj0etfg\msvcp71.dll
c:\Program Files\rhcnkrj0etfg\msvcr71.dll
c:\Program Files\rhcnkrj0etfg\rhcnkrj0etfg.exe
c:\Program Files\rhcnkrj0etfg\rhcnkrj0etfg.exe.local
c:\Program Files\rhcnkrj0etfg\rhcnkrj0etfgSkin.dll
c:\Program Files\rhcnkrj0etfg\Uninstall.exe
c:\WINDOWS\system32\pphcjkrj0etfg.exe
c:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
%UserProfile%\Application Data\rhcnkrj0etfg
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKCU
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKCU\RunOnce
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKLM
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun\HKLM\RunOnce
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun\StartMenuAllUsers
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Autorun\StartMenuCurrentUser
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\BrowserObjects
%UserProfile%\Application Data\rhcnkrj0etfg\Quarantine\Packages



Associated Antivirus XP 2008 Windows Registry Information:

Note, Some of these Registry keys and values may be random:

HKEY_LOCAL_MACHINE\SOFTWARE\rhcnkrj0etfg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcnkrj0etfg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "rhcnkrj0etfg"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform "AntivirXP08"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "SMrhcnkrj0etfg"

This list was taken from here:
http://www.bleepingcomputer.com/malware-removal/remove-antivirus-xp-2008

(and apparently Malware Bytes Antimalware takes care of this, but I can't actually vouch for that because I just use the methods I trust)

Grogan

Dave101

"The only goddamn thing you know about the law is how to break it." Chief Lafleche

Yep, I'm seeing that one all over town. It's a bit bothersome to remove, but not that bad.

Kill its process in Task Manager

Get SuperAntiSpyware, Spybot Search and Destroy and Avira Antivir installed and updated.

Disconnect network (this malware is usually found in the presence of downloader trojans)

Run a SuperAntiSpyware scan, and when it's finished proceed to remove everything and accept the reboot.

Now, boot to Safe Mode and run Spybot Search and Destroy and remove everything it finds. Go to Advanced Tools, and use the Startup utility to clean up startup entries.

Spybot Search and Destroy will find and fix some System Policies for you as well. That thing in the middle of your screen is actually just wallpaper, but it sets policies so you can't get in and change it (tabs missing from display properties)

Open Avira Antivir, and go to Configuration and check the Expert box. Under General, enable all the Extended Threat Categories (optional, but I always enable them). Do a full system scan and let it quarantine or delete anything it finds.

That should take care of it. I usually have to do a bunch of manual hunting and poking during a malware cleanup, but that will get everything important related to "Antvirus XP 2008"

P.S. It also wouldn't be a bad idea to run Antivir's rootkit scan, because I've also found hidden services/drivers in the presence of this Antivirus XP 2008. It just depends on what the downloader trojans have done to the system additionally... Antivirus XP 2008 is seldom the only thing wrong.

Grogan

I removed the Antivirus2009 version using MalwareBytes, found at http://www.malwarebytes.org/. It made quick work of removing this crap.

Yep, ditto here.... just this past Tuesday I had a client's PC infected with this Rogue malware/trojan or however they want to classify it and Malwarebyte's Anti-malware 1.25 made short work of it in one pass. It got most everything but required a reboot to get rid of those files which were still in use. Ran Kaspersky AV 2009 (8.0.0.454) afterwards and it didn't find a thing. This is the second time Malwarebytes has impressed me in getting rid of resistant junk where others have failed.

Addendum: I really want to add that this PC had Norton 2009 installed on it . . . fully operational and updated; totally useless. The first thing I did after getting rid of Antivirus 2009 was to remove Norton and install Kaspersky AV.

Jeff
simul iustus et peccator

I've heard it's very good at what it does, but the reason I don't use it is, it only removes a limited subset of malware, and there's usually more on a PC than just that.

Time is money to me and another scan means another half an hour so I just stick with what I know works. I may try it as an alternate if I get something I'm having trouble finding/removing.

Grogan

Grogan....I'd like to know what programs that would be then? SAS? Thanks.

Yes, that's what I described as part of my method in post #3 in this thread.

SuperAntiSpyware
Spybot Search and Destroy
Avira Antivir

I also have to do some manual removal of some stubborn things, but for the purposes of this thread that will suffice.

Malware Bytes Antimalware may indeed take care of this one item marvelously, but I guarantee it won't be the only thing on the PC and I'm not familiar enough with it to recommend it. I'll have to get testing it.

Grogan

I am grateful to all you gentlemen who replied to my post with good information. It was nice to have some choices. I decided to try Malwarebytes first. It installed and worked great. It found a ton of junk and deleted it. I then ran Trendmicro Security which found nine more items. Two of these were trojans. They in turn were deleted. The computer is back up and running and my neighbor is happy. She says she has learned her lesson not to mess with a box that is running well.

Thanks to all.