Friday, August 01, 2008 8:48 AM
I was unfortunate enough to receive a free copy of Antivirus XP 2008. It is really quite malicious and difficult to remove, it made rules in my firewall settings and was impervious to the standard XP 'Add/remove Programs' function. I unfortunately did not consult the Internet before I removed it, rather brutally, but I think it has gone. However it took out some of my desktop picture functions. The Properties tab is no longer available - gone, not just greyed out. It left me with a bright blue background (Blue Screen colour) and on start up it says that it is missing a file: C:\Documents and Settings\'my name'\Local Settings\Temp\.tt21.tmp.vbs.
So far everything else seems OK, but I would like to know if I can repair the O/S?
Monday, August 04, 2008 9:20 AM
This is an Operating System issue rather than Exchange.
Thus, please post the issue at the link below:
Sunday, August 10, 2008 8:05 PM
The easy way to remove (Antivirus XP 2008) and repair the system (Windows XP) is to stop the program from loading! Go to Start, Run, type msconfig, go to the Startup tab, uncheck lphc35dj0e1an, also uncheck
Monday, August 11, 2008 7:21 PM
I was one of the unfortunate to receive this fun little bundle of !#!#! !!!! . I couldn't figure out how to remove it, so I deleted the folder labeled rhc75dj0e1an that was installed in the program files folder, thinking this would solve my problem. Then I ran AVG antivirus free edition (version 8 I think). When I do a full scan, it will run for about 15 to 20 minutes, then my screen will go blank, and a bogus looking blue screen of death will pop up, then windows will restart, another (bsod) will pop up and windows will restart again. The cycle of the blue screen and restarts does not stop unless I shut the computer down completely. When it does restart, I get an error saying it's missing a vbs file.
Help me, please ? Have I botched up the removal process ? I just re-formatted my system about a week ago, so there are no restore points setup. What do I need to do to fix this ?
Tuesday, August 12, 2008 9:19 PM
Um! has just taken me the best part of 24hrs to figure/find out the best way of dealing with this little treasure........
I am no expert when it comes to computers but with a little bit of patience and a lot of searching came across and downloaded trial version of Spyware Doctor from www.pctools.com. After several scans & re boots....... computer is back to original state with no sign of antivirus xp 2008........... Hope this may be of help!
Thursday, August 14, 2008 5:01 PM
you need spybot search and destroy!
download it from here (http://safer-networking.org/en/mirrors/index.html)
once installed, run, check for updates, scan; when the scan is finished click fix selected issues, reboot your computer, do another scan with spybot and continue enjoying your computer without that stupid, fake program
Friday, August 15, 2008 7:08 AM
Your method of disabling the virus on startup did stop it from starting up, but the restore point is only referencing today's date and the yellow box on the center of the screen is still there and the color of the screen is a darker blue, can you let me know if I missed something, also the link... lphc35dj0e1an you referenced was changed to a similar one, which I clicked off.
Thanks for any advice you can give!
Saturday, August 16, 2008 8:07 PM
I tried each of the suggestions in here and nothing worked, not even the Anti Spyware from PC Tools (A waste of 30 bucks). Here's how I removed this stupid program:
Start your PC in Safe Mode
Find location of the file
Right click on the file and delete
Open Control Panel and then Add/Remove Software
Click Remove for the program (This will only work in Safe Mode)
Perform a search by clicking Start, Search and run a search on all files and folders for your hard drive
Delete all associated files with the name (Antivirus XP 2008) and associated files
Run whatever antivirus program you have while in Safe Mode. This is just a good general practice as it actually sped my computer up.
Restart your computer as you normally do and it should be gone.
Saturday, August 16, 2008 11:47 PM
How do I start my PC in Safe Mode? And with respect to #3 above, what file am I right clicking on?
I'm so frustrated by this, and it sounds like you're the one who's figured out how to get out of this mess.
Sunday, August 17, 2008 3:49 AM
Sunday, August 17, 2008 4:14 AM
What really galls me is how many anti virus programs (both free and commercial) just aren't dealing with this particular antivirus and its close variants. It's been out for a while now.
Spybot leaves some "residue" from this virus. The best tool for cleaning it up is Malware Bytes Anti Malware.
Sunday, August 17, 2008 5:57 AM
Don't confuse 'antivirus' software with 'anti-spyware' programs, though. I use Symantec Corporate Edition for antivirus and they make no claims to stop spyware (at least most of it.)
This Antivirus XP 2008 piece of *(&$@# that is spinning around now can most closely be categorized as scam-ware.
When it comes to cleaning up a mess like this, go with a trusted solution. There is a battle going on for your computer. The bots, adware freaks, and scammers all want control of your desktop. When it comes to cleaning up the mess they are leaving on your computer, get a recommendation from a trusted source such as Ziff Davis, CNET, etc... (don't take my word for it, read some articles from trusted sites)
Sunday, August 17, 2008 1:21 PM
Don't get frustrated. When you do, you will do things that will cost you time, money and possibly some files on your computer that you inadvertently erase thinking they are the problem.
To start in Safe Mode, turn your computer off and then back on. When you turn it back on, start tapping the F8 (For Windows XP) or F7 (For Windows 2000...I think) keys every second or two. A screen will appear that asks you to choose the start-up mode. Your mouse will not work so you'll need to move the highlighted area with the arrow keys on your keyboard to the prompt 'SAFE MODE'.
Monday, August 18, 2008 11:47 AM
I tried to do this, however, when I tried to boot it in Safe Mode, the mouse stopped working, the wireless mouse, so I even tried plugging a USB mouse in too; has Antivirus XP managed to cripple my mouse as well? The mouse won't work in normal mode now either
Monday, August 18, 2008 4:32 PM
usb mousey no workie in safe mode...but you knew this already. LOL
i always have a PS/2 hangin' makes life bearable in dos/safe mode type situations...
sometimes older is better...go figure
Monday, August 18, 2008 7:17 PM
I purchased Spyware Doctor and it didn't work at all! I ran it three times until Antivirus XP wouldn't allow any other program to start. Spyware Doctor 'guaranteed' to remove Antivirus XP 2008. I started to wonder if they're the ones who circulated it in the first place in order to sell their software. But if that was true you'd think their software would remove XP 08. I've asked Spyware doctor for a refund.
Monday, August 18, 2008 9:44 PM
MY PC GOT HIT WITH ANTIVIRUS XP2008. I FOLLOWED YOUR INSTRUCTION TO MSCONFIG BUT DID NOT SEE THE FILE " LHPC35DJ0E... IS THERE ANY FILE UNDER THAT NAME? ALSO, I HAVE DELETED ANTIVIRUS XP 2008 FROM REDIT BUT WHEN IT CAME BACK AFTER PC BOOT. HELP PLEASE... NEEDED TO HAVE PC FIX REALLY BADLY FOR SCHOOL.
Tuesday, August 19, 2008 12:25 AM
This virus invaded my computer last night and has now crippled my computer totally. It just keeps shutting down. I cannot login in safe-mode or any other mode, for that matter. I have copied some removal tools to a CD, but cannot run the CD because I cannot login on my computer. Any suggestions for getting the CD to run? My last resort is going to be a full recovery, but I was hoping to avoid that. Thanks in advance.
Tuesday, August 19, 2008 4:32 PM
This is very easy to remove. I work on a helpdesk and have removed at least 15 of these infections on remote connections!
As listed earlier by Lyonspugs: (great advice!)
Step 1: "Go to click Start,Run Type msconfig, go to start up tab, uncheck lphc35dj0e1an, also uncheck
rhc75dj0e1an, click apply, then ok,restart computer." *Note* -- these may not be exact names but will be similar
Instead of restoring to an earlier time...
Step 2: Download Malwarebytes:
*Note* -- the free version will work
Have it run a full scan, it will find it and remove it. It doesn't even have to be run in safe mode. I would suggest a Spybot Search and Destroy run after this one just to be well rounded.
This will work for XP Antivirus 2008, 2009, and XP Security Center.
Tuesday, August 19, 2008 6:36 PM
well ive got one of those too..this is what i did :
- cut off the internet line
- ended any process like lphc7nvj0e52e.exe , rhc3nvj0e52e.exe , pphc7nvj0e52e.exe and something like that.. at first it was difficult so i made those priority become low then end the process
- After it's done i delete any files of "AVXP08" from startmenu, programfiles, document setting, application data, win32
- also the temp files of windows
Make sure that u have shut down the AVXP08 process. If your task manager won't work u can use replacement tools like Currprocess or HijackThis... make sure u are deleting the appropriate task
- Then i went to registry and deleted some of it
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
Ps: i dont know what will affect on my pc beside the missing of AVXP08... but so far so good...
if i was wrong im so sorry coz afterall I'M JUST A KID
Tuesday, August 19, 2008 9:47 PM
Thanks for the replies and advice. Unfortunately, I was unable to logon to Windows at all...not even in safe mode, safe mode command prompt, etc. The computer would automatically logoff. It was an endless cycle of logon, logoff and restart. Those are the only things I could do. I finally gave up and did a system recovery. What I cannot understand is how this thing got on here...through the anti-virus program, firewall, etc. Any thoughts? I am also very interested in hearing suggestions for what you consider to be a good anti-virus software...free or otherwise. Thanks.
Wednesday, August 20, 2008 11:38 AM
Thanks a million. Malware Bytes Anti malware RULES!!!!!!! After hours of scanning with McAfee, MS malicious software removal tools, deleting files and registry entries, Malware Bytes took care of and eliminated "Anti virus XP 2008" in just ten minutes.
Everyone else suffering with this virus should ignore all other posts and download and run Malware Bytes.
Wednesday, August 20, 2008 12:05 PM
Wednesday, August 20, 2008 4:45 PM
It is also worth while running HiJackThis from TrendMicro. You can send the log to Trend and they will tell you what to do, or even post the log here and I'll have a quick look for you.
BE VERY AWARE THAT MESSING WITH THE REGISTRY CAN KILL YOUR INSTALLATION.
Even if you delete the files that you can see, there may be some reference to a 'self propogating' executable which can re-infect your machine. Make sure that anything in your MSCONFIG is something that you know, otherwise, you could be re-infecting yourself.
Thursday, August 21, 2008 3:24 PM
I finally cleaned my pc of antivirus xp 2008 after 3 days of torture. I downloaded and ran Spybot Search and Destroy, Ad-Aware 2008, Windows Defender (Microsoft), Malicious Software removal tool (Microsoft), Hijack This, and ran my McAfee Virus Program. Some of them cleaned up some other problems on my pc, but they couldn't get rid of antivirus xp 2008.
What finally seems to have fixed the problem is when I ran an online AV Scan from ESET www.eset.eu/online-scanner
The only drawback is that you have to be able to access the internet from the infected pc.
Friday, August 22, 2008 6:54 PM
This product can clean the Antivirus XP 2008 little bundle of joy. You must do the following first: Download the software and install it. Go to Start, Run, type msconfig, go to the Startup tab, uncheck lphc35dj0e1an and rhc75dj0e1an, click apply, then ok, restart computer in safe mode, then run the malware software. This worked for me.
Saturday, August 23, 2008 9:39 AM
Thank you for posting a direct link to the download! This worked for me. I tried the online scanner as well and then this just to be safe. I also went through and forced all the mentioned processes to stop so that I could do this. Also, on my computer c.exe is that annoying bubble "theres is a security problem"! so I guess try stopping anything that stands out like that. good luck guys, it sucks this stuff exists. We should all just get anti-malware programs too!
Sunday, August 24, 2008 12:12 PM
OK, one thing that you can do but it will be long winded.
Go to the Panda software web site (www.pandasoftware.com) and download a trial of Internet Security. This will remove your existing AV program so make sure that you have the original disks to re-install afterwards. DO NOT install if it does not recognise your AV software as you will have a bun fight between the AV products.
Run a memory scan only during setup and re-boot at the end of the installation. When the machine starts, you can get 1 free update, download this and then run a Full System Scan. This is a good general AV product but it will slow your machine down - you will notice that it is installed.
I usually remove the HDD and perform a scan via USB on the target drive which clear out any infected files but this does not clean out the registry entries.
You can then remove Panda via Add/Remove programs and re-install your software.
.... Or you could try a trial of PREVX ..... which can run alongside your AV product.
Monday, August 25, 2008 1:55 PM
I have gotten rid of antivirus xp 2008 but I cannot use restore to revert to previous settings, as the only restore date available is the date when this program invaded. I also cannot load a picture onto my desktop. Any ideas?
Monday, August 25, 2008 5:29 PM
anytime I have malware/spyware issues, I run straight to www.bleepingcomputer.com. I just found that I had this antivirus xp 2008 program on my computer, and looked it up on the website above. 30 minutes later and I am all fixed up. I love that website!!!
This is the best solution.. great site, with great tool
Well, that kind of worked, but not really. I attempted to manually remove this malicious POS and apparently missed a part of it. It appears to have rebuilt itself just enough to keep my system from completing a startup. So, I go into a continual reboot situation. The AV software I had didn't catch this virus and now, the thing is keeping me from installing anything that might. Any more suggestions? I have many years of experience with this stuff and this one has me at about wits end...
My computer got infected with Antivirus XP 2008. It's blocked my internet access and browsing. Finally, I got the latest version of the Spy-bot S & D with a latest update in file. And this fixed the issue partially.
Now my PC is almost in good shape. But I am not able to access a few of the Web pages. Antivirus sites like CA, Symantec etc. and a few Bank sites are a few examples.
When I try to ping/trace route these host names in my command prompt, it's pointing to my local host [127.0.0.1]
I tried to restore the system, but the spyware has already corrupted the restore points, and now I don't have any restore points available.
Can anyone advise me how to fix this issue?
Thanks in Anticipation
I received the virus in an e-mail from a friend.
It is easy to remove!
Go to the following link -
Print out the instructions then follow the link to
This is a fully automated program and is shareware. They do offer a full version at a relatively fair price but this is an excellent tool and will remove the virus within a relatively short period of time.
You could try a manual system restore, using the recovery console.
This procedure has worked for me when the automated system restore fails.
Here is a link to the procedure: http://www.myfixes.com/articles/system
works great, I do suggest installing recovery console as a startup option, makes the entire process much quicker.
I did everything you said but the lphc35dj0e1an wasn't on my list. When I came back to the restore options there was not another restore date except today's. I had also run Spybot and the program is gone; the only problem is my desktop is screwed up. I don't have the option for screensaver or desktop now. Do you have any idea on how to fix that problem?
Any body got any ideas of how I can get my computer back to itself??? Please...
For more information you can check this web site
Thanks & Regards,
Jude Edward Antony
Microsoft Technical Support
Web site: Joula4xp.googlepages.com
I've almost got it licked, but I've got the same here. Whenever I try to access any anti-malware/spyware websites such as "lavasoft.com" (for Ad-aware) or "bleepingcomputer.com" I am not allowed to go there. My current Ad-aware cannot even access their server for an update. Does anyone have a solution for the restricted website access?
Thanks in advance,
I second that! I need to get my Hotmail back, I can see my inbox has items in it, but it will not open.
And I cannot successfully download any of the Antispyware I have tried...
Ended up doing a full system restore! Man in computer shop warned that this might work or it might embed itself in the motherboard... And then come back!
Does anyone know if this is true, or is he just touting for business?
exactly same problem, tried screwing with security setting with no luck and tried uninstalling ie but then i cant access the website through firefox to reinstall...huge ***
System restore using disk that came with PC? It looks like it may be the only way to fully get rid of it? And, yes, it is a HUGE (*&*(^*&^!!!
I'm surprised that there's been nothing in the media about this.
The guy saying that it'll infect the motherboard - he's a crook.
Anyway, could someone download and install Hijack-This (http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html) and post the log here. There will be a couple of DLLs loaded at startup which are causing some of your problems. It may be that this web site is blocked also - if so I can pop it up somewhere and post a link here.
Oh, and by the way, there is now an Antivirus 2009 which I dealt with yesterday.
The same thing happened to me when I used Malwarebytes' Anti-Malware. I simply clicked on the forward search tab when I got the "Un-safe web site" message and went straight to the Malwarebyte website.
If you can restore that file, then boot up run regedit. Find that wininet.dll file in the registry, and determine what the proper setting for that registry entry should be. I had a very similar problem and was able to resolve it this way.
Another option would be to use the cmd line system restore method from recovery console. If you restore an older (working) registry this should not attempt to load that infected dll you deleted.
If this is sending money to someone when you purchase it why can they not be found and put in jail?
To everyone who followed FYRSTOPR's advice (which was the most useful I found and didn't require me to download anything or require me to reformat), but who has the same problem as SILVERSLIDE47 in that they can't get their display back.
I followed FYRSTOPR's advice with a small modification. In safe mode, not only did I delete antivirus xp 2008, but I deleted all the contents that were originally in that folder too (I believe it was named rhc75dj0e1an but I've heard various people say that it might be slightly different). Like he said, I went to add/remove programs and removed it (although by that time it told me that the program was already removed). I searched the computer for rhc75jd0e1an and deleted any files I found. I also went to the system registry by typing in regedit under run in the start menu. Once you get to the registry, search for the phrase rhc75dj0e1an or whatever the original file name was (by pressing CTRL F (you need to press CTRL F after every time you find something until it says "finished searching the registry")). I deleted any references that I found. I ran my antivirus software as FYRSTOPR suggested, and then I rebooted.
I also got the cycle of blue screen reboots, but I simply forced the computer to shut down (you can do it either by unplugging or pressing and holding the on/off switch), and then restarted again. I'm not sure if this solves the problem for everyone, so this is the one part of the solution that I'm not certain is full, but it certainly worked for me.
Once started back in normal mode, I checked my taskmanager. There were a few processes running that I didn't recognize (not everyone will necessarily have these--but I think they might be related based on what people have said). The first was .tt10F.tmp and the second one was lphcar6j0ele9.exe (like the rhc____ file, this file seems to have several name variations--I've also seen someone mention lphc35dj0e1an). I forced these processes to end (for those with trouble ending them, set their priority to low first by right clicking). I then searched both the computer and the registry for them and deleted any that I found. I believe that these might be the files responsible for the constant rebooting. Chances are, you can find them in safe mode as well.
Now on SILVERSLIDE47's problem (not having the screensaver or themes tabs in display properties). I found part of the solution on this website:
under response # 6. It says to go to the registry, and find HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System. Under that folder, you will find NoDispScrSavPage and NoDispBackgroundPage. If you look under the Data column, you'll see both are set to the value (1). Right click on NoDispScrSavPage and click modify. Change Value Data from 1 to 0. Do the same for NoDispBackgroundPage.
Now, open up your display options. Both of your tabs are back (yay!)! Go to the Desktop tab. Look for the offending picture (for me, it was named phcar6j0ele9). Search both your computer and the registry for that filename. Delete any you find in the computer, but be careful in the registry. Delete any that you find, but if you find ConvertedWallpaper, OriginalWallpaper, and Wallpaper, DON'T DELETE THEM--just blank their values (under modify) to nothing (delete the value, not the key). Look out for the same thing for screensavers and themes--if you find registry values that look like they deal with screensavers and themes and wallpapers, modify their values to blank rather than delete them.
Now, go back to your display options (since you haven't changed anything yet, the offending image should still appear, but it's about to disappear). Change your background picture and do any other changes you see fit. Close your display options. Congratulations, you have just won against antivirus xp 2008!
As for the missing system restore points, chances are they're gone forever--I didn't check.
Good luck! And I hope this was helpful.
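The registry repair described in the post above, as an added example that is not part of the original post: instead of editing live values by hand, export the two keys with regedit, audit the export offline, and generate a small .reg file that resets only what the post names. The sample export and its file paths are constructed; the value names and the wallpaper name phcar6j0ele9 come from the post.

```python
import re

# Values the post says are set to 1 to hide the Display Properties tabs.
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_VALUES = ("NoDispScrSavPage", "NoDispBackgroundPage")
# Values the post says to blank rather than delete.
DESKTOP_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"
WALLPAPER_VALUES = ("ConvertedWallpaper", "OriginalWallpaper", "Wallpaper")

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse .reg export text into {key_lower: {name_lower: (name, raw_data)}}.

    Registry key and value names are case-insensitive, so lookups use
    lowercase while the original spelling is kept for the generated fix.
    regedit usually saves exports as UTF-16; decode before calling this.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = (m.group(1), m.group(2))
    return keys


def audit(text, wallpaper_stem):
    """Return (findings, fix_reg_text) for an exported registry snippet.

    wallpaper_stem is the file name of the unwanted background picture as
    shown on the Desktop tab, without extension.
    """
    keys = parse_reg(text)
    findings, fix = [], {}

    policy = keys.get(POLICY_KEY.lower(), {})
    for want in POLICY_VALUES:
        name, data = policy.get(want.lower(), (want, ""))
        m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data)
        if m and int(m.group(1), 16) != 0:
            findings.append((POLICY_KEY, name, data))
            fix.setdefault(POLICY_KEY, []).append('"%s"=dword:00000000' % name)

    desktop = keys.get(DESKTOP_KEY.lower(), {})
    for want in WALLPAPER_VALUES:
        name, data = desktop.get(want.lower(), (want, ""))
        # Blank the value only when it points at the unwanted picture.
        if wallpaper_stem and wallpaper_stem.lower() in data.lower():
            findings.append((DESKTOP_KEY, name, data))
            fix.setdefault(DESKTOP_KEY, []).append('"%s"=""' % name)

    lines = ["Windows Registry Editor Version 5.00"]
    for key, values in fix.items():
        lines += ["", "[%s]" % key] + values
    return findings, "\r\n".join(lines) + "\r\n"


# Constructed sample export (paths are illustrative, not from the thread).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispScrSavPage"=dword:00000001
"NoDispBackgroundPage"=dword:00000001
"NoDispCPL"=dword:00000000

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ConvertedWallpaper"="C:\\WINDOWS\\system32\\phcar6j0ele9.bmp"
"OriginalWallpaper"="C:\\WINDOWS\\system32\\phcar6j0ele9.bmp"
"Wallpaper"="C:\\WINDOWS\\system32\\phcar6j0ele9.bmp"
"WallpaperStyle"="0"
'''

if __name__ == "__main__":
    found, fix_text = audit(SAMPLE_EXPORT, "phcar6j0ele9")
    for key, name, data in found:
        print("%s\\%s = %s" % (key, name, data))
    print(fix_text)
```

Review the generated text before importing it, and keep the original export so the change can be reverted.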
DO NOT DO THIS... IT ONLY SEEMS TO MAKE THINGS WORSE!
Try a very careful system restore - I seem to be completely cured. Make sure that you make a backup disk of important files first though (or better still stick em on an external hard drive for cleansing - if necessary)! Then when restored get the most up to date antivirus/malware/spyware available. Use this to scan computer AND backup disk (or external drive) before transferring files back.
If you download and install Hijack-This from Trend Micro, there is a .DLL file listed in O24 (from memory this is where the dll file is loaded from but it is in the O20 range) which I believe causes all the problems. Look up each DLL file listed on Google and you will find the offending one. This DLL file is loaded into memory at WINDOWS STARTUP - before any anti-virus/anti-toerag software is loaded. I did this on the AV2009 machine which was infected and I was then able to perform a full system scan and the machine is running fine now. It took me 10 minutes!! I am happy to have a look at any Hijack-This logs posted here to help remove this POS.
Hijack this will look at the registry data and other important bits in your system and put it all in a single place to look at and then perform a safe fix for the problem. However, if you do delete an entry that is required by the system, you can crash your entire machine requiring a re-install.
Another option is to perform a SFC from the command prompt. Start / Run and then type "SFC /SCANNOW" without the quotes. Have your original OS install disk handy as if there are any corrupted Windows files, these will be taken off the disk and they will overwrite the 'bad' file on your machine.
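A way to triage a HijackThis log along the lines of the post above and the earlier msconfig advice, as an added example that is not part of the original posts: it pulls out the O4 startup entries whose names resemble the ones quoted in this thread and lists every O20 DLL for manual lookup. The name pattern is a heuristic built only from the names posted here, and the sample log lines and DLL names are constructed.

```python
import re

# Heuristic derived from names quoted in this thread (lphc35dj0e1an,
# rhc75dj0e1an, pphc7nvj0e52e, lphcar6j0ele9, phcj27j0e5b5, ...).
# Other variants may not match; treat a miss as "unknown", not "clean".
FAMILY_RE = re.compile(r"^(?:lphc|pphc|phc|rhc)[0-9a-z]{3}j0e[0-9a-z]{3}$", re.I)

# HijackThis line shapes for startup entries (O4) and the O20 group.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.+)$")
FILE_RE = re.compile(r"([0-9A-Za-z_\-]+)\.(?:exe|dll|scr|bmp)\b", re.I)


def looks_like_family(name):
    """True when a bare name (no extension) fits the thread's naming pattern."""
    return bool(FAMILY_RE.match(name))


def stems(command):
    """File-name stems of every executable-looking token in a command line."""
    return [m.group(1) for m in FILE_RE.finditer(command)]


def triage(log_text):
    """Return startup entries that fit the pattern and all O20 DLLs."""
    suspects, o20 = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            # Check both the entry name and the file it launches, because
            # the entry name can be anything while the file keeps its name.
            candidates = [m.group("name")] + stems(m.group("cmd"))
            if any(looks_like_family(c) for c in candidates):
                suspects.append((m.group("hive"), m.group("name"), m.group("cmd")))
            continue
        m = O20_RE.match(line)
        if m:
            rest = m.group("rest")
            if m.group("kind") == "Winlogon Notify":
                # Shape: "<notify name> - <dll path>"
                o20.append(rest.split(" - ", 1)[-1])
            else:
                # AppInit_DLLs is a space- or comma-separated list.
                o20.extend(p for p in re.split(r"[ ,]+", rest) if p)
    return {"startup_suspects": suspects, "o20_dlls": o20}


# Constructed sample log lines; paths and DLL names are illustrative.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [lphc35dj0e1an] C:\WINDOWS\system32\lphc35dj0e1an.exe
O4 - HKLM\..\Run: [Updater] "C:\Program Files\rhc75dj0e1an\rhc75dj0e1an.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: example1.dll
O20 - Winlogon Notify: examplenotify - C:\WINDOWS\system32\example2.dll
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hive, name, cmd in result["startup_suspects"]:
        print("review startup entry:", hive, name, cmd)
    for dll in result["o20_dlls"]:
        print("look up O20 DLL:", dll)
```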
Don't buy Spyware Doctor. This just made things worse for me - I even suspected the Spyware and Spyware Doctor were in cahoots! I can't prove that.
I managed to get rid of the offending spyware by a combination of the following, all of which can be obtained free of charge. It takes a while, but it's worth it:
Lavasoft's Spybot Search and Destroy
Windows Malware Removal Tool
Keep running the scans, updates, then scan again, each opportunity removing as much as you can, then re-booting. It only takes a couple of processes to get rid of the trojans the spyware has kindly downloaded without your permission. It gets quicker and easier after that.
Just persist in using the free tools from legitimate sources. Don't waste money on useless tools. Don't panic.
I followed your advice above and when it asked for a date to restore to, I was not given the ability to move the date backwards (only today's date was available). Since this likely occurred last week, how can I modify the date so I can restore?
Also, when I do the above and click restart computer, the two boxes above are marked again. Is that a problem? Doesn't that mean they are running again?
Your restore points are gone - the existing restore point left behind is infected. A Correction to my last post - the DLL file is found in O20.
There are now several variants of this Anti-Virus (sic) product running around - so be very aware of what you download and install into your PC.
I manage a non-profit community service office and Antivirus XP 2008 took over our office computer. I have followed the msconfig advice and removed the background, too. The computer is running faster, but I still cannot download and install any programs from tucows, cnet, or directly. In fact, I cannot go directly to any antispyware or antivirus sites. When it starts downloading I get a message like this:
C:/documents and settings\aneckan\local settings/temporary internet files\content.ie5\aciaf7qz\arotrial.exe is not a valid Win32 application
And I cannot bypass it. What do I do?
I followed these instructions exactly, and though my computer crashed the first time using malwarebytes, the second time it worked perfectly. Took less than ten minutes. Thanks comptekcs!!!!
(I have a dell xps 400 with microsoft xp)
I was able to complete Step 1, but can't get to the internet after a restart. XP2008 did not "scan" when I re-booted, but the "Warning" message is still appearing. Do I need to remove something else to gain connectivity? ..yes I am connected now on a non-infected laptop
2 days on this and still no success...help
This was a nightmare. I'm a law student and my computer contains everything. Luckily, I ran across a site that told me just what to do. Here's the site...
I tried everything and this is the only thing that worked for me. Hope this helps!
I tried a bunch of suggestions posted on this site and other sites. Absolutely none of them worked until we downloaded Malwarebytes. Malwarebytes totally cleaned up that virus. We thought we were going to have to throw the computer away. Thank god for whoever made malware bytes. I want to bake them cookies.
My fiance's brother downloaded it. Then he emailed it to us. Then we ran it on the computer. So far it looks like it fixed everything. We are leaving it on the desktop for the next time something like this happens.
I wish I could find whoever is responsible for this virus. I would slit their throat. Not kidding. I lost a whole day of my life dealing with it. I was crying, too (yeah, I'm a girl. Shut up.)
Malwarebytes found 140 different places in the computer where the virus was hiding. It crawls into everything. It was even in the register keys.
The virus disables your ability to restore setting because it erases all your restore points. It basically takes over your computer. The good news is that it does not seem to hurt anything in your computer. So as long as you don't destroy your computer trying to get rid of the virus, you should be ok. Don't bother trying to find the virus files to delete them. It is hiding in too many places. You'd never get it that way. All of those people who said that worked for them are living in some other universe. Seriously, use the Malwarebytes. IT WORKS.
Any leads on what a-holes wrote the virus?
I have the same problem. I’ve gotten rid of most of this nasty virus by deleting files and registry keys. But, I can’t connect to most of the popular anti virus sites, and if I am able to connect and download the Malwarebytes program, I get the “not a valid Win32 application” error message when I try to run the extraction program.
Is this a known symptom of this virus? Has anybody got a cure?
As I type this I'm running Malwarebytes in hopes that it might be able to complete the removal.
I finally managed to get Malwarebytes Anti-Malware installed and ran. It seems to have cleaned up my remaining issues with this Trojan. The computer has stopped locking up on me and I can now access all the websites that were blocked before. Malwarebytes rules!!
I think I had a different “flavor” of this virus/trojan than most folks since most of the file names were different than what I have seen posted by others. For example, the main offending program files were named something like “lphcj27j0e5b5” instead of “rhc3nvj0e52e”.
I also found and deleted a whole bunch of VBScript files with names similar to “.tt12.tmp.vbs”. Most of these seemed to be messing with the restore points on the computer.
Below is the Malwarebytes log of the files it found after I had already deleted most of the program.
Malwarebytes' Anti-Malware 1.26
Database version: 1122
Windows 5.1.2600 Service Pack 2
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\phcj27j0e5b5.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Hope this helps some of you.
Got this nasty bug about two weeks ago. It blocked me from opening all anti-virus sites. I was able to download the trial version of Windows live onecare. It was able to detect and remove XP antivirus 2008. The downside is that it also had to remove McAfee, but I can always reinstall this.
I suddenly got a screen on my computer saying your computer is infected please click to download Antivirus 2008. I have not clicked on it because I heard about it etc...the files are not showing up in any of my program files, temp files, temp internet files, task manager, ms config; however it has messed up the desktop and when on the internet trying to click on a website it tries to redirect to some bizarre address; however if you click on a sub category of the website then you get into the site with no problems. I have run SpyBot & AVG; it is not showing up in any of the scans. Does anyone have any ideas on this? Thank you.
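A parser for the Malwarebytes log format shown in the post above, as an added example that is not part of the original post. It classifies each entry by the item itself rather than by the section heading (in the pasted log the file entries sit under a registry heading), and reports what still waits for a reboot and which entries are autorun values. The sample lines are copied from the log in the post.

```python
import re
from collections import Counter

# One log entry: "<item> (<detection>) -> <action>."
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$"
)


def kind_of(item):
    """Classify by the item text; section headings may be missing."""
    if item.upper().startswith("HKEY_"):
        return "registry"
    if re.match(r"^[A-Za-z]:\\", item):
        return "file"
    return "other"


def parse_mbam(text):
    """Return one dict per log entry; heading and banner lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        item, action = m.group("item"), m.group("action")
        kind = kind_of(item)
        entries.append({
            "item": item,
            "detection": m.group("detection"),
            "action": action,
            "kind": kind,
            # Files locked by a running component are only removed at restart.
            "pending_reboot": action.lower().startswith("delete on reboot"),
            # A value under ...\CurrentVersion\Run\ starts at every logon.
            "autorun": kind == "registry"
            and "\\currentversion\\run\\" in item.lower(),
        })
    return entries


def report(entries):
    """Summarise what a responder needs to follow up on."""
    return {
        "by_detection": Counter(e["detection"] for e in entries),
        "by_kind": Counter(e["kind"] for e in entries),
        "pending_reboot": [e["item"] for e in entries if e["pending_reboot"]],
        "autoruns": [e["item"] for e in entries if e["autorun"]],
        "drivers": [e["item"] for e in entries
                    if e["kind"] == "file" and e["item"].lower().endswith(".sys")],
    }


# Lines copied from the log in the post above.
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\phcj27j0e5b5.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    summary = report(parse_mbam(SAMPLE_LOG))
    print("detections:", dict(summary["by_detection"]))
    print("still present until reboot:", summary["pending_reboot"])
    print("autorun values:", summary["autoruns"])
    print("kernel drivers:", summary["drivers"])
```

Anything listed as pending reboot is still on disk until the machine restarts, so a rescan after the restart is what confirms removal.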
They have a free download of their software which will remove Antivirus 2008.
The screen telling you, that the computer is infected will be gone after restarting your computer.
Lyonspugs and Comptekcs have provided the best solution. Simply follow each step. My machine is clean now.
Thanks a lot guys.
Thanks, this worked for me for my desktop display. I got the tabs back on my properties display. I do have some other problems though. For some reason, I don't have the option to set my desktop. The only background option I have is the color. I think the "theme" tab has control of the background and I'd like to get rid of it and just select my own pictures for the background. Do you know how to do this?
Also, since I removed the antivirus, I can no longer print anything off the internet and I don't get any sound from anything on the internet. Does anyone know how to fix these problems?
Again, thanks for the great help on getting rid of Antivirus XP!!
just want to know one thing... WHAT IS THE BASIC COORDINATION of virus into ur system... HOW WOULD WE REMOVE IT by developing our own software>
The Blue screen of death and restart windows is a screen saver, NOT real... play some music; watch it come on... kinda hard to play mp3 music on winamp while ur computer is restarting! I recommend just pressing space bar and it vanishes back to ur desktop :-P... I just woke up and saw that thinking same thing... once I actually wiped the sleep from my eyes... I realized what had happened... good luck.
Malware Bytes really does work. I did a full system scan and it cleaned out everything including the pest Anti virus_2008. Thanks a bunch!
I agree with most of the frustration expressed with the spyware and virus vendors and their inability to track this stuff. There are a few basic files I found which constitute the files you need to look for on your hard drive. The registry should help you find the locations of these files. They are blphcl35j0elag.scr - this one is the screen saver that produces the blue screen - and phcl35j0elag.bmp, which is the wallpaper. So to cut to the quick, open your registry and from the top - the my computer icon - search for elag. Notice that the 2 files I pointed out here share elag in their name. If all goes right you should find these files in registry keys that address wallpaper, screen savers etc. You don't have to delete any keys, just remove the offensive file names so they don't execute. You remove the file names by modifying the keys that contain these files and erasing references to scr's, bmp's, jpg's and exe's. After doing this close the registry and go into windows explorer. Go to the top of the C drive and search all files and folders for elag. You should bump into some of these in your windows, system32 and the prefetch area of windows. You can move these files into their own directory for safekeeping. Next, go to msconfig and uncheck the file lphc35dj0e1. You will probably find this file in your windows\system32 directory. I would go to that directory and rename the file to something else.
So that is about it. You should be able to restart your system and operate just fine.
Oh one more thing. The designer of this virus likes to hide the desktop tabs and screensaver tabs in your desktop properties area. You may need to go to your registry and change the values of the keys that control these areas.
from the registry click HKEY_CURRENT_USER, then 'software', then 'microsoft', then 'windows' then 'currentversion', then click 'policies', and finally click 'system'
double click the files NoDispBackgroundPage and NoDispAppearancePage and change their value from 1 to 0
This will restore the tabs in your desktop properties area allowing you to select new wallpaper, or at least get rid of theirs.
Wonder why Norton, Trendmicro, Windows Defender and host of ridiculous trojan scanners couldn't find this stuff.
Unfortunately, it is NOT THAT SIMPLE. This particular rogue software (Antivirus xp 2008) is way more sophisticated than that. Trust me.....I am still working on fixing it. I tried going to "msconfig" and unchecked the two items "rhcnbfj0ecaa" in my case, and it still didn't remove it or stop it from starting. The best detailed set of instructions of how to remove this is this link: http://www.windowsvistaplace.com/remove-antivirus-xp-2008/othersoftware
My only problem now is......how to stop it from taking itself out of the recycling bin!! People--PLS CHECK YOUR RECYCLING BIN!! Some of these files that you delete DO NOT GO TO THE RECYCLING BIN. Count how many files you send to the recycling bin and then check them off when you empty it.
This is the reason some people can not get it fully off of their PC.
This is a nasty and very sophisticated Trojan/Virus but is being referred to as malware? Really? The desktop problems it causes can be repaired by replacing the C:\windows\web folder that it actually deletes!! I copied it from another XP computer after I had done the cleanup, which was, as you know, quite a task. Took me two hours and a second computer to do the job. First of all, I went to a website link for watching TV shows online and its splash screen came up claiming I had an infection, then popped up its program screen asking if you want to install, I moused over the screen and never clicked on anything and it took off and installed itself! Next I tried shutting it down by right-clicking the systray icon it threw there and wouldn't let me get to an exit selection. It also wouldn't let me shut it down in the Task Manager. Tried next to uninstall it using Add/Remove Programs and it wouldn't and gave me a Windows error report screen which I clicked to send. Tried System Restore to go back and it would not allow you to click on any previous dates. Oh yeah, it also wouldn't let me run AVG or Ad-Aware, and AVG never came up with a warning about the Trojan in the first place. When I tried to Google the problem to find out how to fix it, surprise, surprise their site came up as the solution several times at the top of the Google Search results. I scroll down, to find a legitimate site that seems to know what the solution is click on it, and I'm redirected to their site!!! By this time I am more than angry and have to walk away from my laptop before I throw it!! At this point, although I tried disabling my network connection to stop this communication with this site, I couldn't, it would disable, but then it would enable and connect again!!! So, I had to pull the wireless card from my laptop and stopped the internet connection.
Then I had problems booting into safe mode, numerous BSODs, had to boot from a Windows CD, but eventually Windows came up, I was able to find the suspected program under Program Files, and delete a few registry entries from instructions I got on the web and I was able to run Malwarebytes' Anti-Malware from my flash drive after downloading it from another computer. Was able to run full scans of my AVG and Ad-Aware also. Besides replacing the Web folder in my Windows directory, I had to run SFC to repair corrupted system files. Alas, I had my system back........ Needed to rant about this and I'm still posting and reporting every chance I get, cause enough is enough!!!!!! I fix network and computer problems for a living and pride myself on running a clean, efficient, optimized system of my own, so this has left me seething!! I haven't seen a trojan/malware like this since maybe Sircam .........
Here's the links to the good folks at Bleeping Computer and Malware Bytes:
For Download of free Malwarebytes' Anti-Malware:
Thank you to malwarebytes.org and bleepingcomputer.com for always having the right answers!!!
I got this *** on the 20th. I tried everything to get rid of it. Norton 360 helped somewhat. After Norton I ran Malware. Seems to have done the trick so far....
TRUE MALWARE WORKS!! THIS WILL SAVE ALL OF YOU!! HERES THE LINK I JUST DID IT TODAY AND GOT RID OF THE STUPID ANTI XP 2008
I totally agree. I got this virus a couple of weeks ago, and even though I have Norton anti-virus on my PC, it only managed to remove part of it, and loads of "traces" still remained in my Registry. I found this Forum through a Google search from my PC at work, installed Malwarebytes, and the thing was fixed in 10-15 minutes
I am not computer literate at all, (I use my PC mainly just to keep in touch with relatives abroad through email, MSN etc), and I could never begin to follow some of the more complex instructions posted here, and I admit I was in tears with this ******** virus until Malwarebytes saved me!
Thanks for all those people who recommended it here.
I USED SPYBOT AND IT SAID IT HAD REMOVED IT
How did you get rid of the annoying red warning on your wallpaper?
Now everytime my computer goes idle it gives me all these errors and says windows is shutting down did you have this issue?
well i used avg and s&d and it somewhat worked..
except when i booted my pc... the window would appear and i had to goto task mgr and turn it off
as of now
I got a program that says it will take me to safe mode.. i rebooted it and now
i can't access xp on safe or normal mode it goes to bsod
on xp pro cd.. I can't f3 out exit, hit enter to format or hit R to repair. the keyboard reboots and freezes
any help would be great
I even tried to d/l my dell's bios and it didn't work
Can anyone tell me how to get my internet capabilities back? I got this virus a couple weeks ago and I think I'm rid of it. However, now I can't get any sound or print anything from the internet. Any ideas on how to fix this?
i'd recommend scanning with malware posted above
I have a problem myself, i have used the malware and tracked the remaining few pieces of the virus down, 14 to be exact, and i know where they are in the registry/folders, the problem is whenever i try to delete or rename them it says an error has occured while deleting or it says i do not have any sufficient access to delete them.
How do i fix this so i can delete these pieces of the virus and fix my PC?
Make sure you remove files and change registry keys while in safe mode. Some of the files are run as services and the system will not allow you to delete or rename them.
So...what if this won't even let you access anything. I can't get on the internet without it constantly taking me to fake anti-virus sites and when I go to my start menu, everything is gone, like my documents, my computer, control panel, nothing is in there. So I'm not even sure how to even download the Malware Bytes so I can scan my pc to get rid of it.
EDIT: Ok....so what I did is saved a copy of the Malware Bytes on an external hard drive and then used that to download it to the infected computer. Did the scan, and it found like 120 infected files, so I quarantined them, rebooted, scanned my computer again, then it only found around 25 infected files, quarantined infected files, rebooted. Everything is now working like a champ. Malware Bytes RULES!!! This is the only way to go, I wouldn't even try messing with the manual removal or any of those that say disable this and do that, none of those worked for me, and will only have you jacking around with your pc and getting really mad at it.
My Granddaughter's computer was also infected with the Antivirus XP 2008. We thought it was removed, but like yours, it continues to restart. Did you have success in resolving this issue, and if so, what did you do? I would certainly appreciate a response.
If you have this virus it typically does not restart the computer. Rather, they created a screen saver that impersonates a blue screen then provides a video of the initial startup screen for XP. When you think you are rebooting hit your space bar and see if you get back to your desktop. If you do, you have the Antivirus xp 2008.
Let me know
Norton full scan-nothing
Spyware Doctor full scan-found and removed some (not all)
Thanks for the help, bookmarking this forum
This and its other variants are difficult at times. It often does not use the same file names for each installation, it hides in different locations, etc.
I just found another site it is coming from and blocked it on our firewall. hxxp://antivirus-fullscan.com, I recommend IT managers block it.
Good luck with it. Of the 4 people that have come to me with this and countless others that call and ask about it, I have ended up just reformatting all of them. The time and effort wasn't worth it, and the one that I did clean up still didn't run correctly. If you catch it early enough, the removers may work, but if you don't catch it for a few days, it will have done a lot of damage.
I couldn't agree more - however, be aware that any OEM software that you have, like Office 2003 and above requires activation. You may only activate this once and as such it can cause additional unwanted expense. Just be aware of this and think carefully before taking this course of action. ALWAYS back your data up before doing this as the software is cheap compared to the heartache of lost photographs etc. Make sure that your data is Virus scanned on a separate machine before re-introducing it to the clinical new environment.
Antivirus 2008,2009 is a Spyware....Remove it using roguefix_2.190.bat
REMOVE ANTIVIRUS XP 2008,2009
1) Boot your system in Safemode
2) Run "roguefix_2.190.bat" (Just double click the file to execute it) and reboot your PC
all i get from those links is "page cannot be displayed"
i have the antivirus xp 2008 on my pc and yes like a dumba** i purchased it thinking it was microsoft XP.
now i have a trojan
Can you get Google up? If so, search for malwarebytes - you must be able to download it from somewhere. The same applies for HijackThis. Both are invaluable tools for removing infections.
Flitch Man wrote:
I've made a tinyurl to download the latest malwarebytes, http://tinyurl.com/malupdate1
I instruct people to just click start, run, then type that in and press OK. then run the file
you can preview the tinyurl here: http://preview.tinyurl.com/malupdate1
thought I would pass that along.. enjoy
Neat - like it!!
I need help. I did a windows update express upload and now I have this antivirus 2008 mess on my pc and I have windows defender that says I have a trojan downloader. I have no clue how to get this off. Who do I contact or do you have suggestions on removing it? It pops up nonstop and in 50 pages and will not x out.
You have mentioned that you ran SFC to repair corrupted system files. What is 'SFC'? Thanks!!
SFC is a windows utility which stands for "System File Checker". It will scan the Windows files installed on your PC to make sure that they are Microsoft files. If they are not, SFC will replace the corrupted file. One problem with manufacturers, is that many of them now have a hidden partition on the hard disk which will allow you to do a "Full System Restore" back to how the machine left the factory. The problem with this is that when SFC requests the "Windows XP SP2 Disk", some people will not have one!! What a wonderful world we live in.
If any of the Windows files have been corrupted due to a 'malware' attack, this should fix the infected file(s).
Download MalwareBytes in the first instance, install and run it. That should solve most of the problems.
I am really curious who you paid. Can you id the company on your payment info. All their online links are masked very well. I lost two studio laptops to this company and I want to establish a class action lawsuit to take them down. I am surprised that Microsoft has not been more aggressive in tracking down and eliminating the people responsible for this program.
nice idea - however, your class action would only apply if the individuals involved are in your country or your country's legal jurisdiction and also if their T&C's state where they are legally liable in the case of a dispute eg. The state of Delaware or the United Kingdom etc. Save your money. If the individuals / corporation is based in Siberia, your laws will not affect them. The joy of the net!!! There should be an international cybercrime unit but it all comes down to common sense I'm afraid. There is no such thing as a free lunch and offers that are too good to be true always lead to grief. All that we can do as techs is to pass the word around as best we can. If you paid with a credit card, contact the Credit card company and file a fraud report, you probably won't get your money back but at least you help other people not get stung.
The roguefix_2.190.bat fix worked like a charm. I wasn't so sure though there for awhile, but I rebooted, like you said, and it worked, Mucho Grassyass mi amigo!
I downloaded the MalwareBytes exe from another (uninfected) computer on my home LAN. When I launch it from my infected computer, I get the "Run/Cancel" modal dialog, hit "run", then nothing. Task Manager says process malb-setup.exe (sp?) is running, but there's no icon in the system tray or window on the screen -- alt-tab only shows the Win Explorer and IE. So how do I run the program?
I've run all the manual steps to remove program files, dirs and reg-key entries, but it must have metastasized since the last advice. Whereas the AntivirusPro2009 process isn't running in the task bar, the system tray icon is still there yelling at me and IE can't download things or visit some web pages. Any help would be greatly appreciated.
Start your machine in Safe Mode with Networking, by pressing F8 before you get the Windows logo displayed on your screen. Make sure that Malware Bytes is on the desktop and you should then be able to run it from there.
If you followed all the removal instructions and its still showing up in your task bar, have you gone into msconfig and looked at your startup list?
do a start\run\msconfig and then go through the start up programs and remove anything that doesn't need to start with windows.
Hope this helps.
Flitch Man wrote:
Alas, even in Safe Mode, I can't get MalwareBytes or HijackThis launched. Same symptom as before -- the Run dialog box comes up, I hit "run" and nothing happens, except the malb-setup.exe process is running in the Task Manager.
That batch file that people raved about didn't solve my problem, even though it ran to completion. It even said that it couldn't find anything, so I'm afraid that the Trojan has mutated beyond its ability.
I can't get back to a restore point either. When it reboots, a dialog tells me it couldn't restore.
I opened a Windows log file and noticed that Automatic Updates runs a lot, processes svchost.exe and winlogon.exe with module wuaueng.dll, and process wuauclt.exe with module wucltui.dll. I'm a UNIX software developer, so I understand some of this but I'm no sys admin and I'm pretty ignorant when it comes to Windows XP kernel processes, so I don't know if that is part of the problem.
I'm at a loss now of what to do. Any help would be greatly appreciated.
Can you run MSCONFIG from the start / Run Menu?
If you can, stop all non essential services (Hide Microsoft Services - and get rid of everything there by unticking the boxes) and remove everything from your startup tab. Reboot then and see if you can get MalwareBytes to work.
Failing that, start in Safe Mode With Command Prompt. When the system is up, just type explorer and press enter. You now have a machine with the absolute minimum loaded. try and get malwarebytes to run from there. Failing that I'll have a hunt around for another cleaner and post a link here tomorrow.
You can also stop the Windows update service by using Start / Run / services.msc and disabling the Windows Update Service. This may help your problem but I'll still look for another generic cleaner which may help.
You can also take the drive out of the machine and scan it in another machine as a secondary drive or even better an external USB. MAKE SURE YOUR AV product is fully up to date before doing this though!!!!
What about safe mode command prompt? You can start most things from there. If you have been too aggressive with deleting important registry entries, you may well be up the proverbial stream.
If you have only moved files - take the drive out and put it into another machine and move the files back. Just as an idea....
Flitch Man wrote:
OK, safe mode with command prompt did the trick, was able to click on my icon and log on. However, after I moved all the files (listed below) from my quarantine dir back to \windows and \windows\system32, the system tray icon (red X) and annoying callout "Your computer is infected!" came back. I may have left out a file or two, but these are the files I remember having moved to quarantine, then back again:
The problems persist: can't run various anti-malware programs; IE nonsense pages, can't display help forum pages and other IE problems; can't restore from a restore point, etc.
\windows\system32\MRT.exe runs but I'm not sure it's to be trusted. The full scan seems to hang after about 7 min.
Ok, lots of files here and I don't have the time to look each one up. The easiest way is to just Google each filename. You will find out which are rogues and which are real Windows files.
One file looked familiar BRASTK.exe (http://answers.yahoo.com/question/index?qid=20081008140746AANayDs) so you still do have infections.
OK, you don't say which AV product you have so can you run HijackThis from Trend? Look it up on Google and make sure that you download it from Trend's web site. When you run it, make sure that in O20 you only have your AV product starting. Make sure that all the other entries are valid files. If they are not, put a click in the box to the left and when you have gone through the whole list, click on the Fix button at the bottom. Re-boot. Go into Control Panel, open your internet options and select the Advanced Tab. Click on the Reset button at the bottom. Click on OK when it has completed. Delete your Temp files in IE, and then click OK all the way out. Start your Malwarebytes scan again and let it run. If there are loads of Temp IE files, it does take quite some time. It should be quicker now. When you have removed the infections, reboot and check out the damage that has been done or is the system usable? At this stage it may be worth trying a Repair installation from your OS install disk if things are not behaving themselves.
When I got this virus I thought darn... I looked it up on google and my avg safesearch voted the site as ok! but
read more about it and people say that it's downloaded by another virus and then forces you to buy the full version, when you pay for it, it then downloads the full one which does more damage than the trial 1!
i used "revo uninstaller" i got it from www.download.com , just type "revo"in the search bar and download it , its great it removes anything! also you can go into a deep mode which scans for leftover info.
but I had a spare copy of windows that I didn't use so I re-installed the operating system and wiped my hard drive.
Antivirus 2009 is an unwanted program, from the authors of Antivirus 2008. These applications have a similar interface and "features". After stealth installation, Antivirus 2009 will show tons of fake spyware\adware detection messages and offers to remove reported threats (after you purchase commercial version). But in reality Antivirus 2009 is not a spyware cleaner, it's just an imitation of spyware remover. Antivirus 2009 can also slow your computer and cause system errors and crashes. Remove Antivirus 2009 using manual removal instructions (for advanced users) or removal tool.
use manual removal guide