ssosw
Antivirus XP Problems
Hi,
I need help with a laptop which was infected with Antivirus XP and Trojan FakeAlert-AQ. I have used Spyware Doctor to scan and remove it, but I guess I could not get rid of it. The desktop background with the warning came back after restarting and the system is still extremely slow. I tried to clean manually after that and, according to instructions, I tried unregistering the DLL mentioned but I could not. I then just deleted the whole installation folder. The Antivirus XP scanner has stopped loading but the desktop background still keeps coming back and it is much slower now.
ASKER
Ran both just to make sure. No more signs of any infection. The PC is a lot slower when starting applications though....
It's possible that there could be other nasties present in the system apart from "antivirus XP"; that's why we always ask for logs.
For future questions, it would help us if you provide logs for us to look at, e.g. HijackThis logs, and results of any scans that have been done.
ASKER
This is the log from another computer. Could you please go through this? The only problem with this machine is that Internet Explorer hangs a lot. Some pages don't load and some get stuck halfway and will resume on starting the Task Manager.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:48:12, on 11/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Symantec\Backup Exec\NT\dlomaintsvcu.exe
C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tenable\Nessus\nessusd.exe
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\WINDOWS\system32\00THotkey.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\salisz\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\PROGRA~1\SPEEDB~1\vaproxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NVRotateSysTray] rundll32.exe C:\WINDOWS\system32\nvsysrot.dll,Enable
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ThpSrv] c:\WINDOWS\system32\thpsrv /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PSQLLauncher] "C:\Program Files\Protector Suite QL\launcher.exe" /startup
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SpeedBitVideoAccelerator] "C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4788DE0A-3552-49EA-AC8C-233DA52523B9} (AxLoaderPassword Class) - http://www.blackberry.com/devicesoftware/AxLoader.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u1-windows-i586-jc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eu.esab.org
O17 - HKLM\Software\..\Telephony: DomainName = eu.esab.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eu.esab.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 172.20.246.55 172.20.106.53
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eu.esab.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 172.20.246.55 172.20.106.53
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 172.20.246.55 172.20.106.53
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: TosBtNP - C:\WINDOWS\SYSTEM32\TosBtNP.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Backup Exec DLO Maintenance Service (DLOMaintenanceSvc) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\NT\dlomaintsvcu.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Intel® NetStructure(TM) VPN Client (ICService) - Unknown owner - C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ScalaObjClientReg - Scala Business Solutions N.V. - C:\Program Files\Scala Business Solutions NV\iScala 2.2 Client\Client_BO\ScalaObjClientReg.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Tenable Nessus - Tenable Network Security - C:\Program Files\Tenable\Nessus\nessusd.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesbs32 (Tmesbs) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O23 - Service: VideoAcceleratorService - Speedbit Ltd. - C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
--
End of file - 13424 bytes
HijackThis looks clean, I don't see obvious malicious entries there. But then a clean HijackThis doesn't guarantee a clean PC, as many nasties are able to hide from the scan. I assume you recognize those O17 entries.
You have so many programs running at bootup there, you can disable some programs that you don't need straightaway after bootup.
IE freezes could also be caused by add-ons, toolbars or conflicts with some of your programs.
Try troubleshooting that first by disabling IE add-ons, toolbars etc, and try disabling some of your startup programs.
Also try disabling your antivirus to rule it out as the culprit (don't go online while antivirus is disabled).
If nothing helps, we can try running Combofix and see if it finds anything.
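A first-pass triage of a HijackThis log along the lines of the reply above (autostart load, O17 entries), written as an added Python example that is not part of the thread. It groups entries by section code, lists each O4 autostart, and collects the distinct O17 domain and name-server values plus any proxy setting so that someone who knows the network can confirm them; the sample is an excerpt of the log posted above and the function names are illustrative.

```python
import ipaddress
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted above, a few lines per section.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file://C:\PROGRA~1\SPEEDB~1\vaproxy.pac
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eu.esab.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 172.20.246.55 172.20.106.53
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 172.20.246.55 172.20.106.53
"""

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^(?P<where>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O17_RE = re.compile(r"^.+: (?P<field>\w+) = (?P<value>.*)$")

def parse(log_text):
    """Group entry bodies by HijackThis section code (R0, O4, O17, ...)."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:  # header and "Running processes" lines do not match
            sections[m.group(1)].append(m.group(2))
    return sections

def autostarts(sections):
    """(location, name, command) for each O4 entry: Run keys, Startup folders."""
    found = []
    for body in sections.get("O4", []):
        m = RUN_RE.match(body)
        if m:
            found.append((m["where"], m["name"], m["cmd"]))
        else:  # Startup-folder shortcut: "Global Startup: X.lnk = target"
            where, _, rest = body.partition(": ")
            name, _, cmd = rest.partition(" = ")
            found.append((where, name, cmd))
    return found

def dns_settings(sections):
    """Distinct O17 domains, and name servers mapped to 'is a private address'."""
    domains, servers = set(), {}
    for body in sections.get("O17", []):
        m = O17_RE.match(body)
        if m and m["field"] == "NameServer":
            for ip in m["value"].replace(",", " ").split():
                servers[ip] = ipaddress.ip_address(ip).is_private
        elif m and m["field"] in ("Domain", "DomainName"):
            domains.add(m["value"])
    return domains, servers

def proxy_settings(sections):
    """R0/R1 values that route IE traffic: AutoConfigURL (PAC) or ProxyServer."""
    hits = []
    for code in ("R0", "R1"):
        for body in sections.get(code, []):
            key, _, value = body.partition(" = ")
            name = key.rsplit(",", 1)[-1]
            if name in ("AutoConfigURL", "ProxyServer") and value:
                hits.append((name, value))
    return hits

if __name__ == "__main__":
    s = parse(SAMPLE_LOG)
    print(len(autostarts(s)), "autostarts;", dns_settings(s), proxy_settings(s))
```

A private name-server address only means the value is internal, not that it is the right one; the output is a list to confirm, not a verdict.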
ASKER
Thanks... I think it's the Norton AV that is the problem... Shall live with it till end of subscription.
To REMOVE XP Antivirus Manually...as so many scans and changes to it do not get it at times.
NOTE: When you locate the RANDOM FILE NAME, note it down to scan (find) the registry and remove entries which have this name.
Kill processes via Task Manager:
AntivirusXP2008.exe
%ProgramFiles%\[RANDOM NAME]\rhccv9j0e1b1.exe
%ProgramFiles%\[RANDOM NAME]\rhccv9j0e1b1.exe.local
%ProgramFiles%\[RANDOM NAME]\Uninstall.exe
%System%\[RANDOM NAME].exe
Unregister DLLs from a cmd prompt using: regsvr32 /u FILENAME
%ProgramFiles%\[RANDOM NAME]\msvcp71.dll
%ProgramFiles%\[RANDOM NAME]\msvcr71.dll
%ProgramFiles%\[RANDOM NAME]\MFC71.dll
%ProgramFiles%\[RANDOM NAME]\MFC71ENU.DLL
Delete files from your system. Note: administrator access may be required, and it may be easier to delete these files through safe mode.
AntivirusXP2008.exe
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
%ProgramFiles%\[RANDOM NAME]\database.dat
%ProgramFiles%\[RANDOM NAME]\license.txt
%ProgramFiles%\[RANDOM NAME]\MFC71.dll
%ProgramFiles%\[RANDOM NAME]\MFC71ENU.DLL
%ProgramFiles%\[RANDOM NAME]\msvcp71.dll
%ProgramFiles%\[RANDOM NAME]\msvcr71.dll
%ProgramFiles%\[RANDOM NAME]\rhccv9j0e1b1.exe
%ProgramFiles%\[RANDOM NAME]\rhccv9j0e1b1.exe.local
%ProgramFiles%\[RANDOM NAME]\Uninstall.exe
%System%\[RANDOM NAME].exe
Delete files which control the background and screen saver:
Locate via Explorer the Random file name.scr and Random file name.bmp under the windows directory or windows\system32 and delete them.
NOTE: these files are usually created at or around the same date and time the virus was first located (last few hours or days).
OTHER ISSUES TO LOOK FOR WITH XP ANTIVIRUS 2008
AFTER or WHEN YOU CLEAN - XP ANTIVIRUS 2008 VIA TOOLS FROM WEB OR MANUALLY,
When you restart, YOU LOGIN AND NOTHING IS THERE, No Explorer or Icons or Start Button !!!!
CTRL / ALT / DEL to start Task Manager.
Run REGEDIT and locate the following folder.
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution\
Delete this highlighted folder (explorer.exe)
i.e., delete the folder and the keys it holds:
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution\Explorer.exe
Then from TASK MANAGER run explorer.exe and your system should start if this was the problem that started this issue.
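The blank-desktop step in the post above concerns the key whose full name is `Image File Execution Options`: a `Debugger` value under a subkey named after an executable makes Windows start the named program in place of that executable, so a leftover entry for explorer.exe that points at a deleted file leaves no shell. The following is an added Python example, not part of the thread, that reads the text of a regedit export and reports which images carry a `Debugger` value before anything is deleted; the sample export and its paths are constructed placeholders and the function names are illustrative.

```python
import re

# Full name of the key the post abbreviates as "Image File Execution".
IFEO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
        r"\CurrentVersion\Image File Execution Options")

# Constructed sample of a regedit export (.reg text); paths are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Explorer.exe]
"Debugger"="\"C:\\Program Files\\EXAMPLE-RANDOM-NAME\\example.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sample-app.exe]
"GlobalFlag"="0x00000200"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Debugger"="not-an-ifeo-value.exe"
'''


def ifeo_debuggers(reg_text):
    """Map image name (lower-case) -> Debugger command for IFEO subkeys."""
    prefix = IFEO.lower() + "\\"
    findings, image = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            # Only direct children of the IFEO key name an executable image.
            child = key[len(prefix):] if key.startswith(prefix) else ""
            image = child if child and "\\" not in child else None
        elif image:
            m = re.match(r'^"debugger"="(.*)"$', line, re.IGNORECASE)
            if m:  # .reg strings escape \ and " with a leading backslash
                findings[image] = re.sub(r"\\(.)", r"\1", m.group(1))
    return findings


def shell_is_redirected(findings):
    """True when explorer.exe, the image named in the post, has a Debugger."""
    return "explorer.exe" in findings


if __name__ == "__main__":
    for image, debugger in ifeo_debuggers(SAMPLE_REG).items():
        print(f"{image}: launches {debugger} instead")
```

Exports saved by regedit are usually UTF-16; decode the file to text before passing it to `ifeo_debuggers`.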
I would've thought just either one would've done it.