#1
Hijacked by AntiVirus Gold
Earlier today, my main computer was hi-jacked by Antivirus Gold. I can uninstall it, but it returns immediately upon reboot. Try as I might, I cannot get rid of it. It's taken over my desktop and will not allow me to change it, constant black background with a huge "Buy Me" advertisement.

It seems to behave like Spyware, but Microsoft's beta spyware detection and removal utility doesn't know about this and fails to see it. In fact, none of my housekeeping utilities, including SpyBot, AdAware, Registry FirstAid, etc., see it or remove it. It won't leave me alone, constantly popping up with warning messages urging me to buy.

At the same time this happened, 3 viruses did invade my computer, notwithstanding the presence of my SMC Barricade Router:

sysupd.dll
delprot.sys
edmond.exe

My Norton Anti-Virus detects and removes them following reboot. But upon the next reboot, these 3 infected files have somehow been restored and are still there. After Norton has done its thing, a file search fails to find them, confirming deletion. But they keep coming back.

I have a sinking feeling that this Antivirus Gold utility deliberately planted these viruses, and will not allow them to be permanently removed until I pay for it. Ugly, ugly, ugly...... :-(

Suggestions on how to get rid of Antivirus Gold and these 3 viruses would be appreciated. It somehow got itself installed without my knowledge or concurrence. I already have Norton Anti-Virus which until now has served me well.

I'm running WinXP Home, fully updated, including Microsoft AntiSpyware beta 1.

Regards,
Terry Smythe
Winnipeg, Canada
#2
The top anti-spyware program is Webroot Spysweeper. Its real time protection is buggy as hell, but its scanner is the best. You also might try TDS-3, which is antitrojan software. You never know how what you are dealing with is classified. The fact that there are pieces of this thing that cannot be deleted and restore the original program indicates it is behaving an awful lot like an advanced trojan. Both programs have legitimate trial versions.

What in the hell were you doing installing some off-brand anti-virus software? Never install anything that isn't on Virus Bulletin's approved list. The two universal choices of anti-virus software by knowledgeable people are Kaspersky and Eset NOD32.
#3
A list of what to do to ensure viruses, spyware, and adware stay off of your computer.

1. Don't use Internet Explorer, use Firefox. ---- Don't boot me for this
2. Turn off system restore and reboot.
3. Scan online for free at http://housecall.trendmicro.com/hous...start_corp.asp and http://security.symantec.com/sscv6/h...se_parent=true.
4. Download "Spybot Search and Destroy", Ad-Aware SE, Spywareblaster, and Microsoft Anti Spyware Beta. All of these are freeware. Then run each in turn.
5. Reboot computer and turn back on system restore.

Locke
#4
"Locke" wrote in message news:HP1le.18473$Fv.13580@lakeread01...
> A list of what to do to ensure viruses, spyware, and adware off of your computer.
> 1.. Don't use Internet Explorer, use Firefox. ---- Dont boot me for this

In the future this might be a good idea but it won't get the junk off of his computer now.

> 3.. Scan online for free at http://housecall.trendmicro.com/hous...start_corp.asp and http://security.symantec.com/sscv6/h...se_parent=true.
> 4.. Download "Spybot Search and Destory", Ad-Aware SE, Spywareblaster, and Microsoft Anti Spyware Beta. All of these are freeware. Then run each in turn.

He's already mentioned that he's run those. Sometimes the freeware doesn't cut it. And those online scanners are really worthless!
#5
That's true but the good thing about using something like the Trend Micro is that it isn't corrupted by your virus so there is a chance that it might find the virus that Norton might not. Also you have to remember to turn off the System Restore anytime something has infected the computer to have it truly removed. That list I posted is just a good to know list for some of the items and suggestions to remove infections for the rest.

Locke

"Mister Scary" wrote in message ...
> "Locke" wrote in message news:HP1le.18473$Fv.13580@lakeread01...
>> A list of what to do to ensure viruses, spyware, and adware off of your computer.
>> 1.. Don't use Internet Explorer, use Firefox. ---- Dont boot me for this
>
> In the future this might be a good idea but it won't get the junk off of his computer now.
>
>> 3.. Scan online for free at http://housecall.trendmicro.com/hous...start_corp.asp and http://security.symantec.com/sscv6/h...se_parent=true.
>> 4.. Download "Spybot Search and Destory", Ad-Aware SE, Spywareblaster, and Microsoft Anti Spyware Beta. All of these are freeware. Then run each in turn.
>
> He's already mentioned that he's run those. Sometimes the freeware doesn't cut it. And those online scanners are really worthless!
#6
I have now verified that my desktop has been hijacked by "desktop.html". It resides in c:\windows.

I've tried deleting it and editing it, but can't get rid of it. Keeps coming back from somewhere, no matter what I do. It has imbedded within it a command to visit the Antivirus Gold web site. It appears to be extremely malicious marketing, planting 3 viruses that only it can remove, and itself. Its message is, 'if you want to remove these viruses, then buy me'.

A search for this file on my computer reveals only 1 copy. If I delete it, it is replaced upon reboot. If I edit it, it is replaced upon reboot. A 'net search suggests an incredibly convoluted procedure for getting rid of it. Surely there must be an easier way.

Along with SpyBot, AdAware, Microsoft's new parasite detector/remover fails to see it. They see all kinds of things, but won't touch this one. Registry First Aid finds only a single entry, deletes it, and upon reboot, it's back again. It's not in Startup.

I'm hopeful of finding some kind of specific utility to remove this ugly parasite.

Regards,
Terry Smythe
#7
Well like I said in my list - make sure you turn off System Restore - you go into Control Panel - System Restore - Turn off on all drives. You can d/l a trial of Webroot's SpySweeper which is very good at finding some things the others miss. It is a good idea to run all of them though b/c different ones find different things. I also say to use Trendmicro's website b/c it is off of your computer and finds and cleans various things.

The virus can reside in the System Restore and reinstall itself upon reboot - it doesn't have to be listed in the startup to do this. If you know all of the names that are used by this then search the Symantec website, many times there is a removal tool that you can run.

Locke
#8
Go to the following link and download HijackThis.

http://www.aumha.org/freeware/freeware.php#hjt

Run it and then post the log it generates to one of the forums dedicated to its use. A good place to start is here:

http://forum.aumha.org/viewforum.php?f=30
http://www.techsupportforum.com/forumdisplay.php?f=50
http://castlecops.com/forumx67-0-50.html

Don't post the log here.

Some malware hides very deep in the system and isn't detected by any of the spyware removal programs. HijackThis and other tools will assist in its manual removal. Barring that you could backup your data and reinstall Windows and all your programs then restore the data. If you are unable to do either I recommend you take your computer to a professional to have it fixed.

Kerry
#9
Hello Terry,

I had the EXACT same problem as you (with ANTIVIRUS GOLD) and solved it as detailed below. I read the follow-up posts to your original email and it seems that some of the responses missed the nail in helping you out (one guy even criticized you for installing "off-brand" antivirus... - he missed the WHOLE point of your email for help not realizing that you DID NOT install ANTIVIRUS GOLD and that it simply took over your system).

In any event, I went to antivirus-gold.com customer service and emailed a complaint asking how to get rid of this. But of course they never responded. I WAS able to get rid of it though and maybe this will help you too.

I'm running under XP Pro. In Windows "Help and Support" (accessible via Start button), I clicked "Undo changes to your computer with System Restore". I then selected "Restore my computer to an earlier time". When the calendar came up, I selected an available restore point a few days BEFORE the time when this whole problem started, rebooted as requested, and it's fine now.

How it happened: In my case, I let my guard down by stopping both McAfee Vscan and McAfee AntiSpyware. I stopped these because I was burning DVDs for my business. When the burning completed, I forgot to re-arm these guys and went surfing. I hit a site that needed to load a CODEC to run the video. I run a film to DVD business and I try to make sure I always have all the latest CODECS and so I loaded the new "codec" and that's when the problem started. (ok ok, it was a porn site ;-)

I would appreciate you letting me know if this solution helps you at all.

Veliko
#11
Hi,

Thanks a lot, the problem got solved by the system restore. But the program got installed again after some time and now even system restore can't solve the problem.

--
janu
Posted from http://www.pcreview.co.uk/ newsgroup access
#12
Hi janu,

just yesterday I stumbled into the same problem. My 13 year old cousin caught this proggy but of course... "I didn't do anything". Whatever.

I tried to track down how antivirus-gold kept sticking on the system and found that on startup a process called winnook.exe got started. That one was responsible for the red X in the taskbar (bottom right) telling you that your computer was infected. You can remove that one by starting msconfig from the run menu and unchecking it.

Antivirus-gold was actually found in the software panel and could be uninstalled. But after the uninstall process was done it immediately started Internet Explorer going to its website. So I checked IE's settings and found some IE helper objects (sorry, forgot the name). But the fact that AV gold got re-installed right after that made me think that it must have been one of those browser helpers (thank you Microsoft!). So I de-activated the suspicious ones.

The website on the desktop can be removed by settings - system panel - display - desktop - customize desktop (don't know if that's the correct English term) - web. There you can remove that website from the active desktop.

After all it did not come back. But of course you never know. Today I'm gonna deep check that machine for virii with knoppicillin.

I hope this will help you.

regards
Olson
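Added example, not part of the thread or written by any poster: Kerry recommends generating a HijackThis log, and Olson found the reinstall hooks in three places (a startup entry, IE helper objects, an Active Desktop web item). The Python sketch below sorts a log's entries into those three sections and marks which ones match file names mentioned in the thread. The sample log, the `C:\PLACEHOLDER` paths and the CLSIDs are constructed.

```python
import re

# HijackThis section codes for the three places Olson checked by hand.
SECTIONS = {
    "O2": "Browser Helper Object (IE add-on)",
    "O4": "startup entry (Run key or Startup folder, as listed by msconfig)",
    "O24": "Active Desktop component (web item on the desktop)",
}

# File names that posters in this thread reported.
THREAD_NAMES = ("winnook.exe", "desktop.html", "sysupd.dll",
                "delprot.sys", "edmond.exe")

# Constructed sample log, not taken from any poster's machine.
# The C:\PLACEHOLDER paths and the CLSID are made up.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\explorer.exe
C:\PLACEHOLDER\winnook.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\PLACEHOLDER\helper.dll
O4 - HKLM\..\Run: [winnook] C:\PLACEHOLDER\winnook.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O24 - Desktop Component 0: (no name) - file:///C:/WINDOWS/desktop.html
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_entries(log_text):
    """Return (section_code, body) for every 'Xn - ...' line in the log."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def triage(log_text, names=THREAD_NAMES):
    """Group persistence-related entries by section and note name matches."""
    report = {}
    for code, body in parse_entries(log_text):
        if code not in SECTIONS:
            continue  # e.g. R0 start-page lines are out of scope here
        hits = [n for n in names if n.lower() in body.lower()]
        report.setdefault(code, []).append({"entry": body, "known_names": hits})
    return report


def needs_manual_review(report):
    """Entries in these sections that match no known name.

    A name list cannot clear them; each one has to be identified by hand.
    """
    return [(code, item["entry"])
            for code, items in report.items()
            for item in items if not item["known_names"]]


def format_report(report):
    """Render the triage result as indented text, one section per block."""
    lines = []
    for code, items in report.items():
        lines.append(f"{code}: {SECTIONS[code]}")
        for item in items:
            tag = ", ".join(item["known_names"]) or "unknown, review by hand"
            lines.append(f"  [{tag}] {item['entry']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_LOG)))
```

In the sample, the helper object matches none of the thread's file names, which is the case Olson describes: the startup entry and the desktop item are easy to spot by name, while the browser helper has to be judged entry by entry.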
#13
On 29 May 2005 04:47:42 -0700, "Olson" wrote:
> just yesterday i stumbled into the same problem.

My computer, the one that started this thread, is still infected with the Antivirus Gold parasite. I have somehow been successful in shutting down the automatic re-install following reboot. Not sure what I did right.

However, my desktop is still hi-jacked by the parasite that masquerades as an ad to buy Antivirus Gold. If there was ever a way to turn off a potential customer, the Antivirus Gold folks have been very successful. With this aggravation in my face at all times, I'm filled with complete hatred for this product.

Microsoft's AntiSpyware, Spy-Bot, Ad-Aware, TuneUp, SpySweeper, CWShredder, Registry First Aid, Norton, etc., all fail to find and remove this insidious parasite.

My desktop is hi-jacked by "desktop.html" which resides in c:\windows. I can physically delete the file, remove all traces of it from the registry, but instantly upon reboot, it's back again in full control of my desktop.

Symantec does have a page dedicated to this, but it appears to be outdated, as their suggested fix does not work. So I gather that the folks behind Antivirus Gold have figured out a way around that fix, staying one-step ahead of everybody.

What these folks are doing amounts to extortion, a criminal offense worthy of a formal charge. As this parasite has been around for a while, I'm astonished that Microsoft has not picked up on it, and added a fix to their AntiSpyware.

If anybody comes up with a permanent fix, they will be a hero in the eyes of many.

Regards,
Terry Smythe
Winnipeg, Canada
#14
Did you download and run HijackThis then post your log to the recommended forums?

Kerry
#15
Hi Olson,

I did what you told me to do and the desktop has been cleaned, but the program did install again, so I did what you told me again, but after that I also deleted the folder in the Program Files folder. The only thing is that the entry in msconfig still remains and is deactivated. When it installed I checked msconfig and I had 2 entries, 1 deactivated and one active, but when I deactivated the other one too, I have only 1 entry. Hope it doesn't bother me again. If it happens again I will have to find the culprit file.

Thanks for your help.

Janu