
Thread: AntivirXP08

  1. AntivirXP08

    Despite having layers of protection (Ad-Aware, Spybot, two firewalls, AVG), this virus has infected my PC. Not sure how, but anyways.

    My usual scanning programs don't delete it entirely. I'm hoping that I don't need to reformat my HD. Any suggestions would be most appreciated, as would further recommendations to keep this from happening.

    I've found a few solutions on the web, e.g.

    http://www.removeonline.com/remove-a...-instructions/

    but I'm not sure if this is a source for further viruses. Yes I'm paranoid.

    Thanks!!

    Satoshi Kon: 1963-2010

  2. Weird, I just got an email about this at work. The solution is kinda similar, but here it is:

    Install this, update it, and run a full scan:

    http://www.download.com/Malwarebytes...-10804572.html

    then do this manually

    Kill processes:
    AntiVirus2008.exe AntvrsInstall.exe AntvrsInstall[1].exe Antvrs.exe
    HELP:
    how to kill malicious processes


    Delete registry values:
    HKEY_USERS\Software\antivirus 2008
    HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus
    HKEY_CURRENT_USER\Software\Antivirus
    Software\Microsoft\Windows\CurrentVersion\RunOnce\3P_UDEC
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "3P_UDEC"
    Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Antivirus"
    HELP:
    how to remove registry entries


    Unregister DLLs:
    shlwapi.dll, wininet.dll
    HELP:
    how to unregister malicious DLLs


    Delete files:
    shlwapi.dll, wininet.dll, AntiVirus2008.exe, Uninstall Antivirus.lnk, AntiVirus 2008.lnk, AntvrsInstall.exe, AntvrsInstall[1].exe, AntiVirus 2008.lic, Antvrs.exe
    HELP:
    how to remove harmful files


    Delete directories:
    %ProgramFiles%\ANTIVIRUS 2008

  3. Thanks man! Looks like this is the newest latest virus thingy.

    I also found a forum where this has worked for a bunch of people.

    1. Boot the computer into SAFE MODE
    2. Uninstall WinAnitVR XP 08 from your add/remove list.

    Note: Don’t flip if the uninstaller doesn’t work… mine didn’t. We will manually remove it.

    3. Open My Computer and navigate to the following directories and delete them.

    C:\Program Files\rhcedwj0ecev
    C:\Program Files\pphcadwj0ecev

    4. Click Start and go to RUN. Type in MSCONFIG

    5. Remove rhcedwj0ecev.exe and pphcadwj0ecev.exe from your startup items. Apply the changes and DO NOT restart yet.

    6. Click Start and go to RUN. Type REGEDIT

    7. In the registry, ENSURE you are at the top of the list (Computer is highlighted). Click EDIT and then FIND.

    Type in wj0ecev (the 0 is a zero). Search the registry and you will find a dozen items matching this name.

    Note: The virus file name has “wj0ecev” as its constant; the “pph” and “rhc” etc… just keep changing.

    8. Do a new registry search and put in: AntivirXP. Remove any and all instances of it in the registry. Close the registry once done.

    9. Open the My Computer icon and do a search on your Hard Drive for: wj0ecev

    Remove all files associated with this file name. Close once completed.

    10. Ensure that ALL of the Temp internet files have been deleted.

    11. Restart normally and remove any/all icons on your desktop/start menu that AntiVIRXP created.

    Satoshi Kon: 1963-2010

  4. Success! I used the above steps in my previous post.

    The only problem was the root in the virus string was different from the “wj0ecev” in the example, but once I found what it was by looking in the program files, I was able to delete everything in safe mode.

    Satoshi Kon: 1963-2010

  5. I have seen at least 20 client machines in the past two weeks with this p.o.s. This tool has removed each one without issue.

    http://www.malwarebytes.org
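
Added example (not part of any post in this thread): posts 3 and 4 note that the folder names share a constant tail while the prefix changes, and that the tail differs between machines. This read-only Python sketch derives that shared tail from a list of Program Files folder names and flags autorun commands that reference it. The sample folder list, the autorun entries and the 7-character threshold are constructed assumptions.

```python
"""Read-only triage: find the random 'root' shared by folder names, then
list autorun entries that reference it. All sample data is constructed."""
from itertools import combinations


def common_suffix(a: str, b: str) -> str:
    """Longest string that both names end with (case-insensitive)."""
    a, b = a.lower(), b.lower()
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return a[len(a) - n:]


def find_roots(folder_names, min_len=7):
    """Map each shared tail of at least min_len characters to the folders
    ending with it. Heuristic: output is a list to review, not a verdict."""
    roots = {}
    for a, b in combinations(folder_names, 2):
        suffix = common_suffix(a, b)
        if len(suffix) >= min_len and " " not in suffix:
            roots.setdefault(suffix, set()).update((a, b))
    return roots


def matching_autoruns(autoruns, roots):
    """Return (value name, command) pairs whose command contains a root."""
    return [(name, cmd) for name, cmd in autoruns.items()
            if any(root in cmd.lower() for root in roots)]


# Constructed sample input: the two folder names quoted in post 3 mixed
# with ordinary folders; the Run values and the .exe path are assumptions.
SAMPLE_FOLDERS = ["Common Files", "Internet Explorer", "rhcedwj0ecev",
                  "Windows Media Player", "pphcadwj0ecev", "Movie Maker"]
SAMPLE_AUTORUNS = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "rhcedwj0ecev": r"C:\Program Files\rhcedwj0ecev\rhcedwj0ecev.exe",
}

if __name__ == "__main__":
    roots = find_roots(SAMPLE_FOLDERS)
    for root, folders in roots.items():
        print(f"shared root {root!r}: {sorted(folders)}")
    for name, cmd in matching_autoruns(SAMPLE_AUTORUNS, roots):
        print(f"autorun {name!r} -> {cmd}")
```

On the two names from post 3 this reports `dwj0ecev`, one character longer than the `wj0ecev` quoted there, because both names also share the preceding `d`.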
