Fun With Antivirus XP 2008


Posted on September 27, 2008 7:04 PM in Computers

For the most part, my copy of McAfee does little more than take up resources on my computer. When I run Ad-Aware, I catch a few harmless cookies, but nothing major. Today, though, I was presented with a handful for which neither seemed to be a match.

After reading about Paul Newman's death (R.I.P. Paul) earlier today, I decided to head on over to The Pirate Bay to see if I could find a copy of Butch Cassidy and the Sundance Kid in 720p to download. When I arrived at the search results, I was surprised to see that rather than the typical Firefox-outwitting pop-up ads, I was presented with an actual PDF file attempting to launch on my computer. Now that's a first!

As soon as I saw the chrome of Adobe Acrobat painting itself before my eyes, I knew I was in trouble, and immediately hit CTRL-SHIFT-ESC to try and kill the process. I closed what I could, but unfortunately for me, the damage had been done. The advantage of hindsight has now led me to believe that the page somehow triggered the launching of a malicious PDF file, which was able to exploit my version of Adobe Acrobat (version 8) in such a way that it unleashed the Antivirus XP 2008 application on my computer.

Although the malware went to work on my computer in a matter of seconds, it took much, much longer to rid my computer of it. Unfortunately for me, McAfee paid about as much attention to it as Clay Aiken would to Carrie Underwood if she couldn't sing. Ad-Aware 2008 actually located the affected files and pretended I could do something about them, but after I attempted to remove them and logged out and back in to my account, it was blatantly obvious it had had no effect whatsoever.

Antivirus XP 2008 is interesting in that it attempts to get you to accept a "license agreement" whenever you log in to your Windows account. I personally didn't see what the application does beyond that agreement, because I didn't accept it, but there are some details over at Symantec's website. The part I did see, though, is that it replaces your desktop background with an image of a generic antivirus dialog attempting to trick you into thinking you have viruses on your computer. It also changes some of your local computer policies so that you are unable to change the desktop background or your screensaver.

After reading some content over at Bleeping Computer, I decided to download Malwarebytes' Anti-Malware and see if it could take care of the problem. That was a terrible mistake, because not only did the tool not remove the malware, but it was extremely buggy and kept throwing up the types of error dialogs I'd expect from alpha software, if that. When that didn't work, I decided to give Spybot - Search & Destroy a try. I've always heard good things about it, but never gave it a try previously since I've always had such good experiences with Ad-Aware. Despite all the good things I'd heard, Spybot - Search & Destroy was a bust as well, even if not as badly as Malwarebytes' Anti-Malware.

At that point, I knew I was going to have to take things into my own hands. As they say, when you want something done right, do it yourself. I noticed that someone over in the CNET Computer Help Forums had posted some manual steps for removing Antivirus XP 2008 from a computer. For the most part, they got me where I needed to be, but there were a few differences in my experience, so I figured I'd post my modified steps here, in case it ever proves useful for anyone else.

Without further ado, here's the rundown on what I needed to do to rid my poor computer of the malware mess that is Antivirus XP 2008:

  1. Go to Start, Run and type "msconfig" and hit Enter.
  2. In the dialog, choose the Startup tab and uncheck the "lphc35dj0e1an" entry in the list. The aforementioned forum post recommended unchecking "rhc75dj0e1an," too, but I didn't find this in my list.
  3. Save the settings and restart the computer.
  4. Once the computer restarts, browse to the C:\Windows\System32 folder and delete the file lphc35dj0e1an.exe. The aforementioned forum post recommended deleting the entire folder located at C:\Program Files\rhc75dj0e1an, but I did not find this on my computer.
  5. The aforementioned forum post also recommended running GPedit.msc from Start, Run, but because I'm running Windows XP Home on my home computer, this is not an option. Rather than wading around in the registry to undo all of the display options that Antivirus XP 2008 had disabled, I did a little searching and stumbled upon an article that recommended using Doug's Windows XP Security Console as a graphical alternative to tweaking the registry. After having installed the application, I can now highly recommend it, too.
  6. From Doug's Windows XP Security Console, choose the Display Options tab and uncheck the "Disable the Desktop tab" and "Disable the Screensaver tab" options. Then hit Apply and then Exit.

After following the above steps myself, I was able to then go to the Display dialog for my desktop and return the desktop background to its previous state. I was also able to return the screensaver to its previous state. Funnily (or frustratingly, depending on your state of mind) enough, it was only at this point that McAfee caught wind of the malware and automatically removed it. I was notified of the following locations, in case they prove useful to anyone without access to an automatic cleanup utility like McAfee:

  • C:\Windows\system32\phc3j2j0e7dg.bmp
  • C:\Windows\System32\blphc3j2j0e7dg.scr
  • C:\System Volume Information\_restore{25A61011-48AC-4E32-BE28-95F28BF34C5F}\RP7\A0000077.scr
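As an added illustration of steps 2, 5 and 6 (my own example, not code from the post author or from any of the tools named above), here is a Python script that parses what Windows' reg query prints for the per-user display policies and the Run key, flags the two policy values that hide the Desktop and Screen Saver tabs, flags startup names shaped like the ones reported in this post, and emits the reg delete commands that undo the lockout. The policy path and the value names NoDispBackgroundPage and NoDispScrSavPage are the standard Windows policy values rather than names taken from the post, the rogue-name pattern is a heuristic built only from the names above, and the reg query output is constructed.

```python
import re
# Constructed sample of what "reg query" prints for the two keys a rogue like
# Antivirus XP 2008 touches: the per-user display policies and the Run key.
SAMPLE_REG_QUERY = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    NoDispBackgroundPage    REG_DWORD    0x1
    NoDispScrSavPage    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    lphc35dj0e1an    REG_SZ    C:\\WINDOWS\\system32\\lphc35dj0e1an.exe
    ExampleUpdater    REG_SZ    "C:\\Program Files\\Example\\updater.exe" /quiet
"""
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
DISPLAY_LOCK_VALUES = ("NoDispBackgroundPage", "NoDispScrSavPage")
# Heuristic built only from the names in this post (lphc..., rhc..., blphc...):
# a short prefix followed by a long run of lowercase letters and digits.
ROGUE_NAME = re.compile(r"^(?:b?l?phc|rhc)[0-9a-z]{8,}$")


def parse_reg_query(text):
    """Turn reg query output into {key_path: {value_name: (type, data)}}."""
    keys, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        if not line.startswith(" "):          # key paths start in column 0
            current = line.strip()
            keys[current] = {}
            continue
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)  # name, type, data
        if current is not None and len(parts) == 3:
            keys[current][parts[0]] = (parts[1], parts[2])
    return keys

def find_display_lockouts(keys):
    """Display-tab policy values that are present and set to a non-zero DWORD."""
    vals = keys.get(POLICY_KEY, {})
    return [n for n in DISPLAY_LOCK_VALUES
            if vals.get(n, ("", "0"))[0] == "REG_DWORD" and int(vals[n][1], 16)]

def find_suspicious_run_entries(keys):
    """(name, command) pairs under any ...\\CurrentVersion\\Run key matching ROGUE_NAME."""
    hits = []
    for key, vals in keys.items():
        if key.upper().endswith("\\CURRENTVERSION\\RUN"):
            hits += [(n, d) for n, (_, d) in vals.items() if ROGUE_NAME.match(n)]
    return hits

def revert_commands(lockouts):
    """reg.exe commands that delete the policy values so the Display tabs come back."""
    return ['reg delete "%s" /v %s /f' % (POLICY_KEY, n) for n in lockouts]
```

On a real machine, feed the script the output of reg query for the two keys shown; it only reads and reports, so deleting the file in step 4 is still done by hand.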

Hopefully for your sake, you're not reading this post because you've had a run-in with Antivirus XP 2008, but if you are, hopefully it's been at least somewhat helpful for you.

Comments

sw on October 01, 2008 at 7:18 PM:

Thanks a bunch! Worked like a charm! Saved my butt!

