Hijacked by AntiVirus Gold

Old 27-05-2005, 09:45 PM   #11
janu
Junior Member
 
Join Date: May 2005
Posts: 3
Trader Rating: (0)
Default


Hi
Thanks a lot, the problem got solved by the system restore. But the program got installed again after some time and now even system restore can't solve the problem.
janu is offline   Reply With Quote
Old 29-05-2005, 01:47 PM   #12
Olson
Guest
 
Posts: n/a
Default Re: Hijacked by AntiVirus Gold

Hi janu,
just yesterday I stumbled into the same problem. My 13 year old cousin
caught this proggy but of course... "I didn't do anything".
Whatever.
I tried to track down how antivirus-gold kept sticking on the system
and found that on startup a process called winnook.exe got started.
That one was responsible for the red X in the taskbar (bottom right)
telling you that your computer was infected. You can remove that one by
starting msconfig from the run menu and unchecking it.
Antivirus-gold was actually found in the software panel and could be
uninstalled. But after the uninstall process was done it immediately
started Internet Explorer going to its website. So I checked IE's
settings and found some IE helper objects (sorry, forgot the name).
But the fact that AV gold got re-installed right after that made me
think that it must have been one of those browser helpers (thank you
Microsoft!). So I de-activated the suspicious ones.
The website on the desktop can be removed by settings -> system panel
-> display -> desktop -> customize desktop (don't know if that's the
correct English term) -> web. There you can remove that website from
the active desktop.
After all it did not come back. But of course you never know. Today I'm
gonna deep check that machine for viruses with knoppicillin.
I hope this will help you.

regards
Olson

  Reply With Quote
Old 30-05-2005, 06:05 PM   #13
Terry Smythe
Guest
 
Posts: n/a
Default Re: Hijacked by AntiVirus Gold

On 29 May 2005 04:47:42 -0700, "Olson" <spdump@gmx.de> wrote:

>just yesterday i stumbled into the same problem.


My computer, the one that started this thread, is still infected with
the Antivirus Gold parasite. I have somehow been successful in
shutting down the automatic re-install following reboot. Not sure
what I did right. However, my desktop is still hi-jacked by the
parasite that masquerades as an ad to buy Antivirus Gold.

If there was ever a way to turn off a potential customer, the
Antivirus Gold folks have been very successful. With this
aggravation in my face at all times, I'm filled with complete hatred
for this product.

Microsoft's AntiSpyware, Spy-Bot, Ad-Aware, TuneUp, SpySweeper,
CWShredder, Registry First Aid, Norton, etc., all fail to find and
remove this insidious parasite.

My desktop is hi-jacked by "desktop.html" which resides in c:\windows.
I can physically delete the file, remove all traces of it from the
registry, but instantly upon reboot, it's back again in full control
of my desktop.

Symantec does have a page dedicated to this, but it appears to be
outdated, as their suggested fix does not work. So I gather that
the folks behind Antivirus Gold have figured out a way around that
fix, staying one-step ahead of everybody.

What these folks are doing amounts to extortion, a criminal offense
worthy of a formal charge.

As this parasite has been around for a while, I'm astonished that
Microsoft has not picked up on it, and added a fix to their
AntiSpyware.

If anybody comes up with a permanent fix, they will be a hero in the
eyes of many.

Regards,

Terry Smythe
Winnipeg, Canada


  Reply With Quote
Old 30-05-2005, 07:33 PM   #14
Kerry Brown
Guest
 
Posts: n/a
Default Re: Hijacked by AntiVirus Gold

"Terry Smythe" <smythe@shaw.ca> wrote in message
news:ajdm919va0m3afqedq079lbmea98k297fc@4ax.com...
> On 29 May 2005 04:47:42 -0700, "Olson" <spdump@gmx.de> wrote:
>
>>just yesterday i stumbled into the same problem.

>
> My computer, the one that started this thread, is still infected with
> the Antivirus Gold parasite. I have somehow been successful in
> shutting down the automatic re-install following reboot. Not sure
> what I did right. However, my desktop is still hi-jacked by the
> parasite that masquerades as an ad to buy Antivirus Gold.
>
> If there was ever a way to turn off a potential customer, the
> Antivirus Gold folks have been very successful. With this
> aggravation in my face at all times, I'm filled with complete hatred
> for this product.
>
> Microsoft's AntiSpyware, Spy-Bot, Ad-Aware, TuneUp, SpySweeper,
> CWShredder, Registry First Aid, Norton, etc., all fail to find and
> remove this insidious parasite.
>
> My desktop is hi-jacked by "desktop.html" which resides in c:\windows.
> I can physically delete the file, remove all traces of it from the
> registry, but instantly upon reboot, it's back again in full control
> of my desktop.
>
> Symantec does have a page dedicated to this, but it appears to be
> outdated, as their suggested fix does not work. So I gather that
> the folks behind Antivirus Gold have figured out a way around that
> fix, staying one-step ahead of everybody.
>
> What these folks are doing amounts to extortion, a criminal offense
> worthy of a formal charge.
>
> As this parasite has been around for a while, I'm astonished that
> Microsoft has not picked up on it, and added a fix to their
> AntiSpyware.
>
> If anybody comes up with a permanent fix, they will be a hero in the
> eyes of many.
>
> Regards,
>
> Terry Smythe
> Winnipeg, Canada
>
>


Did you download and run HijackThis then post your log to the recommended
forums?

Kerry


  Reply With Quote
Old 30-05-2005, 10:15 PM   #15
janu
Junior Member
 
Join Date: May 2005
Posts: 3
Trader Rating: (0)
Default

Hi Olson,

I did what you told me to do and the desktop has been cleaned, but the program did install again, so I did what you told me again, but after that I also deleted the folder in the Program Files folder. The only thing is that the entry in msconfig still remains and is deactivated.

When it installed I checked msconfig and I had 2 entries, 1 deactivated and one active, but when I deactivated the other one too, I have only 1 entry.

Hope it doesn't bother again. If it happens again will have to find the culprit file.

Thanks for your help.
Janu
janu is offline   Reply With Quote
Old 31-05-2005, 03:33 AM   #16
janu
Junior Member
 
Join Date: May 2005
Posts: 3
Trader Rating: (0)
Default

Hi
I have noticed another thing: it keeps installing in the Favorites links, which I have deleted like 100 times now, but it wouldn't go away. I restart Explorer and it installs; it even installs if you open a new window.

Don't know when I will get rid of this stupid thing.

I have even removed the registry of winnook.exe.
Also removed files from the prefetch folder so there are no backups to the files.

Without luck.
Hope a good solution to this problem comes fast, I am losing my mind.

Take care
janu is offline   Reply With Quote
Old 31-05-2005, 05:05 AM   #17
Kerry Brown
Guest
 
Posts: n/a
Default Re: Hijacked by AntiVirus Gold

"janu" <janu.1pvhom@> wrote in message
news:eO2dnb_JX5pTXQbfRVn_vg@giganews.com...
>
> Hi
> I have noticed another thing: it keeps installing in the Favorites links,
> which I have deleted like 100 times now, but it wouldn't go away. I restart
> Explorer and it installs; it even installs if you open a new window.
>
> Don't know when I will get rid of this stupid thing.
>
> I have even removed the registry of winnook.exe.
> Also removed files from the prefetch folder so there are no backups to the
> files.
>
> Without luck.
> Hope a good solution to this problem comes fast, I am losing my mind.
>
> Take care
>
>
> --
> janu
> Posted from http://www.pcreview.co.uk/ newsgroup access
>


I know I'm harping on this but have either you or Terry Smythe tried
HijackThis? When all other programs fail HijackThis will usually get to the
root of the problem. It is a program for advanced users so do not use it
blindly. Read the FAQ at the following link then follow the instructions you
find there.

http://forums.spywareinfo.com/

Kerry


  Reply With Quote
Old 01-06-2005, 03:53 AM   #18
e[x]!t
Junior Member
 
Join Date: Jun 2005
Posts: 1
Trader Rating: (0)
Default

I had the same EXACT problem... Sunday I went to a soccer game and came home finding out that my sister used my computer and this software installed itself... HOWEVER there is a way to remove that background... It is just an oversized window, so if you get it, look at the top of your screen and you see a grey bar of some kind or line, and drag down and it just moves the window down and you simply close the X... My problem is that after I uninstall, the little icon saying my computer is infected still stays in my toolbar. Now this was the other day, Sunday, and I restored my computer to last Friday. This worked, however, today the program reinstalled itself and I did not use Internet Explorer. I have Firefox. Along with this program installing itself again, some other junk installed on my computer and I got 5 new icons on my desktop in total. I did a system restore and not more than 5 minutes after the restore the AVG software installed itself again. I contacted the company... of course no reply. I tried deleting the files under "regedit" from the Run command and one file for this program was a default and could not be deleted. But I guess I'm just gonna try to restore my computer to a few weeks ago and see if that helps.
e[x]!t is offline   Reply With Quote
Old 02-06-2005, 02:33 AM   #19
CGKBA
Junior Member
 
Join Date: Jun 2005
Posts: 1
Trader Rating: (0)
Talking This work to get it of Antivirus Gold

Run HijackThis and place a check beside each of the following. Once you have checked them, click "Fix checked".
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aflashcounter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aflashcounter.com/?a=2

Download noact reg to desktop: http://home9.inet.tele.dk/le01/Sikkerhed.htm
Double-click on it, say yes to merge.

Reboot, post a new log and tell how things are running.
CGKBA is offline   Reply With Quote
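
Added example, not part of CGKBA's post or of HijackThis itself: a small Python triage pass over HijackThis-style log text that flags R0/R1 Internet Explorer entries pointing at an unexpected host (the two R1 lines above, one per registry hive) and O4 startup entries for an executable named in this thread (winnook.exe). The expected-host list, the O4 value name and path, and the benign lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hosts the analyst expects in IE search/start settings (assumption).
EXPECTED_HOSTS = {"www.microsoft.com", "search.msn.com"}
# Startup executables named in the thread as part of the infection.
WATCHED_EXES = {"winnook.exe"}

# "R1 - <registry key>,<value name> = <data>"
REG_LINE = re.compile(r"^(R[01]) - (HK[A-Z]+\\[^,]+),(.*?) = (.*)$")
# "O4 - <hive>\..\Run: [<value name>] <command line>"
RUN_LINE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.+)$")
# Last path component ending in .exe, tolerating spaces in directories.
EXE_NAME = re.compile(r'([^\\/"]+\.exe)\b', re.IGNORECASE)

def triage(log_text):
    """Return (code, location, value name, indicator) for suspicious lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REG_LINE.match(line)
        if m:
            code, key, name, data = m.groups()
            host = (urlsplit(data).hostname or "").lower()
            # Non-URL data (about:blank, empty) has no host and is skipped.
            if host and host not in EXPECTED_HOSTS:
                findings.append((code, key, name, host))
            continue
        m = RUN_LINE.match(line)
        if m:
            hive, name, command = m.groups()
            exe = EXE_NAME.search(command)
            if exe and exe.group(1).lower() in WATCHED_EXES:
                findings.append(("O4", hive, name, exe.group(1).lower()))
    return findings

# Constructed sample: the two R1 lines are from the post above; the R0 and
# O4 lines (value names and paths included) are made up for the example.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aflashcounter.com/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://aflashcounter.com/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/
O4 - HKLM\..\Run: [example] C:\EXAMPLE-PATH\winnook.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Because the same SearchURL value appears under both HKCU and HKLM, a fix that clears only one hive leaves the other in place; the output lists each location separately for that reason.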
Old 02-06-2005, 11:33 PM   #20
gregp86
Junior Member
 
Join Date: Jun 2005
Posts: 1
Trader Rating: (0)
Smile How I beat Antivirus-gold

I finally got rid of the desktop danger thing, the redirects and everything those dirtbags at Antivirus Gold threw at me. I did it by using the free scans from SpywareNuker (aka pcOrion) and Xoftspy. I did the Nuker first and printed out the results from my scan, then found and deleted the cookies and files where it told me to find them on my C:/. When I had a .exe or .dll file I couldn't get to, I deleted them in safe mode. Then I went into the regedit thing and did the same thing on my registry. All together Nuker found 22 nasties for me to delete. After that I still had the black screen up and the red X on my task bar, so I used the Xoftspy scan and it dug up another list. I pretty much followed the locations it gave me and I got rid of everything else, except the black desktop screen became white and I couldn't get rid of it. I Dogpiled AVGold and found y'all on this string and I want to thank e[x]!t for his help. He's right, I just clicked and dragged the top of that window down, found the X in the upper right corner and it's gone!

I just registered on this site to thank you all for the advice I got reading the posts and wanted to share how I got over on AVGold. I'm pretty much a complete computer neophyte and I think my total ignorance allowed me to mess with my registry without a second thought and I just got lucky picking a couple of scans that happened to work out. But hey it worked for me, and if anybody knows how to trash AntiVirus Gold I'll be happy to hold the door open. Thanks for your help.

Last edited by gregp86 : 03-06-2005 at 12:12 AM.
gregp86 is offline   Reply With Quote