I hate this spyware; it keeps finding ways to sneak into my system every now and then.
Thank god this time Avast was able to detect the virus and delete it. But the real problem was that the moment this rootkit was detected and deleted, Antivirus XP would install it again.
Initially I thought a boot-time scan would be enough to remove the virus from my system, but it did not turn out to be that effective, even though Avast removed more than 240 infected files.
The reason turned out to be Antivirus XP 2008 itself: it was running at boot time and re-infecting the system after every clean-up.
So I finally had to take action and take back control of my PC.
Here is a step-by-step account of what I did (remember, all of this was done immediately after the boot-time scan by Avast) to uninstall it and remove it from my PC.
Step 1: Open Task Manager And End The Infecting Processes
Right-click on the task bar and select Task Manager, go to the Processes tab and end the following processes if you find them running (note down the path of each one):
- lphc9u2j0ejde.exe, and
- rhccu2j0ejde.exe (this is the process for the Antivirus XP software)
Note that the actual names in your list may vary, so you may want to kill any process whose name starts with lphc or rhc. Remember that even if you make a mistake and close the wrong process, you can always restart your system (save any open work first, since ending the wrong process can take unsaved documents with it).
Step 2: Delete The Infecting Programs
Find the files whose processes you just ended (at the paths noted above) and either rename or delete them.
They are usually found at the following locations:
- C:\Windows\System32\blphc9u2j0ejde.scr (updated on 28th July), and
- C:\Program Files\rhc75dj0e1an\rhccu2j0ejde.exe
Once you delete these two files you have effectively removed the virus, but now we have to clean up the side effects.
(update 8 August 2008) It is worth highlighting a comment made by Jim. Thanks, Jim.
In order to avoid the problem with French I had my brother email me the English gpedit files from his computer. In addition to the files you indicated to delete from Task Manager I also found pphc5u2j0ejde.exe, so anyone doing this should look for files similar in nature. The j0ejde.exe part on the end is the same but the beginning may be different.
Step 3: Open msconfig To Clean Start Programs
Click Start -> Run and type ‘msconfig’ in the Run window. This will open the System Configuration Utility. If you get a warning or the msconfig window closes automatically, check out “How to stop regedit, Task Manager or msconfig from closing automatically”.
Click on the Startup tab, uncheck the boxes in front of the lphc and rhc entries as shown in the figure, and click Apply.
Now let's do a cold boot of the system (basically, press the reset button on your PC) and wait for the computer to boot again. If the rogue is not blocking a normal shutdown, restarting from the Start menu is gentler on the file system than the reset button.
Step 4: Change Group Policy To Restore Wallpaper
Click Start -> Run and type ‘gpedit.msc’ in the Run window. This will open the Group Policy editor.
Now navigate to User Configuration -> Administrative Templates -> Control Panel -> Display.
Finally, double-click each of the following items to open its properties window and change the setting to Disabled:
- Remove Display in Control Panel
- Hide Desktop Tab
- Prevent changing wallpaper
- Hide Appearance and Themes tab
- Hide Settings tab
- Hide Screen Saver tab
Check the picture above for a more detailed view.
This will allow you to change the wallpaper back to normal.
Please also check the alternative suggested by itzel in the comments below in case you don't have gpedit on your system (Windows XP Home Edition does not include gpedit.msc).
(Update: 5th step added on 28th July)
Step 5: Change Screen Saver
You will need to change the screen saver from “blphc9u2j0ejde” to something else (Display Properties -> Screen Saver tab, which step 4 makes visible again).
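As an added example (not part of the original post), here are the five steps above as a single PowerShell script to run from an elevated prompt right after the Avast boot-time scan. It assumes the rogue keeps the lphc/rhc/pphc naming seen in this post and in Jim's comment (the trailing part varies per machine), and it clears the registry values behind the gpedit.msc settings of step 4 instead of clicking through the editor. The registry paths, the name pattern and the -DryRun switch are my additions, not something the post describes.

```powershell
<#
  Added example, not code from the original post. Scripts steps 1-5 from an
  elevated PowerShell prompt. Assumptions not stated on the page: the rogue's
  names keep the lphc*/rhc*/pphc* prefixes (with a "b" prefix on the .scr), and
  the policy values below are where the step 4 gpedit.msc settings are stored.
  Run with -DryRun first: it lists what would be ended and deleted, changes nothing.
#>
param([switch]$DryRun)

# Matches the rogue names at the start of a string or right after a backslash
# (process names, Run value names and full paths such as ...\blphc9u2j0ejde.scr).
$RogueName = '(^|\\)b?(lphc|rhc|pphc)'

# --- Step 1: end the rogue processes, noting their paths for step 2 --------
$rogueFiles = @()
foreach ($proc in Get-Process | Where-Object { $_.Name -match $RogueName }) {
    $path = $null
    try { $path = $proc.Path } catch { }          # Path can be unreadable for some processes
    Write-Host "Ending $($proc.Name) (PID $($proc.Id)) at $path"
    if ($path) { $rogueFiles += $path }
    Stop-Process -Id $proc.Id -Force -WhatIf:$DryRun
}

# --- Step 2: delete the files behind those processes plus the known drops ---
$rogueFiles += Get-ChildItem "$env:SystemRoot\System32" -Filter 'blphc*.scr' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName }
$rogueFiles += Get-ChildItem $env:ProgramFiles -Filter 'rhc*' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    Get-ChildItem -Recurse -Include '*.exe' |
    ForEach-Object { $_.FullName }
foreach ($file in $rogueFiles | Where-Object { $_ } | Sort-Object -Unique) {
    if (Test-Path $file) {
        Write-Host "Deleting $file"
        Remove-Item $file -Force -WhatIf:$DryRun
    }
}

# --- Step 3: remove the autostart entries msconfig lists on its Startup tab -
# msconfig only unchecks them; removing the Run values gets rid of them for good.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in $runKeys) {
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $values) { continue }
    foreach ($v in $values.PSObject.Properties) {
        if ($providerProps -contains $v.Name) { continue }   # skip the provider's own fields
        if ($v.Name -match $RogueName -or "$($v.Value)" -match $RogueName) {
            Write-Host "Removing startup entry '$($v.Name)' = $($v.Value)"
            Remove-ItemProperty -Path $key -Name $v.Name -WhatIf:$DryRun
        }
    }
}

# --- Step 4: clear the Display policies the rogue set (gpedit.msc equivalents) -
# Deleting the value lifts the restriction, the same effect as Disabled / Not configured.
$policies = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' = @(
        'NoDispCPL',             # Remove Display in Control Panel
        'NoDispBackgroundPage',  # Hide Desktop tab
        'NoDispAppearancePage',  # Hide Appearance and Themes tab
        'NoDispSettingsPage',    # Hide Settings tab
        'NoDispScrSavPage'       # Hide Screen Saver tab
    )
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' = @(
        'NoChangingWallPaper'    # Prevent changing wallpaper
    )
}
foreach ($key in $policies.Keys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($name in $policies[$key]) {
        if (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue) {
            Write-Host "Clearing policy $name under $key"
            Remove-ItemProperty -Path $key -Name $name -WhatIf:$DryRun
        }
    }
}

# --- Step 5: drop the rogue screen saver and push the settings to the session -
$desktop  = 'HKCU:\Control Panel\Desktop'
$scrnsave = (Get-ItemProperty -Path $desktop -ErrorAction SilentlyContinue).'SCRNSAVE.EXE'
if ($scrnsave -and $scrnsave -match $RogueName) {
    Write-Host "Removing screen saver $scrnsave"
    Remove-ItemProperty -Path $desktop -Name 'SCRNSAVE.EXE' -WhatIf:$DryRun
}
if (-not $DryRun) { rundll32.exe user32.dll,UpdatePerUserSystemParameters }   # or just reboot

# --- Check: nothing matching should still be running ------------------------
$left = Get-Process | Where-Object { $_.Name -match $RogueName }
if ($left) { Write-Warning "Still running: $($left.Name -join ', '); re-check the paths printed above" }
else       { Write-Host "No lphc/rhc/pphc processes left; restart and confirm Display Properties works." }
```

Run it once as `.\clean-antivirusxp.ps1 -DryRun` and read the list: the rhc prefix is short enough that a legitimate program could match it, so confirm every path is under the rogue's folder before running without the switch. A restart afterwards is still worth doing, because it proves the Run entries and the screen saver really are gone rather than re-created.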
(Updated 9 August 2008) Video of the screen saver installed by Antivirus XP 2008.
After this attack I decided to install a dedicated anti-spyware program. After looking through a bunch of them, I finally settled on
I think it is a good idea to have one on your system.