PC Hell: How to Remove AntiVirusGolden or AntiViralGolden

Removal of AntivirusGolden or AntiviralGolden

How Did My Computer Become Infected with AntivirusGolden?

You've been the victim of a SmitFraud attack that has downloaded AntivirusGolden and told you that you need to purchase it to remove many spyware problems. SmitFraud attacks show fake antispyware programs popups on your screen and/or a balloon popup from the windows system tray displaying a warning message that your computer is infected with spyware and telling you to purchase, download & install their program to remove it.

If your computer has become infected with one of these "spyware removal programs", you probably downloaded an infected codec program when you tried to watch a video online or you may have been hit by a "drive-by" installation of Smitfraud.

In any case, you'll want to follow the directions below to remove both the Smitfraud infection and AntiVirusGolden and gain control of your computer again.

In many of the infected computers I've dealt with, programs like "Video Access ActiveX Object" show up in the Control Panel and are the initial infection that start the whole issue. Most of these programs when scanned with an up-to-date virus scanner are shown to be infected with viruses like Troj.Zlob.AN or Spyware.Cyberlog-X.

In the case of AntivirusGolden, I was confronted with the following popup message of a Critical System Warning telling me I had been infected with Cyberlog-X

Soon after I was presented with the AntivirusGolden advertisement on my screen.

and then it downloaded, placed the following icon on my desktop and started scanning the system

The Hijackthis log shows the following information. Problem files are bolded.

Logfile of HijackThis v1.99.1
Scan saved at 5:38:50 PM, on 3/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Video Access ActiveX Object\pmsnrr.exe
C:\Program Files\Video Access ActiveX Object\pmmnt.exe
C:\Program Files\Video Access ActiveX Object\pmmnt.exe
C:\Program Files\AntiviralGolden\AntiviralGolden.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AntiviralGolden] C:\Program Files\AntiviralGolden\AntiviralGolden.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163981700061
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe

Step by Step Procedure for Removing AntivirusGolden or AntiviralGolden

Before attempting this removal procedure, download the following removal tools to your desktop and install them.

SmitRem by NoahdFear - Tool to remove Spyaxe and related infections
SmitFraudFix - Tool to remove most SmitFraud infections
MalwareBytes Anti-Malware - tool to remove Rogue applications and much more (highly recommended)
HijackThis 1.99.1 - Essential tool for finding spyware, virus, trojan, and other problems
CCleaner - Free tool for removing temporary files, cookies, history, and cleaning up registry problems

Removal Procedure

1) Download the programs above to your desktop, extracting and install them.

2) Open SmitFraudFix, and choose option 4 to check for updates and download any updates, then quit the program

3) Restart your computer in Safe Mode

4) Open the SmitRem folder and double-click on RunThis.bat to start the SmitRem removal procedure. Besides removing particular files that it looks for, the tool also runs the Disk Cleanup tool to remove temporary files on the hard drive that may contain problem files. For a Tutorial on using SmitRem click here

5) After SmitRem has finished, open SmitFraudFix and choose to search (option 1) and clean (option 2) and run a full system scan to remove anything it finds. For a tutorial on using SmitFraudFix click here

6) Double-click on MalwareBytes, install it, update it, and run it to remove misc rogue application files. If you prefer you can purchase MalwareBytes Anti-Malware which provides a realtime monitor that will alert you if you attempt to download a rogue program.

7) While still in Safe Mode, run CCleaner. Analyze and Clean files it finds, then click on the Issues button on the left side of the screen and Scan and Fix any Registry issues CCleaner discovers. Run both the Registry Scanner and the File Analyzer until nothing else is found.

8) Run Hijackthis and Remove any leftover issues. If you are not sure, if a line in Hijackthis is a problem, reboot in normal mode and use the Online HiJackthis Scanner to see if the file is a threat. Just copy and paste your Hijackthis log file into the scanner and let it analyze it for you. Although its not perfect, it will give you an idea if your system is clean or still needs some work. Do not delete anything with Hijackthis unless you are absolutely sure what the file is and what it does.

Another great tool to use is Process Library to see if a file is a threat.

For items in the Hijackthis log like the following, that will not delete manually, use KillBox to browse to the location of the file and delete it or delete it on reboot. Items that are impossible to remove unless using Killbox usually show up in the 20 section of Hijackthis.

O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: winrir32 - C:\WINDOWS\SYSTEM32\winrir32.dll
O20 - Winlogon Notify: dvd4free - C:\WINDOWS\SYSTEM32\dvd4free.dll

9) Reboot computer in Normal mode

10) Open the Add/Remove Control Panel, and uninstall any leftover programs like "AntivirusGolden" or any Video Active X programs that were the root cause of the infection.

AntivirusGolden Add/Remove

11) Delete any leftover directories for AntivirusGolden in the C:\Program Files folder by right-clicking on the AntivirusGolden folder and choosing Delete.

12) Scan your computer with online virus scanner like Housecall, BitDefender, or eTrust or download and install an antivirus program and run a complete scan. A list of online scanners is below, some however will only scan but not remove issues.

Online Virus Checkers
Trend Micro Housecall - will scan and remove threats
BitDefender Scan Online - will scan and remove threats
Ewido Online Scanner - will scan and remove threats
Kaspersky Online Scan - will scan and remove threats
Panda Activescan - appears to only scan for but not remove threats
McAfee FreeScan - appears to only scan for but not remove threats
eTrust Antivirus Web Scanner - will scan and remove threats
Symantec Security Check - will scan and remove threats
Dr.Web Online Check - user can upload and test for threats on particular files

You may also want to run a thorough scan for adware/spyware using Ad-aware SE, Spybot Search and Destroy, or Windows Defender as well to make sure your system is absolutely clean of other malware.

You can visit my page for other Essential Tools to Use in Removing Spyware, Adware, Trojans, and Viruses

Congratulations! Your computer should be free of the AntivirusGolden. Please be careful when being prompted to download any more Video Active X components to watch a particular video. If in doubt, dont install it.

Printer Friendly Version of This Page