Uninvited Programme

The machines we love to hate

Moderator: Wiz Feinberg

Howard Warehand
Posts: 60
Joined: 23 Jan 2003 1:01 am
Location: Hertford, United Kingdom


Post by Howard Warehand »

After browsing the web I realised that I had collected an uninvited small programme, an icon on my desktop and in the taskbar (at the bottom of the screen). It is a link to "Antivirgear.Com" in Latvia!! trying to frighten me into buying their spyware products. I have successfully deleted the small resident programme and the desktop icon but I am not sure how to delete the icon in the taskbar. It still links me to their site and now and again produces a "Speech Bubble" describing how dreadful it would be without their protection!!!! I run XP Home edition with Norton 2007 AntiVirus and a full system scan shows I'm clear so now it is just so annoying that I can't get rid of this intruder. Advice would be most welcome please.
Regards, Howard.
Dave Potter
Posts: 1564
Joined: 15 Apr 2003 12:01 am
Location: Texas

Post by Dave Potter »

Norton isn't seeing it as anything untoward, thus, no alerts. Adequate reason to dump Norton and download and run one of the better, and free, anti-virus apps, like Avast or AVG (which I use).

But, back to the point and your question, from your description, there's still something running in the background that needs eliminating. That's why it's showing up in your taskbar and doing the "bubble" thing.

I Googled "antivirgear" and got lots of hits. It's apparently related to a trojan variant, and it's invasive and pervasive, meaning you probably still have a lot of files and registry entries on your system you need to get rid of. Removal will probably be tedious and time-consuming.

Of the many Google hits I found, I looked at a few and thought this one looked like a good way to start. Good luck.
Howard Warehand
Posts: 60
Joined: 23 Jan 2003 1:01 am
Location: Hertford, United Kingdom

Post by Howard Warehand »

Dave
Very grateful for your advice and information links, looks like a midnight oil job. To be fair to Norton, the autoprotect log does show the following activities took place at the time of the "download":
Trojan.Zlob. Detected and Deleted.
Trojan.ZlobN. Detected and Deleted.
AntiVirGear. System access denied.
Does this alter things or am I still in trouble??
H.
Wiz Feinberg
Posts: 6091
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Howard;
Download SpyBot Search and Destroy, install and thoroughly update it to current definitions, then "Immunize" then "Check for problems," then Select all problem files and "Fix selected problems." If you are unfamiliar with the program see my blog entries about Spybot and read the articles and my extended comments for directions.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Dave Potter
Posts: 1564
Joined: 15 Apr 2003 12:01 am
Location: Texas

Post by Dave Potter »

Howard Warehand wrote:
> Dave
> Very grateful for your advice and information links, looks like a midnight oil job. To be fair to Norton, the autoprotect log does show the following activities took place at the time of the "download":
> Trojan.Zlob. Detected and Deleted.
> Trojan.ZlobN. Detected and Deleted.
> AntiVirGear. System access denied.

That last line is troublesome. Apparently, Norton dealt with the other two, but some aspect of "AntiVirGear" foiled it, which is common with these kinds of problems. The malware is coded to prevent antivirus software from deleting it, or, if deletion does occur, the malware regenerates itself on the next startup.

> Does this alter things or am I still in trouble??

IMO, there's still work to be done.

If I were in your situation, I'd first follow Wiz's suggestion to d/l, update, and run Spybot Search and Destroy and see what happens. Hopefully, that'll fix it. But there's still the chance it won't, and if that were the case, I'd be aggressively following all the remedial steps I could find (as with the link I provided earlier and others) to ensure all vestiges of the trojan have been eliminated. This one apparently has several layers of ability to cause trouble, as you know by now, in that you've tried to uninstall the "program" but still have something running in the background.

Again, good luck, and, as always, the standard disclaimer is that making changes to the registry can render your system unbootable. I would make appropriate backups before making these kinds of changes just to be safe.
Wiz Feinberg
Posts: 6091
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA

Post by Wiz Feinberg »

Spybot is able to rerun before the Windows "Explorer" desktop loads, after you reboot, after running Spybot the first time. By running a scan before the malware is able to load into memory, access restrictions imposed by the malware are bypassed.
Howard Warehand
Posts: 60
Joined: 23 Jan 2003 1:01 am
Location: Hertford, United Kingdom

Post by Howard Warehand »

Dave/Wiz
My grateful thanks to you both, I reckon with this information I will be able to sort it out. Thanks again, Howard.
Al Marcus
Posts: 9440
Joined: 12 May 1999 12:01 am
Location: Cedar Springs,MI USA (deceased)

Post by Al Marcus »

This is good information for all of us relating to computers. Thanks Wiz....al.:):)
Michigan (MSGC)Christmas Dinner and Jam on my 80th Birthday.

My Email.. almarcus@cmedic.net
My Website..... www.cmedic.net/~almarcus