Google involved in spreading XP Antivirus 2009 and Vista Antivirus 2009

As my last post generated huge interest, I did some quick research on this trojan, which has spread so widely.

Almost all of my search keywords are “How to remove XP Antivirus 2008”.

I have written before about removing the trojan. Write to me if you have more questions or problems – I will try to help with advice.

If I don't know something, I ask Google.

And the irony in this case is that Google told me that Google was spreading malware via its AdWords links.

If you don’t know – AdWords is Google's advertising program. They get paid to put ads on some pages and on the main search results page too.

Some of those advertising links belonged to hackers. They redirected users who clicked on their links to a trojan downloader page. This way many web users became infected with viruses just by surfing the web.

The good news is Google have identified and canceled AdWords accounts which displayed malicious ads re-directing users to hacker sites.

More info can be found at the official Google AdWords blog.

XP Antivirus 2008 is a Trojan!

I was surfing the net when a red alert started to appear in the tray menu. It read that Windows Security has to be updated.

It offered me a site with “XP Antivirus 2008”.

As I thought it was a Microsoft Security Center alert, I entered the site http://s c a n n e r . a n v i-s c a n n e r . c o m / 3 4 /? a d v i d  =  0 0 0 0 0 0 4 6 8 3 & H T T &  /Attention – better not to try to open it/

When I saw the fake system scan and the $20 price to “clean my system”, I quickly left, but it was too late.

Then Avira Antivir started to alert about detected viruses. The computer became very slow.

I restarted in Safe Mode /F8/ and ran Spyware Doctor – it found more than 20 viruses and 30 infected files. Spyware Doctor cleaned them. I had disabled System Restore in advance. /Important!/

Then I ran Avira Antivir again and cleaned 17 trojans.

Open Task manager /alt+ctrl+del/ and stop the following processes:


Then remove the following XP Antivirus 2008 registry values:

HKEY_USERS\Software\XP antivirus
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run smrhc7nsj0e57c
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c displayname
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c uninstallstring
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c advid
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c automaticallyupdates
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c backgroundscan
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c backgroundscantimeout
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c databaseversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c daysinterval
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c domain
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c engineversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c guiversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c installdir
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c minimizeonstart
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c programversion
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c proxyname
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c proxyport
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c registrationdiscurl
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c registrationurl
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scandepth
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scanpriority
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c scansystemonstartup
HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c softid

This way I cleaned my system from that annoying malware.
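A read-only check for the registry entries listed above, as an added example that is not part of the original post: it reports which of the listed keys and values exist, so you can export them before deleting anything. The key and value names are copied from the list; the variable names are my own, and it assumes Windows PowerShell is available on the machine.

```powershell
# Added example: read-only audit of the registry entries listed in the post.
# Nothing is modified or deleted.
$run       = 'HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run'
$uninstall = 'HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\rhc7nsj0e57c'
$product   = 'HKEY_LOCAL_MACHINE\software\rhc7nsj0e57c'

# Each entry: a key from the list and the value names listed under it.
# An empty Names array means the post lists the key itself, with no value name.
$listed = @(
    @{ Key = 'HKEY_USERS\Software\XP antivirus'; Names = @() },
    @{ Key = $run;       Names = @('smrhc7nsj0e57c') },
    @{ Key = $uninstall; Names = @('displayname', 'uninstallstring') },
    @{ Key = $product;   Names = @(
        'advid', 'automaticallyupdates', 'backgroundscan', 'backgroundscantimeout',
        'databaseversion', 'daysinterval', 'domain', 'engineversion', 'guiversion',
        'installdir', 'minimizeonstart', 'programversion', 'proxyname', 'proxyport',
        'registrationdiscurl', 'registrationurl', 'scandepth', 'scanpriority',
        'scansystemonstartup', 'softid') }
)

$findings = foreach ($entry in $listed) {
    $path = 'Registry::' + $entry.Key
    if (-not (Test-Path -LiteralPath $path)) { continue }   # key absent: nothing to report
    $regKey = Get-Item -LiteralPath $path
    if ($entry.Names.Count -eq 0) {
        New-Object PSObject -Property @{ Key = $entry.Key; Value = '(whole key)'; Data = $null }
        continue
    }
    # -contains is case-insensitive, like registry value names.
    $present = $regKey.GetValueNames()
    foreach ($name in $entry.Names) {
        if ($present -contains $name) {
            New-Object PSObject -Property @{
                Key = $entry.Key; Value = $name; Data = $regKey.GetValue($name)
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table Key, Value, Data -AutoSize -Wrap
} else {
    'None of the listed registry entries are present.'
}
```

The Data column shows what each value contains, for example the program path stored in the run value, which is worth noting before the entry is removed.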