For example In “How to remove antivirus XP 2008“  MK asked

when i go to start run gpedit.msc my computer says windows can not find it ???

So I thought instead of replying to in the comments itself I will post the solution here and refer everyone to this post

As I had already mentioned in my first newfolder.exe virus removal article you can download the french version of gpedit.msc from bogdan.org.ua.

Once you download it you can install it as follows. I am quoting directly from that article itself

However, here are some short instructions in English for manual MMC snap-in installation (batch file from the archive does everything automatically, but you’ll have to edit-verify the batch file first):

* put these files: (appmgmts.dll, appmgr.dll, fde.dll, fdeploy.dll, gpedit.msc, gpedit.dll, gptext.dll) into %SystemRoot%\system32\ folder

* put these files: (system.adm, inetres.adm, conf.adm) into %SystemRoot%\system32\GroupPolicy\Adm\ (create if this folder doesn’t exist)

* finally, run these commands one by one in the CMD window:

regsvr32 gpedit.dll
regsvr32 fde.dll
regsvr32 gptext.dll
regsvr32 appmgr.dll
regsvr32 fdeploy.dll

That should do it.

You should read the article at Bogdan for more detailed instructions.

As for french, most of the articles that I have written I have attached the image that shows the exact line that needs to be modified, you can use them as reference.

I hope this will help you install the gpedit.msc on your system.

Earlier it was “New Folder.exe” and then these other irritating viruses, and now Antivirus XP 2008.

Thanks god this time my Avast was able to detect the virus and delete it. But the real problem was, the moment this rootkit  virus was detected and deleted, Antivirus XP would again install this rootkit virus.

Initially I thought that a boot time scan would be sufficient to remove this virus from my system, though it does not turned out that effective even though Avast removed more then 240 infected files.

The reason turned out to be Antivirus XP 2008, it was running at boot time resulting in re-infection.

So I finally had to get into action, to take back the control of my PC.

Here is step by step account of what I did(remember all this was done immediately after boot-time scan by Avast) to uninstall and remove it from my PC.

Step 1: Open Task Manager And End The Infecting Processes

Right click on the task bar and select the task manager, go to processes tab and end following process if found running(please note down the path)

• lphc9u2j0ejde.exe, and
• rhccu2j0ejde.exe (this is the process for antivirus xp software)

please not the actually name in you list may very, so you may want to kill any process name starting with lphc or rhc. Just remember even if you make mistake by closing wrong process you can always restart you system.

Step 2: Delete The Infecting Programs

Find the files whose process you just closed(& path noted above), and either rename them or delete them.

They are usually found at following locations

• C:\windows\system32\lphc9u2j0ejde.exe,
• c:\windows\system32\blphc9u2j0ejde.scr, (updated on 28th july) and
• C:\program files\rhc75dj0e1an\rhccu2j0ejde.exe

Once you delete these two files you effectively removed the virus, but now we have to remove the side effects.

(update 8 august 2008) it is worth highlighting comment made by Jim, thanks Jim.

 In order to avoid the problem with french I had my brother email me the english gpedit files from his computer. In addition to the files you indicated to delete from task manager I also found pphc5u2j0ejde.exe, so anyone doing this should look for files similar in nature. the jOejde.exe part on the end is the same but the beginning may be different

Step 3: Open msconfig To Clean Start Programs

Click ‘start’->run and type ‘msconfig’ in run window. This will open system configuration utility. If you get any warning or the msconfig window closes automatically then you should check out “How to stop regedit, taskmanager or msconfig from closing automatically“.

Click on startup Tab, and uncheck the boxes in front of “lphc and rhc” files as shown in figure, and click apply.

Let’s now do a cold boot of the system(basically press the reset button on your PC). Wait for computer to boot again.

Step 4: Change Group Policy To Restore Wallpaper

Click ‘start’->run and type ‘gpedit.msc’ in run window. This will open Group policy.

Now navigate to User configuration -> Administrative Templates ->Control Panel-> Display.

Finally double click on following items to open properties window and change the setting to disabled.

1. Remove Display in Control Panel
2. Hide Desktop Tab
3. Prevent changing wallpaper
4. Hide Appearance and Themes tab
5. Hide Settings tab
6. Hide Screen Saver tab

Check the picture above for more detailed view.

This will allow you to change the wallpaper back to normal.

Please also check the alternative suggested by itzel in comments below, in case you don’t have gpedit on your system.

(Update 5th step added on 28th July)

Step 5 : Change Screen Saver

You will need to change the screen saver from “blphc9u2j0ejde” to something else.

updated on 9-august-2008

Video of screensaver that is installed by Antivirus xp 2008.

After this attack I have decided to install a dedicated Anti-Spyware program. After looking through bunch of them, I have finally settled for
Spyware Doctor
.

I think it is good idea to have one, on your system.

Now i have to say as i have yet to face this issue personally myself, i am not really able to suggest anything but to recommend people to do a boot time scan from avast, and hope that fixes their problem.

But after receiving a repeated request to fix this issue, i decided to write about the approach that i would take if i face this problem and to collaborate with you to solve your problem and in the process create a workable solution to fix this problem, once and for all.

Symptoms of the problem that we are tying to solve,

1. you open regedit, the regedit window flickers and closes again,
2. you open taskmanager, window opens and immediately closes.
3. you try to open msconfig, window closes the moment it opens.

What might be happening?

My thinking is that some rouge process is running that is scanning for these applications and the moment they open, it closes them.

Our Aim : to identify and kill

so what we need to do is, identify these rouge programs and destroy them by first killing the running process and then deleting the actual application from the system. We need to do this to prevent them from running again.
So first let’s try this solution,

1. Create the copy of regedit.exe file and put it in another directory.
   1. you can do this by selecting the regedit.exe file(located in c:\windows directory) and pressing crtl+c and then crtl+v
   2. move this copied file to another new directory say c:\eme_utils
2. Similarly create the copy of task manager located at (C:\WINDOWS\system32\taskmgr.exe) and system configuration utility aka msconfig located at (C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe)
3. Now run these copies by clicking them, to see if you can access the respective applications.

if you don’t want to do this manually you may want to download the xp_emergency tool which does this for you in Windows XP OS.

With this hopefully we may have bypassed the restrictions imposed by the virus or worm or any rouge application, we still need to identify and kill them so that we can leave in peace instead of using alternative solutions.

So let’s start the identification process,

just a warning, this is a repetitive and frustrating process but if you really want to use the taskmanger, regedit or msconfig then you will have to find the process and kill it, so let’s start the journey.

you will need to download Process Explorer from system internals, so that we can identify the culprit process.

once you have downloaded it, extract the zip file and run the procexp.exe file by double clicking it. This will show you all the processes running right now.

From here onwards you are almost on your own, you will have to trust your own knowledge of your system and your intuition. What we now need to do is to kill the processes that you can’t identify.

Note : before making any changes please keep a screen shot or write down the changes that you are doing.

1. Look for any process that you can’t identify the source. as you can see from this image<image above> process explorer gives the description and company name of all the process that are running. so the first targets would be the application that you can’t identify the company name or application that you might not have installed.
2. Once you think a process as rouge, note down the path of that application(this will help you delete the file later) by right clicking the name and clicking on properties window in the pop up.
3. 
4. Now kill the process tree by right clicking and choosing the kill process tree option <image>
5. It is the time now to check if we have killed the right process or not, do find that out simply run the regedit or taskmanger or msconfig and see if they stay opened. if they do, move on to next step otherwise get back to step 1.

Worst that can happen at this stage is that you might kill some important process, in that case you have to just restart the system and you will be back from where you started.

6. Once you have identified the process, we will now rename this application by changing the extension to something like *.fix or any thing you like by going to the path that we noted above. We did not delete the file at this stage because we want to be sure that this is the culprit file and not some other file.
7. To verify this just restart you system and see if you can still access the regedit, task manger or msconfig, if you can then you want to delete the file that we renamed above.
8. If not then we will have to start the identification process again, so start from step 1.

Here are some of the known rouge process that are know to do such things

• WebRebates0.exe
• WebRebates1.exe
• msconfig35.exe
• msconfig45.exe
• funny ust scandal.avi.exe,
• SMSS.exe ( an important windows process, Session Manager Subsystem, of same name also exists so be very careful before killing it.)
• Killer.exe

If you fear, or, are not able to identify the process in that case you may want to save the process explorer output in a text file by hitting crtl+s and post the output in comment below so that I or others who have faced the problem will try to help you identify the rouge process to kill.

I am interested in knowing if this process helped you or not, It will be really good if you can participate in this process and leave a note below about all the rouge process or application that you identified.

This will help others to solve their problem as you might have already noticed their is very little help out their regarding this problem.

I was surprised that my most reliable friend Avast, for the first time failed me in this war against viruses but then again avg and bitdiffender also failed against it. This virus is know popularly as regsvr.exe virus, or as new folder.exe virus and most people identify this one by seeing autorun.inf file on their pen drives, But trend micro identified it as WORM_DELF.FKZ. It is spreading mostly using pen drives as the medium.

Well, so here is the story of how i was able to kill the monster and reclaim my hard disk space.

Manual Process of removal

I prefer manual process simply because it gives me option to learn new things in the process.

So let’s start the process off reclaiming the turf that virus took over from us.

1. Cut The Supply Line
   1. Search for autorun.inf file. It is a read only file so you will have to change it to normal by right clicking the file , selecting the properties and un-check the read only option
   2. Open the file in notepad and delete everything and save the file.
   3. Now change the file status back to read only mode so that the virus could not get access again.
   4. 
   5. Click start->run and type msconfig and click ok
   6. Go to startup tab look for regsvr and uncheck the option click OK.
   7. Click on Exit without Restart, cause there are still few things we need to do before we can restart the PC.
   8. Now go to control panel -> scheduled tasks, and delete the At1 task listed their.
2. Open The Gates Of Castle
   1. Click on start -> run and type gpedit.msc and click Ok.
   2. 
   3. If you are Windows XP Home Edition user you might not have gpedit.msc in that case download and install it from Windows XP Home Edition: gpedit.msc and then follow these steps.
      
   4. Go to users configuration->Administrative templates->system
   5. Find “prevent access to registry editing tools” and change the option to disable.
   6. 
   7. Once you do this you have registry access back.
3. Launch The Attack At Heart Of Castle
   1. Click on start->run and type regedit and click ok
   2. Go to edit->find and start the search for regsvr.exe,
   3. 
   4. Delete all the occurrence of regsvr.exe; remember to take a backup before deleting. KEEP IN MIND regsvr32.exe is not to be deleted. Delete regsvr.exe occurrences only.
   5. At one ore two places you will find it after explorer.exe in theses cases only delete the regsvr.exe part and not the whole part. E.g. Shell = “Explorer.exe regsvr.exe” the just delete the regsvr.exe and leave the explorer.exe
4. Seek And Destroy the enemy soldiers, no one should be left behind
   1. Click on start->search->for files and folders.
   2. Their click all files and folders
   3. Type “*.exe” as filename to search for
   4. Click on ‘when was it modified ‘ option and select the specify date option
   5. Type from date as 1/31/2008 and also type To date as 1/31/2008
   6. 
   7. Now hit search and wait for all the exe’s to show up.
   8. Once search is over select all the exe files and shift+delete the files, caution must be taken so that you don’t delete the legitimate exe file that you have installed on 31^st January.
   9. Also selecting lot of files together might make your computer unresponsive so delete them in small bunches.
   10. Also find and delete regsvr.exe, svchost .exe( notice an extra space between the svchost and .exe)
5. Time For Celebrations
   1. Now do a cold reboot (ie press the reboot button instead) and you are done.

I hope this information helps you win your own battle against this virus. Soon all antivirus programs will be able to automatically detect and clean this virus. Also i hope Avast finds a way to solve this issues.

As a side note i have found a little back dog( winpatrol ) that used to work perfectly on my old system. It was not their in my new PC, I have installed it again , as I want to stay ahead by forever closing the supply line of these virus. You can download it form Winpatrol website.

UPDATE : Avast Boot Time Scheduling

Check out How to stop regedit, task manager and msconfig  from closing automatically if your regedit or msconfig closes automatically.