Friday
2008-11-28, 17:06
The following instructions have been created to help you to get rid of "AV-Gold" manually.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.
If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).
Threat Details:
Categories:
malware
Description:
As soon as the system is infected with AV-Gold, a red symbol and a balloon come up next to the system clock asking the user to scan his computer for viruses. Clicking on this symbol leads to a dubious web site offering a "free scan". After downloading the program it finds alleged viruses (hookdump) which get installed by AV-Gold and asks the user to remove those. Of course, this is only possible after purchasing the program for $20.
Supposed Functionality:
AV Gold claims to be a virus scanner.
Removal Instructions:
Desktop:
Please remove the following files from your desktop.
To check where they are pointing to, right-click them and choose "Properties" from the context menu appearing.
Shortcuts named "AntivirusGold.lnk" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe".
Shortcuts named "AntivirusGold.lnk" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe".
Shortcuts named "AntivirusGold.lnk" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe".
Start Menu:
Please remove the following items from your start menu.
To check where they are pointing to, right-click them and choose "Properties" from the context menu appearing.
Items named "AntivirusGold 2.0.lnk" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe".
Items named "AntivirusGold 2.0.lnk" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe".
Items named "AntivirusGold 2.0.lnk" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe".
Quicklaunch area:
Please remove the following items from your start quick launch area text to the "Start" button in the taskbar at the bottom.
To check where they are pointing to, right-click them and choose "Properties" from the context menu appearing.
Quicklaunch symbols named "AntivirusGold.lnk" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe".
Quicklaunch symbols named "AntivirusGold 2.0.lnk" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe".
Important: There are more quicklaunch items that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.
Autorun:
Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.
Entries named "Intel system tool" and pointing to "<$SYSDIR>\hookdump.exe".
Entries named "AntivirusGold".
Entries named "Intel system tool" and pointing to "<$SYSDIR>\hookdump.exe".
Entries named "Intel system tool" and pointing to "<$SYSDIR>\hookdump.exe".
Entries named "AntivirusGold" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe /h".
Entries named "Intel system tool" and pointing to "<$SYSDIR>\hookdump.exe".
Entries named "AntivirusGold" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe /h".
Entries named "Intel system tool" and pointing to "<$SYSDIR>\winnook.exe".
Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.
Installed Software List:
You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.
Products that have a key or property named "Antivirus-Golden".
Products that have a key or property named "AntivirusGolden".
Products that have a key or property named "Antivirus Golden".
Products that have a key or property named "Antivirus-Gold".
Products that have a key or property named "Antivirus Gold".
Products that have a key or property named "AntivirusGold".
Files:
Please use Windows Explorer or another file manager of your choice to locate and delete these files.
The file at "<$PROGRAMFILES>\Antivirus-Golden\Antivirus-Golden.exe".
The file at "<$PROGRAMFILES>\Antivirus-Golden\Antivirus-Golden.url".
The file at "<$PROGRAMFILES>\Antivirus-Golden\db.dat".
The file at "<$PROGRAMFILES>\Antivirus-Golden\DbgHelp.Dll".
The file at "<$PROGRAMFILES>\Antivirus-Golden\generalConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus-Golden\monitorConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus-Golden\scannerConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus-Golden\usageStats.xml".
The file at "<$PROGRAMFILES>\AntivirusGolden\AntivirusGolden.exe".
The file at "<$PROGRAMFILES>\AntivirusGolden\AntivirusGolden.url".
The file at "<$PROGRAMFILES>\AntivirusGolden\db.dat".
The file at "<$PROGRAMFILES>\AntivirusGolden\DbgHelp.Dll".
The file at "<$PROGRAMFILES>\AntivirusGolden\generalConfig.xml".
The file at "<$PROGRAMFILES>\AntivirusGolden\monitorConfig.xml".
The file at "<$PROGRAMFILES>\AntivirusGolden\scannerConfig.xml".
The file at "<$PROGRAMFILES>\AntivirusGolden\usageStats.xml".
The file at "<$PROGRAMFILES>\Antivirus Golden\Antivirus Golden.exe".
The file at "<$PROGRAMFILES>\Antivirus Golden\Antivirus Golden.url".
The file at "<$PROGRAMFILES>\Antivirus Golden\db.dat".
The file at "<$PROGRAMFILES>\Antivirus Golden\DbgHelp.Dll".
The file at "<$PROGRAMFILES>\Antivirus Golden\generalConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus Golden\monitorConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus Golden\scannerConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus Golden\usageStats.xml".
The file at "<$PROGRAMFILES>\Antivirus-Gold\Antivirus-Gold.exe".
The file at "<$PROGRAMFILES>\Antivirus-Gold\Antivirus-Gold.url".
The file at "<$PROGRAMFILES>\Antivirus-Gold\db.dat".
The file at "<$PROGRAMFILES>\Antivirus-Gold\DbgHelp.Dll".
The file at "<$PROGRAMFILES>\Antivirus-Gold\generalConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus-Gold\monitorConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus-Gold\scannerConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus-Gold\usageStats.xml".
The file at "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe".
The file at "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.url".
The file at "<$PROGRAMFILES>\AntivirusGold\db.dat".
The file at "<$PROGRAMFILES>\AntivirusGold\DbgHelp.Dll".
The file at "<$PROGRAMFILES>\AntivirusGold\generalConfig.xml".
The file at "<$PROGRAMFILES>\AntivirusGold\monitorConfig.xml".
The file at "<$PROGRAMFILES>\AntivirusGold\scannerConfig.xml".
The file at "<$PROGRAMFILES>\AntivirusGold\usageStats.xml".
The file at "<$PROGRAMFILES>\Antivirus Gold\Antivirus Gold.exe".
The file at "<$PROGRAMFILES>\Antivirus Gold\Antivirus Gold.url".
The file at "<$PROGRAMFILES>\Antivirus Gold\db.dat".
The file at "<$PROGRAMFILES>\Antivirus Gold\DbgHelp.Dll".
The file at "<$PROGRAMFILES>\Antivirus Gold\generalConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus Gold\monitorConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus Gold\scannerConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus Gold\usageStats.xml".
The file at "<$PROGRAMFILES>\Antivirus-Golden\Lang\English.ini".
The file at "<$PROGRAMFILES>\AntivirusGolden\Lang\English.ini".
The file at "<$PROGRAMFILES>\Antivirus Golden\Lang\English.ini".
The file at "<$PROGRAMFILES>\Antivirus-Gold\Lang\English.ini".
The file at "<$PROGRAMFILES>\AntivirusGold\Lang\English.ini".
The file at "<$PROGRAMFILES>\Antivirus Gold\Lang\English.ini".
The file at "<$PROGRAMFILES>\Antivirus-Golden\Logs\scan_log_11282006-093511.html".
The file at "<$PROGRAMFILES>\AntivirusGolden\Logs\scan_log_11282006-093511.html".
The file at "<$PROGRAMFILES>\Antivirus Golden\Logs\scan_log_11282006-093511.html".
The file at "<$PROGRAMFILES>\Antivirus-Gold\Logs\scan_log_11282006-093511.html".
The file at "<$PROGRAMFILES>\AntivirusGold\Logs\scan_log_11282006-093511.html".
The file at "<$PROGRAMFILES>\Antivirus Gold\Logs\scan_log_11282006-093511.html".
The file at "<$DESKTOP>\Antivirus-Golden.lnk".
The file at "<$DESKTOP>\AntivirusGolden.lnk".
The file at "<$DESKTOP>\Antivirus Golden.lnk".
The file at "<$DESKTOP>\Antivirus-Gold.lnk".
The file at "<$DESKTOP>\AntivirusGold.lnk".
The file at "<$DESKTOP>\Antivirus Gold.lnk".
The file at "<$SYSDIR>\hookdump.exe".
The file at "<$WINDIR>\screen.html".
The file at "<$LOCALSETTINGS>\Temp\AGLanguage.ini".
The file at "<$SYSDIR>\hookdump.exe".
The file at "<$SYSDIR>\hookdump.exe".
A file with an unknown location named "hookdump.exe".
The file at "<$LOCALSETTINGS>\Temp\AGLanguage.ini".
The file at "<$LOCALSETTINGS>\Temp\AntivirusGold 2.0 Installer.exe".
The file at "<$WINDIR>\screen.html".
The file at "<$SYSDIR>\hookdump.exe".
The file at "<$SYSDIR>\winnook.exe".
A file with an unknown location named "avg_setup.exe".
A file with an unknown location named "dd3.exe".
A file with an unknown location named "winnook.exe".
Make sure you set your file manager to display hidden and system files. If AV-Gold uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!
Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.
Folders:
Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
The directory at "<$PROGRAMS>\AntivirusGold".
The directory at "<$PROGRAMFILES>\AntivirusGold".
Make sure you set your file manager to display hidden and system files. If AV-Gold uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!
Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.
Registry:
You can use regedit.exe (included in Windows) to locate and delete these registry entries.
Delete the registry key "{17152BD5-4212-FEB6-BA05-A53571CF99F2}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{60F94D7D-563E-4942-B5EC-2DE9C135C139}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{715D709B-2B10-42FA-A069-297D25D93601}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{3F6D6C35-FB73-45E6-9473-BB4CC25CE019}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{886B1D08-B404-40F0-AA18-4E416682A2E9}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{8B5F65CF-0B0A-4291-8DA2-86D7F7B0A6DB}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{925B0211-A1C1-4712-8FCA-5F5B8101736D}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B01E37C4-5497-4D58-9FFD-D5653B8DC866}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{CCAA201C-C48D-48A8-A1E8-846562CBF1C1}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{D483521B-D5CC-43FF-A45A-9BE4A8E6606E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{ED2AFF47-B7BE-4273-A203-C796E87F72D2}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{F0FA7ED9-5A0A-4374-B63E-BEBAFD52192E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{F5DEE77C-87EB-4E00-BBF9-8CBF3BDEA7AF}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{FB5DDAB7-6AA5-4E97-9541-5A75ADDF4ABA}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{FDDF521B-0EBE-4D15-838C-73E2D851161B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{FF609434-EB47-481B-BA0E-1D2B467629A5}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "Cerberus.EXE" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "AntivirusGold" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "AntivirusGold.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
Delete the registry key "{020B1227-417D-4682-9AC3-61F43CB5B6B1}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{125494B2-ACAD-414c-98B9-452F3EF7703A}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{20A3D913-30EF-4e69-B3F7-93B3F1FB9D5C}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{3D00A39C-655B-428b-AEB2-2FBA03DCC49C}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{408F660A-9465-44a3-B557-8709DFD992BC}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{5F6BBD8A-18CF-4d55-8B4C-C9B4C9328DFE}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{8C56B6CE-C53F-44c4-9BDC-A9BC1711D05A}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{8EE6BF73-B370-4d13-9126-EB0071178F2E}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{97F56E12-C706-4aeb-9FFB-133C05EE5D38}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{9BB7E700-4E48-476d-B75C-6F47606BE988}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{9CB478A2-CA39-0CFD-EFAC-DB80710601D3}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{CBCACA58-1AEE-4600-8CF0-E8B30BFF1535}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{D6D64CDF-0363-4261-B723-29A3AF365E1D}" at "HKEY_CLASSES_ROOT\CLSID\".
A key in HKEY_CLASSES_ROOT\ named "Cerberus.EngineListener", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Cerberus.EngineListener.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Cerberus.Scanner", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Cerberus.Scanner.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Cerberus.ThreatCollection", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Cerberus.ThreatCollection.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Backup", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Backup.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.IgnoreList", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.IgnoreList.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Log", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Log.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.LogRecord", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.LogRecord.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Paths", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Paths.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Quarantine", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Quarantine.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.RunAs", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.RunAs.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.SearchItem", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.SearchItem.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Threat", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Threat.1", plus associated values.
If AV-Gold uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.
Final Words:
If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,
Please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where a volunteer analyst will advise you as soon as available.
Use this guide at your own risk; software should usually be better suited to remove malware, since it is able to look deeper.
If this guide was helpful to you, please consider donating towards this site (http://www.safer-networking.org/index.php?page=donate).
Threat Details:
Categories:
malware
Description:
As soon as the system is infected with AV-Gold, a red symbol and a balloon come up next to the system clock asking the user to scan his computer for viruses. Clicking on this symbol leads to a dubious web site offering a "free scan". After downloading the program it finds alleged viruses (hookdump) which get installed by AV-Gold and asks the user to remove those. Of course, this is only possible after purchasing the program for $20.
Supposed Functionality:
AV Gold claims to be a virus scanner.
Removal Instructions:
Desktop:
Please remove the following files from your desktop.
To check where they are pointing to, right-click them and choose "Properties" from the context menu appearing.
Shortcuts named "AntivirusGold.lnk" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe".
Shortcuts named "AntivirusGold.lnk" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe".
Shortcuts named "AntivirusGold.lnk" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe".
Start Menu:
Please remove the following items from your start menu.
To check where they are pointing to, right-click them and choose "Properties" from the context menu appearing.
Items named "AntivirusGold 2.0.lnk" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe".
Items named "AntivirusGold 2.0.lnk" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe".
Items named "AntivirusGold 2.0.lnk" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe".
Quicklaunch area:
Please remove the following items from your start quick launch area text to the "Start" button in the taskbar at the bottom.
To check where they are pointing to, right-click them and choose "Properties" from the context menu appearing.
Quicklaunch symbols named "AntivirusGold.lnk" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe".
Quicklaunch symbols named "AntivirusGold 2.0.lnk" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe".
Important: There are more quicklaunch items that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.
Autorun:
Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd), RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) or msconfig.exe to remove the following autorun entries.
Entries named "Intel system tool" and pointing to "<$SYSDIR>\hookdump.exe".
Entries named "AntivirusGold".
Entries named "Intel system tool" and pointing to "<$SYSDIR>\hookdump.exe".
Entries named "Intel system tool" and pointing to "<$SYSDIR>\hookdump.exe".
Entries named "AntivirusGold" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe /h".
Entries named "Intel system tool" and pointing to "<$SYSDIR>\hookdump.exe".
Entries named "AntivirusGold" and pointing to "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe /h".
Entries named "Intel system tool" and pointing to "<$SYSDIR>\winnook.exe".
Important: There are more autorun entries that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.
Installed Software List:
You can try to uninstall products with the names listed below; for items identified by other properties or to avoid malware getting active again on uninstallation, use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) or RunAlyzer (http://www.safer-networking.org/index.php?page=runalyzer) to locate and get rid of these entries.
Products that have a key or property named "Antivirus-Golden".
Products that have a key or property named "AntivirusGolden".
Products that have a key or property named "Antivirus Golden".
Products that have a key or property named "Antivirus-Gold".
Products that have a key or property named "Antivirus Gold".
Products that have a key or property named "AntivirusGold".
Files:
Please use Windows Explorer or another file manager of your choice to locate and delete these files.
The file at "<$PROGRAMFILES>\Antivirus-Golden\Antivirus-Golden.exe".
The file at "<$PROGRAMFILES>\Antivirus-Golden\Antivirus-Golden.url".
The file at "<$PROGRAMFILES>\Antivirus-Golden\db.dat".
The file at "<$PROGRAMFILES>\Antivirus-Golden\DbgHelp.Dll".
The file at "<$PROGRAMFILES>\Antivirus-Golden\generalConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus-Golden\monitorConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus-Golden\scannerConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus-Golden\usageStats.xml".
The file at "<$PROGRAMFILES>\AntivirusGolden\AntivirusGolden.exe".
The file at "<$PROGRAMFILES>\AntivirusGolden\AntivirusGolden.url".
The file at "<$PROGRAMFILES>\AntivirusGolden\db.dat".
The file at "<$PROGRAMFILES>\AntivirusGolden\DbgHelp.Dll".
The file at "<$PROGRAMFILES>\AntivirusGolden\generalConfig.xml".
The file at "<$PROGRAMFILES>\AntivirusGolden\monitorConfig.xml".
The file at "<$PROGRAMFILES>\AntivirusGolden\scannerConfig.xml".
The file at "<$PROGRAMFILES>\AntivirusGolden\usageStats.xml".
The file at "<$PROGRAMFILES>\Antivirus Golden\Antivirus Golden.exe".
The file at "<$PROGRAMFILES>\Antivirus Golden\Antivirus Golden.url".
The file at "<$PROGRAMFILES>\Antivirus Golden\db.dat".
The file at "<$PROGRAMFILES>\Antivirus Golden\DbgHelp.Dll".
The file at "<$PROGRAMFILES>\Antivirus Golden\generalConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus Golden\monitorConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus Golden\scannerConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus Golden\usageStats.xml".
The file at "<$PROGRAMFILES>\Antivirus-Gold\Antivirus-Gold.exe".
The file at "<$PROGRAMFILES>\Antivirus-Gold\Antivirus-Gold.url".
The file at "<$PROGRAMFILES>\Antivirus-Gold\db.dat".
The file at "<$PROGRAMFILES>\Antivirus-Gold\DbgHelp.Dll".
The file at "<$PROGRAMFILES>\Antivirus-Gold\generalConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus-Gold\monitorConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus-Gold\scannerConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus-Gold\usageStats.xml".
The file at "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.exe".
The file at "<$PROGRAMFILES>\AntivirusGold\AntivirusGold.url".
The file at "<$PROGRAMFILES>\AntivirusGold\db.dat".
The file at "<$PROGRAMFILES>\AntivirusGold\DbgHelp.Dll".
The file at "<$PROGRAMFILES>\AntivirusGold\generalConfig.xml".
The file at "<$PROGRAMFILES>\AntivirusGold\monitorConfig.xml".
The file at "<$PROGRAMFILES>\AntivirusGold\scannerConfig.xml".
The file at "<$PROGRAMFILES>\AntivirusGold\usageStats.xml".
The file at "<$PROGRAMFILES>\Antivirus Gold\Antivirus Gold.exe".
The file at "<$PROGRAMFILES>\Antivirus Gold\Antivirus Gold.url".
The file at "<$PROGRAMFILES>\Antivirus Gold\db.dat".
The file at "<$PROGRAMFILES>\Antivirus Gold\DbgHelp.Dll".
The file at "<$PROGRAMFILES>\Antivirus Gold\generalConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus Gold\monitorConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus Gold\scannerConfig.xml".
The file at "<$PROGRAMFILES>\Antivirus Gold\usageStats.xml".
The file at "<$PROGRAMFILES>\Antivirus-Golden\Lang\English.ini".
The file at "<$PROGRAMFILES>\AntivirusGolden\Lang\English.ini".
The file at "<$PROGRAMFILES>\Antivirus Golden\Lang\English.ini".
The file at "<$PROGRAMFILES>\Antivirus-Gold\Lang\English.ini".
The file at "<$PROGRAMFILES>\AntivirusGold\Lang\English.ini".
The file at "<$PROGRAMFILES>\Antivirus Gold\Lang\English.ini".
The file at "<$PROGRAMFILES>\Antivirus-Golden\Logs\scan_log_11282006-093511.html".
The file at "<$PROGRAMFILES>\AntivirusGolden\Logs\scan_log_11282006-093511.html".
The file at "<$PROGRAMFILES>\Antivirus Golden\Logs\scan_log_11282006-093511.html".
The file at "<$PROGRAMFILES>\Antivirus-Gold\Logs\scan_log_11282006-093511.html".
The file at "<$PROGRAMFILES>\AntivirusGold\Logs\scan_log_11282006-093511.html".
The file at "<$PROGRAMFILES>\Antivirus Gold\Logs\scan_log_11282006-093511.html".
The file at "<$DESKTOP>\Antivirus-Golden.lnk".
The file at "<$DESKTOP>\AntivirusGolden.lnk".
The file at "<$DESKTOP>\Antivirus Golden.lnk".
The file at "<$DESKTOP>\Antivirus-Gold.lnk".
The file at "<$DESKTOP>\AntivirusGold.lnk".
The file at "<$DESKTOP>\Antivirus Gold.lnk".
The file at "<$SYSDIR>\hookdump.exe".
The file at "<$WINDIR>\screen.html".
The file at "<$LOCALSETTINGS>\Temp\AGLanguage.ini".
The file at "<$SYSDIR>\hookdump.exe".
The file at "<$SYSDIR>\hookdump.exe".
A file with an unknown location named "hookdump.exe".
The file at "<$LOCALSETTINGS>\Temp\AGLanguage.ini".
The file at "<$LOCALSETTINGS>\Temp\AntivirusGold 2.0 Installer.exe".
The file at "<$WINDIR>\screen.html".
The file at "<$SYSDIR>\hookdump.exe".
The file at "<$SYSDIR>\winnook.exe".
A file with an unknown location named "avg_setup.exe".
A file with an unknown location named "dd3.exe".
A file with an unknown location named "winnook.exe".
Make sure you set your file manager to display hidden and system files. If AV-Gold uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify files!
Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.
Folders:
Please use Windows Explorer or another file manager of your choice to locate and delete these folders.
The directory at "<$PROGRAMS>\AntivirusGold".
The directory at "<$PROGRAMFILES>\AntivirusGold".
Make sure you set your file manager to display hidden and system files. If AV-Gold uses rootkit technologies, use our RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
You will have to use a global search for files without a name specified. Be extra careful, because just the name might not be enough to identify folders!
Important: There are more files that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.
Registry:
You can use regedit.exe (included in Windows) to locate and delete these registry entries.
Delete the registry key "{17152BD5-4212-FEB6-BA05-A53571CF99F2}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{60F94D7D-563E-4942-B5EC-2DE9C135C139}" at "HKEY_CLASSES_ROOT\TypeLib\".
Delete the registry key "{715D709B-2B10-42FA-A069-297D25D93601}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{3F6D6C35-FB73-45E6-9473-BB4CC25CE019}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{886B1D08-B404-40F0-AA18-4E416682A2E9}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{8B5F65CF-0B0A-4291-8DA2-86D7F7B0A6DB}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{925B0211-A1C1-4712-8FCA-5F5B8101736D}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{B01E37C4-5497-4D58-9FFD-D5653B8DC866}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{CCAA201C-C48D-48A8-A1E8-846562CBF1C1}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{D483521B-D5CC-43FF-A45A-9BE4A8E6606E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{ED2AFF47-B7BE-4273-A203-C796E87F72D2}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{F0FA7ED9-5A0A-4374-B63E-BEBAFD52192E}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{F5DEE77C-87EB-4E00-BBF9-8CBF3BDEA7AF}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{FB5DDAB7-6AA5-4E97-9541-5A75ADDF4ABA}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{FDDF521B-0EBE-4D15-838C-73E2D851161B}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "{FF609434-EB47-481B-BA0E-1D2B467629A5}" at "HKEY_CLASSES_ROOT\Interface\".
Delete the registry key "Cerberus.EXE" at "HKEY_CLASSES_ROOT\AppID\".
Delete the registry key "AntivirusGold" at "HKEY_LOCAL_MACHINE\SOFTWARE\".
Delete the registry key "AntivirusGold.exe" at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\".
Delete the registry key "{020B1227-417D-4682-9AC3-61F43CB5B6B1}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{125494B2-ACAD-414c-98B9-452F3EF7703A}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{20A3D913-30EF-4e69-B3F7-93B3F1FB9D5C}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{3D00A39C-655B-428b-AEB2-2FBA03DCC49C}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{408F660A-9465-44a3-B557-8709DFD992BC}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{5F6BBD8A-18CF-4d55-8B4C-C9B4C9328DFE}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{8C56B6CE-C53F-44c4-9BDC-A9BC1711D05A}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{8EE6BF73-B370-4d13-9126-EB0071178F2E}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{97F56E12-C706-4aeb-9FFB-133C05EE5D38}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{9BB7E700-4E48-476d-B75C-6F47606BE988}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{9CB478A2-CA39-0CFD-EFAC-DB80710601D3}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{CBCACA58-1AEE-4600-8CF0-E8B30BFF1535}" at "HKEY_CLASSES_ROOT\CLSID\".
Delete the registry key "{D6D64CDF-0363-4261-B723-29A3AF365E1D}" at "HKEY_CLASSES_ROOT\CLSID\".
A key in HKEY_CLASSES_ROOT\ named "Cerberus.EngineListener", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Cerberus.EngineListener.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Cerberus.Scanner", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Cerberus.Scanner.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Cerberus.ThreatCollection", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Cerberus.ThreatCollection.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Backup", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Backup.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.IgnoreList", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.IgnoreList.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Log", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Log.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.LogRecord", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.LogRecord.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Paths", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Paths.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Quarantine", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Quarantine.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.RunAs", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.RunAs.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.SearchItem", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.SearchItem.1", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Threat", plus associated values.
A key in HKEY_CLASSES_ROOT\ named "Engine.Threat.1", plus associated values.
If AV-Gold uses rootkit technologies, use our RegAlyzer (http://www.safer-networking.org/index.php?page=regalyzer), RootAlyzer (http://forums.spybot.info/downloads.php?id=8) or our Total Commander anti-rootkit plugins (http://forums.spybot.info/downloads.php?id=3).
There are more registry entries that cannot be safely described in simple words. Please use Spybot-S&D (http://www.safer-networking.org/index.php?page=spybotsd) to remove them.
Final Words:
If neither Spybot-S&D nor self help did resolve the issue or you would prefer one on one help,
Please read these instructions (http://forums.spybot.info/showthread.php?t=288) before requesting assistance,
Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) where a volunteer analyst will advise you as soon as available.