
Miguel Campos Blog

General information regarding Microsoft technology
Removing the Antivirus 2009 infection

One of my home computers (Windows XP) got infested by Antivirus 2009.

My brother-in-law was downloading videos (from YouTube, I think) and then the Antivirus 2009 warning came up.

By chance I happened to be nearby and was able to identify the exact time of the infection and locate several files based on this.

This nasty infection makes it difficult to run several common security tools. I was able to remove it (so that I could run full scans) by doing the following:

- Killed the av2009.exe process using Task Manager
- Took a look at where the Antivirus 2009 shortcut pointed (they put one on the desktop)
- Took note of the date and time of the av2009.exe file (it was in C:\Program Files\Antivirus 2009)
- Searched the Registry to see if there were any references to av2009.exe. Did not find any, but this is an important step: ensure there are no references to a file before removing it.
- Removed the C:\Program Files\Antivirus 2009 directory and all its files
- Removed the desktop shortcut
- Removed the shortcut in the Start Menu (be aware: they put it in the upper area, near where Windows Update is located)
- Rebooted, but then discovered that IE was still affected; in particular, when I tried to navigate to Sysinternals (now inside microsoft.com) it was marked as an "unsafe" site. Also discovered that the Security Center applet in Control Panel was not working

- Went to Windows\System32 and found 3 files from about the same time as the infection:

   ieupdates.exe
   scui.cpl
   winsrc.dll

- Took a look at the properties of the files; in effect, these are not provided by Microsoft as part of the OS
- Again, before removing the files I searched the registry and deleted values that referenced ieupdates.exe (registered to start automatically) and winsrc.dll (registered as a COM file)
- Rebooted again and tried IE and Security Center; both are working now
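The two checks the steps above rely on, files created near the infection time and registry references to a file name before it is deleted, as an added PowerShell example that is not part of the original post. The infection time and file names are constructed sample values, and the registry roots searched (Run keys and CLSID) are an assumption based on where the post found its entries.

```powershell
# Added example (not from the original post): triage helpers for the manual procedure above.
# Sample time and file names below are constructed; substitute the real timestamp of av2009.exe.

function Find-FilesNearTime {
    param([datetime]$InfectionTime, [int]$WindowMinutes = 30,
          [string]$Path = "$env:SystemRoot\System32")
    $start = $InfectionTime.AddMinutes(-$WindowMinutes)
    $end   = $InfectionTime.AddMinutes($WindowMinutes)
    Get-ChildItem -Path $Path -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $start -and $_.CreationTime -le $end } |
        ForEach-Object {
            # Genuine OS binaries carry a Microsoft signature; on older Windows many are
            # catalog-signed and may show NotSigned here, so treat this as a hint, not a verdict.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name    = $_.Name
                Created = $_.CreationTime
                Status  = $sig.Status
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            }
        }
}

function Find-RegistryReferences {
    param([string[]]$FileNames,
          [string[]]$Roots = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                               'HKLM:\SOFTWARE\Classes\CLSID'))   # assumed roots; CLSID scan is slow
    # Get-ChildItem -Recurse returns only subkeys, so include the root keys themselves via Get-Item.
    $keys = @(Get-Item -Path $Roots -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $Roots -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($valueName in $key.GetValueNames()) {
            $data = [string]$key.GetValue($valueName)
            foreach ($name in $FileNames) {
                if ($data -match [regex]::Escape($name)) {
                    [pscustomobject]@{ File = $name; Key = $key.Name; Value = $valueName; Data = $data }
                }
            }
        }
    }
}

# Constructed sample inputs: the av2009.exe timestamp and the file names named in the post.
$infection = Get-Date '2008-07-05 00:30'
Find-FilesNearTime -InfectionTime $infection | Format-Table -AutoSize
Find-RegistryReferences -FileNames 'av2009.exe','ieupdates.exe','scui.cpl','winsrc.dll' | Format-Table -AutoSize
```

Review every reported registry value and delete it before removing the file it points to, which is the order the post follows.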

I was able to run several full antispyware and antivirus checks after the previous steps.

And I was able to locate more instructions at http://www.enigmasoftware.com/support/antivirus2009-removal/

Note that this post is informational only; I cannot give any warranty that this procedure will work on other computers and/or that the virus is completely removed. And please be sure to back up your registry and important data before any manual removal.

PLEASE ENSURE the usage of trusted tools to validate complete removal of this and other threats it may install.

Finally, CERT has published a set of suggested steps for recovering from a system compromise; you may want to take a look at them: http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Hope this is useful.

Posted: Saturday, July 05, 2008 5:03 AM by mcampos

Comments

Ken Bennet said:

It saddens me to see a Microsoft employee advising as to how to remove an infection that is system wide like this. Miguel, you can never truly trust this computer again until you format the hard disk and reinstall Windows from scratch! How do you know some other malware wasn't also installed on the system during this infection - malware that you failed to detect and remove? It is still lurking around on your system and sending off your bank account numbers and sensitive personal information to some crooks who will use it to commit fraud. CERT says that such an infection can only be guaranteed to be removed only after complete rebuild of the system. "Removing" the infection in the way you cite lures you and everyone who tries your advice into a false sense of security.

Take my advice: Repartition and reformat your hard disk, reinstall Windows from known trusted media and reinstall your applications from known trusted media. Then restore from your most recent pre-infection backup. To prevent this problem in the future, remove yourself from the administrators and power users groups and run as a standard user and require others to do the same. As a standard user, you should never run into a situation where your entire system gets infected. The worst that can happen if you are running as standard user is that your user profile gets infected and you have to delete the profile and rebuild it. Please feel free to contact me at kjbemail-cl@yahoo.com if you need to follow up on this comment.

# July 6, 2008 5:54 PM

Miguel Campos ROCKS !!!! said:

Thank you very much for your help, now I am a hero to my friend for getting rid of the virus on his computer (by following your instructions).

THANK YOU !

# July 6, 2008 7:45 PM

David said:

Thank you so much!  It worked perfectly.

# July 6, 2008 8:17 PM

mcampos said:

Thanks a lot to Ken ! His recommendations are right on the mark.

Actually I ran several tools to scan the system for spyware (including Defender and OneCare), this took several hours.

And yes, while all other users on my system run with limited privileges, my brother-in-law just sat down and used my machine when my user was logged on.

My purpose in writing this entry is to make it easier for people to remove Antivirus 2009 ... so they will be able to run trusted scan and removal tools. The results of this scanning will make it easier to determine if a complete reformat is required.

# July 6, 2008 8:34 PM

Marcus said:

Thanks a lot. This was very helpful!!!!!!!!

# July 9, 2008 7:17 AM

Leonie said:

Hi Please help - a very blond lady when it comes to issues like this, I am currently having this virus popping up telling me that I need to update I am running my own virus program but this is blocking me from doing anything and I am too scared to do anything, I also can not delete this damn thing

Please mail me instructions in very lame terms to leo2_angel @yahoo.com

# July 10, 2008 5:17 AM

rick frost said:

miguel...thank you...!! it worked..

# July 10, 2008 8:18 AM

Sandy Beidel said:

Antivirus 2009 popped up on my screen a couple of days ago when I was using Mozilla Firefox - I don't use Internet Explorer. I went through screens popping up and interfering with everything I tried to do - stopping my computer and telling me I had a blue monster that could infect my computer, etc. McAfee tried to walk me through removing it but I kept being interrupted by the Antivirus. I finally did a System Restore going back to a previous date. After that I checked all of the places I knew to look for any evidence that it was still on my computer but I am not very computer literate and like "very blond lady" said I need instructions in very lame terms in order to know if I need to do anything else to be sure I am rid of this virus. I plan to buy the Max Spyware Detector and run it on my computer later today and run a scan to see if it picks up anything. So far I haven't had any problems since then but does that mean it could still be in the background getting info from my bank account and personal information and passing it on to "crooks" as Ken Bennett said? Thanks for any help.

# July 11, 2008 11:47 AM

mcampos said:

Try to run at least two full antivirus and antispyware scans from different providers (I did that).

As Ken said, there may be a possibility of some other spyware being installed during the duration of the infection.

The more different tools you use to scan, the higher the probability of locating other threats.

But sadly the only way to be 100% safe may be to reinstall the machine as Ken recommended.

# July 11, 2008 1:16 PM

Bill Miller said:

Thanks for the help. This was a nasty problem. It is disappointing when your virus protection software company doesn't do its job.

# July 14, 2008 8:43 AM

dotlizard said:

i installed Windows Live OneCare and before it was even done with setup, it had found and dealt with this threat. perhaps the computer is not completely clean, but it sure seems that way.

# July 20, 2008 1:35 AM

dotlizard said:

this evening my son said to me "antivirus says i have a virus!" and i knew we were in for a long night. i've battled infections of Antivirus 2008 and i know it to be a very insidious enemy. well,...

# July 20, 2008 1:38 AM

Harmonic said:

I ran SmitfraudFix and got rid of the popup ads and toolbar icons, then ran Malwarebytes' Anti-Malware to get rid of the Google Tips Warning about unregistered copy of Antivirus 2009. These were all free removal tools. System appears clean now.

# July 23, 2008 4:36 PM

dartbeyder said:

I used malwarebytes anti-malware and successfully removed the threat. Just follow the removal procedure here: http://www.precisesecurity.com/blogs/2008/06/26/antivirus-2009/

# July 27, 2008 6:26 AM

campaignagainstinternetscum said:

The best advice anyone can give is NEVER repeat NEVER download any "FREE" software that claims it will remove Antivirus 2009 - it's probably made by the same scum that actually created Antivirus 2009!!!

Re-format!

# July 28, 2008 8:57 PM

Scott said:

this virus has morphed. who ever heard of a virus being updated?? usually its take the money and run..antivirus 2008 updated to antivirus 2009 and attached a whole host of other rogue malware.. the internet sucks.. peace out

# July 29, 2008 1:50 AM

T. White said:

I have to agree with Ken.  I don't completely trust that the malware has been completely removed unless I format the hard drive and reinstall the OS.  I have an end user that has somehow had her machine infected.  I've tried booting from the Windows XP cd with the intention of deleting the partition and starting over from scratch.  I can't even get that far.  The XP drivers will load and right before it comes up with the menu to install or repair Windows - it crashes.  Every single time.  So how do I get past this??  

# July 29, 2008 8:30 PM

jesse said:

thank you i had the 2008 version first and could not get everything and then i saw that it turned into the 09 version and followed the steps and now everything seems to work fine thank you a lot

# July 30, 2008 3:28 PM