Beware of Antivirus 2009 (I think there's a 2008 version as well). It is a killer.
Anyone come across this? I've seen it's been quite rampant over the past couple of months. My niece brought her laptop round to mine infected with this; what an absolute nightmare of an infection. I've just re-installed XP on her machine because of it.
Tried manually removing the infection but still something was there. It basically blocks you from going to any anti-virus/spyware website, installing any anti-virus program or updating what you have (tried several ways of installing Malwarebytes, Spybot etc.). Was an absolute nightmare. Thought I'd removed files relating to it, but it went a lot deeper into the system. Also it screwed up System Restore as well.
If anyone has ever come across ways to get rid of this, some info would be great for future reference. I had a look on the Bleeping Computer forum and a few people had this and are having nightmares removing it. I'd hate to get it on my laptop and have to reinstall everything.
-
I work in a computer repair shop and I remove a variant of this daily. There are tons of variants, but all are based on Smitfraud or Vundo.
Names are things like
WinAntiVirus
WinAntiSpyware
Antivirus 200x
SpySentry
and so on.
The process I use to remove it is not short or easy to explain, and it covers removal of 99% of the variants, and I've written several batch files to make it easier for myself, but in summary...
Boot to safe mode
Run ComboFix and SmitfraudFix
Boot normal mode, run ccleaner, turn off system restore.
Run spybot, superantispyware, malwarebytes antimalware, reboot
Install spyware blaster, update, enable.
Check hosts file for bad entries
Run bitdefender scan with above antispyware, reboot
Check processes with process explorer, remove startup entries in msconfig, reboot.
Run ccleaner, turn on system restore. -
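The "check hosts file for bad entries" step above is the one most people do by eye. Here is an added example (not from this thread and not part of the poster's batch files) that does the check programmatically: it parses a hosts file and flags any security vendor or Windows Update domain that has been pinned to loopback or redirected to some other address, which is how this family blocks access to AV sites and updates. The domain list and the sample hosts content are constructed for the demo.

```python
"""Scan a Windows hosts file for the kind of entries rogue AV (Antivirus 2009
and relatives) plants to block security vendor sites and Windows Update.

Added example for this thread; the vendor list and sample hosts content below
are constructed for the demo and are not the poster's toolkit."""
import ipaddress
import sys

# Assumed list of domains worth protecting; extend to taste.
SECURITY_DOMAINS = (
    "malwarebytes.org", "safer-networking.org", "bleepingcomputer.com",
    "windowsupdate.com", "update.microsoft.com", "symantec.com",
    "mcafee.com", "kaspersky.com", "avast.com", "avira.com",
    "superantispyware.com", "bitdefender.com",
)

# The only mappings a stock hosts file is expected to carry.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample: the blank lines mimic the trick of pushing the rogue
# entries below the part of the file that is visible in Notepad.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# (rogue entries follow after padding)


127.0.0.1       www.malwarebytes.org
127.0.0.1       update.microsoft.com   # blocks patching
192.0.2.10      www.bleepingcomputer.com
"""


def parse_hosts(text):
    """Return (lineno, address, hostname) for every mapping, comments stripped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            entries.append((lineno, address, name.lower()))
    return entries


def is_security_domain(name):
    """True if name is one of SECURITY_DOMAINS or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def find_bad_entries(text):
    """Return (lineno, address, hostname, reason) for entries needing attention."""
    findings = []
    for lineno, address, name in parse_hosts(text):
        if (address, name) in DEFAULT_ENTRIES:
            continue
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append((lineno, address, name, "unparseable address"))
            continue
        if not is_security_domain(name):
            continue
        if addr.is_loopback:
            reason = "security site pinned to loopback (access blocked)"
        else:
            reason = "security site redirected to %s" % address
        findings.append((lineno, address, name, reason))
    return findings


if __name__ == "__main__":
    # Usage: python hosts_check.py [path-to-hosts]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for lineno, address, name, reason in find_bad_entries(content):
        print("line %d: %s -> %s: %s" % (lineno, name, address, reason))
```

On XP the file lives at %SystemRoot%\system32\drivers\etc\hosts; the line numbers in the report matter because the rogue entries are often hundreds of blank lines below the visible header. Anything the script flags should be deleted and the file saved as plain text with no extension.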
My boss' computer has it
I hope she cries and then lets me fix the computer, which leads me to creating an administrator account for myself when I'm in the office on the weekends.
>: ) -
I can even zip up my whole folder and megaupload it if anyone's interested.
-
Where's the most common place it comes from, as my niece has no idea what she downloaded or what site she visited to get it. -
I've written a post on a previous version XP Antivirus 2008 here.
It's mainly about the informative article on TheRegister by Jesper M. Johansson, which can be found through this link.
He shows with screenshots and in layman terms what malware writers use to lure victims into clicking/downloading malware.
Sorry bangert, it's of little/no use to your situation but the article can be an eye opener. -
Thanks for the links to the articles. I've read the first couple of pages, but I'm needed elsewhere lol, so I'll give them a good looking over later.
I'm not really too fussed myself about having to reinstall XP as I love tampering and playing about with computers, but more peeved for my niece as she's been without her comp for a couple of days now. She'll just have to be a bit more cautious about what she does on her laptop. -
Here's the link.
http://www.megaupload.com/?d=07GR4SDG
It's a pretty big RAR. How it works is you extract it to a flash drive (that's how I use it anyway) and run 00-sysclean-start.bat. This will set a pwd at the run-from location, and copy a folder called _SHC_Sysclean to the All Users desktop, as well as putting CCleaner in the All Users startup directory.
Everything is ordered...
It will run things as you need them. When BootSafe comes up, reboot in safe mode. Then log in, and run the stuff in the safemode folder.
Reboot (SmitfraudFix and/or ComboFix occasionally reboot for you; if this happens make sure you boot into safe mode again and finish running the others).
Install the stuff in the third folder, and run it.
Utils has misc tools I regularly use.
Extras has a BitDefender trial installer, a Firefox installer (it automatically installs silently when you run the initial batch file), and antivirus removal tools (since it's important to remove whatever AV you currently have installed: MCPR is for McAfee, Norton Removal is for Symantec; use the uninstaller for anything else).
When you're done, you run the first batch file in the end, it does some stuff, you nurse it along and reboot. Then you run the second file, and it deletes everything that it put in. And you're done.
Feel free to ask any questions. I think I'll make a guide later on how to use the package in greater detail. -
Can't get it to download; it just goes round in a loop. Enter the 3 letters, wait 25 seconds, then it does this over and over?????
-
It should give you a link after 45 seconds...
It does appear to be messed up though. If it doesn't resolve itself tonight I'll re-upload tomorrow. -
-
Keep in mind that I update it about once a week and my batch files are a work in progress. But like I said, later this week when I get some time, I'm going to make a spyware removal guide.
-
Extremely easy to fix. Microsoft Update should download a Malicious *something* Tool, which will get rid of this.
-
Some people are very naive, downloading "Antivirus 2009" or progs with similar titles.
Some people are also naive paying for a product called "Kaspersky antivirus" which is produced by a Russian lab closely cooperating with the Russian special services FSB, believing that it will protect their computers better than other similar products, and forgetting the backdoor opportunities this installation provides to Russian cybercriminals working under the patronage of the FSB. -
-
There is only one tool you need to remove this and all its variants; it's called SmitfraudFix. Works every time without any issues.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe
Download, extract to a folder where you know where it is, click on the batch file to execute and choose 1 to scan and let it scan. Then choose 2 to clean; let it clean. Choose 5 to clean the registry, let it clean, reboot .... done.
With XP, Smit does not usually need to be run in safe mode. With Vista I do recommend it because of UAC. -
-
I have never found a variant it didn't fix myself yet
-
Came home from going out with the wife on a date and had an AntiVirus 2009 infection. (And I paid the babysitter $40.)
I did a system recovery to a couple of days before and that worked. -
-
Oh, I'm sure it's not foolproof; I just have not seen one it didn't clean yet
-
All of these viruses are related to the 'Vundo' chain of viruses, and it has annoying, unavoidable pop-ups that constantly appear and you cannot close them.
I recently had the 2008 version of the virus, so I ran a Malwarebytes quick scan and it removed the virus no problems. I am pretty sure VundoFix and SmitfraudFix can remove all traces of this virus as well.
-
I recently made a huge overhaul on my toolkit, and re-wrote most of the automation files.
Added in OS detection and Vista support.
Currently in testing phases, would anyone like me to upload it now, or wait for the final, or does anyone even care at all? -
making business in Russia. Kaspersky lab is likely to use this advantage.
If you wish to argue with this please go to KAV related threads. -
Ran into the newest variant today, Antivirus 360
As has been discussed throughout this article, I have seen at least a dozen variants of this and what is really surprising to me is how several variants seem to load very differently.
From simple registry Run keys to more dastardly Winlogon entries, with files sprinkled in Program Files, windows\system32 and, just yesterday, a hidden folder on the desktop. Even found one that was kicked off by a CPL file that was dormant until you loaded the Control Panel. -
-
If you can post a link when you've finished the final version, I'd be much obliged.
Cheers. -
Testing should be finished by Tuesday (I like to clean at least 4-5 machines before saying "okay, looks good")
I will upload then. -
The newest updated version of Smit removed that new variant as well; I actually infected a virtual drive to test it. Worked great
-
NotebookNeophyte Notebook Evangelist
Does anyone know if Malwarebytes or Avira can get rid of this? My nephew's computer has it and so far neither Avast nor Spybot S&D can get rid of it.....
-
Use SmitfraudFix; it's free and works
-
Some recent variants use rootkits too. In that case, it helps to use for example RootkitRevealer to look if it's there (it's usually something like a TDSSxxx.sys hidden driver). If it is this rootkit, you may need to disable it in Device Manager (it's necessary to enable the display of hidden drivers) and delete it via GMER.
In such a case, any "purely antivirus" software solution without an anti-rootkit component most probably cannot help; tools like GMER are needed. -
Yes indeed--I ran into one of these variants yesterday--I'm not sure if it was all one infection or multiple ones, but there was a rootkit to hide its installation and initialization files, a BHO that would reinstall everything the second IE was loaded, a GPO to prevent access to the registry, an altered exe association to prevent the installation of any other programs, and it crippled several major AV/security programs, and the thing even had a dang keylogger associated with it--all loaded through the Winlogon Notify key so that kept reloading after every attempt to turn it off and kill it.
Took me about an hour to kill it then another two hours to repair all the damaged -
In an email I had yesterday from Smitfraud they said they will be updating to also include fixes for the new variants. Just to let you all know
-
Hi,
try to use this manual removal guide: http://www.2-spyware.com/remove-antivirus-2009.html
Antivirus 2009
Discussion in 'Security and Anti-Virus Software' started by Full-English, Dec 1, 2008.