XP Antivirus 2008 and Antivirus 2009 are evil!
June 29, 2008
Wow! I just spent two hours on the phone and CoPilot with my dad to get one of his computers cleaned up. I’ve dealt with a couple of spyware infections in the past, but nothing as insidious as this. Fortunately my dad was suspicious enough to reach out for assistance before he really got taken. Here is the recap:
I got this email from my dad earlier today:
Matt, my desktop computer has been infected with Antivirus 2009. Do you have a recommendation for software to remove it? Spyware Hunter has been recommended but, at this point, I don’t trust anything. Dad
I’m glad that he was suspicious. After a little Googling on the key words from his message, I was suspicious too. Here was my reply:
You are right. Searching on ‘antivirus 2009’ does seem to lead you to certain tools and seems to be very confusing. I suspect that this is itself part of the cycle. Something tells you that you have a virus and oh, by the way, try out my product.
Quick question: How do you know that your desktop has been infected? What application is telling you that? There are lots of sites that will pop up little windows telling you things like that in an effort to get you to click on them and then sell you a product. If your anti-virus/spyware application told you that it found a problem, I would suspect that it would also be capable of fixing it.
What I think you are dealing with is some type of spyware. Nothing malicious, just annoying. So, what you need is a spyware removal tool. Here is a link to download.com sorted by most popular: http://www.download.com/sort/3150-8022_4-0-1-4.html? As you can see, Ad-Aware and SpyBot are the two most popular, by far. I have used both in the past and would recommend them. I searched through the top 100 and couldn’t find Spyware Hunter anywhere in there. So, I suggest you steer clear.
I was kind of curious about how he was being informed of all of this information. Was it legitimately coming from his anti-virus app (McAfee) or through some other means? I was thinking that it was one of those annoying pop-up windows that I run across every now and then. You know the ones: Click here because your computer is out of date and is going to explode any second now! So, I followed up the email with a call.
After the normal chit-chat, we got around to the issue. He was saying that he was running into the messages all over the place: when he logs in, browsing the internet, Google, etc. I had to see for myself so I fired up CoPilot (it’s now free on the weekends, you know!). I told my dad to fire up IE (I know, they should be on Firefox but I haven’t wanted to go there yet) and go to copilot.com. He said that the site briefly flashed up but then was replaced by an IE warning message that said, "Visiting this web site may harm your computer!" WTF!
OK, so let’s do the run-around. How about we Google ‘copilot’ and then click the link? So we did that. This time my dad tells me that Google is giving him a message about his computer being unprotected/unregistered/whatever. Why/how does Google know? At this point, I was thinking that he was telling me about the warning/message bar that IE and FF now use to communicate to the user. Anyway, we finally get connected through CoPilot.
I won’t bore you with any more play-by-play, but as soon as I got into IE I could see that there were issues (you’ll see in just a second). He has McAfee and keeps it current so I wasn’t too worried about it being a virus. However, I’m pretty sure that he did not have any type of anti-spyware tool running on his system. So we were going to run out and download Lavasoft’s free Ad-Aware anti-spyware app. Here is what I ran into:
Interesting. I’ve never heard of Google Tips before (neither has Google). For the benefit of the search engines, here is what the tip says:
"Google has detected unregistered Antivirus 2009 copy on your computer. Google recommends you to activate Antivirus 2009 to protect your PC from malicious intrusions from the Internet."
However, I was pretty suspicious once I saw the URL that the whole box was linked to: microsoft.browserprotectioncenter.com. OK, we’ll ignore that for now and continue on to get Ad-Aware. So I clicked the link that you see below the Google Tips box. This is what we got back:
A couple things to point out:
- This appears to be the standard IE warning about malicious sites (I’m guessing. I’ve never actually run across it since I use FF (but not at work because we aren’t allowed - don’t ask)).
- The Lavasoft site page was briefly displayed before this was displayed.
- The URL changed to about:blank.
- All three links list the same microsoft.browserprotectioncenter.com page.
- This was actually happening for a lot of pages, not just the Lavasoft page. I ran across this as soon as I got on his computer, and it was the first thing that tipped me off that something was amiss.
Since the Lavasoft page briefly displayed, that suggested to me that it was still in the browser history. So I clicked Back. The Lavasoft page did display, but it was severely mangled.
Notice the yellow bar? Here is what it says:
The page you are opening is probably contains spyware, adware, etc.. Your system might be at risk, Click here to protect your system with Antivirus 2009.
Want to guess where the link goes? You got it! And guess what? We had to run the same gauntlet for each page we clicked on to try to download Ad-Aware. Once we got to the download, we were still hosed since the spyware seemed to have control over the pop-up window too. I had to drop back to my computer, download Ad-Aware, upload it to my FTP site, then go back on his computer and download from my FTP site. What a PITA!
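One defender-side check that the hijacked pages suggest, as an added example that is not from the original post: parse a page’s links and flag any whose hostname merely starts with a trusted brand (microsoft.browserprotectioncenter.com is registered under browserprotectioncenter.com, not microsoft.com) or whose anchor text speaks for Google while pointing somewhere else. The HTML sample is constructed to mimic the fake Google Tips box and the yellow bar; the TRUSTED and SCARE_PHRASES lists are my own assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the fake box invokes; a genuine link must resolve to one of these domains (assumed list).
TRUSTED = {"google": ("google.com",), "microsoft": ("microsoft.com",)}
# Wording lifted from the fake 'Google Tips' box and yellow bar described in the post.
SCARE_PHRASES = ("has detected unregistered", "activate antivirus",
                 "protect your system with antivirus")

class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join(" ".join(self._text).split())  # normalise whitespace
            self.links.append((self._href, text))
            self._href = None

def registrable(host):
    """Crude eTLD+1: the last two labels (adequate for .com lookalikes)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def suspicious_links(html):
    """Return [(href, [reasons])] for links that look like scareware bait."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        leading, reg, low = host.lower().split(".")[0], registrable(host), text.lower()
        reasons = []
        # The first label borrows a brand, but the registrable domain belongs to someone else.
        if leading in TRUSTED and reg not in TRUSTED[leading]:
            reasons.append(f"hostname starts with '{leading}' but domain is {reg}")
        # The anchor text speaks for a brand the link does not belong to.
        for brand, domains in TRUSTED.items():
            if brand in low and reg not in domains:
                reasons.append(f"text invokes {brand}, link goes to {reg}")
        if any(phrase in low for phrase in SCARE_PHRASES):
            reasons.append("scareware wording")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample: the injected box, the yellow bar, and two genuine links.
SAMPLE = """<div><b>Google Tips</b>
<a href="http://microsoft.browserprotectioncenter.com/buy">Google has detected
unregistered Antivirus 2009 copy on your computer.</a></div>
<a href="http://microsoft.browserprotectioncenter.com/">Click here to protect your system with Antivirus 2009.</a>
<a href="http://www.lavasoft.com/">Download Ad-Aware</a>
<a href="http://www.google.com/search?q=copilot">Search Google</a>"""
```

Running `suspicious_links(SAMPLE)` flags only the two browserprotectioncenter.com links; the Lavasoft and Google links pass.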
So we finally fired up Ad-Aware and let it scan his system. When all was said and done, it found (sorry, no screenshots):
- 2 critical registry key entries
- 225 privacy cookies
We nuked them all. Ad-Aware needed to restart the computer in order to completely remove everything but we decided to check IE to see how it was doing. We were able to pull it up and access all of the previous pages without any of the issues! Yay!
Moral(s) of the story:
- Make sure your family and friends are running a reputable anti-spyware tool in addition to their anti-virus tool.
- Have your family and friends switch from IE to Firefox.
- Try to get them to run under the non-admin account (although this can cause problems with some apps).
- Tell them to trust their instinct when something doesn’t seem right.
- Take advantage of free CoPilot on the weekends. Thanks Joel!
- Make sure that at least one of your kids is technically literate to bail you out when you can no longer keep up with technology.
Now if only we could get this to bubble up a little in the search engines to help other unsuspecting people. Spread the word with the Share This link below.
Comments
24 Responses to “XP Antivirus 2008 and Antivirus 2009 are evil!”
Matt,
I thank you for the info you posted here. It helped some but didn’t totally. After downloading Ad-Aware and scanning my entire system it found a couple critical and 160 or so cookie items. I too removed all of them and then rebooted. I then went to IE and went to a couple of sites. As soon as I tried to log into any of them (online tools that I use), the same “Insecure Internet activity. Threat of virus attack” appeared, only now the line that says to register Antivirus 2009 is no longer a link, it’s just a sentence. The other two links are still there and look like they will link to “purchase” Antivirus 2009.
Do you have any further suggestions? I wonder why it totally cleaned up your dad’s system but not mine. I’m sending this from my work laptop that I brought home for the weekend because using IE is next to impossible. I too plan to start using Firefox as soon as I get this problem resolved.
Thanks in advance for any assistance you might be able to provide.
Wow, it didn’t take long for this post to get picked up.
Unfortunately, I probably posted too soon. I got another email from my dad a little while ago. He said that despite a complete system scan with Ad-Aware and McAfee overnight, he again started to run into problems when he logged back into his normal non-admin account.
I did a little more research and ran across this thread that looks promising: http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=2873308&SiteID=2
If you go to the 2nd page, there is a post by ‘shecut’ that a number of subsequent posters said worked.
I’m on the phone with my dad right now. I’ll post back with more info once we try it.
Matt,
Part of the problem is I can’t get my PC to boot up in safe mode. I’ve tried probably a dozen times since I started this last night and quit about 1:30 am. I’ve tried it a couple times now and will keep trying.
Let me know if you and your dad get it resolved.
Interesting. Right now we can’t get it back OUT of safe mode. We were able to delete the folder but it was called Antivirus2009 (instead of XPAntivirus mentioned in the forum thread).
I finally got instructions from Dell on an alternate method to boot in Safe Mode. So, now I am on to follow the instructions in that post. Were you able to solve your Dad’s problem? Hope so.. this crap is very frustrating.
I’ll let you know how it goes for me.
Thanks for the original post!
[…] so it was a bit premature to declare victory over the XP Antivirus 2008 / Antivirus 2009 issues that my dad was facing. Here is the email I got this morning: I ran the full scan over night which […]
I’m a student & use the computer for everything!! Yesterday the Antivirus 2009 came up saying all the same things I’m reading here. I’m not all that tech savvy; can anyone tell me where to start to get rid of it? I have Trend Micro (installed by Best Buy 2 mos. ago) when I bought the computer.
Hi Matt,
Well, I finally (fingers, toes and eyes crossed) got rid of IT!!!! I’ve also installed Firefox and removed most of the blue E’s so my husband can’t find it easily.
In the end I just kept running scans with VirusScan (it never did find ANYTHING), Spybot S&D and Ad-Aware. I also printed several sets of cleanup instructions as some contained other file names. Then I got a little overzealous in deleting some of them and realized I hadn’t read the instructions closely enough and was only supposed to delete some instances of two DLLs. I stopped before I did any harm and everything seems to be working.
Man, what a PITA!! Thanks for all your help and lending an ear through this ordeal. Take care and HAPPY BIRTHDAY, AMERICA!!!
Jan
[…] my best efforts in XP Antivirus 2008 and Antivirus 2009 are evil! and XP Antivirus 2008 and Antivirus 2009 - Round 2 it appears that there might still be some […]
Been there, done that, got the T-shirt! Was up half of last night researching what the thing (AvXP2008) is, what it is capable of and how to get rid of it. Gave up last night and tried again today, started at 11 and tried every suggestion I could find. Each route to recovery that I tried was somehow(?) blocked! I.e.: uninstalling it, booting in safe mode, deleting things, system restore, spyware removal tool, etc. etc.! It even ate my screen saver and the means to restore it! Then finally at 5.45 I got shot of it. When I saw it disappear when I uninstalled it I wasn’t sure if it was gone for real, or was it just playing hide and seek?! Could have cried with joy when my PC returned to its former self! HOWEVER, I have been bombarded with attempts by assorted malware all evening, blocked by Spyware Doctor. Downloaded Ad-Aware, did a scan and it found new spyware, not AvXP2008 though. Had to reboot earlier and the pop-up that says your PC is infected with stuff came back. I can’t find where the rest of it is hiding yet! I wish I had never heard of torrents now! I am 90% certain that’s where it came from. Be warned! I’ll let you know if it returns!
There is an easy way to stop this, however there is only a split second reaction time in doing it.
Bring up the Microsoft Task Manager, go to Processes, stop the task beginning with r834718ra or whatever; that’s the main source of the virus.
Open up My Computer, go to the drive with Program Files in, open it up and then Program Files, and search for the process you disabled in that folder.
Go to the process manager again and look for a process beginning with P194udj1 or something and click stop task. Do not press yes immediately; make sure your mouse is on the virus folder, press Enter to stop the process, then click the mouse and delete + Enter the folder. It will get rid of the folder for good; however, if you are not fast enough it will just reappear in the process menu, disallowing you from deleting it.
After that run a registry cleaner and get rid of the dead files which are left behind and you’re sorted.
My new BTO computer was only 2 days old and infected with XP Antivirus 2008 and a rootkit from installing a freeware program. I’m a programmer and I still didn’t know what to do to remove it. I then used this remote service.
http://www.remotecontrolhelp.us/
Cost about $175.00… worth every penny.
Problems:
Spyware - Caused by SpyHunter Failure
Slow Computer - Junk accumulation
Fixes:
Remove SpyHunter and Install SpyBot.
Spybot failed to install on first download, second try successful.
Spybot updated, immunized and run. Found Spyhunter (duh), Direct Tract & others.
Run File Cleaner (CCleaner) software.
Run Registry Cleaner.
Run CleanUP!
RR and Malwarebytes would not launch. Anti-Protection Spyware running.
Malwarebytes found 63 entries, including Vundo (bad).
Vundo detector run as backup – all clear.
Removed temps and temp Internet, $nt$.
Optimized boot process with Autoruns and edit of startup file.
Repair Time 1:08
Install SpyBot
Install Malwarebytes
Install RogueRemover
or use
http://www.remotecontrolhelp.us/
Nice, informative blog post! We’re interested in sharing your post in our co. blog or newsletter as a true story of our software in action, and as a way to educate consumers about rogue software.
Please e-mail me for more information. I look forward to hearing from you.
Just spent a lot of time trying to find a solution to this on a friend’s computer. Was not successful removing the virus. We kept opening browser folders and they were all getting hijacked. Tried to go to http://www.mozilla.com to get Firefox. Clicked on the green download button as soon as the screen came up. You only get about two seconds. Finally was successful in bringing down Firefox. Again, you must hit the download now button within about a second after it comes up. That runs well. At least they have a browser that works now while we try to find some solution to this pest.
Infected a few hours ago… just Control-Alt-Delete, go to Task Manager, Processes, stop processes that end in 2009. For me it was av2009. Then do a search for Antivirus 2009 and delete all files.
To be safe, restart the computer in safe mode. This can be done by restarting and, while the screen is still black, hitting F8, then choosing Safe Mode.
For XP, click Start, Accessories, System Tools, System Restore.
Restore your computer to a date in the past when you did not have this problem.
Hope it helps!
Hey, I just Googled this site. My PC keeps giving me this message:
Google has detected unregistered XP Antivirus copy on your computer. Google recommends you to activate XP Antivirus to protect your PC from malicious intrusions from the Internet.
So I did. Was this a sham? Did I just download a virus or something? I have no idea, only that now all my websites get blocked and warnings pop-up constantly.
HELP ME!!!!
Melissa
http://www.precisesecurity.com/blogs/2008/06/26/antivirus-2009/#comment-58960
Go check out this site; the program the webmaster suggested worked great for me. I was very skeptical at first but tried it out of desperation. It is shareware, they do want you to buy the full program, but there is no intrusive marketing and it actually removed the issue for free.
Quite well-done spyware pushing. I guess with advertising on behalf of Google (what a trick!) this scam extortion is gonna have even bigger “success” than its predecessors, XP Antivirus and Antivirus XP 2008. Man, why do Windows users get all these problems?..
[…] been monitoring my traffic a fair amount over the past few weeks since I first published XP Antivirus 2008 and Antivirus 2009 are evil!. It looks like things were starting to taper off a little but has jumped up this week and in […]
Thank you so much! I had XP Antivirus 2008 on my computer for about a week or 2 now and it just wouldn’t go away. I did everything you said. I deleted it, but it still kept taking over my browser when I went on the internet. Like every website I went to, XP Antivirus would keep coming up, and that Google Tips thing was there too, even after I deleted the antivirus from my computer. I was so fed up with it, having to keep refreshing my page and hitting the back and forward buttons like 15 times just to finally get to the site I wanted to go to.
Viruses and spyware have never been a problem with my computer, until XP Antivirus came along, but I finally got rid of it (entirely, every part of it gone) and this is how I did it: (I forget where I got this from but another guy did this. So I’m telling you what he told me; I’m just trying not to take the credit.)
1. First enter safe mode on your computer and go to your account, not admin.
2. When in safe mode, go to “My Computer” by either going to the Start button or, if you have it, the My Computer icon on your desktop. After that click on the “local programs (c:)” thing. Then go to Program Files.
3. Under Program Files, whatever XP Antivirus thing you have should be there. It should have its own folder and 1 file inside of it. (For me it was XP Antivirus 2008 and the file was xpa.exe.)
4. Delete that folder to send it to the Recycle Bin, then delete it from there.
5. Restart your computer in normal mode, and go to this site (free.avg.com) to download their “free” antivirus software. Yes, it is free if you download their free version. They have other versions but you only need the free one.
6. After you’ve downloaded it, update it by clicking the “update now” thing and when it is done updating, run a scan over your whole computer. It should find whatever the virus is and then just remove it.
7. After that go to your Start bar and click on “Run”; in there type “msconfig” and a folder should open. Go to the far right tab. There should be a list of folders and things with a box next to them. Make sure you uncheck the one that says “xpa” (it was on mine, I don’t know if it will be on yours).
8. That’s it, it should be gone. I hope it works (it worked for me).
Have you tried running smitfraud and smitrem? Run them both in safe mode.
If you can, the best thing to do to get rid of them is to recover your computer. It’s kind of a pain, but it works. That’s what I did, after going around in circles for hours!!!
I run a small computer service shop. This thing no longer qualifies as a virus; it is probably more accurate to call it a plague. I rarely see the same virus twice, never mind 25 times in 14 days. Considering that I have to provide a warranty for the service I provide, I can suggest nothing to my customers short of a complete format and reload of Windows. Even when I can rid a computer of this infection, there is so much collateral damage to Windows that I cannot return the computer to pre-infection functionality and guarantee that it will stay that way.
There is not ONE AV or antispyware program that will stop this thing from getting in to your computer.
Even if you get “rid” of it, Regedit is now gone, your AV program no longer works, nor can it be reinstalled.
The only good news is that it does not corrupt personal data.
Save your Documents folder and reformat. Anyone that says they have found a magic bullet to get out of this one hasn’t tried to use Windows afterwards.
listen to Andrea, she knows……..
What sucks is that the virus affected my computer so much my internet barely works, so I can’t go to that web site that guy before Marcus was talking about.