XP Antivirus 2008 and Antivirus 2009 - Round 2
June 29, 2008
OK, so it was a bit premature to declare victory over the XP Antivirus 2008 / Antivirus 2009 issues that my dad was facing. Here is the email I got this morning:
I ran the full scan overnight, which produced one more critical item and over a hundred cookies, which were removed. At first it seemed like there were no problems. I switched to the non-admin account and started getting the same screens we had viewed last night. Still in this partition, I cranked up the full scan, and after running a while the interference got worse, displaying two or three new screens predicting even more dire consequences and periodically going into what appeared to be a reboot of the system, after which the scan proceeded as normal.
I did a little more research using some of the keywords from last night’s screen shots and ran across this xp antivirus 2008 post in the Windows Live OneCare Anti-Virus forum. Looks like people started running across variations of the virus/spyware back in February. Since then there have been over 42,000 views and over 80 replies with varying degrees of success. Most people referred to a post by ‘shecut’ on page 2 as having been successful. I decided that was what we were going to try.
We got on the phone and connected via Copilot again. Again, it was immediately apparent that there was something going on with his computer. Check out these screen shots:
Hey look, there is that helpful Google Tips box. Except this time it is on the main Google search page. Same text though:
Google has detected unregistered Antivirus 2009 copy on your computer. Google recommends you to activate Antivirus 2009 to protect your PC from malicious intrusions from the internet.
And did you notice the pale yellow warning bar?
The page you are opening is probably contains spyware, adware, etc. Your system might be at risk, Click here to protect your system with Antivirus 2009.
Both the ‘Google Tips’ box and the ‘Click here’ link point to the same microsoft.browserprotectioncenter.com link. Note the trick in that hostname: ‘microsoft’ is only a subdomain, and the site that actually answers is browserprotectioncenter.com, which has nothing to do with Microsoft.
But wait, there’s more!
Check it out. Not one, not two, but three different popups in one view! How do they do it? No wonder my dad was so irritated. Here’s the run down on each:
Antivirus 2009 - Threats detected
Unwanted software (malware) or tracking cookies have been found during last scan. it is highly recommended to remove it from Your computer.
- Lost Documents and Settings
- Permanent Data Loss
- System not starting up
- System Slowdown and Crashes
- Loss of Internet Connections
- Infecting other computers on your network
It is tempting to make fun of all of the grammar mistakes and inconsistencies but I was recently admonished about my own grammar and inconsistencies.
Antivirus 2009 Security Center
Antivirus 2009 protection has detected Spyware program Win32.Monster.fx that is trying to attack your computer. Do you want to block the attack?
Aaaahhh! Monsters are attacking! Should we try to block it or run for the hills!
Antivirus 2009
Privacy Violation alert!
Antivirus 2009 detected Privacy Violation. Some program is secretly sending your private data to untrusted internet host. Click here to block this activity by removing threats (Recommended).
Privacy violations!? Secret internet transmissions!? Untrusted internet hosts!? Wait a minute! How did the government get on my dad’s computer? Must be that damn FISA Act. I knew living in Iran in 1978 would catch up with us.
And it gets worse! Much worse if you don’t have all of your wits about you. I feel sorry for those less technically literate. These guys go to crazy lengths to make their fake warnings look like legitimate problems! My dad had mentioned a couple of times that his computer was rebooting randomly but that something about it didn’t seem quite right. We got lucky and caught it in the act.
This is the fake BSOD:
It appeared briefly, even resizing into a pseudo-DOS mode. My Copilot view of his screen went from 1280×1024 to 640×480. Again, the full text for the search engines:
A spyware application has been detected and Windows has been shut down to prevent damage to your computer
SPYWARE.MONSTER.FX_WILD_0x00000000
If this is the first time you’ve seen this Stop error screen, restart your computer. If this screen appears again, follow these steps:
Check to make sure your antivirus software is properly installed. If this is a new installation, ask your software manufacturer for any antivirus updates you might need.
Windows detected unregistered version of Antivirus 2009 protection on your computer. If problems continue, please activate your antivirus software to prevent computer damage and data loss.
Beginning dump of physical memory.
And then came the fake reboot:
Looks pretty legit. Except for the helpful message:
Your Antivirus 2009 copy is unregistered. Microsoft Security Center recommends you to activate your antivirus protection software.
And then we were right back to where we were when it started: In IE with the same windows open. No logging in or anything. And I thought they were good.
OK, all of the above pictures and commentary are for the benefit of those who haven’t run across this yet and think that their friends and family are just blowing things out of proportion. I’m sure that the rest of you who are currently dealing with the problem just want me to get on with it and tell everyone what fixed the problem! I’m getting there, Jan!
Unfortunately, our time is up. Tune in next week for Round 3!
Just kidding!
Before we continue, I need a favor:
Register now! For only $49.95 I will hunt down and paralyse all viruses today! This is a one-time only charge. Your credit card will never be rebilled, and you will receive UPGRADES FOR FREE!
Sorry, inside joke! Those of you who are dealing with this particular issue probably get it (and probably don’t think it is funny). Those that don’t get it, try going to the microsoft.browserprotectioncenter.com site. You’ll get it (and you probably won’t like it either).
OK, where were we? Ah, I had just gotten done showing you all the ways this spyware was manifesting itself on a system. Now it was time to try the steps as listed by ‘shecut’ on the xp antivirus 2008 post in the Windows Live OneCare Anti-Virus forum. The steps are:
- Print out these instructions as we will need to close every window that is open later in the fix.
- Next, please reboot your computer into Safe Mode by doing the following:
  - Restart your computer
  - After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  - Instead of Windows loading as normal, a menu should appear
  - Select the first option, to run Windows in Safe Mode.
  - Login as a user with administrator privileges.
- When your computer has started in safe mode, and you see the Safe Mode by doing the following:
  - Restart your computer
  - After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  - Instead of Windows loading as normal, a menu should appear
  - Select the first option, to run Windows in Safe Mode.
  - Login as a user with administrator privileges.
  - When your computer has started in safe mode, and you see the desktop, continue with the rest of the instructions.
  - Click on the Start button and then select the Run option.
  - In the Open: field type C:\Program Files\ and then press the OK button.
  - When the folder appears, if it says These files are hidden, click on the Show the contents of this folder option.
  - When the C:\Program Files\ folder opens, look through the list of folders and when you find the folder named XPAntivirus left-click on it once so it becomes highlighted.
  - Then hit the Delete button on your keyboard and when it asks if you are sure you want to delete the folder, click on the Yes button with your mouse.
  - When the folder is deleted, reboot your computer back to normal mode.
- Unfortunately, your mileage may vary.
It was a little unclear if we were supposed to reboot into Safe Mode twice or not. I opted for not since it sounded like the second time they were letting us know how we would have gotten into Safe Mode in the first place.
- How do I know if I am in Safe Mode or not? Good question! You will see the words ‘Safe Mode’ in all four corners of your computer screen.
- I tried to be smart and go through the msconfig screen and check the /SAFEBOOT box on the BOOT.INI tab, but we were running under the non-admin account so it didn’t appear to take.
- We did not have a folder called XPAntivirus. Ours was called Antivirus2009.
- We actually got stuck in Safe Mode for a while (six or eight reboots). A combination of msconfig options and not pressing F8 eventually got us out (the /SAFEBOOT box in msconfig writes the switch into boot.ini, so the machine keeps booting into Safe Mode until you uncheck it). It was scary for a few minutes because the results for "can’t get out of safe mode" all involved boot disks.
- We initially thought we were triumphant. There were no pop-ups after we got in and IE brought up his home pages fine. But as soon as we tried to go to another page, the madness started again! Aaargghh!
There were some other hints in the xp antivirus 2008 post about looking for some crazy-named files in the System32 directory or installed as applications. We struck out there. There was one post that mentioned having success with Spybot Search & Destroy.
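As an added example that is not part of the original post or of ‘shecut’s instructions: a read-only PowerShell triage script that covers the places this post and its comments ended up looking by hand (the Program Files folder, the System32 directory, startup entries, and the boot.ini /safeboot switch that kept us stuck in Safe Mode), plus two spots that IE-only pop-ups make worth a look (Browser Helper Objects and the hosts file). It assumes PowerShell is installed on the XP box (it was a separate download in 2008) and that XPAntivirus and Antivirus2009, the two folder names seen on this page, are the names to match; the BHO and hosts checks are generic, since nothing on this page establishes that this particular sample used either.

```powershell
# Added example (not from the original post): read-only triage of the places a
# rogue "antivirus" like the one described above commonly lives. Run from an
# administrator account in Safe Mode. Nothing here deletes anything; it prints
# what to look at. XPAntivirus / Antivirus2009 are the folder names seen on the
# page; the rest of the pattern is an assumption, adjust it to what you see.
$SuspectPattern = 'XPAntivirus|Antivirus ?200[89]|browserprotectioncenter'

function Find-SuspectFolders {
    # Program Files (the post found C:\Program Files\Antivirus2009, 'shecut'
    # found XPAntivirus), System32 and the user profile. -Force shows hidden items.
    $roots = @("$env:ProgramFiles", "$env:SystemRoot\system32", "$env:USERPROFILE")
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $SuspectPattern } |
            ForEach-Object { "!! [file/folder] $($_.FullName)" }
    }
}

function Get-AutostartEntries {
    # Run/RunOnce keys for the machine and the current user. A rogue AV has to
    # restart itself after a reboot, so these are the first places to look
    # (the '_A00F276851' startup item mentioned in the comments would show here).
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip provider metadata
            $flag = if ("$($prop.Name) $($prop.Value)" -match $SuspectPattern) { '!!' } else { '  ' }
            "$flag [autostart] $key\$($prop.Name) = $($prop.Value)"
        }
    }
}

function Get-BrowserHelperObjects {
    # IE loads every CLSID registered here as a Browser Helper Object. The
    # injected "Google Tips" box and yellow warning bar are the kind of thing a
    # BHO does; whether this sample used one is not established, so this is a
    # list to review, not a verdict. Each CLSID is resolved to its DLL path.
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { '<no InprocServer32>' }
        "   [bho] $clsid -> $dll"
    }
}

function Get-HostsOverrides {
    # A hosts file that redirects search engines or vendor sites is one way to
    # make "Google" show a fake tip box. Print every non-comment line.
    $hosts = "$env:SystemRoot\system32\drivers\etc\hosts"
    Get-Content $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
        ForEach-Object { "   [hosts] $_" }
}

function Get-SafeBootSwitch {
    # The post got stuck in Safe Mode after ticking msconfig's /SAFEBOOT box.
    # On XP that box edits boot.ini; this shows whether the switch is still set.
    $bootIni = "$env:SystemDrive\boot.ini"
    if (Test-Path $bootIni) {
        Get-Content $bootIni | Where-Object { $_ -match '/safeboot' } |
            ForEach-Object { "!! [boot.ini] $_   <- remove /safeboot to boot normally" }
    }
}

Find-SuspectFolders
Get-AutostartEntries
Get-BrowserHelperObjects
Get-HostsOverrides
Get-SafeBootSwitch
```

Lines marked `!!` match the name pattern; everything else is printed so you can eyeball it, because a renamed sample will not match anything. Deleting the Program Files folder, as the steps above do, removes the program but leaves any Run-key or Startup entry that pointed at it, which is why the startup item in the comments mattered and why the pop-ups can come back after a reboot if only the folder is gone.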
So off we went. But wait, with IE acting up, I can’t download Spybot. I know! We need to install Firefox. It won’t be affected. Yeah, guess what? With IE acting up… So here we go again: Drop back to my computer, download FF, upload to my FTP site, get back on my dad’s computer, connect to my FTP site, download FF and install. Yay! "Hey look, Firefox doesn’t seem to be affected. Impressive." says my dad. Oh yeah, one more convert to Firefox!
Now to download Spybot with FF. We install Spybot and let it scan the system. Not surprisingly, it finds some additional items that Ad-Aware didn’t find last night. We let Spybot remove them and reboot. An initial check shows that things seem to be OK. IE isn’t acting up anymore. We try a few more things and are cautiously optimistic that the problem is solved. My dad is going to run Spybot a couple more times tonight (under different accounts).
So here we are at the end of Round 2. What are the morals of this episode?
- For the sake of your Family IT Person, run, do not walk, run and download and install Firefox right now! It is more secure than IE, and comes in handy for those times when IE is completely hosed!
- It seems there really is some truth to the rumor that you should run both Ad-Aware and Spybot, since each sometimes finds stuff the other didn’t.
It has been five hours since I signed off with my dad. Hopefully there won’t be a Round 3!
Update!
Just received word from my dad:
After completing the scan of both the admin and non-admin accounts I’ve rambled around using both Explorer and Firefox and have encountered none of the annoying pop-ups. Will do more checking tomorrow. I’m optimistic that you’ve come up with the necessary fixes.
We’ll see what tomorrow brings. Keep your fingers crossed!
Comments
15 Responses to “XP Antivirus 2008 and Antivirus 2009 - Round 2”
Hi Matt,
Sounds like you had as fun of a day as I did (not). I finally was able to boot up in Safe Mode but only by using msconfig. Once there I ran VirusScan just to see what it would catch (big surprise, nothing). That gave me an hour or so to go work off some of my frustration.
Anyway, so then I went to the steps from Shecut (and that you’ve posted above) with my fingers and toes crossed. Lo and behold I didn’t have any of those folders in the Program Files folder. So, then I had nothing better to do (ha!) so I looked through the majority of the rest of the folders and couldn’t find anything with the key words we’ve seen on various posts.
I also went back through RegEdit and searched for all the key words and couldn’t find anything there either.
So, after yet another day, I am nowhere closer to a fix. I guess I too will try Spybot. I’ve tried just about everything else, so why not!! I think my only advantage over you is that I have my work laptop here at home so I’m using it to do all my searching and downloading.
I assume I will still have the same problem when I boot in normal mode as I wasn’t able to find anything. Guess I will try Spybot next.
Talk to you soon.
Matt,
Well, that didn’t take long. I booted up in Normal mode and installed SpyBot StopZilla and when it launched it asked if I wanted to register the software now. The same old window popped up saying I was in dire risk. LOL
Anyway, thought I would run SpyBot first before loading Firefox. If I’m not able to get rid of this problem and stop using IE do you think that could cause problems for me down the road? (I really don’t know that much about viruses and this kind of crap.) I would really feel much better getting this resolved but I’m about at the end of things to try.
Well, I have SpyBot scanning so I guess this is a good time to go to bed. We’ll see what the morning brings. I can hardly wait!! lol
@Jan - Are you running SpyBot or StopZilla? I’m not familiar with StopZilla. Not saying that it is good or bad, just not familiar with it. I did see that it is #17 on this list: http://www.download.com/sort/3150-8022_4-0-1-4.html Notice that it only has 630K downloads. Ad-Aware and SpyBot have 300M and 100M downloads.
You can switch over and use Firefox and you might not run into too many problems, but I have a feeling that if you don’t completely eradicate this thing, it will keep showing up in annoying ways and make you miserable.
Not sure if you saw the update at the end of my post, but my dad emailed and said that so far things look pretty good.
I’ll let you know how it goes.
I got this in my email this morning from Philip:
I got win32 and I want to try it
Thank you SSSSSOOOOOO much. You are a computer God!!
I had this stupid Antivirus 2009 and it was in total control of my computer. I tried everything I could think of to get rid of it.
I did your “safe mode” directions and it worked perfectly. I then downloaded Firefox and got rid of IE. Thank you again.
A dumb computer owner.
@Suess60 - Glad I could help!
Hi, this happened to me and I actually went and bought the Antivirus 2009. Feel like an idiot! Once I got the email sending me my invoice I decided to Google it and realised it was dodgy. I cancelled my card and hopefully will get my money back. Then I restored the computer to two days ago and haven’t seen AV since. Does this mean it’s gone or could it be lurking in my system somewhere? I’m not the most technically minded. There are no icons on the screen anymore and I have had no problems online or in general with my computer. Please help.
I have a laptop that was infected with Antivirus 2009, with Verizon internet w/Verizon security. I am running Vista Home Premium and the pop-ups were not only scary but were driving me crazy. I tried to find something free to remove it but every one wanted to charge me at one time or another. I could not even find it in Add or Remove Programs and that too made me nervous. So I looked at my security and Verizon could not find it. A smart guy at work said that I should have Windows Defender, so I looked under software running and there it was, AV 2009. I removed it and I have been on the computer for 8 hrs without a single popup. Hooray!!!
Hello all, I just wanted to add, I tried everything to remove this Antivirus 2009 and Googled for 3 hours to find a cure. I ran Ad-Aware over and over again and it would only find 2 affected files, and then I would have to remove them, restart, run it again and it would find another two. I did that several times but it was still there. My problem however was that all the cures did not work for me. I did searches and could not find the antivirus2009 in my Task Manager or anywhere else for that matter. Everywhere was saying the same thing: find that file and delete it. But what do you do when you can’t find that file? After a few more hours of searching I noticed the file _A00F276851. It looked suspicious to me so I looked into it by searching it on Google and found absolutely nothing, so I figured it would be OK to delete. I also noted the date it showed up was around the time I started having problems, so I deleted it in my startup, but not before searching for it in files or folders. What do you know, it didn’t show up. I knew it had to be somewhere if it was in my startup, so I kept searching. I finally found it by going into Search, clicking on the search in more areas, searched in My Computer (it showed up, I deleted it) but just to be safe ran another search in My Computer and it showed up again. (PLEASE NOTE) I do not know what the _A00F27851 file was (if someone else does please feel free to correct me) but since removing it from my computer and my startup I have not had any problems whatsoever. No pop-ups, no warnings, no antivirus ads whatsoever. Then when I ran another Ad-Aware scan it showed nothing for the first time since I had the virus.
Thought I would just add this for all that are searching for a cure that can’t seem to be found as antivirus2009, in hopes that it may be helpful to someone else. Please let me know if it is.
Kelly
In XP, I caught XP Antivirus 2008 via Firefox even though I had Norton 360 which detected it, but clicking the “fix” did not fix it. Somewhere I read Norton detects only 6%, but Avira detects 90%, AVG 78%.
From a USB drive, I loaded free programs recommended by CNET, as follows:
Spybot stopped the popups.
Avira detected some files.
SuperAntiMalware (or something like that) detected more.
AVG detected nothing after all those ran.
I uninstalled Firefox and re-installed it.
Still, after I do a Google search and click on a result, Firefox takes me to some other unwanted Web site.
I GIVE UP. I AM GOING TO REINSTALL THE OPERATING SYSTEM with Dell’s phone help.
I’ve fought this mess too, and I found that ESET Nod32 completely obliterates it. It cleaned three infected machines for me.
Many of my IT clients are running into this latest threat. Everyone is in a panic about internet privacy and security. That makes them jump the gun and pull the trigger, loading these viruses into their machines. I used CA’s spyware cleaner and it got rid of the infection. Also, I found that if this pops up on your screen and the first thing you do is shut off the computer (hold the power off button), then reboot and delete your browser’s cache, and don’t go anywhere near the site you were at, it doesn’t infest your machine. TechBranch, Tampa Computer Repair
I have also been able to get rid of the infection with CA’s spyware cleaner.