
Antivirus 2009: Analysis and Removal

by Shanmuga

This post analyzes the installation method of the rogue antivirus application Antivirus 2009 and its effective removal, as I observed it. Antivirus 2009 is a fake antivirus application designed to scare users with fake alert screens about non-existent, and often misleadingly named, threats found on their system. When the user tries to clean the reported infections, the fake application directs them to a subscription page and prompts for payment.

I was prompted to install this bogus antivirus software when I clicked on a link from a hacked website, using Internet Explorer 6 (for test purposes) on Windows XP SP3. The browser was redirected to the IP address 87.248.180.90 in Moldova and then to greatvideo3.com on its way to internet-defense2009.com.

[Screenshot: Antivirus 2009 hijack]

At internet-defense2009.com, I was informed that Antivirus 2009 would scan my system for threats. The scan runs whether you close the window or click the OK button.


The fake Antivirus 2009 scan appears to run and finds “dangerous spyware” after just a few seconds. While you are pondering the options “Remove all” and “Ignore”, IE pops up a file download warning for a file named “AV2009Install_880147.exe”, the downloader for Antivirus 2009. On execution, this program downloads and installs Antivirus 2009 on your PC.

It should be noted here that to actually get infected by this rogue antivirus software, you need to get past two IE 6 warnings. At any time before the actual installation you can disconnect from your network and close the IE windows to avoid this infection.


Once the user gets past the IE warnings, the program itself prompts to install Antivirus 2009. When the user clicks Continue, the browser downloads the Antivirus 2009 installer av_2009.exe from antivirus-download3.com and then prompts for updates to the program from fastupdateserver.com.

It proceeds to download “winsystem.dll” and “zs880000.exe”, which are saved as “ieupdates.exe” and “winsrc.dll” in the local system folder. Once it is installed, the program shows a fake Windows Security Center look-alike, and the fake alerts start popping up every few minutes.


When the user chooses to clean the non-existent infections, the software redirects to its shopping cart at the domain “antivirus2009-pro.com” via “update-direct.com”. Curiously, antivirus2009-pro.com uses Google Analytics to track its visitors, as do many legitimate sites, including this one.

[Screenshot: Antivirus 2009 order path]

Here you are presented with the subscription options for Antivirus 2009. Clicking any of the options directs you to the payment processor at “secure.extrabilling.com”, a 128-bit SSL encrypted connection secured by a Comodo “Essential SSL” certificate.

One of the fake alerts also opens a “buy page” at “microsoft.browsersecuritycenter.com”. Unless the correct variable is passed in the URL, this domain redirects to the legitimate IE download site at http://www.microsoft.com/windows/downloads/ie/getitnow.mspx.

[Screenshot: Antivirus 2009 payment page SSL certificate]


System Changes

The following changes were noted on my system.

Files

  • C:\Program Files\AV9\av2009.exe
  • C:\WINDOWS\system32\ieupdates.exe
  • C:\WINDOWS\system32\winsrc.dll
  • C:\Documents and Settings\username\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
  • C:\Documents and Settings\username\Desktop\Antivirus 2009.lnk

Registry

  • HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037c7b8a-151a-49e6-baed-cc05fcb50328}
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ieupdate
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\38566660009196907304366822968945
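The file paths and registry entries above are the indicators a responder would sweep a machine for. The following Python script is an added example, not code from Malware Help.org: it carries exactly the paths and keys listed in this post, substitutes the real profile name for “username”, and reports a verdict. The probe functions are injectable so the logic can be exercised offline on any platform; the defaults (os.path.exists and winreg) do the real check on a Windows host. Treating the two Run entries as values under the Run key, and the triage rule in verdict(), are my own interpretation, not something the post states.

```python
"""Sweep a host for the Antivirus 2009 file and registry artifacts listed above.

Added example, not code from Malware Help.org. The paths and keys are the ones
recorded in the post; the probes are injectable so the logic runs offline on
any platform, while the defaults (os.path.exists and winreg) do the real check
on a Windows machine.
"""
import os
from typing import Callable, Dict, List, Optional, Tuple

try:
    import winreg  # Windows only; None elsewhere
except ImportError:
    winreg = None

# File artifacts from the post. "username" stands for the profile name of
# the logged-on user and is substituted at scan time.
IOC_FILES = [
    r"C:\Program Files\AV9\av2009.exe",
    r"C:\WINDOWS\system32\ieupdates.exe",
    r"C:\WINDOWS\system32\winsrc.dll",
    r"C:\Documents and Settings\username\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk",
    r"C:\Documents and Settings\username\Desktop\Antivirus 2009.lnk",
]

# Registry artifacts from the post as (hive, subkey, value). Assumption: the
# two Run entries are autostart values under the Run key, so their last path
# component is a value name; the CLSID and BHO entries are keys.
IOC_REGISTRY: List[Tuple[str, str, Optional[str]]] = [
    ("HKEY_CLASSES_ROOT", r"CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}", None),
    ("HKEY_LOCAL_MACHINE",
     r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037c7b8a-151a-49e6-baed-cc05fcb50328}",
     None),
    ("HKEY_CURRENT_USER", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "ieupdate"),
    ("HKEY_CURRENT_USER", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "38566660009196907304366822968945"),
]

RegProbe = Callable[[str, str, Optional[str]], bool]


def winreg_probe(hive: str, subkey: str, value: Optional[str]) -> bool:
    """Default registry probe: True if the key (and the value, if given) exists."""
    if winreg is None:
        return False
    try:
        with winreg.OpenKey(getattr(winreg, hive), subkey) as key:
            if value is not None:
                winreg.QueryValueEx(key, value)
            return True
    except OSError:
        return False


def scan_files(username: str, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Return the listed file artifacts that exist, with the profile name filled in."""
    found = []
    for path in IOC_FILES:
        real = path.replace("\\username\\", "\\" + username + "\\")
        if exists(real):
            found.append(real)
    return found


def scan_registry(probe: RegProbe = winreg_probe) -> List[str]:
    """Return the listed registry artifacts that exist, as full registry paths."""
    found = []
    for hive, subkey, value in IOC_REGISTRY:
        if probe(hive, subkey, value):
            found.append(hive + "\\" + subkey + ("\\" + value if value else ""))
    return found


def verdict(files: List[str], keys: List[str]) -> str:
    """Triage rule (mine, not the post's): an autostart value, the BHO
    registration or a dropped binary means the rogue is installed; leftover
    shortcuts or a stray CLSID alone are residue to clean, not a live install."""
    persistence = [k for k in keys if "\\Run\\" in k or "Browser Helper Objects" in k]
    binaries = [f for f in files if f.lower().endswith((".exe", ".dll"))]
    if persistence or binaries:
        return "infected"
    if files or keys:
        return "residue"
    return "clean"


def assess(username: str,
           exists: Callable[[str], bool] = os.path.exists,
           probe: RegProbe = winreg_probe) -> Dict[str, object]:
    """Run both sweeps and return the hits together with the verdict."""
    files = scan_files(username, exists)
    keys = scan_registry(probe)
    return {"files": files, "registry": keys, "verdict": verdict(files, keys)}


if __name__ == "__main__":
    # On a Windows host this runs the real probes for the logged-on user.
    print(assess(os.environ.get("USERNAME", "username")))
```

Run it as the affected user on the XP machine; on any other platform the registry probe simply reports nothing, which is why the unit checks pass in their own fake file and registry state rather than the real one.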

Associated Domains

  • internet-defense2009.com
  • greatvideo3.com
  • antivirus-download3.com
  • fastupdateserver.com
  • update-direct.com
  • antivirusprotection2009.com
  • secure.extrabilling.com
  • microsoft.browsersecuritycenter.com
  • antivirus-database.com
  • xp-registration.com

Antivirus 2009 Removal

The free editions of both SUPERAntiSpyware and Malwarebytes’ Anti-Malware are capable of cleaning this fake antivirus application.

More Antivirus 2009 Screenshots

[Screenshot gallery: six further Antivirus 2009 screenshots, not reproduced in text]


46 comments

maggie August 22, 2008 at 7:29 PM

Hi

I fell for this scam and have now been charged $149 – I have emailed the supposed support, but have received no response – any suggestions as to how to get my money back and if this is a fake how do I get rid of it? Thanks.

In distress,

Maggie


Shanmuga August 22, 2008 at 8:11 PM

I am sorry to hear about your plight. As intimated in the post the free versions of both SUPERAntiSpyware and Malwarebytes’ Anti-Malware are quite capable of cleaning this fake antivirus application.


Mash August 23, 2008 at 4:50 PM

Shanmuga,

it's taken me over two weeks trying to get rid of this antivirus application and you are an absolute angel!

SUPERAntiSpyware removed it !!!!!!!!!!!!

THANK YOU VERY VERY MUCH FOR TAKING THE TIME TO ASSIST IN EXTRACTING THIS PAIN IN THE A55 VIRUS


Shanmuga August 23, 2008 at 5:08 PM

Hi Mash, glad that you found the post useful.


Anonhelper August 26, 2008 at 4:07 AM

Dear all, you are seeing this because someone has hacked the webserver that you are accessing, so please avoid any fear that your client machine or PC is infected with a virus. However, this INDEED is a security threat, but this is an issue for the server admins to sort out, not for the end-PC users.


Shanmuga August 26, 2008 at 7:20 AM

@Anonhelper, that’s not quite true. While the server admins should clean up and secure their machines to avoid recurrence, the already infected users must clean their systems to get rid of this pest. So, it’s not quite correct to say that this threat is not for the end users.


Anonhelper August 26, 2008 at 8:01 PM

OK, let me be clear on what I intend to say:

a) If you have just had a pop-up window from internet-defense2009 asking to install, and you did NOT take any action by clicking, then your machine is NOT infected with any virus and does not need any cleaning up. Please do not install any software just because you have seen this pop-up. This pop-up happens because of a server security issue, which is for the server admins to sort out. No need to worry.

b) If you have installed the software from the internet-defense2009 phishing website by clicking the link, you may want to try a system restore first before installing any software. See whether that has sorted the issue before installing any malware/spyware software remedy.


Shanmuga August 26, 2008 at 9:36 PM

Anonhelper, thanks for coming back to clarify your point. I briefly touched upon this in the post itself:

Here it should be noted that to get really infected by this rogue antivirus software, you need to get past two IE 6 warnings. You can at any time before the actual installation disconnect from your network and close IE windows to avoid this infection.

But, I wonder how many users are going to have the presence of mind to do that?


Lici August 26, 2008 at 11:06 PM

Hi, I also installed this thing and I’m trying to clean my computer, but I just want to verify if someone that is already billed can have the money back.


niceguy August 27, 2008 at 2:01 AM

You can get your money back – but not with the perpetrators’ help. Call your credit card company and admit that you have fallen victim to an internet scam. The charges will be placed in dispute, and they should immediately credit your account pending investigation.


frustrated August 28, 2008 at 11:10 AM

Hi,

I haven’t downloaded Antivirus 2009 (not that I recall) but the pop-ups are really frequent, urging me to download. It is starting to get really frustrating because it seems with every website, it pops up. Is this a sign that I accidentally downloaded it? Is my pop-up blocker not strong enough? I have tried to go into Windows Task Manager and see if Antivirus 2009 processes are running, but I haven’t found any. Help! :S


Shanmuga August 28, 2008 at 2:56 PM

Download the free edition of SUPERAntiSpyware and perform a scan, it should remove it. If you still have the popups after the scan please request for help in one of the Recommended Online Forums for Malware Help.


frustrated September 1, 2008 at 11:41 PM

Thanks Shanmuga, it worked! :) The new software you got me to dl worked really well, it picked up so many trojans and other viruses that my old system didn’t find. Thanks again.


Shanmuga September 2, 2008 at 8:56 AM

Glad it helped! Would you mind telling us what was your earlier antispyware software which missed this and other infections?


goingpostal September 9, 2008 at 4:06 AM

I ran the end process and deleted it from Program Files, but now it seems to be blocking my access to my home webpage.
Probably a last ditch effort.
Any suggestions on cleaning this up?

Shanmuga September 9, 2008 at 12:36 PM

Did you run any of the scans mentioned in the article? If not, please download the free edition of SUPERAntiSpyware and perform a scan; it should remove it. If you still see pop-ups after the scan please request help in one of the Recommended Online Forums for Malware Help.

Garry September 9, 2008 at 5:09 PM

Well done Shanmuga
This range of malware is really something different. I have been using the 2 mentioned products, MBAM & Super, to tackle many machines with various degrees of success. Some need a three-pronged approach with updated antivirus software as well. Some PCs needed the MBAM exe to be renamed before it could be executed. Some took many sweeps and mucking around with TCP/IP settings before it could go online & be updated.

But two wonderful products nonetheless.


computer crazy September 9, 2008 at 4:15 PM

I am SOOOOOO grateful for your blog and suggestion of using SUPERAntiSpyware to remove this computer pest. As soon as I started getting the pop-ups earlier today I ran a Symantec antivirus update, but it did not remove the issue. I also tried Avast, NoAdware, and CyberDefender to no avail before finding your blog online and trying SUPERAntiSpyware. So far so good as far as looking like the virus is gone!!! Thank you!!!

Shanmuga September 9, 2008 at 5:39 PM

Hi computer crazy and Garry, thanks for sharing your experience.

computer crazy September 10, 2008 at 3:37 PM

Hi Shanmuga,

My computer began having the pop-ups associated with the MS Antivirus 2009 yesterday and I ran SUPERAntiSpyware and it seems to have cleaned out the virus, but today I noticed the fake icon for this virus is still on my Control Panel. Like an idiot, I clicked on it to see if it was the virus icon and it is, as now I’m getting the pop-ups again. I am in the process of running the SUPERAntiSpyware again, but is there any way of getting this virus out of my Control Panel permanently?

Shanmuga September 10, 2008 at 5:08 PM

Try scanning with Malwarebytes’ Anti-Malware. That should automatically remove it. The fake security center icon in control panel points to the file \WINDOWS\system32\scui.cpl.


frustrated September 15, 2008 at 1:53 PM

Hi Shanmuga,

sorry for the late reply, I was post 13. The pop-up blocker I was using was Lavasoft Ad-Aware. My anti-virus is AVG.

Going Crazy September 20, 2008 at 7:21 PM

I had Antivirus 2009 and got SpyHunter to remove it. Although it looks like all traces were gone my IE 7 is still not working and my system keeps crashing. I then downloaded Spybot which got rid of the SpyHunter and other things and my system is still acting the same way. I tried to remove IE and install the new 8 Beta version and no changes. The links are still going to all sorts of places on Google. Help!

you are my star October 2, 2008 at 4:44 PM

thank you for such a detailed antivirus 2009 removal ! ! !


daniel October 2, 2008 at 6:58 PM

I recently deleted the fake MS Antivirus but paid a whopping €60 for the subscription!

Does anyone know if the fee is once off onto the card or do the malware people try and get you again even if the program was completely removed?

Either way I will have to cancel my credit card…

thanks for help


vero October 11, 2008 at 1:29 AM

I have this virus on my computer and my computer is soooo slow and sometimes it turns off by itself.. I can’t even log into the internet.. How can I delete it completely.. Do you think it would be better if I rebuilt my computer?

Shanmuga October 11, 2008 at 8:37 AM

You may not need to re-install your system. Please post for help in one of the Recommended Online Forums for Malware Help.


Annie October 16, 2008 at 5:06 AM

Antivirus 2009 keeps popping up on my computer trying to install, but it hasn’t installed. Is there a way to block that from popping up? I went through all the manual steps to uninstall it and it’s not on my computer, but its perpetual pop-ups concern me. Any advice would be great. Thanks!


marj October 24, 2008 at 2:23 AM

Hi Shanmuga,
a big thank you for that advice on that spyware, it cleaned up the av2009 virus I had popping up on my screen. Again thanks heaps.

marj October 24, 2008 at 2:29 AM

Sorry about some spelling mistakes I made in my first message. Again, thanks.

Shanmuga October 24, 2008 at 7:50 AM

Glad it helped, marj.


sarahspbear October 24, 2008 at 7:47 PM

I fell victim, and the company keeps charging stuff. 3 times now I have had charges hit my account so I had to change my CC number, and put all charges from that company in dispute with my CC company. The charging company has a new name each time (memberfees, membershipfees, etc). BUT, they keep the same tel # attached to it so you can call. BUT, they refuse to answer any questions when you call them and only want more info.
I am in the process of filing paperwork with the BBB. And of course I’m paranoid to download even this clean-up spyware because I feel like I can’t trust any online anything anymore.

damned October 30, 2008 at 5:57 AM

Initially I had SUPERAntiSpyware but the virus blocked it from opening. Then I got Malwarebytes and it removed it…. temporarily. I keep updating definitions whenever there’s something to update but to no avail… it just restarts at some point and returns. Now my clock is stuck in 24-hour time. One of many annoyances.

Anonymous November 2, 2008 at 2:24 PM

I just got an X on the bottom of my screen and it says my computer is infected, to click on it and then Windows will download the proper antispyware for me, and to click to protect my computer. When I click it says please wait, extracting, and it doesn’t do anything else. What should I do?

Find Me The Moron Who Made This Virus And I'll Manhunt Him ... November 15, 2008 at 8:44 PM

Ok so I was browsing through the web (oh and I wasn’t browsing through those xxx sites or anything..) and suddenly my computer rebooted by itself …. I know from there that when I logged in I would have a virus .. but dang this is the most irritating virus yet … I scanned it with my antivirus (I’m using ESET), it detected and deleted some trojans and when I restarted my computer everything was gone EXCEPT that irritating pop-up, and my Control Panel has changed (I know because I can only view it in classic view, I can’t change it to the normal XP default view). I have downloaded Malwarebytes and while typing this I am scanning my computer. Anyone know how I can get my Control Panel back to the way it was … I feel so mad that someone has changed my computer settings, especially someone that I don’t even know! F*** you hackers, get a life, you’re not getting any cent from me, get a job A HOLES!

I hope Malwarebytes fixes everything .. will post again after I complete the scan

bob November 19, 2008 at 1:37 PM

I have a major problem. Somehow this stupid Antivirus Pro 2009 program installed itself on my computer while I was browsing the net. I installed it thinking that it was going to help after the stupid pop-up said that I was infected, then by chance I found out it was a virus, so I spent hours and days searching for a way to remove it. I managed to remove Antivirus Pro 2009, but the friggin pop-up thing doesn’t leave. Everything I’ve tried doesn’t work. Now before you recommend me to download an antivirus program like you’ve suggested before: I cannot install any programs on my computer, it won’t let me. Windows Defender doesn’t work, it comes up with an error, and AVG and Spybot won’t open no matter how many times I click on them. I don’t know what to do – please help me – and please provide a very detailed description as I’m no computer expert.

Shanmuga November 19, 2008 at 4:57 PM

bob, can you restart in safe mode? If you can, try running the security scans in safe mode. If you cannot restart in safe mode or the malware is stubborn, please post for help in one of the Recommended Online Forums for Malware Help. Help on booting in safe mode, if you require it, is at How to Start Windows in Safe Mode.

bob November 20, 2008 at 10:11 AM

I can restart in safe mode but again they don’t open and I can’t run the scans. I’ll post on the site that you recommended and hopefully that will help.

jerremy December 4, 2008 at 6:46 PM

Manual removal of Antivirus 2009 is kinda complicated but it’s the fastest way to deal with this infection. Well, unless you want to format disks and reinstall Windows. Those who recommend running some scans probably haven’t met Antivirus 2009. It can block security tools. The only effective way to deal with it is using Antivirus 2009 removal.

Clifford December 6, 2008 at 8:10 PM

Thank you, that ad has been driving me nuts for a month and I can finally rest now since it is gone. Tried many programs including store-bought and none worked until I used Malwarebytes.

Thanks again

Karen December 29, 2008 at 11:14 PM

12/29/08
Last night I received warnings about virus in my computer and that I should download “Antivirus 2009″. Even on the Google homepage it had warnings. I didn’t download or pay for it but just opening it up to see what it was about it took over my computer with pop-ups, blocking anything I wanted to look at and freezing my computer. I didn’t know what to do. I found this website by accident and read what everyone had to say which helped me a lot. I downloaded the free “SuperAntispyware” program and the pop-up and warnings are gone. Thank you for all your information. Happy New Year, Karen


becstar December 30, 2008 at 8:05 AM

I have tried to download both of the suggested programs onto my infected computer but the websites to download from will either not open or, once the program has been installed, it won’t launch. I have installed Malwarebytes Anti-Malware but can’t get it to run!
I can’t connect to the online support for the anti-virus software that I purchased (legit and well known company). I don’t know what else to do other than rebuilding my PC!

Space Captain January 3, 2009 at 12:22 PM

A few years ago, while employed by a custom pc builder, I brought a little discovery to their attention. A well-known anti-virus trial-to-purchase program, that happened to be bundled with new pc software, seemed to be doing amazing things. The day before the trial version ended, the program stated that the pc was virus or threat-free. The day the trial version ended, the program stated that the pc had acquired critical threats and advised the customer to purchase the program to eliminate the problems. Has anyone else been enlightened by such actions or am I the world’s first. Since then I’ve refused to use that program and tell others that use it my story.


John January 25, 2009 at 6:52 PM

This is a nasty little booger indeed. I was running AVG and Malwarebytes on my PC and it still found its way in. I ended up using Spybot to clean everything out. It found all kinds of stuff that the other 2 missed. Also, if you use thumb drives be really careful. A machine I had cleaned loaded 2 files onto my thumb drive, undetectable by AVG. It was the virus files. So whatever you do, be careful when plugging in a thumb drive from another computer. I have a feeling that there are still some resident files on my machines from this virus leaving the door open for another infection later.

Eddie March 7, 2009 at 10:03 AM

Hi,

Thanks for the great column. We were able to rid ourselves of this nasty malware with the free download from malwarebytes.com

Here is my question: Should we stop using IE and start using only Mozilla Firefox as a web browser?

Thanks!

Eddie


mike fink August 18, 2009 at 11:26 PM

This is an awful malware. I had the Windows Antivirus Pro version. It took over my desktop and I could not run any executables including any anti-spyware. I found SpyHunter by Enigma Software and purchased SpyHunter, which runs off a .bat not a .exe. This released my other programs and the executables would function. Both IE and Chrome however were not cleaned. Pop-ups and new tabs kept opening and opening wanting me to purchase the beast. I could not open in Safe Mode or attempt restores either. Firefox was not impacted. SpyHunter kept telling me that I was clean. I tried a few other spyware programs (Spybot). They didn’t find it either.
I finally found Malwarehelp.org. It recommended SUPERAntiSpyware (which is free.) After running that — I was finally clean. This program found 3 Trojans that SpyHunter did not. I needed a combo treatment. Spent hours on this. — Mike
