
Antivirus 2009: Analysis and Removal

by Shanmuga

This post analyzes the installation method of the rogue antivirus application Antivirus 2009, and its effective removal, as I observed them. Antivirus 2009 is a fake antivirus application designed to scare users with fake alert screens about non-existent and often misleadingly named threats on their system. When the user tries to clean the reported infections, the fake application directs the user to a subscription page and prompts for payment.

I was prompted to install this bogus antivirus software when I clicked on a link from a hacked website, using Internet Explorer 6 (for test purposes) on Windows XP SP3. The browser was redirected to an IP address in Moldova and then to on its way to

At, I was informed that Antivirus 2009 will scan my system for threats. The scan will run whether you close the window or click the OK button.

The fake Antivirus 2009 scan appears to run and finds “dangerous spyware” after just a few seconds. While you are pondering the options “Remove all” or “Ignore”, IE pops up a file download warning for a file named “AV2009Install_880147.exe”, the downloader for Antivirus 2009. When executed, this program downloads and installs Antivirus 2009 on your PC.

Here it should be noted that to get really infected by this rogue antivirus software, you need to get past two IE 6 warnings. You can at any time before the actual installation disconnect from your network and close IE windows to avoid this infection.

Once the user gets past the IE warnings, the program itself prompts the user to install Antivirus 2009. When the user clicks continue, the browser downloads the Antivirus 2009 installer av_2009.exe from and prompts for updates to the program from

It proceeds to download “winsystem.dll” and “zs880000.exe”, which are saved as “ieupdates.exe” and “winsrc.dll” in the local system folder. Once it is installed, the program shows a fake Windows Security Center lookalike and the fake alerts start popping up every few minutes.

When the user chooses to clean the non-existent infections, the software redirects to its shopping cart at the domain “” via “”. Curiously uses Google Analytics to track its visitors, as do many legitimate sites including this one.

Here you are presented with the subscription options for Antivirus 2009; on clicking any of the options you are directed to the payment processor at “”, a 128-bit SSL encrypted connection, secured by a Comodo “Essential SSL” certificate.

One of the fake alerts also opens a “buy page” at ““. Unless the correct variable is used in the URL, this domain redirects to the legitimate IE download site at

System Changes

The following changes were noted on my system.


  • C:\Program Files\AV9\av2009.exe
  • C:\WINDOWS\system32\ieupdates.exe
  • C:\WINDOWS\system32\winsrc.dll
  • C:\Documents and Settings\username\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
  • C:\Documents and Settings\username\Desktop\Antivirus 2009.lnk


  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037c7b8a-151a-49e6-baed-cc05fcb50328}
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ieupdate
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\38566660009196907304366822968945
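
The file and registry entries listed above can be matched against listings collected from a suspect machine. The following Python is an added example, not part of the original post: the sample listings are constructed, the `username` path segment is treated as a wildcard, and the all-digit Run-value heuristic is an assumption (the post shows only one such value).

```python
import re

# Indicators copied from the "System Changes" lists in the post. "username" is
# the post's placeholder for the profile name, so it is matched as a wildcard.
FILE_IOCS = [
    r"C:\Program Files\AV9\av2009.exe",
    r"C:\WINDOWS\system32\ieupdates.exe",
    r"C:\WINDOWS\system32\winsrc.dll",
    r"C:\Documents and Settings\username\Application Data\Microsoft"
    r"\Internet Explorer\Quick Launch\Antivirus 2009.lnk",
    r"C:\Documents and Settings\username\Desktop\Antivirus 2009.lnk",
]
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
REG_IOCS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
    r"\Browser Helper Objects\{037c7b8a-151a-49e6-baed-cc05fcb50328}",
    RUN_KEY + r"\ieupdate",
    RUN_KEY + r"\38566660009196907304366822968945",
]
HIVES = {"hkcu": "hkey_current_user", "hklm": "hkey_local_machine"}


def _norm(entry):
    """Lower-case (Windows names are case-insensitive) and expand hive aliases."""
    e = entry.strip().strip('"').replace("/", "\\").rstrip("\\").lower()
    head, sep, tail = e.partition("\\")
    return HIVES.get(head, head) + sep + tail


def _ioc_regex(ioc):
    """Compile one indicator; the 'username' segment matches any single name."""
    parts = [r"[^\\]+" if p == "username" else re.escape(p)
             for p in _norm(ioc).split("\\")]
    return re.compile(r"\\".join(parts))


# Assumption: the numeric Run value name may differ between installs, so any
# long all-digit value name under the HKCU Run key is flagged as a weaker hit.
NUMERIC_RUN = re.compile(re.escape(_norm(RUN_KEY)) + r"\\\d{16,}")


def triage(file_listing, registry_listing):
    """Return (kind, entry, reason) for every listing line that matches."""
    hits = []
    for kind, lines, iocs in (("file", file_listing, FILE_IOCS),
                              ("registry", registry_listing, REG_IOCS)):
        patterns = [_ioc_regex(i) for i in iocs]
        for line in lines:
            n = _norm(line)
            if any(rx.fullmatch(n) for rx in patterns):
                hits.append((kind, line.strip(), "listed indicator"))
            elif kind == "registry" and NUMERIC_RUN.fullmatch(n):
                hits.append((kind, line.strip(), "heuristic: all-digit Run value"))
    return hits


# Constructed sample listings (not taken from a real machine).
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\notepad.exe",
    r"c:\windows\SYSTEM32\IEUpdates.exe",
    r"C:\Documents and Settings\alice\Desktop\Antivirus 2009.lnk",
]
SAMPLE_REG = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ieupdate",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe",
    RUN_KEY + r"\11112222333344445555666677778888",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FILES, SAMPLE_REG):
        print(hit)
```

Registry lines are expected as key path plus value name, one per line; the two HKCU entries in the post sit directly under the Run key, so they are treated as value names rather than subkeys.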

Associated Domains


Antivirus 2009 Removal

The free editions of both SUPERAntiSpyware and Malwarebytes’ Anti-Malware are capable of cleaning this fake antivirus application.


maggie August 22, 2008 at 7:29 PM


I fell for this scam and have now been charged $149 – I have emailed the supposed support, but have received no response – any suggestions as to how to get my money back and if this is a fake how do I get rid of it? Thanks.

In distress,



Shanmuga August 22, 2008 at 8:11 PM

I am sorry to hear about your plight. As intimated in the post the free versions of both SUPERAntiSpyware and Malwarebytes’ Anti-Malware are quite capable of cleaning this fake antivirus application.


Mash August 23, 2008 at 4:50 PM


It’s taken me over two weeks trying to get rid of this antivirus application and you are an absolute angel!

SUPERAntiSpyware removed it !!!!!!!!!!!!



Shanmuga August 23, 2008 at 5:08 PM

Hi Mash, glad that you found the post useful.


Anonhelper August 26, 2008 at 4:07 AM

Dear all, You are seeing this because someone has hacked the webserver that you are accessing, so please avoid any fear that your client machine or PC is infected with a virus. However, this INDEED is a security threat, but this is an issue for the server admins to sort out, not for the end-pc users.


Shanmuga August 26, 2008 at 7:20 AM

@Anonhelper, that’s not quite true, while the server admins should clean-up and secure their machines to avoid recurrence, the already infected users must clean their systems to get rid of this pest. So, it’s not quite correct to say that this threat is not for the end users.


Anonhelper August 26, 2008 at 8:01 PM

OK, Let me be clear on what I intend to say

a) If you have just had a pop up window from internet-defense2009 asking to install, and you did NOT take any action by clicking, then your machine is NOT infected with any virus and does not need any cleaning up. Please do not install any software just because you have seen this popup. This pop up happens because of a server security issue, which is for the server admins to sort out. No need to worry.

b) If you have installed the software from the internet-defense2009 phishing website by clicking the link, you may want to try a system restore first before installing any software. See whether that has sorted the issue before installing any malware/spyware software remedy.


Shanmuga August 26, 2008 at 9:36 PM

Anonhelper, Thanks for coming back to clarify your point. I briefly touched upon this in the post itself,

Here it should be noted that to get really infected by this rogue antivirus software, you need to get past two IE 6 warnings. You can at any time before the actual installation disconnect from your network and close IE windows to avoid this infection.

But, I wonder how many users are going to have the presence of mind to do that?


Lici August 26, 2008 at 11:06 PM

Hi, I also installed this thing and I’m trying to clean my computer, but I just want to verify if someone that is already billed can have the money back.


niceguy August 27, 2008 at 2:01 AM

You can get your money back – but not with the perpetrators’ help. Call your credit card company and admit that you have fallen victim to an internet scam. The charges will be placed in dispute, and they should immediately credit your account pending investigation.


frustrated August 28, 2008 at 11:10 AM


I haven’t downloaded antivirus 2009 (not that I recall) but the pop-ups are really frequent, urging me to download. It is starting to get really frustrating because it seems with every website, it pops up. Is this a sign that I accidentally downloaded it? Is my pop up blocker not strong enough? I have tried to go into Windows Task manager and see if Antivirus 2099 processes are running, but I haven’t found any. Help! :S


Shanmuga August 28, 2008 at 2:56 PM

Download the free edition of SUPERAntiSpyware and perform a scan, it should remove it. If you still have the popups after the scan please request for help in one of the Recommended Online Forums for Malware Help.


frustrated September 1, 2008 at 11:41 PM

Thanks Shanmuga, it worked! 🙂 The new software you got me to dl worked really well, it picked up so many trojans and other viruses that my old system didn’t find. Thanks again.


Shanmuga September 2, 2008 at 8:56 AM

Glad it helped! Would you mind telling us what was your earlier antispyware software which missed this and other infections?


goingpostal September 9, 2008 at 4:06 AM

I ran the end process and delete from program files, but now it seems to be blocking my access to my home webpage.
Probably a last ditch effort.
Any suggestions on cleaning this up.


Shanmuga September 9, 2008 at 12:36 PM

Did you run any of the scans mentioned in the article? If not please download the free edition of SUPERAntiSpyware and perform a scan, it should remove it. If you still see popups after the scan please request for help in one of the Recommended Online Forums for Malware Help.


Garry September 9, 2008 at 5:09 PM

Well done Shanmuga
This range of malware is really something different. I have been using the 2 mentioned products mbam & Super to tackle many machines with various degrees of success. Some need a three pronged approach with updated antivirus software as well. Some PCs needed the mbam exe to be renamed before it can be executed. Some took many sweeps and mucking around with tcp/ip settings before it could go online & be updated.

But two wonderful products nonetheless.


computer crazy September 9, 2008 at 4:15 PM

I am SOOOOOO grateful for your blog and suggestion of using SUPERantispyware to remove this computer pest. As soon as I started getting the pop-ups earlier today I ran a symantec antivirus update, but it did not remove the issue. I also tried Avast, noadware, and cyberdefender to no avail before finding your blog online and trying SUPERantispyware. So far so good as far as looking like the virus is gone!!! Thank you!!!


Shanmuga September 9, 2008 at 5:39 PM

Hi computer crazy and Garry, Thanks for sharing your experience.


computer crazy September 10, 2008 at 3:37 PM

Hi Shanmuga,

My computer began having the pop ups associated with the MS Antivirus 2009 yesterday and I ran superspyware and it seems to have cleaned out the virus, but today I noticed the fake icon for this virus is still on my control panel. Like an idiot, I clicked on it to see if it was the virus icon and it is, as now I’m getting the pop ups again. I am in the process of running the SUPERantispyware again, but is there any way of getting this virus out of my control panel permanently?


Shanmuga September 10, 2008 at 5:08 PM

Try scanning with Malwarebytes’ Anti-Malware. That should automatically remove it. The fake security center icon in control panel points to the file \WINDOWS\system32\scui.cpl.


frustrated September 15, 2008 at 1:53 PM

Hi Shanmuga,

Sorry for the late reply, I was post 13. The pop-up blocker I was using was LavaSoft Ad-Aware. My anti-virus is AVG.


Going Crazy September 20, 2008 at 7:21 PM

I had Anti-virus 2009 and got spyhunter to remove it. Although it looks like all traces were gone my IE 7 is still not working and my system keeps crashing. I then downloaded spybot which got rid of the Spyhunter and other things and my system is still acting the same way. I tried to remove IE & and install the new 8 Beta version and no changes. The links are still going to all sorts of places on google. Help!


you are my star October 2, 2008 at 4:44 PM

thank you for such a detailed antivirus 2009 removal ! ! !


daniel October 2, 2008 at 6:58 PM

I recently deleted the fake MS Antivirus but paid a whopping €60 for the subscription!

Does anyone know if the fee is once off onto the card or do the malware people try and get you again even if the program was completely removed?

Either way I will have to cancel my credit card…

thanks for help


vero October 11, 2008 at 1:29 AM

I have this virus on my computer and my computer is soooo slow and sometimes it turns off by itself.. I can’t even log into the internet.. how can I delete it completely.. do you think it would be better if I rebuilt my computer?


Shanmuga October 11, 2008 at 8:37 AM

You may not need to re-install your system. Please post for help in one of the Recommended Online Forums for Malware Help.


Annie October 16, 2008 at 5:06 AM

Antivirus 2009 keeps popping up on my computer trying to install, but it hasn’t installed. Is there a way to block that from popping up? I went through all the manual steps to uninstall it and it’s not on my computer, but its perpetual pop-ups concern me. Any advice would be great. Thanks!


marj October 24, 2008 at 2:23 AM

Hi Shanmuga,
a big thank you for that advice on that spyware its clean up the av2009 virus i had poping up on my sreen, again thanks heaps


marj October 24, 2008 at 2:29 AM

sorry about some spelling mistake i made in my first message, again tks


Shanmuga October 24, 2008 at 7:50 AM

Glad it helped, marj.


sarahspbear October 24, 2008 at 7:47 PM

I fell victim, and the company keeps charging stuff. 3 times now I have had charges hit my account so I had to change my cc number. And put all charges from that company in dispute with my cc company. The charging company has a new name each time (memberfees, membershipfees, etc). BUT, they keep the same tel # attached to it so you can call. BUT, they refuse to answer any questions when you call them and only want more info.
I am in the process of filing paperwork with the BBB. And of course I’m paranoid to download even this clean-up spyware because I feel like I can’t trust any online anything anymore.


damned October 30, 2008 at 5:57 AM

Initially I had Superantispyware but the virus blocked it from opening. Then I got Malwarebytes and it removed it…. temporarily. I keep updating definitions whenever there’s something to update but to no avail… it just restarts at some point and returns. Now my clock is stuck in 24hrs. time. One of many annoyances.


Anonymous November 2, 2008 at 2:24 PM

I just got an x on the bottom of my screen and it says my computer is infected, to click on it and then Windows will download the proper antispyware for me and to click to protect my computer. When I click, it says pleace wait extracting and it doesn’t do anything else. What should I do?


Find Me The Moron Who Made This Virus And I'll Manhunt Him ... November 15, 2008 at 8:44 PM

Ok so I was browsing through the web (oh and I wasn’t browsing through those xxx sites or anything..) and suddenly my computer rebooted by itself …. I know from there that when I logged in I will have a virus .. but dang this is the most irritating virus yet … I scanned it with my antivirus (I’m using eset32), it detected and deleted some trojans and when I restart my computer everything was gone EXCEPT that irritating popup, and my control panel has changed (I know cause I can only view it on classic view, I can’t change it to the normal XP default view). I have downloaded Malwarebytes and while typing this I am scanning my computer, anyone know how I can get my control panel back to the way it was … I feel so mad that someone has changed my computer settings, especially someone that I don’t even know! F*** you hackers, get a life, you’re not getting any cent from me, get a job a HOLES!

I hope Malwarebytes fixes everything .. will post again after I completed the scan


bob November 19, 2008 at 1:37 PM

I have a major problem: somehow this stupid antivirus pro2009 program installed itself on my computer while I was browsing the net. I installed it thinking that it was going to help after the stupid popup said that I was infected, then by chance I found out it was a virus so I spent hours and days searching for a way to remove it. I managed to remove antivirus pro 2009, but the friggin popup thing doesn’t leave, everything I’ve tried doesn’t work. Now before you recommend me to download an antivirus program like you’ve suggested before, I cannot install any programs on my computer, it won’t let me. Windows Defender doesn’t work, it comes up with an error, and AVG and Spybot won’t open no matter how many times I clicked on them. I don’t know what to do – please help me – and please provide a very detailed description as I’m no computer expert.


Shanmuga November 19, 2008 at 4:57 PM

bob, can you restart in safe mode? If you can, try running the security scans in safe mode. If you cannot restart in safe mode or the malware is stubborn, please post for help in one of the Recommended Online Forums for Malware Help. Help on booting in safe mode, if you require it, is at How to Start Windows in Safe Mode.


bob November 20, 2008 at 10:11 AM

I can restart in safe mode but again they don’t open and I can’t run the scans, I’ll post on the site that you recommended and hopefully that will help


jerremy December 4, 2008 at 6:46 PM

manual removal of antivirus2009 is kinda complicated but it’s the fastest way to deal with this infection. well unless you want to format disks and reinstall windows. those who recommend running some scans, they probably hadn’t met antivirus 2009. it can block security tools. the only effective way to deal with it is using antivirus2009 removal.


Clifford December 6, 2008 at 8:10 PM

Thank you, that ad has been driving me nuts for a month and I can finally rest now since it is gone. Tried many programs including store-bought and none worked until I used Malwarebytes.

Thanks again


Karen December 29, 2008 at 11:14 PM

Last night I received warnings about virus in my computer and that I should download “Antivirus 2009”. Even on the Google homepage it had warnings. I didn’t download or pay for it but just opening it up to see what it was about it took over my computer with pop-ups, blocking anything I wanted to look at and freezing my computer. I didn’t know what to do. I found this website by accident and read what everyone had to say which helped me a lot. I downloaded the free “SuperAntispyware” program and the pop-up and warnings are gone. Thank you for all your information. Happy New Year, Karen


becstar December 30, 2008 at 8:05 AM

I have tried to download both of the suggested programs onto my infected computer but the websites to download from will either not open or once the program has been installed, it won’t launch. I have installed Malwarebytes Anti-Malware but can’t get it to run!
I can’t connect to the online support for the antivirus software that I purchased (legit and well known company). I don’t know what else to do other than rebuilding my PC!


Space Captain January 3, 2009 at 12:22 PM

A few years ago, while employed by a custom pc builder, I brought a little discovery to their attention. A well-known anti-virus trial-to-purchase program, that happened to be bundled with new pc software, seemed to be doing amazing things. The day before the trial version ended, the program stated that the pc was virus or threat-free. The day the trial version ended, the program stated that the pc had acquired critical threats and advised the customer to purchase the program to eliminate the problems. Has anyone else been enlightened by such actions or am I the world’s first. Since then I’ve refused to use that program and tell others that use it my story.


John January 25, 2009 at 6:52 PM

This is a nasty little booger indeed. I was running AVG and Malwarebytes on my PC and it still found its way in, I ended up using Spybot to clean everything out. It found all kinds of stuff that the other 2 missed. Also, if you use thumb drives be really careful. A machine I had cleaned loaded 2 files onto my thumb drive, undetectable by AVG. It was the virus files. So whatever you do, be careful when plugging in a thumb drive from another computer. I have a feeling that there are still some resident files on my machines from this virus leaving the door open for another infection later.


Eddie March 7, 2009 at 10:03 AM


Thanks for the great column. We were able to rid ourselves of this nasty malware with the free download from

Here is my question: Should we stop using IE and start using only Mozilla Firefox as a web browser?




mike fink August 18, 2009 at 11:26 PM

This is an awful Malware. I had the Window Anti Virus Pro version. It took over my desktop and could not run any executables including any anti spyware. I found Spyhunter by Enigmasoftware and purchased Spyhunter which runs off a .bat not a .exe. This released my other programs and the executables would function. Both IE and Chrome however were not cleaned. Pop-ups and new tabs kept opening and opening wanting me to purchase the beast. I could not open in Safe mode or attempt restores either. Firefox was not impacted. Spyhunter kept telling me that I was clean. I tried a few other spyware programs (Spybot). They didn’t find it either.
I finally found It recommended SuperAntispyware (which is free.) After running that — I was finally clean. This program found 3 Trojans that Spyhunter did not. I needed a combo treatment. Spent hours on this. — Mike

