Antivirus 2009

Some Internet Street Smarts

What I find, among my friends and those I talk with, is a lack of some basic Internet smarts. This is what the thieves and crooks of the Internet prey on. These people should be treated exactly the same as the armed robber. Stealing is stealing; breaking into another person's computer should be treated the same as breaking into someone's living quarters (whether you are armed or not, the penalty should be the same).

Enough of that. The first part of this lesson is to recognize one of the tricks spyware/malware scammers use to get their goods onto your computer, with your permission (albeit a forced one). For the most part, this will deal with Antivirus 2009, which goes under a variety of names:

  • XP Antivirus;
  • Vitae Antivirus;
  • Windows Antivirus;
  • Win Antivirus;
  • Antivirus Pro;
  • Antivirus Pro 2009;
  • Antivirus 2007, 2008, 2009, 2010, and 360;
  • System Antivirus;
  • Vista Antivirus;
  • AntiSpywareMaster;
  • XP AntiSpyware 2009.

You are happily cruising the net, maybe doing research on a subject, or looking up what is ailing your children. Google, Yahoo, Cuil and the other search engines aren't immune, and unless they catch it, you may be one of the first victims. It even gets by WOT (Web of Trust, which I recommend having). What they do is construct innocent-looking websites which the search engines index, but when you arrive you are redirected to their site.

So, step by step, here is what happens.

What quickly happens at the Rogue Site

1) First step: I was doing some research on '"concrete dust" health hazards'. These are my search results. I did this for Google (2nd or 3rd site down) and Cuil (1st). Well, it seems like a good site, so click away.
2) Partial view of my Desktop. Whoa, where did my browser disappear to? They shrunk it and covered it up with their threat notice (here I moved it slightly off).
3) At this point, whatever you do, don't hit Cancel (it's a fake) or OK. Close out with the X for the window (circled X).
  1. Hit the first search result (on Google they came up 2nd or 3rd, on Cuil 1st), which is where most people go first.
  2. They reduced my Flock browser and covered it up with their notice (here I uncovered it slightly).
  3. Close their window with the X (circled). Always do this.
  4. At the next popup, close that with the X too.
  5. Then quickly close your browser (or just the tab, if you prefer to save your session) on the X as well, and start a new session.

You can close it at this stage.

4) Close this window on the X; it will still do the phony scan.
5) Close this on the tab's X (if you want to save your session) or close down your browser altogether and come back to default settings (new session).

If the following types of screens showing the scan results occur, closing out your explorer/browser is going to be difficult. It can still be done through the Task Manager in Windows and the System Monitor in Linux.

So let's walk through the steps.

6. Copy of the phony results. Enough to make one panic if they didn't know better. They are clobbering you with fear. Another popup box with a Windows Security look-alike logo (another part of the ploy). Whatever you do, don't click anywhere except the X. Even clicking inside the popup, and not on the buttons, will automatically make your browser prompt for the download.

7. Download prompt that popped up. DON'T DOWNLOAD!!! HIT YOUR BROWSER'S CANCEL. DON'T RUN; HIT CANCEL OR THE X.

8. Now the nag popup occurs. It is now futile to cancel the nag window via the X (except in one case), for it quickly reopens. Don't hit any of the other buttons, or you can expect the download prompt again (see 7 above).

Warning: if you reach these stages you will have trouble closing.

6) Copy of the phony results. Enough to make one panic if they didn't know better. They are clobbering you with fear. Another popup box with a Windows Security look-alike logo (another part of the ploy). Whatever you do, don't click anywhere except the X.
7) Download prompt that popped up. DON'T DOWNLOAD!!! HIT YOUR BROWSER'S CANCEL. DON'T RUN; HIT CANCEL OR THE X.
8) Now the nag popup occurs. It is now futile to cancel the nag window via the X (except in one case), for it quickly reopens. Don't hit any of the other buttons, or you can expect the download prompt again (see 7 above).

Your Final Solutions

Once we reach the screen at 8), the fight is on. Closing via the X only results in it quickly reopening, too quickly for you to close the tab or browser.

But not all is lost; some tricks can be done here.

9. Pull up the Task Manager via Ctrl-Alt-Del(ete).

  • Click on the Applications tab
  • Click on the explorer/browser affected
  • Click End Task
  • If prompted, select OK.

10. Another alternative, but it requires fast clicking of the mouse: drag their popup box so that its X is aligned over the tab X or browser X. Double-click and you'll beat the popup. One more popup may appear, but it can now be X'ed out too.

For extra peace of mind, run your antivirus. It will probably just clean up your browser's cache.

Closing Techniques

9) Do Ctrl-Alt-Del and bring up the Task Manager. Follow the steps 1-2-3 to end the application.
10) Or a slightly trickier way is to align the Xs on the nag box and the tab/browser and double-click.

Defense Solutions

  1. Have a good antivirus installed. It may not stop you from getting to the site, but it will warn you. Or have it integrated in your browser; AVG has a toolbar. Figure 11) shows what my AVG did in Windows (yes, I redid the hit in Windows). Note another thing: you must know what the warnings from your antivirus program look like and how they behave, because the imitators will try to duplicate these too. If uncertain, you can always use the Task Manager to see what is running, close things down, and run your antivirus program.
  2. If you don't have an antivirus, I recommend getting one of these three: AVG Free, Comodo, or Avast (I have used all three, and prefer the first two). Plus have Spybot S&D and Lavasoft Ad-Aware installed.
  3. If using Firefox or Mozilla-like browsers (Flock), have "NoScript" installed. Here is what I got in 12) from a "NoScript" Firefox. It put a quick stop to the whole affair.

11) My AVG response. I picked "move to vault". The note says fake alert.
12) Here is what "NoScript" produced. Cool. I've been warned, so if I proceed then I had better be ready.

Alright, you've been infected. Now what?

Symptoms of infection are constant popups declaring that you are infected, stating that to remove the infections you need antivirus protection, and directing you to the phony site. Unfortunately thousands, if not millions, have fallen for this ploy and purchased the phony antivirus protection (it merely becomes even more entrenched). Also, the longer the phony warnings stay on, the slower your machine becomes and the more entrenched it becomes.

Deleting it will not remove it, and depending on the variety, uninstalling won't either. Instead it reinstalls itself. It may even disable your real antivirus programs. The crooks constantly update this rogue antivirus so it can avoid detection.

So how do you remove it? Well, do you want to do this yourself or use antivirus software? As for DIY, I have no recommendations on which software to use. There are several dealers out there, but a good starting point for choosing software would be PC Mag's forum. PC Mag will direct you to Bleepingcomputer.com, a very good starting point.

Now, if you are up to the challenge, here is the manual way of removing it (it's not for the novice). Please reboot your computer into Safe Mode. This disables a lot of drivers and functions, but it will allow you access to remove this virus.

Find and stop these Antivirus 2009 processes:

  • av2009.exe
  • Antivirus2009.exe
  • AV2009Install.exe
  • av2009[1].exe
  • AV2009Install_880405[1].exe
  • AV2009Install_880405[2].exe
  • c:\Program Files\Antivirus 2009\av2009.exe
  • c:\WINDOWS\system32\ieupdates.exe
  • Power-Antivirus-2009.exe
  • AV2009Install[1].exe
  • ieexplorer32.exe
  • %PROGRAMFILES%\Antivirus 2009\av2009.exe
  • AntivirusPro2009.exe
  • %PROGRAMFILES%\AV9\av2009.exe

Find and Remove these Antivirus 2009 DLL files:

  • shlwapi.dll located usually in c:\WINDOWS\system32
  • wininet.dll located usually in %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V

Remove these Antivirus 2009 Registry files:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15358943642955870504508370025739
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Antivirus" = "%ProgramFiles%\Antivirus 2009\Antvrs.exe"
  • HKEY_CURRENT_USER\Software\Antivirus
  • Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Antivirus 2009
  • HKEY_CURRENT_USER\Software\75319611769193918898704537500611
  • HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ieupdate"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "75319611769193918898704537500611"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}

Remove these Antivirus 2009 files:

  • av2009.exe
  • Antivirus2009.exe
  • AV2009Install.exe
  • av2009[1].exe
  • Antivirus 2009.lnk
  • Uninstall Antivirus 2009.lnk
  • AV2009Install_880405[1].exe
  • AV2009Install_880405[2].exe
  • c:\Program Files\Antivirus 2009
  • c:\Program Files\Antivirus 2009\av2009.exe
  • c:\WINDOWS\system32\ieupdates.exe
  • c:\WINDOWS\system32\winsrc.dll
  • c:\WINDOWS\system32\scui.cpl
  • %UserProfile%\Desktop\Antivirus 2009.lnk
  • %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
  • %UserProfile%\Start Menu\Antivirus 2009
  • %UserProfile%\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk
  • %UserProfile%\Start Menu\Antivirus 2009\Antivirus2009.lnk
  • Power-Antivirus-2009.exe
  • AV2009Install[1].exe
  • ieexplorer32.exe
  • ieexplorer32.exe-removed_skip
  • AntivirusPro2009.exe


Conclusion.

I have never been infected with this program, though I have encountered it through various search engines and other rogue-like applications. My course of action has always been my friend the Task Manager. Get to know it. Plus I am a heavy Firefox user, and with that "NoScript" is usually installed.

As can be seen from the steps, it's better to nip these culprits before they even enter the gate: "NoScript", or a good antivirus with a toolbar (which warns of bad sites in search engine results). WOT is good and should be installed.

Next is some smarts in how to act with these crooks. Stop them at the door with the Task Manager, or even, if you are uncertain, have your system just plain outright shut down (a good process for the novice). As always, instruct your family and loved ones about all these people. Awareness is a good defense.

Stopping them is far better than trying to remove them. But remember, the protection is only as good as the person using it. The best locks don't work if they aren't used right. Firewalls and antivirus protections are good, but we must still exercise some defense and be educated about what the crooks out there do and their techniques. Because you, the operator, can let the crooks through your defenses.

It should be noted what the FTC reported; it's a good read:

"At the request of the Federal Trade Commission, a U.S. district court has issued a temporary halt to a massive “scareware” scheme, which falsely claimed that scans had detected viruses, spyware, and illegal pornography on consumers’ computers. According to the FTC, the scheme has tricked more than one million consumers into buying computer security products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. The court also froze the assets of those responsible for the scheme, to preserve the possibility of providing consumers with monetary redress."

But this isn't going to stop similar events from happening, or from coming out of other countries. As an Internet traveller, be on your toes.

Comments (2)


charlemont 7 years ago from Lithuania

OMG, 1 million people were fooled by scammers! Never could imagine that so many unsuspecting people would fall for these tricks. Awful.



eaglegordon 7 years ago Author

charlemont : when I saw that, it was woe. Internet scams can be big business.
