
Antivirus 2009

Updated on February 16, 2009

Some Internet Street Smarts

What I find, among my friends and those I talk with, is a lack of some basic Internet smarts, and that is what the thieves and crooks of the Internet prey on. These people should be treated exactly the same as the armed robber. Stealing is stealing; breaking into another person's computer should be treated the same as breaking into someone's living quarters (whether you are armed or not, the penalty should be the same).

Enough. The first part of this lesson is to recognize one of the tricks spyware/malware scammers use to get their goods onto your computer, with your permission (albeit forced). For the most part, this deals with Antivirus 2009, which goes under a variety of names:

  • XP Antivirus;
  • Vitae Antivirus;
  • Windows Antivirus;
  • Win Antivirus;
  • Antivirus Pro;
  • Antivirus Pro 2009;
  • Antivirus 2007, 2008, 2009, 2010, and 360;
  • System Antivirus;
  • Vista Antivirus;
  • AntiSpywareMaster;
  • XP AntiSpyware 2009.

You are happily cruising the net, maybe doing research on a subject, or looking up what is ailing your children. Google, Yahoo, Cuil and the other search engines aren't immune, and unless they catch it, you may be one of the first victims. It even gets by WOT (Web of Trust, which I recommend having). What the crooks do is build innocent-looking pages that the search engines index, but when you click through from the search result you are redirected to their scareware site.

So, step by step, here is what happens.


What quickly happens at the Rogue Site

1) First step: I was doing some research on '"concrete dust" health hazards'. These are my search results. Did this for Google (2nd or 3rd site down) and Cuil (1st). Well, it seems like a good site, so click away.
2) Partial view of my desktop. Whoa, where did my browser disappear to!? They shrunk it and covered it up with their threat notice (here I moved it slightly off).
3) At this point, whatever you do, don't hit Cancel (it's a fake) or OK. Close out with the X for the window (circled X).
  1. Hit the first search result (on Google they came up 2nd or 3rd, on Cuil 1st), where most people go first.
  2. They reduced my Flock browser and covered it up with their notice (here I uncovered it slightly).
  3. Close their window with the X (circled). Always do this.
  4. At the next popup, close that with the X.
  5. Then quickly close your browser (or the tab, if you prefer to save your session) on the X too, and start a new session.

You can close it at this stage.

4) Close this window on the X; it will still do the phony scan.
5) Close this on the tab's X (if you want to save your session) or close down your browser altogether and come back to default settings (new session).

If the following types of screens showing the scan results occur, closing out your browser is going to be difficult. It can still be done through the Task Manager in Windows, and the System Monitor in Linux.

So let's walk through the steps

6. Copy of the phony results. Enough to make one panic if they didn't know better; they are clubbing you with fear. Another popup box with a Windows Security look-alike logo (another part of the ploy). Whatever you do, don't click anywhere except the X. Clicking anywhere inside the popup, even off the buttons, will make your browser prompt for the download.

7. The download that popped up. DON'T DOWNLOAD! Hit your browser's Cancel. Don't Run; hit Cancel or the X.

8. Now the nag popup occurs. It is now a futile operation to cancel the nag window via the X (except in one case), for it quickly reopens again. Don't hit any of the other buttons, or you can expect the download prompt again (see 7 above).

Warning: if you reach these stages you will have trouble closing the browser.


Your Final Solutions

Once we reach the screen at 8), the fight is on. Closing via the X only results in it quickly reopening, too quickly for you to close the tab or browser.

But not all is lost; some tricks can be done here.

9. Pull up the Task Manager via Ctrl-Alt-Del (Ctrl-Shift-Esc opens it directly and is faster).

  • Click on the Applications tab
  • Click on the browser affected
  • Click End Task
  • If prompted, select OK.

If the browser isn't listed under Applications, use the Processes tab and end the browser's own process (firefox.exe, iexplore.exe, and so on). When you start the browser again, don't restore the previous session, or the rogue page comes straight back.

10. Another alternative, but it requires fast clicking of the mouse: drag their popup box so that its X is aligned over the tab X or browser X. Double click and you'll beat the popup. One more popup may appear, but it can now be Xed out too.

For extra peace of mind, run your antivirus. It will probably just clean up your browser's cache, which is where the installer the page tried to push on you may still be sitting, unexecuted.


Defense Solutions

  1. Have a good antivirus installed. It may not stop you from getting to the site, but it will warn you. Or have it integrated in your browser: AVG has a toolbar. Figure 11) shows what my AVG did in Windows (yes, I redid the hit in Windows). Another thing to note: you must know what your own antivirus program's warnings look like and how they behave, because the imitators will try to duplicate these too. If uncertain, you can always use the Task Manager to see what is running, close things down, and run your antivirus program.
  2. If you don't have an antivirus, I recommend getting one of these three: AVG Free, Comodo, or Avast (I have used all three, and prefer the first two). Plus have Spybot S&D and Lavasoft Ad-Aware installed.
  3. If using Firefox or Mozilla-like browsers (Flock), have NoScript installed. Here is what I got in 12) from a NoScript Firefox. It put a quick stop to the whole affair.

11) My AVG response. Picked "move to vault". Note it says fake alert.
12) Here is what NoScript produced. Cool. I've been warned, so if I proceed then I had better be ready.

Alright - you've been infected. Now what.

Symptoms of infection are constant popups declaring that you are infected and stating that to remove the infections you need antivirus protection, directing you to the phony site. Unfortunately thousands, if not millions, have fallen for this ploy and purchased the phony antivirus protection (it merely becomes even more entrenched). Also, the longer the phony warnings stay on, the slower your machine becomes and the more entrenched it becomes.

Deleting it will not remove it, and depending on the variety, uninstalling won't either; instead it reinstalls itself. It may even disable your real antivirus programs. The crooks constantly update this rogue antivirus so it can avoid detection.

So how do you remove it? Well, do you want to do this yourself or use antivirus software? As for DIY, I have no recommendations on which software to use. There are several dealers out there, but a good starting point on which software to use would be PC Mag's forum. PC Mag will direct you to Bleepingcomputer.com, a very good starting point.

Now, if you are up to the challenge, here is the manual way of removing it (not for the novice). Reboot your computer into Safe Mode. This disables a lot of drivers and skips the startup programs in the Run keys, so the rogue's own persistence does not load, and that will allow you access to remove this virus. The names and paths below are a snapshot of the variants seen at the time; the crooks rename files and registry values with each release, so treat these lists as a starting point and look for anything else launching from the same locations.

Find and stop these Antivirus 2009 processes:

  • av2009.exe
  • Antivirus2009.exe
  • AV2009Install.exe
  • av2009[1].exe
  • AV2009Install_880405[1].exe
  • AV2009Install_880405[2].exe
  • c:\Program Files\Antivirus 2009\av2009.exe
  • c:\WINDOWS\system32\ieupdates.exe
  • Power-Antivirus-2009.exe
  • AV2009Install[1].exe
  • ieexplorer32.exe
  • %PROGRAMFILES%\Antivirus 2009\av2009.exe
  • AntivirusPro2009.exe
  • %PROGRAMFILES%\AV9\av2009.exe

Check these Antivirus 2009 DLL files:

  • shlwapi.dll located usually in c:\WINDOWS\system32
  • wininet.dll located usually in %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V

Caution: shlwapi.dll and wininet.dll are genuine Windows system libraries, and deleting the copies that live in c:\WINDOWS\system32 will break Internet Explorer and much of Windows. Only a copy in an unexpected location (such as the Temporary Internet Files cache above) is suspect. Before touching anything in system32, check the file's properties for Microsoft's version information and digital signature.

Remove these Antivirus 2009 registry keys and values:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15358943642955870504508370025739
  • HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Antivirus" = "%ProgramFiles%\Antivirus 2009\Antvrs.exe"
  • HKEY_CURRENT_USER\Software\Antivirus
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Antivirus 2009
  • HKEY_CURRENT_USER\Software\75319611769193918898704537500611
  • HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ieupdate"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "75319611769193918898704537500611"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}

Remove these Antivirus 2009 files:

  • av2009.exe
  • Antivirus2009.exe
  • AV2009Install.exe
  • av2009[1].exe
  • Antivirus 2009.lnk
  • Uninstall Antivirus 2009.lnk
  • AV2009Install_880405[1].exe
  • AV2009Install_880405[2].exe
  • c:\Program Files\Antivirus 2009
  • c:\Program Files\Antivirus 2009\av2009.exe
  • c:\WINDOWS\system32\ieupdates.exe
  • c:\WINDOWS\system32\winsrc.dll
  • c:\WINDOWS\system32\scui.cpl
  • %UserProfile%\Desktop\Antivirus 2009.lnk
  • %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll
  • %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
  • %UserProfile%\Start Menu\Antivirus 2009
  • %UserProfile%\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk
  • %UserProfile%\Start Menu\Antivirus 2009\Antivirus2009.lnk
  • Power-Antivirus-2009.exe
  • AV2009Install[1].exe
  • ieexplorer32.exe
  • ieexplorer32.exe-removed_skip
  • AntivirusPro2009.exe
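As an added example (not from the original article, and not any removal tool it mentions), here is an audit-first PowerShell sweep that walks the lists above: running processes, Run-key persistence, registry keys and dropped files. It serves both the Task Manager step earlier on this page (stopping the rogue's process) and the manual removal here. The indicator names are copied from the lists above. PowerShell 2.0 or later, an elevated prompt, and the XP-style profile paths from the lists (%UserProfile%\Local Settings\..., %UserProfile%\Start Menu) are assumptions; on Vista and later the cache and Start Menu live under AppData. It only reports unless you pass -Remove, and it deliberately never deletes shlwapi.dll or wininet.dll from system32, because those are real Windows libraries: it prints their version and signature details and flags only stray copies in the browser cache.

```powershell
# Added example, not part of the original article: an audit-first sweep for the
# Antivirus 2009 indicators listed above. Run from an elevated PowerShell prompt
# (PowerShell 2.0 or later assumed), ideally after booting into Safe Mode.
# Without -Remove it only REPORTS what it finds; with -Remove it kills, deletes
# and unregisters. Indicator names come from the article's lists; the XP-style
# profile paths are assumptions and differ on Vista and later.
param([switch]$Remove)

# Process names without .exe; wildcards cover the av2009[1] / AV2009Install_880405 cache copies.
$processNames = @('av2009*', 'Antivirus2009', 'AV2009Install*', 'Power-Antivirus-2009',
                  'ieupdates', 'ieexplorer32', 'AntivirusPro2009')

$files = @(
    "$env:ProgramFiles\Antivirus 2009",
    "$env:ProgramFiles\AV9\av2009.exe",
    "$env:SystemRoot\system32\ieupdates.exe",
    "$env:SystemRoot\system32\winsrc.dll",
    "$env:SystemRoot\system32\scui.cpl",
    "$env:USERPROFILE\Desktop\Antivirus 2009.lnk",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk",
    "$env:USERPROFILE\Start Menu\Antivirus 2009"
)

$registryKeys = @(
    'HKLM:\SOFTWARE\Antivirus',
    'HKCU:\Software\Antivirus',
    'HKCU:\Software\75319611769193918898704537500611',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}'
)

$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = @('ieupdate', 'Antivirus',
               '75319611769193918898704537500611', '15358943642955870504508370025739')

# 1. Running processes. Stop them first so the rogue cannot recreate its files.
foreach ($name in $processNames) {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        Write-Host ("PROCESS  {0} (PID {1}) {2}" -f $_.ProcessName, $_.Id, $_.Path)
        if ($Remove) { Stop-Process -Id $_.Id -Force }
    }
}

# 2. Run-key persistence. Match on the value name from the list, but also on the
#    command it launches, since renamed variants keep the persistence entry and
#    change only the executable.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        $hit = ($runValues -contains $_.Name) -or ("$($_.Value)" -match 'Antivirus 2009|av2009|\\AV9\\')
        if ($hit) {
            Write-Host ("RUN      {0} = {1}" -f $_.Name, $_.Value)
            if ($Remove) { Remove-ItemProperty -Path $runKey -Name $_.Name }
        }
    }
}

# 3. Registry keys, including the CLSID and Browser Helper Object registration.
foreach ($key in $registryKeys) {
    if (Test-Path -Path $key) {
        Write-Host "REGKEY   $key"
        if ($Remove) { Remove-Item -Path $key -Recurse -Force }
    }
}

# 4. Dropped files, folders and shortcuts.
foreach ($path in $files) {
    if (Test-Path -Path $path) {
        Write-Host "FILE     $path"
        if ($Remove) { Remove-Item -Path $path -Recurse -Force }
    }
}

# 5. shlwapi.dll and wininet.dll are genuine Windows libraries: never delete the
#    copies in system32. Report their version info and signature status, and flag
#    only copies dropped into the browser cache (XP path and Vista+ path checked).
$caches = @("$env:USERPROFILE\Local Settings\Temporary Internet Files",
            "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files")
foreach ($dll in 'shlwapi.dll', 'wininet.dll') {
    $sys = Join-Path $env:SystemRoot "system32\$dll"
    if (Test-Path -Path $sys) {
        $sig = Get-AuthenticodeSignature -FilePath $sys
        Write-Host ("SYSDLL   {0} company='{1}' signature={2}" -f $sys,
                    (Get-Item $sys).VersionInfo.CompanyName, $sig.Status)
    }
    foreach ($cache in $caches) {
        if (-not (Test-Path -Path $cache)) { continue }
        Get-ChildItem -Path $cache -Recurse -Force -Include $dll -ErrorAction SilentlyContinue |
            ForEach-Object {
                Write-Host "CACHED   $($_.FullName)"
                if ($Remove) { Remove-Item -Path $_.FullName -Force }
            }
    }
}
```

Save it as Sweep-AV2009.ps1, run it once as powershell -ExecutionPolicy Bypass -File .\Sweep-AV2009.ps1 and read the report, then run it again with -Remove. Two caveats: older PowerShell versions do not consult the Windows catalog signatures, so a genuine system32 DLL can show signature=NotSigned even though it is Microsoft's, and you should compare the CompanyName and file version against a known-good machine (or use Sysinternals sigcheck) before drawing conclusions; and a rogue renamed since this list was compiled will not match these names, so also look at whatever else launches from the same Run key and the same folders.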


Conclusion.

I have never been infected with this program, though I have encountered it through various search engines, along with other rogue-like applications. My course of action has always been my friend the Task Manager. Get to know it. Plus, I am a heavy Firefox user, and with that NoScript is usually installed.

As can be seen from the steps, it's better to nip these culprits before they even enter the gate: NoScript, or a good antivirus with a toolbar (which warns of bad sites in search engine results). WOT is good and should be installed.

Next is some smarts in how to act with these crooks: stopping them at the door with the Task Manager, or, if you are uncertain, simply shutting your system down outright (a good process for the novice). As always, instruct your family and loved ones about all these people. Awareness is a good defense.

Stopping them is far better than trying to remove them. But remember, the protection is only as good as the person using it. The best locks don't work if they aren't used right. Firewalls and antivirus protection are good, but we must still exercise some defense and be educated about what the crooks out there do and their techniques, because you, the operator, can let the crooks through your defenses.

It should be noted, according to the FTC (and it's a good read):

"At the request of the Federal Trade Commission, a U.S. district court has issued a temporary halt to a massive “scareware” scheme, which falsely claimed that scans had detected viruses, spyware, and illegal pornography on consumers’ computers. According to the FTC, the scheme has tricked more than one million consumers into buying computer security products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. The court also froze the assets of those responsible for the scheme, to preserve the possibility of providing consumers with monetary redress."

But this isn't going to stop similar events from happening, or from other countries. As an Internet traveller, be on your toes.

Comments

eaglegordon (author), 9 years ago:

charlemont: when I saw that, it was woe. Internet scams can be big business.

charlemont, 9 years ago, from Lithuania:

OMG, 1 million people were fooled by scammers! Never could imagine that so many unsuspecting people would fall for these tricks. Awful.
