# WARNING: AntiVirus 2009



## ZentratheFox (Nov 24, 2008)

Okay, I've been seeing this pop up absolutely everywhere for a few months, and I figure I could help out by spreading the word...

Some of you may, at some point in time or another, get a popup saying that you have ## infected items on your computer, and you need to install/run/purchase AntiVirus 2009 so it can clean your system. Often, these windows look exactly like the Security Center built into Windows. Today, I came across a particularly bad infection which actually emulated a Windows XP bootscreen and associated BSoD. (I guess the programmers got a bit lazy, because it was on a Vista box). But yeah, basically, if you see AntiVirus 2009, it's a virus.

Now, despite the excellent reviews that most AV programs get, such as AVG, NOD32, Panda, etc., none of them that I have tested have been able to successfully clean all parts of AV2009. In fact, there are only two known programs that have blasted this little bugger completely: MalwareBytes AntiMalware (which I've tested) and Super AntiSpyware (recommended by an insider at Perot Systems). These can be downloaded at http://www.malwarebytes.org/ and http://www.superantispyware.com/ respectively. Run a scan, and let it clean. It may take two to three scans, but most of the time, it gets it in one fell swoop. G'luck!

*tl;dr It's a virus.*

Background: I'm a computer specialist for a small IT company. I've been working with computers my whole life, and gaining on three years as an IT professional. I've cleaned far too many systems with AV2009 installed.


----------



## Aurali (Nov 24, 2008)

I'd give you a captain obvious stamp.. but there are too many idiots out there for that to work ><


----------



## ZentratheFox (Nov 24, 2008)

Eli said:


> I'd give you a captain obvious stamp.. but there are too many idiots out there for that to work ><



Hahaha, let's just say... I had four of these one day last week. Some people... just don't get it.


----------



## Verin Asper (Nov 25, 2008)

Got rid of mine using Spydoctor, though if it comes back I have something to kick it back out.


----------



## WolvesSoulZ (Nov 25, 2008)

Some people are dumb enough to click on it; it's their problem. Though it's good to spread the word, it's not useful for me since I already know about it xD. My friend had it and I got rid of it for him.


----------



## Eevee (Nov 25, 2008)

where's my motorcycle..


----------



## LizardKing (Nov 25, 2008)

Eevee said:


> where's my motorcycle..



I stole it while you were looking at the anti-virus software in Best Buy, sorry.


----------



## Emil (Nov 25, 2008)

Quick somewhat offtopic question...

I run Endpoint, Adaware, and Spybot. Is this decent? I've got Windows Firewall and Defender too, but I don't have Defender running because I have Endpoint.

I understand that Symantec stuff is supposed to be crap, but my school makes me run it to access the network ><


----------



## Aden (Nov 25, 2008)

[Insert smug Mac user comment here]

\Mac user.
\\I try not to be smug.


----------



## Zero_Point (Nov 25, 2008)

A friend of mine was finally convinced that Limewire was bad when he caught AV2009 while downloading "King Ralph".
"Was it worth it, Mike?"
"No. ._."


----------



## Eevee (Nov 25, 2008)

LizardKing said:


> I stole it while you were looking at the anti-virus software in Best Buy, sorry.


<3



Aden said:


> [Insert smug Mac user comment here]


OS X had a root escalation exploit for three years.

Combine that with the remote code execution exploit in Safari that was used to jailbreak iPhones for a while, and you have root just by having someone look at a Web page.  Whoops.


----------



## Runefox (Nov 25, 2008)

ZentratheFox said:


> Background: I'm a computer specialist for a small IT company. I've been working with computers my whole life, and gaining on three years as an IT professional. I've cleaned far too many systems with AV2009 installed.


Yeah, you and me both. I guess I mistook this thread for another "OMG I GOT INFECTED LOOK OUT" thread, since there have been multiple threads to that effect here about WinAntivirusPro/XPAntivirusPro/etc. Speaking of which, one of our customers managed to get it infected in their Parallels installation for Mac. Wow.



> Got rid of mine using Spydoctor, though if it comes back I have something to kick it back out.


You had (x)AntivirusPro? I doubt SpywareDoctor did anything here, but hell, I dunno, I never use it. Too intrusive, and the fucker even automatically starts in Safe Mode, last I checked.



> Quick somewhat offtopic question...
> 
> I run Endpoint, Adaware, and Spybot. Is this decent? I've got Windows Firewall and Defender too, but I don't have Defender running because I have Endpoint.


Endpoint... Endpoint... Yanno, I haven't heard of it. Let me check it out.

Ooooh. Right. _That_. Well, I'll give it one thing - It's better than the Norton line of AV products, but I personally wouldn't trust anything with it. Symantec products are garbage, and products that Symantec acquires rights to tend to be the same, or just die altogether.



> I understand that Symantec stuff is supposed to be crap, but my school makes me run it to access the network ><


Symantec stuff is both crap and more system-intensive than an actual virus infection in most cases. I've seen some fairly mid-low range systems running Norton that I could seriously be running _AntivirusPro_ on and have them perform faster.

That having been said, Norton 360 is surprisingly not quite as intensive, but once the scanner starts up, it's just like the other versions.


----------



## net-cat (Nov 25, 2008)

Eevee said:


> OS X had a root escalation exploit for three years.
> 
> Combine that with the remote code execution exploit in Safari that was used to jailbreak iPhones for a while, and you have root just by having someone look at a Web page.  Whoops.


I love that. It's so fun to watch the blood drain out of someone's face when I do that.

I guess they finally got around to fixing it, though. It hasn't worked on the last few Macs I've used.


----------



## ZentratheFox (Nov 25, 2008)

Runefox said:


> Symantec stuff is both crap and more system-intensive than an actual virus infection in most cases. I've seen some fairly mid-low range systems running Norton that I could seriously be running _AntivirusPro_ on and have them perform faster.



Truth.

And y'know, I still can't seem to figure out how people get infected with this crap. I'm not even RUNNING AntiVirus/AntiMalware. And I just tried a MalwareBytes scan; I'm clean.


----------



## Runefox (Nov 25, 2008)

ZentratheFox said:


> And y'know, I still can't seem to figure out how people get infected with this crap. I'm not even RUNNING AntiVirus/AntiMalware. And I just tried a MalwareBytes scan; I'm clean.


I guess it comes down to two things: Do you use Internet Explorer? And if not, do you blaze through dialogue boxes without reading them?


----------



## ZentratheFox (Nov 25, 2008)

Runefox said:


> I guess it comes down to two things: Do you use Internet Explorer? And if not, do you blaze through dialogue boxes without reading them?



No, yes. (but not Firefox boxes)


----------



## Aden (Nov 25, 2008)

Eevee said:


> OS X had a root escalation exploit for three years.
> 
> Combine that with the remote code execution exploit in Safari that was used to jailbreak iPhones for a while, and you have root just by having someone look at a Web page.  Whoops.



Dude, joke.


----------



## Armaetus (Nov 25, 2008)

This is *WHY* you do research and check around the web to see if said vendor is legitimate or rogue.

Also, this is why a hardware firewall should be mandatory for every broadband person on the planet. Too many gullible people these days.


----------



## Runefox (Nov 25, 2008)

mrchris said:


> This is *WHY* you do research and check around the web to see if said vendor is legitimate or rogue.
> 
> Also, this is why a hardware firewall should be mandatory for every broadband person on the planet. Too many gullible people these days.


Firewalls have nothing to do with it, and whether the vendor is legit or not, many people are becoming victims of the drive-by download phenomenon, thanks to the many security holes present in Internet Explorer, which most people believe is the only web browser out there (the internet icon).

In other words, just going to a poisoned website can inflict this malady on you if you use IE. Failing that, it IS possible to download the bug manually (I was gonna link to the site, but it looks like it might have been taken down with the loss of McColo), if you were gullible enough, but the major method of infestation for this one (and many others) is unsolicited downloads via IE security holes.


----------



## indrora (Nov 28, 2008)

... I hate doing a huge tl;dr but I'll try ...
So far Norton sucks, Symantec can't catch a decent infection of Smitfraud-NG and I've had to deal with AV2009 for some time.

The //ONLY// thing I have found that has managed to wipe that shit off a machine is Spybot S&D with the TrojanWatch addon. It's in beta, so watch out.

I run a healthy mix of AVG Free and Spybot, along with Comodo Firewall. All free, all nice and easy to use.

And I agree with RuneFox, hardware firewalls have one purpose in life: control what ports get talked to. That's it.

For those of us who don't know what the purpose of a firewall is, I'll say Read The Wiki -- hardware firewalls are PATs and work on the Transport Layer of the OSI Model. Go Fucking Me. I'm working towards my CCNA, bitches.

And Mrchris, I have a fibre line to my house. I don't have a firewall, I have good security and implement my own DNS. I keep a list of all the "bad people" and make sure that they get routed to my internal dumping ground. It's kinda fun :3

Also, if anyone wants to know how to make life with an ad-filled world simpler, go learn about Split DNS. Set one up if you want. Windows' %SYSTEMROOT%/system32/drivers/etc/hosts file is *nix compatible. Go MS.
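indrora's hosts-file trick, spelled out as an added example (this is not indrora's own setup and not code from this thread): a small Python script that maintains a managed sinkhole block inside a hosts file, idempotently, without touching the entries the user already has. The rogue-looking domain names end in .invalid and are constructed for the demo, the sample hosts file is constructed, and the sink address 0.0.0.0 is an assumption (indrora routes to an internal dump host instead; pass that address as `sink`). Python rather than a Windows-only script because the file format is the same on both platforms, which is exactly indrora's point.

```python
"""Maintain a managed sinkhole block in a hosts file.

Added example for this thread, not indrora's own tooling. The .invalid
domains and the sample hosts file below are constructed; the sink
address is an assumption (0.0.0.0 makes the lookup fail fast, an
internal dump host works the same way).
"""
import re

BEGIN = "# BEGIN managed sinkhole block"
END = "# END managed sinkhole block"

# One RFC 1123 hostname label: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample of the kind of names a "you are infected" page lives on,
# deliberately including junk the merge must reject or clean up.
SAMPLE_BAD_DOMAINS = [
    "antivirus-2009-scan.invalid",
    "WWW.Free-PC-Scanner.invalid",      # mixed case, www. prefix
    "media-codec-download.invalid.",    # trailing dot
    "antivirus-2009-scan.invalid",      # duplicate
    "localhost",                        # must never be sinkholed
    "192.0.2.10",                       # IP literal, not a hostname
    "bad_underscore.invalid",           # underscore is not a valid label char
]

# Constructed sample hosts file; the manual entry must survive untouched.
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# a manual entry the user added
10.0.0.5        fileserver
"""


def normalize_domain(name):
    """Return a canonical lowercase hostname, or None if it must not be blocked."""
    name = name.strip().lower().rstrip(".")
    if not name or name in ("localhost", "localhost.localdomain"):
        return None
    labels = name.split(".")
    if len(labels) < 2:                      # bare single labels are not candidates
        return None
    if all(l.isdigit() for l in labels):     # dotted-quad IP literal
        return None
    if not all(_LABEL.match(l) for l in labels):
        return None
    return name


def expand(domains):
    """Normalize, dedupe, and add the www. twin of every domain (and vice versa)."""
    out = set()
    for d in domains:
        n = normalize_domain(d)
        if n is None:
            continue
        out.add(n)
        out.add(n[4:] if n.startswith("www.") else "www." + n)
    return sorted(out)


def strip_managed_block(hosts_text):
    """Drop a previous managed block so re-running the merge never duplicates."""
    kept, inside = [], False
    for line in hosts_text.splitlines():
        if line.strip() == BEGIN:
            inside = True
            continue
        if line.strip() == END:
            inside = False
            continue
        if not inside:
            kept.append(line)
    return "\n".join(kept).rstrip("\n") + "\n"


def merge_blocklist(hosts_text, domains, sink="0.0.0.0"):
    """Return hosts_text with the sinkhole block rebuilt from `domains`."""
    base = strip_managed_block(hosts_text)
    block = [BEGIN] + ["%s\t%s" % (sink, d) for d in expand(domains)] + [END]
    return base + "\n".join(block) + "\n"


def blocked_hosts(hosts_text, sink="0.0.0.0"):
    """Parse a hosts file and return the set of names currently mapped to the sink."""
    names = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # comments are not entries
        if not line:
            continue
        parts = line.split()
        if parts[0] == sink:
            names.update(parts[1:])
    return names


if __name__ == "__main__":
    merged = merge_blocklist(SAMPLE_HOSTS, SAMPLE_BAD_DOMAINS)
    print(merged)
```

On Windows, write the result over %SYSTEMROOT%\system32\drivers\etc\hosts from an elevated prompt and run `ipconfig /flushdns` so the DNS Client cache forgets the old answers. A hosts entry only catches lookups by name; a page that reaches its payload by raw IP sails straight past it, which is why this complements rather than replaces the scanners discussed in the thread.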


----------



## ZentratheFox (Nov 28, 2008)

Yay fellow FTTH (fiber to the home) consumer! FIOS, I assume? I've got so many servers running from mine... 

Anyways, SpyBot never cleaned any AV200* infections. I'm not one to experiment with addons when there are other programs like MalwareBytes that are completely successful at cleaning it. I'd recommend using that next.

Yay hardware firewalls. I have one despite me not even caring. It's called a router.


----------



## indrora (Nov 28, 2008)

Well I don't have a //true// fibre line. It's Qwest, so what they give you is essentially an ADSL modem to POTS to the fibre backbone. I'm in the BLOODY MIDDLE OF FUCKING NOWHERE, so that's really my only option. If you notice there's a box with blinky lights on my desk that isn't a switch and has a wifi antenna on it, that's my DSL router.

Spybot has found and cleaned a lot of the things (you just gotta keep it updated). MalwareBytes I've never really tried, but I've managed to get most machines running smoothly with Spybot and some knowledge of how the motherfuckers work.

My first thing isn't even Spybot. My first stop is Process Explorer. Then comes PEiD. Then comes some little shell scripts I run in a protected Cygwin environment, and then the IE Crippler (for Windows people only > ) and THEN comes Spybot. If you have to ask what the IE Crippler is, it's a tool that I wrote that I don't hardly trust myself with, as it rips any and all extensions that I don't recognize (things like Flash) out, disables them in the registry and shreds the motherhumpers by opening, writing, rewinding, rewriting, rinse repeat (the classic form of shred). Most of the time it renders IE useless, except for the rendering engine, which works nicely via IE Tab.

I applied for Geek Squad. I showed them my resume (several programming gigs, copious computer cleanings, OS fixes, etc.) and they went "we can't accept you". I said "Why?" They said "You wouldn't follow our procedures."
When I inquired, they're basically taught to copy everything, reinstall the OS, then copy everything back. Dumbasses.


----------



## ZentratheFox (Nov 29, 2008)

indrora said:


> I applied for Geek Squad. I showed them my resume (several programming gigs, copious computer cleanings, OS fixes, etc.) and they went "we can't accept you". I said "Why?" They said "You wouldn't follow our procedures."
> When I inquired, they're basically taught to copy everything, reinstall the OS, then copy everything back. Dumbasses.



This made my day. LOL!!!!


----------



## indrora (Nov 29, 2008)

Its a true story


----------



## Lowblock (Dec 2, 2008)

Gah, my parents downloaded this without knowing and put it in my folder on our computer.  I looked and I found this random file, clicked on it, and saw that it was Antivirus 2009.  When I tried to close it, it started to install, and I had, like, 10 seconds to go to process manager and shut it off.

I need to have a "talk" with my parents soon.


----------



## BlauShep (Dec 2, 2008)

oh, thank you, THANK you. .__.
This somehow got on my computer right after Thanksgiving, and it's really pissing me off. I even had a friend 'hack' my computer to see what was wrong. I really, really hope one of those programs works! I've been afraid I was going to wake up one day and find the BSoD.


----------



## Stratelier (Dec 2, 2008)

ZentratheFox said:


> ...if you see AntiVirus 2009, it's a virus.


So as an IT professional you should know the definition of a software virus and how AV2009 fails to meet that definition, and I hope you are just euphemizing it for the less educated among the forumgoers.  Since AV 2009 falls under the category of _rogue software_, similar to a trojan and a subset of the greater 'malware' label in general.

Aside from that, AV does what any rogue app does:  Tries to install itself in the most damned-near-impossible-to-remove way.

Reminds me of the one time my PC caught the Vundo bug:  Two or three Vundo killers still could not terminate its process, but once I knew which file to hunt for I was able to reboot into XP's Recovery Console and clean it manually.


----------



## BlauShep (Dec 4, 2008)

Aarg, I used both programs and scanned about 4 times each, each time doing both full scans and quick ones. I still have not gotten rid of it. D:


----------



## ZentratheFox (Dec 12, 2008)

Stratadrake said:


> So as an IT professional you should know the definition of a software virus and how AV2009 fails to meet that definition, and I hope you are just euphemizing it for the less educated among the forumgoers.  Since AV 2009 falls under the category of _rogue software_, similar to a trojan and a subset of the greater 'malware' label in general.



Yes, I am completely aware that it isn't a true virus. I merely called it a virus for emphasis. People, especially those who are susceptible to programs such as AV2009, generally aren't fazed by phrases unfamiliar to them. "Virus", in this context, will have more of an impact.


----------



## ZentratheFox (Dec 12, 2008)

BlauShep said:


> Aarg, I used both programs and scanned about 4 times each, each time doing both full scans and quick ones. I still have not gotten rid of it. D:



Also, (I know this might sound odd, but) try running System Restore. Seriously. Then, run the programs.


----------



## Shockey Rai (Dec 13, 2008)

Zero_Point said:


> A friend of mine was finally convinced that Limewire was bad when he caught AV2009 while downloading "King Ralph".
> "Was it worth it, Mike?"
> "No. ._."



I used to use Limewire, but now I use Ares & uTorrent.


----------



## ZentratheFox (Dec 13, 2008)

Marik J. Foxx said:


> I used to use Limewire, but now I use Ares & uTorrent.



I buy software and music. Safer that way.

Well, except for Spore. That game was made to be pirated.


----------



## StainMcGorver (Dec 13, 2008)

Funny. It reminds me of when I was downloading JFK:R, I became infected with over 250 viruses. They include: Antivirus 2009, Porn viruses, a BDoS virus, and a worm.


----------



## ZentratheFox (Dec 13, 2008)

Awesome! When I was younger, I accidentally destroyed my Windows install by going to a serial key website. I was dumb and used Internet Exploder, and then all of a sudden my screen was blue. And Windows was gone. It was awesome! ^^

Oh, and it was at a LAN party, no less. So, no recourse but to wait out the night and watch other people have fun (after unplugging my NIC, lol). Good times.


----------



## mapdark (Dec 17, 2008)

AV2009 or whatever it's called is a smitfraud type attack.

It's a BITCH to clean when you click on it by mistake (I would never be dumb enough to click on it knowingly)

I had to make 3 rounds of ComboFix and company to get rid of it!


----------



## WoefulDerelict (Jan 1, 2009)

I must say, reading this was certainly entertaining, but it does lead me to question the role of everyday users in this phenomenon and their umm... right to use the system at all.

In all honesty I've never once had to deal with malware, a virus, or a worm on one of my own machines. I will admit that I don't use MS Windows as my primary OS, but I do use it and have used it and computers for much longer than I care to admit. (Just to give you an idea, there is an 80286 chip @ 12MHz in my desk drawer that hangs out as a memento.)

Now I've cleaned out plenty of this shit from the systems of friends and family (thankfully not this one), but I still fail to see HOW this happens. I mean... I don't run any defence software on my Windows boxen and I never have, as I'm not fond of the resource drain given that I mostly run resource hogs like Adobe software and compilers and really do just want the tool to run as quickly and smoothly as possible. So... in theory the box is wide open. I'm practically begging for it, right? Yet, still critter free.

Maybe I'm just wicked old school. Does anyone remember the time when the majority of computer viruses were spread through the redistribution of things like shareware... on like a 5.25" floppy? The same rule applies: "If you don't know or trust the source, don't put it in your computer." There are exceptions and I am aware of things like browser exploits and what not, but still... I mean... REALLY? Do I just have the luck of the Irish here or what?


----------



## FabiFox (Jan 1, 2009)

WoefulDerelict said:


> I must say, reading this was certainly entertaining, but it does lead me to question the role of everyday users in this phenomenon and their umm... right to use the system at all.
> 
> In all honesty I've never once had to deal with malware, a virus, or a worm on one of my own machines. I will admit that I don't use MS Windows as my primary OS, but I do use it and have used it and computers for much longer than I care to admit. (Just to give you an idea, there is an 80286 chip @ 12MHz in my desk drawer that hangs out as a memento.)
> 
> Now I've cleaned out plenty of this shit from the systems of friends and family (thankfully not this one), but I still fail to see HOW this happens. I mean... I don't run any defence software on my Windows boxen and I never have, as I'm not fond of the resource drain given that I mostly run resource hogs like Adobe software and compilers and really do just want the tool to run as quickly and smoothly as possible. So... in theory the box is wide open. I'm practically begging for it, right? Yet, still critter free.



100% with you, I'm running 3 Windows machines and 2 on Ubuntu. Not a single one has any form of anti-virus or malware protection running on it, not one of my Windows machines over the past 10 years has had any protection, and I've never had a problem... perhaps use of the internet should require an IQ test?

Some clients seem to screw up their machines within days, the amount of people who come running to me with a messed up box because they thought opening girls.exe would be a great idea is truly worrying.

Don't click on "LOL FR33 ANTI VIRUS SCAN CLICK HERE LOL!!11", don't be an idiot, and you won't have anything to worry about


----------



## pheonix (Jan 1, 2009)

FabiFox said:


> 100% with you, I'm running 3 Windows machines and 2 on Ubuntu. Not a single one has any form of anti-virus or malware protection running on it, not one of my Windows machines over the past 10 years has had any protection, and I've never had a problem... perhaps use of the internet should require an IQ test?
> 
> Some clients seem to screw up their machines within days, the amount of people who come running to me with a messed up box because they thought opening girls.exe would be a great idea is truly worrying.
> 
> Don't click on "LOL FR33 ANTI VIRUS SCAN CLICK HERE LOL!!11", don't be an idiot, and you won't have anything to worry about



I agree, I'm not stupid enough to get blue screened. I did that one time when I was 10 and learned my lesson. (and a few tricks)


----------



## harry2110 (Jan 2, 2009)

The only program that I can guarantee to get rid of it with is Malwarebytes. Just download it for free, install it and then update it. After that run msconfig from Run and go to Startup; uncheck all weird-lettered programs. Then don't restart; first run a full system scan with MB, then restart and run it again. By now most of the program should be gone. If it pops up again in a few hours, run it again twice. I had to do it 3 times but now it is completely gone.


----------



## ZentratheFox (Jan 2, 2009)

harry2110 said:


> The only program that I can guarantee to get rid of it with is Malwarebytes. Just download it for free, install it and then update it. After that run msconfig from Run and go to Startup; uncheck all weird-lettered programs. Then don't restart; first run a full system scan with MB, then restart and run it again. By now most of the program should be gone. If it pops up again in a few hours, run it again twice. I had to do it 3 times but now it is completely gone.



Just got an emergency client call who got infected with it on one of their main computers. My boss handled it, but still... it just never stops.


----------



## djslum (Jan 3, 2009)

This is a "Smitfraud rogueware"; they suck xD

This thing you are encountering is not new, it's actually a revamped rogueware virus that once installed inhibits and basically renders your AV useless. Depending on how well made it is, it can also kill your active desktop, disable access to taskmanager.exe, msconfig.exe, and others. It can also change your system clock, corrupt your registry and more.

BTW it also likes to embed itself in winlogon.exe or winver.exe, that is bad.


It pops up as AntiVirus2009, Antivirus2008, WinAntiVirus2009 /*2008, WINAV2009, AV2009, AV2008 and other generic stupid names.
Process names I have come across when fixing these can come up like Pnstkrba01.exe or prnkbstr01.exe or something similar in char length and such; other names may include "youShouldntSeeMe.exe", 01.exe, 1010.exe, and some other stuff. Also the obvious like AV2008.exe, and stuff like that.

Solutions (easily googled):
RogueFix
Darik's Boot and Nuke (for when your comp is toast and you need to nuke your drive)
Trial ESET NOD32
AVG 8.0 Free Edition
CCleaner
HijackThis (not recommended unless you know what you're doing, like for real, you can fuck up your computer more than it was if you aren't careful)
and many more.

The way this bitch gets in your comp is simple: you click on a tab in your browser that says your PC is infected, or a popup window or tab. Or this thing called "Media Codec" which normally is offered on a black page with blue borders and a pretty professional appearance; it will ask you to install software, don't even think about it. Another fine way to let this in is if you're downloading shit in Frostwire, Limewire, and other community downloaders, also torrents. I've seen lots of comments on rogueware in comments.

*To avoid virus attacks:*

Get someone computer smart to configure your anti-virus, firewall, spyware-killer the right way.

Read over every word in the popup tabs, windows, or popups in general.

Whenever you download some .exe or executable file (.exe, .dmg, etc...) right click and select Properties and check just where this thing is from, and see if it is legit.

READ COMMENTS ON TORRENTS or DOWNLOAD FILES, I don't know how many people blow this off and then come back crying to me about how their computer got data-raped by some virus.

If you don't know what the process or install file does, just google the process name. Take winlogon.exe, it's on every computer. What is it? Google it, normally someone in the first three links will tell you what it does.

There are lots of things you can do. Just have a good chat with a geek about computer safety and what it can do for you.

Any questions or comments?
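harry2110's "uncheck all weird lettered programs" in msconfig and djslum's notes on process names (Pnstkrba01.exe, prnkbstr01.exe, 1010.exe, a winlogon.exe living where it shouldn't, the AV2008/AV2009 product strings) are the same triage done by eye. The script below is an added example, not a tool from either poster: it takes a startup list in the shape you would copy out of the Run keys or msconfig and flags the entries that deserve the Google search djslum recommends. The entry list is constructed (two of the junk names are the ones djslum quotes), the SystemRoot path and the user-writable directory list are assumptions for an XP layout, and every flag is a hint to look harder, not a verdict.

```python
"""Triage a Windows autostart list for rogue-AV tells.

Added example for this thread, not any poster's own tool. SAMPLE_AUTOSTART
is constructed; SYSTEM_ROOT and USER_WRITABLE_MARKERS are assumptions for
an XP-era layout. Uses ntpath so it runs anywhere, not only on Windows.
"""
import ntpath
import re

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption; read %SystemRoot% on a real box

# Core binaries that only ever belong in System32; a copy anywhere else is a tell.
CORE_SYSTEM_BINARIES = {"winlogon.exe", "csrss.exe", "lsass.exe",
                        "services.exe", "svchost.exe", "smss.exe"}

# Product strings from djslum's list of names the rogue shows up under.
ROGUE_AV_NAME = re.compile(r"(win)?(anti\s*virus|av)\s*20(08|09)", re.IGNORECASE)

# Directories a drive-by dropper can write without admin rights (assumed XP layout).
USER_WRITABLE_MARKERS = ("\\local settings\\temp\\", "\\application data\\",
                         "\\temp\\", "\\appdata\\")

FLAG_RANDOM = "random-looking name"
FLAG_MASQUERADE = "core system name outside System32"
FLAG_USER_DIR = "runs from a user-writable directory"
FLAG_ROGUE = "matches a rogue-AV product name"

# Constructed sample in Run-key / msconfig shape: (entry name, command line).
SAMPLE_AUTOSTART = [
    ("Windows Defender", r"C:\Program Files\Windows Defender\MSASCui.exe -hide"),
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("winlogon", r"C:\Documents and Settings\mike\Local Settings\Temp\winlogon.exe"),
    ("Pnstkrba01", r"C:\Documents and Settings\mike\Application Data\Pnstkrba01.exe"),
    ("prnkbstr01", r'"C:\Documents and Settings\mike\Local Settings\Temp\prnkbstr01.exe" /s'),
    ("AV2009", r"C:\Program Files\Antivirus 2009\av2009.exe"),
    ("1010", r"C:\WINDOWS\1010.exe"),
]


def image_path(cmdline):
    """Pull the executable path out of a Run-key command line (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    tokens = cmdline.split()
    for i in range(len(tokens)):            # unquoted paths may contain spaces
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith(".exe"):
            return candidate
    return tokens[0] if tokens else ""


def looks_random(basename):
    """True for names like prnkbstr01.exe, 1010.exe, 01.exe: all digits, or a
    vowel-starved letter run with a numeric suffix."""
    stem = ntpath.splitext(basename)[0].lower()
    if stem.isdigit():
        return True
    m = re.match(r"^([a-z]+)(\d{1,4})$", stem)
    if not m:
        return False
    letters = m.group(1)
    vowels = sum(c in "aeiou" for c in letters)
    return len(letters) >= 5 and vowels / len(letters) < 0.3


def masquerades(basename, directory):
    """A core binary name running from anywhere but System32 (djslum's winlogon.exe)."""
    if basename.lower() not in CORE_SYSTEM_BINARIES:
        return False
    system32 = ntpath.join(SYSTEM_ROOT, "system32").lower()
    return ntpath.normpath(directory).lower() != system32


def in_user_writable_dir(path):
    """Drive-by payloads land in Temp / Application Data, not Program Files."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def triage(entries):
    """Return [(name, path, [flags])] for entries earning at least one flag,
    most-suspicious first."""
    results = []
    for name, cmdline in entries:
        path = image_path(cmdline)
        base = ntpath.basename(path)
        directory = ntpath.dirname(path)
        flags = []
        if looks_random(base):
            flags.append(FLAG_RANDOM)
        if masquerades(base, directory):
            flags.append(FLAG_MASQUERADE)
        if in_user_writable_dir(path):
            flags.append(FLAG_USER_DIR)
        if ROGUE_AV_NAME.search(name) or ROGUE_AV_NAME.search(path):
            flags.append(FLAG_ROGUE)
        if flags:
            results.append((name, path, flags))
    results.sort(key=lambda r: (-len(r[2]), r[0].lower()))
    return results


if __name__ == "__main__":
    for name, path, flags in triage(SAMPLE_AUTOSTART):
        print("%-18s %s" % (name, path))
        print("%-18s %s" % ("", "; ".join(flags)))
```

Note what does not get flagged: ctfmon.exe and MSASCui.exe are consonant-heavy but sit where Windows puts them, so neither the name heuristic nor the path checks fire. The scoring deliberately weighs location and masquerading over spelling, because, as the thread shows, legitimate Windows binaries have odd names too; a single weak flag is where you go and look the name up rather than where you start deleting.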


----------



## Wait Wait (Jan 3, 2009)

lol windows


----------



## djslum (Jan 3, 2009)

Wait Wait said:


> lol windows


Linux = win
windows = fail... sorta... I like XP
mac = meh shiney stuff.

xD


----------



## Wait Wait (Jan 3, 2009)

my mac is so shiny <3


----------



## djslum (Jan 3, 2009)

Wait Wait said:


> my mac is so shiny <3


xD nice. I got three rigs running xD server, gaming rig, and this. XP Pro, XP pro, and Ubuntu Server :]


----------

