Antivirus 2009

:frowning: I think I have this thing, “Antivirus2009”. It pops up and shows a shield on the taskbar. It says I have a virus and keeps asking me to run it. I did a “System Restore” to 5 days ago and I haven’t seen it yet. This happened in the last 2 hrs. Can this be removed from the computer with the Avast Virus Cleaner? What should I do if it comes back? Help!!!

Try this

Please download Malwarebytes’ Anti-Malware from Here or Here

[*]Double click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

I think I am good!!! Here are the notes:

Malwarebytes’ Anti-Malware 1.25
Database version: 1092
Windows 6.0.6001 Service Pack 1

1:00:56 PM 8/28/2008
mbam-log-08-28-2008 (13-00-56).txt

Scan type: Quick Scan
Objects scanned: 36204
Time elapsed: 3 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

dear DL
do not disappear
we gotta keep this from happening again

first right-click the avast ball and update programs
then
right-click and schedule a boot time scan
reboot
post up the results

essex boy is excellent - you got lucky

do you have any other anti-spyware installed on your computer?
windows defender? spybot?
if you do update and do a scan
if you do not
download SuperAntiSpyware, update and do a scan
post the results back here

results are clean!!! I do use defender ;D

I’d be a little concerned about the possibility of this lurking in System Restore. (And I am quite surprised that a System Restore seems to have prevented it getting its hooks in. This infection normally needs a right going over with MBAM to kill it, and sometimes more, it seems.)
If the computer is running well you should consider turning System Restore off, rebooting, and turning it back on again. This will delete all your system restore points, so you don’t want to do it unless everything is working well. It will also take out any infection residue that might be in System Restore.

The results in MBAM don’t show anything that might be antivirus 2009, so nothing has been removed that would stop it.

The system restore you did going back to a point prior to the anti-virus 2009 was what removed it I believe.

I would recommend keeping MBAM, updating it weekly and running a scan after the update; a quick scan should suffice, a full scan if you have any suspicions or problems.

@ Tarq57
I too am somewhat surprised at the effectiveness of the System Restore, but only very recently I have seen MBAM used against Antivirus 2008 and that produced many, many registry entries. But I don’t believe Essexboy would have suggested MBAM if it couldn’t deal with this latest version of Antivirus 2009.

DavidR, yes, I know MBAM (and to a lesser degree, perhaps, SAS) have been the “uber-tools” of success against this beast. So was surprised when MBAM detected nothing.
Do you also think dlprobert should delete the old restore points?
Likely there was a degree of immunity/hardening or up-to-dateness in the applications which meant the thing couldn’t get a proper foothold, I guess.
dlprobert when (if) you scanned with SAS, was it set to scan System volume information? (This is the third checkbox under scanning options). It’s set to examine System Volume info by default, I think.

Hi Tarq57,

I’ll always instruct to do a Safe Mode, disabled System Restore scan with the scanners of choice (MBAM & SAS).
As the latest 2009-beast has the Zlob infection characteristics, a Safe Mode and System Restore disabled SmitFraudFix run would be advisable (you have to run SmitFraudFix in Safe Mode, because otherwise it may crash).
So MBAM and the recent SAS run in Safe Mode/disabled System Restore, then a similar run of SmitFraudFix to top the cream, and then enable System Restore, normal mode and a final full scan with the resident av-scanner; a HJT logfile txt could be checked to see if the user’s OS is malware free.

polonus

I don’t really know, as when you go back using System Restore, I don’t know if restore points that are effectively points in the future would be removed or not. Since System Restore isn’t infallible I choose not to have it enabled at all and choose drive imaging as my replacement for it.

It would be advantageous to clear out all restore points; that way there is no doubt about using it in the future and being bitten in the rear by an infected restore point. As polonus says, disabling System Restore is almost the norm when hunting malware that might be in the system folders, and only enable it when clean.

System Restore replaces the registry and MS files if they have been changed. The files used by the malware will still possibly be on the system. The only way to be sure all is gone is to run an analysis tool:

[*]Download random’s system information tool (RSIT) by random/random from here and save it to your desktop.
[*]Double click on RSIT.exe to run RSIT.
[*]Click Continue at the disclaimer screen.
[*]Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
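The restore-point question raised in the last few posts (whether points created after the infection survive, and how to clear them) can be put into a checklist. The script below is an added example for this thread, not code from any poster or from the tools named here. It lists each restore point with its real creation time, marks the ones created after an assumed infection time, and wraps the off/on procedure Tarq57 describes in a function to run once the machine is confirmed clean. It assumes a Windows Vista or later client with Windows PowerShell 2.0 or newer, run elevated; the infection time is an illustrative value derived from the MBAM log above (scan at 13:00, symptoms “in the last 2 hrs”).

```powershell
# Added example for this thread (not code from any poster or tool named here).
# Lists System Restore points with their creation time, flags those made after
# the assumed infection time (the "points in the future" DavidR wonders about,
# which may have snapshotted the rogue's files and registry keys), and wraps
# Tarq57's off/on procedure for discarding them all.
# Assumptions: Windows Vista+ client, Windows PowerShell 2.0+, elevated prompt.

$infectionTime = Get-Date '2008-08-28 11:00'   # assumed value, adjust to your own timeline

function Get-RestorePointReport {
    param([datetime]$Since)
    # Get-ComputerRestorePoint returns WMI SystemRestore objects whose CreationTime
    # is a DMTF string (yyyymmddHHMMSS.ffffff+zzz); convert it before comparing.
    Get-ComputerRestorePoint | ForEach-Object {
        $created = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        New-Object PSObject -Property @{
            SequenceNumber = $_.SequenceNumber
            Created        = $created
            Description    = $_.Description
            Suspect        = ($created -ge $Since)   # taken while the rogue was present
        }
    }
}

function Clear-AllRestorePoints {
    param([string]$Drive = 'C:\')
    # Disabling System Restore on a drive discards every restore point on it, clean
    # or not, so only run this once the machine is confirmed clean.
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive
    # Then take one known-good point to fall back on.
    Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS
}

$report = Get-RestorePointReport -Since $infectionTime
$report | Sort-Object Created | Format-Table SequenceNumber, Created, Suspect, Description -AutoSize

if (@($report | Where-Object { $_.Suspect }).Count -gt 0) {
    Write-Host 'Restore points exist from after the infection time.'
    Write-Host 'When the system is confirmed clean, run: Clear-AllRestorePoints -Drive ''C:\'''
}
```

The report is read-only; nothing is deleted until you call Clear-AllRestorePoints yourself. The off/on pair in that function is the cmdlet form of the Control Panel procedure in the thread; it does not make the reboot Tarq57 mentions unnecessary, and the resident scanner should have come back clean before you run it, because a restore point is the one thing you cannot get back afterwards.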

This is a new virus, see analysis - http://www.virustotal.com/ru/analisis/3b0784a1cfb63ae248eef215b25e91f8

I found virus file c.exe, which has length 64000 bytes and is located in %USERPROFILE%\Local Settings\Temp.

Virus in taskbar - comically… and comfortably…

yvs
thanks for the update
however if YOU have this 2009 version you can start by following the suggestions in the above thread, but post your results in a NEW thread -
once logs start to be posted and advice based on those logs, multiple problems would quickly overwhelm us
at least me

I have it and saved it (only in passive mode, as a file) until avast recognizes this virus.

Also I have this - http://www.virustotal.com/ru/analisis/baf1efc3b4c74df8b07272498cdd74da
and this - http://www.virustotal.com/ru/analisis/fb66fbe8873bb9d55db658f670ebd3b9
and sent all to virus@avast.com.

Lately I sent some viruses to virus@avast.com and now avast recognizes them:
http://www.virustotal.com/ru/analisis/0685b8f9ed5c93b105a8d1ed2fb12eed
http://www.virustotal.com/ru/analisis/374a0fc26019749107183f4def333276

Hi yvs,

Did you see this info:
B.EXE

Disagree with this determination? Tell us, please.

This executable program has a file size of 64,000 bytes, it is most frequently called B.EXE and is most frequently located in the %temp%\ folder.
This file is considered unsafe and is part of the malware group, Spyware.Midaddle. It was first seen on Thursday, Aug 28 2008. It has been seen by 10 users in this section of the community. The file was first seen in TURKEY but has been seen in other locations, including NETHERLANDS.
B.EXE has been seen to perform the following behaviors:

  • The Process is packed and/or encrypted using a software packing process
  • Can communicate with other computer systems using HTTP protocols
  • Writes to another Process’s Virtual Memory (Process Hijacking)
  • Executes a Process
B.EXE has been the subject of the following behaviors:
  • Created as a process on disk
  • Has code inserted into its Virtual Memory space by other programs
  • Executed as a Process
  • Deleted as a process from disk

The process belongs to the software b.exe or iTunes by unknown.

Description: File b.exe is located in C:. The file size on Windows XP is 19456 bytes.
The application has no file description. The program is not visible. The program starts upon Windows startup (see Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices). The file is not a Windows system file. The program uses ports to connect to LAN or Internet. Therefore the technical security rating is 82% dangerous.

If b.exe is located in a subfolder of “C:\Documents and Settings” then the security rating is 74% dangerous. File size is 69632 bytes. b.exe is a file without information about the maker of this file. The program is not visible. The file is not a Windows system file. The process listens for or sends data on open ports to LAN or Internet. b.exe is able to monitor applications.

Important: Some malware camouflage themselves as b.exe, particularly if they are located in the c:\windows or c:\windows\system32 folder (Lampsy Trojan, W32 Alcra.b). Thus check the b.exe process on your PC to see whether it is a pest. We recommend Security Task Manager for verifying your computer’s security. It is one of the Top Download Picks of 2005 of The Washington Post and PC World.

regards,

polonus

OK guys
you’ve managed to hijack dlprobert’s thread
Go somewhere else
start your own thread

I don’t know. I don’t study viruses, I only try to be protected from them. :slight_smile:

But I can tell my story. Sorry for my French.

Today I was at my client’s (accounting software, Ukraine). I saw in the system tray an icon like a shield (like the icon of the WinXP firewall). And over it I saw a balloon message “You have a virus”. After clicking on the balloon I got a messagebox() with a proposal to treat it (I don’t remember the text). If I answered Yes, Internet Explorer ran and went to one site. Yes, I don’t remember the address. Then in the browser I saw some spyware scanning imitation and some other proposals.

With a2HiJackFree.exe I found process c.exe, and it found its file c.exe. I killed this process, then moved the mouse over the shield icon and the icon disappeared. I moved c.exe to my USB flash drive. Windows was rebooted; all right.

By the way, file c.exe has the shield icon just in Windows Explorer. :slight_smile:

Near c.exe I saw file a.exe, size 49156, analysis - http://www.virustotal.com/ru/analisis/fb66fbe8873bb9d55db658f670ebd3b9
But this file was not running, it was inactive; I deleted it without killing any process.
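The two posts above between them name where this rogue lives: single-letter executables (a.exe, b.exe, c.exe) dropped into %TEMP% or the profile root, started from the HKLM Run and RunServices keys, with no file description. The script below is an added example for this thread, not code from any poster or from a2HiJackFree, MBAM or any other tool mentioned here. It walks exactly those persistence points and folders, hashes every executable it finds and flags the traits described in the posts, so the hashes can be checked against VirusTotal before anything is killed or deleted. It is read-only. It assumes Windows PowerShell 2.0 or newer on the suspect machine, run as the affected user, and uses today’s SHA-256 VirusTotal lookup URL rather than the /analisis/<md5> links quoted above.

```powershell
# Added example for this thread (not code from any poster or tool named here).
# Read-only triage of the places the posts point at: the HKLM/HKCU Run and
# RunServices keys b.exe registered in, and the %TEMP% folder where a.exe, b.exe
# and c.exe were found. It lists, hashes and flags; it removes nothing.
# Assumptions: Windows PowerShell 2.0+, run as the affected user; the VirusTotal
# URL form is the current SHA-256 lookup, not the thread's /analisis/<md5> links.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-FileSha256 {
    param([string]$Path)
    # Get-FileHash needs PowerShell 4+, so hash through .NET directly.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Get-CommandPath {
    param([string]$CommandLine)
    # A Run value is a command line: "C:\x\b.exe" /arg, or C:\x\b.exe, or %TEMP%\b.exe.
    if     ($CommandLine -match '^\s*"([^"]+)"') { $exe = $matches[1] }
    elseif ($CommandLine -match '^\s*(\S+)')     { $exe = $matches[1] }
    else   { return $null }
    [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-Finding {
    param([string]$Source, [string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Source = $Source; Path = $Path; Size = $null; SHA256 = $null; VirusTotal = $null; Note = 'file missing' }
    }
    $item  = Get-Item -LiteralPath $Path
    $ver   = $item.VersionInfo
    $hash  = Get-FileSha256 -Path $Path
    $flags = @()
    # Traits of the droppers in the thread: single-letter names, no publisher or
    # description metadata, sitting in a user-writable folder. Malware can forge
    # version info, so an unflagged row is not proof of a clean file.
    if (-not $ver.CompanyName -and -not $ver.FileDescription)           { $flags += 'no version info' }
    if ($item.Name -match '^[a-z]\.exe$')                               { $flags += 'single-letter name' }
    if ($Path -like "$env:TEMP\*" -or $Path -like "$env:USERPROFILE\*") { $flags += 'user-writable location' }
    New-Object PSObject -Property @{
        Source     = $Source
        Path       = $Path
        Size       = $item.Length
        SHA256     = $hash
        VirusTotal = "https://www.virustotal.com/gui/file/$hash"
        Note       = ($flags -join '; ')
    }
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not Run values
        $findings += Get-Finding -Source "$key\$($prop.Name)" -Path (Get-CommandPath $prop.Value)
    }
}
foreach ($file in Get-ChildItem -Path $env:TEMP -Filter *.exe -ErrorAction SilentlyContinue) {
    $findings += Get-Finding -Source 'TEMP' -Path $file.FullName
}

$findings | Sort-Object Note -Descending | Format-Table Source, Path, Size, Note -AutoSize
$findings | Where-Object { $_.SHA256 } | Select-Object Path, SHA256, VirusTotal | Format-List
```

Run it before touching anything, copy the hashes of the flagged rows into VirusTotal (or send the files to virus@avast.com as yvs did), and only then kill the process and remove the file and its Run entry. Because the rogue in this thread injects into other processes and disappears from the tray the moment its process dies, the hash taken from disk is the durable identifier to keep, not the tray icon or the file name.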

Hi yvs,

This is how they do it: pop up some threat messages and wait for people to react (and if you do this you get infected, because it is fake, and then there is a chain reaction and malware is installed (you go out of the frying pan into the fire)). The exploit can be the so-called setslice exploit, a malicious ActiveX zero-day exploit for Internet Explorer 6, which makes the vulnerable browser crash and the drive-by install of the fake AV malware possible, or there is a Messenger exploit to do this, or users open an infected e-mail. The latest forms have Zlob worm characteristics and are a real pain in the neck (a virus-worm),

polonus

P.S. Wyrmrider I asked this to be moved to another thread,