How to remove Trojan: anti-virus-defence.com/2009/1/de?

This morning avast told me that a Trojan: “anti-virus-defence.com/2009/1/de” was trying to access my computer. Shortly before, I was surfing on another website, when it asked me to install an anti-virus software, which I denied.

Shortly before avast showed the alarm, the firewall showed a message that this virus had changed something within the Avast registry. On the web there is almost nothing to be found on this virus (some entries from today and yesterday in Spanish). The scan found nothing on my computer… but now I am not sure anymore that avast is still functioning.

Thanks for your help!

It is rogueware, a fake antivirus, trying to get money out of you or truly infect you.

Whilst avast appears to be blocking this, there is likely to be something else benign trying to get this on to your system.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. SUPERantispyware On-Demand only in free version.

  2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File As (depending on your browser), save it to a location where you can find it easily later.

Both scanners found nothing: ???

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/18/2008 at 06:16 PM

Application Version : 4.22.1014

Core Rules Database Version : 3641
Trace Rules Database Version: 1624

Scan type : Complete Scan
Total Scan Time : 00:40:00

Memory items scanned : 359
Memory threats detected : 0
Registry items scanned : 3860
Registry threats detected : 0
File items scanned : 14697
File threats detected : 0

Malwarebytes’ Anti-Malware 1.30
Datenbank Version: 1409
Windows 5.1.2600 Service Pack 2

18.11.2008 19:10:33
mbam-log-2008-11-18 (19-10-32).txt

Scan-Methode: Vollständiger Scan (C:|)
Durchsuchte Objekte: 78147
Laufzeit: 43 minute(s), 1 second(s)

Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0

Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)

Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)

Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)

Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)

Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)

Infizierte Dateien:
(Keine bösartigen Objekte gefunden)

Looks like avast kept it out; there is one other tool that specialises in this type of rogueware.

Try this tool, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php.

David, just my opinion, but RogueRemover is not being updated “anymore”… very few updates really. MBAM is being their big product, not RogueRemover. Although it could work sometimes. I’m not recommending it anymore.

Well many suggest using MBAM first and then RogueRemover as they are looking at slightly different things.

Isolde, what firewall do you use, and is there any information about this event in the log?

Hello – I’ve just received the same message, advising that I have serious infections in my Windows XP installation. It appeared when I clicked on a link provided by a Google search for a CR-V10-U6N memory card reader spec.

However, as I am running Linux, I rather doubt it. I do have Windows XP on my system as I enabled dual-booting, but I don’t mount the partition containing Windows when I’m running Linux. It was not mounted when what claimed to be a “Microsoft Security Warning” popped up, telling me that Spyware.IEMonster.b, Zlob.PornAdvertiser.Xplisit, and Trogan.InfoStealer.Banker.s were installed in my system, apparently on my WindowsXP partition, labeled C: in the (possibly simulated) search that appeared on my screen.

I downloaded the A9installer_880819.exe file (into a pen drive) for further use whenever I booted into Windows if I found it was appropriate. It looks to me, based on this thread, that it is not.

Looks to me like a scam from the get-go, not having to do with any AVAST activation at all. Am I wrong about that?

A9installer_880819.exe is malware. Do not run it in Windows.

You came across a poisoned Google search.

Anti-Virus2009 is a scam.

It claimed to find malware on my computer, running Ubuntu. Ha ha ha!

Unfortunately, detection of the malware installer sucks.

Antivirus Version Last Update Result
AhnLab-V3 2008.11.18.2 2008.11.18 -
AntiVir 7.9.0.31 2008.11.18 -
Authentium 5.1.0.4 2008.11.18 -
Avast 4.8.1281.0 2008.11.18 -
AVG 8.0.0.199 2008.11.18 -
BitDefender 7.2 2008.11.18 -
CAT-QuickHeal 10.00 2008.11.18 -
ClamAV 0.94.1 2008.11.18 -
DrWeb 4.44.0.09170 2008.11.18 -
eSafe 7.0.17.0 2008.11.18 -
eTrust-Vet 31.6.6214 2008.11.18 -
Ewido 4.0 2008.11.18 -
F-Prot 4.4.4.56 2008.11.18 -
F-Secure 8.0.14332.0 2008.11.18 -
Fortinet 3.117.0.0 2008.11.18 -
GData 19 2008.11.18 -
Ikarus T3.1.1.45.0 2008.11.18 -
K7AntiVirus 7.10.527 2008.11.18 -
Kaspersky 7.0.0.125 2008.11.18 -
McAfee 5438 2008.11.18 -
Microsoft 1.4104 2008.11.17 -
NOD32 3623 2008.11.18 -
Norman 5.80.02 2008.11.18 -
Panda 9.0.0.4 2008.11.18 -
PCTools 4.4.2.0 2008.11.18 -
Rising 21.04.12.00 2008.11.18 -
SecureWeb-Gateway 6.7.6 2008.11.18 -
Sophos 4.35.0 2008.11.18 -
Sunbelt 3.1.1801.2 2008.11.14 -
Symantec 10 2008.11.18 -
TheHacker 6.3.1.1.157 2008.11.18 -
TrendMicro 8.700.0.1004 2008.11.18 -
VBA32 3.12.8.9 2008.11.18 -
ViRobot 2008.11.18.1474 2008.11.18 -
VirusBuster 4.5.11.0 2008.11.18 -

Being a bit of a computer nerd, I found out that the thing I called firewall is actually “Spybot-SD Resident”, but it was not that program that warned me, at least I can’t find the entry anymore, but maybe avast. Here is the entry avast made:

18.11.2008 09:32:08 SYSTEM 1716 Sign of “JS:Agent-DE [trj]” has been found in “hXXp://anti-virus-defence.com/2009/1/de/_freescan.php?nu=880338” file.
18.11.2008 10:12:08 SYSTEM 1716 Sign of “Win32:Spyware-gen [trj]” has been found in “C:\Downloads\spywareentferner\snm-2.67_swpl.exe” file.

The second one is from an anti-spyware tool I tried to use to get rid of the first one, but which also caused an avast alert. So I removed the file from the computer.

Thanks again for your support!

Please modify your post so the link to the suspect site isn’t active and doesn’t leave people at risk of accidental exposure.

Change the http to hXXp; that will break the link.
Example: hXXp://anti-virus-defence.com/2009/1/de/_freescan.php?nu=880338

See http://linkscanner.explabs.com/linkscanner/checksite.aspx?NS=ChkOnly&SRC=apps.explabs.com&CS=http://anti-virus-defence.com/2009/1/de/_freescan.php?nu=880338
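The two avast entries quoted above and the hXXp convention suggested for posting them are easy to handle mechanically. The following is an added example written for this thread, not code from avast or from anyone posting here: it parses log lines in the format shown (date, time, user, PID, signature, location), tells URL hits from on-disk file hits, and defangs any URL so a pasted report cannot be clicked. The sample lines are constructed for the example, modelled on the two entries in the thread; the first is written with a live http:// scheme so that the defanging step is exercised.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample log, modelled on the avast entries quoted in the thread.
# The third line is a non-detection line added to show that it is skipped.
SAMPLE_LOG = (
    '18.11.2008 09:32:08 SYSTEM 1716 Sign of "JS:Agent-DE [trj]" has been found in '
    '"http://anti-virus-defence.com/2009/1/de/_freescan.php?nu=880338" file.\n'
    '18.11.2008 10:12:08 SYSTEM 1716 Sign of "Win32:Spyware-gen [trj]" has been found in '
    '"C:\\Downloads\\spywareentferner\\snm-2.67_swpl.exe" file.\n'
    '18.11.2008 10:12:09 SYSTEM 1716 (constructed non-detection line, skipped by the parser)\n'
)

# One avast detection line: accepts both straight and the curly quotes that
# forum software tends to substitute when a log is pasted.
LINE_RE = re.compile(
    r'^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<user>\S+) (?P<pid>\d+) Sign of [“"](?P<sig>[^”"]+)[”"] '
    r'has been found in [“"](?P<loc>[^”"]+)[”"] file\.$'
)

# Matches http://, https:// and their already-defanged hXXp/hXXps forms.
URL_RE = re.compile(r'^(h)(?:ttp|xxp)(s?)://', re.IGNORECASE)


@dataclass
class Detection:
    timestamp: datetime
    user: str
    pid: int
    signature: str
    location: str      # exactly as logged
    kind: str          # "url" or "file"
    safe_location: str # defanged if it was a URL, unchanged otherwise


def is_url(location: str) -> bool:
    """True for http(s) locations, whether live or already defanged."""
    return URL_RE.match(location) is not None


def defang(url: str) -> str:
    """Rewrite the scheme as hXXp:// or hXXps:// so the link is not clickable.
    Already-defanged input is returned unchanged."""
    return URL_RE.sub(lambda m: f"{m.group(1)}XXp{m.group(2)}://", url, count=1)


def parse_avast_log(text: str) -> List[Detection]:
    """Extract detection lines; anything that does not match is ignored."""
    detections: List[Detection] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        loc = m.group("loc")
        kind = "url" if is_url(loc) else "file"
        detections.append(Detection(
            timestamp=datetime.strptime(f"{m.group('date')} {m.group('time')}",
                                        "%d.%m.%Y %H:%M:%S"),
            user=m.group("user"),
            pid=int(m.group("pid")),
            signature=m.group("sig"),
            location=loc,
            kind=kind,
            safe_location=defang(loc) if kind == "url" else loc,
        ))
    return detections


def summarize(detections: List[Detection]) -> Dict[str, int]:
    """Count hits by kind, e.g. {'url': 1, 'file': 1}."""
    counts: Dict[str, int] = {}
    for d in detections:
        counts[d.kind] = counts.get(d.kind, 0) + 1
    return counts


if __name__ == "__main__":
    hits = parse_avast_log(SAMPLE_LOG)
    for d in hits:
        # safe_location is what you would paste into a forum post
        print(f"{d.timestamp:%Y-%m-%d %H:%M:%S} {d.kind:4} {d.signature:25} {d.safe_location}")
    print(summarize(hits))
```

A URL hit from the Web Shield (the first line) means the page was blocked in transit; a file hit (the second line) means something already reached disk and its path is worth keeping in the report as-is, since a local path cannot be clicked into a live site.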

The avast self-defence may have been what alerted you as it would stop something trying to modify its registry entries, possibly trying to disable it.

It appears to be a good detection. It’s SpyNoMore.

http://virscan.org/report/8f4cda59b6cf50933fc7cc05180fe301.html

Is this what the detection looked like? (Complete with siren, if you have sounds configured/on, and a yellow and blue warning bar at the bottom of the page.)
Avast has protected you from it.
Still curious about what registry entry has been modified.

Yes, it showed first the blue bar at the bottom and then the window with the siren; when I clicked on “cut connection” the window closed, so I could not see further what happened.

I caught this doing a simple Google search, having nothing to do with anti-virus software.

Basically it was intercepted by the Web Shield: as it tried to open that page, the Web Shield scanned it and didn’t like the content. That is why you only got the abort connection; it drops that particular connection so the file doesn’t come down.