The Weekly Geek

I'm the Geek so you don't have to be!


AV2009 the fake anti-virus

October 30th, 2008 · 4 Comments

Just a quick “blog” to warn you all about a fake program called AV 2009 that is popping up and looks like a Windows Security warning. It is a fake, and clicking on it installs several pieces of fraud-ware, mal-ware and crap-ware.

This particular program, and its attempts to get onto your computer, has been around for a while; however, the most recent incarnation, which started a week or two ago, seems to be evading several anti-virus products. I have found it on machines running current, up-to-date versions of Norton, ESET, AVG (free) and Computer Associates, and I have read of others with Trend Micro and Panda Anti-virus getting infected.

Usually this particular nasty only infects people who visit sites pushing infected “video codecs” (normally, but not always, “adult” sites). This time around it seems to be exploiting some vulnerability to hack “good” web sites and/or servers and inject them with the infection. Once they are infected, you (or in one case your child) go to the site and wham bam no thank-you man, you are infected.

Once installed, the program tries to prevent your existing security software from updating or running properly.

The first thing that needs to be done is to disable System Restore and reboot, so that a restore point cannot bring the infection back.
Next you need to kill AV2009.exe via Task Manager.
Now navigate to “Program Files” and, under the folder “AV2009”, delete AV2009.exe. (The first time I simply deleted the whole folder, but then the security programs never identified the program's other components and the pop-up still occurred, so delete just the executable and let the scanner deal with the rest.)
At this point I have been able to manually run a thorough anti-virus scan, which has caught and quarantined the other AV2009 files.
Next, I downloaded, updated and ran Spybot Search and Destroy 1.6 from Safer-networking (be aware that there are crap-ware and malware programs masquerading as Spybot, so get it only from the real Safer-networking site). Spybot S&D seems to have finalized the destruction of AV2009, but just in case I also ran ComboFix.
Finally, I suggest that you remove all temporary internet files for all your browsers (many of you use Firefox or Opera, but remember that Internet Explorer is still installed). That should finish removing this program. All that is left is to turn System Restore back on and reboot.
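The steps above, automated as a report-then-remove script. This is an added example, not a tool from the post's author; it uses only the indicators the post names (the running process AV2009.exe and the “AV2009” folder under Program Files). The persistence check in the Run keys, treating the “add-ons” mentioned in the comments as Internet Explorer Browser Helper Objects, and the browser cache paths are my assumptions and are marked as such in the script. Run it from an elevated PowerShell prompt on Vista or later; without -Remove it only reports what it finds.

```powershell
<#
  av2009-cleanup.ps1  -  added example, not the post author's own script.
  Automates the manual steps above: stop System Restore, kill AV2009.exe,
  delete the dropped binary under Program Files, check for persistence,
  list IE add-ons, clear browser caches, then re-enable System Restore.
  Assumptions not stated on the page: persistence via the standard Run keys,
  "add-ons" meaning IE Browser Helper Objects (BHOs), and the cache paths.
  Run from an elevated prompt. Without -Remove it only reports.
#>
param([switch]$Remove)

$name     = 'AV2009'
$folders  = @("$env:ProgramFiles\$name", "${env:ProgramFiles(x86)}\$name")
$runKeys  = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
$bhoKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$sysProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

# Step 1: System Restore off so a restore point cannot bring the binary back
# (Disable-/Enable-ComputerRestore exist on client Windows only).
if ($Remove) { Disable-ComputerRestore -Drive "$env:SystemDrive\" }

# Step 2: kill the running process. Get-Process takes the image name without ".exe".
foreach ($p in @(Get-Process -Name $name -ErrorAction SilentlyContinue)) {
    "process $($p.Id) $($p.Path)"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# Step 3: delete only AV2009.exe, then list whatever else is in the folder for the
# scanner (the post notes that removing the whole folder at once left the scanner
# with nothing to identify, and the pop-ups continued).
foreach ($dir in $folders) {
    $exe = Join-Path $dir "$name.exe"
    if (Test-Path $exe) {
        "dropped binary $exe"
        if ($Remove) { Remove-Item $exe -Force }
    }
    if (Test-Path $dir) {
        Get-ChildItem $dir -Recurse -Force | ForEach-Object { "leftover $($_.FullName)" }
    }
}

# Persistence check (assumption): any Run value whose command line mentions the name.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($v in (Get-ItemProperty $key).PSObject.Properties) {
        if ($sysProps -contains $v.Name) { continue }
        if ("$($v.Value)" -match $name) {
            "autorun $key\$($v.Name) = $($v.Value)"
            if ($Remove) { Remove-ItemProperty $key -Name $v.Name }
        }
    }
}

# IE add-ons (assumption: BHOs): map each CLSID to the DLL it loads so odd entries
# stand out, and remove any whose DLL path mentions the name.
if (Test-Path $bhoKey) {
    foreach ($k in Get-ChildItem $bhoKey) {
        $clsid = $k.PSChildName
        $srv   = "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
        $dll   = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { '<no InprocServer32>' }
        "bho $clsid -> $dll"
        if ($Remove -and "$dll" -match $name) { Remove-Item "$bhoKey\$clsid" -Recurse -Force }
    }
}

# Browser caches. IE: ClearMyTracksByProcess with 8 = Temporary Internet Files.
# Firefox keeps its cache under the profile folder ("Cache" in older builds, "cache2" now).
if ($Remove) {
    RunDll32.exe 'InetCpl.cpl,ClearMyTracksByProcess' 8
    $ffProfiles = "$env:LOCALAPPDATA\Mozilla\Firefox\Profiles"
    if (Test-Path $ffProfiles) {
        Get-ChildItem $ffProfiles | Where-Object { $_.PSIsContainer } | ForEach-Object {
            foreach ($c in 'Cache','cache2') {
                Remove-Item (Join-Path $_.FullName $c) -Recurse -Force -ErrorAction SilentlyContinue
            }
        }
    }
}

# Last step: System Restore back on, after the scan, so the new restore point is clean.
if ($Remove) { Enable-ComputerRestore -Drive "$env:SystemDrive\" }
```

Run it once without -Remove, read the report, run your full anti-virus and Spybot scans as described above, then run it again with -Remove. The BHO listing prints every add-on, not only matches, because a fresh variant may drop a DLL under a different name; compare the DLL paths against what you expect to be installed. If the malware blocks the cleanup tools from running at all, as commenters below report for later variants, cleaning from a boot disk or reinstalling the O/S is the fallback they describe.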

I hope this helps many of you out. Until we meet again, have a virus free week.

Tags: Internet · Malware · Security · Trojans · Virus

4 responses so far

  • 1 Paul Kevil // Jan 2, 2009 at 9:41 am

    What if you finally were convinced that it was authentic and paid for it? Like a dummy, after 2 days it had worn me down and I paid for it. There was something about a 30-day refund. I have checked my credit card to see if I was billed, so I could dispute the charge. Nothing has shown up yet. I did finally get rid of it with Spybot, which I had forgotten I had on my computer from a couple of years ago.

  • 2 Obbop // Jan 7, 2009 at 10:43 pm

    Dearly beloved,

    We are gathered together on this solemn occasion to lament the infiltration of our beloved electronic brains by AV2009 or one of the similarly named trojans, viri, whatever.

    Sadly, the scum creating or evolving this malady are making constant changes to thwart attempts at prevention and/or removal.

    It appears the latest variant has done a fine job at browser hijacking to prevent the infected one from accessing Web sites that offer information and/or downloads that can be used to defeat the infection.

    I assisted one of the kinfolk who was infected and took along printed instructions found on the Web along with three different programs burned onto a DVD to apply against the AV2009.

    The damnable trojan (supposedly infecting via a rootkit) actually prevented the Malwarebytes free program (reported to have worked for several folks) from activating on the infected machine.

    I used several different removal methods reported by others to have worked for them but to no avail.

    I talked to a local pro who informed me his shop has seen several permutations of the trojan and that different removal methods are needed with a couple worst-case scenarios actually requiring a hard-drive wipe and reinstalling the O/S.

    Be aware of the evolving nature of this trojan and that you may need to use different removal methods until you find the one that works against the variant of the trojan infesting your machine.

    Good Luck!!!!!!!

    http://obbop.wordpress.com/

  • 3 AV2009 virus - causes fake security popups - Southern Maryland Community Forums // Jan 30, 2009 at 7:42 am

    […] virus – causes fake security popups AV2009 the fake anti-virus My PC became infected this week, I’m assuming from the kidlet visiting MySpace (a favorite […]

  • 4 kyle // May 16, 2009 at 10:44 pm

    Guys, remember to look for add-ons in the browser (IE); they will need to be removed to complete the removal. Good luck.
