this evening my son said to me “antivirus says i have a virus!” and i knew we were in for a long night. i’ve battled infections of Antivirus 2008 and i know it to be a very insidious enemy. well, Antivirus 2009 is new and improved with extra insidiousness!
Antivirus 2008 / Antivirus 2009 attacks when you visit infected websites, and it has a very aggressive installer: once it has popped up, it is virtually impossible to click or do anything that doesn’t grant the installer permission. it uses a logo/icon in the shape of the Windows Security icon, with the Windows logo colors; it is very carefully designed to look like a legitimate piece of software. once installed, it pops up a bogus virus scan window with a list of viruses, none of which are on the computer. i will repeat: it does not find viruses! there may indeed be infections somewhere on the computer, but this software does not find them. it is a scam. it then tells you to buy a license in order to remove the non-existent threats. it will continue to pop up dire virus warnings every few minutes, and it can’t be shut down. it is not possible to uninstall this software through the normal methods – either its own “uninstaller” or Windows Program Manager.
the difference between the 2008 and 2009 versions is that the 2009 version is capable of disabling existing anti-virus software – in my case, AVG Free. after AVG dies (and this is the seriously insidious part), Windows Security Center pops up and informs you that you have no virus protection because Antivirus 2009 is not activated, and offers you a button to purchase a license from Antivirus 2009. further, the Windows Security Center alert icon appears in the taskbar with a message that Antivirus 2009 is not activated, and says to click the balloon to fix the problem. they have managed to exploit the way Windows Security Center monitors the computer’s protective software in order to compel the user to purchase a license, and the user can initiate this process by clicking a button within the Windows operating system itself.
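Because Windows Security Center only reports what products have registered with it, a rogue that registers itself and kills the real scanner ends up looking like the system’s own recommendation. The following script is an added example, not part of the original post: it lists the anti-virus products Security Center knows about, checks that each one’s registered executable exists and carries a valid Authenticode signature, and decodes the real-time protection state. It assumes Windows Vista SP1 or later with PowerShell 3.0+, where registrations live in the `root\SecurityCenter2` WMI namespace (Windows XP, the system in the post, uses `root\SecurityCenter` with a different schema); the `productState` bit layout used below is the conventional, undocumented decoding and is an assumption.

```powershell
# Added example (not the blog's code): audit what Windows Security Center
# believes is protecting this machine. Run from an elevated PowerShell prompt.
# Assumption: Vista SP1+/Windows 7+ exposes registrations in root\SecurityCenter2.

function Get-ProductStateInfo {
    param([int]$ProductState)
    # Conventional (undocumented) decoding: format as six hex digits, then
    # digits 3-4 describe real-time protection (1x = on, 0x = off) and
    # digits 5-6 describe definitions (00 = current, 10 = out of date).
    $hex = '{0:x6}' -f $ProductState
    [pscustomobject]@{
        RealTimeProtection = if ($hex.Substring(2, 1) -eq '1') { 'On' } else { 'Off' }
        Definitions        = if ($hex.Substring(4, 2) -eq '00') { 'UpToDate' } else { 'OutOfDate' }
    }
}

function Get-RegisteredAntivirus {
    $ns = 'root\SecurityCenter2'
    try {
        $products = Get-CimInstance -Namespace $ns -ClassName AntiVirusProduct -ErrorAction Stop
    } catch {
        Write-Warning "Namespace $ns not available; on Windows XP use root\SecurityCenter instead."
        return
    }
    foreach ($p in $products) {
        $state = Get-ProductStateInfo -ProductState $p.productState
        $exe   = $p.pathToSignedProductExe
        # A legitimate vendor's registered binary should exist and be validly signed.
        $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
            (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
        } else { 'FileMissing' }
        [pscustomobject]@{
            DisplayName = $p.displayName
            Executable  = $exe
            Signature   = $sig
            RealTime    = $state.RealTimeProtection
            Definitions = $state.Definitions
            # Flag anything unsigned/missing, or registered but not actually protecting.
            Suspicious  = ($sig -ne 'Valid') -or ($state.RealTimeProtection -eq 'Off')
        }
    }
}

Get-RegisteredAntivirus | Format-Table -AutoSize
```

A product whose `Signature` is anything other than `Valid`, or whose signer is not the vendor you installed, is worth investigating before trusting any Security Center balloon that names it; the balloon itself only relays the registration.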
seriously, get a Mac.
haha, just kidding. i have Macs and PCs and i like them both, you’re not going to get any of that OS-bashing here.
a friend recommended Simply Super Trojan Remover, but i installed Windows Live OneCare first to see if that would do it. i’ve used AVG, Avast, ClamWin, Norton, and McAfee, but i’m most happy with Live OneCare: it is effective and (unlike most of the freeware anti-virus programs listed) it is not a system resource hog.
before Live OneCare was even finished with setup, it had found and dealt with Antivirus 2009. i’d expected to do a lot more work to get rid of the insidious pest, but it was actually quite an easy fix. i am very impressed (and surprised) by OneCare’s ability to deal with a very nasty infection.
i guess it’s not going to be such a long night after all.
note: according to Miguel Campos, it might require more effort, but for now, i’m going to relax and be happy that the computer is suffering no further symptoms.

seriously, you should check out XoftSpy SE if you run XP; it removes viruses and spyware completely off your system. if you want, i have it here. Let me know.
i will check it out. there were a few other exploits on the computer that OneCare found and cleaned, but you just never know.
i’m also going to do the OpenDNS that was recommended by friends on Plurk. that sounds like a good way to stop things at the router level.
Great post! Thanks so much for sharing your experiences with this malware. The more people are aware of it, the better.
I recently submitted several related sites to 8e6 (a corporate Web filtering company) and McAfee SiteAdvisor (a free service that lets users rate Web sites and offers a plug-in for Firefox and Internet Explorer that can assist in helping users determine whether a site is safe). Here are some SiteAdvisor reports for 4 domains related to the “Antivirus 2009” scamware:
http://www.siteadvisor.com/sites/antivirus2009professional.com/postid/?p=1012256
http://www.siteadvisor.com/sites/Antivirus2009-freescan.com/postid/?p=1012254
http://www.siteadvisor.com/sites/Virus9-webscanner.com/postid/?p=1016109
http://www.siteadvisor.com/sites/xp-registration.com/postid/?p=1012257
You can now submit malicious Web sites to Google as well:
http://www.google.com/safebrowsing/report_badware/
I recommend reporting suspected or known badware sites to Google, SiteAdvisor, and any other organizations that actively fight these types of sites or seek to protect people from them. You can also report spam (including but not limited to junk e-mail containing links to malware or scam sites) to KnujOn, a site that has shut down several spammer-run domains. More info here:
http://www.knujon.com/sendusspam.html
I personally use a few layers of protection: my router uses OpenDNS, and my family’s Windows box runs AVG and SpywareBlaster (we mostly use Macs at my house).
OpenDNS ( http://opendns.com ) is an excellent free service that offers filtering for phishing and adware sites (and you can optionally use it to protect your kids from porn sites etc. as well).
AVG ( http://free.avg.com ) is a free anti-virus and anti-spyware program, as you mentioned. It usually does a very good job of protecting against these types of threats, but no single anti-virus/anti-spyware solution is 100% foolproof. I recommend installing AVG 8 using the following instructions…
http://free.avg.com/ww.faq.num-1338#faq_1338
…and then disabling the daily hard drive scan if it seems to slow down the computer a lot (the full scan should be unnecessary since AVG actively protects the system). I’ve found that these tips make AVG 8 run quite well instead of being a resource hog like (as you mentioned) it seems to be if you leave the default settings.
SpywareBlaster ( http://www.javacoolsoftware.com/spywareblaster.html ) is a free Windows utility that immunizes Internet Explorer and Firefox against thousands of known malicious sites. It’s updated regularly, and best of all, it doesn’t hog any resources because the nature of the immunization is such that it doesn’t need to be constantly running in the background. I love this app and highly recommend it. It makes another good layer in defending a Windows system from spyware.
I hope these tips help you and/or your readers!
thank you so much, @JoshMeister, for all the great resources. i would not, however, recommend AVG 8 to anyone at this point, considering that Antivirus 2009 quickly and easily disabled AVG 8 to the extent that the Windows Security Center itself popped up and said it had no virus protection and offered a link to purchase a license from AV 2009.
the average end user probably considers information coming from within the Windows OS as safe, and in some way endorsed or approved by Microsoft. So any software that leaves the user vulnerable to being confronted with an urgent security alert from Windows Security Center, urging them to purchase a license from AV2009, is not giving them very good protection.
Windows Live OneCare Live removed ‘antivirus2009’ easily and quickly. I tried Norton 360 first, which identified the possible files that were malware but would not delete them (or could not delete them).
Microsoft Windows OneCare Live worked like a charm.
i’m happy to hear others have had the same success with Live OneCare as i have – i think it’s an excellent, all-in-one spyware, adware, virus solution, the price is good, and it doesn’t bog down the computer.
and i am in no way connected with Microsoft, no one’s paying me (haha, as if) to say this, just wanted to make that clear.
SUPERAntiSpyware (free) is another all-in-one program that removes this type of malware.
I found that it was a much better program than Spybot & Lavasoft.
As for a free anti-virus — I have switched over to Comodo.