Removing the Antivirus 2009 infection

30 Dec

from MS blog

http://blogs.msdn.com/mcampos/archive/2008/07/05/removing-the-antivirus-2009-infection.aspx

One of my home computers (Windows XP) got infested by the Antivirus 2009.

My brother in law was downloading videos (from YouTube I think) and then the Antivirus 2009 warning came up.

By chance I happened to be near and was able to identify the exact time of the infection and locate several files based on this.

This nasty infection makes it difficult to run several common security tools. I was able to remove it (and so was able to run complex scans) by doing:

– Killed the av2009.exe process using Task Manager
– Took a look at where the Antivirus 2009 shortcut pointed (they put one in the desktop)
– Took note of the date and time of the av2009.exe file (it was in C:\Program Files\Antivirus 2009)
– Searched the Registry to see if there were any references to av2009.exe. Did not find any, but this is something important to do: ensure there are no references to a file before removing it.
– Removed the C:\Program Files\Antivirus 2009 directory and all files
– Removed the desktop shortcut
– Removed the shortcut in the Start Menu (be aware … they put it in the upper area, near where Windows Update is located)
– Rebooted, but then discovered that IE was still infected, in particular when I tried to navigate to Sysinternals (now inside microsoft.com) they marked this as an “unsafe” site. Also discovered that the Security Center applet in Control Panel was not working

– Went to Windows\System32 and found 3 files from about the same time as the infection:

ieupdates.exe
scui.cpl
winsrc.dll

– Took a look at the properties of the files; in effect those are not provided by Microsoft as part of the OS

– Again, before removing the files I searched the registry and deleted values that referenced ieupdates.exe (registered to start automatically) and winsrc.dll (registered as a COM file)
– Rebooted again and tried IE and Security Center; both are working now
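The two checks above (files in System32 dated near the infection, and registry references to a file name before that file is deleted) as a read-only PowerShell triage script. This is an added example, not part of the original post, which did the work by hand on Windows XP; the function names, the registry paths searched and the placeholder time are assumptions.

```powershell
# Added example, not from the original post: $InfectionTime and $Names are assumed inputs.
function Find-FilesNearTime {
    param([datetime]$InfectionTime, [int]$WindowMinutes = 30,
          [string]$Folder = "$env:SystemRoot\System32")
    $from = $InfectionTime.AddMinutes(-$WindowMinutes)
    $to   = $InfectionTime.AddMinutes($WindowMinutes)
    Get-ChildItem -Path $Folder -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.CreationTime -ge $from -and $_.CreationTime -le $to) -or
                       ($_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to) } |
        ForEach-Object {
            # The post's "file properties" check: unsigned files whose version
            # resource does not name Microsoft, dated with the infection.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{ Name = $_.Name; Created = $_.CreationTime
                               Signature = $sig.Status
                               Company = $_.VersionInfo.CompanyName }
        }
}

function Find-RegistryReferences {
    param([string[]]$Names)
    # Autostart keys (the "start automatically" reference) and CLSID, where a
    # DLL registered as a COM server is pointed to. Hits are values to remove
    # before the file itself is deleted.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Classes\CLSID'
    )
    foreach ($root in $roots) {
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($valueName in $key.GetValueNames()) {
                $data = [string]$key.GetValue($valueName)
                foreach ($n in $Names) {
                    if ($data -like "*$n*") {
                        [pscustomobject]@{ Key = $key.Name; Value = $valueName; Data = $data }
                    }
                }
            }
        }
    }
}

# Placeholder time; substitute the timestamp noted from av2009.exe.
# Find-FilesNearTime -InfectionTime (Get-Date '2008-07-05 12:00') | Format-Table
# Find-RegistryReferences -Names 'ieupdates.exe','winsrc.dll','av2009.exe' | Format-Table
```

Run it from an elevated prompt; it only reports, so each hit still has to be reviewed and removed by hand as the post describes.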

I was able to run several full antispyware and antivirus checks after the previous steps.

And was able to locate more instructions in http://www.enigmasoftware.com/support/antivirus2009-removal/

Note that this post is informational only; I cannot give any warranties that this procedure will work on other computers and/or that the virus is completely removed. And please be sure to back up your registry and important data before any manual removal.

PLEASE ENSURE the usage of trusted tools to validate complete removal of this and other threats it may install.

Finally, CERT has published a set of suggested steps in order to recover from a system compromise; you may want to take a look at them: http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

Hope this is useful