{"id":340,"date":"2009-12-30T21:59:11","date_gmt":"2009-12-31T02:59:11","guid":{"rendered":"http:\/\/192.168.33.66\/wp\/?p=340"},"modified":"2009-12-30T21:59:11","modified_gmt":"2009-12-31T02:59:11","slug":"removing-the-antivirus-2009-infection","status":"publish","type":"post","link":"http:\/\/www.wildow.com\/blog\/?p=340","title":{"rendered":"Removing the Antivirus 2009 infection"},"content":{"rendered":"<div>\n<p>from MS blog<\/p>\n<p><a href=\"http:\/\/blogs.msdn.com\/mcampos\/archive\/2008\/07\/05\/removing-the-antivirus-2009-infection.aspx\">http:\/\/blogs.msdn.com\/mcampos\/archive\/2008\/07\/05\/removing-the-antivirus-2009-infection.aspx<\/a><\/p>\n<p>One of my home computers (Windows XP) got infested by the Antivirus 2009.<\/p>\n<p>My brother-in-law was downloading videos (from YouTube I think) and then the Antivirus 2009 warning came up.<\/p>\n<p>By chance I happened to be near and was able to identify the exact time of the infection and locate several files based on this.<\/p>\n<p>This nasty infection makes it difficult to run several common security tools. I was able to remove it (so being able to run complex scans) by doing:<!--more--><\/p>\n<p>&#8211; Killed the av2009.exe process using Task Manager<br \/>\n&#8211; Took a look at where the Antivirus 2009 shortcut pointed (they put one on the desktop)<br \/>\n&#8211; Took note of the date and time of the av2009.exe file (it was in C:\\Program Files\\Antivirus 2009)<br \/>\n&#8211; Searched the Registry to see if there were any references to av2009.exe. 
Did not find any, but this is something important to do: ensure there are no references to a file before removing it.<br \/>\n&#8211; Removed the C:\\Program Files\\Antivirus 2009 directory and all files<br \/>\n&#8211; Removed the desktop shortcut<br \/>\n&#8211; Removed the shortcut in the Start Menu (be aware \u2026 they put it in the upper area, near where Windows Update is located)<br \/>\n&#8211; Rebooted, but then discovered that IE was still infected; in particular, when I tried to navigate to Sysinternals (now inside microsoft.com) they marked this as an \u201cunsafe\u201d site. Also discovered that the Security Center applet in Control Panel was not working<\/p>\n<p>&#8211; Went to Windows\\System32 and found 3 files from about the same time of the infection:<\/p>\n<p>ieupdates.exe<br \/>\nscui.cpl<br \/>\nwinsrc.dll<\/p>\n<p>&#8211; Took a look at the properties of the files; in effect, those are not provided by Microsoft as part of the OS<\/p>\n<p>&#8211; Again, before removing the files I searched the registry and deleted values that referenced ieupdates.exe (registered to start automatically) and winsrc.dll (registered as a COM file)<br \/>\n&#8211; Rebooted again and tried IE and Security Center; both are working now<\/p>\n<p>I was able to run several full antispyware and antivirus checks after the previous steps.<\/p>\n<p>And was able to locate more instructions in http:\/\/www.enigmasoftware.com\/support\/antivirus2009-removal\/<\/p>\n<p>Note that this post is informational only, I cannot give any warranties that this procedure will work in other computers and\/or that the virus is completely removed. 
And please be sure to back up your registry and important data before any manual removal.<\/p>\n<p>PLEASE ENSURE the usage of trusted tools to validate complete removal of this and other threats it may install.<\/p>\n<p>Finally, CERT has published a set of suggested steps in order to recover from a system compromise; you may want to take a look at them: http:\/\/www.cert.org\/tech_tips\/win-UNIX-system_compromise.html<\/p>\n<p>Hope this is useful<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>from MS blog http:\/\/blogs.msdn.com\/mcampos\/archive\/2008\/07\/05\/removing-the-antivirus-2009-infection.aspx One of my home computers (Windows XP) got infested by the Antivirus 2009. My brother in law was downloading videos (from YouTube I think) and then the Antivirus 2009 warning came up. By chance I happened &#8230; <a class=\"more-link\" href=\"http:\/\/www.wildow.com\/blog\/?p=340\">Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-340","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/340","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=340"}],"version-history":[{"count":2,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/340\/revisions"}],"predecessor-version":[{"id":342,"href":"http:\/\/www.wildow.com\/blog\
/index.php?rest_route=\/wp\/v2\/posts\/340\/revisions\/342"}],"wp:attachment":[{"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=340"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=340"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.wildow.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
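The manual triage the post describes has three checks that can be scripted: find files created in System32 around the infection time, confirm whether each one is a Microsoft-signed OS component, and locate every registry reference (autostart values, COM registrations) to a file name before deleting it. The following is an added example, not code from the original post or from the MS blog it reposts. It assumes Windows PowerShell 5.1 in an elevated session on a current Windows build (the post's machine ran Windows XP, which did not ship PowerShell); the time window, paths and file names in the usage section are constructed placeholders and are not indicators taken from the post beyond the three names it lists.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1 in an
# elevated session; the window and names in the usage section are constructed.

# Scripted version of "files in System32 from about the same time as the infection":
# list files whose creation time falls inside the window and show their Authenticode
# state. Anything unsigned, or signed by a non-Microsoft subject, is a removal candidate.
function Get-SuspectFiles {
    param(
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End,
        [string] $Path = "$env:SystemRoot\System32"
    )
    Get-ChildItem -Path $Path -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $Start -and $_.CreationTime -le $End } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                SigStatus = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            }
        } |
        Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' }
}

# The post's rule: find every registry reference to a file BEFORE deleting it.
# Checks the classic autostart keys (Run/RunOnce, where ieupdates.exe was registered)
# and each CLSID's InprocServer32 default value (where a COM DLL such as winsrc.dll lives).
function Find-RegistryReferences {
    param([Parameter(Mandatory)] [string] $FileName)
    $pattern = [regex]::Escape($FileName)
    $hits = @()
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath provider metadata
            if ("$($p.Value)" -match $pattern) {
                $hits += [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
    foreach ($clsid in (Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue)) {
        $inproc = "$($clsid.PSPath)\InprocServer32"
        if (-not (Test-Path $inproc)) { continue }
        $default = (Get-ItemProperty -Path $inproc).'(default)'
        if ("$default" -match $pattern) {
            $hits += [pscustomobject]@{ Key = $inproc; Name = '(default)'; Value = $default }
        }
    }
    $hits
}

# Usage: report only. Deleting values and files stays a deliberate manual step,
# taken after the registry backup the post recommends.
$start = Get-Date '2008-07-05 14:00'      # constructed: replace with the observed infection time
$end   = $start.AddMinutes(30)
Get-SuspectFiles -Start $start -End $end | Format-Table -AutoSize
foreach ($name in 'ieupdates.exe', 'scui.cpl', 'winsrc.dll') {
    Find-RegistryReferences -FileName $name | Format-Table -AutoSize
}
```

Two caveats for anyone reusing this. The signature check answers the post's "not provided by Microsoft as part of the OS" question more reliably than eyeballing file properties, but a valid non-Microsoft signature only tells you who signed the file, not whether it is benign. And the Run/RunOnce and CLSID keys are only the locations the post happened to hit; services, Winlogon notification entries, browser helper objects and other autostart points are not covered here, which is why the post's advice to follow up with trusted tools (Sysinternals' Autoruns enumerates the full set) still stands.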