Nov 13 2008
Removing XP Antispyware 2009
I am now cleaning my 8th PC of this nasty little piece of scareware (a rogue "antispyware" program, not a real one) for folks. For those who have not run into it yet, just Google it. My observations based on these 8 removals:
1 – All 8 machines were running XP.
2 – 6 of the 8 machines were still on SP2.
3 – 7 of the 8 machines had an EXPIRED AV program.
4 – None of the 8 computers had an image (Acronis/Ghost/etc.) to restore from.
BleepingComputer has a decent guide on how to remove this:
How to remove XP Antispyware 2009
BUT I have some tips that improve on the guide's instructions. This is the only method I have found that removes everything.
1 – First and most important: if you entered your credit card info in one of the pop-ups, call your credit card company immediately and report the card as compromised!
2 – As per the above instructions, download Malwarebytes’ Anti-Malware. Then go here and download SmitFraudFix, and print its instructions, because you will be offline and in Safe Mode when you need them.
3 – Disconnect the target machine from the internet and install Malwarebytes’ Anti-Malware. Reboot into Safe Mode and run a FULL SCAN ON ALL DRIVES. Quarantine and then remove everything it finds, then reboot.
4 – Install and run SmitFraudFix as per its printed instructions.
5 – Connect the target machine back to the net and update Malwarebytes’ Anti-Malware. Reboot into Safe Mode and repeat the full scan from step 3.
That should do it.
Now, PLEASE, download and install a current (not expired) AV program and run a complete scan. Then fully update Windows, service pack included.
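One check worth running after the final scan and before handing the machine back, since a commenter below reports the rogue coming back on the next restart: list the standard Windows XP autostart locations and look for anything you do not recognise. This script is an added example; it is not part of the original post and is not from Malwarebytes or SmitFraudFix. Every key and folder in it is a stock XP location, and it assumes nothing about this rogue's own file or registry names, which the post does not give.

```batch
@echo off
rem autorun_check.cmd
rem Lists the standard Windows XP autostart locations so that anything a rogue
rem antispyware program left behind can be spotted by eye before the machine is
rem declared clean.  Added example, not from the original post and not from
rem Malwarebytes or SmitFraudFix; it assumes nothing about the rogue's own file
rem or registry names, which the post does not give.
rem Run from a Command Prompt, either normally or in "Safe Mode with Command Prompt".

echo === Run / RunOnce keys: every value here starts a program at logon ===
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"

echo.
echo === Winlogon: on a clean XP box Shell is "Explorer.exe" and
echo === Userinit is "C:\WINDOWS\system32\userinit.exe," with a trailing comma
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit

echo.
echo === Startup folders, hidden files included ===
dir /a "%USERPROFILE%\Start Menu\Programs\Startup"
dir /a "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"

echo.
echo === Browser Helper Objects: each subkey is a CLSID, look it up under HKCR\CLSID ===
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s

echo.
echo === Scheduled tasks: schtasks is not present on every XP edition ===
schtasks /query 2>nul

echo.
echo Anything unfamiliar above: write down its path, reboot, and run this again.
echo If the entry returns after a reboot, the cleanup missed the component that
echo re-creates it and the scans need to be repeated.
```

Run it once right after the last Safe Mode scan and once more after a normal reboot; the comparison between the two runs is what matters, because a rogue that survives will have re-created its autostart entry by the second run.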
November 13th, 2008 at 4:01 pm
Unfortunately, I don’t think the fact that 7 of your machines had expired AV software mattered. I’ve seen many computers with some form of rogue software installed on them. And it did not matter if it was Norton, McAfee, Trend Micro, Eset, Panda, Kaspersky, or SpySweeper. I have also seen it on computers with SP3 and on Vista machines.
November 13th, 2008 at 5:46 pm
Just FYI, they weren’t “my” machines. They were friends, clients.
But, I believe you may be right. That’s what really scares me. Many of the experts now believe that using traditional AV software is becoming all but futile. This program in particular “looks” like it is legit, and the more the non-techie thinks he is trying to rid himself of this, the worse the problem becomes.
I’ve yet to come across a Vista machine with this. Can you tell me more about what you saw? Did the machine have UAC enabled, etc?
November 13th, 2008 at 8:35 pm
I’ve helped a few people with similar viruses such as Antivirus XP 2008 and Antivirus 2009. I also used BleepingComputer and Malwarebytes’ Anti-Malware to remove these. I will try your suggestion about SmitFraudFix next time. I’ve even seen these viruses on computers with fully updated versions of Norton. I think most people are getting these by clicking on pop-ups or other ads. On top of your recommendations, I recommend using an ad blocker. That way people don’t even see a lot of this stuff and aren’t tempted to click on it and install it. I also recommend downloading Spybot and keeping the immunizations updated.
November 13th, 2008 at 10:11 pm
Two machines at my work were infected. I cleaned one machine, and then a week later it was back.
He didn’t even ask for help. He made it worse and ended up sending it to the IT department, and they stripped it. Too bad for him; it could have been done at the office without losing any downtime.
That’s when I Googled XP anti virus and found it was spyware. Cleaned it again, so far so good. But we had a salesman that got it on his laptop.
November 13th, 2008 at 10:46 pm
I can confirm that it is getting past Symantec AV, Comodo AV (Free) and Windows Defender, but I can’t confirm if they were fully updated or not. Spybot can pick it up and appears to clean it, but on the next restart it’s back. It also looks like it might be able to install on a user’s machine even if they don’t have admin rights. All these machines are XP 32-bit.
November 14th, 2008 at 9:58 am
Eric,
Is this the same as XP Anti-spy, found here?
http://www.xp-antispy.org/index.php/lang-en
I’ve got this installed on my PC and have had no signs of problems. I ran Malwarebytes Anti-malware just to be safe and it found no issues (though I updated it in normal mode before rebooting to Safe mode and running it).
Thanks,
Dan
November 14th, 2008 at 12:16 pm
Eric,
The Vista machines were fully protected with one of the major AV programs, SP1 was installed, and UAC was enabled. I even found it on my own PC, but I don’t know if I accidentally downloaded it, or got it from using my thumb drive in an infected computer.
I have been hearing some interesting information about this rogue software being found on machines:
1. It is actually disguised as AV software, so your anti-virus not only allows it to download, but even allows it to install.
2. Hackers go to well known websites and add their own sections that just tell the browser to download and install this piece of software. No interaction is needed by the user.
3. As far as UAC is concerned, if the programmer writes the code to have it install without Administrator privileges, I believe it bypasses it. (http://www.crn.com/software/207100934?cid=CRNFeed).
Not sure how much of this is actually true, but it’s what I’ve been hearing in my little IT world.
P.S. A lot of times, you can just boot into safe mode and delete the folder for the software. Doesn’t completely get rid of it, and you may get errors about a program not being able to start, but you won’t see it pop up anymore.
November 14th, 2008 at 1:43 pm
Dan – I don’t think it is the same? Actually, my bad, I will rename the title of this to “Antispyware”.
Jordan – Good information to know. Thanks!
November 15th, 2008 at 3:32 am
I would suspect that Antivirus 2009 would be included in certain programs. I had a customer complain about Antivirus 2009 not too long ago, and no matter what she did she could not get rid of it, but with my magic I have fixed it and it is gone. It could have come from a popup, but I suspect it would be included with a program and, once that is installed, it would install itself without your knowing about it. I have never had this rogue app on my system, but I am very careful and very picky when it comes to installing apps that I need.
November 15th, 2008 at 4:51 pm
Ugh, yeah, I had that stupid virus. It happened right after I downloaded AVG 8.0. I didn’t download it directly from the AVG site, which is probably why I got it. My computer was fine before then. It’s OK now, too, after removing it.