Posted by: reformedmusings | April 18, 2009

Antivirus 2009 nasty malware attack on a Windows laptop

I wrote some time ago about a friend victimized by Windows malware on a Dell desktop in The agony of life with Windows. Well, another friend was recently hit harder by Antivirus 2009 (morphed from Antivirus 2008) and a dozen or so of its closest buddies. Some years ago, when your Windows computer got a virus, it was a single-malware infection. There were some nasty ones, but they were solo. Today, malware tends to attack in packs. One opens the door and the rest of the rats come scurrying in through the gap. Such is life for Microsoft’s vassals these days.

That’s the case with this Antivirus 2009 et al. infection. The symptoms are a popup message from the system tray saying that “You have a security problem.” You certainly do, but they are the problem. The underlying system tray icon looks like the Windows Security Center icon. Clicking on the message opens a fake but very official-looking scanner that fakes a scan of your computer and asks for money to register the “product”:


You can tell the scan is fake because it’s very quick. A real scan of a well-used disk can take 20-30 minutes or longer. Antivirus 2009 takes less than a minute. It will only “clean” your system of the fake infections if you register. From what I’ve seen on the forums, if you pay, you get nothing, but they will continue to repeatedly charge your credit card for a “subscription” until you cancel the card. The charges appear to go to Russia.

It’s difficult to ignore the popups, as they are relentless. Either it or its hijacker friends will make regular web connections to porn and adware sites. The longer the infection runs, the more malware is downloaded to your machine and the worse things get.

One of the pieces of malware that Antivirus 2009 let in was designed to uninstall common anti-virus software without the user knowing. My friend had registered the full McAfee Total Protection 2009 for about $80. He and his family do not visit social networking or other high-risk sites, so they had a reasonable expectation that McAfee would keep them safe. Based on this and my previous battle with similar malware, I’d have to rate McAfee as worthless. For the second incident in a row, it did nothing to prevent rampant infections and allowed itself to be uninstalled by malware. Is this performance worth $80?

This infection occurred on a Dell XPS laptop with Windows XP Media Center installed. This laptop went through two rounds of repair. The first round, I used SuperAntiSpyware Free Edition and MalwareBytes’ Anti-Malware to clean the machine. That seemed to go OK. Both found Antivirus 2009 elements and other malware and removed them. I should have run them multiple times, but was pressed for time and only ran them once. The system tray icon was gone, so things looked OK.

Less than a week later, the porn popups came back with a vengeance. I could see the rapidly increasing progression in the Internet Explorer 7 history. The Antivirus 2009 system tray icon and popup warnings also returned. This time, I took the laptop home to work on. Because of the severity of this attack, the first thing I did was run an Ubuntu 8.10 Live CD and used Linux to copy their data safely to a flash stick. This proved to be a very wise move. Ubuntu worked great on the Dell.
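Pulling the data off from a Live CD is the right move, but it is worth being selective about what rides along to the flash stick: documents and photos, yes; executables, shortcuts and scripts from an infected profile, no, or the clean install inherits the problem. The following Python script is an added example, not code from the original post. It assumes the infected NTFS volume is mounted read-only somewhere under a source directory (Ubuntu Live CDs ship Python and can mount NTFS) and copies everything except files with an executable-type extension. The profile tree it walks here is constructed in a temporary directory so the example runs anywhere.

```python
"""Copy user data off a mounted (read-only) infected volume, leaving
executables behind. Added example, not from the original post.

Assumes the NTFS volume is mounted under `source` and the flash stick under
`dest`. The directory tree used by demo() is constructed with tempfile so
the example runs without a Windows disk.
"""
import os
import shutil
import tempfile

# Extensions that can carry code and should not travel with documents.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".wsf", ".lnk", ".inf", ".sys", ".hta"}


def rescue_copy(source, dest):
    """Copy regular files from source to dest, preserving relative paths.

    Returns (copied, skipped): sorted lists of relative paths. Symlinks are
    not followed, and files with an executable extension are skipped.
    """
    copied, skipped = [], []
    for root, dirs, files in os.walk(source, followlinks=False):
        # Do not descend into linked directories on the suspect volume.
        dirs[:] = [d for d in dirs if not os.path.islink(os.path.join(root, d))]
        for name in files:
            src_path = os.path.join(root, name)
            rel = os.path.relpath(src_path, source)
            ext = os.path.splitext(name)[1].lower()
            if ext in EXECUTABLE_EXTS or os.path.islink(src_path):
                skipped.append(rel)
                continue
            dst_path = os.path.join(dest, rel)
            os.makedirs(os.path.dirname(dst_path), exist_ok=True)
            shutil.copy2(src_path, dst_path)  # keeps timestamps, not NTFS ACLs
            copied.append(rel)
    return sorted(copied), sorted(skipped)


def build_sample_profile(base):
    """Constructed stand-in for a Windows XP user profile on the infected disk."""
    layout = {
        "Documents and Settings/user/My Documents/letter.doc": b"doc",
        "Documents and Settings/user/My Documents/photo.jpg": b"jpg",
        "Documents and Settings/user/Desktop/Antivirus 2009.lnk": b"lnk",
        "Documents and Settings/user/Local Settings/Temp/setup.exe": b"MZ",
        "Documents and Settings/user/Application Data/notes.txt": b"txt",
    }
    for rel, data in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return base


def demo():
    """Run the copy over the constructed profile; returns (copied, skipped)."""
    with tempfile.TemporaryDirectory() as work:
        source = build_sample_profile(os.path.join(work, "disk"))
        dest = os.path.join(work, "stick")
        return rescue_copy(source, dest)


if __name__ == "__main__":
    copied, skipped = demo()
    print("copied:", copied)
    print("skipped:", skipped)
```

On a real rescue you would call `rescue_copy("/media/disk/Documents and Settings", "/media/stick/rescue")` with your own mount points; the skipped list is worth keeping, since it doubles as an inventory of what executable content was sitting in the user’s profile.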

SuperAntiSpyware and MalwareBytes’ Anti-Malware were still installed on the XPS, so I ran them again. SuperAntiSpyware found almost 60 occurrences of AV2009 on the disk! As before, the AV 2009 system tray icon still remained after this cleaning, so I ran MalwareBytes AM. During Anti-Malware’s scan, the battle escalated. About halfway through the scan and without warning, Windows started to shut down. Anti-Malware warned that it wasn’t done scanning, so I told it not to close, but Windows overrode the instructions and shut down anyway.

From that point on, the laptop would not get past the login screen. No matter which user I picked, Windows would say it was loading the user’s settings, go to the wallpaper for just a flash, then back to the shutdown screen and say it was saving the user’s settings. I tried Safe Mode but it acted exactly the same way. Wasn’t looking good.

I tried a number of suggestions from sites like Bill Mullins and Kioskia, but couldn’t find userinit.exe or wsaupdater.exe on the disk under the Recovery Console. I even tried copying the backup copy of the registry over the current one, but it didn’t make any difference. After these initial efforts, I tried to reinstall Windows XP over itself, which cures just about everything. Not in this case. Running the Recovery Console from a CD is incredibly frustrating, as it takes forever to boot up every time. An average Linux Live CD loads quickly and does so much more.
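The login-then-immediate-logoff loop described above is the classic symptom of a Winlogon Userinit value that no longer points at an executable that exists: Winlogon runs whatever that value lists at every logon, and when it cannot, XP drops the session straight back to the logon screen. That is why the fixes on those sites revolve around userinit.exe and wsaupdater.exe. The following Python script is an added example, not code from the original post or from those sites. It triages the value offline from a regedit-style .reg text export of the Winlogon key plus a list of files that actually exist on the rescued disk, so it can run from a Live CD without booting Windows. The .reg text and the file lists are constructed; the key path and the stock XP value `C:\WINDOWS\system32\userinit.exe,` are the real defaults, and the `wsaupdater.exe` entry stands in for the rogue component named above.

```python
"""Offline check of the Winlogon Userinit value. Added example, not the
post's own code.

Assumes a regedit-style .reg text export of the Winlogon key and a list of
files present on the mounted, read-only NTFS volume. Both inputs used here
are constructed so the example runs without a Windows disk.
"""
import re

WINLOGON_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
                r"\CurrentVersion\Winlogon")
# Stock XP value is exactly this path followed by a trailing comma.
STOCK_USERINIT = r"C:\WINDOWS\system32\userinit.exe"

# Constructed sample export: the second entry is the kind of addition a
# rogue-AV dropper makes so that its component runs at every logon.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\wsaupdater.exe,"
'''


def parse_reg_values(reg_text, key):
    """Return {name: value} for string values under `key` in a .reg export."""
    values = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()
            continue
        if not in_key or not line.startswith('"'):
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m:
            # .reg exports escape backslashes and double quotes.
            values[m.group(1)] = (m.group(2).replace("\\\\", "\\")
                                            .replace('\\"', '"'))
    return values


def check_userinit(values, existing_files):
    """Return findings (strings) about Userinit; an empty list means clean."""
    present = {p.lower() for p in existing_files}
    raw = values.get("Userinit")
    if raw is None:
        return ["Userinit value missing; nothing will run at logon"]
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    findings = []
    for entry in entries:
        if entry.lower() != STOCK_USERINIT.lower():
            findings.append("unexpected Userinit entry: " + entry)
        if entry.lower() not in present:
            findings.append("referenced file missing (logon will loop): " + entry)
    if STOCK_USERINIT.lower() not in (e.lower() for e in entries):
        findings.append("stock userinit.exe is not referenced")
    return findings


def triage(reg_text, existing_files):
    """Parse the export and check it against the files found on disk."""
    return check_userinit(parse_reg_values(reg_text, WINLOGON_KEY), existing_files)


def stock_userinit_reg():
    """A .reg snippet that restores the value to the XP default."""
    return ("Windows Registry Editor Version 5.00\n\n"
            "[" + WINLOGON_KEY + "]\n"
            '"Userinit"="' + STOCK_USERINIT.replace("\\", "\\\\") + ',"\n')


if __name__ == "__main__":
    # Situation from the post: the rogue file has been cleaned off, but the
    # registry still names it, so every logon fails.
    for finding in triage(SAMPLE_REG, [r"C:\WINDOWS\system32\userinit.exe"]):
        print(finding)
```

Two caveats a practitioner would want: a missing file finding needs a real userinit.exe copied back from the install CD or a clean machine of the same service pack, not only a registry edit; and because the value lives in the SOFTWARE hive, an export taken from a Live CD needs an offline registry tool, which is outside what this script does.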

One of the most frustrating things about Windows is that you have to actually be in Windows to run most of its recovery capabilities, including System Restore. If you can’t get into Windows, or to a command line outside of the \Windows directory (an annoying limitation of the Recovery Console), you’re basically hosed. Thankfully, Linux has no such limitations and can be used to fix pithed Windows setups, or at least to rescue your data.

After all this, I concluded that nothing short of wiping the system and starting over would fix the laptop. I turned to System Rescue CD, a Linux-based Live CD with recovery tools, including the option to use several GUIs. I have used other free, Linux-based repair CDs like Knoppix and Trinity Rescue Kit, but my personal preference rests with System Rescue. I ran the GNOME Partition Editor (GParted) on the System Rescue CD to explore and clean up the partitioning, then reformatted the XPS’ hard drive with NTFS, preserving the two special Dell FAT utility partitions. At that point, I installed Windows XP Media Center from scratch on the drive. Of course, the basic installation took almost an hour – more of that Windows joy.

Rather than return to the virtually useless McAfee Total Protection, which only protects McAfee’s revenue stream, I took a different and free route. I installed Avast4 Home Edition Antivirus, which I used in my Windows days. It never let me down. Never. I also installed SpyBot Search & Destroy. In addition to scanning for malware, its resident module protects the Windows registry against unauthorized changes. Its TeaTimer detects and protects against a host of malware processes before they can execute. This combination served me well for many years. I also reinstalled SuperAntiSpyware and MalwareBytes’ Anti-Malware in case something gets through Avast4 and SpyBot.

The newly installed system works fine, so I restored the user data. In order to further protect the system, I installed Google Chrome for browsing and Thunderbird for email. While I prefer Firefox for browsing, I believe that my friend needs something simpler to maintain, and their browsing needs are simple. I also installed the office suite. These open source items together will nicely replace Microsoft’s Internet Explorer, Outlook, and Office, which are sucking chest wounds when it comes to security.

After several days’ work, the Dell XPS has been restored to full operational status. I will strongly recommend Ubuntu to my friend, as it ran perfectly on the XPS and is far more secure than Windows.



  1. […] the original here: Antivirus 2009 nasty malware attack on a Windows laptop No tags for this […]

  2. […] = time on my hands <rant>After recently resurrecting several Windows computers back from the malware pit, an interesting thought occurred to me. I used to spend dedicated time […]

  3. Wow!

    What a story – you are a very persistent person!

    I commend you for all the hard work you put into rescuing your friend’s machine. He’s fortunate to have someone as dedicated as you as a friend.

    Thank you for sharing this.


  4. Bill,

    Thank you for your kind words. My buddy is going to help me build a nice new rifle, so it will even out in the end. 🙂

    Your site is a great knowledge resource. I really appreciate the time and effort that you put into it.

