Removing Antivirus 2009 with a Hijacked Browser, and Blocked Applications
As a foreword: this guide is intended for technicians; end users will find some of the terminology difficult to understand. I recommend that people who do not feel comfortable making system-wide changes consult a certified technician.
I had the great privilege the other day of removing one of the worst AV2009 (Antivirus 2009) infections I have ever seen. This Trojan is frighteningly hard to get rid of. What probably makes it most dangerous is not the annoying AV2009 popups themselves but the other infections that AV2009 downloads onto the system.
Here are some symptoms I’ve seen caused by AV2009:
- Hijacking of the TCP/IP stack. Websites would be redirected to affiliate pages.
- A large number of secondary infections downloaded.
- Execution prevention of HijackThis, Spybot, SUPERAntiSpyware, Malwarebytes Anti-malware, and Killbox.
- Fake reboot screen and BSOD which makes the user think that purchasing is necessary to continue.
The most frustrating part of this entire endeavour is that most of the tools the average technician is used to have been blocked by the trojan and its minions. On top of that, the end user typically can’t download a remote control tool from a technician’s portal. Here is what I had to do to remove the infection. It was a slow process, but it worked.
At nearly every step of the process it is necessary to rename the .exes of installers and executables. I recommend that before you get started you download the following apps from an uninfected computer to a flash drive.
- MBAM (Malwarebytes Anti-malware)
- Process Explorer
- PC Tools Spyware Doctor. I was skeptical about these guys, but it’s not on the trojan’s blacklist.
- Avira Anti-Vir
Rename each of them from their original filenames to something that will allow you to recognise them but remove important identifiers. An example would be SSD.exe instead of spybotinstall.exe. Copy them all to a flash drive so that you can avoid the frustration of dealing with a hijacked browser.
The trick to removing this infection is throwing everything at it. You’ll need to chisel away at the number of infections by using every one of these tools to go at it from a different angle. The best way to deal with the hijacked connection is by setting up a proxy server on another machine on the network and using it as the internet connection.
I will provide you with the order I typically use, although you can follow whichever you prefer.
1. I recommend the first thing you do is to install Spybot’s TeaTimer. This will allow you to control infections that may try to rewrite Registry values once you’ve deleted them. Often the update server will be rerouted to localhost (127.0.0.1). If this happens, elect not to install updates immediately in the installer; you can specify a proxy later.
2. Next, I usually run HijackThis and remove all the alien entries. Most of the harder infections will resist this because they use WinLogon and DLL hooks, but the simpler infections will not come back on the next reboot.
3. Reboot the machine. This should let your HijackThis changes take effect.
4. Run ATFCleaner. This will delete your Temporary Internet Files and System Temp files, which makes your scans run a lot faster, sometimes up to an hour faster.
5. I recommend that you now install Avira Anti-Vir and have the real-time virus protection run. This means that while the other scans are running it will also double-check the files. The scans will go much slower, but you won’t have to run a full scan later with Avira.
6. I now recommend that you run Spybot, MBAM, SUPERAntiSpyware, and PC Tools Spyware Doctor. Reboot between each of these; if an application requests to run on reboot, let it run. This is going to take a while, so let the applications run whenever they ask to. When the scans start to come up clean, you can skip to the final step.
7. Use Unlocker/Killbox to remove any particularly stubborn files that keep coming up in the scans. Use Safe Mode with Command Prompt to increase the likelihood that you’ll be able to delete the file. The Spybot File Shredder is also a very useful way to destroy a stubborn file. Process Explorer is a useful way to see if a stubborn DLL file is still loaded.
8. Finally, check HijackThis one last time to verify that it comes up clean. From the command prompt run “sfc /scannow”. This will check your Windows installation for corrupt files. It should make sure that any files corrupted by the infections will be repaired.
Voilà. If this doesn’t work, you’re going to have to get creative. Or better yet, reformat. This infection is a real pain and you can’t win every battle.
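Step 1 notes that update servers are often rerouted to 127.0.0.1, and the symptom list mentions websites being redirected to affiliate pages. One place such mappings can live is the Windows hosts file (an assumption; this post does not say which mechanism the infection used), and the following added example, which is not part of the original post, flags every non-default entry in a copy of that file. The sample hostnames and addresses are constructed placeholders.

```python
import ipaddress

# Names that legitimately map to loopback in a stock hosts file.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line, not a mapping
        for name in fields[1:]:               # one line may carry several names
            yield line_no, ip, name.lower()

def suspicious_entries(text):
    """Return findings as (line_no, hostname, ip, reason)."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if name in BENIGN_LOOPBACK_NAMES and ip.is_loopback:
            continue
        if ip.is_loopback or ip.is_unspecified:
            reason = "blocked (pointed at the local machine)"
        else:
            reason = "redirected to a fixed address"
        findings.append((line_no, name, str(ip), reason))
    return findings

# Constructed sample; names and addresses are placeholders, not indicators.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.av-vendor.example    # constructed
127.0.0.1 download.tool.example www.tool.example
203.0.113.10    search.example   # constructed redirect
not-an-ip       junk.example
"""

if __name__ == "__main__":
    for line_no, name, ip, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}  [{reason}]")
```

Findings need review rather than blanket deletion: Spybot's immunization feature itself adds loopback entries to the hosts file to block known-bad sites.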