Antivirus 2009

OK, I have a neighbor who has been infected with at least Antivirus 2009.

The issue: Malwarebytes will not install. It comes up with the choose-language dialog and a flash of the next screen before it is killed. Jeff recommended that, and I followed the site that renames the Malwarebytes installer and runs some batch files, but still no joy, and no joy in safe mode either. I have tried HijackThis.. no joy, can't install even when renamed.

The CD-ROM does not work in safe mode; when you try to explore it, it takes you to My Documents.

This is a nasty little bugger, and I am ready to just format and start over, but it's not my computer and they have not backed up..

I can install it, but they want $30 to remove it. I have no real issue with that, but I do not trust programs that will cure for a cost, as that is the same tactic that Antivirus 2009 uses.

So any suggestions are heeded.

If Windows is fairly up to date, you can manually run Microsoft's Malicious Software Removal Tool. It removes the Antivirus 2009 trojan. Of course, I'm not sure if it will remove anything that may have been downloaded by AV 2009. To run it, click Start > Run, type mrt, and run the deep scan.

It's not up to date.. It is still XP Service Pack 2, and whatever other rootkit is with the trojan is really hampering efforts.

I've just had a barrel of laughs removing this from someone's PC.

First I used the SmitFraudFix program (running in Safe Mode) to remove most of it, as I couldn't get anything else to run. Then I had to use Ad-Aware, Spybot and McAfee Stinger to get rid of everything that was still around (although some of this may not have been related).

The problem is it was using Karna.dat, which is a nightmare to remove as it infects a Windows system file, beep.sys, to re-install itself. SmitFraudFix removed the files and repaired beep.sys so I could get the other software running properly.

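As an added check (this is not from any post in the thread), a small batch file for XP that compares the live beep.sys driver against the copy Windows File Protection keeps in dllcache, and searches the C: drive for the Karna.dat file named above. The file paths are the standard XP locations and are assumed; if the infection also replaced the dllcache copy, or a rootkit hides files from dir, the check will come back clean.

```batch
@echo off
rem Added integrity check, not part of the original thread.
rem Compares the live beep.sys with the Windows File Protection cache copy
rem that XP keeps in system32\dllcache. A mismatch suggests the driver was
rem replaced, as described in the post above.
rem Caveat: if both copies were overwritten, or if a rootkit is hiding the
rem files from the shell, this check cannot tell.
setlocal
set LIVE=%SystemRoot%\system32\drivers\beep.sys
set CACHE=%SystemRoot%\system32\dllcache\beep.sys

if not exist "%LIVE%" (
    echo [!] %LIVE% is missing
    goto karna
)
if not exist "%CACHE%" (
    echo [?] No dllcache copy to compare against; run sfc /scannow instead
    goto karna
)

rem fc /b is a byte-for-byte compare: errorlevel 0 identical, 1 different
fc /b "%LIVE%" "%CACHE%" >nul
if errorlevel 1 (
    echo [!] beep.sys differs from the dllcache copy - possible tampering
) else (
    echo [ok] beep.sys matches the dllcache copy
)

:karna
rem Look for the Karna.dat file named in the post anywhere on C:
rem (dir /s with a filename searches every subdirectory; /a includes hidden)
echo Searching C: for Karna.dat ...
dir /s /b /a "C:\Karna.dat" 2>nul
if errorlevel 1 echo [ok] No Karna.dat found on C:
endlocal
```

Run it from a normal command prompt, or from Safe Mode with Command Prompt if the desktop is unusable.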

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Bluebird... Why are you as a normal member posting in this forum? Any advice should only be given from the groups listed in this topic...

Thank you.

Sorry :blush: - I didn't see a HJT log posted, just a question about how to deal with a certain piece of malware which, as I just spent nearly a whole day trying to remove it, I thought I would help out with what I learnt. :)

Normally I wouldn't try to analyse a HJT log.

Thanks, I will try this when I get back next week and see if it fixes the issues they are having.