Antivirus 2009 Hijacks The Google Web Site Options

[Grinler]

A new Rogue anti-spyware program called Antivirus 2009 was released this weekend that for the most part, acts just like all the rest. It displays false results, it is advertised through misleading web sites, comes bundled with malware, displays fake results, and requires you to first purchase the software before you can remove anything. What makes this rogue a bit different, though, is how it hijacks the Google homepage and search results by inserting an advertisement for Antivirus 2009.

Google Homepage Hijack

Now, this is not the first time this is happened, but it is uncommon enough that it warrants discussing. When Antivirus 2009 is installed, it will install a Internet Explorer browser helper object called C:\Windows\System32\winsrc.dll. This program will automatically load when Internet Explorer starts, and when you visit certain sites, it will insert its own information into the web pages that are retrieved. Currently the information that is inserted into the Google home page and search results is a misleading advertisement for Antivirus 2009. The current text of the advertisement is:

Google Tips

Google has detected unregistered Antivirus 2009 copy on your computer. Google recommends you to activate Antivirus 2009 to protect your PC from malicious intrusions from the Internet.

The advertisement is actually one big link that if clicked will bring you to a page at the hxxp://microsoft.browserprotectioncenter.com/ site that says you are infected and should purchase Antivirus 2009.

BrowserProtection.com Advertisement

The tactic being used by this Rogue is to trick the infected user into thinking a well known and highly trusted brand, like Google, is actually endorsing their products. In reality, though, this is just another scam being used to steal your money. If you are infected with Antivirus 2009, you should use the following guide to remove the malware for free. If you have already paid for the software, please contact your credit card company immediately and dispute the charges.

 Link: How to remove Antivirus 2009 (Uninstall Instructions)

[sandra08]

I discovered this injection on one of our clients this morning and, with your help, was able to completely remove Antivirus 2009.
Great article and instructions

[xbunnyx]

Hi I just joined to say thankyou soo much for the guide to remove antivirus 2009. It was very easy to follow and it worked. :-) It was driving me mad and blocking nearly every site i went onto :-( Cant thankyou enuf xx

[otteradmin]

Just wanted to say thanks to Grinler, Eaglehawk2 and anyone else that may have contributed to resolving this very annoying issue. It showed up on my CEO's laptop today and this information really saved the day!

Thanks again,

otteradmin

[prando]

Wow, thanks a lot for the assistance, it was fantastic. I was perplexed as i thought my system might need complete formatting.
Good job..
Great doing guys..


--Prando

[ecafy]

You guys are awesome! Zapped that Power Antivirus 2009 quickly & easily. Thanks so much!

[samuel3]

Cheers for the info.

[colle1986]

thx for info.........

[pouringreign]

Excellent explanation-I have many friends who have gotten the antivirus 2008. I would like to send them your explanation and give you credit for it, if its okay.

[pouringreign]

Also would you recommend people change their homepage from goggle?

[KingOfIdiocy]

Also would you recommend people change their homepage from goggle?

You mean google. Goggle was an extremely dangerous site to visit. I think it may have been abandoned, but it contained may viruses, including downloading the rogue SpySheriff. I takes/took advantage of the very typo you've made.

Edit: I confirm the site is abandoned, but it could be used for criminal behaviour in the future, so don't go there.

This post has been edited by KingOfIdiocy: Aug 15 2008, 06:04 PM

[Lukepd]

rogue antiviruses are so morally corrupt! Well there are worse things in the world... but these people need to get a life!

[Bloody Eddie]

Kick A$$..

[samuel3]

What do you type in google for this to come up?

So i can avoid it.

This post has been edited by samuel3: Oct 31 2008, 10:13 AM

[jacks]

Thanks for the info... cheers !!

[taytomyname]

I only joined this forum to thank you for your help.
I have sucessfully deleted the antivirus2009 , thanks to you.

Gur a maith agat Grinler.

This post has been edited by taytomyname: Nov 19 2008, 11:00 AM

[FULLMOON_1]

umm.. Of Course! i'm going to say! THankkks! it's works 1000%.

hey, i just want to poin out..that i just get this windows:


check! it out!

then i get cuz it was't in the INSTRUCTIONS!


anyway,

[JCtitan]

I just got this rogue. trojan yesterday. I tried to come here but it blocked my access to this site. I was however able to get to download.com and get Stopzilla and malwarebytes.

It wouldnt let me run malwarebytes, so I ran stopzilla and it seemed to work right away. After running stopzilla I was able to run malwarebytes.

This is a tough one, because it blocks most sites with any information on how to get rid of the virus. I got lucky by reading enough in an off topic forum to get rid of it.

I contacted trendmicro and the engineer told me this week there has been a huge number of these types of infections. May be a good idea to print out fix instructions and stick it in a drawer somewhere just to have. I have only one computer so it was pretty frustrating hunting down links while being redirected from every "proven" forum.


Just thought I would share with you all. Good luck!

edited to say: I was on a site about movie clips, something about the hbo series true blood as I remember it. The box came up saying i had a virus, and I have seen plenty of these things and have always hit X and they go away. I hit X and it launched. The Trend Micro guy told me clicking any part of the box will launch it. So for now I would just close my browser if I see anything similar to this.

This post has been edited by JCtitan: Dec 1 2008, 01:46 PM

[foxdark]

hi

here is a different take on it

if you google search "pg equine rescue" and click on the link you get the antivirus 2009 site.
i have tried it on a few different computers and same thing but i can go there direct from through other sites.

i ran malware programs and it was not the computers infected it is google it's self that seems to be infected.

i only figured it out when the owners of the computers told me they just used googles auto complete searches to get to the site.

i tried a google search on a clean computer and bingo.

i suppose they are using googles spiders to clone sites

great site keep up the great work

[galaxydefender]

hi

here is a different take on it

if you google search "pg equine rescue" and click on the link you get the antivirus 2009 site.
i have tried it on a few different computers and same thing but i can go there direct from through other sites.

i ran malware programs and it was not the computers infected it is google it's self that seems to be infected.

i only figured it out when the owners of the computers told me they just used googles auto complete searches to get to the site.

i tried a google search on a clean computer and bingo.

i suppose they are using googles spiders to clone sites

great site keep up the great work

Thanks to this forum, on Christmas Eve my brother helped me vanquish the trojans from that rogue antivirus 2009/2008/360 et al. I think Goggle has a problem, or it seems to have a problem. So Malware Bytes has been installed on my PC. It took care of the problem completely. I agree, Goggle is the problem. Every other site with Goggle ads seem to have problems of some kind.

[cms_45]

Great article Grinler! One question, how is this contracted and how can I educate an end user on how to avoid contracting this?

Many thanks,
CMS

[Grinler]

This infection has so many attack vectors that there is no one way they may have gotten it.

Here are some of the attack vectors:

1. Braviax Trojan had, or is, installing it.
2. Fake online video codecs
3. Hacked web servers displaying pop-ups
4. Spam advertising it
5. Major sites advertising it via rogue advertisers.

[xXAlphaXx]

Well, thats something you need to keep a clsoe eye on. I've never checked (For obvious reasons) but I hear goggle is a huge infecting site. Thats something you have to keep an eye on.

[sugarpuss]

you have to be careful getting music off limewire alot of the songs are infected with this virus.

[jdamit]

Thank you for your help.

I have run the malware program and removed the rouge file. I do not beleive Antivirus was installed but the google page still displays the Antivirus 2009 link. What is the best way to remove this?

Thank you again,

[boopme]

Hi jdamit As this is not the malware removal section you need to open a Topic in the Am I Infected forum in the Security section. You will get help there.

This post has been edited by boopme: Jan 18 2009, 10:51 PM

[roaky]

This solution did not work for me. Scans, removes, restarts, and everything is the same. Also "install this program and then use it" seems like an odd guide to removing a specific malware.

[wanny]

Hi there,

I am a little confused. I appear to - about every other search on google - get shown websites that clearly do not match the search results, often with supposed antivirus websites instead of news.bbc.co.uk which it should say, for example. This seems to be my only symptom and when I go to the google homepage there is no big 'google tips' notification and I have not noticed any other things different with my pc apart from this occasional google search issue. Reading a few reports about this antivirus thing, including your own which most others seem to reference, I'm not entirely sure whether the problem must be with my computer or with google itself.

I have the latest mcaffee software. Should I be concerned?

Thanks for any help you could offer.

[boopme]

Hello wanny,please refer to post #26

EDIT: roaky you should also post there.

This post has been edited by boopme: Jan 22 2009, 10:16 AM

[janie1635]

This solution did not work for me. Scans, removes, restarts, and everything is the same. Also "install this program and then use it" seems like an odd guide to removing a specific malware.

I followed the instruction 2 days ago, and did not work. Did the virus change ?

[janie1635]

This solution did not work for me. Scans, removes, restarts, and everything is the same. Also "install this program and then use it" seems like an odd guide to removing a specific malware.

I followed the instruction 2 days ago, and did not work. Did the virus change ?

Please help how to remove this. Is only Internet Explorer that is affected? Does anybody know that if I remove my IE, will it solve the problem?

[boopme]

janie1635 please start atopic in the AM I Infected forum so we can help you with this,.

http://www.bleepingcomputer.com/forums/forum103.html

[roaky]

I intend to make a topic, but I think honest feedback as to the results of this method of removal is pertinant. Negative and posative results are constructive I think.

[boopme]

Also "install this program and then use it" seems like an odd guide to removing a specific malware.

I at a loss of what you mean. Would you prefer we just threw any tool at you ,say CWshredder and say run that?
The tool is directed at that malware and the scan log usually produces clues as to what needs to be done next, if needed. I have seen that tool remove it a 1000 times in this forum alone. Usually the times it doesn't work is because of the presence of other malwares.

[Goldwyn]

That's a bummer. Good thing for about 30 bucks I have AVG. Just renewed my license for it. No problems with that.