A guide on how to uninstall and remove HomeAntivirus 2009
Posted by Grinler on April 16, 2009 @ 10:22 PM · Views: 1,729
What this programs does:
HomeAntivirus 2009, or Home Antivirus 2009, is a rogue anti-spyware
program from the same family as XP
Antispyware 2009. Like its predecessors, this malware is classified as a
rogue because it utilizes malware and displays fake scan results. Any program
that uses deception in order to create sales is automatically placed into the
rogue classification. The following guide will explain how HomeAntivirus is
promoted, what it does when installed, and how to remove the infection. Images
of the program can also be found below.
The HomeAntivirus 2009 Rogue
For more screen shots of this infection click on the image above.
There are a total of 7 images you can view.
This rogue is advertised and installed through the use of Trojans that display
warnings that state your computer is at risk. When you click on these alerts
it will then download and install Home Antivirus 2009 onto your computer without
your permission. While installing, HomeAntivirus 2009 will also create numerous
files on your computer that are made to appear as infections, but are in reality
harmless as they cannot run and are thus unable to affect your computer in any
way. Some of the files that were created on our analysis computer when testing
Home Antivirus are:
c:\Program Files\Common Files\itihosa.inf
c:\Program Files\Common Files\kupave.sys
c:\Program Files\Common Files\senuryja.inf
c:\Program Files\Common Files\ukanemuh.inf
c:\WINDOWS\cegi.com
c:\WINDOWS\erunamud.scr
c:\WINDOWS\fyber.ban
c:\WINDOWS\joti.dll
c:\WINDOWS\kecukuqyx.reg
c:\WINDOWS\osuwez.vbs
c:\WINDOWS\repabowy.dat
c:\WINDOWS\salubat.pif
c:\WINDOWS\ukajaresil._sy
c:\WINDOWS\xexufovyjy.exe
c:\WINDOWS\system32\efeqil.sys
c:\WINDOWS\system32\elodid.dl
c:\WINDOWS\system32\eqyzax.pif
c:\Documents and Settings\All Users\Application Data\ador.db
c:\Documents and Settings\All Users\Application Data\rocipaz.com
c:\Documents and Settings\All Users\Application Data\yhanat.dl
c:\Documents and Settings\All Users\Documents\ditebyl.lib
%UserProfile%\Application Data\sezyfi.db
%UserProfile%\Application Data\ygor.reg
Some of the infections that is states are on your computer are:
Mal/Iframe
First4DRM
Virtool.DoS.Synte.A
Envolo
Aenima
Fake-Mailer
AdStartup
Adware.BHO.je
Backdoor.Hupigon.mqe
Adrotator.IconAds
BookedSpace
Adware.ZToolbar
E2Give
MeridianPopUpper
SearchFast
Iggsey Toolbar
Home Antivirus will also be configured to start automatically when your computer
starts. Once started it will scan your computer and display numerous infections
that cannot be removed until you first purchase the program. As was already
said, none of the files that are detected are actually legitimate infections,
but rather the fake ones that were created when it was first installed. These
results are only being shown to scare you into thinking you are infected in
the hope that you purchase the program.
While running you will also see numerous security warnings appear from your
Windows taskbar. These alerts are used to further trick you into thinking there
is a serious security issue on your computer. Some of the warnings you will
see are:
Privacy alert!
Your system was found to be infected with intercepting programs. These can
log your activity and damage your privacy. Click here for %s spyware removal.
Trojan detected!
A piece of malicious code was found in your system which can replicate itself
if no action is taken. Click here to have your system cleaned by %s.
Spyware alarm!
Our scan has reported that pieces of malicious spyware code are present on
your hard drive. To get rid of security threats, click here for a %s scan.
Privacy is at risk!
Attention, keylogging and intercepting scripts were detected. Your private
data may be disclosed to third parties. Click here and %s will remove the
infection.
Last but not least, this program will also create a file that launches a window
that impersonates the Windows Security Center control panel. It does this by
installing a file named c:\WINDOWS\system32\_scui.cpl, which
when run will start a control panel that looks exactly like Windows Security
Center, but instead promotes the HomeAntivirus 2009 program. It also disables
the launching of the legitimate Windows Security Center by adding the following
Windows Registry keys to your computer:
HKEY_CURRENT_USER\Control Panel\don't load "scui.cpl"
HKEY_CURRENT_USER\Control Panel\don't load "wscui.cpl"
If you are infected, or have symptoms of HomeAntivirus 2009, then please use
the removal guide below in order to remove this rogue and any associated malware.
Threat Classification:
Advanced information:
View HomeAntivirus 2009 files.
View HomeAntivirus 2009 Registry Information.
Entries for this program found in the Add or Remove Programs control panel:
Home Antivirus 2009
Tools Needed for this fix:
Symptoms that may be in a HijackThis Log:
O4 - HKLM\..\Run: [HomeAntivirus 2009] "C:\Program Files\HomeAntivirus2009\HomeAntivirus2009.exe" /hide
Guide Updates:
04/16/09 - Initial guide creation.
04/17/09 - Minor edits and addition of SmitFraudFix as a removal tool.
Choose the removal method you would like to use:
Automated Removal Instructions for HomeAntivirus 2009 using Malwarebytes' Anti-Malware:
- Print out these instructions as we will need to close every window that
is open later in the fix.
- Download Malwarebytes' Anti-Malware, or MBAM, from the following location
and save it to your desktop:
Malwarebytes' Anti-Malware Download Link
- Once downloaded, close all programs and Windows on your computer, including
this one.
- Double-click on the icon on your desktop named mbam-setup.exe.
This will start the installation of MBAM onto your computer.
- When the installation begins, keep following the prompts in order to continue
with the installation process. Do not make any changes to default settings
and when the program has finished installing, make sure you leave both the
Update Malwarebytes' Anti-Malware and Launch
Malwarebytes' Anti-Malware checked. Then click on the Finish
button.
- MBAM will now automatically start and you will see a message stating that
you should update the program before performing a scan. As MBAM will automatically
update itself after the install, you can press the OK button
to close that box and you will now be at the main program as shown below.
- On the Scanner tab, make sure the the Perform
quick scan option is selected and then click on the Scan
button to start scanning your computer for HomeAntivirus 2009 related
files.
- MBAM will now start scanning your computer for malware. This process can
take quite a while, so we suggest you go and do something else and periodically
check on the status of the scan. When MBAM is scanning it will look like the
image below.
- When the scan is finished a message box will appear as shown in the image
below.
You should click on the OK button to close the message box and continue with
the Home Antivirus 2009 removal process.
- You will now be back at the main Scanner screen. At this point you should
click on the Show Results button.
- A screen displaying all the malware that the program found will be shown
as seen in the image below. Please note that the infections found may be different than what is shown in the image.
You should now click on the Remove Selected button to remove
all the listed malware. MBAM will now delete all of the files and registry
keys and add them to the programs quarantine. When removing the files, MBAM
may require a reboot in order to remove some of them. If it displays a message
stating that it needs to reboot, please allow it to do so. Once your computer
has rebooted, and you are logged in, please continue with the rest of the
steps.
- When MBAM has finished removing the malware, it will open the scan log and
display it in Notepad. Review the log as desired, and then close the Notepad
window.
- You can now exit the MBAM program.
Your computer should now be free of the Home Antivirus 2009 program. If your current anti-virus solution let this infection through, you may want to consider purchasing the PRO version of Malwarebytes' Anti-Malware to protect against these types of threats in the future.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Posting A Hijackthis Log
Automated Removal Instructions for HomeAntivirus 2009 using SmitFraudFix:
- Print out these instructions as we will need to close every window that
is open later in the fix.
- Download SmitfraudFix.exe from here and save it to your desktop:
SmitFraudFix.exe
Confirm that the file SmitfraudFix.exe now resides
on your desktop, but do not double-click on the icon as of yet. We will use
it in later steps. The icon will look like the one below:
- Next, please reboot your computer into Safe
Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the
Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
- When you are at the logon prompt, log in as the same user that you had
performed the previous steps as.
- When your computer has started in safe mode, and you see the desktop, close
all open Windows.
- Now, double-click on the SmitFraudfix icon that should be residing on your
desktop.The icon will look like the one below:
- When the tool first starts you will see a credits screen. Simply press
any key on your keyboard to get to the next screen.
- You will now see a menu as shown in the image below. Press the number 2
on your keyboard and the press the enter key to choose the
option Clean (safe mode recommended).
- The program will start cleaning your computer and go through a series of
cleanup processes. When it is done, it will automatically start the Disk Cleanup
program as shown by the image below.
This program will remove all Temp, Temporary Internet Files, and other files
that may be leftover files from this infection. This process can take up to
a few hours depending on your computer, so please be patient. When it is complete,
it will close automatically and you will should continue with step 11.
- When Disk Cleanup is finished, you will be presented with an option asking
Do you want to clean the registry ? (y/n). At this
screen you should press the Y button on your keyboard and
then press the enter key.
- When this last routine is finished, you will be presented with a red screen
stating Computer will reboot now. Close all applications.
You should now press the spacebar on your computer. A counter will appear
stating that the computer will reboot in 15 seconds. Do not cancel this countdown
and allow your computer to reboot.
- Once the computer has rebooted, you will be presented with a Notepad screen
containing a log of all the files removed from your computer. Examine this
log, and when you are done, close the Notepad screen.
Your computer should now be free of the HomeAntivirus 2009
infection.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
Preparation Guide For Use Before Posting A Hijackthis Log
Associated HomeAntivirus 2009 Files:
c:\Program Files\Common Files\itihosa.inf
c:\Program Files\Common Files\kupave.sys
c:\Program Files\Common Files\senuryja.inf
c:\Program Files\Common Files\ukanemuh.inf
c:\Program Files\HomeAntivirus2009
c:\Program Files\HomeAntivirus2009\.cfg
c:\Program Files\HomeAntivirus2009\AVEngn.dll
c:\Program Files\HomeAntivirus2009\HomeAntivirus2009.exe
c:\Program Files\HomeAntivirus2009\htmlayout.dll
c:\Program Files\HomeAntivirus2009\pthreadVC2.dll
c:\Program Files\HomeAntivirus2009\Uninstall.exe
c:\Program Files\HomeAntivirus2009\wscui.cpl
c:\Program Files\HomeAntivirus2009\data
c:\Program Files\HomeAntivirus2009\data\daily.cvd
c:\Program Files\HomeAntivirus2009\Microsoft.VC80.CRT
c:\Program Files\HomeAntivirus2009\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\Program Files\HomeAntivirus2009\Microsoft.VC80.CRT\msvcm80.dll
c:\Program Files\HomeAntivirus2009\Microsoft.VC80.CRT\msvcp80.dll
c:\Program Files\HomeAntivirus2009\Microsoft.VC80.CRT\msvcr80.dll
c:\WINDOWS\cegi.com
c:\WINDOWS\erunamud.scr
c:\WINDOWS\fyber.ban
c:\WINDOWS\joti.dll
c:\WINDOWS\kecukuqyx.reg
c:\WINDOWS\osuwez.vbs
c:\WINDOWS\repabowy.dat
c:\WINDOWS\salubat.pif
c:\WINDOWS\ukajaresil._sy
c:\WINDOWS\xexufovyjy.exe
c:\WINDOWS\system32\_scui.cpl
c:\WINDOWS\system32\efeqil.sys
c:\WINDOWS\system32\elodid.dl
c:\WINDOWS\system32\eqyzax.pif
c:\Documents and Settings\All Users\Application Data\ador.db
c:\Documents and Settings\All Users\Application Data\rocipaz.com
c:\Documents and Settings\All Users\Application Data\yhanat.dl
c:\Documents and Settings\All Users\Documents\ditebyl.lib
%UserProfile%\Application Data\sezyfi.db
%UserProfile%\Application Data\ygor.reg
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\HomeAntivirus2009.lnk
%UserProfile%\Cookies\jebipej.reg
%UserProfile%\Cookies\muhanuhewi.sys
%UserProfile%\Cookies\oxesybas.inf
%UserProfile%\Cookies\tipyde._dl
%UserProfile%\Cookies\ucodi.bin
%UserProfile%\Desktop\HomeAntivirus2009.lnk
%UserProfile%\Local Settings\Application Data\awubo._sy
%UserProfile%\Local Settings\Application Data\ecipi._sy
%UserProfile%\Local Settings\Temporary Internet Files\amecemosu._sy
%UserProfile%\Local Settings\Temporary Internet Files\arazifely.scr
%UserProfile%\Local Settings\Temporary Internet Files\ylumyrez.vbs
%UserProfile%\Start Menu\Programs\HomeAntivirus2009
%UserProfile%\Start Menu\Programs\HomeAntivirus2009\HomeAntivirus2009.lnk
%UserProfile%\Start Menu\Programs\HomeAntivirus2009\Uninstall.lnk
Associated HomeAntivirus 2009 Windows Registry Information:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HomeAntivirus2009
HKEY_CURRENT_USER\Control Panel\don't load "scui.cpl"
HKEY_CURRENT_USER\Control Panel\don't load "wscui.cpl"
HKEY_LOCAL_MACHINE "info"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "HomeAntivirus 2009"
Have a problem and would like to ask us for help? To learn how to ask your question Click Here!
Do you have popups or other malware infecting your computer? If so, Start Here!
Are you having trouble using this site? Then you should visit the New User Orientation Center!
RSS
