
Protection against Antivirus 2009


#1 Droiyan3


  • Members
  • 2 posts

Posted 03 September 2009 - 11:40 PM

Good morning all,

This is my first post, so don't be hard on me.

I have about 100 machines in the domain. Most of them are XP SP3 with about 54 of the MS critical updates. One of them has been infected with Antivirus 2009 ( http://www.bleepingcomputer.com/virus-remo...antivirus-2009); after that it started to jump over the network to other users. I can remove it, but then it pops up on another PC. After a while the PC that I have cleaned gets it again.

How do I actually protect the PCs against it?

The anti-virus software is McAfee 8.5 to 8.7, which detects the virus but can't remove it.

Please let me know if you need any more information.

Thanks a lot




#2 Blade


    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US

Posted 04 September 2009 - 12:11 AM

First thing I'd do is quarantine the infected machines; take them off the network entirely. Physically unplug their connection if you have to. Your problem is that the malware is spreading faster than you can kill it. If you can contain the infection, then you can clean all the infected machines at once. Once all your machines are clean, then you can reconnect them.

As far as protecting yourself against it, there's no "magic program" that can guarantee protection. You need to figure out how the infection gained entry to the network: for rogues like AV2K9 it's usually visiting a shady website of some sort. Once you've found the entry point, implement a policy to plug the hole. Maybe switch the browser security settings up and then prevent general users from modifying them.

Hope that helps.


Edited by Blade Zephon, 04 September 2009 - 12:15 AM.


#3 Droiyan3

  • Topic Starter

  • Members
  • 2 posts

Posted 04 September 2009 - 12:36 AM

Hello Blade,

I did exactly as you described. I've physically removed all machines that were infected from the network. The problem is that some users do not report to me because they are at a remote site. They are not telling me if they have an infection, and if they do tell me, they don't give the machine to me as it takes too much time.

I just want to know if there is a patch, hotfix or anything that can prevent the installation of AV2K9...

Thanks a lot for your help!


#4 Bambo


  • Members
  • 133 posts
  • Gender:Male
  • Location:Denmark

Posted 04 September 2009 - 02:16 AM

Don't know if it is relevant for your setup, but WOT http://www.mywot.com/ is the best tool to block malware domains, if that is where it comes from. Relying on a scanner can be a bit unsafe. Well, you have to see it, so test away. It is just a browser plugin and the warning/block is easy to ignore; it does not do much about infected USB drives either, of course, so not really much foolproof safety. But if someone needs help navigating the internet it is useful. It is updated fast, which makes all the difference compared to, for example, SiteAdvisor from McAfee. The plugin is also flexible, so you can set it up to only react to really bad sites, those hosting stuff like Antivirus 2009.

So all XPs are updated with IE8? SmartScreen is pretty good at blocking malware. IE7 did very little besides phishing; that has all changed. WOT is just much more of the same blacklisting.

Since you ask here you probably want an easy, cheap solution right now, a magic MS patch preferably. Not available, so all things considered WOT is better than nothing perhaps. Locking down computers with SRP and whatnot is not an option or not possible, I guess. I've only read about SRP, but it seems very powerful. Maybe you get other problems: WHY does this not run??? It depends on the network and users how well that goes. Same as if you bought and installed better security software. If they don't even tell you when infected, any restrictions/changes might be hard to carry out.

You should forget all about Antivirus 2009; it is only relevant now. It will be something else next time, a new variant McAfee doesn't know about? Who knows. There are 1000s of such infections, so expect the worst :thumbsup: There is a problem with at least one of the users; that is all you can be sure of.

McAfee detects the virus but can't remove it? What is there to remove when detected? Or there was a slip and then McAfee could not stop it because the network tour began? Can't trust scanners or people anyhow.

Actually there could be an alternative. The latest beta of Hostman http://forum.abelhadigital.com/index.php?showtopic=553 can use one of WOT's main sources, hpHosts, including daily updates. All done automatically. You can add all the hosts files you can dig up. The tool will remove duplicates and manage them. Not updated as fast as WOT, but an alternative. hpHosts includes a lot! If Antivirus 2009 came from the internet, very likely hpHosts already had that domain on the list. It may have more appeal since it is system-wide and not a tiny browser plugin. The Hostman beta runs great; I think it is close to final, but check the forum. I tried it for a week or so. The problem with hpHosts is they are very rigid sometimes, but with Hostman it takes only a few seconds to whitelist a site. Most annoyances with the old hosts trick are gone. If you can lock down/hide Hostman so it is not possible or easy to tinker with? Maybe.

You used Malwarebytes then. They just added some IP blocking. How much? I think I've seen the dude who makes hpHosts over at their forum. If Malwarebytes starts to get data from hpHosts that would be very cool. I don't know the details other than that some have complained about the lack of an exclusion list (which made me think hpHosts!). Malwarebytes is not that expensive, is it? :flowers: McAfee will appreciate the help.

Edited by Bambo, 04 September 2009 - 02:18 AM.
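The hosts-file approach Bambo describes (merge several blocklists, drop duplicates, keep a whitelist of sites you need) is easy to reproduce without a third-party tool. The script below is an added example, not Hostman's or hpHosts' code; the two blocklists, the whitelist and the `.example` domains are constructed sample data.

```python
import re
from typing import Iterable

# Constructed sample blocklists in hosts-file syntax; both sinkhole styles appear in the wild.
LIST_A = """# constructed blocklist A
127.0.0.1 localhost
0.0.0.0 rogue-av-download.example   # comment after the entry
0.0.0.0 ads.example
"""
LIST_B = """# constructed blocklist B
127.0.0.1 Rogue-AV-Download.example
127.0.0.1 tracker.example
0.0.0.0 needed-vendor.example
"""
WHITELIST = {"needed-vendor.example"}  # sites the admin has decided to allow
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
HOST_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*$")

def parse_hosts(text: str) -> set[str]:
    """Return the set of sinkholed hostnames (lower-cased) from one hosts-style list."""
    hosts: set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        if addr not in ("0.0.0.0", "127.0.0.1"):
            continue  # not a sinkhole entry; leave real mappings alone
        for name in names:
            name = name.lower()
            if HOST_RE.match(name) and name not in LOCAL_NAMES:
                hosts.add(name)
    return hosts

def merge_blocklists(lists: Iterable[str], whitelist: set[str]) -> list[str]:
    """Union several lists, dedupe case-insensitively and strip whitelisted names."""
    merged: set[str] = set()
    for text in lists:
        merged |= parse_hosts(text)
    merged -= {w.lower() for w in whitelist}
    return sorted(merged)

def render_hosts(hosts: list[str]) -> str:
    """Emit a hosts-file fragment; 0.0.0.0 is used so nothing tries to reach a local service."""
    return "\n".join(f"0.0.0.0 {h}" for h in hosts) + "\n"

if __name__ == "__main__":
    print(render_hosts(merge_blocklists([LIST_A, LIST_B], WHITELIST)))
```

The output is meant to be appended to the system hosts file by an administrator; the whitelist is the only part users should ever need to touch, which is the same split Bambo describes for Hostman.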

#5 HowToRemoveSpyware


  • Members
  • 10 posts
  • Location:Southern California

Posted 13 September 2009 - 04:10 PM

Droiyan3, I would agree with Blade Zephon on containment but not on magic programs to keep you safe; there is a way to prevent rogue anti-virus programs from getting installed in the first place.

Because you have so many computers on the domain, I'm not sure it would be financially possible to get a Malwarebytes Anti-Malware license for each of them.

Malwarebytes isn't magical by any means, but for spyware it does a darn good job!

They do a fantastic job of getting rid of and keeping away the nasty fake anti-virus programs.
