Attention! If your computer is infected...

rbardy
Please read all of this before replying.

I've had several users receive the following pop-up message over the past few months while using Windows XP and IE...

ATTENTION! If your computer is infected,you could suffer data loss, erratic PC behaviour, PC freezes and creahes.
Detect and remove viruses before they damage your computer!
Antivirus 2009 will perform a quick and 100% FREE scan of your computer for VIruses, Spyware and Adware.
Do you want to install Antivirus 2009 to scan your computer for malware now? (Recomended)

It's an annoying pop-up that cannot be removed no matter what I try it seems.

Before you start recommending ad-aware, spybot, hijackthis, symantec, macfee, etc. etc. etc. I'VE TRIED THEM ALL. They didn't work. Please don't recommend another spyware removal tool. This is obviously something more malicious.

Has anyone else encountered this annoying pop-up and how did you remove it for good? It seems to have a nasty habit of replicating.
    +
    0 Votes
    geraray

    Hello rbardy, I had the same problem. What I did to solve this problem is that I downloaded Malwarebytes Anti-Malware for free, and it worked out fine for me.
    You should give it a try, mate.

    +
    0 Votes

    Start > Run, and type in "regedit".
    When in, go to "Edit > Find", and in the box type in "Antivirus 2009", then click on "Find Next". This will make the registry search for this item; once found, just delete it. Once you have done this, press (both keys) "CTRL+F", and this will get the registry to search again for any more items belonging to this bit of annoyware; keep on doing this with the keys until all is removed.

    Please post back if you have any more problems or questions.

    +
    0 Votes
    Jacky Howe

    It claims to be able to remove it.

    http://www.bleepingcomputer.com/malware-removal/uninstall-antivirus-2009

    How to remove Antivirus 2009 (Uninstall Instructions)

    Malwarebytes' Anti-Malware http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

    +
    0 Votes
    Jacky Howe

    From another PC download and install these two programs and copy the installed folders to a USB Stick.

    Restart the PC in Safe Mode and turn off System Restore, then run Sophos and then run Spybot.

    Download Spybot - Search & Destroy 1.5.2 and install it. Update it. http://www.safer-networking.org/en/download/index.html

    Download Sophos and the latest IDE Files. Install it and extract the IDE files to the C:\SAV32CLI folder.

    http://www.sophos.com/support/knowledgebase/article/13251.html

    Copy and paste the below two lines into Notepad and save the file to the USB Stick as sophos.bat; it will scan and remove. When the scan has finished, check the log file to see what it hasn't removed.

    ===============================

    CD SAV32CLI
    SAV32CLI -REMOVE -P=C:\REMOVLOG.TXT

    ===============================

    The Sophos SAV32CLI folder can be safely deleted after it is copied to USB.

    When you have finished running the above, download and install Malwarebytes and update it. Reboot your PC in Safe Mode and run it.

    http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe

    Download RootkitRevealer v1.71 and run it.

    http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

    Just to be on the safe side, when you finish do an online scan with Bitdefender.

    http://www.bitdefender.com/scan8/ie.html

    Remember to turn on System Restore when you have finished cleaning.

    Let us know how you get on.

    +
    0 Votes
    jdclyde

    Had two laptops that had the same thing.

    I also ran AdAware by lavasoft.

    S&D took most of it, but had some it couldn't get, even in safe mode.

    regedit was the bit that ripped it out.

    I think this comes in the UPS email saying their package was undeliverable, and then has a zip file.

    people are stupid enough to wonder what package, when they knew full well that they didn't send anything and the email doesn't have ANY personal information about the sender/recipient. Some people don't deserve to have a computer.

    +
    0 Votes
    Jacky Howe

    I received this the other day. It is obvious that you would have to open the executable, but it would suck a lot of people in, thinking that something had been charged to their credit card.

    Dear Gentlemen,

    Thank you for using our new service "Buy flight ticket Online" on our website.

    Your account has been created:

    Your login: my@emailaddress

    Your password: passB3BF

    Your credit card has been charged for $683.57.

    We would like to remind you that whenever you order tickets on our website you get a discount of 10%!

    Attached to this message is the purchase Invoice and the flight ticket.

    To use your ticket, simply print it on a color printed, and you are set to take off for the journey!

    Kind regards,

    AirTran Airways

    It contained an attachment Ticket_N141-SK.zip

    When the zip was extracted it had an exe Ticket_N141-SK.exe, and the exe had a Word icon.

    Uploaded and tested with http://virscan.org/

    Trojan.Win32.Emold.A

    Mal_Banker
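
The lure above is a zip whose only member is an executable wearing a document icon. The following script is an added example, not code from the original thread or from any tool named in it: it opens a zip attachment without executing anything, and flags members that have an executable extension, a document extension hidden in front of an executable one, or a PE ("MZ") header under a non-executable name (the icon is read from the PE, so the header check catches the "Word icon" trick regardless of the filename). The sample archive named Ticket_N141-SK.zip after the post is constructed in memory; its contents are placeholders.

```python
"""Triage a zip attachment for executables hiding behind document-like names.

Added example, not from the original thread. The sample archive is
constructed in memory; the member bytes are placeholders, not real malware.
"""
import io
import zipfile

# Extensions Windows runs directly; a "ticket" or "invoice" should never be one.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a lure typically imitates in the filename (Invoice.doc.exe).
DOCUMENT_EXTENSIONS = {".doc", ".pdf", ".xls", ".txt", ".jpg"}


def classify_member(name: str, head: bytes) -> list:
    """Return the reasons one archive member looks dangerous (empty = clean)."""
    reasons = []
    base, sep, ext = name.lower().rpartition(".")
    ext = "." + ext if sep else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        # Double extension: the part before the real extension mimics a document.
        inner = "." + base.rpartition(".")[2] if "." in base else ""
        if inner in DOCUMENT_EXTENSIONS:
            reasons.append(f"document extension {inner} hidden before {ext}")
    # A PE file starts with the 'MZ' DOS stub whatever its name or icon says.
    if head[:2] == b"MZ" and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("PE header (MZ) under a non-executable name")
    return reasons


def triage_zip(data: bytes) -> dict:
    """Map each file in the zip to its list of reasons, reading only 2 bytes each."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            findings[info.filename] = classify_member(info.filename, head)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample modelled on the ticket zip described in the thread."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder for a PE file: only the MZ signature matters here.
        zf.writestr("Ticket_N141-SK.exe", b"MZ" + b"\x00" * 62)
        # A harmless member for contrast.
        zf.writestr("readme.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_zip()).items():
        print(member, "->", reasons or "clean")
```

The script never extracts or runs anything; it reads two bytes per member, which is all that is needed to tell a PE from the document its icon claims it is. A mail gateway doing the same check on inbound zips would have stopped this particular attachment before any user saw the icon.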

    +
    0 Votes
    jdclyde

    For a while, you could spot them because of key words they would misspell or phrases that didn't fit.

    Got one the other day from paypal, and it DID look convincing. If I didn't already know better, I can see how it would fool people.

    === Here is what I got ==========

    From: service@paypal.com <support@ctcu.com>
    Date: Thu, Aug 28, 2008 at 9:41 AM
    Subject: Notification of Limited Account Access
    To: undisclosed-recipients

    Due to security measures, we regulary screen our customers account activity. While your account has been reviewed, unusual activity has been detected that requires further verification. For this reason, limitations have been placed to your account, until you confirm your registered informations. In order to remove the account limitations, complete 2 easy steps by clicking on the following link:

    Login to your PayPal Account

    After all the necessary information will be gathered, the limitations on your account will be removed, and your session will be continued as normally.

    Thank you for taking your time,
    PayPal Account Review Dept.

    Copyright 2008 PayPal Inc. All rights reserved

    ==================================

    I reported it, and got this back from paypal

    ===================================

    Dear jd,

    Thanks for taking an active role by reporting suspicious-looking emails.
    The email you forwarded to us is a phishing email, and our security team
    is working to disable it.
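
The one hard signal in the headers above is the From line: the display name is written as an address at paypal.com, while the address in angle brackets, the one the message actually came from, is at ctcu.com. The script below is an added example, not from the original post or from PayPal; it takes the real sender to be the angle-bracketed address, reads any address-shaped claims out of the display name, and reports a mismatch. It deliberately avoids email.utils.parseaddr, which on this exact header returns the embedded paypal.com address first. The sample header block is constructed from the post.

```python
"""Spot a From header whose display name is dressed up as another address.

Added example, not from the original thread. Sample headers are constructed
from the phishing message quoted there.
"""
import re

# "Display Name <user@host>": the angle-bracketed address is the real sender.
ANGLE_RE = re.compile(r"^(?P<display>.*?)\s*<(?P<addr>[^<>]+)>\s*$")
# Anything shaped like an address, used to pull claims out of the display name.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address ('' if it has no '@')."""
    return address.rpartition("@")[2].lower()


def split_from(value: str) -> tuple:
    """Split a From value into (display name, real address)."""
    match = ANGLE_RE.match(value.strip())
    if match:
        return match.group("display").strip().strip('"'), match.group("addr").strip()
    return "", value.strip()


def check_from(value: str) -> dict:
    """Report whether the display name claims a domain the real sender lacks."""
    display, real = split_from(value)
    real_domain = domain_of(real)
    claimed = sorted({domain_of(a) for a in ADDR_RE.findall(display)})
    impersonated = [d for d in claimed if d != real_domain]
    return {
        "display": display,
        "real_address": real,
        "real_domain": real_domain,
        "claimed_domains": claimed,
        "impersonated_domains": impersonated,
        "suspicious": bool(impersonated),
    }


def header_value(headers: str, name: str) -> str:
    """Value of the first header called `name` (case-insensitive), or ''."""
    prefix = name.lower() + ":"
    for line in headers.splitlines():
        if line.lower().startswith(prefix):
            return line.split(":", 1)[1].strip()
    return ""


def triage_headers(headers: str) -> list:
    """Collect the warning signs visible in the header block alone."""
    warnings = []
    verdict = check_from(header_value(headers, "From"))
    if verdict["suspicious"]:
        warnings.append(
            "From display name claims %s but the real sender is at %s"
            % (", ".join(verdict["impersonated_domains"]), verdict["real_domain"])
        )
    if "undisclosed-recipients" in header_value(headers, "To").lower():
        warnings.append("To: undisclosed-recipients (bulk mailing, not addressed to you)")
    return warnings


# Constructed from the headers quoted in the thread.
SAMPLE_HEADERS = """\
From: service@paypal.com <support@ctcu.com>
Date: Thu, Aug 28, 2008 at 9:41 AM
Subject: Notification of Limited Account Access
To: undisclosed-recipients
"""

if __name__ == "__main__":
    for warning in triage_headers(SAMPLE_HEADERS):
        print("WARNING:", warning)
```

Run it on the sample and both signs come out: the impersonated paypal.com domain against the real ctcu.com sender, and the undisclosed-recipients bulk send. The same check applied to a plain "Alice <alice@example.com>" reports nothing, which is the point: a mismatch is only worth flagging when the display name makes a claim the envelope does not back up.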

    +
    0 Votes
    jdclyde

    and it goes on....


    At least it is easier each time. B-)

    +
    0 Votes
    Jacky Howe

    from a Bank that I haven't an account with. That one was pretty obvious.

    +
    0 Votes
    XnavyDK

    I use mbam religiously; I also use sem endpoint, which does a good job of blocking it so far.

    Yet I still can't configure my Firebox correctly... can't win for losing... LOL

    +
    0 Votes
    josephjameslupo

    I have been working 2 days straight to remove all of the above. I have completely formatted to NTFS twice, reloaded XP Pro Corp, installed <Malwarebytes Anti-Malware, SpyEraser, NOD32 full> and ran all prior to hooking up the internet. Within minutes of plugging the internet in, bam, total internet attack. I'm losing my mind here. Any idea of how to correct this mess??

    +
    0 Votes

    Before you add on your anti-virus software, load this on to get you started:
    AVG:
    http://free.avg.com/
    Then switch on your router and do all of the updates. Hope all works out for you.

    Please post back if you have any more problems or questions.

    +
    0 Votes
    ComputerCookie

    ago, solved it by running Spybot S&D and Ad-Aware 2007 in safe mode, then removed some files by starting in command prompt and deleting the files that I had noted could not be deleted.

    Was a real pain, as Windows Installer will not run in safe mode and I cannot remember which, but either Spybot S&D or Ad-Aware 2007 could not be installed. Also, Ad-Aware 2007 maxed out at 5000, so I had to find the files and delete them.

    The guy was using BearShare and had downloaded a selection of files from someone's computer, approx. 30 GB; he also had two incomplete files from the same source, approx. 10 and 14 GB. Once I deleted these I still had a problem, as he also had a complete copy of the "C:" drive of this computer, and this was a hidden 60 GB folder in the root directory called C.

    All the files were .exe files of 192 KB; every file had a name that related to videos (porn and normal release), music (just about every genre), teaching and business resources.

    How the person created over 31,000 different file names I don't know, or really care, but I'm sure he's probably infected thousands.
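
What ComputerCookie describes is one payload under tens of thousands of lure names: same size, same bytes, different titles. The script below is an added example, not from the original thread or any tool named in it: it walks a folder, streams every executable through SHA-256, and reports clusters of identical executables carrying different names, which is how such a share turns up without reading 31,000 filenames by hand. The sample tree is built in a temporary directory with placeholder contents; the lure names are invented.

```python
"""Find clusters of identical executables hiding under many different names.

Added example, not from the original thread. The sample tree below is
constructed in a temporary directory; file contents are placeholders.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so multi-GB files are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def executable_clusters(root: str, min_copies: int = 2) -> dict:
    """Map digest -> sorted paths of executables sharing that digest.

    Only digests with at least `min_copies` files are returned; a legitimate
    program is rarely present as thousands of renamed copies.
    """
    by_digest = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in EXECUTABLE_EXTENSIONS:
                path = os.path.join(dirpath, name)
                by_digest[sha256_of(path)].append(path)
    return {d: sorted(p) for d, p in by_digest.items() if len(p) >= min_copies}


def build_sample_tree() -> str:
    """Constructed sample: one payload under several lure names, plus decoys."""
    root = tempfile.mkdtemp(prefix="p2p-triage-")
    # Placeholder payload; only its identity across files matters here.
    payload = b"MZ" + b"\x90" * 190
    lure_names = [
        "Some Movie (2008) DVDRip.exe",
        "Top 40 Hits.exe",
        "Business Plan Template.exe",
    ]
    shared = os.path.join(root, "Shared")
    os.makedirs(shared)
    for name in lure_names:
        with open(os.path.join(shared, name), "wb") as fh:
            fh.write(payload)
    # A different executable and a non-executable must not join the cluster.
    with open(os.path.join(root, "setup.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 100)
    with open(os.path.join(shared, "notes.txt"), "wb") as fh:
        fh.write(b"not an executable")
    return root


if __name__ == "__main__":
    for digest, paths in executable_clusters(build_sample_tree()).items():
        print(digest[:16], len(paths), "copies")
        for p in paths:
            print("   ", p)
```

Once the cluster is known, one digest identifies every copy, including ones inside a hidden mirrored drive like the 60 GB "C" folder in the post, and the same digest can be handed to a scanner or blocklist rather than chasing names. Size alone (192 KB here) is a useful first filter but not proof; the hash is.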
