404 Tech Support

AntiVirus 2009 Info

AntiVirus XP 2009 is the latest in a wave of rogue "antivirus" trojans that you will run into frequently. You may stumble onto it on the web, where a page is dressed up to look like the My Computer window with a scan running over the top, convincing enough to fool most end users. A sequence of pop-ups then tries, one after another, to get you to download and run the file antivirus.v.1.exe.

AntiVirus XP 2009 in action. Not even Firefox is immune.

I’ve seen Google search results redirect to these pages, meaning even well-intentioned users can stumble onto them. Cancel out of everything, download nothing, and close your browser as soon as possible; that seems to be the easiest way out.

You’ll certainly know if you’re affected because your computer will misbehave and webpages will look different. For example:

Yeah... Google isn't going to say that. Nor do Google Tips exist.
Legitimate sites start warning you that you are infected. Sadly, they're right. But the recommended cure is actually the cause.

A lot of the time, after a legitimate page loads in Internet Explorer, it redirects you to about:blank, which now carries links to download AntiVirus 2009. Using Firefox avoids that symptom, since the redirect is done through an Internet Explorer add-on, but you don’t want this malware on your machine doing who knows what in the background even if you’re not visually affronted by it.

We want to do two things at this point: remove the malware from the machine, and prevent ourselves and our users from stumbling onto these malware-ridden sites again.

Running a legitimate antivirus scan should remove the majority of it, but some slippery pieces still get by. Reboot into Safe Mode and run the scan again for better results, since the malware’s components are not loaded there.

Unfortunately my virus scan missed a few things left by this little bugger. Specifically, it missed the about:blank redirector and the additions made to Google. There is a Browser Helper Object (BHO) in IE that does this.

IE Browser Helper Objects, less than helpful.

You have to take a guess, but the unnamed BHO with the random-letter name is the likely culprit. If you disable it, it comes back enabled the next time you start IE, which is very malware-like behaviour. The add-on dialog also shows that it uses winsrc.dll. A quick search for that file finds it in C:\Windows\System32, and its properties show it was created at the same time the initial incident occurred. Delete this file. Close IE first, or do it from Safe Mode, because a DLL that is still loaded cannot be deleted.

Malicious file in an important folder. Bad combination.

Deleting the file stops it from working. The entries behind Internet Explorer’s add-on menu also live in the registry. Open the registry editor and search for the random-letter name. I found three entries and safely deleted them. The one that tied it to the Browser Helper Objects is shown below; removing it took the entry out of the IE add-on menu.


Be careful in the registry. But delete this key.

Delete the matching key from HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{random letters}. The same identifier is also registered under HKEY_CLASSES_ROOT\CLSID\{random letters}, and its InprocServer32 subkey is what names the DLL; remove that key too, or the component stays registered even though IE no longer lists it as a BHO.
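The BHO hunt above (find the unnamed add-on, find its DLL, check the DLL’s creation time, then pull the registry keys and the file) can be done from PowerShell instead of clicking through the add-on dialog and regedit. The script below is an added example, not code from the original post: it walks the Browser Helper Objects key, resolves each CLSID to its friendly name and DLL through HKEY_CLASSES_ROOT\CLSID, and flags anything that has no name or whose DLL was created recently. The seven-day “recent” window and the Wow6432Node path for 32-bit IE on 64-bit Windows are assumptions; set the window to the time of your incident. Run it from an elevated prompt with IE closed.

```powershell
# Added example, not code from the original post. Inventory IE Browser Helper
# Objects with the DLL each one loads, then remove a chosen one by CLSID.

# Both places a BHO can be registered (the second only exists on 64-bit Windows).
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    param(
        # Assumption: DLLs created after this time count as "recent". Set it to
        # the time of the initial incident for a sharper signal.
        [datetime]$Since = (Get-Date).AddDays(-7)
    )
    foreach ($root in $BhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName
            # The BHO key only holds the CLSID; the friendly name and DLL path are
            # registered under HKCR\CLSID\{clsid} and its InprocServer32 subkey.
            $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name = (Get-ItemProperty $clsidKey -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $created = $null
            if ($dll) {
                # Paths may be quoted or use %SystemRoot%; normalise before looking at the file.
                $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                if (Test-Path $dll) { $created = (Get-Item $dll).CreationTime }
            }
            [pscustomobject]@{
                CLSID      = $clsid
                Name       = $name
                Dll        = $dll
                Created    = $created
                # Unnamed, or backed by a freshly created DLL: look at it first.
                Suspicious = (-not $name) -or ($created -ne $null -and $created -gt $Since)
            }
        }
    }
}

function Remove-Bho {
    # Unregister one BHO by CLSID and delete its DLL. Close IE first, or run this
    # from Safe Mode; a loaded DLL cannot be deleted and the BHO would just reappear.
    param([Parameter(Mandatory=$true)][string]$Clsid)

    $entry = Get-BhoInventory | Where-Object { $_.CLSID -eq $Clsid }
    if (-not $entry) { throw "No BHO registered with CLSID $Clsid" }

    foreach ($root in $BhoRoots) {
        $k = Join-Path $root $Clsid
        if (Test-Path $k) { Remove-Item $k -Recurse -Force }
    }
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    if (Test-Path $clsidKey) { Remove-Item $clsidKey -Recurse -Force }
    if ($entry.Dll -and (Test-Path $entry.Dll)) { Remove-Item $entry.Dll -Force }
}

# Review the inventory before removing anything. Legitimate BHOs (Acrobat, Java,
# and the like) have a name and a DLL that predates the incident.
Get-BhoInventory | Format-Table -AutoSize
# Then, for the entry you have identified:  Remove-Bho -Clsid '{...}'
```

Treat the Suspicious column as a hint, not a verdict: a vendor that forgot to register a name will show up too, so check the DLL’s publisher and creation time before calling Remove-Bho.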

Also, run Spybot Search and Destroy. It turned up two results related to Antivirus XP 2009 on this machine.

That should remove the AntiVirus XP 2009 threat from your machine. To keep users from reaching the pages that serve the file or run it for them, we’ll use an old trick: editing the HOSTS file. The HOSTS file is the first place the computer looks when resolving a hostname to an IP address; only if there is no matching entry does it ask the DNS server. In most cases these days, the HOSTS file contains a bunch of comments and one line: 127.0.0.1   localhost

This line tells the machine that the name localhost resolves to 127.0.0.1, the loopback address that always means your own machine (different from the IP address you get from your router or modem). We’re going to add a few lines mapping the domain names that serve these malicious programs to that same address. Nothing on your machine answers on those names, so the links simply break. Keep in mind that this only matches hostnames: a redirect that uses a raw IP address, or a domain not yet on the list, goes straight through, so treat the HOSTS file as one layer of protection and keep the list current.

Do not go to these sites! They are live and host malicious software!

Go to C:\Windows\System32\drivers\etc and edit the file named hosts (no extension) with Notepad or Notepad++. On Windows Vista, run the editor as an administrator or it will not be able to save the file.

Add the following lines under the ‘127.0.0.1   localhost’ entry:

127.0.0.1    av-check-online-scan.com
127.0.0.1    best-downloads-arch.com
127.0.0.1    masterspitetds09.com
127.0.0.1    onlineprivatescan.com
127.0.0.1    antispyware-free-scanner.com
127.0.0.1    scanner.ms-scan.com
127.0.0.1    scanner.micro-antivir-2009.com

It should look like the following screenshot. If you immunize with Spybot (recommended) you’ll also notice a lot more websites listed.

Filtering out bad sites the manual way.

You can save this file (remember, no file extension) and copy it to your users’ computers. This will prevent them from being accidentally redirected to a known site with malicious content. If you find more sites, simply add the domain name to this same file in the same fashion and push it out to your users again. You can use Microsoft’s DS Tools (dsquery) to generate a list of computers and then the standard command-line ‘copy’ to overwrite each computer’s current file with your customized one. If you need to revert, just delete everything and leave a single line with:

127.0.0.1     localhost
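The whole HOSTS procedure above (add the entries, push the file to every workstation, revert if needed) is easy to script so that re-running it after adding a domain does not duplicate lines. The script below is an added example, not from the original post or any tool it mentions. It assumes dsquery (the DS Tools) is installed on the admin workstation, that the account running it is a local administrator on the targets so the C$ share is writable, and that it runs from an elevated prompt.

```powershell
# Added example, not from the original post. Merge the blocklist into the hosts
# file without duplicating entries, then push it to domain workstations.

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Domains from the post. Add new ones here as you encounter them.
$BlockedDomains = @(
    'av-check-online-scan.com',
    'best-downloads-arch.com',
    'masterspitetds09.com',
    'onlineprivatescan.com',
    'antispyware-free-scanner.com',
    'scanner.ms-scan.com',
    'scanner.micro-antivir-2009.com'
)

function Get-HostsNames {
    # Every hostname already mapped in the file, with comments stripped.
    param([string]$Path = $HostsPath)
    foreach ($line in Get-Content $Path) {
        $fields = @(($line -replace '#.*$', '') -split '\s+' | Where-Object { $_ })
        if ($fields.Count -gt 1) { $fields | Select-Object -Skip 1 }
    }
}

function Add-HostsBlocklist {
    # Appends a 127.0.0.1 line for each domain not already present and returns
    # the domains it added. Keeps a .bak copy before touching the file.
    param([string[]]$Domains = $BlockedDomains, [string]$Path = $HostsPath)
    $present = @(Get-HostsNames -Path $Path)
    $missing = @($Domains | Where-Object { $present -notcontains $_ })   # case-insensitive
    if ($missing.Count -gt 0) {
        Copy-Item $Path "$Path.bak" -Force
        # The hosts file must stay plain ASCII with no BOM, or Windows ignores it.
        Add-Content -Path $Path -Encoding Ascii -Value ($missing | ForEach-Object { "127.0.0.1    $_" })
    }
    $missing
}

function Reset-Hosts {
    # Revert to the stock single-entry file described in the post.
    param([string]$Path = $HostsPath)
    Set-Content -Path $Path -Encoding Ascii -Value '127.0.0.1     localhost'
}

function Push-HostsFile {
    # Copy the local hosts file over each domain computer's copy via the admin share.
    # Assumption: dsquery is installed and you are a local admin on every target.
    param([string]$Path = $HostsPath)
    $computers = dsquery computer -limit 0 -o rdn | ForEach-Object { $_.Trim('"') }
    foreach ($pc in $computers) {
        $share = "\\$pc\C$"
        if (Test-Path $share) {
            Copy-Item $Path "$share\Windows\System32\drivers\etc\hosts" -Force
            "$pc : updated"
        } else {
            "$pc : unreachable, retry later"   # powered off or not on the network yet
        }
    }
}

# Typical run: merge locally, eyeball the result, then push.
Add-HostsBlocklist | ForEach-Object { "added $_" }
# Push-HostsFile
```

Push-HostsFile overwrites each target’s entire hosts file with yours, exactly as the ‘copy’ approach in the post does, so any per-machine entries an administrator added by hand are lost; if that matters, run Add-HostsBlocklist on the target instead of copying the file.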

The above sites were a compilation of the URLs I encountered while researching and trying to clean up an infected machine. If you know any other sites related to AntiVirus 2009 that should be filtered, I’d be very grateful to hear them to further reduce the likelihood of my users getting tricked into this site.

Update: I will add more addresses to the list to block as I unfortunately stumble upon them.