XP Antivirus 2008 Morphs into XP Antivirus 2009 – Still Lies!

Rogue security software developers are not unlike legitimate software developers; they are both fond of updating their products.

The cyber criminals behind the development of XP Antivirus 2008 have just morphed this parasitic rogue security software application into XP Antivirus 2009.

So now we have one more software parasite to add to the epidemic of rogue security software infesting the Internet.

A rogue security application like XP Antivirus 2009 is an application that uses malware, or malicious tools, to advertise or install itself. Unless you have had the bad experience of installing this type of malicious software, you may not be aware that such a class of software even exists. But it does; and regrettably it is becoming more widespread.

Just like its predecessor, this particular rogue security software’s installer (ZLOB/MediaAccess Codec) is usually found on adult websites, or it can be installed manually from rogue security software websites like antivirus-scanner.com or antivirus2009.com.

After the installation of XP Antivirus 2009, be prepared for false positives: fake or false malware detection warnings. As with all rogue security applications, XP Antivirus 2009 was developed to mislead uninformed computer users into downloading and paying for the “full” version of this bogus software, based on the false malware positives generated by the application.

If the full program fee is not paid, XP Antivirus 2009 continues to run as a background process incessantly reporting those fake or false malware detection warnings. To really try your patience, this rogue security software cannot be uninstalled using the Windows Add/Remove Programs tool.

Generally, reputable anti-spyware software is capable of detecting rogue software if it attempts to install, or on a malware scan. But this is not always the case. Anti-malware programs that rely on a definition database can be behind the curve in recognizing the newest threats. Nevertheless, it is critically important that your anti-malware program’s definition database is always kept current.

An additional safeguard is to ensure you have installed, and are running, an anti-malware application such as ThreatFire 3, free from PC Tools. This type of program operates using heuristics, or behavioral analysis, to identify newer threats.

As well, Malwarebytes, a reliable anti-malware company, has created a free application to help keep you safe and secure. RogueRemover (latest version released May 30/08) will safely remove a number of rogue security applications.

SmitFraudFix, available for download at Geekstogo, is a free tool that is continuously updated to assist victims of rogue security applications.

A further resource worth noting is the Bleeping Computer web site where help is available for many computer related problems, including the removal of rogue software.

For another view on removing malware, check out Malware Removal Techniques by my good buddy TechPaul.

An absolute necessity is to make sure that any security application you are considering installing is recognized as legitimate by industry experts. An excellent web site that will keep you in the loop, and advise you what products work and have a deserved reputation for quality performance is Spyware Warrior.

What you can do to reduce the chances of infecting your system with rogue security software:

  • Be careful in downloading freeware or shareware programs. Spyware is occasionally concealed in these programs. Download this type of program only through reputable web sites such as Download.com, or sites that you know to be safe.
  • Consider carefully the inherent risks attached to peer-to-peer (P2P), or file sharing applications where exposure to rogue security applications is widespread.
  • Install an Internet browser add-on that provides protection against questionable or unsafe websites. My personal favorite is Web of Trust, an Internet Explorer/Firefox add-on that offers substantial protection against questionable or unsafe websites.
  • Do not click on unsolicited invitations to download software of any kind.


60 responses to “XP Antivirus 2008 Morphs into XP Antivirus 2009 – Still Lies!”

  1. Another great post Bill, these guys are clever and motivated. One security expert I heard recently stated that some of these malware vendors and their associated data theft operations are making 100’s of millions a year!
    Another interesting tool I recently heard of is Returnil, which creates a virtual environment on your PC similar to SandboxIE. It has a low resource penalty while being pretty thorough. A little more of a hassle than SandboxIE as you need to reboot to turn it on or off, but possibly a little more effective. It appears to be free for personal use so check it out.
    Keep up the good work.
    Cheers
    Mark
    P.S. oh and a shout out to “The Mike Tech show” podcast where I heard about it, it’s one of the best hands on computer help podcasts out there.

  2. t owczarski

    My home computer is infected with the xp antivirus 2008 rogue software. It has grown like a cancer and has attacked my .dll files and I no longer can use my Internet Explorer to log on to the internet. I was told by a customer support person at Dell computer that eventually it will destroy all my files and I’ll have nothing but a blue screen. I’ve tried several removal tools that require you to buy their full program and since I can’t get on the internet I’m dead in the water. Is there any free program that actually works? I’ve tried pc tools, Avira, Spy Hunter, a squared & others. HELP!!!

  3. joost

    I just cleaned a customer’s pc with this tool, very fast and efficient (less than 30 minutes):

    http://www.internetinspiration.co.uk/roguefix.htm

    Make sure to follow the instructions:
    – The tool must be run in safe mode.
    – The rest of the procedure is, however not strictly necessary, useful to clean left over clutter and to prevent future infections like this.

  4. Lewis Balentine

    What gets me is why these people are still not in jail (or better yet dead). They are collecting (or at least trying to collect money). Seems like one of our otherwise useless government agencies could follow the money trail and do something about them.

  5. Pingback: Bookmarks about Shareware

  6. Rebecca

    I ended up purchasing the Anti Virus XP 2008 as I panicked that the virus would wipe out the computer. They have already billed my account for a number of charges I did not authorise and invoiced me. Is there any way I will get my money back and should I now change my banking details?

  7. Scott

    What an awesome page this is, thank you. Unbelievable what this thing did to my laptop. No access to task manager, no access to “my computer”. Pop-ups everywhere. Tried spybot, fixwareout, hijackthis to no avail. Might as well not have had Black Ice and Norton. Somehow I maintained the presence of mind to realize I was getting seriously bent over. I swear to God “breaking on the wheel” is a good punishment for these psychopaths. Luckily I keep most of the important stuff, including a script I’m writing, externally, so I re-formatted (2X). I know, NOT a good solution for people with all their stuff on the C drive. I’ll try the freeware, but basically I’m going to keep myself prepared as much as possible to have to scrub the hard drive at a moment’s notice. Bastards.

  8. K.A.Lehnsdal

    According to Internet sites (Antivirus2009), the malware proceeds from Kaspersky Lab–It has run in U.S.A., – France, – Spain, – and Germany, and is now entering Denmark…+

  9. Janet M

    I also purchased this software out of fear and they are continuing to bill my account for charges I did not authorize. I have called the billing company and emailed them without success. I just got off the phone with a foreign country who told me he couldn’t help me even though they say they can help 24-7. I contacted my bank 2 days ago and found out I had to wait till they received the order and I was charged (at that time the charges were pending). The charges were removed yesterday and back on today with additional charges. Anybody got any ideas how to stop this? I emailed the FTC and plan to call them tomorrow.

  10. I found the 2008 version of this virus on a co-worker’s PC and removed it as follows. 1) looked for odd processes in tack manager. 2) In windows explorer looked for files in c:\windows\system32 and sorted the files by date at the top. 3) Compare these files to the processes in task manager. 4) Terminate these processes and check them in www.processlibrary.com. 5) Run REGEDIT and go to subkey HKEY_LOCAL_MACHINE, SOFTWARE MICROSOFT, WINDOWS, CURRENT VERSION, RUN. Look for the lines that start the malware processes and not where they are loaded from. 6) delete these lines and in Windows Explorer, delete all the files in the malware folder and delete the folder. 7) Re-boot and pray….

  11. Two typos in the above fix. It should read Task Manager and Note where the files are loaded from in the registry.
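A read-only PowerShell version of the check described in comments 10 and 11 above, added here as an illustration and not code from the post or its commenters: it lists Run-key autostart entries beside the creation time, signature status and running state of the file each one launches, then lists executables recently created in System32. The 14-day window, the extra HKCU key and the helper name `Get-CommandPath` are assumptions of this example.

```powershell
# Added example: read-only triage of Run-key autostart entries.
# Nothing is terminated or deleted; the output is a list to review by hand.
param(
    [int]$RecentDays = 14    # assumption: "recent" = created in the last 14 days
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',  # key named in the comment
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'   # per-user twin (added here)
)

function Get-CommandPath {
    # Hypothetical helper: pull the executable path out of a Run value such as
    #   "C:\Program Files\App\app.exe" /background
    #   C:\WINDOWS\system32\example.exe -arg
    # For "rundll32.exe some.dll,Entry" it returns rundll32.exe, so read the
    # Command column of the report as well.
    param([string]$Command)

    $text = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($text -match '^"([^"]+)"') {
        $path = $Matches[1]
    } elseif ($text -match '^(.+?\.(exe|com|bat|cmd|scr|dll))(\s|$)') {
        $path = $Matches[1]
    } else {
        $path = $text
    }
    if ($path -and $path -notmatch '^([A-Za-z]:\\|\\\\)') {
        # Bare file name: resolve it through PATH the way the shell would.
        $found = Get-Command -Name $path -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($found) { $path = $found.Path }
    }
    return $path
}

$cutoff = (Get-Date).AddDays(-$RecentDays)

# Step 1 of the comment: what is running right now, keyed by image path.
$running = @{}
foreach ($proc in Get-Process) {
    if ($proc.Path) { $running[$proc.Path] = $true }
}

# Steps 3 and 5: walk the Run values and tie each one to a file and a process.
$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        $path    = Get-CommandPath -Command $command
        $file    = $null
        if ($path -and (Test-Path -LiteralPath $path -PathType Leaf -ErrorAction SilentlyContinue)) {
            $file = Get-Item -LiteralPath $path -Force
        }
        $created   = $null
        $signature = $null
        if ($file) {
            $created   = $file.CreationTime
            $signature = (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status
        }
        [pscustomobject]@{
            # Review is a prompt to look closer, not a verdict.
            Review    = (-not $file) -or ($created -gt $cutoff) -or ($signature -ne 'Valid')
            Key       = $key
            Name      = $name
            Path      = $path
            Created   = $created
            Signature = $signature
            Running   = [bool]($path -and $running.ContainsKey($path))
            Command   = $command
        }
    }
}

# Step 2: executables that appeared in System32 inside the same window, newest first.
$system32 = Join-Path -Path $env:SystemRoot -ChildPath 'System32'
$recent = Get-ChildItem -LiteralPath $system32 -File -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.CreationTime -gt $cutoff) -and ($_.Extension -in ('.exe', '.dll')) } |
    Sort-Object -Property CreationTime -Descending |
    Select-Object -Property Name, CreationTime, Length

$report | Sort-Object -Property Review -Descending |
    Format-Table -Property Review, Name, Path, Created, Signature, Running, Command -AutoSize -Wrap
$recent | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the image paths of other users' processes are visible. Entries marked Review are candidates to look up, not proof of infection.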

  12. peppermint

    To Janet M. Ask your bank to issue you a new credit card and transfer your balance from the old card to the new card so these scums cannot keep billing you. If you paid by checks, cancel your checking account and open a new one. Hope that helps.
    I am a victim of the 2009 so called antivirus, too. I am going to submit a complaint to FTC so they can put these criminals behind bars.

  13. jennifer

    I downloaded this too! I already see the pending charge to my bank account. I am so angry! It said a one time charge of 49.95 so I am wondering if there will be any other charges. I guess that I better not take any chances and cancel the bank card right away.

  14. Janet M

    Thanks, peppermint, I had already contacted my bank and cancelled my card. They are investigating and have credited my account. The spyware billing company has credited me back a whopping $3.30 of the $113.00 they charged. To all you who have been victims get your banks involved in the investigation. Maybe this will help put these thugs behind bars. I am also going to contact my state’s reps and the BBB. Good Luck to all.

  15. peppermint

    You can also report them to http://www.ftc.gov or http://www.ic3.gov. These two are government agencies dealing with unfair trade practices or crimes. We really need to put these criminals behind bars. The world is better off without them.

  16. rum

    3 times I’ve been contacted about both the 2008 and 2009 versions. Usually I do a full reload of the operating system, painfully ignoring the malware while backing up the user’s data. But just yesterday, I discovered that a simple system restore solves the problem without having to scourge the web for hours and downloading even more crap.

    The best antivirus out there is your awareness, so this is an outstanding blog. Don’t slow your computer down with countless add-ons and malicious software removers… all you have to do is be CAREFUL of what you download, and be even more careful of what you install.

  17. gary

    Contact your credit card company and dispute this charge. My VISA company refunded the amount without question.

  18. Rob

    I was hit by xp antivirus a few days ago..source unknown as I was not using the pc – this newer version made it so I could not run system restore; could not get to the windows graphics setting to remove the ‘blue’ xp screen – in fact stopping the startups with msconfig; or safemode did not really help me to get rid of this thing – pulled the plug – reformatted c:\ – and now crossing my fingers. I also tried pctools…but did not try spyzooka. These devils are good at what they are doing….organized crime???

  19. Unknown

    For those of you who have purchased this software and have noticed that they have been billing your account on several instances please contact your bank and file a merchant dispute.

  20. Queen

    OMG. I purchased the antivirus XP 2008 a few nights ago and it also said that the product was for $49.95 but $190.00 was taken out of my account. This is insane. I have been trying to contact them, but when you put in your email address all it says is UNKNOWN EMAIL (bs). The sad thing about it is, I was searching online to find their phone number and headquarters and it brought me to this site. So many of us have been affected by this bull crap.

  21. Ilya

    I just used Malwarebytes and it found 15 infected files with various Trojans. I used this software to remove all files and it said there were a couple it could not remove but the problem seems to be fixed. I’m not getting any more pop-ups and I’m not getting directed to the Antivirus 2009 site anymore. Anyone that seems to be infected by these f’ers should download Malwarebytes. You can follow the link in the article above to Download.com and get the software for free.

  22. Liza

    These people drove me crazy with their phony junk for 2 days, I finally used StopZilla to get rid of it (I hope for good) and have since reported them to the FBI’s cyber crimes unit. Let’s see if they can stand a federal investigation.

  23. Liza

    For those of you who have been taken in by this ultimate bait and switch scam, report them to the FBI Cyber Crimes Unit. I know that dealing with the feds can be scary, but the only way to put a stop to these people is to have them taken down by the powers that be. The more that they are complained about the faster something will get done. By the way, what they are doing to you is against the law, it is called FRAUD and should be reported immediately.

  24. Another tool I’ve had success with when removing these programs is SmitFraudFix: siri.geekstogo.com

    Small program, easy to follow.

  25. Matt

    I am a pc tech and have encountered countless instances of the XP Antivirus. They come in different flavors, with these being the most popular:
    XP Antivirus 2008, XP Antivirus 2009, Vista Antivirus 2009, and PowerAntivirus.

    Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) can be used to clean these – I have used it successfully on every occasion. Combofix is also a free program.

  26. Rich

    I have just faxed 27 pages of documentation and emails to my bank to get credited for these lazy scumbags and their phony XP Antivirus 2009 software. My bank has credited my account and is going to enter a dispute with the company. When I reported the problem to XPAV I was continuously given a link that eventually took me to a URL to ‘purchase’ the software (again). After numerous emails, I requested a refund. Every 5 days or so I get the runaround..”send your request to ###”, “call ###”. Sure until the 30 day refund period expires. Then I’ll get an email “Sorry ..you’ve exceeded 30 days”. Aside from the pop ups, the screens there was no way to close and the overall slow performance, I should have known from their disclaimer they cannot bill the same credit card more than once. They are no better than terrorists. Fry them!

  27. PadLocked

    There is a successor to antivirus xp 2008, this is just detected by some security expert called Antivirus XP 2009. http://www.precisesecurity.com/blogs/2008/09/02/antivirus-xp-2009/

  28. angelspit

    Can someone post the names and contacts of the companies that are showing up on the bills?

  29. john

    hello all, i had this virus myself until i went to http://forums.majorgeeks.com/showthread.php?p=1229620 so now im just spreading the message cuz i know how horrible and annoying this is and i only find it as a duty to do so. these guys are exactly what the link says, computer geeks, and great help. i fixed it following their instructions. just go to the link. good luck

  30. Alex

    As somebody said above, malwarebytes works wonders! Out of curiosity I downloaded cleaner2009 and antimalware2009. They did no harm to my laptop with NO av on it, and malwarebytes completely removed everything. PopupNukePro is by them, and amazingly works and was not detected by ANY app as malware!

  31. Bruce

    I had this a few weeks ago. No idea where it came from, was on my gaming PC that I barely use for anything else. I don’t have any antivirus on there because of performance hit, I like to think I’m reasonably computer savvy but it looked so convincing it nearly fooled me into buying it until the pushy sales and typos hit home and I looked on Google. I’d have thought Microsoft would have a legal interest in stopping this scam, since it purports to be a genuine MS app to con money from Windows users :-/

    The way I removed it was with using Spyhunter to find the files, then deleted them all manually and did the rest through regedit. It came back a couple of times on reboot but only as a different .exe sitting there waiting to be activated (bram.exe or whatever it was) that spyhunter again found and I deleted, that was 4 weeks ago and it’s been fine since. Even Nod32 couldn’t find it.

    Moral of the story, always take an interest in what’s running on your computer, if you find something you aren’t sure about, Google it and then kill it if you don’t need it.

    If you got fooled like I almost did and paid for this c**p then I feel sorry for you, good luck getting your money back from these clowns.

    • billmullins

      Bruce,

      I’m surprised Spyhunter was up to the task of removing XP Antivirus 2008, or
      XP Antivirus 2009, since it ranks consistently in the lowest 20% of
      anti-malware tools.

      Frankly, I would advise my readers NOT to use Spyhunter, but instead to use
      the free tools recommended in the article which in fact, do work.

      Recently, Microsoft has taken steps to sue the developers of this rogue
      application.

      As you say, the moral of the story is to always be aware of what’s running
      on your computer.

      Bill

  32. What will remove this nasty program is spybot search and destroy (http://www.spybot.com/index2.html) it’s free and works every time. I run across this issue a lot (twice in the last two days) and have removed all versions using spybot. The trick is to install spybot first and let it run till completion this takes a while sometime an hour or more. Then fix the problems listed in spybot and immunize the system. Reboot and you are free.

    When the computer is infected it takes forever to boot up and what you do is just wait it out till all the rogue screens are up and you can kill them. I disable IE because virus is using the security holes in IE to disable you accessing the net. Just use Firefox to d/l Spybot or have spybot on a flash drive. But in order for spybot to install it must have internet access. If you do not have Firefox on the machine have it on a flash drive to install.

    If you are foolish enough to use a shareware program you must purchase you are just throwing money away. This is a nasty and difficult issue to resolve I would like to hang the crooks who are doing this.

    When using spybot be patient and let it work. If it bogs down just restart and try again. Give yourself about 2 hours for this process. You may find as many as 100 rogue entries in this process.

    • billmullins

      Hi John,

      Thanks for the tip. Good to see that Spybot Search and Destroy is now
      capable of removing this nasty.

      Bill

  33. tim

    BLEEPING COMPUTER HAS THE ANSWER! I DOWNLOADED THEIR MALWARE REMOVAL… AND IT KICKED ANTIVIRUS 2009’S BUTT RIGHT OFF MY LAPTOP!! PLEASE NOTICE THE CAPITAL TEXT AND EXCLAMATION MARKS!!! I AM SOOOOO HAPPY WITH THE RESULTS!!! BEST PART WAS I PAID NOTHING!!

    • billmullins

      Hey Tim,

      Wow. I hear ya.

      I’ve had occasional correspondence with Larry Abrams over at the
      BleepingComputer site. He provides a greatly needed public service, and
      without a doubt, he’s always on top of the latest threats.

      I agree with your EMPHASIZED sentiments entirely. In fact, in the last 60
      days alone, his free malware solutions have been downloaded over 8,500 times
      through my site.

      Bill

  34. Vicky

    Thank you Bill Mullins! So glad your website was in the first 5 that popped up when I googled xp antivirus 2009. After getting info from a couple of sites on how to get rid of the VIRUS (which is all it is, certainly not a legitimate product), I logged on to your site to see what your recommendations might be for a free, legitimate software that could get rid of this annoying pop up. Malwarebytes from bleepingcomputer.com was one of your recommendations, and one I had read up on, so I trusted it was legit — and it was! I downloaded the provided instructions, and poof! that annoying, fraudulent program is gone. You can trust this one people.

  35. Vicky

    I’ve been thinking about this for over a day now — I was “infected” with the xp antivirus 2009 but have since taken care of the problem (see above). But what I REALLY want to know at this point is — how in the world did it get on my laptop? I assumed the cybercreeps somehow found that my mcafee program had expired and they were able to get in, but that’s too simplistic, isn’t it? The few in my family who use that laptop swear they don’t download things – just safe things like itunes – which I hope is true. My son also uses it to hook up to the internet to play games with others out in cyberspace on his ps3.

    So my question to you, Bill, is this — is the only way that the xp antivirus 2009 could get on my computer is through a download (accidentally I hope) hidden inside of something else that got legitimately downloaded? If not by a download, then how? Thanks!

    • billmullins

      Hi Vicky,

      The best way to answer your question is with the following piece, taken from
      my article of today, on a new rogue application, Perfect Defender 2009:

      *Unfortunately, Perfect Defender 2009 can be installed on a computer system
      without any action on the part of the user. Delivery methods used by this
      parasite include dropping a Trojan, in this case the infamous Zlob Trojan,
      and Internet Browser security holes. It can also be downloaded voluntarily,
      from rogue security software websites including defender2009.com, the
      website described earlier, or from “adult” websites.*

      Technically, a download (transfer), must occur before malware can be dropped
      on a system. However, the Internet is not the only manner in which this can
      occur. With the increasing popularity of USB drives, iPods (which are
      essentially USB drives), and even digi cams, malware can be installed on an
      unsuspecting victim’s computer.

      It’s not uncommon for USB sticks to be exchanged or to allow family members
      to insert USB sticks, or digi cams into our personal machines. The problem
      is of course, often we don’t know where these drives have been previously.

      This is not an overstatement – please read Steal Your Friends Passwords and
      Software Licenses,
      on my site.

      I continuously recommend, Internet users install the following 2 free
      applications to guard against malware insertions:

      WOT (Web of Trust) Internet Browser protection – there are a number of
      articles on my site referencing this application.

      ThreatFire – again, there are a number of articles on my site referencing
      this application.

      Additionally, reading my article “Minimum Security Precautions for New
      Internet Users”,
      may be instructive.

      Bill

  36. Anastazya

    Well, I had past experience removing XP Antivirus 2008, XP Antivirus 2009, Vista Antivirus 2009, and PowerAntivirus, and in my experience Malwarebytes was the best. A question though, to those who maybe have more experience than me:
    is there ThreatFire support for x64 operating systems? I was unable to find that information on their website.
    Thank you.

  37. Candace

    AntiVirus 2009 is a virus! I figured that out just about a week ago.
    I’m sorry if that disappoints you but it is true. SORRY BILL but Antivirus 2009 is just a scam. My dad downloaded it and paid like $80.00 for it and it just hacked my computer and we had to buy a new one cuz of it. There is my evidence that it is just a fake! If you believe that it will help, Bill, then you are wrong because it doesn’t at all. And you are right! It does lie! THEY LIED ABOUT EVERYTHING!!!! Please notice the capital letters and more exclamation marks. I am so MAD at AntiVirus. In fact, I’m FURIOUS! And to every one who is reading this, now you know the truth about AntiVirus 2009. It wouldn’t let me go on any of my websites and they all didn’t have a virus. I even made sure with Norton. And you are right Janet M!! It does do that! I hate AntiVirus now!!! Bill PLEASE write back about anything you know that has to do with AntiVirus because I want to put those ppl that do AntiVirus behind bars or at least make them pay a fee! Oh and if you didn’t know that happened last year so I meant antivirus 2007 now I am 18 so yeah. BILL PLZ WRITE BACK AS SOON AS POSSIBLE!! I AM BEGGING YOU! PLZ

  38. Candace

    I know I just wrote but I have 1 more thing. every one including bill who helped with that scam thank you and you saved my computer! especially you john warnken and peppermint lol thanx and bill plz give me some tips about this so I can do something about it and tell ppl thanx again c ya

  39. Candace

    lol woops I mean about a year ago I figured out the truth about antivirus 2008

  40. peppermint

    Just yesterday I was using my company’s computer. I was on the Google website. A warning popped up and asked me to install antivirus 2009 because my computer had virus. Having been a victim of antivirus 2009 not too long ago (I was infected in August 2008), I recognized it was a scam. So I pressed control+alt+delete to shut down the internet. This was the third time I saw this warning popped up on the Google search site. I thought the FTC had put these criminals behind bars or did something about them, but obviously not.

  41. From what I’ve seen, 2009 actually installs on your computer through a security hole provided by another virus. I’ve observed several instances where a browser had been hijacked, only pointing to sites which hosted the XP Antivirus

  42. I have already posted about my success with removing Xp Antivirus 2008-2009. Since I am a Tech, I should thank these Russians who made this as it has been my major source of income of late. (just kidding) The more I remove it the more I learn.

    OK when removing this is the three step process I use. First run your antivirus from scratch. I have avast on a flash drive and run avast first. http://www.avast.com free home edition. Uninstall any antivirus you have especially Norton or McAfee.

    One of the issues you will find with this virus is the browser hijacking and or blocking of internet access. When you run Avast from scratch and do a clean reinstall it will eliminate the browser redirects. This is only temporary mind you as there is more to do in the process.

    After you run Avast then install Spybot Search and Destroy also free and run till it finishes. You will need internet access to install Spybot whether you have it on a flash drive or from a download. (www.safer-networking.org) Now you can jump through a lot of hoops trying to fix the browser redirects but Avast will fix it for you.

    When the system reboots install and run Spybot.
    You will need internet access to finish the install

    Spybot will take a while and sometimes gets bogged down. Be patient and let it work. When finished you will see the rogue aspects of this virus in Spybot. Fix the problems then immunize. You may want to run Spybot a second time just to be sure. This is a slow process and can take as long as an hour depending on the size of your hard drive.

    When all done here then use CCleaner http://www.ccleaner.com another free program. Run all aspects of ccleaner and it will both speed up and tune up things. It has a nifty little program remover and its good to get rid of any unnecessary programs now. Be sure to remove any of the browser toolbars. These are a big source of problems.

    For the next few hours expect Avast to start finding all kinds of problems so just kill these and let it do its job. Delete or quarantine everything.

    I have all three of these programs on a flash drive before I start. Avast, Spybot and Ccleaner. All are free and excellent to use and highly recommended, There is no need to pay for any spyware removal program. What you need is time and patience here. Plus the knowledge of what to expect in the process.

    This will take upwards of three hours to fully complete. Some systems are more infected than others. Rather than spend hours fooling around with manually killing a process and all that just start with the complete virus scan first. Be sure however you have removed any current antivirus first.

    Also I suggest you have Firefox on the flash drive if you need an alternate browser. You may also want to disable Internet Explorer. Since you cannot remove IE what you can do is block it from internet access. You do this by setting a dummy proxy server at 0.0.0.0

    Do this by going to Tools, Internet Options, Connections, LAN Settings check the box proxy server set to 0.0.0.0 then OK now you have blocked access to the internet for IE. To unblock remove the proxy.

    Now get smart and use Firefox, Opera or KMelon anything but IE.

    I feel it’s bad enough this virus is causing all this work and pain and suffering. To pay for a Spyware remover program is to add insult to injury. What you need here is time, patience and knowledge. John Warnken

  43. G Berg

    Good advice John. I ran into a very bad outcome today removing XP Antivirus 2009. I found from doing battle with Antivirus 2008 on several machines that Malwarebytes does a great job of removing this family of garbage-but not today. My usual routine is to:
    1. run Malwarebytes and check all found infections for removal on reboot.
    2. Reboot in safe mode and run Malwarebytes again.
    3. Reboot, turn off system restore and do a full system scan with AVG Free, remove anything it finds.
    4. Reboot and turn system restore back on.

    Usually works, but this time I think AVG removed winlogon.exe because it was infected by Antivirus2009. Now you can’t reboot in safe mode, debug mode, command line or anything else. You go immediately to user logon, load personal settings, then right away to saving your settings and shutdown. Nothing usable in between.

    I’m posting this to warn others about this behavior. I’m not sure if the older renditions of Antivirus corrupt winlogon, but XP Antivirus 2009 certainly does, leaving you with the very time consuming job of format/reinstall or buying a new hard drive, installing Windows and using your old trashed HD as a slave to get the files off that you need.

  44. One more post on this issue. I only use free open source applications. Malwarebytes will remove the problem yes but in order to keep a reinfection you must buy the paid version. I feel this is just a come on to sell you a program. Bad enough you have to deal with the time involved. Again I will say Spybot Search and Destroy is free and will protect from reinfection again it’s free. I have used this countless times all with no problems.

    Per the issue with AVG a good free antivirus but it comes with problems. I use AVAST it’s free and seems to work with no issues. I find it amusing that Norton will not stop these issues.

    There were a few times I used Combofix for more difficult removals but again I use Spybot to protect from reinfection. Combo fix uses command line to work and may scare off those who have never worked in that environment. Again this is free just read the directions to use properly and be patient.

    The issues here is not just removal but protection from reinfection.

  45. larry

    I’ve been infected bad with this thing! It’s locked me out of my desktop and task manager completely. I have no desktop icons or task bar. I also cannot get to my task manager as it’s been disabled. Safe mode doesn’t work either. Short of formatting the hd, is there a way to get my desktop back? I tried the Avast bootable cd, but the GUI is too large for my screen in safe mode.

  46. To answer the above question: D/L ComboFix, Spybot S&D and Avast on a flash drive. Reboot in safe mode and run ComboFix first; it runs in command line… it takes a while. When finished, reboot again in safe mode and run Spybot Search and Destroy. This may take an hour or more itself. When this is finished, then install and run Avast free home… let it reboot and scan the drive. The operative word here is patience, it will take a while… make sure you let all the programs finish. If in doubt, do it again. Keep rebooting in safe mode and try all the options and be patient. You may also try a system restore; if you can boot into safe mode with command line, you can do a restore there. This may help: http://www.tech-recipes.com/rx/780/execute-system-restore-from-the-command-line-safe-boot/

  47. This is a really informative post about these rogue applications, which incidentally is the second one I have seen today. The other issue with the infection of these programs is that the perpetrators have some degree of SEO skills and have good Google placement, which to some degree legitimises their sites in the eyes of consumers. It is articles such as this that thwart these dangerous applications and spread the word. Please keep up the good work!

  48. maggy

    Has anyone used cleaner2009? Gosh, I think these people ripped me off =[

  49. Ron_B

    I have removed Antivirus 2009 from several friends’ PCs using the Malwarebytes program. I am just wondering who are the people behind Antivirus 2009 and why can’t they be found and shut down? Where does the money go when someone pays for the bogus antivirus? I’m guessing that maybe they are offshore, but it seems like something could be done to at least block their activities.

  51. Use ComboFix to clear it up.
    It might leave one or two files behind for you to clean up, but you can find them within the log file. I’ve cleaned up a few clients’ computers with this and I recommend it 100%. Use the Bleeping Computer link for a safe download.

  52. A tip for the users that got infected with the XP Antivirus 2009.
    In most cases that I have seen and repaired, I have noticed the first thing that happens to the computer is the user will be denied access to different applications such as Task Manager, Run and others. I have figured out a quick way for you to gain access to those functions. Go to your Start menu -> Control Panel -> User Accounts. Once you are in the account manager, create a new admin and switch over to that user: Start -> Log Off -> Switch User. Once you are logged on as the new admin, go back to your user accounts and change your original user to a limited user. This gives you exclusive new rights as an admin and allows you to access Task Manager, Run, your spy remover and other programs you couldn’t get to before, thus allowing you to at least find the root of your problem. After you have done this, run your program; I suggest ComboFix……

  53. Hi Bill,

    No problem. I’m always happy to give a pointer when I can. I think your blog is great, and I will definitely be making comments on a few other topics you have going. Thanks for the site.
    As for Antivirus XP 2009, I have been working on ways with a couple of colleagues that can remove AV-XP 2009 and a few other rogue programs quickly and completely. Maybe I will post a quick way to get rid of it step by step for everyone to use…

    Talk to you later.

  54. Matt

    I used Spybot S&D; it did it fast, but I really think these thugs should be shot lol

  55. hanum

    I use Avira as antivirus. Thanks a lot for info sharing. Nice reference posting ^_^