I’d love to say that I spend all of my time playing games on the computer, on a tabletop, reading SF/F and enjoying my family. However, all but the last are simply hobbies for the time being, and I support myself with a day job working with computers.
Which means that when friends have problems with computers, I generally get a call. Which leads me to this article detailing a few ways to remove the Antivirus 2009 piece of crap that infested a friend’s machine. Generally speaking I won’t post too many technical articles on this site, but this piece of malware sucks and can seriously impede someone’s ability to use their computer for anything, productive or gaming related. So here’s what I found out and what I did to remove it. If you have further suggestions or techniques that work, please feel free to mention them in the comments.
Malware like Antivirus2009 and others with similar names is becoming more prevalent and harder to remove from Windows systems. It actively disables antivirus/antimalware programs, redirects requests for anti-malware and anti-virus websites, and installs itself as hidden virtual hardware so that it both works in safe mode and reinstalls itself if the ‘software’ is removed from the system.
These things masquerade as Windows updates, or as free online tools that tell users they’re infected by something and offer to fix it, often in the form of a pop-up from the task bar. To the uninitiated they look pretty much like a Windows notification and can be mistaken for valid.
This particular POS (on an XP SP3 machine) was bundled with a hidden process named “TDSSserv.sys”. It’s a service that redirects all software updates (and requests to Symantec’s website, among others) to 127.0.0.1 (your own computer) so that nothing will update. It also prevents Malwarebytes, Spybot, Ad-Aware, HijackThis and more from installing or running. On your machine it appears as a piece of hidden hardware.
What you need to do is go to Start -> Control Panel -> System -> Hardware -> Device Manager -> Show Hidden Devices.
Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
Find “TDSSserv.sys” and right click on it. Choose ‘Disable’. Don’t remove it, because it will just pop back into existence on your next reboot.
Now people will be able to update and use their programs and delete the virus. Malwarebytes worked very well for this. I installed Malwarebytes in safe mode from my USB stick, along with the latest database update from here (also downloaded to my USB drive via a laptop). Running it in safe mode with no networking after disabling the above-mentioned virtual hardware, and then running it again in normal mode, seemed to fix this. AV2009 can block the install of Malwarebytes; a way around this is to rename the install file and then rename the executable used to launch Malwarebytes.
In my research it looks like Avast Antivirus (free version) does a handy job of preventing infection from this nasty thing as well. No mention was made of NAV being effective or ineffective.
For manual cleanup (which is less fun):
Unregister Antivirus 2009 DLL files:
- shlwapi.dll
- wininet.dll
Stop Antivirus 2009 processes:
- av2009.exe
- Antivirus 2009.lnk
- Uninstall Antivirus.lnk
- Antivirus2009.exe
Find and delete these Antivirus 2009 files:
- av2009.exe
- Antivirus2009.exe
- shlwapi.dll
- wininet.dll
- Antivirus 2009.lnk
- Uninstall Antivirus 2009.lnk
Remove Antivirus 2009 registry values:
- HKEY_CURRENT_USER\Software\Antivirus
- HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Antivirus"="%ProgramFiles%\Antivirus 2009\Antvrs.exe"
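To check a machine for the indicators walked through above (the hidden TDSSserv.sys driver from the Device Manager step, and the registry values and files from the manual cleanup list), here is an added PowerShell audit script; it is not from the original post and it only reports, it does not delete anything. It assumes PowerShell 2.0 or later running as Administrator on the affected XP SP3 machine; the service key name, the folders it searches and the Symantec hostname it resolves are assumptions.

```powershell
# Added audit script (not from the original post): reports Antivirus 2009 /
# TDSSserv indicators without changing anything. Assumes PowerShell 2.0+, run as Administrator.
$findings = @()

# 1. The hidden non-PnP driver. Device Manager's "Disable" sets Start to 4 (SERVICE_DISABLED).
#    Key name is assumed from the driver name given in the post.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\TDSSserv.sys'
if (Test-Path $svc) {
    $start = (Get-ItemProperty $svc).Start
    if ($start -eq 4) { $state = 'disabled (Start=4)' } else { $state = "active (Start=$start)" }
    $findings += "driver key present: $svc, $state"
}

# 2. Registry keys and the Run value the post says to remove.
foreach ($k in 'HKCU:\Software\Antivirus', 'HKLM:\SOFTWARE\Antivirus') {
    if (Test-Path $k) { $findings += "registry key present: $k" }
}
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty $run -ErrorAction SilentlyContinue).Antivirus
if ($runVal) { $findings += "Run value 'Antivirus' = $runVal" }

# 3. Files and shortcuts from the post. shlwapi.dll and wininet.dll are also the names of
#    legitimate Windows libraries in System32, so only copies outside that folder are reported.
$names = 'av2009.exe', 'Antivirus2009.exe', 'Antvrs.exe', 'Antivirus 2009.lnk',
         'Uninstall Antivirus 2009.lnk', 'shlwapi.dll', 'wininet.dll'
# Search locations are assumptions (the post does not say where the files live).
$dirs = "$env:ProgramFiles\Antivirus 2009", "$env:USERPROFILE\Desktop", $env:APPDATA, $env:TEMP
$sys32 = "$env:SystemRoot\system32\*"
foreach ($d in $dirs) {
    if (-not (Test-Path $d)) { continue }
    $hits = Get-ChildItem $d -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $names -contains $_.Name -and $_.FullName -notlike $sys32 }
    foreach ($f in $hits) { $findings += "file present: $($f.FullName)" }
}

# 4. The redirect symptom described in the post: a vendor hostname resolving to loopback.
#    Hostname is an assumption; the post only says "Symantec's website".
$h = 'www.symantec.com'
try {
    $ips = [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString }
    if ($ips -contains '127.0.0.1') { $findings += "$h resolves to 127.0.0.1 (traffic redirected)" }
} catch { $findings += "$h did not resolve: $($_.Exception.Message)" }

if ($findings.Count -eq 0) { 'No Antivirus 2009 / TDSSserv indicators found.' }
else { $findings | ForEach-Object { "FOUND: $_" } }
```

Run it after the Device Manager step and a reboot rather than before, since an active rootkit driver can hide its own keys and files from queries like these; a clean report while the driver is still active proves nothing.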
April 27th, 2009 at 9:42 pm
Ben, I got to Non-Plug and Play Drivers and TDSSserv.sys was not there. Is there anywhere else it could be hiding?
May 1st, 2009 at 2:13 am
Your blog is good… I’m happy to come to your blog, friend.
May 5th, 2009 at 10:41 pm
Thanks, your info is very good.
May 6th, 2009 at 5:59 am
thank you for solving my problem!
May 16th, 2009 at 5:59 pm
Got to Non-Plug and Play Drivers but couldn’t find the next step… the TDSS thing. Please help.
May 21st, 2009 at 3:16 am
I’m happy to come to your blog, friend; very good info.
May 27th, 2009 at 1:21 pm
Don’t know for sure if it handles AV 2009, but when all else fails COMBOFIX.EXE gets the job done (get it from majorgeeks.com or bleepingcomputer.com via a Google search). That program has saved me (and my in-laws, etc.) a dozen times, including rootkit infections.
May 27th, 2009 at 1:22 pm
Good find in Combofix.exe – I have not heard of that yet. I’ll check it out!
June 2nd, 2009 at 8:26 pm
Thanks for it!
June 11th, 2009 at 7:59 am
Many thanks for this great article. :)
June 16th, 2009 at 4:26 am
Hmm, you have to remove the antivirus first: go to the Control Panel and uninstall it.
June 17th, 2009 at 8:33 am
This is important to know! Can these instructions be applied to other antivirus software as well? These days my free antivirus doesn’t seem to be working. It was recommended as good by most antivirus users. My computer is running very slowly. Hmm, confusing.
July 8th, 2009 at 9:00 am
Thanks! This was my problem too. Very helpful.
July 31st, 2009 at 1:00 pm
Firstly, thanks for taking the time to share this with us. There are occasions when it resists uninstalling; I would only add that I have to do this from Windows safe mode, which only loads the processes that start with the PC, and then you are free to uninstall or install anything you like.
September 24th, 2009 at 2:23 pm
Thanks, I needed that. Very helpful.
September 28th, 2009 at 11:48 pm
Thanks for your tips. But I have a problem with my PC: I cannot open the drives because autorun appears. I use different antivirus programs but autorun is still on my PC. Do you know how to remove autorun? I found on the net that autorun is not a virus and is part of Windows, but I think autorun has been infected by a virus.
October 18th, 2009 at 4:15 am
Great information, thanks for that
November 16th, 2009 at 7:17 pm
Thanks for the very helpful post. This information has helped run my games a lot quicker.
November 16th, 2009 at 11:05 pm
This is a nice post… but… can you help me… how to deal with the “sality virus”?
The Sality virus has corrupted my data.
November 22nd, 2009 at 8:53 pm
Important things that I should know.
Can it be used for all antivirus programs?
November 22nd, 2009 at 11:45 pm
Thanks admin, this is a good explanation of how to remove the antivirus2009 malware; my computer is now free from malware. Just an addition, of course: after deleting antivirus2009 we must immediately install Kaspersky, or if required we can install it in order to deppreze viruses so that other viruses cannot enter our computer system. What do you think?
January 6th, 2010 at 5:10 pm
Hi Ben, it is a nice tutorial. I want to advise you to use Avira AntiVir; I realized that it is the best antivirus, as it is very fast at scanning and never slows your PC. I tried most antivirus programs but all are crap.
It only takes 13 MB of my RAM. Try it and tell me your opinion; I hope this helps you.
January 21st, 2010 at 5:12 am
thank you for solving my problem!
February 1st, 2010 at 9:51 pm
I went to a medieval jousting weekend and saw some one-on-one combat. This game is nearly so close to the real thing that I saw; I am now hooked on this. Block, parry, swing, stab, roll, jump back – not just with the same key – you can do any at any time; just make sure you have your stamina or you’ll end up puffing! It has something RPGs don’t: it isn’t button mashing, it’s tactics, and each hit and block can be felt through the rumble.
This game has fire explosions… surround sound roars!