I’d love to say that I spend all of my time playing games on the computer, on a tabletop, reading SF/F and enjoying my family. However all but the last are simply hobbies for the time being and I support myself with a day job working with computers.
Which means that when friends have problems with computers, I generally get a call. Which leads me to an article detailing a few ways to remove the Antivirus 2009 piece of crap that infested a friend's machine. Generally speaking I won't post too many technical articles on this site, but this piece of malware sucks and can seriously impede someone's ability to use their computer for anything, productive or gaming related. So here's what I found out and what I did to remove it. If you have further suggestions or techniques that work, please feel free to mention them in the comments.
Malware like Antivirus 2009 and others with similar names is becoming more prevalent and harder to remove from Windows systems. It actively disables antivirus/antimalware programs, redirects requests for anti-malware and anti-virus websites, and installs itself as hidden virtual hardware so that it both works in safe mode and reinstalls itself if the 'software' is removed from the system.
These things masquerade as Windows updates, or as free online tools that tell users they're infected by something and offer to fix it, often in the form of a pop-up from the task bar. To the uninitiated they look pretty much like a Windows notification and can be mistaken for a valid one.
This particular POS (on an XP SP3 machine) was bundled with a hidden process named "TDSSserv.sys". It's a service that redirects all software updates (and requests to Symantec's website, among others) to 127.0.0.1 (your own computer) so that nothing will update. It also prevents Malwarebytes, Spybot, Ad-Aware, HijackThis and more from installing or running. On your machine it appears as a piece of hidden hardware.
What you need to do is go to Start -> Control Panel -> System -> Hardware -> Device Manager -> Show Hidden Devices.
Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
Find "TDSSserv.sys" and right click on it. Choose 'Disable'. Don't remove it because it will just pop back into existence on your next reboot.
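Added here as a worked example, not part of the original post: a PowerShell triage script that checks the two indicators described above, the hidden TDSSserv driver entry that Device Manager shows under non-plug-and-play drivers, and security vendor sites being sent to 127.0.0.1. It assumes PowerShell 2.0 or later is available on the affected machine and that the redirect is visible in the hosts file (one common place such redirects show up; the post does not say how TDSSserv does it); the vendor domain list is a constructed sample.

```powershell
# Triage script (added example, not from the original post).
# Assumptions: PowerShell 2.0+, run from an elevated prompt on the affected machine.
$SuspectDrivers = @('TDSSserv')   # driver/service name taken from the post
# Constructed sample of vendor domains whose sites the post says get redirected.
$VendorDomains  = @('symantec.com', 'malwarebytes.org', 'safer-networking.org', 'lavasoft.com')

# 1. Non-plug-and-play drivers are registered under the Services key with Type 1
#    (kernel driver); Device Manager's "Show hidden devices" list is built from them.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($name in $SuspectDrivers) {
    $key = Join-Path $servicesKey $name
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        Write-Output ("FOUND driver service '{0}': Type={1} Start={2} ImagePath={3}" -f `
            $name, $props.Type, $props.Start, $props.ImagePath)
    } else {
        Write-Output ("driver service '{0}' not present" -f $name)
    }
}

# 2. Vendor domains mapped to loopback in the hosts file send update and download
#    requests to the local machine, which matches the "nothing will update" symptom.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$lineNo = 0
foreach ($line in Get-Content -Path $hostsPath) {
    $lineNo++
    $entry = ($line -split '#')[0].Trim()      # strip trailing comments
    if ($entry -eq '') { continue }
    $fields = $entry -split '\s+'
    if ($fields.Length -lt 2) { continue }     # need an address and at least one name
    $ip = $fields[0]
    $loopback = ($ip -eq '127.0.0.1' -or $ip -eq '::1' -or $ip -eq '0.0.0.0')
    if (-not $loopback) { continue }
    foreach ($hostname in $fields[1..($fields.Length - 1)]) {
        foreach ($domain in $VendorDomains) {
            if ($hostname -eq $domain -or $hostname.EndsWith('.' + $domain)) {
                Write-Output ("hosts line {0}: {1} -> {2} (vendor site redirected to loopback)" -f `
                    $lineNo, $hostname, $ip)
            }
        }
    }
}
```

A clean machine reports the driver as not present and prints no hosts lines; a hit on either check is a reason to go through the Device Manager steps above before trying to update or install anything.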
Now people will be able to update and use their programs and delete the virus. Malwarebytes worked very well for this. I installed Malwarebytes in safe mode from my USB stick and the latest database update from here (also downloaded to my USB drive via a laptop). Running this in safe mode with no networking after disabling the above-mentioned virtual hardware and then running it again in normal mode seemed to fix this. AV2009 can block the install of Malwarebytes. A way around this is to rename the install file and then rename the executable to launch Malwarebytes.
In my research it looks like Avast Antivirus (free version) does a handy job of preventing infection from this nasty thing as well. No mention was made of NAV being effective or ineffective.
For manual cleanup (which is less fun):
Unregister Antivirus 2009 DLL Files:
Stop Antivirus 2009 Processes:
Find and delete these Antivirus 2009 files:
Uninstall Antivirus 2009.lnk
Remove Antivirus 2009 Registry Values: