A colleague brought his XP-based laptop into the office today. Through a quirk of fate, Antivirus 2009 had managed to install itself. It’s a pretty swish looking piece of malware that looks very much like leading anti-virus programs, even giving you the feel-good factor that it has found infected files and has cleaned them for you. It is, of course, a confidence trick, smoke and mirrors.
It’s most likely to have come from the same stable as WinAntivirus did, as noted here.
I’m repeating myself, however my advice is simple: if a web page pops up a dialog box telling you that your computer is infected and offers a free clean-up, ignore it. Never install software that offers itself via a web page pop-up; go to a reputable download site (ideally a vendor site) and download from there.
Or, if you are in any doubt, use a search engine to get some more information. Here’s what Google returns for Antivirus 2009 and here’s what Live Search returns. These results should be the first clue that Antivirus 2009 isn’t all it’s cracked up to be.
I still promote the use of these tools for cleaning up: Crap Cleaner, Spybot and HijackThis.
As part of this infection Spybot discovered Win32.TDSS, which includes a rather invasive rootkit. I used ComboFix.exe and Smitfraudfix.exe as discussed over in the Spybot forums.