Thursday, January 15, 2009

Antivirus 2009 - Malware

I have Norton Internet security, yet my computer has been infected with the Antivirus 2009 program. How can this happen and how do I get rid of it? – Glenn

Your question underscores an often mistaken mindset of many computer users: “If I have security software in place, I shouldn’t get any infections.” Nothing could be further from reality.

Anti-virus/anti-spyware programs as well as firewalls are of no protection if the user of the computer decides to click on links that generate malicious code or download and run questionable files.

The user’s own actions can easily override the installed protection and, in some cases, actually disable the protection programs while making it look like they are still running.

The fake anti-virus program scams actually started last year as “Antivirus 2008” and it was so successful that it lives on as many variations, including “Antivirus 2009.” A clever author of malware discovered a sneaky way to fool folks into installing malicious software on their computers, THEN extract money from them by posing as a legitimate program for removing the malicious software.

The reason that this approach has been so successful is that these programs very closely mimic Windows warning screens and legitimate antivirus programs. Virtually every legitimate antivirus company has a product called “something Antivirus 2009,” which further confuses the uninitiated.

The most common ways to come in contact with this infection include maliciously coded Web sites that pop up a warning message that you are infected, e-mail messages that trick folks into clicking on a link, Web sites that claim you need to download software in order to see a posted video, and links or downloads that are spread through social networking sites such as MySpace and Facebook as well as all of the Instant Messaging systems.

At this point in time, any form of popup or error message that refers to Antivirus 2008 or 2009 (including System Antivirus, Ultimate Antivirus, Vista Antivirus, Pro Antivirus or XP Antivirus followed by a number) should be considered extremely suspicious.

If you ever see any reference to a virus that is not specifically from the product that you have installed on your computer for protection, you should consider it to be a fake (Windows itself won’t ever alert you of a virus infection).

By the same token, any Web site that claims that you need to download a new video program or “codec” in order to view a video should be considered a threat.

Users of file sharing networks are at a high risk of contracting malicious software as it’s often hidden within what appears to be a legitimate program (referred to as a Trojan).

The writers of malicious code count on users that are not really paying attention and at this point, they are fooling people by the millions around the Internet. This type of infection is amongst the worst that I have seen in my 20 years of servicing computers.

Getting rid of the code once it has infected your system can be very involved and is different for the various versions of the infections, so don’t attempt this without help if you are a novice.

Start by identifying the exact version of the malware that you have and placing it in quotation marks followed by the words ‘removal instructions’ in Google (Ex: “Antivirus 2009” removal instructions).

WARNING: There are so many people infected with this family of malware that many new scam programs that claim to specifically clean the code have popped up. Some appear to be free programs that will only scan your system for free, but charge you to remove the code and often they don’t even do that properly.

Since there are so many different variations of this infection, the exact steps are going to be based on the exact version of the malware that you have.

In our service business, we use a combination of several manual detection and removal processes (again, based on the exact version of the infection) along with multiple scanning programs to ensure that all potential re-infection avenues (temp files, restore points, modified dll files, etc.) have been removed or restored.

Depending upon how long and which version of the malware you have, you may also need to run a Windows repair after you remove the code as certain Windows files can become corrupted as a side effect.

If you know how to work with the Windows registry, operate in Safe Mode and have a current backup of your critical files, you should be able to find instructions online for removing the exact version of the infection that you have.

If not, consult a tech savvy friend or a professional as removing this infection properly (so that you don’t re-infect) is not for the novice.

Ken Colburn
President of Data Doctors Computer Services, Host of the award-winning Computer Corner radio show, and Author of Computer Q&A in the East Valley Tribune newspapers.


http://www.lockergnome.com/windows/2009/01/14/how-did-i-get-infected-with-antivirus-2009/