More How To Remove Antivirus 2009 and TDSS Rootkit
Filed under: How To Remove MS Antivirus 2009, How To Remove TDSS Rootkit
In my previous posting on How To Remove MS Antivirus 2009 I mentioned using Malwarebyte’s Anti-Malware Removal Tool along with running SuperAntivirus. These are both excellent spyware cleaners.
However, you may run into a few “gotchas” that prevent you from running these cleaning programs. Here’s how you can get around those problems, based on my first-hand experience of cleaning one instance of MS Antivirus 2009 on a single PC.
Problem #1 — Unable to run Malwarebyte’s mbam-setup.exe program.
On this particular PC I kept clicking on the setup icon and nothing happened. I found out that this was because the spyware program was blocking execution of the antispyware installation file. Man, these spyware programs are getting more and more devious all the time!
To get around this I just renamed the mbam-setup.exe program to fred.exe and I was able to install the program. However, I could still only install the program from Safe mode.
Problem #2 — Unable to run Malwarebyte’s Anti-Malware program.
Once I booted to Safe mode and was able to install Mal’s program, I wasn’t able to RUN the program. This was because the spyware was also blocking that application filename as well.
So I navigated to c:\program files\malwarebyte’s antimalware and renamed the application file mbam.exe to fred.exe. Same trick as before.
Now the application ran, although this time I had to run the application from Normal mode and NOT Safe mode! Sheesh…what gyrations!
Problem #3 — Browser is hijacked.
After running Mal’s Anti-Malware, which caught a lot of infections, I wanted to install SuperAntivirus. However, the browser was hijacked and would not let me navigate to the correct URL.
I decided to run Mal’s program a few more times from Normal mode, and after about the third time it revealed that the PC had the TDSServ Rootkit virus.
Mal’s was able to clean up most of the TDSS infection. However, I had to manually navigate to c:\windows\system32 to manually delete the remaining TDSSxxxx files.
Once that was done, the browser seemed to be back to normal.
I ran SuperAntivirus from both Normal and Safe mode and also ran Mal’s from Safe mode — which was now working again — and everything finally came up clean.
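Before hand-deleting the leftover TDSSxxxx files from c:\windows\system32 as described above, it is worth recording what they are and moving them aside rather than destroying them. The script below is an added example, not part of the original post or of either cleaning tool: it lists TDSS* files in System32 with their Authenticode signature status and SHA-256, and only with -Move relocates them to a quarantine folder (the folder path is an assumption; adjust it as needed).

```powershell
# Added example: triage TDSS* leftovers in System32 before removal (run from an elevated prompt).
param(
    [string]$SystemDir     = "$env:SystemRoot\System32",
    [string]$QuarantineDir = "$env:SystemDrive\tdss_quarantine",   # assumed location, not from the post
    [switch]$Move                                                   # without -Move the script only reports
)

# The post refers to these as "TDSSxxxx" files; -Filter matches the name prefix, case-insensitively.
$hits = Get-ChildItem -Path $SystemDir -Filter 'TDSS*' -File -Force -ErrorAction SilentlyContinue
if (-not $hits) { Write-Host "No TDSS* files found in $SystemDir"; return }

# Record signature status and hash for each hit; a genuine Windows binary would normally show 'Valid'.
$report = foreach ($f in $hits) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Name      = $f.Name
        SizeBytes = $f.Length
        Created   = $f.CreationTime
        Signature = $sig.Status
        Sha256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}
$report | Format-Table -AutoSize

if ($Move) {
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    # Keep a manifest so the samples can be identified later even after the scanners have cleaned up.
    $report | Export-Csv -Path (Join-Path $QuarantineDir 'manifest.csv') -NoTypeInformation
    foreach ($f in $hits) {
        # Move instead of delete so the files survive for analysis; a locked file is reported, not silently skipped.
        try   { Move-Item -Path $f.FullName -Destination $QuarantineDir -Force -ErrorAction Stop }
        catch { Write-Warning "Could not move $($f.Name): $($_.Exception.Message) (driver may still be loaded; retry from Safe mode)" }
    }
}
```

Run it once without -Move to see the report, then with -Move once you are satisfied the listed files are not legitimate.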
How To Remove MS Antivirus 2009
In the last 3 months I have seen at least 5 cases of Antivirus 2008, Antivirus 2009, or MS Antivirus 2009 infecting my clients’ computers.
Apparently this same spyware also goes by the name of Vitae Antivirus 2008 and Vista Antivirus 2008.
You’ll recognize it by the multicolored shield they use which tries to make you think it is an official Microsoft Windows product.
The spyware puts out a lot of annoying fake virus detection messages and, like all spyware, this Antivirus spyware is basically a big pain in the arse.
What I have found to be the best way to remove these current infestations of Antivirus 2008, 2009, and their MS Antivirus variants is to use the free spyware cleaner found at Malwarebyte’s Anti-Malware site:
http://www.malwarebytes.org/mbam.php
Once I download and install the software I usually run a quick scan first, just to see if that reduces the popups.
If it looks promising then I run the full scan which does a “deep cleaning.” The full scan can take several hours, depending upon the number of files on the hard drive so I usually plan on taking a long break while the scan is running.
In most cases Malwarebyte’s cleaner does a good job of removing the MS Antivirus 2009 spyware.
However, for good measure I also tend to run another cleaner called SuperAntiSpyware found at this site:
http://www.superantispyware.com/
It also has a quick mode and a deeper cleaning mode. I tend to run the quick mode first and if it finds any spyware then I run the deeper cleaning mode as well.