hackman2007 (Malware specialist; joined 03 Apr 2005; 9860 posts)
Posted: Fri Nov 14, 2008 12:03 pm
Post subject: Removal Instructions for Antivirus 2009 and Antivirus Pro
The following is a self-help guide on how to get rid of that pesky AntiVirus/AntiVirus Pro 2009 malware that has been going around lately.
There are several ways to get rid of this malware and some work better than others. In this particular case I'm going to assume that you know you have this particular malware on your computer.
Please note you may have other malware on your computer (which we will deal with at the end).
a. Legal Stuff, please read
The producer of this guide, hackman2007, is not to be held liable for anything that could possibly happen, which includes, but is not limited to: stop screens, more malware pop-ups, unbootable computers, and anything else. By using this guide, you are agreeing to hold hackman2007 free of liability for any damage, data loss, or inconveniences that may occur. You are using this guide under your own supervision without assistance. Please do not use this guide on production, mission-critical, or any other systems where a failure could have serious implications. Hackman2007 will not be held liable for anything that may happen, and further use of this guide constitutes your agreement with these terms.
This guide is made possible by the wonderful people of many websites, including: Bleepingcomputer, Geekstogo, and various other forums.
Now that the legal stuff is out of the way, let us begin.
1. Fix entries with HijackThis
If you have already run a HijackThis log, please find the following entries in the log (please note that they may not all exist) and put checkmarks next to them:
O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll
O4 - HKCU\..\Run: [75319611769193918898704537500611] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O4 - HKLM\..\Run: [Antivirus Pro 2009] "C:\Program Files\AntivirusPro2009\AntivirusPro2009.exe" /hide
Now click Fix Checked.
If you see any other entries that have Antivirus 2009 in them, please make sure you delete them.
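As an added example (not part of hackman2007's guide, and not how HijackThis itself works), here is a small Python script that parses the O2/O4 lines of a HijackThis log and flags the ones matching the indicators listed above, so the entries to tick can be found mechanically instead of by eye. The sample log is constructed from the four entries quoted in this step plus one legitimate Windows entry.

```python
import re

# Indicators copied from the guide's own HijackThis entries: Run-key value names, BHO CLSID, file names.
KNOWN_NAMES = {"ieupdate", "antivirus pro 2009"}
KNOWN_CLSIDS = {"{037C7B8A-151A-49E6-BAED-CC05FCB50328}"}
KNOWN_FILES = {"winsrc.dll", "av2009.exe", "ieupdates.exe", "antiviruspro2009.exe"}

# O4 line shape:  O4 - HKCU\..\Run: [value name] "C:\path\file.exe" /switch
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O2 line shape:  O2 - BHO: name - {CLSID} - C:\path\file.dll
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')

# Turn one O2/O4 HijackThis line into a dict; any other log line yields None.
def parse_line(line):
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd")
        # A quoted command keeps its path inside the quotes; an unquoted one ends at the first " /" switch.
        path = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" /")[0]
        return {"type": "O4", "hive": m.group("hive"), "name": m.group("name"), "path": path}
    m = O2_RE.match(line)
    if m:
        return {"type": "O2", "name": m.group("name"), "clsid": m.group("clsid"), "path": m.group("path")}
    return None

# True when the entry matches a listed indicator or mentions Antivirus 2009 anywhere in its path.
def is_suspicious(entry):
    path = entry["path"].lower()
    filename = path.rsplit("\\", 1)[-1]
    return (entry["name"].lower() in KNOWN_NAMES or entry.get("clsid") in KNOWN_CLSIDS
            or filename in KNOWN_FILES or "antivirus 2009" in path or "antiviruspro2009" in path)

# Return the raw log lines to tick in HijackThis before clicking Fix Checked.
def triage(log_text):
    lines = [raw.strip() for raw in log_text.splitlines() if raw.strip()]
    return [line for line in lines if (entry := parse_line(line)) and is_suspicious(entry)]

# Constructed sample log: the four entries quoted in the guide plus one legitimate Windows entry.
SAMPLE_LOG = r"""
O2 - BHO: &Research - {037C7B8A-151A-49E6-BAED-CC05FCB50328} - C:\WINDOWS\system32\winsrc.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [75319611769193918898704537500611] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O4 - HKLM\..\Run: [Antivirus Pro 2009] "C:\Program Files\AntivirusPro2009\AntivirusPro2009.exe" /hide
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print("FIX:", line)
```

Running it prints the four guide entries prefixed with FIX: and leaves the ctfmon.exe line alone; paste a real log into SAMPLE_LOG to triage it the same way.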
2. Delete AntiVirus 2009 Files and Folders
Make sure you replace $Your Username$ with the username you use to log in to the computer.
Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download.
- Save it to your desktop.
- Please double-click Killbox.exe to run it.
- Select Delete on Reboot.
- Then click the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
c:\Program Files\AntivirusPro2009
c:\Documents and Settings\$Your Username$\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro2009.lnk
c:\Documents and Settings\$Your Username$\Desktop\AntivirusPro2009.lnk
c:\Documents and Settings\$Your Username$\Start Menu\Programs\AntivirusPro2009
c:\Documents and Settings\$Your Username$\Start Menu\Programs\AntivirusPro2009\AntivirusPro2009.lnk
c:\Documents and Settings\$Your Username$\Start Menu\Programs\AntivirusPro2009\Uninstall.lnk
c:\WINDOWS\dyxad.bat
c:\WINDOWS\gutysolyk.dll
c:\WINDOWS\oheva._dl
c:\WINDOWS\uhuleko.bat
c:\WINDOWS\ulysi.bin
c:\WINDOWS\votadiboz.sys
c:\WINDOWS\xocorepen.lib
c:\WINDOWS\system32\_scui.cpl
c:\WINDOWS\system32\mehydohahe.scr
c:\WINDOWS\system32\owah.bat
c:\WINDOWS\system32\uquhoti.reg
c:\WINDOWS\system32\zuxeme._dl
c:\Program Files\Common Files\buryleto.dll
c:\Documents and Settings\All Users\Application Data\cyqi.sys
c:\Documents and Settings\All Users\Application Data\gemegiqyno.ban
c:\Documents and Settings\All Users\Application Data\pisijupag.dll
c:\Documents and Settings\All Users\Application Data\pymom.lib
c:\Documents and Settings\All Users\Application Data\wivodexy.reg
c:\Documents and Settings\All Users\Application Data\yzotuxeka.vbs
C:\WINDOWS\system32\ieupdates.exe
C:\WINDOWS\system32\winsrc.dll
C:\Program Files\Antivirus 2009
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (please post a new topic if you receive this message).
If your computer does not restart automatically, please restart it manually.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.
3. Run Combofix
Combofix is very effective at removing the remnants of this particular malware. Please note, it may prompt you that there is rootkit activity and ask you to run a rootkit scanner. If it does, please post a HijackThis log in the Free Clinic and I will assist you in removing this rootkit properly.
Download ComboFix from Here
After the download, double-click combofix.exe and follow all the prompts.
Note: Do not click inside ComboFix's window while it is running. That may cause it to stall.
4. Run SUPERAntiSpyware
At this point, the infection should be just about gone. Now to make sure the infection doesn't come back (or to remove other parts that the other programs missed, or new variants), we will run SUPERAntiSpyware.
Since I am not requesting this logfile, it is not necessary to go through a whole bunch of configuration.
Instead just download SUPERAntiSpyware from Here and then update and run a Complete System Scan.
Remove all the malware it finds (it will probably quarantine it for safety reasons) and then restart the computer.
If all went well, your computer should now be free of this particular piece of software. Have fun browsing, and make sure you keep detection protection running on your end so you don't risk infecting yourself again. If you still have malware present on your system, please feel free to post a new topic in the Maximum PC Forums Free Clinic sub-folder requesting help.