I had a very busy week cleaning AV2009 on home and business computers. I’m not sure what’s going on, but a lot of people are being infected with adware that redirects search queries to AV2009 affiliates. Some of the new AV2009 adware even prevents users from browsing the internet by “blocking” the website they are trying to load and instead loading an AV2009 advert.
Take a look at the screenshot below and notice the little yellow drop-down bar. It looks like an ActiveX control trying to load, but it isn't: it's basically a link that directs us to a "Professional License for Antivirus 2009 Pro".

SuperAntiSpyware was able to find and remove the adware that was responsible for these AV2009 adverts. Here is the log in case you're curious.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/20/2009 at 08:32 AM
Application Version : 4.25.1012
Core Rules Database Version : 3717
Trace Rules Database Version: 1691
Scan type : Quick Scan
Total Scan Time : 00:11:34
Memory items scanned : 586
Memory threats detected : 1
Registry items scanned : 425
Registry threats detected : 11
File items scanned : 8400
File threats detected : 1
Adware.WinSrc/WinSystems
C:\WINDOWS\SYSTEM32\WINSYSTEMS.DLL
C:\WINDOWS\SYSTEM32\WINSYSTEMS.DLL
Adware.WinSrc
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0B014B81-4E12-46F9-806F-55867AF8FD3C}
HKCR\CLSID\{0B014B81-4E12-46F9-806F-55867AF8FD3C}
HKCR\CLSID\{0B014B81-4E12-46F9-806F-55867AF8FD3C}
HKCR\CLSID\{0B014B81-4E12-46F9-806F-55867AF8FD3C}\InprocServer32
HKCR\CLSID\{0B014B81-4E12-46F9-806F-55867AF8FD3C}\InprocServer32#ThreadingModel
HKU\S-1-5-21-1454471165-1035525444-839522115-5612\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0B014B81-4E12-46F9-806F-55867AF8FD3C}
Rogue.Component/Trace
HKU\S-1-5-21-1454471165-1035525444-839522115-5612\Software\88398351299340675485548564674080\Options
HKU\S-1-5-21-1454471165-1035525444-839522115-5612\Software\88398351299340675485548564674080\Options#Aff
HKU\S-1-5-21-1454471165-1035525444-839522115-5612\Software\88398351299340675485548564674080\Options#AdvancedScanType
HKU\S-1-5-21-1454471165-1035525444-839522115-5612\Software\88398351299340675485548564674080\Options#FirstRunUrl
HKU\S-1-5-21-1454471165-1035525444-839522115-5612\Software\88398351299340675485548564674080
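The log above shows the three registry pieces that make this kind of adware load in Internet Explorer: the entry under Browser Helper Objects names a CLSID, the CLSID key's InprocServer32 names the DLL, and the DLL (WINSYSTEMS.DLL here) gets loaded into every browser window. As an added example that is not from the original post or from SuperAntiSpyware, the PowerShell below walks that chain for every registered BHO and flags DLLs that are missing or not validly signed; the Wow6432Node path is an assumption for 64-bit systems and is skipped where it does not exist.

```powershell
# Added example (not the original post's code): inventory Browser Helper Objects
# by following the same registry chain the scan log shows:
#   Browser Helper Objects\{CLSID} -> HKCR\CLSID\{CLSID}\InprocServer32 -> DLL
# Run from an elevated PowerShell prompt.

$bhoRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # Assumed 32-bit view on 64-bit Windows; skipped if the key is absent.
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($bhoKey in Get-ChildItem -Path $root) {
            $clsid  = $bhoKey.PSChildName   # e.g. {0B014B81-4E12-46F9-806F-55867AF8FD3C}
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll    = $null
            if (Test-Path $server) {
                # The unnamed (default) value of InprocServer32 is the DLL path.
                $dll = (Get-ItemProperty -Path $server).'(default)'
            }
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

            # A BHO whose DLL is gone is a leftover registration; an existing DLL
            # with no valid Authenticode signature is the one to look at first.
            $status = 'MissingDll'
            if ($dll -and (Test-Path $dll)) {
                $status = (Get-AuthenticodeSignature -FilePath $dll).Status
            }
            [PSCustomObject]@{
                CLSID      = $clsid
                Dll        = $dll
                SigStatus  = $status
                Suspicious = ($status -ne 'Valid')
            }
        }
    }
}

Get-BhoInventory | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Anything listed with Suspicious = True deserves a closer look (hash lookup, scan, or removal), but a valid signature on its own is not proof that a BHO is wanted.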

7 comments
MBAM should detect that file but it doesn't (at least not yesterday)
LOL. That is normal in my virtual PC
I got that in my VM. It also has a fake bluescreen, and I also got Pro Antispyware 2009, which also has the fake ActiveX, so they are competing for space. And I think that also has a fake BSOD.

Does anybody know what happened to antrim antivirus pro? Because all of a sudden, I don't get its popups anymore.
I removed AV09 from two laptops in my office in 1 day!! It is really annoying!! MBAM did the job!! But it did not find the adware responsible for the redirection… SAS did!!!
@darcjrt – SAS and MBAM trash all rogues with ease
Antivirus 2010 is out, I have a URL, I could send it to you.
Greetings:
You indicated …
“… had a very busy week cleaning AV2009 on home and business computers. I’m not sure what’s going on, but a lot of people are being infected with adware that redirects search queries to AV2009 affiliates. Some of the new AV2009 adware even prevents users from browsing ….”
I don't know if you got the connection based on the timing, but what you saw likely had something to do with the massive attack by Downadup / Conficker. As part of my package, I got Spyware Guard 2008 as well as svhost, tdss, fake alert, patched.ck, as well as 4 or 5 others that I did not get noted.
What was really strange was that I did not do any of the usuals wrt getting that, I was not pronning, not DLing, not using usb stick. But I really got nailed.
cheers … JoW