
Anti-virus 2009 Variant - **Flaw**


Joeteck

Retired
Joined
Oct 5, 2001
Location
Long Island
Anti-virus 2009 has many variants. Real Anti-virus programs do not disable functionality, such as MSCONFIG, task manager or regedit.

AV 2009 continues to bark in a loop telling you to purchase the software in order to clean it.

However, since this is run during bootup, if you are quick enough you can disable it.

START > RUN > MSCONFIG > startup tab. Disable all - Apply. REBOOT.

Finding the one you need to disable would take too long, and disabling all is much faster.

However, this variant runs a file called "mfomsftav.exe" located under Application Data, but it can't be seen.

After you reboot, you will get normal functionality back, and can do a boot-time scan with Avast after you re-install it.

Hope this helps..
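A triage script for the startup-entry step above, added here as an example and not something posted in the thread. It assumes PowerShell on the infected machine, lists Run-key and Startup-folder entries, and marks for manual review any that launch from a per-user application data folder (the location the post gives for `mfomsftav.exe`); it changes nothing.

```powershell
# Added example (not from the thread): enumerate autostart entries and flag
# those launching from an Application Data / AppData folder. Review by hand;
# nothing is deleted. Best run from Safe Mode, where the rogue AV does not load.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Metadata properties that Get-ItemProperty adds; they are not Run entries.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
# Folder fragments counted as "application data" on XP and on Vista and later.
$suspectDirs = @('\Application Data\', '\Local Settings\', '\AppData\Local\', '\AppData\Roaming\')

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Per-user and all-users Startup folders (all-users path assumed; guarded by Test-Path).
    $folders = @([Environment]::GetFolderPath('Startup'),
                 (Join-Path $env:ALLUSERSPROFILE 'Microsoft\Windows\Start Menu\Programs\Startup'))
    foreach ($folder in $folders) {
        if ($folder -and (Test-Path $folder)) {
            Get-ChildItem -Path $folder | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
                [pscustomobject]@{ Source = $folder; Name = $_.Name; Command = $_.FullName }
            }
        }
    }
}

function Test-SuspectEntry($entry) {
    foreach ($d in $suspectDirs) {
        if ($entry.Command -like "*$d*") { return $true }
    }
    return $false
}

foreach ($e in Get-AutostartEntries) {
    $flag = if (Test-SuspectEntry $e) { 'REVIEW' } else { '  ok  ' }
    '{0}  {1,-24} {2}' -f $flag, $e.Name, $e.Command
}
```

Entries marked REVIEW are candidates to disable in MSCONFIG or remove from the Run key once confirmed; legitimate software occasionally installs into AppData too, so check the file before acting.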
 
This is a relatively easy one to get out as well. There is a more advanced version that doesn't put itself in the startup router.

If you can, boot an ERD, and edit the registry, and look for anything such as "av", "pav", "av2009" (and 2k10, 2k11). This is for advanced users of course.

There is another out there called "Security Tool". This program won't let other programs run, but!, if you open the task manager as soon as the system logs in, you can kill the process, and run your removal software.
 
I have seen these so many times on clients' PCs. I have found an easy solution. Download MalwareBytes to a flash drive, boot the infected PC in Safe Mode with Command Prompt. When the prompt comes up, install MBAM from the command line and let it run a scan. This works 99.9% of the time. I have only had one other virus on which this method failed; it would BSOD the machine when booting into any safe mode option.
 
I found a solution similar to bchur's. Install MalwareBytes to a flash drive. Then on the client's infected machine install MalwareBytes. It will install but the virus will delete the mbam.exe. That's fine since the installer installs the dependencies needed by MalwareBytes. Then run MalwareBytes from the flash drive and it will fix it. May need a few runs to clear out everything.
 
With this variant, it killed every app I tried to run. Including from a flash drive.

Thankfully it did not load in time, so I was able to run msconfig and shut them all down.
 
I work in an internet tech support call center, and you have no idea how many old ladies call in with this virus saying they paid $50 (or however much) for it and it's not working. It's sad, really.
 
> With this variant, it killed every app I tried to run. Including from a flash drive.
>
> Thankfully it did not load in time, so I was able to run msconfig and shut them all down.

I deal with it day in and day out.

Boot in safe mode (with networking preferably). It won't load in safe mode.

Then run combofix. It gets rid of it and usually a handful of riders that come with it (the real stuff killing the system). Reboot into real (regular) mode and run your anti-malware of choice and voila... clean.
 
> With this variant, it killed every app I tried to run. Including from a flash drive.
>
> Thankfully it did not load in time, so I was able to run msconfig and shut them all down.

You can start the browser and go here

http://www.thetechherald.com/article.php/200941/4592/Rogue-anti-Virus-holding-systems-hostage

As soon as you copy in some of the serials it will think you paid for it and stop bugging you.

Mods: please note this is not piracy, Panda Software cracked rogue security software to help people clean their systems.
 
Why enter in a serial to still leave it on your system?

It is a virus, get rid of it.

Because once you enter a serial number it will enable you to actually download and run antimalware stuff. So it won't uninstall it but it will make it easier to remove it.
 