11-11-2008, 20:01
|
#1
|
Trusted User
Join Date: Jan 2002
Posts: 208
Thanks: 0
Thanked 0 Times in 0 Posts
|
AntivirusPro 2009 Trojan
Anyone know how to get rid of this Trojan?
Most of the guides online don't work because it appears to be an updated version of the trojan.
The biggest problem is it blocks all the virus killers from running & updating, it also blocks all anti-virus websites.
|
|
|
11-11-2008, 20:24
|
#2
|
Trusted User
Join Date: Apr 2001
Location: Suffolk
Posts: 551
Thanks: 2
Thanked 0 Times in 0 Posts
|
Try running the free version of Super Anti Spyware
|
|
|
11-11-2008, 20:41
|
#3
|
Trusted User
Join Date: Jan 2002
Posts: 208
Thanks: 0
Thanked 0 Times in 0 Posts
|
The trojan is blocking the site, also all the other popular ones you can think of are all blocked.
|
|
|
11-11-2008, 20:48
|
#4
|
Your Oh Vision!
Join Date: Mar 2001
Location: Londonshire
Posts: 4,582
Thanks: 9
Thanked 3 Times in 3 Posts
|
Try searching for it on www.download.com
I had a similar problem on Sunday with a trojan altering my browser settings and only loading ad websites. I used download.com to download Malwarebytes Anti-Malware. After I managed to get rid of some of the trojans I downloaded Trojan Remover, which helped clean up more nasties my anti-virus software missed.
Last edited by danielsesay; 11-11-2008 at 20:49.
|
|
|
11-11-2008, 21:19
|
#5
|
Trusted User
Join Date: Jan 2002
Posts: 208
Thanks: 0
Thanked 0 Times in 0 Posts
|
Thanks, but this trojan is VERY HARD to remove. This is an updated trojan.
It will not allow any of those virus/trojan removal programs to run. When I look at my process list it's clean.
So how is it running?
Secondly I found some of the files it uses and when I remove them they come back.
I think I need something that runs off CD.
|
|
|
11-11-2008, 22:20
|
#6
|
Does anybody read these?
Join Date: Aug 2002
Location: Oxford
Posts: 7,000
Thanks: 11
Thanked 416 Times in 190 Posts
|
If it keeps coming back you need to turn off System Restore before removing it.
See: http://www.pchell.com/virus/systemrestore.shtml
|
|
|
11-11-2008, 22:25
|
#7
|
Trusted User
Join Date: Jan 2002
Location: the pits
Posts: 12,346
Thanks: 15
Thanked 315 Times in 303 Posts
|
Try installing Spybot S&D in safe mode and enable TeaTimer. Also install HijackThis. Assuming this works, then run the cleaners again and when TeaTimer says allow? say yes but don't tick the remember box. Then whatever is reinstalling them will cause TeaTimer to throw up an allow box and you say no and tick remember. Use HijackThis to see if anything is attached to the winlogon (also try Process Explorer, which will list associated processes dependent on winlogon) as this can attempt to reinstall stuff when you shut down.
Best bet is to switch the PC off at the mains, thus avoiding any shutdown sequence at all if it's reinstalling by that route. Note that using a service to reinstall if removed sidesteps the system restore route.
I've used this method to clean a laptop that a company director foolishly allowed net savvy (read net ignorant) kids to use, resulting in malware hooked onto the logon system.
__________________
---------------------------------------------------------------------------------
All important data is backed up. If you didn't back it up it wasn't important
------------------------------------------------------------------------------------
Last edited by ian turner; 11-11-2008 at 22:28.
|
|
|
12-11-2008, 09:30
|
#8
|
Bear with me, I'm slow
Join Date: Mar 2001
Posts: 4,107
Thanks: 11
Thanked 24 Times in 21 Posts
|
Combo Fix has served me well for previous versions of this one... does it work against the latest?
|
|
|
12-11-2008, 13:24
|
#9
|
Trusted User
Join Date: Dec 2001
Location: Dark side of the moon
Posts: 1,820
Thanks: 211
Thanked 16 Times in 13 Posts
|
Hi, sorry you are having problems. What AV are you using?
It might be worth d/l Nod 32; it will work as a full working version for 30 days. It has a real-time scanner and also scans memory.
If the trojan is loaded into memory it can reinstall itself when the PC is shutting down.
A2 (a squared) is also worth a try if Nod32 does not sort it.
|
|
|
12-11-2008, 13:53
|
#10
|
Trusted User
Join Date: Sep 2002
Posts: 390
Thanks: 3
Thanked 2 Times in 2 Posts
|
A colleague of mine handed me a laptop with this on today. As mentioned above, I used Malwarebytes' Anti-Malware to get rid of it. I got it from here and just followed the instructions.
Afterwards, Windows Security Center appeared to be missing. The control panel icon had been hidden. Look here and unhide the wscui.cpl key. You might also need to enable the Security Center service.
Last edited by kwangomango; 12-11-2008 at 13:54.
Reason: typo
|
|
|
12-11-2008, 13:57
|
#11
|
2021 is the new 2020
Join Date: Mar 2001
Location: Part of Europe
Posts: 24,202
Thanks: 1,538
Thanked 4,190 Times in 1,385 Posts
|
I've got the same problem with my other half's PC, it's a right mare to get sorted. Will try the Malwarebytes' Anti-Malware route even though it's not letting me run any AV software on it (apart from NOD32, which is coming up with nothing).
I'm tempted to wipe the hard drive and start over.
Last edited by Boink!; 12-11-2008 at 14:34.
|
|
|
12-11-2008, 14:17
|
#12
|
gotta be innit to winnnit
Join Date: Aug 2002
Location: Landan
Posts: 352
Thanks: 0
Thanked 0 Times in 0 Posts
|
This one is a real git...
Malwarebytes is what you need my good man/woman.... I must've removed this at least 10 times with Malwarebytes....
|
|
|
12-11-2008, 15:09
|
#13
|
Trusted User
Join Date: Jan 2002
Posts: 208
Thanks: 0
Thanked 0 Times in 0 Posts
|
Hey guys, thanks for your help.
I had two: TDSSserv.sys rootkit & Antiviruspro 2009.
It was a nightmare to delete since it was a rootkit embedded deep. 5 hours wasted on this.
Every time I went to update a virus killer or download one it would block the sites. I fixed it by downloading SDFix on another PC and extracting it and running in safe mode. Then I used Malwarebytes to clean up.
Also you can trick it by renaming its own files (SDFix.exe once renamed will run), but it places them back again. Anyway I think it's gone now.
Thanks for all your help!!!
|
|
|
12-11-2008, 15:24
|
#14
|
2021 is the new 2020
Join Date: Mar 2001
Location: Part of Europe
Posts: 24,202
Thanks: 1,538
Thanked 4,190 Times in 1,385 Posts
|
Big write up on what to delete here.
Oh great, I copied the above info to a Word doc and put it on the desktop of the infected PC so I could check which files to delete and now the PC just keeps rebooting itself. You little ****.
If I can't get to a stable desktop or Safe Mode desktop, then I'll just have to wipe the C:\ and start again (I do still have a floppy somewhere around, don't I?).
Last edited by Boink!; 12-11-2008 at 15:41.
Reason: It hates me.
|
|
|
12-11-2008, 15:41
|
#15
|
Trusted User
Join Date: Jan 2002
Posts: 208
Thanks: 0
Thanked 0 Times in 0 Posts
|
Quote:
Originally Posted by Boink!
Big write up on what to delete here.
|
Yep, that's only half the story; it works with the TDSServ.sys rootkit, which is invisible to the OS.
|
|
|
12-11-2008, 16:07
|
#16
|
2021 is the new 2020
Join Date: Mar 2001
Location: Part of Europe
Posts: 24,202
Thanks: 1,538
Thanked 4,190 Times in 1,385 Posts
|
Well, it's not stable enough now to boot into the desktop. As soon as the desktop appears it reboots again. Can't even get into safe mode.
Is there any way I can force even a stable C:\ to copy a few documents to safety? Would a LINUX install be of use?
Or maybe a temp XP install on the D:\?
Last edited by Boink!; 12-11-2008 at 16:12.
|
|
|
12-11-2008, 16:17
|
#17
|
Trusted User
Join Date: Jan 2002
Posts: 208
Thanks: 0
Thanked 0 Times in 0 Posts
|
What about a bootable CD? 911 forums have some information on them.
|
|
|
12-11-2008, 16:20
|
#18
|
2021 is the new 2020
Join Date: Mar 2001
Location: Part of Europe
Posts: 24,202
Thanks: 1,538
Thanked 4,190 Times in 1,385 Posts
|
Porsche forums?
Ah, found it. Thanks.
Last edited by Boink!; 12-11-2008 at 16:21.
|
|
|
13-11-2008, 18:19
|
#19
|
2021 is the new 2020
Join Date: Mar 2001
Location: Part of Europe
Posts: 24,202
Thanks: 1,538
Thanked 4,190 Times in 1,385 Posts
|
Ended up wiping the C:\ drive and doing a fresh install of XP. That trojan was a right bugger and would stop you from doing anything near trying to stop it (including copying a Word document, containing all the files to be deleted, to the desktop resulted in the PC rebooting itself).
|
|
|
13-11-2008, 19:11
|
#20
|
Trusted User
Join Date: May 2001
Location: Manchester
Posts: 9,441
Thanks: 3
Thanked 22 Times in 14 Posts
|
To be honest, when you get a virus, the only way to be sure is to do a full format and start from scratch. Back when viruses weren't stealing information, it was less of a big deal, but nowadays when there's a financial motive, it's not worth the risk.
__________________
Xbox live: Igor The Fiend
|
|
|
All times are GMT.