Thursday, January 8, 2009

Removing Antivirus 2009

I've received a number of hits on my previous post about some legal issues regarding Antivirus 2009 which I suspect are from people looking for how to get rid of the malware but can't get to the big antivirus sites because Antivirus 2009 has blocked them. For anyone looking for how to get rid of the program, here's my advice:

1) Don't expect to download a tool to fix the problem. The nastiest feature of Antivirus 2009 is that it blocks downloads from the major antivirus websites. In particular, Malwarebytes, which is recommended in a number of places to deal with Antivirus 2009, is blocked.

2) Get to a clean system. Just because you can't download the proper tools on a compromised system doesn't mean you can't download them at all. Go to another computer and download the tools you need. Malwarebytes Anti-Malware, mentioned above, can be downloaded here.

3) Send the tools from the clean system to the compromised system. The most obvious way to do this is via a flash drive. However, the version of Antivirus 2009 I dealt with (surprisingly) allowed me to send the mbam-setup.exe program through email.

4) Once the tool (whatever it is) is downloaded, rename it to .bat. With the version of Antivirus 2009 I dealt with, it wouldn't let mbam-setup.exe execute, but it would let blank.bat (what I renamed mbam-setup.exe) run just fine.
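Step 4 works because the blocker only looked at the file extension, not at what the file actually contained. As an added example (not from the original post), the check below tells a Windows executable apart from a real batch script by its MZ/PE header, which is how a defender's triage script, or a blocker that wanted to be effective, would have to classify files. The sample bytes are constructed inline, not taken from any real program.

```python
import struct

# Constructed sample input (not a real file): the smallest byte string
# that carries a valid-looking DOS header plus PE signature.
def make_fake_pe() -> bytes:
    e_lfanew = 0x40  # offset where the "PE\0\0" signature will sit
    dos_header = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    dos_header += struct.pack("<I", e_lfanew)  # e_lfanew lives at 0x3C
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 24

# Constructed sample input: a genuine batch script for comparison.
SAMPLE_BATCH = b"@echo off\r\necho hello\r\n"

def is_pe_executable(data: bytes) -> bool:
    """True if data begins with a Windows PE image header (MZ stub + PE sig)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        return False  # truncated or bogus header offset
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def classify(name: str, data: bytes) -> str:
    """Compare what the extension claims with what the content shows."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if is_pe_executable(data):
        if ext in ("exe", "dll", "sys", "scr"):
            return "executable"
        return "executable disguised as ." + ext
    return "not a PE file"

if __name__ == "__main__":
    print(classify("mbam-setup.exe", make_fake_pe()))
    print(classify("blank.bat", make_fake_pe()))  # renamed installer
    print(classify("run.bat", SAMPLE_BATCH))
```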

Please note that, for step 4 above to work, you might have to restart Windows in safe mode. A description of how to do that can be found here.

Please also note that the above 4 steps (including restarting in safe mode) might not actually work. The version of Antivirus 2009 which got onto my grandmother's computer let me run the antivirus setup program, but blocked the antivirus program itself. My next step after step 4 would have been to create a rescue CD and use that to boot from. However, my brother who also happened to be visiting that weekend had different advice: since my grandmother's computer was brand new, why not reformat the hard drive and just reinstall everything my grandmother wanted? In the end, that's what happened, since I would have been required to go back to my house (across town) to get a rescue CD, while my brother could reformat the hard drive immediately. It's an extreme measure, but I can testify that it certainly worked for my grandmother.

Update: As a potential alternative, I sent a message to Malwarebytes and asked them if they had a link that wouldn't be blocked by Antivirus 2009. They sent me a link, and I added it in this post.

2 comments:

John Taylor said...

William,
Great article. In the case of Antivirus 2009 do you recommend that people download the software fix even if they don't know their machine has been infected?

William Morriss said...

For most people, I don't think that downloading a fix in advance would do much good. As I mentioned, the version of Antivirus 2009 on my grandmother's computer included countermeasures against the standard fixes. While a knowledgeable user can implement counter-countermeasures, most users don't have the knowledge to do that, and Antivirus 2009 blocked websites where they could find instructions on what to do.

In my opinion, a better way to be sure you can recover is to get a wireless router and a second (cheap) computer which can use it to access the internet. That way, if your primary system gets infected, you can use the secondary computer to find instructions on how to bring it back to life.

Of course, the best of all is to not get infected in the first place, which is why I think everyone should have good antivirus software on their systems.