Archive for July, 2008
Antivirus 2009, Antivirus 2008, XP Antivirus, XP Antivirus 2008 and XP Antivirus 2009 are all members of the same family of rogue anti-spyware programs. Once run, they use deceptive tactics to pressure you into purchasing the rogue product. Many SpywareRemove readers have reported trojan infections related to the XP Antivirus or Antivirus 2009 family. Our Threat Research Team has found that these trojans can infect the winlogon.exe system file, from which they initiate the download of rogue anti-spyware programs such as XP Antivirus and Antivirus 2008. Because winlogon.exe is essential to the operation of Windows, these trojans are very difficult to remove.
Antivirus 2008 or Antivirus 2009 Trojan Family Removal Difficulties
Many people who have attempted to remove the Antivirus 2009 family of rogue anti-spyware programs have succeeded, but some have had difficulties. The Antivirus 2009 trojan family can be hard to remove because of the trojans that deliver it, such as Zlob, Vundo or other trojan downloaders.
These trojans have acquired rootkit-like capabilities that let them hide files on the system and evade spyware removal programs. The worst case is when the infection reaches Winlogon, where it can disable key functions of the computer and leave the user unable even to log in as an administrator. To protect itself, an Antivirus 2009 infection disables security programs and blocks security websites, so that the user's only apparent option is to buy whatever rogue anti-spyware program keeps popping up. Even if you terminate the running Antivirus 2009 processes, they may start again on the next reboot. Completely removing Antivirus 2009 requires a deep and careful removal procedure. Our Threat Research Team is well aware of this problem, and its main priority is a reliable solution for Antivirus 2009 infections in Winlogon and elsewhere on the system.
Signs of Antivirus 2009 Trojan Family Infection
- Each Antivirus 2009 variant displays popups or alerts claiming that it has detected a violation or security issue on your computer. These notifications are fake and should not be clicked, since they lead to a prompt to purchase one of the Antivirus 2009 variants. The XP Antivirus, XP Antivirus 2008 and XP Antivirus 2009 alert messages look like this (quoted as the rogue program displays them, misspellings included):
- System files modification alert!
Some critical system files of your computer were modified by malicious program. It may cause system instability and data loss. Click here to block unathorised modification by removing threats (Recommended).
- Privacy Violation alert!
XP antivirus detected Privacy Violation. Some program is secretly sending your private data to untrusted internet host. Click here to block this activity by removing threats (Recommended).
- New or unknown icons or shortcuts appear on your desktop.
- The C: drive icon disappears from "My Computer".
- The Windows Start Menu no longer shows its normal items, such as "My Documents", "My Computer", "Search" and "Help".
- The desktop background changes to a red background with a toxic-hazard style logo in the middle and the text "Privacy is in Danger! download Privacy Protection software Now" beneath it.
- Your screensaver is changed to show black bugs crawling across the screen, or an image of the infamous "Blue Screen of Death".
- "virus ALERT!" text appears in the system tray.
- Administrative privileges are removed or limited on the default administrator account.
- The computer becomes very slow or crashes during common operations.
The following links provide removal information for Antivirus 2009, Antivirus 2008, XP Antivirus, XP Antivirus 2008 and XP Antivirus 2009.
- Antivirus 2008 or Antivirus2008 Removal Instructions
- Antivirus 2009 or Antivirus2009 Removal Instructions
- XP Antivirus or XPAntivirus Removal Instructions
- XP Antivirus 2008 or XPAntivirus 2008 Removal Instructions
- XP Antivirus 2009 or XPAntivirus 2009 Removal Instructions
Has this article assisted you in better understanding the Antivirus 2009 family of rogue anti-spyware programs? Are you able to better identify and remove Antivirus 2009, XP Antivirus, XP Antivirus 2008 or XP Antivirus 2009?
A trojan rootkit variant (part of the Win32.Rootkit.Gen or Rootkit.Gen family) continues to threaten computer users. It can prevent anti-virus software from running, so the software cannot scan for and remove parasites on your computer. Users infected with this rootkit variant report that it will not let them open their anti-virus program or visit websites that would help them remove the infection, such as symantec.com and update.microsoft.com. A rootkit infection of this kind clearly causes serious problems for the affected user.
Understanding Rootkits
A rootkit may be a single program or a combination of malicious programs designed to take control of your computer. Essentially, a rootkit gives hackers or outside attackers root access to the infected computer: they can act as an administrator and use your system without your permission. A rootkit such as Rootkit.Gen runs in the background and blocks certain programs, or access to certain websites, that could help you remove it. Other rootkits have been known to pose as proxy servers or to spread through executable files.
The name comes from the Unix "root" account: a rootkit is a kit of tools that lets an intruder keep root-level access to a compromised machine while hiding their presence from its legitimate administrator. Today, hackers use this technology for malicious purposes (usually to extort money) at the expense of computer users, who often do not know they have been infected. As with trojans and rogue anti-spyware, you need to protect yourself against rootkit infections and other malware.
Rootkit Symptoms to Watch Out For
- The anti-virus program you have installed no longer runs.
You notice that you are no longer protected by your anti-virus program, and you may get popup alerts from Windows saying so. If you normally run anti-virus software and it does not start on command, that is a clear sign that a setting has been changed without your permission.
- Your computer locks up or fails to respond to common input.
At times your mouse stops moving, or a program stops functioning or responding to your commands.
- Windows settings change without your permission.
When you open certain programs or perform actions on the Windows desktop, you notice that a setting has been changed from what you originally set. This can be anything from your background or screensaver changing to your taskbar hiding itself.
- Web browsers are disabled.
You cannot open Firefox or Internet Explorer to browse the web. Malicious applications sometimes block Internet access by shutting down web browser applications.
- Excessive network traffic, or your network connection becomes slow or disconnected.
Web pages or network activity may be intermittent or stop working properly at times.
What to Do to Disable Rootkits?
So you have been infected by a rootkit and it is wreaking havoc on your computer. Most of the symptoms described above appear once a Rootkit.Gen infection is present. To regain control of your computer, you must disable Rootkit.Gen and its variants.
IMPORTANT: Although the instructions listed below have been added to help you disable a rootkit on your computer, there’s no guarantee that the rootkit and other malware will not reappear on your computer. Make sure to follow the instructions with caution and back up your computer before you start. Instructions are to be used at your own discretion. If you’re not sure what to do, then it’s advised that you get help from an experienced computer technician.
- Download and install RootkitRevealer from Sysinternals and run it. RootkitRevealer compares what the Windows API reports with what it reads directly from the file system and the raw registry hives; anything present in the raw view but missing from the API view is being hidden from Windows. That list of discrepancies tells you which files belong to the rootkit and must be removed. In this example the rootkit's main file is "clbdriver.sys", located in the folder C:\Windows\System32\Drivers.
- Boot your computer from a Windows installation CD into the Recovery Console.
- Delete the following files, which are located under the Windows directory (C:\WINNT, C:\WINDOWS or %WinDir%):
%WinDir%\system32\clb.dll
%WinDir%\system32\clbcatex.dll
%WinDir%\system32\clbcatq.dll
%WinDir%\system32\dllcache\clb.dll
%WinDir%\system32\dllcache\clbcatex.dll
%WinDir%\system32\dllcache\clbcatq.dll
Note that clb.dll, clbcatex.dll and clbcatq.dll are also the names of legitimate Windows COM+ components, which is why the rootkit hides behind them. The dllcache copies are deleted as well because Windows File Protection would otherwise restore the infected files from there; a clean clb.dll is put back from the i386 directory later in this procedure.
- While still in the Recovery Console, enter the following commands to remove the driver file. The first dir confirms the file is there and the second confirms it is gone:
cd \
cd c:\windows\system32\drivers
dir clbdriver.sys
del clbdriver.sys
dir clbdriver.sys
The first dir should report one file found; the last should report that the file was not found.
- Reboot your computer.
- Open the registry editor (regedit) and find and delete the following registry keys:
HKEY_LOCAL_MACHINE\software\MRSoft
HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}
HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\clbImageData
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clbdriver
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\clbdriver.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\clbdriver.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\clbdriver
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys
- Use the expand.exe command to extract clean copies of explorer.exe and clb.dll from the i386 directory of the installation CD. This copies fresh versions of the files to the C:\Windows\System32 directory.
- Rename the freshly extracted explorer.exe to something else, such as explorer_new.exe.
- Open the registry editor again (regedit) and change the Shell value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon from explorer.exe to the renamed file (explorer_new.exe). The Shell value lives under the Winlogon key, not under a key named Windows. If the name is not changed, the infection returns.
- Restart your computer. The rootkit should now be disabled.
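As an added check for the procedure above (not part of the original post), the following PowerShell script looks for each indicator the removal steps name: the driver file, the DLLs, the registry keys, a loaded clbdriver service and the Winlogon Shell value, and reports what it finds. It only reads and deletes nothing. It shares one caveat with every tool that runs inside the infected Windows: it sees only what the Windows API shows it, so an active rootkit can hide the driver file and its keys from this script exactly as it hides them from anti-virus software. That is why RootkitRevealer's raw-versus-API comparison and the offline Recovery Console steps are still needed. Run it before removal to confirm what you are dealing with and after the final reboot to confirm the indicators are gone. The only assumption is that $env:WinDir is the directory the post calls %WinDir%.

```powershell
# Added triage script (not from the original post): reports which of the
# Rootkit.Gen / clbdriver indicators named in the steps above are present.
# It is read-only and deletes nothing; removal still happens from the
# Recovery Console as described. Run from an Administrator PowerShell prompt.
# Assumption: $env:WinDir is the directory the post calls %WinDir%.

$win      = $env:WinDir
$findings = @()

# 1. The driver file itself. It has no legitimate counterpart, so its presence
#    (when the rootkit is not hiding it) is the strongest single indicator.
$driverFile = Join-Path $win 'system32\drivers\clbdriver.sys'
if (Test-Path -LiteralPath $driverFile) {
    $findings += "DRIVER FILE  $driverFile"
}

# 2. The DLLs the post deletes. clb.dll, clbcatex.dll and clbcatq.dll are also
#    names of legitimate Windows COM+ components, so record size and timestamp
#    for comparison against a known-clean machine instead of flagging presence.
$dlls = 'clb.dll', 'clbcatex.dll', 'clbcatq.dll'
foreach ($sub in 'system32', 'system32\dllcache') {
    foreach ($name in $dlls) {
        $p = Join-Path $win (Join-Path $sub $name)
        if (Test-Path -LiteralPath $p) {
            $i = Get-Item -LiteralPath $p -Force
            $findings += ('DLL          {0}  {1} bytes, modified {2}' -f $p, $i.Length, $i.LastWriteTime)
        }
    }
}

# 3. Registry keys the post deletes. CurrentControlSet is a link to the active
#    ControlSet00N, so checking it covers the ControlSet001 entries as well.
$keys = @(
    'HKLM:\SOFTWARE\MRSoft',
    'HKLM:\SOFTWARE\Classes\CLSID\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\clbImageData',
    'HKLM:\SYSTEM\CurrentControlSet\Services\clbdriver',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\clbdriver.sys',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\clbdriver.sys'
)
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "REGKEY       $k" }
}

# 4. Is the driver loaded right now? A running kernel driver is why the post
#    removes the file from the Recovery Console rather than from within Windows.
$drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='clbdriver'"
if ($drv) {
    $findings += "LOADED       clbdriver state=$($drv.State) path=$($drv.PathName)"
}

# 5. The Winlogon Shell value that the post's last step changes. On a clean
#    system it is exactly explorer.exe; anything else deserves a look.
$wl    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wl -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -ne 'explorer.exe') {
    $findings += "WINLOGON     Shell=$shell (expected explorer.exe)"
}

if ($findings.Count -eq 0) {
    'No clbdriver / Rootkit.Gen indicators visible through the Windows API.'
} else {
    'Indicators found:'
    $findings | ForEach-Object { "  $_" }
}
```

After you have completed the procedure and renamed the shell, the script will report the Winlogon Shell value as explorer_new.exe; that single line is expected and is the only finding a cleaned system should show.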
Remember the instructions mentioned on this article are to be followed at your own discretion. We are not responsible for any complications that may occur when using the information provided above.
Simple Tips to Prevent Rootkits from Running on Your PC
- Pay special attention to privilege settings and to which programs users are allowed to install. Do not give ordinary users the ability to install applications; in other words, do not give guests or secondary users broad privileges to change settings.
- Keep up to date with all available security patches. Check your Windows Update schedule and make sure Automatic Updates is on and working. It never hurts to check manually for new updates or security patches on the Microsoft Update website.
- Verify that you have firewall protection. Using the built-in Windows Firewall is always a good idea, and other firewall software can help protect against infections as well.
What will these hackers and their rootkits do next? There are, of course, other methods of disabling trojan rootkits. If anyone has new methods or developments concerning rootkits that they would like to add to this article, we encourage you to post a comment below.