Does ESET AV remove malware Antivirus 2009?

Hi A client's PC became infected with Antivirus 2009. Another tech worked on it remotely, and said it needed a full reinstall of XP, so I rebuilt it. I didn't have time to re-scan with NOD again.

The PC had NOD 3.0 AV, the tech said he ran a full NOD AV scan, but it didn't remove the virus completely. Or rather, it removed the malware program itself, but IE still had the pop-ups after about 10 secs on the internet, saying they needed to re-install Antivirus 2009. So the PC wasn't completely fixed.

Does anyone have any similar experiences? Does NOD remove this bug normally?

Thanks
M

 

No, unfortunately nod32 can't remove this pest, it detects many variants of it, but there are new variants everyday. If u get infected again, there's no need to reinstall windows, u can get rid of it easily with some anti-malware tools like this one http://www.malwarebytes.org/index.php

There are other tools like this one that can help u, but i've used this and it has worked very well.

 

That's really strange. Why is it that malwarebytes can get rid of it, but somehow ESET can't?

Would anyone from ESET like to comment? My clients are asking....

M

 

Correct me if I'm wrong, but certain security applications are not much targeted by malware writers and thus can recognize certain malware better than AV programs at which malware writers target their creations. I won't go into discussion about MB here, I'll rather leave it up to you to find out how good it's in removing other malware whose writers don't target famous AVs, how many FPs it may cause, or if it removes malware in a safe manner which, for instance, may not cause system restarts or other severe problems. I'm not entitled to compare products from different AV vendors so you must make a test and the conclusion yourself. However, take into account that there are millions of malware variants in the world and the fact that a particular application is better in recognizing certain malware families doesn't mean it will protect you better against all other threats.

If you notice a strange behavior and are unable to identify the file that is causing it, send a log from ESET SysInspector to samples[at]eset.com with this thread's url in the subject and we'll check it for you and give you further instructions or provide a cleaner to remove it.

 

For proper removal of Antivirus 2009 or any of its variants, please remember to turn off system restore before attempting to clean this pest, otherwise it will always re-infect on reboot. Run the latest Microsoft Malicious Software Removal Tool, as far as I know the only software that can properly access the system restore folder for cleanup. Then run malwarebytes or whatever other anti-malware tool you like.

 

Why? How does that work? I was under the impression that files can only come out of the System Restore folder when explicitly told to by performing a Restore. What mechanism results in Antivirus 2009 being able to repair itself in this manner? I know some of them will re download missing files and components from the server they arrived from but this is different from resurrection from the SR folder.

Also many experts don't recommend this - see this page

 

Dont' ask me how, but I had a couple of machines where they would always reinfect on boot (If i logged with account with administrative rights) it wasn't until i disabled system restore and ran the microsoft tool that I finally was able to get rid of Antivirus 2009.

What troubles me is that the only people who seem to have access to the System Restore database appears to be virus/malware authors and microsoft. Most antivirus/antimalware programs dont' seem to have access to this area of the system. I hope i am wrong though.

 

I'm afraid you are.

No program can spontaneously regenerate from SR. Chances are there are other undetected processes repairing and maintaining the malware.

Some AV can remove files from the SR folder but this is not advisable. Many fail when they try - "Access denied".

Many anti virus products can detect files in the SR folder but they are always old copies that were backed up when the original file was deleted. Some AV elect not to scan the SR as it produces "false" detections. I had a machine here last week where it was continuously stating it had detected x, y and z virus. A quick check of the logs showed that it was the AV detecting the files in the SR folder. I could find corresponding entries in the log from when they were originally deleted a few days before. The PC wasn't actually infected any more and in this case flushing the SR did stop the problem of the "false" alerts.

 

This is odd because I've had two-three machines that brought up that the user tried installing this and NOD32 seemed to quarantine the exe before anybody could install it??

MB, Adware, and NOD32 say the system is clean.. As much as I like NOD32 I do not trust it to be my sole confirmation after I see a hit on a machine..

 

Must be a variant sneaking its way through. Or maybe we didn't have HTTP download protection turned on for the machine in question.

AGREED!! Unfortunately we only have limited billable time to fix a machine. Its actually faster to rebuild than it is to run a full scan, repair, find it's still infected, try another tool, rescan again, repeat..... Rebuild = 1-2 hours max, 100% fix rate!!! Scan alone takes at least 30min....

 

That is because you don't know what tools exactly to use Scanning with one program , waiting , removing , using another signature based program , updating , scanning , removing , trying 3rd signature based program , scanning , removing ... is an outdated solution to deal with todays' threats. There are other methods which guarantee faster way to deal with malware and do not work the same way as signature based tools - which guarantee removal of both know and unknown threats . Actually ALL threats could be unknown , but not all are known.

 

I thought that it was the security applications that are supposed to target the malware! I guess it works the other way around too.

Look, all I'm saying is that there is a tool out there, Malwarebytes, that everyone is recommending is the best thing for this pest. I've not tried it yet because by the time I've run a scan with NOD and with MB, my client time is exhausted and I could have rebuilt the machine faster anyway. Now as I'm paying for ESET, and this failing is costing client's time and money, I'm going to be on ESET's case if you don't keep up with your security vendor competitors.

If the best you can do is claim that MB's removal process could/maybe/might damage the machine in some way, well that's not good enough. It is up to ESET to keep up with trends in AV malware which of course you do, but so far no-one is recommending ESET for this pest! So get it on the hit list please!

Fair enough; fact is that basic scan of MB is claimed to remove AV2009. So far, no-one seems to be recommending ESET for this particular virus. So you guys should please add it to your hit list, and make sure you are the recommended tool so I can continue to recommend it to my clients!

The last thing I need is to tell the client that my recommended security tool didn't protect them, that is the LAST thing I need. So please, raise the importance of this pest in your malware hit list, and make sure that ESET is still the best product for removing malware.

 

OK now I'm intrigued. Please share, what method and tools do you recommend, HiTech_boy?

 

I use HijackThis, Avenger, Killbox, HostsXpert. That's it and I can remove 100% of any new threat. It may take me a bit to figure a new one out (such as the new kind which hid in the %userprofile%/ApplicationData/Google folder) but I can get them out.