Wednesday 14 January 2009

AntiVirus 2009 on Google's Home Page?!? WinSystems.dll

This is probably one of the more interesting things to see on any given day:


Google has detected unregistered (sic) AntiVirus 2009 copy on your computer.

Now, besides the bad grammar, it is a little surprising that Google would be supporting any kind of A/V product.

If one is careful enough, the so-called IE Information Bar actually hides a bit of bad code that shows itself.

BleepingComputer.com has some great articles on removing the malware.

The articles point to a MalwareByte's A/V freeware product that actually does the removal: Malwarebytes' Anti-Malware.

In the above screenshot, the malware shows in the tray. The user knew that there was something up on the initial window, but did not realize that the only way to get rid of that window was via the Task Manager. So, clicking on the red X only served to give A/V 2009 a foothold into the system.

So, we downloaded the tool and ran it through. It cleaned out the system, but missed something. After the clean we were still getting the A/V 2009 hook on the Google Web page.

So, back to BleepingComputer.com: Antivirus 2009 Hijacks The Google Web Site. But, the winsrc.dll file mentioned in the article did not exist on this system.

Run IE with no add-ons and Google was clean.

So, a look into the Add-Ons manager in IE turned up:

IE Add-On for Research? winsystems.dll

Disable that add-on, and sure enough there was no more A/V 2009 on Google's home page.

A quick search for the file and a SHIFT+DEL and the file was gone.

The lesson here is quite simple: MalwareBytes is a great tool, but like any other malware fighting tool, it may miss on its searches once in a while. It managed to scan through and find a whole bunch of different stuff like the original A/V 2009 programs, search bars and the like, but it missed the winsystems.dll.

For users with Windows Vista, the UAC lesson is very simple: Cancel.

For users of Windows XP: Do Not Touch. Bring up the Task Manager and kill the software there.

The process in the Processes tab was AntiVirus2009.exe, so it was not too difficult to kill so we could get to the MalwareBytes site and download the cleaner tool as A/V 2009 always redirected to a "Get our product now or else you are doomed" type message page.

We really need to keep on top of training our users! In this case, we are dealing with a new client. So, in time, and with some Internet "Street Smarts" training, our new client's users will be more prone to avoid any malware infections.

Working against malware is one area where our experience, that is our working with the same settings and Internet Explorer Add-Ons, and knowing which Windows processes are the right ones to be there, can pay dividends in finding the source of the problem quickly and efficiently.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists

*All Mac on SBS posts are posted on our in-house iMac via the Safari Web browser.

10 comments:

Anonymous said...

Yes one many thing that keep us busy they some great removal tool for it too


Andy Asselin

Anonymous said...

Seems like we went through the exact same proccess, malware bytes fixed 90% of the popups, but that last one was there, redirecting to the antivirus2009 page.

I think this variant may only be less than a week old as malware bytes misses it and there isnt any other mention of this dll on the removal instructions on any of the pages.

Jen said...

Well I cannot shift + del winsystems.dll, access denied. Have run Ad-aware, spybot search & destroy, malwarebytes, all say they're gone..but google still warns about AV2009. This is terrible!

Philip Elder Cluster MVP said...

Jen,

Make sure you start IE in No Add-ons mode first. Disable the A/V 2009 Add-on. Close IE.

Then try to SHIFT+DEL and it should work.

Philip

Jen said...

Thank you Phillip, unfortunately it is still not working. I disabled it, closed IE, tried deleting the dll file, access still denied. I think I'm going to try combofix now. It'll be the 5th one I'm trying....
problem is, the darn browser helper object "research" keeps enabling itself....Arghhh!

Anonymous said...

I couldn't get rid of the file either, but i rebooted in safe mode and it deleted just fine.

Anonymous said...

Man I'm so glad I found this blog... Customer had antivirus2009on her pc. To get rid of the spyware was nothing: like you said: malwarebytes did the trick.

But the ie problem! It was driving me insane and no solution to be found! Except here! Ur the best :D
If this wouldn't have worked; i'd just have reinstalled the pc.. *me does a happy dance*

Greetings
Maaike

Anonymous said...

Google did not find it, what is happening is there is a BHO (browser helper object) that is attempting to connect to the AV 2009 (now AV360.net) website and the built-in malware blocker is actually working and not allowing it to go there, unless of course you tell it you want to.

Anonymous said...

StopZilla was the only program that fixed it. I tried all the other methods but it kept coming back. After I installed StopZilla, the Atnivirus 2009 popups were gone from my computer. $20.00 is way cheaper than your time unless you like to pull your hair out.

Thanks

Anonymous said...

Had same problem as above but the “Research” Plug-In was associated with a file named winconfig.dll in the Windows\System32 file. Malwarebytes found it, quarantined it and deleted it. By the way, I had the same problem trying to delete it manually, even Shift > Delete wouldn’t work, access denied. Good luck (From what I have been reading about this little nasty critter is that it morphs or changes registry keys and file names all the time as you can see by the winconfig.dll versus the winsystem.dll). I say they should find the creator’s and “Off with their heads”.