Virus Response (Lab) 2009

Dzomlija

Has anybody heard of the fake anti-virus "Virus Response 2009", and its clone "Virus Response Lab 2009"? Better yet, has anyone had any luck FULLY removing it?

I have 2 client machines here (XP Pro and Vista Home Premium), and I've managed to sort of get rid of this sucker, but still there remains a Taskbar Notification icon that I can't get rid of, and it's still there even in Safe Mode!

The only "solutions" I've found require downloading and installing some other piece of suspect software.

I've searched Avast, Kaspersky, Symantec and AVG websites, all of which have no references to this. Which makes me believe it's still too new...
 

Nope sorry this is the first time I heard of it. Thanks for the heads up about it too.
 

Nope sorry this is the first time I heard of it. Thanks for the heads up about it too.


And it's a particularly nasty one too. In my attempts to remove it, I found traces of its activities, and I've already given my customer a heads-up to have all their online banking logins changed...
 

Hi Peter,

Have a look at this video from YouTube:
[youtube]hRLVPiPJPZs[/youtube]
 

Hi Peter,

Have a look at this video from YouTube:
[youtube]hRLVPiPJPZs[/youtube]

Thanks Dwarf, but our Indian friend in that video neglected to mention that somehow even the Manual Removal Instructions, in concert with CCleaner, HijackThis and Process Explorer, do not fully remove it.

A taskbar notification still remains that I am unable to track down. It's not a service, because disabling ALL services doesn't stop it. Disabling ALL startup items doesn't stop it. Even removing Policy Run registry entries that MSCONFIG doesn't see didn't stop it.

This "Virus Response Lab 2009" somehow even starts in Safe Mode Command Only! No matter what I do...
 

Hi Peter,

Can you post an image of this notification, together with any text associated with it?
 

Hi Peter,

Can you post an image of this notification, together with any text associated with it?

Your timing could not have been any worse! The customer has instructed me to just go ahead and use the restore disks, which I started about 15 minutes ago!

What I can tell you is what the icon in the notification area looks like, and what it does.

It looks like the "Windows Updates" shield, except it flashes between a Blue and Yellow version of itself, and if you click on its notification balloon, or left click or right click on the icon itself, it tries to open up a page to virusXXXresponseXXX2009DOTcom (I've deliberately obfuscated the address for safety reasons with XXX and DOT). I've never allowed the page to open, so I can't say what happens beyond that....

Some extra files that I deleted, and that for some reason are not mentioned in any of the "solutions" I've found are "qttask.exe", "qttasku.exe" and "qttaskm.exe", all in "C:\Windows". They appear to be part of Quicktime, but End Tasking either one does nothing, as each monitors the other and just starts them up again, so cannot possibly belong to Quicktime...

Oddly enough, before I started the Recovery Disk, I also forcibly removed Grisoft AVG by deleting the Program Files entries, and the notification went away, so it would appear to have targeted AVG.
 

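An added illustration of the observation in the post above, not part of the original thread or any poster's own code: a small check that flags processes using a trusted program's file name from the wrong folder, or a near-copy of that name, as with the "qttask.exe", "qttasku.exe" and "qttaskm.exe" files found in "C:\Windows". The expected QuickTime install folders, the function names and the sample process list (including its parent/child links) are assumptions constructed for the example.

```python
import ntpath

# Assumption: folders where the genuine binary is expected to live.
EXPECTED_DIRS = {
    "qttask.exe": {r"c:\program files\quicktime",
                   r"c:\program files (x86)\quicktime"},
}

def classify(image_path):
    """Return 'ok', 'misplaced', 'lookalike' or 'unlisted' for one image path."""
    path = ntpath.normpath(image_path).lower()
    folder, name = ntpath.split(path)
    if name in EXPECTED_DIRS:
        return "ok" if folder in EXPECTED_DIRS[name] else "misplaced"
    stem = ntpath.splitext(name)[0]
    for legit in EXPECTED_DIRS:
        base = ntpath.splitext(legit)[0]
        # A known name with one or two characters appended (qttasku, qttaskm).
        if stem.startswith(base) and 1 <= len(stem) - len(base) <= 2:
            return "lookalike"
    return "unlisted"

def find_masquerades(processes):
    """processes: iterable of (pid, parent_pid, image_path).
    Returns {pid: (verdict, parent_also_flagged)} for suspicious entries."""
    processes = list(processes)
    verdicts = {pid: classify(path) for pid, _, path in processes}
    flagged = {pid for pid, v in verdicts.items()
               if v in ("misplaced", "lookalike")}
    return {pid: (verdicts[pid], ppid in flagged)
            for pid, ppid, _ in processes if pid in flagged}

# Constructed sample process listing (not captured from a real machine).
SAMPLE = [
    (400, 4,   r"C:\Windows\explorer.exe"),
    (812, 400, r"C:\Program Files\QuickTime\qttask.exe"),
    (900, 400, r"C:\Windows\qttask.exe"),
    (904, 900, r"C:\Windows\qttasku.exe"),
    (908, 904, r"C:\WINDOWS\qttaskm.exe"),
]

if __name__ == "__main__":
    for pid, (verdict, parent_flagged) in sorted(find_masquerades(SAMPLE).items()):
        print(pid, verdict, "parent also flagged" if parent_flagged else "")
```

A flagged process whose parent is also flagged is worth treating as a group: processes that restart each other have to be suspended or removed together, not one at a time.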
Has anybody heard of the fake anti-virus "Virus Response 2009", and its clone "Virus Response Lab 2009"? Better yet, has anyone had any luck FULLY removing it?

I have 2 client machines here (XP Pro and Vista Home Premium), and I've managed to sort of get rid of this sucker, but still there remains a Taskbar Notification icon that I can't get rid of, and it's still there even in Safe Mode!

The only "solutions" I've found require downloading and installing some other piece of suspect software.

I've searched Avast, Kaspersky, Symantec and AVG websites, all of which have no references to this. Which makes me believe it's still too new...

Nope sorry this is the first time I heard of it. Thanks for the heads up about it too.

Hi Peter,

Can you post an image of this notification, together with any text associated with it?

Uncertain if this will give you any new pointers Chaps, but it's the latest blog on the Microsoft Malware Protection Centre site;

Microsoft® Malware Protection Center : FakeXPA... Journey of a Rogue

May help in some small way.
 

I'm guessing the fakers don't use exact Microsoft interfaces because they don't want to do anything wrong, like copyright violations. Wreaking havoc is ok though.
 

So I've had this virus response lab problem for about 2 months now, and have just ignored it....till now. One day I was Instant Messaging when a window popped up and it said it was some virus remover, three of them popped up and then it started deleting a bunch of files and I right away clicked out of it.

About a week later (today) I haven't been able to click anything because when I click something it refreshes a billion times or clicks the program a billion times.....I am sick of this virus.

PLEASE HELP
 

I had this issue on one of my customer's computers and ran just these 3 items, and Virus Response 2009 was simply out of the computer, including the icon in the system tray. Try these:
http://siri.urz.free.fr/Fix/SmitfraudFix.exe
Malwarebytes.org
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Note: Some antivirus programs like freeavg and pc cillin may falsely detect smitfraudfix.exe as a virus and may remove it. So disable your antivirus program temporarily and then execute the above mentioned files.
 
So I've had this virus response lab problem for about 2 months now, and have just ignored it....till now. One day I was Instant Messaging when a window popped up and it said it was some virus remover, three of them popped up and then it started deleting a bunch of files and I right away clicked out of it.

About a week later (today) I haven't been able to click anything because when I click something it refreshes a billion times or clicks the program a billion times.....I am sick of this virus.

PLEASE HELP

I usually don't like recommending this, but the only really effective way I've found to remove this sucker is to back up what you can, then format and re-install your OS.

It's unfortunate, but Virus Response Lab 2009 embeds itself so deeply into the system, that it's nearly impossible to remove 100% without causing additional damage.

The only real protection against these fake AV programs is to use and regularly update your antivirus program, and to learn the methods that your AV uses to alert you. That way you can tell when something is trying to fake you into installing additional malware.
 
