Antivirus 2008: The Latest Scourge of the Internet

The one thing that never changes in IT is the fact that everything is constantly changing.  In the past, people had to watch out for viruses.  Then it was spyware, and then it was browser hijackers.  Next came the Trojan, a program that, when opened, would release a virus, spyware or both.  Lastly we heard about phishing, an attack that tricked the end user into giving out personal information and led to identity theft.

Recently The Village Geek has been flooded with computers that are infected with what researchers are calling rogue software, or fraudware.  Fraudware is software that tries to frighten the end user into purchasing protection from… itself.  In the old days they called it extortion.

The current rash of fraudware is called Antivirus 2008; it is available in several varieties, including XP Antivirus 2008, XP Antivirus 2009 (the latest version!), MS Antivirus and probably more.  This is an actual program that installs itself on your system in the same way spyware installs, without your knowledge or permission.  Antivirus 2008 then shows up on your taskbar as a warning icon that looks almost identical to the Windows Security Center shield, showing an “X” or an exclamation mark.  Pop-up bubbles will warn you that an infection has been found.  If you ignore the pop-ups, the program will open full screen and simulate a virus scan that shows multiple infections.  The program will show you all the problems and then explain that you must purchase the full version for $50 in order to clean these infections.

Here are some typical warning messages:

Privacy Violation alert!
XP antivirus detected Privacy Violation. Some program is secretly sending your private data to untrusted internet host. Click here to block this activity by removing threats (Recommended).

or

System files modification alert!
Some critical system files of your computer were modified by malicious program. It may cause system instability and data loss. Click here to block unathorised <sic> modification by removing threats (Recommended).

The beauty of the scam is that (at least so far) none of the major antivirus and antispyware programs are picking this thing up.  Once you pay your money the program doesn’t clean anything, and on some versions it will actually release a flood of spyware or Trojans into your system.  Eventually you will no longer be able to use your system, as Antivirus 2008 will not allow you to get past its interface except to follow the link where they will allow you to repurchase the software in hopes of ridding yourself of the menace.

Obviously if you have paid these crooks for the full version you will need to contact your credit card company and stop payment as soon as possible.

The early version of this rogue software had an uninstall routine, which would remove it from the “Add and Remove Programs” applet in the Control Panel but did not remove the program.  The newest versions don’t bother with the extra steps; they’ve got you and they aren’t going to let go.

Below are some typical processes, files and registry entries that must be removed in order to clean Antivirus 2008 off your system.  You should be aware that editing the registry should only be done by experienced technicians, and there is no guarantee that these files are the only ones on your system.  Comparing your running processes in the Windows Task Manager against this list will help you determine if this is an issue on your system.

Associated (XP) Antivirus 2008, XP Antivirus 2009, and XPAntivirus Processes:
Antvrs.exe
AntvrsInstall.exe
AntvrsInstall[1].exe
Win Antivirus 2008.exe
av2008xp.exe
Antivirus-2008.exe
xpa_2008.exe

Associated (XP) Antivirus 2008, XP Antivirus 2009, and XPAntivirus Files:

c:\Program Files\XP Antivirus
c:\Program Files\XP Antivirus\xpa.exe
C:\Program Files\XPAntivirus\
C:\Program Files\XPAntivirus\XPAntivirus.exe
c:\WINDOWS\system32\scui.cpl
%UserProfile%\Desktop\XP Antivirus 2008.lnk
%UserProfile%\Start Menu\XP Antivirus 2008
%UserProfile%\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk
%UserProfile%\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\XP Antivirus 2008.lnk
C:\WINDOWS\krln32.exe
C:\WINDOWS\system32\scvh0st.exe
C:\Program Files\Common Files\trjdwnl.dll
C:\WINDOWS\shlext32.exe

Associated (XP) Antivirus 2008, XP Antivirus 2009, and XPAntivirus Windows Registry Information:

HKEY_CURRENT_USER\Software\XP antivirus
HKEY_CURRENT_USER\Software\
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\XPAntivirusFilter
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XPAntivirusFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-dcf7-f96da086b434}\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C6B8C69-9285-4D94-8492-9E920C8C2B65}\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74f25a2c-22b3-4023-8f1a-ca616c30a8b5}\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9a19966f-ae0e-4699-8cce-9b6f5f1c352c}\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D714A94F-123A-45CC-8F03-040BCAF82AD6}\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP antivirus_is1\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "XP Antivirus"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "mmnext06"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "shellbn"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "System"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Framework"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
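To make the "compare your running processes against this list" check repeatable, here is an added triage script (written for this page, not a tool from The Village Geek) that matches the output of `tasklist /FO CSV` and of `reg query` on the Run key against the process names and Run values listed above. The sample outputs embedded in it are constructed for illustration; the value name "Updater" and the SoundMAX entry are invented examples of a legitimate-looking entry and a benign one.

```python
import csv
import re

# Process image names and Run-value names listed in the article above, lower-cased.
ROGUE_PROCESSES = {
    "antvrs.exe", "antvrsinstall.exe", "antvrsinstall[1].exe",
    "win antivirus 2008.exe", "av2008xp.exe", "antivirus-2008.exe",
    "xpa_2008.exe", "xpa.exe", "xpantivirus.exe", "krln32.exe",
    "scvh0st.exe", "shlext32.exe",
}
ROGUE_RUN_VALUES = {"xp antivirus", "mmnext06", "shellbn", "system", "windows framework"}

def find_rogue_processes(tasklist_csv):
    """Match `tasklist /FO CSV` output against the process list; returns (name, PID) pairs."""
    hits = []
    for row in csv.DictReader(tasklist_csv.splitlines()):
        if row["Image Name"].strip().lower() in ROGUE_PROCESSES:
            hits.append((row["Image Name"], row["PID"]))
    return hits

REG_LINE = re.compile(r"\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")  # "    name    REG_SZ    data"

def find_rogue_run_values(reg_query_output):
    """Match `reg query ...\\Run` output by value name or by the executable it points to."""
    hits = []
    for line in reg_query_output.splitlines():
        m = REG_LINE.match(line)
        if not m:
            continue  # key header line or blank line
        name, _type, data = m.groups()
        exe = re.split(r"[\\/]", data.strip().strip('"'))[-1].lower()  # basename of the target
        if name.lower() in ROGUE_RUN_VALUES or exe in ROGUE_PROCESSES:
            hits.append((name, data.strip()))
    return hits

# Constructed sample output (not captured from a real machine) so this runs offline.
SAMPLE_TASKLIST = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","1032","Console","0","4,812 K"
"scvh0st.exe","1788","Console","0","2,104 K"
"Win Antivirus 2008.exe","2240","Console","0","18,532 K"
"explorer.exe","1540","Console","0","22,104 K"
"""
SAMPLE_REG_QUERY = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    mmnext06    REG_SZ    C:\\WINDOWS\\krln32.exe
    SoundMAX    REG_SZ    C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe
    Updater     REG_SZ    C:\\WINDOWS\\system32\\scvh0st.exe
"""
```

On a suspect machine, feed the functions the real output of `tasklist /FO CSV` and `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"` (and the HKCU equivalent); a hit on the look-alike `scvh0st.exe` next to the genuine `svchost.exe` is exactly the kind of thing the Task Manager comparison is meant to catch.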

Typically I would refer you to links on the internet that may be helpful at this point, but every site I can find is busy attempting to sell you a solution, or worse, attempting to infect you.  At one point the top paid advertisement on the right side of a Google search was for Antivirus 2009.  Tread carefully here, folks, or just bring it to The Village Geek and let us clean this mess up for you.

We have found one freeware program that will remove the rogue, but of course the site is blocked by the rogue software as soon as you are infected.  If you are reading this, you may still be able to download the utility here.