ID THEFT PROTECT - News and Views 20/06/2013
Antivirus 2008 spyware threat
15.08.2008

IDENTITY THEFT and IDENTITY FRAUD News and views - This daily news service searches the web to bring you relevant news to your desktop


Hi ALL you people in cyberworld! It's been brought to our attention in the last week that a rogue antivirus software program called Antivirus 2008 (also called Antivirus 2009) is doing the rounds at the moment.

Real antivirus or not?

Right, first and foremost it is not an antivirus program - it is in fact a spyware program, and a very aggressive one at that! Worse still, this spyware is doing the rounds disguised as a leading antivirus product - which it isn't. If you do happen to have it installed - and you'll only know about that when you see a batch of annoying pop-ups saying your computer is infected and a Windows-security-style AV icon in the task tray - you are in serious trouble!

What is the spyware program called?

Antivirus 2008, and it claims it is FREE. In fact it isn't - eventually it asks you for credit card details! I hear you sigh! In fact it doesn't do anything at all - no scan - all it does is drop some malicious programs onto your computer (trojans). These types of programs are sometimes referred to as 'rogue anti-spyware'.

How does this install on your computer?

Firstly, its origin is Ukraine and it's something you do not want lying around as it gets up to all sorts of naughty and nasty things. We've come across three methods of install (each of which of course also drops the malicious files): one by using an 'Antivirus online scanner' (the adverts can be found on Google sponsored links), another when someone clicks on an advertisement for 'Antivirus 2008', and the last via Instant Messenger (IM) emoticons/animations.

The last one interests me most, although using an online scanner from these guys is not a sensible move either (use a scanner from the ID Theft Protect www.id-theftprotect.com 'Find a solution' zone). Emoticon animations are popular additions to IM, and it is through this route that we believe Antivirus 2008 (and other malicious software) is being installed without the user's knowledge. So be extra careful when downloading those emoticons, as they may contain a lot of malware and spyware!! You have been warned!

What do the malicious programs do?

We are not entirely 100% sure, although we have personally seen this spyware at work and successfully removed it from a friend's computer - which is the most important point here. Some of the things I've noticed: it slows the computer to a snail's pace, installs annoying pop-ups that tell you your computer is infected, and installs some not-so-interesting spyware and malware (which may contain a keylogger and some horrible tracking stuff). So beware!

Antivirus 2008 / 2009 removal instructions

Firstly we suggest you download TWO anti-malware/spyware programs. We used PC Doctor and Ad-Aware FREE - PC Doctor costs $29.95 (this identified the pop-up application, which with manual removal would be difficult to find, let alone remove). When you have run the scans and fixed the results, proceed as follows:

(You might want to restart your computer and hit F8 to work in SAFE mode, which means no drivers will have loaded; generally this is the recommended method.)

Remove the processes
Antvrs.exe
AntiVirus2008.exe
AntvrsInstall.exe
AntvrsInstall[1].exe

Remove the DLL files (only the copies dropped alongside the rogue's own files: genuine Windows system DLLs with these same names live in the Windows\System32 folder and must be left alone)
shlwapi.dll
wininet.dll

Remove the registry entries
IMPORTANT: Removing the following entries requires good knowledge of the computer's registry. If you have no experience of editing the registry, I suggest you contact someone who has (find a friend ;)). The reason is, if you mess up the registry (which is the engine of Windows) you may not be able to use Windows at all. Which isn't good news!

Before removing the following registry entries it is recommended that you create a backup of the registry. Go to START, click RUN and type "REGEDIT". The registry editor will load. Save (export) a copy of the registry as "REGEDITbackup". Then remove the following entries with REGEDIT:

Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D
HKEY_USERS\Software\antivirus 2008
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Antivirus"
HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus
HKEY_CURRENT_USER\Software\Antivirus
Software\Microsoft\Windows\CurrentVersion\RunOnce\3P_UDEC
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce "3P_UDEC"

Remove the files
shlwapi.dll
wininet.dll
AntiVirus 2008.lnk
Uninstall Antivirus.lnk
AntiVirus2008.exe
AntvrsInstall.exe
AntvrsInstall[1].exe
Antvrs.exe
AntiVirus 2008.lic

When this is done, you will need to restart your computer. The process above will remove the Antivirus 2008 and 2009 variants. If you use a firewall (which I hope you all do!!!) you should block the "exe" files listed above (from program control on your firewall), just in case a remnant file still remains or you get infected again.
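As an added example (not part of the original post), the following PowerShell script audits a machine for the processes, autorun entries, registry keys and dropped files listed in the removal steps above, and only reports what it finds rather than deleting anything, so the removal itself stays a deliberate manual action after the registry backup. It assumes an elevated PowerShell 3.0 or later console and that the rogue drops its files under the program, profile and temp folders it searches.

```powershell
# Read-only audit for the Antivirus 2008 / 2009 indicators named in the post.
# Assumption: run from an elevated (Administrator) PowerShell 3.0+ console.
$processNames = @('Antvrs', 'AntiVirus2008', 'AntvrsInstall', 'AntvrsInstall[1]')
$fileNames    = @('AntiVirus 2008.lnk', 'Uninstall Antivirus.lnk', 'AntiVirus2008.exe',
                  'AntvrsInstall.exe', 'AntvrsInstall[1].exe', 'Antvrs.exe', 'AntiVirus 2008.lic')
$regKeys      = @('HKLM:\SOFTWARE\Antivirus', 'HKCU:\Software\Antivirus')
$runValues    = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Name = 'Antivirus' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'; Name = '3P_UDEC' }
)
$findings = @()

# 1. Running processes whose image name matches the rogue's binaries.
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    if ($processNames -contains $p.ProcessName) {
        $findings += "Process: $($p.ProcessName) (PID $($p.Id)) path=$($p.Path)"
    }
}

# 2. Persistence: the Run / RunOnce values and the two Antivirus keys.
foreach ($rv in $runValues) {
    $item = Get-ItemProperty -Path $rv.Key -Name $rv.Name -ErrorAction SilentlyContinue
    if ($item) {
        $val = $item.($rv.Name)
        $findings += "Autorun: $($rv.Key)\$($rv.Name) = $val"
    }
}
foreach ($k in $regKeys) {
    if (Test-Path $k) { $findings += "Registry key present: $k" }
}

# 3. Dropped files under the usual drop locations. shlwapi.dll and wininet.dll
#    are deliberately NOT searched for: genuine Windows DLLs with those names
#    live in System32, and only copies next to the rogue's own files are suspect.
$searchRoots = @($env:ProgramFiles, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP,
                 "$env:USERPROFILE\Desktop")
foreach ($root in $searchRoots) {
    if (-not $root -or -not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $fileNames -contains $_.Name } |
        ForEach-Object { $findings += "File: $($_.FullName)" }
}

if ($findings.Count -eq 0) { 'No Antivirus 2008 indicators found.' } else { $findings }
```

Run it once before and once after the removal steps: a clean second run confirms the autorun values and files are really gone before you restart.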

Source: ID Theft Protect
