Hi ALL you people in cyber world! It’s been brought to our attention in the last week that a rogue antivirus software program called Antivirus 2008 (also called 2009) is doing the rounds at the moment.
Real antivirus or not?
Right, first and foremost it is not an antivirus program – it is in fact a spyware program, and a very aggressive one at that! Worse still, this spyware is doing the rounds disguised as a leading antivirus product – which it isn’t. If you do happen to have it installed – and you’ll only know about that when you see a batch of annoying pop-ups saying your computer is infected and an AV-style symbol (a Windows-looking security icon) in the task tray – you are in serious trouble!
What is the spyware program called?
Antivirus 2008, and it claims it is FREE. In fact it isn’t – eventually it asks you for credit card details! I hear you sigh! In fact it doesn’t do anything useful at all – no scan – all it does is drop some malicious programs onto your computer (a trojan). These types of software programs are sometimes referred to as ‘rogue anti-spyware’.
How does this install on your computer?
Firstly, its origin is Ukraine, and it’s something you do not want lying around as it gets up to all sorts of naughty and nasty things. We’ve come across three methods of install (each of course including the malicious files): one via an ‘Antivirus online scanner’ (the ads can be found on Google sponsored links), another when someone clicks on an advertisement for ‘Antivirus 2008’, and the last via Instant Messenger (IM) emoticons/animations.
The last one interests me most, although using an online scanner from these guys is not a sensible move either (use a scanner from the ID Theft Protect www.id-theftprotect.com ‘Find a solution’ zone). Emoticon animations are popular additions to IM, and it is through this route we believe Antivirus 2008 (and other malicious software) is being installed without the user’s knowledge. So be extra careful when downloading those emoticons as they may contain a lot of malware and spyware!! You have been warned!
What do the malicious programs do?
We are not entirely 100% sure, although I have personally seen this spyware at work and successfully removed it from a friend’s computer – which is the most important thing here. Some of the things I’ve noticed: the processor load slows the computer to a snail’s pace, it installs annoying pop-ups that tell you your computer is infected, and it installs some not so interesting spyware and malware (which may contain a keylogger and some horrible tracking stuff). So best beware!
Antivirus 2008 2009 removal instructions
Firstly, I suggest you download TWO anti-malware/spyware programs. I used:
PC Doctor and Ad-Aware FREE. PC Doctor costs $29.95 (this identified the pop-up application, which would be difficult to find, let alone remove, by hand). When you have run the scans and fixed the results, proceed as follows:
(You might want to restart your computer and hit F8 to work in SAFE mode, which means only the basic drivers will have loaded; generally this is the recommended method.)
Remove the processes
Remove the DLL files
Remove the registry files
IMPORTANT: Removing the following files requires good knowledge of the computer’s registry. If you have no experience of editing a registry, I suggest you contact someone who has (find a friend ;)). The reason is, if you mess up the registry (which is the engine of Windows) you may not be able to use Windows at all. Which isn’t good news!
Before removing the following registry entries it is recommended that you create a backup of the registry. Go to START, click RUN and type “REGEDIT”. The registry editor will load. Export the registry and save the backup as “REGEDITbackup”. Then remove the following entries with REGEDIT:
Microsoft\Code Store Database\Distribution Units\3BA4271E-5C1E-48E2-B432-D8BF420DD31D
Remove the files
When this is done, you will need to restart your computer. The process above will remove the Antivirus 2008 and 2009 variants. If you use a firewall (which I hope you all do!!!) you should block the “exe” files listed above (from program control on the firewall), just in case a remnant file still remains or you get infected again.
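The backup, inspection and removal steps above can be done from an elevated PowerShell prompt instead of clicking through REGEDIT. The script below is an added example written for this post, not something the post’s author or any of the named products supplies. It assumes the Distribution Units key lives under HKLM\SOFTWARE (the post gives the path without its hive), uses the GUID the post lists, and relies on netsh advfirewall, which exists on Windows Vista and later. The executable path passed to the firewall function is a placeholder: substitute the .exe files your scanner reported.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Assumption: the post's key "Microsoft\Code Store Database\Distribution Units\<GUID>"
# sits under HKLM\SOFTWARE (the post omits the hive).
$DistributionUnits = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
$SuspectGuid       = '3BA4271E-5C1E-48E2-B432-D8BF420DD31D'   # GUID listed in the post
$BackupFile        = Join-Path $env:USERPROFILE 'Desktop\REGEDITbackup.reg'

function Backup-DistributionUnits {
    # Export the whole Distribution Units branch to a .reg file that regedit can
    # re-import if the removal goes wrong (this is the post's "REGEDITbackup" step).
    $nativePath = $DistributionUnits -replace '^HKLM:\\', 'HKLM\'
    & reg.exe export $nativePath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry export failed (exit code $LASTEXITCODE)" }
    Write-Host "Backup written to $BackupFile"
}

function Show-SuspectDistributionUnit {
    # Report whether the suspect key exists and dump its values (and those of any
    # subkeys) so you can see what it pointed at before deleting anything.
    $keyPath = Join-Path $DistributionUnits $SuspectGuid
    if (-not (Test-Path -LiteralPath $keyPath)) {
        Write-Host "No Distribution Unit with GUID $SuspectGuid found."
        return $false
    }
    Write-Host "Found $keyPath"
    $keys = @(Get-Item -LiteralPath $keyPath) + @(Get-ChildItem -LiteralPath $keyPath -Recurse)
    foreach ($k in $keys) {
        Write-Host $k.Name
        foreach ($valueName in $k.GetValueNames()) {
            $label = if ($valueName) { $valueName } else { '(Default)' }
            Write-Host ("    {0} = {1}" -f $label, $k.GetValue($valueName))
        }
    }
    return $true
}

function Remove-SuspectDistributionUnit {
    # -Confirm prompts before the delete; the .reg backup above is the undo path.
    $keyPath = Join-Path $DistributionUnits $SuspectGuid
    if (Test-Path -LiteralPath $keyPath) {
        Remove-Item -LiteralPath $keyPath -Recurse -Confirm
    }
}

function Block-ProgramOutbound {
    # Add an outbound block rule for one executable, as the post recommends for the
    # dropped .exe files. Requires netsh advfirewall (Windows Vista or later).
    param([Parameter(Mandatory)][string]$ProgramPath)
    $ruleName = 'Block ' + (Split-Path $ProgramPath -Leaf)
    & netsh advfirewall firewall add rule name="$ruleName" dir=out action=block program="$ProgramPath" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Firewall rule for $ProgramPath was not created" }
}

Backup-DistributionUnits
if (Show-SuspectDistributionUnit) {
    Remove-SuspectDistributionUnit
}
# One call per .exe your scanner reported; the path below is a placeholder, not a real file name.
# Block-ProgramOutbound -ProgramPath 'C:\PLACEHOLDER\rogue-av.exe'
```

The export runs first on purpose: if the key turns out to be legitimate, double-clicking REGEDITbackup.reg restores it. Test-Path and Remove-Item use -LiteralPath because the key name contains characters PowerShell would otherwise treat as wildcards.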