The one thing that never changes in IT is the fact that everything is constantly changing. In the past, people had to watch out for viruses. Then it was spyware, and then it was browser hijackers. Next came the Trojan, a program that, when opened, would release a virus, spyware or both. Lastly, we heard about phishing, an attack that tricks the end user into giving out personal information that can lead to identity theft.
Recently The Village Geek has been flooded by computers that are infected with what researchers are calling fraudware. Fraudware is software that tries to frighten the end user into purchasing protection from… itself. In the old days they called it extortion.
The current rash of fraudware is called Antivirus 2008; it is available in several varieties, including XP Antivirus 2008, XP Antivirus 2009 (the latest version!), MS Antivirus and probably more. This is an actual program that installs itself on your system the same way spyware does, without your knowledge or permission. Antivirus 2008 then shows up on your taskbar as a warning icon that looks almost identical to the Windows Security Center shield, marked with an "X" or an exclamation mark. Pop-up bubbles will warn you that an infection has been found. If you ignore the pop-ups, the program will open full screen and simulate a virus scan showing multiple infections. The program will show you all the "problems" and then explain that you must purchase the full version for $50 in order to clean these infections.
Here are some typical warning messages:
Privacy Violation alert!
XP antivirus detected Privacy Violation. Some program is secretly sending your private data to untrusted internet host. Click here to block this activity by removing threats (Recommended).
Or
System files modification alert!
Some critical system files of your computer were modified by malicious program. It may cause system instability and data loss. Click here to block unauthorized modification by removing threats (Recommended).
The beauty of the scam is that (at least so far) none of the major antivirus and antispyware programs are picking this thing up. Once you pay your money the program doesn't clean anything, and some versions will actually release a flood of spyware or Trojans into your system. Eventually you will no longer be able to use your system at all, as Antivirus 2008 will not let you get past its interface except to follow the link where they will allow you to repurchase the software in hopes of ridding yourself of the menace.
Obviously if you have paid these crooks for the full version you will need to contact your credit card company and stop payment as soon as possible.
The early version of this fraudware had an uninstall routine, which would remove its entry from the "Add or Remove Programs" applet in the Control Panel but did not remove the program. The newest versions don't bother with the extra steps; they've got you and they aren't going to let go.
Below are some typical processes, files and registry entries that must be removed in order to clean Antivirus 2008 off your system. You should be aware that editing the registry should only be done by experienced technicians, and there is no guarantee that these files are the only ones on your system. Comparing your running processes in the Windows Task Manager against this list will help you determine if this is an issue on your system.
Associated (XP) Antivirus 2008, XP Antivirus 2009, and XP Antivirus Processes:
Antvrs.exe
AntvrsInstall.exe
AntvrsInstall[1].exe
Win Antivirus 2008.exe
av2008xp.exe
Antivirus-2008.exe
xpa_2008.exe
Associated (XP) Antivirus 2008, XP Antivirus 2009, and XP Antivirus Files:
c:\Program Files\XP Antivirus
c:\Program Files\XP Antivirus\xpa.exe
c:\Program Files\XPAntivirus
c:\Program Files\XPAntivirus\XPAntivirus.exe
c:\WINDOWS\system32\scui.cpl
%UserProfile%\Desktop\XP Antivirus 2008.lnk
%UserProfile%\Start Menu\XP Antivirus 2008
%UserProfile%\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk
%UserProfile%\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\XP Antivirus 2008.lnk
c:\WINDOWS\krln32.exe
c:\WINDOWS\system32\scvh0st.exe
c:\Program Files\Common Files\trjdwnl.dll
c:\WINDOWS\shlext32.exe
Associated (XP) Antivirus 2008, XP Antivirus 2009, and XP Antivirus Windows Registry Information:
HKEY_CURRENT_USER\Software\XP antivirus
HKEY_CURRENT_USER\Software
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\XPAntivirusFilter
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XPAntivirusFilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-dcf7-f96da086b434}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C6B8C69-9285-4D94-8492-9E920C8C2B65}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74f25a2c-22b3-4023-8f1a-ca616c30a8b5}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9a19966f-ae0e-4699-8cce-9b6f5f1c352c}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D714A94F-123A-45CC-8F03-040BCAF82AD6}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP antivirus_is1
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "XP Antivirus"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "mmnext06"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "shellbn"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "System"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Framework"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ""
Typically I would refer you to links on the internet that may be helpful at this point, but every site I can find is busy attempting to sell you a solution or, worse, attempting to infect you. At one point the top paid advertisement on the right side of a Google search was for Antivirus 2008. Tread carefully here, folks, or just bring it to The Village Geek and let us clean this mess up for you.
Steve Weigle is the owner of Village Geek Computers, an IT center with multiple locations. Steve has provided IT services to Central Indiana since 1996.
Antivirus 2008: the Latest Scourge of the Internet