Thursday, January 6, 2011

Antivirus 8 - and no this is not a post about a new utility

Usually I try to come up with a catchy title for my posts, but it's bad enough that one of my users "caught" the Antivirus 8 malware bug a few days ago. And normally, my technical posts go to another of my blogs. Antivirus 8 is in the same family of malware as those other programs that claim you have a virus and, if you just "click here", they'll be happy to remove it for you. Unfortunately, when you click there (as this user did) you actually install the malware, which basically cripples your machine with pop-ups.



When I started troubleshooting the issue, I figured "no big deal". I'd just throw Malwarebytes at it and it would wipe the insidious software from the PC. Wrong! And when ComboFix didn't do the trick either, I began to worry.

Fortunately, there is a utility available for free download via softpedia called the Antivirus 8 Removal Tool 1.0. It really does a great job. I was a little worried since I typically do my utility downloading from Download.com, but since I was desperate I downloaded it. I wish I had taken a snapshot of what was happening on the screen, but basically it wipes any folders containing the malicious code and cleans the registry for you.

Once it had finished and the PC rebooted, I was extremely glad not to see the associated files and registry entries that a post on bleepingcomputer.com suggests you look for, namely:

Associated Antivirus8 Files:

c:\Documents and Settings\All Users\Start Menu\AV8\

c:\Documents and Settings\All Users\Start Menu\AV8\Antivirus8.lnk

c:\Documents and Settings\All Users\Start Menu\AV8\Uninstall.lnk

C:\Program Files\AV8\

C:\Program Files\AV8\av8.exe

%UserProfile%\Desktop\Antivirus8.lnk

File Location Notes:

%UserProfile% refers to the current user's profile folder. By default, this is C:\Documents and Settings\ for Windows 2000/XP, C:\Users\ for Windows Vista/7, and c:\winnt\profiles\ for Windows NT.



Associated Antivirus8 Windows Registry Information:

HKEY_CURRENT_USER\Software\A88246

HKEY_CURRENT_USER\Software\WinFD

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AV8"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "WinNT-A8I 23.09.2010"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe "Debugger" = "C:\Program Files\AV8\av8.exe -d"
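If you want to confirm the cleanup yourself rather than eyeballing regedit, here is a read-only PowerShell check for the indicators listed above. This is an added example, not code from the original post, bleepingcomputer.com, or the removal tool; it assumes the Windows 2000/XP paths given in the list and that %ProgramFiles% is where AV8 was installed.

```powershell
# Added example, not code from the original post or from bleepingcomputer.com.
# Read-only check for the Antivirus 8 indicators listed above; it removes nothing.
# Paths are the XP-era ones from the post (assumption: this runs on a 2000/XP box).

$filePaths = @(
    'C:\Documents and Settings\All Users\Start Menu\AV8',
    'C:\Documents and Settings\All Users\Start Menu\AV8\Antivirus8.lnk',
    'C:\Documents and Settings\All Users\Start Menu\AV8\Uninstall.lnk',
    "$env:ProgramFiles\AV8",
    "$env:ProgramFiles\AV8\av8.exe",
    "$env:USERPROFILE\Desktop\Antivirus8.lnk"
)

# Keys whose mere presence is an indicator
$regKeys = @('HKCU:\Software\A88246', 'HKCU:\Software\WinFD')

$findings = @()

foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}
foreach ($k in $regKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
}

# Per-user autostart entry named "AV8"
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['AV8']) {
    $findings += "Run entry AV8 = $($run.AV8)"
}

# The IFEO "Debugger" value on explorer.exe is the persistence trick: Windows
# starts the named "debugger" instead of explorer.exe, so av8.exe -d runs every
# time the shell loads. Any Debugger value here is suspect on a normal workstation.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'
$dbg = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($dbg) { $findings += "IFEO Debugger on explorer.exe = $dbg" }

# Post Platform tokens are appended to Internet Explorer's User-Agent string,
# so this one tags the infected machine in its outgoing HTTP requests.
$uaKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform'
$uaProps = Get-ItemProperty -Path $uaKey -ErrorAction SilentlyContinue
if ($uaProps) {
    $uaProps.PSObject.Properties | Where-Object { $_.Name -like 'WinNT-A8I*' } |
        ForEach-Object { $findings += "Post Platform token present: $($_.Name)" }
}

if ($findings.Count -eq 0) { 'No Antivirus 8 indicators found.' }
else { 'Indicators still present:'; $findings | ForEach-Object { "  $_" } }
```

A leftover explorer.exe Debugger value is the one to treat as urgent, since it will relaunch the malware on the next logon even if the other files were deleted.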

While the post at bleepingcomputer.com suggests Malwarebytes as the removal tool, following their instructions did not work for me. Maybe Antivirus 8 had nestled in a bit too tight. At any rate, I still ran an updated Malwarebytes and ComboFix just to be sure no other nasties were on the PC, before returning it to the user this morning.

Hope this helps, if you get stuck trying to remove Antivirus 8.