
VirusRemover2008

Aug 17, 2008 1:57PM PDT

Hi,
I was recently taken to this site (virusremover2008) and I got all these message popups claiming I had a virus on my computer and I needed to download this program to remove it. I knew it was a fake right away (or one of those rogue sites) and tried to exit all the windows but they just kept popping up. So I clicked on Windows Task Manager, and then I noticed that 'virusremover2008.exe' was running as an application so I removed it right away. So far, there doesn't seem to be anything suspicious. However, does this mean my computer has been infected and I need to remove the virus? If so, how do I find the infected files and remove them? I did a search for 'virusremover2008' and a virus scan (though I have no idea how complete) and nothing has turned up. What can I do to make sure my computer isn't infected? Also, what are the chances that my computer is infected with this virus by the rogue site (even though I didn't purposely download anything)?

reply
Aug 17, 2008 2:00PM PDT
What the site says (if you don't want to click on it)
Aug 17, 2008 2:01PM PDT

VirusRemover2008, also known as Virus Remover 2008 by a lot of people, is the latest counterfeit anti-spyware software that endangers the world of computers. VirusRemover2008 usually installs itself onto your PC without your permission, through the Vundo Trojan, a virus or fake software. VirusRemover2008 will display fake system alerts or fake security alerts to trick users into buying the paid version of VirusRemover2008, in order to remove the potential and reported problems. Not only does it cause your machine to slow down dramatically, it would also put your privacy and data at risk.

How to Remove VirusRemover 2008 (Uninstall Instructions)
Aug 17, 2008 3:08PM PDT
"What can I do to make sure my computer isn't infected? Also, what are the chances that my computer is infected with this virus by the rogue site (even though I didn't purposely download anything)?"

What you can do is go to the below link and scroll down to where you see:

"Automated Removal Instructions for VirusRemover 2008 using Malwarebytes' Anti-Malware:"
http://www.bleepingcomputer.com/malware-removal/virusremover2008-removal

MBAM should remove it, but if you experience any problems afterwards, have a look at this thread. Please do not hesitate to post back, if you need further help.

Best of luck to you..
Carol
Additional information ...
Aug 17, 2008 3:31PM PDT

if needed:

Installation
When the program is executed, it creates the following files:

%ProgramFiles%\VirusRemover2008\VRM2008.exe - (detected as VirusRemover2008)
%ProgramFiles%\VirusRemover2008\Viruses.bdt - (clean file)
%SystemDrive%\VirusRemover2008.lnk
%SystemDrive%\Documents and Settings\Administrator\Desktop\VirusRemover2008.lnk
%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\VirusRemover2008
%SystemDrive%\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusRemover2008.lnk

Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"VirusRemover2008" = "%ProgramFiles%\VirusRemover2008\VRM2008.exe"

It also creates the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2008\"ActivationCode" = "36"
HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2008\"CookieParams" = "29"
HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2008\"InfectionCount" = "4"
HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2008\"InstallDate" = "16"
HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2008\"LastDetectTime" = "[RANDOM HEXADECIMAL STRING]"
HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2008\"LastScanTime" = "[RANDOM HEXADECIMAL STRING]"
HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2008\"TotalScanCount" = "4"
HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2008\"UpdateEnabled" = "1"

It also creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\{5222008A-DD62-49c7-A735-7BD18ECC7350}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusRemover2008


http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-072217-2258-99&tabid=2
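A read-only way to check a machine for the artifacts listed in the post above. This is an added example, not part of the original post or of the linked write-up; the paths, registry keys and value names are copied from the post, and the function and variable names are made up for illustration.

```powershell
# Added example: read-only check for the artifacts listed in the post above.
# Every path, key and value name below is copied from that post.
$files = @(
    "$env:ProgramFiles\VirusRemover2008\VRM2008.exe",
    "$env:ProgramFiles\VirusRemover2008\Viruses.bdt",
    "$env:SystemDrive\VirusRemover2008.lnk",
    "$env:SystemDrive\Documents and Settings\Administrator\Desktop\VirusRemover2008.lnk",
    "$env:SystemDrive\Documents and Settings\All Users\Start Menu\Programs\VirusRemover2008",
    "$env:SystemDrive\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusRemover2008.lnk"
)
$keys = @(
    'HKLM:\SOFTWARE\VirusRemover2008',
    'HKLM:\SOFTWARE\{5222008A-DD62-49c7-A735-7BD18ECC7350}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusRemover2008'
)
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'VirusRemover2008'
# Process names: VRM2008.exe from the post above, virusremover2008.exe as
# reported by the original poster (Get-Process takes names without ".exe").
$procNames = 'VRM2008', 'virusremover2008'

# Hypothetical helper name; it only reads, it never deletes anything.
function Find-VirusRemover2008Artifact {
    $hits = @()
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f) { $hits += "file: $f" }
    }
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $hits += "registry key: $k" }
    }
    # The autostart entry is a value under Run, not a subkey, so read the
    # key's properties and look for the value name.
    $run = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains $runValue)) {
        $hits += "autostart value: $runKey\$runValue = $($run.$runValue)"
    }
    foreach ($p in Get-Process -Name $procNames -ErrorAction SilentlyContinue) {
        $hits += "running process: $($p.Name) (PID $($p.Id))"
    }
    return $hits
}

$found = @(Find-VirusRemover2008Artifact)
if ($found.Count -eq 0) { 'None of the listed artifacts are present.' }
else { $found }
```

An empty result only means that the names in this list are absent. On 64-bit Windows, a 32-bit program's `HKLM\SOFTWARE` entries are redirected under `WOW6432Node` and its files go under `Program Files (x86)`, which this check does not cover.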

Thanks
Aug 18, 2008 3:34AM PDT

OK, thanks. I downloaded the malware program you suggested and am doing a complete scan right now. Not sure if it's necessary but I'm doing it anyway.

The thing is - is that I did NOT download anything or grant permission from the 'virusremover2008' site. All I got was some very annoying/aggressive messages that popped up (I had to read it a few times to realize it was a fake but I knew it wasn't legitimate). I definitely did not allow the program to be installed (at least not intentionally) or grant my credit card info to buy it (as others have done so).

So far, it has not turned up again on my computer in any shape or form. Downloaded spyware earlier and it did not detect any infected files (all I got were some cookies that were 'infected' but no rogue programs seemed to be found). My computer should be OK then, right?

So I'm wondering if it's possible that the rogue program could still be in my computer under hidden files??? In which case, there would be NO way of me knowing it...Thanks. Any help or info would be appreciated.

You're welcome..
Aug 18, 2008 4:13AM PDT

Hi "Hello"..

You wrote that you "didn't know if it was necessary to scan with MBAM, but you were going to do it anyway". I think it would be necessary, if only to give you some peace of mind. You also wrote, you "downloaded spyware earlier and it did not detect any infected files". You didn't mention the name of the "spyware" you downloaded. Not all scanners detect rogue programs, such as VirusRemover 2008. MBAM is one, as is SUPERAntiSpyware.

Let us know the results of the scan.
Carol

reply to carol
Aug 18, 2008 4:22AM PDT

Actually I agree with you on it being necessary to use the malware program you have linked to above (I take back what I said). I just want to avoid downloading as many 'anti-virus' programs as possible (considering the security risks and what not).

I previously used 'spyhunter3' (directed from another website) - not sure if that was useful. But I used the 'malwarebytes' program and so far, nothing has turned up. From what I understand, this particular virus scanner detects rogue programs such as 'virusremover2008'. Should everything be A-OK then Carol? Thanks for your help by the way.

Spy Hunter 3
Aug 18, 2008 5:00AM PDT

"helloihaveaquestion"..

"HelloIhaveareply" regarding Spy Hunter 3. Read the below post. It will give you some additional information about Spy Hunter and also Enigma Software. (They are NOT on my "top 10" list.. that's for sure!)

"Some Information about Spy Hunter 3"

Also, read "Is spyhunter a real program or a fake one?", at another forum.

You might want to take a look at The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites, prior to downloading a program. It hasn't been updated in a couple of years, but it's a good place to start, when considering which software to install. And of course, you always have the option of posting here and asking.

You're welcome by the way..
Carol

Scan Completed
Aug 18, 2008 4:03AM PDT

So my scan using the 'malwarebytes' anti-malware' program (as linked to by Carol) has completed and no infections have been found.

Is this a good sign? And does this mean there is a 100% or 99.9% chance that my computer is NOT infected by the 'virusremover2008' rogue program?

Please let me know what you think. Thanks.

one more thing
Aug 18, 2008 4:18AM PDT

What I'm most concerned about is how I found 'virusremover2008.exe' or something running as an application on my computer when I checked my Windows Task Manager yesterday (immediately after I exited the bogus/rogue website). The thing is that I did NOT download or install anything from the site! How on earth did it get into my system like that? Of course, I removed this right away and so far it has not turned up again.

Does this mean my computer has been infected? Or should it be OK (because I ended the application)? If you know anything about this, please let me know. Thank you.

I'm just asking this to make sure there are no hidden/covert viruses on my computer - even though the virus scan did not detect anything, how can you be sure? no idea...

Sorry I didn't see this post..
Aug 18, 2008 4:27AM PDT

If you're not getting any more pop-ups and the scan was clean, I'd say it is a very good sign.

You might want to consider installing a free link scanner, such as SiteAdvisor, SiteHound, or WOT. Any of the 3 would have alerted you that the link in your post with the subject "Reply", was to be avoided. Enter any of them in the search function, at the top of the forum's page. You'll get some varying opinions about the above 3.

Safe surfing!
Carol

good sign
Aug 18, 2008 5:04AM PDT

Yeah, I take it as a good sign nothing has turned up on my scan using Malwarebytes (also no more pop-ups since yesterday). I'll probably run a few more scans just in case - and make sure my Malwarebytes has all the latest updates and stuff (so it can detect rogue programs like that). Also, when I installed it, I believe I was supposed to have the following items 'Update Malwarebytes' Anti-Malware' and 'Launch Malwarebytes' Anti-Malware' checked, right? I think I did this but I can't remember. Is this important? If it is, then I might re-install the program again to make sure that I have checked off those two options. Right now, my 'updates' tab says that my current database info is 8/18/2008 and that I have version 1066....so I guess it should be OK?

By the way, the link to my post entitled 'reply' is actually a website that tells you how to remove the 'virusremover2008' program for those who got tricked into downloading it. It's not a link to the actual rogue website that I got directed to while surfing the web yesterday (I believe it starts with http://virus.... or something like that). I can't remember the link but even if I did, I wouldn't post it to anyone EVER!

Thanks.

Re: Good sign
Aug 18, 2008 7:55AM PDT

Under MBAM's "about" tab, it should read, "Malwarebytes' Anti-Malware Version 1.25". If you show the most recent Database Version as 1066, which it looks as if you do, you should be current.

I realize the link isn't the one where you ran into the problem. The link leads to Enigma's Spy Hunter, which has less than a stellar reputation, and the reason I felt it important to point out. The site is listed within this article. Please know, my only intent is to put forth the information. Nothing more. Whether anyone cares to install their software is totally up to them.

Best of luck..
Carol

SpyHunter
Aug 18, 2008 9:27AM PDT

Actually, I've already uninstalled SpyHunter so I no longer have it. It doesn't seem to be very useful either according to people on some other forums... With regard to that article you posted - so the company has engaged in some questionable practices like spamming? What exactly has it been doing? It's not malicious or anything, right? Sounds scary.

Anyway, I'll probably be keeping Malwarebytes. It seems to be a good program.