Rogue:W32/Antivirus2008 is a rogue that tries to dupe the user into purchasing a version of the product that can supposedly "remove" all the malware that it reports to the user.
The presence of this rogue in the system is evident when a window similar to this one appears:
All the supposedly "malicious" files that are displayed don't exist in the system. These are just meant to spook the user into purchasing the product.
Then it will display this after scanning:
When you select "Remove all threats now", it will show this window, where you have to input the necessary activation key:
If you select "Continue Unprotected", it will show this balloon:
This rogue may also create this folder and drop itself in it:
- C:\Program Files\Antivirus 2008
Then it will create a corresponding autorun key here. A sample entry would be:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Antivirus = "C:\Program Files\Antivirus 2008\Antvrs.exe"
And the following keys:
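
The folder and sample autorun entry listed earlier can be checked for on a host with a short PowerShell script. This is an added example, not part of the original description; the function name `Find-Antivirus2008Artifact` is hypothetical, and it looks only for the folder, value and file name given in the sample entry.

```powershell
# Added example: checks for the folder and Run entry named in this description.
# The path and file name below come from the description's sample entry.
$DropDir   = 'C:\Program Files\Antivirus 2008'
$DropFile  = 'Antvrs.exe'
$RunSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'

function Find-Antivirus2008Artifact {
    $findings = @()

    # 1. Dropped folder: report it together with the files it contains.
    if (Test-Path -LiteralPath $DropDir -PathType Container) {
        $files = Get-ChildItem -LiteralPath $DropDir -File -Force -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{
            Type = 'Folder'; Location = $DropDir; Detail = ($files.Name -join ', ')
        }
    }

    # 2. Run values. HKEY_CURRENT_USER is per-user, so walk every hive currently
    #    loaded under HKEY_USERS (run elevated to see other logged-on users).
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $runPath = "Registry::HKEY_USERS\$($hive.PSChildName)\$RunSubKey"
        if (-not (Test-Path -LiteralPath $runPath)) { continue }
        $key = Get-Item -LiteralPath $runPath
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            # Match on where the value points, not on the value name,
            # since "Antivirus" alone is too generic to be conclusive.
            $inDropDir = $data.IndexOf($DropDir, [StringComparison]::OrdinalIgnoreCase) -ge 0
            $isDropExe = $data.IndexOf($DropFile, [StringComparison]::OrdinalIgnoreCase) -ge 0
            if ($inDropDir -or $isDropExe) {
                $findings += [pscustomobject]@{
                    Type = 'RunValue'; Location = "$runPath\$name"; Detail = $data
                }
            }
        }
    }
    $findings
}

$result = @(Find-Antivirus2008Artifact)
if ($result.Count -eq 0) { 'No Antivirus 2008 artifacts found.' }
else { $result | Format-List }
```

Only hives of users who are logged on appear under HKEY_USERS, so profiles that are not loaded are not covered by this check.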