"Rogue" software is an antivirus or antispyware program that tricks users into buying or installing it, usually by infecting a user's computer, or by pretending the computer is infected.

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

For more Support

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

This program is the "demo" version of a rogue antispyware application. It attempts to convince the user to "upgrade" and purchase the full version of the software by making the user believe that their computer system is riddled with malware; the malware would, of course, only be removed if the user purchases the full version of the program.See also the rogue antispyware description.


Upon execution, this rogue antispyware displays this End User License Agreement (EULA):

Supposedly, the user must accept it before the software will install onto the system. If the user does not accept the EULA, it will not pretend to scan the system and display fake output. It will, however, still create the following registry keys:

  • HKLM\Software\VirusRemover2008
  • HKLM\Software\{5222008A-DD62-49c7-A735-7BD18ECC7350}

Create these files:

  • C:\Documents and Settings\All Users\Start Menu\Programs\VirusRemover2008\VirusRemover2008.lnk Link to C:\Program Files\VirusRemover2008\VRM2008.exe
  • C:\Documents and Settings\%current user%\Application Data\VirusRemover2008\Logs\scns.log Contains a log of requests sent to
  • C:\Documents and Settings\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusRemover2008.lnk Link to C:\Program Files\VirusRemover2008\VRM2008.exe
  • C:\Documents and Settings\%current user%\Desktop\VirusRemover2008.lnk Link to C:\Program Files\VirusRemover2008\VRM2008.exe
  • C:\Program Files\VirusRemover2008\Viruses.bdt A text file containing the list of the fake malware found in the system.
  • C:\Program Files\VirusRemover2008\VRM2008.exe Main rogue scanner file detected as Rogue:W32/VirusRemover2008.C

It queries this website:


If the user does agree to the EULA, the program does all the above, and in addition will pretend to scan the system:

After the scan, it will display these files, which are supposedly on the computer system. In reality, these files are taken from a predefined list located in C:\Program Files\VirusRemover2008\Viruses.bdt.

If the user closes this window, the rogue will display this notification box to remind the user that the system is still infected:

File System Changes

Create these directories:

  • C:\Documents and Settings\All Users\Start Menu\Programs\VirusRemover2008
  • C:\Documents and Settings\%current user%\Application Data\VirusRemover2008
  • C:\Documents and Settings\%current user%\Application Data\VirusRemover2008\Logs
  • C:\Program Files\VirusRemover2008

Process Changes

Creates these mutexes:

  • AntiMalwareMaster8E0C904E-85D5-4fd8-9473-D173D4D31A9F

Network Connections

Attempts to download files from:


Registry Modifications

Sets these values:

  • HKEY_CURRENT_USER\Software\VirusRemover2008 scns_time hex:b1,89,2d,49,00,00,00,00,
  • HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2008 LicenseAccepted hex:01, Upd_size hex:00,00,00,00, InstallDate hex:d8,07,0b,00,03,00,1a,00,13,00,26,00,38,00,71,02, ActivationCode hex:31,37,39,31,42,37,42,32,2d,30,43,44,39,2d,34,36,33,41,2d,41,44,44,46,2d,43,33,41,37,30,38,30,44,37,35,37,30, UpdateEnabled hex:01, InfectionCount hex:11,00,00,00, LastScanTime hex:d8,07,0b,00,03,00,1a,00,13,00,26,00,39,00,19,01, TotalScanCount hex:01,00,00,00, LastDetectTime hex:d8,07,0b,00,03,00,1a,00,13,00,28,00,0a,00,0a,01,
  • HKEY_LOCAL_MACHINE\SOFTWARE\{5222008A-DD62-49c7-A735-7BD18ECC7350} Version hex:33,50,5f,56,52,4d,

Creates these keys:

  • HKLM\Software\VirusRemover2008
  • HKLM\Software\{5222008A-DD62-49c7-A735-7BD18ECC7350}