Antispyware Pro XP Analysis and Removal
September 24, 2008 by Shanmuga
Filed under Featured, Rogue Security Software, spyware removal
Antispyware Pro XP or Anti spyware Pro XP is one of the many variants belonging to the family of rogue security software. The following is an account of my experience with this rogue.
What is a rogue security software, rogue anti-spyware, rogue anti-virus or rogue anti-malware software?
A family of software products that present themselves as antivirus, antispyware or registry cleaners and use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are frequently repackaged and renamed. They do not actually remove malware; many of them install additional malware of their own.
Note: Visiting any of the malware hosting domains mentioned below may be injurious to the health of your computer system.
Analysis of Antispyware Pro XP Installation
This rogue mimics an online spyware scan at scan.antispyware-free-scanner.com (IP 78.26.179.230, based in Ukraine). Once the fake scan has run it displays fraudulent false positives and persuades the user to download an installer, setup_1_1_.exe (90.50 KB), from files.as-pro-xp-download.com (IP 78.157.142.79, based in Latvia). VirusTotal info: File setup_1_1_.exe received on 09.23.2008 10:02:01 (CET); Result: 7/36 (19.44%), i.e. only 7 of 36 engines flagged the installer at the time.
The following Internet connections were then established:
- 85.92.157.141/mxlivemedia/get_file.php
- int.azsxdcqwe.com/stat.php?func=install&pid=1&ip=127.0.0.1&landing=1&subid=0&progid=MXwwfDAwMDZGRDM4
- 85.92.157.141/mxlivemedia/multi/11.exe
- a1.mxlivemedia.com/bc/123kah.php
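The second connection above is an install beacon reporting the affiliate that delivered the installer. Its progid parameter is base64, and decoding it gives 1|0|0006FD38, whose first two fields echo the pid=1 and subid=0 values sent in the clear. The following Python is an added example (not code from the original post) that parses the beacon and checks that consistency; the beacon string is copied from the list above with a scheme prepended so the URL parser accepts it, and the meaning of the third, hex-looking field is not established by this page.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Constructed copy of the install beacon from the connection list above;
# "http://" is added only so urlsplit() can parse the host and query.
BEACON = ("http://int.azsxdcqwe.com/stat.php?func=install&pid=1&ip=127.0.0.1"
          "&landing=1&subid=0&progid=MXwwfDAwMDZGRDM4")


def decode_progid(progid):
    """Base64-decode the progid token and split it on '|'.

    Padding is re-added because affiliate beacons often strip the '=' characters.
    """
    padded = progid + "=" * (-len(progid) % 4)
    return base64.b64decode(padded).decode("ascii").split("|")


def parse_beacon(url):
    """Break the beacon into its tracking fields and cross-check the encoded token."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    fields = decode_progid(query["progid"])
    return {
        "host": parts.hostname,
        "func": query.get("func"),
        "pid": query.get("pid"),
        "subid": query.get("subid"),
        "landing": query.get("landing"),
        "progid_fields": fields,
        # The decoded token repeats pid and subid; the third field is an opaque
        # identifier that only appears inside the token (meaning unknown here).
        "consistent": fields[:2] == [query.get("pid"), query.get("subid")],
    }


if __name__ == "__main__":
    for key, value in parse_beacon(BEACON).items():
        print(f"{key:>14}: {value}")
```

When triaging a similar sample, decoding the token this way lets you confirm that the pid/subid pair in the URL is not a decoy and gives you one more string to pivot on when searching other beacons from the same affiliate network.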
An adware component, mxlivemedia browser enhancer (which may serve advertisements even while you are not surfing the Internet), is downloaded and installed, as identified by the following HijackThis entries:
- O2 - BHO: mxlivemedia browser enhancer - {70501665-0202-d505-1a1a-e0112ba2560f} - C:\WINDOWS\system32\fcwsqamokaehjnw.dll
- O4 - HKLM\..\Run: [wtuehxugvpph] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\fcwsqamokaehjnw.dll" EntryPoint
The payment processor for this rogue security software is secure.paymentbit.net (IP 216.195.56.148), a domain notorious for peddling rogue security software. It is registered to Markus Lulmann via SRSPlus Private Registration.
Antispyware Pro XP -- Associated Files and Folders
- C:\Documents and Settings\All Users\Application Data\Software Licensors\Antispyware PRO XP
- C:\Documents and Settings\All Users\Application Data\Software Licensors\Antispyware PRO XP\BASE
- C:\Documents and Settings\All Users\Application Data\Software Licensors\Antispyware PRO XP\DELETED
- C:\Documents and Settings\All Users\Application Data\Software Licensors\Antispyware PRO XP\LOG
- C:\Documents and Settings\All Users\Application Data\Software Licensors\Antispyware PRO XP\SAVED
- C:\Documents and Settings\All Users\Application Data\Software Licensors\Antispyware PRO XP\asproxp.exe
- C:\Documents and Settings\All Users\Application Data\Software Licensors\Antispyware PRO XP\LOG\20080923130552480.log
- C:\WINDOWS\SYSTEM32\FCWSQAMOKAEHJNW.DLL
Antispyware Pro XP -- Associated Registry keys and values
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\s9201
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wtuehxugvpph
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70501665-0202-d505-1a1a-e0112ba2560f}
- HKCR\CLSID\{70501665-0202-D505-1A1A-E0112BA2560F}
- HKCR\CLSID\{70501665-0202-D505-1A1A-E0112BA2560F}\InProcServer32
- HKCR\CLSID\{70501665-0202-D505-1A1A-E0112BA2560F}\InProcServer32#ThreadingModel
- HKU\S-1-5-21-746137067-776561741-1417001333-1003\Software\Software Licensors\Antispyware PRO XP
Note: File names and the Run value names may be randomly generated, so match on the paths and CLSID rather than on the exact names. The SID in the HKU path (S-1-5-21-746137067-776561741-1417001333-1003) is specific to the test account; on another machine the same key appears under HKEY_CURRENT_USER for the logged-on user.
Antispyware Pro XP -- Associated Domains
- antispyware-pro-xp.com
- scan.proxp.com
- scan.antispyware-free-scanner.com
- files.as-pro-xp-download.com
- 85.92.157.141
- int.azsxdcqwe.com
- sales.buy-antispyware-pro-xp.com
- int.mjnhbgvf.com
- secure.paymentbit.net
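The file, registry and domain listings above are the indicators you would check a suspect machine against. The following Python is an added example (not code from the original post) that runs those indicators over a saved HijackThis log, the format used for the two entries quoted earlier, rather than over the live registry. The log is constructed for the example: the O2 and HKLM O4 lines are the ones reported above, the HKCU s9201 entry is assumed to point at asproxp.exe because the page lists the value name but not its data, the benign BHO and SoundMan entries are there to show that clean lines are not flagged, and the R1 line is included only to exercise the domain indicators, not because the page reports a search-page hijack.

```python
import re

# Indicators copied from the listings above (CLSID, dropped files, Run value names,
# domains and IPs). Names are lower-cased once so matching is case-insensitive.
IOCS = {
    "clsid": {"{70501665-0202-d505-1a1a-e0112ba2560f}"},
    "files": {"fcwsqamokaehjnw.dll", "asproxp.exe"},
    "run_values": {"wtuehxugvpph", "s9201"},
    "domains": {
        "antispyware-pro-xp.com", "scan.proxp.com", "scan.antispyware-free-scanner.com",
        "files.as-pro-xp-download.com", "int.azsxdcqwe.com", "a1.mxlivemedia.com",
        "sales.buy-antispyware-pro-xp.com", "int.mjnhbgvf.com", "secure.paymentbit.net",
    },
    "ips": {"85.92.157.141", "78.26.179.230", "78.157.142.79", "216.195.56.148"},
}

# Constructed HijackThis-style log. Lines 1-2 are the entries reported above; the
# s9201 value data, the benign BHO, the SoundMan entry and the R1 line are assumptions
# made for this example.
LOG = r"""
O2 - BHO: mxlivemedia browser enhancer - {70501665-0202-d505-1a1a-e0112ba2560f} - C:\WINDOWS\system32\fcwsqamokaehjnw.dll
O4 - HKLM\..\Run: [wtuehxugvpph] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\fcwsqamokaehjnw.dll" EntryPoint
O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Application Data\Software Licensors\Antispyware PRO XP\asproxp.exe"
O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Example\ExampleHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://scan.antispyware-free-scanner.com/
"""

CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)
FILE_RE = re.compile(r"([\w\-~]+\.(?:dll|exe))\b", re.I)
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


def scan_line(line):
    """Return the indicator labels this log line matches (empty list means clean)."""
    hits = []
    for clsid in CLSID_RE.findall(line):
        if clsid.lower() in IOCS["clsid"]:
            hits.append(f"clsid:{clsid.lower()}")
    for fname in FILE_RE.findall(line):
        if fname.lower() in IOCS["files"]:
            hits.append(f"file:{fname.lower()}")
    m = RUN_RE.match(line)
    if m and m.group(2).lower() in IOCS["run_values"]:
        hits.append(f"run:{m.group(1)}\\{m.group(2)}")
    low = line.lower()
    # Substring match on purpose: it also catches subdomains of the listed hosts.
    for host in IOCS["domains"] | IOCS["ips"]:
        if host in low:
            hits.append(f"net:{host}")
    return hits


def scan_log(text):
    """Map each matching log line to its hits; clean and blank lines are omitted."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            hits = scan_line(line)
            if hits:
                report[line] = hits
    return report


def indicator_hits(text):
    """Flat set of every indicator label seen anywhere in the log."""
    return {hit for hits in scan_log(text).values() for hit in hits}


if __name__ == "__main__":
    for line, hits in scan_log(LOG).items():
        print(f"{', '.join(hits)}\n    {line}")
```

Because the rogue randomises its file and Run value names, the CLSID and the install directory under Software Licensors\Antispyware PRO XP are the most stable things to match; the name-based indicators above will catch this particular build but should be extended with whatever names appear on the machine being cleaned.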
Antispyware Pro XP -- Removal
I ran scans with 5 of the most widely used FREE anti-spyware programs, after updating them with the latest definitions. The results speak for themselves.
Spybot -- Search & Destroy
Poor performance: it found only the tracking cookies, not the rogue Antispyware Pro XP or the adware mxlivemedia browser enhancer.
Ad-Aware 2008
A smart scan with Ad-Aware 2008 turned up the rogue and tracking cookies but not the adware.
a-squared Free 3.5
A smart scan with a-squared Free 3.5 turned up only the registry entries and tracking cookies, but not the actual malware .dll or .exe files.
SuperAntiSpyware Free Edition
A quick scan with SuperAntiSpyware Free Edition did a great job rooting out the evil .dll, .exe, registry traces, the adware and the tracking cookies. It required a reboot to complete the cleaning process, but it failed to delete the rogue software's program files folder and files or to clean the autostart registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wtuehxugvpph, leading to the following prompt on reboot:
Malwarebytes’ Anti-Malware
A quick scan with Malwarebytes' Anti-Malware was thorough in cleaning the malware files, registry traces and the tracking cookies without a reboot.
I recommend using Malwarebytes’ Anti-Malware Free version for cleaning Antispyware Pro XP.
I further used CCleaner to clear the temporary and cache files of Windows and my browsers, and I also disabled System Restore to wipe out the remnants of the rogueware from the restore files, then re-enabled it.
If you still have popups or other symptoms after running the automated malware scans, please post your problem at one of the Recommended Online Forums for Malware Help.
Antispyware Pro XP -- Rogue Gallery
Antispyware Pro XP -- Video
Note: The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or different testing conditions.