
Fake XP SecurityCenter Analysis and Removal

by Shanmuga

XP SecurityCenter is a rogue antimalware application installed through dubious means such as a link in a spam mail or a link on a hacked website. It is a look-alike of the legitimate Windows Security Center, and it does what other rogue antimalware apps do: scare the unfortunate victim by throwing up various pop-up messages about the state of their PC's health.

[Screenshot: XP SecurityCenter main window]
XP SecurityCenter shows various non-existent infections afflicting the victim’s PC and insists on payment when the victim tries to remove the infections.

[Screenshot: XP SecurityCenter fake infection list and payment prompt]

In this instance the installer was dropped by a trojan downloader, which itself was downloaded when I clicked on a link found in a malicious celebrity-themed spam mail (include link). The installer is about 340KB, named Install.exe, and is well recognized over at VirusTotal with about a 78% detection rate.

When the installer is executed it connects to 206.161.126.40, which hosts many rogue antimalware domains such as winantimalware.com, winantispyware2008.com, winreanimator.com, xpcleaner2008.com, xpdefender2008.com, xpguard2008.com and xpsecuritycenter.com, to download the rest of the application. A successful installation is phoned home to a member's account at softcashier.net.

softcashier.net is hosted at IP 216.195.56.82, which also hosts softcashier.com. The registrar of softcashier.net is DIRECTI INTERNET SOLUTIONS PVT. LTD; the domain was created on 2008-09-03 by the registrant Hawkwing Professional Services Limited, based in Belize, a country in Central America.

Softcashier.net lists an interesting offer on its home page.

[Screenshot: softcashier.net home page offer]

Once installed, the scare tactics start and the need to register XP SecurityCenter is stressed many times. When the victim clicks the Register now button, the fake app opens the default browser and connects to the buy page at xpsecuritycenter.com, which espouses the benefits of XP SecurityCenter. The page also uses fraudulent logos purporting to be awards from various well-known computer magazines and websites.

[Screenshot: xpsecuritycenter.com buy page]

When I clicked on the BUY ONLINE button, I was directed to their payment processor, secure.chronopay.com, over a 128-bit SSL connection with a certificate issued by Verisign. Here ends my experience with Fake XP SecurityCenter. Now is the time to clean up.

[Screenshot: secure.chronopay.com payment page]

Files and Folders Infected

C:\Program Files\XPSecurityCenter\install.exe
C:\Program Files\XPSecurityCenter\comp.dat
C:\Program Files\XPSecurityCenter\htmlayout.dll
C:\Program Files\XPSecurityCenter\unzip32.dll
C:\Program Files\XPSecurityCenter\pthreadVC2.dll
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
C:\Program Files\XPSecurityCenter\un.ico
C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe
C:\Program Files\XPSecurityCenter\wscui.cpl
C:\Program Files\XPSecurityCenter\XPSecurityCenter.dll
C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter\Uninstall.lnk
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcm80.dll
C:\Program Files\XPSecurityCenter\data\daily.cvd
C:\Program Files\XPSecurityCenter\XP_SecurityCenter.cfg
C:\Documents and Settings\All Users\Desktop\XPSecurityCenter.lnk
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcp80.dll
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcr80.dll
C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter\XPSecurityCenter.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter
C:\Program Files\XPSecurityCenter
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT
C:\Program Files\XPSecurityCenter\data

Registry changes detected

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xp securitycenter
HKEY_LOCAL_MACHINE\SOFTWARE\XP_SecurityCenter (Rogue.XPSecurityCenter)
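The file and registry artifacts listed above are the practical test of whether the rogue is still present after cleanup. The following PowerShell script is an added verification example, not code from the original post: it checks the Run value, the application registry key and the dropped folders and shortcuts, and prints whatever is still on the host. It assumes a Windows XP-era profile layout (where $env:ALLUSERSPROFILE resolves to C:\Documents and Settings\All Users) and a 32-bit Program Files path; on 64-bit or later Windows the shortcut and Program Files locations differ.

```powershell
# Added verification script (not from the original post). Reports which of the
# XP SecurityCenter artifacts from the analysis are still present on this host.
# Assumptions: XP-style profile layout and 32-bit $env:ProgramFiles; the item
# names themselves are exactly those listed in the post.
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue  = 'xp securitycenter'
$configKey = 'HKLM:\SOFTWARE\XP_SecurityCenter'
$paths = @(
    (Join-Path $env:ProgramFiles 'XPSecurityCenter'),
    (Join-Path $env:ALLUSERSPROFILE 'Desktop\XPSecurityCenter.lnk'),
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\XPSecurityCenter')
)

$findings = @()

# Persistence: the Run value that relaunches the rogue at every logon.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$runValue]) {
    $findings += [pscustomobject]@{
        Type   = 'Registry'
        Item   = "$runKey\$runValue"
        Detail = $run.$runValue        # command line the rogue is started with
    }
}

# Application key created by the installer.
if (Test-Path -LiteralPath $configKey) {
    $findings += [pscustomobject]@{ Type = 'Registry'; Item = $configKey; Detail = 'key present' }
}

# Dropped program folder, desktop shortcut and Start Menu folder.
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $lastWrite = (Get-Item -LiteralPath $p -Force).LastWriteTime
        $findings += [pscustomobject]@{ Type = 'File'; Item = $p; Detail = $lastWrite }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No XP SecurityCenter artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an administrative PowerShell session before and after the Malwarebytes scan; an empty result after the scan confirms the listed artifacts are gone.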

Associated Domains

winantimalware.com
winantispyware2008.com
winreanimator.com
xpcleaner2008.com
xpdefender2008.com
xpguard2008.com
xpsecuritycenter.com
softcashier.net
softcashier.com
chronopay.com

XP SecurityCenter Removal

It was very easy to remove this infection with Malwarebytes' Anti-Malware. Please download the free version of Malwarebytes' Anti-Malware, update it and run a quick scan to get rid of this infection.

More Screenshots of Fake XP SecurityCenter

[Thumbnail screenshots of XP SecurityCenter]

Comments

daniel conklin March 4, 2009 at 4:33 AM

This solution worked great for me…


Samatva September 7, 2009 at 2:25 AM

This program has morphed into “AntivirusPro 2010” – still making the rounds trying to coerce folks into giving up the $$$


Dennis March 1, 2010 at 12:56 AM

i was able to do a system restore back a couple of days and now it’s gone
