
XP/Vista Antivirus 2008 Analysis and Removal

by Shanmuga

This rogue anti-malware application is mostly installed via encoded (obfuscated) redirects planted on hacked web pages. When you visit a hacked page on an otherwise legitimate website, your browser is automatically redirected to a site hosting the rogue, which shows a popup with the text: “Your computer is running slower than normal, maybe it is infected with Viruses, Adware or Spyware. XP/Vista Antivirus will perform a quick and completely FREE scan of your system for malicious software.”

In this instance I used Internet Explorer 6 on Windows XP SP3 to visit a hacked web page at rolfhamre.com. The hacked page happened to reside in the directory of Webalizer, a popular web server log analysis program bundled with most web hosting accounts.

[Screenshot xpantivirus20080000]

As the screenshot above shows, my browser was redirected to pornpissing.net and from there to a landing page at 0scan.com, a mirror of scanner.win-antivir-2008.com. The page uses a padlock image to suggest an encrypted connection, which it is not; a genuine SSL indicator is shown by the browser itself, never inside the page content. Through a combination of JavaScript and CSS, an animation mimicking a ‘virus scan in progress’ runs automatically, after which I was shown a window suggesting that I download XP/Vista Antivirus 2008 for free.

[Screenshot xpantivirus20080035]

The IE download dialog pops up even if you press “Cancel”, and thereafter it reappears if you click anywhere on the page. It must be stressed that if you disconnect the network, close the browser and clear the browser cache at this point, you are probably not infected: so far only a few images and a couple of JavaScript files have been downloaded. The actual rogue application is downloaded only when you click one of the buttons or try to close the popup window, and even then you still have to explicitly allow the browser to run, or save and execute, the file.

If you choose to install the application, the file AV2008.exe (203,776 bytes) is downloaded and executed. Once installed, it hijacks the desktop background with an image (C:\WINDOWS\system32\phccdmj0eacr.bmp) alerting the user that the system is infected with spyware.

[Screenshot xpantivirus20080041]

It also installs the BlueScreen Screen Saver from Microsoft Sysinternals, a legitimate tool, to simulate a fake BSOD whenever the screensaver is triggered. On a keypress or mouse movement it simulates the Windows restart screen, then displays a “the system has recovered from a serious error” window followed by an “Are you sure keep your computer exposing to cyber terrorists” window. The screensaver was installed as C:\WINDOWS\SYSTEM32\BLPHCCDMJ0EACR.SCR. The rogue uses this screensaver purely as a scare component to pressure the user into buying the product.

[Screenshot xpantivirus200800521]

[Screenshot xpantivirus20080053]
[Screenshot xpantivirus20080048]

The Desktop and Screen Saver tabs in Display Properties are also disabled, so that the user cannot change the wallpaper or screensaver back.

[Screenshot xpantivirus20080042]

This is achieved with two Explorer policy values, both under the current user's hive:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage
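The following PowerShell is an added example and not code from the original article: it reports whether the two policy values above are set and removes them so the tabs come back. The value names and the HKCU key are taken from the article; checking the same names under HKLM as well is this example's own precaution in case a variant writes them machine-wide, and the function names are this example's own.

```powershell
# Added example, not code from the original article. Inspects and clears the
# two Explorer policy values the rogue sets to hide the Desktop and Screen
# Saver tabs of Display Properties. HKCU is where the article found them;
# HKLM is checked too as an assumption (a variant could set them there).

$PolicyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$TabLocks = 'NoDispBackgroundPage', 'NoDispScrSavPage'

function Get-DisplayTabLocks {
    # One record per key/value pair, whether or not the value is currently set.
    foreach ($key in $PolicyKeys) {
        foreach ($name in $TabLocks) {
            $value = $null
            if (Test-Path $key) {
                $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $name
                Present = ($null -ne $value)
                Enabled = ($value -eq 1)   # DWORD 1 hides the tab
            }
        }
    }
}

function Remove-DisplayTabLocks {
    # Deletes only the values that exist; -WhatIf previews without changing anything.
    param([switch]$WhatIf)
    foreach ($lock in Get-DisplayTabLocks) {
        if (-not $lock.Present) { continue }
        if ($WhatIf) {
            Write-Host "Would remove $($lock.Key)\$($lock.Name)"
        } else {
            Remove-ItemProperty -Path $lock.Key -Name $lock.Name
            Write-Host "Removed $($lock.Key)\$($lock.Name)"
        }
    }
}

Get-DisplayTabLocks | Format-Table Key, Name, Present, Enabled -AutoSize
Remove-DisplayTabLocks -WhatIf   # drop -WhatIf to actually restore the tabs
```

Run it only after the rogue's processes have been killed, otherwise a running component can simply re-apply the values. Removing anything under HKLM needs an administrator session, and on XP that means running PowerShell as an administrator. Reopen Display Properties afterwards to confirm both tabs are back.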

It then drops a trojan, C:\WINDOWS\SYSTEM32\LPHCCDMJ0EACR.EXE, which connects to 77.244.220.134 (St. Petersburg, Russian Federation), presumably to download the actual rogue anti-malware application, Antivirus XP 2008. At the time of testing this IP hosted Online-security-systems.com and Xpprotector.com and was also associated with anti-virus-xp.net, youpornztube.org and antivirusxp-08.net.

One more trojan/spambot/rootkit, identified by the files sysrest32.exe and sysrest.sys (the latter registered as a kernel driver service, which is one reason user-mode scanners can struggle to remove it while it is loaded), is also dropped; it connects frequently to 218.106.90.227. This IP is a refuge for many rogue anti-malware domains, including anti-virus-xp.net, antivirusxp-2008.net, antivirusxp2008.net, axpfixer.com, youpornztube.biz, Axpdefender08.com and wg3q.com. It is also associated with malwareprotector08.com, antivirus-xp-08.com, antivirusxp-2008.com, antivirusxp08.net, antivirxp08.com, av-xp-2008.com, avxp-08.com, avxp08.com, avxp2008.com and youpornztube.org.

Once the application is downloaded, the license agreement is shown with no visible way to exit if you do not agree to the license.

[Screenshot xpantivirus20080012]

The usual fake alerts start immediately.

[Screenshot xpantivirus20080018]
[Screenshot xpantivirus20080019]

At random intervals, Display Properties > Settings > Color quality is set to Low (8 bit). Clicking “Remove viruses” brings up the demo-mode notice, which contains a link to upgrade/register the software.

[Screenshot xpantivirus20080026]

Clicking “click here to switch to full mode” launches the default browser and opens the subscription options page at Online-security-systems.com.

[Screenshot xpantivirus20080102]

Clicking “pay by credit card” redirects to their payment processor at secure.innovagest2000sl.com, a 128-bit SSL page with a certificate issued by Thawte. A valid certificate only shows that whoever runs the site controls that domain; it says nothing about the legitimacy of what is being sold there. The website is registered to “Trans Eurogroup S A” through the registrar ESTDOMAINS INC.

[Screenshot xpantivirus20080030]

[Screenshot xpantivirus20080031]

Visual changes noticed

  • Randomly changes the display color quality to 8 bit.
  • Disables the Desktop and Screen Saver tabs in Display Properties.
  • A fake Windows BSOD is shown using the Microsoft Sysinternals BlueScreen screensaver.
  • A fake Windows restart screen is shown.

Associated Files and Folders

  • C:\WINDOWS\SYSTEM32\LPHCCDMJ0EACR.EXE
  • C:\WINDOWS\SYSTEM32\BLPHCCDMJ0EACR.SCR
  • C:\WINDOWS\SYSTEM32\SYSREST32.EXE
  • C:\WINDOWS\SYSTEM32\PPHCCDMJ0EACR.EXE
  • C:\WINDOWS\SYSTEM32\PHCCDMJ0EACR.BMP
  • C:\WINDOWS\SYSTEM32\14.TMP
  • C:\WINDOWS\SYSTEM32\15.TMP
  • C:\WINDOWS\SYSTEM32\16.TMP
  • C:\WINDOWS\SYSTEM32\17.TMP
  • C:\WINDOWS\SYSTEM32\18.TMP
  • C:\WINDOWS\SYSTEM32\19.TMP
  • C:\WINDOWS\SYSTEM32\1A.TMP
  • C:\WINDOWS\SYSTEM32\1B.TMP
  • C:\WINDOWS\SYSTEM32\E.TMP
  • C:\WINDOWS\Prefetch\BLPHCCDMJ0EACR.SCR-38D430EC.pf
  • C:\PROGRAM FILES\RHC9DMJ0EACR\RHC9DMJ0EACR.EXE
  • C:\Program Files\RHC9DMJ0EACR
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
  • C:\Documents and Settings\Shanmuga\Application Data\RHC9DMJ0EACR

Associated Registry keys and values

  • HKU\S-1-5-21-2000478354-1801674531-110152249-1003\Control Panel\Desktop, value Wallpaper
  • HKU\S-1-5-21-2000478354-1801674531-110152249-1003\Control Panel\Desktop, value OriginalWallpaper
  • HKU\S-1-5-21-2000478354-1801674531-110152249-1003\Control Panel\Desktop, value ConvertedWallpaper
  • HKLM\System\ControlSet001\Services\sysrest.sys (driver file: C:\WINDOWS\SYSTEM32\SYSREST.SYS)
  • HKLM\System\ControlSet001\Enum\Root\LEGACY_sysrest.sys
  • HKLM\System\ControlSet002\Services\sysrest.sys
  • HKLM\System\ControlSet002\Enum\Root\LEGACY_sysrest.sys
  • HKLM\System\CurrentControlSet\Services\sysrest.sys
  • HKLM\System\CurrentControlSet\Enum\Root\LEGACY_sysrest.sys
  • A copy of the driver was also captured in a System Restore point: C:\System Volume Information\_restore{2D37B717-CAD7-46A9-85A3-594EDA39DA99}\RP3\A0000010.SYS

Associated Domains

  • 0scan.com
  • scanner.win-antivir-2008.com
  • Online-security-systems.com
  • Xpprotector.com
  • axpfixer.com
  • Axpdefender08.com
  • wg3q.com
  • malwareprotector08.com
  • antivirus-xp-08.com
  • antivirusxp-2008.com
  • antivirxp08.com
  • av-xp-2008.com
  • avxp-08.com
  • avxp08.com
  • avxp2008.com
  • innovagest2000sl.com
  • pornpissing.net
  • anti-virus-xp.net
  • antivirusxp-08.net
  • antivirusxp-2008.net
  • antivirusxp2008.net
  • antivirusxp08.net
  • youpornztube.org
  • youpornztube.biz

Removal

My first run with SuperAntiSpyware in Safe Mode was a disappointment. Though it detected the rogue anti-malware and the associated malware files and registry entries, it was unable to clean many of them, even after two full system scans. Malwarebytes' Anti-Malware performed in sterling fashion, removing all the infections and restoring the Desktop and Screen Saver tabs in Display Properties. For cleaning this rogue anti-malware I recommend Malwarebytes' Anti-Malware. As an additional measure I turned System Restore off and on again, which purges all restore points (a copy of the sysrest.sys driver had been captured in one, as the registry list above shows), and used CCleaner to clean the temporary internet files and other caches.
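Whichever scanner you use, it is worth checking afterwards that the indicators listed above are actually gone. The PowerShell below is an added example and not code from the original article: it sweeps the local machine for the exact file names, registry paths, driver service and IP addresses from this sample. The random-looking suffix in the file names (CCDMJ0EACR, C9DMJ0EACR) is very likely per-install, so the wildcard prefix patterns are this example's own generalisation, as are the function and variable names.

```powershell
# Added example, not code from the original article. Sweeps the machine for the
# indicators the article lists so a cleanup can be verified. Exact names, paths
# and IPs come from the article; the wildcard patterns are an assumption.

$Sys32 = Join-Path $env:SystemRoot 'System32'

# Files dropped by this sample (article's "Associated Files and Folders").
$IocFiles = @(
    (Join-Path $Sys32 'LPHCCDMJ0EACR.EXE'),
    (Join-Path $Sys32 'BLPHCCDMJ0EACR.SCR'),
    (Join-Path $Sys32 'PPHCCDMJ0EACR.EXE'),
    (Join-Path $Sys32 'PHCCDMJ0EACR.BMP'),
    (Join-Path $Sys32 'SYSREST32.EXE'),
    (Join-Path $Sys32 'SYSREST.SYS'),
    (Join-Path $env:ProgramFiles 'RHC9DMJ0EACR\RHC9DMJ0EACR.EXE')
)

# Assumption: only the suffix varies between installs, so also match the
# prefixes this sample used. Each entry is a directory and a filename filter.
$IocPatterns = @(
    @{ Dir = $Sys32;            Filter = 'lphc*.exe' },
    @{ Dir = $Sys32;            Filter = 'blphc*.scr' },
    @{ Dir = $Sys32;            Filter = 'pphc*.exe' },
    @{ Dir = $Sys32;            Filter = 'phc*.bmp' },
    @{ Dir = $env:ProgramFiles; Filter = 'rhc*' }
)

# Registry artefacts: the tab-hiding policy values and the sysrest.sys driver.
$PolicyKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$PolicyValues = 'NoDispBackgroundPage', 'NoDispScrSavPage'
$IocRegKeys   = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\sysrest.sys',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSREST.SYS'
)

# Addresses the dropped components were observed contacting.
$IocAddresses = '77.244.220.134', '218.106.90.227'

function Find-Av2008Indicators {
    $hits = @()

    foreach ($f in $IocFiles) {
        if (Test-Path -LiteralPath $f) { $hits += "file:     $f" }
    }
    foreach ($p in $IocPatterns) {
        if (-not (Test-Path -LiteralPath $p.Dir)) { continue }
        foreach ($item in (Get-ChildItem -Path $p.Dir -Filter $p.Filter -Force -ErrorAction SilentlyContinue)) {
            $hits += "pattern:  $($item.FullName) (matched $($p.Filter))"
        }
    }

    if (Test-Path $PolicyKey) {
        $props = Get-ItemProperty -Path $PolicyKey
        foreach ($name in $PolicyValues) {
            if ($null -ne $props.$name) { $hits += "regvalue: $PolicyKey\$name = $($props.$name)" }
        }
    }
    foreach ($k in $IocRegKeys) {
        if (Test-Path $k) { $hits += "regkey:   $k" }
    }

    # Live sockets to the listed IPs. netstat -ano also prints the owning PID,
    # which Process Explorer can then be pointed at.
    $pattern = ($IocAddresses | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($m in (netstat -ano | Select-String -Pattern $pattern)) {
        $hits += "socket:   $($m.Line.Trim())"
    }

    return $hits
}

$found = @(Find-Av2008Indicators)
if ($found.Count -eq 0) {
    Write-Host 'No XP/Vista Antivirus 2008 indicators found.'
} else {
    Write-Host "$($found.Count) indicator(s) found:"
    $found | ForEach-Object { Write-Host "  $_" }
}
```

Run it from an administrator session so the HKLM keys and System32 are readable. A clean result from inside the infected OS is not proof on its own: sysrest.sys is a kernel driver, and a loaded rootkit driver can hide its own files and keys from user-mode enumeration, so if anything is in doubt, confirm with a scan from Safe Mode or from a boot disc.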

If you still have popups or other symptoms after running the automated malware scans, please post your problem at one of the Recommended Online Forums for Malware Help.

This type of infection is hard for less security-conscious users to avoid, since it is triggered by a hacked page on an otherwise legitimate site, unless a layered approach to secure browsing is practised. If caught early, it can be contained by disconnecting from the network immediately, then running a couple of malware scans and/or restoring from a clean backup.

Disclaimer

The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.


Comments (11)

crazyBear September 17, 2008 at 11:50 PM

Yes, I do it mostly in the same way as you explained in the blog… bravo AAA
(after that, for final screening I use SuperAntiSpyware, Spybot S&D, Prevx and ParetoLogic)
good job
best
uf

Antivirus Expert September 21, 2008 at 1:31 AM

Excellent post!
Now I know what victims refer to as the “blue screen of death”. That's simply the wrapping of the malware!
To my mind the first thing about Antivirus 2008 that causes suspicion is the size of the setup – it's ridiculously small. If you look at the setup executables of world-known antivirus makers, it's evident they often take over 20 or even 60 megs of HDD space before installation.

GuyWithHair September 21, 2008 at 10:30 AM

Yeah, I have that problem right now. I downloaded a free Norton 09 and it came with this crap. Downloaded the Malwarebytes scanner, it's scanning now and has already detected 27 infected files. Hopefully it does the job, thanks.

guest September 23, 2008 at 1:01 AM

Hi
I also face the same problem… will need to double check. Thanks for the details, will try this out.

Leftsoldier September 26, 2008 at 7:09 AM

I have been dealing with this little beauty for the past 6 months on many of my clients' PCs.
I have had great success with a combination of Microsoft Sysinternals tools, Process Explorer and Autoruns, along with the malware tool ComboFix.
I use Process Explorer to kill the rogue processes and also to locate the DLL and EXE files, which can be deleted only once the processes have been killed.
I then use Autoruns to locate and remove the registry entries. Afterwards I use ComboFix to clean up and remove any residual files. I have had a 100% success rate with this process and have managed to effectively clean a heavily infected machine in less than half an hour.

MadasHell September 26, 2008 at 6:25 PM

The people that made this should be lined up before a firing squad. I wonder how many millions of dollars have been wasted in the man-hours spent dealing with this sort of crap.

Tristan Bukenberger October 1, 2008 at 8:18 PM

Just got rid of this; used Malwarebytes' Anti-Malware and Spybot S&D, along with Process Explorer at the very beginning.

When I used Malwarebytes Anti-Malware and Spybot S&D, the popups would still come every so often, but I quickly discovered that a file called “pwrmgr.exe”, located somewhere in the Local Settings folder, was causing this. The file would not let me delete it, so I used a feature of Malwarebytes Anti-Malware called FileASSASSIN, which deletes it when you restart the computer.

Whoever has this problem should follow my advice and use what I use, and be careful next time about what you download.

Dave October 7, 2008 at 11:37 AM

I can't find a file called pwrmgr.exe… any advice?

keai_21 October 7, 2008 at 12:13 PM

Hi..

I also have the same problem. I'm not a computer expert, could you please help me to remove Internet Antivirus Pro.

DOO100 November 9, 2008 at 2:41 AM

Thank you

Megan December 24, 2008 at 5:56 PM

OMG
Thank you sooooooo much.
Last time I got my computer repaired they installed Anti-Malware.
THANK GOD
And I came here and saw it COMPLETELY removed it, unlike Symantec AntiVirus which only removes about 52 at a time and I had about 500.
Whoever invented this virus crap should be starved in a hole.
