
XP/Vista Antivirus 2008 Analysis and Removal

by Shanmuga

This rogue anti-malware application mostly installs via encoded redirects from hacked web pages. When you happen to visit a hacked page on an otherwise legitimate website, your browser is automatically redirected to a rogueware hosting website, which shows a popup with the text “Your computer is running slower than normal, maybe it is infected with Viruses, Adware or Spyware. XP/Vista Antivirus will perform a quick and completely FREE scan of your system for malicious software.”

In this instance I used Internet Explorer 6 running on Windows XP SP3 to visit a hacked web page at Here the hacked web page happened to reside in the folder of Webalizer, a popular web server log file analysis program included with most web hosting accounts.

As can be seen from the screen shot above, my browser was redirected to and from there to a landing page at, a mirror site of The website fraudulently uses an image to indicate an encrypted connection, which it is not. Here, through a combination of JavaScript and CSS, an image mimicking a ‘virus scan in progress’ is displayed automatically, and I was shown a window suggesting that I download XP/Vista Antivirus 2008 for free.

The IE download dialogue box pops up even if you press “Cancel”, and thereafter it pops up again if you click anywhere on the web page. It must be mentioned here that if you disconnect the network connection, close the browser and clear out the internet cache files, you are probably not infected, since up to this point only a few images and a couple of JavaScript files have been downloaded. The actual rogue application downloads only when you click any of the buttons or try to close the popup window. Even then, you have to specifically allow your browser to run, or download and execute, the rogue application.

If you choose to install the application, the file AV2008.exe (203,776 bytes) is downloaded and executed. Once installed, it hijacks the desktop background with an image (C:\WINDOWS\system32\phccdmj0eacr.bmp) alerting the user that their computer has been infected with spyware.

It also installs the BlueScreen Screen Saver from Microsoft (Sysinternals) to simulate a fake BSOD whenever the screensaver is triggered. On a keypress or mouse movement it simulates the Windows restart screen and displays a “the system has recovered from a serious error” window followed by an “Are you sure keep your computer exposing to cyber terrorists” window. The screensaver was installed as C:\WINDOWS\SYSTEM32\BLPHCCDMJ0EACR.SCR. The rogue anti-malware application uses this screensaver as a component to trick the user into buying the product.

The Desktop and Screen Saver tabs in Display Properties are also disabled so that the user cannot change them back.

This is achieved using Windows Policies:
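The post does not reproduce the policy values it refers to here (they were shown in a screenshot). As an added example, not code from the original article, the following PowerShell script reports which Display Properties tab-hiding policy values are set on a machine and, when run with -Fix, removes them and clears the hijacked wallpaper value listed later in the post. NoDispBackgroundPage and NoDispScrSavPage are the standard Windows policy values that hide the Desktop and Screen Saver tabs; that this rogue sets exactly those values is an assumption on my part.

```powershell
# Added example (not from the original post): report and optionally clear the
# Display Properties tab-hiding policies. The post does not name the specific
# values; NoDispBackgroundPage / NoDispScrSavPage are the standard Windows
# policy values that hide the Desktop and Screen Saver tabs, and it is an
# assumption here that the rogue sets these. Run with -Fix to remove them.
param([switch]$Fix)

$PolicyValues = 'NoDispBackgroundPage', 'NoDispScrSavPage',
                'NoDispAppearancePage', 'NoDispSettingsPage', 'NoDispCPL'
$PolicyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Get-DisplayPolicyState {
    # Emits one object per policy value that is present and non-zero.
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($name in $PolicyValues) {
            $value = $item.$name
            if ($null -ne $value -and $value -ne 0) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $value }
            }
        }
    }
}

$findings = @(Get-DisplayPolicyState)
if ($findings.Count -eq 0) {
    Write-Output 'No Display Properties tab restrictions are set.'
    return
}

$findings | Format-Table -AutoSize

if ($Fix) {
    foreach ($f in $findings) {
        # Deleting the value restores the default (tab visible). The HKLM hive
        # needs an elevated shell.
        Remove-ItemProperty -Path $f.Key -Name $f.Name -ErrorAction Stop
        Write-Output "Removed $($f.Name) from $($f.Key)"
    }
    # The fake wallpaper is set through HKCU\Control Panel\Desktop\Wallpaper
    # (listed in the registry indicators below); blank it so it is not reapplied.
    Set-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper -Value ''
    Write-Output 'Cleared the desktop wallpaper; log off and on for the change to apply.'
}
```

Run it once without -Fix to see what is set; a restriction on the Desktop or Screen Saver tab on a home machine that has never been domain-joined is itself a useful indicator, since nothing legitimate normally sets those values there.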


It then drops a trojan, C:\WINDOWS\SYSTEM32\LPHCCDMJ0EACR.EXE, which connects to an IP in St. Petersburg, Russian Federation, presumably to download the actual rogue anti-malware application Antivirus XP 2008. Presently this IP plays host to and It is also associated with, and

One more trojan/spambot/rootkit is dropped, identified by the files sysrest32.exe and sysrest.sys, which makes frequent connections to the IP This IP is a refuge to many rogue anti-malware domains like,,,,, and It is also associated with,,,,,,,,, and

Once the application is downloaded, the license agreement is shown, with no visible way to exit if you do not agree to the license and install.

The usual fake alerts start immediately.

At random intervals, Display Properties > Settings > Color quality is set to Low (8 bit). Clicking on “Remove viruses” brings up the demo mode notice, which contains a link to upgrade/register the software.

Clicking on “click here to switch to full mode” opens the default browser on the subscription options page at URL

Clicking on “pay by credit card” redirects to their payment processor at, a 128-bit SSL secured page certified by Thawte. This website is registered to “Trans Eurogroup S A” through the registrar ESTDOMAINS INC.

Visual changes noticed

  • Randomly changes the display color quality to 8 bit.
  • Disables the Desktop and Screen Saver tabs in Display Properties.
  • Fake Windows BSOD is shown using the Microsoft Sysinternals screensaver software.
  • Fake Windows restart screen is shown.

Associated Files and Folders

  • C:\WINDOWS\Prefetch\
  • C:\Program Files\RHC9DMJ0EACR
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
  • C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
  • C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk
  • C:\Documents and Settings\Shanmuga\Application Data\RHC9DMJ0EACR

Associated Registry keys and values

  • HKU\S-1-5-21-2000478354-1801674531-110152249-1003\CONTROL PANEL\DESKTOP#WALLPAPER
  • HKU\S-1-5-21-2000478354-1801674531-110152249-1003\CONTROL PANEL\DESKTOP#ORIGINALWALLPAPER
  • HKU\S-1-5-21-2000478354-1801674531-110152249-1003\CONTROL PANEL\DESKTOP#CONVERTEDWALLPAPER
  • HKLM\System\ControlSet001\Services\sysrest.sys (points to C:\WINDOWS\SYSTEM32\SYSREST.SYS)
  • HKLM\System\ControlSet001\Enum\Root\LEGACY_sysrest.sys
  • HKLM\System\ControlSet002\Services\sysrest.sys
  • HKLM\System\ControlSet002\Enum\Root\LEGACY_sysrest.sys
  • HKLM\System\CurrentControlSet\Services\sysrest.sys
  • HKLM\System\CurrentControlSet\Enum\Root\LEGACY_sysrest.sys
  • C:\System Volume Information\_RESTORE{2D37B717-CAD7-46A9-85A3-594EDA39DA99}\RP3\A0000010.SYS (copy in the System Restore point)
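As an added example that is not part of the original post, the following PowerShell script sweeps a host for the file and registry indicators listed above. The random-looking suffix in the dropped file names (cdmj0eacr / 9dmj0eacr on the test machine) is assumed to differ between infections, so the file indicators are matched with wildcards on the stable prefixes; the driver service name sysrest.sys is taken from the registry list.

```powershell
# Added example (not from the original post): look for the file and registry
# indicators listed in the write-up. The per-infection suffix in the dropped
# file names is assumed to vary, so the stable prefixes are used as wildcards.
$FileIndicators = @(
    'C:\WINDOWS\system32\phc*.bmp',        # hijacked wallpaper image
    'C:\WINDOWS\system32\blphc*.scr',      # BlueScreen screensaver copy
    'C:\WINDOWS\system32\lphc*.exe',       # downloader trojan
    'C:\WINDOWS\system32\sysrest32.exe',   # rootkit user-mode component
    'C:\WINDOWS\system32\sysrest.sys',     # rootkit driver
    'C:\Program Files\RHC*',
    'C:\Documents and Settings\*\Application Data\RHC*',
    'C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008*',
    'C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk'
)

$RegistryIndicators = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\sysrest.sys',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SYSREST.SYS',
    'HKLM:\SYSTEM\ControlSet001\Services\sysrest.sys',
    'HKLM:\SYSTEM\ControlSet002\Services\sysrest.sys'
)

function Find-RogueIndicators {
    $hits = @()
    foreach ($pattern in $FileIndicators) {
        # Resolve-Path expands the wildcards; absent paths are simply skipped.
        foreach ($p in (Resolve-Path -Path $pattern -ErrorAction SilentlyContinue)) {
            $hits += [pscustomobject]@{ Type = 'File'; Path = $p.ProviderPath }
        }
    }
    foreach ($key in $RegistryIndicators) {
        if (Test-Path $key) {
            $hits += [pscustomobject]@{ Type = 'Registry'; Path = $key }
        }
    }
    # Kernel drivers are not shown by Get-Service; query the driver class instead.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='sysrest.sys'" `
               -ErrorAction SilentlyContinue
    if ($drv) {
        $hits += [pscustomobject]@{ Type = 'Driver'; Path = "$($drv.Name) ($($drv.State)) -> $($drv.PathName)" }
    }
    $hits
}

$results = @(Find-RogueIndicators)
if ($results.Count -eq 0) {
    Write-Output 'None of the listed indicators were found.'
} else {
    $results | Sort-Object Type, Path | Format-Table -AutoSize
}
```

Because the driver hides files while it is loaded, a clean result from this sweep on a live system is weaker evidence than a hit; for a confident answer, run the same checks from a boot disk or after the sysrest.sys service has been disabled and the machine rebooted.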

Associated Domains



My first run with SuperAntiSpyware in safe mode was a disappointment. Though it detected the rogue anti-malware and the associated malware files and registry entries, it was unable to clean many of them, even after two full system scans. Malwarebytes’ Anti-Malware performed in a sterling fashion, removing all the infections and restoring the Desktop and Screen Saver tabs in Display Properties. For cleaning this rogue anti-malware I recommend using Malwarebytes’ Anti-Malware. As an additional measure I turned System Restore off and on again, and also used CCleaner to clean the temporary internet and other cache files.

If you still have popups or other symptoms after running the automated malware scans, please post your problem at one of the Recommended Online Forums for Malware Help.

This type of infection is difficult to avoid for less security-conscious surfers, as it is triggered by a web page hack, unless a layered approach to secure browsing is practised. Manually, the infection can be avoided by timely disconnection from the network, followed by a couple of malware scans and/or restoring from a clean backup.


The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or different testing conditions.

Screen shot Gallery


crazyBear September 17, 2008 at 11:50 PM

Yes, I do it mostly in the same way as you explained in the blog… bravo AAA
(after that, for final screening I use SuperAntiSpyware, Spybot S&D, Prevx and ParetoLogic)
Good job


Antivirus Expert September 21, 2008 at 1:31 AM

Excellent post!
Now I know what victims refer to as the “blue screen of death”. That’s simply a wrapping of the malware!
To my mind the first thing about Antivirus 2008 that causes suspicion is the size of the setup – it’s ridiculously small. If you look at the setup executables of world-known antivirus makers, it’s evident they often take over 20 or even 60 megs of HDD space before installation.


GuyWithHair September 21, 2008 at 10:30 AM

Yeah, I have that problem right now. I downloaded a free Norton 09 and it came with this crap. I downloaded Malwarebytes’ scanner; it’s scanning now and has already detected 27 infected files. Hopefully it does the job. Thanks.


guest September 23, 2008 at 1:01 AM

I also face the same problem… will need to double check. Thanks for the details… will try this out.


Leftsoldier September 26, 2008 at 7:09 AM

I have been dealing with this little beauty for the past 6 months on many of my clients’ PCs.
I have had great success with a combination of Microsoft Sysinternals tools, Process Explorer and Autoruns, along with the malware tool ComboFix.
I use Process Explorer to kill the rogue processes and also locate the DLL and EXE files, which can be deleted only when the processes have been killed.
I then use Autoruns to locate and remove registry entries. Afterwards, I use ComboFix to clean up and remove any residual files left. I have had a 100% success rate with this process and have managed to effectively clean a heavily infected machine in less than half an hour.


MadasHell September 26, 2008 at 6:25 PM

The people that made this should be lined up before a firing squad. I wonder how many millions of dollars have been wasted in the man hours spent dealing with this sort of crap.


Tristan Bukenberger October 1, 2008 at 8:18 PM

Just got rid of this, used Malwarebytes’ Anti-Malware and Spybot S&D, along with Process explorer at the very beginning.

When I used Malwarebytes’ Anti-Malware and Spybot S&D, the popups would still come every so often, but I quickly discovered that a file called “pwrmgr.exe” located somewhere in the Local Settings folder was causing this. The file would not let me delete it, so I used a feature that Malwarebytes’ Anti-Malware has called FileASSASSIN, which deletes it when you restart the computer.

Whoever has this problem should follow my advice and use what I use, and be careful next time too about what you download.


Dave October 7, 2008 at 11:37 AM

I can’t find a file called pwrmgr.exe…. any advice?


keai_21 October 7, 2008 at 12:13 PM


I also have the same problem. I’m not a computer expert; could you please help me to remove the Internet Antivirus Pro.


DOO100 November 9, 2008 at 2:41 AM

thank you


Megan December 24, 2008 at 5:56 PM

Thank you sooooooo much.
Last time I got my computer repaired they installed Anti-Malware.
And I came here and saw it COMPLETELY removed it, unlike Symantec AntiVirus which only removes about 52 at a time and I had about 500.
Whoever invented this virus crap should be starved in a hole.

