
Don't Be Cheated, They're Malware!

Posted by absnet on 23 February 2009


Ever heard of malware? Malware, a portmanteau of the words malicious and software, is software designed to infiltrate or damage a computer system without the owner’s informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.[1] The term “computer virus” is sometimes used as a catch-all phrase to include all types of malware, including true viruses.

Software is considered malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, dishonest adware, crimeware and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of several American states, including California and West Virginia. (http://en.wikipedia.org/wiki/Malware)

When we surf, our eyes are sometimes caught by a banner offering a program or a service that we supposedly must install on our computer. When we install it, the program reports that we have a virus on our computer and that we must download (and pay for, of course) the full program.

Some programs offered in this way contain malware. They are not intended to help us clean up a virus; the virus warning is only a false alarm. What such a program actually does is steal our data, our surfing data, and possibly our passwords.

Usually such a program has no uninstall option and runs automatically when Windows starts once we have installed it. Here are some of those programs:

WINCLEANER 2009

WinCleaner 2009 is a rogue anti-malware program from the same developers as Win Antivirus Vista/XP and ASC-AntiSpyware. This particular rogue uses false advertising, exaggerated results, and Trojans to promote itself. The engine behind WinCleaner 2009 is the open source security engine called ClamWin. ClamWin is a legitimate anti-malware engine that allows developers to integrate anti-malware technology into their products, so anyone can create their own anti-malware program using the ClamWin engine and its malware definitions. WinCleaner, though, takes it a step further: it also displays legitimate Windows programs as infections. To make matters worse, this program also uses Trojans that display fake alerts on your computer’s desktop to convince you that you are infected.

When WinCleaner is installed it will be configured to start automatically when you turn on your computer. Once started it will scan your computer and display a variety of infections, but not the infected file names, and these infections cannot be removed unless you first purchase the software. It will then display another screen that shows a list of known Windows programs and states that they are all infected. In reality, though, none of these files are infected; they are only being shown to scare you into purchasing the software.

PrivacyGuard Pro

PrivacyGuardPro is a rogue privacy program that is a clone of Privacy Protection Suite. This program is promoted via fake online anti-malware scanners that state your computer has a variety of privacy risks and that you should install PrivacyGuardPro in order to protect yourself. Once downloaded and installed, the program will scan your computer and list a variety of privacy risks. These risks, though, are highly exaggerated and in fact pose no risk at all to your privacy or computer. They are only being shown in order to scare you into thinking you are infected, in the hope that you will purchase the software.

Total Virus Protection

Total Virus Protection is a rogue anti-spyware program whose point of origin is the Russian Federation. This program is classified as a rogue because it uses aggressive advertising and displays false scan results. When installed this program will scan your computer and list a variety of infections that cannot be removed unless you have already purchased the software. These infections, though, are all legitimate programs and are actually required for the proper operation of Windows. Some of the detected scan results are:

  • C:\Windows\System32\diskperf.exe is detected as Backdoor.Netdevil
  • C:\Windows\System32\6to4svc.dll is detected as Dialer.Palazzo
  • C:\Windows\System32\hypertrm.dll is detected as Trojan.USBsteal
  • C:\Windows\System32\kbdno.dll is detected as Trojan.Anits

In reality, though, all of these files are required system files for the proper operation of Windows. If these files are deleted then certain Windows programs and services will no longer work properly.

Malware Doctor

MalwareDoc is a clone of the rogue called AntiSpy Knight. This program is classified as a rogue because it uses deceptive advertising, attempts to trick users into thinking it’s a different program, and shows false results when scanning your computer. The developers of MalwareDoc were also sloppy when they cloned AntiSpy Knight into MalwareDoc, as shown by the Registry key HKEY_CURRENT_USER\Software\Malware Doctor\AntiSpy Knight. When testing MalwareDoc on a freshly formatted computer it still found infections. Unfortunately, these “infections” were legitimate Microsoft programs, including files such as C:\Windows\Notepad.exe, C:\Windows\regedit.exe, and C:\Windows\System32\xcopy.exe. A large concern is that infected users who are unfamiliar with this program may mistakenly delete files thinking they are infections when in fact they are files required for the proper operation of Windows.

When installed, MalwareDoc will be configured to start automatically when you boot your computer. Once running, it will scan your computer and display a variety of infections that cannot be removed unless you first purchase the program. As described above, these infections are all fake and are only being shown to scare you into thinking you are infected so that you purchase the program. To further confuse users, when the installer creates the autostart entry in your Windows Registry that is used to start the program automatically, it uses a name that belongs to legitimate software. This name is Alcmtr, which is normally associated with a piece of audio software from RealTek. The reason they chose a legitimate name was to make the entry look like a program that should be allowed to run.

MalwareDoc is an unwanted program and has no redeeming qualities. It was not created to help anyone, but rather to steal your money. Instead of using this software, please use the free removal guide outlined below to remove MalwareDoc and any malware that was installed with it.

Anti Virus 1

Anti-virus-1 is a new rogue anti-spyware program from the same family as Antivirus 2010 and Antivirus 360. This program is promoted primarily through two methods. The first is through the use of advertisements that pretend to be online anti-malware scanners. These advertisements go through what appears to be a scan of your machine and then when finished, state that your computer is infected and that you should download Anti-virus-1 to protect yourself. Remember, though, that this is just an advertisement and it has no way of knowing what is running on your computer. The second method that is used to promote this rogue is through the use of Trojans. When certain Trojans are installed on your computer they will display security alerts stating that your computer is infected or that you have some other security risk. When you click on these alerts, it will download and install Anti-virus-1 onto your computer.

When Anti-virus-1 is installed it will configure itself to start automatically when Windows starts. It will also modify your C:\Windows\System32\drivers\etc\hosts file so that when you visit certain sites you will be taken to a site under the malware developer’s control rather than the legitimate site you were expecting. This allows them to show you information that further promotes the Anti-virus-1 program. When the program is started it will automatically scan your computer and then display a list of infections that cannot be removed unless you first purchase the program. The infections that it will show include Spyware.IEMonster.d, Zlob.PornAdvertiser.ba, Spyware.IMMonitor, Infostealer.Banker.E, and Dialer.Xpehbam.biz_dialer among many others. None of these infections actually exist on your computer; they are only being shown to scam you into thinking that you are infected.
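The hosts-file tampering described above is easy to audit offline. The Python below is an added example, not code from the original post: it parses the text of a hosts file and reports any entry for a watched domain (redirecting it to a scammer’s server or pinning it to loopback are both abnormal), plus any name mapped to an address outside the loopback, link-local or RFC 1918 ranges. The watched-domain list, the local-range list and the sample file (which uses TEST-NET documentation addresses) are constructed for the demo.

```python
"""Flag suspicious entries in a Windows hosts file.

Added example, not code from the original post. Rogues such as Anti-virus-1
edit C:\\Windows\\System32\\drivers\\etc\\hosts so that chosen domains resolve
to a server the scammer controls. The watched list and sample file below are
constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass

# Domains that should never be overridden in a workstation's hosts file (constructed list).
WATCHED_SUFFIXES = ("google.com", "microsoft.com", "windowsupdate.com", "malwarebytes.org")

# Address ranges a legitimate hosts entry normally points at.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]


@dataclass
class Finding:
    line_no: int
    ip: str
    hostname: str
    reason: str


def is_watched(hostname: str) -> bool:
    """True if hostname is, or is under, one of the watched domains."""
    host = hostname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def is_local(addr) -> bool:
    """True if the address falls in a loopback, link-local or private range."""
    return any(addr in net for net in LOCAL_NETWORKS)


def parse_hosts(text: str):
    """Yield (line_no, ip, hostname) for each mapping; comments and blanks are skipped."""
    for n, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        for host in fields[1:]:           # one line may list several names
            yield n, fields[0], host


def find_suspicious(text: str) -> list:
    """Return Findings for every hosts entry that looks tampered with."""
    findings = []
    for n, ip, host in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(Finding(n, ip, host, "unparseable address"))
            continue
        if is_watched(host):
            findings.append(Finding(n, ip, host, "watched domain overridden in hosts"))
        elif not is_local(addr):
            findings.append(Finding(n, ip, host, "name pinned to a non-local address"))
    return findings


# Constructed sample; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real servers.
SAMPLE_HOSTS = """\
# constructed sample hosts file, not a real capture
127.0.0.1       localhost
::1             localhost
192.168.1.50    fileserver.lan
198.51.100.23   www.google.com google.com   # constructed attacker address (TEST-NET-2)
198.51.100.23   www.microsoft.com
127.0.0.1       ads.example.net
203.0.113.7     update.example.net          # constructed (TEST-NET-3)
"""

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.ip:<15} {f.hostname:<20} {f.reason}")
```

On a real machine, read the hosts file into a string and pass it to find_suspicious; the loopback entries for localhost and the LAN file server are left alone, while the two overridden vendor domains and the name pinned to a public address are reported with their line numbers.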

While the program is running you will also see security alerts in the form of a balloon appearing from the Windows taskbar. These alerts will have messages like:

Spyware activity alert!
Spyware.IEMonster activity detected. It is spyware that attempts to steal passwords from Internet Explorer,Mozilla Firefox, Outlook and other programs, including logins and passwords from online banking sessions, eBay, PayPal.

and

svchost.exe
Internal conflict alert.
Anti-virus-1 detected internal software conflict. Some applicztion <sic> tries to get access to system kernel (such behavior is typical to Spyware/Malware). It may cause crash of your computer.

You may also encounter what appears to be a crash screen, or Blue Screen of Death, that states SPYWARE.MONSTER.FX_WILD has been detected. Your computer will then pretend to reboot and in the fake Windows boot screen you will see the following message under the Windows logo:

Your Anti-virus-1 copy is unregistered. Microsoft Security recommends you to activate your antivirus protection software.

When you see these fake taskbar alerts, blue screen crashes, and reboots, please do not be alarmed as they are all fake. In fact the blue screen crash, and the subsequent reboot, are just a screen saver run by the c:\Documents and Settings\All Users\Application Data\AV1\svchost.exe file. In reality your computer never crashed or rebooted.

Though Anti-virus-1 may look like a legitimate anti-malware program, it is important to remember that these programs are scripted to always show that you have infections. This program, when run, will always show you the same infections, the same alerts, and the same warnings. It does this for one reason only: to scare you into thinking you are infected so that you purchase their software. Instead of doing so, please use the free removal guide outlined below to remove Anti-virus-1 and the malware that was installed with it.

Privacy Component (Privacy Tool Pack)

Privacy Components is a new rogue program that pretends to be an all-in-one security suite. This particular rogue is being promoted through a trojan delivered through a fake site called Porn Tube. This site will show images of adult videos, and when you try to watch a video, state that you need to install a program, which is actually a Trojan, in order to watch it. When you install this Trojan, it will download and install Privacy Components on your computer. What I find interesting about Privacy Components is that if they actually put their time into it, they could potentially make this into a useful and legitimate program. The suite of utilities that are bundled with Privacy Components are:

  • Cookie guarder
  • Secure channel
  • Memory wizard
  • Surf Protector
  • Registry Doctor
  • System Monitor

Unfortunately, the developers of Privacy Components would rather make their money by scamming you than by working for it, and all of these utilities fall short of actually being useful. One tool that I found interesting was the secure channel tool, which allows a registered user to create a secure VPN, or encrypted tunnel, to Privacy Component’s servers and surf the web using this VPN. Supposedly this would bypass the regular Internet routing and instead go through the company’s private routers. It does this by including a copy of OpenVPN that allows you to create a VPN to one of their servers. Unfortunately, I could not test this because I did not have a username or password, but I was able to determine that there is indeed a VPN server residing on one of Privacy Components’ devices. If this was a legitimate company and one I could trust, I think this would be an interesting concept. Unfortunately, as this company is just trying to scam us, I wouldn’t trust them with any of my information.

ASC-AntiSpyware / Win Antivirus Vista/XP

Win Antivirus Vista/XP is a rogue from the same developers as ASC-AntiSpyware. In fact, both ASC-AntiSpyware and Win Antivirus are the same program, just with different names. Win Antivirus Vista/XP is advertised through the use of Trojans that display fake security alerts on your computer. These alerts range from a fake Windows Security Center to alerts from the Windows taskbar stating your computer is under attack. All of these alerts will then suggest that you purchase Win Antivirus in order to protect yourself. When Win Antivirus Vista/XP is installed, it will be configured to start automatically when you boot your computer. Once running, it will scan your computer and state that you have a variety of infections on your computer and that in order to remove these infections you will need to purchase the program. The problem is that the files it states are infections are actually legitimate Windows programs such as msimn.exe, which is Outlook Express, and explorer.exe, which is a vital program for the proper operation of Windows. Some of the infections it identifies these programs as are Trojan-Keylogger.Win32.QQHelper.aoc, Net-Worm.Win32.Kido.fx, and Trojan-PSW.Win32.OnLineGames.sxa. The reason it is showing you these files is to scare you into purchasing the software.

Inside the program’s folder will also be a file called fastcam.exe, which is the Trojan that displays fake security alerts on your computer. When fastcam.exe is executed it will create a new service called AntipyWarex32_ that launches the c:\WINDOWS\svchost.exe file. When running, this program will randomly issue security alerts and nag screens on your computer in order to have you purchase the software. It is also possible to manually trigger these nag screens and warnings by using the following command line switches:

-uninstal – This argument will remove the service and Trojan from your computer.

-redalert – Displays a nag screen stating you are infected and that you should purchase the program.

-updtalert – Displays a screen stating that there is an update to the malware definitions and that you should purchase the program in order to perform this update.

-mainalert – Displays an alert screen showing various programs as infections.

-trymsg – Displays a balloon Windows taskbar alert stating your computer is under attack.

-except – Displays a new type of fake alert that pretends to be svchost.exe crashing on your computer. The current text of this alert is:

svchost.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

If you were in the middle of something, the information you were working on might be lost.

Please tell Microsoft about this problem.

If you click on the Fix It button it will start Win Antivirus again.

-center – Displays a fake Windows Security Center screen that is advertising Win Antivirus.

As you can see this program deliberately attempts to trick you into thinking you are infected so that you purchase the program. Please ignore these warnings and instead use the free removal guide below.

System Guard Center

System Guard Center is a rogue from the same family as Cleaner2009 and SystemBooster 2009. It pretends to be an all-in-one security suite that will check your computer for privacy risks, spyware risks, and errors. In reality, though, this program will display false or exaggerated security issues rather than any legitimate ones. This program is advertised through the use of pop-ups that appear when visiting web sites. These pop-ups state that your computer has security risks and that you should run an online security scanner to see what these risks are. If you click on this pop-up, you will automatically be brought to a page that shows an advertisement pretending to be an online security scanner. When the advertisement has finished, you will be shown a screen stating that your computer has security risks and that you should download and install System Guard Center.

When System Guard Center is installed it will add an entry into the Windows Registry that will cause the program to start automatically when you boot your computer. When the program starts it will scan your computer and display privacy risks, errors, and spyware risks on your computer. These risks, though, cannot be removed until you first purchase the software. The risks that are found are fake, or not risks at all, and are only being shown to scare you into purchasing the software. While the program is running you will also see advertisements for other rogue security products. In our testing the rogues that were advertised were Cleaner2009, Personal AntiSpy, and RegistryDoctor 2008. When you click on these advertisements, the advertised programs will automatically be downloaded using the bundled QuickInstallPack program.

Instead of purchasing this program, please use the free removal guide below to remove System Guard Center and any related programs.

Privacy Protection Suite

Privacy Protection Suite is a rogue privacy program that uses false web site advertising and exaggerated scan results in order to coerce you into purchasing their software. Privacy Protection Suite is advertised via web site pop-ups that state your computer has privacy risks. When you click on this pop-up you will be brought to a page that shows an advertisement pretending to be an online anti-malware scanner. When the advertisement has finished it will state that your computer is infected with a variety of malware and advise you to download Privacy Protection Suite in order to protect yourself.

XPY Burner

XpyBurner is a rogue anti-spyware program that is a clone of an earlier rogue named SpyBurner. XpyBurner is currently not advertised by any known means, but as was done with SpyBurner, we assume that it will be advertised through the use of Trojans. These Trojans will probably display fake security alerts from your Windows taskbar stating that you are infected and that you should download and install XpyBurner in order to protect yourself.

Once XpyBurner is installed it will start automatically when you boot your computer. When running, it will automatically scan your computer and then list a variety of infections that cannot be removed unless you first purchase the program. The infections found, though, are all fake and are only being shown to convince you that you are infected. This method of pretending that you’re infected when you’re not, so that you purchase their software, is a scam and should obviously be avoided.

System Tuner

System Tuner is a rogue system optimization program from the same developers as HDriveSweeper. This program pretends to be a system optimization utility that scans your computer for problems that may cause your computer to perform inefficiently. In reality, System Tuner will report problems on your computer regardless of whether any exist or not. As of now this rogue is not advertised through the use of Trojans, but its predecessors such as SystemSweeper were known to be involved in such behaviour. Therefore there is a good chance that this will happen with System Tuner as well.

When System Tuner is installed it will be configured to start up automatically due to an entry added to the Windows Registry. Once running, System Tuner will scan your computer and list a variety of performance issues with it. It does not, though, provide any detail as to what these issues are. In order to fix these issues you will first need to purchase the software, which I advise that you do not do. Instead, please use the removal guide listed below to remove System Tuner and any associated malware.

There are many more programs which do nothing on your computer but steal and give false alarms about virus existence. Their real purpose is only to push you to buy their software (sorry, my hand is tired from writing this, so I cut it here..).

HOW TO REMOVE THEM ALL

  1. Download Malwarebytes here
  2. Delete them using that program