We found a new WinSpywareProtect binary in the wild today. It currently has a low (2/36 heuristic) detection rate at VirusTotal. We recommend not visiting the sites unless you know what you are doing. Proceed at your own risk.

Site: hxxp://win-xp-antivir-hqscanner.com/ | hxxp://download-soft-basez.com
File: antivirus.v.1.exe (A3CB3D1DD392E1DF079F263B9C653EE8)
VirusTotal: Result: 2/36 (5.56%)
MDB: /lithium-malware/antivirus.v.1.zip
This is a special post that will provide some knowledge on how to remove some of the rogue anti-malware software that has become an epidemic (Antivirus 2008, XP Antivirus, MS Antivirus, etc.). AV companies try their best to keep up to date with all the latest incarnations of this rogue software, but in some cases it can take weeks for your AV to detect these. This will show you how you can remove some of these with free utilities. These instructions may not be that easy for the novice user, but we tried to make it as simple as possible. I will say that this process may not work in EVERY case; however, most of the ones we’ve come across can be removed this way. Please be careful when attempting to remove this malware. You do not want to delete the wrong file. Try this at your own risk.
The tools used in this video are Process Explorer and Autoruns, both available for free from Sysinternals.
Process Explorer
Autoruns

Today we found a new site distributing WinSpywareProtect. The URL in question is hxxp://antivirus777.com, which is redirecting to a recently created domain, hxxp://antivir-online-scan.com/. Once you are on the site, it will “run” a scan on your computer and then tell you that it found malware and adult material. The file antivirus.v.1.0.exe only has a 5/36 detection ratio at VirusTotal at the time of the post, so be careful!

Removal: