Sunday, October 5, 2008

"Antispyware-review.biz" Scareware Removal

It started last Friday, when my notebook computer would randomly pop up Windows Security Alert messages about trojan spyware.


Figure 1 - Scareware pop-up message masquerading as a legitimate Windows Security Alert, with a warning about "Trojan-Clicker.Win32.Tiny.h"


Figure 2 - Scareware pop-up message masquerading as a legitimate Windows Security Alert, with a warning about "Trojan-Spy.HTML.Bankfraud.dq"


Figure 3 - Scareware pop-up message masquerading as a legitimate Windows Security Alert, with a warning about "Trojan-Spy.Win32.GreenScreen"


Figure 4 - Scareware pop-up message masquerading as a legitimate Windows Security Alert, with a warning about "Trojan-Spy.Win32.KeyLogger.aa"

At first glance, these messages appeared legitimate, with technical information and a graphical interface consistent with most Microsoft Windows dialogs.

However, when the "Enable Protection" button is clicked, it hijacks the user's web browser and sends it to a website, www.antispyware-review.biz, which sells the rogue software PC Antispy & PC Clean Pro.


Figure 5 - www.antispyware-review.com sells rogue software PC Antispy & PC Clean Pro


Removal:

In this case, there were three new startup processes in the registry "HKCU:run" which I had never seen before, nor could I find any information on them:


Figure 6 - "apien", "O94r7l940x", & "enwin" are spyware entries lingering in the registry as automatic startup items

With help from CCleaner, I was able to remove these registry entries and prevent them from starting. Additionally, I used Spybot Search & Destroy to scan & immunize the system.
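
The same startup check can be done without third-party tools. The PowerShell below is an added example, not part of the original post: it lists every value in the per-user Run key, resolves the executable each one launches, and reports whether that file exists and how its Authenticode signature verifies. It assumes "HKCU:run" above refers to HKCU:\Software\Microsoft\Windows\CurrentVersion\Run; the function name Get-RunKeyEntry is hypothetical.

```powershell
# Added example: audit the per-user Run key for unfamiliar startup entries.
# Assumption: "HKCU:run" in the post is this key.
$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Value names reported in the post (Figure 6); used only to highlight matches.
$ReportedNames = @('apien', 'O94r7l940x', 'enwin')

function Get-RunKeyEntry {
    param([string]$Path = $RunKey)

    $key = Get-Item -Path $Path -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $command = [string]$key.GetValue($name)

        # Extract the executable: quoted path, else text up to ".exe", else first token.
        if     ($command -match '^\s*"([^"]+)"')      { $exe = $Matches[1] }
        elseif ($command -match '^\s*(.+?\.exe)\b')   { $exe = $Matches[1] }
        else   { $exe = ($command.Trim() -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        # A missing or unsigned target is a reason to look closer, not proof of malware.
        $exists = [bool]$exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
        $signature = if ($exists) {
            (Get-AuthenticodeSignature -LiteralPath $exe).Status
        } else {
            'FileMissing'
        }

        [pscustomobject]@{
            Name           = $name
            Command        = $command
            Executable     = $exe
            Signature      = $signature
            ReportedInPost = $ReportedNames -contains $name
        }
    }
}

Get-RunKeyEntry | Format-List

# Removal of a confirmed rogue value. -WhatIf previews the change;
# drop it only after backing up the key (for example with reg.exe export).
Get-RunKeyEntry | Where-Object ReportedInPost | ForEach-Object {
    Remove-ItemProperty -Path $RunKey -Name $_.Name -WhatIf
}
```

Deleting the Run value only stops the program from starting at logon; the file named in the Executable column stays on disk and still needs to be removed or scanned.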