Spyware and adware programs use many different methods to disguise
themselves. A fairly common disguise these days is to appear to
be an antispyware program. After installing a large bundle of spyware
and malware programs on a clean PC, it is not uncommon to find that
there is an “antispyware” program installed as well.
Recently, while browsing the internet on a PC with a clean installation
of Windows XP, I experienced a similar situation. The computer began
to run slower and I noticed a lot of hard drive access. Soon after
this an official looking icon appeared in the system tray. A popup
message showed up from there indicating that my machine may be infected:

This was followed by another similar message. Soon after this, I
noticed my desktop turned bright red. I minimized my windows. The
desktop had been hijacked to show an advertisement for “Raze
Spyware”.
The problems continued. Without my performing any action, the PC
was making a lot of unsolicited network connections (pills-catalog.net,
razespyware.net, 195.225.177.33,
69.50.167.162). The actual Raze Spyware program launched itself
and started performing a scan on my PC. It placed two more icons in
the system tray. Periodically it would launch a window with a message
indicating that an infection by the name of xxxdialer had been detected.
I opened a new internet browser and did some internet searches.
Not only was the default search hijacked, but when doing searches
on Google, the infection on my PC was hijacking that search as well.
The Google results page would display as usual, but the results
were not normal results, but links to sales pages etc. I quickly
isolated and saved all of the suspicious files that had been placed
on my test machine and restored a clean install of XP. Each file
has to be analyzed separately to find out which spyware or adware
infection is responsible for it. To my surprise, I found that the
behavior I had seen on my test PC was not the result of a bundle
of different infections. The desktop hijack, the default search
and search engine hijacks, the xxxdialer.exe file and the antispyware
program were all one infection. This rogue antispyware program had
planted the xxxdialer.exe file in order to be able to display a
message indicating that it had been detected. Registry keys had
been added to run this executable as well as two RazeSpyware detection
tools at startup:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Universal Porn Dialer"="C:\WINDOWS\System32\xxxdialer.exe"
[HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run]
"RazeSpyware"="C:\Program Files\RazeSpyware\RazeSpyware.exe"
"RazeSpyware Monitor"="C:\Program Files\RazeSpyware\RazeSpyware_monitor.exe"
It also places quite a few files in the system32 folder. A couple
of the files are just duplicates of each other with different file
names (note the matching sizes of the mswinb32 and mswinf32 .dll/.exe
pairs in the listing below). This is fairly common among malicious programs.
Directory of C:\WINDOWS\system32\
01/12/2006 13:35 a 29696 intxt.exe
01/12/2006 13:37 a 53760 mswinb32.dll
01/12/2006 13:37 a 53760 mswinb32.exe
01/12/2006 13:50 a 60928 mswinf32.dll
01/12/2006 13:50 a 60928 mswinf32.exe
01/12/2006 13:35 a 392 mswinup32.dll
01/12/2006 13:35 a 9119 mswinxml.dll
01/12/2006 13:35 a 154 page.htm
01/12/2006 13:41 a 2632122 r.exe
01/12/2006 13:35 a 41476 shell386.exe
01/12/2006 13:35 a 64000 winapi32.dll
01/12/2006 13:35 a 89 winlfl32.dll
01/12/2006 13:50 a 8192 xxxdialer.exe
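As an added example (not the author's tool or Spyware Nuker's logic), the following Python reproduces the two checks a triage of the isolated files would run: it parses the Run-key export above (copied here as a constructed string) into a list of startup commands, and hashes every file in a folder to group identical binaries stored under different names. The folder is a constructed temporary directory standing in for the saved system32 files.

```python
import hashlib, os, re, tempfile
from collections import defaultdict

# Constructed copy of the Run entries shown in the post, in .reg export style.
RUN_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Universal Porn Dialer"="C:\WINDOWS\System32\xxxdialer.exe"
[HKEY_USERS\*\Software\Microsoft\Windows\CurrentVersion\Run]
"RazeSpyware"="C:\Program Files\RazeSpyware\RazeSpyware.exe"
"RazeSpyware Monitor"="C:\Program Files\RazeSpyware\RazeSpyware_monitor.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.+)"$')

def parse_run_entries(text):
    """Return (key, value name, command) triples for every Run value in the export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            entries.append((key, m.group(1), m.group(2)))
    return entries

def find_duplicate_files(directory):
    """Group files by SHA-256 so one binary dropped under several names stands out."""
    groups = defaultdict(list)
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, 'rb') as f:
                groups[hashlib.sha256(f.read()).hexdigest()].append(name)
    return [names for names in groups.values() if len(names) > 1]

def demo():
    """Run both checks on a constructed folder standing in for the saved system32 files."""
    with tempfile.TemporaryDirectory() as d:
        body = b'MZ' + b'\x00' * 100  # stand-in for the duplicated mswinb32 binary
        files = [('mswinb32.dll', body), ('mswinb32.exe', body),
                 ('xxxdialer.exe', b'MZ' + b'\x01' * 50)]
        for name, data in files:
            with open(os.path.join(d, name), 'wb') as f:
                f.write(data)
        return parse_run_entries(RUN_EXPORT), find_duplicate_files(d)
```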
The infection had rendered the computer virtually unusable. It
was impossible to perform internet searches. The extra programs
launched at startup were hogging most of the system resources and
slowing the computer to a crawl. After updating Spyware Nuker, I
performed a scan and was able to remove this infection. With RazeSpyware
and all of its registry keys and malicious files removed it was
like having a brand new PC again.