Spyware and adware programs use many different methods to disguise
themselves. A fairly common disguise these days is to appear to
be an antispywar program. After installing a large bundle of spyware
and malware programs on a Clean PC, it is not uncommon to find that
there is an “antispyware” program installed as well.
Recently while browsing the internet on PC with a clean installation
of windows XP, I experienced a similar situation. The computer began
to run slower and I noticed a lot of hard drive access. Soon after
this an official looking icon appeared in the system tray. A popup
message showed up from there indicating that my machine may be infected:
This was followed by another similar message. Soon after this, I
noticed my desktop turned bright red. I minimized my windows. The
desktop had been hijacked to show an advertisement for “Raze
The problems continued. Without my performing any action, the PC
was making a lot of unsolicited network connections (pills-catalog.net,
188.8.131.52). The actual Raze Spyware program launched itself
and started performing a scan on my PC. It placed 2 more icons in
the system tray. Periodically it would launch a window with a message
indicating that an infection by the name of xxxdialer had been detected.
I opened a new internet browser and did some internet searches.
Not only was the default search hijacked, but when doing searches
on Google, the infection on my PC was hijacking that search as well.
The Google results page would display as usual, but the results
were not normal results, but links to sales pages etc. I quickly
isolated and saved all of the suspicious files that had been placed
on my test machine and restored a clean install of XP. Each file
has to be analyzed separately to find out which spyware or adware
infection is responsible for it. To my surprise, I found that the
behavior I had seen on my test PC was not the result of a bundle
of different infections. The desktop hijack, the default search
and search engine hijacks, the xxxdialer.exe file and the antispyware
program were all one infection. This rogue antispyware program had
planted the xxxdialer.exe file in order to be able to display a
message indicating that it had been detected. Registry keys had
been added to run this executable as well as two RazeSpyware detection
tools at startup:
"Universal Porn Dialer"="C:\WINDOWS\System32\xxxdialer.exe"
"RazeSpyware Monitor"="C:\Program Files\RazeSpyware\RazeSpyware_monitor.exe"
It also places quite a few files in the system32 folder. A couple
of the files are just duplicates of each other with different file
names. This is fairly common among malicious programs.
Directory of C:\WINDOWS\system32\
01/12/2006 13:35 a 29696 intxt.exe
01/12/2006 13:37 a 53760 mswinb32.dll
01/12/2006 13:37 a 53760 mswinb32.exe
01/12/2006 13:50 a 60928 mswinf32.dll
01/12/2006 13:50 a 60928 mswinf32.exe
01/12/2006 13:35 a 392 mswinup32.dll
01/12/2006 13:35 a 9119 mswinxml.dll
01/12/2006 13:35 a 154 page.htm
01/12/2006 13:41 a 2632122 r.exe
01/12/2006 13:35 a 41476 shell386.exe
01/12/2006 13:35 a 64000 winapi32.dll
01/12/2006 13:35 a 89 winlfl32.dll
01/12/2006 13:50 a 8192 xxxdialer.exe
The infection had rendered the computer virtually unusable. It
was impossible to perform internet searches. The extra programs
launched at startup were hogging most of the system resources and
slowing the computer to a crawl. After udating Spyware Nuker, I
performed a scan and was able to remove this infection. With RazeSpyware
and all of its registry keys and malicious files removed it was
like having a brand new PC again.