You Have a Security Problem

If you see the above message popping up on your system, you most certainly do. The creators of Antivirus 2008 have updated their system of delivering fraudulent and inaccurate alerts to users around the world, following up their 2008 money maker with Antivirus 2009:

We’ve been watching users get slammed by (and TF-protected from) another set of phony codec files, such as “codecpack.v.1.0.0.exe” or, once it has been downloaded, “codecpack.v.1.0.0[1].exe”. These files kick off the first of the inaccurate warnings like the ones above and download additional content. We’re seeing downloads and execution of “AV2009Install_77040502.exe”, leading to a slew of phony detections and messages. Don’t bother paying these guys to clean up your system. To persist on the system, the rogue typically cannot be removed through the standard Windows Add/Remove Programs control applet: there is no uninstall listing.
And don’t believe pop-up warnings like “Adult content traces found on your PC”. The rogue displayed the same adult-content warnings on our lab system, where no such content is present, listing links to adult sites that do not exist:

Update (8.16.2008): Bill Mullins provides his readers with some great cleanup advice, including SmitFraudFix. You might try SpywareDoctor’s cleanup capabilities too.

Update (8.19.2008): Researcher and consultant Dancho Danchev posts an exhaustive list of this group’s rogueware URLs in his “Diverse Portfolio” typo-squatting postings.
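As an added example (it is not part of the original post and not ThreatFire code), the following Python triage script applies the indicators named above, together with the file names readers report in the comments below, to a file inventory. It does not touch a live system: export a listing of recently created files from the affected profile (for example the output of `dir /s /tc`, or the image paths shown in Process Explorer), note the time the first fake alert appeared, and it ranks the entries worth inspecting with the reason each was flagged. The sample inventory and its timestamps are constructed; the two-hour window and the decision to treat `.tmp` files as executables are assumptions based on the comments, not facts from the post.

```python
"""Offline triage for a fake-codec / rogue-AV infection of the kind described above.

Feed it (path, created) pairs exported from the affected profile (e.g. `dir /s /tc`
output or a Process Explorer image-path listing) plus the time the first fake alert
appeared; it returns the entries worth a closer look with the reasons they were
flagged.  Nothing here reads the live file system or registry.
"""
import re
from datetime import datetime, timedelta

# File names taken from the post and its comments.  The patterns are deliberately a
# little wider than the exact names so that the next numbered build still matches.
KNOWN_NAMES = [
    (re.compile(r"^l?codec\S*\.exe$", re.I), "phony codec installer name"),
    (re.compile(r"^AV2009Install_\d+\.exe$", re.I), "rogue AV installer name"),
    (re.compile(r"^[a-z]\.exe$", re.I), "single-letter executable"),
    (re.compile(r"^~?[0-9a-f]{1,2}\.tmp(\.exe)?$", re.I), "hex .tmp name (7F.tmp / 7D.tmp.exe style)"),
    (re.compile(r"^~tmp[a-z0-9]+\.exe$", re.I), "~tmp* executable"),
    (re.compile(r"^xxx\d+\.exe$", re.I), "xxx<digits> executable"),
]
# Where the droppers in the comments were found (XP path, plus the Vista/7 equivalent).
USER_TEMP = re.compile(r"\\(Local Settings\\Temp|AppData\\Local\\Temp)\\", re.I)
# .tmp is included because the comments report .tmp files running as processes (assumption).
EXECUTABLE = re.compile(r"\.(exe|tmp|scr|dll)$", re.I)


def triage(inventory, first_alert, window_hours=2):
    """Return [(path, [reasons])], strongest candidates first.

    A known name is flagged wherever and whenever it was created; any executable
    written to the user's Temp folder within +/- window_hours of the first alert is
    flagged even if its name is unknown, since the droppers pick fresh names.
    """
    start = first_alert - timedelta(hours=window_hours)
    end = first_alert + timedelta(hours=window_hours)
    flagged = []
    for path, created in inventory:
        name = path.rsplit("\\", 1)[-1]
        reasons = [why for pattern, why in KNOWN_NAMES if pattern.match(name)]
        in_window = start <= created <= end
        if in_window and USER_TEMP.search(path) and EXECUTABLE.search(name):
            reasons.append("executable written to user Temp during incident window")
        elif in_window and reasons:
            reasons.append("created during incident window")
        if reasons:
            flagged.append((path, reasons))
    # More independent reasons first; ties broken by path so the output is stable.
    flagged.sort(key=lambda item: (-len(item[1]), item[0].lower()))
    return flagged


def flagged_names(inventory, first_alert, window_hours=2):
    """Convenience wrapper: just the base names, in triage order."""
    return [p.rsplit("\\", 1)[-1] for p, _ in triage(inventory, first_alert, window_hours)]


# Constructed sample inventory modelled on the names reported in the post and comments;
# the paths and timestamps are invented for illustration.
FIRST_ALERT = datetime(2008, 12, 10, 13, 35)
SAMPLE_INVENTORY = [
    (r"C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\A1B2C3D4\codecpack.v.1.0.0[1].exe",
     datetime(2008, 12, 10, 13, 31)),
    (r"C:\Documents and Settings\user\Local Settings\Temp\AV2009Install_77040502.exe", datetime(2008, 12, 10, 13, 33)),
    (r"C:\Documents and Settings\user\Local Settings\Temp\a.exe", datetime(2008, 12, 10, 13, 34)),
    (r"C:\Documents and Settings\user\Local Settings\Temp\7D.tmp.exe", datetime(2008, 12, 10, 13, 34)),
    (r"C:\Documents and Settings\user\Local Settings\Temp\~DF3A2B.tmp", datetime(2008, 12, 10, 13, 40)),  # probably a benign Office lock file
    (r"C:\WINDOWS\system32\notepad.exe", datetime(2004, 8, 4, 12, 0)),
    (r"C:\Program Files\Mozilla Firefox\firefox.exe", datetime(2008, 11, 20, 9, 15)),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_INVENTORY, FIRST_ALERT):
        print(f"{path}\n    {'; '.join(reasons)}")
```

The time-window heuristic is noisy on its own (the `~DF3A2B.tmp` entry in the sample is flagged only because it landed in Temp during the window), so the ranking puts entries that also carry a name match first. Treat the output as a list of files to look at, not a list of files to delete: check the process that owns each one, its digital signature, and its creation time before removing anything.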


14 Responses to You Have a Security Problem

  1. Saurav says:

    I hit the same issue today. Generally my laptop is clean because I have a pretty good anti-virus installed.

    Anyway, I couldn’t wait for the full scan to complete. Started googling.

    I actually started inspecting the processes running, using Process Explorer.

    Found the following processes to be fishy: 7F.tmp and 7D.tmp.exe. Did some research online. Moved them to a different directory and restarted my machine. And the icon on the task bar was gone. Stopped getting the popups.

    Anyway, this solved the problem. Now I will do an overnight scan anyway to confirm it.

  2. ThreatFire Blogger says:

    Hey Saurav-

    Thanks for your comment. Unfortunately, we’ve seen that same filename (7.tmp) used by a zbot variant recently, which can have some pretty bad implications. Be sure to scan your system, and look for any directories with “wsnpoem” in them.
    Hopefully, 7.tmp really is just a temp file used by the downloader/fakealert on your system.

    Thanks again!

  3. saberfox says:

    I’d like to know, if possible, what measures the research team has in mind against these types of threats. From what I’ve seen these trojans often exhibit very little in terms of behavior, leaving very little traces for a behavior blocker like TF to detect.


  4. blkhwk884 says:

    I gave both “Malwarebytes” and “SUPERAntiSpyware” a try. Both detected and logged antispyware 2008 under threats, but after completing the quarantine and restart process, failed to get rid of the popups. I did find an entry in my browser history tagged as “LcodePlus.v.1.0.20081.exe.” It is located right in the time slot where I picked this thing up. Its redirect website is “http://soft-upgrade-network.com/LcodecPlus.v.1.0.20081.exe.” A search on the computer did not turn up anything under that. Does anyone have any further suggestions? Unfortunately, I am not very skilled in computer files, logs, and registry use and am very reluctant to make changes by deleting anything. Thanks, John

  5. aSstHa says:

    I had the same issue before and managed to completely remove the darn thing…

    but it’s popped up again today and I really don’t know what to do… sometimes they ask me to install Antivirus 2009… and sometimes another name like PersonalAntiSpy, etc.

    Please help… it’s annoying and I can’t get any work done. Thanks.

  6. Vicente says:

    Go to start>run>msconfig>startup>uncheck a startup item called just "a".
    The red icon should not appear anymore.


  7. jabs sita kzn says:

    I think you should try start-run-msconfig-startup and uncheck the “a”. The security message disappeared.
    Thanks, regards


  8. lucky says:

    I do not know that much about computers but I tried the example that Vicente posted and when I ran msconfig it stated that it could not find the file. Any other suggestions?

  9. fremmy says:

    This is something I found that got rid of the problem; hope it will help as much as it helped me. Pay attention to how to find the file and how to delete it. Oh, by the way, if you also have a file under the name xxx8227 you should also delete it the same way you deleted xxx41.

    xxx41.exe is a malware-associated executable file. Legitimate executable files are used to launch programs in Windows. Malware-associated executable files are automatically run from registry autorun locations and the Windows startup folder to execute malicious code.

    Location of xxx41.exe and Associated Malware
    Check whether xxx41.exe is present in the following locations:

    C:\Documents and Settings\UserName\Local Settings\Temp\xxx41.exe
    If you find xxx41.exe in these locations, your computer is very likely to be infected with the following malware:


    You can check if xxx41.exe is associated with the malware listed above by running a free scan in Exterminate It!.
    You can easily remove all the files listed above with Exterminate It!.
    IMPORTANT: Malware files can be camouflaged with the same file names as legitimate files. The xxx41.exe file is associated with malware only if found in the locations listed above.

    Why Is It Important to Remove Malware Files?
    It is imperative that you delete malware-associated files as soon as possible because they can be used – or are already being used – to inflict serious damage on your PC, including:

    Disrupting the normal functioning of the operating system or rendering it completely useless.
    Hijacking valuable private information (credit card numbers, passwords, PIN codes, etc.)
    Directing all your Web searches to the same unwanted or malicious sites.
    Dramatically slowing down your computer.
    Gaining total control of your PC to spread viruses and trojans and send out spam.

    How to Remove xxx41.exe
    To enable deleting the xxx41.exe file, terminate the associated process in the Task Manager as follows:
    Right-click in the Windows taskbar (a bar that appears along the bottom of the Windows screen) and select Task Manager on the menu.
    In the Task Manager window, click the Processes tab.
    On the Processes tab, select xxx41.exe and click End Process.
    Using your file explorer, browse to the file using the paths listed in Location of xxx41.exe and Associated Malware.
    Select the file and press SHIFT+Delete on the keyboard.
    Click Yes in the confirm deletion dialog box.
    Repeat steps 2-4 for each location listed in Location of xxx41.exe and Associated Malware.

    The deletion of xxx41.exe will fail if it is locked; that is, it is in use by some application (Windows will display a corresponding message). For instructions on deleting locked files, see Deleting Locked Files.
    The deletion of xxx41.exe will fail if your Windows uses the NT File System (NTFS) and you have no write rights for the file. Request your system administrator to grant you write rights for the file.
    Delete xxx41.exe Automatically.

    Deleting Locked Files
    You can delete locked files with the RemoveOnReboot utility. You can install the RemoveOnReboot utility from here.

    After you delete a locked file, you need to delete all the references to the file in Windows registry.

    To delete a locked file:

    Right-click on the file and select Send To -> Remove on Next Reboot on the menu.
    Restart your computer.
    The file will be deleted on restart.

    Note: In the case of complex viruses that can replicate themselves, malware files can reappear in the same locations even after you have deleted those files and restarted your computer. Exterminate It! can effectively eradicate such viruses from your computer.

    To remove all registry references to a malware file:

    On the Windows Start menu, click Run.
    In the Open box, type regedit and click OK. The Registry Editor window opens.
    On the Edit menu, select Find.
    In the Find dialog box, type FILENAME. The name of the first found registry value referencing xxx41.exe is highlighted in the right pane of the Registry Editor window.
    Right-click the registry value name and select Delete on the menu.
    Click Yes in the Confirm Value Delete dialog box.
    To delete all other references to xxx41.exe, repeat steps 4-6.
    IMPORTANT: Malware files can masquerade as legitimate files by using the same file names. To avoid deleting a harmless file, ensure that the Value column for the registry value displays exactly one of the paths listed in Location of xxx41.exe and Associated Malware

  10. Matic says:

    I had the same problem. I went into my temp folder… c:/documents and settings/user/local settings/temp

    There I looked at every file that was created on the day the messages started to appear; in my case that was 10 December 2008, 13:35.

    There were a lot of these files, like: a, b, c, d, e, f, … and they were all .exe files.

    I deleted them all. I even had to kill some processes in Task Manager. Success, it worked.
    Just look for strange names of folders and delete them.

  11. The Black Lotus says:

    I got the problem last night around 9pm. Driving me nuts. Since I’ve had McAfee, I really haven’t had to worry about viruses and such on my computer. I’m a little computer savvy, but not enough to try and follow some of these rather complicated methods for deleting this thing. It is gone, so far. And seemed to be rather simple.

    I opened my task manager, and selected the “processes” tab. Right at the very top was a process that was open which was ~tmpb.exe . I didn’t want to go deleting things that I didn’t know what they were. So, I went to start and Search. I typed in the file name, and it came up under “documents and settings” like a previous post mentioned. I right clicked on it, and found that it was “created” right when all this B.S. started. So, I “ended the process” in the task manager. And then right click and “deleted” it from the search result. SO far it has worked. It took the icon away instantly. If it comes back, I’ll probably go look for another file just the same. Good luck.

  12. The Black Lotus says:

    Yeah, it came back. Is there any way in the world to get some program to remove these things for free? What good is a “free scan” if you have to pay for them to be removed. I will not pay for one of them programs, whether someone swears it works or not. I just won’t. But, manually, just really isn’t gonna work, plus will take SO long. I’d love it if there was actually a way to just get rid of this stupid thing.

  13. The Black Lotus says:

    Yay! I did it. It was very easy. I typed in the name of this file that kept showing back up every time I restarted my computer, and googled it. I found this site Prvx.com which was another one of those stupid free scan things. They claimed they’d clean your computer too. But it never is free. So, when it’s all done scanning, it did indeed find three files that have been buggin’ around on my computer. Then, since you can’t really copy and paste, I opened notepad and literally typed out the complete file names.

    Then I copy and pasted what I typed into the search on my computer, found them really fast, and erased them. All three of them.

    Restarted my computer, and no trace of this thing. So, finally, it’s gone. Hopefully it stays that way. My computer’s MUCH faster again. Yay!!

  14. Garvz_B says:

    I’m not great with computers but I got this advice from McAfee senior support. It’s really easy with their instructions and the download is free. I used the 1st download and it’s really easy:

    Download Malwarebytes’ Anti-Malware and save it to your desktop.

    Make sure you are connected to the Internet.
    Double-click on Download_mbam-setup.exe to install the application.
    When the installation begins, follow the prompts and do not make any changes to default settings.
    When installation has finished, make sure you leave both of these checked:
    Update Malwarebytes’ Anti-Malware
    Launch Malwarebytes’ Anti-Malware
    Then click Finish. MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.

    On the Scanner tab:
    Make sure the “Perform Quick Scan” option is selected. Then click on the Scan button.
    The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button. The scan will begin and “Scan in progress” will show at the top. It may take some time to complete so please be patient. When the scan is finished, a message box will say “The scan completed successfully. Click ‘Show Results’ to display all objects found”.
    Click OK to close the message box and continue with the removal process. Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found. Make sure that everything is checked, and click Remove Selected. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below) The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
    If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
