This site is distributing a rogue (“fake”) anti-malware product. Do not visit the site, pay for the product, or download the software described below.
File: eAntivirusProInstaller.exe
Site: hxxp://eantivirus-payments.com
File size: 2006502 bytes
MD5…: 8c396fbdacce214de2e86354a77350d2
SHA1..: dba514af18c0ed0b190f16f8b9da2d137f47a219
SHA256: b59e1e75d9647357e686f077470054688d2b130e08dfc7ab9763ae22b83b2109
SHA512: 5b30016234a2e96088192568d2b623a8bf5b2d8d1c6c2c4a460af313ae8369c3542528b8a69abe51f62c82493e953b7c010f064fff23508a033b39d595526f39
Creates:
- %CommonPrograms%\eAntivirusPro
- %AppData%\whcc5dj0erc1
- %ProgramFiles%\whcc5dj0erc1
- %AppData%\whcc5dj0erc1\Quarantine
- %AppData%\whcc5dj0erc1\Quarantine\Autorun
- %AppData%\whcc5dj0erc1\Quarantine\Autorun\HKCU
- %AppData%\whcc5dj0erc1\Quarantine\Autorun\HKCU\RunOnce
- %AppData%\whcc5dj0erc1\Quarantine\Autorun\HKLM
- %AppData%\whcc5dj0erc1\Quarantine\Autorun\HKLM\RunOnce
- %AppData%\whcc5dj0erc1\Quarantine\Autorun\StartMenuAllUsers
- %AppData%\whcc5dj0erc1\Quarantine\Autorun\StartMenuCurrentUser
- %AppData%\whcc5dj0erc1\Quarantine\BrowserObjects
- %AppData%\whcc5dj0erc1\Quarantine\Packages
Visible Processes:
whcc5dj0erc1.exe %ProgramFiles%\whcc5dj0erc1\whcc5dj0erc1.exe 12,242,944 bytes
Hidden Processes:
pphc35dj0erc1.e 110,592 bytes
Registry Modifications:
- The following Registry Keys were created:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\whcc5dj0erc1
- HKEY_LOCAL_MACHINE\SOFTWARE\whcc5dj0erc1
- HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host
- HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
- The newly created Registry Values are:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
- rhc75dj0erc1 = 5D DA D0 48
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
- eAntivirusPro = “eAntivirusPro”
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- SMwhcc5dj0erc1 = “%ProgramFiles%\whcc5dj0erc1\whcc5dj0erc1.exe” (so that whcc5dj0erc1.exe runs every time Windows starts)
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\whcc5dj0erc1]
- DisplayName = “eAntivirusPro”
- UninstallString = “"%ProgramFiles%\whcc5dj0erc1\uninstall.exe"”
- [HKEY_LOCAL_MACHINE\SOFTWARE\whcc5dj0erc1]
- BuyUrl = “73D5DE49682F7BBE66152CF560A7F15AD41F5D634258A92ED6446D11E601A4D599B76A2DA60345982326DB8CE829FDB262BD60B9044C704E”
- BuyDiscUrl = “E1CB91E47B5E05E6766AFCAC8EA2CC2AD41F5D634258A92ED6446D11E601A4D599B76A2DA60345982326DB8CE829FDB262BD60AB04472109426E88B897”
- domain = “A67808E58B33E04B4C27F4EC7AB34B3AD90A47671101EF2BD4406E04E616BDD981AA6B76B64158”
- ADVid = “”
- (Default) = “%ProgramFiles%\whcc5dj0erc1”
- InstallDir = “%ProgramFiles%\whcc5dj0erc1”
- SoftID = “eAntivirusPro”
- DatabaseVersion = “2.1”
- ProgramVersion = “2.1”
- EngineVersion = “2.1”
- GuiVersion = “2.1”
- ProxyName = “”
- ProxyPort = 0x00000000
- ScanPriority = 0x00000001
- DaysInterval = 0x00000007
- ScanDepth = 0x00000002
- ScanSystemOnStartup = 0x00000001
- AutomaticallyUpdates = 0x00000001
- MinimizeOnStart = 0x00000000
- BackgroundScan = 0x00000001
- BackgroundScanTimeout = 0x00000001
- LastTimeStamp = 0x0000011F
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
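The indicators above translate directly into a host check. The PowerShell script below is an added example, not part of the original report and not code from the rogue product; it looks for the Run value, the product and Uninstall keys, the Post Platform user-agent token, the directories and the process named above, and optionally hashes a captured copy of the installer against the SHA256 listed. Two assumptions that the page does not state: the three component names seen here (whcc5dj0erc1, rhc75dj0erc1, pphc35dj0erc1) share the suffix 5dj0erc1, so the script treats any name ending in that suffix as a component of the same install; and a 32-bit installer on 64-bit Windows places files under Program Files (x86) and keys under Wow6432Node, so both views are checked.

```powershell
# Added example (not from the original report): checks a Windows host for the
# eAntivirusPro indicators listed above. Run from an elevated PowerShell 4+ prompt.
# Assumptions not stated on the page: components share the suffix "5dj0erc1",
# and a 32-bit install on 64-bit Windows lands in Program Files (x86)/Wow6432Node.

param(
    # Optional: path to a downloaded copy of eAntivirusProInstaller.exe to hash.
    [string]$InstallerPath
)

$knownSha256 = 'b59e1e75d9647357e686f077470054688d2b130e08dfc7ab9763ae22b83b2109'
$suffix      = '5dj0erc1'             # seen in whcc5dj0erc1, rhc75dj0erc1, pphc35dj0erc1
$namePattern = "^[a-z]+\d?$suffix$"   # assumption: other components reuse the suffix
$findings    = New-Object System.Collections.Generic.List[string]

function Add-Finding([string]$Text) { $script:findings.Add($Text) }

# 1. Autorun: HKLM\...\Run value SMwhcc5dj0erc1 (or any SM<random>5dj0erc1 value)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match "^SM[a-z]+\d?$suffix$") {
            Add-Finding "Run value $key\$($p.Name) = $($p.Value)"
        }
    }
}

# 2. Product key HKLM\SOFTWARE\<name>, Uninstall entry, and the Post Platform token
$softwareRoots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node')
foreach ($root in $softwareRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $namePattern } |
        ForEach-Object { Add-Finding "Product key $($_.Name)" }

    Get-ChildItem -Path "$root\Microsoft\Windows\CurrentVersion\Uninstall" -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $namePattern -or
                       (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).DisplayName -eq 'eAntivirusPro' } |
        ForEach-Object { Add-Finding "Uninstall entry $($_.Name)" }

    $pp = Get-ItemProperty -Path "$root\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform" -ErrorAction SilentlyContinue
    if ($pp -and ($pp.PSObject.Properties.Name -contains 'eAntivirusPro')) {
        Add-Finding "User-Agent Post Platform token 'eAntivirusPro' under $root"
    }
}

# 3. Directories: %ProgramFiles%\<name>, %AppData%\<name>, %CommonPrograms%\eAntivirusPro
$dirRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:APPDATA) | Where-Object { $_ }
foreach ($root in $dirRoots) {
    Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $namePattern } |
        ForEach-Object { Add-Finding "Directory $($_.FullName)" }
}
$startMenu = Join-Path ([Environment]::GetFolderPath('CommonPrograms')) 'eAntivirusPro'
if (Test-Path $startMenu) { Add-Finding "Start Menu folder $startMenu" }

# 4. Running process (the visible one; the hidden component may not appear here)
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -match $namePattern } |
    ForEach-Object { Add-Finding "Process $($_.ProcessName) (PID $($_.Id)) $($_.Path)" }

# 5. Optional: confirm a captured installer is the sample described in the report
if ($InstallerPath -and (Test-Path $InstallerPath)) {
    $h = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
    if ($h -ieq $knownSha256) { Add-Finding "Installer $InstallerPath matches SHA256 $knownSha256" }
}

if ($findings.Count -eq 0) { 'No eAntivirusPro indicators found.' }
else { 'Indicators found:'; $findings | ForEach-Object { " - $_" } }
```

Usage: `.\Check-eAntivirusPro.ps1` (or with `-InstallerPath C:\samples\eAntivirusProInstaller.exe` to hash a captured copy). A clean result from the live system is not conclusive: the report lists a hidden process, so one component is concealing itself from the running OS, and Get-Process or the registry cmdlets may not see everything. Confirm by examining the disk and registry hives from offline media, and treat a hit on the Run value or the %ProgramFiles%\whcc5dj0erc1 directory as sufficient to proceed with remediation.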