Removing XP Home Security 2011 / 2012 malware
NOTE: This malware comes under many similar names, they pretty much all do the same thing, some marginally worse than others. Removal is easy and straight-forward either way.
EDIT: Added XP Home Security 2012 updated info. The newer ones are getting more and more clever at hiding!
Unfortunately I’m still not sure where this sneaky bugger originates from, but I’m pretty sure that it could be avoided by using a decent browser such as Chrome or Firefox. So far everybody I know of who’s been infected has been using Internet Explorer, and I’ve seen about 30 infections at the time of updating this to include info on the 2012 ‘edition’. (June 2011)
That said, it’s not too difficult to remove the XP Home Security 2011 fake antivirus software.
If you’re getting popups like this:
Then congrats, you’re infected.
Thankfully, the current editions don’t do any key logging at all (From what I can tell), they’re just horribly annoying and bug you for your credit card details etc.
Whatever you do, don’t pay for it!
NOTE: Before we begin, grab this: exefix_xp.com - It will restore the file association for EXE files, which this software likes to hijack, amongst other things. Ideally save this to your Desktop so it’s easy for you to double-click without having to fire up Windows Explorer to navigate to it.
First things first, you need to kill it off. You may or may not need to be in safe mode when you do this, I’ve had good success without needing to be in Safe Mode. I’d *strongly* suggest that all other applications are closed though.
The easiest way to kill it is to press Ctrl + Shift + Esc to bring up Task Manager.
Under the Applications tab, right-click on the fake security software and choose “Go To Process”. The process that gets highlighted is the file name of the culprit. Write the name down on some paper, then right-click on it and choose “End Process”.
Now, run the aforementioned EXE Fix.
Then, click Start –> Run –> Regedit (And click OK)
If you’re running Vista or Windows 7, just click Start, type “regedit” and hit Enter
NOTE: If the malware fires up when you launch Registry Editor, then simply kill it using Task Manager and re-run the EXE fix (as it will have already changed the associations AGAIN. Annoying huh?).
Now, you want to go through these places:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
You’ll find something that looks a little bit like this:
Delete those entries that match the name of the malware, with the exception of the last IEXPLORE.EXE entry (Which tells Windows what to do when you want to load Internet Explorer). Simply clear the extra malware guff from the beginning so that it looks like this:
C:\Program Files\Internet Explorer\iexplore.exe
Now you need to search your HDD using Windows Search, including hidden and system folders, for that file.
When you find it, just right-click on it and delete it.
It’s also worth checking to make sure that it hasn’t set itself up as a proxy. In Internet Explorer, you can go into your Internet Options –> Connections tab –> LAN Settings. Make sure that “Use a proxy server for your LAN” is unticked.
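As an added example (not part of the original post), here is a read-only PowerShell audit of the registry locations walked through above: the four Run/RunOnce keys, the Internet Explorer launch command, the EXE file association that the EXE fix restores, and the proxy setting. It assumes the default Internet Explorer install path and the stock `"%1" %*` EXE association value; it changes nothing, so you still delete the flagged entries by hand as described.

```powershell
# Added audit script, not the post's own tooling. Read-only: it lists autorun
# entries and flags values that differ from the stock Windows settings.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Dump every autorun value so a random-looking name (e.g. "hOh16...") stands out.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
        "{0}\{1} = {2}" -f $key, $p.Name, $p.Value
    }
}

# 2. The IE launch command should be just the iexplore.exe path (quoted or not).
#    Anything prepended to it is the hijack the post describes.
#    Assumption: default install path under %ProgramFiles%.
$ieKey  = 'HKLM:\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
$iePath = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
if (Test-Path $ieKey) {
    $cmd = (Get-ItemProperty -Path $ieKey).'(default)'
    if ($cmd.Trim('"') -ieq $iePath) { "IE launch command looks clean: $cmd" }
    else { "WARNING: IE launch command has been altered: $cmd" }
}

# 3. EXE file association. Stock value is "%1" %* (assumed here); the fake AV
#    rewrites this so that every .exe you start launches it first.
$exeKey = 'HKLM:\Software\Classes\exefile\shell\open\command'
$exeCmd = (Get-ItemProperty -Path $exeKey).'(default)'
if ($exeCmd -eq '"%1" %*') { "EXE association is stock." }
else { "WARNING: EXE association hijacked: $exeCmd (run the EXE fix)" }

# 4. The proxy check from the post: ProxyEnable=1 means "Use a proxy server" is ticked.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { "WARNING: proxy enabled, pointing at: $($inet.ProxyServer)" }
else { "No proxy configured." }
```

Run it from an elevated PowerShell prompt; on XP it needs PowerShell 2.0 installed, on Vista and Windows 7 it is already present.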
If this has been of any help to you, or you’ve found another way of doing things that I haven’t, please let me know in the comments.
Cheers
Chill.
Pictures below:
EDIT 20110808: I’ve been given this link. If you’re *still* having issues after following this, there are a few more recommended places in the registry you can try, details here: http://www.best-anti-spyware.com/anti-malware/win-7-security-2012-fake-security-app-used-by-hackers-to-extract-money-from-pc/
Trying to remove this from my son’s computer – in the registry, is it the “hOh16…” or similar gobbledegook entry that I need to remove?
Mick
Yup, that’s the one! You can also look at the path to it and go manually delete it if you want. To be honest though, if you remove the registry entry, it ain’t gonna “magically” fire up again and start infecting you, so it’s neither here nor there if you do delete it or don’t.
Just delete that registry key, restart, and you’re good to go!
YOU’RE A TROOPER!!! Thank you so much
Happy to help 🙂
A slightly different way is to use FixNCR.reg and another program (I don’t remember the real name, but the fake name is explorer.exe, so as not to get unwanted attention from the malware), and finally Malwarebytes, to be run from Safe Mode. It worked all 3 times.