Jump to content

Welcome to Geeks to Go
Geeks to Go Welcome
Create Account Login to Account
Photo

Removal instructions for XP Internet Security

- - - - -

  • Please log in to reply
5 replies to this topic

#1
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 32,305 posts
Content is republished with permission from Malwarebytes.

What is XP Internet Security?

The Malwarebytes research team has determined that XP Internet Security is a fake anti-malware application. These so-called "rogues" use intentional false positives to convince users that their systems have been compromised. Then they try to sell you their software, claiming it will remove these threats. In extreme cases the false threats are actually the very trojans that advertise or even directly install the rogue. You are strongly advised to follow our removal instructions below.

How do I know if I am infected with XP Internet Security?

This is how the main screen of the rogue application looks:

Posted Image

And see these warnings:

Posted Image

Posted Image

Posted Image

Posted Image

Posted Image

Posted Image

How did XP Internet Security get on my computer?

Rogue programs use different methods for spreading themselves. This particular one was installed by a trojan.

How do I remove XP Internet Security?

Our program Malwarebytes' Anti-Malware can detect and remove this rogue application.

Please follow the detailed instructions posted in the last post in this thread.

How would the full version of Malwarebytes' Anti-Malware help protect me?

We hope our application has helped you eradicate this malicious software. If your current security solution let this infection through, you might please consider purchasing the FULL version of Malwarebytes' Anti-Malware for additional protection.

As you can see below the full version of Malwarebytes' Anti-Malware would have protected you against the XP Internet Security rogue. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.

Posted Image

Posted Image

Technical details for experts

Signs in a HijackThis log:
C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe

Alterations made by the installer:
File System
  ===============
	In the existing folder C:\Documents and Settings\All Users\Application Data
	  Adds the file QJyrk5wvCU1"="21:14 17/03/10 1286 bytes
	In the existing folder C:\Documents and Settings\{username}\Local Settings\Application Data
	  Adds the file ave.exe"="21:13 17/03/10 200704 bytes
	  Adds the file QJyrk5wvCU1"="21:14 17/03/10 1286 bytes
	In the existing folder C:\Documents and Settings\{username}\Local Settings\Temp
	  Adds the file QJyrk5wvCU1"="21:14 17/03/10 1286 bytes
	In the existing folder C:\Documents and Settings\{username}\Templates
	  Adds the file QJyrk5wvCU1"="21:14 17/03/10 1286 bytes

  Registry
  ===============
	[HKEY_CLASSES_ROOT\secfile]
	  "Content Type"="'application/x-msdownload'"
	  "(Default)"="'Application'
	[HKEY_CLASSES_ROOT\secfile\shell\start\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"%1" %*'"
	[HKEY_CLASSES_ROOT\secfile\shell\runas\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"%1" %*'"
	[HKEY_CLASSES_ROOT\secfile\shell\open\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe" /START "%1" %*'"
	[HKEY_CLASSES_ROOT\secfile\DefaultIcon]
	  "(Default)"="'%1'"
	[HKEY_CLASSES_ROOT\.exe]
	  "(Default)"="'secfile'"
	[HKEY_CLASSES_ROOT\.exe\DefaultIcon]
	  "(Default)"="'%1'"
	[HKEY_CLASSES_ROOT\.exe\shell\start\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"%1" %*'"
	[HKEY_CLASSES_ROOT\.exe\shell\runas\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"%1" %*'"
	[HKEY_CLASSES_ROOT\.exe\shell\open\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe" /START "%1" %*'"
	[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
	  "(Default)"="C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
	[HKEY_CURRENT_USER\Software\Classes\.exe]
	  "Content Type"="'application/x-msdownload'"
	  "(Default)"="'secfile'"
	[HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"%1" %*'"
	[HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"%1" %*'"
	[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe" /START "%1" %*'"
	[HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon]
	  "(Default)"="'%1'"
	[HKEY_CURRENT_USER\Software\Classes\secfile]
	  "Content Type"="'application/x-msdownload'"
	  "(Default)"="'Application'"
	[HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"%1" %*'"
	[HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"%1" %*'"
	[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe" /START "%1" %*'"
	[HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon]
	  "(Default)"="'%1'"
	[HKEY_CURRENT_USER\Software\Microsoft\Windows]
	  "Identity"="1042655107"

Malwarebytes' Anti-Malware log:
Malwarebytes' Anti-Malware 1.44
Database version: 3877
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/17/2010 9:44:03 PM
mbam-log-2010-03-17 (21-44-03).txt

Scan type: Quick Scan
Objects scanned: 105479
Time elapsed: 3 minute(s), 1 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

As mentioned before the full version of Malwarebytes' Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
  • IP-blocks
  • Execution protection
Save yourself the hassle and get protected.

Edited by Metallica, 20 March 2010 - 12:40 PM.

  • 0

Advertisements


#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 32,305 posts
The malware described above uses several names and adapts to the Windows version in use. You can find other manifestations below.
The removal method is exactly the same.
To limit the number of screen-shots to download, you can view any of particular interest to you by using the links below.
Since they all look alike if you are using the same Windows version, we limited the total download by using this method.

Other manifestations of this malware

XP Defender Pro
Posted Image

XP Smart Security

XP AntiMalware

XP Security Tool 2010

Vista AntiMalware
Posted Image

Vista Defender Pro

Vista Internet Security

Total Vista Security

Win 7 AntiMalware 2010
Posted Image

Win 7 AntiMalware

Win 7 Defender

Antispyware Win 7

Win 7 Smart Security 2010
  • 0

#3
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 32,305 posts
Please download Malwarebytes' Anti-Malware from Here
If you are unable to do this from the infected computer diurectly, transfer the file from another computer.
Download the mbam-setup.exe to your desktop.

Now make sure extensions are shown. To do this, please look here
Then rename the mbam-setup.exe: Posted Image to mbam-setup.com: Posted Image
Then launch mbam-setup.com in order to install Malwarebytes' Anti-malware

Once Malwarebytes' Anti-Malware is installed, navigate to your Program Files\Malwarebytes' Anti-Malware folder and locate the mbam.exe in there:

Posted Image

rename it to mbam.com:

Posted Image

Now doubleclick mbam.com to launch Malwarebytes' Anti-malware.
  • Click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart, so please allow MBAM to restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
This should get rid of your problem as you see in the screenshot below:

Posted Image

You will be prompted to reboot the computer. Once this has been done, please rename mbam.com back to mbam.exe.
You'll see that it will be able to run again.
  • 0

#4
yocalif

yocalif

    New Member

  • Member
  • Pip
  • 1 posts
I was 1st infected with the XP Internet Security virus on Sun apr 4.
I was 2nd infected this past Sunday 4/11.

In both cases I used Malwarebytes to detect and clean.
In both cases a residual virus is left, and none of the virus detectors can find it.
(see symptoms below)


History
System is an XP Home Media,
For Anti Virus I run for resident protection Avast Free, Superantispyware Pro, and Malwarebytes has been used when either of the other two can't detect or clean a virus.

Per the symptoms when the virus first executes it locks up all exe including the AV programs.
I rebooted to Windows Safe Mode, found I still couldn't run any AV software, didn't read the thing about changing the malwarebytes.exe to .com until a few days ago. So I restored the system to 5 days earlier, and thus was able to run AV, from safe mode I first uninstalled and then reinstalled Malwarebytes and MB found the offending files and did a clean. I then reinstalled all AV and scanned with all each found something.
However there was a residual virus still in place (symptoms below).

Both infections were started when my son visited each sunday and got on the computer. And the XP Internet Security screens started appearing.

2nd infestation, I again rebooted to Safe Mode, this time uninstalled Malwarebytes and then used MB clean to clean up the install. Next I installed a latest copy + rules, still couldn't run, so changed the malwarebytes exe to .com. Ran malwarebytes it found the infestation Ave.exe and 10 other infections. Did the clean, and again have residual virus issues.

Residual Virus, is first detected by Avast,

13.04.2010 15:56:02 Network Shield: blocked access to malicious site [ C:\WINDOWS\system32\svchost.exe ]


Unfortunately I don't know what is triggering the svchost.exe or what site is trying to be accessed.

I have no clue what is triggering this, it happens at various times of day. If I do a boot scan with Avast it has found a few infections but not every time, after the above residual runs. Further I have scanned multiple times with Malwarebytes and SAS, with no results.

I need help to clean the remaining virus off my system.
  • 0

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Please go to the malware forum and follow the instructions at the top....Especially the CLICK HERE.

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty--and you may not be-- then post an OTListIt log in THAT forum.
  • 0

#6
lehua011

lehua011

    New Member

  • Member
  • Pip
  • 2 posts
advice removed

Edited by Artellos, 06 May 2010 - 02:55 PM.

  • 0




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

featured
Malware Removal How to Guides Windows 7 System Building Download Files Register welcome

Never used a forum? Learn how.