5 replies to this topic

[Metallica]

Content is republished with permission from Malwarebytes.

What is XP Internet Security?

The Malwarebytes research team has determined that XP Internet Security is a fake anti-malware application. These so-called "rogues" use intentional false positives to convince users that their systems have been compromised. Then they try to sell you their software, claiming it will remove these threats. In extreme cases the false threats are actually the very trojans that advertise or even directly install the rogue. You are strongly advised to follow our removal instructions below.

How do I know if I am infected with XP Internet Security?

This is how the main screen of the rogue application looks:



And see these warnings:













How did XP Internet Security get on my computer?

Rogue programs use different methods for spreading themselves. This particular one was installed by a trojan.

How do I remove XP Internet Security?

Our program Malwarebytes' Anti-Malware can detect and remove this rogue application.

Please follow the detailed instructions posted in the last post in this thread.

How would the full version of Malwarebytes' Anti-Malware help protect me?

We hope our application has helped you eradicate this malicious software. If your current security solution let this infection through, you might please consider purchasing the FULL version of Malwarebytes' Anti-Malware for additional protection.

As you can see below the full version of Malwarebytes' Anti-Malware would have protected you against the XP Internet Security rogue. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.





Technical details for experts

Signs in a HijackThis log:

C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe

Alterations made by the installer:

File System
  ===============
	In the existing folder C:\Documents and Settings\All Users\Application Data
	  Adds the file QJyrk5wvCU1"="21:14 17/03/10 1286 bytes
	In the existing folder C:\Documents and Settings\{username}\Local Settings\Application Data
	  Adds the file ave.exe"="21:13 17/03/10 200704 bytes
	  Adds the file QJyrk5wvCU1"="21:14 17/03/10 1286 bytes
	In the existing folder C:\Documents and Settings\{username}\Local Settings\Temp
	  Adds the file QJyrk5wvCU1"="21:14 17/03/10 1286 bytes
	In the existing folder C:\Documents and Settings\{username}\Templates
	  Adds the file QJyrk5wvCU1"="21:14 17/03/10 1286 bytes

  Registry
  ===============
	[HKEY_CLASSES_ROOT\secfile]
	  "Content Type"="'application/x-msdownload'"
	  "(Default)"="'Application'
	[HKEY_CLASSES_ROOT\secfile\shell\start\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"%1" %*'"
	[HKEY_CLASSES_ROOT\secfile\shell\runas\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"%1" %*'"
	[HKEY_CLASSES_ROOT\secfile\shell\open\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe" /START "%1" %*'"
	[HKEY_CLASSES_ROOT\secfile\DefaultIcon]
	  "(Default)"="'%1'"
	[HKEY_CLASSES_ROOT\.exe]
	  "(Default)"="'secfile'"
	[HKEY_CLASSES_ROOT\.exe\DefaultIcon]
	  "(Default)"="'%1'"
	[HKEY_CLASSES_ROOT\.exe\shell\start\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"%1" %*'"
	[HKEY_CLASSES_ROOT\.exe\shell\runas\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"%1" %*'"
	[HKEY_CLASSES_ROOT\.exe\shell\open\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe" /START "%1" %*'"
	[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
	  "(Default)"="C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
	[HKEY_CURRENT_USER\Software\Classes\.exe]
	  "Content Type"="'application/x-msdownload'"
	  "(Default)"="'secfile'"
	[HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"%1" %*'"
	[HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"%1" %*'"
	[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe" /START "%1" %*'"
	[HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon]
	  "(Default)"="'%1'"
	[HKEY_CURRENT_USER\Software\Classes\secfile]
	  "Content Type"="'application/x-msdownload'"
	  "(Default)"="'Application'"
	[HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"%1" %*'"
	[HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"%1" %*'"
	[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
	  "IsolatedCommand"="'"%1" %*'"
	  "(Default)"="'"C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe" /START "%1" %*'"
	[HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon]
	  "(Default)"="'%1'"
	[HKEY_CURRENT_USER\Software\Microsoft\Windows]
	  "Identity"="1042655107"

Malwarebytes' Anti-Malware log:

Malwarebytes' Anti-Malware 1.44
Database version: 3877
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/17/2010 9:44:03 PM
mbam-log-2010-03-17 (21-44-03).txt

Scan type: Quick Scan
Objects scanned: 105479
Time elapsed: 3 minute(s), 1 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.

As mentioned before the full version of Malwarebytes' Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):

• IP-blocks
• Execution protection

Save yourself the hassle and get protected.

Edited by Metallica, 20 March 2010 - 12:40 PM.

[Metallica]

The malware described above uses several names and adapts to the Windows version in use. You can find other manifestations below.
The removal method is exactly the same.
To limit the number of screen-shots to download, you can view any of particular interest to you by using the links below.
Since they all look alike if you are using the same Windows version, we limited the total download by using this method.

Other manifestations of this malware

XP Defender Pro


XP Smart Security

XP AntiMalware

XP Security Tool 2010

Vista AntiMalware


Vista Defender Pro

Vista Internet Security

Total Vista Security

Win 7 AntiMalware 2010


Win 7 AntiMalware

Win 7 Defender

Antispyware Win 7

Win 7 Smart Security 2010

[Metallica]

Please download Malwarebytes' Anti-Malware from Here
If you are unable to do this from the infected computer diurectly, transfer the file from another computer.
Download the mbam-setup.exe to your desktop.

Now make sure extensions are shown. To do this, please look here
Then rename the mbam-setup.exe: to mbam-setup.com:
Then launch mbam-setup.com in order to install Malwarebytes' Anti-malware

Once Malwarebytes' Anti-Malware is installed, navigate to your Program Files\Malwarebytes' Anti-Malware folder and locate the mbam.exe in there:



rename it to mbam.com:



Now doubleclick mbam.com to launch Malwarebytes' Anti-malware.

• Click the "Update" tab and click the "Check For updates" button.
• Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart, so please allow MBAM to restart.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

This should get rid of your problem as you see in the screenshot below:



You will be prompted to reboot the computer. Once this has been done, please rename mbam.com back to mbam.exe.
You'll see that it will be able to run again.

[yocalif]

I was 1st infected with the XP Internet Security virus on Sun apr 4.
I was 2nd infected this past Sunday 4/11.

In both cases I used Malwarebytes to detect and clean.
In both cases a residual virus is left, and none of the virus detectors can find it.
(see symptoms below)


History
System is an XP Home Media,
For Anti Virus I run for resident protection Avast Free, Superantispyware Pro, and Malwarebytes has been used when either of the other two can't detect or clean a virus.

Per the symptoms when the virus first executes it locks up all exe including the AV programs.
I rebooted to Windows Safe Mode, found I still couldn't run any AV software, didn't read the thing about changing the malwarebytes.exe to .com until a few days ago. So I restored the system to 5 days earlier, and thus was able to run AV, from safe mode I first uninstalled and then reinstalled Malwarebytes and MB found the offending files and did a clean. I then reinstalled all AV and scanned with all each found something.
However there was a residual virus still in place (symptoms below).

Both infections were started when my son visited each sunday and got on the computer. And the XP Internet Security screens started appearing.

2nd infestation, I again rebooted to Safe Mode, this time uninstalled Malwarebytes and then used MB clean to clean up the install. Next I installed a latest copy + rules, still couldn't run, so changed the malwarebytes exe to .com. Ran malwarebytes it found the infestation Ave.exe and 10 other infections. Did the clean, and again have residual virus issues.

Residual Virus, is first detected by Avast,

13.04.2010 15:56:02 Network Shield: blocked access to malicious site [ C:\WINDOWS\system32\svchost.exe ]

Unfortunately I don't know what is triggering the svchost.exe or what site is trying to be accessed.

I have no clue what is triggering this, it happens at various times of day. If I do a boot scan with Avast it has found a few infections but not every time, after the above residual runs. Further I have scanned multiple times with Malwarebytes and SAS, with no results.

I need help to clean the remaining virus off my system.

[Rorschach112]

Please go to the malware forum and follow the instructions at the top....Especially the CLICK HERE.

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty--and you may not be-- then post an OTListIt log in THAT forum.

[lehua011]

advice removed

Edited by Artellos, 06 May 2010 - 02:55 PM.