What is XP Internet Security?
The Malwarebytes research team has determined that XP Internet Security is a fake anti-malware application. These so-called "rogues" use intentional false positives to convince users that their systems have been compromised. Then they try to sell you their software, claiming it will remove these threats. In extreme cases the false threats are actually the very trojans that advertise or even directly install the rogue. You are strongly advised to follow our removal instructions below.
How do I know if I am infected with XP Internet Security?
This is how the main screen of the rogue application looks:
And see these warnings:
How did XP Internet Security get on my computer?
Rogue programs use different methods for spreading themselves. This particular one was installed by a trojan.
How do I remove XP Internet Security?
Our program Malwarebytes' Anti-Malware can detect and remove this rogue application.
Please follow the detailed instructions posted in the last post in this thread.
How would the full version of Malwarebytes' Anti-Malware help protect me?
We hope our application has helped you eradicate this malicious software. If your current security solution let this infection through, you might please consider purchasing the FULL version of Malwarebytes' Anti-Malware for additional protection.
As you can see below the full version of Malwarebytes' Anti-Malware would have protected you against the XP Internet Security rogue. It would have warned you before the rogue could install itself, giving you a chance to stop it before it became too late.
Technical details for experts
Signs in a HijackThis log:
C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe
Alterations made by the installer:
File System =============== In the existing folder C:\Documents and Settings\All Users\Application Data Adds the file QJyrk5wvCU1"="21:14 17/03/10 1286 bytes In the existing folder C:\Documents and Settings\{username}\Local Settings\Application Data Adds the file ave.exe"="21:13 17/03/10 200704 bytes Adds the file QJyrk5wvCU1"="21:14 17/03/10 1286 bytes In the existing folder C:\Documents and Settings\{username}\Local Settings\Temp Adds the file QJyrk5wvCU1"="21:14 17/03/10 1286 bytes In the existing folder C:\Documents and Settings\{username}\Templates Adds the file QJyrk5wvCU1"="21:14 17/03/10 1286 bytes Registry =============== [HKEY_CLASSES_ROOT\secfile] "Content Type"="'application/x-msdownload'" "(Default)"="'Application' [HKEY_CLASSES_ROOT\secfile\shell\start\command] "IsolatedCommand"="'"%1" %*'" "(Default)"="'"%1" %*'" [HKEY_CLASSES_ROOT\secfile\shell\runas\command] "IsolatedCommand"="'"%1" %*'" "(Default)"="'"%1" %*'" [HKEY_CLASSES_ROOT\secfile\shell\open\command] "IsolatedCommand"="'"%1" %*'" "(Default)"="'"C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe" /START "%1" %*'" [HKEY_CLASSES_ROOT\secfile\DefaultIcon] "(Default)"="'%1'" [HKEY_CLASSES_ROOT\.exe] "(Default)"="'secfile'" [HKEY_CLASSES_ROOT\.exe\DefaultIcon] "(Default)"="'%1'" [HKEY_CLASSES_ROOT\.exe\shell\start\command] "IsolatedCommand"="'"%1" %*'" "(Default)"="'"%1" %*'" [HKEY_CLASSES_ROOT\.exe\shell\runas\command] "IsolatedCommand"="'"%1" %*'" "(Default)"="'"%1" %*'" [HKEY_CLASSES_ROOT\.exe\shell\open\command] "IsolatedCommand"="'"%1" %*'" "(Default)"="'"C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe" /START "%1" %*'" [HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command] "(Default)"="C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe" [HKEY_CURRENT_USER\Software\Classes\.exe] "Content Type"="'application/x-msdownload'" "(Default)"="'secfile'" [HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command] "IsolatedCommand"="'"%1" %*'" "(Default)"="'"%1" %*'" [HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command] "IsolatedCommand"="'"%1" %*'" "(Default)"="'"%1" %*'" [HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command] "IsolatedCommand"="'"%1" %*'" "(Default)"="'"C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe" /START "%1" %*'" [HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon] "(Default)"="'%1'" [HKEY_CURRENT_USER\Software\Classes\secfile] "Content Type"="'application/x-msdownload'" "(Default)"="'Application'" [HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command] "IsolatedCommand"="'"%1" %*'" "(Default)"="'"%1" %*'" [HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command] "IsolatedCommand"="'"%1" %*'" "(Default)"="'"%1" %*'" [HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command] "IsolatedCommand"="'"%1" %*'" "(Default)"="'"C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe" /START "%1" %*'" [HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon] "(Default)"="'%1'" [HKEY_CURRENT_USER\Software\Microsoft\Windows] "Identity"="1042655107"
Malwarebytes' Anti-Malware log:
Malwarebytes' Anti-Malware 1.44 Database version: 3877 Windows 5.1.2600 Service Pack 2 Internet Explorer 6.0.2900.2180 3/17/2010 9:44:03 PM mbam-log-2010-03-17 (21-44-03).txt Scan type: Quick Scan Objects scanned: 105479 Time elapsed: 3 minute(s), 1 second(s) Memory Processes Infected: 1 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 2 Registry Data Items Infected: 5 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Unloaded process successfully. Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\{username}\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
As mentioned before the full version of Malwarebytes' Anti-Malware could have protected your computer against this threat.
We use different ways of protecting your computer(s):
- IP-blocks
- Execution protection
Edited by Metallica, 20 March 2010 - 12:40 PM.