Author Topic: XP Internet Security 2012 Virus  (Read 5795 times)

kc7052

  • Guest
XP Internet Security 2012 Virus
« on: June 27, 2011, 01:51:18 AM »
FAKE FAKE XP Internet Security 2012 (Virus) is Killin me
Any help in how to dump it most appreciated....

jimmy556

  • Guest
Re: XP Internet Security 2012 Virus
« Reply #1 on: June 27, 2011, 02:00:31 AM »
Have you tried running Malwarebytes free? If you do not have it installed, install it, update it and run a scan. http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol;1 If you cannot run Malwarebytes or download the program, please let us know.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: XP Internet Security 2012 Virus
« Reply #2 on: June 27, 2011, 02:23:17 AM »
They are all pretty much on the same theme, just different variants constantly released.

See http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010 for removal instructions. Whilst this mentions Vista and 2010, it is still relevant and the way to go.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

ChilliKwok

  • Guest
Re: XP Internet Security 2012 Virus
« Reply #3 on: June 27, 2011, 09:08:38 PM »
I just got bombed by this too. It launched out of nowhere - I wasn't even browsing at the time. Must've been on a timer.

I had full up to date Avast running at the time but it didn't notice anything. I immediately ran a full system scan using Avast - but again it didn't detect anything (even though it was running in plain sight).

The bogus virus checker program appears as wscntfy.exe in the process list - and launches a fake scanner process called bdj.exe whenever you try to run anything.

I tried following the instructions linked above to install MalwareBytes - running fixreg.e then the MWB setup - but it still blocked me when I tried to install MWB (looks like the fixreg thing didn't work - it's still blocking every exe)

Then I tried booting up in safe mode + networking. Running MWB off a memory stick. But it blocked me again and instantly launched the fake XP Virus scan page.

I am now worried it's got onto the memory stick - and infected my MWB setup.exe - so I've ditched that thumbdrive.

Not sure what to try next - system restore? Wipe the HD? Very alarming. Any advice would be much welcomed.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: XP Internet Security 2012 Virus
« Reply #4 on: June 27, 2011, 09:16:00 PM »
see if this guide will help you... read it all before you start

http://deletemalware.blogspot.com/2011/06/remove-xp-antispyware-2012-xp-internet.html

if no success we have Essexboy here..   ;)

report back..

ChilliKwok

  • Guest
Re: XP Internet Security 2012 Virus
« Reply #5 on: June 27, 2011, 10:03:35 PM »
Many thanks! I will try and report back

ChilliKwok

  • Guest
Re: XP Internet Security 2012 Virus
« Reply #6 on: June 28, 2011, 12:59:43 AM »
Many thanks Pondus - your link worked for me (I think, touch wood etc).

I used method 2 - renaming the "wmi" file (was called bdj.exe in my infection)

Then installing Malwarebytes off a flash drive using the supplied regedit fix (had to rename the MWB setup to explorer.exe to get it to run)

It found 5 items - rebooted - managed to connect to the internet and download the latest updates for MWB - scanned again - found 2 more items.

Rebooted - now performing a full scan. Looking good so far. But my confidence in Avast has been severely shaken.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37699
Re: XP Internet Security 2012 Virus
« Reply #7 on: June 28, 2011, 01:12:02 AM »
Quote
But my confidence in Avast has been severely shaken.
these rogues are not easy to detect.....but are a malwarebytes speciality

Fake antivirus overwhelming scanners
http://www.networkworld.com/news/2009/100209-fake-antivirus-overwhelming.html

you should also remember that Malwarebytes is a specialised tool with only a bit over 300 000 signatures while avast are in the millions, so you need both. avast will detect lots of stuff MBAM will not

ChilliKwok

  • Guest
Re: XP Internet Security 2012 Virus
« Reply #8 on: June 28, 2011, 01:31:31 AM »
Many thanks for the info. I read about fake anti-virus ages ago on The Register - but you never think it's going to happen to you - because you're smart - you have all the latest anti-virus, windows updates, never visit dodgy websites, never download anything... and then BAM!! Very scary.


ChilliKwok

  • Guest
Re: XP Internet Security 2012 Virus
« Reply #9 on: June 28, 2011, 01:36:17 AM »
Pondus and DavidR - thanks for your help. Might I ask; do you think this particular fake 'XP Security' rogue is likely to have infected any memory sticks plugged into the PC?

Also - do you know if MWB can spot it in the dormant state - or only once it's exploded and left a load of crap in the registry?

Thanks again.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: XP Internet Security 2012 Virus
« Reply #10 on: June 28, 2011, 02:30:14 AM »
I rather doubt that, only based on what we have seen in the past this doesn't appear to be a target.

However you should protect your USB sticks:
"Flash Disinfector" program, see below and http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs/ - Also see http://en.wikipedia.org/wiki/Autorun

Quote from: essexboy
1. Flash Drive Disinfector
Information and Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Mirror download site, http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe

- Also see, AutoRun.inf problems, etc. - Download and run Autorun Eater
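Added example, not part of the thread and not Flash_Disinfector's own code: a small Python audit that reports, for a drive root, whether `autorun.inf` is absent, is a folder (the state the note above says Flash_Disinfector leaves behind), or is a regular file, in which case it lists the `[autorun]` entries that would launch a program. The function name `audit_autorun` and the sample file contents are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Constructed sample of an autorun.inf that launches a program (not from a real infection).
SAMPLE = r"""[AutoRun]
; constructed sample
open=tool.exe
icon=drive.ico
shell\scan\command=tool.exe /s
label=USB
"""

def audit_autorun(root):
    """Classify the autorun.inf entry at a drive root and list launch-type keys."""
    root = Path(root)
    # Match the name case-insensitively, as FAT/NTFS lookups would.
    entry = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    if entry is None:
        return {"status": "absent", "launch": []}
    if entry.is_dir():
        # A folder with this name prevents a file of the same name being written.
        return {"status": "folder", "launch": []}
    launch, section = [], ""
    for raw in entry.read_text(encoding="latin-1").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # Keys that name a command: open, shellexecute, shell\<verb>\command
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            launch.append((key, value))
    return {"status": "file", "launch": launch}

def demo():
    """Build three constructed 'drive roots' in a temp dir and audit each."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = {name: Path(tmp) / name for name in ("clean", "immunised", "suspicious")}
        for path in roots.values():
            path.mkdir()
        (roots["immunised"] / "autorun.inf").mkdir()
        (roots["suspicious"] / "AUTORUN.INF").write_text(SAMPLE, encoding="latin-1")
        return {name: audit_autorun(path) for name, path in roots.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

On Windows, pass a drive root such as `E:\` to `audit_autorun`; a `file` result with launch entries on a stick you did not set up yourself is worth inspecting before opening the drive in Explorer.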