Bob Rankin: How to Remove XP Total Security 2011 Virus

bobr

By Bob Rankin

An especially nasty fake anti-malware program is making the rounds. It goes by many names including XP Total Security, XP Home Security Vista Anti-Virus, Win 7 Anti-Spyware, Win 7 Internet Security, and “2011” variants that sound like the latest and greatest anti-malware tool. But they’re all the same evil malware in various disguises.

This malware is delivered to your computer via a Trojan horse: a file that purports to be something else such as a movie or handy utility. It installs itself as an executable file whose name is three letters long; unfortunately, the three letters are randomly generated so I can’t tell you a file name to look for. Once installed, it pretends to be a security update for Windows installed via Automatic Updates.

The malware launches whenever your launch another executable file. It also modifies Windows registry settings so that whenever you launch Internet Explorer or Firefox from the Windows Start menu, the malware launches instead and displays a fake firewall warning.

Like other rogue anti-malware, this one fakes a “full scan” of your computer when it starts. It then displays multiple alarming warnings of “infected files” – all of them false positives. It tells you that you must purchase the “full” version” of the fake anti-malware program to eliminate the infections. Don’t do it, and don’t try to remove the “infected” files manually. All of them are legitimate system files that Windows needs to operate.

The rogue aggressively deters efforts to remove it or get help. If you try to run a legitimate anti-malware app, the rogue will block its startup and display a fake “infected file” alert. Try browsing to a popular anti-malware site and the rogue will block the URL, telling you (falsely) that the page you are trying to visit is dangerous and blocked “for your protection.”

Article continued here: The Cure For XP Total Security

BOB’S WORLD

Internet Tourbus -> Free Newsletter

Ask Bob Rankin -> Tech Support

73 total views, 1 views today

(Visited 9 times, 1 visits today)

5 thoughts on “Bob Rankin: How to Remove XP Total Security 2011 Virus

  1. An IT at a major business will rarely deal with Rogue Viruses but supporting family, friends, or the “Maw and Paw Business”, that’s another story. I have a remote list of about 100 computers that includes family but mostly friends or friends of friends that are handicapped in some way, some home bound patients with terminal illnesses, Veterans families needing assistance with computer communications to their loved ones overseas, and older folks that just need to learn and use “good side” of computing. It’s a non paying non profit thing with other rewards and one of those being, experience with personal and small business computers with varying security program combinations. Note that none of these users stray from the moral use of computers, and few know enough to deal with online banking, but all do email and research into their own needs. All have encountered something similar or the exact infection described. Its one thing to deal with it on a local level but via remote is something else.
    Since the availability of LogMeIn and Malwarebytes Free Editions, I use or have used them both on all the machines regardless of other security software. MWB Free is a manual scanner, no automatic viral detection, but routinely updated (one of its automatics), is a reliable Rogue Killer especially if you can get to Safe Mode. In normal Windows, MWB is prevented from running due to registry keys being controlled by the virus, but in Safe Mode, MWB is able to run if it’s already installed on the system. If it’s not on the system, follow Bob Rankins instructions and have at it.
    This brings me to LogMeIn Free. One of the special functions of LMI is a forced and immediate reboot of the computer into Safe Mode with Networking. This allows you to LMI to the computer, preferably logging into the Administrator account, and despite the false flags from the virus; you can run Malwarebytes immediately without updates which has never failed me. Once MWB kills the virus and recommends the restart, let it boot back into Windows normal and check things for functionality.
    There are sites that force a combination of a Rogue Fake AV with variants of Vundoo; a nasty combination that would warrant a complete rebuild of the system due to extent of the damage after the infection has been eliminated. As in all my systems, a remote automatic Ghost Cloner is available with a restoration option that can be controlled remotely or on site, and I’ve had to use it in some of these Rogue cases.
    I suggest when using MWB Paid Edition with other security protection, if your protector monitors emails, files and file executions, there’s an option in MWB to set MWB not to monitor “real-time” files and folders, but to “real-time” monitor your Browser for bad links and rogue attempts when you running around on the net. Many times when used with security programs like Norton, AVG, Avast, Kaspersky, McAfee and many others, there’s a conflict of duties that can slow down or even stop activities; conflicts that the Security’s firewall or exemption options cannot correct or maintain. On some machines where email is internet based like gmail, hotmail, etc, and no other onboard email clients like Outlook and Exchange are used, MWB Paid version is the only security I have on the system and works just fine (user habits dictated). MWB will prompt and block suspicious callouts made by onboard programs or cookies trying to nail known bad addresses listed in MWB(s) database. Good feature.
    As of this posting date, the major security programs have all been updating to focus on the re-directives planted in sites; the manipulations by Rogues and other “User Trapping Techniques”, and especially at Social Networking and media sites. These upgrades are now in direct competition with MWB to prevent Rogue and “Tricking the User” attacks.
    Still, an ounce of prevention added to the pound? For my blessed Aunti Em, I’ll take it.

  2. I was caught by this one a few months back; at that particular time I was overtired and fell right in.

    Although I could have used a “live” cd or usb drive to access the PC and clean it, I decided to see if I could find a back door to IE so that I might access “step-by -step” instructions. After all, most people have only one PC and if this thing strikes there is no way that they are going to get online to find out how to deal with the situation.

    Access to the Internet for this information proved to be very easy; any link direct to Microsoft’s website works. I used the “check Microsoft’s Privacy Statement Online” link via Control Panel. There are others, such as the manual update system.

    Once on the Microsoft site, it is easy enough to do a “search” away from that point for information on removing this curse; the information can be jotted down and then acted upon.

  3. I no longer react to any POP UP warnings, even though MSE warning boxes appear legit. I Shut down the computer if any of those boxes appear, restart and run a scan to confirm accuracy of any warnings.

  4. Believe it or Not, I am having THIS problem with McAfee. I get this Warning that my Computer is At Risk and I must download the latest Updates but when I attempt to do so the Downloads go so far and then back to Zero and it goes on like that. For sure I can just ignore it because it does not seem to be negatively affecting my PC with XP otherwise. BUT can this really be happening that even McAfee that is our Numero Uno Virus Protection could be so infected??? As
    you relate, I’ve had a problem as you’ve related trying to contact McAfee in this case. There seems to be something blocking me from getting the help I need from them.

  5. I had this fake security warning on my machine. I new it was anti-malware, so I booted into safe mode with networking and downloaded Malwarebytes ran a full scan, and this nastie was found and removed. Job done

Leave a Reply

Your email address will not be published. Required fields are marked *