x404.co.uk http://www.x404.co.uk/forum/
XP Security 2011 http://www.x404.co.uk/forum/viewtopic.php?f=4&t=12867
Author: Spreadie [ Fri Mar 04, 2011 2:26 pm ]
Post subject: XP Security 2011
Just had a call from a mate. He says he has been infected by a rogue anti-spyware suite called XP Security 2011. Ok, that's not altogether unusual as there are plenty of the things crawling about the net. The problem is he has booted into safe mode so he can run anti-malware bytes, but this dodgy suite still automagically runs in safe mode and prevents execution of Anti-malware bytes and Microsoft Security Essentials! I'll go and get rid of it obviously, but I've never seen one of these suites running in safe mode before. Intriguing.
Author: saspro [ Sun Mar 06, 2011 4:53 pm ]
Post subject: Re: XP Security 2011
A lot of them add the exe into the registry to boot even in safe mode. I usually find killing the exe then a quick Malwarebytes gets rid of it.
Author: pcernie [ Sun Mar 06, 2011 5:08 pm ]
Post subject: Re: XP Security 2011
Out of curiosity, how do you kill the exe to do that? Just for future reference.
Author: Spreadie [ Sun Mar 06, 2011 6:35 pm ]
Post subject: Re: XP Security 2011
If you open task manager when the rogue suite is supposedly running its virus scan, you can identify which file it is through CPU usage. I found that there were actually five executables, all with different names, so deleting one simply meant another ran the suite. Very clever, and bloody annoying. You can download a file called rkill.exe which will hunt them down, although XP Security 2011 made that a little more difficult by preventing executables from running. It resulted in the "open with" dialogue box popping up - so I just pointed it at the win.com file in the system32 folder. After that, cleaning up the system got a lot easier. Needless to say, don't attempt a system restore or you'll re-infect the machine.
Author: pcernie [ Sun Mar 06, 2011 8:17 pm ]
Post subject: Re: XP Security 2011
I was thinking of TM, but then I never understood what some of the process names meant, and Googling them often gave different opinions. Thanks for the info, good to know.
All times are UTC