XP Home Security Scareware - Detected but not blocked on user account?

The title is a bit long, but let me describe what happened...

I managed to get my home computer infected with the "XP Home Security 2011" scareware. Got it cleaned off fine, but my AV software didn't detect it. Now at work, I had a system with a similar problem. Same thing, cleaned up, no problem. However, the occurrences have raised several questions that I need to answer:

1. The account only has User rights. How can a program attach itself in a way that it loads every time?

2. The infection was not blocked, however after I cleaned the scareware off the system, I did a full scan using FCS and the program was detected in the deleted items! How did it miss it the first time?

Thanks!

April 4th, 2011 8:28pm

Hi,

Thanks for the post.

Please understand that "XP Home Security 2011" scareware is running under some kind of system security context, which means it can load every time. In general, manually locating and deleting malicious files should also be performed.

Here are the relevant files and registry entries for XP Home Security 2011

Malicious Files Added by XP Home Security 2011:
c:\[random].exe
c:\Program Files\XP Home Security 2011
c:\Program Files\XP Home Security 2011\HS2011.exe
c:\WINDOWS\system32\[random].exe
c:\WINDOWS\system32\winhelper86.dll
c:\WINDOWS\system32\winlogon86.exe
c:\WINDOWS\system32\winupdate86.exe

XP Home Security 2011 Registry Entries:
Vista Security 2011 Registry Entries:
HKEY_CURRENT_USER\Software\HS2011
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "XP Home Security 2011"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winupdate86.exe"

You may need to remove them in Clean Boot Mode even in Safe Mode.

Thanks,

April 5th, 2011 5:27am
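The reply above lists the file paths and Run-key values to look for. The following PowerShell script is an added example, not part of the thread, that audits exactly those locations in read-only fashion and reports what is present without deleting anything. Two points it assumes and labels as such: the HKEY_CURRENT_USER Run value and HKCU\Software\HS2011 are writable by an ordinary user account (no admin rights are needed to set them, which is how a user-level process can make itself start at every logon), and the "[random].exe" entries cannot be matched by name, so the script falls back to a heuristic of listing recently created executables directly under C:\ and in system32, with the age window ($Days) being an arbitrary choice.

```powershell
# Added example, not from the thread: read-only audit of the persistence
# locations listed in the reply. It reports findings and removes nothing.
# Run it in the affected user's session (HKCU is per-user); the HKLM and
# system32 checks work without admin rights because they only read.

param([int]$Days = 7)   # heuristic window for "recently created" (assumption)

# Fixed paths named in the reply. The c:\[random].exe entries are handled
# separately below because they cannot be matched by name.
$knownFiles = @(
    'C:\Program Files\XP Home Security 2011\HS2011.exe',
    "$env:SystemRoot\system32\winhelper86.dll",
    "$env:SystemRoot\system32\winlogon86.exe",
    "$env:SystemRoot\system32\winupdate86.exe"
)
$knownRunNames = @('XP Home Security 2011', 'winupdate86.exe')
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',   # writable by the user
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'    # needs admin to write
)

Write-Host '== Known file and registry paths =='
foreach ($f in $knownFiles) {
    if (Test-Path -LiteralPath $f) { Write-Host "FOUND   $f" } else { Write-Host "absent  $f" }
}
if (Test-Path -LiteralPath 'HKCU:\Software\HS2011') {
    Write-Host 'FOUND   HKCU\Software\HS2011'
} else {
    Write-Host 'absent  HKCU\Software\HS2011'
}

Write-Host "`n== Run keys (every value listed; names from the reply flagged) =="
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, etc.; skip those.
        if ($p.Name -like 'PS*') { continue }
        $flag = if ($knownRunNames -contains $p.Name) { 'FLAG ' } else { '     ' }
        Write-Host ('{0}{1}  "{2}" = {3}' -f $flag, $k, $p.Name, $p.Value)
    }
}

Write-Host "`n== Recently created .exe files in C:\ and system32 (heuristic for [random].exe) =="
$cutoff = (Get-Date).AddDays(-$Days)
foreach ($dir in @('C:\', "$env:SystemRoot\system32")) {
    Get-ChildItem -Path $dir -Filter *.exe -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.CreationTime -gt $cutoff } |
        ForEach-Object { Write-Host ('{0}  {1}' -f $_.CreationTime, $_.FullName) }
}
```

Because the script only reads, it is safe to run before any cleanup to record what is actually on the machine, and again afterwards to confirm the Run values are gone. Anything it flags still needs to be confirmed by hand (an unfamiliar Run value is not proof of infection), and a genuine executable created in the last few days will show up in the heuristic section as well.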

Thanks for the reply.

However, it has happened again to another user. Same situation. How come this is getting past our Forefront Client Security? Not only that, where did it come from? User was on the CNN site when it happened. Don't think there is anything malicious there.

Fortunately, our users don't have admin rights, so none of those files appeared on the machine.

April 7th, 2011 11:51pm

Hey Miles --

I have a laptop with this incredibly irritating problem, and in searching various help sites I keep seeing the same information you've posted on what to look for and delete from the hard drive and Registry. The hang-up is NONE of those directories/files/registry settings exist on the computer with the issue. Zero.


I was able to start the computer as Administrator in Safe Mode and upgrade Malwarebytes and use Clean My PC Registry cleaner (helps turn off programs that run automatically every start up) and found half a dozen issues, but not (of course) this main problem. The window that comes up says "XP Home Security - Unregistered Version." Nothing about 2011 though. Is this a different scam with a similar name?


April 17th, 2011 8:26pm

Hi,

That malware is a real problem for all AV editors. You can look at this good guide to remove it: http://blog.teesupport.com/how-to-guide-remove-xp-home-security-2011-virus-xp-home-security2011-removal-guide/ ; in addition you can use Microsoft Safety Scanner https://consumersecuritysupport.microsoft.com/default.aspx?mkt=en-us&scrx=1&st=1&wfxredirect=1 (click on "I think my computer is infected")

April 17th, 2011 9:43pm
