Monday, June 13, 2011

How to remove XP Internet Security 2012

This is a tricky rogue. XP Internet Security promotes itself through trojans and uses fake Windows Automatic Updates and Windows Security Center windows to install itself onto victims' computers. The rogue also disables most existing legitimate antivirus software, similar to what the rogue Paladin attempts to do. Therefore, your only hope is to manually remove XP Internet Security. However, the rogue can also disable Task Manager and Registry Editor, so you will also have to find a way to regain those features through trial and error.

EDIT: Blocking existing legitimate antivirus programs doesn't mean you can't download a new one. If you previously did not have Spyware Doctor/MalwareBytes/SUPERantispyware/SpyBot S&D, you can still download it. But if you already have all of these, too bad....

MANUAL REMOVAL OF XP INTERNET SECURITY 2012:

KILL the following processes: AV.exe

DELETE the following registry values:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
  • HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'

Now delete the following files:


  • %AllUsersProfile%\Application Data\~
  • %AllUsersProfile%\Application Data\~r
  • %AllUsersProfile%\Application Data\.dll
  • %AllUsersProfile%\Application Data\.exe
  • %AllUsersProfile%\Application Data\
  • %AllUsersProfile%\Application Data\.exe
  • %UserProfile%\Desktop\XP Internet Security 2012.lnk
  • %UserProfile%\Start Menu\Programs\XP Internet Security 2012\
  • %UserProfile%\Start Menu\Programs\XP Internet Security 2012\Uninstall XP Internet Security 2012.lnk
  • %UserProfile%\Start Menu\Programs\XP Internet Security 2012\XP Internet Security 2012.lnk
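An added example (not from the original post) that audits the registry locations listed above and puts the .exe file association back. It assumes PowerShell is available on the affected machine; the kdn.exe "-a" loader pattern comes from the post, and the stock exefile command "%1" %* is the normal Windows default.

```powershell
# Added example, not part of the original post. Read-only audit functions plus
# one repair function for the exefile hijack described above.

# Keys the post lists whose (Default) value the rogue replaces with its loader.
$launchKeys = @(
    'HKCU:\Software\Classes\.exe\shell\open\command',
    'HKCU:\Software\Classes\exefile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
)

function Get-LauncherStatus {
    param([string]$KeyPath)
    $item = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }          # key absent: nothing to report
    $cmd = [string]$item.'(default)'
    # Hijack pattern from the post: a loader in the local profile folder that is
    # handed the real program after "-a". A stock value names the program directly.
    $loader = '(?i)(%LocalAppData%|Local Settings\\Application Data|AppData\\Local)\\[^"]*\.exe"?\s+-a\s'
    $status = if ($cmd -match $loader) { 'HIJACKED' } else { 'ok' }
    [pscustomobject]@{ Key = $KeyPath; Value = $cmd; Status = $status }
}

function Get-SecurityCenterOverrides {
    $sc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
    foreach ($name in 'AntiVirusOverride', 'FirewallOverride') {
        # A value of 1 silences the Security Center warning that AV / firewall is off.
        if ($null -ne $sc -and $sc.$name -eq 1) {
            [pscustomobject]@{ Key = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Value = $name; Status = 'OVERRIDDEN' }
        }
    }
}

# Repair: exefile must get its stock value back, not be deleted, or no .exe will
# launch. The per-user Classes copies and the .exe\shell key only exist because
# the rogue created them, so they are removed. Run elevated, after AV.exe is killed.
function Restore-ExeAssociation {
    Set-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -Name '(default)' -Value '"%1" %*'
    Remove-Item -Path 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile' -Recurse -ErrorAction SilentlyContinue
    Remove-Item -Path 'Registry::HKEY_CLASSES_ROOT\.exe\shell' -Recurse -ErrorAction SilentlyContinue
}

$launchKeys | ForEach-Object { Get-LauncherStatus $_ }
Get-SecurityCenterOverrides
```

Review the audit output first; call Restore-ExeAssociation only for the exefile hijack, and set the two Security Center override values back to 0 (or delete them) so Windows warns again when protection is off.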


Whew! That was close...


Sunday, June 12, 2011

How To Remove SpywareSTOP

SpywareSTOP is a rogue antivirus program that propagates through Google Ads, pop-ups on various websites, and other channels. It was formerly called SpywareBOT (not to be confused with SpyBot S&D). Its website, www.spywarebot.com, is still active and the software is, sadly, still commonly downloaded. It is very sneaky (its status is disputed, so some sources may say the program is legit), so most antivirus software does not detect it (similar to how the rogue RegGenie is listed as a "spyware-free" download on Cnet's website when it is not). AVG LinkScanner says that the program's official website is safe, while McAfee's report says that there is potential spyware or adware on it.

Instant Removal of SpywareSTOP - Download MalwareBytes Antimalware (free) for instant removal of SpywareSTOP by completing the setup and running a scan (usually a quick scan is recommended), or download the trial version of PC Tools Spyware Doctor. (Note: The trial version of Spyware Doctor only detects threats. You have to pay $29.95 USD to buy the full version that removes them.)

Manual Removal of SpywareSTOP- KILL the following processes using the Windows Task Manager:
spywarestop.exe, setupxv.exe

PRESS the "Windows Logo" and "R" keys on your keyboard. The Run box should appear. TYPE "regedit". The Registry Editor should open. Now DELETE the following registry values:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareStop
  • HKEY_CURRENT_USER\Software\SpywareStop
  • HKEY_LOCAL_MACHINE\SOFTWARE\SpywareStop
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10F0C2A9-8E38-43e3-204D-45524C494E20}
  • HKEY_CLASSES_ROOT\CLSID\{10F0C2A9-8E38-43e3-204D-45524C494E20}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{10F0C2A9-8E38-43e3-204D-45524C494E20}
LOCATE and DELETE the following files:

  • %ProgramFiles%\SpywareStop\SpywareStop.pkg
  • %ProgramFiles%\SpywareStop\SpywareStop.db
  • %ProgramFiles%\SpywareStop\SpywareStop.exe
  • %ProgramFiles%\SpywareStop\IeExtension.dll
  • %ProgramFiles%\SpywareStop\PopupBlocker.dll
  • %ProgramFiles%\SpywareStop\program.info
  • %ProgramFiles%\SpywareStop\Uninstall.exe
  • %UserProfile%\Local Settings\Temp\[RANDOM CHARACTERS].tmp
  • %UserProfile%\Application Data\SpywareStop\config.xml
  • %UserProfile%\Start Menu\Programs\Startup\.protected
  • %UserProfile%\Application Data\SpywareStop\logs\1205156013.log
  • %UserProfile%\Application Data\SpywareStop\Sites.bl
  • %Windir%\.protected
  • %CurrentFolder%\log
  • %System%\drivers\etc\.protected
  • %SystemDrive%\.protected
  • C:\Documents and Settings\All Users\Start Menu\Programs\SpywareStop\SpywareStop Uninstall.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\SpywareStop\SpywareStop.lnk
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected
  • SpywareStop
  • SpywareStop.exe
  • SpywareStop.lnk
  • SpywareStop on the Web.lnk
  • SpywareStop.url
  • spywarestop.srv.exe
You're done!

NOTE: Posts about how to delete files, delete registry values, kill processes, and unregister DLLs will be posted soon.