Monday, June 13, 2011

How to remove XP Internet Security 2012

This is a tricky rogue. XP Internet Security promotes itself through trojans and uses fake Windows Automatic Updates and Windows Security Center windows to install itself onto the victim's computer. The rogue also disables most existing legitimate antivirus software, much as the rogue Paladin attempts to. Therefore, your only hope is to remove XP Internet Security manually. However, the rogue can also disable Task Manager and Registry Editor, so you will also have to find a way to regain those features through trial and error.

EDIT: Blocking existing legitimate programs doesn't mean you can't download a new one. If you did not previously have Spyware Doctor/MalwareBytes/SUPERantispyware/SpyBot S&D, you can still download it. But if you already have all of these, too bad....

MANUAL REMOVAL OF XP INTERNET SECURITY 2012:

KILL the following processes: AV.exe

DELETE the following registry values:

  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
  • HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'

Now delete the following files:

  • %AllUsersProfile%\Application Data\~
  • %AllUsersProfile%\Application Data\~r
  • %AllUsersProfile%\Application Data\.dll
  • %AllUsersProfile%\Application Data\.exe
  • %AllUsersProfile%\Application Data\
  • %AllUsersProfile%\Application Data\.exe
  • %UserProfile%\Desktop\XP Internet Security 2012.lnk
  • %UserProfile%\Start Menu\Programs\XP Internet Security 2012\
  • %UserProfile%\Start Menu\Programs\XP Internet Security 2012\Uninstall XP Internet Security 2012.lnk
  • %UserProfile%\Start Menu\Programs\XP Internet Security 2012\XP Internet Security 2012.lnk

Whew! That was close...
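
To check whether the registry values listed above are still present (or have come back), the Python sketch below audits the text of a regedit export. It is an added example, not part of the original post. It assumes that `"%1" %*` is the stock Windows `exefile` open command and that a `StartMenuInternet` subkey named after an .exe should launch that same .exe (a heuristic); the sample export and its paths are constructed.

```python
import re

# Constructed regedit export modelled on the values listed above (paths made up).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Users\\test\\AppData\\Local\\kdn.exe\" -a \"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Users\\test\\AppData\\Local\\kdn.exe\" -a \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
'''

EXE_HANDLER = re.compile(r'\\(\.exe|exefile)\\shell\\open\\command$', re.I)
BROWSER = re.compile(r'\\StartMenuInternet\\([^\\]+\.exe)\\shell\\\w+\\command$', re.I)

def parse_reg(text):
    """Yield (key, value_name, data) from .reg text; '@' is the (Default) value."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and '=' in line:
            name, data = line.split('=', 1)
            if data.startswith('"'):   # REG_SZ: strip quotes, undo \\ and \" escapes
                data = re.sub(r'\\(.)', r'\1', data[1:-1])
            yield key, name.strip('"'), data

def first_exe(command):
    """Base name of the program a command line launches (its first token)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)).rsplit('\\', 1)[-1].lower() if m else ''

def audit(text):
    findings = []
    for key, name, data in parse_reg(text):
        # Any .exe/exefile open handler other than the stock one runs a wrapper first.
        if name == '@' and EXE_HANDLER.search(key) and data.strip() != '"%1" %*':
            findings.append(('exe-handler-hijack', key, data))
        m = BROWSER.search(key)   # heuristic: key FIREFOX.EXE should start firefox.exe
        if name == '@' and m and first_exe(data) != m.group(1).lower():
            findings.append(('browser-launch-wrapped', key, data))
        if key.lower().endswith(r'\microsoft\security center') and data == 'dword:00000001' \
                and name in ('AntiVirusOverride', 'FirewallOverride'):
            findings.append(('security-center-override', key, name))
    return findings
```

Calling `audit()` on the text of an exported .reg file returns a list of `(finding, key, detail)` tuples; an empty list means none of the three patterns matched.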

