XP AntiVirus 2012

Cmustang87

Just a heads up with this malware: log on as a different user account on the machine before you try cleaning it up. If you're on the account that was in use when it got infected, it won't really let you do much of anything, but on another account you can run most of your utilities.

Good luck out there ;)
 
Best thing you can do is restart your computer, log in in safe mode and run Malwarebytes or ComboFix. Then after removal restart the computer, log in to Windows, update and run a full scan with your Malwarebytes and antivirus program to make sure it's been removed.
 
We've had waves of this one coming into our office... a lot of variants of it are hiding files too... so get that unhide.exe tool handy.
 
This has really been a pain in the rear at my workplace lately. Is there anything that can be done to help prevent installation/infection at all, besides keeping things updated? We use Trend Micro (not the best, I know).
 
The FixNCR.reg thing helped me clean a family computer of it. mbam after it.
 
These fake security programs are so pointless, yet so annoying and destructive. I keep getting people's machines that I have to fix. Over time the removal tools are getting better at cleaning them though. The past 3 I've had to clean worked fine with just a simple Malwarebytes scan. Ideally in safe mode.
 
These fake security programs are so pointless, yet so annoying and destructive. I keep getting people's machines that I have to fix. Over time the removal tools are getting better at cleaning them though. The past 3 I've had to clean worked fine with just a simple Malwarebytes scan. Ideally in safe mode.

Pretty much, yeah, but if you're unable to get things to scan try RKill and ComboFix.
 
I had a computer last week with one of the XP Antivirus variants. Pulled the hard drive since I couldn't download anything (IE wouldn't run, Firefox wouldn't bring up the Safe To menu). Manually went through and removed some files, put the drive back in, got into safe mode. Still had the annoying popup screens, but it was enough that I could mount my USB thumb drive and run ComboFix. ComboFix got rid of most of it, but left a nasty rootkit behind. I had to run TDSSKiller on it and it removed an Alureon rootkit. Then Malwarebytes, Spybot, and MSE.

That was one of the first times I've seen Combofix fail to clean up a computer. So make sure you don't put 100% faith in it. Belts & suspenders mode. Run several different apps. Or better yet just reinstall.
 
Yeah, I've got two laptops in at the moment with this.

Worryingly, my usual route of removing the HDDs and scanning them on a SATA dock isn't working, as the scanning PC is unable to give them a drive letter to mount them properly. Tried two different docks and PCs, also scanned and repaired the boot sectors etc. Still no go. Windows can't mount them.

Also ComboFix won't run on them in safe mode, which I tried as a last resort. Currently using the fourth AV rescue CD. Avira/Kaspersky and Panda all failed to find anything. Currently running the F-Secure one and that's only found 3 items. I'd expect at least 8 items for an early-detected drive-by like this.

Never trust just a sweep with Malwarebytes, I find so often it misses masses of stuff that others pick up. I still use it but never rely on it solely. Always use three other products after it to find the rest.

You can often run a second sweep of Malwarebytes and it will find other stuff the first scan missed.
 
This has really been a pain in the rear at my workplace lately. Is there anything that can be done to help prevent installation/infection at all, besides keeping things updated? We use Trend Micro (not the best, I know).

Get Sandboxie.
 
Daglesj, try logging on with a different user. This XP AntiVirus 2012 really doesn't do anything on another account. I didn't even see running processes for it on another account.
 
Daglesj, try logging on with a different user. This XP AntiVirus 2012 really doesn't do anything on another account. I didn't even see running processes for it on another account.

Tried that, doesn't work with another account either. Seems the writers of this malware have wised up to that one.
 
Just worked through the following AV rescue boot CDs -

Avira - Fails to boot, just reloads at the kernel.
Kaspersky - Loads and found just one file.
Panda - Found nothing.
F-Secure - Took over 2 hours and found three files.
Trinity - Failed to load.
AVG - Failed to load.
Bit-Defender - Couldn't mount HDD to scan it.

Not good really.
 
You might try ubcd4win, so you can mount the registry and disable the startup item for the malware.
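The offline-registry approach above, written out as an added example (not code from anyone in this thread): load the infected drive's SOFTWARE hive and the infected user's NTUSER.DAT from a rescue environment, list the usual autostart locations, and park a suspicious entry in a sibling key rather than deleting it so the command line is kept for analysis. The drive letter D:, the profile path and the entry name 'ax7d2kq' are hypothetical; the hive paths follow the XP layout, and the script must run elevated in a Windows PE/ubcd4win-style environment where those hives are not in use.

```powershell
# Added example, not from the thread. Reviews and disables autostart entries
# in an OFFLINE Windows registry (infected drive mounted as D:, hypothetical).
# Assumes an XP-layout system drive and an elevated PowerShell session.

$SystemDrive = 'D:'                                             # hypothetical
$NtUserDat   = "$SystemDrive\Documents and Settings\alice\NTUSER.DAT"   # hypothetical profile

# Names we mount the offline hives under inside HKLM.
$SoftKey = 'OfflineSoft'
$UserKey = 'OfflineUser'

function Mount-OfflineHives {
    reg load "HKLM\$SoftKey" "$SystemDrive\Windows\System32\config\software" | Out-Null
    reg load "HKLM\$UserKey" $NtUserDat | Out-Null
}

function Dismount-OfflineHives {
    [GC]::Collect()   # drop PowerShell's handles first, or reg unload reports "access denied"
    reg unload "HKLM\$SoftKey" | Out-Null
    reg unload "HKLM\$UserKey" | Out-Null
}

# Machine-wide and per-user Run/RunOnce keys, read from the mounted hives.
$RunKeys = @(
    "HKLM:\$SoftKey\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\$SoftKey\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\$UserKey\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\$UserKey\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)

function Get-OfflineAutostarts {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    # Winlogon Shell/Userinit should only ever reference explorer.exe / userinit.exe.
    $wl = "HKLM:\$SoftKey\Microsoft\Windows NT\CurrentVersion\Winlogon"
    if (Test-Path $wl) {
        $v = Get-ItemProperty -Path $wl
        [PSCustomObject]@{ Key = $wl; Name = 'Shell';    Command = $v.Shell }
        [PSCustomObject]@{ Key = $wl; Name = 'Userinit'; Command = $v.Userinit }
    }
}

# Move one Run value into "<Key>-Disabled" instead of deleting it, so the
# original command line survives for later review.
function Disable-OfflineAutostart {
    param([string]$Key, [string]$Name)
    $value  = (Get-ItemProperty -Path $Key -Name $Name).$Name
    $parked = "${Key}-Disabled"
    if (-not (Test-Path $parked)) { New-Item -Path $parked | Out-Null }
    Set-ItemProperty -Path $parked -Name $Name -Value $value
    Remove-ItemProperty -Path $Key -Name $Name
}

Mount-OfflineHives
try {
    # Review the list: an entry whose command points into a profile's
    # Application Data or Temp folder under a random name is the usual tell.
    Get-OfflineAutostarts | Format-Table -AutoSize
    # Then disable by key and name, e.g. (hypothetical entry):
    # Disable-OfflineAutostart -Key $RunKeys[2] -Name 'ax7d2kq'
} finally {
    Dismount-OfflineHives
}
```

The hives are always unloaded in the `finally` block; a hive left loaded would keep the drive's registry files locked and stop the machine booting cleanly once the disk is put back. This covers only the Run/RunOnce and Winlogon locations; it is a review aid to pair with the rescue scans discussed above, not a replacement for them.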
 