Wednesday, June 22, 2011

How to remove Windows XP Home Security 2012 Malware

Windows XP Home Security 2012 is delivered as the payload of several dropper variants. Legitimate, useful software is not spread by droppers. The program would have been detected sooner or later anyway, but a trojan trap was the first to expose it.
Brief further research on the sample captured by the trojan trap confirmed the assumption that it was a counterfeit security product with strong system-disrupting traits.
It was later found that it spreads by many routes and that, most likely, the majority of its victims were enticed into downloading the counterfeit manually.
Windows XP Home Security 2012 can be removed manually or automatically. However, automatic removal is strongly recommended, because in the wild this adware is seldom the only parasite on a computer. An infected system therefore needs a proper scan and disinfection, which only an automated security solution provides.

Manual removal guide:
Delete infected files:
%AllUsersProfile%\Application Data\u3f7pnvfncsjk2e86abfbj5h
%LocalAppData%\kdn.exe
%LocalAppData%\u3f7pnvfncsjk2e86abfbj5h
%Temp%\u3f7pnvfncsjk2e86abfbj5h
%UserProfile%\Templates\u3f7pnvfncsjk2e86abfbj5h
Delete infected registry entries:
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'
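
The registry entries listed above can be checked from an exported .reg file instead of on the live system. The script below is an added example, not part of the original post: the function names and the sample export are constructed, the input is assumed to be already decoded to text, and the browser check is a heuristic that assumes the StartMenuInternet client key is named after its executable, as with the two clients listed here.

```python
import re

DEFAULT_EXE_COMMAND = '"%1" %*'  # stock Windows handler for launching .exe files
# Constructed sample in .reg export format (not taken from a real machine).
SAMPLE_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\kdn.exe\" -a \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\kdn.exe\" -a \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
'''

def parse_reg(text):
    """Return {key: {value_name: data}}; '@' is the key's (Default) value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            if data.startswith('"'):  # string value: drop quotes, undo backslash escapes
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            current[name.strip('"')] = data
    return keys

def find_hijacks(keys):
    """Return (key, value_name, reason) for each pattern from the removal list."""
    found = []
    for key, values in keys.items():
        low, cmd = key.lower(), values.get("@", "")
        if low.endswith(("\\.exe\\shell\\open\\command", "\\exefile\\shell\\open\\command")):
            if cmd != DEFAULT_EXE_COMMAND:  # anything but the stock handler is reported
                found.append((key, "@", "exe handler replaced"))
        client = re.search(r"\\startmenuinternet\\([^\\]+)\\shell\\", low)
        first = re.match(r'"([^"]+)"', cmd)  # first quoted program on the command line
        if client and first and first.group(1).rsplit("\\", 1)[-1].lower() != client.group(1):
            found.append((key, "@", "browser launched through another program"))
        if low.endswith("\\microsoft\\security center"):
            found += [(key, n, "Security Center alert override set")
                      for n in ("AntiVirusOverride", "FirewallOverride") if values.get(n) == "dword:00000001"]
    return found

if __name__ == "__main__":
    print(*find_hijacks(parse_reg(SAMPLE_EXPORT)), sep="\n")
```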

3 comments:

Matt Geyer said...

In the manual steps, if you delete the files first, the default open command will not work anymore and you've sorta bricked your computer. (Google "can't run exe files" to fix that.)

Another wonderful thing about this virus: if you try to search for how to remove it, it redirects your searches. Had to get the instructions on this page from my phone.

Matt Geyer said...

Kdn.exe: mine was avj.exe. It's three random letters in the current version.

Also if you're still on xp like me, there's no %localappdata%
Try:
%userprofile%\local settings\application data

Anonymous said...

This site is just selling Spyware Doctor.