Tuesday, April 5, 2011

Eliminating XP Home Security 2011

XP Home Security 2011 is a fake anti-virus program that may have made its way into your computer through a trojan. If your computer has been infected and its real anti-virus program can’t detect it, you will have to eliminate it manually.

While some other solutions have been posted online, there seems to be a variant where those methods are not applicable. Here’s how it behaves and what you can do to get rid of it:

  • The XP Home Security 2011 icon appears in your system tray. Task Manager shows a process called iei.exe running (or, from what I’ve read, the file name may be a string of random characters).
  • You will be unable to open any executable file. Other programs that are already running may continue to run.
  • After you end the iei.exe process in Task Manager, attempting to run any executable file will only bring it back up. You can’t even run cmd, msconfig or regedit.

  • Have a copy of Trend Micro HiJackThis and Malwarebytes ready. (You can use a flash drive or, better yet, a read-only storage device to bring these tools onto the infected computer.)
  • Reboot the computer into Safe Mode.

Using HiJackThis
  • Since you will be unable to run HiJackThis directly, use Windows Explorer to go to My Documents (or any other directory on your computer that contains a file). Right-click on any file and choose the Open With -> Choose Program option.
  • If HiJackThis is not on the list, click the Browse button, locate it and click OK. This should allow HiJackThis to finally run.
  • On HiJackThis, click “Open the Misc Tools section.”
  • Under System Tools, click “Open Process Manager” and note the full path of iei.exe. (Its value should be C:\Documents and Settings\<user name>\Application Data\iei.exe or something similar.)
  • Go back to Misc Tools, and click “Delete a file on reboot.” Enter the full path of iei.exe (as located by Process Manager). Note: If you browse through the directory, you will not find the particular file listed, but this is okay. Go ahead and proceed.
  • Click Yes when prompted to restart your computer. Stay in Safe Mode.

Using Malwarebytes
  • At this point, iei.exe should already be deleted. But when you try to open any program/executable, the “Open With” dialog box will appear. We will use Malwarebytes to fix this.
  • (If you have already installed Malwarebytes, skip this step.) Install Malwarebytes as you would normally, but when the “Open With” dialog box appears, go to Choose Program, browse to the location of the installer, and click OK.
  • As with HiJackThis, you will be unable to run Malwarebytes directly, so similarly right-click on any file on your computer, and “Open With” using the Malwarebytes executable from Program Files (not the installer).
  • Perform a quick scan and remove all the malware found. This should restore the .exe association on your computer.
  • Restart your computer in normal mode. Your computer should now be free of the XP Home Security 2011 virus.

And since your real anti-virus program is functional again, I would recommend that you update it and perform a full system scan of your computer, just to make sure all remnants of the trojan/virus have been purged.
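To confirm that the .exe association really was restored, the following added example (not part of the original post) checks the registry keys Windows uses to decide how .exe files are opened. It assumes the hijack lives in the standard file-association keys under Software\Classes, which the post does not name; the function names, the progid "xyz" and the sample values are made up for illustration.

```python
import sys

EXPECTED_PROGID = "exefile"
EXPECTED_COMMAND = '"%1" %*'   # Windows default: run the clicked file itself
HIVES = ("HKCU", "HKLM")       # per-user (HKCU) entries override machine-wide ones

def check_exe_association(read_default):
    """read_default(hive, subkey) -> default value of the key, or None if absent.
    Returns a list of findings; an empty list means .exe handling looks normal."""
    findings = []
    for hive in HIVES:
        progid = read_default(hive, r"Software\Classes\.exe")
        if progid is None:
            if hive == "HKLM":
                findings.append("HKLM: .exe association is missing")
            progid = EXPECTED_PROGID   # still inspect an exefile override
        elif progid.lower() != EXPECTED_PROGID:
            findings.append("%s: .exe is mapped to '%s', not 'exefile'" % (hive, progid))
        command = read_default(hive, r"Software\Classes\%s\shell\open\command" % progid)
        if command is not None and command.strip() != EXPECTED_COMMAND:
            findings.append("%s: '%s' open command is %r" % (hive, progid, command))
    return findings

def registry_reader(hive, subkey):
    """Read a key's default value from the live registry (Windows only)."""
    import winreg
    root = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}[hive]
    try:
        with winreg.OpenKey(root, subkey) as key:
            return winreg.QueryValueEx(key, "")[0]
    except OSError:
        return None

# Constructed sample of a hijacked profile; progid "xyz" is made up.
SAMPLE_HIJACKED = {
    ("HKCU", r"Software\Classes\.exe"): "xyz",
    ("HKCU", r"Software\Classes\xyz\shell\open\command"):
        r'"C:\Documents and Settings\<user name>\Application Data\iei.exe" "%1" %*',
    ("HKLM", r"Software\Classes\.exe"): "exefile",
    ("HKLM", r"Software\Classes\exefile\shell\open\command"): '"%1" %*',
}

if __name__ == "__main__":
    live = sys.platform == "win32"
    reader = registry_reader if live else (lambda h, k: SAMPLE_HIJACKED.get((h, k)))
    for line in check_exe_association(reader) or ["No .exe association tampering found"]:
        print(line)
```

On Windows the script reads the live registry; elsewhere it runs against the constructed sample so you can see what a hijacked profile reports.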
