11 Replies. Latest reply on Dec 29, 2011 6:08 AM by exbrit

    XP Antivirus 2012 - why did McAfee fail to find it?

      My PC became infected with a nasty programme called XP Antivirus 2012.  It stopped me getting to the internet and disabled a number of things, trying to get me to buy fraudulent antivirus software.  It looks like a Microsoft product!  McAfee was useless in finding it and removing it, and my definition file is fully up to date (I ran the update before a full scan twice!).  In the end, after luck to disable it, internet searching and some hours, I used free programmes from Malwarebytes and Microsoft to remove it, and more hours to undo the damage done.

       

      It is clear from google searching that this virus has been around for a few weeks.

       

      Why when free software finds it and removes it does McAfee not find it?  Remember I pay for McAfee.  Is it because you want people to pay for your virus removal service?  Not happy - you need to get this virus into your database and fast.

       

      Message was edited by: SamSwift - moving to Top Threats and adding category on 11/07/11 18:58:09 IST
        • 1. Re: XP Antivirus 2012 - why did McAfee fail to find it?

          I had an excellent detailed answer to this problem emailed to me by [email removed for privacy] but he doesn't seem to have published it to the community. The virus was actually removed by McAfee in the end but I had problems opening any programs and he gave a detailed description of how to overcome the problem.

           

          Message was edited by: Peacekeeper on 28/06/11 4:36:08 PM
          • 2. Re: XP Antivirus 2012 - why did McAfee fail to find it?
            spc3rd

            Hi fireird1900!

             

                 The particular malware you became infected with is likely a type of fake-alert anti malware (aka scareware), designed to make you think your computer has massive security issues.  The cretins who create these types of malware have one objective...to try and separate you from your money!  Often these programs bombard you with overlapping popups, telling you your computer has some lengthy list of infections and even pretend to perform a "scan" of your system.  (ALL of which is fake of course).  This malware has been around for quite a while and is often seen under many different names.

             

            There are a number of useful techniques for handling this type of situation which many of our distinguished moderators and other experienced contributors here can go into more detail about for you.  The unfortunate reality here is that most all of the major AV software providers, such as McAfee, Kaspersky, Norton (Symantec), etc. are not all that good at picking up on this type of malware.  For this reason, it is recommended that you have an anti-malware program, such as the FREE version of Malwarebytes, to supplement your primary AV software.

             

            (Just be sure not to use an anti-malware program which utilizes real-time scanning.  Running two security programs like that can cause some serious problems).  The Malwarebytes FREE version, as well as, some other free anti-malware programs can provide on-demand scanning and thus, help enhance your computer's security.  Hopefully, our moderators and other experienced forum contributors will chime-in on your post here with some additional, helpful information.

             

            Message was edited by: spc3rd on 6/27/11 6:39:44 PM EDT

             

            Message was edited by: spc3rd on 6/27/11 6:40:42 PM EDT
            • 3. Re: XP Antivirus 2012 - why did McAfee fail to find it?
              Hayton

              Moved out of Home & Home Office into Security Awareness (Home User Assistance).

              • 4. Re: XP Antivirus 2012 - why did McAfee fail to find it?
                Peacekeeper

                McAfee have updated Stinger to detect Fake AVs and are updating it daily. Note redownload required each run as does not auto update.

                http://www.mcafee.com/us/downloads/free-tools/fake-alert-stinger.aspx

                 

                Note this is a work in progress so if it does not work run MWB above and let McAfee/here know what was not fixed.

                • 5. Re: XP Antivirus 2012 - why did McAfee fail to find it?

                  Because the virus is very strong,

                  Fake XP Anti-Spyware 2012 Step-by-Step Manual Removal Instructions

                  1. Press Ctrl+Alt+Del to open Taskmanager and stop fake XP Anti-Spyware 2012 Process:

                  [random].exe

                  2. Remove fake XP Anti-Spyware 2012 associated files listed below:

                  %AllUsersProfile%\Application Data\[random]
                  

                  Link labelled dangerous by WOT removed by moderator

                   

                  Message was edited by: Ex_Brit on 30/06/11 8:55:41 EDT AM
                  • 6. Re: XP Antivirus 2012 - why did McAfee fail to find it?
                    exbrit

                    The best removal guide on the web is http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012

                     

                    The link you posted is labelled dangerous by My Web of Trust (WOT).

                    • 7. Re: XP Antivirus 2012 - why did McAfee fail to find it?

                      I thought it might help everyone if I told people how I removed it.

                       

                      This virus is very clever and damaging.  It stops you getting to the internet taking you instead to the website for the fake virus remover.  It is not touched by McAfee, it stops Malwarebytes working (which I already had on my PC), it damages windows updates, internet explorer addins and much more.

                       

                      It took me a long time to remove the virus and get my PC applications working properly again.

                       

                      With just the virus running I used Alt Ctrl Del to see what applications were running (applications tab).  In my case there was just a programme called MCR.exe running.  I used search to find it and then the McAfee shredder to shred the virus.

                       

                      Apparently the virus can have any random three letter name.  Apparently it can disable the alt ctrl del function and can stop the search from working.  It can stop itself from being deleted too.  Fortunately on mine I was able to find it and then delete it.  This gave me breathing space to get to the internet. 

                       

                      I went back to a restore point (but don't think this did anything)

                       

                      I deleted and reinstalled Malwarebytes:

                       

                      http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

                       

                      This was now working and found the virus components and removed them.

                       

                      Then I ran Microsoft Safety Scanner which also found a lot more bits and pieces to remove

                       

                      http://www.microsoft.com/security/scanner/en-us/default.aspx

                       

                      Rebooted and reran both of them again.

                       

                      Uninstalled and reinstalled Windows Update which was damaged - I had to delete files manually and run a special code to get it to work - which I can't now find instructions for; if I find them I will post.

                       

                      Reinstalled flash macromedia (had to manually enable it)

                       

                      Then reconfigured the machine.

                       

                      ________________________

                       

                      If none of this works here are widely quoted instructions for manual removal

                       

                      Delete registry values:

                      HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'

                      HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'

                      HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'

                      HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'

                      HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'

                      HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'

                      HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'

                      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'

                      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'

                       

                      Delete files:

                      %AllUsersProfile%\Application Data\u3f7pnvfncsjk2e86abfbj5h

                      %LocalAppData%\kdn.exe

                      %LocalAppData%\u3f7pnvfncsjk2e86abfbj5h

                      %Temp%\u3f7pnvfncsjk2e86abfbj5h

                      %UserProfile%\Templates\u3f7pnvfncsjk2e86abfbj5h
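
A read-only check for the registry tampering listed in the post above, as an added example that is not part of the original thread: it parses .reg-export text and flags a redirected .exe handler, a browser start command that launches a different program, and Security Center overrides. The sample input is constructed and the function names are this example's own.

```python
import re

# Constructed .reg-style sample modelled on the values quoted in the post (not from a real host).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"%LocalAppData%\\kdn.exe\" -a \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"%LocalAppData%\\kdn.exe\" -a \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
'''

EXE_CMD = re.compile(r'\\(\.exe|exefile)\\shell\\open\\command$', re.I)
BROWSER_CMD = re.compile(r'\\StartMenuInternet\\([^\\]+)\\shell\\[^\\]+\\command$', re.I)
NONZERO = re.compile(r'dword:0*[1-9a-f][0-9a-f]*', re.I)

def parse_reg(text):
    """Yield (key, value_name, data); '@' is the key's default value."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, data = line.split("=", 1)
            if data.startswith('"'):  # string value: undo .reg escaping
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            yield key, name.strip('"'), data

def first_program(cmd):  # lower-cased basename of the program a command line launches
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmd)
    return (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower() if m else ""

def find_hijacks(text):
    hits = []
    for key, name, data in parse_reg(text):
        exe, browser = EXE_CMD.search(key), BROWSER_CMD.search(key)
        # Stock exefile handler is '"%1" %*'; the .exe class normally has no handler of its own.
        if name == "@" and exe and (exe.group(1).lower() == ".exe" or data != '"%1" %*'):
            hits.append((key, "exe handler runs " + first_program(data)))
        elif name == "@" and browser and first_program(data) != browser.group(1).lower():
            hits.append((key, "browser started through " + first_program(data)))
        elif key.lower().endswith("\\security center") and name.lower().endswith("override") and NONZERO.fullmatch(data):
            hits.append((key, name + " is set"))
    return hits
```

Calling `find_hijacks()` on the text of a registry export returns a list of `(key, reason)` pairs; an empty list means none of these three patterns was present.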

                      • 8. Re: XP Antivirus 2012 - why did McAfee fail to find it?

                        This site helpfully posts advice on how to remove XP Antispyware 2012, Vista Antispyware 2012, and Win 7 Antispyware 2012, which are all versions of the same scareware. This is phony spyware that tricks you into believing you have a virus and offers to remove it if you buy the software, when, in fact, it is a virus itself. The instructions from www.bleepingcomputer.com walk you through downloading and running three free programs: FixNCR.reg (which will fix the registry changes which allow the virus to work), RKill (which will stop the virus from running) and Malwarebytes Anti-Malware (which will scan your computer for infections caused by malware like XP Antispyware 2012, Vista Antispyware 2012, and Win 7 Antispyware 2012 and remove them).

                         

                        However, there is a much easier way to remove malware and viruses that doesn't require you to download or use any other programs than one which is already included in Windows 7, Vista and Windows XP. Unlike the ones mentioned above it is almost foolproof and nearly always effective. It is called System Restore and, with the correct use of the program, it will solve your problems even if your computer is totally frozen by the malware or virus, even after rebooting.

                         

                        First, you will have to reboot in Safe Mode, so that the malware or virus can't block your access to System Restore. The viruses we are talking about here will not let you access System Restore in Normal mode. This requires you to reboot and tap the F8 key while booting in order to be able to select Safe Mode.

                         

                        Once you have rebooted into Safe Mode (this will take a while longer than a regular boot into Windows), you can use System Restore. There are a variety of ways to access System Restore: 1. Click on Start, Programs, System Tools, System Restore; 2. Click on Start, Settings, Control Panel, Help and Support, Undo changes to your computer with System Restore; 3. Click on Start, Run and then type restore or rstrui in the dialogue box and click on Run when you see System Restore as an option or click on rstrui.exe if you see this file. There are other ways to access System Restore which you can find on the Internet.

                         

                        Follow the on-screen directions for restoring your system to an earlier point in time. Windows creates system restore checkpoints at regular intervals and you should be able to select one. You may also create your own. You must go back to a date and time that was before the infection. This is a critical point in removing the malware or virus. It may be necessary to check "Choose a different restore point" in order to be able to choose an earlier date. Note that any programs you may have installed after that date will be uninstalled. However, you can always re-install them.

                         

                        Another important point to remember when using System Restore is to not interrupt the process or attempt to do anything else on your computer while it is working. System Restore can take a long time, especially when operating in Safe Mode. Not allowing System Restore to complete properly will likely corrupt your system registry and you will probably have to reinstall Windows as a new install, which will also require reformatting and losing all your data.

                         

                        This is, by far, the easiest way to remove malware and viruses from your computer.

                        • 9. Re: XP Antivirus 2012 - why did McAfee fail to find it?
                          exbrit

                          Good advice.  Thank you dac10012.
