XP Security 2011
XP Security 2011 is one of many rogue security applications, and it sticks to the traditional strategy of scaring the PC user with large numbers of fake scanner results and pop-up warnings. Although XP Security 2011 tells you to pay registration money to make all these issues go away, XP Security 2011's very presence on your computer is a significant security risk. XP Security 2011 may block anti-malware and general security programs from running and is known to hijack web browsers. Deleting XP Security 2011 with suitable anti-malware software is the only realistic choice if you want to be rid of these symptoms.
XP Security 2011 is a Threat with an Accommodating Naming Scheme
XP Security 2011 is just one of many faces displayed by a single rogue security program. XP Security 2011 switches its name to suit the PC it infects – you will not see XP Security 2011 on a Vista computer, but you might see Vista Security 2011! In addition to changing the operating system and optionally leaving off the year tag, XP Security 2011 can also alter the middle description word, so XP Security 2011, XP AntiSpyware 2011, Vista AntiVirus, Vista Security and Win 7 Security 2011 are all possible names for the same rogue security program.
The dangers from XP Security 2011 begin with fake warnings and error messages about serious infections, such as the examples below:
“Privacy Threat!
Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.”
“Stealth intrusion!
Infection detected in the background. Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perform a security scan and deletion now.”
XP Security 2011 reports that it is turned off. Antivirus software helps protect your computer against viruses and other security threats. Click Recommendations for suggested actions you can take.
“Windows Security Center
XP Security 2011 reports that it is currently turned off. A firewall helps to protect your computer from potentially harmful content on the Internet. Click Recommendations to learn how to fix this problem.”
“XP Security 2011 Firewall Alert!
XP Security 2011 has blocked a program from accessing the Internet.
Internet Explorer is infected with Trojan-BNK.Win32.Keylogger.gen. Private data can be stolen by third parties, including credit card details and passwords.”
You're safe in ignoring these warnings, since XP Security 2011 is making up these threats to cajole you into giving money to the criminals that seed XP Security 2011 around the web. Unfortunately, many of these alerts may be used to block programs from running, preventing you from using anti-malware scanners or Windows diagnostic applications.
XP Security 2011 also has a more dangerous web browser-attacking side. Popular web browsers may be corrupted by XP Security 2011 to launch a malicious version of themselves that enables hijacking functions like the display of this message:
Internet Explorer alert. Visiting this site may pose a security threat to your system!
Possible reasons include:
- Dangerous code found in this site's pages which installed unwanted software into your system.
- Suspicious and potentially unsafe network activity detected.
- Spyware infections in your system
- Complaints from other users about this site.
- Port and system scans performed by the site being visited.
Things you can do:
- Get a copy of XP Security 2011 to safeguard your PC while surfing the web (RECOMMENDED)
- Run a spyware, virus and malware scan
- Continue surfing without any security measures (DANGEROUS)
This fake warning is used to prevent the user from accessing anti-malware and other useful resource websites. Unless you stop this rogue security program from running in the first place, you may be unable to access the online resources required to delete XP Security 2011.
Securing Your PC from XP Security 2011
You can detect XP Security 2011 active in memory as an executable whose name is three randomized letters, but stopping XP Security 2011 from running can be difficult – XP Security 2011 launches automatically whenever another executable is launched, because it registers itself as the open command for .exe files (see the Registry Modifications listed below). In some cases, you may want to register XP Security 2011 for free with this key: '1147-175591-6550.' This may cause the PC threat to tone down its attacks, making it simpler to remove XP Security 2011.
Due to Registry corruption and other complexities, removing XP Security 2011 is better done by automated software than by manually deleting files. A reboot into Safe Mode may prevent XP Security 2011 from launching in many cases and even allow clean Internet access if you use the Networking version of this boot option. With access to the latest updated anti-malware software, you can be sure of deleting XP Security 2011 down to the very last Registry entry without any further problems.
File System Modifications
- The following files were created in the system:
1. %AppData%\ave.exe
2. %Documents and Settings%\[AllUsers]\[RANDOM CHARACTERS]
3. %Documents and Settings%\[AllUsers]\Application Data\[RANDOM CHARACTERS]
4. %Documents and Settings%\[UserName]\Local Settings\Application Data\[RANDOM CHARACTERS].exe
5. %Documents and Settings%\[UserName]\Templates\[RANDOM CHARACTERS]
6. %Temp%\[RANDOM CHARACTERS]
7. %Temp%\pw.exe
8. %UserProfile%\AppData\Local\MSASCui.exe
9. %UserProfile%\AppData\Local\opRSK
10. %UserProfile%\AppData\Local\pw.exe
11. %UserProfile%\Local Settings\Application Data\MSASCui.exe
12. %UserProfile%\Local Settings\Application Data\opRSK
13. %UserProfile%\Local Settings\Application Data\pw.exe
14. %UserProfile%\Start Menu\Programs\XP Security 2011
15. C:\Documents and Settings\[USERNAME]\Local Settings\Application Data\ave.exe
16. C:\Documents and Settings\[USERNAME]\Local Settings\Application Data\y7V11
17. C:\Documents and Settings\[USERNAME]\Local Settings\Temp\y7V11
18. C:\Documents and Settings\[USERNAME]\Templates\y7V11
19. C:\Documents and Settings\All Users\Application Data\y7V11
20. C:\WINDOWS\Prefetch\AVE.EXE-3098ECAE.pf
Registry Modifications
- The following Registry values were newly created:
Subkeys:
- HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "%1" %*
- HKEY_CURRENT_USER\Software\Classes\pezfile
- HKEY_CURRENT_USER\Software\Classes\pezfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "%1" %*
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "XP Security 2011"
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
Registry keys:
- HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "%1" %*
- HKEY_CLASSES_ROOT\pezfile
- HKEY_CLASSES_ROOT\pezfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "%1" %*
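The registry values above are what start the rogue whenever any program or browser is opened, and what silence the Security Center. The following Python script is an added example, not part of the original write-up: it audits the text of an exported .reg file for those redirections and overrides. The sample export, the profile name "user" and the clean entries in it are constructed for illustration.

```python
import re

# Constructed sample in `reg export` format, modelled on the values listed above.
# The profile name "user" and the clean entries are assumptions for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\pw.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\pw.exe\" /START \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="C:\\Program Files\\Mozilla Firefox\\firefox.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000000
'''

# Locations a limited user can write to; a shell handler living here is suspect.
USER_WRITABLE = re.compile(
    r'(?i)(%userprofile%|%appdata%|%temp%|\\application data\\|\\appdata\\'
    r'|\\local settings\\|\\templates\\)')
OVERRIDES = {"antivirusoverride", "firewalloverride"}


def _unescape(s):
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse exported .reg text into {key: {value_name: data}}; '@' is (Default)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        current[name] = data
    return keys


def first_executable(command):
    """Return the program that a shell command line actually starts."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r'(?i)(.+?\.exe)\b', command)
    return m.group(1) if m else command.split(" ", 1)[0]


def audit(keys):
    """Return (kind, key, detail) findings for the changes described on this page."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\command") and "\\shell\\" in k and "@" in values:
            exe = first_executable(values["@"])
            if USER_WRITABLE.search(exe):  # handler runs from a user profile
                kind = ("browser-launch-hijack" if "\\startmenuinternet\\" in k
                        else "file-association-hijack")
                findings.append((kind, key, exe))
        if k.endswith("\\microsoft\\security center"):
            for name, data in values.items():
                if name.lower() in OVERRIDES and data == "1":
                    findings.append(("security-center-override", key, name))
    return findings


if __name__ == "__main__":
    for kind, key, detail in audit(parse_reg(SAMPLE_REG)):
        print(f"{kind:26} {key}\n{'':26} -> {detail}")
```

Files written by `reg export` or regedit in the "Version 5.00" format are UTF-16, so open them with `encoding="utf-16"` before passing the text to `parse_reg`.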
Additional Information on XP Security 2011
- The following domains were detected:
- The following messages were detected:
1. System danger!
Your system security is in danger. Privacy threats detected. Spyware, keyloggers or Trojans may be working the background right now. Perform an in-depth scan and removal now, click here.
2. System Hijack!
System security threat was detected. Viruses and/or spyware may be damaging your system now. Prevent infection and data loss or stealing by running a free security scan.
3. XP Security Tool 2011 ALERT
Internet Explorer alert.
Visiting this site may pose a security threat to your system
The PW.exe process can not be killed in task manager and the file can not be removed while the process is active. I did a REGEDIT search for pw.exe and deleted 2-3 instances that were mentioned, did a hard power-down (not giving the process the ability to re-install upon shutdown), rebooted and deleted the PW.exe file. All seems good now.
I am having this problem, but the process name is different and none of the stuff here is helping me.
The process that is causing me problems is: llr.exe
It brings up this XP Security 2011 every time I try to use an internet browser as well as several system things.
I can find anything else. And as far as I can tell there isn't an llr.exe anywhere on my computer that search is checking (and I already having it check hidden files). I also didn't find any weird registry items where this said they would be.
But whatever it is, it is claiming to be XP Security 2011.
in my case it was file aip.exe.
other than that, everything else seems to be the same
I am afraid there is a new version of this virus. Unfortunately I was not able to find an antivirus to remove it but just restored the system from backup.
Here is my experience with all the advice I found:
-Spyware Doctor did not detect it at all
-regarding manual removal of processes, files and registry entries: there was no process 'pw.exe or MSASCui.exe', I found another one mcn.exe but ending it did not stop the malware from running; there were no files named as listed above and as for registry entries, I found only few of them (those with [browser]override) but nothing with 'pezfile' and I am too weak an IT 'specialist' to remove anything from registry unguided
-I tried with Malwarebytes, but as pre-warned the setup did not launch and renaming the file on another PC did not help at all
-I tried Trojan Killer, it seemed to have detected something similar in registry so I purchased it but it did not remove it either
-tried with few more antimalware softwares found somewhere to be supposed to be able to deal with the bug but they did not launch or did not detect the bug
I am writing it because most sites advertise Spyware Doctor as a perfect solution but it seems to be too weak for the current version so some new advice would be appreciated.
Folks, I found the little bugger with the updated version. Look for alk.exe go in safe mode and delete it out of the registry. Also kill it in a file search. Unfortunately this killed my access to the registry (How the computer identifies what program to execute the registry as, should be a simple fix)... but killed the virus thus far. It was embedded in several places including IE execution. Anything with an alk.exe nomenclature I killed (deleted). Make sure you don't delete anything like googletalk.exe as a Ctrl+F with alk.exe would also find googletalk.exe. I also found one instance of PW.exe and killed that (actually deleted everything in that part of the registry... there were four items and I believe to be part of the source of this little bastard). I hope this helps everyone who is having trouble with this pain in the ass virus.
I GOT INFECTED 3/29/2011 AND SIMPLY REMOVED IT BY DOING A SYSTEM RESTORE TO 3/28/2011. JUST FINISHED DOING THAT AND EVERYTHING APPEARS FINE.
I got this virus the other day and I did a system restore back three months, everything looks wonderful I'm no longer getting pop ups and it appears to be gone except I can no longer use my Internet, my computer says I'm connected but explore says I'm not and firefox won't even load. Help please.
I found that this virus only seems to show its face when I log into one of the user accounts on my machine (my user account). On the rest of them I'm free to use the internet and any other program without it cajoling me to download the Malware. This way I can get the software to fix it without the safe mode route. However, I've not had any success in finding anything mentioned above. I stopped a process called enl.exe on my login, but haven't found anything related since, even though the virus reappears whenever I login to my account.
I have purchased Best Malware Protection. I do not have a receipt and I think I have paid for it twice. I cannot access a security or password key. Each time I try to ask for these I am sent screens with different packages to buy. All I want to know is how do I activate the system I have just bought and have spent the last four hours trying to find the keys to get into
My daughters computer is infected, running winxp pro, blue screens when i try to enter safe mode, sec 2011 will not permit internet access, tried a thumb drive and s2011 stops it, this virus is well done, road blocks many avenues, if i had made this one i would be watching to see what solutions are blogged and act to stop, i wonder how much money the creators are making on this scam.
I have been unable to open any programs whatsoever since my computer became infected. I can't access system restore. I can't access the registry. I am going to try rebooting in networking mode to see if that helps (the virus operates in safe mode). Otherwise it looks as though I'm going to have to format my hard drive.
Yup, I have the same as above. Can't open any programs, search, registry, system restore, etc. Can open programs only through the backdoor by clicking on an associated file...
Just now rebooted in safe mode with networking which guided me to a system restore to a previous date. Set it back a week and everything is back to normal. Keep your fingers crossed.
Thanks to all the previous commenters for your help!
I am having the same problems as mentioned above..if all you can access is your desk top try this to at least get to the internet
on your keyboard hold down the windows symbol (it is right beside the alt key) and the r key at the same time so that is the windows symbol on your key board and the r key a small box will come up at the bottom of your screen. Type in http://www.yahoo.com and that at least got me to the internet.
I have tried all the other spyware, malware, antivirus and nothing stops this devil of devils..I have no idea how to reformat or even what it means..and if I buy another pc...this virus could hit me again and again..the question is..is there anything to prevent this monster from hitting us in the first place??
thanks
Nancy Ontario
the bugger was in a system folder called:
C:\WINDOWS\1386
i have deleted the contents of the folder, but when i go up to delete the actual folder in the windows folder i can't find it???
am having a nightmare with this. can't open any file whatsoever, regedit, system restore or any browser. tried in safe mode as well. can't find any of the above file names in file search.
most are fixing using system restore so how come i can't access it? i keep getting the 'choose which programme to open with' box and nothing will work.
GRRRRRRrrrrrrrr
ahhhhhh as i type (using another machine btw) my file scan for alk.exe has brought up a file named sidewalk.
C:\WINDOWS\1386\support\tools\support.cab
will keep you posted!!
In my case, when I am trying to do a clean install of windows after being infected, I end with a blue screen that tells me to remove newly attached hardware and if don't have a newly attached hardware then scan my computer for viruses and remove them before trying to install windows again.
I haven't installed any new hardware, but I have never had a problem formatting the hard drive before or installing windows from boot.
Is anyone having the same problem or knows the way around it?
I have been hit a few times with these type of viruses and every time the newer version is harder to remove!!! Anyway, I contracted this virus from a website called "Let me watch this" It's a site with pirated copies of movies, etc... some of the links are legit and some are not!!! I try to stick to MEGAVIDEO links but occasionally I'll take a chance and select a different one where I'd get infected. Anyway, I learned to protect my PC this way:
After I made a complete virus removal (back then it was "WINOWS LIVE ANTIVIRUS"), I created a new PC account but as a restricted user and I only use this account to surf the net and even watch movies, tv shows, etc. Anyhow, the virus is still capable of installing itself while I'm in this "safe" user account. All I have to do is log off from that account and then log in as an administrator. Under this account, I'm able to locate and destroy the virus which is ALWAYS associated to the "restricted" account as the PC is 100% functional. Every member of the family must have a "restricted" user account and you can log in as an administrator whenever there's a problem BTW, you cannot install software under this account but the type of virus on this forum is very sneaky. Don't worry, your administrator account is pretty safe (so far for me anyway).
Sometimes the virus version is too new for my antivirus software to detect it but after a few days, they're able to provide the fix with an update so don't be discouraged if your antivirus software cannot find the virus but you know you are infected (in the "restricted" account)... after a few days, you'll be all good.
Hope this helps...
I got this virus a few days ago. It first started with me typing in paypal, then it went to Gimmee answers or something similar.
I have tried system restore in safemode networking, it opened the programme, but because I don't use the computer that much, there were no restore points.
I use it when I need to print paypal postage for my ebay items as I can't install the printer to my laptop.
Can anybody recommend a programme I can download for free to my laptop, so I can put it on a sd card and download it onto my infected pc.
I'm not at all IT literate and need something simple.
I now can't use the infected pc at all. Today it won't boot up properly, not even in safe mode. It says something about system is corrupted and I need to reinstall windows xp, then hit the repair button.
Looks like a reformat is in order.
I got a BIG problem... XP Security 2011 do NOT allow me to open any application on my computer. I can't open internet, my anti-virus, fire wall... all my game too can't open so I can't download Spy Hunter and Windows task manager. The only thing I can open is Microsoft Office, Padnote and all Documents. (At the moment I'm on my brother computer)
I have try to delete file 1 by 1 by going in the location of the file but No file and no Hide File. I got totally No idea what to do.. I need help.
I’d like to add that you may have to go to your control panel, in the folder options-> view tab, show hidden files and folders, and uncheck ‘hide protected operating system files’
A couple of rogue files on my computer were both hidden and disguised as protected OS files. Specifically two here: C:\Documents and Settings\[USERNAME]\Local Settings\Application Data\ave.exe
%Documents and Settings%\[UserName]\Local Settings\Application Data\[RANDOM CHARACTERS].exe
I found this malware under a different name: JKR.EXE. I killed the process and removed all the mentions of it in the registry of the machine. Also I found it as C:\WINDOWS\JKR.EXE-341525DE.pf. I removed that one as well...
@Kelly - You're a genius! I was looking at hidden files but I didn't think to make sure that I had unchecked "hide protected operating system files". I've deleted the file now and it appears that I have function over my computer again. THANK YOU!
Also - the malware process I found was called "jcr.exe" and was located under C:\Documents and Settings\[username]\Local Settings\Application Date\jcr.exe . Everything seems to be working now, which means that I can FINALLY load a spyware cleaner that should remove the registry files for me too.
Got this damn thing last night and spent all day chasing it and the only thing that I have found was an extension dhn.exe. Shutting down the process allows me to connect to the Internet at least but when I delete the file( which shows being created when I got attacked) it gives me a win32 error on most applications but the xp is gone
i can not figure this thing out!! i can't get on internet explorer. i had to open up road runner just to get online. xp home security has blocked me from getting into control panel, can't start in safemode... please help!! i finally got norton to scan and had 26 virus'. i went to actual file names and deleted them from search and still have xp home security. it has blocked me from everything on my comp. if i download spyware i can't open it.. plz plz help!!
iwan same guys help how to datel MS Removel too can you told me how too do?
I'm having the same problems as everyone else on my older computer that has Win XP. Has any agency found out who is scamming us? And, if so, what is being done about it? Will log on again from this computer (sadly, using Vista) if I find some software that does the trick...
We found that the virus had re-named itself wlc.exe
I have this virus now but I don't know how to restore my system. Can anyone tell me the steps to restoring my system. I know nothing about this kind of stuff so please explain in detail. I appreciate any help I can get. Thanks
I was going to head on Facebook and the link from Google changed to Gimmie answers and from there on I have been infected, I don't have any of the files in 'Processes' does anyone know a good free program that I can download? I would very much appreciate the help.(I can still open programs like World of Warcraft, they run very slow but they open eventually; also When I hit Start>All Programs, it says Empty, when I do Start>My Computer> it says 51 hidden. All my Short cut icons are transparent, (See through) except for 'Recycle Bin' and 'My Bluetooth Places.'
Help!!!! I don't know what to do. I have the same problem except I can't get into anything at all. What do I do?
Do what Kelly says (^^2011-04-12^^) worked for me, hopefully it will for you too. G'luck!
This is the most insidious virus I've ever come across, has embedded itself in my registry editor, programs, start up, system restore and safe mode. I am only still able to access the internet through Google Chrome. Malwarebytes finds it, repairs it, comes up clean, and then I run it again and it finds more of it. I have tried everything I can and then some with the help of some very knowledgeable puter gurus. The 2011 version is the worst. My puter guy is coming to pick up my system on Tuesday with direction to wipe and reformat. This really sucks.
I was hit yesterday (22 May 2011)
I did above cleaning instruction to my Registry.
The virus was gone, but I cannot run all my .exe program including regedit, system restore, explorer. When you're inside it, it's OK,
I tried to restart my PC, running .exe program still failed !
Maybe I hit the wrong registry entry.
Fortunately, I found, I can enter my Windows Explorer through Control Panel and click Folders.
Then I can start Firefox by right clicking any html on my disc and open with Firefox.
I can Google and I found a registry fix called EXEFix.reg I run it and Voila,
everything back to normal.
Kelly you were spot on, my random characters were (on 27th May) nsc.exe. Got it!
How can we find out who is doing this? I think they need to be prosecuted for cyber terrorism. My computer seems unfixable.
This virus is horrible, i don't want to wipe computer because i have valuables, too much to hold on any external information holder. I've been fighting with it for about 3 days now. soon enough i'll have to completely restore, because i doubt i'll find its source. This thing is hidden like no other, it can re-install itself after you have deleted it. 🙁 at early stages i was able to open regedit and other exe files. should have realized this was serious sh**. For everyone else who has this or will get it in the future, this is no easy fix virus. this is made by a professional without a doubt. all you can do is brainwash your PC to nothingness and start from scratch again. If you find how to manually delete this virus, you are God. Good luck everyone...
help! my pc is infected as i type...am unable to do anything...except start up pc..the internet is unable to run browser..how do i remove virus?
Dearests! The new XP Security 2011 virus is more sophisticated: it blocks EVERYTHING on the PC. That is there's NO System Restore, No System Recovery, McAfee stops working or tells you that your PC is perfectly protected. You can't open ANY programs you have on your PC. Internet is naturally blocked and you get some threatening messages urging you to buy their anti-virus programs. But what is interesting is that they DON'T BLOCK BANK SITES!!!
Be careful! I know how to fight these m....ers: take your PC to the nearest dumpster and buy a Mac! I love this world! Your PCs get attacked by those who are supposed to protect your PCs. By spreading viruses they force you to buy new software from them. Why do we (users) tolerate what they're doing to our computers? I'm sick and tired of this situation. I
I discovered a new simple fix you can all use
Make sure you have at least 2 internet browsers accessible from desktop. I was using google chrome when I got attacked. It opened a website which zone labs warned me about being suspicious and I went to it anyhow- It said it was trying to make changes to host....My mistake. Today, I happened to have opened up internet explorer which worked without being attacked by virus. This time, zone labs caught the virus trying to access the host again and I denied it and now it is quarantined and both browsers are free and clear of virus
Zone labs could have saved me first time, it definitively saved me the second time.
Hi All,
Just managed to fix the XP 2012 antivirus problem. I had adaware, spybot and norton all running still no luck. This is what I did. First, disconnect your lan cable, as the spyware will go online to retry to download and embed itself. Then, turn off pc and restart in safe mode, (hit f8 while pc is starting). when in safe mode, go to start>run, then type msconfig. go to the very end tab labelled tools and click on it. Scroll down and you will see an application called system restore. highlight it and hit launch button underneath. set a system restore date as far early as you can. once the pc has relaunched, load and run any good antivirus (I used spybot). run the program to detect and delete any remaining traces of virus. repeat a couple of times. then reconnect pc back onto internet.
I HAVE IT AS WELL. Here is what it's done: It has blocked my disk space and removed all large files from my desktop. like pictures, MS Office spread sheets, etc. Some of the icons are there, some are not. Yep, I've run all the spyware/malware/worm fixes, etc, and cleaned about 225 files.
If I try to download a photograph or other large file it says my disk is full, but it isn't even half full.
If I try to save and overwrite a lost file on my desktop it says it's already there, but it isn't.
Any help?
Thanks in advance.
helpppp !!!!!!!!!!!!!! my laptop doin the same EXACT thing !!!! it won't let me open anything because of XP security 2012 .. i need answers
When I try to download anything to get rid of that stupid ad.yieldmanager I get a pop up saying my security settings will not allow that. How do I circumvent this? OK Thank you