Windows XP Fix, Windows Vista Fix claims that you should pay for a license to the rogue program in order to fix system errors, clean your registry and protect your computer against new threats with software updates. It's probably one of the most annoying and troublesome scareware that we've seen so far. Windows XP Fix moves software shortcuts found in various directories to Windows temporary folder, specifically %Temp%\smtmp, %Temp% refers to Windows temporary folder. What is more, the rogue application adds +h or otherwise known as hidden attribute to some of your files on folders. It's obvious that Windows Vista Fix or Windows 7 Fix wants to make you think that your files were deleted because of critical hard drive and system errors but at the same time it states that they could be restored if you pay for a full version of the rogue software. To remove Windows XP Fix, Windows Vista Fix or Windows 7 Fix from your computer and restore your files, please follow the steps in the removal guide below.
Here are some examples of a warning pop-up windows from this rogue program:
First of all, do not delete anything from Windows temporary folder; otherwise you won't be able to restore your software shortcuts and some other files. I'm saying this because I know that some of you guys use CCleaner or similar software to remove files from %Temp% folder that could be associated with malicious software. Although, that's a good idea when it comes to computer viruses, but Windows XP Fix is an entirely different side of the story. But that's not all, Windows XP Fix, Windows Vista Fix, Windows 7 Fix or in some cases malware droppers install the TDSS rookit as well. It could be either TDL3 or TDL4 version of this rootkit which is probably the most sophisticated piece of malicious software that I've ever seen. I think it should be already obvious that it's very hard or even impossible to remove this rogue application and associated malware manually. You will have to use anti-malware software and TDSS rootkit removal tools, either TDSSKiller from Kasperky lab Norton TDSS removal tool. For more information, please follow the removal steps below.
Additionally, you can activate the rogue program by entering this registration code 8475082234984902023718742058948 and any email as shown in the image below.
Once this is done, you are free to install anti-malware software and remove the rogue anti-virus program from your computer properly. If you have any further questions, please leave a comment below. Good luck and be safe online!
Related malware:
Windows XP Fix, Windows Vista Fix or Windows 7 Fix removal instructions:
1. First of all, you need to unhide the files and folders. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter cmd and hit Enter or click OK.
At the command prompt, enter attrib -h /s /d and hit Enter. Now, you should see all your files and folders. NOTE: you may have to repeat this step because the malware may hide your files again.
If you still can't see any of your files, Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter explorer and hit Enter or click OK.
2. Open Internet Explorer. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter iexplore.exe and hit Enter or click OK.
Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
3. Open Internet Explorer and download TDSSKiller or Backdoor.Tidserv Removal Tool. This malware usually (but not always) comes bundled with TDSS rootkit. Removing this rootkit from your computer is very important (if exists). Run TDSSKiller or Backdoor.Tidserv Removal Tool to remove the rootkit.
Alertane Windows XP Fix, Windows Vista Fix or Windows 7 Fix removal instructions:
1. First of all, you need to unhide the files and folders. Select Run... from the Start Menu or just hit the key combination CTRL+R on your keyboard. In the Open: field, enter cmd and hit Enter or click OK.
At the command prompt, enter attrib -h /s /d and hit Enter. Now, you should see all your files and folders. NOTE: you may have to repeat this step because the malware may hide your files again.
2. The rogue application places an icon or your desktop. Right click on the icon, click Properties in the drop-down menu, then click the Shortcut tab.
The location of the malware is in the Target box.
On computers running Windows XP, malware hides in:
C:\Documents and Settings\All Users\Application Data\
NOTE: by default, Application Data folder is hidden. Malware files are hidden as well. To see hidden files and folders, please read Show Hidden Files and Folders in Windows.
Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmark from the checkbox labeled:
- Hide extensions for known file types
- Hide protected operating system files
Click OK to save the changes. Now you will be able to see all files and folders in the Application Data directory.
On computers running Windows Vista/7, malware hides in:
C:\ProgramData\
3. Look for suspect ".exe" files in the given directories depending on the Windows version you have.
Example Windows XP:
C:\Documents and Settings\All Users\Application Data\24436516.exe
C:\Documents and Settings\All Users\Application Data\jTNIGvyiwfxUlB.exe
Example Windows Vista/7:
C:\ProgramData\24436516.exe
C:\ProgramData\jTNIGvyiwfxUlB.exe
Basically, there will be a couple of ".exe" file named with a series of numbers or letters.
Rename those files to 24436516.vir, jTNIGvyiwfxUlB.vir etc. For example:
It should be: C:\Documents and Settings\All Users\Application Data\24436516.vir
Instead of: C:\Documents and Settings\All Users\Application Data\24436516.exe
4. Restart your computer. The malware should be inactive after the restart.
5. Open Internet Explorer and download TDSSKiller. This malware usually (but not always) comes bundled with TDSS rootkit. Removing this rootkit from your computer is very important (if exists). Run TDSSKiller and remove the rootkit.
6. Download free anti-malware software from the list below and run a full system scan.
NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
7. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET Smart Security.
Associated Windows XP Fix, Windows Vista Fix or Windows 7 Fix files and registry values:
Files:
Windows XP:
- %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS]
- %AllUsersProfile%\Application Data\[SET OF RANDOM CHARACTERS].exe
- %UsersProfile%\Desktop\Windows XP Fix.lnk
- %UsersProfile%\Start Menu\Programs\Windows XP Fix\
- %UsersProfile%\Start Menu\Programs\Windows XP Fix\Windows XP Fix.lnk
- %UsersProfile%\Start Menu\Programs\Windows XP Fix\Uninstall Windows XP Fix.lnk
%UserProfile% refers to: C:\Documents and Settings\[User Name]
Windows Vista/7:
- %AllUsersProfile%\[SET OF RANDOM CHARACTERS]
- %AllUsersProfile%\[SET OF RANDOM CHARACTERS].exe
- %UsersProfile%\Desktop\Windows Vista Fix.lnk
- %UsersProfile%\Start Menu\Programs\Windows Vista Fix\
- %UsersProfile%\Start Menu\Programs\Windows Vista Fix\Windows Vista Fix.lnk
- %UsersProfile%\Start Menu\Programs\Windows Vista Fix\Uninstall Windows Vista Fix.lnk
%UserProfile% refers to: C:\Users\[User Name]
Registry values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
0 comments:
Post a Comment