Removing the Windows XP Repair scareware

Windows XP Repair is a fake system optimization and repair tool. It takes over the computer almost completely, and it’s a pain to remove. Worse yet, there’s at least one version floating around right now that no standard antivirus/antimalware tool I threw at it recognized.

Here’s how I removed it for someone.

First, boot the computer with no network cable plugged in and wireless turned off. After what appears to be a normal boot sequence, a window called “Windows XP Repair” will appear and do some official-looking stuff. Just let it run its fake system scan. Don’t worry about its warnings; they’re lies. All of them. There’s nothing wrong with your computer. At least, nothing that this do-nothing program will fix.

After it finishes and gives you some options, click on the “Activate” button in the lower right. It will give you a space to enter a registration code and an e-mail address. Any e-mail address will do: a@b.com, billg@microsoft.com, or whatever. Then enter this long, obnoxious number in the field marked registration code: 8475082234984902023718742058948. If you type that in right the first time, the people who wrote this software ought to pay you.

Now the program thinks you paid whatever criminal organization is behind this thing, and it will stop nagging you. Just close the program. If any new popups show up in the system tray, close them, then right-click on the icons they came from and click either Close or Exit.

To disable it, click Start, Run, and type C:\Documents and Settings\All Users\Application Data. You’ll see a couple of .exe files in there with random names and official-looking icons. (If Microsoft can ever track these people down, they should be able to sue them for trademark infringement.) You probably won’t be able to delete the files, but you can rename them. So rename them to something else.

Next, run Regedit. Navigate to the following keys and delete them:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = '/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:'
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = '1'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download "CheckExeSignatures" = 'no'
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use FormSuggest" = 'yes'
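
As an added example (not part of the original post), here is a short Python script that decodes the odd-looking LowRiskFileTypes value above: every character of the stored string is the real character with its lowest bit flipped (XOR 1), and decoding it reveals the list of extensions, including .exe and .scr, that this Attachment Manager policy would exempt from the “Open File - Security Warning” prompt. The extension-risk set in risky_entries is my own choice, not something the post specifies.

```python
# Added example, not code from the original post.
# Decodes the obfuscated LowRiskFileTypes registry value quoted above.
# Each stored byte is the real character XOR 1
# ('.' -> '/', ';' -> ':', 'z' -> '{', 'a' -> '`').
from typing import List

# The value exactly as it appears in the post's registry listing.
OBFUSCATED = ("/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:"
              "/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:")


def decode_xor1(text: str) -> str:
    """Undo the obfuscation by flipping bit 0 of every character.

    The transform is its own inverse, so the same call re-encodes.
    """
    return "".join(chr(ord(c) ^ 1) for c in text)


def low_risk_types(value: str) -> List[str]:
    """Return the extensions the decoded value would whitelist.

    HKCU\\...\\Policies\\Associations\\LowRiskFileTypes is the Attachment
    Manager "inclusion list for low file types": extensions listed there
    open without the security warning. Entries are ';'-separated.
    """
    decoded = decode_xor1(value)
    return [ext for ext in decoded.split(";") if ext]


def risky_entries(exts: List[str]) -> List[str]:
    """Flag executable-type extensions that should never be 'low risk'.

    The set below is an assumption for this example, not from the post.
    """
    executable = {".exe", ".bat", ".com", ".cmd", ".scr", ".msi", ".reg"}
    return [e for e in exts if e.lower() in executable]


if __name__ == "__main__":
    exts = low_risk_types(OBFUSCATED)
    print("decoded:", ";".join(exts))
    print("executable types marked low risk:", risky_entries(exts))
```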

Now reboot. The computer should come up normally. Once again click Start, Run, and type C:\Documents and Settings\All Users\Application Data. Delete the two exe files that you renamed earlier.

Now I urge you to download and run the Bit Defender Live CD and Microsoft Standalone System Sweeper to clean up any rootkits or any other payload this thing might have dragged along with it. And after you reboot, at bare minimum, visit ESET’s online scanner to get a second opinion about the system’s health. Then do it again tomorrow. These things change fast, and like I said, I pointed Microsoft Security Essentials right at the malware file, scanned it, and it came back clean. So it could pick up something tomorrow that it flagged as clean today. Viruses and malware change and travel faster than gossip.

Based on what I was able to find by scanning this particular computer, I think it used an exploit in an old version of Firefox, along with Java, to infect the system. I uninstalled Java, and I suggest you do the same. The only important thing I can think of that uses Java these days is OpenOffice, and I believe only part of the database module uses it. Frankly, as many exploits as there are for Java, and as infrequently as Oracle patches them, you’re better off going without Java. As for Firefox, keep it up to date.

There is some business software that does need Java, such as Oracle’s flagship database and some CA products. So if you have a server with Java on it, firewall it off so it can’t access the Internet.
