XP Security 2012 is another clone of rogue antivirus program that penetrates the system by pretending to be a software update. This software employs scan and detect process though it generates own result to delight computer users. In reality, XP Security 2012 is a fake program without any functional features. Graphical User Interface displays elements like Internet Security, Personal Security, Proactive Defense and Firewall but none of these will perform when a real virus attack takes place.
The malware came from the family of rogue program that name itself based on the detected victim’s operating system. Other members include Win 7 Antivirus 2012, XP Antispyware 2012 and XP Internet Security 2012 among others. All of them bear identical skins in which the image is attached below. Trojans are usually responsible in bringing these fraud programs inside the computer without your notice. Internet browser vulnerabilities and security flaw is the most common target to intrude one’s PC.
Graphical User Interface (GUI) of XP Security 2012
Once XP Security 2012 is inside the system, it shortly alters registry settings to gain overall control of the computer and performs the following:
- Block access to Internet, particularly security web sites
- Kill processes that belongs to security software like antivirus and firewall
- End any running application
- Download additional malware from a distant host
Lastly, XP Security 2012 will show off a bunch of security warnings stating several threats on the computer. There is nothing to worry about this situation. As stated earlier, rogue software uses this method to encourage victims into purchasing the registration key. However, it is urgent to remove XP Security 2012 with the help of authentic security software.
| Type | Rogue |
| Sub-Type | FakeAV |
| Aliases | Vista Security 2012, Win 7 Security 2012 |
| OS Affected | Windows XP |
| Detected By | MalwareBytes |
What are the Symptoms of XP Security 2012?
While XP Security 2012 is installed, it will launch on every Windows start-up. It takes advantage of this situation to run fake system scans and scare users by manipulating the result.
Every attempt of user to run installed application, this malware will block the process and declare that the file is infected. For example, when executing Notepad, it will show a misleading fake alert message like this:
XP Security 2012 Firewall Alert
XP Security 2012 has blocked a program from accessing the internet.
Notepad.exe is infected with Trojan-BNK.Win32.Keylogger.gen
Private data can be stolen by third parties, including credit card details and passwords.
Automatic Removal of XP Security 2012
STEP 1 – Registration
It is important that you enter the provided serial number and register XP Security 2012. While running in full version, you may take back Internet access previously blocks by the malware. It is common for rogue program to prevent infected computer from browsing the web to avoid downloading of removal tool.
A) To enter the registration code, click on “Registration” located at the top of XP Security 2012 console.
B) On registration box, click on “Manual Activation” and type any of the following key below on the box labeled Reg key: . Then click on “Activate Now.”
3425-814615-3990
1147-175591-6550
C) Once activated, XP Security 2012 will attempt to remove detected threats. After that, it will also update the program. These process will take a while. You may cancel “Removing… and “Updating…” process and proceed with the actual removal immediately.
Now that XP Security 2012 is running in full version, your computer will work normally even with the presence of the malware. Accessing the Internet will not be a problem and you can now download the removal tool as on next step.
Step 2 – Download Removal Tool
A) Download the removal tool and save it to any location on your hard drive. For quick access, it is recommended to save on your desktop.
B) After downloading, locate the file and double-click to install. If unable to execute, right-click on the file and select “Run as Administrator.”
C) Install the program with default configuration. No changes is required during the installation process. It will open and update the database afterwards.
Step 3 – Restart Computer in Safe Mode
A) From an OFF mode, turn on the computer and before Windows logo begins to load, press F8 on your keyboard.
B) Windows will display Windows Advanced Options Menu. Select Safe Mode from the option. While on Safe Mode, Windows will only load minimal files and registry enties excluding malicious components created by XP Security 2012.
Step 4 – Scan and Remove
A) While on Safe Mode of Windows, locate the installed removal program. Double-click to run it.
B) Choose the option where you can provide full scan on the computer. Doing full scan is necessary to find all files and registry entries that are related to XP Security 2012.
C) Once finished scanning, it will display all detected threats. Mark all items with check and click on “Remove Selected.” The program will prompt you to restart the computer, please do so.
IMPORTANT! Proceed to Step 3 of Manual Removal below to remove Rootkit Trojan associate with this malware.
How to Remove XP Security 2012 Manually
Step 1 – Fix Windows Registry and Delete Files
A) Press F8 on keyboard as soon as you turn on the computer. Select Safe Mode from the list. This method loads only minimal resources of Windows.
B) There is a possibility that the malware will prevent your from running executable files. XP Security 2012 also made changes to Windows registry that will launch a fake pop-up alerts when you attempt to run any programs. We need to resolve this issue by downloading the following file to fix the registry
FixReg-XP.reg (http://file-download.im-infected.com/FixReg-XP.reg)
Note: If malware prevents you from downloading the file, please get it using a separate clean computer. Transfer the file to an infected unit using optical disc such as CD and DVD, flash drive, external hard drive or memory modules.
C) Delete Windows registry entries. It is important to BACKUP YOUR REGISTRY FIRST.
- On Windows Start Menu, Click Start > Run. Alternatively, you can press [Windows Key] + R on your keyboard.
- Type in the field, regedit
- Find and delete the following registry entries
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1' HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kjt.exe" -a "%1" %*' HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kjt.exe" -a "%1" %*' HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kjt.exe" -a "%1" %*' HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kjt.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"' HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kjt.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode' HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kjt.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"' HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1' HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'
D) Files related to XP Security 2012 must be deleted:
- Browse and delete malicious files below.
- Some files cannot be deleted instantly. Press Ctrl+Alt+Del to open Windows Task Manager, look for any virus-related files mentioned on this page and highlight it, click End Process. Try to delete the file once more.
C:\Documents and Settings\Local Settings\Temp\(random folder)\kjt.exe C:\Documents and Settings\All Users\Application Data\MKLOKI9065HJU34NMKOPP09OLST C:\Documents and Settings\Local Settings\Application Data\MKLOKI9065HJU34NMKOPP09OLST C:\Documents and Settings\Local Settings\Application Data\kjt.exe C:\DOCUMENTS AND SETTINGS\LOCAL SETTINGS\Temp\MKLOKI9065HJU34NMKOPP09OLST C:\Documents and Settings\Templates\MKLOKI9065HJU34NMKOPP09OLST
Note: MKLOKI9065HJU34NMKOPP09OLST and kjt.exe can be any random characters. The malware uses random file name whenever it is installed on the system.
Step 2 – Run Antivirus Program
A) You must be connected to Internet to be able to update your anti-virus program. This is needed to have the latest database available and detect newer threats. Some antivirus programs update itself on a regular basis. There is also an option for manual update through the console of antivirus application.
B) Once updated, thoroughly scan the computer and clean or delete all detected threats. If your AV software is unable to delete malicious files, better put them into quarantine.
Step 3 – Remove the Rootkit Trojan
Rootkit Trojan are the one responsible why your system is infected with XP Security 2012. This is also liable for most of the irregularities happening to your computer. Failure to remove rootkit Trojan may reinstate other infections including the rogue security application.
A) First, you need to download TDSS Killer from this location:
http://support.kaspersky.com/faq/?qid=208280684
Copy and paste the link to your browser. Once you are on the legitimate page of anti-rootkit, follow required instructions to download and install TDSSKiller.
B) When fully installed, click on the icon to run the program.
C) Press the button that says “Start Scan” to begin detection of malicious objects.
D) It will display a list of detected objects and their description. This tool will recommend the appropriate action (Cure or Delete). We suggest to Cure objects that were identified Suspicious.
E) To apply desired actions, click on Continue. It will display the result and advise to restart the computer.