XP Internet Security - Bogus MSASCui.exe?


Farmer

My wife's computer was infected with "XP Internet Security" rogue. In looking at running processes, there was no file "av*.exe" running. However, I noticed that one of the processes running was MSASCui.exe. A search revealed that it is part of Microsoft's "Windows Defender". I've never installed Windows Defender so the presence of the file seemed odd.

The file was located in \documents and settings\...... \application data, which also seemed odd. All file property fields were blank. The size was ~195kb.

For lack of anything else to do, I killed the MSASCui.exe process and all "XP Internet Security" windows closed immediately. I was then able to connect to AV sites (I had an IE instance running before I killed the process).

I ran Malwarebytes, McAfee scan, McAfee fakealertstinger, and Windows OneCare but the rogue persisted.

I renamed MSASCui.exe then fixed up registry references to it. Rebooted and all is well.

Is this just a bizarre set of happy coincidences or is it possible that MSASCui.exe was the culprit?


This rogue can use three or four random skins at install which correspond to the operating system it's installed on.

If MBAM didn't hit it then it's probably a new morphed version with a different install path maybe?

Antivirus Vista 2010, Win 7 Antispyware 2010, and XP Internet Security 2010 are new rogues that are exactly the same program, but are shown with different names and interfaces depending on the version of Windows that it is run on. After I wrote this guide, I was told that this rogue goes under quite a few different names, which I have listed below:

Bleeping Computer Article


Are you running Windows Vista/7? For Vista I know it is on by default. Windows 7 I'm not sure of. When I installed it for beta testing it was on by default.

It was on a Dell WinXP Pro laptop. At first, I assumed it was preinstalled by Dell. The thing that caught my attention was that the file was in \Documents and Settings\ rather than \Program Files\.
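
The check described in the posts above (a Windows Defender file name running from a profile folder, with blank file properties), as an added example that is not part of the original thread. The expected-directory table, the `company` and `file_version` field names, and the sample records are assumptions constructed for illustration.

```python
import ntpath

# Assumption: expected install directories, lower-cased. Extend per environment.
EXPECTED_DIRS = {
    "msascui.exe": [r"c:\program files\windows defender"],
    "svchost.exe": [r"c:\windows\system32"],
}
# Per-user locations a standard account can write to.
USER_WRITABLE = (r"\documents and settings", r"\application data", r"\appdata")

def assess(proc):
    """Return the reasons a process record looks like a masquerading binary."""
    path = proc["path"].lower()
    name, folder = ntpath.basename(path), ntpath.dirname(path)
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return []  # name not in the table, nothing to compare against
    reasons = []
    if folder not in expected:
        reasons.append("unexpected directory: " + folder)
    if any(marker in folder for marker in USER_WRITABLE):
        reasons.append("runs from a user-writable profile path")
    if not (proc.get("company") or proc.get("file_version")):
        reasons.append("version resource fields are blank")
    return reasons

def scan(records):
    """Map pid -> reasons for every record that raised at least one flag."""
    return {r["pid"]: why for r in records if (why := assess(r))}

# Constructed sample records (pids, user name and version string are made up).
SAMPLE = [
    {"pid": 1204, "path": r"C:\Program Files\Windows Defender\MSASCui.exe",
     "company": "Microsoft Corporation", "file_version": "0.0.0.0-constructed"},
    {"pid": 2388, "path": r"C:\Documents and Settings\user\Application Data\MSASCui.exe",
     "company": "", "file_version": ""},
    {"pid": 3120, "path": r"C:\Documents and Settings\user\Application Data\tool.exe",
     "company": "", "file_version": ""},
]

if __name__ == "__main__":
    for pid, why in scan(SAMPLE).items():
        print(pid, "; ".join(why))
```

Only names listed in the table are judged, so an unknown program in a profile folder is not flagged by this check alone.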


A quick question . . . how do you get rid of the malware if you do not already have Malwarebytes (for the maladvertisement won't let me install it), McAfee already quarantined it, but did not get rid of it and you have tried killing it multiple times with Process Explorer? No matter what I do, it's just not going away. Any suggestions? All help would be appreciated :lol:.


Hi Braeoge -

This section contains many helpful ways to get Malwarebytes to operate, but you must use the specific repairs for your specific problem - It is useless trying to get one fix to work if it is not for the correct problem -

Thank You -

Thank you very much, noknojon! I will see if there are any friends in the area that will let me download Malwarebytes to a USB drive. The virus is XP Antispyware 2010 and every time I have tried to run Malwarebytes, it will not let me. Currently, the bug isn't even allowing me to run McAfee. I know that renaming mbam.exe will solve the problem, but I cannot find the file on my computer (even though I have downloaded it multiple times) and the already renamed mbam file did not work either, for the virus recognized it too. So, I don't think this is something I can solve at home from my computer. However, any more suggestions would be extremely helpful.

