Win 7 Anti Virus: fake AV installed via a malicious advertisement, runs the process xiu.exe, affects IE and FF
Win 7 Anti Virus comes in several different flavors, it appears. This fake AV program has had a lot of work done to it. Many people are offering suggestions on removal, and all are correct, but none is easy. One common suggestion is renaming the browser executable, because every .exe you launch starts this program instead.
I've not read about any AOL browser users being affected, but it really doesn't matter: once you have this very interesting malware application loaded on your computer, your work has just begun.
Most say to start up in Safe Mode, which you can do if you are willing to reboot your system.
Typically, when I find my system has a new flavor-of-the-day virus, I leave everything running as it was and look to see what tasks have been added. Then, with a pad of paper and a pen, write down every process you don't recognize from the running processes (shown for all users) in Task Manager.
Next, you can fire up a script that keeps killing the application so you can work more easily.
You might like to store this script on a thumb drive for later use. I don't mind running it to kill even good processes; for example, when Firefox has more than one plugin-container.exe running, I can just end them all with a simple script.
I didn't make any fancy videos like a few people did. I spent enough time working on this system; a video would have been my time wasted.
But I do want to say it might be a very good idea, once you have this application stopped, to restore your system to a point from a few hours before this all started.
XIU.EXE plus one junk process can be seen. The random-filename application should be written down on a notepad (paper) so you can search your startup entries and registry for it later. The other application seems to have a random short name in most cases I've read about. You'll notice it once you start closing things down.
Once you do end the process (kill process), you might see all your applications going buggy. Notepad is going to ask what exe it should be associated with. From what I experienced, you can open the applications directly, even with Run as administrator.
So as not to waste time, once you have some type of control over your system, restore to an earlier date. Windows 7 should have created a restore point at about the same time you noticed this application, or you can pick a different date.
After your restore, update and run your antivirus application to make sure things are cleaned out. Check your registry for the applications that were running.
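The registry and startup check described above can be scripted. The following is an added example written for this page, not the author's VBS script, and it makes these assumptions: the only process name known from the post is xiu.exe (the random-named second process is whatever you wrote down, so $Suspects is a placeholder list), the persistence locations listed are the usual Windows 7 Run/RunOnce keys and Startup folders, and the stock value of the .exe file-association handler is "%1" %* (that is the value a clean Windows install carries; the post notes that every .exe starts the fake AV and that Notepad asks what it should be associated with, which is what a rewritten handler produces). Run it from an elevated PowerShell with: powershell -ExecutionPolicy Bypass -File .\audit-persistence.ps1

```powershell
# Added example (not the author's script): audit the usual Windows 7 persistence
# points after you have written down the fake AV's process names.
# ASSUMPTIONS: $Suspects holds placeholder names (xiu.exe from the post plus the
# random name you noted); expected .exe handler value "%1" %* is the stock default.
param(
    [string[]]$Suspects = @('xiu.exe')   # add the random-named process you wrote down
)

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

Write-Host "== Run / RunOnce entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PowerShell's own PSPath/PSParentPath metadata
        $value = [string]$p.Value
        $flag = ''
        # Flag anything launching from the user's AppData\Local (where the post found xiu.exe)
        # or matching one of the names you wrote down.
        if ($value -match 'AppData\\Local') { $flag = '  <-- SUSPECT (runs from AppData\Local)' }
        foreach ($s in $Suspects) {
            if ($value -match [regex]::Escape($s)) { $flag = "  <-- SUSPECT (matches $s)" }
        }
        Write-Host ("{0}  {1} = {2}{3}" -f $key, $p.Name, $value, $flag)
    }
}

Write-Host "== Startup folders =="
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force | ForEach-Object { Write-Host $_.FullName }
    }
}

# The fake AV gets itself started on every .exe launch by rewriting the .exe handler.
# Stock values: .exe -> "exefile"; exefile\shell\open\command -> "%1" %*
Write-Host "== .exe association =="
$checks = @(
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\.exe';                          Expected = 'exefile' },
    @{ Key = 'HKCU:\Software\Classes\.exe';                               Expected = 'exefile' },
    @{ Key = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command';    Expected = '"%1" %*' },
    @{ Key = 'HKCU:\Software\Classes\exefile\shell\open\command';         Expected = '"%1" %*' }
)
foreach ($c in $checks) {
    if (-not (Test-Path $c.Key)) { continue }       # the HKCU copies normally do not exist at all
    $actual = (Get-ItemProperty -Path $c.Key).'(default)'
    $state = if ($actual -eq $c.Expected) { 'OK' } else { 'HIJACKED?' }
    Write-Host ("{0} = {1}  [{2}]" -f $c.Key, $actual, $state)
}
```

A per-user key under HKCU\Software\Classes overrides the HKEY_CLASSES_ROOT value for that account, so a clean machine normally has no HKCU\Software\Classes\.exe or exefile key at all; if the script prints one, that is where the hijack lives. Put the value back with Set-ItemProperty on the key shown (default name '(default)', value "%1" %*), or delete the stray HKCU key, and only then delete the file and the Run entry, since a program launched through a still-hijacked handler will restart the malware.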
======= OLD NOTES BELOW STOP HERE =============
Second time in less than 18 hours, on different websites and different networks (different computers as well).
It's once again war against the hacked advertisement servers. I'm still removing the fake anti-virus, which is tied to the browsers IE and FF from what I see. AOL doesn't seem to launch this fake program.
Malware C:\USERS\username\APPDATA\LOCAL\XIU.EXE 4/12/2011, 9:33:36 PM
Let me help you save a little time while you work to remove this virus from the actual path it is running from.
Location of application: C:\USERS\username\APPDATA\LOCAL\XIU.EXE
Now, if you have some major problems deleting it, like I had running under Windows 7 Pro, you might find this little script of mine helpful. Then you might be lucky, or fast enough, between the End Process and the deleting of the file.
I do know it corrupted other applications that I opened during this battle, so I recommend keeping your movements to a minimum while you remove this app. AVG will detect it, but the AVG 9.0 version on this computer was corrupted and didn't stop the virus. This is a lesson for us all: don't assume your antivirus is working perfectly all the time. Test it from time to time. It is software, and software does become corrupted at times.
Link to VBS script file that scans running processes and kills the XIU.EXE process in a 60-second timer loop. (Thanks to Servers, programming in VB is second nature.)
Images below and notes to follow later this week.
This fake application takes some doing to remove.
The application you see in the screenshot of Task Manager is the process that needs to be killed.
I had to write a short VB script to check every 30 seconds if it was running and end it, so I could remove it and get things going.
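The kill-loop script mentioned here (and the "fire up a script to start killing the application" step in the newer notes above) can be done in PowerShell, which ships with Windows 7. What follows is an added example written for this page, not the author's VBS script, and it assumes: the process name xiu (from the post; the random-named second process is whatever you wrote down, so $Names is a placeholder list), a 5-second interval (the author's VBS used a 30- or 60-second loop; a shorter one widens your window between End Process and deleting the file), and a log file on the desktop, which is a choice, not something from the post.

```powershell
# Added example (not the author's VBS script): watchdog that keeps ending the
# named processes so the rest of the cleanup can proceed.
# ASSUMPTIONS: $Names are placeholders (xiu from the post plus the random name
# you wrote down); the interval and log path are arbitrary choices.
param(
    [string[]]$Names = @('xiu'),            # process names WITHOUT .exe, as Get-Process expects
    [int]$IntervalSeconds = 5,
    [string]$LogFile = "$env:USERPROFILE\Desktop\killlog.txt"
)

function Stop-NamedProcesses {
    param([string[]]$ProcessNames)
    $results = @()
    foreach ($name in $ProcessNames) {
        # SilentlyContinue: no error output when the process is not currently running
        foreach ($p in Get-Process -Name $name -ErrorAction SilentlyContinue) {
            # Record the image path before killing: that is the file you must delete afterwards.
            $path = '<unknown>'
            try { if ($p.Path) { $path = $p.Path } } catch { }
            try {
                Stop-Process -Id $p.Id -Force -ErrorAction Stop
                $results += ("killed {0} pid={1} path={2}" -f $p.ProcessName, $p.Id, $path)
            } catch {
                $results += ("FAILED {0} pid={1}: {2}" -f $p.ProcessName, $p.Id, $_.Exception.Message)
            }
        }
    }
    return $results
}

Write-Host ("Watching for: {0} every {1}s. Press Ctrl+C to stop." -f ($Names -join ', '), $IntervalSeconds)
while ($true) {
    foreach ($line in (Stop-NamedProcesses -ProcessNames $Names)) {
        $entry = "{0}  {1}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $line
        Write-Host $entry
        Add-Content -Path $LogFile -Value $entry    # keep the path and timing for the cleanup notes
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Leave this running in one elevated PowerShell window while you delete the file from a second one (for the path the post gives, Remove-Item -Force "$env:LOCALAPPDATA\xiu.exe"); a FAILED line in the log means the process is protected or already gone, so check Task Manager before retrying. The same loop, with $Names set to plugin-container, does the Firefox cleanup the newer notes mention.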
AVG was installed but damaged. Not sure if this application was the cause or not. I've recovered and will be testing to see if AVG was damaged.
Other than that, it's a strange application, and it loads from your user profile's AppData\Local folder, not from Program Files or Common Files. You'll find it easily enough.