Getting rid of XP Home Security 2012 Malware/Virus

Recently caught the XP Home Security 2012 virus (strictly speaking ‘Malware’) on one of our XP machines.

Found this solution to work without any problems:

I’m impressed that MalWareBytes seems to be the best at detecting and getting rid of this Malware – so much so I bought a copy to run on my personal machine.

The MalWareBytes scan found the following which seemed to be related to the Home Security malware:

Registry Keys Detected: 1
HKCUSOFTWAREMicrosoftWindowsCurrentVersionExtStats{B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.

Files Detected: 3
C:Program FilesEA GAMESMOHAAEreg MOHAABgo_ez.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:Documents and SettingsJamesLocal SettingsApplication Dataqkm.exe (Trojan.ExeShell.Gen) -> Quarantined and deleted successfully.
C:Documents and SettingsJamesLocal SettingsTempcnrxsomawe.exe (Trojan.FakeMS) -> Quarantined and deleted successfully.

The first file detected intrigued me – this is an old FPS game: Medal of Honour Allied Assault, which I had fired up a few weeks earlier and played some online battles. I assume that was the attack vector – old game, probably with loads of vulnerabilities connecting to a dodgy game server. The attack then kicked in at the next MS security updates patch Tuesday.

After cleaning and re-booting I found I was still getting the message saying Automatic Windows Updates were switched off in the taskbar even though under System, Automatic Updates they are switched on. Re-registering Windows Updates using these commands solved that problem:

Click Start, select Run and type:

regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 atl.dll
regsvr32 wucltui.dll
regsvr32 wups.dll

Press [Enter] after each one and wait for the success message

Many thanks to the guys and gals at


Author: James

IT Manager - Network, Web coding, MS SQL and Online Mapping expert

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: