Update: this virus shows up under different names. The GUI is the same; only the name is different. Please note that the original removal guide, written for XP Internet Security 2010, works just fine no matter what name the virus uses. The rogue program also goes by these names:
- XP Guardian
- XP Guardian 2010
- Windows XP 2010
- Windows XP Security
- XP Antivirus Pro
- AntiSpyware XP
- Antivirus XP
- Antivirus XP 2010
- XP AntiSpyware 2010
- XP Internet Security
- XP Smart Security 2010
- XP Internet Security 2010
- Total XP Security
- XP Security Tool
- XP Smart Security
- XP AntiMalware
- XP AntiMalware 2010
- XP Defender
- XP Defender Pro
- XP Security
- XP Security 2010
While XP Internet Security 2010 is active, you may observe the following:
- All programs will be blocked, including anti-virus and anti-spyware software
- Internet Explorer and Firefox browsers will be hijacked and will display fake security alerts when surfing the Web
- A window impersonating Windows Security Center will state that you should purchase XP Internet Security 2010
- Numerous fake alerts will state that your PC security is compromised or that you have various malware running on your computer. Don't click on these alerts.
XP Internet Security 2010 removal instructions:
Method #1
1. Go to Start->Run or press WinKey+R. Type in "command" and press the Enter key.
2. In the command prompt window, type "notepad". Notepad will come up.
3. Copy all the text below and paste it into Notepad.
```reg
Windows Registry Editor Version 5.00

; Remove the per-user .exe override and the rogue "secfile" class
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

; Restore the default handler for executables
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

; Point .exe back at the exefile class
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
```
4. Save the file as fix.reg to your Desktop. NOTE: set "Save as type" to "All files".
5. Double-click the fix.reg file to run it. Click "Yes" in the Registry Editor prompt window. Then click OK.
6. Download one of the following anti-malware applications:
7. Install the selected application, update it and run a system scan.
8. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.
Method #2
1. Use another computer and download one of the anti-malware applications listed above (Method #1, step 6).
2. Create the fix.reg file as described in Method #1 (steps 1-4). Copy the anti-malware application and the fix.reg file to a USB flash drive or any other removable device and transfer those files to the infected computer.
3. First of all, run the fix.reg file. Then install the anti-malware application, update it and run a full system scan.
4. New threats appear every day. In order to protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.
Manual removal:
Associated XP Internet Security 2010 files:
- %UserProfile%\Local Settings\Application Data\av.exe
- %UserProfile%\Local Settings\Application Data\ave.exe
- %UserProfile%\Local Settings\Application Data\WRblt8464P
- %UserProfile%\Local Settings\Temp\WRblt8464P
- %UserProfile%\Templates\WRblt8464P
- C:\Documents and Settings\All Users\Application Data\WRblt8464P
Associated XP Internet Security 2010 registry values:
- HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
- HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
- HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
- HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
- HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
- HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
- HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
- HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
- HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
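A check for the registry changes listed above, as an added example that is not part of the original guide: it parses the text of a registry export (.reg) and reports the keys that fix.reg removes or resets, browser launch commands that start with some other executable, and the Security Center overrides. The sample export and its `user` profile path are constructed, and the overrides are assumed to be exported as DWORD values.

```python
import re

def parse_reg(text):
    """Parse .reg export text into {key: {value_name: data}}; '@' is (Default)."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and cur is not None:
            name, data = m.groups()
            if data.startswith('"'):  # REG_SZ: drop quotes, undo \\ and \" escapes
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            cur[name.strip('"')] = data
    return keys

def find_hijacks(keys):
    """Return (key, reason) pairs for the association changes this page lists."""
    out = []
    for key, vals in keys.items():
        low, default = key.lower(), vals.get("@", "")
        if low.endswith("\\.exe\\shell\\open\\command"):
            out.append((key, ".exe has its own open command"))
        elif "\\secfile\\" in low + "\\":
            out.append((key, "secfile class present"))
        elif low.endswith("\\exefile\\shell\\open\\command") and default != '"%1" %*':
            out.append((key, "exefile open command altered"))
        elif "\\startmenuinternet\\" in low and low.endswith("\\command"):
            browser = low.split("\\startmenuinternet\\")[1].split("\\")[0]
            m = re.match(r'"?([^"]+\.exe)', default, re.I)
            first = m.group(1).lower().rsplit("\\", 1)[-1] if m else ""
            if first != browser:  # command starts with something other than the browser
                out.append((key, "browser launched via " + first))
        elif low.endswith("\\security center"):
            out += [(key, n + " set") for n in ("AntiVirusOverride", "FirewallOverride")
                    if vals.get(n) == "dword:00000001"]
    return out

# Constructed sample export; the "user" profile path is a placeholder.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\av.exe\" /START \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
'''
```

Calling `find_hijacks(parse_reg(SAMPLE))` returns three findings; the untouched `exefile` command is not reported.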