XP Antivirus Pro

XP Antivirus Pro is a misleading computer security application that may cause various annoyances on an affected computer. It is promoted on scam security websites that host malicious scripts, which run and execute malware on visitors' computers. Removing XP Antivirus Pro may be difficult, since this unwanted program was created to install easily but be hard to remove.

Type: Rogue
Sub-Type: FakeAV
Aliases:
OS Affected: Windows
Detected By: MalwareBytes

What are the Symptoms of XP Antivirus Pro Infection?

It modifies the Windows Registry and adds the following entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "XP Antivirus Pro"
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
  • HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
  • HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"

The threat will drop the following malicious files:

  • %ProgramFiles%\XP Antivirus Pro\av.exe
  • %UserProfile%\Local Settings\Application Data\av.exe
  • %UserProfile%\Local Settings\Application Data\[random]
  • %UserProfile%\AppData\Local\av.exe
  • %UserProfile%\AppData\Local\[random]
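
The registry changes listed above share one pattern: a shell\...\command handler is pointed at av.exe in a per-user data folder, with the real target passed after /START. The following added example (not part of the original write-up) audits the text of a `reg export` file for that pattern and for the Security Center overrides; the sample export, the user name in it and the function names are constructed for illustration.

```python
import re

# Constructed sample in `reg export` (.reg) format; the user name is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\av.exe\" /START \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
'''

HANDLER_KEY = re.compile(r'\\shell\\[^\\]+\\command$', re.I)  # open, safemode, ...
# Per-user data folders the write-up lists as drop locations.
USER_DIR = re.compile(r'\\(Local Settings\\Application Data|AppData\\Local)\\', re.I)
OVERRIDES = {'antivirusoverride', 'firewalloverride'}

def parse_reg(text):
    """Yield (key, value_name, raw_data) from .reg text; '@' is the default value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key:
            m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
            if m:
                yield key, m.group(1).strip('"'), m.group(2)

def audit(text):
    """Return findings as (key, value_name, reason, detail) tuples."""
    findings = []
    for key, name, raw in parse_reg(text):
        if name == '@' and HANDLER_KEY.search(key) and raw.startswith('"'):
            cmd = re.sub(r'\\(.)', r'\1', raw[1:-1])  # undo .reg string escaping
            exe = re.match(r'"([^"]+)"|(\S+)', cmd)   # first token = program run
            if exe and USER_DIR.search(exe.group(1) or exe.group(2)):
                wrapped = cmd[exe.end():].strip()     # what the shim forwards to
                findings.append((key, name, 'handler runs from user data folder', wrapped))
        elif name.lower() in OVERRIDES and raw.lower() == 'dword:00000001':
            findings.append((key, name, 'Security Center alert suppressed', raw))
    return findings

if __name__ == '__main__':
    print(*audit(SAMPLE_REG), sep='\n')
```

Regedit usually writes exports as UTF-16, so decode the file before passing its text to `audit`. The text after /START in each finding is the command the shim forwards to, which helps when deciding what a handler should be restored to.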

How to Remove XP Antivirus Pro Manually

1. Restart your computer in Safe Mode
- After powering on the computer, just before Windows starts, press F8
- From the selections, select Safe Mode

2. Remove the registry entries that the threat added. You MUST BACK UP YOUR REGISTRY FIRST.
- Click Start > Run
- Type regedit in the field
- Navigate to the registry entries mentioned above and delete them if necessary

3. Delete the malicious files that the threat added:
- Based on the locations given above, browse to each file and delete it
- If no location is given, click Start > Search and search for the files.
- If a file cannot be deleted, press Ctrl+Alt+Del to open Task Manager and check whether the file is running as a process. If it is, select it and click End Process, then delete the file again.

4. Scan the computer with an antivirus program
- Update the antivirus program
- Scan the computer and delete all detected threats.

How to Easily Remove XP Antivirus Pro

1. Download and run Removal Tool to remove XP Antivirus Pro

2 Responses to “XP Antivirus Pro”

  1. Jack
    January 30, 2010 at 2:44 am

    Thanks so much. It worked very well. Unfortunately, when I was removing registry entries I did not back up the registry first. Now I cannot open any icon on my desktop. Every time, I get a message: “This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel.” Any ideas how to fix it?

  2. Tammy
    January 30, 2010 at 7:09 pm

    Jack:

    Since you removed the registry entries without putting the good values that belong — that is what broke it.
    Windows has no clue now how to run exe files.
    It’s fixable.

    Try instructions here for using “unhookexec.inf” from Symantec:

    http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99

    If browser won’t run — might have to download the app on another PC to transfer to the broken one.

    Then run malwarebytes antimalware to finish fixing it.
