Sunday, March 28, 2010

Removing XP Antivirus Pro

XP Antivirus Pro is a particularly nasty (and, from my side, fun) rogue antivirus program from the "scareware" family: it is not a real scanner, it fakes infection warnings to push you into paying for a "license". It also goes by XP Spyware 2010, XP Antispyware, and XP Antivirus Pro 2010.

I know these directions aren't 100% comprehensive because every machine I've seen with this virus is slightly different. Some of these files or processes may not show up on your computer. If they don't, it's just one less thing to delete! However, this is the most comprehensive process for removing this virus I have to this date:

Boot into safe mode (F8 at startup)

Stop these processes in Task Manager (they may not all show up):
av2010.exe
svchost.exe (only the copy running from C:\Program Files\AV2010; do not end the real svchost.exe in C:\WINDOWS\system32, which hosts Windows services)
wingamma.exe
av.exe

Uninstall Antivirus 2010 (AV2010) from the Control Panel (Add or Remove Programs) if it is listed there.

Delete these files from your computer:
C:\Program Files\AV2010
c:\Program Files\AV2010\AV2010.exe
c:\Program Files\AV2010\svchost.exe
C:\WINDOWS\system32\IEDefender.dll
c:\WINDOWS\system32\wingamma.exe
c:\Documents and Settings\All Users\Desktop\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\AV2010.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\AV2010\Uninstall.lnk

Open the Registry Editor (Run --> regedit), export a backup first (File --> Export), then navigate to these keys and delete them. Again, they may not all be present. Be careful with the {4D36E972-E325-11CE-BFC1-08002bE10318} entries: that GUID is the Network Adapters device class and every real network card has a numbered subkey under it, so open each listed subkey and check its DriverDesc value before deleting. Remove it only if it belongs to the rogue, not to your network adapter.

HKEY_CURRENT_USER\Software\AV2010
HKEY_CLASSES_ROOT\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}
HKEY_CLASSES_ROOT\AppID\IEDefender.DLL
HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO
HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO.1
HKEY_CLASSES_ROOT\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}
HKEY_CLASSES_ROOT\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}012
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}013
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}014
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value 'Windows Gamma Display'

Reboot the computer back into normal mode.
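Before rebooting (and again afterwards, to confirm nothing was re-created), it helps to audit the whole list above in one go instead of hunting through Task Manager and regedit by hand. The script below is an added example, not part of the original post: it is read-only, reports what it finds, and deletes nothing, so you confirm each hit before acting. It tells the rogue's svchost.exe from the real one by image path rather than by name, lists every subkey of the Network Adapters class with its DriverDesc so you do not delete a real network card, and prints the current .exe launch command so you can compare it with the Windows default of "%1" %* (the "what program do you want to open this with" prompt described in the next paragraph is what a changed .exe association looks like). Run it from an elevated PowerShell prompt in safe mode; the paths are the ones from the list, resolved through the standard environment variables.

```powershell
# Added example (not the original author's): read-only audit of the
# XP Antivirus Pro / AV2010 artifacts listed above. Reports only, deletes nothing.

# 1. Processes. The rogue drops its own svchost.exe under Program Files\AV2010;
#    the real one lives in %SystemRoot%\System32, so judge by path, not by name.
$system32   = Join-Path $env:SystemRoot 'System32'
$rogueNames = 'av2010.exe', 'wingamma.exe', 'av.exe', 'svchost.exe'
Get-Process | Where-Object { $rogueNames -contains ($_.ProcessName + '.exe') } | ForEach-Object {
    $p = $_.Path   # can be $null when the image path is not readable
    if ($_.ProcessName -ne 'svchost') {
        "PROCESS  PID $($_.Id)  $($_.ProcessName)  $p"
    } elseif (-not $p) {
        "PROCESS  PID $($_.Id)  svchost  (path not readable, verify by hand)"
    } elseif (-not $p.StartsWith($system32, 'OrdinalIgnoreCase')) {
        "PROCESS  PID $($_.Id)  svchost running OUTSIDE System32: $p"
    }
}

# 2. Files and folders from the list (ALLUSERSPROFILE is
#    C:\Documents and Settings\All Users on XP).
$paths = @(
    "$env:ProgramFiles\AV2010",
    "$env:SystemRoot\system32\IEDefender.dll",
    "$env:SystemRoot\system32\wingamma.exe",
    "$env:ALLUSERSPROFILE\Desktop\AV2010.lnk",
    "$env:ALLUSERSPROFILE\Start Menu\Programs\AV2010"
)
foreach ($f in $paths) { if (Test-Path -LiteralPath $f) { "FILE     $f" } }

# 3. Registry keys from the list (the network class subkeys are handled in step 5).
$keys = @(
    'HKCU:\Software\AV2010',
    'Registry::HKEY_CLASSES_ROOT\AppID\{3C40236D-990B-443C-90E8-B1C07BCD4A68}',
    'Registry::HKEY_CLASSES_ROOT\AppID\IEDefender.DLL',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{FC8A493F-D236-4653-9A03-2BF4FD94F643}',
    'Registry::HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO',
    'Registry::HKEY_CLASSES_ROOT\IEDefender.IEDefenderBHO.1',
    'Registry::HKEY_CLASSES_ROOT\Interface\{7BC7565C-5062-43CE-8797-DC2C271140A9}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{705FD64B-2B7B-4856-9337-44CA1DA86849}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FC8A493F-D236-4653-9A03-2BF4FD94F643}'
)
foreach ($k in $keys) { if (Test-Path -LiteralPath $k) { "REGKEY   $k" } }

# 4. The Run value that restarts the rogue at every logon.
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$v = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).'Windows Gamma Display'
if ($v) { "RUNVALUE $run\Windows Gamma Display = $v" }

# 5. {4D36E972-...} is the Network Adapters device class. Every real NIC has a
#    numbered subkey here, so list them with DriverDesc and delete only the one
#    that points at the rogue. (Access-denied on the Properties subkey is normal.)
$class = 'HKLM:\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
Get-ChildItem -Path $class -ErrorAction SilentlyContinue | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    "NETCLASS $($_.PSChildName)  DriverDesc='$($props.DriverDesc)'  Service='$($props.Service)'"
}

# 6. How Windows launches .exe files. The Windows default is "%1" %*; anything
#    else (a path into Program Files\AV2010, for example) explains programs
#    refusing to open and must be restored before normal mode will be usable.
$exeCmd = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
$cmd = (Get-ItemProperty -Path $exeCmd -ErrorAction SilentlyContinue).'(default)'
"EXEFILE  open command = $cmd"
```

Nothing in the output is deleted automatically; the point of the script is to give you one list to check against before you touch the registry, and a second run after the reboot that prints nothing but the NETCLASS and EXEFILE lines is a good sign the manual removal held.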

Try opening Firefox, Microsoft Word or some other program. If it opens, skip the rest of this paragraph. Instead of opening, you may get a dialog asking which program you would like to open the file with, as if Windows no longer recognized the file type; that is what a hijacked .exe file association looks like, and it means nothing else will launch until it is fixed. If that is the case, on a separate clean computer download the SUPERAntiSpyware portable scanner (http://www.superantispyware.com/portablescanner.html). The file will be named something like SAS_F34J56JH8P.COM (the characters after SAS_ are randomized, and it ships as a .COM rather than an .exe precisely so that it still runs when .exe is hijacked and cannot be blocked by name). Boot the infected computer into safe mode again, transfer the SAS file from the clean computer, run it and do a full scan. When it finishes, make sure it removes everything it found, then reboot into normal mode. Once your programs work, continue reading, but skip the SUPERAntiSpyware step below as you have already done it.

If you can run all your programs again, go ahead and download Malwarebytes (http://www.malwarebytes.org/), Spybot (http://www.safer-networking.org/en/download/index.html) and SUPERAntiSpyware (http://www.superantispyware.com/portablescanner.html).

Install Malwarebytes and Spybot and update both, then boot into safe mode again and scan with Malwarebytes. Remove whatever it finds, then run Spybot, still in safe mode. The SUPERAntiSpyware link is the portable version: it installs nothing and carries only the definitions current on the day you downloaded it, so it is a one-time scan that is up to date only at download time. After Spybot, run the SUPERAntiSpyware file and do a full scan. The reason I'm suggesting three different scans is that this is a particularly nasty infection that we haven't fully understood yet.
