Thursday, January 28, 2010

How to remove XP Internet Security 2010 (free removal guide)

XP Internet Security 2010 is a fake antivirus application. For some of you this program may look like a reliable virus removal tool, but in reality it's a total scam. When running, it will "scan" your computer for malware and present you with a list of false infections (that's what rogue programs usually do) to trick you into thinking that your computer is infected. Then XP Internet Security 2010 will state that those infections cannot be removed unless you purchase the program. You shouldn't purchase this bogus software! If you already have, inform your credit card company that you were tricked into paying for this software, and that it's a scam.

Update: this virus shows up under different names. The GUI is the same; only the name is different. Please note that the removal guide originally written for XP Internet Security 2010 works just fine no matter what name the virus uses. The rogue program also goes under these names:
  • XP Guardian
  • XP Guardian 2010
  • Windows XP 2010
  • Windows XP Security
  • XP Antivirus Pro
  • AntiSpyware XP
  • Antivirus XP
  • Antivirus XP 2010
  • XP AntiSpyware 2010
  • XP Internet Security
  • XP Smart Security 2010
  • XP Internet Security 2010 
  • Total XP Security
  • XP Security Tool
  • XP Smart Security
  • XP AntiMalware
  • XP AntiMalware 2010
  • XP Defender
  • XP Defender Pro
  • XP Security
  • XP Security 2010


Antivirus XP 2010 video: (thanks to rogueamp)


While XP Internet Security 2010 is active, you may observe the following:
  • All programs will be blocked, including anti-virus and anti-spyware software
  • Internet Explorer and Firefox browsers will be hijacked and will display fake security alerts when surfing the Web
  • A window impersonating Windows Security Center stating that you should purchase XP Internet Security 2010
  • Numerous fake alerts stating that your PC security is compromised or that you have various malware running on your computer. Don't click on these alerts
There shouldn't be any doubt about this software. It's obviously not legitimate and should be removed from your computer as soon as possible. The worst symptom is of course the first one in the list above. How can you remove this virus if you can't open any program? Fortunately, there is a way to overcome this infection, and I'll show you how to do that.


XP Internet Security 2010 removal instructions:

Method #1
1. Go to Start->Run or press WinKey+R. Type in "command" and press the Enter key.


2. In the command prompt window type "notepad". Notepad will come up.


3. Copy all the text below, from "Windows Registry Editor Version 5.00" through the "Content Type" line, and paste it into Notepad.

Windows Registry Editor Version 5.00


[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"


[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

4. Save the file as fix.reg on your Desktop. NOTE: set "Save as type" to "All files".


5. Double-click the fix.reg file to run it. Click "Yes" in the Registry Editor prompt window. Then click OK.
6. Download one of the following anti-malware applications:
7. Install the selected application, update it and run a system scan.
8. New threats appear every day. To protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.

Method #2
1. Use another computer and download one of the anti-malware applications listed above (Method #1, step 6).
2. Create the fix.reg file as described in Method #1 (steps 1-4). Copy the anti-malware application and the fix.reg file to a USB flash drive or any other removable device and transfer those files to the infected computer.
3. First of all, run the fix.reg file. Then install the anti-malware application, update it and run a full system scan.
4. New threats appear every day. To protect your PC from such (new) infections, we strongly recommend that you use ESET Smart Security.


Manual removal:

Associated XP Internet Security 2010 files:
  • %UserProfile%\Local Settings\Application Data\av.exe
  • %UserProfile%\Local Settings\Application Data\ave.exe
  • %UserProfile%\Local Settings\Application Data\WRblt8464P
  • %UserProfile%\Local Settings\Temp\WRblt8464P
  • %UserProfile%\Templates\WRblt8464P
  • C:\Documents and Settings\All Users\Application Data\WRblt8464P

Associated XP Internet Security 2010 registry values:

  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
  • HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
  • HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
  • HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
  • HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
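
The registry values listed above can also be checked offline against a text export of the registry, for example one copied to a clean computer. The following Python script is an added example, not part of the original guide; the sample export, the user name in its paths and the function names are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

# Constructed sample in `reg export` text form (not from a real host), already decoded to str.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\av.exe\" /START \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\av.exe\" /START \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
'''

def decode(data):
    """Decode one .reg value: dword to int, quoted string with escapes removed."""
    if data.startswith("dword:"):
        return int(data[6:], 16)
    return re.sub(r'\\(.)', r'\1', data[1:-1]) if data[:1] == '"' else data

def parse_reg(text):
    """Return {key path: {value name: data}}; '@' names the default value."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            current[name.strip('"')] = decode(data)
    return keys

def audit(text):
    """Return (key, reason) pairs for the hijack patterns listed in this guide."""
    findings = []
    for path, values in parse_reg(text).items():
        low, cmd = path.lower(), str(values.get("@", ""))
        first = re.match(r'"([^"]+)"|(\S+)', cmd)  # first program on the command line
        program = (first.group(1) or first.group(2)).lower() if first else ""
        if low.endswith((r"\.exe\shell\open\command", r"\secfile\shell\open\command")):
            findings.append((path, "handler that fix.reg deletes is present"))
        elif low.endswith(r"\exefile\shell\open\command") and cmd != '"%1" %*':
            findings.append((path, 'exefile handler is not "%1" %*'))
        elif "\\startmenuinternet\\" in low and "\\application data\\" in program:
            findings.append((path, "browser started through a program in Application Data"))
        for name in ("AntiVirusOverride", "FirewallOverride"):
            if low.endswith(r"\security center") and str(values.get(name)) == "1":
                findings.append((path, name + " is set to 1"))
    return findings
```

An empty result from audit() means only that none of the patterns from this guide were found in the export; it does not replace the anti-malware scan.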
