XP-Antivirus Information and Removal

XPAntiVirus For the past few days, I have been following with the latest malware called XP-antispyware. I was of the opinion that this is only spread via its own website and when downloaded and installed. But today it proved me all wrong. I was searching google and when I opened one result, to my surprise, another popup opened breaking all my popup blockers stating that my computer had some spyware and that I needed to scan for spyware using XP-Antivirus. I just closed the Window and another dialog box appeared which I captured:
1
I didn’t press OK. Just clicked the red Cross and everything was fine. I have NOD32 Security Suite and I have the latest definitions installed. It should have caught this dangerous page but it didnt.
XP-Antivirus is still new and can affect even with

your antivirus installed. So be aware of the danger.

How to stay away from XP-Antivirus

As I have already mentioned that the detection of this malware is really very poor, so you should also be careful about what you are doing. Just stay away from the following sites:

  1. XpAntivirusonline.com
  2. XPOnlinescanner.com
  3. XPSecuritycenter.com
  4. XPAntispyware.com
  5. XPAntiviruspro.com
  6. XPAntivirus2008.com
  7. XPAntivirus-scanner.com
  8. XPAntivirus.com
  9. XPAntivirussite.com
  10. XPCleanerpro.com
  11. XPAntivirussecurity.com

In the last one month or so, the creators of this malware have created so many sites and it is expected that the variants will keep on coming. Please note that this malware can install automatically so please DONOT try to open any of the sites above.

How to remove XP-Antivirus

If you are infected with this malware. Please follow the instructions below to remove xp-antivirus:

Remove the following processes:

  • %program_files%\xpantivirus\xpantivirusupdate.exe
  • xpantivirus.exe
  • download.exe
  • %program_files%\xpantivirus\sysbackup\ntoskrnl.exe
  • install_xp.exe
  • %program_files%\xpantivirus\sysbackup\ntoskrnl.exe.md5
  • %program_files%\xpantivirus\sysbackup\explorer.exe.md5
  • %program_files%\xpantivirus\unins000.exe
  • xpantivirusupdate.exe
  • %program_files%\xpantivirus\sysbackup\explorer.exe
  • %program_files%\xpantivirus\unins000.exe
  • install_xp.exe
  • %program_files%\xpantivirus\xpantivirusupdate.exe
  • %program_files%\xpantivirus\sysbackup\ntoskrnl.exe
  • %program_files%\xpantivirus\sysbackup\explorer.exe
  • %program_files%\xpantivirus\xpantivirus.exe
  • %program_files%\xpantivirus\xpantivirus.exe
    Where %program_files% is your Program Files directory e.g, C:\Program Files.
    To remove all these processes, open your task manager, go to processes tab and remove all the above processes whichever are running.

Remove the following folder created by XP-Antivirus:

  • %program_files%\xpantivirus
  • %common_programs%\xp antivirus

    Remove the following registry keys:

  • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run xp antivirus
  • HKEY_CURRENT_USER\software\xp antivirus
  • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\xpantivirusfilter displayname
  • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\xpantivirusfilter errorcontrol
  • HKEY_CURRENT_USER\software\xp antivirus\options firstrunminimize
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\xp antivirus_is1 nno setup: user
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\xp antivirus_is1 installdate
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\xp antivirus_is1 installlocation
  • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\menuorder\start menu\programs\xp antivirus
  • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run xp antivirus
  • HKEY_CURRENT_USER\software\xp antivirus\options autoupdate
  • HKEY_CURRENT_USER\software\xp antivirus\options billingurl
    HKEY_CURRENT_USER\software\xp antivirus\options enableantirootkit
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\xp antivirus_is1 urlupdateinfo
  • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\xpantivirusfilter
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\xp antivirus_is1
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\xp antivirus_is1 displayname
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\xp antivirus_is1 helplink
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\xp antivirus_is1 inno setup: app path
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\xp antivirus_is1 inno setup: icon group
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\xp antivirus_is1 inno setup: setup version
  • HKEY_CURRENT_USER\software\xp antivirus\options firstrunurl
  • HKEY_CURRENT_USER\software\xp antivirus\options billingurlapproved
    HKEY_CURRENT_USER\software\microsoft\windows\shellnoroam\muicache c:\program files\xpantivirus\xpantivirus.exe
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\xp antivirus_is1 publisher
  • HKEY_CURRENT_USER\software\xp antivirus\options updateurl
  • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\xpantivirusfilter imagepath
  • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\xpantivirusfilter start
  • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\xpantivirusfilter type
  • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\xpantivirusfilter\enum
  • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\xpantivirusfilter\enum count
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\xp antivirus_is1 nomodify
  • HKEY_CURRENT_USER\software\xp antivirus\options aff
  • HKEY_CURRENT_USER\software\xp antivirus\options registerurl
  • HKEY_CURRENT_USER\software\xp antivirus\options startminimized
  • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\xpantivirusfilter\enum initstartfailed
  • HKEY_CURRENT_USER\software\xp antivirus\options enablesysbackup
  • HKEY_CURRENT_USER\software\xp antivirus
  • HKEY_CURRENT_USER\software\xp antivirus\options checkhidden
  • HKEY_CURRENT_USER\software\xp antivirus\options enableadvanced
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\xp antivirus_is1 norepair
  • HKEY_CURRENT_USER\software\xp antivirus\options versionurl
  • HKEY_CURRENT_USER\software\xp antivirus\register
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{9a19966f-ae0e-4699-8cce-9b6f5f1c352c}
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\xp antivirus_is1 quietuninstallstring
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\xp antivirus_is1 uninstallstring
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\xp antivirus_is1 urlinfoabout
  • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\xpantivirusfilter\enum nextinstance
  • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\xpantivirusfilter\security
  • HKEY_LOCAL_MACHINE\system\currentcontrolset\services\xpantivirusfilter\security security
  • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run xp antivirus
    If your homepage has been changed by XP-Antivirus, please change it to default.
    This will hopefully remove the malware from your system. If you have any queries, please comment.
    [XP-Antivirus removal instructions via 411-Spyware.com]

Posted

in

, ,

by

Sanix

Comments

9 responses to “XP-Antivirus Information and Removal”

  1. AntivirusExpert

    I think that manual removal is the most effective way to get rid of XP antivirus, though regretfully not the easiest. For ordinary users out there, deleting entries from the Windows registry can quickly become a worse experience than this scam itself. However, it mutates so fast that antimalware programs work on certain PC’s and don’t work on others, so manual check and step-by-step guide is always a better idea than a blind belief in some “powerful remover”.

  2. Techie Bob

    Manual remove does work but i have found you have to double check ourself to get all of the files removed. If some are left behind you end up still getting the popups. Also, be careful with the registry entries, if you are not sure then don’t mess with your registry or you may end up re-installing windows!

  3. Sanix

    Thank you AntivirusExpert and Techie Bob for your expert comments. May be we should also work on a removal tool for this malware because it is spreading rapidly. I’ll try to make one removal tool specifically for XP-Antivirus.

  4. Pwhndvve

    Honi soit the dazzlingly buy cytotec then announced estivities.

  5. Rahul

    Run smitfraud.exe to remove XP Antivirus. It’s a free download.

  6. Haz

    Disable System Restore, Run “SmitFraudFix” & Followed By “RogueFix” (Run Both In Safe Mode)
    Run “Disk Heal: & Lastly “SuperAntiSpyware”.
    Enable System Restore:-)

  7. TechBuzz

    Very useful information. Also, you can check a great free tool.

  8. Viola Marks

    thanks

  9. jolin

    Amazing article with useful information! but i prefer using a pc cleaner to help me, such as tuneup360