Dishonest antivirus software which tricks users into buying or installing it, usually by infecting a user's computer, or by pretending the computer is infected.
The native Windows System Restore funcutionality can complicate disinfection. See:
before proceeding.The directory and file names used by XP Antivirus are generated based on a hash of the HDD serial number.
Individual installation names can be determined by examining the path of the shortcut icons as in the example image.[...] will be used to represent the directory and file names in the disinfection instructions.
From the Windows Start Menu, select Run, type regedit into the "Open:" field and then click OK.Delete the following keys if they are found:
Delete the following values to disable the program from automatically running with Windows start:
To re-enable options for the screen saver and desktop, delete the following values:
To reset the Desktop settings, the following can be deleted:
Delete the following directories and file if they exist:
Some infections create the following set of files and directories, delete them if they exist:
Note: [Name] represents the local user account name.Follow the disinfection instructions for Trojan-Downloader:W32/Exchanger if the following file exists:
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
XPAntivirus is a family of rogue security programs that claim to detect and remove malicious software, but give fake and exaggerated scan results in an attempt to trick people into purchasing the program.Members of the XPAntivirus family are distributed under several different names, including:
As with most rogueware, an XPAntivirus variant is commonly downloaded and installed via trojans without consent and even hijacks the user's desktop to display misleading and alarming messages.
Rogue:W32/XPAntiVirus is distributed and installed with interfaces similar to the following:
The actual installation details vary depending on the specific variant in question. Below are details of three possible installations.
A directory is created in the Program Files folder as follows:
Where [...] represents the generated directory and file names used by XPAntivirus.The directory and file names used by XPAntivirus are generated based on a hash of the HDD serial number (see screenshot in Disinfection section).Another folder is created in the Application Data folder using the same naming scheme:
Where [NAME] represents the account name.
Another instance of infection may have the following set of files and directories installed:
And the following registry keys are added:
XPAntivirus may also be installed by the malware Trojan-Downloader:W32/Exchanger.The following files are created in the computer's system directory:
Note: CbEvtSvc.exe is detected as Trojan-Downloader:W32/Exchanger.The following directory and shortcut links are also created:
The following registry entries alter the desktop wallpaper and screensaver:
The following registry entries disable the wallpaper and screensaver options:
Registry launchpoints used for autostart:
Additional registry entries are also added:
Once installed, XP Antivirus pretends to scan the computer system. The program then displays fake alert messages indicating the system has been compromised.
XPAntivirus variants display the following types of warnings:
XPAntivirus variants display the following message from the System Tray:
The computer's wallpaper is changed to display the following message:
Note: All of the warning messages above were generated from a clean test machine.
The detection Rogue:W32/XPAntivirus also detects the downloader component for the XPAntiVirus rogueware.The component downloads and executes XPAntiVirus rogueware variants on the infected computer system.The interface for the downloader component may appear as below:
Ask questions in our Community .
Check the user guide for instructions.
Submit a Sample
Submit a file or URL for analysis.