Rogue software details: XPPoliceAntivirus
XPPoliceAntivirus is a rogue security application. To remove it, look for the files, folders and registry entries listed below.
Known system changes:
Files
c:\Desktop\XP Police Antivirus.lnk
c:\StartMenu\XP Police Antivirus.lnk
c:\Desktop\XP Police Antivirus..lnk
Folders
c:\ProgramFiles\XPPoliceAntivirus
Registry entry
Key: HKEY_CLASSES_ROOT\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}
Value:
Data:
Key: HKEY_CLASSES_ROOT\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
Value:
Data:
Key: HKEY_CURRENT_USER\Control Panel\don't load
Value: scui.cpl
Data: No
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Value: DisableRegistryTools
Data: 1
Key: HKEY_CURRENT_USER\Software\XP Police Antivirus
Value:
Data:
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: PoliceAV
Data: C:\Program Files\XPPoliceAntivirus\xppolice.exe
Key: HKEY_CLASSES_ROOT\CLSID\{b6b571fb-b71d-449c-ad70-82e966328795}
Value:
Data:
Key: HKEY_CLASSES_ROOT\TypeLib\{16406580-14CE-4441-B904-AD56CC8064CA}
Value:
Data:
Key: HKEY_CLASSES_ROOT\WinApp.WinSafe
Value:
Data:
Key: HKEY_CLASSES_ROOT\WinApp.WinSafe.1
Value:
Data:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6b571fb-b71d-449c-ad70-82e966328795}
Value:
Data:
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Value: DisableTaskMgr
Data: 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: PoliceAV
Data: C:\Documents and Settings\%userprofile%\Desktop\RESEARCH\fe3700b340ca47362573c9200a8976d4.exe
Source: Lavasoft Malware Lab’s Rogue Gallery.