I recently had the "xp antivirus pro 2010" fake antivirus but was finally able to remove it with Spyware Doctor, though I still have a few problems.
Here are the steps I took:
I first saw the infection when my browser (I.E. 7) closed and I got a message saying that it was infected.
Task manager showed the "av.exe" process as well as about 25 "smss32.exe" processes, so I knew that those were obviously the virus.
I tried using Malwarebytes, then Avast, but found that both were blocked.
Because I could not start my browser correctly, I used a different computer, and found a solution which recommended the use of "msconfig" to block smss32 on startup, then going into the C:\WINDOWS\System32 folder and deleting smss32.exe, winlogon32.exe, helper.dll, and 41.exe.
I tried the above solution, and when the computer booted back up after the use of msconfig, I found that my wireless internet adapter could not see any networks, and that my task manager had been disabled. I then used HijackThis to kill anything related to smss32, then went into the system32 folder and deleted the smss32.exe, winlogon32.exe, helper.dll, and 41.exe files, then rebooted again.
After the reboot, I got stuck in the logon-logoff loop, which I eventually fixed with a solution I found online that used BartPE to edit the userinit registry file. I also deleted some clearly virus files structured as: <innocuous filename><x number of spaces>.exe
After successfully logging back in, I found that the fake antivirus was still there. I reenabled my internet connection by restarting Windows Wireless Zero Configuration, which had apparently been what the virus disabled. I was able to use Malwarebytes after renaming mbam.exe to mbam.com; however, the only thing I was able to use it for was to reenable the task manager. The task manager showed that apparently smss32 was gone, so I was partially successful.
At this point I used Spyware Doctor to remove the fake antivirus successfully, after which I was able to use my computer somewhat normally.
However, I have found 2 problems:
1) Windows Firewall is not working, and I can't find a way to enable it. The security center tells me to use "Windows Firewall" to reenable the firewall; however, all options in Windows Firewall are greyed out, so I can do nothing.
2) Also, for some reason, all .exe files are now described as "secfile", though they had previously been described as "application", I think. I checked the registry, and found that under HKEY_CURRENT_USER\Software\Classes\.exe, (Default)=secfile and Content Type=application/x-msdownload.
Will simply changing "secfile" to "application" fix the .exe file problem or is there something else I need to do?
Edited by Atomizer, 15 February 2010 - 04:33 PM.
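
The registry state described in problem 2, as an added example that is not part of the original post: a Python check that reads `reg export` text and flags a per-user `.exe` association that differs from the stock `exefile` ProgID, then reports which open command the substituted ProgID resolves to. The `.exe` values in the sample are the ones quoted in the post; the `secfile` handler key, its placeholder path, and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample in `reg export` text form. The .exe values are the ones
# quoted in the post; the secfile handler key and its path are placeholders.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"
"Content Type"="application/x-msdownload"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\PLACEHOLDER\\handler.exe\" \"%1\" %*"
'''

CLASSES = r"HKEY_CURRENT_USER\Software\Classes"
EXPECTED = {".exe": "exefile"}  # stock Windows ProgID for .exe

def parse_reg(text):
    """Parse string values from .reg text into {key_lower: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$', line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else m.group(1)[1:-1]
            # Undo .reg escaping: \\ -> \ and \" -> "
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys

def check_associations(keys):
    """Return findings for per-user extension keys that differ from stock."""
    findings = []
    for ext, expected in EXPECTED.items():
        progid = keys.get(f"{CLASSES}\\{ext}".lower(), {}).get("")
        if progid is None or progid.lower() == expected:
            continue  # no per-user override, or it matches the stock ProgID
        cmd_key = f"{CLASSES}\\{progid}\\shell\\open\\command".lower()
        findings.append({"ext": ext, "progid": progid, "expected": expected,
                         "open_command": keys.get(cmd_key, {}).get("")})
    return findings

if __name__ == "__main__":
    for finding in check_associations(parse_reg(SAMPLE_EXPORT)):
        print(finding)
```

A finding whose `open_command` names a program rather than the stock `"%1" %*` means every .exe launch is routed through that program, so the handler key needs review along with the `.exe` key itself.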