It sounds like I'm right in assuming that just because it's listed does not mean that it's still infected - agree?
Not necessarily. It could be that the entry is created because there is still a software component active. But we'll establish that.
Do the following from a Windows XP administrator account:
Start the security center.
Start Run... and launch wbemtest.
Replace default with SecurityCenter in the first input box.
Click Enum Classes
You will see 1 or 2 objects (AntiVirusProduct.instanceGUID...)
If there is only one:
select it and Delete it.
If there are two:
Double click the first entry
Scroll down until you see displayName. If it is something like Smart Internet Protection 2011, then you have to delete this entry; otherwise it is the second entry you need to delete.
Select the correct entry
The moment you delete the entry, Security Center will update its status (that's why I asked you to start the Security Center).
Click Close, Close and Exit.
Now you have deleted the WMI entry for SIP that the Security Center uses to display its status.
Reboot your machine.
If the entry reappears, then there is still a component of SIP installed that recreates the entry.
You'll need to find that component and remove it.
Edited by Didier Stevens, 16 February 2011 - 03:42 PM.
SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
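The same check as the wbemtest steps in the post above, written as an added PowerShell example that is not part of the original post: it lists the AntiVirusProduct instances in root\SecurityCenter and deletes an entry only when exactly one displayName matches. It assumes PowerShell 2.0 is installed on the XP machine and the session runs as an administrator; the function names, the -Pattern wildcard and the -Delete switch are hypothetical.

```powershell
# Added example, not code from the original post.
# Assumes PowerShell 2.0 on Windows XP, run from an administrator account.
# Get-SecurityCenterAv and Remove-RogueAvEntry are hypothetical helper names.

function Get-SecurityCenterAv {
    # Same objects wbemtest shows: namespace root\SecurityCenter, class AntiVirusProduct.
    Get-WmiObject -Namespace 'root\SecurityCenter' -Class AntiVirusProduct
}

function Remove-RogueAvEntry {
    param(
        [Parameter(Mandatory = $true)][string]$Pattern,  # wildcard matched against displayName
        [switch]$Delete                                   # without this switch, report only
    )

    $all = @(Get-SecurityCenterAv)
    $all | Format-Table displayName, instanceGuid -AutoSize | Out-Host

    # Refuse to act unless exactly one entry matches, so a loose pattern
    # cannot remove the registration of the legitimate antivirus product.
    $hits = @($all | Where-Object { $_.displayName -like $Pattern })
    if ($hits.Count -ne 1) {
        Write-Warning "Expected exactly one match for '$Pattern', found $($hits.Count); nothing deleted."
        return
    }

    $target = $hits[0]
    if (-not $Delete) {
        Write-Host "Would delete: $($target.displayName) [$($target.__PATH)]"
        return
    }

    $guid = $target.instanceGuid
    $target.Delete()   # same effect as Delete in wbemtest; Security Center updates its status

    # Re-query to confirm the instance is gone.
    $left = @(Get-SecurityCenterAv | Where-Object { $_.instanceGuid -eq $guid })
    if ($left.Count -eq 0) {
        Write-Host 'Entry removed. Reboot and list again; if it is back, a component is recreating it.'
    } else {
        Write-Warning 'Entry is still present after Delete().'
    }
}

# Dry run first; add -Delete once the reported entry is the right one.
Remove-RogueAvEntry -Pattern 'Smart Internet Protection*'
# Remove-RogueAvEntry -Pattern 'Smart Internet Protection*' -Delete
```

After the reboot, calling Get-SecurityCenterAv again shows whether the entry has been recreated.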