
Fake XP SecurityCenter Analysis and Removal

by Shanmuga

XP SecurityCenter is a rogue antimalware application installed through dubious means, such as a link in a spam mail or on a hacked website. It is a look-alike of the legitimate Windows Security Center and does what other rogue antimalware apps do: it scares the victim with pop-up messages about the health of their PC.

XP SecurityCenter shows various non-existent infections afflicting the victim’s PC and insists on payment when the victim tries to remove the infections.

In this instance the installer was dropped by a trojan downloader, which was downloaded when I clicked on a link found in a malicious celebrity spam mail. The installer is about 340 KB, named Install.exe, and is well recognized over at VirusTotal, with about a 78% detection rate.

When the installer is executed it connects to which hosts many rogue antimalware domains like,,,,, and to download the remaining part of the application. The successful installation is phoned home to a member’s account at is hosted at IP which also hosts The registrar of is DIRECTI INTERNET SOLUTIONS PVT. LTD, the domain was created on 2008-09-03 by the registrant Hawkwing Professional Services Limited based in Belize, a country in Central America. lists an interesting offer on its home page.

Once installed, the scare tactics start and the need to register XP SecurityCenter is stressed many times. When the victim clicks the Register now button, the fake app opens the default browser and connects to the buy page at which espouses the benefits of XP SecurityCenter. The page also uses fraudulent logos purported to be awards from various well-known computer magazines/websites.

I clicked on the BUY ONLINE button and was directed to their payment processor, with a 128-bit SSL-secured certificate issued by Verisign. Here ends my experience with Fake XP SecurityCenter. Now is the time to clean up.

Files and Folders Infected

C:\Program Files\XPSecurityCenter\install.exe
C:\Program Files\XPSecurityCenter\comp.dat
C:\Program Files\XPSecurityCenter\htmlayout.dll
C:\Program Files\XPSecurityCenter\unzip32.dll
C:\Program Files\XPSecurityCenter\pthreadVC2.dll
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
C:\Program Files\XPSecurityCenter\un.ico
C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe
C:\Program Files\XPSecurityCenter\wscui.cpl
C:\Program Files\XPSecurityCenter\XPSecurityCenter.dll
C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter\Uninstall.lnk
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcm80.dll
C:\Program Files\XPSecurityCenter\data\daily.cvd
C:\Program Files\XPSecurityCenter\XP_SecurityCenter.cfg
C:\Documents and Settings\All Users\Desktop\XPSecurityCenter.lnk
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcp80.dll
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT\msvcr80.dll
C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter\XPSecurityCenter.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter
C:\Program Files\XPSecurityCenter
C:\Program Files\XPSecurityCenter\Microsoft.VC80.CRT
C:\Program Files\XPSecurityCenter\data

Registry changes detected

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xp securitycenter
HKEY_LOCAL_MACHINE\SOFTWARE\XP_SecurityCenter (Rogue.XPSecurityCenter)
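
A triage sketch for the indicators listed above, added here as an example and not part of the original post: it checks saved `dir /s /b` and `reg query <key> /s` output for the install paths, the Run value and the application key. The sample listing and registry text are constructed, and the data of the Run value in the sample is an assumption, since the post does not give it.

```python
import re

# Indicators from the lists above; Windows paths and registry names are
# case-insensitive, so every comparison is done on lowercased text.
ROOTS = [r"C:\Program Files\XPSecurityCenter",
         r"C:\Documents and Settings\All Users\Start Menu\Programs\XPSecurityCenter",
         r"C:\Documents and Settings\All Users\Desktop\XPSecurityCenter.lnk"]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "xp securitycenter"
APP_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\XP_SecurityCenter"
# A value line of `reg query` output: indent, name (may contain spaces), type, data.
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")

def under(path, root):
    """True if path is root itself or lies below it, not merely a name prefix."""
    path, root = path.lower().rstrip("\\"), root.lower()
    return path == root or path.startswith(root + "\\")

def file_hits(dir_listing):
    """Lines of a `dir /s /b` listing that match the file indicators."""
    paths = (line.strip() for line in dir_listing.splitlines())
    return [p for p in paths if any(under(p, r) for r in ROOTS)]

def registry_hits(reg_output):
    """Matching keys and Run values in `reg query <key> /s` output."""
    hits, key = [], ""
    for line in reg_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
            if under(key, APP_KEY):
                hits.append(key)
        elif key.lower() == RUN_KEY.lower():
            m = VALUE_LINE.match(line)
            if m and m.group(1).lower() == RUN_VALUE:
                hits.append(f"{key}\\{m.group(1)} = {m.group(3)}")
    return hits

# Constructed sample input, not captured from a real host.
SAMPLE_DIR = r"""C:\PROGRAM FILES\xpsecuritycenter\data\daily.cvd
C:\Program Files\XPSecurityCenterTools\readme.txt
C:\Documents and Settings\All Users\Desktop\XPSecurityCenter.lnk"""
SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    C:\Program Files\Example\updater.exe
    XP SecurityCenter    REG_SZ    C:\Program Files\XPSecurityCenter\XPSecurityCenter.exe
HKEY_LOCAL_MACHINE\SOFTWARE\XP_SecurityCenter"""

if __name__ == "__main__":
    print(file_hits(SAMPLE_DIR), registry_hits(SAMPLE_REG), sep="\n")
```

The `under` check keeps a folder that merely starts with the same name, such as the constructed `XPSecurityCenterTools` entry, from being reported as a hit.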

Associated Domains

XP SecurityCenter Removal

It was very easy to remove this infection with Malwarebytes’ Anti-Malware. Please download the free version of Malwarebytes’ Anti-Malware, update and run a quick scan to get rid of this infection.

3 comments

daniel conklin March 4, 2009 at 4:33 AM

This solution worked great for me…


Samatva September 7, 2009 at 2:25 AM

This program has morphed into “AntivirusPro 2010” – still making the rounds trying to coerce folks into giving up the $$$


Dennis March 1, 2010 at 12:56 AM

I was able to do a system restore back a couple of days and now it’s gone

