XP Antivirus 2012

XP Antivirus 2012 Description

ScreenshotXP Antivirus 2012 is a rogue anti-virus application that exclusively affects computers with the Windows XP operating system. XP Antivirus 2012 is one of the many different disguises of the Ppn.exe executable file. Ppn.exe is characterized by its ability to slip on different disguises, depending on the operating system it is infecting. XP Antivirus 2012 is one of many possible names it can take, when invading a Windows XP operating system.

XP Antivirus 2012 and the Many Faces of Ppn.exe

One of the main advantages Ppn.exe has over other files is its ability to change its name and appearance. The creators of rogue security applications often circumvent real security programs by creating clones of their harmful software. Clones are copies of the same program. They tend to have different names and often a different graphics theme. However, creating clones is not an easy task for criminals. The makers of Ppn.exe avoided the problem of constantly having to make clones of rogue security programs in a rather clever way. Instead of making clones, they gave the file the ability to download different skins to change its name and appearance each time. Giving Ppn.exe new faces and disguises to choose from is much easier than having to create entirely new versions of the same program. This new development quickly caught the attention of computer security experts all over the world.

How Ppn.exe Disguises Itself as XP Antivirus 2012

Just like a criminal master of disguise, Ppn.exe can choose from a virtual closet full of masks and disguises. There are three main sets of possible disguises. Each of these has skins corresponding to the three most widespread versions of the Windows operating system: Windows Vista, Windows 7, and Windows XP. When Ppn.exe is being installed, it checks the operating system of the computer it is invading. Then, it downloads a disguise corresponding to the operating system it found. XP Antivirus 2012 is one of the possible skins for computer users using the Windows XP operating system. Similar disguises in the other two sets of skin would be named something like Win 7 Antivirus 2012 or Vista Antivirus 2012.

What XP Antivirus 2012 Does to Your Computer

XP Antivirus 2012 has several avenues of attack, all of these designed to make the computer user panic and reveal his/her credit card information. Some of these are done directly in the foreground, while some are done without the computer user's knowledge. Here is a list of XP Antivirus 2012 actions that are clearly visible and easy to detect.

- XP Antivirus 2012 starts up without your authorization. XP Antivirus 2012 is often the first thing the computer user will see after Windows starts up.

- XP Antivirus 2012 will perform fake system scans, detect numerous false infections on your system.

- XP Antivirus 2012 alarms the computer user with a constant barrage of alerts, error messages, and pop-up notifications.

Using Trojans and dangerous scripts, XP Antivirus 2012 performs several actions in the background. Here is a list of possible actions that Trojans associated with XP Antivirus 2012 perform without your knowledge.

- Block or hide executable files, programs, and restrict access to system folders on your own computer.

- Block access to the Internet or change your browser settings to redirect you to XP Antivirus 2012's own websites.

- Can alter your security settings, registry, and other important system files to make your computer more vulnerable to attacks.

XP Antivirus 2012 belongs to the FakeXPA family of rogue security programs and nas among its clones Antivirus 2010, Antivirus 360, AntivirusBEST, Nortel Antivirus, Alpha Antivirus, Anti-virus Professional, Cyber Security, MaCatte Antivirus 2009, Eco Antivirus, Antivir, Personal Security, Ghost Antivirus, Antivirus 7, Antivirus GT, Earth Antivirus, Antivirus 8, AVG Antivirus 2011, E-Set Antivirus 2011, XP Antivirus 2013.

Aliases: Win32:Zwangi-CZ [PUP], AdWare.Win32.Fednu.dz, AdWare/Win32.Zwangi.gen [Antiy-AVL], OneStepSearcher.AG [AVG], Trojan.SuspectCRC!IK, Adware.Win32.Zwangi.a (v), Adware.OneStep, not-a-virus:AdWare.Win32.Zwangi.heur [Kaspersky], a variant of Win32/Adware.OneStep.AI [NOD32], Suspicious file [Panda], UDS:DangerousObject.Multi.Generic [Kaspersky], Trojan.Generic.KD.273651 [BitDefender], HEUR:Trojan.Win32.Generic [Kaspersky], Generic Trojan [Panda] and Cryptic.CZI [AVG].

Technical Information

Screenshots & Other Imagery

Tip: Turn your sound ON and watch the video in Full Screen mode to fully experience how XP Antivirus 2012 infects a computer.

XP Antivirus 2012 Video

File System Details

XP Antivirus 2012 creates the following file(s):
# File Name Size MD5 Detection Count
1 %ALLUSERSPROFILE%\QuestScan\questscan172.exe 26,112 5bffd0b4493b22b8385b73e17638fff6 8
2 %USERPROFILE%\Local Settings\Application Data\vxe.exe 339,968 45d35cc0fbd7ffdf35f7ef86730cdc15 2
3 %ALLUSERSPROFILE%\QuestScan\questscan173.exe 26,112 e53fb610fb4c8800db4dd1209066d2e0 2
4 %TEMP%\Low\aka.exe 339,968 8759b185ac5d846a6665f47e0a9bdf13 1
5 %SystemDrive%\Documents and Settings\adrian.agnew\Local Settings\Application Data\mmc.exe 344,064 1434c50385a6e81f7ba5d081aafa9e0e 1
6 %AppData%\Local\random.exe N/A
7 %UserProfile%Local SettingsApplication Datapw.exe N/A
8 %UserProfile%AppDataLocalMSASCui.exe N/A
9 %AppData%\Local\.exe N/A
10 %Temp%\random.exe N/A
11 %UserProfile%Local SettingsApplication Datavz.exe N/A
12 %UserProfile%AppDataLocalvz.exe N/A
13 %AllUsersProfile%\random.exe N/A
14 %AppData%\Roaming\Microsoft\Windows\Templates\random.exe N/A
15 %UserProfile%Local SettingsApplication DataMSASCui.exe N/A
16 %UserProfile%AppDataLocalpw.exe N/A
17 %UserProfile%AppDataLocalopRSK N/A
18 %UserProfile%Local SettingsApplication DataopRSK N/A
19 oqf.exe 367,104 718b31c6d90a7731f88f92400cc1a212 0
20 qvf.exe 348,160 f6dd62fb6849e79d8025036a097e8f80 0

Registry Details

XP Antivirus 2012 creates the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon "(Default)" = '%1' = '"%UserProfile%\Local Settings\Application Data\.exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon "(Default)" = '%1'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\MicrosoftSecurity Center "AntiVirusOverride" = "1"
HKEY_CURRENT_USER\Software\Classes\.exe "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\DefaultIcon "(Default)" = '%1'
HKEY_CLASSES_ROOT\.exe\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CLASSES_ROOT\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\MicrosoftSecurity Center "FirewallOverride" = "1"
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile "(Default)" = 'Application'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "IsolatedCommand" - '"%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\exefile "Content Type" = 'application/x-msdownload'
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "%1" %*'

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.

HTML is not allowed.