Your computer is infected with malicious software? Do you have popups on your PC?
If so, search this blog for removal instructions or find computer threats by category.

Saturday, November 13, 2010

Remove XP Antispyware 2011 and XP Guard (Uninstall Guide)

Tell your friends:
XP Antispyware 2011, XP Guard or XP Internet Security 2011 are only a few names of the same fake security program. Basically, it's a name changing rip-off rogue application that deliberately reports false system security threats. Some other names of this misleading program are listed below. This fake program (XP Antispyware 2011, XP Guard or any other name from the list) is quite aggressive. It comes from fake online scanners, infected websites or bundled with other malware and masquerades as the security update for Windows. The rogue program drops an executable on the computer which blocks legitimate anti-virus and anti-spyware programs and causes some other problems. XP Internet Security 2011 or XP Antimalware 2011 also modifies Windows registry and makes the removal process even more complicated. Thankfully, we've got the remove instructions to help you to remove XP Antispyware 2011, XP Guard or XP Internet Security 2011 from your computer. Please follow the instructions below carefully.

This rogue program goes by many different program names listed below.
  • XP Antispyware
  • XP Antispyware 2011
  • XP Anti-Virus
  • XP Anti-Virus 2011
  • XP Total Security
  • XP Total Security 2011
  • XP Security
  • XP Security 2011
  • XP Internet Security
  • XP Internet Security 2011
  • XP Antimalware
  • XP Antimalware 2011
  • XP Guard
  • XP Home Security 2011




While XP Antispyware 2011 is running, it will pretend to scan your computer for malicious code. Obviously, it will find numerous infections, e.g. e-mail worms, trojans, spyware and other malicious software on your computer. Then it will ask you to pay for a full version of the program to remove the infections which do not even exist. Please do not fall victim to this scam. As a typical rogue, XP Antispyware 2011, XP Security or any other other name, will display fake security warnings and notification from your Windows taskbar. The text of some of the fake alerts is:
System danger!
Your system security is in danger. Privacy threats detected. Spyware, keyloggers or Trojans may be working the background right now. Perform an in-depth scan and removal now, click here.
Stealth intrusion!
Infection detected in the background. Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perform a security scan and deletion now.

Privacy threat!
Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.






So, as you can see, the rogue program does all its best to scare you into thinking that your computer is infected with spyware, trojans and other viruses. It will even claim that your sensitive information will be stolen and sold. Don't worry, all these alerts are fake. You just need to remove the rogue program and maybe some related malware from your computer and you will be good to go. XP Antispyware 2011 or XP Guard will also hijack Intenet Explorer and Mozilla Firefox. The problem is that you won't be able to download malware removal software. The rogue program will display a fake alert that the site you are visiting is dangerous. Of course, that’s not true. The fake message reads:
Internet Explorer alert. Visiting this site may pose a security threat to your system!
Possible reasons include:
- Dangerous code found in this site's pages which installed unwanted software into your system.
- Suspicious and potentially unsafe network activity detected.
- Spyware infections in your system
- Complaints from other users about this site.
- Port and system scans performed by the site being visited.


Things you can do:
- Get a copy of XP Antispyware 2011 to safeguard your PC while surfing the web (RECOMMENDED)
- Run a spyware, virus and malware scan
- Continue surfing without any security measures (DANGEROUS)


Last, but not least, XP Antispyware 2011 will block certain programs on your computer. So, first of all you will have to stop the rogue program and fix the registry. If your PC is heavily you will need to use a different computer than the infected one to download and transfer all the necessary files required to remove the rogue program. By the way, if you have already purchased this bogus program then you should contact your credit card company and dispute the charges or even cancel your credit card. Then please follow the removal instructions below. If you have any questions or additional information about XP Antispyware 2011, XP Guard or XP Internet Security 2011, please leave a comment. Good luck and be safe online!


XP Antispyware 2011, XP Guard, XP Internet Security 2011 removal instructions:

1. Click Start->Run or press WinKey+R. Type in "command" and press Enter key.


2. In the command prompt window type "notepad" and press Enter key. Notepad will come up.


3. Copy all the text in blue color below and paste to Notepad.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

4. Save file as fix.reg to your Desktop. NOTE: (Save as type: All files)


5. Double-click on fix.reg file to run it. Click "Yes" for Registry Editor prompt window. Then click OK.

6. Download recommended anti-malware software (direct download) from the list below and run a full system scan.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

7. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32.


Alternate removal instructions:

Make sure that you can see hidden and operating system protected files in Windows. For more in formation, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmarks from the checkboxes labeled:
  • Hide extensions for know file types
  • Hide protected operating system files
Click OK to save the changes.


1. Go into C:\Documents and Settings\[UserName]\Local Settings\Application Data\ folder.

For example: C:\Documents and Settings\Michael\Local Settings\Application Data\


2. Find hidden executable file in this folder. In our case it was called wmi.exe, but I'm sure that the file name will be different in your case. Rename wmi.exe to wmi.dl_ and click Yes to confirm file rename. Then restart your computer.





3. After a restart, open Internet Explorer. Download xp_exe_fix.reg and save it to your Desktop. Double-click on xp_exe_fix.reg to run it. Click "Yes" for Registry Editor prompt window. Click OK.



4. Download recommended anti-malware software (direct download) from the list below and run a full system scan.

NOTE: in some cases the rogue program may block anti-malware software. Before saving the selected program onto your computer, you may have to rename the installer to iexplore.exe or winlogon.exe. With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.

5. New threats appear every day. In order to protect your PC from such (new) infections we strongly recommend you to use ESET NOD32.



Associated XP Antispyware 2011, XP Guard, XP Internet Security 2011 files and registry values:

Files:
  • C:\Documents and Settings\All Users\[SET OF RANDOM CHARACTERS]
  • C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS]
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[3 RANDOM CHARACTERS].exe
  • C:\Documents and Settings\[UserName]\Templates\[SET OF RANDOM CHARACTERS]
  • C:\Documents And Settings\[UserName]\Local Settings\Temp\[SET OF RANDOM CHARACTERS]
For example: [SET OF RANDOM CHARACTERS] = d5a8krfpei0913mt2ts3px3c78qw

Registry values:
  • HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
  • HKEY_CURRENT_USER\Software\Classes\.exe "Content Type" = 'application/x-msdownload'
  • HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon "(Default)" = '%1' = '"C:\Documents and Settings\[UserName]\Local Settings\Application Data\[3 RANDOM CHARACTERS].exe" /START "%1" %*'
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "(Default)" = '"%1" %*'
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
  • HKEY_CURRENT_USER\Software\Classes\exefile "(Default)" = 'Application'
  • HKEY_CURRENT_USER\Software\Classes\exefile "Content Type" = 'application/x-msdownload'
  • HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon "(Default)" = '%1'
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"C:\Documents and Settings\[UserName]\Local Settings\Application Data\[3 RANDOM CHARACTERS].exe" /START "%1" %*'
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "(Default)" = '"%1" %*'
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "IsolatedCommand" - '"%1" %*'
  • HKEY_CLASSES_ROOT\.exe\DefaultIcon "(Default)" = '%1'
  • HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"C:\Documents and Settings\[UserName]\Local Settings\Application Data\[3 RANDOM CHARACTERS].exe" /START "%1" %*'
  • HKEY_CLASSES_ROOT\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
  • HKEY_CLASSES_ROOT\.exe\shell\runas\command "(Default)" = '"%1" %*'
  • HKEY_CLASSES_ROOT\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
  • HKEY_CLASSES_ROOT\exefile "Content Type" = 'application/x-msdownload'
  • HKEY_CLASSES_ROOT\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
  • HKEY_CLASSES_ROOT\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'
  • HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"C:\Documents and Settings\[UserName]\Local Settings\Application Data\[3 RANDOM CHARACTERS].exe" /START "%1" %*'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"C:\Documents and Settings\[UserName]\Local Settings\Application Data\[3 RANDOM CHARACTERS].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"C:\Documents and Settings\[UserName]\Local Settings\Application Data\[3 RANDOM CHARACTERS].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"C:\Documents and Settings\[UserName]\Local Settings\Application Data\[3 RANDOM CHARACTERS].exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"'
Share this information with other people:

51 comments:

Anonymous said...

The registry fix is greatly appreciated. This malware affects the user profile to prevent launches of most exe ... this fixed it.

If you are not too attached to your user profile, delete it and create a new one.

Anonymous said...

Thank you so much, i sucessfully removed the virus.It still doesn't let me download new updated as still works on internet exlorer with no add ons. So i installing Mozilla Firefox from some other computer. Thank you.... Sonia Mattewal

Anonymous said...

Thank you very much for taking the time and effort to post these instructions. I'm not a real technical computer user, but I realized very quickly that this rogue anti-virus software was malware. It is a nasty and irritating virus. Fortunately I already had Malwarebytes downloaded and once I ran it after running your executable file - no more problem.Chris Eastwood. Dallas.

Anonymous said...

Thanks for the help. Took a little digging to find the offending file but your alternate instructions worked well.

Anonymous said...

Thanks worked like a charm!

Anonymous said...

Thanks, I am usually skeptical about some site that tend to "help" and end up infecting you more. But this is legit and works great. Really Appreciated.

Anonymous said...

Alternate removal instructions worked well.
Thanks for the post and really appreciated.

Anonymous said...

so for the associated registry values, I need to delete these all together if i have any registry values that match your list?

Anonymous said...

and what if my registry values are in a different location? e.g. the values:
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
HKEY_CURRENT_USER\Software\Classes\.exe "Content Type" = 'application/x-msdownload'

i have the same values, "(Default)" = 'exefile'
and "Content Type" = 'application/x-msdownload'

but they are in HKEY_CURRENT_USER\Software\Classes\exefile and
HKEY_LOCAL_MACHINE


And thanks, method 1 worked great for me to ammend the registry to get going again. just brilliant!

Anonymous said...

Many thanks for the tips. I was able to remove the program (on my XP PC) by deleting the .exe files that were named things like "lej.exe" or "csm.exe" from my C:\Documents and Settings\Andrew\Local Settings\Application Data\ folder. I had to click the options to show hidden files, as you said.

The registry fixes (which I didn't actually understand) worked I think. :-)

I too was cautious about following instructions from a blog but this saved me a lot of trouble.

Thanks again.

Anonymous said...

thanks it was easy and succesfull

Bill W said...

I renamed that wmi.exe file to wmi.dl_ and restart my computer as instructed, but windows cannot start.

Anonymous said...

Thanks a lot for the post. There are so many instructions/softwares out there, but I do not know which one to trust. I followed the instructions after I read Chris Eastwood's comments. It was very simple to do!

Malwarebytes works very well. I have McAfee installed on my PC, but it never performs when there is real threat or virus on my PC. :-( It could not even scan when infected.

Linda said...

Heyy, if i remove the virus like this , would all my files and pictures and eetc be lost too, or would this only remove the virus?
Please reply asap. Thank you.

Anonymous said...

Thanks! This worked to remove the malware from my computer.

Anonymous said...

Thanks for the guide! The only comment I'll make is that renaming the Malewarebytes installer did not allow it to be run and may have caused some exe fille association issues.

After Malwarebytes did not work, I ran SuperAntiSpyware without a problem.

Appreciate it!

Nanjundi said...

Thanks a lot. It worked!.

My infected pc didn't have HKEY_CLASSES_ROOT\secfile, so steps 3,4,5 didn't work automatically.
I had to manually search for the keys and remove them using regedit.

xp_exe_fix.reg came to my rescue when I thought I had messed up my xp.

Excellent instructions.

Liv said...

Such a simple and clear guide. Thank you so much.

I used the first method and everything worked perfectly. That is, create fixreg - once run, my hijacked browsers worked again so I could download Malwarebytes and do a full system scan.

Must also add that Malwarebytes is one nifty program - certainly for keeps.

Once again, thanks. You saved me a migraine!

Best regards.

Anonymous said...

I was pretty skeptical about this at first. How the heck was this suppose to work?

But it did! Hard to believe that it's so easy to remove this virus.

Thank you SOOOOO much! : )

Anonymous said...

very very tank you so much :) :) :() :))

Anonymous said...

Help, this isn't working! I tried Alternative 1 and when I tried to run fix.reg, it said "the specified file was not a registry script. You can only import binary registry files from within the registry editor." And with Alternative 2, there were no hidden executable files within my "Application Data" folder. There is a system file with a ridiculously long, nonsensical name, 3 application files with only 3 letter names (eg. "btc"), a DAT file, a database file, and something called "configuration settings." So basically, I'm following all your instructions and it's still not working. Any help would be greatly appreciated!

Anonymous said...

Success!!!!!! THANK YOU ! This bugger was NASTY!

What worked for me (for those suffering from due to this malware)- alternative Method (the 2nd listed method)
Specifically it allowed me to : 1. regain internet access 2. Run Anti-Virus scanners 3. Prevented the XP Total security 2011 program pop ups from loading (specifically PRM.exe, what was causing it initially, never appeared in the task manager).
I felt much more comfortable with the renaming of the specific hidden files that were causing the problem as i knew that would disrupt the execution. Thank you SO Very Much! Greatly appreciated!

Anonymous said...

Option #1 worked perfectly for me. Easy step by step instructions. THANK YOU !

Benoit
Gatineau
Qu├ębec
Canada

Anonymous said...

should i do either of these processes in safe mode?

Anonymous said...

Thanks a lot. You saved my life! :-)

Anonymous said...

Thank you very much! Option 1 worked for me as well.

Kharlan said...

Alternative Removal Instructions worked successfully for me! This guide is very helpful

Thanks!

Anonymous said...

that was very good. thanks for sharing.

Anonymous said...

Salamat!.. i mean Thank! =)

Anonymous said...

Thanks so much for this. :) :)

Anonymous said...

Good tips. Don't use Stopzilla or the PCtools antivirus. They say they are free but they will not remove anything without paying them first. BS!
This virus keeps getting worse and worse.

Anonymous said...

THANKS...for your guidance to removal this FAKE Antivirus..It's Works and Good Jobs..
Salute..

Anonymous said...

thanks...i thought it was the real update that made my problem...but until i found this site it calm me down.. hoosh thanks!! -G

venkatesh said...

Thank you so much.......it works great for me.....really thank ful to you................

Anonymous said...

This seems to have worked. I followed the alternative instructions. The hidden execution file was located in C:\Documents and Settings\user\Local Settings\Application Data\ApplicationHistory

I thought this was strange, but so far it seems to be working.

Thank you!

Beky said...

I can't thank you enough for this. I was freaking out when this came up on my computer, since I saw it completely kill another coworker's hard drive just last month. I was able to use the alternate method you listed, and super anti-spyware is now doing a system scan (and boy has it found a lot... not too thrilled with the job Trend Micro has been doing on my computer then!!) Thanks again!!!

Beky said...

by the way -- the program was "ifu.exe" ... the 2nd-3rd letter combination seemed especially cruel !!

Anonymous said...

Your instructions work like a charm. Thanks a ton!!!

Anonymous said...

Thank you!

Al said...

The link to download xp_exe_fix.reg doesn't work for me ??? Has it been corrupted?

Admin said...

No, it's not corrupted. The links works for me. Try to download it again. Your download should automatically begin in a few seconds.

Virus Everywhere said...

Cool. Method 1 for me. The virus scan found lots of things, including a Bad:(1)Good:(0) message in some files :( Scary. And what about that lmq.exe !!! Thanks a lot for the relief

Harold said...

The registry keys were an awesome help. Thanks for helping get us back on track!!!

Anonymous said...

The fix.reg file works great for me.It is quick and easy. Thanks a lot!

Anonymous said...

thanks a lot

Anonymous said...

The reg.fix did the trick. Great advice! Thank you much

Anonymous said...

I had issues with the first option. But the Second option worked great!!! This was for my daughters computer and there always seems to be issues on her computer. Thanks for the link to the antivirus too. I'll give them a try. Thanks for your help and easy instructions!!

Anonymous said...

U have mentioned in the note section of point6 that the installed program should be updated before proceeding...but the hitman pro program directly scans the system. So, does this particular program have any bug??

Ryan B said...

I too have Windows XP and got the XP Anti Spyware Virus. This is what worked for me:

I used a free program called Super Anti Spyware. I have used it previously, and it effectively removed the Windows Repair virus when Malwarebytes could not. It’s totally free and it continues to rock my socks off! Go to “http://www.superantispyware.com/” and download the free edition and then transfer it to your infected computer using a cd or usb drive.

Also, in order to fix the EXE problem where programs won’t load because of a broken file association, I visited “http://www.pcreview.co.uk/forums/exe-files-wont-open-t532346.html” and followed Venkatesh’s link “http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip”. Inside the zip folder, I found a reg file, which I transferred via usb/ cd, then simply double clicked, and pressed “okay”.

Abracadabra, my computer was fixed! Hope this works for you too!

PS. I was able to open Superantispyware and after a couple of scans and quarantines remove the virus completely. Then I used the reg file. If doing them in this order does not work, you might try the reverse (Use reg file first, then wipe out the virus with SuperAntiSpyware).

PS.S. Make sure to update SuperAntiSpyware, if possible, before scanning. And continue to scan until nothing else needs to be removed.

Admin said...

Hitman Pro automatically updates whenever it detects a new version of the program. You can't update it manually. And that's ok, because it sends any suspicious file to the "cloud" and then checks if it's malicious or not. Hitman Pro is a good scanner, no need to worry. Good luck!

Anonymous said...

Alternate removal instructions worked like a charm. The hidden executable file was named .tef.

Thanks!