
Tuesday, June 7, 2011

Remove XP Antispyware 2012, XP Internet Security 2012 (Uninstall Guide)

XP Antispyware 2012, XP Internet Security 2012, XP Security 2012 are only a few names of the same fake rogue anti-virus application. It pretends to scan your computer for viruses and reports non-existent security threats in order to scare you into thinking that your computer is infected with malicious software. The scan is free but if you want to remove the fraudulently-reported infections, you need to pay. Just for the record, XP Antispyware 2012 cannot remove any malware from your computer and once you've paid, it just states that your computer is perfectly fine and protected against the latest Windows security threats. This rogue AV software simply lulls users into a false sense of security, believing that their systems are protected which is even worse than knowing that your computer is not protected at all. Anyway, if you are infected with this fake antivirus application, please follow the steps in the removal guide below to remove XP Antispyware 2012, XP Internet Security 2012 or XP Security 2012 from your computer as soon as possible.

This rogue security program goes by many different names listed below.
  • XP Antispyware 2012
  • XP Antivirus 2012
  • XP Security 2012
  • XP Home Security 2012
  • XP Internet Security 2012
  • XP Total Security 2012




While running, this rogue antivirus constantly displays fake security alerts and notifications about serious security threats every few minutes.


Privacy threat!
Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.


What is more, the fake AV may open up Internet Explorer and load random pornographic websites. It could be anything actually, fake pharmacy or health care web pages, gay porn and similar websites. However, most of the time it just blocks other applications, including Internet Explorer, stating that it's infected with Trojan-BNK.Win32.Keylogger.gen.

It also displays a fake Internet Explorer Security Alert which basically says that pretty much every website that you're about to visit is malicious and may infect your computer. It blocks other web browsers too.



This rogue antivirus application also displays a fake Windows Security Center window which states that your computer is not protected and that you should install anti-virus software. Of course, it promotes rogue anti-virus applications, XP Antispyware 2012, XP Security 2012 and others.



XP Antispyware 2012 prompts the users of the infected computer to register the program in order to remove the threats which do not even exist. Here's a screenshot of what the fake payment page looks like:




Quick removal:

1. Update: You can use this debugged serial key 9443-077673-5028 or 3425-814615-3990 to register the rogue application in order to stop the fake security alerts. Just click the Registration button and then select "Activate manually". Don't worry, this is completely legal. If the debugged serial keys do not work anymore, please follow the removal instructions below.



Once this is done, you are free to install anti-malware software and remove the rogue anti-virus program from your computer properly.

2. Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.

XP Antispyware 2012, XP Internet Security 2012 removal instructions are outlined below in case the . If you need help removing this annoying malware from your computer just leave a comment below. And if you have any additional information that you think may help our readers, just let us know. Good luck and be safe online!


Alternate removal instructions:

Make sure that you can see hidden and operating system protected files in Windows. For more information, please read Show Hidden Files and Folders in Windows.

Under the Hidden files and folders section, click Show hidden files and folders, and remove the checkmarks from the checkboxes labeled:
  • Hide extensions for known file types
  • Hide protected operating system files
Click OK to save the changes.


1. Go into C:\Documents and Settings\[UserName]\Local Settings\Application Data\ folder.

For example: C:\Documents and Settings\Michael\Local Settings\Application Data\


2. Find the hidden executable file in this folder. In our case it was called wmi.exe, but the file name will most likely be different in your case. Rename wmi.exe to virus.exe and click Yes to confirm the file rename. Then restart your computer.




3. After a restart, copy all the text in bold below and paste to Notepad.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

4. Save file as fix.reg to your Desktop. NOTE: (Save as type: All files)


5. Double-click on fix.reg file to run it. Click "Yes" for Registry Editor prompt window. Then click OK.

6. Open Internet Explorer. Download xp_exe_fix.reg and save it to your Desktop. Double-click on xp_exe_fix.reg to run it. Click "Yes" for Registry Editor prompt window. Click OK.



7. Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.

NOTE: With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


XP Antispyware 2012, XP Internet Security 2012, XP Security 2012 removal instructions:

1. Click Start->Run or press WinKey+R. Type in "command" and press Enter key.


2. In the command prompt window type "notepad" and press Enter key. Notepad will come up.


3. Copy all the text in blue color below and paste to Notepad.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

4. Save file as fix.reg to your Desktop. NOTE: (Save as type: All files)


5. Double-click on fix.reg file to run it. Click "Yes" for Registry Editor prompt window. Then click OK.

6. Download recommended anti-malware software (direct download) and run a full system scan to remove this virus from your computer.

NOTE: With all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.


Associated XP Antispyware 2012, XP Internet Security 2012, XP Security 2012 files and registry values:

Files:
  • C:\Documents and Settings\All Users\[SET OF RANDOM CHARACTERS]
  • C:\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS]
  • C:\Documents and Settings\[UserName]\Local Settings\Application Data\[3 RANDOM CHARACTERS].exe
  • C:\Documents and Settings\[UserName]\Templates\[SET OF RANDOM CHARACTERS]
  • C:\Documents And Settings\[UserName]\Local Settings\Temp\[SET OF RANDOM CHARACTERS]
Registry values:
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"C:\Documents and Settings\[UserName]\Local Settings\Application Data\[3 RANDOM CHARACTERS].exe" -a "%1" %*'
  • HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"C:\Documents and Settings\[UserName]\Local Settings\Application Data\[3 RANDOM CHARACTERS].exe" -a "%1" %*'
  • HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"C:\Documents and Settings\[UserName]\Local Settings\Application Data\[3 RANDOM CHARACTERS].exe" -a "%1" %*'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"C:\Documents and Settings\[UserName]\Local Settings\Application Data\[3 RANDOM CHARACTERS].exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'
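
One way to check a registry export for the hijacks listed above (an added example, not code from the original post): it parses `.reg`-format text and flags the `"<launcher>.exe" -a "<target>"` pattern, `.exe` class redirects and Security Center overrides. The sample export, the file name `abc.exe` and the rule labels are constructed for illustration, and the override values are assumed to be stored as DWORD or string `1`.

```python
import re

# Constructed sample in `reg export` text format (not from a real host).
# "abc.exe" stands in for the randomly named 3-character executable.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\Michael\\Local Settings\\Application Data\\abc.exe\" -a \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\Michael\\Local Settings\\Application Data\\abc.exe\" -a \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
'''

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# Launcher pattern from the indicator list: "<dropper>.exe" -a "<real target>"
WRAPPER_RE = re.compile(r'^"([^"]+\.exe)"\s+-a\s+"', re.IGNORECASE)
# Paths are lower-cased by parse_reg(), so these patterns are lower-case too.
CLASSES = r'^(hkey_classes_root|hkey_current_user\\software\\classes)'
EXE_HANDLER_RE = re.compile(CLASSES + r'\\(\.exe|exefile)\\shell\\open\\command$')
EXE_EXT_RE = re.compile(CLASSES + r'\\\.exe$')
SECURITY_CENTER = 'hkey_local_machine\\software\\microsoft\\security center'


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def _decode(raw):
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith('dword:'):
        return int(raw[6:], 16)
    return raw  # other types (hex:, ...) are kept as raw text


def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            # "[-KEY]" is a deletion directive in a .reg file, not exported data
            current = None if m.group(1) else keys.setdefault(m.group(2).lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1)
            name = '@' if name == '@' else _unescape(name[1:-1]).lower()
            current[name] = _decode(m.group(2))
    return keys


def audit(keys):
    """Return (rule, key_path, detail) tuples for each hijack indicator found."""
    findings = []
    for path, values in keys.items():
        default = values.get('@')
        if EXE_HANDLER_RE.match(path):
            # A healthy handler passes the clicked program straight through.
            if default != '"%1" %*':
                findings.append(('exe-handler-hijack', path, default))
        elif EXE_EXT_RE.match(path):
            if default not in (None, 'exefile'):
                findings.append(('exe-class-redirect', path, default))
        elif '\\clients\\startmenuinternet\\' in path and path.endswith('\\command'):
            if isinstance(default, str) and WRAPPER_RE.match(default):
                findings.append(('browser-launch-wrapper', path, default))
        elif path == SECURITY_CENTER:
            for name in ('antivirusoverride', 'firewalloverride'):
                if str(values.get(name)) == '1':
                    findings.append(('security-center-override', path, name))
    return findings


def suspect_executables(findings):
    """Launcher paths named in hijacked commands: the file to look for on disk."""
    found = set()
    for _rule, _path, detail in findings:
        m = WRAPPER_RE.match(detail) if isinstance(detail, str) else None
        if m:
            found.add(m.group(1))
    return sorted(found)


if __name__ == '__main__':
    results = audit(parse_reg(SAMPLE_EXPORT))
    for rule, path, detail in results:
        print(f'{rule}: {path} -> {detail}')
    print('launcher files:', suspect_executables(results))
```

Registry Editor writes "Version 5.00" exports as UTF-16, so read a real export with `open(path, encoding="utf-16")` before passing its text to `parse_reg`.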

283 comments:

Kevin said...

I just wanted to chime in and say thanks for this! The manual removal process saved one of the computers in my office! Thanks again!

Giovanni Le said...

Hi there, the first option won't work for me because my APPDATA is messed up or something and won't let me download the Malware and for the alternate version, it won't let me access that folder, it says access denied! :(

ginger said...

hi thanks for the info, i used method one i dont know if the virus is completely deleted though cuz i input that keycode u gave, so i was thinking that the fake antivirus program might just disappear just cuz i already put in a keycode? and also, my firefox dont work, only IE works cuz i changed the proxy connection setting, does this mean i still have that virus?

Anonymous said...

thanks so much for ur help! the first method worked i was able to install malwarebytes. But I still have a question; how do i know for sure the xp antivirus 2012 is removed? we inserted the reg key, so its kinda like we accepted the program...so now how do i check to see if it is completely deleted? im worrying about this cuz my IE works, but now firefox doesnt load its sayin somethings wrong with proxy...

Frank said...

Got infected with this nasty virus yesterday. This solved it for me after 2 hours of frustration! Thanks, a great help!!!!!

Anonymous said...

A million thanks :)

Kat said...

I tried using the notepad method and now when I try to run anything I get "not valid win32". Help lol

Hadar said...

I tried like 6 different ways to remove this thing, offered by different sites and blogs - and this is the only one that actually worked!
Thanks!

Anonymous said...

Thanks! Gracias!

Donna said...

didn't work

Anonymous said...

Thanks a lot. Method one worked right away!

Kenny, Richmond, CA

Anonymous said...

Worked the first time and I'm not an IT tech! Thank you soo much.

Anonymous said...

:/ I think they've keyed on to the reg key being distributed as a getaround and banned that key.

Anonymous said...

nice dude! thanks! :)

Pat said...

THANK YOU!

My brother in law got this virus on my computer a couple of days ago. Method 1 worked perfectly at removing it. I’m saying it again, THANK YOU!

Anonymous said...

None of the above options are working for me any more suggestion. I tried registering with the above number and it gives the message "invalid code".. Also I'm not able to open fix.reg as the virus blocks it.. currently my desktop is black w/out any icons.. for method two I don't have "folder option" in control panel...

Anonymous said...

Method 2 did the charm. Full scan X2 then restart the computer.
Thank you so much.

Bob said...

Thanks sooo much for the fix you posted. I had tried a couple of others as well as your first manual without success . . but the second manual process was the charm and saved 2 office computers! Very easy as well with the reg.exe that i am assuming you created. Thx again!

Anonymous said...

Working so far. After running reg file I can open my browser to download SpyBot..however even though I renamed the installer file still won't let me run it.. anyone else have this problem?

Anonymous said...

the key 1147-175591-6550 is invalid!!!!!

Anonymous said...

Help! I did make the fix.reg file and now i cannot open any .exe files....

Anonymous said...

Hello. Thanks for the help so far but now I can't open any program, without locating the exe ?

Anonymous said...

Amazingly effective. Very useful. Thank you very much for your help!

Anonymous said...

Don't even bother. Downloading spybot is the same as downloading a parasitic spyware. The only thing it does is take control of ur system and infect it! :(

Anonymous said...

Keep in mind the "activation" key may not work. It did not for me.

However, I killed the process by going into task mgr. The process on my pc was ghq.
It may pop up again, however, keep killing it.

other than that, these steps worked!

Thanks!

Anonymous said...

Thanks Dude . . . .

Anonymous said...

Thank y'all! Tried Method 2 and it worked great!

Zsolt, Shreveport, LA

Anonymous said...

Thankyou

May the road rise up to meet you.
May the wind always be at your back.
May the sun shine warm upon your face,
and rains fall soft upon your fields.
And until we meet again,
May God hold you in the palm of His hand.

Anonymous said...

the reg key is invalid.
what can i do ?

Admin said...

Reg key is OPTIONAL, it doesn't remove the rogue program. Please follow the removal instructions.

Anonymous said...

Registry Key Doesn't Work...please Give me a new key..

Anonymous said...

Thnx A lot.I m from Pakistan..............You Are a REal Computer Freak...........Thnx Bro Wish you best of Luck.......

Anonymous said...

whoever wrote this virus should be fed to sharks. Bit by bit. Just backin up some files and photos to external drive before attempting your tips. Do you know if this removes all of it? In the sense that is internet banking going to be safe or could there potentially be some spy ware left behind that could be a risk in the future? Raisa from UK

Anonymous said...

Method 1 saved my wife's laptop. THANK YOU!

Anonymous said...

You are a Legend! Straight forward steps, and its gone within the hour, Method 2 by far the best! Another shout out goes to Google Chrome for running properly when explorer and firefox failed, otherwise i would have been screwed!!! I would like to punch whoever created this scareware in their reproductive organs for being a blight on humanity, and for almost ruining my night by not letting me print my tickets!

Anonymous said...

The alternate options worked.! Thanks a bunch.

74989be4-9b22-11e0-b271-000f20980440 said...

the virus wont let me open my documents or my computer help!!!

Anonymous said...

Thank you. I used method 3 (alternative method) because I could not get to the page to cut and paste the HKEY entries. I did find the xxx.exe (3 chars) program under Local/Application Data/ and renamed as you instructed. However, when I restarted my PC, the system did not know how to run IExplorer.exe or Firefox.exe and asked me "Choose a program to open this file type." Somehow, I got IE to connect to the internet where I was able to download the patch and repair the registry. After that, I did MalwareBytes and SuperAntispyware (also recommended by my IT shop).

Anonymous said...

This blog is my one stop for all malware removal advice. Outstanding work as ever.
Regards Devilish Pcs.

Anonymous said...

U rock! Thanks for saving my A$$. Keep up the great work.

Anonymous said...

I had to keep end tasking xfv.exe so I could open any other programs. Managed to download and install malwarebytes now. Running a scan now, so fingers crossed

Anonymous said...

Find, rename, restart, delete. 3rd time I've seen an iteration of this in 2 years, each time on a different computer. Whoever designed this is a jerk.

Anonymous said...

im pretty sure that you visited "PORNTUBE", thats why, you get that, ^_^

Anonymous said...

Thanks sooooooo much!!! Keeping my fingers crossed that its over!!! I couldn't use the codes so I just followed the removal instruction to command and notepad. =)

Anonymous said...

Thank you!

Anonymous said...

Thank you for these fix instructions. Worked for me.

Anonymous said...

Thanks a million! Solution two worked! This will be my first stop now for malware removal.

Rick said...

perform safe mode boot with networking. Ran 'fix.reg'. Open WinExplr and download Malwarebytes Anti-Malware. Now running scan. So far 2 infected objects found. Unsure how long before the scan completes but things are looking better.

Thx for the tip.

Anonymous said...

Thanks worked for me. Any idea what the vulnerability is? I just visited a website and didn't click on any installer to get this thing as soon as I saw the popup I killed the process.

Anonymous said...

Thanks, i've had the virus for a few days. Scanning my computer with Malwarebytes' Anti-Malware now. Keep up the good work

Anonymous said...

I tried method one and it said invalid key! Help me! :(

Anonymous said...

2. "Find hidden executable file in this folder. In our case it was called wmi.exe, but I'm sure that the file name will be different in your case. Rename wmi.exe to wmi.dl_ and click Yes to confirm file rename. Then restart your computer."

I cannot find the wmi.exe in my folder.. help?>__<

Anonymous said...

it says invalid reg key

Anonymous said...

the registration key doesn't work to my pc ..help me plzzzzzz

Anonymous said...

One other method that seems to work well with just about any nasty viral infection and is much simpler than trying to edit the registry manually is to use system restore in safe mode, with a restore point prior to the infection time.

To start System Restore using the Command prompt, follow these steps:
Restart your computer, and then press and hold F8 during the initial startup to start your computer in safe mode with a Command prompt.
Use the arrow keys to select the Safe mode with a Command prompt option.
If you are prompted to select an operating system, use the arrow keys to select the appropriate operating system for your computer, and then press ENTER.
Log on as an administrator or with an account that has administrator credentials.
At the command prompt, type %systemroot%\system32\restore\rstrui.exe, and then press ENTER.
Follow the instructions that appear on the screen to restore your computer to a functional state.

Upon restart, you'll be able to launch MBAM, run a full scan, and remove this crap from your system for good. This approach has worked for me every time I've used it since learning about it. Not sure why it's not more publicized. I found out about it in the comments of one of these message threads.

Anonymous said...

Thank you, a thousand thank yous. I am not proud to admit that I fell for this scam a few months ago and paid the $59.95!!!! Not until it popped up again this morning that I sussed I had been duped and blog. Can I get my money back do you know?- Jackie xxx

Bruce Bruce said...

the virus seem to have subsided, however, i seem to be having problems opening icons on my desktop, ie, my computer files, etc... it asks me to look for the program to open the file with... please help, and thank you for the post.

Anonymous said...

Thank you so much!

Anonymous said...

The registry key for the first step isn't working for manual. Is there another?

Admin said...

No, unfortunately there isn't.

Anonymous said...

what should we do about the key then?

Admin said...

The key was optional. Please follow the manual removal instructions.

Sara said...

Mine was under axv.exe and i followed instructions on here and that bastard seems to be gone, hopefully i got it all off my computer now!

Anonymous said...

Thanks! Your guide helped a lot. The virus ceased to come up again. But when I run a few programs or try to use system restore in control panel, nothing happens. Why is that?

Anonymous said...

Worked Perfectly For Me. Thanks so much!!

Jimm, UK.

Anonymous said...

Good advice, but I've had Nod32 in my system for the past year. Even though the version is current and did not require an update, this horrid virus still got through last night while my daughter was trying to finish an important project for school. Fortunately, I have two other computers in the house (with AVG free) that remain virus free. I had a similar problem two years ago (again, with Nod32 on the system), so I'm a little disappointed that I can't depend on E-set to protect my system anymore.

Anonymous said...

I had to spend about 6 hours going through all the instructions on this page (mostly due to waiting for the Malwarebytes full scan), but it appears to have solved the problem ... THANKS!
PvH

graynecis said...

The key doesn't work now.. please help..huhuhu

Anonymous said...

I have tried method 2 and now however, when I restarted my PC, the system did not know how to run IExplorer.exe or Firefox.exe and asked me "Choose a program to open this file type."
How do I proceed ?

Anonymous said...

I have used method 2 however when I restarted my PC, the system did not know how to run IExplorer.exe or Firefox.exe and asked me "Choose a program to open this file type." How can I proceed ?

Anonymous said...

the second solution rocks!!!!tnxxxxx

Anonymous said...

So, why doesn't McAfee security software prevent this virus?

Anonymous said...

Hey admin.. Tell us how to open firefox and other apps like skype after removing the virus and restarting the computer..

Admin said...

Open Internet Explorer. Download FixNCR.reg and run it.

Anonymous said...

when i rename my bad exe file to dl_, i can't open any programs! no explorer, no mbam, no clock. please help

Anonymous said...

second method worked for me too. I also have NOD32, quite mad it didn't pick this virus up.

Anonymous said...

I solved my problem by revealing the hidden files method you mentioned above. This has been the only thing that worked!!! I spent almost 6 hours trying to figure this out. Thanks so much!!!

Anonymous said...

Thanks so much for this!! This virus blocked my access to the internet, so had to Smartphone my way to your solution -- Method 1 got me back on the internet for the rest of the fix. You saved my laptop and my day!!

Anonymous said...

Wow! Thanks so much! This stupid "virus" attached to my laptop this morning and I've been freaking out all day trying to fix it. I'd feel a little better if at least I was surfing porn, instead of just regular news. The second input key worked for me. You guys Rock. Keep up the great work! Is it ok for that new xp shield to stay on the task bar after using the code?

freddy said...

Apparently this virus dies after 6 days, so if you set your clock 6 days ahead from the time of infection it will disappear on startup. Still need to get rid of the xxx.exe file in application data folder and then run the FIXNcr.reg file admin has awesomely posted or you may have problems running programs. Thanks admin!

Anonymous said...

I have malwarebytes already installed on my PC so how did it still manage to get attacked by this virus?? Going to try the removal now

Anonymous said...

Thanks guys, this process worked perfectly first time.

Anonymous said...

This virus has claimed two of my room mates computers now mine, but I was able to clear registry values, deleted the virus named it self .olg exe. I was able to remove enough of it to launch Malwarebytes did scan restart did another scan which found even more then upon the third scan found the rest. Dodged that bullet

Anonymous said...

Thank you very much! Method 2 worked for me, too, with just a slight modification. Since none of my browsers would work after changing the file extension from .exe to .dl_, I downloaded your .reg file on a different computer, saved it on USB storage, and transferred it onto the now uninfected unit. Thanks again!

Tony

Anonymous said...

Contracted this nasty virus yesterday. Rendered my machine virtually useless. Was contemplating wiping my machine and rebuilding before I found your blog. Method one, key two did the trick. Thank you so much for all your hard work in finding the remedy and for sharing it.
YOU ARE A STAR!!!
Thank you!

Anonymous said...

And, it is necessary to inspect it.

C:\WINDOWS\system32\unkkp.dll or ebhxzg.dll

Removable Disk:autorun.inf
Removable Disk:RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx

Anonymous said...

Thank you very much - would have lost years of information without this help!!

Anonymous said...

PLEEASE HELP!!!...I did everything to a T but when I run fix.reg it says its not a registry script and that I can only import binary registry files from within the registry editor......Please can some one help me and tell me how to get this worked out please!!

Anonymous said...

In my case i had to copy regedit.exe from a working machine as the malware seems to have deleted that too.
Thanks anyway

Anonymous said...

Method 1 worked for me up to the Malwarebytes. The program ran about 3-4 hours on my computer and then crashed. I repeated this with the same results. Is there a workaround to this? Is it safe to use the computer?

Anonymous said...

I've never had to do anything like this before, this page has been a great help and I recommend it highly. Thank you.

Anonymous said...

thanks so much..
these steps made it easy for me to remove all the viruses. it really worked!

Anonymous said...

This article pointed me in the right direction.
My daughter had XP Security 2012 on her laptop.
I managed to start it in "Safe" mode with network connection. This gave me access to Internet.
Downloaded and ran Malwarebytes, which cleared some of the infection but the laptop would no longer recognise "exe" files.
Restarted again in Safe mode, got into "System Restore" and reset computer to three months earlier.
Ran Avast! quick scan, then rebooted and ran Avast! boot scan (which bypasses the operating system).
Looks as though the system is now clear.

Anonymous said...

Trying so hard to do this. After double clicking fix.reg then clicking yes for the registry question step 6 is where I'm confused. The computer that I'm working on doesn't let me do anything on the internet so I don't understand how to download these programs once I get to this step. Now trying alternate option and running into same problem on step 3. Any help would be appreciated! :)

Anonymous said...

Thanks so much - the registry key worked for me. How do I completely remove it from my computer - it does not show up in my list of programs but still shows as an open program at the bottom of the page. What is it called besides "XP Internet Security 2012"?

Anonymous said...

Found the one that was infecting my friend's computer under c:\documents and settings\networkservice\local settings\application data\dtm.exe
Maybe this will help someone else

Anonymous said...

please help me i can not get it to work i can go to yes then ok then it just exits out of it

Anonymous said...

Thank you so much for your insight and technical expertise! Kudos!! I was able to eliminate "XP Internet Security 2012" in a relatively short time. Saved me from a nightmare!! One thing I did do was delete the corrupting file. In my case it was spn.exe. I renamed it to spn.dl_, rebooted and all was okay. I then deleted the file and emptied the trash. I also loaded Symantec's Norton 360 to hopefully catch any recurrences. I hope this helps someone else who is experiencing this problem.

Anonymous said...

I followed the suggestion and could not run the fix.exe and nothing happened after the reboot. So I was able to kill the virus processes through the task mgr by stopping any three lettered program. Doing that got the pop ups to stop and allowed me to get to the Internet. I still couldn't run any programs. I was able to download malwarebytes but needed to name it iexplore.exe for it to run. It seemed to remove the virus and my pc is running much than before it got infected. The info above was a lot of help thanks for being a virus fighter.

Anonymous said...

Thank you!!!! The second method worked great for me! (My file was ell.exe just for information.)

A million times thanks!

Anonymous said...

thank u very much! you solved my problem

Anonymous said...

OK, so you solved my problem. BUT. I still have the command window up and it wont let me lose it? Its saying that "Windows cannot end this program. It may need more time to complete an operation." And im worried that if i do close it this stupid virus will come back, i have done the run.exe and that seemed to have worked. But when i try deleting the whole thing off my computer it either cant find it on 'My computer' Or i cant find it in the program list? Thanks for the excellent instructions, though if you could please explain how to delete this off your computer for good that would b greatly appreciated. Cheers.

JHE said...

The method of opening in safemode and using system restore to an earlier date, as suggested above - see June 22, 2011 12:30 AM - worked perfectly for me. Many thanks

Anonymous said...

Ok. Thanks the code did not work more ... There is another code? Thank you.

Anonymous said...

THANK YOU!!!!! absolute life-saver. btw, I used Method 1 and the 2nd activation key worked just fine.

Anonymous said...

Thank you for this. I used Method 1 (nervously) and code 2 and all seems to have worked ok. I have recently started using free anti virus (Avast) but have had this problem so am thinking about going back to purchase Norton Internet Security as I never had problems when using it. If I use Avast and now the free Antispyware that you recommend, should that be enough?

Anonymous said...

Hi. I followed the steps above, and seemed to have gotten rid of the xp malware.. No more pop ups or anything... BUT after my computer booted back up, I cannot access IE or Firefox. I show that I have a good wireless connection, but when I click either IE or Firefox, it says 'Server Not Found.'

Anonymous said...

method 1 didnt work i saved it as fix.reg and all files but when i double click it it open in notepad

Anonymous said...

Thank you for this information. This is really help me out in this problem..

Thanks A lot..

Anonymous said...

just advanced systemCare free . set it up. go to utilities /admin tools / start up manager. delete the file. Name might be different.. for me it was rc.exe. its is like to be in unknown category . delete it. it work fine for me. very easy

Anonymous said...

I can't get any of the methods to work.. I don't know why.. please help me

your_friend said...

I just got that virus from nowhere and i figured out something a little bit different lol. (keep that in mind, if you use the serial key method, you are installing virus to your computer and DO NOT purchase)
Looking from above comments, the virus.exe has different kind of names and mine was rjo.exe. you can stop the "program" from the task manager and start fixing your registry. just keep this in mind, the virus will block your access from browsing anything online so if you did not have anti-virus installed, you can burn it to a disk or use USB flash drive from another computer.
Afterward, i went to my registry and deleted the following entry
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\rjo.exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\rjo.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\rjo.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\rjo.exe" -a "%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\rjo_CURRENT_USER\Software\XP Internet Security 2012
HKEY_LOCAL_MACHINE\SOFTWARE\XP Internet Security 2012
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP Internet Security 2012
And then I found rjo.exe (the virus) in my user appdata and deleted it.
After all this, I did a restore and now my system is back to normal.
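
The entries in the comment above share one shape: a program under the user's profile is placed in front of the real command, and the Security Center override values are switched on. The following Python script is an added example (not from the blog or the commenter) that scans `reg export` text for that shape; the sample data, the function names and the user-profile path heuristic are assumptions.

```python
import re

# Constructed sample in `reg export` text form. The user name and paths are
# invented; the value shapes follow the entries listed in the comment above.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\rjo.exe\" -a \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\alice\\Local Settings\\Application Data\\rjo.exe\" -a \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
'''

CLEAN_EXE_HANDLER = '"%1" %*'  # stock Windows value for exefile\shell\open\command
OVERRIDES = {'antivirusoverride', 'firewalloverride'}
USER_WRITABLE = re.compile(r'\\(application data|appdata)\\|%(local)?appdata%', re.I)
VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]+)")=(?P<data>.*)$')

def parse_reg(text):
    """Yield (key, value_name, data) from .reg text; '' is the default value."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        m = VALUE_RE.match(line)
        if not (key and m):
            continue
        data = m.group('data')
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r'\\(.)', r'\1', data[1:-1])  # undo \\ and \" escapes
        elif data.startswith('dword:'):
            data = int(data[6:], 16)
        yield key, m.group('name') or '', data

def launched_exe(command):
    """Return the program a command line starts: first quoted string or first word."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)
    return (m.group(1) or m.group(2) or '') if m else ''

def find_hijacks(text):
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k.endswith('\\command') and name == '' and isinstance(data, str):
            is_exe_class = re.search(r'\\(exefile|\.exe)\\shell\\', k) is not None
            if is_exe_class and data != CLEAN_EXE_HANDLER:
                findings.append((key, 'exe handler replaced', data))
            elif not is_exe_class and USER_WRITABLE.search(launched_exe(data)):
                findings.append((key, 'launcher runs from user profile', data))
        elif k.endswith('\\security center') and name.lower() in OVERRIDES and data == 1:
            findings.append((key, 'Security Center alert suppressed', name))
    return findings
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so decode the file with `encoding='utf-16'` before passing its text to `find_hijacks`.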

Anonymous said...

Wow. I had credit card in hand but decided to check the web first to see if XP Antivirus 2012 was legit. Glad I did. Thanks for the fix; I used the second code and Method 1. If I can fix this, anyone can. Thanks for saving my computer and my $59.99.

Anonymous said...

You are the best!!! Thank you.

Anonymous said...

Perfect! Easy, fast and efficient

Anonymous said...

My friend asked me to help him via TeamViewer and I tried to help him out, but it wouldn't let me install anything because of the stupid virus.

I followed your advice and method 1 with the fix.reg file and it did do the magic. I was able to install Malwarebytes then and run a full scan, clean the system and restart the computer and voila! :)

Thanks one more time for your help

Anonymous said...

Thanks to all who contributed to solving this problem, especially the Administrator.
For those who will start solving the problem, if you choose the first method you must run the FixNCR.reg after startup, otherwise the applications will not work. thank you all. keep on the good work.

Anonymous said...

It works wonderfully. Thank you.

Anonymous said...

when i try to download MalwareBytes Anti-malware, it tells me to download re-image? what should i do?

GaryCN said...

Method 1 code 2 worked then spybot search and destroy. but now I am unable to get Microsoft Security Center to start and Windows Update fails. It returns a "the website has encountered a problem" error

Anonymous said...

Neither of them worked for me as my Internet access has been restricted. I did as Anonymous suggested and ended the program via Task Manager, which worked perfectly. I imagine I will continuously have to do so but oh well!

Anonymous said...

I got around the blocking of all my programs by dragging the malware's boxes almost all the way off the screen. 2 days later the fake software was gone. Does it automatically delete itself after some specified time?

Anonymous said...

I'm a total computer rookie/newbie. I followed your instructions - it took a while but, I THINK it worked. If it didn't, I'll be back. Thanks a lot, Lad.

Anonymous said...

awesome..second solution fixed the problem...thank you

Anonymous said...

Method 2 and "xp_exe_fix.reg" worked and then MalwareBytes search and delete successfully. But now I have the same problem as GaryCN that Windows Update fails. It returns a "the website has encountered a problem" error.

GaryCN said...

The one questionable entry in my Application Data folder dated about the time my problem started is "5xt64cq2ecuwr4y7423e5ikoxy1v364xnh603". I still am unable to turn on Automated Updates in the Security Center. Everything else seems OK after going through with this fix. But the App Data folder has quite a few separate folders contained within it. Microsoft Update also will not run in a manual mode.

Anonymous said...

GaryCN,

Did you run "FixNCR.reg" that was posted by Admin after your fix? Did "FixNCR.reg" fix the windows update error?

Anonymous said...

I just went to Start->Programs->Accessories->System Tools->System Restore and chose a system checkpoint from last month and restored my laptop. working normally and surfing at will

Chuck said...

Thanks. The manual removal was fast. I appreciate your efforts. My computer is working well.

Anonymous said...

Thanks a lot for the instructions. After running fix.reg, I could download the MalwareBytes antivirus software with IE with an optional selection. To run the antivirus software, I had to open a command window instead of normal window mode.

After scanning and removing the viral files with the MalwareBytes software, I still went to the directories and made sure that those files were deleted. If one of the .exe files won't let me delete it, I need to stop its process in a Task Manager window.

Again, my notebook works again.

BTW, I had ESET NOD32 Antivirus running on my notebook. Why didn't it catch this bad virus in the first place?

Actually I made a system and other files backup when I upgraded my HD but I totally forgot about it. Now is a good time to make another backup just in case this happens again.

colleen said...

think it's working- thanks so much.... it was my daughter's laptop that was infected... just not so sure what this registry helper thingy is...

Anonymous said...

Picked up this bugger yesterday (July 14th 2011)
Tried running Malwarebytes in safe mode and it didn't work... So after following step 1 it cleaned my Dell Mini 9 after a 1 hour 8 minute full scan. THANK YOU FOR PROVIDING THIS INFO!

Anonymous said...

I have no idea why I got this thing. I haven't used that computer in a while. I had it on all day yesterday but didn't do much with it though. This morning I was just surfing HuffPo with a few other appliance websites open, next thing I know, I'm spending 1.5 hrs trying to figure out where the heck this Spyware came from and why I don't have access to MSCONFIG anymore either. For anyone needing to know:

Open the RUN resource.
Type in MSCONFIG.

Windows tells you to "Open With".

Change "Files of type" from Programs to All Files. Then browse for msconfig in one of two places:

C:\WINDOWS\system32\dllcache
C:\WINDOWS\pchealth\helpctr\binaries

You will find the bugger (vac.exe for me) enlisted itself to run on a reboot, so turn it off under the Startup tab.

I also now have to figure out how to wrangle back Windows Update control. I can't access the Windows Updating website anymore without getting the [Error number: 0x80070240].

Ugh. I mean, I can do it--I can figure it out, but what a waste of my effing time.

Freaking crooks.

Anonymous said...

By the way (I'm the anon who just posted MSCONFIG advice), I've just picked up this common wisdom over the years and it should be added to the top of this help website (which is great, so thanks!)

The first thing you should do is open TaskManager (right click Windows toolbar).

End process to culprit.

Open MSCONFIG (Run > msconfig).

Turn off anything in the Startup file that isn't supposed to be there.

THEN go about removing the malware WITHOUT rebooting anything until you get to a point that you have to.

Anonymous said...

I get: command - attempt to access invalid address

Anonymous said...

Thank you these directions worked perfectly except the first registration code was invalid according to the spyware company.

Anonymous said...

I thought I would try the suggestion from post date 6/22/11 to do a system restore to an earlier date. That seemed to be an easier solution to me since I do not feel comfortable changing and deleting registry files. I have restored to an earlier date and so far so good. No pop ups and I am able to access the internet. So I think it may have worked but I am running my spy sweeper now. Keeping my fingers crossed! Thanks again for all of the suggestions!

Anonymous said...

Look forward to a solution for fixing the Windows update issue.

Anonymous said...

Thanks saved one of my users today with the second serial #.

One of the reg keys that I use to get the programs to open after renaming and deleting the .exe to dl_ is:

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

This has saved me a lot of headaches.


And thank you for posting up this info!

Anonymous said...

thank you so much~ brother.

Anonymous said...

i used the system restore outlined above and it worked

Anonymous said...

Just use Linux. I never get anything like this on Linux and I have used Ubuntu since 03. I'm here because a friend of mine got this just after having the computer for one month. lol

Anonymous said...

BROTHER, YOU SAVED ME WITH THE SERIAL NUMBER. THANKS....... truly, THANKS....

Anonymous said...

Thank you so much, you're a lifesaver

Anonymous said...

The key worked great for me!

Thanks!

Anonymous said...

it said that the registration key is invalid. so i can't proceed the rest..

Anonymous said...

I did first method (fix.reg), then full scan with Malwarebytes and AVG. I think everything is gone but now I can't turn on windows security automatic update. I still have the red shield with white X in bottom right corner. How do I fix this?

gecko said...

after performing fix 1, my laptop (Acer Aspire One) now doesn't recognize .exe files. If I open my browser it brings up the 'open with' box, and I cannot pick a default.

I cannot open MS Word, but I can open a word document. Calculator doesn't work.

Is this a hangup of the adjusted registry or Spybot removal? I installed AVG Full edition (the trial version)

I'll keep looking online but any fix you may suggest would be much appreciated

Anonymous said...

Method 3 worked perfectly for me.. My computer also couldn't recognize .exe files, but after a restart everything went back to normal.. Thank you very much for the help.. great support

Anonymous said...

sooooooooooooooo thanks
it is a very useful article

thank u sooo much for helping me save my computer

Anonymous said...

Help! I did the first method and when I double-click the fix my programs stop working and my Windows can't start exe files. What do I do? D:

Anonymous said...

I'm the guy who can't open exe files. I solved that; I think I wrote the code wrong. Anyway, thanks.

Anonymous said...

I tried what one user said about setting the date forward 6 days and it seems like it worked.. And it finally allowed me to open the malwarebytes I had installed!

Anonymous said...

Thank you everyone here, looks like my problem is resolved, it was cgu.exe. I never wrote on blogs before; from here on I will remember to write about my experience. Blogs help quite a few of us.

all the best

Anonymous said...

Thank you! So SweeeeT!!

Anonymous said...

Besides jpb.exe, there was also jvsr.exe, kaks.exe, rrrq.exe, xdog.exe and a system file with a very complex name in the \application data subdirectory. I halted any of those running processes in taskmanager and deleted the files, but when I rebooted, most of my files had no file associations with them, including wireless network connections. I couldn't even run regedit. However, the xp_exe_fix.reg did run and after rebooting, all was well. Thanks so much for the info and the xp_exe_fix.reg file. Don H

Anonymous said...

As an addition to my previous post, I was browsing the site dailymail.co.uk and scrolled over one of the sidebars when I was nailed by this one. Also, I am running a current version of Nod 32 antivirus. Didn't help. Don H

Paresh said...

Hey dude....Hats off to u......saved my valuable time.....God Bless u !

Anonymous said...

Thank you very much!

Anonymous said...

eh, what does one do when "Run" freezes everytime ya try ta use it?

Anonymous said...

Cannot run .exe files after running super antispyeware. Now what? I cannot use anything on my computer...not even a system restore.

airKyu said...

thank you so much... with your direction.. i can fix some problems myself... it's not easy. right?!? ^O^

Anonymous said...

Thank you for this. I used Method 1 and it seems to have worked ok.
Thank u again from french user.

Anonymous said...

thank you very much but now i can not open any program what to do ? please help

Anonymous said...

As everyone i would also like to thank u a lot for ur support to solve out this problem.

Ray needs help said...

Can't get either method to work. First option tells me attempt to access invalid address. The second I can not find the folder options.

Anonymous said...

I tried to input serials 1147-175591-6550 or 2233-298080-3424 to register the rogue application as you advised and could not do it. It says "wrong key".

Anonymous said...

great.....thaks alotttttttttttttttttttttttttttttttttttttttttttttttt mannn uuuuuuuuuuuummmmmaaaaaaaaaahhhhhhhhhhhhhh

rubak said...

thanks alot great for me.........

Anonymous said...

Whoa man, there aren't enough words in all languages in the whole world to express my gratitude towards you! This virus is some really annoying shit.

Anonymous said...

Thank you!

Kimberly Huddle said...

You guys rock! I just saved both my own manager and another colleague in my office using this. By the way, just as an FYI, Malwarebytes and Superantispyware did find the problem but apparently don't do a perfect job of cleaning up after it. After they removed the problem a lot of shortcuts still didn't work and Windows XP still didn't appear to know what to do with an ".EXE" file. When I would try and launch programs (*.EXE) it kept asking what program or application I wanted to use to open the program. Importing the second .REG file (xp_exe_fix.reg) you included in your manual instructions resolved these issues for me.

Rose Solano said...

thank you so much a lot the key 2233-298080-3424 activated......


thank you thank you so much...


my father didn't shout at me anymore...

Anonymous said...

People, you need to read this guy's instructions completely. Entering the code only puts the virus to sleep for a while so you can actually use your computer enough to remove it. Just because your computer seems to be working fine after entering one of the codes, doesn't mean you have gotten rid of it. You still need to remove the virus. I don't know why I bother to add this post since the attention deficit crowd that needs to hear it will never read this far. They will eventually have to rely on detailed people like us to fix their problems. My compliments to the author of these removal instructions.

Anonymous said...

Hi. I had this virus a few weeks ago, and I used the first set of steps to manually remove this from my computer. Well, apparently, this virus/malware attached itself to my "Rundll32.exe". After removing the virus with "SuperAntiSpyware," it completely ruined one of the usernames on my computer, and now, we can't pull up any programs whatsoever, without it asking "what program would you like to open this with?"...or something to that effect! How do I fix this problem, or rather correct it? Please help! Thank you.

Admin said...

Please follow step #3 in alternative removal guide:

3. After a restart, open Internet Explorer. Download xp_exe_fix.reg and save it to your Desktop. Double-click on xp_exe_fix.reg to run it. Click "Yes" for Registry Editor prompt window. Click OK.

Anonymous said...

Hi again, would the same "xp_exe_fix.reg" instructions work for Firefox? I don't use IE anymore. Do I Google search for "xp_exe_fix.reg" to find it, or is there a link to get to it? A computer tech recommended that I create a new user account and get rid of the other one, but I don't want to do that! Will this bring the "Rundll32" back, and make the user account functional again? Thanks!

Admin said...

Yes, it works for Firefox too. Here's a download link: http://bit.ly/8ZhB1V

Anonymous said...

System Restore works OK. If you can't get to it, boot while holding down F8 and choose Safe Mode. Go to Accessories, System Restore and pick a date before the trouble began.

Anonymous said...

Hello, I recently got this fake program on my computer. I tried the registration codes, but they are not working this time. Last time, the code 2233-298080-3424 worked. Is there a new code? I tried both codes and neither is working. Can someone help?

Anonymous said...

Thanks for this fix. Hate having files that shouldn't be there so am just wondering if it's safe to delete the file that was originally ebh.exe and per instructions changed to ebh.dl_

Have run malwarebytes and all seems ok.

Anonymous said...

I'm having the same problem, i can't get any of the registration codes to work either.

Anonymous said...

i just tried to do the third step, and now it wont let me get back into control panel with out the FIREWALL alert popping up. and i tried the second step up until it wouldn't let me open notepad with the FIREWALL alert popping up. and the first one with the registration codes wouldn't work? please help someone? email is Delkins37@gmail.com

Anonymous said...

I would try downloading SUPERAntiSpyware (even the free version will do). If you're able to run a scan, it will save your system as it did for me an hour ago.

Anonymous said...

reg key codes no longer work, not sure I'm comfortable with a manual workaround any ideas

Anonymous said...

thank you so so much! been trying to fix this virus for ages.

Anonymous said...

Thank you!!! Just for everyone's info, mine was named feh.exe

Anonymous said...

serials 1147-175591-6550 or 2233-298080-3424 or 3425-814615-3990. I have not used them yet, still in the reading phase trying to get my courage up. Sheila

Anonymous said...

OMG THANK YOU SOOOOOOOOOOOOOOOOOOOOOOOOOOOO MUCCCCCCCCCCCCCCCCCCCCCCHHHH :)

Anonymous said...

3425-814615-3990 key worked!

thank you

Anonymous said...

THANK YOU!
I got hit by this and it was blocking every browser I have (IE, Firefox, & Chrome) from accessing any web page AND was blocking me from even opening Vipre!

The serial provided here worked for me perfectly. I used the first method then scanned with Vipre and it seems to have disappeared completely from my system.

Anonymous said...

Thanks Guys. You saved my day. I was able to remove this using 3425-814615-3990 and following other instructions

Anonymous said...

Amazing!!! Thank you so much for the clear and easy to follow instruction. I have been struggling to install the anti-malware software onto my hijacked computer for a couple of hours before I found this blog.

THANK YOU!

Anonymous said...

tanx alot you saved my ass :d

lauren h said...

Hi, I used the first method, but then still found a file here :\Documents and Settings\[UserName]\Application Data\[SET OF RANDOM CHARACTERS]. It did not end in .exe, but it was created about the time the virus first showed up.

So then I followed method two- all okay, did two Malware scans to remove everything. Except now I can't connect to the internet at all, on any wireless network. Any ideas? Could I have accidentally deleted a needed file? If it matters, I am now getting the message "tssd_win32.exe has encountered a problem and needs to close" every time I start the computer. I googled it and there seems to be no conclusive answer on that, and nothing linking it to this problem. Help!

This has been very helpful so far! Thank you!

Anonymous said...

Thank you so much, I couldn't even open my avast virus protection. that code 3425-814615-3990 saved me today!!!

Anonymous said...

So I've had an older version of this d*** thing before and gotten rid of it. So when it popped up again this evening I went thru the same steps I did last time. But this time when I look rebooted my computer the d***thing was still there only now my cursor is frozen and I can't today do anything. HELP!!!

Anonymous said...

This was a great site with all the important details how to get rid of this virus!!! Thanks!

Anonymous said...

Wow, unbelievable! Thank you so much. Just prior to getting the XP fake virus, I registered for an online class. Thanks to you, I can now continue with my class. Thanks so much and Happy Holidays!!!

Anonymous said...

Thanks :) I was about to chuck my laptop out the window.
