XP Anti-virus 2011
XP Anti-virus 2011 is a malicious application. Learn how to remove this virus from your computer with the easy-to-follow procedure on this page.
XP Anti-Virus 2011, also known as Vista Anti-virus 2011 and Win 7 Anti-virus 2011, is a rogue program that installs on multiple operating systems. XP Anti-virus 2011 is the variant installed on systems running Windows XP, as detected by the Trojan. It gathers the system’s specifications to match the OS and make itself look like a legitimate application. Regardless of the name, these are all the same program, developed to convince computer users by deceptive means to buy the licensed version. Through pop-up alerts or task bar warning messages, XP Anti-virus 2011 declares that the computer has virus problems and that removal requires the paid version of XP Anti-virus 2011.
Instead of patronizing this potentially unwanted application, immediately run a full scan of the PC using a legitimate security product. Anti-malware applications are known to combat rogue programs like XP Anti-virus 2011. On this page is our suggested removal tool, which was tested to remove counterfeit applications. Download and install it, then update the database before running a full scan on the system. Remove all detected threats and, if possible, run the scan while the computer is in Safe Mode.
Alias: XP Antivirus 2011, Vista Antivirus 2011, Win 7 Antivirus 2011
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Technical Details and Additional Information:
If XP Anti-Virus 2011 is installed, it displays fake alerts as a scare tactic to mislead victims. Some of them contain these messages:
XP Anti-virus 2011 Firewall Alert
XP Anti-virus 2011 has blocked a program from accessing the internet
Internet Explorer is infected with Trojan-BNK.Win32.Keylogger.gen
Private data can be stolen by third parties, including credit card details and passwords.
Malicious Files Added by XP Anti-Virus 2011:
How to Remove XP Anti-virus 2011
Manual Removal
1. Unload any running XP Anti-virus 2011 process by pressing Ctrl+Alt+Del on your keyboard. This will open Task Manager. Look for the following process and click on End Process.
(random characters).exe
2. If there is an antivirus program installed, connect to the Internet and update it to get the latest database and pattern files.
3. Thoroughly scan the computer and clean or delete all infected files. Check for remnants of virus-related files and delete any that are found.
4. Edit the Windows registry and delete XP Anti-virus 2011 entries.
5. Close the registry editor; changes will be saved automatically.
6. Remove the XP Anti-virus 2011 start-up entry by going to Start > Run and typing msconfig in the "Open" dialog box. The System Configuration Utility will open. Go to the Startup tab and uncheck these Startup items.
(random characters).exe
7. Click on Apply and reboot the computer for changes to take effect.
XP Anti-virus 2011 Removal Tool
For automatic removal of this malware, please download and run Malwarebytes Anti-Malware. In some instances the Trojan will block the download of our recommended tool. In this situation, please download the file from a clean computer. Rename the file before installing it on the infected system.
Alternative Removal Method for XP Anti-virus 2011
Option 1 : Use Windows System Restore to return Windows to previous state
If XP Anti-virus 2011 enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with a clean version. If you have a restore point saved before XP Anti-virus 2011 infiltrated the PC, we highly encourage you to execute this procedure if none of the above works.
Option 2 : XP Anti-virus 2011 manual uninstall guide
IMPORTANT! Manual removal of XP Anti-virus 2011 requires technical skills. Deleting system files and registry entries by mistake may leave the Windows system completely unusable. We advise you to back up the registry before proceeding with this guide.
1. Kill any running process that belongs to XP Anti-virus 2011.
- Press Ctrl+Alt+Del on your keyboard.
- When Windows Task Manager appears, look for XP Anti-virus 2011 files (refer to Technical Reference) and click End Process.

2. Delete all registry entries that belong to this malware.
- Press [Windows Key]+R on your keyboard.
- In the 'Open' dialog box, type regedit and press Enter. This will open registry editor.
- Find and delete the registry entries mentioned in the Technical Reference section below.
- Close the registry editor. Changes made will be saved automatically.

3. Scan the computer with an antivirus program.
- Connect to the Internet and open your antivirus software. Please update it to obtain the latest database and necessary files.
- Restart the computer in Safe Mode.
- Just before Windows logo begins to load press F8 on your keyboard.
- On Windows Advanced Boot Options, select Safe Mode and press Enter.
4. Delete all files dropped by XP Anti-virus 2011.
- While still in Safe Mode, search and delete malicious files. Please refer to 'Technical Reference'. Make sure that you execute 'End Task' first before deleting the file. Otherwise, the system will not let you perform this action.
Technical Reference
Associated Files and Folders:
Added Registry Entries:
File Location for Windows Versions:
- %AllUserProfile% is C:\ProgramData on Windows Vista/7 and C:\Documents and Settings\All Users\ on Windows XP/2000.
- %UserProfile% is C:\Users\<Current User> on Windows Vista/7 and C:\Documents and Settings\<Current User> on Windows XP/2000.
- %AppData% is C:\Users\<Current User>\AppData\Roaming on Windows Vista/7 and C:\Documents and Settings\<Current User>\Application Data on Windows XP/2000.
- %Temp% refers to C:\Windows\Temp\.
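An added example, not part of the original guide: a read-only PowerShell triage script for steps 1 and 6 of the manual removal and the file locations listed above. It assumes the Run and RunOnce registry keys as the startup locations to read, treats the three-letter executable names reported by commenters below (such as gtt.exe and nrj.exe) only as a hint, and compares the .exe file association, which commenters report had to be repaired, with the Windows defaults; all function names are hypothetical.

```powershell
# Added example: read-only triage, nothing on the system is changed.
# Assumptions (not from the page): the helper names, the Run/RunOnce keys as the
# startup locations to read, and the three-letter-name hint taken from comments.

# Locations from the Technical Reference. The page's %AllUserProfile% is the
# ALLUSERSPROFILE environment variable; %AppData% sits under %UserProfile%.
$roots = @($env:ALLUSERSPROFILE, $env:USERPROFILE, $env:TEMP,
           (Join-Path $env:SystemRoot 'Temp')) |
         Where-Object { $_ } | Select-Object -Unique

function Get-ExePath {
    # Pull the executable path out of a startup command line.
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|com|scr|bat|cmd))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Test-InRoots {
    # True when the path lies under one of the profile/temp locations.
    param([string]$Path)
    foreach ($r in $roots) {
        $prefix = $r.TrimEnd('\') + '\'
        if ($Path.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function New-Finding {
    param([string]$Source, [string]$Name, [string]$Path)
    [pscustomobject]@{
        Source      = $Source
        Name        = $Name
        Path        = $Path
        InUserArea  = Test-InRoots $Path
        # Hint only: legitimate three-letter names exist (alg.exe, jqs.exe),
        # which is why the location is checked as well.
        ThreeLetter = $Path -match '(^|\\)[a-z]{3}\.exe$'
    }
}

$findings = @()

# Step 6: startup entries stored in the registry (Run and RunOnce keys).
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($leaf in 'Run', 'RunOnce') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$leaf"
        $k = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
        if (-not $k) { continue }
        foreach ($name in $k.GetValueNames()) {
            $findings += New-Finding $key $name (Get-ExePath ([string]$k.GetValue($name)))
        }
    }
}

# Step 1: running processes whose image path is readable.
foreach ($p in Get-Process) {
    if ($p.Path) {
        $findings += New-Finding 'process' "$($p.ProcessName) (PID $($p.Id))" $p.Path
    }
}

# .exe association. Windows defaults: .exe -> exefile, open command -> "%1" %*
# A per-user (HKCU) override that differs from these deserves review.
$expected = @{ '.exe' = 'exefile'; 'exefile\shell\open\command' = '"%1" %*' }
$assoc = foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($sub in $expected.Keys) {
        $k = Get-Item -LiteralPath "$hive\Software\Classes\$sub" -ErrorAction SilentlyContinue
        if (-not $k) { continue }
        $value = [string]$k.GetValue('', $null, 'DoNotExpandEnvironmentNames')
        [pscustomobject]@{
            Key       = $k.Name
            Default   = $value
            Expected  = $expected[$sub]
            IsDefault = ($value -eq $expected[$sub])
        }
    }
}

'--- Startup entries and processes running from profile/temp locations ---'
$findings | Where-Object { $_.InUserArea } |
    Sort-Object ThreeLetter -Descending | Format-Table -AutoSize -Wrap

'--- .exe association (IsDefault = False needs review) ---'
$assoc | Format-Table -AutoSize -Wrap
```

Entries listed here are candidates for review, not verdicts: legitimate software also starts from these locations.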
Jacob
Mar 09, 2011 @ 02:14:22
You can’t just simply end the processes anymore, the new versions of that virus override your administrator access, when you restart your computer while you have this virus, it won’t let you run anything. The only way to get rid of this virus nowadays is to run in safe-mode and do a full scan, for my computer the scan takes hours, which is why this is my most hated virus.
Rosey
Mar 11, 2011 @ 08:32:49
I have lost two desktop file folders. How can I recover them?? These folders contained my shortcuts and the other sensitive information. I immediately used Revo Uninstaller and ex’d Firefox altogether from my laptop, after running antivirus — I wasn’t taking any chances! I’m a novice at this detecting creepy malware/trojans nibbling away at MY stuff!! A shame, a REAL shame….
Jessica
Mar 11, 2011 @ 17:14:26
So, my mother’s computer has been infected with this crap. And, as Jacob has said, it’s hidden its stuff so I can’t just delete it the manual way. I was wondering why all those guides didn’t help…
Anyways, I ran Malwarebytes in safe mode and did a full scan, got rid of some junk with it… Booted back up in normal mode and it was STILL THERE! The hell do I do now? This is ridiculous…
Bill
Mar 11, 2011 @ 17:58:14
This virus attacked on 3/10/2011. Besides the symptoms noted above, it also disabled McAfee Internet Security. I’ve turned this problem over to a professional.
ifthethunderdontgetya™³²®©
Mar 13, 2011 @ 03:46:09
Yeah, this thing is nasty.
But you can stop it cold, use rkill.
Rkill only stops the malware in the registry so you can take control of your computer again, you need something else to clean the stuff out.
But at least you can get started. Search for rkill, you’ll find it.
~
Sandy
Mar 15, 2011 @ 00:10:20
I had something similar on my laptop a few months ago and was able to remove it manually. It has definitely mutated because now I can’t seem to get around it. All executables are blocked, even in safe mode. Ready to throw computer out the window.
jim
Mar 26, 2011 @ 12:59:30
3 things I learned getting rid of this:
1) Rename an exe to com to get it to run–e.g. rename mbam.exe to mbam.com (and rkill.exe to rkill.com)
2) roguekiller will fix the registry entry that keeps things from running: en.kioskea.net/faq/11626-roguekiller-tutorial
3) After it’s gone, if you want to turn Windows Updates back on, you need to “install” au.inf to fix the registry entries for update. This inf file is part of the original windows installation. To find it, go to “run” and enter “inf”. It will take you to your inf directory. Scroll down to au.inf, right-click and choose “install.”
gina
Mar 28, 2011 @ 00:24:09
Really didn’t have to go thru so many registry changes to get rid of it for me. I installed Microsoft Security Essentials and it removed it for me through its Quick Scan option.
Sik
Mar 31, 2011 @ 00:58:49
My girlfriend got this on her computer. It seems it used Youtube to get in. We used Spy Bot – Search and Destroy to remove it. It removed everything except some funweb tools or something it said was in use. Rebooted telling spy bot to run on boot, and it got rid of all of it.
What I want to know is, if they know who put this crap out to try to get people to buy their program, is any cybercrime enforcement agency going after these jerks? To use a Trojan or whatever to try to sell a product is highly illegal.
Bob31
Apr 02, 2011 @ 00:17:00
I did a system restore, returned 2 days before i first noticed the problem and it got rid of the problem!
VirusHater
Apr 03, 2011 @ 04:26:00
Nothing here will work anymore. The virus is…evolving or something. Two days ago I killed it after almost 4 hours. I got it again today and I can’t even access Control Panel. Even in safe mode I can’t open up MalwareByte, or my own anti-virus. System Restore is a no-go either. The virus has shut me out of my own computer. Get ready to have to hand this problem to a professional if you get it. It’s at the level where we can’t do anything anymore.
Iain
Apr 03, 2011 @ 07:04:54
I just got this today. Couldn’t start any program on my username BUT managed to start in safe mode and using Administrator instead of my personal password I was able to run Malwarebytes and access the registry. Will keep you posted on how it works out.
Mike
Apr 03, 2011 @ 16:51:30
I’ve tried everything suggested but still can’t access the web or applications unless I open them via a saved file. Safe mode won’t accept my password. System restore won’t open either and my own anti-virus has disappeared! I’m concerned that my sensitive data has been accessed so I just don’t turn on my wi-fi. Does anyone know which processes I must end in task manager or do I just end all those ending in .exe?
George Gargarella
Apr 05, 2011 @ 00:16:21
Running XP
I went into Safe Mode with F8 on startup.
Selected Administrator
Selected Restore to two days ago.
Ran my anti virus software
So far looks OK.
mike
Apr 05, 2011 @ 00:19:14
u can get on the internet by going to search in start type what ever u want and it will find it on what ever your main browser is no need for restarting or paying.
JimR
Apr 05, 2011 @ 02:59:23
Using the System Restore option mentioned on the post of 5 April 2011 at 12:16 am worked quick for me. Then I checked and found some of the problem files which i deleted.
stan
Apr 05, 2011 @ 03:04:40
wow! i guess im on the right track guys! i use the safemode! cool!!!
landontk
Apr 05, 2011 @ 23:19:31
Nasty little critter.. George has it correct. Safe mode,admin,restore to earlier state. Worked like a charm..
concept
Apr 06, 2011 @ 22:05:08
I got this virus earlier today and it hit my computer with a vengeance. It kept popping up the stupid fake “scanning” thing, and it would not let me open pretty much anything.
First I restarted in safe mode (with and without networking) a few times and the program STILL was able to run and block me from running things.
Here’s what worked for me:
1. Restarted in safe mode with no command prompt
2. Chose my personal login name (not administrator — not saying that administrator wouldn’t have worked though… I simply don’t know)
3. When Windows first started loading I got a pop up message talking about Safe Mode which basically said something like (paraphrasing): “Press YES to continue in Safe Mode, Press NO to use the system restore to restore your computer to a previous period”. I chose NO.
4. The System Restore thing DID load at that point, even though the stupid virus was loaded too and running a fake scan as usual.
5. I chose to restore the system to 2 days ago, before I got the virus.
6. When it was done I let it restart in normal mode (not safe mode) and to my surprise the virus appeared to be gone.
7. I ran a Quick Scan with Malwarebytes Anti-Malware. It detected 3 malicious things, a trojan, a data stealing thing, and something else, I forgot. I removed them all. Not sure if they were related to that virus or if they were on there previously (I hadn’t run a scan in like a week)
8. I rebooted as per Malwarebytes’ instructions.
9. I ran Malwarebytes Anti-Malware again. First I updated my database, which was outdated. Then I ran another scan and it found nothing. Problem seems to be solved, thank god.
Good luck people.
David
Apr 07, 2011 @ 09:50:20
I had the XP Antivirus 2011 and downloaded Spybot S & D to get rid of it. It seemed to work but now my Windows Automatic Updates for Windows Security Center has been turned off and every time i try to turn it on it does nothing. I followed JIM March 15, 2011 at 12:10 a.m. instructions but could not find the “au.inf” in the ‘inf.directory. Anyone have any suggestions on how to get Windows Automatic Updates turned back on?
Marc
Apr 08, 2011 @ 01:55:38
System Restore followed by a Malware Bytes scan is working so far so good.
Teresa
Apr 08, 2011 @ 02:43:27
I am finally doing the system restore after running malware bytes and it finding lots of other minor things. I ran full scan again and it said i was clean while the virus is still in my tray.
I tried roguekiller as well, didn’t work.
System restore has worked!
Louis
Apr 08, 2011 @ 05:42:47
My wife got this today..nasty, couldn’t run virus protection, or any of the suggested software or restore from system tools. Had to go to Safe mode, system restore to two days back… and it worked. Thanks to this post and everyone’s notes I only spent an hour getting back up. It would have taken less time if I read all the comments before jumping into the steps outlined which no longer work. Able to get to my virus software now and am running it as i write… safe surfing and Thanks. I’ll be back when I get…my wife gets another virus.
RJS
Apr 09, 2011 @ 13:25:11
My wife got this nasty extortion-ware on our desktop computer.
Right-click the Start bar and choose “Task Manager” (or press Ctrl-Alt-Del). Go to the “Processes” tab.
Find and kill three-letter “exe” processes. Note: MCM.exe, jqs.exe and alg.exe are normal, but you can kill them anyway.
That should stop the malware from messing with some of your stuff, but by the time you see it it has already messed up stuff in your registry. You might be able to run your virus scanner or Malwarebyte or SpyBot or get into RegEdit from a command line.
Redford
Apr 10, 2011 @ 04:15:53
After countless hours of following all the steps to rid my system of XP Anti-Virus 2011 I simply only needed to follow step #1 “Press Ctrl+Alt+Del on keyboard to stop process associated to “XP Anti-Virus 2011”. When Windows Task Manager opens, go to Processes Tab and find and end the following process: (random characters).exe
I then searched and located the file and moved it to my recycle bin.
I then ran the Malwarebytes Anti-Malware and rebooted. Done!
So far so good. (fingers crossed)
JR
Apr 10, 2011 @ 06:12:34
This is getting really kind of scary and annoying. I launched safe mode and did the system restore, but nothing’s working! HELP?? But it’s really weird- the anti-virus thing only appears on my account! It works fine on other users, but not mine? What do I do? Security essentials scans, but it doesn’t detect it! What now?
Hate Hackers
Apr 10, 2011 @ 13:59:42
The evolution of this fraud tool has taken another evolutionary step. Procedure used to clean effectively (so far). At least I finally have not gotten the blue screen. Scan the HD from another computer via usb with both Malwarebytes and Microsoft Security essentials. It is apparent that this program now opens the flood gates to other malwares. After scanning from another computer and once it finally boots: boot in safe mode, when the “running in safemode” window pops up before all processes begin to run go directly to “system restore” and restore to when everything was ok, maybe a day or two before issues began. The version I am dealing with if allowed to run blocks Microsoft Security Essentials and Malwarebytes! It if allowed to run also blocks Task Manager and System restore operation. There should be an extended all expense paid visit to Federal prison for the authors of this public menace.
Trevor
Apr 12, 2011 @ 17:09:20
I’ve been fighting this for days… I noticed that I can run Malwarebytes and spybot after I end a very cleverly named process called “Conhost”. Really… what dumbass hacker names their virus that does a fake takeover “conhost”. REEEAAAAL tough.
Laurence
Apr 13, 2011 @ 09:05:04
I got this virus on my PC and it virtually prevented me from running any of my applications on my PC, it was so frustrating. But someone told me about a free downloadable anti-virus application called Stopzilla which is obtainable from download.com. It successfully cleans and removes Viruses, Malware of which the XP Anti-virus 2011 is one. It really worked. I tried it after having failed at trying a number of other alternatives, and as I said it works well. So far so good I’ve had no more attacks of the virus.
Frank
Apr 13, 2011 @ 14:36:25
I had this problem earlier but I detected it immediately.
It messed up one of my limited accounts.
I went on my administrator and deleted the account.
No problems so far….right?
iemma23
Apr 13, 2011 @ 17:12:35
My computer was infected with XP anti-virus 2011. Completely unable to open a browser or email. I was told to either wait 6 days and the virus would self destruct or turn ahead the clock on the computer and the same would happen immediately. I waited the 6 days and sure enough it was gone without a trace. I am too much a novice to try the safe mode removal so I was delighted to see it gone.
chandan
Apr 14, 2011 @ 05:21:13
g.ag. Md xp
Ali
Apr 15, 2011 @ 16:44:24
Hello Everybody,
This “XP Anti Virus 2011” infected one of our laptops 2 nights ago all of a sudden.
First, we got an alert to install or update McAfee (so I was told) and when the “Later” option was picked, the laptop suddenly lost the internet connection and this “XP Anti Virus 2011” started showing a list of about 11 viruses that needed cleaning.
Clicking the McAfee icon wouldn’t launch McAfee.
Nothing in Control Panel worked. Couldn’t remove McAfee or this “XP Anti Virus 2011” due to “Add/Remove” (programs) not opening.
Also, was unable to install “Norton 360”.
Anyway, after reading comments here, I restored the laptop to a previous date before the infection and wasn’t getting any “XP Anti Virus 2011” fake alerts anymore.
Anyway, downloaded and installed “Rogue Killer”, “Malware Byte’s Anti Malware” and “StopZilla” after reading about them here.
Run the “Rogue Killer” and picked both 1,2 and 3 options and 3 reports were created. What are these reports for ? It didn’t say anything about removing any infected files. Has it removed any viruses at all ?
Afterwards, I ran StopZilla but I paused it because it was taking too long to finish scanning.
I then started “Malware Byte’s Anti Malware” and it found and deleted a few viruses. It was faster than StopZilla.
I then started running StopZilla again and when about 64% was complete it found 1 infected file which “Malware Byte’s Anti Malware” missed. I paused it before going to bed because it was taking too long to scan.
Today, after waking-up, I tried resuming StopZilla but it only allowed me to remove the 1 infected file it found last night.
I’ve now started StopZilla again from the beginning and 57% is complete and it’s found no infected file so far.
Later on, I will scan the laptop with Norton 360.
1. Now, my question is, how come “Malware Byte’s Anti Malware” missed that 1 file that StopZilla found ?
Does that mean, Stopzilla is better than “Malware Byte’s Anti Malware” ?
I have a feeling, maybe “Malware Byte’s Anti Malware” has removed some infected files which StopZilla would’ve missed because if I remember correctly the former found a lot of infected files when a certain percentage of scan was finished and the latter found less than that when that same percentage was finished when it was on scan.
Now running StopZilla 14 day trial.
Which one should I stick with ?
Rogue Killer, Malware Byte’s Anti Malware, Stopzilla or Norton 360 ?
I can’t trust one to do the job fully but I can’t afford to buy everything on the market.
What is the solution ?
Camie
Apr 16, 2011 @ 05:54:55
I had it just today, and now my computer is running fine.
If the above doesn’t work, you can always try system restore to a different date, such as a month ago or the most recent day other than the day it pops up.
I’m not sure if it entirely takes the virus outs, but at least you can still go onto your computer and access internet without it popping up.
Stan
Apr 17, 2011 @ 08:04:02
There must be different versions of this out there. The one I’m looking at on a laptop I’m fixing could be killed in task manager at gtt.exe. It still comes up in safe mode though. If you can identify the filename and location, it’s best to delete it in recovery console or by pulling the drive and deleting it manually. Even in safe mode, killbox wouldn’t run it kept popping up.
The people that make these and the credit card merchant providers that allow it to go on make me sick.
Andri
Apr 18, 2011 @ 17:03:12
I got this virus and nothing seemed to work. So I rebooted in safe mode by tapping f8 on startup. I logged on as Administrator in Safe mode, chose “No” thus going to System restore, and restored my computer to six hours earlier. Rebooted and my computer was back; no virus anymore.
Jennifer Lucas
Apr 19, 2011 @ 03:50:43
Stopzilla didn’t do a thing. When I called customer support they said I didn’t have a virus and that I must have downloaded a bad program. Then customer service offered me a tech session for $200. Waste of time and money. Clearly it’s a virus.
harish
Apr 19, 2011 @ 09:43:24
OMG !! Followed every single instruction it worked for thank you very much for this post,,,,,just would have thrown my pc to the garbage,,,,,what relief,,,,malwarebytes works really well…..that rkill stuff also works great….
Laurence
Apr 19, 2011 @ 11:21:51
The good thing about Stopzilla, or any of the other anti-virus s/w you decide to use, is that after the virus has been removed then I suggest you do an immediate backup of your essential files, or all files, to CD ROM or DVD, so that if the virus were to come back then at least you have a more recent backup of your hard drive files.
Leighsky
Apr 19, 2011 @ 20:26:29
I did a system restore to two days before. The virus is gone, but now Windows thinks that ALL of my files needs to be opened using a program or file of some sort. Even the ones used to open other files…
Ali
Apr 21, 2011 @ 21:18:49
Guys i dont know if we should all be posting this, we could email this stuff to each other because i think the people who made the virus look at this stuff and change the virus
C
Apr 23, 2011 @ 19:46:59
I found a number to put into the registration box for the fake xp antivirus. I was able to trick it into thinking I bought their stupid product, but I didn’t. I ran several scans, but after the scan was over, all the above mentioned sites wanted to charge a lot of money to buy their products. I don’t know if the scans did anything but I don’t see any sign of the virus, but I suspect it is dormant in my PC. I scanned with the real Microsoft security essentials and downloaded that program as well. It’s free. I don’t see signs of it, but like I said, I just don’t know if it’s still there. This is horrible. I wonder if tricking the malware was the right thing to do or if it is tracking my every move. Anyone that wants that number for registration, just let me know.
C
Apr 23, 2011 @ 19:53:23
By the way, stopzilla and all the other antispywares mentioned all wanted money. I don’t know why they claim to be free. They all found something different.
athEIst
Apr 24, 2011 @ 15:49:59
I crashed the hard disc. Still had internet but this XP 2011 took over. I would like to see whoever created this captured, hanged until almost dead and then eviscerated.
e
Apr 25, 2011 @ 09:43:22
i want that fake number that you have c
K L
Apr 25, 2011 @ 16:52:51
I didn’t find random numbers, but found 3 letter. nrj.exe was the culprit. I ended the process and anytime I try to get into control panel it starts up again. I’m running malware programs now, but if the first doesn’t work I’ll try one more and if that doesn’t work I’m going to try a restore point. This is the second time this laptop got this. (I’m not the user)
Any ideas where this virus is being picked up. How do you avoid? This virus is such a pain to get rid of.
Pooh
Apr 27, 2011 @ 22:37:22
use ctr-alt-del to stop the process. It will be {random 3 letters. exe}. This will temporarily give you access to programs. Create a new user account as system administrator then delete the infected user acct. This worked for me.
Kris Joseph
Apr 27, 2011 @ 23:02:03
download malwarebytes rename the file extension from exe or msi to scr eg mbam.exe >mbam.scr install perform quick scan remove selected do not update automatically before do it after the system has prompted to restart and done so it worked for me.
Joshua Patrick Ramos
Apr 29, 2011 @ 12:09:32
I tried many things on this virus but no one worked like in the manual removal I tried to update my Kaspersky Internet Security 2011 to the latest database then full scanned my computer but didn’t find any virus at all!!! So now it’s like a war between me and this Fake XP anti-virus 2011!!! So in this virus I conclude that you will be challenged if you really are good in computer technology!!! I hope that this post will always be updated. why? because that fake Anti-Virus 2011 improves as time passes by right so soon there will be fake Anti-virus 2012!!! so just suggesting that they may update it so that if other instruction there were not working they will fix it :DDD
Still… getting rid with this virus…
Rob Kincaid
Apr 29, 2011 @ 13:41:39
I AM AN IDIOT!!! I had just ordered some documents from my bank. Then I decided to check my e-mail. First I went to my spam folder and there was a message from DHL saying I had a package coming and this e-mail contained my tracking info. I thought it was from my bank. Also, the day before I had received an important e-mail that was in the spam folder. It sometimes happens. So anyways, like a complete moron I opened the fake DHL mail and downloaded the attachment to my desktop. Then I clicked on it. OH MY GOD!!! This virus/malware completely took over my computer. It turned off my AVIRA av and took its place. Downloaded Malware bytes on another pc and imported via thumb drive. Changed the name and extension several times. It would not install. Tried stopping various processes via task manager. No help. What worked? Re-start in safe mode, choose system restore during start-up, and went back 2 days. System then restarted and everything was OK. Then I installed and ran SUPERantispyware. It found a bunch of crap. Then I ran Avira. It also found some crap. Quarantined my crap in the crap quarantine for later inspection. Both these av have a free version and I recommend both. Next I ran Wise reg cleaner and Wise disk cleaner. More crap gone. 24 hours later and all is still well. Thanks a lot to all of you who posted comments. The procedure in the article did not work, but you savvy commenters saved my stupid butt!
hbalt
Apr 30, 2011 @ 22:56:28
Hey guys when it first popped up I paid for it because it looked legit (correct file names, microsoft look alike etc).. Anyone know if I can get my money back?
mlee
May 01, 2011 @ 04:56:14
The safe-mode, system restore method mentioned in several posts above worked for me. Especially good since it didn’t require any downloads of anti-spy or virus programs, of which I am quite suspicious. Thanks very much. None of the other sites I checked for this virus removal solution had this system restore solution.
Mike
May 02, 2011 @ 19:32:20
I got this virus late one night by clicking on a news story. I was just about to take my computer into the local PC repair guy ( $150 ) when I saw this thread.
I used the safe mode system reset strategy and the virus was gone!
Mike
May 02, 2011 @ 19:39:31
Oh, If I find the motherF****R who built this virus I am going to pound him into the ground with my laptop.
Brandy
May 03, 2011 @ 13:35:24
This isn’t my first go round with this virus and usually I can just restore to an earlier date and it does fine. However, this time it will not let me go back a month at all, it only gives me the time period of which the virus started. Any help with that guys?
Tim
May 04, 2011 @ 16:51:32
Sent an fyi to Microsoft as they are using their security shield icon and make reference to internet explorer. I originally thought this was a microsoft warning, but then when it requested money, it brought up a red flag for me. I sent a nasty email to xp anti-spyware, as that is the only way to contact them.
andy
May 04, 2011 @ 17:19:07
just reformat. by now most people should have learned to back everything up. external harddrives are cheaper than the geek squad.
Jay
May 06, 2011 @ 16:28:59
I agree Andy. Being proactive is the key.. Backup your computer before the problems start. I use Carbonite ($35yr), it’s alright the only complaint is they throttle the upload speed so 10 gb takes like 4 days to upload. After initial backup it works pretty good. I’m in the field, so I’ve dealt with these issues for a few years. If it looks like it going to take more than 2 hours to resolve the problem. Just reinstall the o.s.
hilly
May 08, 2011 @ 06:05:15
This virus first cropped up on my mother’s computer a while ago and it took all sorts of creativity to destroy, and it took hours!!!! and lucky me, my sister’s computer just contracted the new and improved version that i am still struggling with. it would not let me connect to the internet or connect any usbs/flash drives. luckily i had previously installed malwarebytes on her computer, but unfortunately i was not able to use it until i manually deleted all the files listed above. it is currently still scanning……
dan
May 08, 2011 @ 14:34:48
Had this malware before, i found the only way to get rid of it was to disconnect from the internet and do a complete reformat of the hard drive. That did get rid of it, tried all the other methods but a complete reformat will always work.
Donna
May 09, 2011 @ 01:37:31
Thanks to all who took the time to post the solutions to this virus. I’m 66 and my husband is 68. This is the first virus we have encountered on our home computer after years of using computers. Staples and Best Buy both wanted $199 to fix (they really wanted to sell us a new computer). Thanks to this website and each of you, I had the confidence to fix it myself. God bless each of you. I couldn’t get to safe mode but went through Start/Accessories/System Tools/System Recovery (as one of you suggested). The screens in system recovery described exactly what would happen and how to proceed. We restored to three days earlier and it solved the problem. I learned a lot today.
rachel
May 09, 2011 @ 03:09:19
It’s seriously shutting my pc off every time I almost fix it. I’m so mad.
rubios_us
May 09, 2011 @ 15:18:15
I just got the virus and was able to fix it in just a few steps. Hope this helps you as I was very concerned until I figured out what to do quickly. Here’s what I did:
1. Run the System Restore from the System Tools option in the Accessories program. Programs >> Accessories >> System Tools >> System Restore
2. Select “Restore my computer to an earlier time” and hit next>>
3. Select the last restore date closest to right before you got the virus. Restore points are usually marked in bold dates.
4. The system will begin its restore to that time before you got the virus. It will reboot. Log in as normal. The virus expected you to run a restore and has corrupted your program files so you can’t use them. This is sort of a panic attempt on their behalf. Don’t worry. Go on to the next step after you’re completely up and running.
5. Run the System Restore (again) from the System Tools option in the Accessories program. Programs >> Accessories >> System Tools >> System Restore
6. Select “Restore my computer to an earlier time” and hit next>>
7. Select the restore date one date earlier than you selected in step 3.
8. When the restore is complete, this should put your system back to a known good state with no further signs of the virus.
The reason you have to do a restore twice is that the virus corrupted the restore point you selected in order to keep you scared. None of your normal system programs will work, i.e. Internet Explorer. When you have restored it the second time, the next restore point you selected will have full capabilities with no corruption. Hope this helps.
DMShuman
May 10, 2011 @ 00:41:53
for XP
You can get your .exe programs running again by downloading the following reg file at
dougknox.com/xp/file_assoc.htm.
Click on the EXE file association link. Download xp_exe_fix.zip. Unzip and double click on the included reg file. You will be able to run your applications again. The easy way to fix Windows Update is to reinstall the Windows autoupdate service…
At the run command type in %windir%\inf
right click on AU.inf and select install
You may need your I386 disk or if you install SP 3 for XP when asked for missing DLL browse over to %windir%\ServicePackFiles\i386.
Hope this helps.
Jay
May 11, 2011 @ 23:57:06
Repair “running of .exe files”.
Method 1
Click Start, Run. Type command and press Enter. Type notepad and press Enter.
Notepad opens. Copy all the text below into Notepad.
Windows Registry Editor Version 5.00

; Remove the keys that override the .exe handler
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\pezfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

; Restore the default .exe association
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.)
Double Click fix.reg and click YES for confirm.
Reboot your computer.
Method 2
Click Start, Run. Type command and press Enter. Type notepad and press Enter.
Notepad opens. Copy all the text below into Notepad.
[Version]
Signature="$Chicago$"
Provider=www.myantispyware.com

[DefaultInstall]
DelReg=regsec
AddReg=regsec1

; Keys to delete
[regsec]
HKCU, Software\Classes\.exe
HKCU, Software\Classes\pezfile
HKCR, .exe\shell\open\command

; Values to restore
[regsec1]
HKCR, exefile\shell\open\command,,,"""%1"" %*"
HKCR, .exe,,,"exefile"
HKCR, .exe,"Content Type",,"application/x-msdownload"
Save this as fix.inf to your Desktop (remember to select Save as file type: All files in Notepad.)
Right click on fix.inf and select Install. Reboot your computer.
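Added example (not part of the comments or the original page): a Python audit of a registry export for the same keys that the fix.reg above deletes or resets, to check whether the .exe association is still overridden after cleanup. The sample export, its placeholder path and the function names are constructed for illustration; the parser also rejects typographic quotes outside strings, which are not valid .reg syntax.

```python
import re

# Defaults that the fix.reg in the comment above writes back.
EXPECTED = {
    (r"hkey_classes_root\.exe", "@"): "exefile",
    (r"hkey_classes_root\exefile\shell\open\command", "@"): '"%1" %*',
}
# Keys that the same fix.reg deletes; any of them overrides the stock handler.
SHOULD_BE_ABSENT = (r"hkey_current_user\software\classes\.exe",
                    r"hkey_current_user\software\classes\pezfile",
                    r"hkey_classes_root\.exe\shell\open\command")
STRING = r'"((?:[^"\\]|\\.)*)"'  # quoted string with \" and \\ escapes

# Constructed sample export for illustration; the executable path is a placeholder.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="pezfile"
[HKEY_CURRENT_USER\Software\Classes\pezfile\shell\open\command]
@="\"C:\\PLACEHOLDER\\sample.exe\" \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""


def unquote(token):
    """Return the text of a quoted .reg string, or the raw token for other types."""
    m = re.fullmatch(STRING, token)
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else token


def parse_reg(text):
    """Parse REGEDIT5 text into {lowercased key path: {value name: data}}."""
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() != "Windows Registry Editor Version 5.00":
        raise ValueError("line 1: not the REGEDIT5 header")
    keys, current, continued = {}, None, False
    for number, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if continued:  # remainder of a multi-line hex value
            continued = line.endswith("\\")
            continue
        if not line or line.startswith(";"):
            continue
        if re.search("[\u201c\u201d\u2033]", re.sub(STRING, "", line)):
            raise ValueError(f"line {number}: typographic quote outside a string")
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.fullmatch("(@|%s)=(.*)" % STRING, line)
        if m is None or current is None:
            raise ValueError(f"line {number}: not a key or value line")
        current[unquote(m.group(1))] = unquote(m.group(3))
        continued = line.endswith("\\")
    return keys


def audit(keys):
    """List deviations from the stock .exe association in parsed registry data."""
    findings = []
    for key in sorted(keys):
        if any(key == bad or key.startswith(bad + "\\") for bad in SHOULD_BE_ABSENT):
            findings.append(f"override key present: {key}")
    for (key, name), want in EXPECTED.items():
        got = keys.get(key, {}).get(name)
        if got is not None and got != want:
            findings.append(f"{key} [{name}] is {got!r}, expected {want!r}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(parse_reg(SAMPLE_EXPORT))))
```

An empty result from `audit` means none of the override keys are present and the exported defaults match what the fix writes.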
Shauna
May 13, 2011 @ 00:38:44
I was hit with this about an hour ago. I immediately unplugged myself from the internet and shut down my laptop. I then restarted in Safe Mode, and planned to run my AVG anti-virus program. However, the XP Anti-virus 2011 program beat me to the punch, and began its fake scan – IN SAFE MODE. I am going to try a system restore next. This thing embeds itself into your registry files…
wink
May 13, 2011 @ 02:05:52
I can’t understand why someone has not tracked the persons responsible and subjected them to the aggravation we have all suffered. Only seems fair.
Shauna
May 14, 2011 @ 01:20:22
I completed a system restore twice – as recommended above. However, restoring my system to over a week ago did not get rid of the bug. The virus then locked me out of all of my programs – I could not open anything.
JAY – I followed your instructions and am now able to run .exe files. What should I do now? Do I try a system restore again?
tilmsmith
May 14, 2011 @ 03:44:24
I just tried the fix recommended by Rubios_us posted May 9. All good through step 4. However, can’t get to step 5 because executable files have been corrupted. Any suggestions on how to get around this?
Brendan
May 14, 2011 @ 04:05:54
Note: I am not good with computers but this is helping me at least be able to start to work through this.
I got this virus last night and at first was completely shut out of everything. I got on another computer and looked this up and found a reg key that at least allows me to do stuff now. It’s 1147-175591-6550. After entering that I am now able to at least use all functions on my computer and am getting someone else to remove this thing completely.
HELP
May 14, 2011 @ 08:32:40
I’ve managed to turn on the Malwarebytes’ Anti-Malware by using safe mode system. And it deleted virus – in my case “avl.exe”, but after rebooting computer it was still there! How come this antivirus doesn’t work?! Is there any other better programme which can get rid of this virus? If somebody knows please answer! PLEASE!!!
Derek
May 17, 2011 @ 12:16:55
System Restore worked for me in XP. Wrote them a nasty note. I thought I was going to reformat.
db
May 18, 2011 @ 07:44:38
support.kaspersky.com/viruses/solutions?qid=208280684
try this utility
Craig
May 18, 2011 @ 16:37:54
Successfully (or so I think) removed most of the offending virus elements with combination of safe mode, anti-malwarebytes, etc. But like some others on here, now have found that my personal profile is corrupted where any program I try to open gives me the “Run As…” pop-up window. I have to run everything as an Administrator to get it to work. Also when I attempted to open iTunes, it acted like it was the first time it had ever been used. When it did open I noticed that my entire music library was no longer linked. Wondering if I just need to delete my profile and create a new one.
Corey
May 19, 2011 @ 19:25:32
I don’t usually write reviews, but I had to for this product. It actually worked and it worked fast for my laptop. I downloaded the rkill.com and ran it on my infected pc. I was back up and running in less than 5 min…maybe 3. I really got rid of the xp anti-virus 2011 problems I was having.
Me
May 19, 2011 @ 21:04:51
So for whatever reason my system restore doesn’t have any dates set in it (even though I created one only 4 days ago), and nothing else seems to work. And I would rather not have to delete my user account, because well…I just don’t want to.
Malware Bytes didn’t work, Avira has always been a bit of a waste, the rogue killer apparently did nothing EXCEPT when I did #5 or 6 it gave me my desktop icons back from the virus I managed to get rid of on the 15th (when I created the restore point that has gone missing).
Me
May 19, 2011 @ 21:18:51
@Jay:
I tried method 1 & 2.
Method 1, no matter what I do, says it’s not a registry file, and that I can’t import binary whatevers into the registry outside of registry editor.
The second fails to understand what type of program file it is and asks if I should search for the program to run it online or locally.
david
May 19, 2011 @ 21:31:50
I just experienced the new version of this virus and it blew my system away and took me by complete surprise!!
One minute I was checking some webpage.. then AVG threw up a box saying there was a malicious file, it gave me the choice to stick it in the vault – I did.. but after, I was told windows firewall was off.. when I tried to stick it on again.. “cannot open file, missing rundll32”. This same message occurred for everything.
I decided to open AVG interface by other means. When I did, I removed the malicious file from the vault and as soon as I did.. I was attacked by XP anti-virus 2011. It looked very legit.. it just so happens that this whole event happened right after I had a windows update.. so I assumed it was part of the update.
It looked so legit, that I thought it was Microsoft’s idea of charging now for the xp firewall and additionally adding in anti-virus.. it also switched off AVG.
It pushes you to buy the full licence program.
I’m shocked at how vulnerable I was.. I thought my security was pretty good, but this is a disgrace.
By the way users, here’s an easier fix…. open up MSCONFIG ..then TOOLS and choose SYSTEM RESTORE… restore it to a day before and it will fix everything.
I’m fine now.. but 1st thing I have done was get latest windows updates, AVG, windows defender and firefox updates.
hope this helps someone
malik
May 19, 2011 @ 22:42:46
System Restore takes care of it, no big deal.
Adiriana Ortega
May 20, 2011 @ 04:29:31
Pls refund me, this protection didn’t work for my computer.
Meg
May 21, 2011 @ 17:45:05
When you open the xp anti-virus ad, place this number in the register key, it will run the system and clear everything up. It is the only thing that worked for me. 1147-175591-6550
Melissa S
May 24, 2011 @ 23:25:40
I did a systems restore and three weeks later it came back!!! I hate this virus so much
Ujjawal
May 25, 2011 @ 13:19:01
when this creepy virus asks for registration go to manual registration and enter this key-
1147-175591-6550?
Cody
May 25, 2011 @ 19:25:26
I can’t even get task manager open. It says the admin turned allowance to it off.
Joe Cavaorgava
May 25, 2011 @ 22:19:25
The virus made it look like my data was completely wiped out. I found it all again. Turns out the virus marked all the files as “hidden.” Once you’ve followed the instructions and eliminated the file, open the Control Panel and go to Folder Options. Click “Show hidden files and folders.” This will display your files in “ghosted” form. Then, under “View,” click “Reset All Folders.” Good luck!
Michael
May 26, 2011 @ 14:24:31
No need to throw away your PC or get a professional. With Trojans like this one that are Fake Virus Program Alerts there are only 2 tools you need to combat and remove the trojan.
First is RKill which you can find and download at bleepingcomputer.com or elsewhere. Run RKill, which kills any malware/trojan .exe and registry key running.
After executing RKill then run MBAM (Malwarebytes Anti-Malware) to perform a scan and then remove infected files. MBAM, Malwarebytes, can also be downloaded at bleepingcomputer.com or elsewhere.
With these 2 programs you can stop Trojans like this and remove them from your PC.
Aslana
May 26, 2011 @ 19:23:28
THANKS TO THE CODE PROVIDERS !!!!!!!
Just tried the code and it let me in, thanks. Now to remove it, because once you’re in, it will record all passwords and sensitive identity information and send to their servers. Use the code then get Microsoft security essentials.
As I’m using microsoft essentials right now and as it scanned it found rogue: win32/fakerean which was that xp 2011 antivirus rogue program as the scan ended, the xp fake icon at drawer disappeared it removed it and now I will install the ms bytes just to make sure
Aslana
May 26, 2011 @ 20:16:00
One more thing: definitely run the malwarebytes, after the me security scan, because it finds the hidden files. I saw all the hikey files there and moved them, so using both seems to work, but use the code to be able to get back on your Internet. Thanks Meg and ujjawal for that awesome bit of advice. Follow those instructions and code number.
daemon
May 26, 2011 @ 20:50:06
I’m 13 but I can’t get this virus off, but I can access the web by deleting the process explorer (not iexplorer) and go to control alt delete place and then applications new task and then find program i explorer and get on, but I really need help. Any ideas?.. Oh man, security pop up just happened after 10 min.
daemon
May 26, 2011 @ 20:51:37
By the way I am knowledgeable with the computer, I have gotten rid of viruses but this is advanced…
CJ
May 27, 2011 @ 01:53:42
I just got rid of this BLEEP BLEEP BLEEPITY BLEEPING thing off of my computer!!!
Before doing so, I transferred all my vital files to CD. Then I just ran AVG (the free version). It found two threats and took care of them.
I was surprised!
jon
May 27, 2011 @ 15:34:42
Restore in safe mode worked for me. Afterwards I ran malwarebytes and it found several things I quarantined. Thanks for the help.
Also, someone mentioned Stopzilla, which I believe is a similar virus.
Brian Gilbert
May 28, 2011 @ 00:01:33
To all of the above:
The following instructions are not for the faint of heart, and you will need to open the Windows System registry with the regedit command and be willing to kill processes from the task manager.
Please think of the procedure as a scene from the 1970s movie M*A*S*H:
1) First do not panic, panic is a killer, just shut your system down in a polite way (I just pull the plug).
2) Go get a drink (pick your poison).
3) Take a deep breath (tobacco or cannabis is optional).
4) Turn the system back on and under most MS OS hit the F8 key. This will give the option to start the system in “Safe Mode” just do it.
5) After you have logged in, press the Ctrl/Alt/Del keys as fast as you can and watch the list of processes that start. Kill the one under the log-in name that starts at the same time as the message that pops up.
6) Run your browser (it does not matter which one) look for the same process name kill it. Oh yes before you kill it you need to write it down.
7) Do step 6) again (please just work with me). This time just let it do its thing; it will present a screen that wishes you to continue, just do it. It will take about 4 to 5 minutes and present a list of “virus”. Accept and depending on the version of the software you can enter the online “code” 1147-175591-6550 that will make it “less of a hassle”.
8) Now using the regedit tool find the process name delete and the pre-fetch file entry delete related to it; save that in information. You are not done yet, now exit out and should you not just be ready to proceed then return to steps 2) and/or 3) returning to step 9).
9) Using the file search function locate that pre-fetch file and delete it, and remove it from the “trash can” also.
10) This is the Key Point: should you make any changes to the Windows registry this is the time to opt-out just do a soft reboot and with at least XP Pro things did not change. Should you be willing to take the plunge after making the changes you need to not only shut down the system but to turn the power off!
This worked for me.
Should anyone have further problems I will actually infect a spare system and try to reproduce the results for the other users.
Best Regards
Brian J. Gilbert
Gabor47
May 31, 2011 @ 13:46:48
It is time to introduce a law, according to which anyone caught creating a virus should be put in prison for at least 20 years. That would somewhat deter idiots who create viruses just to irritate others.
kaungmyat
Jun 01, 2011 @ 03:10:19
Xp Anit-virus 2011 free download.
now free download.
kaungmyatnoe
Jun 01, 2011 @ 03:15:58
xpAnit-virus 2011 free download.
How to virus remover xpAnti-virus 2011
kaungmyatnoe
Jun 01, 2011 @ 03:17:11
XP Anti-Virus 2011 or also known as Vista Anti-virus 2011 and Win 7 Anti-virus 2011 is a rogue program that will be installed on multiple operating system.
kaungmyatnoe
Jun 01, 2011 @ 03:18:40
It is time to introduce a law, according which anyone caught with creating a virus should be put in prison for at least 10 years.
Met
Jun 02, 2011 @ 03:36:00
Can you get this virus from anything at random?
Vic
Jun 03, 2011 @ 05:54:45
I just found this on my kids’ PC (I THANKFULLY use a Mac)… running system restore right now… going back a month, just to be safe!! will let you know how it works out.
Vic
Jun 03, 2011 @ 06:00:14
well, so far so good… it appears to be gone after doing the system restore… (oh thank goodness!!!) I am thinking it is time to upgrade the kids to a Mac so I don’t have to worry with this crap anymore!!!
Reddy
Jun 04, 2011 @ 14:00:19
System Restore did the trick. Thanks for the info. Also, if you have purchased this stupid software, call your credit card company to dispute the charges. They will credit you back the money. Good Luck!!!
Michael
Jun 06, 2011 @ 23:30:24
To all concerned;
I would like to say thank you for all the information on how to remove this problem. I tend to agree with Mike on the jail time idea. I am having to restore my “game” machine and have found all the information useful. Vic’s idea about upgrading the kids’ machines is a good one. But I would look at going to a Linux based system instead; you can just download the software and install it. It is a free OS and works great. If you wanted to get a disk set it will only cost about $10 for five full sets of Ubuntu 11.04. And by the way Ubuntu is completely Windows virus proof. That is why it is on my netbooks. Just a thought.
Mike
Jun 15, 2011 @ 21:41:55
This has been around for quite some time and has hit a lot of users. I’ve been hit twice in the last 2 years. What gets me is that our security software vendors as well as Microsoft seem oblivious to this. If they can’t take action with such a well known virus how do we know they are doing anything to protect us from other less known threats?
nitram
Jun 18, 2011 @ 21:32:49
How I got rid of xp essentials. I unplugged my pc for 2 hours to cool off, then plugged it in and turned it on. As soon as it booted up I clicked on start, all programs and got to system restore. As soon as system restore window pops up don’t waste time. Their window popped up but I got restore in time before their pop up took over my pc. Once you restore to an earlier date your aggravation will be gone. Believe this works. Don’t download what others are telling you, you might just end up with more problems.
Bear
Jun 22, 2011 @ 23:50:57
A big thanks to all. And especially Bob31
I used system restore. It seemed the simplest way to start out.
And it worked for me.
Now if we could just get the creator of this piece of work alone in a room for a minute. I have a baseball bat I’d like to introduce to him.
Have a good day all.
Coco
Jun 25, 2011 @ 17:33:51
Hey guys, I got this nasty thing like 4 days ago and it started to scare me because I thought those were a lot of viruses that it scanned, so I just shut it down and left the battery and hard drive out. Do you guys think I’ll still be able to system restore it to fix the problem?
honeyrose
Jul 18, 2011 @ 08:40:17
I have this virus. I was running MS Security Essentials when it got in but it somehow turned that off. I looked in Processes and could not see any rogue .exe files. Then I tried to run System Restore but it seems to have disabled that too as it will not run (although I have not tried Rubios’ suggestion to run it twice). Nor can I go into Safe Mode to fix it as the virus also appears when I log into Safe Mode. It blocks me from downloading malwarebytes and similar fixes. I did manage at one stage to find some of my hidden files before it cut in again so I am hoping they are just hidden. I assume it mutates into different forms. Now about to seek professional help as I cannot afford to lose some of my work files. (Had these backed up on an ext HD but of course it broke the week beforehand. Sod’s Law.) Thinking of installing MS Home Server for future backup of my home network.
jesse
Nov 20, 2011 @ 00:19:20
I want to know who made this virus. It has cost me thousands of dollars and many hours, my work computer is on the verge of crashing.
I have tried everything, including rkill, but it didn’t stop it.
I want to meet the idiot who made this. I will pay 100 thousand dollars to the person who catches this guy and brings him to me.
Beachlover46
Dec 26, 2011 @ 06:57:02
I got this virus 5 months ago and everything was corrupted including my anti virus software. I could not install Malwarebytes as the Internet Explorer was infected. System Restore did not work as I didn’t have an early enough date prior to infection. Starting in safe mode didn’t work as the virus got into that too.
So I gave up and left my laptop off considering what to do about it. A few days ago I turned it on after 5 months and no fake alerts or any sign of the virus was noticed. I uninstalled the corrupt anti virus software I had and installed Malwarebytes and Avast and ran scans until all corrupt files were detected and deleted. Avast does a special reboot scan and this was very thorough. The only issue I have is that automatic updates won’t turn on.
But certainly leaving the computer in hibernation for 5 months must have disabled the virus and I was able to install software to remove it.
Hope this information helps someone.
Demonownz
Dec 28, 2011 @ 05:03:05
I just encountered that virus recently and it was easy to remove. Access the task manager by pressing ctrl+alt+delete and it came up. Malwarebytes deleted it and worked fine. Until the next day when everything started opening as notepad form, it’s a separate issue.
sfoeur
Dec 30, 2011 @ 01:16:06
I downloaded a new developed antivirus Anvi Smart Defender yesterday. Not sure if Anvi Smart Defender can scan new virus on computer.