
How to Remove XP AntiSpyware

March 21, 2010 at 4:17 pm


by Gina Trapani

It's been a while since I've had to deal with a malware-laden PC, but my long streak of luck ran out
this weekend when a family friend--who describes himself as computer illiterate--called. "Every
time I try to do anything on the computer," he told me, "I get a message saying it's infected, and I
have to pay $69 to clean it, but I tried to do that and I couldn't." He couldn't even navigate to the
Mozilla site to download Firefox; Internet Explorer was completely hijacked.

So, armed with a thumbdrive loaded with Firefox and AdAware installation files, I headed over
there to take a look. Here's what I found:

* The Norton AV trial subscription that came with Windows XP had expired and stopped
protecting the machine, which was connected directly to my friend's broadband ISP with Windows
Firewall turned off.
* Windows XP hadn't been updated since before SP2 had come out, because a friend of my
friend told him not to trust any automatic updates. Because they might be spyware.
* Rogue software called XP AntiSpyware had taken over the machine.

AntiSpyware XP was the problem that prompted my friend to call, and it was the most hostile,
insidious, and difficult-to-kill malware I've ever seen. It looked completely authentic and felt
impossible to stop. Masquerading as a spyware killer itself, in the system tray, its icon was an
almost perfect replica of the Windows Security Center icon. When you tried to visit a web site in
Internet Explorer or do much of anything, XP AntiSpyware launched, and its window looked just
like Windows Security Center. Once launched, it would start scanning your PC automatically, and
tell you, in alarming red pop-ups, that dozens of files were infected and that you should delete
them. There was no quit, there was no uninstallation available in Add/Remove Programs, and all
the program's options in its Settings area were grayed out/disabled. If you tried to run the real
Windows Security Center or a program like AdAware, AntiSpyware would show up instead and
start scanning again. If you tried to launch the Windows Task Manager (with Ctrl+Alt+Del), a
message came up saying your computer administrator had disabled it--even though I was logged
on as an administrator. There was no way to tell which startup entry in msconfig belonged to the
program, and when I restarted Windows in Safe Mode (F8 during boot) and tried to launch AdAware,
this software started instead.

What a mess.

To fix it, I installed Chrome (which came bundled with AdAware). While AdAware itself wouldn't
launch, Chrome thankfully would, and after some Googling, I found this lifesaving article, which
describes what "XP AntiSpyware" really is:

During installation, XP AntiSpyware 2010 (XP Antivirus Pro 2010) will configure itself to run
automatically every time you run any program that has an “exe” extension (99% of Windows
applications). The rogue also uses this method of running to block the ability to run any programs,
including antivirus and antispyware applications.

When XP AntiSpyware 2010 (XP Antivirus Pro 2010) is started, it will perform a system scan
and detect a large amount of infections. All of these infections are fake, so you can safely ignore
them. What is more, while the rogue is running, it will display various fake security warnings and
notifications from the Windows task bar that have a “Spyware infection has been found” or “Tracking
software found” header. However, all of these alerts are fake and, like the false scan results, should
be ignored.
Last but not least, XP AntiSpyware 2010 (XP Antivirus Pro 2010) will hijack Internet Explorer
and Firefox and display fake warnings when you open a web site.

The solution was two-fold: first, you had to do a manual registry edit that stopped the program
from starting in place of AdAware or any other spyware scanner. The lifesaving article had the
registry fix-it entries, which I will reprint here for posterity.

Windows Registry Editor Version 5.00

; A leading "-" inside the brackets deletes the whole key. These four keys carry the
; hijack: a bogus "secfile" class plus a per-user .exe association pointing at it.
; HKEY_CLASSES_ROOT is a merged view of HKLM\Software\Classes and HKCU\Software\Classes,
; and the per-user half wins, which is why the rogue could insert itself in front of
; every .exe launch without touching the machine-wide keys.
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

; Restore the stock handler for the exefile class: run the program itself ("%1")
; with whatever arguments it was given (%*).
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

; Point the .exe extension back at the exefile class.
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

Here's what I did: I backed up the Windows registry, copied this text into Notepad, saved the file
as fixme.reg, double-clicked it to apply the changes, and restarted Windows. Only then did I get
the first sign of progress: once the registry was fixed, Internet Explorer was actually able to load
web pages. Sweet.
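As an added check that is not part of Gina's post or the article she quotes, here is a read-only PowerShell audit of the same registry locations that fixme.reg deletes or restores. It lets you confirm the .exe hijack is present before applying the fix and gone afterwards. The function name Test-ExeAssociation and the "stock" values it compares against (the exefile class and the "%1" %* open command) are this example's own assumptions.

```powershell
# Added example (not the post's or the cited article's code): audit the .exe file
# association that XP AntiSpyware hijacks. Read-only; it changes nothing.
# Assumed: the stock XP values are .exe -> exefile and exefile open command "%1" %*.

function Test-ExeAssociation {
    $findings = @()

    # HKEY_CLASSES_ROOT merges HKLM\Software\Classes with HKCU\Software\Classes, and
    # the per-user half takes precedence. A rogue therefore only needs to write these
    # two keys, as an ordinary user, to run itself in front of every .exe launched.
    foreach ($key in @('HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\secfile')) {
        if (Test-Path -Path $key) {
            $findings += "SUSPICIOUS: per-user override present: $key"
        }
    }

    # The bogus file class and the out-of-place command key that the .reg fix deletes.
    # A launch command belongs under the class (exefile), never under .exe itself.
    foreach ($key in @('Registry::HKEY_CLASSES_ROOT\secfile',
                       'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command')) {
        if (Test-Path -Path $key) {
            $findings += "SUSPICIOUS: unexpected key present: $key"
        }
    }

    # .exe must map to the exefile class ...
    $exeKey = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue
    $exeClass = $exeKey.'(default)'
    if ($exeClass -ne 'exefile') {
        $findings += "SUSPICIOUS: .exe maps to class [$exeClass] instead of [exefile]"
    }

    # ... and exefile's open command must be the stock "%1" %* (run the program itself
    # with its arguments), not a path to some other program.
    $cmdKey = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' -ErrorAction SilentlyContinue
    $openCmd = $cmdKey.'(default)'
    if ($openCmd -ne '"%1" %*') {
        $findings += "SUSPICIOUS: exefile open command is [$openCmd]"
    }

    if ($findings.Count -eq 0) {
        return @('OK: .exe association is stock')
    }
    return $findings
}

Test-ExeAssociation
```

Run it from an administrator PowerShell session. On a machine that is still hijacked, powershell.exe is just another .exe and will be intercepted like everything else, so this is mainly useful as a post-fix verification, or from a separate clean profile or a Task Manager started as another user, as later commenters describe. A per-user override under HKCU\Software\Classes\.exe is rare for legitimate software, so treat any hit as something to inspect by hand rather than as proof on its own.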

Second, you had to install a real spyware killer to kill XP AntiSpyware. (Imagine me trying to explain
this to my computer illiterate friend. By now his eyes were glazed over.) Microsoft Security
Essentials didn't detect it. At the article's suggestion, I installed Malwarebytes Anti-Malware and
scanned away, cleaning off everything it found, including AntiSpyware.

From there the machine was usable, but still not ready for primetime. I ran Windows Update and
got the machine Service Pack 3 and all the updates beyond that. (That alone was an hour and a
half of progress bars and restarts. Did I mention this was a slow, year-and-a-half old HP PC from
Costco?) I turned on Windows Firewall, and set up Microsoft Security Essentials. I uninstalled
Norton AV to get rid of its nagging pop-ups, and because my friend said that Windows was slow
to start up, I ran msconfig and unchecked the stuff he didn't need to start up automatically (Java,
Quicktime, and some other annoying "helper" apps). When I was done, the machine was
speedier, usable, and not littered with both legit and malicious system tray pop-ups about infected
files and software updates.

If I had more time, I would have formatted the hard drive and reinstalled Windows from scratch,
and then installed a hardware router with a firewall on it between the computer and his cable
modem. At any rate, I advised my friend to change all of his passwords before he did anything
else on the machine.

Then, I tried to explain to him that some notifications and updates (like Windows Updates) are
good and needed and he should get them, and others are malware trying to get his money (like
Antispyware XP). But how does someone like him know the difference?

If you're dealing with a malware situation and simply installing a spyware cleaner like AdAware
ain't working, you may have to Google the specific problem you're having, like I did. Otherwise,
check out my published-in-2006-but-still-holds-up article on cleaning your computer illiterate
relatives' and friends' PCs, How to fix Mom and Dad's computer.

UPDATE: I should point out that the screenshot included in this post is NOT from the machine I
cleaned, and it looks slightly different. My guy's PC must have had a different version of
AntiSpyware, which seems to exist in many incarnations. However, if you click on the screenshot
above you'll see a pretty funny typo--"Protect your Widows PC."

Filed under Windows

There are a few Linux-based live CDs that will boot into a stripped-down Linux and let you run ClamAV
on an infected machine. Check out
http://www.volatileminds.net/opendiagnostics/index.php/OpenDiagnostics_Live_CD

Linux live CDs that contain ClamAV are a great way to try to get nasty malware that makes it tough
to work with the machine when in Windows.
Chad Stephen Albert [+3]
Mar 21 10 at 4:26 pm

I have run into that one a few times at work. It is a nasty one. It is the only one I have run into that
I have had to have the computer shipped to me to fix. I was completely unable to repair this
remotely.
Jeremy Townsend [+2]
Mar 21 10 at 4:35 pm

You, Gina, are a saint. You are doing God’s Work (as Jeff would say). Many people are REAL
people, and you just rescued another one. It may be frustrating, but it is the right thing to do.

You’re Awesome,
Lance
Lance Rulau
Mar 21 10 at 4:37 pm

Gina?

Sounds like you’ve 100% qualified for this Nerd Merit Badge!

Of course, that is, unless you already have it.

Thanks for posting this recap – it’s always interesting to see how others go about this kind of stuff!
mrhaydel [+6]
Mar 21 10 at 4:40 pm

I second Chad’s comment. I used ClamAV a few days ago to get rid of this from a neighbor’s
computer. It worked great the first time. I also took this a step further to prepare
for next time and installed Trinity Rescue Kit (TRK) on a pen drive. TRK has several free AV tools
including ClamAV and AVG.
Troy Peterson
Mar 21 10 at 4:40 pm

I had a similar experience a few weeks ago while trying to remove some malware called Personal
Security [see this Bleepingcomputer article] from a friend’s PC. I ended up booting the machine
from the UBCD4WIN live CD and deleting the program files that made up the malware.

Once that was done, I was able to restart the machine normally and install and run Malwarebytes
to complete the cleanup. I’m sure that if I’d had more time, I would have been able to figure out
how to edit the Windows registry from a Linux live CD — but, any port in a storm.
geekman
Mar 21 10 at 4:46 pm

Hi Gina, I had the same exact problem a few weeks ago with a friend’s laptop.
I didn’t bother trying to remove the malware though: I just backed up what I could and reinstalled
Windows reformatting the HD.
Is there a moral here? Switch to a Mac…
Ruggero Domenichini rujero
Mar 21 10 at 4:54 pm

Gina, I had exactly this same issue with my in-laws. The issue was essentially behavioral: my FIL
was a fanatic about clicking pop-ups that claimed he was at risk of spyware, so he was constantly
getting these nasty fake antimalware programs, like the XP Antispyware. While I did manage to
install a wireless router (for me during visits) with hardware firewall, it had little impact.

After the last time doing this, I backed up their photos, made a record of their sites etc. And then I
went to the Apple store and bought them an iMac. Loaded all their photos and other bits, showed
them how to do things in MacOSX, and left them to it. As far as I know, my FIL still clicks and
downloads all the fake antimalware, but of course none of it works in MacOSX. I have not had to
do any work on their PC since the Mac, a change from several times a year with their Dell.

I am safe until this stuff starts getting created for Mac I suppose.
cmason
Mar 21 10 at 5:17 pm

Gina, sorry to tell you but this is actually a very old infection; there is actually Antispyware 2010, yes,
they actually increment the versions to appear more legitimate. But this one was one of the first of
what became a whole generation of such infections (most security programs detect them as
fake_alert). Unfortunately they all use the familiar Windows interface to trick users into installing
their product, then they deliver the infection payload that varies. They use built-in Windows
policies to prevent access to Task Manager, Windows Update, registry editors, sometimes even
the Control Panel altogether, all this with a goal to prevent removal. Frequently the infection will also
modify permissions for the registry and infected files so that they can’t be found and removed.

I noticed that you turned off Java Updates in msconfig. Security exploits in Java are commonly the
path by which these infections get in. Another one is Acrobat Reader. While constant update
reminders are annoying, having updated Java, much like Windows, is a very important step in
making sure that this doesn’t happen again. Next time you talk to Leo ask him about this; he and
Steve Gibson frequently discuss Java and Acrobat “remote code execution exploits” on Security
Now…

Also, switching to Mac is not a solution, it’s only a way to ignore the problem… it’s only a matter of
time before we start seeing the same type of infections for Macs, and the more popular they get the
larger target they become…. Just be careful where you go and if in doubt use Google:

http://www.google.com/safebrowsing/diagnostic?site=smarterware.org
boris
Mar 21 10 at 5:48 pm

Ahh, I have had the privilege of fixing this spyware many times over. I use a program called
Combofix to stop it and remove most of it then I use Malwarebytes and Superantispyware to
remove the rest of it.

We probably clean this one out once a week as our business is computer repair.
dweebsonduty
Mar 21 10 at 6:16 pm

Strange that Microsoft Security Essentials didn’t detect it for you. I treated my uncle’s computer
with this problem via Crossloop a couple of weeks ago and simply transferred the Microsoft
Security Essentials installer through Windows Live Messenger file transfer. Ran it, installed it, and
the spyware was gone.
Ted Avery Ted Avery [+12]
Mar 21 10 at 8:03 pm

“when I restarted Windows in Safe Mode (F8 during boot) and tried to launch AdAware, this
software started instead.”

Wow… That’s insane. At that point I probably would have just reinstalled Windows and tried to
salvage any files that my friend needed.
AJ West
Mar 21 10 at 9:25 pm

Good on you for saving the day, though like you, I find that explaining the difference between
legitimate and false popups is surprisingly difficult.

And personally, if it’s looking like a case of multiple malware infection, I’d grab DrWeb LiveCD or
Avira’s Antivir Rescue System – both live CDs so that you don’t even boot the infected Windows.
@soyelmango
Mar 22 10 at 1:36 am

I just removed this from a PC last week. Yeah, a nasty piece of work indeed. Wanted to flatten it
and do a re-installation, but they wanted their data retained. Not the most agile user, but I
demoted her account to standard, and will have to hope she doesn’t re-acquire.
William Brine Nathaniel Kabal
Mar 22 10 at 1:52 am

Is it only me or am I a bit paranoid, but I wouldn’t trust a computer with no updates since SP2 with
firewall off for that long.

I would copy data, destroy partition and start over re-installing Windows and everything else.

From my experience anti-viruses are great to prevent incoming viruses, but once the
virus/trojan/malware is in, I would not trust just one AV to find everything and be able to remove.

Once a computer has been open season for a while, I can’t help but feel like I can’t trust it
anymore.
Alain Donais
Mar 22 10 at 4:38 am

Did you have any issues with the user being renamed to “SAM”? I did when I had to clear this off
a friend’s computer, and I still don’t think I can remove that user….
joec
Mar 22 10 at 6:07 am

@boris … while in theory I agree with you, I have been hearing that same logic for the last ten
years. I haven’t had to do that kind of scanning after I switched. Sure, the mac isn’t for everyone,
but after I switched my family over, my holidays with them have been way more peaceful and
headache free.
Alex Choi rtfmplease
Mar 22 10 at 7:15 am

I ran into this a few weeks ago on my sister-in-law’s computer. Definitely a pain in the butt. The
whole official looking pop-up window fooled me. I got tired after an hour of dealing with all the
programs being hijacked so ended up reinstalling Windows. Though I did first use a Live Ubuntu
CD, which was really nice, to get access to the drive and backup the data before reinstalling. I
wish I did more googling at the time now.
trivialm
Mar 22 10 at 7:24 am

I deal with this b@stard of a program on a weekly basis (for work). Depending on how many
times I’ve done it that week I’ll do a variety of these two methods. FYI, these methods are for
workstations on a domain.

1. Run legit antivirus w/ antispyware from the server on the infected machine. (Doesn’t always
work)

2. Log in as a new user, one that has never logged on to that machine before. Let the profile
build, but before it is finished loading, right click the taskbar and load up Task Manager. Once you
have that running, you have control of the Antispyware application and can run whatever
apps/services you need to in order to regain control of the workstation. No registry editing is
needed.
Gene Miller
Mar 22 10 at 8:05 am

Hey Gina, nice work.

I’ve been using the Malware Removal Guide from the forums at Majorgeeks.com for over five
years. It’s updated regularly.

Of course, I hope you never have to use it. But, who are we kidding? :)
Bryan Villarin
Mar 22 10 at 9:41 am

Interestingly enough, today I had to clean up another computer infected with one of those fake
anti-virus programs and I had very good luck with McAfee’s Stinger tool
http://fileforum.betanews.com/detail/McAfee-FakeAlert-Stinger/1269012477/1
They just released a new version specifically targeting those fake anti-virus apps.
MxxC
Mar 22 10 at 10:34 am

I work at UC San Diego’s Residential Networking, we do free viral removal for all UCSD affiliates,
here’s our process:

1. Run Hitachi’s Drive Fitness Test (DFT). About 30% of the time, people have failing hard drives
so it’s always best to check before spending a good deal of time manually cleaning a computer
only to find out the work was in vain and the computer has hardware issues. If it fails, we call up
the customer, have them purchase a new hard drive, and reinstall the OS for them using the COA
on the bottom of their laptops, and pull the data from the old hard drive (this is all done with a
fresh copy of Microsoft Security Essentials and the latest service packs on their machine so their
computer isn’t reinfected). If the test passed, we go on.

2. F8 into Safe Mode with Networking
3. Our network runs through a firewalled server with tools we download and run.
4. Run rkill.com to remove any active processes.
5. Run combofix, it sometimes takes more than once to run
6. Check the logs for missed things and manually remove files
7. Run CCleaner to remove any malware hidden in temp folders.
8. Run Autoruns to remove malicious startup entries
9. Run Process Explorer to see if any malicious processes are still running, and if there are any
dll hooks from malicious programs.
10. Install and run Malwarebytes Anti-Malware full
11. Install and run Microsoft Security Essentials.
12. Verify with Autoruns/Process Explorer (to make sure it’s all gone).
13. Update programs with filehippo or ninite.
14. Install the latest service packs.
15. Give the customer a detailed description of how to stay safe and avoid reinfection.

Obviously this is the bare bones of what we do, we add on any necessary registry hacks and
networking fixes on a case-by-case basis.

Hope that helps.
Jonathan Shan
Mar 22 10 at 12:47 pm

Most computer users, including IT professionals, will do whatever they can to not have to reinstall
an operating system. Run anti-virus software, remove the virus. That might fix that problem, but
how can you really be sure?

Once a computer has been compromised, it can NEVER be trusted again, at least not until all
connected hard disks have been wiped and the operating system reinstalled.

It is the clever intruder who installs two pieces of malware, one is obvious to draw your attention,
and one is silently logging your keystrokes.
ZLoether [+15]
Mar 22 10 at 2:06 pm

Funny, I encountered this one yesterday on a fully patched XP system with F-Secure for
Workstations on it. Beats me how it got in.

I solved it by running the Task Manager as another user with administrative rights, killed the .exe
process that the spyware consists of and upgraded the Anti-Virus to include process control,
browsing protection etc. Works fine for the moment but I guess I should check those registry
entries!
shri
Mar 22 10 at 10:56 pm

Yet again, Gina, you’ve proven yourself one of the true superstars of the Internet, social media
and the information age. Rock on.
adventurejason
Mar 23 10 at 3:52 pm
