How to Remove XP AntiSpyware

March 21, 2010


It's been awhile since I've had to deal with a malware-laden PC, but my long streak of luck ran out this weekend when a family friend--who describes himself as computer illiterate--called. "Every time I try to do anything on the computer," he told me, "I get a message saying it's infected, and I have to pay $69 to clean it, but I tried to do that and I couldn't." He couldn't even navigate to the Mozilla site to download Firefox; Internet Explorer was completely hijacked.

So, armed with a thumbdrive loaded with Firefox and AdAware installation files, I headed over there to take a look. Here's what I found:

  • The Norton AV trial subscription that came with Windows XP had expired and stopped protecting the machine, which was connected directly to my friend's broadband ISP with Windows Firewall turned off.
  • Windows XP hadn't been updated since before SP2 had come out, because a friend of my friend told him not to trust any automatic updates. Because they might be spyware.
  • Rogue software called XP AntiSpyware had taken over the machine.

AntiSpyware XP was the problem that prompted my friend to call, and it was the most hostile, insidious, and difficult-to-kill malware I've ever seen. It looked completely authentic and felt impossible to stop. Masquerading as a spyware killer itself, in the system tray, its icon was an almost perfect replica of the Windows Security Center icon. When you tried to visit a web site in Internet Explorer or do much of anything, XP AntiSpyware launched, and its window looked just like Windows Security Center. Once launched, it would start scanning your PC automatically, and tell you, in alarming red pop-ups, that dozens of files were infected and that you should delete them. There was no quit, there was no uninstallation available in Add/Remove Programs, and all the program's options in its Settings area were grayed out/disabled. If you tried to run the real Windows Security Center or a program like AdAware, AntiSpyware would show up instead and start scanning again. If you tried to launch the Windows Task Manager (with Ctrl+Alt+Del), a message came up saying your computer administrator had disabled it--even though I was logged on as an administrator. There was no way to tell what startup entry the program was in msconfig, and when I restarted Windows in Safe Mode (F8 during boot) and tried to launch AdAware, this software started instead.

What a mess.

To fix it, I installed Chrome (which came bundled with AdAware). While AdAware itself wouldn't launch, Chrome thankfully would, and after some Googling, I found this lifesaving article, which describes what "XP AntiSpyware" really is:

During installation, XP AntiSpyware 2010 (XP Antivirus Pro 2010) will configure itself to run automatically every time when you run any program that have “exe” extension (99% of Windows applications). The rogue also uses this method of running to block the ability to run any programs, including antivirus and antispyware applications.

When XP AntiSpyware 2010 (XP Antivirus Pro 2010) is started, it will perform a system scan and detect a large amount of infections. All of these infections are fake, so you can safely ignore them. What is more, while the rogue is running, it will display various fake security warning and notifications from Windows task bar that have “Spyware infection has been found” or “Tracking software found” header. However, all of these alerts are fake and like false scan results should be ignored.

Last but not least, XP AntiSpyware 2010 (XP Antivirus Pro 2010) will hijack Internet Explorer and Firefox and display fake warnings when you opening a web site.

The solution was two-fold: first, you had to do a manual registry edit that stopped the program from starting in place of AdAware or any other spyware scanner. The lifesaving article had the registry fix-it entries, which I will reprint here for posterity.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

Here's what I did: I backed up the Windows registry, copied this text into Notepad, saved the file as fixme.reg, double-clicked it to apply the changes, and restarted Windows. Only then did I get the first sign of progress: once the registry was fixed, Internet Explorer was actually able to load web pages. Sweet.

Second, you had install a real spyware killer to kill XP AntiSpyware. (Imagine me trying to explain this to my computer illiterate friend. By now his eyes were glazed over.) Microsoft Security Essentials didn't detect it. At the article's suggestion, I installed Malwarebytes Anti-Malware and scanned away, cleaning off everything it found, including AntiSpyware.

From there the machine was usable, but still not ready for primetime. I ran Windows Update and got the machine Service Pack 3 and all the updates beyond that. (That alone was an hour and a half of progress bars and restarts. Did I mention this was a slow, year-and-a-half old HP PC from Costco?) I turned on Windows Firewall, and set up Microsoft Security Essentials. I uninstalled Norton AV to get rid of its nagging pop-ups, and because my friend said that Windows was slow to start up, I ran msconfig and unchecked the stuff he didn't need to start up automatically (Java, Quicktime, and some other annoying "helper" apps). When I was done, the machine was speedier, usable, and not littered with both legit and malicious system tray pop-ups about infected files and software updates.

If I had more time, I would have formatted the hard drive and reinstalled Windows from scratch, and then installed a hardware router with a firewall on it between the computer and his cable modem. At any rate, I advised my friend to change all of his passwords before he did anything else on the machine.

Then, I tried to explain to him that some notifications and updates (like Windows Updates) are good and needed and he should get them, and others are malware trying to get his money (like Antispyware XP). But how does someone like him know the difference?

If you're dealing with a malware situation and simply installing a spyware cleaner like AdAware ain't working, you may have to Google the specific problem you're having, like I did. Otherwise, check out my published-in-2006-but-still-holds-up article on cleaning your computer illiterate relatives' and friends' PCs, How to fix Mom and Dad's computer.

UPDATE: I should point out that the screenshot included in this post is NOT from the machine I cleaned, and it looks slightly different. My guy's PC must have had a different version of AntiSpyware, which seems to exist in many incarnations. However, if you click on the screenshot above you'll see a pretty funny typo--"Protect your Widows PC."

There’s a few linux based live cd’s that will boot into a stripped down linux and let you run clamav on an infected machine. Check out
http://www.volatileminds.net/opendiagnostics/index.php/OpenDiagnostics_Live_CD

Linux live cd’s that contain clamav are a great way to try to get nasty malware that make it tough to work with the machine when in windows.

I have ran into that one a few times at work. It is a nasty one. It is the only one I have ran into that I have had to have the computer shipped to me to fix. I was completely unable to repair this remotely.

Jeremy Townsend [+2]
Mar 21 10 at 4:35 pm

You, Gina, are a saint. You are doing God’s Work (as Jeff would say). Many people are REAL people, and you just rescued another one. It may be frustrating, but it is the right thing to do.

You’re Awesome,
Lance

Lance Rulau
Mar 21 10 at 4:37 pm

Gina?

Sounds like you’ve 100% qualified for this Nerd Merit Badge!

Of course, that is, unless you already have it.

Thanks posting this recap – it’s always interesting to see how others go about this kind of stuff!

mrhaydel [+7]
Mar 21 10 at 4:40 pm

I second Chad’s comment. I used ClamAV a few days ago to get ride of this from a neighbor’s computer a few days ago. It worked great the first time. I also took this a step further to prepare for next time installed Trinity Rescue Kit (TRK) on a pen drive. TRK has several free AV tools including ClamAV and AVG.

Troy Peterson
Mar 21 10 at 4:40 pm

I had a similar experience a few weeks ago while trying to remove some malware called Personal Security [see this Bleepingcomputer article] from a friend’s PC. I ended up booting the machine from the UBCD4WIN live CD and deleting the program files that made up the malware.

Once that was done, I was able to restart the machine normally and install and run Malwarebytes to complete the cleanup. I’m sure that if I’d had more time, I would have been able to figure out how to edit the Windows registry from a Linux live CD — but, any port in a storm.

geekman
Mar 21 10 at 4:46 pm

Hi Gina, I had the same exact problem a few weeks ago with a friend’s laptop.
I didn’t bother trying to remove the malware though: I just backed up what I could and reinstalled Windows reformatting the HD.
Is there a moral here? Switch to a Mac…

rujero
Mar 21 10 at 4:54 pm

Gina, I had exactly this same issue why my in-laws. The issue was essentially behavioral: my FIL was a fanatic about clicking pop-ups that claimed he was at risk of spyware, so he was constantly getting these nasty fake antimalware programs, like the XP Antispyware. While I did manage to install a wireless router (for me during visits) with hardware firewall, it had little impact.

After the last time doing this, I backed up their photos, make a record of their sites etc. And then I went to the Apple store and bought then an iMac. Loaded all their photos and other bits, showed them how to do things in MacOSX, and left them to it. As far as I know, my FIL still clicks and downloads all the fake antimalware, but of course none of it works in MacOSX. I have not had to do any work on their PC since the Mac, a change from several times a year with their Dell.

I am safe until this stuff starts getting created for Mac I suppose.

cmason
Mar 21 10 at 5:17 pm

Gina, sorry to tell you but this actually a very old infection,there is actually Antispyware 2010, yes they actually increment the versions to appear more legitimate. But this one was one of the first of what became a whole generation of such infections (most security programs detect them as fake_alert). Unfortunately they all use the familiar windows interface to trick users in to installing their product, then they deliver the infection payload that vareis. They use built in windows policies to prevent access to task manager, windows update, registry editors, sometimes even the control panel all together, all this with a goal to prevent removal. Frequently infection will also modify permissions for the registry and infected files so that they can’t be found and removed.

I noticed that you turned off Java Updates in msconfig. Security exploits in Java are commonly path by which these infections get in. Another one is Acrobat Reader. While constant update reminders are annoying, having the updated Java, much like windows is a very important step in making sure that this doesn’t happen again. Next time you talk to Leo ask him about this, him and Steve Gibson frequently discuss Java and Acrobat “remote code execution exploits” on Security Now…

Also, switching to Mac is not a solution, its only a way to ignore the problem… its only matter of time before we start seeing the same type of infections for Macs and more popular they get the larger target they become…. Just be careful where you go and if doubt use Google:

http://www.google.com/safebrowsing/diagnostic?site=smarterware.org

boris
Mar 21 10 at 5:48 pm

Ahh, I have had the privilege of fixing this spyware many times over. I use a program called Combofix to stop it and remove most of it then I use Malwarebytes and Superantispyware to remove the rest of it.

We probably clean this one out once a week as our business is computer repair.

dweebsonduty
Mar 21 10 at 6:16 pm

Strange that Microsoft Security Essentials didn’t detect it for you. I treated my uncle’s computer with this problem via Crossloop a couple of weeks ago and simply transferred the Microsoft Security Essentials installer through Windows Live Messenger file transfer. Ran it, installed it, and the spyware was gone.

Ted Avery [+13]
Mar 21 10 at 8:03 pm

“when I restarted Windows in Safe Mode (F8 during boot) and tried to launch AdAware, this software started instead.”

Wow… That’s insane. At that point I probably would have just reinstalled Windows and tried to salvage any files that my friend needed.

AJ West
Mar 21 10 at 9:25 pm

Good on you for saving the day, though like you, I find that explaining the difference between legitimate and false popups is surprisingly difficult.

And personally, if it’s looking like a case of multiple malware infection, I’d grab DrWeb LiveCD or Avira’s Antivir Rescue System – both live CDs so that you don’t even boot the infected Windows.

stephenhau [+1]
Mar 22 10 at 1:36 am

I just removed this from a PC last week. Yeah, a nasty piece of work indeed. Wanted to flatten it and do a re-installation, but they wanted their data retained. Not the most agile user, but I demoted her account to standard, and will have to hope she doesn’t re-acquire.

Nathaniel Kabal [+3]
Mar 22 10 at 1:52 am

Is it only me or am I a bit paranoid, but I wouldn’t trust a computer with no updates since SP2 with firewall off for that long.

I would copy data, destroy partition and start over re-installing Windows and everything else.

From my experience anti-viruses are great to prevent incoming viruses, but once the virus/trojan/malware is in, I would not trust just one AV to find everything and be able to remove.

Once a computer has been open season for a while, I can’t help but feel like I can’t trust it anymore.

Alain Donais
Mar 22 10 at 4:38 am

Did you have any issues with the user being renamed to “SAM”? I did when I had to clear this off a friend’s computer, and I still don’t think I can remove that user….

joec
Mar 22 10 at 6:07 am

@boris … while in theory I agree with you, I have been hearing that same logic for the last ten years. I haven’t had to do that kind of scanning after I switched. Sure, the mac isn’t for everyone, but after I switched my family over, my holidays with them have been way more peaceful and headache free.

rtfmplease
Mar 22 10 at 7:15 am

I ran into this a few weeks ago on my sister-in-law’s computer. Definitely a pain in the butt. The whole official looking pop-up window fooled me. I got tired after an hour of dealing with all the programs being hijacked so ended up reinstalling Windows. Though I did first use a Live Ubuntu CD, which was really nice, to get access to the drive and backup the data before reinstalling. I wish I did more googling at the time now.

trivialm
Mar 22 10 at 7:24 am

I deal with this b@stard of a program on a weekly basis (for work). Depending on how many times I’ve done it that week I’ll do a variety of these two methods. FYI, these methods are for workstations on a domain.

1. Run legit antivirus w/ antispyware from the server on the infected machine. (Doesn’t always work)

2. Log in as a new user, one that has never logged on to that machine before. Let the profile build, but before it is finished loading, right click the taskbar and load up Task Manager. Once you have that running, you have control of the Antispyware application and can run whatever apps/services you need to in order to regain control of the workstation. No registry editing is needed.

Gene Miller
Mar 22 10 at 8:05 am

Hey Gina, nice work.

I’ve been using the Malware Removal Guide from the forums at Majorgeeks.com for over five years. It’s updated regularly.

Of course, I hope you never have to use it. But, who are we kidding? :)

Bryan Villarin
Mar 22 10 at 9:41 am

Interestingly enough today i had to clean up another computer infected with one of those Fake Anti-virus and i had very good luck with McAfee’s Stinger tool http://fileforum.betanews.com/detail/McAfee-FakeAlert-Stinger/1269012477/1
They just released a new version specifically targeting those fake anti-virus apps.

MxxC
Mar 22 10 at 10:34 am

I work at UC San Diego’s Residential Networking, we do free viral removal for all UCSD affiliates, here’s our process:

1. Run Hitachi’s Drive Fitness Test (DFT). About 30% of the time, people have failing hard drives so it’s always best to check before spending a good deal of time manually cleaning a computer only to find out the work was in vain and the computer has hardware issues. If it fails, we call up the customer, have them purchase a new hard drive, and reinstall the OS for them using the COA on the bottom of their laptops, and pull the data from the old hard drive (this is all done with a fresh copy of Microsoft Security Essentials and the latest service packs on their machine so their computer isn’t reinfected.. If the test passed, we go on.

2. F8 into Safe Mode with Networking
3. Our network runs through a firewalled server with tools we download and run.
4. Run rkill.com to remove any active processes.
5. Run combofix, it sometimes takes more than once to run
6. Check the logs for missed things and manually remove files
7. Run CCleaner to remove any malware hidden in temp folders.
8. Run Autoruns to remove malicious startup entries
9. Run Process Explorer to see if any malicious processes are still running, and if there are any dll hooks from malicious programs.
10. Install and run Malwarebytes Anti-Malware full
11. Install and run Microsoft Security Essentials.
12. Verify with Autoruns/process explorer (to make sure its all gone).
13. Update programs with filehippo or ninite.
14. Install the latest service packs.
15. Give the customer a detailed description of how to stay safe and avoid reinfection.

Obviously this is the bare bones of what we do, we add on any necessary registry hacks and networking fixes on a case-by-case basis.

Hope that helps.

Jonathan Shan
Mar 22 10 at 12:47 pm

Most computer users, including IT professionals, will do whatever they can to not have to reinstall an operating system. Run anti-virus software, remove the virus. That might fix that problem, but how can you really be sure?

Once a computer it has been comprised, it can NEVER be trusted again, at least not until all connected hard disks have been wiped and the operating system reinstalled.

It is the clever intruder who installs two pieces of malware, one is obvious to draw your attention, and one is silently logging your keystrokes.

ZLoether [+17]
Mar 22 10 at 2:06 pm

Funny, I encountered this one yesterday on a fully patched XP system with F-Secure for Workstations on it. Beats me how it got in.

I solved it by running the Taskmanager as another user with administrative rights, killed the .exe proccess that the spyware consists of and upgraded the Anti-Virus to include proccess control, browsing protection etc. Works fine for the moment but I guess I should check those registry entries!

shri
Mar 22 10 at 10:56 pm

Yet again, Gina, you’ve proven yourself one of the true superstars of the Internet, social media and the information age. Rock on.

adventurejason
Mar 23 10 at 3:52 pm

Great timing Gina, this article helped saved my father-in-law to be, computer. Seriously, this is huge, it helped me completely turn everything around. Some similar issues in both our situations. All is well for now. :)

Gina, great story and reminder to all of us. I do light office work and some computer nerd duties at a small screen printing company when they need a little extra help. I went in one day and there was a new anti-virus on the computer asking to be updated. Since I had installed the anti-virus, and anti-malware software on the computer it totally confused me and stopped me from clicking the “OK” button. I asked the business owner if he had installed a new anti-virus and he told me “no”. Like the rogue program on your friend’s computer It too would pop up a screen with a false list of problems after a “scan”. The more I tried to clean it out using my old tried and true methods, the worse the computer ran until it was completely unusable. I booted into safe mode, found and removed the executable, then I was able to reboot and download Malwarebytes. It cleaned the computer of any remaining traces of the rogue anti-virus. It was a truly frustrating, yet satisfying experience.

I was unable to find out how the rogue program made it on the computer, it was running Windows firewall, AVG, and Spybot S&D. My only guess is somebody was visiting porn sites.

I contacted their customer service to remove this from my computer and they emailed me to set my calendar ahead 8 days, then in 8 days to reset my calendar correctly. Supposedly the program expire and delete itself after 8 days. The other options were to not use your computer for 8 days or download one of their programs for removal ???? Yeah…right!! I have not tried this because of already going through the process of stripping my computer with the original software and restoring this way. Next time I will try the above method first, I have run across this program before and been able to get rid of it more easily than in this instance.

gmf
Apr 4 10 at 3:44 am

HELP!
Do you know anyone who actually fell for this scam and bought the Antispyware protection?? thats what my mother did and she paid 80 dollars with her credit card!
Will she get her identity stolen? We just called the bank what else can we do to prevent this??

I too am wondering if anyone knows of what happens after someone falls for this and pays the $70. I will be using the hints here to help a friend friend tomorrow to remove this. They paid the money and even spoke with someone from “customer support”. I will update here after I go through the process and am not on my phone.

philmiller
Apr 14 10 at 6:01 pm

Do *not* pay for this, especially with a credit card. For those folks who have already done so, it probably wouldn’t be a bad idea to cancel those cards. (See link below.)

To safely get rid of such crap, there is lots of very good, effective advice, this site included. Cry for help — use a friend’s computer or go to the public library if you have to — and you’ll get it.

Things can get worse:
http://news.bbc.co.uk/1/hi/technology/8622665.stm

Keep up the good fight, Gina et al!

lgforbes
Apr 18 10 at 8:47 am


Comments are closed. Thanks for reading!