

Help to remove XP Antispyware 2011

Medium Priority
Last Modified: 2012-08-13
I have now three computers that are infected at three different customers of mine.

So far I have not been successful to find anything to remove XP Antispyware 2011.

I tried SpyHunter, recommended here: http://www.wiki-security.com/wiki/Parasite/XPAntispyware2011, but it does not work.

Tried this link to manually remove XP Antispyware 2011, and I can't find the files that it suggests removing.

I have not tried the tool on the above site as I'm not sure if it is safe.

Does anyone have a suggestion on how to remove XP Antispyware 2011?

Two sites are protected by Trend WFBS and one is protected by Apanda. All three sites have an Untangle firewall installed with the paid subscription, and somehow XP Antispyware 2011 made it into the network.

Use Task Manager (Ctrl-Shift-Esc) to find the process that looks odd (a bunch of letters, such as 'xdflksrifj.exe'), then stop this process. Find this file and delete it. Also, delete the AntiSpyware folder created on your drive. Lastly, clear out your Temp files (I use the free app SpybotSD, with a lot of success, from http://safer-networking.org to do this and clear spyware).

I tend to go at these manually, boot into Safe Mode and use sysinternals autoruns.exe to list startup items where you can usually find the offending item, deselect it from running and go delete the files and/or folders still in safe mode.

Some of these programs are evident as desktop shortcuts, icons on the start menu or folders in Program Files which makes it easier. Otherwise you'll be looking in Temp files and Program Data and the like for the guilty party.

Once you stop the malware from starting up you can reboot and use the usual tools to check there are no other problems.


There is no XP Antispyware 2011 folder that I can find on the drive.
Nothing under Processes that looks like a file with a bunch of letters.

The one computer is completely hijacked... I can't open any programs or download anything.
Top Expert 2011

Here are some instructions to remove this malware infection...


It does involve downloading and running Malwarebytes amongst other tools.
Author of the Year 2011
Top Expert 2006

Download the tools you need to a clean computer and burn them to CD or USB stick.

Follow the instructions "yobri" linked to and review the details in this EE Article:

https://www.experts-exchange.com/A_4922.html (Rogue-Killer-What-a-great-name)

When your system gets hijacked to the point where you can't do basic functions, you need something that will stop the "Rogue" processes.

RogueKiller, Rkill or TheKiller will all perform that function.

About TheKiller
• Download TheKiller to your Desktop
• Note that TheKiller is renamed as explorer.exe
• Run it by double click
• Press OK button after program finish
• Do not restart your system after this step, but immediately run the next scan: MalwareBytes, TDSSKiller - and post the logs that are generated.

We may ask you to run HitmanPro and Combofix also.
Top Expert 2007

Use TheKiller to kill processes before running other apps. Download the tools using another PC.

I wouldn't recommend HitmanPro at the moment.... Combofix as already suggested is a better choice.
Just run it once and attach the log.

Please download ComboFix by sUBs:

Download and run it from your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts. Only run ComboFix once.

When finished, it will produce a log. Please save that log and attach it in your next reply.
Re-enable all the programs that were disabled during the running of ComboFix.

Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If needed, here's the Combofix tutorial which includes the installation of the Recovery Console:

One suggestion I did not see was to get one of the infected drives, remove it from the system, and slave it to a good system. Then you can scan it using malwarebytes or similar software.

After doing the initial scan and "stopping the bleeding" as younghv would say, then you can try putting the drive back in the original system and booting from a CD or flash drive. Finally, you will need to boot from the hard drive and run a malwarebytes scan to clean out the registry.
Author of the Year 2011
Top Expert 2006

The reason you won't see that "Slave" recommendation here is that modifying/deleting files while the Windows OS is not running CAN create an unbootable system.

It may be one of those 'kitchen sink' things we all try when nothing else works, but this is a very well-known chunk of malware and the Asker has been given the step-by-step instructions for effecting the repair.

Thanks. I've had a lot of success using the "slave" option and never created an unbootable HDD yet, but I'm always looking for best practices. I'll put those steps in my notes and use them next time.

Can you not open programs in Safe Mode?
Author of the Year 2011
Top Expert 2006

There is no need for "Safe Mode" to be used in repairing this infection - and there almost never is.

The tools designed to fix these problems are all developed to be run in "Normal Mode".
Author of the Year 2011
Top Expert 2006

The method you describe did not "do the trick".
The reason Internet Explorer did not work is because "SpyBot" cannot repair this infection.

You were given the exact instructions for how to correct this situation and - for whatever reason - you decided to ignore the Experts telling you the proper way to address this.

I don't object to your closing this out, but future readers should understand clearly that UBCDWIN4 and Spybot SD are not the solution to be used.


Well, it did work for me. I already had 2 computers infected and both are OK now. Spybot even listed the malware as Antispyware 2011.
To use the UBCDWIN4 was recommended to me in another forum.

All I was looking for is an easy way to fix this.

My question is... how do you know that UBCDWIN4 with SpyBot cannot fix XP Antispyware 2011?

Have you tried it without success?
Author of the Year 2011
Top Expert 2006

You and anyone else using "Boot CDs" are one system file modification away from having an unbootable computer.

No one should be using them unless all other efforts have failed.

As far as how do I know it didn't work?
Simple - it is in your own closing comment:

"After that I had to delete the user profile because Internet Explorer did not work anymore.
I created a new profile. No more pop ups after that."

If you had properly repaired the infection (as instructed here):

1. Internet Explorer would have worked;
2. You would not have had to delete the old profile; and
3. You would not have had to create a new profile.

I have no way of knowing what "other" forum you are relying on, but the advice you're getting is not at the level you will get here on EE.

And one more thing - the director of research at SpyBot contacted me a couple of months ago and offered me some special incentives if I would start using (and recommending) SpyBot.

I posed some very simple questions for him about how SpyBot works compared to Malwarebytes and he (and the President of SpyBot) never responded.

Anyone who thinks SpyBot is in the same class as Malwarebytes simply doesn't know what they're talking about.


What is your affiliation to Malwarebytes?

I have had great success with Boot CDs before and I will continue to use them.

And if you can prove to me that SpyBot does not work I will consider it. I'm asking you to try it and not base it on another source...

As far as having an unbootable PC, I can fix that with the Windows repair option from the install CD, which I have already done numerous times.
Author of the Year 2011
Top Expert 2006

I have no affiliation of any kind with Malwarebytes - or any other developer.
My only goal here is to provide the best advice I can for members of Experts-Exchange.

You obviously have your own way of doing things, so I will go my own way and you can go yours.


@younghv The author wrote "I can't open any programs or download anything",

so I suggested Safe Mode to get to a point where tools could be run in normal mode.

See you next tuesday.
Top Expert 2007

"To use the UBCDWIN4 was recomended to me in another forum"

Actually, there isn't any reputable help-support forum that would actually suggest that unless it's the last option.

I concur with younghv, the simplest way to remove this infection would've been what's stated in Bleepingcomputer's 'name-changing' rogue tutorial.
Every malware expert, malware analyst and anti-malware developer will advise cleaning infected PCs within Windows and in normal mode, as tools these days are optimized to run from normal mode.
BootCDs are only suggested when all options have been exhausted, usually when the PC can no longer boot.

The infection may have been neutralized and the symptoms gone but that doesn't necessarily mean the system is clean. The fact that IE wasn't working properly afterwards proves that Spybot wasn't successful in completely cleaning the infection as younghv mentioned.

I guess you're accustomed to using a BootCD in removing viruses... that way you don't have to know what kind of infections you're dealing with, and with the downside of making the PC unbootable you already have plan B to implement. That may be the long way home and more risky, but if it works for you then good luck.


Solve it with UBCDWIN4