windows XP iinfected with XP Antivirus 2012 popup/spyware

I have a windows XP client that is infected with XP Antivirus 2012 spyware/popup. Is there any good removal tool that i can use instead of reinstall OS?

Who is Participating?
Follow the suggested guide at Bleepingcomputer to remove XP-antivirus 20012.

You would need to run FixNCR.reg to stop the block, and then RKill or Roguekiller to stop the malicious process before actually running MalwareBytes(do not reboot after running RKill otherwise the bad processes will start again).

Also run TDSSKiller, in case it comes bundled with rootkit.

If the problem persists, also run combofix and show us the log.
If the problem persists, download ComboFix and post thelog for us to check.

You need to STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Re-enable all the programs that were disabled during the running of ComboFix..

Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
The guide on the link below may help as well.

Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

Just removed this from a clients system yesterday. Here's the guide I used.
After removing it run this aswell to make sure nothing else has infected the system while its be compromised.
I would suggest using  , CCLEANER or MalwareBytes.

Both are capable of removing this XP Antivirus from the XP machines.

officertangoAuthor Commented:
i was able to download the spyware doctore, but when it try to install, the xp antivirus 2012 stops it. can i install in dos/command?
This nasty little programs stops .exe's and .coms from running you need the registry fix from bleeping computers to reenable the use of exe's then run rkill to stop the programs processes then you can install,update and run malware bytes to remove the program. however depending how long its been on the system other trojans may have infected the system, this was the case in the laptop I fixed yesterday. I used the standalone scanner from a usb key to remove that trojon then I also had to fix windows update has it had been corrupted by the virus for that I used this fix it tool.
Also do the scan and removal process from Safe Mode.  Should be more effective in Safe Mode.
the best way to remove this malware is to scan it using two different AV engines.....I would suggest using Malwarebytes and either AVG or AVAST.....

reboot the machine in SAFE MODE, run Malwarebytes, reboot the machine into SAFE MODE again, run AVG or AVAST, reboot again then make another pass on both Anti-Virus programs...

you should be safe after that....
If you want advice from those who have successfully removed this before (including myself), either follow jamietoner's link from Bleeping Computer or use the information in this EE article by younghv.
☠ MASQ ☠Commented:

Ccleaner deletes temporary file storage, the malware you have shifts your data into your temporary file system, if you run Ccleaner you will also remove all your data!

There's no need to run the cleanup tools you need in Safe Mode either, if you run RKill or RogueKiller first (see the link in willcomp's post above) they will allow you to run MBAM etc in normal mode.

Running cleanup in Safe Mode is a method of last resort as anti-malware tools need to be able to see all processes running (both good and bad) to work correctly.
If you have more than one user account on the PC, I have found it easier to logon with an account that is not infected.

Look in the Local Settings\Application Data\ folder for odd files, look in the Template folder for odd files.  Also, run the scans a couple of times.  Malware Bytes has worked the best for me.  Safe Mode is gresat if you can do it that way.  I've been removing it remotely, so that hasn't been an option.

Good luck.
This is a fairly common chunk of malware and all three of these posts properly address the problem:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.