Windows XP infected with XP Antivirus 2012 popup/spyware

I have a Windows XP client that is infected with the XP Antivirus 2012 spyware/popup. Is there any good removal tool that I can use instead of reinstalling the OS?


Thanks
officertangoAsked:
MINDSUPERBCommented:
The guide on the link below may help as well.

http://www.malwareguides.com/xp-antivirus-2012-virus-removal-guide.html

Ed
jamietonerCommented:
Just removed this from a client's system yesterday. Here's the guide I used.
http://www.bleepingcomputer.com/virus-removal/remove-xp-antivirus-2012
After removing it, run this as well to make sure nothing else has infected the system while it's been compromised.
http://connect.microsoft.com/systemsweeper
evil-insideCommented:
I would suggest using CCLEANER or MalwareBytes.

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

http://www.piriform.com/ccleaner

Both are capable of removing this XP Antivirus from the XP machines.

officertangoAuthor Commented:
I was able to download Spyware Doctor, but when I try to install it, XP Antivirus 2012 stops it. Can I install it in DOS/command line?
jamietonerCommented:
This nasty little program stops .exe's and .com's from running. You need the registry fix from Bleeping Computer to re-enable the use of .exe's, then run RKill to stop the program's processes; then you can install, update and run Malwarebytes to remove the program. However, depending on how long it's been on the system, other trojans may have infected the system; this was the case with the laptop I fixed yesterday. I used the standalone scanner from a USB key to remove that trojan. Then I also had to fix Windows Update, as it had been corrupted by the virus; for that I used this Fix It tool.
http://support.microsoft.com/kb/971058
evil-insideCommented:
Also do the scan and removal process from Safe Mode. It should be more effective in Safe Mode.
FPeritoCommented:
The best way to remove this malware is to scan it using two different AV engines..... I would suggest using Malwarebytes and either AVG or AVAST.....

Reboot the machine in SAFE MODE, run Malwarebytes, reboot the machine into SAFE MODE again, run AVG or AVAST, reboot again, then make another pass with both anti-virus programs...

You should be safe after that....
willcompCommented:
If you want advice from those who have successfully removed this before (including myself), either follow jamietoner's link from Bleeping Computer or use the information in this EE article by younghv. http://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_6550-2012-Malware-Variants.html
☠ MASQ ☠Commented:
DO NOT USE CCleaner ON THIS TYPE OF INFECTION !!!

CCleaner deletes temporary file storage; the malware you have shifts your data into your temporary file system, so if you run CCleaner you will also remove all your data!

There's no need to run the cleanup tools you need in Safe Mode either; if you run RKill or RogueKiller first (see the link in willcomp's post above) they will allow you to run MBAM etc. in normal mode.

Running cleanup in Safe Mode is a method of last resort, as anti-malware tools need to be able to see all processes running (both good and bad) to work correctly.
rpggamergirlCommented:
Follow the suggested guide at Bleepingcomputer to remove XP Antivirus 2012.

You would need to run FixNCR.reg to stop the block, and then RKill or RogueKiller to stop the malicious process before actually running MalwareBytes (do not reboot after running RKill, otherwise the bad processes will start again).

Also run TDSSKiller, in case it comes bundled with a rootkit.
http://support.kaspersky.com/viruses/solutions?qid=208280684


If the problem persists, download ComboFix and post the log for us to check.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe


You need to STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
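The FixNCR.reg step above (and jamietoner's "registry fix from Bleeping Computer") exists because this family of rogues changes the shell file-association keys so that .exe and .com programs no longer launch. The following is an added example, not posted by any participant in this thread and not a tool from the linked guides: a read-only PowerShell audit that compares those keys against the stock Windows default values and lists anything that deviates, so you can see whether the block is in place before and after applying the fix. It assumes PowerShell 2.0 or later on the affected machine and an administrator prompt; it writes nothing to the registry.

```powershell
# Added example, not from any participant in this thread: read-only audit of
# the executable file-association keys that the rogue described above hijacks
# so that .exe/.com programs refuse to run. Reports deviations from the stock
# Windows defaults and writes nothing; repair with the fix from the linked
# guides. Assumes PowerShell 2.0+ and an elevated (administrator) prompt.

# Stock Windows default values for the launch commands. HKCR is the merged
# machine/user view of Software\Classes.
$expectedDefaults = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
    'Registry::HKEY_CLASSES_ROOT\.com'                       = 'comfile'
    'Registry::HKEY_CLASSES_ROOT\comfile\shell\open\command' = '"%1" %*'
    'Registry::HKEY_CLASSES_ROOT\.bat'                       = 'batfile'
    'Registry::HKEY_CLASSES_ROOT\batfile\shell\open\command' = '"%1" %*'
}

# Per-user class keys override HKCR for the logged-on account. A clean XP
# profile normally has none of these for executables, so their presence alone
# is worth a closer look.
$perUserOverrides = @('.exe', 'exefile', '.com', 'comfile', '.bat', 'batfile') |
    ForEach-Object { "Registry::HKEY_CURRENT_USER\Software\Classes\$_" }

function Get-KeyDefaultValue {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # A key's unnamed value is exposed by the registry provider as '(default)'.
    return (Get-ItemProperty -LiteralPath $Path).'(default)'
}

function Test-ExecutableAssociations {
    $findings = @()
    foreach ($path in $expectedDefaults.Keys) {
        $actual = Get-KeyDefaultValue -Path $path
        if ($actual -ne $expectedDefaults[$path]) {
            $shown = '<missing>'
            if ($actual -ne $null) { $shown = $actual }
            $findings += New-Object PSObject -Property @{
                Key      = $path
                Expected = $expectedDefaults[$path]
                Actual   = $shown
            }
        }
    }
    foreach ($path in $perUserOverrides) {
        if (Test-Path -LiteralPath $path) {
            $findings += New-Object PSObject -Property @{
                Key      = $path
                Expected = '<absent>'
                Actual   = 'present: ' + (Get-KeyDefaultValue -Path $path)
            }
        }
    }
    return $findings
}

# Wrap in @() so a single finding or no finding still has a usable .Count.
$results = @(Test-ExecutableAssociations)
if ($results.Count -eq 0) {
    Write-Output 'Executable file associations match the Windows defaults.'
} else {
    Write-Output 'Suspicious file-association entries (compare with FixNCR.reg):'
    $results | Format-Table Key, Expected, Actual -AutoSize
}
```

Run it once before applying FixNCR.reg to confirm the hijack is what is stopping installers, and again afterwards to confirm the defaults are back; if the machine will not start PowerShell at all because of the block, that is itself the symptom the fix addresses, and the guides' RKill step comes first.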

dgjnetCommented:
If you have more than one user account on the PC, I have found it easier to log on with an account that is not infected.

Look in the Local Settings\Application Data\ folder for odd files, and look in the Template folder for odd files. Also, run the scans a couple of times. Malware Bytes has worked the best for me. Safe Mode is great if you can do it that way. I've been removing it remotely, so that hasn't been an option.


Good luck.
younghvCommented:
This is a fairly common chunk of malware and all three of these posts properly address the problem:

http:#a37289607
http:#a37289804
http:#a37289976
LeeTutorretiredCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
Windows XP