
How to remove XP Security Tool 2010

XP Security Tool 2010 (also called XP Security Tool) is an updated version of the earlier XP Internet Security 2010, a rogue antispyware program. The two programs are identical except for their names and partially modified executable files, a change made so that they remain undetected by legitimate antispyware and antivirus applications. As before, this malware uses trojans to install itself. When the trojan is started, it will download and install XP Security Tool 2010 onto your computer without your permission and knowledge.

During installation, XP Security Tool 2010 configures itself to run automatically every time you start an application (a file with the “exe” extension). The rogue also uses this method to block other programs from running, including security applications.

Immediately after launch, XP Security Tool 2010 will start scanning your computer and report numerous infections that will not be fixed unless you first purchase the software. It is important to know that all of these infections are fake and do not actually exist on your computer. What is more, the rogue will also hijack Internet Explorer and Firefox and display fake warnings when you open a web site.

As you can see, XP Security Tool 2010 is a scam and should be removed from your computer upon detection. Do not be fooled into buying the program! Instead of doing so, follow the removal guidelines below in order to remove XP Security Tool 2010 and any associated malware from your computer for free.

Use the following instructions to remove XP Security Tool 2010 (Uninstall instructions)

Step 1. Repair “running of .exe files”.

Method 1

Click Start, Run. Type command and press Enter. Type notepad and press Enter.
Notepad opens. Copy all the text below into Notepad.

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad).
Double-click fix.reg and click Yes to confirm.
Reboot your computer.

Method 2

Click Start, Run. Type command and press Enter. Type notepad and press Enter.
Notepad opens. Copy all the text below into Notepad.

[Version]
Signature="$Chicago$"
Provider=Myantispyware.com

[DefaultInstall]
DelReg=regsec
AddReg=regsec1

[regsec]
HKCU, Software\Classes\.exe
HKCU, Software\Classes\secfile
HKCR, secfile
HKCR, .exe\shell\open\command

[regsec1]
HKCR, exefile\shell\open\command,,,"""%1"" %*"
HKCR, .exe,,,"exefile"
HKCR, .exe,"Content Type",,"application/x-msdownload"

Save this as fix.inf to your Desktop (remember to select Save as file type: All files in Notepad).
Right-click fix.inf and select Install. Reboot your computer.

Step 2. Remove XP Security Tool 2010 associated malware.

Download MalwareBytes Anti-malware (MBAM). Once downloaded, close all programs and windows on your computer.

Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MalwareBytes Anti-malware onto your computer. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to “Update Malwarebytes’ Anti-Malware” and “Launch Malwarebytes’ Anti-Malware”. Then click Finish.

MalwareBytes Anti-malware will now automatically start and you will see a message stating that you should update the program before performing a scan. If an update is found, it will download and install the latest version.

As MalwareBytes Anti-malware will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main menu. You will see a window similar to the one below.

Malwarebytes Anti-Malware Window

Make sure the “Perform quick scan” option is selected and then click on the Scan button to start scanning your computer for XP Security Tool 2010 infection. This procedure can take some time, so please be patient.

When the scan is finished, a message box will appear saying that it has completed scanning successfully. Click OK. Now click “Show Results”. You will see a list of infected items similar to the one shown below.
Note: the list of infected items may be different from what is shown in the image below.

Malwarebytes Anti-malware, list of infected items

Make sure all entries have a checkmark at their far left and click the “Remove Selected” button to remove XP Security Tool 2010. MalwareBytes Anti-malware will now remove all files and registry keys associated with XP Security Tool 2010 and add them to the program’s quarantine. When MalwareBytes Anti-malware has finished removing the infection, a log will open in Notepad and you may be prompted to restart.

Note: if you need help with the instructions, then post your questions in our Spyware Removal forum.

XP Security Tool 2010 creates the following files and folders

%AppData%\ave.exe

XP Security Tool 2010 creates the following registry keys and values

HKEY_CURRENT_USER\Software\Classes\.exe
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\.exe\shell
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
HKEY_CURRENT_USER\Software\Classes\secfile
HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\secfile\shell
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command | @ = ""%AppData%\ave.exe" /START "%1" %*"
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command | IsolatedCommand = ""%1" %*"
HKEY_CURRENT_USER\Software\Classes\.exe | @ = "secfile"
HKEY_CURRENT_USER\Software\Classes\.exe | Content Type = "application/x-msdownload"
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command | @ = ""%AppData%\ave.exe" /START "%1" %*"
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command | IsolatedCommand = ""%1" %*"
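
The check below is an added example, not part of the original guide or of any tool it mentions: it parses a registry export in .reg text format and resolves the .exe handler the way the merged HKEY_CLASSES_ROOT view does (per-user values win over machine-wide ones), flagging the hijack listed above. The sample export is constructed from the values on this page, and all function names are this example's own.

```python
import re

# Constructed sample: a regedit text export holding the per-user values this
# page lists for the rogue, next to the machine-wide defaults the fix restores.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"
"Content Type"="application/x-msdownload"

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"%AppData%\\ave.exe\" /START \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"%AppData%\\ave.exe\" /START \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
'''

HKCU = 'hkey_current_user\\software\\classes\\'
HKLM = 'hkey_local_machine\\software\\classes\\'
EXPECTED_PROGID = 'exefile'
EXPECTED_COMMAND = '"%1" %*'

KEY_RE = re.compile(r'^\[([^\]-][^\]]*)\]$')
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(text):
    # .reg strings escape quotes and backslashes with a leading backslash.
    return re.sub(r'\\(.)', r'\1', text)


def parse_reg(text):
    """Parse .reg text into {key path: {value name: string data}}.

    Paths and names are lower-cased (the registry is case-insensitive); the
    default value is stored under ''. Only string (REG_SZ) values are kept.
    """
    hive, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('['):
            match = KEY_RE.match(line)
            # "[-key]" lines are deletions in a .reg script, not data.
            current = hive.setdefault(match.group(1).lower(), {}) if match else None
            continue
        match = VALUE_RE.match(line)
        if not match or current is None:
            continue
        name, data = match.group(1) or '', match.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            current[_unescape(name).lower()] = _unescape(data[1:-1])
    return hive


def lookup(hive, subkey, name=''):
    """Read a value as the merged HKEY_CLASSES_ROOT view resolves it:
    the per-user key (HKCU) wins over the machine key (HKLM)."""
    for root, label in ((HKCU, 'HKCU'), (HKLM, 'HKLM')):
        values = hive.get(root + subkey.lower(), {})
        if name in values:
            return values[name], label
    return None, None


def audit_exe_association(hive):
    """Report the effective .exe handler and why it looks hijacked, if it does."""
    reasons = []
    progid, progid_src = lookup(hive, '.exe')
    if progid is None:
        reasons.append('.exe has no default value (no ProgID)')
    elif progid.lower() != EXPECTED_PROGID:
        reasons.append('.exe maps to ProgID %r from %s' % (progid, progid_src))
    # The page lists a rogue command under the extension key as well as under
    # the ProgID, so both locations are checked.
    command, command_src = None, None
    for subkey in ('.exe', progid or EXPECTED_PROGID):
        value, src = lookup(hive, subkey + '\\shell\\open\\command')
        if value is None:
            continue
        command, command_src = value, src
        if value != EXPECTED_COMMAND:
            reasons.append('%s open command is %r (%s)' % (subkey, value, src))
    return {'progid': progid, 'progid_source': progid_src,
            'command': command, 'command_source': command_src,
            'hijacked': bool(reasons), 'reasons': reasons}


if __name__ == '__main__':
    report = audit_exe_association(parse_reg(SAMPLE_EXPORT))
    print('hijacked:', report['hijacked'])
    for reason in report['reasons']:
        print(' -', reason)
```

Text exports written by regedit are normally UTF-16, so decode the file (for example with encoding='utf-16') before passing its contents to parse_reg.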

March 16, 2010 on 2:11 pm | In Malware removal, Rogue Anti Spyware | 170 Comments |


170 Comments »


  1. Thanks a lot! Just caught the problem today and your post couldn’t have come at a better time.

    Comment by Adict — March 17, 2010 #

  2. And it works! Thank you.

    Comment by Dmitry — March 18, 2010 #

  3. it works great….same as “dmitry” it worked just when i needed.coooool…..

    Comment by bestarticleworld — March 20, 2010 #

  4. I created the fix.reg as above. When I try to run it, seems it doesn’t execute. I do not get any Yes/NO or confirmation prompt. Malwarebytes too is not getting installed.

    I have Windows XP Security Tool 2010 seems to block both fix.reg and Malwarebytes.

    Please help. I also tried SDFix but that too didn’t work. Once the runthis.bat file is run, the blue screen stating checking files….appears. But after some time the blue screen of SDFix disappears and nothing happens in spite of waiting for about 30 mins.

    I have Win XP SP2. And my computer got infected on 19th March 2010.

    Thanks for reading,
    Jignesh

    Comment by Jignesh — March 20, 2010 #

  5. Jignesh, use method 2 of first step.

    Comment by Patrik — March 20, 2010 #

  6. I do not get any response when i type command or cmd into the run box. My pointer looks like it is thinking, and then nothing pops up. Is there another way to get to the hkeys to remove them?

    Thanks,

    Comment by joel — March 20, 2010 #

  7. Joel, Click Start, Run, type notepad and press Enter. Notepad opens. Then follow the steps above.

    Comment by Patrik — March 21, 2010 #

  8. I had this problem on an XP SP3 comp at work (I do a bit of IT). I couldn’t get MBAM to run by double-clicking it. I had to right click on it and then click “Start” to get it to work. TY for the instructions, though. It’s good to know ahead that MBAM can cut it.

    Comment by Dantheman — March 22, 2010 #

  9. When i tried method 2 on step 1, the prompt said \windows cannot open this file\

    It then directed me to browse the programs to open the file

    also, method 1 did not work as it said my cpu required binary script

    any help would be appreciated

    Comment by JB — March 25, 2010 #

  10. JB, try method 1 once again. but in the Save dialog check twice: File type: All Files; File encoding: ANSI.

    Comment by Patrik — March 26, 2010 #

  11. Same problem, XP security tool keeps running and will not let me on Internet. Done the first method and still no joy, every time I click Internet Explorer the security tool firewall pops up and then says I’m working offline and runs a scan!!! Any ideas, driving me crazy

    Comment by Kelly — March 26, 2010 #

  12. Kelly, follow the first step instructions, then (don`t reboot your computer) click Start, Run, type regedit and press Enter.
    Registry editor opens.
    Navigate in the left panel to HKEY_LOCAL_MACHINE \ SOFTWARE \ Clients \ StartMenuInternet \ IEXPLORE.EXE \ shell \ open \ command

    In the right part of the window, double-click “@”. You will see a screen with the contents like below: “C:\Documents and Settings\user\Local Settings\Application Data\av.exe” /START “C:\Program Files\Internet Explorer\iexplore.exe”
    Remove left part, leave only “C:\Program Files\Internet Explorer\iexplore.exe”.

    Reboot your PC, then go to step 2.

    Comment by Patrik — March 26, 2010 #

  13. they’ve basically killed all of these workarounds. cant access system restore, task manager, regedit. EVEN IN SAFE MODE. anti malware and spydoctor programs won’t run. i’ve had this before and was able to get rid of it, but not this time, looks like a clean wipe is the only option. back up your data, folks.

    Comment by JR — March 27, 2010 #

  14. JR, probably your PC is infected with trojan-rootkit that blocks any antispyware programs. Ask for help in our Spyware removal forum.

    Comment by Patrik — March 27, 2010 #

  15. Just done it (Method 1). It seems to have worked. Thank you for your help.

    Comment by Cristiano — March 27, 2010 #

  16. Thank you!! It worked great and removed that sucker!

    Comment by Jeff — March 27, 2010 #

  17. I used method 2. Seems to have worked for now, no signs of the rogue XP Security Tool program anymore, though I’m not taking any chances, I’m currently scanning with MBAM…

    Comment by Eduardo — March 30, 2010 #

  18. Thank you for the informative article above! I just want to add a couple of points to clarify certain operations:

    1. The registry changes assume that the repairs are applied by the same account that was infected. This might not be the case for machines with multiple logins.

    2. Starting with Windows 2000, the registry hive named HKEY_CLASSES_ROOT is generated by combining both the HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes keys and their subkeys (see the Microsoft article at http://msdn.microsoft.com/en-us/library/ms724475(VS.85).aspx). If keys overlap then the values associated to HKEY_CURRENT_USER\Software\Classes are assigned to the resulting HKEY_CLASSES_ROOT key, ignoring the values specified by HKEY_LOCAL_MACHINE\Software\Classes.

    With this information, and verifying that the HKEY_LOCAL_MACHINE\Software\Classes .exe and exefile key and subkey values reflect what’s mentioned above, you simply need to delete these subkeys (.exe and exefile) from the HKEY_CURRENT_USER\Software\Classes. Once deleted, the HKEY_CLASSES_ROOT .exe and exefile subkeys will then reflect their key values found in the HKEY_LOCAL_MACHINE\Software\Classes. If you’re using REGEDIT as the GUI to delete these keys, don’t forget to refresh your window (press F5) to see the new key values.

    Finally, to prevent future infestations, you might want to consider changing the permissions for the HKEY_CURRENT_USER\Software\Classes key to a “Read” only value. Typically, the “default” key values assigned to the HKEY_LOCAL_MACHINE\Software\Classes during an application’s install program don’t need to be configured/changed on a per account basis.

    Comment by WhisperingChaos — March 31, 2010 #

  19. Method 1 worked for me. Thank you so much!

    My security software alerted me to a process initiated called ave.exe, which I blocked, but the block was ignored. After I did Method 1 I did a search for ave.exe and there was a copy in windows/prefetch – I deleted that too.

    Again, thanks a bunch :)

    Comment by Jo — April 1, 2010 #

  20. Just removed noted keys.. it worked great to remove the xp security malware

    Comment by NickChris — April 2, 2010 #

  21. Wow! Just got it off, thanks a lot. The program attacked my computer and turned off my key board. I sent the file as a doc file via the network and then had to cut and paste using the mouse. What a job. I just wish we could find the guys that write and send these out and take them behind the barn for a little hands on virus protection.

    Comment by Scott — April 3, 2010 #

  22. When I tried the first method, a Registry Editor window comes up, it says:
    Are you sure you want to add the information in C:\Documents and Settings\sn313523\Desktop\fix.reg to the registry?

    I click “Yes” and then it says:
    Cannot import C:\Documents and Settings\sn313523\Desktop\fix.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor.

    So Method 1 doesn’t work for me.

    When I try Method 2 a Window comes up saying:
    Error
    Installation failed.

    Please help :I

    Comment by Michael — April 3, 2010 #

  23. Aha! Thank you! I thought my poor laptop was a goner once Malwarebytes got compromised but I managed to repair it in safe mode using method 1. Thank you!

    Comment by Shawn — April 3, 2010 #

  24. Thanks a lot, it worked!

    Comment by Mike — April 3, 2010 #

  25. THANK YOU FOR THIS!

    Those pop ups were getting a heckuva lot annoying.

    Comment by xWolfofSorrow — April 4, 2010 #

  26. Michael, check please:
    1. you have “Windows Registry Editor Version 5.00″ as first line
    2. in the save dialog you have selected “ANSI” in the encoding field.

    Comment by Patrik — April 4, 2010 #

  27. I got as far as asking Malwarebytes to quarantine the infections and then nothing happened, no response, just the egg timer. Any clues?

    Comment by Patrick — April 4, 2010 #

  28. Boot your PC in Safe mode, then run Malwarebytes and perform a scan.

    Comment by Patrik — April 4, 2010 #

  29. I tried method 1 step 1, and I copied all the information correctly and saved the file correctly. However, when I tried to add the file to the registry, I received the error message: “Cannot import X:\Documents and Settings\Owner\Desktop\fix.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor.”

    What do I do to fix this?

    Comment by johnmalone — April 4, 2010 #

  30. Thanks a lot. It worked like a dream. I wasn’t able even to start ad-aware. I appreciate your time in helping us.

    Comment by neotyx — April 4, 2010 #

  31. johnmalone, have you selected ANSI in the Encoding field of the Save dialog?

    Comment by Patrik — April 4, 2010 #

  32. just tried method 1 and then my firefox begins to work. Downloaded mbam-setup.exe and installed it. Now I am waiting for the scanning results. Works excellent so far. Saw purchase and register button at the bottom of the scanning screen. Do I need to buy this software to be able to delete the infected files it found?
    Thanks.

    Comment by charly — April 5, 2010 #

  33. Charly, you can remove any infections for free.

    Comment by Patrik — April 5, 2010 #

  34. Hi People (Patrik in particular as ive noticed youve answered most peoples questions on the above posts!)

    First of all – many thanks for the above steps of how to remove this rogue piece of anti-spyware as this has now worked for me as it is no longer present on my system and i didnt need to download the malware bytes programme either as the 1st of 2 steps you mentioned has resolved it – the only problem i now have is (and this is because im a total idiot) – is when i created the 2 files –
    1)fix.inf and 2) fix.reg, i clicked on the fix.reg and clicked the ‘merge’ file option which came up with the message ” are you sure you want to add the information to the registry?” and clicked yes then rebooted my pc – so although the spyware has now gone – i now have the issue that when i try to open for example internet explorer or even an mp3 on my desktop – it comes up with the ‘open programme with’ dialog as if the computer doesnt recognise how to open it up ? as normally if i clicked on either of them they would just load up accordingly – so i even when i click internet explorer for example – and it comes up with the ‘open with’ dialog, then i click on the internet logo it says the file cannot be found, so it seems that since i mistakenly merged the file – files and programmes will not open or load up like they normally would do ?

    Is there any advice or another piece of registry info any one can give me to rectify this issue as its driving me nuts (all my own fault i know) but if any has any advice on this i would really really appreciate it :0)

    Thanks

    Si

    Comment by Si — April 5, 2010 #

  35. In relation to my above post as well – i forgot to mention – on my start menu when i normally select microsoft internet explorer – the only one im getting on the list is
    ”Internet Explorer (No Add-Ons)” so its not functioning correctly ?? Any ideas as well on the above ?

    Kind Regards,

    Si.

    Comment by Si — April 5, 2010 #

  36. Hi Guys,

    I have followed the instructions for removal however when i open Internet Explorer i still get pop-ups even when this Program is completely removed. Any help will be much appreciated.

    Thanks

    Comment by Ekrem — April 5, 2010 #

  37. I did Step 1 Method 1 and rebooted my computer… now I can’t open ANYTHING and I keep getting the error message “This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel”…..

    Help! How do I fix this? (and still remove the antispyware…)

    Comment by Katrin — April 5, 2010 #

  38. I have tried it and it worked, but the next day it came back. How do I keep it from coming back ever. I keep on getting these constantly and get rid of them, but they keep on coming back

    Comment by lindsey — April 5, 2010 #

  39. Si, you need to download and run Malwarebytes to remove XP Security Tool 2010 associated malware.

    Comment by Patrik — April 5, 2010 #

  40. Ekrem, you need to scan your PC with Malwarebytes Anti-malware.

    Comment by Patrik — April 5, 2010 #

  41. Katrin, try method 2.

    Comment by Patrik — April 5, 2010 #

  42. lindsey, looks like your PC is infected with a trojan that can reinstall the rogue. Open a new topic in our Spyware removal forum, I will check your PC.

    Comment by Patrik — April 5, 2010 #

  43. I tried step 1 and it came up with “Registry Editing has been disabled by your Administrator”. I’m on the administrator account on my PC. (There’s only 1 account)

    I discovered this virus 5 minutes ago. Could the virus already have blocked off editing?

    Comment by John — April 6, 2010 #

  44. I have scanned my PC numerous times with Malware Bytes. I have done several quick / Full scans still pop-ups persist. I tried turning off System restore. Still getting pop-ups any help will be much appreciated.

    Comment by Ekrem — April 6, 2010 #

  45. I have the same problem as Lindsey have.. is there any way to complete remove this?
    Thanks.

    Comment by mindy — April 6, 2010 #

  46. method 2 worked like a charm. thanks for the detailed write-up!

    Comment by paul — April 6, 2010 #

  47. John, try method 2.

    Comment by Patrik — April 7, 2010 #

  48. Ekrem, if the instructions above do not help you, then ask for help in our Spyware removal forum.

    Comment by Patrik — April 7, 2010 #

  49. Hi – I have tried method 1 but get an error some keys are open by the system or other process
    Tried method 2 and an error – installation failed

    Help :(

    Comment by James — April 7, 2010 #

  50. James, download exeHelper from here and save it to your desktop.
    Double-click on exeHelper.com to run the fix.

    Comment by Patrik — April 8, 2010 #

  51. Thank you!! Method 2 worked beautifully! :)

    I’ve scanned, quarantined and rebooted without one “security” notification. Woop!

    Thanks again!

    <3.melissa

    Comment by Melissa — April 8, 2010 #

  52. Thanks! I followed your instructions and it got rid of XP security 2010.

    Comment by Jam — April 8, 2010 #

  53. Hey guys, thanks a lot !! I was a little shocked when this happened. I thought running avast! would keep my PC secure, but guess not. Running step 1 and reboot seems to have cleaned up the obvious symptoms. Now doing step 2

    Comment by Salim — April 10, 2010 #

  54. It’s alright to go ahead and delete fix.reg once I’ve gotten rid of this crap, right?

    Comment by Henstington — April 11, 2010 #

  55. Hi Patrik, thanks for getting back to me on this -as mentioned before the security tool thing is no longer existent on my pc which is good and i have followed your advice in downloading the anti-malware software and i ran a scan as instructed on the software and left it running for a day and a half but it found nothing, so i just ended the scan then as surely if there was anything on it it would have found it by now surely ?

    My main issue i have now is that when i load up internet explorer – it takes me straight to a blank webpage that says
    ” Internet Explorer is currently running without add-ons ”, and majority of sites i go on its constantly coming up with the message
    ” Do you want to allow software such as ActiveX Controls and plug-ins to turn on, and whether i click yes or no – the message box will always appear again 2 minutes later ”
    I have even tried following the microsoft internet explorer trouble shoot guide and tried turning the feature on but im still having no joy as what i have stated above keeps persistently happening ?

    Is there anything else you can suggest that can help me with this ??

    Many Thanks,

    Si.

    Comment by Si — April 11, 2010 #

  56. Henstington, yes, manually remove fix.reg.

    Comment by Patrik — April 11, 2010 #

  57. Si, have you tried running it from the start menu instead of the desktop short cut?

    Comment by Patrik — April 11, 2010 #

  58. unfortunately i see this helpful guide too late,i got this bloody malware and just got to format,the funny thing is that my sister got infected few days ago and i fixed his PC with no problems,but i have been infected with the new rogue and when i saw all .exes broken i panic.

    Comment by dan — April 11, 2010 #

  59. I used method 2, then I downloaded the MBAM and installed it, but the .exe to execute it disappears so it doesnt run.. :( any ideas ?

    Comment by Jon — April 11, 2010 #

  60. hey I did the 1st method first step, and the thing isn’t popping up anymore, but MBAM isn’t finding the files, any help?

    Comment by Downfall — April 11, 2010 #

  61. Thank you, method 1 worked just fine. Thank you very much :)

    Comment by Hamza — April 11, 2010 #

  62. Jon, repeat first step, then run Malwarebytes (don`t reboot before malwarebytes).

    Comment by Patrik — April 12, 2010 #

  63. Downfall, try updating Malwarebytes and scan once again.

    Comment by Patrik — April 12, 2010 #

  64. Thank you very much…Method 2 worked for me. Your advice couldn’t have come at a better time!

    Comment by Pat — April 12, 2010 #

  65. Can you please help? I recently had XP Security Tool 2010 and I got it off my laptop but when I get on Google or any other search engine and I type something and get the results and click on a link I want, I get redirected to another website than the one I wanted. What is this and why does this keep happening? Is it related the XP Security Tool 2010? Help please

    Comment by MJ — April 12, 2010 #

  66. Thanks a million, looks like method 2 worked for me so I am hoping that this will do it.
    Who wrote this has too much time on their hands for sure.

    Comment by Michael — April 12, 2010 #

  67. MJ, looks like your computer is infected with TDSS trojan. Follow the instructions.

    Comment by Patrik — April 12, 2010 #

  68. April 13th 2010
    Comment by Pensioner
    Thanks a lot so far so good Firewall is ‘happy again’! back on and no unwanted dialog boxes appearing.

    Comment by Pensioner — April 13, 2010 #

  69. Hello, I was infected with Security Tool in my new Windows 7. It blanked my desktop screen (turned it black, icons disappeared) and it blocked any attempts to load anti spyware programmes, telling me they were infected, except for one (which is free) called “Superantispyware”. It was able to override the error messages from Security Tool, and performed a complete scan for me. It identified lots of malware, including three rogue security programmes, one of which I presumed was Security Tool, as it didn’t name them. After the scan, Superantispyware invited me to delete all the malware it had found, and to reboot my computer. When I rebooted, Security Tool had gone and my desktop and icons were restored. So I would suggest that others try this. Just download the Superantispyware at google. Good luck, Miriam

    Comment by Miriam Henry — April 13, 2010 #

  70. I had this same problem a while back,unable to solve it ended up having to do a reinstallation of XP, phew! So thanks once again I used Method 2 and it only took a few minutes following the above instructions.

    Comment by Pensioner — April 14, 2010 #

  71. Started off with XP Internet Security, seemed to remove it, then popped up with Antivirus XP, did fixexe and ran Malwarebyte several times, once in safe mode. Got the website redirect today, sure enough a few minutes later up pops XP Security Tool 2010. (The others did not have 2010 in their “titles”). Malwarebyte is running, but so far has found NOTHING. So confused.

    Feel like I’m up against a wall here. Harddrive could probably use a good re-formatting, but I would love to avoid it if possible. Pretty non-techie, too – is this what is called a “trojan” since it keeps re-infecting? Or am I reinfecting from the internet? I have a firewall up with McAfee. So far seems pretty harmless compared to what I’ve seen can happen, so is there hope??

    Any help is greatly appreciated.

    Comment by Sarah — April 14, 2010 #

  72. Also, used a thumb drive to load Malwarebyte and Fix.exe, should I be suspicious of this thumb drive now with other computers? I have a couple of pics I’d like to pull off to the Mac – would that be a risk? (from what I’ve heard, it shouldn’t be) After that I’d have no problem trashing the drive.

    Thanks again.

    Comment by Sarah — April 14, 2010 #

  73. Sarah, open a new topic in our Spyware removal forum. I will check your PC.
    And to second question, I think, no risk here.

    Comment by Patrik — April 14, 2010 #

  74. I want to thank you and Malwarebytes.
    You have saved me a lot of headaches.
    I had to use method 2 as method 1 did not take.
    Who are these people and can we meet them and give them a dose of their own medicine?
    Thanks again.

    Don

    Comment by Don Purnell — April 14, 2010 #

  75. Well, the process worked but my system got re-infected within an hour.
    I am running Zone Alarm extreme security and don’t get how this junk continues to come through.

    Don

    Comment by Don — April 14, 2010 #

  76. I tried Method 1, and got an error:

    Cannot import C:\Documents and Settings\sn313523\Desktop\fix.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor.

    And when trying method two, after clicking “install” nothing happens. Should something happen when I do this? If so, what is it?

    Comment by Nate — April 15, 2010 #

  77. Don, looks like your computer is infected with a hidden trojan (probably Vundo trojan) that reinstalls this malware. Open a new topic in our Spyware removal forum. I will check your computer.

    Comment by Patrik — April 15, 2010 #

  78. Nate, check twice your fix.reg. It should have “Windows Registry Editor Version 5.00″ as first line, in Save dialog you should select ANSI in encoding field.

    Comment by Patrik — April 15, 2010 #

  79. Worked perfectly (method 1), thank you

    Comment by bandjougou — April 15, 2010 #

  80. Thank you so much. Method 1 worked perfect. Again thank you so much for this info

    Comment by Seth — April 15, 2010 #

  81. Method 1 worked like a charm. Nice work fellas, I was bricking it a bit – this is my works computer!!!

    Comment by Shatners Bassoon — April 15, 2010 #

  82. thank you so much! i did both steps 1 & 2 & the XP security tool 2010 is gone i think. i am now trying to search on how to fix my windows update so it will install kb979683. everytime i go to a page with the steps listed to fix it, the page is completely blank. this is so odd! i am on my cousins pc right now, the one who had the malware, & i went home to search it on my own pc & the pages loaded just fine there.

    Comment by audra — April 15, 2010 #

  83. Worked like a charm (method 1), saves me reloading,thank you very much.

    Comment by Larry — April 16, 2010 #

  84. Hi Patrik, I have just loaded up internet explorer from start menu – rather than from the short-cut off the desktop as advised and this seems to load up google straight away without any fuss as thats what ive got set as my home page.

    The only issue i still have, is that when i navigate to youtube for example of especially which requires something with Flash to run (and ive always had flash player installed + running on my comp b4 all this happened!) – it keeps coming up with the box

    ‘ Do you want to allow software such as ActiveX Controls and plug-ins to turn on, -yes/no’ again ? Any ideas what i can do ??

    Comment by Si — April 16, 2010 #

  85. ok its gone. i scanned twice. but i still get redirects when i search using all browsers . please help me

    Comment by charles — April 16, 2010 #

  86. Thank You. Used method #2. Worked like a charm. Thank you very much.

    Comment by Charlie — April 17, 2010 #

  87. Si, to turn off this message:
    Run Internet Explorer, select Tools > Internet Options > Security > Local Intranet > Custom Level

    Under the Run ActiveX controls and plug-ins select enable

    Comment by Patrik — April 17, 2010 #

  88. charles, probably your computer is infected with TDSS trojan. Try the instructions.

    Comment by Patrik — April 17, 2010 #

  89. How can I download malwarebytes. I’m confused

    Comment by Giancarlos — April 17, 2010 #

  90. Having had a couple of attempts with method 1 fail, I tried method 2 which seems to have cracked it. I am very grateful. Excellent advice thanks.

    Comment by Simon — April 18, 2010 #

  91. Giancarlos, open the page, scroll down to Download links and click on any one.

    Comment by Patrik — April 18, 2010 #

  92. I have done both of the above and neither of them has worked, and I’ve read all through this and changed the things that have been told to other people by saving it and things like that. Any ideas of what I can do, as I have this on my and laptop and am just about to go crazy, so any help will do, thanks?

    Comment by stacey — April 18, 2010 #

  93. Hi Patrik, I followed the method you have advised of above in relation to the ActiveX controls pop-up box issue I keep getting, but even after selecting the options you have mentioned, this didn’t seem to work as immediately the same pop-up box appeared??

    Comment by Si — April 19, 2010 #

  94. Why is everybody ignoring my post? Just download Superantispyware and you will get rid of it…honest!

    Comment by Miriam Henry — April 19, 2010 #

  95. WHY ALL THE GEEK SPEAK. THIS FREE TOOL KILLS IT DEAD
    DOWNLOAD THE FREE SCANNER TO A JUMP DRIVE ALSO.
    http://www.superantispyware.com/blog/
    CHEERS CHRISTOPHER

    Comment by Chris — April 20, 2010 #

  96. Thanks a lot, it works very well.
    Thank you very much

    Comment by Mani Taoufik — April 20, 2010 #

  97. To the people that are having problems doing the above: if you put the clock on your PC forward by 8 days, that will stop it working so you can do the info above, as it’s that EXE that’s stopping you.

    Comment by peter — April 20, 2010 #

  98. Si, open a new topic in our Spyware removal forum. I will check your PC.

    Comment by Patrik — April 20, 2010 #

  99. So I followed these instructions and it looks like the virus is gone, but now Windows won’t let me open any anti-virus programs. I can’t open Norton, AVG, or Malwarebytes Anti-malware.

    Also, once I run that .inf for the first time, do I have to delete it?

    Comment by Tony T — April 20, 2010 #

  100. Tony, try repeating the first step. If it does not help, then ask for help in our Spyware removal forum.

    Comment by Patrik — April 21, 2010 #

  101. Like Katrin, when I rebooted my machine, it took control of my administrator function and won’t let me run any anti-virus programs (even if I change the name to try to throw the virus off from detecting it)–it just asks me which program do I want to open it with. I tried #2 but after clicking start/run, it won’t allow me to type “notepad”. It just closes out on me. I’m at a loss of what to do!

    Comment by Beatrice — April 21, 2010 #

  102. First reg.fix option worked for me on 2 different machines, both XP Pro. Does this fix work on Vista etc. as well?

    Comment by chris s — April 22, 2010 #

  103. I tried #2 but after clicking start/run, it won’t allow me to type “notepad”

    Beatrice, you need to type “command” w/o quotes and press Enter. Command console opens. Now type notepad and press Enter.

    Comment by Patrik — April 22, 2010 #

  104. Chris, yes the fix works on Vista too.

    Comment by Patrik — April 22, 2010 #

  105. Arrgggh!!
    I tried method 1, which seemed to stop those scans and alerts popping up and allowed me to browse. When I go to the Malwarebytes site it takes me to Spyware Doctor, which I already have on my PC; when I click on run smart update it fails and says my subscription is out of date, which I know is still OK until end of Aug. My Norton still won’t open, so I tried installing it again and I also installed Spyware Doctor… then guess what happened? The xp security tools 2010/my security engine came back! The original fix.reg won’t work and when I go to run and type command it now says “command Attempt to access invalid address”. So got any more ideas please. Been sat here since 6 pm and it’s now 9.30 pm!!!

    Comment by Mandy — April 22, 2010 #

  106. Patrik: Sorry, I meant to include that I typed “command” to type “notepad” but after typing command, I get an error message:
    C:\WINDOWS\system32\command.com
    C:\WINDOWS\SYSTEM32\AUTOEXEC.NET. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose ‘Close’ to terminate the application.

    This virus has disabled all my admin functionality. I can’t open any programs/files that’s been downloaded to a CD or memory stick. I can’t boot from my CD drive (even though I already went in to system set up and changed the order so that my CD drive would run first when I boot up my system). I can’t do system restore or access the internet. I think my computer’s toast…

    Comment by Beatrice — April 22, 2010 #

  107. Mandy, have you tried method 2?

    Comment by Patrik — April 23, 2010 #

  108. I can’t try method 2 on account of getting as far as typing “command” a box appears with “command Attempt to access invalid address” and won’t let me proceed any further. :-(

    Comment by Mandy — April 23, 2010 #

  109. Beatrice, try the following instructions:
    1. Copy notepad.exe from c:\windows\system32 to your desktop
    2. rename notepad.exe to notepad.com (try also notepad.scr) and then run it
    3. notepad opens, follow the steps above

    Comment by Patrik — April 23, 2010 #

  110. Mandy, ok. Try the steps from my previous comment (to Beatrice).

    Comment by Patrik — April 23, 2010 #

  111. I have removed the rogue spyware by using my system cd and recovery discs. I have installed norton 2010. How do I stop the xp security tool 2010 and my security engine attacking my laptop again?
    Thanks

    Comment by Mandy — April 23, 2010 #

  112. Hi Patrik,

    I followed your instructions and renamed the notepad.exe file (with both names) on my desktop but I got the usual “Choose the program you want to use to open this file:” It won’t allow me to run it…

    Comment by Beatrice — April 23, 2010 #

  113. I also noticed that even though I name the file with a different extension, it still attaches the exe to the new name (ex. notepad.scr.exe).

    Comment by Beatrice — April 23, 2010 #

  114. Mandy, to protect your computer, also install an antispyware program (SpyBot, AdWare, etc).

    Comment by Patrik — April 23, 2010 #

  115. Beatrice, you need to uncheck the “Hide file extensions for known types” option.
    Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Uncheck the Hide file extensions for known types option. Click Yes to confirm. Click OK.

    Now try renaming notepad.exe once again.

    Comment by Patrik — April 23, 2010 #

  116. I’ve had serious problems with getting rid of this. I’ve tried both methods and thought I’d been successful after it didn’t appear after a restart.

    But the malwarebytes scan seemed to keep getting stuck while scanning the rundll32 file, and – after two attempts at running the scan – the xp security tool kicked back in.

    Any help would be greatly appreciated.

    Comment by Paul — April 25, 2010 #

  117. Also, when I try to install method 2, I get a Windows dialog box which says “windows cannot open this file: grpconv.exe”; it then gives the option to either use the web service to find the appropriate program or to select from a list.

    Comment by Paul — April 25, 2010 #

  118. Brilliant – thanks.

    Comment by Simon K — April 25, 2010 #

  119. thanks heaps method 2 worked for us with some help from my patient wife cheers.

    Comment by Ben Thomas — April 25, 2010 #

  120. Paul, try using exehelper (see my comments above).

    Comment by Patrik — April 27, 2010 #

  121. I tried both methods. I got it all cleared I think, but when I open up my Security Center it says that my firewall and virus protection is not being monitored. I was wondering how it can be turned back on?

    Comment by Rebecca — April 27, 2010 #

  122. Rebecca, is your antivirus enabled?

    Comment by Patrik — April 28, 2010 #

  123. Yes it is enabled and I can’t do a system restore besides on the date that my computer got infected.

    Comment by Rebecca — April 28, 2010 #

  124. I got the virus protection and firewall to work. I just can’t get the system restore to work right.

    Comment by Rebecca — April 28, 2010 #

  125. I have struggled with this for 2 days. I had the xp security tool popups, and ran AVG as soon as they appeared. AVG did not clean it. I tried to run antimalware and it would not open. I restarted in safe mode, and popups appeared there. I tried cntrl alt del at start up to see the processes to stop (another forum tip), and did not see a process to choose. I no longer have the popups but I was at the point where when I attempt to open any program, the “Open With” screen appears. I decided to try the option #1 above. I know nothing about registry files and was reluctant to modify them. With my desktop essentially inoperable anyway I took the chance. I was able to reinstall the Antimalware, update it, and run the scan. The infected files were successfully removed. I am so grateful to everyone that posted their experiences, and the guru that came up with this fix. My virus came from an infected email that had “Facebook” as the sender, and “New Password” in the subject. I thought it was a real email when I opened it. There should be some way to hunt down the virus programmers and make them pay us for the time and money spent removing their evil.

    Comment by Laverne — April 29, 2010 #

  126. you guys are great and have saved my computer

    Comment by james kerr — April 29, 2010 #

  127. Hi there, I was just wondering if this is a real site or not. I have the clean up anti virus on my computer and I really need to get it off, but I am a little unsure whether this program is legit or not.

    Comment by Rachel — April 29, 2010 #

  128. Hi Patrik,

    I’ve signed up + registered a user name for myself so I log into the forum, but how do you create a new post? & is there something specific you would like me to call the thread/topic so you can go straight to it to do a check on my PC?

    Comment by Si — April 29, 2010 #

  129. Rachel, “clean up anti virus” is a fake antivirus. Follow the instructions to remove it.

    Comment by Patrik — April 30, 2010 #

  130. Si, log into the forum, then follow the steps (2-4).

    Comment by Patrik — April 30, 2010 #

  131. I used the instructions to clean two laptops using XP, one will now not access the Internet one will. I used the same steps for both, help! over 5 hours spent on research and diagnosis so far.

    Comment by Brian — May 1, 2010 #

  132. Hello Patrik, I can’t open the editor. What do I need to do?

    Comment by Klaus — May 2, 2010 #

  133. Brian, try the following:
    Click Start, Run, type regedit and press Enter.
    Registry editor opens.
    Navigate in the left panel to HKEY_LOCAL_MACHINE \ SOFTWARE \ Clients \ StartMenuInternet \ IEXPLORE.EXE \ shell \ open \ command

    In the right part of the window, click twice on “@”. You will see a screen with contents like the following: “C:\Documents and Settings\user\Local Settings\Application Data\av.exe” /START “C:\Program Files\Internet Explorer\iexplore.exe”
    Remove the left part, leave only “C:\Program Files\Internet Explorer\iexplore.exe”.
    Reboot your PC and try opening any site.

    Comment by Patrik — May 2, 2010 #
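
The check described in comment 133, as an added example that is not part of the original thread or the site's own tooling: it parses an exported `shell\open\command` value, flags the case where one program is chained in front of another, and returns the command with the wrapper removed. The function names, the folder list and the clean Firefox entry are assumptions made for the example; the Internet Explorer value is the string quoted in the comment.

```python
import re

# One token = a quoted string or a run of non-space characters. Curly quotes
# are accepted too, since values copied from web pages often carry them.
# Limitation: an unquoted path that contains spaces is split into pieces.
_TOKEN = re.compile(r'["\u201c]([^"\u201c\u201d]*)["\u201d]|(\S+)')

# Per-user writable folders. The first entry is the one seen in the comment
# above; the other two are assumptions. A browser has no reason to live here.
USER_WRITABLE = ("\\local settings\\application data\\", "\\appdata\\", "\\temp\\")

IE_KEY = r"HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command"
FF_KEY = r"HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command"

# Constructed sample export (key -> default value). The IE value is the string
# quoted in the comment above; the Firefox value is a made-up clean entry.
SAMPLE = {
    IE_KEY: r'“C:\Documents and Settings\user\Local Settings\Application Data\av.exe”'
            r' /START “C:\Program Files\Internet Explorer\iexplore.exe”',
    FF_KEY: r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
}


def tokenize(command):
    """Split a registry command string into tokens, honouring quotes."""
    return [bare or quoted for quoted, bare in _TOKEN.findall(command)]


def _quote(token):
    return '"%s"' % token if " " in token else token


def audit_open_command(command):
    """Inspect one shell\\open\\command value.

    Returns None when the value does not chain one program into another,
    otherwise a dict with the wrapper path, whether it sits in a per-user
    folder, and the command with the wrapper and its switches removed.
    """
    tokens = tokenize(command)
    if not tokens or not tokens[0].lower().endswith(".exe"):
        return None
    for i, tok in enumerate(tokens[1:], start=1):
        if tok.lower().endswith(".exe"):
            # Only switches (e.g. /START) may sit between wrapper and target.
            if not all(t.startswith("/") for t in tokens[1:i]):
                return None
            wrapper = tokens[0]
            return {
                "wrapper": wrapper,
                "user_writable": any(d in wrapper.lower() for d in USER_WRITABLE),
                "restored": " ".join(_quote(t) for t in tokens[i:]),
            }
    return None


def audit(values):
    """Return {key: finding} for every value that needs review."""
    findings = {key: audit_open_command(value) for key, value in values.items()}
    return {key: f for key, f in findings.items() if f is not None}


if __name__ == "__main__":
    for key, finding in audit(SAMPLE).items():
        print(key, "->", finding["wrapper"], "| restore to:", finding["restored"])
```

A finding is a prompt for manual review of that key, not proof of infection; the `restored` string is what the value would look like after the "remove left part" step.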

  134. Hi Patrik, many thanks for your help with this – the ActiveX control pop-up appears to have now stopped (thankfully) – HOWEVER, in a totally separate issue to the ActiveX control & XP security tool issue I did have but is now resolved, I think recently I may have a trojan or some form of other virus that has now come onto my comp (unrelated to any of what I did have on PC): my computer has decided to occasionally and randomly load up a few blank web pages every now and again, and with this I kept getting a Windows debug fix message/prompt, and after looking this up on Google, I’ve managed to disable these debug pop-ups; however, when I load my PC up first thing I now get an (explorer.exe.error) message/pop-up saying:

    0x76f2345a referenced memory of 0x76f2345a

    I have run malware system scan and within the 1st 20 mins of scanning it did find 3 infections; however, when I do perform a ‘quick’ scan like you recommend, it seems to take forever to scan and never actually finishes scanning, so how do I stop or pause the scan – and actually delete the threat that’s on there that Malwarebytes has found?
    I’ve tried temporarily pausing the scan and tried clicking on the other tabs in Malwarebytes (i.e. quarantine) etc. but it just doesn’t do anything. My only options seem to be to perform scan (which never seems to end!), pause scan or exit?

    If you could tell me where I can go from here I would be incredibly grateful :0)

    Many Thanks again.

    Comment by SI — June 2, 2010 #

  135. SI, please start a new topic in our Spyware removal forum. I will check your PC.

    Comment by Patrik — June 2, 2010 #

  136. I can’t do any of this to get rid of the cirus because after the Dell welcome in part my computer goes blank and will not even sign into safe mode! What can I do??? I need to get this sorted; the laptop isn’t mine, I’m really worried. Any help on what I could do, even if I need to wipe the computer completely, I’m happy to do anything!

    Comment by Kim — July 8, 2010 #

  137. I meant virus*

    Comment by Kim — July 8, 2010 #

  138. Kim, can you open the F8 menu (advanced menu)? If yes, have you tried the Last Good Configuration option?

    Comment by Patrik — July 9, 2010 #

  139. I got the Security Tool virus, and followed both methods and they work while I am in the current session, but once I restart my computer the Security Tool popups return. Any suggestions?

    Comment by Scott — July 25, 2010 #

  140. Scott, it looks like your PC is also infected with a hidden trojan that reinstalls the rogue. Please start a new topic in our Spyware removal forum. I will help you.

    Comment by Patrik — July 25, 2010 #

  141. Got security tool virus last week, followed the rkill and malwarebytes programmes and seemed to get rid of it. Everything worked a treat after that. However while working on computer yesterday the desktop froze and I couldn’t open any icons. Tried to restart but still won’t open properly. When it opens as far as desktop still can’t open icons. Start won’t work, right click mouse won’t work, ctrl,alt,del won’t work. Ran malwarebytes scan and removed 8 infected files, still no joy.
    Where do I go from here?

    Comment by Diane — August 4, 2010 #

  142. Just downloaded superantispyware in safe mode and it won’t run, I get a message saying: “The system administrator has set policies to prevent this installation”

    Comment by Diane — August 4, 2010 #

  143. Diane, please begin a new topic in our Spyware removal forum. I will help you.

    Comment by Patrik — August 4, 2010 #

  144. Every time I type command this freaking security tool stops it from opening.

    Comment by whyohwhy — August 4, 2010 #

  145. whyohwhy, try the instructions.

    Comment by Patrik — August 5, 2010 #

  146. I used two method step 1 and use ANSI but this message appears “THE SPECIFIED FILE IS NOT A REGISTRY SCRIPT.YOU CAN ONLY IMPORT BINARY REGISTRY FILES FROM WITHIN THE REGISTRY EDITOR ”
    What can I do?

    Comment by soli — August 16, 2010 #

  147. Soli, try the second method of the first step.

    Comment by Patrik — August 22, 2010 #

  148. OK, I did everything; still doesn’t work.

    Comment by ↑arianna↑ — August 23, 2010 #

  149. arianna, ask for help in our Spyware removal forum.

    Comment by Patrik — August 23, 2010 #

  150. You can’t load anything while the virus is active

    Comment by Rob — September 25, 2010 #

  151. Security Tool has me beat. I’ve tried everything above. No success with any of it for me, unfortunately. I can’t do anything except in Safe Mode and I can’t get Internet access on the infected laptop. I run XP. Please, any suggestions welcome.

    Comment by Guy — November 16, 2010 #

  152. I tried the Spyware removal forum, but it said download Hijack This log. How can I? My internet access is blocked. I have broadband wireless mobile and the connection isn’t being recognized.

    Comment by Guy — November 16, 2010 #

  153. Guy, anyway start a new topic in our Spyware removal forum. I will help you to remove this malware.

    Comment by Patrik — November 17, 2010 #

  154. Did the job, thank you so much.

    Comment by Gerry — November 17, 2010 #

  155. I carried out method one. When I reboot the computer I am faced with a blue screen and a STOP:0x0000007B message. Any ideas?

    Comment by Jason — March 5, 2011 #

  156. Jason, try booting your PC in Last good configuration mode.

    Comment by Patrik (Myantispyware admin) — March 8, 2011 #

  157. I got rid of the 2010 virus but now programs are coming up with “This file does not have a program associated with it for performing this action. Create an association in the Set Associations control panel”
    I checked with regedit and:
    [HKEY_CLASSES_ROOT\.exe]
    said exefile
    and Content Type had application/x-msdownload
    How can I edit to have the exe files associated at startup?

    Comment by Ron — March 27, 2011 #

  158. Ron, try repeating step 1.

    Comment by Patrik (Myantispyware admin) — March 28, 2011 #

  159. I ran everything in method 1 and as far as I can see it worked? But when I reboot now I can’t run anything because it goes to a blue screen that tells me I need to restart and that there is a problem with new hardware or software… does not do it in safe mode… this is a small business computer and I am gonna miss a couple of deadlines unless this computer illiterate guy can fix it!! lol

    Comment by Logan — March 29, 2011 #

  160. Logan, try booting your PC in Last good configuration, then perform a scan with Malwarebytes.

    Comment by Patrik (Myantispyware admin) — March 31, 2011 #

  161. Thanks a lot……..it worked.

    Comment by Bhavani — April 6, 2011 #

  162. Had infected computer with xp security 2011, tried method 1 for which I got same response as Soli. Tried method 2 which has worked, all seems to be back to normal and running a malwarebytes scan to check.

    Comment by robert — April 8, 2011 #

  163. Thanks So much! The one I got today was called XP Security 2011, but the same process (I used method 1) worked fine.

    Comment by orange — April 15, 2011 #

  164. wow great effort. thanks a ton

    Comment by Muthu — April 18, 2011 #

  165. SOLVED THANKYOU VERY MUCH BOSS

    Comment by Muthu — April 18, 2011 #

  166. How am I supposed to copy all the stuff in the notepad? My Internet is blocked, I can only access through my phone.. please reply back to my mail, thanks :)

    Comment by Sadia — April 19, 2011 #

  167. I downloaded it, but this xp crap won’t let me open it or run anything. What the hell can I do to stop it? Very frustrated… someone needs to kill the fucktards who created that shit!

    Comment by kevin — May 31, 2011 #

  168. Peace be upon you.
    Thank you for this wonderful program.
    Regards…

    Comment by ايمن الاسدي — June 1, 2011 #

  169. Free at last, free at last! You rock!!!!

    Comment by Angela — June 2, 2011 #

  170. This works great,
    Thanks so much

    Comment by Anton — June 11, 2011 #



My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.