How to remove XP Antispyware 2011

Thursday, November 11th, 2010 at 6:49 am

XP Antispyware 2011 description

XP Antispyware 2011 replaces XP Antispyware 2010 and XP Antispyware 2009. Each of these programs is malicious and should not be used as a real security application.

XP Antispyware 2011 is distributed by trojans. It imitates the actions of spyware removers: it may display system scans, infection summaries and security alerts. None of them is real; XP Antispyware 2011 fabricates the warnings just to scare people into purchasing the program. If clicked, the pop-ups demand payment for keeping XP Antispyware 2011 on board. XP Antispyware 2011 is definitely not something you want on your PC. It generates pop-ups, lowers security settings and targets your money. Remove XP Antispyware 2011 as soon as it appears on screen.

XP Antispyware 2011 is rogue antispyware software

How to manually remove XP Antispyware 2011

To remove XP Antispyware 2011 you must block XP Antispyware 2011 sites, stop and remove its processes, unregister its DLL files, and search for and delete all other XP Antispyware 2011 files and registry entries. Follow the XP Antispyware 2011 detection and removal instructions below.

The most typical software removal method is to remove XP Antispyware 2011 by using the "Add or Remove Programs" service. However, there may be hidden XP Antispyware 2011 files, running processes and registry entries on your computer, so XP Antispyware 2011 may recreate all other files after reboot.

XP Antispyware 2011 manual removal instructions

Stop and remove XP Antispyware 2011 processes:
pw.exe
MSASCui.exe

Locate and delete XP Antispyware 2011 registry entries:
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
HKEY_CURRENT_USER\Software\Classes\.exe "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon "(Default)" = '%1' = '"%UserProfile%\Local Settings\Application Data\.exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile "(Default)" = 'Application'
HKEY_CURRENT_USER\Software\Classes\exefile "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon "(Default)" = '%1'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\DefaultIcon "(Default)" = '%1'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\exefile "Content Type" = 'application/x-msdownload'
HKEY_CLASSES_ROOT\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"'
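
The entries above share one pattern: the command that launches every .exe (and the browser) is rerouted through a program in the user profile with a /START argument. The following Python is an added example, not part of the original instructions or of any removal tool; it audits a .reg export for that pattern. The function names, the user name "user" and the file name abc.exe are constructed for illustration, and only REG_SZ string values are parsed.

```python
import re

# Keys whose command value decides what runs when a .exe (or the browser) starts.
HANDLER_KEY = re.compile(r"\\(\.exe|exefile)\\shell\\(open|runas)\\command$", re.I)
BROWSER_KEY = re.compile(r"\\Clients\\StartMenuInternet\\[^\\]+\\shell\\[^\\]+\\command$", re.I)
CLEAN_EXE_COMMAND = '"%1" %*'                          # stock Windows handler value
WRAPPED = re.compile(r'^"[^"]+"\s+/START\s+"', re.I)   # launcher pattern from the list above
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(["\\])', r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            yield key, name, unescape(m.group(2))

def audit(reg_text):
    """Return (key, value_name, reason) for each command value that looks hijacked."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        if HANDLER_KEY.search(key) and data != CLEAN_EXE_COMMAND:
            findings.append((key, name, "exe handler routes through another program"))
        elif BROWSER_KEY.search(key) and WRAPPED.match(data):
            findings.append((key, name, "browser launch wrapped by /START launcher"))
    return findings

# Constructed sample export; abc.exe and the profile path are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\abc.exe\" /START \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\abc.exe\" /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\abc.exe\" /START \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
'''

if __name__ == "__main__":
    for key, name, reason in audit(SAMPLE_REG):
        print(f"{key} [{name}]: {reason}")
```

Version 5.00 exports are UTF-16 text, so decode the file before passing it to audit(). Because the check matches the pattern rather than a file name, it still works when the executable is renamed.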

Detect and delete other XP Antispyware 2011 files:
%UserProfile%\Local Settings\Application Data\opRSK
%UserProfile%\Local Settings\Application Data\pw.exe
%UserProfile%\Local Settings\Application Data\MSASCui.exe
%UserProfile%\AppData\Local\opRSK
%UserProfile%\AppData\Local\pw.exe
%UserProfile%\AppData\Local\MSASCui.exe
%AllUsersProfile%\t3e0ilfioi3684m2nt3ps2b6lru
%AppData%\Local\.exe
%AppData%\Local\t3e0ilfioi3684m2nt3ps2b6lru
%AppData%\Roaming\Microsoft\Windows\Templates\t3e0ilfioi3684m2nt3ps2b6lru
%Temp%\t3e0ilfioi3684m2nt3ps2b6lru

We strongly recommend that you use a spyware remover to track XP Antispyware 2011 and automatically remove its processes, registry entries and files, as well as other spyware threats.

15 Responses to XP Antispyware 2011

  1. Sheila

    I have been trying to find a way to get rid of XP Antispyware 2011 for 3 days. It completely controls my computer now. I have tried things like writing script to edit the registry that a tech on another site seemed to have success with, many people were helped with that one. It did nothing for mine though. I went into Safe Mode and it is even attacking my computer there, it keeps sending popups until the computer actually overheats and shuts down, it is a laptop. This is not just malware, this is destruction of property. It destroyed a $3,000 Lenovo computer that is just barely a year old. Your instructions are useless, I have seen them and similar ones on other sites. This program doesn’t call itself pw.exe anymore, I cannot find it in the task manager. I have closed virtually everything in task manager even crashing my computer to try to find what this thing is and it does not show up in the processes, they are sneakier than that now. Update your info to help people like me.

    Brian Reply:

    You’re right, the files aren’t the same as sites like this are listing. When I searched for it under the local profile it was labeled as Kay.exe. I think basically any executable file you find in your %UserProfile%\Local Settings\Application Data\ folder should be deleted, especially if it’s hidden. There were also several random character system files (with no extension) that I found throughout my local profile in some of the locations that were labeled above such as the %AppData%\Local\t3e0ilfioi3684m2nt3ps2b6lru, but not the same characters.

    Now, the thing that I’ve come to notice is I can’t run any .exe files now. Regedit, Malwarebytes install, etc. They all bring up the “open with” window as if they are an unrecognizable file. I’m currently looking for a way around this without having to reformat. I’ll post back if I find anything.

    Sally Reply:

    Sheila,
    I am on day one – I have been working on this one all afternoon. Agree it is no longer pw.exe. How frustrating!

    Matt Reply:

    “it keeps sending popups until the computer actually overheats and shuts down”

    More likely it’s just crashing because it runs out of RAM. I wrote a program when I was a kid that did the same thing.

    “It destroyed a $3,000 Lenovo computer”

    Your overpriced computer is fine. Software almost never damages hardware, especially on a PC. Worst case scenario is you’ll have to reinstall Windows (probably your best course of action at this point).

  2. Tj

    I logged in at my deviant art page and got the first pop up. I was able to stop the program initially and got a message if I want to close ijo.exe. I’m trying to follow the manual removal instructions but :( . Even in safe mode it boots. I’m trying to find solutions from my phone.

    Anti malware was able to run, found some programs but when it rebooted computer still infected.

  3. Rhys

    I found the source of mine,
    Located:
    C:\documents and settings\administrator\local settings\application data
    It was under the name txd.exe
    The only problem now is that I’m getting the “open with” box for all programs.

    Ea Reply:

    Same here.
    I need help on how to get my programs working again.

  4. anwar

    I’m on my first day of this and I don’t get how it happened. All I know is that it’s killing my computer.
    I found a process file, it’s wfd.exe. It stops the thing but if you open anything it goes right back on.

    Luciana Reply:

    Stopping malicious process is not enough to deal with frauds. Once you kill the process, run a search for the same name on your computer and delete the file. Remove all the things related to XP Antispyware 2011.

  5. Kurai EX

    Ahh, yes, I just simply do this:

    1. task manager
    2. end process with 3 letters.exe
    3. windows > run > %appdata%
    4. del same 3 letter.exe
    5. del random chain of about 6 lettersish with no extension

    that should bout do it :P

  6. dood

    The exe was named bdm.exe in task manager under process for me.
    It’s designed to change the name for the exe file so different people have different names to make it harder to detect and remove.
    I’ve had this particular piece of malware a couple times before and the last time I had it was about a year ago and I think it was called pw.exe.
    This time it was bdm.exe.
    It initially executed O78Ad7j.exe along with bdm.exe.
    It’s also designed to load the executable when your browser loads, thereby loading the damn malware.
    You can search your registry for references to the .exe file, whatever yours is named, and delete those.
    That usually at least gets it to stop loading with your web browser, making it possible to go online and find where all the rest of this fnkin reg entries are, that didn’t reference the exe file.
    If you delete all the suspicious junk from your user profile(s) (documents and settings)
    on top of deleting the references in the registry, that usually cripples MOST of the malware/spywares “auto load/execute” functions that I have had the displeasure of dealing with over the decades, including this one.
    But that just disables most of them, they still have a lot of registry files that were created that don’t reference the executable.
    All the registry keys they listed in the above removal instructions are exactly where they said they would be.
    The only difference was the name of the executable, which changes on purpose.
    Now for you people that are getting the “open with” windows, it sounds to me like something changed the file association for the exe file or whatever file type/extension you’re trying to open.
    I think the problem is in the “HKEY_CLASSES_ROOT” and/or “HKEY_CURRENT_USER” settings in the “.exe” and/or “exefile” subkey.
    But I’m not 100% sure.
    Just a gut feeling.

  7. Jack

    Very helpful, I deleted all the registries, though I couldn’t find most of them, then I deleted the files, couldn’t find any of them except udf.exe; it seems that it creates a new name for itself with each go.

  8. Jim C

    What worked for me was to run System Restore (run msconfig to access) and I picked a day a few days ago, before this plague hit me. So far, so good.
