
XP Anti-Spyware

Posted: April 9, 2011

XP Anti-Spyware performs the same kinds of malicious and deceptive attacks on your PC as many other confirmed rogue security programs, including creating fake pop-up alerts, taking control of your browser and shutting down programs without your permission. XP Anti-Spyware renames itself to match the operating system of each computer it infects, so you will only see the name XP Anti-Spyware on a PC running Windows XP; the same rogue circulates under countless slightly different names. Infection by XP Anti-Spyware results in a heavy loss of control over your computer and reduced security, so you should remove XP Anti-Spyware promptly rather than paying into its fraudulent product activation scam.

Just a New Edition of Older Rogue Dangers

XP Anti-Spyware is part of a larger rogue program family that changes its name by attaching year-based suffixes and operating-system-based prefixes. On a Vista system the same rogue appears as Vista Anti-Spyware; other names include XP Anti-Spyware 2011, XP Security 2011, XP Security and Win 7 Anti-Spyware 2011, to give just a few examples. The name matters less than what XP Anti-Spyware does, which is always harmful to your PC.

You can acquire an XP Anti-Spyware infection through the following methods:

  • By downloading XP Anti-Spyware deliberately after seeing it promoted on a malicious website or on a general-purpose website with lax controls on uploaded files. Never download an application without checking reviews of its reputation from a wide range of sources.
  • By downloading XP Anti-Spyware after an online scanner tells you to do so. Many fake system scanners hosted on malicious websites will report that your PC is infected and then offer a rogue security program as the download. Don't trust a scanning service unless you know that its source has a good reputation.
  • By visiting a malicious website that downloads and installs XP Anti-Spyware without your permission by exploiting web browser vulnerabilities. Keeping plugins, pop-ups, Flash and JavaScript disabled for untrusted websites can help you avoid this.

Once XP Anti-Spyware has installed itself on your hard drive and added startup entries to your Registry, it will begin displaying fake errors like these:

System danger!
Your system security is in danger. Privacy threats detected. Spyware, keyloggers or Trojans may be working the background right now. Perform an in-depth scan and removal now, click here.

Stealth intrusion!
Infection detected in the background. Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perform a security scan and deletion now.

System Hijack!
System security threat was detected. Viruses and/or spyware may be damaging your system now. Prevent infection and data loss or stealing by running a free security scan.

Attention: DANGER!
ALERT! System scan for spyware, adware, trojans and viruses is complete.
Windows 7 Total Security detected 35 critical system objects.

Privacy threat!
Spyware intrusion detected. Your system is infected. System integrity is at risk. Private data can be stolen by third parties, including credit card details and passwords. Click here to perform a security repair.

XP Anti-Spyware makes no real attempt to scan your PC before generating these errors, so you don't need to worry about any of the spyware, keyloggers, adware, viruses or other infections it claims to detect.

Attacks by XP Anti-Spyware You May Not See Coming

This isn't the end of your troubles from XP Anti-Spyware, though. XP Anti-Spyware can also hijack your web browser. This will change your homepage and search results, force you to visit malicious websites and prevent access to security-oriented websites through fake warning messages.

You may also find that various programs, especially anti-virus scanners and utilities like Task Manager and MSConfig, don't work while XP Anti-Spyware is active. The Registry entries listed below show how: the rogue rewrites the .exe file association so that every program launch is routed through its own pw.exe, which then decides whether the program is allowed to run. Finally, even deleting files may be disabled! Stopping all of these serious attacks requires that you first stop XP Anti-Spyware from launching during Windows startup.

The easiest way to stop XP Anti-Spyware and similar rogue anti-spyware programs from launching is to use Safe Mode, which is available from an alternate startup menu in Windows. Pressing F8 before Windows loads lets you reach Safe Mode and remove XP Anti-Spyware without the rogue interfering. However, you should use a reputable anti-malware program for the removal rather than deleting the files yourself, since manual deletion has been reported to cause a variety of system problems.

File System Modifications

  • The following files were created in the system:
    1. %UserProfile%\AppData\Local\MSASCui.exe
    2. %UserProfile%\AppData\Local\opRSK
    3. %UserProfile%\AppData\Local\pw.exe
    4. %UserProfile%\Local Settings\Application Data\MSASCui.exe
    5. %UserProfile%\Local Settings\Application Data\opRSK
    6. %UserProfile%\Local Settings\Application Data\pw.exe

Registry Modifications

  • The following Registry values and keys were newly created:
    Subkeys:
    HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "%1" %*
    HKEY_CURRENT_USER\Software\Classes\pezfile
    HKEY_CURRENT_USER\Software\Classes\pezfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "%1" %*
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
    Registry Keys:
    HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "%1" %*
    HKEY_CLASSES_ROOT\pezfile
    HKEY_CLASSES_ROOT\pezfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "%1" %*
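The Registry entries above are what a defender would audit for on a suspect machine, and they also explain the program-blocking behaviour described earlier. The following Python script is an added example, not code from this write-up or from any vendor: it parses text in the format produced by `reg export` and flags the four changes listed, namely the hijacked .exe file association (the stock Windows value is `"%1" %*`), the rogue's own `pezfile` class, Start Menu browser launchers redirected through an executable in a per-user data directory, and the Security Center override flags. The .reg samples inside it are constructed for illustration from the values on this page; the rule for the `exefile` key generalises beyond the `.exe` key the page lists and is an assumption based on the stock Windows association.

```python
"""
Audit a Windows registry export (.reg text) for the changes this rogue makes:
the .exe file-association hijack, the rogue's own 'pezfile' class, browser
launchers redirected through a per-user data directory, and the Security
Center override flags. Added example; the .reg samples below are constructed,
modelled on the values listed in the write-up (pw.exe path, pezfile class).
"""

# Constructed sample, shaped like `reg export` output from an infected machine.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"%UserProfile%\\Local Settings\\Application Data\\pw.exe\" /START \"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\pezfile\shell\open\command]
@="\"%UserProfile%\\Local Settings\\Application Data\\pw.exe\" /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"%UserProfile%\\Local Settings\\Application Data\\pw.exe\" /START \"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

# Constructed clean counterpart: the stock .exe association and no overrides.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
'''


def _unescape(s):
    # Undo .reg string escaping: a backslash makes the next character literal.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}}.

    Handles the subset needed here: quoted REG_SZ strings ("@" is the default
    value) and dword values. Value names containing '=' are not supported.
    """
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, raw = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = _unescape(raw[1:-1])
        else:
            value = raw
        entries[current][name] = value
    return entries


# Per-user data directories the rogue drops pw.exe into (both XP and Vista+ layouts).
USER_DATA_DIRS = ("\\local settings\\application data\\", "\\appdata\\local\\")
# What Windows itself puts under exefile\shell\open\command.
STOCK_EXE_COMMAND = '"%1" %*'


def audit(entries):
    """Return a list of (key, value_name, reason) findings from parsed .reg entries."""
    findings = []
    for key, values in entries.items():
        k = key.lower()
        default = values.get("(Default)", "")
        # 1. .exe association hijack: every program launch is routed through pw.exe.
        if k.endswith("\\.exe\\shell\\open\\command") or k.endswith("\\exefile\\shell\\open\\command"):
            if default.strip() != STOCK_EXE_COMMAND:
                findings.append((key, "(Default)", "exe association hijacked: " + default))
        # 2. The rogue's own file class (listed on the page as 'pezfile').
        if "\\classes\\pezfile" in k or k.startswith("hkey_classes_root\\pezfile"):
            findings.append((key, "", "rogue 'pezfile' class present"))
        # 3. Start Menu browser launchers that run from a per-user data directory.
        if "\\clients\\startmenuinternet\\" in k and k.endswith("\\command"):
            if any(d in default.lower() for d in USER_DATA_DIRS):
                findings.append((key, "(Default)", "browser launch redirected: " + default))
        # 4. Security Center overrides silence the missing-AV/firewall warnings.
        if k.endswith("\\microsoft\\security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if values.get(name) == 1:
                    findings.append((key, name, "Security Center warning suppressed"))
    return findings


if __name__ == "__main__":
    for key, name, reason in audit(parse_reg(INFECTED_REG)):
        print(f"{reason}\n    {key} [{name}]")
```

To use it on a real machine, export the hives with `reg export` (one file per hive of interest), read the files as text and pass the contents to `parse_reg`; the hijacked association is the finding to act on first, since it is what stops security tools from launching. Note that `reg export` writes UTF-16 by default, so open the file with that encoding before parsing.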

2 Comments

  • teefer2.sys says:

    I've caught this thing twice. It's really freaking hard to remove. Avira couldn't even detect it in Safe Mode. Fortunately, now, I've blocked all of the involved sites this page lists. Hopefully that'll be the last I hear of it.

  • system tool virus removal windows xp says:

    I woke up and I had this problem also. When I followed the instructions I told my system administrator about the website and he manually took out sysguard.exe.
