Remove XP Security 2012

Removal instructions

Severity scale:  (68 / 100)

XP Security 2012 is a fake security program that pretends to be a malware removal tool. This rogue anti-spyware usually comes unnoticeably without any permission asked, so if you find XP Security 2012 on your computer you are most likely to have got it through a Trojan. These Trojans not only install this fake anti-spyware thing but also change the Registry and drop fake random files which later are detected as malware.

Security experts announce that when installed on different OS, XP Security 2012 appears in different name, though the malcode stays the same. So, when using Win 7 Antispyware name, the trial version of this parasite infects only Windows XP OS. Installed without any knowledge and consent, program firstly applies the tactics typical for this type of malware. It usually triggers fabricated general system scans that return the results which can be easily predetermined. Don’t get surprised after being informed that various threats of different severity are detected, please ignore such alerts:

Stealth intrusion!
Infection detected in the background. Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perform a security scan and deletion now.

XP Security 2012 Alert
Security Hole Detected!
A program is trying to exploit Windows security holes! Passwords and sensitive data may be stolen. Do you want to block this attack?

XP Security 2012 Alert
Internet Explorer alert. Visiting this site may pose a security threat to your system!
Possible reasons include:
- Dangerous code found in this site’s pages which installed unwanted software into your system.
- Suspicious and potentially unsafe network activity detected.
- Spyware infections in your system
- Complaints from other users about this site.
- Port and system scans performed by the site being visited.

Things you can do:
- Get a copy of Vista Security 2012 to safeguard your PC while surfing the web (RECOMMENDED)
- Run a spyware, virus and malware scan
- Continue surfing without any security measures (DANGEROUS)

XP Security 2012 also generates fake positives that report infections that are expected to make you doubt about your PC security. Keep in mind that clicking on any pop-up add will automatically get you into XP Security 2012 "official" website. These sites must be avoided because they only aggressively promote its “full” commercial version. Don’t buy this scam, because you will only support the scammers. Having XP Security 2012 “licensed” version is useless because it will lead you into finding your computer dramatically slow and vunerable to other viruses. To sum up, it must be clear that XP Security 2012 must be removed as soon as possible, so please, don’t waste any minute and delete this scam.  Also, you can use one of these codes 3425-814615-3990, 2233-298080-3424 or 9443-077673-5028 to register the rogue program. Once activated, it won't block web browsers and anti-spyware software.

Automatic XP Security 2012 removal:

Malwarebytes Anti Malware

Download | review

Tested and Confirmed! Malwarebytes Anti Malware removes XP Security 2012 (2011-06-08 13:45:40)

STOPzilla

Download | review

Tested and Confirmed! STOPzilla removes XP Security 2012 (2011-06-08 13:45:40)

Spyware Doctor

Download | review | tutorial

We are testing Spyware Doctor's efficiency at removing XP Security 2012 (2012-04-10 17:16:46)

XoftSpySE Anti Spyware

Download | review

XP Security 2012 manual removal:

FORUM:
Discuss XP Security 2012 in
spyware removal forum

Kill processes:
kdn.exe, ppn.exe and similar, three or more letter randomly named , processes

HELP:
how to kill malicious processes

Delete registry values:
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'

HELP:
how to remove registry entries

Delete files:
%AllUsersProfile%\Application Data\u3f7pnvfncsjk2e86abfbj5h
%AppData%\kdn.exe
%LocalAppData%\u3f7pnvfncsjk2e86abfbj5h
%Temp%\u3f7pnvfncsjk2e86abfbj5h
%UserProfile%\Templates\u3f7pnvfncsjk2e86abfbj5h
%LocalAppData%\[random characters].exe

HELP:
how to remove harmful files

QR code for XP Security 2012 removal instructions:

QR is short for Quick Response. They can be read quickly by the mobile phones. QR codes can store more data than standard barcodes, including url links, geo coordinates, and text.

The reason we add QR code to the website is that parasites like XP Security 2012 are really hard to remove on infected computer. you can quicly scan the QR code with your mobile device and have manual removal instructions to uninstall XP Security 2012 right in your pocket.

Simply use the QR scanner and read removal instructions from mobile device.

Additional resources:

1

0

K. Grey

Thanks fot the helpful information, however I found that my harmful process was named under lrl.exe

Reply »

2011 06 12

0

1

John

After removing this malware with malwarebytes, my internet explorer, outlook express, nor windows explorer work. Did I not catch everything or is there something else I need to do?

Reply »

2011 06 14

0

0

NOMAD

use combofix and then malwarebyres anti malware. That took care of my problem

Reply »

2011 06 20

0

0

Maestro

Ill second the combofix/malwarebytes method. It worked for me as well.

Reply »

2012 01 04

0

0

Jason

The process name varies and will appear in the registry key(s). Mine was uyn.exe

Reply »

2011 06 21

0

0

Adam

I can verify Jason and K. Greys comments about the variety of the process name, on my Dads computer it was called rlm.exe. Fortunately the file name always seems to be always three letters long, once I identified it I was able to remove it.

Reply »

2011 06 21

0

0

Batclaw

When I got this it used tnj.exe not instead of kdn.exe
Example
"C:Documents and Settings...Local SettingsApplication Datatnj.exe" -a "C:Program FilesMozilla Firefoxfirefox.exe"

Reply »

2011 06 23

0

0

Dennis

Hi Dummies
Just go to an earlier restore point, shut down and restart and make an new restore point. After restart delete all previouse restore points and let malware check your system.
And done wiyh that
gretings from [edited]@gmail.com

Reply »

2011 06 25

0

1

Amanda

I did that seems to work

Reply »

2011 11 26

0

0

Maria

I am doing what you suggest because it seems lke the only right way. However, when i restart to delete all previous restore point and let malware check m y system; which will be the restore point if something should happen again like if that stupid fake program installs itself again, if all previously made restore points are deleted. IM confused.

Reply »

2012 01 16

0

0

kenneth

Once you have finished removing the infection, just create a restore point for the now working computer so youll have something to restore it to later should the issue arrise again. :)

Reply »

2012 01 17

1

0

Bo

We are trying to delete the XP Security 2012 malware program using MalwareBytes, but we cannot actually load the MalwareBytes software. We have successfully downloaded the install .exe file for MalwareBytes, but whenever we try to run it. XP Security 2012 software blocks the install program from launching. Does anyone know how to get past this or have other suggestion?

Reply »

2011 06 26

0

0

JC

I did everything listed here and ran multiple anti-malware scanners, but it wont go away! I had to give it a fake product key so its not doing anything harmful right now, but I want it gone!

Reply »

2011 06 30

0

0

JohnF

My virus file was called orw.exe, but it can have many names.

Im no expert, but... Open your task manager and watch the processes.

Now open IE or Firefox and watch for a new process to show up when security center runs. That will be the file you search for and delete at the end of all this.

Reply »

2011 07 06

0

0

gunhed

Followed the instructions... other than the obvious .exe filename difference, it worked!

Once I was able to determine the process name, I simply killed the process, dumped the offending files into another folder, deleted them, and was able to run MalwareBytes afterward. It all seems to be working now... thanks!

Reply »

2011 07 20

1

0

Bex29782

My computer wont let me restore it to an earlier time and the xp security virus wont let me get on the internet to fix it! Ive tried to delete the files but its took over my computer and wont even let me open files!! Gonna have to completely wipe my hard drive!! :( Get it off asap people!!

Reply »

2011 07 24

0

0

Rhambeaux

Virus wont let you run system restore from control panel. I ran msconfig which then allowed me to use system restore. Restored system.
Then I was able to run virus scan and registry repair tool. So far so good.

Reply »

2011 12 15

0

0

DDDDDDD

Use CTRL - SHIFT - ESC right after log in to bring up Task Manager. Then kill the process thats bringing up the window. Mine was named csc.exe. Once youve killed the process,. you can do the manual stuff above, but I also run Malwarebytes (Free) for a full scan to get rid of it.

Reply »

2011 08 02

0

0

Sam

Start in safe mode (F8 on boot) then install Malewarebytest. perform a complete scan to clean your system.

Reply »

2011 08 03

0

1

hasan

how to remove xp security 2012

Reply »

2011 08 04

0

0

mike

in the past killing the process has been effective, but this time it just restarts automatically. Started in safe mode, but malwarebytes wont run, the stupid malware just starts again. Tried reinstalling malware bytes, but same reaction....what to do?

Reply »

2011 08 04

2

0

Vinay

1. Running Malwarebytes :

The so called virus in this case blocks all .exe files to be executed hence ;
first rename the setup file to .bat extension and then the setup will run so you can install it.

Once installed again the .exe file in C:/Program Files/.../Malwarebtes Antimalware.exe will not work so again rename that to .bat extension and then run the application.

This time it will work and then do the full scan and it will be cleaned.

2. Other alternative Solution is running Kaspersly Virus Removal Tool in safe mode
http://support.kaspersky.com/viruses/avptool2011?level=2


3. Another Alternative[Ultimate last resort ] Kaspersky Rescue Disk
http://support.kaspersky.com/viruses/rescuedisk?level=2

Reply »

2011 08 12

0

0

geo

You are awesome changing to .bat is borderline genius

Reply »

2011 12 13

0

0

Jazz

Thank you so much. follow your instruction I was able to remove it!

Reply »

2011 12 17

0

0

Tom

WOW!!!! As the neighborhood computer troubleshooter, Ive battled these rogue "fake security" programs dozens of times in the last couple of years, and have NEVER seen such an elegant solution as simply changing the malwarebytes (or other trusted software) to a batch file!!! Pure genius. One of those, "why the hell didnt I think of that?" moments.

Reply »

2011 12 22

0

0

john

found instructions to work but mine was installed as ivh.exe

Reply »

2011 08 15

0

0

Bert

I had do kill gju.exe proces.

Reply »

2011 08 21

0

0

radrr

Hi, my application name of XP Security 2012 was rsp.exe.

Reply »

2011 08 21

0

0

Happy Remover Guy

The program probably assigns 3 random Alpha characters to create the .exe name. Mine was .hrb! :)

Deleted the registry entries above and everything seems square. Thanks for the info! Even n00bs can fix it. Cheers.

Reply »

2011 11 28

0

0

Frank

There may be a companion parasite that reloads XPS 2012 and acts as a redirector and messes with file associations. On the system I just worked on the xps 2012 file was xul.exe. The companion was _68-ex.exe. I had to go through the registry twice to clean the entries, and the three files we are instructed to delete did not exist.

Reply »

2011 11 30

0

0

Ignasijus

I had do kill gju.exe proces.

Reply »

2011 12 01

0

0

anonymous

I found that it only seems to run under one profile, so if you have other user accounts on the computer you might be able to log in as one of them to do the Malwarebytes scans. I also then renamed the infected profile, and the user was able to log in again creating a new profile in the process, and thus far has not had the XP security 2012 show up again.

Reply »

2011 12 02

0

0

anonymous

my computer wont even let me enter safe mode after I select it. All of a sudden a blue screen appears for a millisecond and restarts my computer what can I do?

Reply »

2011 12 05

0

0

Mike

I had to kill ixh.exe.

Reply »

2011 12 06

0

0

waone

mine is hoy.exe. im trying clean it now

Reply »

2011 12 07

0

0

mrsverdantgreen

Hubbys was tpb.exe. Instructions worked wonderfully, thanx so much!

Reply »

2011 12 07

0

0

Bob

Spybot worked for me

Reply »

2011 12 08

0

0

Jeff

System restore, then a malware-bytes scan was and poof, it was gone.

Reply »

2011 12 21

0

0

Cody

Thank you so much! Ive had this program for weeks and have been begging friends to look it up for me. Its a blessing to have my internet back! :D

Reply »

2011 12 25

0

0

EJ

The registration key 3425-814615-3990 doesnt work. Does someone has an updated one?

Reply »

2011 12 27

1

0

Cody

Dude, theres no point in doing that.

Reply »

2011 12 27

0

0

Ant

Go into safe mode (usually hit the F12 button on the load up page before the windows logo) once in safe mode restore to a few days previous to infection and then itt will be gone, then scan computer for malware and anti virus.

Reply »

2011 12 28

0

0

LC

I had just downloaded Malwarebytes and was about to install it when McAfee started automatically downloading an update. I waited for it to finish, as the update process is a big memory hog on my old computer, and at the end of the installation, McAfee notified me it had removed a trojan named gey.exe. This was the 3-letter name the XP Security 2012 was using. And it was totally gone - I rebooted, and it didnt come back! McAfee did the job automatically.

Reply »

2011 12 31

0

0

Angela

My virus name was jua.exe. First I killed the process to be able to access thee internet. Then i searched for it and deleted it. But then after for some reason I wasnt able to open .exe files so I went to the registry data by typing in regedit on the command prompt and had to change the exe value to exefiles (I followed this video: http://www.youtube.com/watch?v=HCVHM_pJo80) After I downloaded malwarebytes and they took care of the rest :)

Reply »

2012 01 03

0

0

mikey

Ive done everything listed above, but I still cant renew my ip address! This is driving me crazy. tried to use system restore, but it wont let me. My files seem to be clear, although in my system32/drivers folder, I got a warning from AVG that my netbt.sys file is infected. b

Reply »

2012 01 09

0

0

shiva

sir, the registration key working fine--3425-814615-3990 -- now it is accepted this , what else i do sir, is that my poplem solved?//
As now computer is working normal with all firewall protection , auto update ,pc protection all ON

Reply »

2012 01 12

0

0

Chaos

psf.exe on mine and thanks for the .bat tip it worked beautifully.^-^

Reply »

2012 01 13

Post Comment:

Attention: Use this form only if you have additional information about XP Security 2012 parasite, its removal instructions, additional resources or behavior. By clicking "post comment" button you agree not to post any copyrighted, unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, profane, hateful, racially, ethnically or otherwise objectionable material of any kind.

Home page Name



«


* All field required