It is a component of malware or spyware, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Name: winxn
Filename: winxn.exe
Registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | WinXn

Command: %Temp%\winxn.exe
Startup Type: HKCU->Run
HijackThis Category: O4
HijackThis Line:

O4 – HKCU\..\Run: [WinXn] %Temp%\winxn.exe

Combofix/RSIT Line:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“WinXn”=%Temp%\winxn.exe

Description: malware

How to remove: use HijackThis + Kaspersky virus removal tool

It is a fake security program, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Anti-Malware Lab associated files and folders:

C:\Documents and Settings\All Users\Application Data\da1933\AB120_121.exe
%UserProfile%\Application Data\Anti-Malware Lab
%UserProfile%\Application Data\Anti-Malware Lab\cookies.sqlite
%UserProfile%\Desktop\Anti-Malware Lab.lnk
%UserProfile%\Start Menu\Anti-Malware Lab.lnk
%UserProfile%\Application Data\Anti-Malware Lab\Instructions.ini
%UserProfile%\Start Menu\Programs\Anti-Malware Lab.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Anti-Malware Lab.lnk

Anti-Malware Lab associated registry keys and values:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Anti-Malware Lab

Core filename: AB120_121.exe
Command: C:\Documents and Settings\All Users\Application Data\da1933\AB120_121.exe
HijackThis shows Anti-Malware Lab:

O4 – HKCU\..\Run: [Anti-Malware Lab] “C:\Documents and Settings\All Users\Application Data\da2933\AB120_121.exe” /s /d

Description: Anti-Malware Lab is a fake antivirus software that installed through the use of trojans without user knowledge and permission. When is started, it will perform a fake scan and state that your computer is infected with viruses, spyware and malware. Moreover, this malware will display numerous fake security alerts and block legitimate and trustful applications used on your computer. In order to cure your PC, the program will suggest you to purchase its full version. Most important, do not pay for the fake antivirus! Instead, follow the removal guide below to remove Anti-Malware Lab from your computer for free using legitimate free antimalware software.

How to remove: use the Anti-Malware Lab removal guide or the steps below.

1. Reboot your computer in Safe mode with networking.

2. Reset proxy settings of your browser (this malware hijacked them) by doing: run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and click OK again.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

4. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:Commands
[emptytemp]
[resethosts]

Click the red Moveit! button. Close OTM.

It is a fake security program, you should immediately remove it using a legitimate antispyware or antivirus software. If that does not help, then ask us for help in the Spyware removal forum.

XP Antivirus 2012 associated files and folders:

%AppData%\[RANDOM CHARACTERS].exe

XP Antivirus 2012 associated registry keys and values:

HKEY_CURRENT_USER\Software\Classes\.exe
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\.exe\shell
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
HKEY_CURRENT_USER\Software\Classes\pezfile
HKEY_CURRENT_USER\Software\Classes\pezfile\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\pezfile\shell
HKEY_CURRENT_USER\Software\Classes\pezfile\shell\open
HKEY_CURRENT_USER\Software\Classes\pezfile\shell\open\command
HKEY_CURRENT_USER\Software\Classes\pezfile\shell\runas
HKEY_CURRENT_USER\Software\Classes\pezfile\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\pezfile\shell\start
HKEY_CURRENT_USER\Software\Classes\pezfile\shell\start\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command | @ = “”%AppData%\[RANDOM CHARACTERS].exe” /START “%1″ %*”
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command | IsolatedCommand = “”%1″ %*”
HKEY_CURRENT_USER\Software\Classes\.exe | @ = “pezfile”
HKEY_CURRENT_USER\Software\Classes\.exe | Content Type = “application/x-msdownload”
HKEY_CURRENT_USER\Software\Classes\pezfile\shell\open\command | @ = “”%AppData%\[RANDOM CHARACTERS].exe” /START “%1″ %*”
HKEY_CURRENT_USER\Software\Classes\pezfile\shell\open\command | IsolatedCommand = “”%1″ %*”
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command | “(Default)” = ‘”%AppData%\[RANDOM CHARACTERS].exe” -a “C:\Program Files\Mozilla Firefox\firefox.exe”‘
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command | “(Default)” = ‘”%AppData%\[RANDOM CHARACTERS].exe” -a “C:\Program Files\Mozilla Firefox\firefox.exe” -safe-mode’
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command | “(Default)” = ‘”%AppData%\[RANDOM CHARACTERS].exe” -a “C:\Program Files\Internet Explorer\iexplore.exe”‘

Core filename: [RANDOM CHARACTERS].exe
Description: XP Antivirus 2012 is a fake antivirus program that installed through the use of trojans without user knowledge and permission. When is started, it will perform a fake scan and state that your computer is infected with viruses, spyware and malware. Moreover, XP Antivirus 2012 will display numerous fake security alerts and block legitimate and trustful applications used on your computer. In order to cure your PC, the program will suggest you to purchase its full version. Most important, do not pay for the fake software! Instead, follow the removal guide below to remove XP Antivirus 2012 from your computer for free using legitimate free antimalware software.

How to remove: use the XP Antivirus 2012 removal instructions.

It is a fake security program, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

PC Security Guardian associated files and folders:

C:\Documents and Settings\All Users\Application Data\da1933\AB120_121.exe
%UserProfile%\Application Data\PC Security Guardian
%UserProfile%\Application Data\PC Security Guardian\cookies.sqlite
%UserProfile%\Desktop\PC Security Guardian.lnk
%UserProfile%\Start Menu\PC Security Guardian.lnk
%UserProfile%\Application Data\PC Security Guardian\Instructions.ini
%UserProfile%\Start Menu\Programs\PC Security Guardian.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\PC Security Guardian.lnk

PC Security Guardian associated registry keys and values:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | PC Security Guardian

Core filename: AB120_121.exe
Command: C:\Documents and Settings\All Users\Application Data\da1933\AB120_121.exe
HijackThis shows PC Security Guardian:

O4 – HKCU\..\Run: [PC Security Guardian] “C:\Documents and Settings\All Users\Application Data\da2933\AB120_121.exe” /s /d

Description: PC Security Guardian is a fake antivirus program that installed through the use of trojans without user knowledge and permission. When is started, it will perform a fake scan and state that your computer is infected with viruses, spyware and malware. Moreover, this malware will display numerous fake security alerts and block legitimate and trustful applications used on your computer. In order to cure your PC, the program will suggest you to purchase its full version. Most important, do not pay for the fake antivirus! Instead, follow the removal guide below to remove PC Security Guardian from your computer for free using legitimate free antimalware software.

How to remove: use the PC Security Guardian removal guide or the steps below.

1. Reboot your computer in Safe mode with networking.

2. Reset proxy settings of your browser (this malware hijacked them) by doing: run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and click OK again.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

4. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:Commands
[emptytemp]
[resethosts]

Click the red Moveit! button. Close OTM.

It is a fake security program, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Windows Power Expansion associated files and folders:

%AppData%\Microsoft\[RANDOM CHARACTERS].exe

Windows Power Expansion associated registry keys and values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe | Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe | Debugger
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell = “%AppData%\Microsoft\[RANDOM CHARACTERS].exe”

Core filename: [RANDOM CHARACTERS].exe
Description:Windows Power Expansion is a fake antivirus program that installed through the use of Microsoft Security Essentials Alert trojan without user knowledge and permission. When is started, it will perform a fake scan and state that your computer is infected with viruses, spyware and malware. Moreover, this malware will display numerous fake security alerts and block legitimate and trustful applications used on your computer. In order to cure your PC, the program will suggest you to purchase its full version. Most important, do not pay for the fake antivirus! Instead, follow the removal guide below to remove Windows Power Expansion from your computer for free using legitimate free antimalware software.

How to remove: use the Windows Power Expansion removal instructions.

It is a fake security program, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Windows Remedy associated files and folders:

%AppData%\Microsoft\[RANDOM CHARACTERS].exe

Windows Remedy associated registry keys and values:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe | Debugger
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe | Debugger
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell = “%AppData%\Microsoft\[RANDOM CHARACTERS].exe”

Core filename: [RANDOM CHARACTERS].exe
Description:Windows Remedy is a fake antivirus program that installed through the use of Microsoft Security Essentials Alert trojan without user knowledge and permission. When is started, it will perform a fake scan and state that your computer is infected with viruses, spyware and malware. Moreover, this malware will display numerous fake security alerts and block legitimate and trustful applications used on your computer. In order to cure your PC, the program will suggest you to purchase its full version. Most important, do not pay for the fake antivirus! Instead, follow the removal guide below to remove Windows Remedy from your computer for free using legitimate free antimalware software.

How to remove: use the Windows Remedy removal instructions.

It is a fake security program, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

System Defender associated files and folders:

C:\Program Files\System Defender
C:\Program Files\System Defender\System Defender.dll
%AppData%\Microsoft\Internet Explorer\Quick Launch\System Defender.lnk
%UserProfile%\Desktop\System Defender.lnk
%UserProfile%\Start Menu\Programs\Startup\{RANDOM}.lnk
C:\Documents and Settings\All Users\Application Data\{RANDOM}.avi
C:\Documents and Settings\All Users\Application Data\{RANDOM}.ico
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\{RANDOM}.lnk

System Defender associated registry keys and values:

HKEY_CLASSES_ROOT\CLSID\{RANDOM}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{RANDOM}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {RANDOM}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | {RANDOM}

Core filename: {RANDOM}
Description: System Defender is a fake antivirus program. When is started, it will perform a fake scan and state that your computer is infected with viruses, spyware and malware. Moreover, System Defender will display numerous fake security alerts and may block the legitimate and trustful applications used on your computer. In order to cure your PC, the program will suggest you to purchase its full version. Most important, do not pay for the fake software! Instead, follow the removal guide below to remove System Defender from your computer for free using legitimate free antimalware software.

How to remove: use the System Defender removal instructions or the steps below.

1. Reboot your computer in Safe mode with networking.
2. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

It is a fake security program, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Antivirus Monitor associated files and folders:

%Temp%\{RANDOM}\
%Temp%\{RANDOM}\{RANDOM}.exe

AAntivirus Monitor associated registry keys and values:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter | “Enabled” = “0″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyOverride” = “”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyServer” = “http=127.0.0.1:11215″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | “ProxyEnable” = “1″
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | {RANDOM}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | {RANDOM}

Core filename: {RANDOM}.exe
Command: C:\Documents and Settings\All Users\Application Data\{RANDOM}\{RANDOM}.exe
HijackThis shows Antivirus Monitor:

O4 – HKCU\..\RunOnce: [{RANDOM}] C:\Documents and Settings\All Users\Application Data\{RANDOM}\{RANDOM}.exe

Description: Antivirus Monitor is a fake antivirus program that installed through the use of trojans without user knowledge and permission. When is started, it will perform a fake scan and state that your computer is infected with viruses, spyware and malware. Moreover, Antivirus Monitor will display numerous fake security alerts and block all the legitimate and trustful applications used on your computer. In order to cure your PC, the program will suggest you to purchase its full version. Most important, do not pay for the fake software! Instead, follow the removal guide below to remove Antivirus Monitor from your computer for free using legitimate free antimalware software.

How to remove: use the Antivirus Monitor removal instructions or the steps below.

1. Reboot your computer in Safe mode with networking.
2. Reset proxy settings of your browser (this malware hijacked them) by doing: run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and click OK again.
3. Download HijackThis from here and save it to your desktop.
4. Run HijackThis. Click to Scan button. After HijackThis completes the system scan, check the box to the left of the following items:

O4 – HKCU\..\Run: [{RANDOM}] %Temp%\{RANDOM}.exe

Please be very careful, do NOT check any other boxes! Next, click on Fix checked on the bottom left side of the HijackThis screen. Close HijackThis.
5. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

It is a fake security program, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Internet Security Essentials associated files and folders:

C:\Documents and Settings\All Users\Application Data\da1933\AB120_121.exe
%UserProfile%\Application Data\Internet Security Essentials
%UserProfile%\Application Data\Internet Security Essentials\cookies.sqlite
%UserProfile%\Desktop\Internet Security Essentials.lnk
%UserProfile%\Start Menu\Internet Security Essentials.lnk
%UserProfile%\Application Data\Internet Security Essentials\Instructions.ini
%UserProfile%\Start Menu\Programs\Internet Security Essentials.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security Essentials.lnk

Internet Security Essentials associated registry keys and values:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Internet Security Essentials

Core filename: AB120_121.exe
Command: C:\Documents and Settings\All Users\Application Data\da1933\AB120_121.exe
HijackThis shows Internet Security Essentials:

O4 – HKCU\..\Run: [Internet Security Essentials] “C:\Documents and Settings\All Users\Application Data\da2933\AB120_121.exe” /s /d

Description: rogue antispyware program

How to remove: use the Internet Security Essentials removal guide or the steps below.

1. Reboot your computer in Safe mode with networking.

2. Reset proxy settings of your browser (this malware hijacked them) by doing: run Internet Explorer, Click Tools -> Internet Options. Select Connections Tab and click to Lan Settings button. Uncheck “Use a proxy server” box. Click OK and click OK again.

3. Download Malwarebytes Anti-malware. Install, perform a scan and let it remove what it found. Reboot afterwards (important).

4. Download OTM by OldTimer from here and save to your desktop.
Run OTM, copy,then paste the following text in “Paste Instructions for Items to be Moved” window (under the yellow bar):

:Commands
[emptytemp]
[resethosts]

Click the red Moveit! button. Close OTM.

It is a fake security program, you should immediately remove it using an antivirus and antispyware program. If that does not help, then ask us for help in the Spyware removal forum.

Windows User Satellite associated files and folders:

%AppData%\[RANDOM CHARACTERS].exe

Windows User Satellite associated registry keys and values:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell = “%AppData%\[RANDOM CHARACTERS].exe”

Core filename: [RANDOM CHARACTERS].exe
Description: Windows User Satellite is a fake antivirus program that installed through the use of trojans without user knowledge and permission. When is started, it will perform a fake scan and state that your computer is infected with viruses, spyware and malware. Moreover, Windows User Satellite will display numerous fake security alerts and block legitimate and trustful applications used on your computer. In order to cure your PC, the program will suggest you to purchase its full version. Most important, do not pay for the fake software! Instead, follow the removal guide below to remove Windows User Satellite from your computer for free using legitimate free antimalware software.

How to remove: use the Windows User Satellite removal instructions.