Microsoft security software detects and removes this threat.

Win32/FakeXPA is a family of programs that claim to scan for malware and display fake warnings about malicious programs and viruses. They then ask you to pay for and register the software to remove these fake threats from your PC. Some members of Win32/FakeXPA can also download other malware and have been observed in the wild downloading variants of Win32/Alureon.

What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

You can also visit the Microsoft virus and malware community for more help.

Restore files from backup

This threat might delete files that won't be restored when it is detected and removed. You might need to restore the deleted files from a backup.

Threat behavior

Rogue:Win32/FakeXPA has been distributed with many different names. The user interface and other details change depending on each individual branding.

FakeXPA distributions

For detailed information on the particular subvariants of this family, including their methods of installation and additional payloads, please select the appropriate link from the list below:

Branding/Name of distribution

  • Antivirus 2009
  • Antivirus 2010
  • Antivirus BEST
  • Cyber Security (no example image available)
  • Green AV
  • Personal Antivirus
  • Personal Security
  • XP Antivirus
  • Antivirus 7
  • Antivirus GT
  • AVG Antivirus 2011

Some variants of Rogue:Win32/FakeXPA's installer have been observed installing an additional malware component, which it writes to the same folder as the fake scanner. This component has a file name like win.exe.


Overwrites security software files

When run, some variants of the rogue check the registry to determine the installation location of software from the following companies:

  • Avast
  • AVG
  • Kaspersky
  • McAfee
  • Norton

If any of these are present, the rogue will use low-level NTFS (New Technology File System) disk writes to overwrite portions of their corresponding executable files. Once this has occurred, the files can no longer be run. This effectively disables the security software in question. The following files are targeted:

  • afwServ.exe
  • AvastSvc.exe
  • avastUI.exe
  • avgam.exe
  • avgcclix.dll
  • avgcsrvx.exe
  • avgfws.exe
  • avgnsx.exe
  • avgrsx.exe
  • avgtray.exe
  • avgwdsvc.exe
  • avp.exe
  • ccSvcHst.exe
  • mcagent.exe
  • mcmscsvc.exe
  • mcnasvc.exe
  • mcregist.exe
  • McSACore.exe
  • mcshield.exe
  • mcsysmon.exe
  • MPFSrv.exe
  • MskSrver.exe

Note that the disk writes are performed in a way that allows them to succeed even while the target file is in use, for example while the security product's service is running. Because the writes go to the disk directly rather than through the normal file API, if the operating system had already accessed the file before the malware ran, the change may not be apparent until your PC is restarted. The overwrite only succeeds if the volume containing the files is formatted with NTFS.
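The following PowerShell script is an added triage example, not code from the Microsoft encyclopedia entry or from the malware itself. It looks for the target file names listed above under the Program Files directories (an assumption; the rogue locates the products through the registry, but the exact keys are not given on this page), and flags any file whose DOS/PE header no longer parses or whose embedded Authenticode signature no longer matches the file contents, which is what a partially overwritten executable looks like. The function and variable names are hypothetical.

```powershell
# Added example (not from the encyclopedia entry): report security-software
# executables that appear to have been partially overwritten on disk.

# File names named on the page as overwrite targets.
$TargetNames = @(
    'afwServ.exe','AvastSvc.exe','avastUI.exe','avgam.exe','avgcclix.dll',
    'avgcsrvx.exe','avgfws.exe','avgnsx.exe','avgrsx.exe','avgtray.exe',
    'avgwdsvc.exe','avp.exe','ccSvcHst.exe','mcagent.exe','mcmscsvc.exe',
    'mcnasvc.exe','mcregist.exe','McSACore.exe','mcshield.exe','mcsysmon.exe',
    'MPFSrv.exe','MskSrver.exe'
)

# Assumption: the products live under Program Files. A fuller triage would
# read InstallLocation from the Uninstall keys in the registry instead.
$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }

function Test-PeHeader {
    param([string]$Path)
    # Reads only the 64-byte DOS header and the 4-byte PE signature. A file
    # whose first sectors were overwritten fails here regardless of signing.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $hdr = New-Object byte[] 64
        if ($fs.Read($hdr, 0, 64) -lt 64) { return $false }
        if ($hdr[0] -ne 0x4D -or $hdr[1] -ne 0x5A) { return $false }   # 'MZ'
        $peOffset = [BitConverter]::ToInt32($hdr, 60)                   # e_lfanew
        if ($peOffset -lt 64 -or $peOffset -gt ($fs.Length - 4)) { return $false }
        $null = $fs.Seek($peOffset, 'Begin')
        $sig = New-Object byte[] 4
        if ($fs.Read($sig, 0, 4) -lt 4) { return $false }
        # 'PE\0\0'
        return ($sig[0] -eq 0x50 -and $sig[1] -eq 0x45 -and $sig[2] -eq 0 -and $sig[3] -eq 0)
    } finally {
        $fs.Dispose()
    }
}

function Get-OverwrittenAvFiles {
    param([string[]]$Roots = $SearchRoots, [string[]]$Names = $TargetNames)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Include $Names -ErrorAction SilentlyContinue |
            ForEach-Object {
                # A locked or unreadable file is reported as suspect rather than skipped.
                $headerOk = try { Test-PeHeader -Path $_.FullName } catch { $false }
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    HeaderOk  = $headerOk
                    Signature = $sig.Status   # Valid, HashMismatch, NotSigned, ...
                    # HashMismatch means the bytes no longer match the embedded signature.
                    Suspect   = (-not $headerOk) -or ($sig.Status -eq 'HashMismatch')
                }
            }
    }
}

Get-OverwrittenAvFiles | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Because the rogue writes beneath the file system, a check run through the normal file API on a still-running system can read cached, intact data and report a clean result; run it after a restart or against the volume from offline media for a trustworthy answer. A NotSigned status on its own is not evidence of tampering, since not every vendor embeds a signature in each binary.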

After the rogue has finished running, it might display the following dialog:

Analysis by David Wood & Hamish O'Dea


Refer to each of the different brands above for symptoms specific to that brand.


Alert level: Severe
This entry was first published on: Aug 17, 2010
This entry was updated on: Mar 12, 2014

This threat is also detected as:
  • XP Antivirus (other)
  • Antivirus 2009 (other)
  • Antivirus 2010 (other)
  • Antivirus 360 (other)
  • Total Security (other)
  • AntivirusBEST (other)
  • GreenAV (other)
  • Alpha Antivirus (other)
  • AlphaAV (other)
  • Cyber Security (other)
  • Cyber Protection Center (other)
  • Nortel (other)
  • Eco AntiVirus (other)
  • MaCatte (other)
  • Antivirus (other)
  • Antivir (other)
  • Personal Security (other)
  • Antivir 2010 (other)
  • Antivirus7 (other)
  • Antivirus GT (other)
  • Earth Antivirus (other)
  • Trojan:Win32/FakeXPA (Microsoft)
  • Antivirus 8 (other)
  • AV8 (other)
  • AVG Antivirus 2011 (other)
  • E-Set Antivirus 2011 (other)
  • BitDefender 2011 (other)