XP Total Security 2011

XP Total Security 2011 is a deceptive security program that displays excessive pop-up alerts and warning messages, aiming to persuade users into obtaining its licensed version. The XP Total Security 2011 virus is ordinarily distributed by a Trojan infection, which is often caused by a security flaw. The most recent versions of the Trojan easily muscle their way in undetected by antivirus programs by using a rootkit method. This technique conceals the Trojan’s presence by masking illicit activities while maintaining normal operation.

This cleverly developed rogue software is restricted to XP operating systems only. It manages to transform into Win 7 Total Security 2011 or Vista Total Security 2011 based on the PC’s operating system. The presence of XP Total Security 2011 brings quite a lot of annoyances, including browser redirection, wherein a requested web page is re-routed to a different server. As expected, this web site was built to download more threats onto the already infected PC. Additionally, XP Total Security 2011 periodically displays identified threats and security intrusions.

Furthermore, XP Total Security 2011 obstructs execution of any installed software, indicating that opening was prevented due to virus infection. The same dialog box prompts for immediate treatment using the full working version of XP Total Security 2011. This deceptive method of marketing a rogue program is frequently used by rogue developers. So beware of security programs advertised by unknown sources.

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

XP Total Security 2011 Removal Procedures

XP Total Security 2011 REMOVAL TOOL:
To automatically remove XP Total Security 2011 without going through the complicated process of finding and deleting files and registry entries, download, install and scan with Malwarebytes Anti-Malware. This tool has proven competent when dealing with rogue security applications.

In some instances, the Trojan linked to XP Total Security 2011 blocks the download and execution of MBAM. A situation like this requires a separate, clean computer to download the file. Don’t forget to rename it to something like [anything].exe before executing it on the compromised PC.

1. Press Ctrl+Alt+Del on the keyboard to stop the process associated with “XP Total Security 2011”. When Windows Task Manager opens, go to the Processes tab, then find and end the following process:
(random 3 characters).exe

2. Update your installed antivirus application so that it has the latest database.

3. Thoroughly scan the system and remove any detected threats. If removal is not permitted, it is best to quarantine the infected item. Malicious files should also be located and deleted manually. See the files listed below that are related to XP Total Security 2011.

4. Registry entries created by XP Total Security 2011 must also be removed from the Windows system. Refer to the entries listed below that are associated with the rogue program.
– For Windows 2000/XP: Go to Start > Run, type “regedit” in the dialog box, then press Enter on the keyboard.
– For Windows Vista/7: Go to Start > Search Program and Files, type “regedit” and press Enter.

5. Exit registry editor.

6. Get rid of the XP Total Security 2011 start-up entry by going to Start > Run and typing msconfig in the “Open” dialog box. A window containing the System Configuration Utility will be launched. Go to the Startup tab and uncheck the following start-up item(s):
(random 3 characters).exe

7. Click Apply and restart Windows.

Technical Details and Additional Information:

Malicious Files Added by XP Total Security 2011:

Windows 7 and Windows Vista Operating Systems
%AppData%\Local\[random 3 characters].exe

Windows XP Operating System
%UserProfile%\Local Settings\Application Data\[random 3 characters].exe

File Location for Windows Versions:

  • %AllUserProfile% for Vista/7 user is C:\ProgramData while for Windows XP/2000 this is C:\Documents and Settings\All Users\
  • %UserProfile% is C:\Users\<Current User> for Windows Vista/7, for Windows XP/2000 this is C:\Documents and Settings\<Current User>.
  • %AppData% for Vista/7 refers to C:\Users\<Current User>\AppData\Roaming, while for Windows XP/2000 user it is C:\Documents and Settings\<Current User>\Application Data.
  • %Temp% refers to C:\Windows\Temp\.

XP Total Security 2011 Registry Entries:
HKEY_CURRENT_USER\Software\Classes\.exe “(Default)” = ‘exefile’
HKEY_CURRENT_USER\Software\Classes\.exe “Content Type” = ‘application/x-msdownload’
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon “(Default)” = ‘%1’ = ‘”%UserProfile%\Local Settings\Application Data\[random 3 characters].exe” /START “%1” %*’
HKEY_CURRENT_USER\Software\Classes\exefile “(Default)” = ‘Application’
HKEY_CURRENT_USER\Software\Classes\exefile “Content Type” = ‘application/x-msdownload’
HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon “(Default)” = ‘%1’
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random 3 characters].exe” /START “%1” %*’
HKEY_CLASSES_ROOT\.exe\DefaultIcon “(Default)” = ‘%1’
HKEY_CLASSES_ROOT\.exe\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random 3 characters].exe” /START “%1” %*’
HKEY_CLASSES_ROOT\exefile\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random 3 characters].exe” /START “%1” %*’
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random 3 characters].exe” /START “C:\Program Files\Mozilla Firefox\firefox.exe”‘
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random 3 characters].exe” /START “C:\Program Files\Mozilla Firefox\firefox.exe” -safe-mode’
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random 3 characters].exe” /START “C:\Program Files\Internet Explorer\iexplore.exe”‘
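
The entries above share one pattern: a launch command is rewritten so that the rogue executable runs first and receives the real program after /START. The following is an added example, not part of the original article: a Python script that scans the text of a registry export, taken to a clean computer, for that pattern. The sample export, the stand-in name abc.exe and the function names are constructed for illustration.

```python
import re

# Constructed sample in .reg export format (not taken from a real machine).
# "abc.exe" stands in for the page's "[random 3 characters].exe".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="exefile"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\abc.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\abc.exe\" /START \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="C:\\Program Files\\Mozilla Firefox\\firefox.exe"
'''

CLEAN_EXE_COMMAND = '"%1" %*'   # value the exefile/.exe command keys should hold
WRAPPER = re.compile(r'^"([^"]+\.exe)"\s+/START\s+"', re.IGNORECASE)
EXE_HANDLER = re.compile(r'\\(\.exe|exefile)\\shell\\(open|runas)\\command$', re.IGNORECASE)


def parse_default_values(reg_text):
    """Return {key_path: default_value} for every key with a string (Default)."""
    values, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            raw = line[3:-1]
            # .reg files escape backslash and double quote with a backslash.
            values[key] = re.sub(r'\\(.)', r'\1', raw)
    return values


def find_hijacks(reg_text):
    """List (key, reason, value) for handlers that match the page's pattern."""
    findings = []
    for key, value in parse_default_values(reg_text).items():
        wrapper = WRAPPER.match(value)
        if wrapper:
            findings.append((key, 'wrapped by ' + wrapper.group(1), value))
        elif EXE_HANDLER.search(key) and value != CLEAN_EXE_COMMAND:
            findings.append((key, 'unexpected .exe handler', value))
    return findings


if __name__ == '__main__':
    for key, reason, value in find_hijacks(SAMPLE_REG):
        print(f'{key}\n    {reason}\n    {value}')
```

Exports written by regedit are UTF-16, so decode the file before passing its text in; values stored as REG_EXPAND_SZ appear as hex(2) data and are not examined by this parser.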

32 Responses

  1. Jose says:

    What name can I rename the Malwarebytes to? Because if I change it to something else, it may become unusable, right?

  2. rajendra says:

    Dear Sir,

    My PC is affected by XP Total Security, and no function is working. Pls, how do I remove this?

    Rajendra Patel

  3. krishnaraj says:

    My PC is affected by XP Total Security. How to remove this from my PC?

  4. rs says:

    i just got this evil sod just by *viewing* a webpage for song lyrics, the first link off google… it seems to have mutated bad cos it wouldn’t let me run ANY progs, enter the registry / windows explorer / system restore, or run anything from external drives, etc. so none of the removal solutions online work. it shuts down MS Security Essentials and hijacks the MS security centre too :(

    only option was a complete reformat. be warned…

  5. ViralExecutioner says:

    google Rkill and download from Technibbles to a flash drive, boot into safe mode with network (F8 for the boot menu), and run rkill. This should allow you to run Malwarebytes (MWB). I would also run Superantispyware as well just to be safe.
    ***some OS’s won’t let you install these programs in safe mode, so you may have to boot normally, run rkill, download/install, and then reboot into safe mode wn.

  6. gibby says:

    not all these will be installed on all, but this is what I had to do on a laptop with XP installed to remove it. After this, do a check with Malwarebytes and make sure your cache is clean and temp files are clean as well

    you have to boot up in safe mode with command prompt to do this
    once in the command prompt screen, type regedit.exe, then your registry files will show
    then you need to remove the list below

    HKEY_CURRENT_USER\Software\Classes\.exe “(Default)” = ‘exefile’
    HKEY_CURRENT_USER\Software\Classes\.exe “Content Type” = ‘application/x-msdownload’
    HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon “(Default)” = ‘%1’ = ‘”%UserProfile%\Local Settings\Application Data\[random 3 letters].exe” /START “%1” %*’
    HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command “IsolatedCommand” = ‘”%1″ %*’
    HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command “(Default)” = ‘”%1″ %*’
    HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command “IsolatedCommand” = ‘”%1″ %*’
    HKEY_CURRENT_USER\Software\Classes\exefile “(Default)” = ‘Application’
    HKEY_CURRENT_USER\Software\Classes\exefile “Content Type” = ‘application/x-msdownload’
    HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon “(Default)” = ‘%1’
    HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random 3 letters].exe” /START “%1” %*’
    HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command “IsolatedCommand” = ‘”%1″ %*’
    HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command “(Default)” = ‘”%1″ %*’
    HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command “IsolatedCommand” = ‘”%1″ %*’
    HKEY_CLASSES_ROOT\.exe\DefaultIcon “(Default)” = ‘%1’
    HKEY_CLASSES_ROOT\.exe\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random 3 letters].exe” /START “%1” %*’
    HKEY_CLASSES_ROOT\.exe\shell\open\command “IsolatedCommand” = ‘”%1″ %*’
    HKEY_CLASSES_ROOT\.exe\shell\runas\command “(Default)” = ‘”%1″ %*’
    HKEY_CLASSES_ROOT\.exe\shell\runas\command “IsolatedCommand” = ‘”%1″ %*’
    HKEY_CLASSES_ROOT\exefile “Content Type” = ‘application/x-msdownload’
    HKEY_CLASSES_ROOT\exefile\shell\open\command “IsolatedCommand” = ‘”%1″ %*’
    HKEY_CLASSES_ROOT\exefile\shell\runas\command “IsolatedCommand” = ‘”%1″ %*’
    HKEY_CLASSES_ROOT\exefile\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random 3 letters].exe” /START “%1” %*’
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random 3 letters].exe” /START “C:\Program Files\Mozilla Firefox\firefox.exe”‘
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random 3 letters].exe” /START “C:\Program Files\Mozilla Firefox\firefox.exe” -safe-mode’
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random 3 letters].exe” /START “C:\Program Files\Internet Explorer\iexplore.exe”‘

    then reboot, but nothing will run yet, as you have removed some files that need to be rewritten
    so once you have rebooted, reboot again in safe mode with command prompt and re-add these 2 to your registry

    HKEY_CLASSES_ROOT \ exefile \ shell \ open \ command.
    Double-click the (Default) value in the right hand pane and delete the current value data, and then type:
    “%1” %* exactly as shown including the quotes and asterisk.
    Navigate to HKEY_CLASSES_ROOT\.exe
    In the right-hand pane, set (default) to exefile
    Exit the Registry Editor

  7. rider says:

    It took me about 4 hours to get rid of this – not easy!! I tried many of the remedies suggested online, none worked on its own. I am no computer genius so had to keep trying other things, or trying in a certain order. This is what finally worked:

    I am running XP Home. Rebooting to safe mode and trying to run antivirus software would work temporarily but not permanently. Back in normal windows mode the problem would crop up again…

    The virus gives you the option to enter a manual code to “purchase” the software. Choose this, and enter the code 1147-175591-6550. This will get the program to stop bugging you and should allow you to access the internet and go about your regular business. To actually get rid of the infection, and correct changes to the registry, do the following:

    Download the program called “Malwarebytes” that is readily available online. Free version worked fine.

    Reboot the computer into “Safe Mode with Networking” (tap F8 while re-starting)
    This will allow you to access the internet, which the virus will not allow you to do while running in normal mode if you have not entered the code noted above.

    Run a full scan of Malwarebytes previously downloaded. Mine took 45 minutes to run. It will identify the problems and take corrective action once you prompt it at the end of the scan. The log is automatically saved.

    Reboot to normal mode. Check that your firewall and the normal “XP Total Security” is working again – not the fraud.

    That should work! Good luck.

  8. Mick Thielen says:

    I found the removal was tricky on the XP box in question, because the malware was regularly restarting, although it revealed itself in “Process Explorer,” (available from download.com), and I could stop it from there while in safe mode (with networking).

    It left the system crippled by creating a Broken EXE Association. No programs knew how to run after disabling the malware EXE, which resided this time in the Application Data folder. I found a fix for the broken EXE at

    http : //filext.com/faq/broken_exe_association.php.

    This fixed the EXE file association, so that I could run MBAM, which took out everything needed to fix the malware situation.

    The last thing to fix now is the likewise broken Windows Updates. I have a case in before Microsoft at this point.

  9. Kashaan Hussyn says:

    Thanx rider bro, it works,…

  10. Ruben ONeill says:

    How can I get refunded from them? $69.95, I just had to download this yesterday,and now I read about their scam…please help

    Thank you

  11. Ruben ONeill says:

    how do I get my money back?

  12. saqhib says:

    the purchase code worked, thanks

    eset v4 did not block this

    it is a work laptop and I am not an administrator

    still running in background I guess

    reluctant to type in any passwords, etc

    anyone know how to delete xp security without having access to malwarebytes, rkill or the registry ?

  13. sadiemason says:

    rider you rock – thanx 4 ur help!

  14. althea says:

    gud day. tnx a lot mr. rider. you’re a great help for me. thanks for sharing what you knew… God bless

  15. Nadia says:

    Rider, thank you so much!

  16. Nadia says:

    I spoke too soon, it won’t let me run mbam :(

  17. Nadia says:

    Someone please help. I keep trying the exe extension fix and nothing I do will run mbam. I just want this thing off my computer. Please please someone help me

  18. Nadia says:

    I right clicked the mbam and did “run as” with my password n it worked. So pissed this is my whole night.

  19. Adam says:

    Hello Rider and others,

    I had a terrible time getting rid of this crappy virus, but after trying everything which was listed above (reg edit, safe mode, malwarebytes, etc), the ONLY thing which I found which was able to get rid of it was the free STINGER utility tool through McAfee. This is a free utility which is found on the McAfee website. I do pay for McAfee virus protection, and the utility did seem to work through the virus protection. I am not sure how helpful it would have been for someone who does not pay for the virus protection but it is definitely worth a shot trying. As stated, I tried everything which Rider stated earlier, and the virus was stopping me from opening any EXE file or going to any website. I used the product reg key that Rider posted to get access to the internet and downloaded MCAFEE STINGER under FREE TOOLS. Good luck to everyone with same issue!


  20. ben says:

    Used combofix first from admin account under safe mode with command prompt, then again in regular windows, then malwarebytes. Seems to have worked. Non admin was infected. First time I tried to run malware bytes from admin I got bsod loop. Download combofix.exe to a flash drive to run it in safe mode, run again from flash drive in windows. Then run malwarebytes and delete all risk files. Also shut off all processes before running combofix or malwarebytes. Xp pro sp3

  21. Adam says:

    STINGER utility I mentioned before did not get rid of it permanently. Once computer was re-started the computer was reinfected. Finally got rid of it through Malwarebytes, but truth be told not exactly sure how.

  22. Jason says:

    Thank you so much rider for the code trick! Can’t believe it worked, but happy that it did :)
    After a reboot I downloaded rkill (free, fast, awesome) then ran MalwareBytes

  23. renzo says:

    sir, how can i remove xp total security 2011 ??? please help me .

  24. renzo says:

    rider, thank you so much! it actually works! You ROCK! \m/

  25. challuch says:

    To those who are concerned with getting their money back, contact your credit card company and make them aware of the fraud. Also, contact your state attorney general with the company info you obtain from your credit card company.

  26. Alfred says:

    Hi people, my recommendation is do not purchase the product. Maybe it will work well the first time, and then you will lose the link. I paid $69.00 for the program to get my PC to work, then I lost the program. I e-mailed them three times and called them on the support team; no response. They return the e-mails with the same messages; it's an auto responder. This is software that hacks into your PC and blocks you from using your computer or internet. This is a third-party purchase; it's a “SCAM” “SCAM”. I paid the $69.00 to use my PC or take it to Best Buy and pay $199.00. Tell me, was this a SCAM?

  27. Cleezy says:

    Read Rider’s and Nadia’s posts and you’ll be good…

  28. Munir Helayel says:

    Thanks Rider. Last week I used the registration number you provided followed the instructions and was able to neutralize the virus and managed to reach a site with many options to get an antivirus, since my Windows defender failed big time. My choice was Stopzilla, reasonably priced, which completely fixed the problem.

  29. LizC says:

    Thank you Rider and Nadia! Worked for me after following your steps!

  30. V Wat says:

    I am in the process of trying to get rid of this. It wouldn’t let me run MBAM at first so I knew it was a virus BUT it did let me run Spybot [Search and Destroy] and after a full scan with that it let me run MBAM. Hopefully MBAM will find what Spybot couldn’t.

  31. Bill H says:

    Great post from Rider. Worked perfectly for me. You’re too modest.

  32. Joycee says:

    Just a word of warning for when you do manage to get rid of this “XP Total security 2011” IT WILL STILL BE SITTING IN SYSTEM RESTORE! So System restore must be stopped from running. Try and get your files backed up onto a pen or disk, then stop System Restore running. Once you have stopped it running all your restore points will be lost, but they would have contained the trojan and if you did a restore in future, you would be back to square one!
    After you have stopped it, you then go back in and start it again so you can make a new clean restore point.
    If you have Windows XP, Stopping and starting System Restore.
    Do a right click on My Computer and choose “Properties” from the list. Click the tab at the top that says “System Restore” and put a tick in the little square that says “Stop System Restore Running.” Click on “Apply”. You will get a warning that you are stopping System Restore, and will lose your restore points. Click OK to agree to the warning, and OK out of the screen.
    Now go back and do a right click on “My Computer” Choose “Properties” then choose “System Restore” again from the tab at the top. This time take the tick OUT of the box. Click apply and watch for it to say it is monitoring again, then ok out of it.
    To make a new clean restore point.
    Go to Start – Programmes – Accessories – System Tools – System Restore. Put a dot in Create a restore point. give it a name, as it will save the date automatically. Then ok it, the restore point will be created in seconds and shown to you. Then just click ok
