XP Total Security 2011
XP Total Security 2011 is a deceptive security program that displays excessive pop-up alerts and warning messages, aiming to persuade users into buying its licensed version. The XP Total Security 2011 virus is ordinarily distributed by a Trojan infection, which is often caused by a security flaw. The most recent version of the Trojan can easily get in undetected by antivirus programs by using a rootkit method. This technique conceals the Trojan's presence by masking illicit activities while maintaining normal operation.
Under this name, the cleverly developed rogue software is restricted to XP operating systems only; it transforms into Win 7 Total Security 2011 or Vista Total Security 2011 based on the PC's operating system. The presence of XP Total Security 2011 brings quite a lot of annoyances, including browser redirection, wherein a requested web page is re-routed to a different server. As expected, this web site was built to download more threats onto the already infected PC. Additionally, XP Total Security 2011 periodically displays alerts about identified threats and security intrusions.
Furthermore, XP Total Security 2011 obstructs execution of any installed software, claiming that opening was prevented due to virus infection. The same dialog box prompts for immediate treatment using the full working version of XP Total Security 2011. This deceptive method of marketing a rogue program is frequently used by rogue developers. So be wary of security programs advertised by unknown sources.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
XP Total Security 2011 Removal Procedures
XP Total Security 2011 REMOVAL TOOL:
To automatically remove XP Total Security 2011 without going through the complicated process of finding and deleting files and registry entries, download, install and scan with Malwarebytes Anti-Malware. This tool has proven competent when dealing with rogue security applications.
There are instances where the Trojan linked to XP Total Security 2011 blocks the download and execution of MBAM. A situation like this requires a separate clean computer to download the file. Don't forget to rename it to something like [anything].exe before executing it on the compromised PC.
MANUAL REMOVAL PROCEDURE:
1. Press Ctrl+Alt+Del on the keyboard to stop the process associated with "XP Total Security 2011". When Windows Task Manager opens, go to the Processes tab, then find and end the following process:
(random 3 characters).exe
2. You need to update your installed antivirus application to have the latest database.
3. Thoroughly scan the system and remove any detected threats. If removal is prohibited, it is best to quarantine the infected item. Malicious files should also be located and deleted manually. Please see the files below that are related to XP Total Security 2011.
4. Registry entries created by XP Total Security 2011 must also be removed from the Windows system. Please refer below for entries associated with the rogue program.
- For Windows 2000/XP: Go to Start > Run, type “regedit” on dialog box then press Enter on keyboard.
- For Windows Vista/7: Go to Start > Search Program and Files, type “regedit” and press Enter.
5. Exit registry editor.
6. Get rid of the XP Total Security 2011 start-up entry by going to Start > Run and typing msconfig in the "Open" dialog box. A window containing the System Configuration Utility will be launched. Go to the Startup tab and uncheck the following start-up item(s):
(random 3 characters).exe
7. Click Apply and restart Windows.
Technical Details and Additional Information:
Malicious Files Added by XP Total Security 2011:
Windows 7 and Windows Vista Operating Systems
%AllUsersProfile%\n8iks20lmnw8yh108dnct6shdt5
%AppData%\Local\[random 3 characters].exe
%AppData%\Local\n8iks20lmnw8yh108dnct6shdt5
%AppData%\Roaming\Microsoft\Windows\Templates\n8iks20lmnw8yh108dnct6shdt5
%Temp%\n8iks20lmnw8yh108dnct6shdt5
Windows XP Operating System
%AllUsersProfile%\n8iks20lmnw8yh108dnct6shdt5
%AppData%\n8iks20lmnw8yh108dnct6shdt5
%UserProfile%\Local Settings\Application Data\[random 3 characters].exe
%UserProfile%\Templates\n8iks20lmnw8yh108dnct6shdt5
%Temp%\n8iks20lmnw8yh108dnct6shdt5
File Location for Windows Versions:
- %AllUsersProfile% for Vista/7 users is C:\ProgramData, while for Windows XP/2000 it is C:\Documents and Settings\All Users\
- %UserProfile% is C:\Users\<Current User> for Windows Vista/7, for Windows XP/2000 this is C:\Documents and Settings\<Current User>.
- %AppData% for Vista/7 refers to C:\Users\<Current User>\AppData\Roaming, while for Windows XP/2000 user it is C:\Documents and Settings\<Current User>\Application Data.
- %Temp% refers to C:\Windows\Temp\.
XP Total Security 2011 Registry Entries:
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
HKEY_CURRENT_USER\Software\Classes\.exe "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon "(Default)" = '%1' = '"%UserProfile%\Local Settings\Application Data\[random 3 characters].exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile "(Default)" = 'Application'
HKEY_CURRENT_USER\Software\Classes\exefile "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon "(Default)" = '%1'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 characters].exe" /START "%1" %*'
HKEY_CLASSES_ROOT\.exe\DefaultIcon "(Default)" = '%1'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 characters].exe" /START "%1" %*'
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 characters].exe" /START "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 characters].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 characters].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[random 3 characters].exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"'
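The entries above point the (Default) open command for .exe/exefile and for the browser start-menu clients at the rogue executable followed by /START. As an added example (not part of the original article), this Python script scans the text of a registry export for that pattern; the sample export, the placeholder name abc.exe and the function names are constructed for illustration, and the benign value "%1" %* is the one given in the comments below for exefile\shell\open\command.

```python
import re

# Benign (Default) data for exefile\shell\open\command, as quoted on this page.
BENIGN_EXE_OPEN = '"%1" %*'

# Constructed sample in .reg export format; "abc.exe" stands in for the
# page's "[random 3 characters].exe". Not taken from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\abc.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\abc.exe\" /START \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command]
@="\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\""
'''

EXE_OPEN_KEY = re.compile(r'\\(?:\.exe|exefile)\\shell\\open\\command$', re.I)
# A quoted executable followed by /START, i.e. a launcher placed in front of the real target.
WRAPPER = re.compile(r'^"([^"]+\.exe)"\s+/START\s', re.I)
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Yield (key, value_name, data) for every string value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if key and m:
            name = '(Default)' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            yield key, name, _unescape(m.group(2))

def find_hijacks(text):
    """Return (key, reason, detail) for command handlers matching the page's pattern."""
    findings = []
    for key, name, data in parse_reg(text):
        if name != '(Default)' or not key.lower().endswith('\\command'):
            continue
        wrapped = WRAPPER.match(data)
        if EXE_OPEN_KEY.search(key) and data != BENIGN_EXE_OPEN:
            findings.append((key, 'exe-open-handler-replaced', data))
        elif wrapped:
            findings.append((key, 'launched-through-wrapper', wrapped.group(1)))
    return findings

if __name__ == '__main__':
    for key, reason, detail in find_hijacks(SAMPLE_REG):
        print(f'{reason}: {key}\n    {detail}')
```

Files exported by regedit in the Version 5.00 format are normally UTF-16 encoded, so decode them accordingly before passing the text to find_hijacks.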
Jose
Mar 04, 2011 @ 16:14:38
What name can I rename the Malwarebytes to? Because if I change it to something else, it may become unusable, right?
rajendra
Mar 27, 2011 @ 05:22:27
Dear Sir,
My PC is affected by XP Total Security and no function is working. Please, how do I remove this?
Regards,
Rajendra Patel
Mehsana
krishnaraj
Mar 30, 2011 @ 12:24:43
My PC is affected by XP Total Security. How to this from my PC?
rs
Apr 03, 2011 @ 07:39:01
i just got this evil sod just by *viewing* a webpage for song lyrics, the first link off google… it seems to have mutated bad cos it wouldn’t let me run ANY progs, enter the registry / windows explorer / system restore, or run anything from external drives, etc. so none of the removal solutions online work. it shuts down MS Security Essentials and hijacks the MS security centre too :(
only option was a complete reformat. be warned…
ViralExecutioner
Apr 04, 2011 @ 17:15:38
google Rkill and download from Technibbles to a flash drive, boot into safe mode with network (F8 for the boot menu), and run rkill. This should allow you to run Malwarebytes (MWB). I would also run Superantispyware as well just to be safe.
***some OS’s won’t let you install these programs in safe mode, so you may have to boot normally, run rkill, download/install, and then reboot into safe mode wn.
enjoy!
gibby
Apr 05, 2011 @ 23:34:25
Not all these will be installed on all, but this is what I had to do on a laptop with XP installed to remove it. After this, do a check with Malwarebytes and make sure your cache is clean and temp files are clean as well.
You have to boot up in safe mode with command prompt to do this.
Once in the command prompt screen, type regedit.exe, then your registry files will show.
Then you need to remove the list below:
HKEY_CURRENT_USER\Software\Classes\.exe “(Default)” = ‘exefile’
HKEY_CURRENT_USER\Software\Classes\.exe “Content Type” = ‘application/x-msdownload’
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon “(Default)” = ‘%1′ = ‘”%UserProfile%\Local Settings\Application Data\[random 3 letters].exe” /START “%1″ %*’
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command “IsolatedCommand” = ‘”%1″ %*’
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command “(Default)” = ‘”%1″ %*’
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command “IsolatedCommand” = ‘”%1″ %*’
HKEY_CURRENT_USER\Software\Classes\exefile “(Default)” = ‘Application’
HKEY_CURRENT_USER\Software\Classes\exefile “Content Type” = ‘application/x-msdownload’
HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon “(Default)” = ‘%1′
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random 3 letters].exe” /START “%1″ %*’
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command “IsolatedCommand” = ‘”%1″ %*’
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command “(Default)” = ‘”%1″ %*’
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command “IsolatedCommand” = ‘”%1″ %*’
HKEY_CLASSES_ROOT\.exe\DefaultIcon “(Default)” = ‘%1′
HKEY_CLASSES_ROOT\.exe\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random 3 letters].exe” /START “%1″ %*’
HKEY_CLASSES_ROOT\.exe\shell\open\command “IsolatedCommand” = ‘”%1″ %*’
HKEY_CLASSES_ROOT\.exe\shell\runas\command “(Default)” = ‘”%1″ %*’
HKEY_CLASSES_ROOT\.exe\shell\runas\command “IsolatedCommand” = ‘”%1″ %*’
HKEY_CLASSES_ROOT\exefile “Content Type” = ‘application/x-msdownload’
HKEY_CLASSES_ROOT\exefile\shell\open\command “IsolatedCommand” = ‘”%1″ %*’
HKEY_CLASSES_ROOT\exefile\shell\runas\command “IsolatedCommand” = ‘”%1″ %*’
HKEY_CLASSES_ROOT\exefile\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random 3 letters].exe” /START “%1″ %*’
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random 3 letters].exe” /START “C:\Program Files\Mozilla Firefox\firefox.exe”‘
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random 3 letters].exe” /START “C:\Program Files\Mozilla Firefox\firefox.exe” -safe-mode’
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “(Default)” = ‘”%UserProfile%\Local Settings\Application Data\[random 3 letters].exe” /START “C:\Program Files\Internet Explorer\iexplore.exe”‘
Then reboot, but nothing will run yet, as you have removed some files that need to be rewritten.
So once you have rebooted, reboot again in safe mode with command prompt and re-add these 2 to your registry:
HKEY_CLASSES_ROOT\exefile\shell\open\command
Double-click the (Default) value in the right hand pane and delete the current value data, and then type:
"%1" %* exactly as shown including the quotes and asterisk.
Navigate to HKEY_CLASSES_ROOT\.exe
In the right-hand pane, set (default) to exefile
Exit the Registry Editor
Computer Brain
Apr 14, 2011 @ 09:29:45
Hey guys, I am a local computer support guy and have come across this and the Vista version quite a bit recently. I have found the best way to get around this is to right click Internet Explorer and run as administrator to download Malwarebytes to the local drive. Once it is downloaded, right click on the setup file and run as administrator to install and update Malwarebytes, then do a FULL scan, which will take about 2 hours, and remove anything it found. All this can be done while in normal mode. If you can open Task Manager, look for a strange xxx.exe file and end it whenever you see the Total Security program running; I have seen it called kcq.exe, abe.exe, etc.
Good luck in your removal process!
rider
Apr 17, 2011 @ 06:07:44
It took me about 4 hours to get rid of this – not easy!! I tried many of the remedies suggested online, none worked on its own. I am no computer genius so had to keep trying other things, or trying in a certain order. This is what finally worked:
I am running XP Home. Rebooting to safe mode and trying to run antivirus software would work temporarily but not permanently. Back in normal windows mode the problem would crop up again…
The virus gives you the option to enter a manual code to "purchase" the software. Choose this, and enter the code 1147-175591-6550. This will get the program to stop bugging you and should allow you to access the internet and go about your regular business. To actually get rid of the infection, and correct changes to the registry, do the following:
Download the program called “Malwarebytes” that is readily available online. Free version worked fine.
Reboot the computer into “Safe Mode with Networking” (tap F8 while re-starting)
This will allow you to access the internet, which the virus will not allow you to do while running in normal mode if you have not entered the code noted above.
Run a full scan of Malwarebytes previously downloaded. Mine took 45 minutes to run. It will identify the problems and take corrective action once you prompt it at the end of the scan. The log is automatically saved.
Reboot to normal mode. Check that your firewall and the normal “XP Total Security” is working again – not the fraud.
That should work! Good luck.
Mick Thielen
Apr 19, 2011 @ 05:25:46
I found the removal was tricky on the XP box in question, because the malware was regularly restarting, although it revealed itself in “Process Explorer,” (available from download.com), and I could stop it from there while in safe mode (with networking).
It left the system crippled by creating a Broken EXE Association. No programs knew how to run after disabling the malware EXE, which resided this time in the Application Data folder. I found a fix for the broken EXE at
http://filext.com/faq/broken_exe_association.php.
This fixed the EXE file association, so that I could run MBAM, which took out everything needed to fix the malware situation.
The last thing to fix now is the likewise broken Windows Updates. I have a case in before Microsoft at this point.
Kashaan Hussyn
Apr 20, 2011 @ 21:14:37
Thanx rider bro, it works,…
Ruben ONeill
Apr 21, 2011 @ 15:41:30
How can I get refunded from them? $69.95, I just had to download this yesterday, and now I read about their scam… please help
Thank you
Ruben
Ruben ONeill
Apr 21, 2011 @ 18:03:07
how do I get my money back?
saqhib
Apr 25, 2011 @ 15:15:41
the purchase code worked, thanks
eset v4 did not block this
it is a work laptop and I am not an administrator
still running in background I guess
reluctant to type in any passwords, etc
anyone know how to delete xp security without having access to malwarebytes, rkill or the registry ?
sadiemason
May 03, 2011 @ 03:39:51
rider you rock – thanx 4 ur help!
althea
May 04, 2011 @ 04:48:54
gud day. tnx a lot mr. rider. you’re a great help for me. thanks for sharing what you knew… God bless
Nadia
May 04, 2011 @ 06:19:22
Rider, thank you so much!
Nadia
May 04, 2011 @ 06:32:16
I spoke too soon, it won’t let me run mbam :(
Nadia
May 04, 2011 @ 06:45:22
Someone please help. I keep trying the exe extension fix and nothing I do will run mbam. I just want this thing off my computer. Please please someone help me
Nadia
May 04, 2011 @ 06:53:55
I right clicked the mbam and did “run as” with my password n it worked. So pissed this is my whole night.
Adam
May 07, 2011 @ 16:57:13
Hello Rider and others,
I had a terrible time getting rid of this crappy virus, but after trying everything which was listed above (reg edit, safe mode, malwarebytes, etc), the ONLY thing which I found which was able to get rid of it was the free STINGER utility tool through McAfee. This is a free utility which is found on the McAfee website. I do pay for McAfee virus protection, and the utility did seem to work through the virus protection. I am not sure how helpful it would have been for someone who does not pay for the virus protection but it is definitely worth a shot trying. As stated, I tried everything which Rider stated earlier, and the virus was stopping me from opening any EXE file or going to any website. I used the product reg key that Rider posted to get access to the internet and downloaded MCAFEE STINGER under FREE TOOLS. Good luck to everyone with same issue!
mcafee.com/us/downloads/downloads.aspx
ben
May 07, 2011 @ 16:59:12
Used combofix first from admin account under safe mode with command prompt, then again in regular windows, then malwarebytes. Seems to have worked. Non admin was infected. First time I tried to run malware bytes from admin I got bsod loop. Download combofix.exe to a flash drive to run it in safe mode, run again from flash drive in windows. Then run malwarebytes and delete all risk files. Also shut off all processes before running combofix or malwarebytes. Xp pro sp3
Adam
May 09, 2011 @ 20:16:43
The STINGER utility I mentioned before did not get rid of it permanently. Once the computer was re-started, the computer was reinfected. Finally got rid of it through Malwarebytes, but truth be told, not exactly sure how.
Jason
May 19, 2011 @ 23:21:29
Thank you so much rider for the code trick! Can’t believe it worked, but happy that it did :)
After a reboot I downloaded rkill (free, fast, awesome) then ran MalwareBytes
renzo
May 20, 2011 @ 06:06:25
sir, how can i remove xp total security 2011 ??? please help me .
renzo
May 20, 2011 @ 06:22:11
rider, thank you so much! it actually works! You ROCK! \m/
challuch
May 20, 2011 @ 17:02:19
To those who are concerned with getting their money back, contact your credit card company and make them aware of the fraud. Also, contact your state attorney general with the company info you obtain from your credit card company.
Alfred
May 21, 2011 @ 16:44:58
Hi people, my recommendation is do not purchase the product. Maybe it will work well the first time and then you will lose the link. I paid $69.00 for the program to get my PC to work, then I lost the program. I e-mailed them three times and called the support team; no response. They return the e-mails with the same message; it's an auto responder. This software hacks into your PC and blocks you from using your computer or internet. This is a third party purchase; it's a "SCAM" "SCAM". I paid the $69.00 to use my PC or take it to Best Buy and pay $199.00; tell me, was this a SCAM.
Cleezy
May 21, 2011 @ 20:16:13
Read Rider’s and Nadia’s posts and you’ll be good…
Munir Helayel
May 23, 2011 @ 17:05:00
Thanks Rider. Last week I used the registration number you provided followed the instructions and was able to neutralize the virus and managed to reach a site with many options to get an antivirus, since my Windows defender failed big time. My choice was Stopzilla, reasonably priced, which completely fixed the problem.
LizC
May 30, 2011 @ 04:34:42
Thank you Rider and Nadia! Worked for me after following your steps!
V Wat
May 31, 2011 @ 19:52:34
I am in the process of trying to get rid of this. It wouldn’t let me run MBAM at first so I knew it was a virus BUT it did let me run Spybot [Search and Destroy] and after a full scan with that it let me run MBAM. Hopefully MBAM will find what Spybot couldn’t.
Bill H
May 31, 2011 @ 22:22:47
Great post from Rider. Worked perfectly for me. You’re too modest.
Joycee
Jun 05, 2011 @ 01:54:46
Just a word of warning for when you do manage to get rid of this "XP Total Security 2011": IT WILL STILL BE SITTING IN SYSTEM RESTORE! So System Restore must be stopped from running. Try and get your files backed up onto a pen or disk, then stop System Restore running. Once you have stopped it running all your restore points will be lost, but they would have contained the trojan and if you did a restore in future, you would be back to square one!
After you have stopped it, you then go back in and start it again so you can make a new clean restore point.
If you have Windows XP, stopping and starting System Restore:
Do a right click on My Computer and choose "Properties" from the list. Click the tab at the top that says "System Restore" and put a tick in the little square that says "Stop System Restore Running." Click on "Apply". You will get a warning that you are stopping System Restore and will lose your restore points. Click OK to agree to the warning, and OK out of the screen.
Now go back and do a right click on “My Computer” Choose “Properties” then choose “System Restore” again from the tab at the top. This time take the tick OUT of the box. Click apply and watch for it to say it is monitoring again, then ok out of it.
To make a new clean restore point.
Go to Start – Programmes – Accessories – System Tools – System Restore. Put a dot in Create a restore point. give it a name, as it will save the date automatically. Then ok it, the restore point will be created in seconds and shown to you. Then just click ok