XP Total Security 2011

Here we go again with that annoying multi-rogue malware: XP Total Security 2011 is just one of the many names taken by a Trojan dropper called Win32/FakeRean. This malware names itself according to the operating system you're using, and XP Total Security 2011 is one of the names it uses when it infects a computer running Windows XP. XP Total Security 2011 is therefore not trustworthy, and it is obviously not affiliated with Microsoft. The bottom line is that it is a scam designed to scare money out of you.

What Happens During an XP Total Security 2011 Infection

Because XP Total Security 2011 is identical, skin and name aside, to all of the other fake security programs represented by Win32/FakeRean, it causes the same symptoms as every other fake anti-virus application that Win32/FakeRean installs. The problems you'll notice when XP Total Security 2011 is present on your PC include the following:

  • A fake home screen for XP Total Security 2011 will appear while Windows starts, before the desktop loads, and from that interface it will run a fake scan of your computer. Because XP Total Security 2011 can't actually detect threats, the list of results it gives you is always completely made up. However, it will tell you that these "threats" are very dangerous and urge you to visit the XP Total Security 2011 website to purchase a license.
  • Although Windows will load and you will see the desktop, you will not be able to do much with your computer. XP Total Security 2011 will create almost constant pop-up security warnings, which will say that it has detected an intrusion, an attack, or some kind of malware, but the details given are always so vague that they are not believable. (Real security software always tells you which file is infected, when the infection was found, and precisely what malware was detected.) The alerts will always try to get you to go to the payment site for XP Total Security 2011 to pay the bogus "license" fee.
  • XP Total Security 2011 will make changes to your system, including the Registry, to prevent you from removing its phony software. For example, it will change your file associations for .exe files, which will cause every program you try to run (with the exception of XP Total Security 2011 and your web browser) to fail. This includes Task Manager and Regedit, so neither can be used to remove XP Total Security 2011. It will also hijack your web browser, causing it to redirect you to the payment page for XP Total Security 2011 regardless of which site you try to view.
  • Because many fake anti-virus applications can be removed using Safe Mode, XP Total Security 2011's bundled rootkit ensures that you can't remove it that way. XP Total Security 2011 can actually run while Windows is in Safe Mode!

Clearly, XP Total Security 2011 has nothing to offer in the way of added security for your computer. What some users of infected PCs fail to appreciate is that paying the money the malware demands does nothing to change its attack on your system. Even if you do pay, XP Total Security 2011 will continue to behave in precisely the same way, demanding that you pay a license fee. Fortunately, with the proper guidance and security software, you can remove XP Total Security 2011 from your PC.

How an Infection with XP Total Security 2011 Begins

XP Total Security 2011 depends on a Trojan to infect new systems. This makes the program seem to appear out of nowhere, which makes it more believable as a pre-installed program. The Trojan may be downloaded when you view a fake scanner website, or it may be hidden in a file that you download or that is attached to a spam email. Once the Trojan is downloaded to your computer, it drops the files for XP Total Security 2011, choosing the name for the fake security program based on which version of Windows you're running, along with a phrase taken at random from a list. The Trojan will name the executable file for XP Total Security 2011 randomly, using three letters. The malware will make changes to the Registry, and it will eventually cause the system to restart. XP Total Security 2011 may make it appear that this installation process is a Windows update.

XP Total Security 2011 goes back to early 2010, when Win32/FakeRean began causing infections. There have been slight changes in the way that the malware names its files since then, but otherwise, XP Total Security 2011 is the same bogus anti-virus program. In all its superficially different forms, including XP Total Security 2011, this malware is the basis of a Russian Internet-based scam.

File System Details

XP Total Security 2011 may create the following file(s):
1. %UserProfile%\AppData\Local\MSASCui.exe
2. %UserProfile%\Local Settings\Application Data\MSASCui.exe
3. %UserProfile%\Local Settings\Application Data\[3 RANDOM LETTERS].exe
4. %UserProfile%\Local Settings\Application Data\pw.exe
5. %AppData%\Local\[3 RANDOM LETTERS].exe
6. %UserProfile%\AppData\Local\pw.exe
7. %AppData%\Local\t3e0ilfioi3684m2nt3ps2b6lru
8. %UserProfile%\Templates\t3e0ilfioi3684m2nt3ps2b6lru
9. %AppData%\t3e0ilfioi3684m2nt3ps2b6lru
10. %AllUsersProfile%\t3e0ilfioi3684m2nt3ps2b6lru
11. %UserProfile%\Local Settings\Application Data\opRSK
12. %Temp%\t3e0ilfioi3684m2nt3ps2b6lru
13. %AppData%\Roaming\Microsoft\Windows\Templates\t3e0ilfioi3684m2nt3ps2b6lru
14. %UserProfile%\AppData\Local\opRSK

Registry Details

XP Total Security 2011 may create the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon "(Default)" = '%1'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\exefile\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\DefaultIcon "(Default)" = '%1'
HKEY_CLASSES_ROOT\.exe\shell\runas\command "(Default)" = '"%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[3 RANDOM LETTERS].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_CURRENT_USER\Software\Classes\.exe "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\exefile "Content Type" = 'application/x-msdownload'
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[3 RANDOM LETTERS].exe" /START "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[3 RANDOM LETTERS].exe" /START "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[3 RANDOM LETTERS].exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[3 RANDOM LETTERS].exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile "(Default)" = 'Application'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon "(Default)" = '%1' = '"%UserProfile%\Local Settings\Application Data\[3 RANDOM LETTERS].exe" /START "%1" %*'
HKEY_CLASSES_ROOT\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\[3 RANDOM LETTERS].exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
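
The following is an added example, not part of the original write-up: a Python check that reads registry entries written in the notation of the listing above and flags the two hijacks it shows, an .exe handler whose command is anything other than `"%1" %*`, and a browser start-menu command routed through a three-letter executable in the user profile. The sample lines and the file name `abc.exe` are constructed for illustration.

```python
import re

# One listing line: KEY "ValueName" = 'data'
ENTRY_RE = re.compile(r"""^(HKEY_[^"]+?)\s+"([^"]*)"\s*=\s*'(.*)'\s*$""")
SAFE_EXE_COMMAND = '"%1" %*'  # stock command: run the clicked file itself
# Keys that decide what runs when an .exe or the start-menu browser is launched.
EXE_HANDLER_RE = re.compile(r"\\(?:\.exe|exefile)\\shell\\(?:open|runas)\\command$", re.I)
BROWSER_HANDLER_RE = re.compile(r"\\StartMenuInternet\\[^\\]+\\shell\\[^\\]+\\command$", re.I)
# Naming pattern from the file list: three letters + .exe in a per-user folder.
THREE_LETTER_EXE_RE = re.compile(r"\\(?:Application Data|AppData\\Local)\\[A-Za-z]{3}\.exe$", re.I)

# Constructed sample in the listing's notation; abc.exe is a made-up name.
SAMPLE = r"""
HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\abc.exe" /START "%1" %*'
HKEY_CLASSES_ROOT\exefile\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe "(Default)" = 'exefile'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\abc.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"C:\Program Files\Mozilla Firefox\firefox.exe"'
""".strip().splitlines()

def launched_program(data):
    """First token of a command line: the program that actually runs."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', data)
    if not m:
        return ""
    return m.group(1) if m.group(1) is not None else m.group(2)

def audit(lines):
    """Return (key, value name, reason) for every hijacked handler."""
    findings = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # not a registry entry in this notation
        key, name, data = m.group(1).strip(), m.group(2), m.group(3)
        program = launched_program(data)
        if EXE_HANDLER_RE.search(key) and name in ("(Default)", "IsolatedCommand"):
            if data != SAFE_EXE_COMMAND:
                findings.append((key, name, "exe handler runs " + program))
        elif BROWSER_HANDLER_RE.search(key) and name == "(Default)":
            if THREE_LETTER_EXE_RE.search(program):
                findings.append((key, name, "browser routed via " + program))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```
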

1 Comment

Thank you for all this good information!
