XP Security 2011

XP Security 2011 Description

XP Security 2011 is not a security program. Rather, it is one of the many faces of one of the rogue antivirus applications currently making the rounds of the Internet. In other words, XP Security 2011 is one of the names used by what might be termed a multi-rogue program, which names itself according to what it finds on the infected PC. Therefore, XP Security 2011 is far from trustworthy.

Symptoms of XP Security 2011 Infection

The symptoms caused by XP Security 2011 are average for a fake security program, but that doesn't mean that they are any less disruptive. If you have XP Security 2011 on your computer, you will likely notice the following:

  • XP Security 2011 repeatedly runs fake scans of your computer, which always turn up results. XP Security 2011 will tell you that in order to remove the threats it has found, you must activate the software or purchase a license on the XP Security 2011 website. The scanner interface loads every time Windows starts, and you can't click past it.
  • Security alerts frequently appear, containing vague warnings about threats to your computer. These alerts will include a prompt to "activate" or "register" XP Security 2011, on the phony XP Security 2011 website.
  • XP Security prevents you from opening other applications, and gives you an error message saying that whatever program you were trying to run is infected. Even Task Manager is disabled in this way.
  • When you try to go online, you are only able to view the payment site for XP Security 2011. If you try to go to any other sites, you will ultimately find yourself back at the fake site for XP Security 2011.

In addition to these issues that you can identify, there will be some that you don't see, because XP Security 2011 prevents you from accessing anything that would let you remove its fake program from your PC. For example, XP Security 2011 disables the Windows firewall, as well as Microsoft Security Center's antivirus alerts. This means that because of XP Security 2011's presence on your PC, your computer will be especially vulnerable to infection with other malware.

Origins of XP Security 2011

As previously mentioned, XP Security 2011 is part of an infection that names itself according to the system that it infects. So XP Security 2011 only occurs on computers that are running Windows XP. The rest of the name is chosen from a list of possible suffixes. "Security 2011" is only one of the name variations you can wind up with; others include Antispyware 2011, Home Antivirus 2010, and Anti-Virus 2011. Users of Windows Vista or 7 will find that this malware calls itself these same things, using "Vista" or "Win 7" in place of "XP." How does this rogue antivirus application do its renaming trick? It all has to do with how this malware infects your computer.

This fake security software uses a Trojan in order to infect PCs. There is just one Trojan at the heart of the whole thing, regardless of which name the malware takes in the end. The Trojan is typically hidden in a fake video codec, phony program update, or infected freeware file. The point is that you download the Trojan without being aware that anything unusual is happening. Once the Trojan is on your PC, it checks to see which version of Windows you're using, chooses a name from a list, and sets up all of the files that are necessary to run the fake security software. So, the next time you start up Windows XP, XP Security 2011 will be there, pretending to scan your computer for threats and holding the whole system hostage.

The latest version of this multi-rogue malware was released in February 2011, but prior to that, there were other versions of the same malware that caused infections of XP Security 2011. The name "XP Security 2011" began to be used in fall 2010. Regardless of what it calls itself and what it may tell you about your computer, XP Security 2011 (and all of its other incarnations) is completely useless and incapable of keeping your PC secure. Therefore, there is no good reason to pay money for the malware. You can remove XP Security 2011 without paying for it. Ultimately, XP Security 2011 is a scam, operated by Russian crooks.

Technical Information

File System Details

XP Security 2011 creates the following file(s):
# File Name Detection Count
1 %UserProfile%\AppData\Local\MSASCui.exe N/A
2 %AppData%\ave.exe N/A
3 %UserProfile%\AppData\Local\pw.exe N/A
4 %UserProfile%\Local Settings\Application Data\MSASCui.exe N/A
5 C:\Documents and Settings\[USERNAME]\Local Settings\Application Data\ave.exe N/A
6 %Temp%\pw.exe N/A
7 %UserProfile%\Local Settings\Application Data\pw.exe N/A
8 %Documents and Settings%\[UserName]\Local Settings\Application Data\[RANDOM CHARACTERS].exe N/A
9 %UserProfile%\Local Settings\Application Data\opRSK N/A
10 %Documents and Settings%\[AllUsers]\[RANDOM CHARACTERS] N/A
11 C:\Documents and Settings\[USERNAME]\Templates\y7V11 N/A
12 C:\Documents and Settings\All Users\Application Data\y7V11 N/A
13 %UserProfile%\AppData\Local\opRSK N/A
14 %Documents and Settings%\[UserName]\Templates\[RANDOM CHARACTERS] N/A
15 C:\WINDOWS\Prefetch\AVE.EXE-3098ECAE.pf N/A
16 C:\Documents and Settings\[USERNAME]\Local Settings\Temp\y7V11 N/A
17 %UserProfile%\Start Menu\Programs\XP Security 2011 N/A
19 %Documents and Settings%\[AllUsers]\Application Data\[RANDOM CHARACTERS] N/A
20 C:\Documents and Settings\[USERNAME]\Local Settings\Application Data\y7V11 N/A

Registry Details

XP Security 2011 creates the following registry entry or registry entries:
Registry key
HKEY_CLASSES_ROOT\pezfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "XP Security 2011"
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\pezfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
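
The entries above share two patterns: open-command handlers rewritten so that another program is started through an executable in a per-user data folder, and Security Center override values set to 1. The following triage check is an added example, not part of the original write-up; it assumes the text layout printed by `reg query <key> /s`, and the sample input, the user name `user` and the function names are constructed for illustration.

```python
import re

# Constructed sample in `reg query /s` layout. The first three keys mirror
# entries listed above; the last is a clean browser registration for contrast.
SAMPLE = r'''
HKEY_CLASSES_ROOT\.exe\shell\open\command
    (Default)    REG_SZ    "C:\Documents and Settings\user\Local Settings\Application Data\pw.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
    (Default)    REG_SZ    "C:\Documents and Settings\user\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
    AntiVirusOverride    REG_DWORD    0x1
    FirewallOverride    REG_DWORD    0x0
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
    (Default)    REG_SZ    "C:\Program Files\Internet Explorer\iexplore.exe"
'''

VALUE = re.compile(r'^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$')   # name, type, data
USER_DIRS = ('\\application data\\', '\\appdata\\', '\\temp\\')
OVERRIDES = {'antivirusoverride', 'firewalloverride'}

def launcher(command):
    """Return the executable a command line starts, lower-cased."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    return (m.group(1) or m.group(2)).lower() if m else ''

def audit(text):
    """Return (key, value name, reason) for each suspicious registry value."""
    findings, key = [], None
    for line in text.splitlines():
        if line.startswith('HKEY_'):
            key = line.strip()
            continue
        m = VALUE.match(line)
        if not (m and key):
            continue
        name, _type, data = m.groups()
        low = key.lower()
        if low.endswith('\\command'):
            # Wrapper pattern: first token sits in a per-user data folder and
            # the real target ("%1" or a second .exe) is passed as an argument.
            wraps = '"%1"' in data or data.lower().count('.exe') > 1
            if wraps and any(d in launcher(data) for d in USER_DIRS):
                findings.append((key, name, 'handler routed through per-user executable'))
        elif low.endswith('\\security center') and name.lower() in OVERRIDES:
            if data.strip().lower() in ('1', '0x1'):
                findings.append((key, name, 'Security Center alert suppressed'))
    return findings
```

Running `audit(SAMPLE)` flags the two wrapped handlers and the `AntiVirusOverride` value, and leaves the directly registered Internet Explorer command alone.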

More Details on XP Security 2011

The following URLs were found:
Tip: We recommend blocking the domain names as well as the IP addresses associated with them.
The following messages associated with XP Security 2011 were found:
System danger!
Your system security is in danger. Privacy threats detected. Spyware, keyloggers or Trojans may be working the background right now. Perform an in-depth scan and removal now, click here.
System Hijack!
System security threat was detected. Viruses and/or spyware may be damaging your system now. Prevent infection and data loss or stealing by running a free security scan.
XP Security Tool 2011 ALERT
Internet Explorer alert.
Visiting this site may pose a security threat to your system