Virus Alert - XP Total Security 2011

Category: Viruses

Somehow I got a virus called XP Total Security, and I can't get rid of it. It blocks my security software, and it won't let me download any new anti-virus tools. It's even asking me for money... how do I get rid of this thing?

How to Remove XP Total Security 2011

An especially nasty fake anti-malware program is making the rounds. It goes by many names including XP Total Security, XP Home Security Vista Anti-Virus, Win 7 Anti-Spyware, Win 7 Internet Security, and "2011" variants that sound like the latest and greatest anti-malware tool. But they're all the same evil malware in various disguises.

This malware is delivered to your computer via a Trojan horse: a file that purports to be something else such as a movie or handy utility. It installs itself as an executable file whose name is three letters long; unfortunately, the three letters are randomly generated so I can't tell you a file name to look for. Once installed, it pretends to be a security update for Windows installed via Automatic Updates.

The malware launches whenever your launch another executable file. It also modifies Windows registry settings so that whenever you launch Internet Explorer or Firefox from the Windows Start menu, the malware launches instead and displays a fake firewall warning.
XP Total Security Virus

Like other rogue anti-malware, this one fakes a "full scan" of your computer when it starts. It then displays multiple alarming warnings of "infected files" - all of them false positives. It tells you that you must purchase the "full" version" of the fake anti-malware program to eliminate the infections. Don't do it, and don't try to remove the "infected" files manually. All of them are legitimate system files that Windows needs to operate.

The rogue aggressively deters efforts to remove it or get help. If you try to run a legitimate anti-malware app, the rogue will block its startup and display a fake "infected file" alert. Try browsing to a popular anti-malware site and the rogue will block the URL, telling you (falsely) that the page you are trying to visit is dangerous and blocked "for your protection."

The Cure For XP Total Security

Malwarebytes Anti-Malware is one legitimate cure for the XP Total Security rogue and its aliases. Try downloading MBAM to your computer. If the rogue blocks the download, you will have to use an uninfected machine to download MBAM to a CD or USB flash drive that you can use on your infected computer.

After downloading the mbam-setup.exe file, you will have to rename its extension from .exe to .com. That's because the rogue launches itself in place of all .exe files. Then launch to install MBAM. You're not done renaming just yet.

  • Navigate to your Program Files\Malwarebytes' Anti-Malware folder and locate the file mbam.exe. Rename that file to and run it to launch MBAM.
  • Click the Update tab to download any updates to MBAM. Then run a "Quick Scan," which may take a while.
  • When the scan is complete click Show Results. Make sure that every item in the Results list is checked, then click Remove Selected.
  • When the disinfection is complete, you may be prompted to restart MBAM. Notepad will open to display a log file, which you may save for future reference.
  • Reboot your computer. Rename back to mbam.exe.

The fake Total Security rogue is now removed. Malwarebytes notes that the paid version of MBAM can detect and block the installation of this rogue anti-malware. If your current security software didn't, you may want to invest in MBAM as an extra layer of security.

Have YOU had experience with XP Total Security 2011, or one of its evil cousins? Post a comment or question below...

Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Check out other articles in this category:

Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 1 Jun 2011

For Fun: Buy Bob a Snickers.

Prev Article:
Backing Up Multiple Computers

The Top Twenty
Next Article:
Which 4G Phone is Fastest?

Most recent comments on "Virus Alert - XP Total Security 2011"

(See all 54 comments for this article.)

Posted by:

06 Jun 2011

Bob, I have installed the free version of MBAM.Ever since doing so, when I click on Windows Defender, I get a yellow sign saying that a problem has prevented Defenders from starting. I have to click on re-start, and Defender begins running correctly. Is MBAM the source of the problem here? I would really like to keep MBAM on my computer to stop viruses like XP Total Security.

EDITOR'S NOTE: I've not heard of a conflict between Defender and MBAM. But you can find out by removing MBAM and see if the problem persists. Or you can just live with it, since it seems both are working fine despite the warning.

Posted by:

Tom Van Dam
10 Jun 2011

I can't say that I had the same exact virus but a nasty one. It happened at work on one of my user's computer. It disabled Task Manager, kept trying to run a system restore (not sure if it was legit or not), and "removed" the icons from the desktop and start menu. I used SuperAntiSpyware to scan the system which cured the problem. I then started to restore the icons and found that attributes had been changed to hidden so none of them would show. After resetting the attribute, most of them came back but I still had to rebuilt some shortcuts to get everything back to where it was.

Posted by:

10 Jun 2011

One scan of mbam will clean up all of this rogueware? If you run the install and run in safemode will you have to change the extension? I have found that it takes more than a scan of mbam to fully clean a machine infected with rogueware,...but I will try this method soon.

Posted by:

10 Jun 2011

I was infected with the a version of the XP Total Security 2011 on my home computer – running Windows VISTA. The interesting thing is, I have an active subscription to McAfee and was not protected. After working with McAfee on the problem, I finally got my computer clean, cut in the process, several of my installed programs no longer worked. For example if I launched MS Word (2007), it actually started the 2007 Installation process. If I launched other programs (e.g., Adobe Photoshop Elements) I got the standard windows notification that the .exe was not found, do you want to browse for it. Anyway, I’m still not sure how many installed programs have been lost, but it appears that I will need to reinstall most of my applications. McAfee, didn’t have any explanation for this and tried to pass it off as a coincidence that it happened at the exact same time. Any ideas? Can this malware virus do this, or do you think McAfee inadvertently did something while remotely controlling my computer? Any insight would be appreciated.

Posted by:

10 Jun 2011

I have windows XP sp 3 and dealt with this, more than once.It's called a fakerean.I use windows task manager to isolate the process then shut it down so my AV program can update and/or run.I run a quick scan then a full scan.Problem solved.

Posted by:

10 Jun 2011

I'm a newbie thought PC Matic would take care of issues like this? does this mean I have to get a new program everytime something comes up?

EDITOR'S NOTE: No, something like MBAM is generally not needed unless you have a problem that your current software does not handle.

Posted by:

Heavy D
11 Jun 2011

This is coming alittle late, my first instance with "System Tools 2011" was Jan 1 2011 on Myspace.

And i when i unistalled it, windows would not work, so I formated and reinstalled windows.

I went on Myspace after it was there again, so i stopped using Myspace, and have not encountered again.

Oh, and I was not even asked if I wanted to download anything, it just installed. And I do work as a computer IT.

Posted by:

11 Jun 2011

I always launch Microsoft Security Essentials when accessing any potentially risky websites (those I haven't used before). So when the rogue Total Security starts I access MSE and start a scan. It will work because it has already been launched. While that runs I close down the rogue program.

Posted by:

Bob C
11 Jun 2011

KASPERSKSY VIRUS REMOVAL TOOL will get rid of this and others as well.
Download is FREE

Posted by:

11 Jun 2011

I have dealt with several instances of this virus. In most cases AntiVirus was present, but it loaded via a social media connection (such as FaceBook) where most people have granted the program rights to install small programs (such as a game or Farmville).

If you log into the infected PC as a different user you are unlikely to encounter the infection, as it has attacked in the profile space of the original user. At this point Malwarebytes IS an effective cleaner without modification.

Once clean the original user profile will still show damage. A new profile (username) can be generated and data mass copied from the old profile without worries. On a network this requires a new user account in the domain.

As a user always be suspicious of free cleaners that offer themselves to you. And any cleaner that finds a problem but says you need to download something to fix the found problem should be considered suspect.

Posted by:

Andrew G.
11 Jun 2011

Yes I had a problem with this the other day but Spybot - Search & Destroy took care of it just fine.

Posted by:

11 Jun 2011

Running WinXP SP3,ran into this issue about 2 weeks ago. The file was a numbered(i.e, 12345.exe)or something like that. Once I found the folder where the file had installed itself, tried to delete it but kept getting "File is in use by another program". The simple solution was to reboot in Safe Mode and I was then able to delete the file. Ran full system scan, haven't had any problems since

Posted by:

12 Jun 2011

I found it blocked Malwarebytes installing.
In task manager it was listed as hbv.exe

It resides in \Documents and Settings\"username"\Local settings\Application data with hidden & system attributes

Have to Show hidden files & folders as well as untick " Hide extensions for known file types" & "Hide protected operating system files" before it can be seen. After stopping it with task manager I deleted hbv.exe
Then run regedit & delete all keys associated with
Afterwards I installed Malwarebytes & did scan, didn't find any more traces of this infection

Posted by:

12 Jun 2011

I had to remove it from my girlfriends daughters netbook. As noted it did start anytime you opened a browser. I however first found the program in task manager and ended the task. then I disabled all start up programs in msconfig and restarted the computer. Then I did a system restore to before she remembered the problem. Then a scan with Windows Security essentials and found and deleted the offending files and not a problem since. I believe the key to it was figuring out the process to end in Task Manager and then doing the system restore to predate the registry to the problem. I got it on the first try so the details are a bit shaky. I had dealt with a similar problem a year and a half ago so I had an idea of what might work.

Posted by:

12 Jun 2011

As a system builder I've cleaned this virus at least twice so far, both times with Malwarebytes. I then put the paid version on the computers (and charge for it) to keep it from happening again. I do a couple things different to the article.
1) Install the latest version of Malwarebytes AND the latest definitions to the infected PC.
2) Boot the infected PC into safe mode and run Malwarebytes (I've not had to rename any files)

Hope this helps someone. :-)

Posted by:

13 Jun 2011

I had a problem with this rogue malware too. I used system restore to get rid of it.

Posted by:

Herb Klug
19 Jun 2011

Bob - You are a lifesaver!! I read the article, How to Remove XP Total Security 2011, one night and two days later I was infected. Your directions on how to get rid of it worked perfectly. I would normally say I don't know how to thank you, but I found the webpage where I can send a gift to you so the Audi is on it's way. (Actually, it's the granola bar, but I wanted to give you a thrill for a moment.) Your columns are great. Please keep up the good work.

Posted by:

Abi CAlcano
27 Jun 2011

I had one of this nasty malware and I had to buy a new HDD because at that time I did not know about this awesome site (askbobrankin.con)

Posted by:

09 Jul 2011

Changed the system date by 8 days and then it no longer ran and I was able to remove it with malware bytes without any problems.

Posted by:

18 Jan 2014

How do you even know if you got an infected computer in the first place??????

There's more reader feedback... See all 54 comments for this article.

Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! Comments of a political nature are discouraged. Please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are reviewed, and may be edited or removed at the discretion of the moderator.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter

Copyright © 2005 - Bob Rankin - All Rights Reserved
About Us     Privacy Policy     RSS/XML

Article information: AskBobRankin -- Virus Alert - XP Total Security 2011 (Posted: 1 Jun 2011)
Copyright © 2005 - Bob Rankin - All Rights Reserved