Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

Total Security 2009 (System Security) Analysis and Removal

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg |

This scareware uses the season’s template “My Computer Online Scan” to install itself. This template uses a combination of gif images and JavaScript to simulate an online scan and fake warning messages about non-existent malware on the victims’ system. While the popups and warning messages are infrequent compared to other rogue security software, this one takes control of the victims system on restart. It shuts down all other software except itself and any attempt to run any executable is blocked.

For example trying to start the MS Paint application is blocked with a curt message that “Application cannot be executed. The file mspaint.exe is infected. Please activate your antivirus software.” Starting any security programs or system processes like task manager, applets in control panel are also blocked this way.


Internet Explorer is allowed to execute but not Firefox.

The trojan installer file is named install.exe (976420 Bytes) detected in various names as Trojan.Crypt.ZPACK, Win32/Obfuscator.FW and FakeAlert-DZ by 8 out of 41 available virus engines at VirusTotal. The file was new to VirusTotal at the time of submission.

Total Security 2009/System Security Associated Files and Folders

  • C:Documents and SettingsAll UsersApplication Data1708828417088284
  • C:Documents and SettingsAll UsersApplication Data1708828417088284.exe
  • C:Documents and SettingsAll UsersApplication Data17088284pc17088284ins
  • C:Documents and Settingsmalwarehelp.orgStart MenuProgramsTotal SecurityTotal Security 2009.lnk
  • C:Documents and Settingsmalwarehelp.orgDesktopTotal Security 2009.lnk
  • C:Documents and SettingsAll UsersApplication Data17088284
  • C:Documents and Settingsmalwarehelp.orgStart MenuProgramsTotal Security

Some of the file names may be randomly generated.

Total Security 2009/System Security Associated Registry Values and Keys

  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallsystemsecurity2009
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun17088284
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstall17088284_ DisplayIcon C:Documents and SettingsAll UsersApplication Data1708828417088284.exe
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstall17088284_ InstallLocation C:Documents and SettingsAll UsersApplication Data17088284
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallSystemSecurity2009 DisplayIcon C:Documents and SettingsAll UsersApplication Data1708828417088284.exe,0
  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUninstallSystemSecurity2009

Total Security 2009/System Security Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • http://www.easynettest. com
  • http://onlinebillingsolution. net

The IP where easynettest. com resides is also home to the following domains:

  • http://bestwebsitesecurity. com/
  • http://greatsecuritytestinternet. com/
  • http://internetprotectioncheck. com/
  • http://bestsecurityjobs. com/
  • http://bestwebsitesecurity. com/
  • http://cheapsecurityscan. com/
  • http://safetyscantool. com/
  • http://scantoolsite. com/
  • http://securityread. com/
  • http://securityscantooldirect. com/
  • http://securityscantoolguide. com/
  • http://securityscantoolworld. com/
  • http://securitysupplycenter. com/
  • http://securitytoolworld. com/
  • http://yourcommunitysecurity. com/
  • http://yoursecuritynetwork. com/
  • http://businesssecuritytool. com/
  • http://visualsecuritysupply. com/

Note: Visiting the domains mentioned above may harm your computer system.

Total Security 2009/System Security Removal (How to remove Total Security 2009/System Security)

The free versions of MalwareBytes’s Anti-Malware Free edition and SuperAntiSpyware appear to remove this rogue security software in Windows safe mode.

  1. Download and Install either MalwareBytes’s Anti-Malware or SuperAntiSpyware from the links above.
  2. Also download CCleaner.
  3. Boot in to Windows Safe mode.
  4. Click to scan with your chosen software. Check mark all instances of the rogue security software and delete them.
  5. Turn System Restore off and on.
  6. Install, scan and clean the temporary files with CCleaner.

You should now be clean of this rogue.

Total Security 2009/System Security — Screenshots

Total Security 2009/System Security — video

Note: The above installation and removal was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer and Firefox. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

{ 0 comments… add one now }

Leave a Comment

Previous post:

Next post: