For example, trying to start the MS Paint application is blocked with a curt message: “Application cannot be executed. The file mspaint.exe is infected. Please activate your antivirus software.” Security programs and system tools such as Task Manager and the Control Panel applets are blocked the same way.
Internet Explorer is allowed to execute but not Firefox.
The trojan installer file is named install.exe (976420 bytes) and is detected under various names, including Trojan.Crypt.ZPACK, Win32/Obfuscator.FW and FakeAlert-DZ, by 8 out of 41 available virus engines at VirusTotal. The file was new to VirusTotal at the time of submission.
Total Security 2009/System Security Associated Files and Folders
- C:\Documents and Settings\All Users\Application Data\17088284\17088284
- C:\Documents and Settings\All Users\Application Data\17088284\17088284.exe
- C:\Documents and Settings\All Users\Application Data\17088284\pc17088284ins
- C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Total Security\Total Security 2009.lnk
- C:\Documents and Settings\malwarehelp.org\Desktop\Total Security 2009.lnk
- C:\Documents and Settings\All Users\Application Data\17088284
- C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Total Security
Some of the file names may be randomly generated.
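A triage check for the file artifacts listed above, as an added example that is not part of the original article. It assumes the randomly generated name is an all-digit string reused for the folder and the executable, which is inferred from the single sample (17088284) on this page; the function names are hypothetical.

```python
import re
from pathlib import Path

# Assumption: the randomly generated name is all digits, as in the one
# sample on this page (17088284). Other samples may differ.
NUMERIC_NAME = re.compile(r"\d{6,12}")
SHORTCUT_NAME = "total security 2009.lnk"  # shortcut name listed on the page


def find_rogue_folders(app_data_root):
    """Return folders named <digits> that hold <digits>.exe or pc<digits>ins."""
    hits = []
    root = Path(app_data_root)
    if not root.is_dir():
        return hits
    for child in sorted(root.iterdir()):
        if not (child.is_dir() and NUMERIC_NAME.fullmatch(child.name)):
            continue
        markers = [child / f"{child.name}.exe", child / f"pc{child.name}ins"]
        evidence = [m.name for m in markers if m.exists()]
        if evidence:  # a numeric folder alone is not enough to flag
            hits.append((str(child), evidence))
    return hits


def find_rogue_shortcuts(profiles_root):
    """Return Total Security 2009 shortcuts anywhere under the user profiles."""
    root = Path(profiles_root)
    if not root.is_dir():
        return []
    return sorted(str(p) for p in root.rglob("*.lnk")
                  if p.name.lower() == SHORTCUT_NAME)


if __name__ == "__main__":
    # Default Windows XP locations, matching the paths listed above.
    profiles = r"C:\Documents and Settings"
    app_data = profiles + r"\All Users\Application Data"
    for folder, evidence in find_rogue_folders(app_data):
        print("suspect folder:", folder, evidence)
    for link in find_rogue_shortcuts(profiles):
        print("suspect shortcut:", link)
```

The script only reports matches; it deletes nothing, so a hit should be confirmed against the registry values below before removal.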
Total Security 2009/System Security Associated Registry Values and Keys
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\17088284_ DisplayIcon C:\Documents and Settings\All Users\Application Data\17088284\17088284.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\17088284_ InstallLocation C:\Documents and Settings\All Users\Application Data\17088284
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemSecurity2009 DisplayIcon C:\Documents and Settings\All Users\Application Data\17088284\17088284.exe,0
Total Security 2009/System Security Associated Domains
This scareware was observed accessing the following domains during installation and operation:
- http://www.easynettest. com
- http://onlinebillingsolution. net
The IP 18.104.22.168 where easynettest. com resides is also home to the following domains:
Note: Visiting the domains mentioned above may harm your computer system.
Total Security 2009/System Security Removal (How to remove Total Security 2009/System Security)
- Download and install either Malwarebytes' Anti-Malware or SUPERAntiSpyware from the links above.
- Also download CCleaner.
- Boot into Windows Safe Mode.
- Click to scan with your chosen software. Check mark all instances of the rogue security software and delete them.
- Turn System Restore off and on.
- Install, scan and clean the temporary files with CCleaner.
You should now be clean of this rogue.
Note: The above installation and removal was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer and Firefox. The content provided in this article is not warranted or guaranteed by Malware Help.Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.