Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

XP Security Analysis and Removal

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg |

XP Security belongs to the family of Trojan:Win32/FakeRean infecting users running Windows XP. It is installed by a trojan dropper file which is capable of installing a rogue with any one of the names from its stable, with a matching fake Windows Security Center.

It uses any one of the following names: XP Smart Security, XP Smart Security 2010, XP Antimalware 2010, XP Antimalware, XP Security Tool 2010, XP Internet Security, XP Defender Pro, XP Security, XP Security Tool, Antivirus XP.

XP Security Scareware

A rogue security software such as XP Security belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. Users should not fall for the fake alerts and must not buy the scareware. They need to be removed immediately from your system.

When ran the Trojan drops a hidden, system file named ave.exe in the %AppData% folder which in turn drops a hidden, system file named y7V11 in multiple directories including %AppData% and %Temp% folders. You may need to enable viewing hidden folders and protected operating system files in folder options control panel to see them. The scareware modifies the registry so that:

  • The scareware executes (ave.exe) every time a .exe file is run, an innovative way to autostart with Windows or to restart when killed via TaskManager. It also makes it difficult to install and run security programs.
  • Makes Internet Explorer as the default browser and promptly hijacks it to display a scare message whenever it is run.
  • Hijacks Firefox normal mode and Firefox safe mode (no addons), so that the scareware starts whenever Firefox is run and a fake alert is displayed.
  • Disables Windows Firewall
  • Disables genuine Windows Security Center notifications

XP Security Aliases

The trojan dropper is about 204288 bytes in size and is detected by more than 50% of the antivirus engines available at VirusTotal.

This scareware is given the following names by different antivirus software vendors:

  • Trojan.Win32.FakeAV!IK
  • W32/FakeSec.B.gen!Eldorado
  • Win32:MalOb-AL
  • Trojan.Win32.FraudPack.aovc
  • Win32/Kryptik.DBC
  • Mal/EncPk-NP
  • Mal/FakeAV-BT

Typical XP Security Scare Messages

System danger! Your system security is in danger. Privacy threats detected. Spyware, keyloggers or Trojans may be working in the background right now. Perform an in-depth-scan and removal now.

Severe system damage! Spyware and viruses detected in the background. Sensitive system components under attack! Data loss, identity theft and system corruption are possible. Act now, click here for a free security scan.

Virus Infection! System security was found to be compromised. Your computer is now infected. Attention, irreversible system changes may occur. private data may get stolen.. click here now for an instant anti-virus scan.

Malware Intrusion! Sensitive areas of your system were found to be under attack. Spy software attack or virus infection possible. Prevent further damage or your private data will get stolen. Run an anti-spyware scan now.

Virus intrusion! Your computer security is at risk. Spyware, worms and Trojans were detected in the background. Prevent data corruption and credit card information theft. Safeguard your system and perform a free security scan now.

XP Security Associated Files and Folders

  • C:\Documents and Settings\All Users\Application Data\y7V11
  • C:\Documents and Settings\\Local Settings\Application Data\ave.exe
  • C:\Documents and Settings\\Local Settings\Application Data\y7V11
  • C:\Documents and Settings\\Local Settings\Temp\y7V11
  • C:\Documents and Settings\\Templates\y7V11
  • C:\WINDOWS\Prefetch\

Some of the file names may be randomly generated. The term in the above entries denotes the name of the Windows user account in the test machine.

XP Security - Fake Windows Security Center

XP Security Associated Registry Values and Keys

  • HKEY_CLASSES_ROOT\.exe\DefaultIcon
  • HKEY_CLASSES_ROOT\.exe\shell
  • HKEY_CLASSES_ROOT\.exe\shell\open
  • HKEY_CLASSES_ROOT\.exe\shell\open\command
  • HKEY_CLASSES_ROOT\.exe\shell\runas
  • HKEY_CLASSES_ROOT\.exe\shell\runas\command
  • HKEY_CLASSES_ROOT\.exe\shell\start
  • HKEY_CLASSES_ROOT\.exe\shell\start\command
  • HKEY_CURRENT_USER\Software\Classes\.exe
  • HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
  • HKEY_CURRENT_USER\Software\Classes\secfile
  • HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Identity=1117626655
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\ StartMenuInternet\IEXPLORE.EXE\shell\open\command “C:\Documents and Settings\\Local Settings\Application Data\ave.exe” /START “C:\Program Files\Internet Explorer\iexplore.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\ “C:\Documents and Settings\\Local Settings\Application Data\ave.exe” /START “C:\Program Files\Mozilla Firefox\firefox.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\ C:\Documents and Settings\\Local Settings\Application Data\ave.exe” /START “C:\Program Files\Mozilla Firefox\firefox.exe” -safe-mode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride=1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride=1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications=1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications=1
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall=0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions=0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications=1
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall=0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications=1

The term in the above entries denotes the name of the Windows user account in the test machine.

XP Security Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • pc-livecare. com
  • winlive-care21. com
  • win-live-care .com
  • live-pc-care. com
  • pc-livecare2010. com
  • antivirus-one-care2010. com
  • windows-live-care. com
  • security-pccare. com
  • securitypccare. com
  • win-live-care2010. com
  • windows-live-care. com
  • cavertunelo. com
  • one-care-antivirus. com
  • live-pccare. com
  • onecare-antivirus2010. com

Note: Visiting the domains mentioned above may harm your computer system.

XP Security Removal (How to remove XP Security)

When removed improperly, the left over registry entries messes up the opening of .exe files.

Use an alternate browser like Chrome to download the following or use a removable drive to transfer them to the affected computer:

  1. Right click and save the registry file trojan_fakerean_exe_fix.reg, make sure that you are saving the file with a .reg extension.
  2. MalwareBytes’s Anti-Malware
  3. CCleaner Slim version
  • Double click to run the downloaded (trojan_fakerean_exe_fix.reg) registry file, Click Yes to merge the registry data. This will delete the offending registry keys blocking the .exe files.
  • Install and run MalwareBytes’s Anti-Malware. Go to the Update tab and check for updates. Once the update is completed, open the Scanner tab and choose a full-scan. Once the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
  • Turn System Restore off and on
  • Install, scan and clean the temporary files with CCleaner Slim version.

You should now be clean of this rogue.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

XP Security Scareware — Video

Note: The XP Security installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

{ 0 comments… add one now }

Leave a Comment