XP Security Tool 2010 Analysis and Removal

by Shanmuga

XP Security Tool 2010 belongs to the Trojan:Win32/FakeRean family and infects users running Windows XP. It is installed by a trojan dropper that can install a rogue under any one of the names in its stable, together with a matching fake Windows Security Center.

It uses any one of the following names: XP Smart Security, XP Smart Security 2010, XP Antimalware 2010, XP Antimalware, XP Security Tool 2010, XP Internet Security, XP Defender Pro, XP Security, Antivirus XP.

Rogue security software such as XP Security Tool 2010 belongs to a family of products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own. Users should not fall for the fake alerts and must not buy the scareware. It needs to be removed from your system immediately.

When run, the trojan drops a hidden, system-attributed file named ave.exe in the %AppData% folder, which in turn drops a hidden, system-attributed file named y7V11 in multiple directories including the %AppData% and %Temp% folders. You may need to enable viewing of hidden files and folders and of protected operating system files in the Folder Options control panel to see them. The scareware modifies the registry so that it:

  • Executes the scareware (ave.exe) every time a .exe file is run, an innovative way to autostart with Windows and to restart when killed via Task Manager. This also makes it difficult to install and run security programs.
  • Makes Internet Explorer the default browser and promptly hijacks it to display a scare message whenever it is run.
  • Hijacks Firefox in normal mode and in safe mode (no add-ons), so that the scareware starts whenever Firefox is run and a fake alert is displayed.
  • Disables Windows Firewall.
  • Disables genuine Windows Security Center notifications.

XP Security Tool 2010 Aliases

The trojan dropper is about 204288 bytes in size and is detected by more than 50% of the antivirus engines available at VirusTotal.

This scareware is given the following names by different antivirus software vendors:

  • Trojan.Win32.FakeAV!IK
  • W32/FakeSec.B.gen!Eldorado
  • Win32:MalOb-AL
  • Trojan.Win32.FraudPack.aovc
  • Win32/Kryptik.DBC
  • Mal/EncPk-NP
  • Mal/FakeAV-BT

Typical XP Security Tool 2010 Scare Messages

System danger! Your system security is in danger. Privacy threats detected. Spyware, keyloggers or Trojans may be working in the background right now. Perform an in-depth-scan and removal now.

Severe system damage! Spyware and viruses detected in the background. Sensitive system components under attack! Data loss, identity theft and system corruption are possible. Act now, click here for a free security scan.

Virus Infection! System security was found to be compromised. Your computer is now infected. Attention, irreversible system changes may occur. private data may get stolen.. click here now for an instant anti-virus scan.

Malware Intrusion! Sensitive areas of your system were found to be under attack. Spy software attack or virus infection possible. Prevent further damage or your private data will get stolen. Run an anti-spyware scan now.

Virus intrusion! Your computer security is at risk. Spyware, worms and Trojans were detected in the background. Prevent data corruption and credit card information theft. Safeguard your system and perform a free security scan now.

XP Security Tool 2010 Associated Files and Folders

  • C:\Documents and Settings\All Users\Application Data\y7V11
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\ave.exe
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\y7V11
  • C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\y7V11
  • C:\Documents and Settings\malwarehelp.org\Templates\y7V11
  • C:\WINDOWS\Prefetch\AVE.EXE-3098ECAE.pf

Some of the file names may be randomly generated. The term malwarehelp.org in the above entries denotes the name of the Windows user account in the test machine.

XP Security Tool 2010 Associated Registry Values and Keys

  • HKEY_CLASSES_ROOT\.exe\DefaultIcon
  • HKEY_CLASSES_ROOT\.exe\shell
  • HKEY_CLASSES_ROOT\.exe\shell\open
  • HKEY_CLASSES_ROOT\.exe\shell\open\command
  • HKEY_CLASSES_ROOT\.exe\shell\runas
  • HKEY_CLASSES_ROOT\.exe\shell\runas\command
  • HKEY_CLASSES_ROOT\.exe\shell\start
  • HKEY_CLASSES_ROOT\.exe\shell\start\command
  • HKEY_CURRENT_USER\Software\Classes\.exe
  • HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
  • HKEY_CURRENT_USER\Software\Classes\secfile
  • HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
  • HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Identity=1117626655
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride=1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride=1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications=1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall=0
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications=1
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall=0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions=0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications=1
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall=0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications=1

The term malwarehelp.org in the above entries denotes the name of the Windows user account in the test machine.
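
As an added example (not part of the original analysis, and not the site's own fix file), the following Python script parses a registry export in .reg format and flags the changes listed above: the .exe handler redirection and the secfile class, the StartMenuInternet browser hijack, the Security Center overrides and the disabled firewall profile. The sample export is constructed from the entries above; the stock values it compares against ("exefile" for the .exe type and "%1" %* for its open command) are Windows XP defaults, and the exact .exe command value is a constructed illustration since the page does not quote it.

```python
import re
# Constructed sample in .reg export format, modelled on the registry entries listed above
# (test-machine user name and paths reused; the .exe command value is a constructed illustration).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Documents and Settings\\malwarehelp.org\\Local Settings\\Application Data\\ave.exe\" /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\malwarehelp.org\\Local Settings\\Application Data\\ave.exe\" /START \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DisableNotifications"=dword:00000001
'''
STOCK_EXE_COMMAND = '"%1" %*'   # Windows XP default for exefile\shell\open\command

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: value}}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):           # [KEY] section header
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)   # @=... or "name"=...
        if not m or current is None:
            continue
        name, data = ("@" if m.group(1) == "@" else m.group(2)), m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r'\\(.)', r'\1', data[1:-1])             # un-escape \" and \\
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data                                 # other forms (hex:...) kept raw
    return keys

def first_exe(command):
    """Base name of the program a command line launches (its first token, honouring quotes)."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command or "")
    path = (m.group(1) or m.group(2)) if m else ""
    return path.rsplit("\\", 1)[-1].lower()

def find_fakerean_indicators(keys):
    """Flag the registry changes the analysis above attributes to this rogue."""
    findings = []
    for key, values in keys.items():
        k, default = key.lower(), values.get("@")
        if k.endswith("\\.exe") and default is not None and default.lower() != "exefile":
            findings.append(f"{key}: .exe handler redirected to class '{default}'")   # stock is exefile
        if re.search(r"\\shell\\(open|runas|start)\\command$", k):   # .exe / secfile launch commands
            parent = k.rsplit("\\shell\\", 1)[0]
            if parent.endswith(("\\.exe", "\\secfile")) and default not in (None, STOCK_EXE_COMMAND):
                findings.append(f"{key}: executable launch wrapped by '{first_exe(default)}'")
        m = re.search(r"\\clients\\startmenuinternet\\([^\\]+)\\shell\\[^\\]+\\command$", k)
        if m and default is not None and first_exe(default) != m.group(1):   # browser entry runs something else
            findings.append(f"{key}: browser start hijacked via '{first_exe(default)}'")
        if k.endswith("\\microsoft\\security center"):               # AV / firewall monitoring switched off
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if values.get(name) == 1:
                    findings.append(f"{key}: {name}=1 (Security Center alert suppressed)")
        if "\\firewallpolicy\\" in k and k.endswith("profile"):      # Windows Firewall profile settings
            if values.get("EnableFirewall") == 0:
                findings.append(f"{key}: EnableFirewall=0 (firewall disabled)")
            if values.get("DisableNotifications") == 1:
                findings.append(f"{key}: DisableNotifications=1 (firewall alerts silenced)")
    return findings
```

On a real machine the input would be the output of `reg export` for the HKCR, HKCU\Software\Classes, HKLM\SOFTWARE and HKLM\SYSTEM hives; unquoted command lines containing spaces are reported by their first token only.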

XP Security Tool 2010 Associated Domains

This scareware was observed accessing several domains during installation and operation.


Note: Visiting the domains mentioned above may harm your computer system.

XP Security Tool 2010 Removal (How to remove XP Security Tool 2010)

When removed improperly, the leftover registry entries break the opening of .exe files.

Use an alternate browser such as Chrome to download the following, or use a removable drive to transfer them to the affected computer:

  1. The registry file trojan_fakerean_exe_fix.reg (right click and save; make sure the file is saved with a .reg extension).
  2. Malwarebytes' Anti-Malware

Then, on the affected computer:

  • Double click the downloaded registry file (trojan_fakerean_exe_fix.reg) and click Yes to merge the registry data. This deletes the offending registry keys that block .exe files from running.
  • Install and run Malwarebytes' Anti-Malware. Go to the Update tab and check for updates. Once the update is complete, open the Scanner tab and choose a full scan. When the scan is complete, click "Show results", confirm that all instances of the rogue security software are check-marked and then click "Remove Selected" to delete them. If prompted, restart immediately to complete the removal process.
  • Turn System Restore off and on again, so that restore points containing the rogue are discarded.

You should now be clean of this rogue.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

XP Security Tool 2010 Scareware — Screen shots

XP Security Tool 2010 Scareware — Video

Note: The XP Security Tool 2010 installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

More Trojan FakeRean clones on Windows XP: XP Defender Pro Analysis and Removal, XP Internet Security Analysis and Removal, XP Security Analysis and Removal, XP Security Tool Analysis and Removal, Antivirus XP Analysis and Removal, XP AntiMalware Analysis and Removal, XP AntiMalware 2010 Removal and Analysis, XP Smart Security Analysis and Removal, XP Smart Security 2010 Analysis and Removal.

28 comments

Anonymous March 19, 2010 at 11:40 PM

Thank you so much for your help! I reviewed several sites, but they all proved unhelpful. Your step-by-step explanation not only helped me to get rid of the virus, but my computer is now running much smoother than before. Plus, by helping me solve the problem on my own, you saved me nearly $200, which was a minimum price I was quoted by local computer repair shops.

Thank you again!

Matthew Jones March 25, 2010 at 12:34 AM

Guys! PLEASE HELP!?!?!??! My girlfriend was using my computer when XP ANTIMALWARE 2010 came up on the tool bar! Without telling me she used her credit card to purchase the software! Now not only is it installed on my laptop they also have her credit card details! I have cancelled the card and there hasn’t as yet been any dodgy transactions on it BUT PLEASE can someone help me to get this off my computer??!!? Any advice PLEASE?!?! I am not a big computer user so idiot terms please! I do not know what to do!?!?!? I HATE THESE HACKERS!

JOner

Shanmuga March 25, 2010 at 7:25 AM

XP AntiMalware 2010 is one of the aliases used by Trojan FakeRean. The removal instructions in this post should get rid of it too.

Chris March 25, 2010 at 8:11 AM

I appreciate the info you’ve provided, but I don’t think I’m downloading/running the registry file correctly. It saves as a text file and when I double click it, it just opens in notepad. I am not asked to merge the registry data. I used regedit to import it into the registry, but I still have been unable to run the Anti-Malware because it can’t find the .exe file. Thanks

Shanmuga March 25, 2010 at 8:25 AM

Chris, right click on the downloaded file, choose rename and remove “.txt”. Make sure the name of the file is “trojan_fakerean_exe_fix.reg”. It should work now.

Matthew Jones March 25, 2010 at 10:22 PM

Guys thanks for the help but I do not understand how to use the above information. Please can someone explain step by step what I have to do? In layman's terms.

Thanks so much

Matthew

Chris March 26, 2010 at 4:24 AM

Thanks. I previously tried renaming it with no luck. It downloaded with the reg extension but opens as a text file. So I still haven’t figured out how to make it work. I did manage to get Anti-Malware to run and seem to have exorcised XP Security Tool. I’m still dealing with Security Guard, though.

Drew March 29, 2010 at 8:38 PM

I’ve download the trojan_fakerean_exe_fix.reg with the reg extension and not text. But I’m having trouble with downloading the MalwareBytes’s Anti-Malware. Can you please help me out?

Kenny March 31, 2010 at 1:27 AM

Thanks for this procedure; I’m going to give it a shot, but I think I may have bigger problems. I thought I was fully protected by the McAfee Security Suite, but last night, I started getting all the symptoms of this Trojan. I ran a full scan on my system with McAfee, and it found and quarantined several files, but when I restarted the computer, I got the BSOD. I restarted in safe mode (with networking), and downloaded and installed MalwareBytes’ Anti-Malware. It found several (about 11) infected files, and it removed them for me. I thought everything was cleared up, but this morning, it all started again. I re-ran MalwareBytes, and it found two infected files and cleaned them. When I restarted, I got the BSOD again, and I can now only open in safe mode.

I will try your steps (assuming they can be executed from Safe Mode) once my latest McAfee scan is finished, but do you think I’m barking up the wrong tree?

Aly April 5, 2010 at 9:47 PM

Hi All- I just got this trojan/malware again, and I am trying to figure out why? What programs can I get to block my computer from getting it again? I don’t want to purchase software that will only keep it safe for a year.. I have many free programs, like malware bytes, avast, clamware, etc and also the Windows security features and updates. Is there an active malware blocking program?

Please help if you can. Thanks!

eric April 6, 2010 at 12:22 AM

What is up with this program?
It’s been around for year but the past month or two,it’s getting relentless.
Just today, I removed it from a customer's computer, who I'd removed it from two weeks ago.
my question:
what programs are good for PREVENTING the infection from happening?
I’m seeing it get past Norton, McAfee, AVG, Avira, Windows Defender, and Malwarebytes.

I can fix it no problem, but I want to know how to prevent it.

James April 6, 2010 at 10:29 AM

Having a problem with this still. Someone in my family downloaded this thing (they tend to download the stupidest crap…) and I ran the edited registry and now I’m trying to install MBAM and as soon as it “installs” and I try to run it I get an error message (Unable to execute file: “Insert location here”….CreateProcess failed; code 2. The system cannot find the file specified.) I get it twice and every time I try to launch, it happens. Is the trojan preventing it from installing or something? I downloaded it on a separate computer and brought it over on a USB.

Thanks in advance for any potential advice.

Shanmuga April 6, 2010 at 1:34 PM

James, download a random-named mbam from http://mbam.malwarebytes.org/program/random.php. If you still have problems, rename the setup file to anything, e.g. notmbam.exe or explorer.exe. Sometimes you may also need to rename the mbam.exe found in the Program Files folder to get it up and running. Just remember to update before scanning.

Brandon April 7, 2010 at 9:18 AM

EXCELLENT information and instructions! KILLED IT. My girlfriend managed to royally mess up her new laptop. It literally took an hour (42 minutes of mbam scanning) to make this thing run like new. No longer does she get hounded by fake windows security. I really appreciate you guys. Now she won’t EFF up my computer :) lol. Don’t know what else to say but THIS ROCKED! Thank you very much.

mohan April 11, 2010 at 2:39 AM

Hi, Thank you very much. It worked.

Sam April 18, 2010 at 8:26 PM

Thank you… I was wondering if the link to trojan_fakerean_exe_fix.reg is little more than an exe reassociation registry fix? Or does it do more? I have used just such a file from Doug's XP Fixes and Tips and then ran Malware AM Program, only to become re-infected in a couple of days. With what seems to be an enhanced malware infection. In other words it seems that XP Security Tool 2010 is learning from my efforts and I am running out of things to try. Any help out there? Tnx again..

Shanmuga April 18, 2010 at 10:41 PM

@sam, In addition to .exe file re-association, this reg file also deletes certain keys created by Trojan fakerean.

Sam April 18, 2010 at 11:09 PM

Again, tnx. Here it is 4 hrs 30 minutes later and I have been reinfected again. I am using my, thus far uninfected, laptop. First use of Trojan_fakerean/Malwarebytes AM I found 5 infections, they were successfully removed. My second use following your procedures, I cleaned 9 infections. As I said it seems to be getting wider and wider. In effect learning.
This last time I noticed it first as it took over Win Firewall, at that point I began 2nd application of the process outlined by you. It is clean and I am scared to do anything with it..

I am going to follow your suggested links to forums but I am afraid that is looking more and more like I need to do a wipe/reformat…..Grrrrr

Grant April 21, 2010 at 12:53 PM

I did the reg fix and downloaded and installed malware bytes. I did the update to 04/20/2010 and did a scan and it found nothing. So I went through the Documents and Settings folder and found some strange files with date/times of when I was infected (like an hour ago):

1329389005
H2AT6812bbH

These files are in a bunch of folders under Documents and Settings (you need to search with Hidden file option on).

The VERY strange thing is I found the ave.exe file in //Local Settings/Application Data/ave.exe. So I ran malware bytes on it and it CAME UP CLEAR!! It said it WASN'T malware… wtf!?

David April 25, 2010 at 6:41 PM

Thanks for this info. I also had a problem with the .reg file just opening with notepad when double clicking it, even with the .reg extension. I got round this by going to Start->Run and typing regedit into the box to run regedit, killing ave.exe in task manager manually straight away, and then dragging the .reg file onto regedit.
I also couldn’t install Chrome, and IE wouldn’t even let me view this page until I visited here via a proxy, which allowed me in ok.

MBAM has now apparently cleared various files and is reporting no further problems, however the Internet Explorer browser remained hijacked and I could still only visit sites like this one via a proxy. There was nothing in the hosts file, clearing local DNS cache didn’t seem to make any difference and there is no proxy setup in IE settings. Rebooting after the above fix didn’t seem to work either. Couldn’t work out how to un-hijack the browser, but having left the PC off overnight and come back today, it seems to be fixed now, which is nice.

(Tried commenting here yesterday but couldn’t get the Captcha images due to going through a proxy!)

D

Hayden May 10, 2010 at 3:25 AM

Hmm. I’m sorry to inform you that there are 189 aliases, as proved by Wikipedia…
But anyways. I hated having to re-format my entire computer before reading this, it would’ve helped. But my friend said he’s encountered it twice, and removed it all with System Restore. He set it as a shortcut and used it before the virus has time to notice. He sets it the day before it launched and it goes bai-bai. But what do you mean by step one and the first bullet? I don’t understand.

Mary November 22, 2010 at 11:07 AM

This worked after a few tries, thanks! I ended up renaming the .reg file to fakereg.reg because I got paranoid that the Trojan was a learning program! Thankfully, I had Google Chrome installed a few months ago.

Also, it seemed that no executable files could run between the time I ran the .reg file, downloaded the Anti-malware program and ran the Anti-malware program. Here were the steps I took that seemed to help:

I had the .reg file on my desktop so that I didn’t have to pull up Explorer to find it. During the scan, I had no windows open, and I didn’t touch any keys (took over an hour to get through my hard drive). Also, the anti-malware program did not delete all of the files, so on the last (successful) try, after the scan was completed and before I rebooted the computer, I went straight to the quarantined files tab, deleted all of them, and then went directly to the Start menu to reboot the computer.

This is nasty stuff. One of the clues that it was working is that the last (successful) time, the apocalyptic Trojan pop-ups weren’t happening during the whole scan.

Thanks to the Wicked Smaht folks who got me out of this. I am not comfortable working with computers. You rock!

Gill November 25, 2010 at 2:57 AM

If the file keeps saving as a text, allow it to. Go into the saved notepad file and go to save as. Remove the .Txt from the end of the file and save. My computer was automatically saving the file as a .Txt no matter what I did. I also did all of this while in safemode, I don’t know what part that played, but that’s my story. Good luck.

Jerome Roy April 8, 2011 at 11:11 AM

Thank you so much for your step by step instructions. Worked perfectly where all else failed. Saved me from formatting my PC and losing all my data.

Sam April 21, 2011 at 7:46 PM

David brought up a good point, after this virus/trojan is removed, IE7 still will not work. I continue to get the Cannot display the webpage error. I remember reading somewhere that this virus changes one setting in IE and simply changing it back to what it is supposed to be fixed the IE problem that was caused by this virus. Does anyone know what that setting in IE is.

omh May 3, 2011 at 5:57 AM

Try running any browser as an admin, by right clicking and choosing “run as”.
on the next window, un-check the box and you should have access to the internet again. It worked for me, without having to restart in safe mode.

p2p May 13, 2011 at 10:49 AM

I have a PC running XP and can’t get rid of XP Security 2011. The information given here is helpful to clean it out. Thanks for sharing.

ranger June 26, 2011 at 7:27 AM

this so far going step by step did get rid of it .. thanks for info
