How to remove XP Security Tool virus
XP Security Tool is a rogue security program from the Trojan:Win32/FakeRean family (Microsoft's name for it) that targets users running Windows XP. It is installed by a trojan dropper that can install any of the rogues in the family's stable under one of several names, together with a matching fake Windows Security Center.
It uses any one of the following names: XP Smart Security, XP Smart Security 2010, XP Antimalware 2010, XP Antimalware, XP Security Tool 2010, XP Internet Security, XP Defender Pro, XP Security, XP Security Tool, Antivirus XP.
Rogue security software such as XP Security Tool is a class of programs that present themselves as antivirus, antispyware or registry cleaners and use deceptive or high-pressure sales tactics, including deliberate false positives, to push users into buying a license or subscription. They are frequently repackaged and renamed. They do not actually remove malware; many of them install additional malware of their own. Do not act on the fake alerts and do not buy the scareware. Remove it from the system immediately.
XP Security Tool Aliases
The trojan dropper is about 204,288 bytes in size and, at the time of writing, was detected by more than half of the antivirus engines available at VirusTotal.
This scareware is given the following names by different antivirus software vendors:
Trojan.Win32.FakeAV!IK
W32/FakeSec.B.gen!Eldorado
Win32:MalOb-AL
Trojan.Win32.FraudPack.aovc
Win32/Kryptik.DBC
Mal/EncPk-NP
Mal/FakeAV-BT
How to manually remove this virus:
Remove XP Security Tool Associated Files and Folders
(The profile name malwarehelp.org in the paths below is the user account on the machine the sample was analysed on; substitute the name of the infected account.)
C:\Documents and Settings\All Users\Application Data\y7V11
C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\ave.exe
C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\y7V11
C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\y7V11
C:\Documents and Settings\malwarehelp.org\Templates\y7V11
C:\WINDOWS\Prefetch\AVE.EXE-3098ECAE.pf
Remove XP Security Tool Associated Registry Values and Keys
Caution: the .exe and secfile keys below are how the rogue inserts itself into every program launch. HKEY_CLASSES_ROOT is a merged view in which HKEY_CURRENT_USER\Software\Classes overrides HKEY_LOCAL_MACHINE\Software\Classes, so the per-user .exe and secfile keys are what produce the hijacked HKEY_CLASSES_ROOT\.exe entries. Do not simply delete them and stop there: set the default value of HKEY_CLASSES_ROOT\.exe back to exefile and remove the rogue's DefaultIcon and shell subkeys under it, otherwise no .exe file will open afterwards. Likewise, set the Security Center override values back to 0 and EnableFirewall back to 1 rather than deleting those values.
HKEY_CLASSES_ROOT\.exe\DefaultIcon
HKEY_CLASSES_ROOT\.exe\shell
HKEY_CLASSES_ROOT\.exe\shell\open
HKEY_CLASSES_ROOT\.exe\shell\open\command
HKEY_CLASSES_ROOT\.exe\shell\runas
HKEY_CLASSES_ROOT\.exe\shell\runas\command
HKEY_CLASSES_ROOT\.exe\shell\start
HKEY_CLASSES_ROOT\.exe\shell\start\command
HKEY_CURRENT_USER\Software\Classes\.exe
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\.exe\shell
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
HKEY_CURRENT_USER\Software\Classes\secfile
HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\secfile\shell
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
HKEY_CURRENT_USER\Software\Microsoft\Windows\Identity=1117626655
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command="C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command="C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command="C:\Documents and Settings\malwarehelp.org\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride=1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications=1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall=0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications=1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall=0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions=0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications=1
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall=0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications=1
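As an added example (not code from the original article or from the sample's author), the Python script below parses a registry export and reports which of the hijacks listed above are present, so the registry can be triaged offline before anything is deleted. The .reg parser is a minimal one written for this page; SAMPLE_REG is a constructed export, and the data of the secfile open command in it is an assumption (the article lists the key but not its value).

```python
"""Offline triage of a Windows registry export for the XP Security Tool /
FakeRean hijacks listed above.  Added example, not code from the article:
the .reg parser is a minimal one written for this page and SAMPLE_REG is a
constructed export (the secfile command data in it is an assumption)."""
import re
from typing import Dict, List, Union

RegValue = Union[str, int]
RegDump = Dict[str, Dict[str, RegValue]]   # key path -> {value name -> data}; "@" = default

# Constructed sample: a condensed `reg export` of an infected XP machine.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Documents and Settings\\malwarehelp.org\\Local Settings\\Application Data\\ave.exe\" /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DisableNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Documents and Settings\\malwarehelp.org\\Local Settings\\Application Data\\ave.exe\" /START \"C:\\Program Files\\Internet Explorer\\iexplore.exe\""
"""

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                     # [key] or [-key] (deletion)
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')     # @=data or "name"=data
_ROGUE_EXE = re.compile(r"\\ave\.exe\b", re.IGNORECASE)     # the dropped proxy binary


def _unescape(s: str) -> str:
    # .reg strings double every backslash and escape embedded quotes
    return re.sub(r"\\(.)", r"\1", s)


def _decode(data: str) -> RegValue:
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return data                     # hex:/binary data left as raw text


def parse_reg(text: str) -> RegDump:
    """Minimal .reg reader: enough for exported keys, string and DWORD values."""
    keys: RegDump = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = None if m.group(1) == "-" else m.group(2)
            if current is not None:
                keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _decode(m.group(2))
    return keys


def find_hijacks(reg: RegDump) -> List[str]:
    """Report every indicator from the article's key list that is present."""
    findings: List[str] = []
    # 1. .exe association pointed away from the stock 'exefile' class
    for key in ("HKEY_CLASSES_ROOT\\.exe", "HKEY_CURRENT_USER\\Software\\Classes\\.exe"):
        default = reg.get(key, {}).get("@")
        if default is not None and default != "exefile":
            findings.append(f"{key}: default is {default!r}, expected 'exefile'")
    for key, values in reg.items():
        low = key.lower()
        # 2. the rogue's own ProgID; a clean XP registry has no 'secfile' class
        if "\\secfile" in low:
            findings.append(f"{key}: rogue 'secfile' class present")
        # 3. shell or browser command routed through ave.exe
        cmd = values.get("@")
        if low.endswith("\\command") and isinstance(cmd, str) and _ROGUE_EXE.search(cmd):
            findings.append(f"{key}: runs the rogue: {cmd}")
        # 4. Windows Firewall switched off or muted in any profile
        if "\\firewallpolicy\\" in low:
            if values.get("EnableFirewall") == 0:
                findings.append(f"{key}: EnableFirewall=0")
            if values.get("DisableNotifications") == 1:
                findings.append(f"{key}: DisableNotifications=1")
    # 5. Security Center told not to report the missing antivirus / firewall
    sc = reg.get("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center", {})
    for name in ("AntiVirusOverride", "FirewallOverride"):
        if sc.get(name) == 1:
            findings.append(f"Security Center: {name}=1 (monitoring silenced)")
    return findings


def triage(reg_text: str) -> List[str]:
    return find_hijacks(parse_reg(reg_text))


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG):
        print("[!]", finding)
```

`reg export` writes UTF-16 with a byte-order mark, so read a real export with open(path, encoding="utf-16") before passing it to triage(). The checks are value-based (default not exefile, a command that launches ave.exe, override and firewall flags) rather than tied to the exact key paths of this sample, so they still fire when the dropper used a different profile path.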
Block XP Security Tool Associated Domains
This scareware was observed accessing the following domains during installation and operation:
pc-livecare. com
winlive-care21. com
win-live-care .com
live-pc-care. com
pc-livecare2010. com
antivirus-one-care2010. com
windows-live-care. com
security-pccare. com
securitypccare. com
win-live-care2010. com
cavertunelo. com
one-care-antivirus. com
live-pccare. com
onecare-antivirus2010. com
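The list above is defanged (a space around the dot) so the names cannot be clicked; before it goes into a hosts file or a proxy blocklist it needs to be refanged, validated and de-duplicated. As an added example that is not part of the original article, the Python below does that and merges the result into a hosts file without re-adding entries that are already present. The domains are the article's; the sample hosts-file text is constructed.

```python
"""Turn the defanged domain list above into Windows hosts-file entries and
merge them idempotently into an existing hosts file.  Added example, not from
the article: the domains are the ones it lists (its duplicate collapsed), the
hosts-file text used in the demo is constructed."""
import re
from typing import List, Set

# The article's list, with its defanging spaces left in place.
DEFANGED_DOMAINS = """
pc-livecare. com
winlive-care21. com
win-live-care .com
live-pc-care. com
pc-livecare2010. com
antivirus-one-care2010. com
windows-live-care. com
security-pccare. com
securitypccare. com
win-live-care2010. com
windows-live-care. com
cavertunelo. com
one-care-antivirus. com
live-pccare. com
onecare-antivirus2010. com
"""

# RFC 1123 label syntax; enough to catch a typo in a refanged entry.
_HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
BLOCK_TAG = "# XP Security Tool / FakeRean domains"
SINKHOLE = "0.0.0.0"    # unlike 127.0.0.1, never reaches a service listening on localhost


def refang(entry: str) -> str:
    """Undo the usual defanging: 'a. com', 'a .com', 'a[.]com', 'hxxp://a.com/'."""
    s = entry.strip().lower()
    s = re.sub(r"^hxxps?://", "", s).split("/", 1)[0]
    s = s.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"\s*\.\s*", ".", s)


def normalize(block: str) -> List[str]:
    """Refang, validate, de-duplicate and sort one-domain-per-line text."""
    seen: Set[str] = set()
    for line in block.splitlines():
        if not line.strip():
            continue
        host = refang(line)
        if not _HOSTNAME_RE.match(host):
            raise ValueError(f"not a hostname after refanging: {line!r}")
        seen.add(host)
    return sorted(seen)


def hosts_entries(existing: str) -> Set[str]:
    """Hostnames already mapped in a hosts file (comments ignored)."""
    names: Set[str] = set()
    for line in existing.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(h.lower() for h in fields[1:])
    return names


def merge_hosts(existing: str, domains: List[str]) -> str:
    """Append sinkhole entries for domains not already present; no-op otherwise."""
    present = hosts_entries(existing)
    missing = [d for d in domains if d not in present]
    if not missing:
        return existing
    body = existing if not existing or existing.endswith("\n") else existing + "\n"
    lines = [BLOCK_TAG] + [f"{SINKHOLE} {d}" for d in missing]
    return body + "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed hosts file: one of the domains is already blocked
    sample_hosts = "127.0.0.1 localhost\n0.0.0.0 cavertunelo.com  # already blocked\n"
    print(merge_hosts(sample_hosts, normalize(DEFANGED_DOMAINS)), end="")
```

On XP the file is %SystemRoot%\system32\drivers\etc\hosts. The article does not list the hosts file among the files the rogue touches, so this is a containment step for the network side, not part of the cleanup itself.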
Auto Removal:
To remove this virus automatically, we suggest the following removal tools:
Sorry to report that on May 08, when I came upon this page looking for help, the XP Security Tool 2011 had already got past Malwarebytes Anti-Malware and disabled it on the hard drive (a virtual machine running inside Vista's firewall and additional anti-virus). It did not leave the same signature on the XP virtual machine. It had also disabled XP's real firewall and security center. So it took shutting down the computer and rebooting into a Linux distro from which I could access the Vista XP virtual machine and manually (painstakingly) track down the culprits, including a UGH.EXE file that duplicated itself in the root directory and the user home directory. It apparently also hooked into the MBR and trashed the partition table for the real hardware instead of the virtual machine. This is a seriously destructive virus in addition to its nuisance effects.
My friend is unable to download or open anything on his computer with this virus... any way to remove?
Does not have virus protection.
Absolutely the worst trojan I have ever experienced. This thing is nasty!
Malwarebytes did find it last night, and I had thought it had removed it, but it's here again. I also use the sysinternals.com Process Explorer, which was helpful to find the executable as it was running on the system. However, I can't actually see the file in Explorer or the cmd shell to delete it!
Hopefully the registry keys mentioned in this article will disable it long enough for malware bytes to finish the cleaning.
I lost two days of coding production (so far) to this damned thing!
Um, sad to say, but on the cover it shows huge letters saying YOUR COMPUTER is infected with spyware, and when we try to download something, while it's downloading, at the bottom it keeps popping up a bubble saying warning and additional words. Please help me!!!!!!!!! Oh, and when the download gets done nothing pops up apart from the warning thing!!!! Help us!!!!!!!!!
Nasty is an understatement. I ran Malwarebytes Anti-Malware in XP in safe mode. It got rid of the virus, but now my .exe files are no longer referenced. Huge pain!
Please help!! My computer says I am connected to the Internet, which is right, but when I go to any browser I have and type a website, let's say YouTube, I won't be able to launch it. It says it is loading but it does not load!! I can be on Skype, Steam, whatever, but my web browsers do not work!! Please help
I had the same thing as Paul... Malwarebytes found it and removed it, but now my startup isn't responding as usual, and all my .exe's are referencing the wrong object, with seemingly no way to fix it... any suggestions?
I just cleaned two machines using Malwarebytes Anti-Malware in XP safe mode. Both machines also had the .exe file association problem. Do a search for "SAS xp home security 2011". Their forum has a link to download a file association fix. Name is SAS_FixEXEfile.com - worked great on both machines. Only problem remaining is automatic updates showing off in Security Center.
Yeah, I got it today and I'm not allowed to get on the internet or anything (I'm on my other comp right now). Any ideas?
When I have a problem such as those fake pop-up threats I usually ask a friend to re-install my XP, clearing everything in the C drive and leaving the D files untouched. I realized that my AVG anti-virus free version is useless on those fake threats; I'm still using it, but I will have a setup of that Microsoft anti-virus on my PC just in case.