
How to remove Total XP Security?

March 16th, 2010

What is Total XP Security?

Total XP Security is one of those fraudulent applications that change their names according to the OS they find on the targeted PC. Total XP Security, just like Total Vista Security, has nothing to do with protecting a computer but is aggressively promoted as an anti-malware program. Do NOT agree to purchase TotalXPSecurity; remove the trial version of the scam as soon as you notice it.

People usually encounter Total XP Security through annoying pop-up ads and system scanners that are triggered by the same badware. These alerts are loaded only to deceive victims into believing that their machines are full of parasites and to push them towards purchasing the scam. In fact, all these alerts are shown by stealthy Trojans that sneak into the system and install Total XP Security as well. They usually get past the user’s authentication and simply surprise him by unexpectedly showing the scam named Total XP Security. The additional malicious tactics of Total XP Security are used only to make people think that there is an actual security risk on their computers and that eliminating it is urgent. These imaginary parasites are claimed to be removable only with Total XP Security’s “full” version, which requires paying for registration. This rogue anti-spyware also uses browser hijacking techniques and malicious domains that distribute the same malware.

Keep in mind that there is nothing wrong with purchasing good and legitimate anti-spyware, but Total XP Security is not in this category. This program typically makes your computer run slower and generally lets more malware in. Make sure your computer is not infected with Total XP Security, and if you suspect this badware is on your machine, remove it as soon as possible. Get rid of Total XP Security without wasting any time!


Total XP Security is Extremely dangerous

• Total XP Security is a corrupt Anti-Spyware program
• Total XP Security may spread via Trojans
• Total XP Security may display fake security messages
• Total XP Security may install additional spyware to your computer
• Total XP Security may repair its files, spread or update by itself
• Total XP Security violates your privacy and compromises your security

Note: The Spyware Doctor trial provides detection of parasites like Total XP Security and assists in their removal for free. You can remove detected files, processes and registry entries yourself or purchase the full version.



Manual Total XP Security removal


Important Note: Although it is possible to manually remove Total XP Security, such activity can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to automatically repair themselves if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using Spyware Doctor or other malware and spyware removal applications found on 2-viruses.com.
Stop these Total XP Security processes:
Remove these Total XP Security Registry Entries:
Remove these Total XP Security files:
It is impossible to list all file names and locations of modern parasites. You can identify remaining parasites and other files infected by Total XP Security, and get help with Total XP Security removal, by using the free Spyware Doctor scanner. It comes with a free real-time protection module that helps prevent Total XP Security and similar threats.

Total XP Security is classified as Rogue Anti-Spyware. After infecting a user’s system, it proceeds to scare its victim into buying the “product” by displaying fake security messages stating that the computer is infected with spyware and that only Total XP Security can remove it once the trial version is downloaded. As soon as the victim downloads the Total XP Security trial version, it pretends to scan the computer and shows a grossly exaggerated number of non-existent errors. Then Total XP Security offers the full version as the way to fix these false errors. If the user agrees, Total XP Security fixes nothing, since the errors are false; it takes the user’s money and may even install additional spyware on the victim’s computer.

Some Rogue Anti-Spyware, such as Total XP Security, may prompt users to buy it after the victim clicks on a banner or a pop-up while surfing the internet. Usually, a Trojan is installed on the victim’s computer after the click on the advertisement. It then proceeds to download or even install Total XP Security, which is another way for Rogue Anti-Spyware to spread itself.

Most rogue Anti-Spyware, such as Total XP Security, is nearly impossible to remove manually.


How to tell if your PC has been infected by a Rogue Anti-Spyware such as Total XP Security?

Numerous undesirable and annoying pop-ups: A typical Rogue Anti-Spyware parasite keeps track of your internet browsing habits, sending your browsing history data to remote servers, owned by third party companies that use this information to advertise their products via numerous pop-ups, toolbars, hijacked homepages and spam letters. All these undesirable advertising methods are used on the victims of Rogue Anti-Spyware.
Changed or new icons: Sometimes, Rogue Anti-Spyware installs unwanted software on a victim’s PC without the user’s knowledge and consent. This may lead to slower PC performance and reduced stability, as well as more unwanted programs you can't remove.


  1. Pat
    March 23rd, 2010 at 17:56 | #1

    Instructions were fairly good, but there are a few variants

    The executable I found was ave.exe rather than av.exe

    Do not remove
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “(Default)” = “av.exe” /START “iexplore.exe”

    Rather change the (Default) data value to read only ‘iexplore.exe’. Do similar for firefox entries.

    Do not delete the “…Override” registry keys but do set all of the values to ‘0’ rather than ‘1’

    Delete the following registry entries with extreme prejudice. (right click regedit tree on the left and select delete)

    HKEY_CURRENT_USER\Software\Classes\secfile
    HKEY_CURRENT_USER\Software\Classes\.exe

  2. Richard
    March 28th, 2010 at 00:15 | #2

    I have been dealing with this terrible infection for a few days. I followed the instructions and found the following:
    It was now named ave.exe rather than av.exe (thank you Pat). It was hiding in another location and difficult to find – I think that was because it called itself a system file and was “hidden” so I had to show hidden and system files to see and delete it.

    I followed the regedit instructions and then restarted. Now no programs at all will run. The pattern is if I try to start a program directly I get a message that says, “This file does not have a program associated with it for performing this action. Create an association in the Folder Options control panel.” Any idea what to do next? I get that same message when I try to run regedit.

    The only thing I seem to be able to do is select some documents that can open. For example, I can not start Word directly, but can open some Word documents. Also, I went to the program files themselves (rather than the shortcuts), but clicking on them brings the same message — “This file does not…”

    The only thing I can think of is at one point in the regedit process, one of the registry keys I was supposed to delete was followed by another that said something like — "%1" %*. Could it be that the virus added its key to activate its program, but left a trap for a relatively ignorant user like me so that if its key was deleted, the computer would go onto the next line which maybe caused other programs to stall? I am guessing with lots of ignorance.

    Also, let me say that my XP Home was all up-to-date, and I had recently installed McAfee AntiVirus Plus 2010. The McAfee did not even recognize the infection, let alone prevent it or be able to remove it. I also used the two latest McAfee Stingers (to run these I had to restart in safe mode and as Administrator rather than my normal login) and the stingers also could not recognize or remove it.

    The one possibility is that loading the McAfee may have left my Firewall down. I always keep the firewall on, but after this infection I checked the other two computers (it was a three-user version) and the firewalls on all three computers were off.

    Any thoughts or help?

    • March 28th, 2010 at 12:14 | #3

      Richard
      It is simpler – virus modified registry entries to pass execution of all executables (.exe) through its process. When there are .doc files, they are launched by executing specific executable directly while passing .doc filename as parameter.
      You can execute normal programs from task manager. You would need to restore .exe file associations.

      Mcafee is quite bad at detecting rogue threats like that. I would recommend using different removers, Spyware doctor or malwarebytes for example. They target such parasites rather than common virus infections and are faster at detecting and removing them.

  3. Richard
    March 28th, 2010 at 21:26 | #4

    Thank you. Can you either explain, or give me a link, for how to restore .exe file associations?
    Richard

  4. Evan
    March 29th, 2010 at 17:49 | #5

    ok first off, you never delete .exe, exefile, .lnk, or lnkfile entries from the registry. They are what tell windows how to run exe files and shortcuts. to correct your mistake go to a run menu Start->Run and type in command.com (don’t think you can shortcut with cmd, because it won’t work) in the little black window that opens, type notepad.exe. paste the below text into notepad and save as a .reg file. double click on the .reg file and launch it. it’ll say something about importing into the registry. click yes. should tell you it was successfully imported. Click OK. you can now run .exe files. anyone who tells you to delete anything from HKEY_Classes_Root without backing it up first is inexperienced, these are the values that tell windows how to run or open file types. and as an FYI command.com does not use the windows registry keys to run .exe files.

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\.exe]
    @="exefile"
    "Content Type"="application/x-msdownload"

    [HKEY_CLASSES_ROOT\.exe\PersistentHandler]
    @="{098f2470-bae0-11cd-b579-08002b30bfeb}"

  5. Evan Liker
    April 1st, 2010 at 16:53 | #6

    Evan, Thank you for your extra fix. You saved me a lot of time. Kudos to you.

  6. sage
    April 1st, 2010 at 23:55 | #7

    HI

    I seem to have the same problem as Richard, I tried Evan’s suggestion but this hasn’t worked and still cannot open a number of programs including Internet explorer, Firefox, Word etc

    Any help would be much appreciated

    Thanks

  7. Danny
    April 4th, 2010 at 21:54 | #8

    I also have the same problem as Richard but when I try to open the .reg it gives me the error of:
    Cannot Import. [Filepathname]. The specified file is not a registry script. You can only import binary files from within the registry editor.
    What does this mean?
    And thanks in advance.

  8. April 5th, 2010 at 22:20 | #9

    I am trying to click on the fixit.reg file I created from suggestion above. I am receiving the error message… “cannot import because the specified file is not a registry script. You can only import binary registry files from within the registry editor” Any suggestions?

  9. Brenda
    April 6th, 2010 at 15:23 | #10

    Is there a program to remove this or does it have to be done manually? I just don’t think I have the patience to do this, and I work nights and zombie in the day, afraid I’ll screw something up.

  10. Brenda
    April 6th, 2010 at 15:40 | #11

    @Brenda

    Edit: I have run scans from embarq(my local provider) and a micr windows scanner

  11. Nate
    April 7th, 2010 at 00:23 | #12

    The easiest way to fix the registry is to use the find command in regedit and search for ave.exe or av.exe. U will come upon the following keys and when u do remove everything before /START blah blah blah. Leave the rest of the value. Problem solved. Then figure out where the ave.exe or av.exe file is on your hard drive and remove it.

    HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "av.exe" /START "%1" %*
    HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "av.exe" /START "%1" %*
    HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "av.exe" /START "%1" %*
    HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "av.exe" /START "%1" %*
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "ave.exe" /START "firefox.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "ave.exe" /START "firefox.exe" -safe-mode
    HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "ave.exe" /START "iexplore.exe"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "0"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "0"
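
An added example, not part of the comment above or of the original page: a Python sketch that reads the text of a registry export, rejects it if the header line regedit expects is missing, and flags `shell\open\command` defaults of the form `"<name>.exe" /START <original command>`, reporting the value that remains once the wrapper is stripped. The sample export, the `C:\Temp\ave.exe` path and all function names are constructed for illustration.

```python
import re

# Header lines regedit accepts as the first line of a .reg script.
HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

# Constructed sample export; the wrapper path C:\Temp\ave.exe is a placeholder.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Temp\\ave.exe\" /START \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"C:\\Temp\\ave.exe\" /START \"iexplore.exe\""

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DEFAULT_RE = re.compile(r'^@="(?P<data>.*)"$')
# Heuristic for the wrapper seen in this thread: an executable, then /START,
# then the command that was there before the infection.
WRAPPER_RE = re.compile(
    r'^"?(?P<wrapper>[^"]*\.exe)"?\s+/START\s+(?P<rest>.+)$', re.IGNORECASE)


def unescape(data):
    """Undo .reg string escaping, where backslash and quote are backslash-escaped."""
    return re.sub(r'\\(["\\])', r'\1', data)


def parse_default_commands(text):
    """Return {key: default value} for every ...\\command key in a .reg export.

    The caller decodes the file first (regedit exports are usually UTF-16).
    """
    lines = text.lstrip("\ufeff").splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a registry script: header line is missing")
    commands, key = {}, None
    for raw in lines[1:]:
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = DEFAULT_RE.match(line)
        if m and key and key.lower().endswith("\\command"):
            commands[key] = unescape(m.group("data"))
    return commands


def find_hijacked_handlers(commands):
    """Flag command handlers routed through a '/START' wrapper executable."""
    findings = []
    for key, value in commands.items():
        m = WRAPPER_RE.match(value)
        if m:
            findings.append({
                "key": key,
                "wrapper": m.group("wrapper"),
                "current": value,
                "restored": m.group("rest").strip(),
            })
    return findings


if __name__ == "__main__":
    for f in find_hijacked_handlers(parse_default_commands(SAMPLE_EXPORT)):
        print(f["key"])
        print("  wrapper :", f["wrapper"])
        print("  restore :", f["restored"])
```

The script only reports; it changes nothing in the registry, so it can be run against an export taken from the affected profile on another machine.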

  12. Bartley
    April 13th, 2010 at 02:07 | #13

    Graw! I am having a similar problem as Kristen and Danny. Though when I save the suggested strings of text in notepad, then doubleclick it from my desktop, it just opens it again in notepad. I don’t have the option to save it as a .reg
    I just save it as “All Files” and make the file name fix.reg but that is not changing anything.
    I didn’t even try to remove this infection manually. I used Super AntiSpyware, which appeared to have removed it, but now I can’t open anything at all. I somehow stumbled upon a way to get firefox open – tho I don’t know how and now I am afraid to close it. I downloaded a registry repair tool, but I can’t open the file I downloaded because I get the original window to choose a program to open it with. Someone please help -

  13. dave
    April 13th, 2010 at 16:18 | #14

    So I agree with Evan… who posts a fix for removal of anti-spyware, only to have something else go wrong with the computer? follow the link and download “exe file association fix” to restore the file associations. thanks to Doug Knox. http://www.dougknox.com/xp/file_assoc.htm if the link doesn’t work copy and paste into the browser. follow directions on web page.

  14. shawn
    April 15th, 2010 at 03:57 | #15

    I just fixed this problem after spending an hour on my computer. For those having problems running the “fixit.reg” script, you have to ensure that the first line of your reg file is “Windows Registry Editor Version 5.00”. Now having said that, I ran the fixit.reg script and afterwards none of my exe files worked.

    I was able to fix my exe problem as such: 1) I opened Task Manager, selected File->New Task, and entered “cmd” in the ensuing dialog box. This opened a command prompt window. 2) I typed “regedit” from the command line to launch the application. 3) I imported a backup copy of my registry (I had made a copy before using fixit.reg). After the import, all of my exe files started working again.

  15. Yimin Rong
    April 21st, 2010 at 16:53 | #16

    Windows XP SP2

    Latest variation looks exactly like a windows update icon and opens up a windows update dialog box which of course pollutes your system with crap.

    ***Very important new development – check Scheduled Tasks***. You might see dozens of entries to run hidden executables or load from malware sites. This is another way it restores itself. Malwarebytes’ Anti-Malware doesn’t find these (yet). Boot in Safe Mode so that the Task Scheduler isn’t running and delete these.

    Malwarebytes’ may detect corruption in existing DLLs which when removed can cripple your system. A Windows XP repair installation may be required. Remember to log in in Safe Mode and back up critical data to external storage prior to doing this.

    In the worst case, you might need to rebuild completely. In that event and if you have the option, consider moving to a lesser targeted O/S.

  16. jayz
    April 23rd, 2010 at 01:49 | #17

    OK I have my laptop infected with the Total XP security and I think it disabled my mouse. So can somebody explain to me how to fix this without a mouse.

  17. j-bird
    April 23rd, 2010 at 15:27 | #18

    I was first infected with Antivirus XP, then Antispyware XP, and most recently, Total XP. I successfully remove them, and sure enough a week or so later they reappear. I use a combo of the suggested regedit instructions, Malwarebytes, and finally Combofix (be careful, use with caution). Yet i continue to get a newer version of this weekly. I am sure i am removing it, but i don’t know why it continues to return. The “common denominator” or consistent variable is when I do a google search, and select the site listed at the top three. The malware returns in some form or another. My Google is also always opening in Netherland, and I am in USA. I am Uninstalling my Google tool bar and reinstalling just to check?! Any one have any ideas? Or has anyone seen these repeating attacks? I am running Firefox 5.0.

  18. j-bird
    April 23rd, 2010 at 15:29 | #19


    also i am using Avast 5.0.462

    • April 23rd, 2010 at 15:55 | #20

      J-bird: Check your proxy settings and hosts file. Remove proxy (if it is set) and empty hosts file. (C:\Windows\System32\Driver\Etc\hosts). Also, scan with spyware doctor.

  19. j-bird
    April 23rd, 2010 at 16:42 | #21


    I found the hosts file and opened it in notepad, but it will not save. What file extension do i need? I read that i need to change the name of the original hosts.file and then resave the revised and cleared hosts.file, but it won’t save.
    Any suggestions?

    for anyone concerned, here is a brief list of the redirects…

    • April 23rd, 2010 at 16:47 | #22

      J-Bird : are you on xp? on vista or 7 you need to edit it as administrator (right-click on notepad icon, run as administrator and then open the file).

  20. j-bird
    April 23rd, 2010 at 16:54 | #23

    @admin
    i am on xp pro
    I can open the file, I can edit the file, but when i try to save the file i get

    “Cannot create the C:\\Windows\system32\drivers\etc\hosts file.
    Make sure that the path and filename are correct.”

    Or if i try to save as , It saves it as a .txt file. I choose the options
    File name: hosts
    Save as Type: All Files
    Encoding: ANSI (but i have tried all options Unicode, Unicode big Endian, UTF-8)
    and it always saves as a .txt file.

    What is the extension i need to use?

    • April 23rd, 2010 at 16:59 | #24

      It should have no extension. Try rebooting into safe mode and edit file then.

  21. j-bird
    April 23rd, 2010 at 17:01 | #25

    Will do, BTW. Thanks for your help.

  22. j-bird
    April 23rd, 2010 at 17:30 | #26

    I have been reading about spyware doctor, and there are many who recommend against it due to the fact that you have to buy it to remove the buy now pop ups from malicious malware. Seems like one sort of supports the other! At your recommendation, i did download and install, and now it too wants money. Not sure i like where this is going.

    • April 24th, 2010 at 20:32 | #27

      J-bird: Spyware doctor was long before rogues became active and it will be after rogues cease to exist.
      Even free version gives some advantage: It lists viruses that infect and you can track down which files are infected. Also, it blocks some virus attacks. If you choose not to believe me, you can read about it in wikipedia or PCMag, etc.
      About paying for it: If you do not want it, or it does not detect your version of parasites, do not pay for it. Remove parasites one by one manually. However, there is no single free for all full anti-malware tool.
      About hosts file: It looks like something protects your hosts file from opening. It is likely that this is virus process or an antivirus. I would try using killbox or similar utility to remove old version…

  23. j-bird
    April 23rd, 2010 at 17:58 | #28

    I tried rebooting in safe mode and still the same “Cannot create…” Message.

  24. j-bird
    April 23rd, 2010 at 18:25 | #29

    So i tried this and it seems to have worked. Do you see anything wrong with this attempt.

    step 1: Open (C:\Windows\System32\Driver\Etc\hosts) as administrator in notepad
    step 2: save to desktop as hosts.file (it will appear as hosts.file.file)
    step 3: change the name. Highlight and erase the .file so it only reads hosts (will appear as hosts.file)
    step 4: delete corrupted hosts file in (C:\Windows\System32\Driver\Etc\hosts)
    step 5: copy and Paste the new hosts.file from desktop to this location.
    step 6: reboot

  25. David
    April 23rd, 2010 at 18:33 | #30

    Just as a heads up they have modified the executable again it is now calling itself vma.exe

  26. j-bird
    April 25th, 2010 at 02:46 | #31

    @admin
    I do appreciate your comments. You have a very good point about the manual removals. When I ran it, it did detect a lot of infections that malwarebytes did not find. But you do understand my skepticism in light of the numerous attacks, and the resulting loss of hair over this issue. I will give it a second chance.

    • April 25th, 2010 at 10:09 | #32

      J-bird: all products will ask you to pay at some point. Including Mbam: its real-time protection module, which is critical for avoiding infections is not available in free version.

  27. Yimin Rong
    April 26th, 2010 at 21:32 | #33

    After using every tool at my disposal (including MalwareBytes) to remove bad registry entries, scheduled tasks, corrupted files, and rootkits, and getting a clean scan, then repairing the Windows installation and updating, the infection was back in full force the next day. I finally had to admit defeat and rebuild to a non-Windows O/S.

    The major sign that I was still not clear of infection was that some browsers were returning redirected pages – guessing proxy redirection.

    We received some blacklisting notices dating from when the computer was infected and connected to the Internet, so it’s likely the computer was hijacked and sending out spam.

    Important note: if you are infected, assume a keylogger is installed, so change any potentially compromised passwords ASAP from another uninfected computer.

    This rogue is definitely worthy of being classified as extremely dangerous.

    • April 26th, 2010 at 21:50 | #34

      Yimin : I would recommend getting good anti-malware and antivirus, both with real time protection. There is a trick these viruses use: changing windows update server, which is not detected by most antivirus/antimalware programs. thus once you update windows, you get infected again. Also, you have to check hosts file and proxy manually.
      Most of these problems can be avoided having good antivirus and anti-malware :) And not relying on after-the-fact scans with malwarebyte free :)

  28. Yimin Rong
    April 26th, 2010 at 22:06 | #35

    admin: We had licensed and legal commercial versions of trusted and respected anti-virus products installed and up-to-date at the time of infection. I think just bad luck to be hit with something newer than the latest update.

    One note – checking of scheduled tasks and proxy redirection should be indicated in the removal instructions. Otherwise it will come back.

    • April 27th, 2010 at 08:45 | #36

      Yimin : Antivirus software, no matter how good it is, focuses on a broader spectrum of parasites. Thus they are a bit slower on 0 day vulnerabilities and fresh trojans, promoting rogues. That is why firewalls and anti-malware with real time protection are important too. I agree – it depends on luck as well.
      Thank you for the note about scheduled tasks.

  29. Tesa
    April 27th, 2010 at 03:20 | #37

    Does uhm.. Spyware Doctor work with programs like AVG? Or will I have to remove AVG somehow to use SD?
    I can’t get to a removal tool for AVG right now since Total XP Security’s got my IE on lockdown, more or less. Proxy redirects and what not.
    I only got here because someone sent me a link via MSN.

    • April 27th, 2010 at 08:46 | #38

      Spyware doctor works with AVG if you have anti-spyware/malware version only. There is a version with antivirus as well, though I would use different antivirus (not avg, AVAST, avira, or nod32/kaspersky) for better overall coverage.
