
What is Total Security

Posted on 12 September 2009 under Rogue Programs

1. What is Total Security?

Total Security is a rogue program intended to scare the user by displaying fake security alerts and warnings that the computer is insecure. All of the fake messages lead to Total Security registration, meaning the user is asked to pay for a bogus licensed version of the program. Do not make any payment: Total Security is a scam and will neither clean nor protect the computer.
The first odd thing you will notice is a changed desktop background. It turns blue, with a "Warning! You're in danger!" notice in the middle of the screen. While you browse the internet, Total Security also imitates a firewall, claiming that the internet browser is infected and offering to activate the program.

Total Security adds itself to the programs startup list, which is why a computer scan is performed every time Windows boots. The program also generates a scan result report containing made-up virus names, including harmless system files. Earlier popular rogue programs such as TrustedAntivirus and SecurePCCleaner appear in the report even though they are not present on the system. Legitimate Windows system files such as alg.exe or cmdial32.dll are reported as trojans and dialers, and explorer.exe is reported as a trojan in the system32 directory, where it does not even exist.

If you try to remove Total Security using Add/Remove Programs, nothing happens; the rogue program stays active regardless. The program is not even found in the Program Files directory, but it has an entry in the Start menu pointing to the malicious 16033074.exe file, which is the source of the alerts, warnings and repeated scans.

Example of a Total Security fake alert: "Harmful and malicious software detected. Such programs may damage your computer and steal your private information. Online Security Scanner requires Total Security components to repair your computer. Please click OK to download and install Total Security tool."

1.1. Program tactics.

To protect itself from having its main process killed or from being removed entirely, Total Security blocks access to:
  • Windows utilities such as Task Manager (taskmgr.exe), Registry Editor (regedit.exe) and Command Prompt (cmd.exe).
  • All the items in Control Panel.
  • Trusted antispyware programs such as Spyware Doctor or Malwarebytes' Anti-Malware, and the system analyzer HijackThis.
Any attempt to run one of these items is followed by a warning that the "application cannot be executed", giving as the reason that the particular file (e.g. taskmgr.exe) is infected. The user is then prompted to activate the fake antivirus software.

1.2. How to enable programs that have been blocked by Total Security?

- Method 1 -
  1. Go to the Windows directory and open the System32 folder (C:\Windows\system32).
  2. Rename the file taskmgr.exe to iexplore.exe.
  3. Double-click the renamed file to open Task Manager.
  4. Under the Processes tab find the malicious process, whose name is a random string of digits (in this case 16033074.exe), and end it.
  5. To make sure you end the right process, download the HijackThis executable to the desktop and rename it to "iexplore" (without quotes); if file extensions are shown, add ".exe" to the end of the file name (iexplore.exe). Double-click the renamed file and choose "Do a system scan only". Look for the entry O4 - HKLM\..\Run: [16033074] C:\Documents and Settings\All Users\Application Data\16033074\16033074.exe. The process 16033074.exe is the one that has to be ended through Task Manager. Remember that the digit string differs from infection to infection (here it is "16033074").
- Method 2 (advanced user) -
  1. Restart the computer in Safe Mode with Command Prompt (the Safe Mode menu is reached by pressing F8 as the operating system boots).
  2. After cmd.exe has loaded, type "regedit" (without quotes) and press Enter.
  3. In the Registry Editor window navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  4. In the Name column look for an 8-digit value (in this case 16033074). The 8-digit value is random on each computer, so before removing this registry item make sure that the value in the Data column is "C:\Documents and Settings\All Users\Application Data\16033074\16033074.exe". Then right-click 16033074 and delete the registry item.
  5. Close Registry Editor and restart the computer by typing "SHUTDOWN -r -t 01" (without quotes).

2. Total Security screen shot:

[Screenshot: Total Security]

3. How to remove Total Security:

  1. The internet connection might be disabled or the internet browser blocked by Total Security, so it may not be possible to download any files to the infected computer. In that case download all files required for Total Security removal on another computer and transfer them to the infected one using a CD/DVD or USB flash drive.
  2. To remove Total Security, download Spyware Doctor and install the program (for the installation guide click here). Before installation make sure all other programs and windows are closed.
  3. After installation a computer scan should start automatically. If so, move to the next step. If not, click "Status" in the left-side menu and press the "Scan Now" button to run the scanner as shown in the picture below:

  4. After the scan has completed and the scan results have been generated, press the "Fix Checked" button to remove Total Security.

  5. Restart the computer to complete the Total Security removal procedure.

Warning! Before making any changes to the system registry, make sure you set a System Restore Point and back up important files.

4. Total Security files:

16033074.exe

5. HijackThis entries:

O4 - HKLM\..\Run: [16033074] C:\Documents and Settings\All Users\Application Data\16033074\16033074.exe
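The confirmation step in Method 1 (step 5) and the Data-column check in Method 2 (step 4) both come down to the same test: an all-digit value name under the Run key whose command points at ...\Application Data\<digits>\<digits>.exe. The following script is an added example, not part of the original article or any HijackThis code; it parses O4 lines of the form HijackThis prints and flags entries matching that pattern. The only real line is the one quoted above; the other sample lines (SoundMan, ctfmon.exe and the 55910227 entry) are constructed to show what is and is not flagged. It generalises slightly beyond the article by accepting any all-digit name, not only 8-digit ones.

```python
import re

# Constructed sample HijackThis-style O4 lines. The first is the entry the
# article quotes; the rest are made up for illustration.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [16033074] C:\Documents and Settings\All Users\Application Data\16033074\16033074.exe",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKLM\..\Run: [55910227] C:\Documents and Settings\All Users\Application Data\55910227\55910227.exe",
]

# Matches "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def parse_o4(line):
    """Return a dict with hive, key, name and cmd, or None if the line is not an O4 entry."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def is_total_security_pattern(entry):
    """True when the entry matches the layout the article describes:
    an all-digit value name whose command is
    ...\\Application Data\\<name>\\<name>.exe (compared case-insensitively)."""
    name = entry["name"]
    if not name.isdigit():
        return False
    cmd = entry["cmd"].strip().strip('"').lower()
    parts = cmd.replace("/", "\\").split("\\")
    # parts[-1] is the executable, parts[-2] its folder, parts[-3] must be "application data"
    return (
        len(parts) >= 3
        and parts[-1] == f"{name}.exe"
        and parts[-2] == name
        and parts[-3] == "application data"
    )


def find_suspicious(lines):
    """Return the parsed O4 entries that match the Total Security pattern."""
    hits = []
    for line in lines:
        entry = parse_o4(line)
        if entry and is_total_security_pattern(entry):
            hits.append(entry)
    return hits


def cleanup_targets(entry):
    """For a flagged entry, return (process name to end, registry value name to delete)."""
    process = entry["cmd"].strip().strip('"').replace("/", "\\").split("\\")[-1]
    return process, entry["name"]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_O4_LINES):
        process, value_name = cleanup_targets(hit)
        print(f"{hit['hive']}\\..\\{hit['key']} value [{value_name}] -> end process {process}")
```

Run it against the "Do a system scan only" output saved from HijackThis (one O4 line per list element); for the article's entry it reports that value 16033074 under HKLM\..\Run should be deleted and process 16033074.exe ended, while ordinary Run entries such as ctfmon.exe are left alone.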