Saturday, September 26, 2009

Removing Total Security (tsc.exe) Rogue Anti-Spyware

This article is a guide to removing the Total Security rogue anti-spyware. Note that the version described here differs from an older Total Security 2009 build, which used C:\Program Files\TSC\tsc.exe as its executable and winsource.dll (GUID {D263FA6D-84CC-48A8-9AF6-C664362B7A5B}) as its browser helper object.

“Total Security”, aka “Total Security 2009”, is fake security software that tries to ride on the trusted name of BitDefender Total Security. It has no affiliation with BitDefender and is exactly as useless as BitDefender is legitimate. Total Security 2009 is a new version of the “System Security” rogue. It slips onto the computer through a Trojan or a virus, launches a bogus system scan that “detects” nonexistent infections to scare the user, then shows pop-ups and spoofed system alerts and blocks the execution of legitimate programs. Clicking any of these Total Security 2009 pop-up ads leads to paying for the equally useless full version. Clicking the Updates button shows an “Updating” balloon message, but there is no network activity at all.

[Screenshots: Total Security GUI; registered Total Security GUI]

Removing Total Security / Total Security 2009 / Cyber Security Rogue using Chortkeh Virus Removal for Total Security

Download Chortkeh Virus Removal for Total Security and run “Chortkeh Virus Removal for Total Security.cmd”, answering “Allow” to any Windows confirmation dialogs. Note that it closes all running instances of Windows Internet Explorer as soon as it is executed and restarts the system immediately after finishing the removal, so save and close any unsaved work before proceeding. Once the system has booted up again, run the CMD file a second time to check whether the virus still exists.

Download Link
  • Download Chortkeh Virus Removal for Total Security / Total Security 2009 (CMD file) by Komeil Bahmanpour

Knowing More about Total Security Rogue Anti-Spyware/Anti-Virus

Again, the version described here differs from an older Total Security 2009 build, which used C:\Program Files\TSC\tsc.exe as its executable and winsource.dll (GUID {D263FA6D-84CC-48A8-9AF6-C664362B7A5B}) as its browser helper object (Internet Explorer add-on). So if you find a TSC folder (rather than TS) under Program Files with tsc.exe nested inside it, and winsource.dll rather than iehelpmod.dll in your System32 folder, your Windows is infected with the older variant, which differs somewhat from what is described below.

The main executable is tsc.exe, nested inside the TS folder under Program Files. In addition, System32 contains iehelpmod.dll, registered as a browser helper object (Internet Explorer add-on) named “IE Help” with CLSID {35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}. The rogue is launched by a Task Scheduler job named “TS”; the “IE Help” add-on is its backup launch mechanism, since a registered BHO is loaded into every Internet Explorer process that starts. Both persistence points have to go, or the rogue comes back after the next logon or the next browser start.

How to Remove the Fake/Rogue Total Security Manually

Boot from a Windows ERD Commander 6 CD. When your Windows installation is detected, choose Microsoft® Diagnostics and Recovery Toolset from System Recovery Options to launch the MSDaRT tools; the “Choose a recovery tool” dialog appears. Use Explorer to delete the files and folders listed below, and ERD Registry Editor to delete the Registry entries listed below. Because the installed Windows is offline at this point, neither the Task Scheduler job nor the browser helper object can restart the rogue while you remove it.

Files/Folders to Delete
  • %ProgramFiles%\TS\tsc.exe (sample: C:\Program Files\TS\tsc.exe): main program file; remove the whole TS folder.
  • %SystemRoot%\System32\iehelpmod.dll (sample: C:\Windows\System32\iehelpmod.dll): “IE Help” browser helper object (Internet Explorer add-on).
  • %SystemRoot%\Tasks\TS.job (sample: C:\Windows\Tasks\TS.job): Task Scheduler “TS” job.
  • %AllUsersProfile%\Microsoft\Windows\Start Menu\TS\ (sample: C:\ProgramData\Microsoft\Windows\Start Menu\TS\): Start Menu links; remove the whole TS folder.
  • %CommonProgramFiles%\TSUninstall\Uninstall.lnk (sample: C:\Program Files\Common Files\TSUninstall\Uninstall.lnk): uninstall link; remove the whole TSUninstall folder.
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\TS.lnk (sample: C:\Users\{User Name}\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\TS.lnk): Quick Launch link.

Registry Entries to Delete
  • HKCR\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}: registered Class ID for iehelpmod.dll.
  • HKLM\SOFTWARE\Classes\CLSID\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}: the same Class ID (HKCR is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes; in ERD Registry Editor, which works on the offline hives, this is the key you actually delete).
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}: “IE Help” (iehelpmod.dll) registered as a browser helper object.
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}: Internet Explorer add-on manager statistics for the same Class ID.
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\TS: uninstall information for the Programs and Features Control Panel item.

Several Security Center-related Registry values, such as AntiSpywareOverride, AntiVirusOverride and FirewallOverride under HKLM\SOFTWARE\Microsoft\Security Center\Svc, are likely to have been modified by the virus. These values are maintained by the Security Center service itself and are not intended for manual editing, so after the reboot open “Check security status” in Windows 7 or “Security Center” in Windows Vista and set the “Firewall” and “Malware protection” items back to “On”.
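The two lists above give the complete set of on-disk and Registry indicators for this variant, so it is worth having a check you can run on the live system after the reboot (the post has you re-run the removal CMD for that). As an added example, not part of the original post and not the Chortkeh tool, the following PowerShell script tests for every indicator listed above plus the older TSC/winsource.dll variant, walks all registered browser helper objects in case the same DLL was re-registered under a new CLSID, and reads the Security Center override values. It only reports; nothing is deleted. The Wow6432Node and %ProgramFiles(x86)% locations are my assumption for 64-bit Windows, which the post does not cover.

```powershell
# Added example, not from the original post and not the Chortkeh removal tool.
# Read-only check of a live Windows system for the Total Security indicators
# described above. It only reports; removal is still done offline as described.
# Run from an elevated PowerShell prompt.

$clsids = @('{35A5B43B-CB8A-49CA-A9F4-D3B308D2E3CC}',   # iehelpmod.dll ("IE Help")
            '{D263FA6D-84CC-48A8-9AF6-C664362B7A5B}')   # winsource.dll, older build

# File-system indicators from the post (TS) and the older build (TSC).
$files = @(
    "$env:ProgramFiles\TS\tsc.exe",
    "$env:ProgramFiles\TSC\tsc.exe",
    "$env:SystemRoot\System32\iehelpmod.dll",
    "$env:SystemRoot\System32\winsource.dll",
    "$env:SystemRoot\Tasks\TS.job",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\TS",
    "$env:CommonProgramFiles\TSUninstall\Uninstall.lnk",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\TS.lnk"
)
# Assumption: on 64-bit Windows a 32-bit rogue would land in Program Files (x86).
if (${env:ProgramFiles(x86)}) { $files += "${env:ProgramFiles(x86)}\TS\tsc.exe" }

# COM registration lives under Classes (HKCR is only a merged view of it); 32-bit
# servers on 64-bit Windows land under Wow6432Node instead (assumption, see above).
$classRoots = @('HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\Wow6432Node\Classes')
$bhoRoots   = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects')

$regKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\TS')
foreach ($id in $clsids) {
    foreach ($root in $classRoots) { $regKeys += "$root\CLSID\$id" }
    foreach ($root in $bhoRoots)   { $regKeys += "$root\$id" }
    $regKeys += "HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\$id"
}

$found = @()
foreach ($f in $files)   { if (Test-Path -LiteralPath $f) { $found += "file:     $f" } }
foreach ($k in $regKeys) { if (Test-Path -LiteralPath $k) { $found += "registry: $k" } }

# The CLSID is just a registration value; catch the same DLLs registered under a
# different GUID by resolving every BHO's InprocServer32 path.
foreach ($root in $bhoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $id = $key.PSChildName
        foreach ($cr in $classRoots) {
            $srv = Get-ItemProperty -LiteralPath "$cr\CLSID\$id\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -match 'iehelpmod\.dll|winsource\.dll') {
                $found += "BHO:      $id -> $($srv.'(default)')"
            }
        }
    }
}

# Security Center override values the rogue tampers with; a value of 1 suppresses
# that monitor, so the user gets no "no antivirus / firewall" warning.
$svc = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc' -ErrorAction SilentlyContinue
foreach ($name in 'AntiVirusOverride', 'AntiSpywareOverride', 'FirewallOverride') {
    if ($svc -and $svc.$name -eq 1) { $found += "override: $name = 1" }
}

if ($found.Count -eq 0) { 'No Total Security indicators found.' }
else { $found | ForEach-Object { "FOUND $_" }; exit 1 }
```

A clean result after the reboot, with the Security Center items switched back on, is the confirmation you want before declaring the machine clean; any “BHO:” line with an unfamiliar GUID means the add-on was re-registered and that new CLSID needs the same Registry treatment as the one listed above.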

Good hunting!

2 comments:

  1. Thanks.. it also applies to the same program manifesting as 'Cyber Security'

    Most helpful fix I've been able to find for this problem.

  2. Thanks for a complete procedure.

Copyright © 1999-2014 Komeil Bahmanpour. All rights reserved.

Reproduction is permitted provided that the source is acknowledged and a link is included to the relevant page.