XP Defender Pro and Vista Defender Pro
XP Defender Pro and Vista Defender Pro are rogue security programs that spread aggressively through malicious websites. They force entry into computers by exploiting software vulnerabilities. The XP Defender Pro virus can penetrate a system without notice and undetected by an antivirus program. It is able to embed itself in legitimate system files.
In the first stage, it attempts to hijack Internet browsers and redirect them to a website that performs a virus scan of the computer. The scan displays fake results and tries to convince users to use XP Defender Pro as a virus remover. Next, it asks the user to download and install the trial version of the fake antivirus software. Once installed, it launches a virus scan and keeps detecting files and viruses that are not present on the PC. This trick deceives users and pushes them to register the program, which it claims is the only solution for removing computer threats. Even with the activated version of XP Defender Pro, threats will remain on the computer as long as this rogue security program stays.
The only possible way to resolve this issue is to fully scan the computer with an effective anti-malware product.

Technical Details and Additional Information:
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Characteristics (Analysis)
Malware Behavior
The presence of XP Defender Pro and Vista Defender Pro on a target computer produces excessive alert messages to mislead victims. Some of these alerts are the following:
XP Defender Pro Firewall Alert!
XP Defender Pro has blocked a program from accessing the Internet
Internet Explorer is infected with Trojan-BNK.Win32-Keylogger.gen
Private data can be stolen by third parties, including credit card details and passwords.

Stealth intrusion!
Infection detected in the background. Your computer is now attacked by spyware and rogue software. Eliminate the infection safely, perform a security scan and deletion now.

System hijack!
System security threat was detected. Viruses and/or spyware may be damaging your system now. Prevent infection and data loss or stealing by running a free security scan.

Severe system damage!
Spyware and viruses detected in the background. Sensitive system components under attack! Data loss, identity theft and system corruption are possible. Act now, click here for a free security scan.

XP Defender ALERT
System integrity threat!
Warning! Sensitive data may be sent over your Internet connection right now!
Details
Attack from: 235.91.44.40 port: 6301
Attacked port: 4637
Threat: Macro.PPoint.ShapeShift

Registry Entries:
HKCU\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKCU\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKCR\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKCR\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKCU\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKCU\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKCR\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKCR\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKLM\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"

Associated Files and Folders:
-Files on Windows XP-
C:\Documents and Settings\All Users\Application Data\GhGh6sjflqpE
%UserProfile%\Local Settings\Application Data\av.exe
%UserProfile%\Local Settings\Application Data\ave.exe
%UserProfile%\Local Settings\Application Data\GhGh6sjflqpE
%UserProfile%\Local Settings\Application Data\WRblt8464P
%UserProfile%\Local Settings\Temp\GhGh6sjflqpE
%UserProfile%\Templates\GhGh6sjflqpE
-Files on Windows Vista-
C:\ProgramData\GhGh6sjflqpE
C:\Users\All Users\GhGh6sjflqpE
%UserProfile%\AppData\Local\av.exe
%UserProfile%\AppData\Local\ave.exe
%UserProfile%\AppData\Local\GhGh6sjflqpE
%UserProfile%\AppData\Local\WRblt8464P
%UserProfile%\AppData\Local\Temp\GhGh6sjflqpE
%UserProfile%\AppData\Roaming\Microsoft\Windows\Templates\GhGh6sjflqpE
How to Remove XP Defender Pro and Vista Defender Pro
1. Stop the XP Defender Pro or Vista Defender Pro process by pressing Ctrl+Alt+Del. Windows Task Manager will open. Look for the following process:
av.exe or ave.exe
Highlight the process and click End Process.
2. Connect to the Internet and update your installed anti-virus program. This is necessary to identify newer variants of this virus.
3. Run a full virus scan and clean/delete all detected infected file(s).
4. Edit the Windows registry and delete the XP Defender Pro entries (refer to Technical Details).
5. When you have finished removing the registry entries, exit the registry editor by closing the program. It saves the changes automatically.
6. Remove the XP Defender Pro start-up entry: go to Start > Run and type msconfig in the "Open" dialog box. The System Configuration Utility will open. Go to the Startup tab and uncheck the following start-up item(s):
[random]tssd.exe
7. Click Apply and restart Windows.
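As an added example (not part of the original guide), the following read-only PowerShell script checks a machine for the registry values and file names listed under Technical Details, for instance to confirm that steps 4 to 7 left nothing behind. It assumes PowerShell 2.0 or later is installed and, going slightly beyond the list above, tests every listed file name in every listed directory.

```powershell
# Read-only audit of the registry values and files this page lists.
# Added example: it reports findings and changes nothing.
$u = $env:USERPROFILE
$commandKeys = @(
    'HKCU:\Software\Classes\.exe\shell\open\command',
    'HKCU:\Software\Classes\secfile\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command',
    'Registry::HKEY_CLASSES_ROOT\secfile\shell\open\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command',
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
)
# Directories and names from "Associated Files and Folders" (XP and Vista layouts).
$dirs = @(
    'C:\Documents and Settings\All Users\Application Data', 'C:\ProgramData', 'C:\Users\All Users',
    "$u\Local Settings\Application Data", "$u\Local Settings\Temp", "$u\Templates",
    "$u\AppData\Local", "$u\AppData\Local\Temp", "$u\AppData\Roaming\Microsoft\Windows\Templates"
)
$names = 'GhGh6sjflqpE', 'WRblt8464P', 'av.exe', 'ave.exe'
$findings = @()

# 1. Command handlers whose (Default) value launches av.exe or ave.exe with /START.
foreach ($key in $commandKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $value = (Get-Item -LiteralPath $key).GetValue('')   # '' selects the (Default) value
    if ($value -match '\\ave?\.exe"?\s+/START') {
        $findings += "REGISTRY  $key = $value"
    }
}

# 2. The Security Center value the page lists as set to 1.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
if (Test-Path -LiteralPath $sc) {
    $override = (Get-Item -LiteralPath $sc).GetValue('AntiVirusOverride')
    if ($override -eq 1) { $findings += "REGISTRY  $sc AntiVirusOverride = 1" }
}

# 3. Listed file and folder names in each listed directory.
foreach ($dir in $dirs) {
    foreach ($name in $names) {
        $path = "$dir\$name"
        if (Test-Path -LiteralPath $path) { $findings += "FILE      $path" }
    }
}

if ($findings) { $findings } else { 'No listed XP Defender Pro / Vista Defender Pro artifacts found.' }
```

Run it from the affected user's account, since the HKCU keys and %UserProfile% paths are per user.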
XP Defender Pro Removal Tool:
To completely remove the threat, it is best to download and run Malwarebytes Anti-Malware. Sometimes Trojans block the download and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before running it on the infected machine.
Online Virus Scanner:
Another way to remove a virus without installing an additional anti-virus application is to perform a thorough scan with a free online virus scanner, which can be found on the websites of legitimate anti-virus and security providers.
abc defg
Mar 21, 2010 @ 03:14:48
Wanted to say thanks, and let you know that the manual removal instructions were very helpful, and worked great. Thanks to you, I’m rid of this insidious virus!
Alexandru Fira
Mar 25, 2010 @ 15:40:28
You are wasting your time. Switch to Linux!
ha long
Apr 03, 2010 @ 05:06:51
Key
Laney
Apr 04, 2010 @ 00:24:09
What is the key?
Lyskar
Apr 04, 2010 @ 04:30:41
Use Windows security essentials, it’s free, from Microsoft and provides basic protection. Or ask your Internet provider; some offer a free license on the antivirus of their choice.
onur
Apr 21, 2010 @ 18:24:58
Is it likely to crash my computer?
resul
Apr 25, 2010 @ 09:59:51
You are all sons of bitches.
earl
May 19, 2011 @ 13:05:54
This program is worse than you are claiming. It locks you out of your BIOS and takes over your PC, and sends your info on it to another remote PC.