XP Defender Pro is new clone of XP Internet Security 2010, which is a rogue antispyware program. The fake security program only looks like a real antispyware application, but unlike it, can not remove viruses and trojans, as well as protect your computer from possible infections.
XP Defender Pro is installed onto your computer through the use of trojans completely invisible, it does not output any warnings and requests to install. During installation, the rogue configures itself to run every time when you run any program (files with .exe extension) on your computer. Once started, it begins to scan your computer and in the process finds a lot of infected files, trojans, viruses, and so on. These results are nothing but deception, XP Defender Pro uses the results of scanning as a method designed to scare you into thinking that your computer in danger.
In order to create the fully simulation that you computer is infected, XP Defender Pro will display various fake security warnings and hijack Internet Explorer and Firefox, so it will display fake warnings when you opening a web site. However, all of these alerts and warnings are a fake and like false scan results should be ignored!
If you get infected with XP Defender Pro, please do not be fooled into buying it. Instead of doing so, follow the XP Defender Pro removal guide below in order to remove this malware, and any other clones of XP Internet Security 2010.
Use the following instructions to remove XP Defender Pro (Uninstall instructions)
Step 1. Repair “running of .exe files”.
Method 1
Click Start, Run. Type command and press Enter. Type notepad and press Enter.
Notepad opens. Copy all the text below into Notepad.
Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\secfile]
[-HKEY_CLASSES_ROOT\secfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"
Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.)
Double Click fix.reg and click YES for confirm.
Reboot your computer.
Method 2
Click Start, Run. Type command and press Enter. Type notepad and press Enter.
Notepad opens. Copy all the text below into Notepad.
[Version]
Signature="$Chicago$"
Provider=Myantispyware.com
[DefaultInstall]
DelReg=regsec
AddReg=regsec1
[regsec]
HKCU, Software\Classes\.exe
HKCU, Software\Classes\secfile
HKCR, secfile
HKCR, .exe\shell\open\command
[regsec1]
HKCR, exefile\shell\open\command,,,"""%1"" %*"
HKCR, .exe,,,"exefile"
HKCR, .exe,"Content Type",,"application/x-msdownload"
Save this as fix.inf to your Desktop (remember to select Save as file type: All files in Notepad.)
Right click to fix.inf and select Install. Reboot your computer.
Step 2. Remove XP Defender Pro associated malware.
Download MalwareBytes Anti-malware (MBAM). Once downloaded, close all programs and windows on your computer.
Double-click on the icon on your desktop named mbam-setup.exe. This will start the installation of MalwareBytes Anti-malware onto your computer. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to “Update Malwarebytes’ Anti-Malware” and Launch “Malwarebytes’ Anti-Malware”. Then click Finish.
MalwareBytes Anti-malware will now automatically start and you will see a message stating that you should update the program before performing a scan. If an update is found, it will download and install the latest version.
As MalwareBytes Anti-malware will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main menu. You will see window similar to the one below.
Malwarebytes Anti-Malware Window
Make sure the “Perform quick scan” option is selected and then click on the Scan button to start scanning your computer for XP Defender Pro infection. This procedure can take some time, so please be patient.
When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click “Show Results”. You will see a list of infected items similar as shown below.
Note: list of infected items may be different than what is shown in the image below.
Malwarebytes Anti-malware, list of infected items
Make sure all entries have a checkmark at their far left and click “Remove Selected” button to remove XP Defender Pro. MalwareBytes Anti-malware will now remove all of associated XP Defender Pro files and registry keys and add them to the programs’ quarantine. When MalwareBytes Anti-malware has finished removing the infection, a log will open in Notepad and you may be prompted to Restart.
Note 1: if you can not download, install, run or update Malwarebytes Anti-malware, then follow the steps: Malwarebytes won`t install, run or update – How to fix it.
Note 2: if you need help with the instructions, then post your questions in our Spyware Removal forum.
XP Defender Pro creates the following files and folders
%AppData%\ave.exe
XP Defender Pro creates the following registry keys and values
HKEY_CURRENT_USER\Software\Classes\.exe
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\.exe\shell
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
HKEY_CURRENT_USER\Software\Classes\secfile
HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\secfile\shell
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command | @ = “”%AppData%\ave.exe” /START “%1″ %*”
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command | IsolatedCommand = “”%1″ %*”
HKEY_CURRENT_USER\Software\Classes\.exe | @ = “secfile”
HKEY_CURRENT_USER\Software\Classes\.exe | Content Type = “application/x-msdownload”
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command | @ = “”%AppData%\ave.exe” /START “%1″ %*”
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command | IsolatedCommand = “”%1″ %*”
I’m posting this because i felt i owed it to the people of previous posts. #2 seems to have worked so far. Just make sure you follow the instructions to the TEE for example, “make sure you save as ‘fix.inf’, and not ‘fix.info'”. Thanks so much from the previous posters.
Thank you very much for the fix! To those having issues with the Method 1 fix.reg file, make sure you include the “Windows Registry Editor Version 5.00” line at the top of the file. Leaving it off will cause the “The file is not a registry script…” error.
Thank you so much. 1st I went through step 1 and it did work, but after rebooting some icons were missing and some apps were not working like outlook, IE,… After rebooting several times without any success, I went through step 2 and everything is cool now. Going to bed, no nightmares expected 🙂
when i open the nptepad to do either #1 and #2 the virus shuts down notepad help?!
jordan, you need run notepad through the use command (command console).
Tried #1 and #2 and malwarebytes each time I think I have it it ends up coming back as bad as ever what can I do????
NYTREEMAN, open a new topic in our Spyware removal forum. I will help you.
I did steps #1 and #2 and Malwarebytes seems to have removed XP defender (thank you!!), but I still cannot get on the internet with firefox, chrome, etc.
I did try a “manual fix” of the registry at one point – could I have prevented these programs from accessing the internet myself?
Thank you!
Thanks for posting this topic, I also has same issue, with method 2 , I deleted the virus and now its workign fine, i rebooted my system
Thanks once again..hats off!!!!!
normally i wouldn’t comment on stuff like this, but this seriously saved me. i used method 1. i don’t understand what it did, but you spelled out the steps so clearly that i couldn’t mess up. thank you so much!
Thanks for the help.
Turner, what shows your browser when you trying open any site ?
Brilliant!
Step 1, method 2 did it (fix.inf) followed by Step 2.
Thanks a million.
I completed step 1 of method two with no problem. Downloaded the malware but after i click run, nothing happens. the setup does not open. Help!
Hi, i have a problem.
I’ve run out of options and need to ask for help.
This thing has stopped me from using safe mode, I just get the blue screen, i can’t system restore because it has changed group policy settings,
No Folder Options anymore, also no task manager.
Step 1 Method 2 seemed to do something, it calmed the fan noise and sedated the constant popups, I’m still getting the warning messages in the lower right.
Malwarebytes installs, it runs, it found about 300 infections, ¬_¬
When it completes there is a popup box,
“scan complete click show results”
I click OK on that, Malwarebytes closes.
I’ve tried renaming the download, and like i said no folder options, so showing file extensions is out at the mo.
I’ve even been on a manual hunt through system folders, but it would help to have safe mode and be able to see hidden folders…
Just occured to me to try a new user, i will update, but im not retyping this 😛
Supposing users doesn’t work, any help is appreciated
thanks
New user, i’ve pretty much got this new one set up exactly how it was on the other now, and no immediate problems.
i’ve still got that infected user lurking though.
Still, i can be patient.
Lauren, try run Malwarebytes from Safe mode. If it does not help, try the instructions. Also you ask us for help in our Spyware removal forum.
Cal, reboot your computer in safe mode and perform a scan once again.
Cal, follow the first step instructions above, reboot your PC.
Click Start, Run, type regedit and press Enter.
Registry editor opens.
Navigate in the left panel to HKEY_LOCAL_MACHINE \ SOFTWARE \ Clients \ StartMenuInternet \ IEXPLORE.EXE \ shell \ open \ command
I the right part of window click twice to “@”. You will see a screen with the contents like below: “C:\Documents and Settings\user\Local Settings\Application Data\av.exe” /START “C:\Program Files\Internet Explorer\iexplore.exe”
Remove left part, leave only “C:\Program Files\Internet Explorer\iexplore.exe”.
Now, try download and run Malwarebytes.
I couldn’t rid it of The first time appear in my daughter’s computer so I’ve format the HD. This time I google it and found you guys then I tried step 1 method 1 and didn’t work. Tried step 1, method 2, reboot the computer and the annoying pop up disappear like magic, I’m hoping forever.
Thank u very much
Thank you so much!! It worked! I just want to check whether or not I have to delete the bugs once they are in the quarantine section. Thanks again
hey thanks a lot
I tried method 2 and the after rebooting the computer gets stuck on the blue welcome screen. Any suggestions?
Hey thanks for that advice, unfortunately the moment i started reading it hours ago the computer died and i couldn’t even boot it.
No safe, no normal, no last known working, all gave a different blue screen.
After playing with the Ram inside, (worth a try i thought) without success, I ended up doing a full system recovery with a backup folder and am now setting everything back to how it was.
Stay away from watchathf.com !!
Thnx again.
I successfully removed the malware following method #2. Mozzilla works fine but Internet Explorer and Chrome still do not work.
I removed the malware using method #2. Mozzilla is back to normal but Chrome still doesn’t work.
Patrik, my browser gives the following message:
This webpage is not available.
The webpage at microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome might be temporarily down or it may have moved permanently to a new web address.
More information on this error
Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You!Thank You! D. x
This virus is giving me hell, i have a major assesment due in 2 days and im suffering, nothing is working for me, but i am performing an A squared free scan as we speak, does anyone know if this program is succedful for removing this virus?
Aaron, try boot your PC in last good configuration.