XP Windows Defender Scam

  peter_rsvp 08:59 19 Mar 2010

Good Morning
No-one else to turn to who knows a whole lot more than me!

My home computer has been attacked by some malware .. it’s sophisticated and strong stuff.
The irony is that it was my wife who innocently opened her mail and let it in.
I haven’t lost any money but it’s knocked out my I.E. and AVG …
The thing calls itself Windows Defender Pro and places an immoveable ‘shield’ icon in the desktop tray.
On startup it runs a fake scan and warns of all sorts of nasties … Then it directs you to a ‘fix’ where you put in your card details. I didn’t, of course, but the unfortunate thing is that it has captured I.E. and every time I try to open any site it comes up with the same screen offering this fake fix.
It has also disabled AVG and I suspect that it is using the AVG platform to run because in the ‘processes’ section of the task manager, AVG processes are working away.
Everything else works as normal, ICQ, Messenger, Outlook Express etc. I have tried everything I know ..
I’ve used ‘task manager’ to stop processes one by one but the only thing that removes the shield icon is stopping Windows Explorer, which stops everything else of course.
I did have Mozilla FF but deleted it some time ago .. I thought I might be able to get to the internet using that .. hmmmm .. just for research cos it doesn’t solve the problem.
I’ve come to work this morning to try to find something about this .. … the only thing I can find is very current and it seems that I might have been caught in the early stages of this thing
Have a look here
click here
click here

I’m beginning to think that I have to re-format the hard drive .. ?


  Strawballs 09:22 19 Mar 2010

Try going into safe mode on startup and uninstalling AVG to see if that helps

  oldbeefer3 09:26 19 Mar 2010

Have you done the basics such as downloading, updating and running Malwarebytes (which is free)? You may have to turn off System Restore to stop the bug reloading.

  Fruit Bat /\0/\ 09:37 19 Mar 2010

XP Defender Pro Manual Removal Instructions:

Use task manager to end process

Search for and remove

Run regedit and remove
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*

HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*

HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*

HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%1" %*

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%Program Files%\Mozilla Firefox\firefox.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%Program Files%\Mozilla Firefox\firefox.exe" -safe-mode

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\ave.exe" /START "%Program Files%\Internet Explorer\iexplore.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
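The registry entries listed above are all one pattern: the `.exe` file association and the browsers' `StartMenuInternet` handlers are rewritten so that `ave.exe` runs first and then launches the real program, and the two Security Center override values are set so Windows stops warning that antivirus and firewall are off. That is why every program, and I.E. in particular, is "captured". The script below is an added example, not code from this thread or from any removal tool it mentions: it reads a `regedit`-style `.reg` export (the sample text is constructed for the example, using the key paths and value names from the post) and reports any `shell\open\command` or `shell\safemode\command` whose launched executable is not what it should be, plus any override value set to 1. Running it against a real export is a way to confirm the cleanup before rebooting.

```python
"""Scan a .reg export for the .exe / browser handler hijack described above.

Added illustration for the thread; the sample export below is constructed.
"""
import re

# Constructed sample of what "regedit /e" might produce on an affected machine.
# Key paths and value names follow the post; one clean handler (exefile) and one
# clean override (FirewallOverride=0) are included so the check has negatives.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"%UserProfile%\\Local Settings\\Application Data\\ave.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command]
@="\"%UserProfile%\\Local Settings\\Application Data\\ave.exe\" /START \"%Program Files%\\Internet Explorer\\iexplore.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
'''

SECURITY_CENTER = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
COMMAND_KEY_RE = re.compile(r"\\shell\\(open|safemode)\\command$", re.IGNORECASE)
VALUE_LINE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_value(data):
    """Decode the two value types the check needs; leave anything else as text."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", data)
    if m:
        return int(m.group(1), 16)
    return data


def parse_reg(text):
    """Return {key_path: {value_name: value}} from .reg export text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE_RE.match(line) if current else None
        if not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        keys[current][name] = _decode_value(m.group(3))
    return keys


def first_executable(command):
    """The program a shell command line starts: quoted token, else first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def find_hijacks(keys):
    """Return (key_path, reason) for every handler or override that looks wrong."""
    findings = []
    for path, values in keys.items():
        if not COMMAND_KEY_RE.search(path):
            continue
        exe = first_executable(values.get("(Default)", ""))
        base = exe.rsplit("\\", 1)[-1].lower()
        parts = path.split("\\")
        if "StartMenuInternet" in parts:
            # A browser entry must launch that browser, nothing interposed.
            expected = parts[parts.index("StartMenuInternet") + 1].lower()
            if base != expected:
                findings.append((path, f"launches {base!r}, expected {expected!r}"))
        elif exe != "%1":
            # A file-type handler should pass the file straight through as "%1".
            findings.append((path, f"interposes {base!r} before the real program"))
    overrides = keys.get(SECURITY_CENTER, {})
    for name in ("AntiVirusOverride", "FirewallOverride"):
        if overrides.get(name) == 1:
            findings.append((SECURITY_CENTER, f"{name} = 1 (Security Center alert suppressed)"))
    return findings


if __name__ == "__main__":
    for path, why in find_hijacks(parse_reg(SAMPLE_REG)):
        print(f"{path}\n    {why}")
```

On the constructed sample this reports three problems: the `.exe` association and the Internet Explorer handler both route through `ave.exe`, and `AntiVirusOverride` is set. The clean `exefile` handler and `FirewallOverride=0` are not reported. To use it on a real machine, export the relevant hives with regedit, copy the file off, and pass its text to `parse_reg` instead of `SAMPLE_REG`; an empty result after the manual cleanup is the confirmation you want.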

  birdface 09:40 19 Mar 2010

Not this one, is it?

click here

  peter_rsvp 09:59 19 Mar 2010

Thanks guys .. very informative so far .. I already had advice on MBAM from another source so I'm putting that on a stick and taking home tonight ..
Buteman, it is very similar ... and I guess the procedure might be the same for removal ..
Fruitbat, thanks for that .. broadly speaking that's what is contained in Buteman's link ..
Great! .. thanks again
