XP Defender Pro


Hi All,

I have a machine that is infected with XP Defender Pro. Initially tried MalwareBytes, but it wouldn't run. Found many sites that had manual uninstall procedures, all talking about deleting ave.exe and a heap of registry entries. Went through those, and also removed any occurrence of ave.exe in registry, as well as a few items in the HKLM/software/microsoft/windows/currentversion/run folder that looked dodgy.

Following those, XP Defender Pro *appears* not to be running, and malwarebytes starts, but after about 3 seconds, closes down again. Obviously there are still bits of XPDP or other malware still hanging around. Also, although antivirus software I have installed runs, it doesn't update. It will run, and I've got that scanning at the moment, but as it has an old signature, and hasn't picked up the XPDP type of malware in the past, I can't guarantee it will work now.

Please can someone give me some advice or help to get this machine cleaned.

Many thanks,

Eric

Hello wolfhardisworthy, and welcome to the forums here at Malwarebytes.org :D

You can try these instructions in the self guide section see if you can get it removed LOCATED HERE otherwise follow the below instructions:

Please read the following so that you can begin the cleaning process:

We don't work on Malware removal in the general forums.

Please read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

Please note that it may take 48 hours or more for you to receive a response in the malware removal forum, as it is often busy at times. Please do not reply to your own post asking for help unless it's been more than 48 hours since you originally posted, as this can make it appear as though you are being helped and take longer for you to get help.

If you are unable to do all or any of the steps in the link to the directions above, just post your problem into the forum I gave you a link to anyway and someone will be able to assist you.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org

If you are a corporate customer please send an email to corporate-support@malwarebytes.org. (NOTE: An order number is required for corporate support.)

Also, when replying, please use the "ADD REPLY" button or erase what the person you are replying to said, as this makes the forum easier to read.

After posting your new post make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Thank you :o

looks like another fun one, I am on my 2nd day with this, mine would run mbam, but would reboot the pc while running mbam, or at end of scan, it would just shut down mbam, used several other scanners, only thing left to clean is the what some call google redirect, search with google, click on a search result and you get redirected to something other than what you clicked on, mbam did point to a rogue installer called ZWCFSY.SYS which it did delete, but I also found a ZWCFSY in the no plug and play in device manager

in dev manager hardware view hidden no plug and play

also what helped is as soon as you reboot bring up task manager, before the virus disables it as it boots up which enabled me to stop AVE.exe process.

mbam found

JS/EXPLOIT.PDFKA.NXB TROJAN

WIN32/ADWARE.WILDTANGENT APPLICATION

I deleted all wild tangent

mbam did find in the registry some hijack for explorer and firefox, but I still have that problem

Only follow the instructions as per the sheet - If you have MBAM installed just Manually Update and a Quick Scan for your records and to help your expert -

Click on the screen icon or in programs , open the main face and click updates -

Thanks - :D

EDIT - Please use the ADD REPLY Tab at the bottom of the screen when responding - Thanks -

Only follow the instructions as per the sheet - If you have MBAM installed just Manually Update and a Quick Scan for your records and to help your expert -

Click on the screen icon or in programs , open the main face and click updates -

Thanks - :D

I notice all the posts say do a quick scan, after many quick scans, yesterday, and then getting no detections, I ran a full scan and did find additional infections, quick scan may not be enough.

just finished quick scan, nothing found and the hijack problem still there

ok I guess you mean fast reply, still have the problem, I google mbam, click on the result and I am hijacked to some other site, mbam did find reg keys and said it fixed them yesterday, not getting any more reg key defects, DNS maybe? or did it move or hide the registry key that is doing this
