Home Malware Programs Rogue Anti-Spyware Programs XP Defender

XP Defender

Posted: June 18, 2008

Threat Metric

Threat Level: 10/10
Infected PCs: 9
First Seen: July 24, 2009
Last Seen: January 9, 2019
OS(es) Affected: Windows

XP Defender Screenshot 1Instead of defending your PC from malware and other dangers, XP Defender is itself, a form of malware that's identified as a rogue anti-malware program. Like the other members of its family (identified by SpywareRemove.com malware experts as WinPC Defender), XP Defender displays pop-up alerts with fraudulent security information, system scans that detect nonexistent infections and even browser redirects to fake warning pages, all to make you want to purchase its registered version to remove these threats. However, the purchased version of XP Defender is just as lacking in security features as the unpurchased version, and you should use an actual anti-malware product to get rid of XP Defender for free after your computer displays any of the symptoms noted here.

XP Defender: Windows XP's Version of an Ancient Recurring Scam

XP Defender acts like an individual and reputable product that tends to your computer's overall safety and, in particular, malicious software-related attacks, but XP Defender actually has been identified as a minor variant of very similar rogue anti-malware scanners from the FakeRean family. Other fake anti-malware programs that are associated with XP Defender's family include examples like Ultimate Defender, SystemDefender, IE Defender, Advanced XP Defender, WinDefender2008, PCTotalDefender, PC Defender 2008, Personal Defender 2009, WinDefender 2009, Perfect Defender 2009, Total Defender, Malware Defender 2009, WinPC Defender, PC Privacy Defender, Smart Defender Pro, Rogue.UltimateDefender, FraudTool.LastDefender.b and Security Defender Pro 2015. Other than minor aesthetic differences, SpywareRemove.com malware researchers consider these members of FakeRean to be close to identical to each other, particularly in terms of their major malicious functions.

After being installed by any of several methods (spam e-mail links, Blackhole Exploit Kit attacks and fake online scanners are favored delivery strategies), XP Defender adds an auto-start entry to the compromised PC's Registry and launches its attacks as soon as Windows starts. Besides faking system-scanning features, XP Defender also may create multiple types of fake system alerts and pop-ups, all of which will warn you about attacks that aren't taking place, as well as malicious software that's not installed on your PC.

The major drive of XP Defender's attack plan is to make you think that buying XP Defender will save your PC from the many imaginary PC threats that XP Defender warns you about, although SpywareRemove.com malware analysts strongly discourage spending any money on XP Defender whatsoever. XP Defender also may be accompanied by other forms of malware and is especially often included alongside Trojans with downloading capabilities.

How XP Defender Lays into Your PC with Its Idea of Preemptive Defense

XP Defender's defining traits may be its fraudulent security functions, but SpywareRemove.com malware analysts also have seen reasons to be concerned over XP Defender's secondary functions, which can cripple your PC's security as XP Defender attempts to prevent itself from being removed. Such attacks can include:

  • Web browser hijacks that force you to view a fake warning page in lieu of a legitimate website. XP Defender may make particular efforts to redirect your browser away from PC security-themed sites.
  • Program-blocking attacks that force all other executable files to be filtered through XP Defender, which may deny them or allow them at its leisure. In most cases, XP Defender will block the other program and display a fake damage/infection alert.
  • System changes that disable basic security functions, particularly the Windows Firewall, update manager and UAC.

These attacks cause your computer to be more vulnerable to attacks from other types of malware than it would be under ordinary circumstances. Consequentially, SpywareRemove.com malware experts recommend deleting XP Defender with a tried and true anti-malware program as soon as you can do so.

XP Defender Screenshot 2XP Defender Screenshot 3XP Defender Screenshot 4XP Defender Screenshot 5XP Defender Screenshot 6XP Defender Screenshot 7

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



XPdefender.exe File name: XPdefender.exe
Size: 1.37 MB (1376256 bytes)
MD5: d899a7ea0342fe74cc8db09edef4963d
Detection count: 82
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: December 11, 2009
XPdefender_Installer[1].exe File name: XPdefender_Installer[1].exe
Size: 164.68 KB (164685 bytes)
MD5: 946adae281b06bb971536004fa91b60e
Detection count: 75
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: December 11, 2009
9eRroX92aY.exe File name: 9eRroX92aY.exe
Size: 3.79 MB (3793862 bytes)
MD5: 88d6e030eeac28b85f1f5b87c12a0899
Detection count: 53
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: December 11, 2009
%AllUsersProfile%\Desktop\XP Defender.lnk File name: %AllUsersProfile%\Desktop\XP Defender.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file
%Documents and Settings%\[UserName]\Application Data\ave.exe File name: %Documents and Settings%\[UserName]\Application Data\ave.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
%CommonAppData%\pcdfdata\.exe File name: %CommonAppData%\pcdfdata\.exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
%CommonAppData%\pcdfdata\app.ico File name: %CommonAppData%\pcdfdata\app.ico
Mime Type: unknown/ico
Group: Malware file
%CommonAppData%\pcdfdata\config.bin File name: %CommonAppData%\pcdfdata\config.bin
File type: Binary File
Mime Type: unknown/bin
Group: Malware file
%CommonAppData%\pcdfdata\defs.bin File name: %CommonAppData%\pcdfdata\defs.bin
File type: Binary File
Mime Type: unknown/bin
Group: Malware file
%CommonAppData%\pcdfdata\support.ico File name: %CommonAppData%\pcdfdata\support.ico
Mime Type: unknown/ico
Group: Malware file
%CommonAppData%\pcdfdata\uninst.ico File name: %CommonAppData%\pcdfdata\uninst.ico
Mime Type: unknown/ico
Group: Malware file
%CommonAppData%\pcdfdata\vl.bin File name: %CommonAppData%\pcdfdata\vl.bin
File type: Binary File
Mime Type: unknown/bin
Group: Malware file
%CommonStartMenu%\Programs\XP Defender\Remove XP Defender.lnk File name: %CommonStartMenu%\Programs\XP Defender\Remove XP Defender.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file
%CommonStartMenu%\Programs\XP Defender\XP Defender Help and Support.lnk File name: %CommonStartMenu%\Programs\XP Defender\XP Defender Help and Support.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file
%CommonStartMenu%\Programs\XP Defender\XP Defender.lnk File name: %CommonStartMenu%\Programs\XP Defender\XP Defender.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file

Registry Modifications

The following newly produced Registry Values are:

HKEY..\..\{Value}HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "av.exe" /START "%1? %*HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "av.exe" /START "%1? %*HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "av.exe" /START "firefox.exe"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "av.exe" /START "firefox.exe" -safe-modeHKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command “(Default)" = "av.exe" /START "iexplore.exe"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1?HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1?HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "ave.exe" /START "%1" %*HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "ave.exe" /START "%1" %*HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "ave.exe" /START "%1" %*HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "ave.exe" /START "%1" %*HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "ave.exe" /START "firefox.exe"HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "ave.exe" /START "firefox.exe" -safe-modeHKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "ave.exe" /START "iexplore.exe"

Additional Information

The following cookies were detected:
xpdefender
The following messages's were detected:
# Message
1System Security Alert
Unknown program is scanning your system registry right now! Identity theft detected.
2System Security Alert
Vulnerabilities found
Background scan for security breaches was finished. Serious issues were detected. Safeguard your system against exploits, malware and viruses right now by activating Proactive Defense.
3XP Defender Firewall Alert
Iexplore.exe is infected with Hoax.HTML.Agent.i. Private data can be stolen by third parties, including credit card details and passwords.

Related Posts

2 Comments

  • ernie bass says:

    if everybody knows this is a xpdefender i a scam why doesnt somebody find these people and shoot them

  • A Rosenhan says:

    xpdefender just cost me two days of work, lost files, and a big headache. I ended up having to reload everything, with a somewhat old backup. How come this scam continues to be allowed ? There h as got to be a money trail, can't some Attorney Generals or BBBs do something about this ? I could never find an physical address or phone for this bunch of jerks. Likewise, I think a couple of the "fixes" that are advertised for this are also scams.

    Any thoughts ?

Loading...