Removing Malware, Please help

[ir_cow]

so like the title says my main computer got a virus that pretends to be Windows defender and runs under Programdata/defender.exe but no anti-virus or malwar picks it up. it even runs in safe mode!. what happens is it spams warnings and closes any/all programs when i open them. I really can't do anything windows or safemode and i used about 6 bootable anti-virus cds and none detect it!

 

lucky for me i keep a backup but still i would rather just remove it than reinstall everything. anyone have a idea how to remove it?

 

btw i got it from google.com, Firefox started to slow down and froze, than my computer restarted by itself. BAM it started to spam me, so i suggest people update everything. IDK how google of all place would give you malware but it must have been a ad that auto executed or something... i'm the only one who uses the computer and internet explorer is uninstalled so it must be some exploit in firefox is all i can think of.

[wevsspot]

Hey HBC. I can feel your pain. I've been on a virus all weekend long (freechase) and it has been kicking my butt.

 

You're going in the right direction with the safe boot, and it's unfortunate that none of the out of the box AV/Spyware removal apps are working. You can attempt a brute force removal but will require a lot of manual work.

 

Boot your rig in safe mode

Turn off System Restore

Open task manager and kill the defender.exe process

Uninstall firefox (and chrome if you have it)

Locate the file folder that contains the .exe and delete the entire folder

Purge the prefetch file

Manually search your OS drive for any files containing "defender" carefully review and delete if applicable

Open the registry editor and delete any keys, data or values that point to the defender.exe

Reboot and run HiJack this and post up the HJT log and I'll take a look at it

 

Wev

[ir_cow]

No go, i tried my best but i did find out how it came to be. apparently Java got infected that than installed that fake defender program. I was able to clean java but i still can't stop the malware. it just keeps coming back. this has been very painful but i was smart enough to back everything up every week just in case something came about.

[Psywar]

Did you try Malwarebytes? That program usually removes those fake virus scanners 98% of the time.

 

Use Malwarebytes first if you have not already:

 

Below is a Manual Process of Removing Windows PC Defender (Fake) but be careful because messing with the registry and deleting .dll files can screw up your PC even more.

 

Windows PC Defender manual removal:

Kill processes:

WP345d.exe eb.exe fix.exe ppal.exe

 

Delete registry values:

HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}

HKEY_CLASSES_ROOT\WP345d.DocHostUIHandler

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" => "http://search-gala.com/?&uid=201&q={searchTerms}"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "UID" = "201"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "89770891803"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windows PC Defender"

 

 

Unregister DLLs:

mozcrt19.dll sqlite3.dll cid.dll ddv.dll tempdoc.dll

Delete files:

8424.mof mozcrt19.dll sqlite3.dll WP345d.exe WPCD.ico vd952342.bd wpcd.cfg Windows PC Defender.lnk cookies.sqlite Instructions.ini cid.dll CLSV.tmp ddv.dll eb.exe eb.sys energy.sys exec.tmp fix.exe FS.drv kernel32.drv PE.drv PE.tmp ppal.exe runddlkey.drv tempdoc.dll search.xml

 

Delete directories:

C:\Documents and Settings\All Users\Application Data\3ad5ffe

c:\Documents and Settings\All Users\Application Data\345d567

c:\Documents and Settings\All Users\Application Data\345d567\WPCDSys

c:\Documents and Settings\All Users\Application Data\WPCDSys

%UserProfile%\Application Data\Windows PC Defender

[TheHippi]

Do you have a spare flash drive that you can install Ubuntu or something on? I know there are a few Linux antivirus programs that will look for Windows malware, that might be a little more successful than just a bootable antivirus.

 

You might also be able to do it from just a ubuntu live cd; I don't know if you can download stuff when running one.

[Ricky C]

Try this, its what we do at work and it works all of the time.

 

Boot the PC into safemode using f8 before startup.

 

install malware bytes while in safemode.

 

Ignore option to update.

 

Run a full scan.

 

 

Wait for it to complete, and then remove the malware. Reboot the PC and all will be fine.

[VaporX]

Okay first lets make something clear, any program or tech that tells you he can 100% for sure clean an infection without doing a complete format is a liar. While it is possible to clean systems the ONLY way to be 100% sure is to format.

 

That being said with many of the extortionware attacks I have seen the cleaning is not to hard. Boot into safe mode and clean out the temp folders from the general temp and the user account temp areas. Go through msconfig and make sure there is nothing starting you do not want to start. Thats should be it.

 

Another option is to always keep an extra account on your Windows 7 system. If you primary account gets infected go into the alt account, most of the time it will be clean. Use it to create a new account and move your data into the new account and then delete your old account.

 

just a few quick tricks.

[ir_cow]

well unless Malwarebytes is bootable i can't use it. even in safemode this malware runs and spams + closes all apps. i have yet to try linux bootable but if 6 cds up-to-date does not detect it i don't know what will. i'm' just going to format when i have time and never install java if i can avoid it.

 

i've cleaned temp, edit to reg manual and auto, manual deleted the program and yet it still comes right back. i think it replaced defender so no program is looking for it to be infected. i also did multiple 5-7 hour deep cleans and nothing came up except a linux iso (which is funny).

Edited August 30, 2011 by hornybluecow

[ir_cow]

i did it! this was some nasty malware. it sat in ProgramData under defender.exe yet no anti-virus pick it up (i used 7 different ones). so when i went ahead and deleted it, it came right back and even booted in safe mode. when i was backing up last weeks files before reformatting i noticed my 2nd drive had a bunch of files hidden in the root. so i started to think and my guess is the malware was installed on the second drive which is why no anti-virus picked it up because i didn't want to scan an extra TB i didn't have to. all in all i deleted the root files on my second drive and deleted the defender. booted into windows not thinking this would work, but yet it did and i'm typing this now. currently running a reg cleaner and another virus scanner to remove whatever was left.

 

most people would just have reformatted id there data was backed up already but i really didn't want to reinstall EVERYTHING. last time i did that took about a week to get everything fully working again. lots of plugins for Photoshop, Maya and Zbrush...

Edited September 3, 2011 by hornybluecow

[medbor]

how can yoube sure that there is not a keylogger left behind?

If a computer is compromized, the first thing a virus does is make sure there is a open way in to the computer.

Sure you won't notice anything right now, but don't come crying when all your precious information are on the internet (creditcards, passwords, emails...)

Now when it works again, copy out all that you nee to save (photos, savefiles and what not) and then do a complete format of al drives in the system.

Sorry but that is the only way to be sure (or even close to it). Just remember that your computer is not healthy because the symptoms are not there.

[Phil]

Congrats at sorting it out. If it were me, I'd now run ComboFix just to be sure it's gone.

[SpikeSoprano]

Hey, glad you got rid of it, now install malwarebytes on your system and keep it updated and use it at least once a week, really dont know how you got it threw java unless you went to a rouge site to update it, so in other words watch how you surf and what you click accept to and you should be fine. Happy surfing !