ir_cow Posted August 29, 2011
So, like the title says, my main computer got a virus that pretends to be Windows Defender and runs under ProgramData\defender.exe, but no anti-virus or malware scanner picks it up. It even runs in Safe Mode! What happens is it spams warnings and closes any/all programs when I open them. I really can't do anything in Windows or Safe Mode, and I used about 6 bootable anti-virus CDs and none detect it! Lucky for me I keep a backup, but still, I would rather just remove it than reinstall everything. Anyone have an idea how to remove it? BTW, I got it from google.com. Firefox started to slow down and froze, then my computer restarted by itself. BAM, it started to spam me, so I suggest people update everything. IDK how Google of all places would give you malware, but it must have been an ad that auto-executed or something... I'm the only one who uses the computer and Internet Explorer is uninstalled, so it must be some exploit in Firefox is all I can think of.
wevsspot Posted August 29, 2011
Hey HBC. I can feel your pain. I've been on a virus all weekend long (freechase) and it has been kicking my butt. You're going in the right direction with the safe boot, and it's unfortunate that none of the out-of-the-box AV/spyware removal apps are working. You can attempt a brute-force removal, but it will require a lot of manual work.
1. Boot your rig in Safe Mode.
2. Turn off System Restore.
3. Open Task Manager and kill the defender.exe process.
4. Uninstall Firefox (and Chrome if you have it).
5. Locate the folder that contains the .exe and delete the entire folder.
6. Purge the prefetch file.
7. Manually search your OS drive for any files containing "defender"; carefully review and delete if applicable.
8. Open the Registry Editor and delete any keys, data or values that point to defender.exe.
9. Reboot, run HijackThis, and post up the HJT log and I'll take a look at it.
Wev
ir_cow Posted August 29, 2011
No go. I tried my best, but I did find out how it came to be. Apparently Java got infected, which then installed that fake Defender program. I was able to clean Java, but I still can't stop the malware; it just keeps coming back. This has been very painful, but I was smart enough to back everything up every week just in case something came about.
Psywar Posted August 29, 2011
Did you try Malwarebytes? That program usually removes those fake virus scanners 98% of the time. Use Malwarebytes first if you have not already.

Below is a manual process for removing Windows PC Defender (fake), but be careful, because messing with the registry and deleting .dll files can screw up your PC even more.

Windows PC Defender manual removal:

Kill processes:
WP345d.exe
eb.exe
fix.exe
ppal.exe

Delete registry values:
HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_CLASSES_ROOT\WP345d.DocHostUIHandler
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes "URL" => "http://search-gala.com/?&uid=201&q={searchTerms}"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer "PRS" = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "UID" = "201"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "89770891803"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Windows PC Defender"

Unregister DLLs:
mozcrt19.dll
sqlite3.dll
cid.dll
ddv.dll
tempdoc.dll

Delete files:
8424.mof
mozcrt19.dll
sqlite3.dll
WP345d.exe
WPCD.ico
vd952342.bd
wpcd.cfg
Windows PC Defender.lnk
cookies.sqlite
Instructions.ini
cid.dll
CLSV.tmp
ddv.dll
eb.exe
eb.sys
energy.sys
exec.tmp
fix.exe
FS.drv
kernel32.drv
PE.drv
PE.tmp
ppal.exe
runddlkey.drv
tempdoc.dll
search.xml

Delete directories:
C:\Documents and Settings\All Users\Application Data\3ad5ffe
c:\Documents and Settings\All Users\Application Data\345d567
c:\Documents and Settings\All Users\Application Data\345d567\WPCDSys
c:\Documents and Settings\All Users\Application Data\WPCDSys
%UserProfile%\Application Data\Windows PC Defender
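The indicator list above is meant to be worked through by hand. As an added example (not posted by Psywar or anyone else in the thread), the following Windows PowerShell script turns that list into a sweep: it reports which of the named processes, files, directories and the HKCU Run value are actually present, and only removes them when run with -Remove, stopping the processes first so the dropper cannot recreate the files mid-sweep. Assumptions: the names are copied from the post; because the post gives XP-era folders, the search roots also cover the Vista/7 equivalents (ProgramData, AppData\Roaming, AppData\Local); PowerShell 3 or later, run elevated, ideally in Safe Mode. The generic names from the post (mozcrt19.dll, sqlite3.dll, cookies.sqlite, search.xml) are deliberately kept out of the loose file search, since Firefox and other legitimate software ship files with those names; they are only removed inside the malware's own directories.

```powershell
# Added example, not part of the thread: sweep for the Windows PC Defender
# indicators listed in the post above. Dry run by default; -Remove deletes.
# Assumes Windows PowerShell 3+, elevated, preferably in Safe Mode.
param([switch]$Remove)

$iocProcesses = @('WP345d', 'eb', 'fix', 'ppal')          # Get-Process names carry no .exe
$iocFiles = @('8424.mof', 'WP345d.exe', 'WPCD.ico', 'vd952342.bd', 'wpcd.cfg',
              'Windows PC Defender.lnk', 'Instructions.ini', 'cid.dll', 'CLSV.tmp',
              'ddv.dll', 'eb.exe', 'eb.sys', 'energy.sys', 'exec.tmp', 'fix.exe',
              'FS.drv', 'kernel32.drv', 'PE.drv', 'PE.tmp', 'ppal.exe',
              'runddlkey.drv', 'tempdoc.dll')
$iocDirs  = @('3ad5ffe', '345d567', 'WPCDSys', 'Windows PC Defender')
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'Windows PC Defender'

# XP "All Users\Application Data" / "%UserProfile%\Application Data" correspond to
# ProgramData / AppData\Roaming on Vista and 7; use whichever exist on this host.
$searchRoots = @(
    $env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA,
    "$env:SystemDrive\Documents and Settings\All Users\Application Data"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Get-IocHits {
    $hits = @()
    foreach ($name in $iocProcesses) {
        foreach ($p in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
            $hits += [pscustomobject]@{ Type = 'Process'; Path = $p.Path; Id = $p.Id }
        }
    }
    foreach ($root in $searchRoots) {
        # -Force includes hidden/system entries, which is where these droppers hide.
        foreach ($item in (Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)) {
            if ($item.PSIsContainer -and ($iocDirs -contains $item.Name)) {
                $hits += [pscustomobject]@{ Type = 'Directory'; Path = $item.FullName; Id = $null }
            } elseif (-not $item.PSIsContainer -and ($iocFiles -contains $item.Name)) {
                $hits += [pscustomobject]@{ Type = 'File'; Path = $item.FullName; Id = $null }
            }
        }
    }
    $run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
    if ($run) {
        $hits += [pscustomobject]@{ Type = 'RunValue'; Path = "$runKey\$runValue = $($run.$runValue)"; Id = $null }
    }
    return $hits
}

$hits = Get-IocHits
if (-not $hits) { Write-Host 'No Windows PC Defender indicators found.'; return }
$hits | Format-Table -AutoSize

if ($Remove) {
    # Order matters: processes first (they rewrite the files), then the autostart
    # value, then files, then the directories that held them.
    $hits | Where-Object { $_.Type -eq 'Process' }   | ForEach-Object { Stop-Process -Id $_.Id -Force }
    Remove-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
    $hits | Where-Object { $_.Type -eq 'File' }      | ForEach-Object { Remove-Item -LiteralPath $_.Path -Force }
    $hits | Where-Object { $_.Type -eq 'Directory' } | ForEach-Object { Remove-Item -LiteralPath $_.Path -Recurse -Force }
    Write-Host 'Removed. Reboot and re-run without -Remove to confirm nothing came back.'
}
```

Save it as, say, sweep-wpcd.ps1 and run `.\sweep-wpcd.ps1` first to see the report, then `.\sweep-wpcd.ps1 -Remove`. The HKEY_CLASSES_ROOT entries, the Internet Explorer search/proxy values and the regsvr32 /u step from the post are left to the reader on purpose: they touch shared settings, so they are better reviewed by hand in regedit before deleting.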
TheHippi Posted August 29, 2011
Do you have a spare flash drive that you can install Ubuntu or something on? I know there are a few Linux anti-virus programs that will look for Windows malware; that might be a little more successful than just a bootable anti-virus. You might also be able to do it from just an Ubuntu live CD; I don't know if you can download stuff when running one.
Ricky C Posted August 29, 2011
Try this; it's what we do at work and it works all of the time.
1. Boot the PC into Safe Mode using F8 before startup.
2. Install Malwarebytes while in Safe Mode. Ignore the option to update.
3. Run a full scan.
4. Wait for it to complete, and then remove the malware.
5. Reboot the PC and all will be fine.
VaporX Posted August 30, 2011
Okay, first let's make something clear: any program or tech that tells you he can 100% for sure clean an infection without doing a complete format is a liar. While it is possible to clean systems, the ONLY way to be 100% sure is to format. That being said, with many of the extortionware attacks I have seen, the cleaning is not too hard. Boot into Safe Mode and clean out the temp folders from the general temp and the user account temp areas. Go through msconfig and make sure there is nothing starting you do not want to start. That should be it. Another option is to always keep an extra account on your Windows 7 system. If your primary account gets infected, go into the alt account; most of the time it will be clean. Use it to create a new account and move your data into the new account, and then delete your old account. Just a few quick tricks.
ir_cow Posted August 30, 2011 (edited)
Well, unless Malwarebytes is bootable I can't use it. Even in Safe Mode this malware runs and spams + closes all apps. I have yet to try a Linux bootable, but if 6 up-to-date CDs do not detect it, I don't know what will. I'm just going to format when I have time and never install Java if I can avoid it. I've cleaned temp, edited the registry manually and automatically, manually deleted the program, and yet it still comes right back. I think it replaced Defender, so no program is looking for it to be infected. I also did multiple 5-7 hour deep cleans and nothing came up except a Linux ISO (which is funny).
Edited August 30, 2011 by hornybluecow
ir_cow Posted September 3, 2011 (edited)
I did it! This was some nasty malware. It sat in ProgramData under defender.exe, yet no anti-virus picked it up (I used 7 different ones). So when I went ahead and deleted it, it came right back and even booted in Safe Mode. When I was backing up last week's files before reformatting, I noticed my 2nd drive had a bunch of files hidden in the root. So I started to think, and my guess is the malware was installed on the second drive, which is why no anti-virus picked it up, because I didn't want to scan an extra TB I didn't have to. All in all, I deleted the root files on my second drive and deleted the Defender. Booted into Windows not thinking this would work, but yet it did, and I'm typing this now. Currently running a reg cleaner and another virus scanner to remove whatever was left. Most people would just have reformatted if their data was backed up already, but I really didn't want to reinstall EVERYTHING. Last time I did that it took about a week to get everything fully working again. Lots of plugins for Photoshop, Maya and ZBrush...
Edited September 3, 2011 by hornybluecow
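Three posts in this thread describe the same hunt by hand: wevsspot's steps (search the drive for anything named "defender", then find the registry values pointing at it), VaporX's msconfig check of what starts at boot, and ir_cow's discovery that the part the boot CDs missed was sitting hidden in the root of a second drive that never got scanned. As an added example (not code from anyone in the thread), the Windows PowerShell script below does all three in one pass and reports only; it deletes nothing. It assumes Windows PowerShell 3 or later run elevated (it works in Safe Mode), and that the suspect file name is defender.exe as in the thread; the list of "expected" hidden root files is my own allow-list of Windows boot and paging files. Note that the name search will also return Windows Defender's own files under Program Files, which is exactly why the output shows the full path: the interesting hits are the ones in ProgramData, temp folders and drive roots.

```powershell
# Added example, not part of the thread: find what restarts a binary that
# survives deletion and Safe Mode, and list hidden files in every fixed drive's
# root. Report only. Assumes Windows PowerShell 3+, run elevated.
param([string]$Suspect = 'defender.exe')   # assumption: name taken from the thread

# Run/RunOnce are normally not processed in Safe Mode, but the Winlogon
# Shell/Userinit values, the SafeBoot AlternateShell value and an Image File
# Execution Options "Debugger" hijack are, which is how a fake AV keeps
# launching there. msconfig only shows a subset of these.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',   # "Load" value
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'               # AlternateShell
)
$ifeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Find-AutostartReferences {
    param([string]$Name)
    $pattern = [regex]::Escape($Name)
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }            # PowerShell's own metadata
            if ("$($p.Value)" -match $pattern) {
                [pscustomobject]@{ Location = $key; Value = $p.Name; Data = "$($p.Value)" }
            }
        }
    }
    # Any IFEO Debugger is worth a look, not only one naming $Name: it replaces
    # whichever program the subkey is named after.
    foreach ($sub in (Get-ChildItem -Path $ifeoKey -ErrorAction SilentlyContinue)) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{ Location = $sub.PSPath; Value = 'Debugger'; Data = "$dbg" }
        }
    }
}

function Get-FixedDrives {
    # DriveType 3 = local disk; covers the second data drive a C:-only scan skips.
    Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object { "$($_.DeviceID)\" }
}

function Find-HiddenRootFiles {
    # Assumption: these are the hidden root files Windows itself puts there.
    $expected = @('pagefile.sys', 'hiberfil.sys', 'swapfile.sys', 'bootmgr', 'BOOTNXT',
                  'BOOTSECT.BAK', 'IO.SYS', 'MSDOS.SYS', 'NTDETECT.COM', 'ntldr',
                  'boot.ini', 'DumpStack.log.tmp')
    foreach ($root in Get-FixedDrives) {
        foreach ($f in (Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue)) {
            if ($f.PSIsContainer) { continue }
            $hidden = ($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
            if ($hidden -and ($expected -notcontains $f.Name)) {
                [pscustomobject]@{ File = $f.FullName; Size = $f.Length; Modified = $f.LastWriteTime }
            }
        }
    }
}

function Find-FilesNamed {
    # wevsspot's "search the drive for anything containing defender", on every fixed drive.
    param([string]$Name)
    $stem = [IO.Path]::GetFileNameWithoutExtension($Name)
    foreach ($root in Get-FixedDrives) {
        Get-ChildItem -LiteralPath $root -Recurse -Force -Filter "*$stem*" -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Select-Object FullName, Length, LastWriteTime
    }
}

Write-Host "== Autostart entries referencing $Suspect (plus any IFEO Debugger) =="
Find-AutostartReferences -Name $Suspect | Format-Table -AutoSize
Write-Host '== Hidden files in the root of each fixed drive =='
Find-HiddenRootFiles | Format-Table -AutoSize
Write-Host "== Files named like $Suspect on all fixed drives =="
Find-FilesNamed -Name $Suspect | Format-Table -AutoSize
```

Run it before deleting anything and again after a reboot: if the autostart section is empty and the hidden-root-file list is down to the allow-listed names, the relaunch path is gone; if the first section still shows a Winlogon or SafeBoot value pointing at the file, that is the entry to remove next. Scheduled tasks and services are a second set of relaunch points the script does not cover; `schtasks /query /fo LIST /v` and `Get-Service` are the quickest way to eyeball those.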
medbor Posted September 3, 2011
How can you be sure that there is not a keylogger left behind? If a computer is compromised, the first thing a virus does is make sure there is an open way into the computer. Sure, you won't notice anything right now, but don't come crying when all your precious information is on the internet (credit cards, passwords, emails...). Now, when it works again, copy out all that you need to save (photos, save files and whatnot) and then do a complete format of all drives in the system. Sorry, but that is the only way to be sure (or even close to it). Just remember that your computer is not healthy because the symptoms are not there.
Phil Posted September 3, 2011
Congrats on sorting it out. If it were me, I'd now run ComboFix just to be sure it's gone.
SpikeSoprano Posted September 3, 2011
Hey, glad you got rid of it. Now install Malwarebytes on your system, keep it updated and use it at least once a week. I really don't know how you got it through Java unless you went to a rogue site to update it, so in other words, watch how you surf and what you click accept to and you should be fine. Happy surfing!