defender.exe virus - anyone battle this one yet?

defender.exe virus - anyone battle this one yet?

Postposted on Sun Sep 04, 2011 1:53 am

"Security Defender"

I haven't had the pleasure to meet & greet this fella on any of my own, but I just got drafted into fixing a computer (family!) that has this sneaky rat on it.

Obviously a google search is man's best friend when counter-attacking a virus (why re-invent the wheel?), so 4 pages look like they're dealing with this in a similar manner (link 1, link 2, link 3, and link 4).

So I took the long manual road to combat this.

1. First I rebooted the computer in "Safe Mode with networking" (not that I needed the network anyways). Oh, it's running Vista Home 32bit with 2gb RAM, /me sighs.

2. Secondly, I searched for all suggested keywords through the registry, and deleted the matched results.

3. Thirdly, deleted any physical files that came up as well (one was in C:\ProgramData\defender.exe, and the other was in C:\Windows\system32\{random characters}.exe).

4. Made sure no links/shortcuts existed, removed any suspicious entries in the Run/RunOnce registry keys, removed anything suspicious in the msconfig Startup.

5. Her computer had a legal registered (and current) copy of ESET NOD32 antivirus on it; not even sure WHY this virus can bypass this, but it has, and continues to do so. Perhaps it's more of a malware issue and not a virus? Anywoot, I ran the ESET ecls.exe command line scanner before rebooting.

6. Her computer reboots, and appears to be FIXED! woot! Celebratory dinner follows! Drop her off after dinner, say my goodbyes and drive an hour to get home...

7. She calls me up later in the evening crying IT'S BACK like a damn minecraft creeper! :evil:

So, I quit, I throw in the towel, eff all this crap - it's all retarded anyways. I just tell her next time we meet, I'll backup your Documents folder, reformat, boost you up to 4 gigs of RAM, and install Windows 7 Professional 64bit and call it a day.

What would you have done differently?
thegleek
Darth Gerbil
Gold subscriber
 
 
Posts: 7360
Joined: Tue Jun 10, 2003 11:06 am
Location: Detroit, MI

Re: defender.exe virus - anyone battle this one yet?

Postposted on Sun Sep 04, 2011 6:09 am

thegleek wrote:What would you have done differently?

Not a thing. You make one serious attempt at cleaning the computer.

If that doesn't work, you nuke it from orbit. It's the only way to be sure.
Lucky Jack Aubrey
Minister of Gerbil Affairs
Gold subscriber
 
 
Posts: 2183
Joined: Wed Feb 18, 2004 8:13 am
Location: Dallas, TX

Re: defender.exe virus - anyone battle this one yet?

Postposted on Sun Sep 04, 2011 7:01 am

I have defeated this before, but god did it take me a long time to figure out how. Here are my steps, and it doesn't come back:

- Before turning it into safe-mode, ensure that it is unchecked from msconfig startup and services. If this is left checked, for whatever reason it will come back.

- Reboot computer into safe-mode WITHOUT networking, with networking will allow it to come back.

- After boot, remove all traces from registry and program files as you already did.

- Quick Scan from Microsoft Security Essentials (Update First)

- Quick Scan from Spyware Doctor (Update First)

- Full Scan from Microsoft Security Essentials

- Full Scan from Spyware Doctor

- Reboot computer.

- After boot, remove all traces from registry and program files as you already did.

- Quick Scan from Microsoft Security Essentials (Update First)

- Quick Scan from Spyware Doctor (Update First)

- Full Scan from Microsoft Security Essentials

- Full Scan from Spyware Doctor

Yes, you must repeat the steps to ensure it was fully eradicated. I have never had this process fail in removing this particular virus, or many others for that fact. I have never had anything picked up in the "repeat" stage, but I always feel better after doing it. Another thing you have to take into account is there could be a "feeder" program re-installing the virus. Take a look through the installed programs and ensure there isn't something they are using that is acting as a gateway.
StuG
Graphmaster Gerbil
Silver subscriber
 
 
Posts: 1459
Joined: Wed May 23, 2007 11:19 pm
Location: Florida

Re: defender.exe virus - anyone battle this one yet?

Postposted on Sun Sep 04, 2011 7:09 am

Malwarebytes? I am usually down for the reformat though. Most infected computers I get have multiple layers of excitement going on, old drivers and "helper" programs that make starting over a better option.
Coran Fixx
Graphmaster Gerbil
 
Posts: 1493
Joined: Tue Aug 05, 2003 10:00 pm
Location: Hazzard County, MO

Re: defender.exe virus - anyone battle this one yet?

Postposted on Sun Sep 04, 2011 9:33 am

My guess is it came back because she got another e-mail from whoever infected her the first time, and opened the attachment again. Until you get her to stop doing that, it will keep coming back.

There could also be a trojan the anti-virus missed that is re-installing it. I generally scan with at least two anti-malware tools after any infection. My two tools of choice these days are Malwarebytes and MS Security Essentials. Scan with one, then the other, and repeat until both tools give the system a clean bill of health. Or nuke from orbit... you know the drill.

Edit: Are there any other machines on her network that could have re-infected it?
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37632
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: defender.exe virus - anyone battle this one yet?

Postposted on Sun Sep 04, 2011 10:24 am

StuG wrote:- Before turning it into safe-mode, ensure that it is unchecked from msconfig startup and services. If this is left checked, for whatever reason it will come back.

Yup, missed that too. I only unchecked it during safe mode, not prior or after.

StuG wrote:- Reboot computer into safe-mode WITHOUT networking, with networking will allow it to come back.

I only rebooted it using 'safe mode WITH networking' based off of these instructions.

just brew it! wrote:My two tools of choice these days are Malwarebytes and MS Security Essentials.

/me sighs. Been too long out of the IT loop I guess, but I should have downloaded both of these and run them like StuG suggests above.

just brew it! wrote:Edit: Are there any other machines on her network that could have re-infected it?

Nope, she lives alone with her lonely laptop. No other computer around. She hooks directly into the cable modem, so no wireless opportunities either.
thegleek
Darth Gerbil
Gold subscriber
 
 
Posts: 7360
Joined: Tue Jun 10, 2003 11:06 am
Location: Detroit, MI

Re: defender.exe virus - anyone battle this one yet?

Postposted on Sun Sep 04, 2011 10:33 am

You may want to convince her to get a router as well; aside from Windows Firewall, that will add a layer of protection from incoming port scanning-type infestations. Without looking I don't even know if anyone makes wired-only routers any more, or they may be no cheaper than wireless ones, but you could always just turn off the wireless.
MadManOriginal
Graphmaster Gerbil
 
Posts: 1411
Joined: Wed Jan 30, 2002 7:00 pm
Location: In my head...

Re: defender.exe virus - anyone battle this one yet?

Postposted on Sun Sep 04, 2011 1:30 pm

MadManOriginal wrote:You may want to convince her to get a router as well; aside from Windows Firewall, that will add a layer of protection from incoming port scanning-type infestations. Without looking I don't even know if anyone makes wired-only routers any more, or they may be no cheaper than wireless ones, but you could always just turn off the wireless.

As I upgraded my network with the D-Link DIR-644 XTREME N Gigabit Router (Wireless-N) {newegg link}, I have 5 "used" routers just sitting around collecting dust.

Linksys NR041 - cheap piece o' crap
Netgear RT314 - very old, my pride and joy back in the day...
Netgear FVS318 - the last router I used, does firewall, NAT, VPN, etc...
Belkin F5D6231-4 (Wireless) - another cheap piece o' crap wireless router
Cisco 871W (Wireless) - retailed for over $600
thegleek
Darth Gerbil
Gold subscriber
 
 
Posts: 7360
Joined: Tue Jun 10, 2003 11:06 am
Location: Detroit, MI

Re: defender.exe virus - anyone battle this one yet?

Postposted on Mon Sep 05, 2011 12:24 am

I've dealt with that thing a couple of times. If I can sit down at the machine, I usually use the AVG rescue CD and Trinity Rescue Kit to run the initial virus scans in order to kill the infected files. After that, I do everything everyone else has suggested.

I second nuking the sucker if it's coming back. It could be user error, or it could be a really serious infection. I had one that I swore was clean after an infection, but the ISP said it was sending spam. I don't want to say it had a rootkit because I don't have any hard evidence, but it was bad whatever it was.
Flatland_Spider
Gerbil Elite
 
Posts: 824
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539

Re: defender.exe virus - anyone battle this one yet?

Postposted on Mon Sep 05, 2011 1:27 am

http://www.bleepingcomputer.com/virus-removal/remove-security-defender

I've followed their instructions on 4 or 5 different machines to remove it. Works fine.
wirerogue
Gerbil First Class
 
Posts: 133
Joined: Sun Aug 08, 2004 7:29 pm
Location: i'm a jackass

Re: defender.exe virus - anyone battle this one yet?

Postposted on Mon Sep 05, 2011 1:39 am

wirerogue wrote:http://www.bleepingcomputer.com/virus-removal/remove-security-defender

I've followed their instructions on 4 or 5 different machines to remove it. Works fine.

If you didn't read my OP, that was "link 1" of the 4 I had listed... :/
thegleek
Darth Gerbil
Gold subscriber
 
 
Posts: 7360
Joined: Tue Jun 10, 2003 11:06 am
Location: Detroit, MI

Re: defender.exe virus - anyone battle this one yet?

Postposted on Tue Sep 06, 2011 10:53 am

I am currently dealing with this virus and will probably end up wanting to reinstall W7 to make sure it's completely gone.

I'm not sure I'll be able to uninstall all of my Steam games properly before I reformat and reinstall because the virus won't allow me to run any executables (namely the Steam client).

Will this cause a problem in trying to reinstall my Steam games and run them once I have a fresh OS install because they weren't uninstalled properly?
Lenovo Y560 laptop, Intel i7 Q720 1.6 Ghz
ATi 5730 1 GB, 8 GB RAM DDR3, 500 GB 7200 RPM
WalkCMD
Gerbil First Class
 
Posts: 143
Joined: Thu Sep 03, 2009 1:25 pm
Location: Outside of Allentown, PA

Re: defender.exe virus - anyone battle this one yet?

Postposted on Tue Sep 06, 2011 11:05 am

Try downloading and installing the registry patch linked about halfway down this page (in the Step 3 section). I've successfully used this to re-enable EXE files on infected systems in the past.

Edit: Hmm... use at your own risk, I think it is actually designed for XP. But if your alternative is a full wipe and reinstall, I guess it can't make things any worse than they already are...
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37632
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: defender.exe virus - anyone battle this one yet?

Postposted on Tue Sep 06, 2011 11:37 am

just brew it! wrote:Try downloading and installing the registry patch linked about halfway down this page (in the Step 3 section). I've successfully used this to re-enable EXE files on infected systems in the past.

Edit: Hmm... use at your own risk, I think it is actually designed for XP. But if your alternative is a full wipe and reinstall, I guess it can't make things any worse than they already are...


True, thx.
Lenovo Y560 laptop, Intel i7 Q720 1.6 Ghz
ATi 5730 1 GB, 8 GB RAM DDR3, 500 GB 7200 RPM
WalkCMD
Gerbil First Class
 
Posts: 143
Joined: Thu Sep 03, 2009 1:25 pm
Location: Outside of Allentown, PA

Re: defender.exe virus - anyone battle this one yet?

Postposted on Tue Sep 06, 2011 12:14 pm

I've had really good luck using ComboFix from safe mode to remove many flavors of this virus. ComboFix isn't the most user-friendly app out there, but it sure gets the job done. I usually follow up with a Malwarebytes scan to clean up any remnants. If that doesn't get rid of it, nothing will.

http://www.bleepingcomputer.com/downloa ... s/combofix

ComboFix is rather picky about having other antivirus software installed, though, when you try to run it. You may have to remove yours first.
VinnyC
Gerbil
 
Posts: 17
Joined: Mon May 07, 2007 6:19 pm

Re: defender.exe virus - anyone battle this one yet?

Postposted on Tue Sep 06, 2011 12:40 pm

I'd get her a router ASAP. IMHO, a completely exposed Windows computer that's not being cared for by a competent administrator is just begging to be an important botnet node.
Firestarter
Gerbil XP
 
Posts: 478
Joined: Sun Apr 25, 2004 11:12 am

Re: defender.exe virus - anyone battle this one yet?

Postposted on Tue Sep 06, 2011 12:43 pm

Firestarter wrote:I'd get her a router ASAP. IMHO, a completely exposed Windows computer that's not being cared for by a competent administrator is just begging to be an important botnet node.

Um and yer way off base dude. She is single, lives alone in an apartment complex. There is no "administrator" for this type of situation.
thegleek
Darth Gerbil
Gold subscriber
 
 
Posts: 7360
Joined: Tue Jun 10, 2003 11:06 am
Location: Detroit, MI

Re: defender.exe virus - anyone battle this one yet?

Postposted on Tue Sep 06, 2011 12:54 pm

thegleek wrote:
Firestarter wrote:I'd get her a router ASAP. IMHO, a completely exposed Windows computer that's not being cared for by a competent administrator is just begging to be an important botnet node.

Um and yer way off base dude. She is single, lives alone in an apartment complex. There is no "administrator" for this type of situation.

There, try reading it again :lol: :wink:
Firestarter
Gerbil XP
 
Posts: 478
Joined: Sun Apr 25, 2004 11:12 am

Re: defender.exe virus - anyone battle this one yet?

Postposted on Tue Sep 06, 2011 1:01 pm

This comes back because it has a rootkit associated with it. Run TDSSKiller from Kaspersky: http://support.kaspersky.com/faq/?qid=208283363

It took me a few days to finally get rid of this one for good.
"I take sibling rivalry to the whole next level, if it doesn't require minor surgery or at least a trip to the ER, you don't love her." - pete_roth
"Yeah, I see why you'd want a good gas whacker then." - VRock
dextrous
Gerbil Elite
 
Posts: 563
Joined: Mon Nov 22, 2004 1:49 pm
Location: Ooooooooooklahoma

Re: defender.exe virus - anyone battle this one yet?

Postposted on Tue Sep 06, 2011 1:20 pm

thegleek wrote:"Security Defender"

I haven't had the pleasure to meet & greet this fella on any of my own, but I just got drafted into fixing a computer (family!) that has this sneaky rat on it.

.....
What would you have done differently?


I get two or three of these projects per month. The process is always the same, and much like you did. It's pretty much a hunt and peck affair. First thing is to make a copy of the drive with Copy Commander or similar. It's normally a multipoint infection. Get control of the admin account via reset, or the original account password in the very unlikely event it still works. Then disable the mutating startups, and restore. Get into safe mode and run ComboFix. Start running some antivirus/malware scans after that. Always check the DHCP and DNS, and browser BHOs. Most all the crapware out there now redirects the nameserver or DHCP somewhere in the registry settings, so check all that. Flush DNS and reset the router to force access back to your original nameservers. After that you will probably be stuck with the Firefox and Explorer search redirects.... I don't know how many thousand there are, but they are tough to tame. Check for them by trying Windows Update and a few security sites and see if you get redirects or "server not found". I usually start googling and running multiple fix routines; sooner or later I get lucky. Once I get access to Windows Update I do that.

Once in a while you will come upon something that is new enough that you have to do a manual removal, and normally that takes me a few days, because I am not that fluent in Windows files and delete something that was necessary and have to restore the image or file and try again.

Once you get the beast running, run it for a few days and watch the behavior. If you can, look at the user's history, and if it's a bunch of couponing sites and facetrash and free gaming sites, prepare to see the computer again very soon.

I got three computers for my wife and daughter to use, because it's an inevitable fact of life that they are going to willfully click on some unbelievable offer and infect them with something that will take me a few evenings to purge.
cass
Minister of Gerbil Affairs
 
Posts: 2266
Joined: Mon Feb 10, 2003 9:12 am

Re: defender.exe virus - anyone battle this one yet?

Postposted on Tue Sep 06, 2011 2:01 pm

I have a relatively easy fix for this and other similar malware infections. Download rkill.exe from Bleeping Computer; this kills the running process(es). Much easier than booting into safe mode. Sometimes the infection won't let you run rkill.exe; in this case download the alternate package titled "eXplorer.exe". Then download, install and update Malwarebytes. Run a full scan of Malwarebytes; this should find the baddies and remove them. Before attempting to get online after removal, you may need to uncheck the proxy option in IE under Internet Options.

Hope this helps, this saves about an hour of work.
JovianLitany
Gerbil In Training
 
Posts: 1
Joined: Tue Sep 06, 2011 1:54 pm

Re: defender.exe virus - anyone battle this one yet?

Postposted on Tue Sep 06, 2011 2:36 pm

just brew it! wrote:Try downloading and installing the registry patch linked about halfway down this page (in the Step 3 section). I've successfully used this to re-enable EXE files on infected systems in the past.



Do this, but before you do go into the task manager. Defender spawns a process that hijacks your browser and .exe files. What you have to do to properly clean it is

1) Open Task Manager. There will be a process that is assigned 3 random letters. That is the defender process. Kill it and do not run any other files (it takes over pretty much every file type and runs it through its own program and will respawn defender)

2) Run the registry fix. This re-associates .exe files with the proper windows programs and allows you to

3) Install Malwarebytes

4) Update Malwarebytes

5) Perform a quick scan (this catches it) and have Malwarebytes clean the system

6) reboot

And you're set. Do not run any other programs until these steps are completed. It will cause defender to spawn again and you will have to start over. We had a pretty massive outbreak of this on our XP machines at work. It took hours to figure out how to properly deal with it the first time, but following these steps it's all of 10 minutes now.

Good luck
LaChupacabra
Gerbil First Class
Gold subscriber
 
 
Posts: 133
Joined: Tue Dec 30, 2008 10:59 pm

Re: defender.exe virus - anyone battle this one yet?

Postposted on Tue Sep 06, 2011 3:15 pm

LaChupacabra wrote:
just brew it! wrote:Try downloading and installing the registry patch linked about halfway down this page (in the Step 3 section). I've successfully used this to re-enable EXE files on infected systems in the past.



Do this, but before you do go into the task manager. Defender spawns a process that hijacks your browser and .exe files. What you have to do to properly clean it is

1) Open Task Manager. There will be a process that is assigned 3 random letters. That is the defender process. Kill it and do not run any other files (it takes over pretty much every file type and runs it through its own program and will respawn defender)

2) Run the registry fix. This re-associates .exe files with the proper windows programs and allows you to

3) Install Malwarebytes

4) Update Malwarebytes

5) Perform a quick scan (this catches it) and have Malwarebytes clean the system

6) reboot

And you're set. Do not run any other programs until these steps are completed. It will cause defender to spawn again and you will have to start over. We had a pretty massive outbreak of this on our XP machines at work. It took hours to figure out how to properly deal with it the first time, but following these steps it's all of 10 minutes now.

Good luck


I can't even open Task Manager - it won't allow me to even do that.
Lenovo Y560 laptop, Intel i7 Q720 1.6 Ghz
ATi 5730 1 GB, 8 GB RAM DDR3, 500 GB 7200 RPM
WalkCMD
Gerbil First Class
 
Posts: 143
Joined: Thu Sep 03, 2009 1:25 pm
Location: Outside of Allentown, PA

Re: defender.exe virus - anyone battle this one yet?

Postposted on Tue Sep 06, 2011 3:59 pm

WalkCMD wrote:I can't even open Task Manager - it won't allow me to even do that.


Can you run the registry fix, type "task manager" into universal search and execute it directly?
LaChupacabra
Gerbil First Class
Gold subscriber
 
 
Posts: 133
Joined: Tue Dec 30, 2008 10:59 pm

Re: defender.exe virus - anyone battle this one yet?

Postposted on Tue Sep 06, 2011 4:12 pm

You did the right thing.. I've run into this quite a few times... if it's going to take longer than 20 mins to fix, reinstall.. and yeah, all my friends are off XP.
i7-4790K-32Gb DDR3-1866-Zotac GTX 780ti -Samsung EVO 250GB- Samsung EVO 1TB
elmopuddy
Gerbil Elite
Gold subscriber
 
 
Posts: 893
Joined: Thu Dec 27, 2001 7:00 pm
Location: Montreal, Canada

Re: defender.exe virus - anyone battle this one yet?

Postposted on Tue Sep 06, 2011 4:22 pm

Read and follow the directions at this link:

http://www.bleepingcomputer.com/virus-r ... y-defender

It involves using Malwarebytes and RKill in safe mode, but the one thing some people forget is to fix/replace their lhosts file also. If you don't fix it, you'll just get redirected to a site and download it again. This little bit of malware is annoying, but more easily removed if you follow the directions at the Bleeping Computer web site. To fix your lhost file, you may need to also download and run a small batch file that removes a file lock the bug puts on your lhost file. A link for that batch file is also available at that site.
mutarasector
Gerbil In Training
 
Posts: 8
Joined: Sun Nov 16, 2008 10:59 pm
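
A read-only audit of the spots the replies above point at (the Run/RunOnce keys, the .exe association the registry fix repairs, the hosts file, the IE proxy option, browser helper objects and the adapters' DNS servers), added here as an example and not code from any poster or from the Bleeping Computer guide; it assumes an elevated PowerShell prompt on Vista or later and only reports, changing nothing.

```powershell
# Added example (not from this thread): inventory the persistence and hijack
# points named in the replies above. Run elevated; the script only reads.
$findings = @()

# 1. Autostart entries (the Run/RunOnce keys from thegleek's step 4).
$runKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -match '^PS') { continue }          # skip PowerShell metadata
    $cmd = [string]$p.Value
    # Launch paths under ProgramData or a user profile deserve a second look;
    # the thread reports C:\ProgramData\defender.exe as one drop location.
    $flag = if ($cmd -match 'ProgramData|AppData|Users\\') { 'REVIEW' } else { 'info' }
    $findings += "[$flag] autostart $key\$($p.Name) = $cmd"
  }
}

# 2. The .exe association the "registry fix" in the thread restores.
# The healthy launcher value is "%1" %* ; anything else routes every
# program through another executable first.
$assocPaths = @(
  'HKCU:\Software\Classes\exefile\shell\open\command',
  'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
)
foreach ($ap in $assocPaths) {
  if (-not (Test-Path $ap)) { continue }
  $val = (Get-ItemProperty -Path $ap).'(default)'
  if ($val -ne '"%1" %*') { $findings += "[REVIEW] exe association at $ap = $val" }
}

# 3. hosts file (mutarasector's point): every active, non-comment line is listed.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsFile -ErrorAction SilentlyContinue |
  Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
  ForEach-Object { $findings += "[REVIEW] hosts entry: $_" }

# 4. IE proxy (JovianLitany's note about unchecking the proxy option).
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($ie.ProxyEnable -eq 1) { $findings += "[REVIEW] IE proxy enabled: $($ie.ProxyServer)" }

# 5. Browser helper objects and DNS servers (cass's checklist).
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
  Get-ChildItem $bhoKey | ForEach-Object {
    $clsid = $_.PSChildName
    $dll = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
              -ErrorAction SilentlyContinue).'(default)'
    $findings += "[info] BHO $clsid -> $dll"
  }
}
# Win32_NetworkAdapterConfiguration exists on Vista/XP too, unlike Get-DnsClientServerAddress.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=true' | ForEach-Object {
  $findings += "[info] DNS on $($_.Description): $($_.DNSServerSearchOrder -join ', ')"
}

# REVIEW lines first, then the informational inventory.
$findings | Sort-Object -Descending | ForEach-Object { Write-Output $_ }
```

Compare the [info] DNS lines against the ISP's or router's servers and the autostart paths against what is actually installed; the script deliberately does not delete anything, so the cleanup steps in the thread still apply.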

Re: defender.exe virus - anyone battle this one yet?

Postposted on Tue Sep 06, 2011 11:39 pm

This thread is obviously popular.... Why hasn't this ever been addressed before?

Are your virus experiences proprietary or something? I think shiz like this needs to be shared so others can LEARN from it.

So I dropped by her place and picked up her laptop. I'll try a lot of the steps y'all posted above... Even if I'm successful, I think it'll just be refreshing to install Win7 over that crappy Vista junk.
thegleek
Darth Gerbil
Gold subscriber
 
 
Posts: 7360
Joined: Tue Jun 10, 2003 11:06 am
Location: Detroit, MI

Re: defender.exe virus - anyone battle this one yet?

Postposted on Tue Sep 06, 2011 11:47 pm

thegleek wrote:Even if I'm successful, I think it'll just be refreshing to install Win7 over that crappy Vista junk.

A nuke from orbit will take far less of your time and the loss (oh, did I erase your data? Oops.) of data will do far more to implant the message than a simple fix could ever do.
It is one of the blessings of old friends that you can afford to be stupid with them. Ralph Waldo Emerson.
Captain Ned
Global Moderator
Gold subscriber
 
 
Posts: 20183
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: defender.exe virus - anyone battle this one yet?

Postposted on Tue Sep 06, 2011 11:51 pm

3 applications are a must-have in my system.

1) Zone Alarm (Firewall & it's free)
2) Microsoft Security Essentials
3) Malwarebytes with monitoring enabled.
Intel i5 4670K @ 4.0GHZ|ATI Radeon HD 7970| 12 GB RAM| Xtreme Music with G500 5.1 | Panasonic "TH-L42E60".
Jigar
Maximum Gerbil
Silver subscriber
 
 
Posts: 4594
Joined: Tue Mar 07, 2006 4:00 pm

Re: defender.exe virus - anyone battle this one yet?

Postposted on Wed Sep 07, 2011 12:18 am

thegleek wrote:This thread is obviously popular.... Why hasn't this ever been addressed before?

Are your virus experiences proprietary or something? I think shiz like this needs to be shared so others can LEARN from it.

So I dropped by her place and picked up her laptop. I'll try a lot of the steps y'all posted above... Even if I'm successful, I think it'll just be refreshing to install Win7 over that crappy Vista junk.

And make sure you give her a user account instead of the default admin account! With UAC, most people will be able to use their computer just fine with a normal user account, only giving their admin credentials when absolutely needed.

If you keep UAC at default, she'll just click 'ok' whenever that pesky confirmation dialog pops up, and you'll soon be removing viruses and adware from Windows 7. If you give her an admin account and disable UAC, you either hate her or hate yourself, or both.
Firestarter
Gerbil XP
 
Posts: 478
Joined: Sun Apr 25, 2004 11:12 am
