
defender.exe virus - anyone battle this one yet?

Posted: Sun Sep 04, 2011 1:53 am
by thegleek
"Security Defender"

I haven't had the pleasure to meet & greet this fella on any of my own, but I just got drafted into fixing a computer (family!) that has this sneaky rat on it.

Obviously a Google search is man's best friend when counter-attacking a virus (why re-invent the wheel?), so 4 pages look like they're dealing with this in a similar manner (link 1, link 2, link 3, and link 4).

So I took the long manual road to combat this.

1. First I rebooted the computer in "Safe Mode with networking" (not that I needed the network anyway). Oh, it's running Vista Home 32-bit with 2 GB RAM, /me sighs.

2. Secondly, I searched for all suggested keywords in the registry and deleted the matching results.

3. Thirdly, deleted any physical files that came up as well (one was in C:\ProgramData\defender.exe, and the other was in C:\Windows\system32\{random characters}.exe).

4. Made sure no links/shortcuts existed, removed any suspicious entries in the Run/RunOnce registry keys, removed anything suspicious in the msconfig Startup.

5. Her computer had a legal, registered (and current) copy of ESET NOD32 antivirus on it; I'm not even sure WHY this virus can bypass it, but it has, and continues to do so. Perhaps it's more of a malware issue than a virus? Anywoot, I ran the ESET ecls.exe command-line scanner before rebooting.

6. Her computer reboots, and appears to be FIXED! woot! Celebratory dinner follows! Drop her off after dinner, say my goodbyes and drive an hour to get home...

7. She calls me up later in the evening crying IT'S BACK like a damn minecraft creeper! :evil:


So, I quit, I throw in the towel, eff all this crap - it's all retarded anyways. I just tell her next time we meet, I'll backup your Documents folder, reformat, boost you up to 4 gigs of RAM, and install Windows 7 Professional 64bit and call it a day.

What would you have done differently?
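The OP's steps 2 to 4 are a by-hand walk through the registry autostart locations. As an added example (not code from the thread or from any of the posters), here is that walk scripted in PowerShell 2.0 for an elevated prompt on Vista/7: it lists every Run/RunOnce entry under HKLM and HKCU plus the Winlogon Shell/Userinit values, and flags what deserves a closer look. The flagging heuristics (target under ProgramData/AppData/Temp, target missing, target with no CompanyName in its version resource) are my assumptions about what rogue-AV droppers tend to look like, not a signature for this family; a SUSPECT line is a prompt to inspect the file, not a verdict.

```powershell
# Added example, not from the thread: enumerate the autostart locations the OP
# searched by hand and flag entries worth inspecting. Heuristics are assumptions.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Stock values for the two Winlogon entries rogue AV families like to overwrite.
$winlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonDefaults = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping; skip it.
            if ($p.Name -like 'PS*') { continue }
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-ExePath([string]$cmd) {
    # Pull the executable out of a command line such as  "C:\x\y.exe" /silent  or  y.exe -a
    $cmd = $cmd.Trim()
    $exe = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (Test-Path -LiteralPath $exe) { return $exe }
    # Bare name (e.g. rundll32.exe): resolve it through PATH like the loader would.
    $resolved = Get-Command $exe -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($resolved) { return $resolved.Definition }
    return $null
}

function Get-SuspicionReason([string]$cmd) {
    $exe = Get-ExePath $cmd
    if (-not $exe) { return 'target not found' }
    if ($exe -match '\\(ProgramData|AppData|Temp)\\') { return 'runs from a user-writable location' }
    if (-not (Get-Item -LiteralPath $exe).VersionInfo.CompanyName) { return 'no CompanyName in version info' }
    return $null
}

Get-AutostartEntries | ForEach-Object {
    $why  = Get-SuspicionReason $_.Command
    $flag = if ($why) { "SUSPECT ($why)" } else { 'ok' }
    "{0,-45} {1}\{2} = {3}" -f $flag, $_.Key, $_.Name, $_.Command
}

# Winlogon: anything other than the stock Shell/Userinit values is a red flag.
$wl = Get-ItemProperty -Path $winlogonKey
foreach ($name in $winlogonDefaults.Keys) {
    $actual = [string]$wl.$name
    $state  = if ($actual -ieq $winlogonDefaults[$name]) { 'ok' } else { 'CHECK' }
    "{0,-45} Winlogon\{1} = {2}" -f $state, $name, $actual
}
```

Run it once before cleaning (to know what to delete) and again after the reboot: an entry that reappears is the evidence of a dropper or rootkit putting it back, which is the scenario the rest of this thread turns out to be about.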

Re: defender.exe virus - anyone battle this one yet?

Posted: Sun Sep 04, 2011 6:09 am
by Lucky Jack Aubrey
thegleek wrote:
What would you have done differently?

Not a thing. You make one serious attempt at cleaning the computer.

If that doesn't work, you nuke it from orbit. It's the only way to be sure.

Re: defender.exe virus - anyone battle this one yet?

Posted: Sun Sep 04, 2011 7:01 am
by StuG
I have defeated this before, but god did it take me a long time to figure out how. Here are my steps, and it doesn't come back:

- Before booting into safe mode, ensure that it is unchecked in msconfig Startup and Services. If this is left checked, for whatever reason it will come back.

- Reboot the computer into safe mode WITHOUT networking; with networking it will come back.

- After boot, remove all traces from registry and program files as you already did.

- Quick Scan from Microsoft Security Essentials (Update First)

- Quick Scan from Spyware Doctor (Update First)

- Full Scan from Microsoft Security Essentials

- Full Scan from Spyware Doctor

- Reboot computer.

- After boot, remove all traces from registry and program files as you already did.

- Quick Scan from Microsoft Security Essentials (Update First)

- Quick Scan from Spyware Doctor (Update First)

- Full Scan from Microsoft Security Essentials

- Full Scan from Spyware Doctor

Yes, you must repeat the steps to ensure it was fully eradicated. I have never had this process fail in removing this particular virus, or many others for that matter. I have never had anything picked up in the "repeat" stage, but I always feel better after doing it. Another thing you have to take into account is there could be a "feeder" program re-installing the virus. Take a look through the installed programs and ensure there isn't something they are using that is acting as a gateway.

Re: defender.exe virus - anyone battle this one yet?

Posted: Sun Sep 04, 2011 7:09 am
by Coran Fixx
Malwarebytes? I am usually down for the reformat though. Most infected computers I get have multiple layers of excitement going on, old drivers and "helper" programs that make starting over a better option.

Re: defender.exe virus - anyone battle this one yet?

Posted: Sun Sep 04, 2011 9:33 am
by just brew it!
My guess is it came back because she got another e-mail from whoever infected her the first time, and opened the attachment again. Until you get her to stop doing that, it will keep coming back.

There could also be a trojan the anti-virus missed that is re-installing it. I generally scan with at least two anti-malware tools after any infection. My two tools of choice these days are Malwarebytes and MS Security Essentials. Scan with one, then the other, and repeat until both tools give the system a clean bill of health. Or nuke from orbit... you know the drill.

Edit: Are there any other machines on her network that could have re-infected it?

Re: defender.exe virus - anyone battle this one yet?

Posted: Sun Sep 04, 2011 10:24 am
by thegleek
StuG wrote:
- Before booting into safe mode, ensure that it is unchecked in msconfig Startup and Services. If this is left checked, for whatever reason it will come back.

Yup, missed that too. I only unchecked it during safe mode, not prior or after.

StuG wrote:
- Reboot the computer into safe mode WITHOUT networking; with networking it will come back.

I only rebooted it using 'safe mode WITH networking' based off of these instructions.

just brew it! wrote:
My two tools of choice these days are Malwarebytes and MS Security Essentials.

/me sighs. Been too long out of the IT loop I guess, but I should have downloaded both of these and run them like StuG suggests above.

just brew it! wrote:
Edit: Are there any other machines on her network that could have re-infected it?

Nope, she lives alone with her lonely laptop. No other computer around. She hooks directly into the cable modem, so no wireless opportunities either.

Re: defender.exe virus - anyone battle this one yet?

Posted: Sun Sep 04, 2011 10:33 am
by MadManOriginal
You may want to convince her to get a router as well; aside from Windows Firewall, that will add a layer of protection from incoming port-scanning-type infestations. Without looking I don't even know if anyone makes wired-only routers any more, or they may be no cheaper than wireless ones, but you could always just turn off the wireless.

Re: defender.exe virus - anyone battle this one yet?

Posted: Sun Sep 04, 2011 1:30 pm
by thegleek
MadManOriginal wrote:
You may want to convince her to get a router as well; aside from Windows Firewall, that will add a layer of protection from incoming port-scanning-type infestations. Without looking I don't even know if anyone makes wired-only routers any more, or they may be no cheaper than wireless ones, but you could always just turn off the wireless.

As I upgraded my network with the D-Link DIR-644 XTREME N Gigabit Router (Wireless-N) {newegg link}, I have 5 "used" routers just sitting around collecting dust.

Linksys NR041 - cheap piece o' crap
Netgear RT314 - very old, my pride and joy back in the day...
Netgear FVS318 - the last router I used, does firewall, NAT, VPN, etc...
Belkin F5D6231-4 (Wireless) - another cheap piece o' crap wireless router
Cisco 871W (Wireless) - retailed for over $600

Re: defender.exe virus - anyone battle this one yet?

Posted: Mon Sep 05, 2011 12:24 am
by Flatland_Spider
I've dealt with that thing a couple of times. If I can sit down at the machine, I usually use the AVG Rescue CD and Trinity Rescue Kit to run the initial virus scans in order to kill the infected files. After that, I do everything everyone else has suggested.

I second nuking the sucker if it's coming back. It could be user error, or it could be a really serious infection. I had one that I swore was clean after an infection, but the ISP said it was sending spam. I don't want to say it had a rootkit because I don't have any hard evidence, but it was bad whatever it was.

Re: defender.exe virus - anyone battle this one yet?

Posted: Mon Sep 05, 2011 1:27 am
by wirerogue
http://www.bleepingcomputer.com/virus-removal/remove-security-defender

I've followed their instructions on 4 or 5 different machines to remove it. Works fine.

Re: defender.exe virus - anyone battle this one yet?

Posted: Mon Sep 05, 2011 1:39 am
by thegleek
wirerogue wrote:
http://www.bleepingcomputer.com/virus-removal/remove-security-defender

I've followed their instructions on 4 or 5 different machines to remove it. Works fine.

If you didn't read my OP, that was "link 1" of the 4 I had listed... :/

Re: defender.exe virus - anyone battle this one yet?

Posted: Tue Sep 06, 2011 10:53 am
by WalkCMD
I am currently dealing with this virus and will probably end up wanting to reinstall W7 to make sure it's completely gone.

I'm not sure I'll be able to uninstall all of my Steam games properly before I reformat and reinstall because the virus won't allow me to run any executables (namely the Steam client).

Will this cause a problem in trying to reinstall my Steam games and run them once I have a fresh OS install because they weren't uninstalled properly?

Re: defender.exe virus - anyone battle this one yet?

Posted: Tue Sep 06, 2011 11:05 am
by just brew it!
Try downloading and installing the registry patch linked about halfway down this page (in the Step 3 section). I've successfully used this to re-enable EXE files on infected systems in the past.

Edit: Hmm... use at your own risk, I think it is actually designed for XP. But if your alternative is a full wipe and reinstall, I guess it can't make things any worse than they already are...

Re: defender.exe virus - anyone battle this one yet?

Posted: Tue Sep 06, 2011 11:37 am
by WalkCMD
just brew it! wrote:
Try downloading and installing the registry patch linked about halfway down this page (in the Step 3 section). I've successfully used this to re-enable EXE files on infected systems in the past.

Edit: Hmm... use at your own risk, I think it is actually designed for XP. But if your alternative is a full wipe and reinstall, I guess it can't make things any worse than they already are...


True, thx.

Re: defender.exe virus - anyone battle this one yet?

Posted: Tue Sep 06, 2011 12:14 pm
by VinnyC
I've had really good luck using ComboFix from safe mode to remove many flavors of this virus. ComboFix isn't the most user-friendly app out there, but it sure gets the job done. I usually follow up with a Malwarebytes scan to clean up any remnants. If that doesn't get rid of it, nothing will.

http://www.bleepingcomputer.com/downloa ... s/combofix

Combofix is rather picky about having other antivirus software installed though when you try to run it. You may have to remove yours first.

Re: defender.exe virus - anyone battle this one yet?

Posted: Tue Sep 06, 2011 12:40 pm
by Firestarter
I'd get her a router ASAP. IMHO, a completely exposed Windows computer that's not being cared for by a competent administrator is just begging to be an important botnet node.

Re: defender.exe virus - anyone battle this one yet?

Posted: Tue Sep 06, 2011 12:43 pm
by thegleek
Firestarter wrote:
I'd get her a router ASAP. IMHO, a completely exposed Windows computer that's not being cared for by a competent administrator is just begging to be an important botnet node.

Um and yer way off base dude. She is single, lives alone in an apartment complex. There is no "administrator" for this type of situation.

Re: defender.exe virus - anyone battle this one yet?

Posted: Tue Sep 06, 2011 12:54 pm
by Firestarter
thegleek wrote:
Firestarter wrote:
I'd get her a router ASAP. IMHO, a completely exposed Windows computer that's not being cared for by a competent administrator is just begging to be an important botnet node.

Um and yer way off base dude. She is single, lives alone in an apartment complex. There is no "administrator" for this type of situation.

There, try reading it again :lol: :wink:

Re: defender.exe virus - anyone battle this one yet?

Posted: Tue Sep 06, 2011 1:01 pm
by dextrous
This comes back because it has a rootkit associated with it. Run TDSSKiller from Kaspersky: http://support.kaspersky.com/faq/?qid=208283363

It took me a few days to finally get rid of this one for good.

Re: defender.exe virus - anyone battle this one yet?

Posted: Tue Sep 06, 2011 1:20 pm
by cass
thegleek wrote:
"Security Defender"

I haven't had the pleasure to meet & greet this fella on any of my own, but I just got drafted into fixing a computer (family!) that has this sneaky rat on it.

.....
What would you have done differently?


I get two or three of these projects per month. The process is always the same, and much like what you did. It's pretty much a hunt-and-peck affair. First thing is to make a copy of the drive with Copy Commander or similar. It's normally a multipoint infection. Get control of the admin account via reset, or the original account password in the very unlikely event it still works. Then disable the mutating startups, and restore. Get into safe mode and run ComboFix. Start running some antivirus/malware scanners after that.

Always check the DHCP and DNS, and browser BHOs. Most all the crapware out there now redirects the nameserver or DHCP somewhere in the registry settings, so check all that. Flush DNS and reset the router to force access back to your original nameservers. After that you will probably be stuck with the Firefox and Explorer search redirects.... I don't know how many thousand there are, but they are tough to tame. Check for them by trying Windows Update and a few security sites and see if you get redirects or "server not found". I usually start Googling and running multiple fix routines; sooner or later I get lucky. Once I get access to Windows Update, I do that.

Once in a while you will come across something that is new enough that you have to do a manual removal, and normally that takes me a few days, because I am not that fluent in Windows files and delete something that was necessary and have to restore the image or file and try again.

Once you get the beast running, run it for a few days and watch the behavior. If you can, look at the user's history, and if it's a bunch of couponing sites and facetrash and free gaming sites, prepare to see the computer again very soon.

I got three computers for my wife and daughter to use, because it's an inevitable fact of life that they are going to willfully click on some unbelievable offer and infect them with something that will take me a few evenings to purge.

Re: defender.exe virus - anyone battle this one yet?

Posted: Tue Sep 06, 2011 2:01 pm
by JovianLitany
I have a relatively easy fix for this and other similar malware infections. Download rkill.exe from Bleeping Computer; this kills the running process(es). Much easier than booting into safe mode. Sometimes the infection won't let you run rkill.exe; in this case download the alternate package titled "eXplorer.exe". Then download, install and update Malwarebytes. Run a full scan of Malwarebytes; this should find the baddies and remove them. Before attempting to get online after removal, you may need to uncheck the proxy option in IE under Internet Options.

Hope this helps, this saves about an hour of work.

Re: defender.exe virus - anyone battle this one yet?

Posted: Tue Sep 06, 2011 2:36 pm
by LaChupacabra
just brew it! wrote:
Try downloading and installing the registry patch linked about halfway down this page (in the Step 3 section). I've successfully used this to re-enable EXE files on infected systems in the past.



Do this, but before you do go into the task manager. Defender spawns a process that hijacks your browser and .exe files. What you have to do to properly clean it is

1) Open Task Manager. There will be a process that is assigned 3 random letters. That is the defender process. Kill it and do not run any other files (it takes over pretty much every file type and runs it through its own program and will respawn defender)

2) Run the registry fix. This re-associates .exe files with the proper Windows programs and allows you to

3) Install Malwarebytes

4) Update malwarebytes

5) Perform a quick scan (this catches it) and have malwarebytes clean the system

6) reboot

And you're set. Do not run any other programs until these steps are completed. It will cause defender to spawn again and you will have to start over. We had a pretty massive outbreak of this on our XP machines at work. It took hours to figure out how to properly deal with it the first time, but following these steps it's all of 10 minutes now.

Good luck
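The procedure above (kill the random-letter process, then restore the .exe association before running anything else) and the registry patch just brew it! linked earlier are both about the same registry state. As an added example, not code from the thread or from any poster, here is a PowerShell 2.0 script for an elevated prompt that shows that state: it lists processes running from user-writable folders (step 1, to be killed by hand), compares the machine-wide .exe handling against the stock Windows values, reports the per-user override keys that should not exist on a clean box, and reports the policy values that disable Task Manager and regedit (why WalkCMD cannot open Task Manager). With -Repair it writes the fixes. Which keys a particular build of this rogue AV touches varies; the override list here is my assumption covering the usual spots, not a description of this exact sample.

```powershell
# Added example, not from the thread: audit and optionally repair the .exe
# association hijack and the Task Manager/regedit lockout. Kill the rogue
# process first, or it will rewrite these keys behind you. Override-key list
# is an assumption about where such families usually plant the hijack.
param([switch]$Repair)

# Machine-wide .exe handling: extension -> class -> open command (stock values).
$expected = @(
    @{ Path = 'HKLM:\Software\Classes\.exe';                       Value = 'exefile' },
    @{ Path = 'HKLM:\Software\Classes\exefile\shell\open\command'; Value = '"%1" %*' }
)
# Per-user keys that take precedence over the HKLM ones above; absent on a clean box.
$overrides = @(
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\exefile',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice'
)
# Policy values that lock the user out of Task Manager and the registry editor.
$lockouts = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' }
)

function Get-Default([string]$path) {
    if (-not (Test-Path $path)) { return $null }
    return (Get-ItemProperty -Path $path).'(default)'
}

# Step 1: candidates for the random-letter process. Review and kill by hand;
# legitimate apps (updaters, browsers) also run from AppData, so nothing is auto-killed.
Get-Process | Where-Object { $_.Path -and $_.Path -match '\\(ProgramData|AppData|Temp)\\' } | ForEach-Object {
    "PROCESS $($_.Id) $($_.ProcessName) from $($_.Path)"
}

# Step 2: machine-wide association.
foreach ($e in $expected) {
    $actual = [string](Get-Default $e.Path)
    if ($actual -eq $e.Value) { "ok      $($e.Path) = $actual"; continue }
    "HIJACK  $($e.Path) = '$actual' (expected '$($e.Value)')"
    if ($Repair) { Set-ItemProperty -Path $e.Path -Name '(default)' -Value $e.Value }
}

# Per-user overrides: if HKCU\...\.exe points at a class, show what that class launches.
foreach ($key in $overrides) {
    if (-not (Test-Path $key)) { continue }
    $detail = ''
    $class  = Get-Default $key
    if ($key -like '*\.exe' -and $class) {
        $cmd = Get-Default "HKCU:\Software\Classes\$class\shell\open\command"
        if ($cmd) { $detail = " -> $class -> $cmd" }
    }
    "HIJACK  $key exists$detail"
    if ($Repair) {
        Remove-Item -Path $key -Recurse -Force
        if ($class -and $class -ne 'exefile' -and (Test-Path "HKCU:\Software\Classes\$class")) {
            Remove-Item -Path "HKCU:\Software\Classes\$class" -Recurse -Force
        }
    }
}

# Lockout policies.
foreach ($l in $lockouts) {
    if (-not (Test-Path $l.Path)) { continue }
    $v = (Get-ItemProperty -Path $l.Path -ErrorAction SilentlyContinue).($l.Name)
    if ($v -eq 1) {
        "LOCKOUT $($l.Path)\$($l.Name) = 1"
        if ($Repair) { Remove-ItemProperty -Path $l.Path -Name $l.Name }
    }
}
```

The "open command" line is the whole trick: with `HKCU\Software\Classes\.exe` pointing at a class whose command is `"C:\...\xyz.exe" "%1" %*`, every double-clicked program is launched through the rogue binary, which is why running anything (Task Manager, the scanner installer) respawns it. Launching PowerShell itself needs a path that bypasses the association, which is what the rkill "eXplorer.exe" rename and the .reg patch are working around.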

Re: defender.exe virus - anyone battle this one yet?

Posted: Tue Sep 06, 2011 3:15 pm
by WalkCMD
LaChupacabra wrote:
just brew it! wrote:
Try downloading and installing the registry patch linked about halfway down this page (in the Step 3 section). I've successfully used this to re-enable EXE files on infected systems in the past.



Do this, but before you do go into the task manager. Defender spawns a process that hijacks your browser and .exe files. What you have to do to properly clean it is

1) Open Task Manager. There will be a process that is assigned 3 random letters. That is the defender process. Kill it and do not run any other files (it takes over pretty much every file type and runs it through its own program and will respawn defender)

2) Run the registry fix. This re-associates .exe files with the proper Windows programs and allows you to

3) Install Malwarebytes

4) Update malwarebytes

5) Perform a quick scan (this catches it) and have malwarebytes clean the system

6) reboot

And you're set. Do not run any other programs until these steps are completed. It will cause defender to spawn again and you will have to start over. We had a pretty massive outbreak of this on our XP machines at work. It took hours to figure out how to properly deal with it the first time, but following these steps it's all of 10 minutes now.

Good luck


I can't even open Task Manager - it won't allow me to even do that.

Re: defender.exe virus - anyone battle this one yet?

Posted: Tue Sep 06, 2011 3:59 pm
by LaChupacabra
WalkCMD wrote:
I can't even open Task Manager - it won't allow me to even do that.


Can you run the registry fix, then type task manager into the universal search box and execute it directly?

Re: defender.exe virus - anyone battle this one yet?

Posted: Tue Sep 06, 2011 4:12 pm
by elmopuddy
You did the right thing.. I've run into this quite a few times... if it's going to take longer than 20 mins to fix, reinstall.. and yeah, all my friends are off XP.

Re: defender.exe virus - anyone battle this one yet?

Posted: Tue Sep 06, 2011 4:22 pm
by mutarasector
Read and follow the directions at this link:

http://www.bleepingcomputer.com/virus-r ... y-defender

It involves using Malwarebytes and RKill in safe mode, but the one thing some people forget is to fix/replace their hosts file also. If you don't fix it, you'll just get redirected to a site and download it again. This little bit of malware is annoying, but more easily removed if you follow the directions at the Bleeping Computer web site. To fix your hosts file, you may need to also download and run a small batch file that removes a file lock the bug puts on your hosts file. A link for that batch file is also available at that site.
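Three posters each name one network-level thing to check after removal: cass (DHCP/DNS settings and browser BHOs), JovianLitany (the IE proxy checkbox) and mutarasector (the hosts file and the lock on it). As an added example, not code from the thread or from any poster, here is one read-only PowerShell 2.0 pass over all four for an elevated prompt; -FixProxy is the only thing it writes. The list of watched hostnames is my assumption (extend it with whatever the user needs to reach), and on 64-bit Windows the 32-bit IE also loads BHOs from `HKLM:\Software\Wow6432Node\...`, which this does not cover.

```powershell
# Added example, not from the thread: post-cleanup network checks (hosts file,
# WinINET proxy, per-adapter DNS, Browser Helper Objects). Watched-site list is an assumption.
param([switch]$FixProxy)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$ieKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$bhoKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$watched   = 'microsoft.com', 'windowsupdate.com', 'malwarebytes.org', 'bleepingcomputer.com', 'eset.com'

'== hosts file =='
try {
    # ReadOnly/Hidden attributes are the usual form of the "lock" mentioned above.
    "attributes: $((Get-Item -LiteralPath $hostsPath -Force).Attributes)"
    # A stock hosts file has only comments and, on Vista, the two localhost lines.
    Get-Content -LiteralPath $hostsPath -ErrorAction Stop | ForEach-Object { $_.Trim() } |
      Where-Object { $_ -and -not $_.StartsWith('#') } | ForEach-Object {
        $parts = $_ -split '\s+'
        if ($parts.Length -lt 2) { return }       # "return" inside ForEach-Object skips this line
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Length - 1)]) {
            if ($name -eq 'localhost' -and ($ip -eq '127.0.0.1' -or $ip -eq '::1')) { continue }
            $tag = if ($watched | Where-Object { $name -like "*$_" }) { 'REDIRECT' } else { 'extra' }
            "{0,-8} {1} -> {2}" -f $tag, $ip, $name
        }
      }
} catch { "cannot read hosts file: $($_.Exception.Message)" }

'== WinINET proxy (IE, Windows Update and most AV updaters use it) =='
$ie = Get-ItemProperty -Path $ieKey
"ProxyEnable=$($ie.ProxyEnable) ProxyServer='$($ie.ProxyServer)' AutoConfigURL='$($ie.AutoConfigURL)'"
if ($FixProxy) {
    Set-ItemProperty    -Path $ieKey -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $ieKey -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $ieKey -Name AutoConfigURL -ErrorAction SilentlyContinue
    'proxy cleared'
}

'== DNS per adapter (compare with what the ISP or router should hand out) =='
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    "{0}: DHCP={1} DNS={2}" -f $_.Description, $_.DHCPEnabled, ($_.DNSServerSearchOrder -join ', ')
}

'== Browser Helper Objects (CLSID, name, DLL) =='
if (Test-Path $bhoKey) {
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        $cls   = "HKLM:\Software\Classes\CLSID\$clsid"
        $name  = (Get-ItemProperty -Path $cls -ErrorAction SilentlyContinue).'(default)'
        $dll   = (Get-ItemProperty -Path "$cls\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        "{0}  {1}  -> {2}" -f $clsid, $name, $dll
    }
}
```

A REDIRECT line for a vendor or update site explains the "reinfected after reboot" loop directly: the first download the user makes goes to whatever the entry points at. Unset the ReadOnly/Hidden attributes before editing the file, and a BHO whose DLL has no name or sits under AppData is worth the same scrutiny as a Run entry.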

Re: defender.exe virus - anyone battle this one yet?

Posted: Tue Sep 06, 2011 11:39 pm
by thegleek
This thread is obviously popular.... Why hasn't this ever been addressed before?

Are your virus experiences proprietary or something? I think shiz like this needs to be shared so others can LEARN from it.

So I dropped by her place and picked up her laptop. I'll try a lot of the steps y'all posted above... Even if I'm successful, I think it'll just be refreshing to install Win7 over that crappy Vista junk.

Re: defender.exe virus - anyone battle this one yet?

Posted: Tue Sep 06, 2011 11:47 pm
by Captain Ned
thegleek wrote:
Even if I'm successful, I think it'll just be refreshing to install Win7 over that crappy Vista junk.

A nuke from orbit will take far less of your time and the loss (oh, did I erase your data? Oops.) of data will do far more to implant the message than a simple fix could ever do.

Re: defender.exe virus - anyone battle this one yet?

Posted: Tue Sep 06, 2011 11:51 pm
by Jigar
3 applications are a must have in my system.

1) Zone Alarm (Firewall & it's free)
2) Microsoft Security Essentials
3) Malwarebytes with monitoring enabled.

Re: defender.exe virus - anyone battle this one yet?

Posted: Wed Sep 07, 2011 12:18 am
by Firestarter
thegleek wrote:
This thread is obviously popular.... Why hasn't this ever been addressed before?

Are your virus experiences proprietary or something? I think shiz like this needs to be shared so others can LEARN from it.

So I dropped by her place and picked up her laptop. I'll try a lot of the steps y'all posted above... Even if I'm successful, I think it'll just be refreshing to install Win7 over that crappy Vista junk.

And make sure you give her a user account instead of the default admin account! With UAC, most people will be able to use their computer just fine with a normal user account, only giving their admin credentials when absolutely needed.

If you keep UAC at default, she'll just click 'OK' whenever that pesky confirmation dialog pops up, and you'll soon be removing viruses and adware from Windows 7. If you give her an admin account and disable UAC, you either hate her or hate yourself, or both.
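As an added example of Firestarter's advice in practice (not code from the thread or from any poster), here is a PowerShell 2.0 script for an elevated prompt on the rebuilt Win7 box: it reports the UAC policy values, lists who is in the local Administrators group, and creates a standard daily-use account. Vista/7 have no New-LocalUser cmdlet, so the built-in net.exe does the creation; `net user ... * /add` prompts for the password rather than taking it on the command line. The account name is a placeholder.

```powershell
# Added example, not from the thread: UAC state, local admin membership, and a
# standard (non-admin) account for daily use. Account name is a placeholder.
param([string]$NewUser = 'daily')

# UAC policy. EnableLUA=1 is the part that matters; ConsentPromptBehaviorAdmin
# and PromptOnSecureDesktop control how the prompt looks for admin accounts.
$uac = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
"EnableLUA=$($uac.EnableLUA) ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin) PromptOnSecureDesktop=$($uac.PromptOnSecureDesktop)"
if ($uac.EnableLUA -ne 1) {
    Write-Warning 'UAC is off: anything the user runs gets full admin rights with no prompt at all.'
}

# Every member of this group is one "OK" click away from handing malware the machine.
'Local Administrators:'
$group = [ADSI]'WinNT://./Administrators,group'
$group.psbase.Invoke('Members') | ForEach-Object {
    '  ' + $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

# Create the daily-use account only if it does not already exist. net user /add
# places it in Users only, not Administrators; the listing afterwards confirms that.
if (-not (Get-WmiObject Win32_UserAccount -Filter "LocalAccount = TRUE AND Name = '$NewUser'")) {
    & net user $NewUser * /add /comment:"standard daily-use account"
    & net localgroup Users
    & net localgroup Administrators
}
```

Keep the original admin account (with a password she does not use day to day) for the UAC prompt; over-the-shoulder elevation means the rogue installer she clicks on has to get through a credential prompt instead of a consent click.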