Desktop Defender 2010 and Other Problems

Ciraxis117 · Jan 5, 2010

Hello,

Just two days ago, I started having problems with viruses infecting my system. A fake antivirus program, Desktop Defender 2010, has been installed unwillingly onto my computer and is messing with it big time.

I can locate it under Add/Remove Programs, but it will not be removed, as if it were that easy.

I have already ran the programs located in the Read and Run First thread, but the program remains on my system.

I have attached the appropriate logs and thank you for your time.

Ciraxis117 · Jan 5, 2010

Just the last of five logs.

TimW · Jan 8, 2010

First, you are running a very old version of MGTools!! We will deal with that later.

Second, you should not be allowing all users to have Admin. privileges!!

Users on this computer:
Is Admin? | Username
------------------
Yes | Administrator
Yes | BJ
| Guest (Disabled)
| HelpAssistant (Disabled)
Yes | Ken
Yes | Liz
Yes | Rachel
Click to expand...

Why is ComboFix not on your desktop? I don't even see it installed.

Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract+ avenger.exe from the Zip file and save it to your desktop

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [Ulovamosareveg] rundll32.exe "C:\WINDOWS\iyasijihaf.dll",Startup
O4 - HKLM\..\Run: [Desktop Defender 2010] C:\Program Files\Desktop Defender 2010\Desktop Defender 2010.exe
O4 - HKLM\..\Run: [8e6cjtmudck6] C:\WINDOWS\system32\8e6cjtludc46.exe
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files\Fiddler2\Fiddler.exe" (file missing)
Click to expand...

After clicking Fix, exit HJT.

* Run avenger.exe by double-clicking on it.
* -Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

Drivers to delete:
bzmgri
cel90xbe

Files to delete:
c:\windows\system32\8e6cjtludc46.exe
c:\windows\system32\l8e6cjtqudck4.exe
c:\windows\system32\drivers\bzmgri.sys
c:\windows\Yruruy.dat
c:\windows\Arexozuzeqijiw.bin
c:\windows\sr882388.exe
c:\windows\system32\config\systemprofile\Application Data\fvgqad.dat
c:\documents and settings\NetworkService\Application Data\fvgqad.dat
c:\documents and settings\Ken\Application Data\avdrn.dat
C:\WINDOWS\iyasijihaf.dll
c:\windows\system32\buhunafa.dll
c:\windows\system32\jevaziji.dll
c:\windows\system32\wilubore.dll
c:\windows\system32\yafodini.dll
c:\windows\system32\zilolowa.dll
c:\documents and settings\Ken\LOCAL Settings\Temp\cel90xbe.sys
c:\documents and settings\Ken\Start Menu\Programs\Startup\siszyd32.exe

Folders to delete:
c:\program files\Desktop Defender 2010

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Ulovamosareveg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Desktop Defender 2010
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 8e6cjtmudck6
Click to expand...

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run Ccleaner to clean out only temp files and nothing else!

Now run Combofix

Now download the latest version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

Then attach the below logs:
* C:\Avenger.txt
* C:\ComboFix.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

Ciraxis117 · Jan 9, 2010

Ahh, yes, I believe when I ran MGtools I used the older version I had on my system, sorry about that.

I have not yet disabled admin privileges for the other accounts, but I will surely do that.

It was quite strange, I used the program when I initially cleaned, but after reading that you did not see it installed, I noticed it was gone. Not a big deal, however, as I re-downloaded it.

I downloaded and ran all of your specified programs, including scripts, and my system seems to be running well now. Desktop Defender as been removed as planned and nothing is amiss that I can see.

I have attached the three logs you requested and thank you for such a nice fix.

TimW · Jan 11, 2010

You need to move ComboFix to your desktop!! It should not be run from here:
c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe --> it should be here:
c:\documents and settings\Administrator\Desktop\ComboFix.exe.

Why were you running the MGTools scan in safe mode?

Please do it again in normal mode. I just need to check that everything is gone.

Ciraxis117 · Jan 11, 2010

From what I can see, it is on my desktop and, yes, I do understand what my desktop is.

Ahh, well I was running in safe mode because of what the program was doing to me in normal mode, however now, when I try to boot in safemode, I get a blue screen error that will not let me log on.

This is a bit of what it says:

Stop: 0x0000008E (0xC0000005, 0xF70F1C66, 0xBA58782C, 0x00000000)
Ntfs.sys - Address F70F1C66 base at F70CE000, Datestamp 48025be5

TimW · Jan 11, 2010

If you look at your Combo log, you will see where it is running from. Are you able now to boot to normal, but suddenly can't boot to safe mode?

You can read this on the missing ntls file:
http://support.microsoft.com/kb/555531

chaslang · Jan 11, 2010

Ciraxis117 said: ↑

From what I can see, it is on my desktop and, yes, I do understand what my desktop is.
Click to expand...

The problem is that you did not put ComboFix.exe on your Desktop. You put a link to ComboFix.exe on your Desktop ( ComboFix.exe.lnk ) which is not the same thing. The link is pointing to the c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe which means this is where combofix is running from and this is not your Desktop.

Ciraxis117 · Jan 11, 2010

Ahh, I understand and I will mend that.

Only thing is, I cannot boot in normal mode because of that error. I read the article at the link you posted and will attempt to locate my XP disc in order to fix the issue.

Until then, I assume I cannot do any more cleaning.

TimW · Jan 14, 2010

No, you will have to be able to boot in order for us to continue with any malware removal. I suggest you post in the software forum for additional assistance and once you can boot, return to this thread.

Log in or Sign up

Desktop Defender 2010 and Other Problems

Ciraxis117 Private E-2

Attached Files:

SASLog.txt

MalwareLog.txt

Combofix log.txt

RootRepealLog.txt

Ciraxis117 Private E-2

Attached Files:

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Ciraxis117 Private E-2

Attached Files:

avenger.txt

combofix.txt

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Ciraxis117 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Ciraxis117 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member