Need help with Ultimate Defender infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by Eezak, Oct 16, 2007.

  1. Eezak

    Eezak Staff Sergeant

    I'm attempting to clean up a friend's computer that seemed to be badly infected with spyware so that it was very slow to respond when opening a program or shutting down the system. While there were some other infections the main offender in evidence (and still causing problems) is the so-called "Ultimate Defender" infection (hereafter referred to as "UD") which has:

    1) Changed the desktop wallpaper to the blood red bio-hazard design with the "Your privacy is in danger!" statement at the bottom of the desktop.

    2) Has, I believe, placed the 3 icons on the desktop labeled "Error Cleaner", "Privacy Protector", and "Spyware and Malware Protection".

    3) Keeps opening browser windows displaying the UD page and purporting to show a number of spyware infections found on the system and urging the purchase of the UD software to cure them.

    4) Frequently pops up onscreen what appear to be genuine OS warnings about the detection of various forms of viruses, malware, trojan horses, etc but are, in fact, bogus notices attempting to panic the user into clicking on dialogue buttons to allow further infections or cause a browser to open on the UD website.

    I have cleaned out some system garbage with CCleaner, checked Add/Remove programs and found and removed one suspect media player. And I have followed the main malware removal instructions here through item 6B and cleared out some other stuff which has at least made the system reasonably responsive but UD is still present and causing problems as itemized above.

    I worked through all the scans as instructed and once I had completed them (that is, finished all the scans suggested through item 6B but before renaming/running Hijack This) I also downloaded and ran the AVG anti-spyware software after first shutting down Counterspy (which I had run successfully already).

    I then re-ran CCleaner and the scans with both Spybot and Counterspy hoping to get lucky and finish clearing out UD but wasn't surprised, given what I found on the web about UD, to find that didn't work.

    I have the logs from all the scans I've done and wonder how I should proceed now to get help on this forum.

    Should I post all the logs from all the scans (2 each from Spybot and Counterspy plus the others listed through 6B)? Should I start from the top of the malware removal instructions and do a set of all new scans through 6B and just post those (while saving the older scan logs in case they may be useful at some point)?

    Let me know how to proceed so I don't waste time and space posting logs that may not be useful in diagnosing the current state of this system.


    Thanks!
     
  2. Eezak

    Eezak Staff Sergeant

    Update -- the blood red "biohazard symbol" desktop did not appear when I re-booted just now. Instead the desktop is all white. But when I right click on the desktop and choose properties I still see the non-standard "Properties" page with only a single "General" tab at the top like I've been seeing all along. It appears that UD is crippled (I'm no longer getting the browser opening to the UD web page either) but that the system is not back to normal.

    Again, please advise me whether to run a complete new set of scans and post those logs only or whether to post the logs I already have.

    Thanks!
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

As the READ & RUN states, if you need help, you need to attach the 6 requested logs from the READ ME. If you have not completed all the steps, then follow them in order and then attach the logs. If you have already run all the steps then attach the logs which you should have created while running the steps.
     
  4. Eezak

    Eezak Staff Sergeant

    I've worked my way carefully through the malware removal instructions. Also first did some system cleanup and also removed old JAVA RTE and installed the new one. Tried to carefully work through everything and don't think I skipped anything.

    As mentioned in earlier posts my friend's main concern is the "Ultimate Defender" infection, but scans found (and in some cases apparently fixed) other spyware/malware also.

    First 3 scans attached to this post and next 3 will accompany the following post.
     

    Attached Files:

  5. Eezak

    Eezak Staff Sergeant

    Here are the remaining 3 log attachments.

Since last evening I've not once seen a browser open to the UD website nor have I seen any of the bogus OS "panic" messages. The blood red "biohazard symbol" scrolling wallpaper is also gone from the desktop of the one account that was infected with it. But in its place is just a plain white background and if I right click on it and select "Properties" I don't get the usual tabbed "Display Properties". Instead, I get a window with a single "General" tab at the top and what is labeled as a url but appears to be a file path on the C: drive but I don't see the file named in the path at that location. And there are no tools to facilitate changing/setting the desktop wallpaper (or the screen saver or themes, etc). How can I restore the normal wallpaper and other display functions on that one account? (The account is the one named "Mommy" and was the only account on the system to show that ugly blood red biohazard symbol wallpaper with the "Your Security is at Risk!" message at the bottom.)

    The other 2 accounts (plus a 3rd that I created for my own use, Denny01) all appear to have normal Windows wallpaper on the desktop and show the usual tabbed "Display Properties" when I right click on the desktop and select "Properties."

    In short, there's no evidence that Ultimate Defender is active any longer, at least not currently, but things aren't back to normal on the desktop for the "Mommy" account either.

    So, here are the remaining 3 logs, including the HijackThis! log, installed and run per the malware forum instructions.

    I'm comfortable backing up, editing and restoring the registry as well as zapping files. So, please and thank you, what now?!
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your logs I can see you skipped or did not properly complete step 2 of the READ ME for the account you attached logs from. Please do this now.

    It is important that while you are working on fixing malware issue that you only log into one account at any time. Log off before going to another account. Do not use Switch User. From your HJT log, it looks like you may have been logged into a couple of accounts.

    Uninstall the CounterSpy trial now since we are finished with it. And delete the below folders which may be left behind
    C:\Documents and Settings\Dennis01\Application Data\Sunbelt Software
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Also uninstall My Way Search Assistant

    Run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: (no name) - {3ADCBC16-19FA-4C59-9C22-E17C71B5FD7A} - (no file)
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O3 - Toolbar: (no name) - {ABF529BE-6245-465A-BBD4-238C4EAB0F0A} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O21 - SSODL: msvb - {6E81B631-9A5B-49EE-AAE7-DFE798CD8A0F} - (no file)
    O21 - SSODL: sysdx - {B7F46533-6848-4156-BBB6-380553B472D6} - (no file)

    After clicking Fix, exit HJT.

    Now delete the below files:
    C:\Documents and Settings\faith\Desktop\PopularScreensaversSetup2.2.60.11-2.ZRfox000.exe
    C:\Documents and Settings\mommy\Desktop\backups\backup-20070927-141346-612.dll

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT



    Now for each account where you have a wallpaper issue, do the below.

    Fixing Locked Desktop
    Also you should right click on your Desktop and select Properties. Then click the Desktop tab and then the Customize Desktop button. Now in the next window that comes up click the Web tab. Make sure at the bottom that Lock desktop items is unchecked. Then in the Web pages: box delete all items but My Current Home Page and make sure it is unchecked too. Then click OK. Apply. OK.

    Make sure you tell me how things are working now!
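The HijackThis lines listed above (R3, O2, O3, O21 entries ending in "(no file)", plus the O4 Run entries) are all registry extension points that explorer.exe or Internet Explorer load at logon or browser start. The following PowerShell script is an added example, not part of the thread or of HijackThis, that walks those same locations on the live machine, resolves each CLSID to its registered DLL and flags the orphans that HJT reports as "(no file)". It is read-only. It assumes a 32-bit Windows XP-era layout (no Wow6432Node) and read access to HKLM and HKCU; the helper names (Resolve-ClsidPath, Test-ClsidEntry) are the example's own.

```powershell
# Added example (not from the thread): read-only audit of the HJT-style autostart and
# browser-extension points. Resolves CLSIDs to their InprocServer32 DLL and flags
# registrations whose DLL is missing, which HijackThis shows as "(no file)".
# Assumes 32-bit Windows (no Wow6432Node) and read access to HKLM/HKCU.

$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Resolve-ClsidPath {
    param([string]$Clsid)
    # A COM server registers its DLL as the default value of CLSID\{...}\InprocServer32.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $dll = (Get-ItemProperty -Path $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

function Test-ClsidEntry {
    param([string]$Label, [string]$Clsid)
    $dll = Resolve-ClsidPath $Clsid
    if (-not $dll)                 { "$Label $Clsid -> (no CLSID registration)" }
    elseif (-not (Test-Path $dll)) { "$Label $Clsid -> (no file) $dll" }
    else                           { "$Label $Clsid -> $dll" }
}

# O21: ShellServiceObjectDelayLoad - explorer.exe instantiates these CLSIDs at logon.
$ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
if (Test-Path $ssodl) {
    (Get-ItemProperty $ssodl).PSObject.Properties |
        Where-Object { "$($_.Value)" -match '^\{[0-9A-Fa-f-]+\}$' } |
        ForEach-Object { Test-ClsidEntry "O21 SSODL $($_.Name)" $_.Value }
}

# O2: Browser Helper Objects - the subkey names are the CLSIDs.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) {
    Get-ChildItem $bho | ForEach-Object { Test-ClsidEntry 'O2 BHO' $_.PSChildName }
}

# O3: IE toolbars and R3: URLSearchHooks - the value names are the CLSIDs.
$clsidValueKeys = @(
    @{ Label = 'O3 Toolbar';       Path = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar' },
    @{ Label = 'R3 URLSearchHook'; Path = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks' }
)
foreach ($k in $clsidValueKeys) {
    if (-not (Test-Path $k.Path)) { continue }
    (Get-ItemProperty $k.Path).PSObject.Properties |
        Where-Object { $_.Name -match '^\{[0-9A-Fa-f-]+\}$' } |
        ForEach-Object { Test-ClsidEntry $k.Label $_.Name }
}

# O4: Run keys - print each command line and whether its executable exists on disk.
foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $run)) { continue }
    (Get-ItemProperty $run).PSObject.Properties |
        Where-Object { $psMeta -notcontains $_.Name } |
        ForEach-Object {
            # Take the quoted path, or else the first whitespace-delimited token, as the image.
            $cmd = "$($_.Value)"
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $state = if (Test-Path $exe) { 'present' } else { 'MISSING' }
            "O4 Run [$($_.Name)] $cmd -> $state"
        }
}
```

A "(no file)" result means the CLSID is still registered but its DLL is gone, which is the usual state after a scanner has deleted the malware binary but left the registration; that is exactly what the HJT fixes above remove. Entries that resolve to a present DLL (QuickTime, Java update scheduler) are not malware, and the thread removes them only as unneeded startup items.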
     
  7. Eezak

    Eezak Staff Sergeant

    Thank you very much for the help!

I'm not sure what happened with the file settings but I double-checked them (while only being logged on in one account) to ensure hidden files and folders are shown and unchecked the box to ensure all file extensions are displayed, then clicked "Apply to all folders". So I hope the log info is now complete in the latest logs.

    All the scans you suggested seemed to run routinely without any hitches or anything unusual happening and I've attached the three logs for them as you requested. The system seems to be reasonably responsive (given it's an old Dell system running XP Home with a Celeron and only 256 MB of RAM) -- it's certainly much, much better than when I first began working on it -- and it appears to be working fine. I haven't seen any of the bogus OS security warnings nor have I been directed against my will to the UD website for the past two days. But...

    I still have a problem with the desktop wallpaper on the "Mommy" account. While the dark red wallpaper/webpage bio-hazard symbol with the security warning text no longer appears, the desktop is just plain white and I can't reset it to a standard wallpaper image. When I right click on the desktop (when logged in on the "Mommy" account) and choose "Properties" I don't get the regular tabbed "Display Properties" window. Instead I see a window labeled "Properties" with only a single tab at the top ("General"). I can attach a screen shot of this if it would be helpful. The image is a "Print Screen" bitmap and is almost 1.4 MB however. I can, of course, compress/convert it to a jpg image before attaching it if you wish. What file size would you suggest in that case?

    But maybe a description would be adequate:

    At the very top left of this single "General" tab/page there is a small icon-like symbol that seems to be a cream-colored page with the upper right corner turned down, and a blue round shape (a globe I think) with what is perhaps supposed to represent blue text under it. Just to the right of that are the words "Not available".

    then...

    Protocol: File Protocol

    Type: HTML Document

    Connection: Not Encrypted

    Address: file://C:\WINDOWS\privacy_danger\index.htm

    Size: Not Available

    Created: Not Available

    Modified: Not Available


    Hoping a reboot might help, I shut the system down for a couple of minutes, then rebooted to the "Mommy" account but with the same result. Right clicking on the plain white desktop on that account and choosing "Properties" still shows the window described above. The other accounts all have regular standard Windows desktop wallpaper and show the proper tabbed "Display Properties" window as expected.

    Here are the latest logs and thank you again for your help.
     

    Attached Files:
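The dialog described in the post above (a single "General" tab with Protocol: File Protocol and Address: file://C:\WINDOWS\privacy_danger\index.htm) is what the shell shows when the desktop background is an Active Desktop web page rather than a bitmap, and the Display Properties pages have been hidden by policy. The PowerShell script below is an added example, not from the thread, that inspects the per-user registry settings behind that state and, only when run with -Fix, removes the offending component, clears the restriction policies, restores a stock bitmap wallpaper and deletes the C:\WINDOWS\privacy_danger folder named in the dialog. Run it while logged into the affected account. It assumes the Windows XP-era Active Desktop layout under HKCU and that %WINDIR%\Web\Wallpaper\Bliss.bmp exists; the "Get-RegValue" helper is the example's own.

```powershell
# Added example (not from the thread): report, and with -Fix undo, an Active Desktop
# web-page wallpaper hijack plus the Display Properties restrictions that accompany it.
# Run inside the affected user account. Assumes XP-era HKCU layout; Bliss.bmp is assumed.
param([switch]$Fix)

$general    = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General'
$components = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
$cpDesktop  = 'HKCU:\Control Panel\Desktop'
$hijackDir  = Join-Path $env:WINDIR 'privacy_danger'     # path shown in the post's dialog

function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (Test-Path $Path) { (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).$Name }
}

# 1. Wallpaper values. Active Desktop keeps its own copy under IE\Desktop\General;
#    an .htm/.html there (instead of a .bmp/.jpg) is the tell-tale of a web-page wallpaper.
foreach ($v in 'Wallpaper', 'BackupWallpaper') {
    $val = Get-RegValue $general $v
    "IE Desktop $v = $val"
    if ("$val" -match '\.html?$') { "  ! HTML wallpaper: $val" }
}
"Control Panel Wallpaper = $(Get-RegValue $cpDesktop 'Wallpaper')"

# 2. Active Desktop components (the items on the Web tab of Customize Desktop).
#    Each numbered subkey has a Source; flag any that points at a local file.
$suspect = @()
if (Test-Path $components) {
    Get-ChildItem $components | ForEach-Object {
        $src = (Get-ItemProperty $_.PSPath).Source
        "Component $($_.PSChildName): $src"
        if ("$src" -match '^(file://|[A-Za-z]:\\)') { "  ! local-file component"; $suspect += $_.PSPath }
    }
}

# 3. Policies that hide Display Properties pages or freeze Active Desktop.
$policies = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = 'NoDispCPL','NoDispBackgroundPage','NoDispScrSavPage','NoDispAppearancePage','NoDispSettingsPage' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
       Names = 'NoChangingWallPaper','NoComponents','NoAddingComponents','NoDeletingComponents','NoEditingComponents' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = 'NoActiveDesktop','NoActiveDesktopChanges','ForceActiveDesktopOn' }
)
foreach ($p in $policies) {
    foreach ($n in $p.Names) {
        $val = Get-RegValue $p.Path $n
        if ($val) {
            "  ! policy $n = $val  ($($p.Path))"
            if ($Fix) { Remove-ItemProperty -Path $p.Path -Name $n }
        }
    }
}

# 4. The hijack page itself.
if (Test-Path $hijackDir) { "  ! $hijackDir exists" }

if ($Fix) {
    foreach ($k in $suspect) { Remove-Item -Path $k -Recurse }
    if (Test-Path $hijackDir) { Remove-Item -Path $hijackDir -Recurse -Force }
    # Point both wallpaper settings at a stock bitmap so the desktop redraws as an image.
    $bmp = Join-Path $env:WINDIR 'Web\Wallpaper\Bliss.bmp'   # assumed present (XP default)
    foreach ($key in $general, $cpDesktop) {
        if (Test-Path $key) { Set-ItemProperty -Path $key -Name Wallpaper -Value $bmp }
    }
    # Have the shell re-read per-user settings; logging off and on does the same.
    rundll32.exe user32.dll,UpdatePerUserSystemParameters
}
```

Running it without -Fix first shows which of the three mechanisms are present on the account, which is worth knowing before deleting anything: a missing Display Properties tab set is a policy problem, the white desktop is a component/wallpaper problem, and both have to be cleared for the account to look normal again.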

  8. Eezak

    Eezak Staff Sergeant

    In addition to the scans I did clear out the browser settings for both IE and Firefox as per the latest instructions and also downloaded and ran ATF Cleaner. I also deleted the files in Documents and Settings as instructed. All these operations appeared to work correctly and without any difficulty.

After checking with the owner of the 'mommy' account we decided to just delete her old account and create a new one as a way of getting rid of the wallpaper problem. Will post later to let you know how that works.
     
    Last edited: Oct 18, 2007
  9. Eezak

    Eezak Staff Sergeant

I don't mean to be impatient but wonder if my newest post with the requested scans slipped through without being noticed? Maybe a "bump" on my part is in order now? I have 3 computers of my own and can easily wait quite a while for assistance with one of those when I need it, but the machine I'm working on does belong to a friend with several school age daughters so I would like to finish this up as quickly as possible. I know this forum demands a lot of time from the people who try to help and certainly appreciate and understand the quality of the assistance that's available. I don't want to seem at all as if I'm trying to push my way to the front. Only want to be sure I didn't get overlooked somehow.

    Thanks!
     
    Last edited: Oct 18, 2007
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You are not following all of the instructions in step 2. Hidden files is only one part. You also have to unhide System files and uncheck the option to not hide file extensions. These last two things are what you still have not done.

Yes, but you are posting logs for the Dennis01 account and these logs do not give us info on the Mommy account. We can work on that after we are finished with Dennis01.

So let me ask, is everything okay with the Dennis01 account?
    If yes, LOG OUT of the Dennis01 account and into the Mommy account. Then attach the below logs while logged into Mommy.

    • GetRunKey
    • ShowNew
    • HijackThis
    Note: Bumping is a bad idea. Read this sticky: Don't Bump! It Only Hurts You!!!
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

I just read your other message and see you deleted the mommy account. Thus you will not need to do what was in my previous message.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
11. After doing the above, you should work through the below link:
     
  12. Eezak

    Eezak Staff Sergeant

    I've worked through all the final steps you suggested except for purging the restore points and creating a new one, which I will do as soon as I log out of MG after finishing this post.

    All the old accounts show no symptoms of any spyware and the "mommy" account which was showing the worst continuing symptoms of infection, was, as mentioned previously, deleted and we created a new account to replace that one. Thus, as far as I can determine, the system seems to be clean of malware currently.

I've also worked through the "How to Protect Yourself..." post and installed some of the recommended freeware (including a firewall, anti-virus, active and passive anti-spyware and a couple of the special programs designed to block particular kinds of malware that might otherwise slip through).

    I am guilty as charged of not carefully making all files and extensions visible. I missed unchecking the "Don't show hidden system files" box but I really had already unchecked the box for "Don't show known file extensions" or whatever it says. Making sure all files and folders are displayed is one of the first things I do when I'm setting up a new system of my own, but I hadn't had to do it for so long that I got careless and wasn't thorough even though I told myself I was working carefully through the instructions. I apologize and appreciate your providing help and instructions even though I wasn't executing them as carefully as I should have.

I'll be returning the formerly infected computer to the owner this afternoon. We'll sit down at the screen so I can show her a couple of the new things I've installed on her system and explain about, among other things, the ZoneAlarm warning popups and how to turn the routine ones off by checking the little box. I've also prepared some printouts with instructions for her about making sure the OS, browsers and security software are updated regularly, running regular scans, and so on. And I'm including a strong recommendation that she and her children visit and make use of the Major Geeks website. I've also printed out and provided a link to the "How to Protect Yourself..." article here.

    Thank you again for your help in clearing up and cleaning out the malware from this friend's system. You guys often make me look so good to my friends, like some computer wizard, though I always mention Major Geeks as a great source of downloads and a source of help and information about computer problems and issues that I frequently use.

    Last, but not least, chaslang....great signature! lmao Wish I'd thought of it, or thought to use it! :D
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

You're welcome. Surf safely and make sure your friends do too. ;)
     
