System Defender has attacked me.

Discussion in 'Malware Help (A Specialist Will Reply)' started by rogvalcox, Feb 18, 2008.

  1. rogvalcox

    rogvalcox MajorGeek

    Unfortunately one of the kids here at the shop has managed to infect the system with System defender. Typically I am good with resolving Malware issues, however this one has gotten the best of me.

    I attempted the "Run and read me first" thread, however I can't run ComboFix or any of the tools/scanners other than CCleaner and MGTools. I can install Spybot and AVG Anti Spyware but cannot run them. I can't even install the Super spyware or whatever it's called. I also tried running such in safe mode to no avail.

    I did in the meantime get System Defender out of the Add/Remove Programs in the control panel, however it obviously is more complicated than that. In the meantime I still have the red circle with the white "X" in the system tray that keeps popping up and telling me I am infected, etc., but of course I am not clicking on it.

    According to the "Run and Read me first" thread it says if you are still infected to attach "such and such" logs to a new thread and explain your problem. So I hope I am reading correctly and I have attached the MGlogs.zip file to this message.

    Thanks
    Roger
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's see if we can get you to be able to do the other scans.

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  3. rogvalcox

    rogvalcox MajorGeek

    Ok...thanks Tim...I am now home from work and will attempt your instructions in the morning and get back with you as soon as I attempt your reply.

    Thanks Again
    Roger
     
  4. rogvalcox

    rogvalcox MajorGeek

    Ok...here we go...

    I did everything you said, however...when the computer rebooted I got this error which would let me do nothing but "Continue". I am assuming it is related to Avenger trying to do what it does on reboot cause it has never come up in the past.

    http://i202.photobucket.com/albums/aa169/thesignguys/ScreenShot.jpg

    In the meantime...I hit continue and it goes away and creates the log file which I have attached along with the MGTools log.

    Also...Ever since this booger invaded my machine, whenever I boot the computer I get a prompt that Windows has detected new hardware and do I want to install it, which I always hit cancel cause like I said...every piece of hardware in this computer was optimized as far as drivers installed, etc., until this System Defender came about. That and the fact that in the Device Manager it says it is an "Unknown Device" and I can't figure out what it could be cause everything looks to be installed and I can't seem to find any hardware that is missing in the Device Manager list...along with the fact that nothing appears to be missing in the every day running of this computer. So I am kind of leery about installing this ghost piece of hardware until I find out if this is a symptom of this System Defender thing or not. So I'm just curious what your take is on this situation?

    Now...back to our regularly scheduled program...the red circle with the white "x" is still in the system tray and is still popping up the annoying system infected message. I still can't run the scanner programs...I double click the shortcut in order to open Spybot and/or AVG Spyware and I get the hour glass for a brief second and the hard drive light flash a couple times but after waiting a minute or two...still nothing...So I will await further instructions.

    Thanks
    Roger
     

    Attached Files:

    Last edited: Feb 19, 2008
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    OK....let's try again ...and make sure that ALL of your security programs are disabled.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  6. rogvalcox

    rogvalcox MajorGeek

    Ok...here are the new logs...other than that...everything is IDENTICAL to a "T" to my last response when we tried those steps the first time.

    Every restart it recreates those files. That's what is really giving me the headache...there doesn't appear to be any services or processes that need to be killed and I have tried every possible angle as far as deleting all the known bad files from all the directories that are related to this issue, but it just keeps coming back!!

    Roger
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No logs .....
     
  8. rogvalcox

    rogvalcox MajorGeek

    Sorry about that...here they are...I'm notorious for that in e-mails!!:eek:

    Roger
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    This is annoying .....please re-do the fix I gave you in safe mode ...if you still see no effect, I want you to go to Bitscan link: agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan, then click Save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
     
  10. rogvalcox

    rogvalcox MajorGeek

    In the midst of the BitDefender scan I am getting a notice that "files that are required for Windows to run properly have been replaced with unrecognized versions" and it's asking me to put in the Windows CD...which is no problem, but should I cancel it with hopes it will come back after the scan is finished, cause it appears to still be scanning, or just leave the notice up to the side and then do the CD after the scan, or just put the CD in and let the processor fight out the prioritizing between the two?

    Roger

    P.S. Never mind...I accidentally hit the mouse button and clicked it off, so maybe an SFC later or something like the such.
     
    Last edited: Feb 19, 2008
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You had very few items running on your system ...so sfc /scannow would be an excellent idea ...and then the scan.
     
  12. rogvalcox

    rogvalcox MajorGeek

    I am only supposedly 20 minutes from the end of an hour and a half scan...so I'm not gonna stop it now, but I will probably work on that while I wait for a reply from you on the BD scan log that I will attach.

    Roger
     
  13. rogvalcox

    rogvalcox MajorGeek

    Ok...I've attached the scan results from the bitdefender scan...

    Roger
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should try to unload the drivers first. See the below suggested fix.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [braviax] braviax.exe
    O20 - AppInit_DLLs: cru629.dat

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Roger\Local Settings\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
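    The fix above names two persistence points (the HKLM Run entry "braviax" and cru629.dat in AppInit_DLLs) and then has the user empty the Temp folders except for today's files. The following PowerShell script is an added example, not part of the thread or of MGtools, that audits those two registry locations and performs the same date-aware Temp cleanup; the entry names come from chaslang's HJT lines, and the Temp folder list and the dry-run default are assumptions made here.

```powershell
# Added example (not from the thread): audit the two autorun entries named in the
# HJT fix above, then clear Temp folders while leaving files from today alone.
# Entry names "braviax" and "cru629.dat" are taken from the thread; the Temp
# folder list below is an assumption standing in for the two folders the post lists.

$runKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$appInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-SuspectAutoruns {
    # Returns one object per matching persistence entry; empty when none are present.
    $findings = @()

    # O4 line: a Run value literally named "braviax"
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['braviax']) {
        $findings += [pscustomobject]@{ Location = "$runKey\braviax"; Value = $run.braviax }
    }

    # O20 line: AppInit_DLLs referencing cru629.dat (loaded into every user32 process)
    $appInit = (Get-ItemProperty -Path $appInitKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit -and $appInit -match 'cru629\.dat') {
        $findings += [pscustomobject]@{ Location = "$appInitKey\AppInit_DLLs"; Value = $appInit }
    }
    return $findings
}

function Clear-OldTempFiles {
    # Deletes everything under each folder whose last write is before today,
    # matching the thread's "except ones from the current date" rule.
    param([string[]]$TempDirs, [switch]$WhatIf)
    $today = (Get-Date).Date
    foreach ($dir in $TempDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -lt $today } |
            Sort-Object FullName -Descending |    # deepest entries first so folders empty out
            ForEach-Object {
                Remove-Item -LiteralPath $_.FullName -Force -Recurse -ErrorAction SilentlyContinue -WhatIf:$WhatIf
            }
    }
}

$findings = Get-SuspectAutoruns
if ($findings) { $findings | Format-Table -AutoSize } else { 'No braviax / cru629.dat autorun entries found.' }

# Assumed folders: the Windows Temp folder and the current user's Temp folder.
# -WhatIf only reports what would be removed; drop it to actually delete.
Clear-OldTempFiles -TempDirs @("$env:SystemRoot\Temp", $env:TEMP) -WhatIf
```

    Run it from an elevated PowerShell prompt. Re-running Get-SuspectAutoruns after a reboot is a quick way to confirm whether the entries are being recreated, which is the behaviour Roger describes earlier in the thread; if they reappear, the loader that writes them is still running and the autorun lines alone are not the root cause.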
  15. rogvalcox

    rogvalcox MajorGeek

    OK...Excellent...that seemed to get rid of that stuff and the red circle in the system tray!!!!

    I've attached the two logs you requested and in the meantime it's time to lock up and go home, but I will follow up with any new instructions in the morning!!

    Also...I can now open the scanner programs!!

    Thanks
    Roger
     

    Attached Files:

  16. rogvalcox

    rogvalcox MajorGeek

    Ok...I'm back on the clock now.

    I see there is no reply for further instructions, so in the meantime I will attempt the "Read and Run" again and hopefully that will wrap things up!!

    In the meantime...I will keep my eye on this thread to see if you have anymore to say, and will keep you posted on the results.

    Thanks Again for the time and effort...you have helped tremendously!!!!

    Roger
     
  17. rogvalcox

    rogvalcox MajorGeek

    Just so you know...I'm not trying to bump and I know I keep knocking myself out of line and it will be longer before you get to my thread, but I think I got it all taken care of. I was able to run all the steps in "Read and Run Me" successfully and it found a couple of things and cleaned them up.

    However...I'm still gonna post my logs if someone can take a peek at them and make sure they look good or if I'm still missing something....whenever you get time!!

    Thanks for all the help!!

    Roger
     

    Attached Files:

  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs look good...If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
    *How to Protect yourself from malware!
     
  19. rogvalcox

    rogvalcox MajorGeek

    Thanks a bunch tim...I talked to chas and I am going to do the online malware university and who knows...maybe soon we'll be hanging in the breakroom here at MG

    Thanks Again
    Roger
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are welcome ...we could always use the help. :)
     