
Perfect Defender Malware?


20 replies to this topic

#1 Tekk


Posted 04 December 2008 - 05:05 PM

A few days ago this started, apparently stemming from normally browsed sites. My roommate got a virus that imitates Windows Firewall and claims it has found a positive threat, and directs you to download Perfect Defender 2009. It blocks all helpful scans and programs, or otherwise renders them useless by the scans showing nothing.

Most installations are blocked, and all the programs I've managed to try have shown nothing. SmitRep found nothing. SmitFraudFix errors out before even beginning. Ad-Aware found nothing. Avast! found nothing. CCleaner and ATF Cleaner did work and cleaned up plenty of files, but it either had no effect or was forced to overlook the files that need deleting. System Restore also does nothing, as the program blocks it from reverting to a previous state.

Working in Safe Mode still renders most programs inoperable and still redirects any internet traffic to spam sites. So! With no other programs or thoughts left to turn to, I come here for help. Does anyone have an idea, or should reformatting become my final option?

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

Edited by Animal, 04 December 2008 - 06:55 PM.




#2 hamluis


Posted 04 December 2008 - 06:40 PM

http://www.bleepingcomputer.com/malware-re...t-defender-2009

Louis

#3 Tekk


Posted 04 December 2008 - 06:44 PM

Already went through all that, but thank you for trying to help. Sorry I forgot to mention that too, slipped my mind. Malwarebytes' does not install; it seems to be blocked as well. That guide was actually the first bit I tried...and Perfect Defender isn't installed on his computer yet. It's just the annoying pop-ups and whatnot that try to route him into buying it.

And thanks for that move Animal! Sorry I didn't see the Security forum earlier, my bad.

Edited by Tekk, 04 December 2008 - 07:10 PM.


#4 scff249


Posted 04 December 2008 - 07:11 PM

If MBAM isn't installing, you can try to rename the file to something else like "blah.exe" or whatever you desire. Try that and see if it installs then.

"Ototo'i wa usagi o mita no...Kino wa shika...Kyo wa anata." -Kotomi Ichinose (Clannad) [see below for translation]
"Day before yesterday I saw a rabbit, and yesterday a deer, and today, you." -The Dandelion Girl
"You are not alone, and you are not strange. You are you, and everyone has damage. Be the better person." -Katawa Shoujo


#5 Tekk


Posted 04 December 2008 - 07:24 PM

Took your suggestion, scff and got it installed! It didn't quite finish the installation, but it went in. Unfortunately the program doesn't start in normal settings or in safe mode. It still refuses to come up.

#6 scff249


Posted 04 December 2008 - 07:28 PM

Can you explain what you mean by it didn't finish installation?


#7 Tekk


Posted 04 December 2008 - 07:29 PM

The setup ended with "Finishing" on the progress bar, but never passed that point.

#8 scff249


Posted 04 December 2008 - 07:36 PM

Maybe try to uninstall and reinstall it to see what happens. If the same thing happens, let it sit there for a few minutes to see if it installs. If an error report comes up about the installation failing, can you give the details of what it says?

If it's something else, please say so.

One more thing, assuming with where your topic came from, is the OS on the infected computer Windows XP?

Edited by scff249, 04 December 2008 - 07:37 PM.


#9 Tekk


Posted 04 December 2008 - 08:03 PM

Alright! Installed Malwarebytes' correctly this time, no installation error. Unfortunately the program still doesn't start. The process is visible in the Task Manager, but no window pops up for the program itself.

As for the OS, yes. It's Windows XP Home SP3.

#10 scff249


Posted 04 December 2008 - 08:23 PM

At least it installed this time. With this issue, try going to the MBAM folder in your Program Files. Find mbam.exe in there and change the .exe part to something else like .bat, .com, .pif, or .scr and double click on that to run.

Edited by scff249, 04 December 2008 - 08:24 PM.


#11 Tekk


Posted 04 December 2008 - 08:34 PM

Okay! I ran it through a Quick Scan and huzzah, it worked! I found 13 items and deleted them. Any other programs I should run or things I should test?

Secondary thought, should I post the log of my first scan?

Edited by Tekk, 04 December 2008 - 08:38 PM.


#12 scff249


Posted 04 December 2008 - 09:04 PM

Just post the log of your first scan for the time being so that the staff can review it. I'll see if I can find someone who can help as I'm not directly authorized to give any suggestions to what anti-malware tools to use (at least I assume according to forum rules if I interpreted it right).


#13 Tekk


Posted 04 December 2008 - 09:14 PM

Okay! Incoming log for my first Quick Scan.

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

12/4/2008 6:30:11 PM
mbam-log-2008-12-04 (18-30-11).txt

Scan type: Quick Scan
Objects scanned: 48054
Time elapsed: 2 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nah_Shell (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpseti (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Adam\nah_uyvm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Adam\Application Data\Google\runhh6110411.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Adam\Application Data\Google\mscscc.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
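
An added example, not part of the original thread and not Malwarebytes' own tooling: a small Python parser for the log format in the post above that checks each section's declared count against the entries actually listed and picks out detections sitting in autostart locations (the `Run` key and `Winlogon\Userinit`), which are loaded at every logon. The `LOG` excerpt is copied from the post; the function names and the `AUTOSTART` list are this example's own assumptions.

```python
import re
from collections import Counter

# Excerpt (two sections only) of the MBAM log posted above; the rest is omitted.
LOG = r"""Registry Values Infected: 3
Registry Data Items Infected: 2

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nah_Shell (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpseti (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> Quarantined and deleted successfully.
"""

SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+) Infected: (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
ENTRY = re.compile(r"^(?P<object>.+?) \((?P<family>[\w.]+)\) -> "
                   r"(?:Data: (?P<data>.*?) -> )?(?P<action>.+)$")
# Assumed shortlist of logon autostart locations (lowercase substrings), not exhaustive.
AUTOSTART = ("\\currentversion\\run\\", "\\currentversion\\runonce\\", "\\winlogon\\userinit")

def parse_log(text):
    """Return (declared count per section, list of detection entries)."""
    declared, entries, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SUMMARY.match(line):
            declared[m["section"]] = int(m["count"])
        elif m := HEADER.match(line):
            section = m["section"]
        elif section and (m := ENTRY.match(line)):
            entries.append({"section": section, **m.groupdict()})
    return declared, entries

def triage(text):
    """Return (sections whose declared and listed counts differ, autostart detections)."""
    declared, entries = parse_log(text)
    listed = Counter(e["section"] for e in entries)
    mismatched = {s: (n, listed[s]) for s, n in declared.items() if n != listed[s]}
    autostart = [e for e in entries if any(k in e["object"].lower() for k in AUTOSTART)]
    return mismatched, autostart

if __name__ == "__main__":
    mismatched, autostart = triage(LOG)
    print("count mismatches:", mismatched or "none")
    for e in autostart:
        print(f'{e["family"]:18} {e["object"]}  data={e["data"]!r}')
```

A non-empty mismatch result means the pasted log was truncated or edited before posting, which is worth knowing before relying on it for cleanup decisions.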

#14 scff249


Posted 04 December 2008 - 09:25 PM

Forgot something. Open MBAM, update it, and do a full scan now and post that log.


#15 Tekk


Posted 04 December 2008 - 09:29 PM

Can't get it to update at the moment, but my database is listed as 12/03/08, so I assume it's...pretty much fine. I didn't want to restart anything yet to get into Safe Mode with Networking, so I could do that...or I can go run the scan in a normal startup. Wasn't sure which to do, so I just ran the scan in Safe Mode. If it's a better idea to try to get the updates and run a scan on a normal startup, let me know.



