Defense Center Infection

No replies to this topic

#1 wsb9437

Members, 1 posts

Posted 28 June 2010 - 11:04 AM

Yesterday the family computer was attacked by Defense Center, which asked me to purchase their AV to prevent further infection. Of course I didn't, and I found this site from a secure computer.

I followed the instructions here: http://www.bleepingcomputer.com/virus-remo...-defense-center

After the scan and reboot everything seems back to normal. However, the safe-mode icon for MBAM was different from the regular-mode one (regular mode had a Windows Security Center shield in the corner of the icon; safe mode did not). Am I paranoid, or is this normal?

I'm just not sure if I am completely clean. Here are the MBAM logs, run from safe mode as the walkthrough suggests.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4247

Windows 6.0.6001 Service Pack 1 (Safe Mode)
Internet Explorer 7.0.6001.18000

6/27/2010 1:39:12 PM
mbam-log-2010-06-27 (13-39-12).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 255624
Time elapsed: 47 minute(s), 24 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 22

Memory Processes Infected:
C:\Users\Family\AppData\Local\Temp\AUTMGR32.EXE (Trojan.Dropper) -> Unloaded process successfully.
C:\Users\Family\AppData\Local\Temp\wscsvc32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\Users\Family\AppData\Local\Temp\mschrt20ex.dll (Rogue.DefenseCenter) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dduriwakecofe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bsubeku (Trojan.Agent.U) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\secfile\shell\open\command\(default) (Rogue.MultipleAV) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (secfile) Good: (exefile) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Family\AppData\Local\Temp\AUTMGR32.EXE (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Family\AppData\Local\Temp\mschrt20ex.dll (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
C:\Users\Family\AppData\Local\VAusbmsp.dll (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
C:\Users\Family\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R5BQPG3C\setup[1].exe (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
C:\Users\Family\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8HRNS4H\139-direct[1].ex (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Family\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R8HRNS4H\setup[1].exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
C:\Users\Family\AppData\Local\Temp\OpDGwgFvti.exe (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
C:\Users\Family\AppData\Local\Temp\PRAGMAbb43.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Family\AppData\Local\Temp\RRbaYeIxjo.exe (Trojan.Hiloti.Gen) -> Quarantined and deleted successfully.
C:\Users\Family\AppData\Local\Temp\tmp19D6.tmp.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Users\Family\AppData\Local\Temp\topwesitjh (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Family\AppData\Local\Temp\VXuTVMSoqn.exe (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
C:\Users\Family\Desktop\nudetube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Users\Family\Desktop\pornotube.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Users\Family\Desktop\spam001.exe (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Family\Desktop\spam003.exe (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Family\Desktop\troj000.exe (Malware.Trave) -> Quarantined and deleted successfully.
C:\Users\Family\Desktop\youporn.com.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Users\Family\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Family\AppData\Local\Temp\0.1535011354304675.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Family\AppData\Local\Temp\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Users\Family\AppData\Local\ewopiban.dll (Trojan.Agent.U) -> Quarantined and deleted successfully.
