
Defense Center Virus, Won't Leave!


16 replies to this topic

#1 Turbophein

  • Members
  • 9 posts

Posted 29 June 2010 - 10:14 AM

I signed up a couple of days ago, did some reading and found the how-to to remove Defense Center. I have done it 4 times now with no success. The first time it removed 20 infected files. Now it only finds 2 corrupt files, supposedly removes them, but when I do the scan again they are still there.

This virus is annoying, to say the least.

Thanks ahead of time, guys.



#2 Terry Turn

  • Members
  • 15 posts
  • Gender: Female
  • Location: India

Posted 29 June 2010 - 10:47 AM

Hi
The following solution will remove the Defense Center pop-up:
> Restart the computer in safe mode
> Delete the following file from the location
C:\Program Files\Defense Center\defcnt.exe
Terry Turn

#3 Stuart North

  • Members
  • 1 post

Posted 29 June 2010 - 10:58 AM

Hi There,

I have been trying to resolve this issue for one of my users today.

I had tried Malwarebytes previously (and a combo of Spybot S&D / AdAware SE / Process Explorer (this is useful to have when Task Manager gets disabled)).

It seems that Malwarebytes, for all the good it did, misses something, and 2 weeks later the problem occurred again.

So this time I did the removals manually.

To start with, get your system into Safe Mode (press F8 when the system is booting, then select Safe Mode with Networking).

Once you get to that state, that's when you should do your scans; make sure they're full (deep) scans. I tend to use the free trials of various products and save the log files instead of buying the product. Once you have a log from Malwarebytes / AdAware / Spybot, go through them individually and remove the nasties it highlights. (This is a time-consuming process, so don't start it at 4:45 and expect to be out at 5; I spent about 4 hours today tidying my guy's system, and I still need a HijackThis geek/guru to run over my log just to double-check it.)

I made notes of the various files/registry entries it found (you will have to excuse the scribbles on the sheet, as I was trying to work out what Malwarebytes removed last week and what was now causing the problem).

To have a lookie at my list, it can be downloaded from my site, which is http://www.mmorpggeek.com/defense_centre_notes.pdf (I do have an online game forum attached to the site if you go hunting for it, but this isn't an advert attempt {lol, as I just mentioned, I run a forum and get annoyed when people advertise others ;-) so sorry Mod/Admin, if you take offense please feel free to download a copy of the file and rehost it on a BleepingComputer site, and accept my humblest apologies :-) )

In today's case the Task Manager was disabled, and when IE was opened it would hang the PC for about 10 minutes, then gradually appear to work, then it would crash totally.

After removing the registry entries (at the bottom of the attached PDF) IE was still being very slow to respond (I always start with reg entries, as they have a habit of rewriting things that you have deleted when you inadvertently click Yes to the "would you like to reboot" question which you get when cleaning PCs :-) ).

When I deleted the _favdata.dat from the C:\docs settings\all users\favourites folder, IE decided it wanted to work like new again.

When you have removed the various entries and associated files (again listed in the PDF), give the system a reboot and double-check your Task Manager; if it's not disabled anymore, that's a good sign that the registry entries haven't been rewritten.

Once you've got that sorted, I suggest running a HijackThis scan, making a copy of the log and then uploading it to a thread here (probably best in this one, I assume, to keep things tidy), and then asking one of the many HJT gurus to have a quick browse of it.

Annnnd then you will be at the same point I'm at now, and hopefully the system will be clean.

If I find out anything juicy that I missed, I'll shout.

All the best

Stuart
(I'll get my log uploaded tomorrow now, as I'm finishing in 4 minutes :-) )

P.S. If you follow Terry's advice you will just be wasting the time it takes to reboot, as I found 41 other things that need to be removed; all are in the PDF. (The ones that say "removed" next to them were the ones Malwarebytes got first time round; the rest remained.)

Edited by Stuart North, 29 June 2010 - 10:59 AM.


#4 Turbophein

  • Topic Starter
  • Members
  • 9 posts

Posted 29 June 2010 - 10:13 PM

    Hi
    The following solution will remove the Defense Center pop-up:
    > Restart the computer in safe mode
    > Delete the following file from the location
    C:\Program Files\Defense Center\defcnt.exe

I tried to delete the whole file, but it wouldn't let me. I did, however, delete most of the sub-files in that folder except for one; it was file protected. I don't see the Defense Center logo, though, so I will give it a day or two and see what happens.

Thanks

#5 Terry Turn

  • Members
  • 15 posts
  • Gender: Female
  • Location: India

Posted 30 June 2010 - 03:14 AM

Have you tried deleting in safe mode?
Terry Turn

#6 Elise

  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,248 posts
  • Gender: Female
  • Location: Romania

Posted 30 June 2010 - 04:59 AM

Turbophein, can you please post the MBAM log that shows the files that keep returning?

Those rogues are extremely persistent most times, and it's not as simple as deleting the file, because they have attached registry entries and usually a few in-built tricks that make it extremely hard to just delete them.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 Turbophein

  • Topic Starter
  • Members
  • 9 posts

Posted 30 June 2010 - 09:32 AM

Scan type: Full scan (C:\|D:\|)
Objects scanned: 192139
Time elapsed: 40 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.59,93.188.161.189 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1611f922-5369-482a-a93b-0955b80aa282}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.59,93.188.161.189 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8563c901-b2d1-4eb2-ab14-1ed971357afc}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.59,93.188.161.189 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)


    Have you tried deleting in safe mode?

Yes, I deleted them in safe mode...

#8 Elise

  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,248 posts
  • Gender: Female
  • Location: Romania

Posted 30 June 2010 - 10:55 AM

Hi again,

Please right click on your Internet Connection icon in the System Tray and select Status. In the Status window click the Options button.

Look under "this connection uses the following items" and highlight Internet Protocol (TCP/IP). Click Properties.

On the General tab, make sure "Obtain an IP address automatically" and "Obtain DNS server address automatically" are both ticked.
On the Alternate Configuration tab, make sure "Automatic private IP address" is ticked.

Click OK to exit the Properties and OK to exit the other windows as well.

Now, click Start > Run and type cmd in the Run box.

A command window will open. Type ipconfig /flushdns and press Enter.


Please run Notepad (Start > All Programs > Accessories > Notepad) and copy and paste the text in the code box into a new file:
@echo off
(ipconfig /all
nslookup google.com
nslookup yahoo.com
ping -n 2 google.com
ping -n 2 yahoo.com
route print) >>Log1.txt
start notepad Log1.txt
del %0
Go to the File menu at the top of Notepad and select Save as.
Select save in: Desktop
Fill in File name: test.bat
Save as type: All file types (*.*)
Click Save.
Close Notepad.
Locate and double-click test.bat on the desktop.
A Notepad window opens; copy and paste its content (Log1.txt) into your reply.

regards, Elise


#9 Turbophein

  • Topic Starter
  • Members
  • 9 posts

Posted 03 July 2010 - 09:37 AM

I just did what you asked.

Windows IP Configuration

Host Name . . . . . . . . . . . . : matt-55e2905a4c
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : hsd1.ma.comcast.net.

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-12-3F-80-FC-27

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : hsd1.ma.comcast.net.
Description . . . . . . . . . . . : Atheros Wireless Network Adapter
Physical Address. . . . . . . . . : 00-0B-6B-34-1B-77
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
Lease Obtained. . . . . . . . . . : Saturday, July 03, 2010 10:27:09 AM
Lease Expires . . . . . . . . . . : Saturday, July 10, 2010 10:27:09 AM

Server: UnKnown
Address: 192.168.0.1

Name: google.com
Addresses: 72.14.204.104, 72.14.204.103, 72.14.204.147, 72.14.204.99

Server: UnKnown
Address: 192.168.0.1

Name: yahoo.com
Addresses: 69.147.125.65, 98.137.149.56, 67.195.160.76, 209.191.122.70
72.30.2.43

Pinging google.com [72.14.204.147] with 32 bytes of data:

Reply from 72.14.204.147: bytes=32 time=28ms TTL=52
Reply from 72.14.204.147: bytes=32 time=26ms TTL=52

Ping statistics for 72.14.204.147:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 26ms, Maximum = 28ms, Average = 27ms

Pinging yahoo.com [72.30.2.43] with 32 bytes of data:

Reply from 72.30.2.43: bytes=32 time=108ms TTL=52
Reply from 72.30.2.43: bytes=32 time=109ms TTL=52

Ping statistics for 72.30.2.43:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 108ms, Maximum = 109ms, Average = 108ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 12 3f 80 fc 27 ...... Broadcom 440x 10/100 Integrated Controller - Packet Scheduler Miniport
0x3 ...00 0b 6b 34 1b 77 ...... Atheros Wireless Network Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.100 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.100 192.168.0.100 25
192.168.0.100 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.0.255 255.255.255.255 192.168.0.100 192.168.0.100 25
224.0.0.0 240.0.0.0 192.168.0.100 192.168.0.100 25
255.255.255.255 255.255.255.255 192.168.0.100 2 1
255.255.255.255 255.255.255.255 192.168.0.100 192.168.0.100 1
Default Gateway: 192.168.0.1
===========================================================================
Persistent Routes:
None
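The DNS check Elise walks through in post #8, and the ipconfig /all output Turbophein pasted in reply, as a script. This is an added example, not code from this thread or from BleepingComputer: it parses ipconfig /all output into per-adapter fields (handling the dotted-leader layout and indented continuation lines that carry a second DNS server) and then flags any DNS server that matches the resolvers MBAM reported under Trojan.DNSChanger in post #7, or that is a public address rather than the local gateway. The sample output below is constructed, modelled on the one posted; the third adapter, "Hijacked Example", is an assumption added to show what the failing case looks like.

```python
import ipaddress
import re

# Constructed sample modelled on the `ipconfig /all` output posted in this thread. The third
# adapter ("Hijacked Example") is an assumption added for illustration: DHCP is still on, but
# its DNS servers are the two resolvers MBAM reported under Trojan.DNSChanger in post #7, which
# is what a NameServer registry override looks like from ipconfig's point of view.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Host Name . . . . . . . . . . . . : matt-55e2905a4c
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller

Ethernet adapter Wireless Network Connection:

Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
Lease Obtained. . . . . . . . . . : Saturday, July 03, 2010 10:27:09 AM

Ethernet adapter Hijacked Example:

Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.101
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 93.188.162.59
                                    93.188.161.189
"""

# Resolvers MBAM flagged in the Trojan.DNSChanger entries posted earlier in this thread.
KNOWN_ROGUE = ("93.188.162.59", "93.188.161.189")

ADAPTER_RE = re.compile(r"^\S.* adapter (?P<name>.+):$")
# Windows prints fields as "Key . . . : value"; the dotted leader is what separates key from value,
# so a value containing colons (a timestamp, an IPv6 address) cannot be mistaken for a key.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 /-]*?)[ .]*\.[ .]*:\s?(?P<value>.*)$")


def parse_ipconfig(text):
    """Return {adapter_name: {field: [values]}}; the global header is keyed 'Windows IP Configuration'."""
    adapters = {}
    current = None
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group("name"), {})
            last_key = None
            continue
        if line == "Windows IP Configuration":
            current = adapters.setdefault(line, {})
            last_key = None
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            last_key = m.group("key").strip()
            value = m.group("value").strip()
            current.setdefault(last_key, [])
            if value:
                current[last_key].append(value)
        elif current is not None and last_key and line[:1].isspace():
            # Indented line with no key: an extra value for the previous field (e.g. a 2nd DNS server)
            current[last_key].append(line.strip())
    return adapters


def dns_findings(adapters, known_rogue=KNOWN_ROGUE):
    """(adapter, server, reason) for every DNS server that matches a known rogue resolver, plus
    public resolvers on a connected adapter, which on a home network behind a router deserve a look."""
    rogue = {ipaddress.ip_address(a) for a in known_rogue}
    findings = []
    for name, fields in adapters.items():
        if name == "Windows IP Configuration":
            continue
        if any(v.startswith("Media disconnected") for v in fields.get("Media State", [])):
            continue
        for value in fields.get("DNS Servers", []):
            try:
                server = ipaddress.ip_address(value)
            except ValueError:
                continue  # e.g. an IPv6 address with a %zone suffix; not handled here
            if server in rogue:
                findings.append((name, value, "known rogue resolver"))
            elif not server.is_private:
                findings.append((name, value, "public resolver; confirm it is your ISP's or one you set"))
    return findings


if __name__ == "__main__":
    for adapter, server, reason in dns_findings(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(f"{adapter}: DNS {server} -> {reason}")
```

On the affected machine, `ipconfig /all > ipconfig.txt` and feeding that file to parse_ipconfig gives the same check over real output. The "public resolver" reason is deliberately a review item rather than a verdict: a PC plugged straight into a modem legitimately receives public ISP resolvers from DHCP, whereas the box in this thread gets its DNS from the router at 192.168.0.1, so anything else there is worth explaining.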

#10 Elise

  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,248 posts
  • Gender: Female
  • Location: Romania

Posted 03 July 2010 - 09:54 AM

Please rerun MBAM now and post me the resulting log.

regards, Elise


#11 Turbophein

  • Topic Starter
  • Members
  • 9 posts

Posted 03 July 2010 - 12:31 PM

It found 19 errors.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.11

7/3/2010 11:14:44 AM
mbam-log-2010-07-03 (11-14-44).txt

Scan type: Full scan (C:\|)
Objects scanned: 174458
Time elapsed: 29 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e29b0adc-d188-41d0-840b-89cfb6b71802} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e29b0adc-d188-41d0-840b-89cfb6b71802} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e29b0adc-d188-41d0-840b-89cfb6b71802} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noqbayei (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noqbayei (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jpbvt.dll (Adware.EZlife) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D1819994-B4D1-456B-B305-FF2BE7F72969}\RP2\A0003089.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\LastGood\system32\drivers\aec.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\insrqckpp\wvehlfntssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

#12 Turbophein

  • Topic Starter
  • Members
  • 9 posts

Posted 03 July 2010 - 12:37 PM

I also just deleted the locked files using the MBAM unlocker, so they're gone... I am running another full scan now...

EDIT:

Wow, it found 15 files in like 10 sec so far...

Edited by Turbophein, 03 July 2010 - 12:38 PM.


#13 Elise

  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,248 posts
  • Gender: Female
  • Location: Romania

Posted 03 July 2010 - 12:55 PM

Okay, post me the results of that full scan as well.

regards, Elise


#14 Turbophein

  • Topic Starter
  • Members
  • 9 posts

Posted 03 July 2010 - 05:54 PM

I should have mentioned that I updated the MBAM software before doing the scan. It found 105 infected files this time....

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4271

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

7/3/2010 6:06:30 PM
mbam-log-2010-07-03 (18-06-30).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 187623
Time elapsed: 36 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 26
Registry Values Infected: 10
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 62

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\vicons.dll (Trojan.Agent.Gen) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cscrptxt.cscrptxt.1.0 (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{84c3c236-f588-4c93-84f4-147b2abbe67b} (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38061edc-40bb-4618-a8da-e56353347e6d} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7b6a2552-e65b-4a9e-add4-c45577ffd8fd} (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e0ec6fba-f009-3535-95d6-b6390db27da1} (Adware.EZlife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{35b5a4da-7252-4069-8d3a-a376a24d7625} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{35b5a4da-7252-4069-8d3a-a376a24d7625} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{35b5a4da-7252-4069-8d3a-a376a24d7625} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallMTF1011$ (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$NtUninstallWTF1012$ (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Sky-Banners (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\V71IQL7HI7 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adgj.aghlp.1 (Adware.EZLife) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr (Adware.Adrotator) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adshothlpr.adshothlpr.1.0 (Adware.Adrotator) -> Quarantined and deleted successfully.

Edited by Turbophein, 03 July 2010 - 05:55 PM.
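A reader of the MBAM logs posted in this thread (posts #7, #11 and #14), added here as an example; it is not code from the thread or from Malwarebytes. It parses each detection line into item, category, optional Data field and action, pulls the rogue resolver addresses out of Trojan.DNSChanger entries like the two in post #7, and compares the summary counts at the top of the log with the entries actually listed underneath. That last check is how to tell a pasted log was cut off, which is what happened to the log above: the header counts 26 registry keys and 62 files, but 19 keys and no files follow. The sample log is constructed from lines in the thread, shortened, with its Files section deliberately truncated to show that case.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Malwarebytes 1.46 log layout, built from lines posted in this thread
# and shortened. The "Files Infected" summary says 3, but only one entry follows, imitating a log
# that was cut off when it was pasted into a reply.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4271

Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center (Rogue.DefenseCenter) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noqbayei (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.59,93.188.161.189 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1611f922-5369-482a-a93b-0955b80aa282}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.59,93.188.161.189 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\vicons.dll (Trojan.Agent.Gen) -> Delete on reboot.
"""

SECTIONS = (
    "Memory Processes Infected", "Memory Modules Infected", "Registry Keys Infected",
    "Registry Values Infected", "Registry Data Items Infected", "Folders Infected", "Files Infected",
)
# Summary block at the top of the log: "Registry Keys Infected: 14"
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# Detail line: "<item> (<category>) [-> Data: <data>] -> <action>"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<category>[^()]+)\)(?: -> Data: (?P<data>.+?))? -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return (summary_counts, entries_by_section) for an MBAM 1.x log."""
    counts = {}
    entries = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            counts[m.group("section")] = int(m.group("count"))
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]  # start of a detail section
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[section].append(m.groupdict())
    return counts, dict(entries)


def truncated_sections(counts, entries):
    """Sections whose summary count exceeds the entries actually present: the log was cut off."""
    return {s: (n, len(entries.get(s, []))) for s, n in counts.items() if n > len(entries.get(s, []))}


def rogue_dns_servers(entries):
    """Resolver addresses written into NameServer values, taken from Trojan.DNSChanger data items."""
    servers = set()
    for e in entries.get("Registry Data Items Infected", []):
        if e["category"] == "Trojan.DNSChanger" and e["data"]:
            servers.update(ip.strip() for ip in e["data"].split(","))
    return sorted(servers)


def category_summary(entries):
    """How many detections of each family, across all sections."""
    return Counter(e["category"] for section in entries.values() for e in section)


if __name__ == "__main__":
    counts, entries = parse_mbam_log(SAMPLE_LOG)
    print("families:", dict(category_summary(entries)))
    print("rogue DNS servers:", rogue_dns_servers(entries))
    print("truncated sections:", truncated_sections(counts, entries))
```

Pointing parse_mbam_log at a saved mbam-log-*.txt works the same way; the rogue resolver list is the input to an ipconfig or router check, and a non-empty truncated_sections result is the cue to ask for the rest of the log before judging whether the cleanup is complete.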


#15 Elise

  • Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,248 posts
  • Gender: Female
  • Location: Romania

Posted 04 July 2010 - 01:26 AM

Did you post only part of the log because it was too long, or did it get cut off?

If it was too long to post, could you please post the folders that were deleted?

How are things running now?

regards, Elise




