Was infected with defender.exe - Is it gone now?
#1 MarkBuckley (Members, 4 posts)

Posted 22 June 2011 - 10:39 AM

Yesterday someone I don't know sent me an @message on Twitter, with a link in it. I received the message running TweetDeck under Windows XP, with Firefox as my default browser. When I clicked the link, a bogus "virus scan" program started, and all of my applications started closing. I couldn't even open the Task Manager. I'll put the link here in case anyone wants to figure out how it did what it did (JavaScript?), but obviously don't go to it unless you know what you're doing. I added [REMOVE] in it so somebody doesn't click it by accident. http://www.philippine-dre[REMOVE]ams.com/clickbank/?hop=tweettwain

Whenever I rebooted, this bogus virus scanner popped right back up, so I rebooted into safe mode and used msconfig to look at what was starting. I found the offending program, which was C:\Documents and Settings\All Users\Application Data\defender.exe. I deleted it from startup, as well as the file itself. When I rebooted, everything seemed okay, but after an hour or so the bogus scanner started again, and defender.exe was back. At that point I deleted it again and used Malwarebytes to do a quick scan. It found a lot of infected files (I think it was around 20). I let Malwarebytes remove them, and activated Enable Protection and Website Blocking from within Malwarebytes. With the computer sitting idle, every few minutes Malwarebytes would alert that it "blocked access to" or "blocked access from" various IPs. Some said "type: incoming" and some said "type: outgoing". Some of those IPs were:

82.80.245.166
218.7.221.62
222.69.107.30
218.8.129.93
60.173.11.56
219.146.254.210
222.64.10.80
121.10.120.182
69.162.102.178
93.174.93.237
82.80.245.166

At that point I deleted some registry keys that someone on a different forum had suggested to someone with a similar problem, ran the Microsoft Malicious Software Removal Tool, turned on the Windows firewall (there hadn't previously been a software firewall running), and started Microsoft Security Essentials. I may have taken other steps as well that I don't recall. In any case, the "blocked access" messages stopped, and the bogus virus scanner hasn't returned. It's been about 12 hours.

So, is there anything else I should do? Is there some way to know for sure that my computer isn't infected with any more malware? Thanks.
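As an added example (not part of the original post, and not code from Malwarebytes or any other tool it mentions): a PowerShell script that lists the autostart locations a rogue "antivirus" of this kind typically uses to come back after a reboot, and flags any entry whose command runs out of All Users\Application Data (where the poster found defender.exe), a per-user profile data directory, or %TEMP%. It assumes Windows PowerShell 2.0 has been installed on the XP machine (XP does not ship with it) and that it is run from an administrator account; the directories and registry keys it checks are standard Windows locations, and the function names are the example's own.

```powershell
# Added example, not from the original post. Enumerates the autostart locations a
# rogue scanner typically abuses on Windows XP and flags entries whose command lives
# under a writable data directory. Assumes Windows PowerShell 2.0 on XP, run as admin.

$suspectRoots = @(
    [Environment]::GetFolderPath('CommonApplicationData'),  # ...\All Users\Application Data
    [Environment]::GetFolderPath('ApplicationData'),        # ...\<user>\Application Data
    [Environment]::GetFolderPath('LocalApplicationData'),   # ...\<user>\Local Settings\Application Data
    $env:TEMP
) | Where-Object { $_ }

function Test-SuspectPath([string]$Command) {
    # True when the command line references one of the writable data directories above.
    foreach ($root in $suspectRoots) {
        if ($Command -and $Command.ToLower().Contains($root.ToLower())) { return $true }
    }
    return $false
}

function New-Entry($Source, $Name, $Command) {
    New-Object PSObject -Property @{
        Source  = $Source
        Name    = $Name
        Command = $Command
        Suspect = Test-SuspectPath $Command
    }
}

$entries = @()

# 1. Run/RunOnce keys and Startup folders for every profile (the same places msconfig shows).
Get-WmiObject Win32_StartupCommand | ForEach-Object {
    $entries += New-Entry "$($_.Location) [$($_.User)]" $_.Name $_.Command
}

# 2. Winlogon Shell and Userinit: replacing these starts a program before the desktop loads.
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$entries += New-Entry 'Winlogon' 'Shell'    $winlogon.Shell
$entries += New-Entry 'Winlogon' 'Userinit' $winlogon.Userinit

# 3. Image File Execution Options "Debugger" values: a common way to stop taskmgr.exe
#    and security tools from ever launching.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath).Debugger
    if ($dbg) { $entries += New-Entry 'IFEO Debugger' $_.PSChildName $dbg }
}

# 4. Scheduled tasks: a task that re-runs a dropper is one explanation for a file that
#    reappears an hour after it was deleted.
schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv | ForEach-Object {
    $entries += New-Entry 'Scheduled Task' $_.TaskName $_.'Task To Run'
}

# Show everything, suspicious entries first, so the full list is reviewed rather than filtered.
$entries | Sort-Object Suspect -Descending | Format-Table Suspect, Source, Name, Command -AutoSize -Wrap
```

The output answers the narrower question of what still starts automatically, which is the part of the poster's procedure that msconfig only covers partially (it does not show Winlogon, IFEO or scheduled-task entries). A clean list does not by itself prove the machine is free of malware; it just removes the persistence points that would explain defender.exe returning after deletion.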
