Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Defender.exe infection on XP Home

  • Please log in to reply
2 replies to this topic

#1 CharlieB53


  • Members
  • 9 posts
  • Local time:05:03 AM

Posted 10 August 2011 - 07:12 AM

Third attempt to clean G'son's laptop of the Defender.exe failed again. Frustration level is 'high'.

Restart in 'Safe' mode and run Regedit to remove the 'Run' key. Run 'Malwarebytes' to remove the infection, deleting all found files. Also ran SP3 update from a previous download.

Restart and attempt to install AVG, midway through install Zone Alarm pops up a warning a file is attempting to connect out, I Deny it, the Defender icon reappears on the desktop, the Defender window opens, killing the AVG install, and I'm back at square one.

Where is the 'Run' key that I missed?

Where is the source of the infection that Malwarebytes misses?

Looking at your posting http://www.bleepingcomputer.com/forums/topic34773.html and will try running DDS Tool to see what it finds immediately after next round, will run in Safe after Malwarebytes, then again after normal restart to compare the two.

If he didn't already have schoolwork on it I would Reformat and start over clean.

Any assistance will be greatly appreciated.



Edited by hamluis, 10 August 2011 - 09:43 AM.
Moved to Am I Infected from XP.

BC AdBot (Login to Remove)


#2 BobintheNoc


  • Members
  • 1 posts
  • Local time:02:03 AM

Posted 10 August 2011 - 01:32 PM

I've had a couple of Defender.EXE infections in the past two days. Most useful tools that helped me: Autoruns and Procexp, from Sysinternals/Microsoft.

The defender.exe process was found within the user profile, application data folder. There were several other dropped .exe files, including conhost.exe, csrss.exe, dwm.exe, most stored in c:\documents and settings\username\local settings\temp

The processes were running, and in memory, Windows task manager was unable to kill since they were marked as critical system processes. Process Explorer had no trouble killing them. After killing, the source .EXE can be deleted. If you don't kill them all, they respawn again. Since I couldn't kill and delete them all fast enough, I staged some txt files with the same names, had them in my paste buffer--after killing the live running process, then deleting the single .exe file, I'd paste the empty text file with the same name into the folder. Eventually, got them all.

Autoruns.exe from sysinternals show multiple points of loading, including HKLM\software\microsoft\windows\currentversion\run\ and same spot in user hkcu\software\microsoft\windows\currentversion\run, but there were some additional entries and tags on the ends of explorer.exe for the shell entries. Also, another location, labeled LOAD in registry contained references to the dropped .exe files (csrss, dwm, conhost)

Open process explorer, turn on the extra columns to show COMMAND LINE and IMAGE PATH, if you see stuff coming from anything like a temp folder to from the user profile area, chances are that it's not good.

Bob In The NOC

#3 CharlieB53

  • Topic Starter

  • Members
  • 9 posts
  • Local time:05:03 AM

Posted 15 August 2011 - 09:46 AM

Malwarebytes reported no infection

Defender kept appearing after being on-line for a little bit.

Managed to download and install free AVG and update. It was a royal PITA as something kept killing the installation process. After many attempts I got it done, then took a lot more before I finally got AVG updated. AVG did stop the download and installation of Defender, catching it and placing each attempt in quarantine, but have not yet found the trigger file that keeps calling out to where ever the source is. Latest version of Zone Alarm shows traffic even when I am not using anything. Checking the allowed programs I cannot find anything out of the expected allowed programs, suspect one of them is infected and no clue which.

After days of frustration I gave up and reformatted. G'son may never be allowed to use Mom's machine again. He screwed it up cause his didn't work anymore.

2nd machine (G'son's) didn't have the Defender but had the same redirection occurring in all browsers. Found SpyBot successful in removing most of the source, and manually reset (erased) all browsers histories and carefully reset Firefox about:config entries to delete all traces of Babylon Toolbar. 2d computer seems all clear, finally.

Thanks for trying, but I gave up on the first on, reformatting works, Thankfully she didn't have much on there to loose.

Consider this case closed, but if ever G'son messes up one again (and I'm SURE he will) I'll be back if I can't figure it out.

Take Care,

Charlie B

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users