dannymyung
asked on
Maleware Defense Problem
I have a Dell XPS M140 with a virus, Male-ware Defense. I have already ran Male-ware Bytes and AVG, but both of them can't remove this virus. Is anyone else have any problems with this Male-ware Defense and if so how do you remove it?
ASKER
ok this is the log file from hijackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:01 PM, on 12/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\system32\svchos
C:\Program Files\AVG\AVG9\avgchsvx.ex
C:\Program Files\Intel\Wireless\Bin\Z
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThi
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-8
O3 - Toolbar: FireShot - {6E6E744E-4D20-4ce3-9A7A-2
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.ex
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtr
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DL
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quicks
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtr
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\Copy of mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCt
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-0
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {0CCA191D-13A6-4E29-B746-3
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D
O16 - DPF: {8100D56A-5661-482C-BEE8-A
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-1
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-D
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-F
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrss
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\A
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.ex
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponde
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlccco
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\E
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NI
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\R
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\W
--
End of file - 7825 bytes
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:01 PM, on 12/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\system32\svchos
C:\Program Files\AVG\AVG9\avgchsvx.ex
C:\Program Files\Intel\Wireless\Bin\Z
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThi
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\Wi
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-8
O3 - Toolbar: FireShot - {6E6E744E-4D20-4ce3-9A7A-2
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.ex
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtr
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DL
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quicks
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtr
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\Copy of mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCt
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-0
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O16 - DPF: {0CCA191D-13A6-4E29-B746-3
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D
O16 - DPF: {8100D56A-5661-482C-BEE8-A
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-1
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-D
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-F
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrss
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\A
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.ex
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponde
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlccco
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\E
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NI
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\R
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\W
--
End of file - 7825 bytes
I actually JUST removed this virus from a computer here.. Here is where its hiding at:
C:\Program Files\Malware Defense\mdefense.exe
Just start in safe mode, delete the folder Malware Defense from the computer.
Only thing i see in hijackthis log is O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-D
C:\Program Files\Malware Defense\mdefense.exe
Just start in safe mode, delete the folder Malware Defense from the computer.
Only thing i see in hijackthis log is O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-D
the best possible solution is to do a system restore to an earlier date
if this doesnt work. reinstall windows after a format.
even if you remove the virus.. this virus must have done the damage already to your registry files and some system files. long term its better to format and have aa fresh install
dont forget to backup..
************** system restore first *********
if this doesnt work. reinstall windows after a format.
even if you remove the virus.. this virus must have done the damage already to your registry files and some system files. long term its better to format and have aa fresh install
dont forget to backup..
************** system restore first *********
ASKER
so should i run the malwarebytes again to see if the virus is gone i just delete the log file that you told me
ASKER
yeah i tried that system restore but the virus is blocking it i guess it wont let me do system restore and the owner of the laptop dont want us to reinstall xp
use Avira AntiVir Rescue System.
http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html
http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html
ASKER
but how come everytime i run malwarebytes keep finding only 3 virus all the time and everytime i removed it is just keep going back to the system
try the above avira boot system , and run http://superantispyware.com/
ASKER
thanks for all the help but it seems reformatting is my last option because the virus really affected the registry unless anybody could tell me other option
What is the path of the viruses you are finding? Note that anything in the System Restore path is a protected file and no software will truly get rid of it even if it says it does. The only way to get rid of files infected in system restore points is to disable system restore which DELETES all your system restore points. Make sure you are currently able to reboot your computer before continuing.
Also you may wish to try other alternatives first as an infected restore point is better than none at all.
Disable System Restore:
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:
"You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?"
After a few moments, the System Properties dialog box closes.
Reboot your system
repeat the above steps to turn system restore back on
create a system restore point:
start
all programs
accessories
system tools
system restore
click create restore point and follow the prompts
Also you may wish to try other alternatives first as an infected restore point is better than none at all.
Disable System Restore:
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:
"You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?"
After a few moments, the System Properties dialog box closes.
Reboot your system
repeat the above steps to turn system restore back on
create a system restore point:
start
all programs
accessories
system tools
system restore
click create restore point and follow the prompts
Can you attach Mbam's logfile and Combofix's logfile?
is it running on Windows XP? You could try reimage http://www.reimage.com/registration.php?trial=seven
I suggest using the bootable version, runs better. Make sure your LAN is connected to the computer. Sounds like there are other viruses than Malware Defense.
I suggest using the bootable version, runs better. Make sure your LAN is connected to the computer. Sounds like there are other viruses than Malware Defense.
Did you run Combofix as already suggested, please attach the logfile.
A lot of nasties can now hide from Hijackthis scan so it's not really the best tool to use....plus your pc is running in diagnostic mode so if you had disabled some programs at startup then there's not much point in running Hijackthis because it only scans startup programs that are enabled.
A lot of nasties can now hide from Hijackthis scan so it's not really the best tool to use....plus your pc is running in diagnostic mode so if you had disabled some programs at startup then there's not much point in running Hijackthis because it only scans startup programs that are enabled.
dont format ur system for this problem.just run webroot internet security essential or G-data internet security.i am sure i will fix this problem and run Advanced system optimizer to repair ur registry.Thanks kart4578
I assume you hae a ANTIVIRUS program already installed, but if you can sill install software go out an get SPYSWEEPER with ANTI-VIRUS at WAL-MART or what ever store is close to you. Comes in a GREEN and YELLOW Box, MiniBox, or CD-SLEEVE. It will clean your system and intercept the sites like the one you encountered with a WARNING for the SITE before you proceed.
If you have anti-virus already, the INSTALL CD will also run a SCAN and CLEAN, if you don't I recommend running SYMANTEC-NORTON and Webroot SpySweeper in tandum. I encountered TROJANS and WORM that NORTON FLAGGED and WEBROOT QUARANTINED, it was an awesome collaboration.
With Symantec Antivirus, Webroot SpySweeper, and Acronis True Image Workstation on weekly backup, I have never been taken down in the last 10 years. COMPUTE with CONFIDENCE
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Download Combofix from http://download.bleepingcomputer.com/sUBs/ComboFix.exe and run it.
If this doesnt remove the rogue antivirus proram, run hijackthis and post the log here.