Seth Posted September 6, 2007

To the best of my knowledge, no malware expert would ever recommend Windows Defender. However, techs may be wondering how much malware removal income they'll lose since Vista comes with Defender. Probably not much.

Case in point: I just finished disinfecting a Vista system protected by Windows Defender. Vista would not complete its boot. "Explorer can't start. Your computer is shutting down". That message would appear before the programs began to load, and about 5 seconds later a shutdown would initiate. In that 5 seconds I noticed an icon on the desktop for "VirusProtectPro" (rogue antimalware application). At that point I knew the shutdown was likely being caused by a malware infection. I needed to get control of the system, so I tried Safe Mode and Last Known Good Configuration to no avail. I now had no choice but to slave the drive and remove the malware.

SAS log:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 09/06/2007 at 12:50 PM

Application Version : 3.9.1008

Core Rules Database Version : 3301
Trace Rules Database Version: 1307

Scan type : Complete Scan
Total Scan Time : 01:16:57

Memory items scanned : 293
Memory threats detected : 0
Registry items scanned : 5619
Registry threats detected : 0
File items scanned : 90118
File threats detected : 26

Adware.180solutions/ZangoSearch
F:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS
F:\USERS\WAYNE(A.K.A. DAD)\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\MUSNF7RO\SETUP[1].EXE

Adware.MyWebSearch
F:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE

Malware.VirusProtectPro
F:\PROGRAM FILES\VIRUSPROTECTPRO 3.7\UNINST.EXE

Adware.Lop-Variant
F:\PROGRAMDATA\ANTIEQ\BYTE IDOL MEOW.EXE
F:\PROGRAMDATA\ANTIEQ\LTNOJQPV.EXE
F:\PROGRAMDATA\ANTIEQ\RVGZJFJU.EXE
F:\PROGRAMDATA\ANTIEQ\TVAHDTNR.EXE
F:\USERS\CAROL NAYLOR\APPDATA\LOCAL\TEMP\LIST JOY.EXE
F:\USERS\CAROL NAYLOR\APPDATA\LOCAL\TEMP\STA2CE9.EXE
F:\USERS\CAROL NAYLOR\APPDATA\LOCAL\TEMP\STA4A1D.EXE
F:\USERS\DAVID NAYLOR\APPDATA\LOCAL\TEMP\BIS5880.EXE
F:\USERS\DAVID NAYLOR\APPDATA\LOCAL\TEMP\BIS7687.EXE
F:\USERS\DAVID NAYLOR\APPDATA\LOCAL\TEMP\LIST JOY.EXE
F:\USERS\DAVID NAYLOR\APPDATA\LOCAL\TEMP\STA7F7B.EXE
F:\USERS\DAVID NAYLOR\APPDATA\LOCAL\TEMP\STAC376.EXE
F:\USERS\DAVID NAYLOR\APPDATA\LOCAL\TEMP\STAC940.EXE
F:\USERS\GUEST\APPDATA\LOCAL\TEMP\LIST JOY.EXE
F:\USERS\GUEST\APPDATA\LOCAL\TEMP\STA1BD8.EXE

Browser Hijacker.Favorites
F:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\ONLINE SECURITY GUIDE.URL
F:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\SECURITY TROUBLESHOOTING.URL
F:\USERS\GUEST\FAVORITES\ONLINE SECURITY TEST.URL
F:\USERS\PUBLIC\DESKTOP\ONLINE SECURITY GUIDE.URL
F:\USERS\PUBLIC\DESKTOP\SECURITY TROUBLESHOOTING.URL

Trojan.Smitfraud Variant
F:\WINDOWS\SYSTEM32\IKLQCX.DLL

Trojan.Unknown Origin
F:\WINDOWS\SYSTEM32\__C00FCB20.DAT

I installed the drive back into the computer and all was now well with Vista.

Since the registry is not scanned on a slaved drive, I loaded SAS and scanned the registry only:

SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 09/06/2007 at 01:38 PM

Application Version : 3.9.1008

Core Rules Database Version : 3301
Trace Rules Database Version: 1307

Scan type : Custom Scan
Total Scan Time : 00:02:33

Memory items scanned : 0
Memory threats detected : 0
Registry items scanned : 8708
Registry threats detected : 39
File items scanned : 0
File threats detected : 13

Trojan.Media-Codec/V3
HKLM\Software\Classes\CLSID\{1C3C4699-B285-475F-BE47-0B26088CE876}
HKCR\CLSID\{1C3C4699-B285-475F-BE47-0B26088CE876}
HKCR\CLSID\{1C3C4699-B285-475F-BE47-0B26088CE876}\InprocServer32
HKCR\CLSID\{1C3C4699-B285-475F-BE47-0B26088CE876}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\VIDEO ACTIVEX ACCESS\IESPLG.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C3C4699-B285-475F-BE47-0B26088CE876}

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{47B83D78-F986-4E96-9769-2C55EF14DA0B}
HKCR\CLSID\{47B83D78-F986-4E96-9769-2C55EF14DA0B}
HKCR\CLSID\{47B83D78-F986-4E96-9769-2C55EF14DA0B}\InprocServer32
HKCR\CLSID\{47B83D78-F986-4E96-9769-2C55EF14DA0B}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\__C00B62B1.DAT
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{47B83D78-F986-4E96-9769-2C55EF14DA0B}
HKCR\CLSID\{47B83D78-F986-4E96-9769-2C55EF14DA0B}

Trojan.Smitfraud Variant
HKLM\Software\Classes\CLSID\{de5ede53-9db0-422d-b32d-5c41c96d6f52}
HKCR\CLSID\{DE5EDE53-9DB0-422D-B32D-5C41C96D6F52}
HKCR\CLSID\{DE5EDE53-9DB0-422D-B32D-5C41C96D6F52}\InProcServer32
HKCR\CLSID\{DE5EDE53-9DB0-422D-B32D-5C41C96D6F52}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\IKLQCX.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{de5ede53-9db0-422d-b32d-5c41c96d6f52}

Malware.SpyLocked
HKCR\videoaccessactivex.Chl
HKCR\videoaccessactivex.Chl\CLSID
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert#UninstallString

Malware.VirusProtectPro
HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}
HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\BPumAnixoRp
HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\bUvrcpmMlVrxH
HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\epvfvvtj
HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\flibxwljvi
HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\InprocServer32
HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\InprocServer32#ThreadingModel
HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\kgKzUwdy
HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\ljujcmwjuzz
HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\ProgID
HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\Programmable
HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\TypeLib
HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\Version
HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\VersionIndependentProgID
HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\wfjs
HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\yuigmkVgduuNI
HKLM\Software\VirusProtectPro 3.7
HKLM\Software\VirusProtectPro 3.7#refid
C:\Program Files\VirusProtectPro 3.7\blacklist.txt
C:\Program Files\VirusProtectPro 3.7\Lang\English.ini
C:\Program Files\VirusProtectPro 3.7\Lang
C:\Program Files\VirusProtectPro 3.7\Logs
C:\Program Files\VirusProtectPro 3.7\msvcp71.dll
C:\Program Files\VirusProtectPro 3.7\msvcr71.dll
C:\Program Files\VirusProtectPro 3.7\Quarantine
C:\Program Files\VirusProtectPro 3.7\VirusProtectPro 3.7.url
C:\Program Files\VirusProtectPro 3.7\vpp.dat
C:\Program Files\VirusProtectPro 3.7
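Added example, not Seth's code and not SUPERAntiSpyware's: a small parser for the log layout quoted above (summary "Key : Value" lines, then a threat family name on its own line followed by one registry key, registry value or file path per line). It separates registry keys from registry values (SAS writes a value as key#ValueName), tallies detections per family, and flags registry hits in auto-load locations of the kind visible in the second log (Browser Helper Objects, SharedTaskScheduler, and the Run keys, which are assumed here as general Windows knowledge rather than taken from the post). The embedded sample log is constructed from a few entries of the post's second scan.

```python
"""Parse a SUPERAntiSpyware (SAS) style scan log into structured detections.

Added example; not SUPERAntiSpyware's own code. The layout it assumes is
modeled on the logs quoted in the forum post above.
"""
import re
from collections import defaultdict

SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<value>.+)$")
REG_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU|HKCC)\\", re.IGNORECASE)
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Registry locations that load code when Explorer/IE starts (assumed list;
# the post's second log shows hits in the first two).
PERSISTENCE_MARKERS = (
    "\\browser helper objects\\",
    "\\sharedtaskscheduler#",
    "\\currentversion\\run",
)


def classify(item):
    """Label one detection line as registry_key, registry_value, file or other."""
    if REG_RE.match(item):
        # SAS reports a registry value as <key>#<ValueName>
        return "registry_value" if "#" in item else "registry_key"
    if PATH_RE.match(item):
        return "file"
    return "other"


def parse_sas_log(text):
    """Return (summary dict, list of {"family", "type", "item"} detections)."""
    summary = {}
    detections = []
    pending_family = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if REG_RE.match(line) or PATH_RE.match(line):
            if pending_family is None:
                raise ValueError("detection item before any family name: " + line)
            detections.append({"family": pending_family,
                               "type": classify(line), "item": line})
            continue
        if line.lower().startswith("http"):
            continue  # vendor URL line, not a summary field
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("key").strip()] = m.group("value").strip()
            continue
        # Title, timestamp and family lines all land here; only a family name
        # is followed by item lines, so the others are harmlessly replaced.
        pending_family = line
    return summary, detections


def per_family_counts(detections):
    """{family: {type: count}} for a quick triage view of a scan."""
    counts = defaultdict(lambda: defaultdict(int))
    for d in detections:
        counts[d["family"]][d["type"]] += 1
    return {fam: dict(c) for fam, c in counts.items()}


def persistence_hits(detections):
    """Registry detections that sit in a known auto-load location."""
    return [d["item"] for d in detections
            if d["type"].startswith("registry")
            and any(mark in d["item"].lower() for mark in PERSISTENCE_MARKERS)]


# Constructed sample, trimmed from the registry-only scan in the post.
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
https://www.superantispyware.com

Generated 09/06/2007 at 01:38 PM

Application Version : 3.9.1008

Core Rules Database Version : 3301
Trace Rules Database Version: 1307

Scan type : Custom Scan
Total Scan Time : 00:02:33

Registry items scanned : 8708
Registry threats detected : 39
File items scanned : 0
File threats detected : 13

Trojan.Media-Codec/V3
HKLM\Software\Classes\CLSID\{1C3C4699-B285-475F-BE47-0B26088CE876}
HKCR\CLSID\{1C3C4699-B285-475F-BE47-0B26088CE876}\InprocServer32#ThreadingModel
C:\PROGRAM FILES\VIDEO ACTIVEX ACCESS\IESPLG.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C3C4699-B285-475F-BE47-0B26088CE876}

Trojan.Smitfraud Variant
HKCR\CLSID\{DE5EDE53-9DB0-422D-B32D-5C41C96D6F52}\InProcServer32
C:\WINDOWS\SYSTEM32\IKLQCX.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler#{de5ede53-9db0-422d-b32d-5c41c96d6f52}
"""

if __name__ == "__main__":
    summary, dets = parse_sas_log(SAMPLE_LOG)
    print(summary["Scan type"], summary["Registry threats detected"])
    for fam, c in per_family_counts(dets).items():
        print(fam, c)
    for item in persistence_hits(dets):
        print("auto-load location:", item)
```

The persistence list is the part worth extending for your own use: anything the log flags under a BHO, SharedTaskScheduler or Run key explains a symptom like the Explorer-crash-then-shutdown loop in the post, and is what to check first when a cleaned drive is put back and the machine still misbehaves.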