Window's Defender and SAS.

Seth · September 6, 2007

To the best of my knowledge, no malware expert would ever recommend Window's Defender. However, techs may be wondering how much malware removal income they'll lose since Vista comes with Defender. Probably not much.

Case in point:

I just finished disinfecting a Vista system protected by Window's Defender. Vista would not complete its boot. "Explorer can't start. Your computer is shutting down". That message would appear before the programs began to load and about 5 seconds later a shutdown would initiate. In that 5 seconds I noticed an icon on the desktop for "VirusProtectPro" (Rogue antimalware application). At that point I knew the shutdown was likely being caused by a malware infection.

I needed to get control of the system, so I tried Safe Mode and Last Known Good Configuration to no avail. I now had no choice but to slave the drive and remove the malware.

SAS log:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 09/06/2007 at 12:50 PM

Application Version : 3.9.1008

Core Rules Database Version : 3301

Trace Rules Database Version: 1307

Scan type : Complete Scan

Total Scan Time : 01:16:57

Memory items scanned : 293

Memory threats detected : 0

Registry items scanned : 5619

Registry threats detected : 0

File items scanned : 90118

File threats detected : 26

Adware.180solutions/ZangoSearch

F:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS

F:\USERS\WAYNE(A.K.A. DAD)\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\MUSNF7RO\SETUP[1].EXE

Adware.MyWebSearch

F:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE

Malware.VirusProtectPro

F:\PROGRAM FILES\VIRUSPROTECTPRO 3.7\UNINST.EXE

Adware.Lop-Variant

F:\PROGRAMDATA\ANTIEQ\BYTE IDOL MEOW.EXE

F:\PROGRAMDATA\ANTIEQ\LTNOJQPV.EXE

F:\PROGRAMDATA\ANTIEQ\RVGZJFJU.EXE

F:\PROGRAMDATA\ANTIEQ\TVAHDTNR.EXE

F:\USERS\CAROL NAYLOR\APPDATA\LOCAL\TEMP\LIST JOY.EXE

F:\USERS\CAROL NAYLOR\APPDATA\LOCAL\TEMP\STA2CE9.EXE

F:\USERS\CAROL NAYLOR\APPDATA\LOCAL\TEMP\STA4A1D.EXE

F:\USERS\DAVID NAYLOR\APPDATA\LOCAL\TEMP\BIS5880.EXE

F:\USERS\DAVID NAYLOR\APPDATA\LOCAL\TEMP\BIS7687.EXE

F:\USERS\DAVID NAYLOR\APPDATA\LOCAL\TEMP\LIST JOY.EXE

F:\USERS\DAVID NAYLOR\APPDATA\LOCAL\TEMP\STA7F7B.EXE

F:\USERS\DAVID NAYLOR\APPDATA\LOCAL\TEMP\STAC376.EXE

F:\USERS\DAVID NAYLOR\APPDATA\LOCAL\TEMP\STAC940.EXE

F:\USERS\GUEST\APPDATA\LOCAL\TEMP\LIST JOY.EXE

F:\USERS\GUEST\APPDATA\LOCAL\TEMP\STA1BD8.EXE

Browser Hijacker.Favorites

F:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\ONLINE SECURITY GUIDE.URL

F:\PROGRAMDATA\MICROSOFT\WINDOWS\START MENU\SECURITY TROUBLESHOOTING.URL

F:\USERS\GUEST\FAVORITES\ONLINE SECURITY TEST.URL

F:\USERS\PUBLIC\DESKTOP\ONLINE SECURITY GUIDE.URL

F:\USERS\PUBLIC\DESKTOP\SECURITY TROUBLESHOOTING.URL

Trojan.Smitfraud Variant

F:\WINDOWS\SYSTEM32\IKLQCX.DLL

Trojan.Unknown Origin

F:\WINDOWS\SYSTEM32\__C00FCB20.DAT

I installed the drive back into the computer and all was now well with Vista. Since the registry is not scanned on a slaved drive, I loaded SAS and scanned the registry only:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 09/06/2007 at 01:38 PM

Application Version : 3.9.1008

Core Rules Database Version : 3301

Trace Rules Database Version: 1307

Scan type : Custom Scan

Total Scan Time : 00:02:33

Memory items scanned : 0

Memory threats detected : 0

Registry items scanned : 8708

Registry threats detected : 39

File items scanned : 0

File threats detected : 13

Trojan.Media-Codec/V3

HKLM\Software\Classes\CLSID\{1C3C4699-B285-475F-BE47-0B26088CE876}

HKCR\CLSID\{1C3C4699-B285-475F-BE47-0B26088CE876}

HKCR\CLSID\{1C3C4699-B285-475F-BE47-0B26088CE876}\InprocServer32

HKCR\CLSID\{1C3C4699-B285-475F-BE47-0B26088CE876}\InprocServer32#ThreadingModel

C:\PROGRAM FILES\VIDEO ACTIVEX ACCESS\IESPLG.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{1C3C4699-B285-475F-BE47-0B26088CE876}

Unclassified.Unknown Origin

HKLM\Software\Classes\CLSID\{47B83D78-F986-4E96-9769-2C55EF14DA0B}

HKCR\CLSID\{47B83D78-F986-4E96-9769-2C55EF14DA0B}

HKCR\CLSID\{47B83D78-F986-4E96-9769-2C55EF14DA0B}\InprocServer32

HKCR\CLSID\{47B83D78-F986-4E96-9769-2C55EF14DA0B}\InprocServer32#ThreadingModel

C:\WINDOWS\SYSTEM32\__C00B62B1.DAT

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\Browser Helper Objects\{47B83D78-F986-4E96-9769-2C55EF14DA0B}

HKCR\CLSID\{47B83D78-F986-4E96-9769-2C55EF14DA0B}

Trojan.Smitfraud Variant

HKLM\Software\Classes\CLSID\{de5ede53-9db0-422d-b32d-5c41c96d6f52}

HKCR\CLSID\{DE5EDE53-9DB0-422D-B32D-5C41C96D6F52}

HKCR\CLSID\{DE5EDE53-9DB0-422D-B32D-5C41C96D6F52}\InProcServer32

HKCR\CLSID\{DE5EDE53-9DB0-422D-B32D-5C41C96D6F52}\InProcServer32#ThreadingModel

C:\WINDOWS\SYSTEM32\IKLQCX.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Exp lorer\SharedTaskScheduler#{de5ede53-9db0-422d-b32d-5c41c96d6f52}

Malware.SpyLocked

HKCR\videoaccessactivex.Chl

HKCR\videoaccessactivex.Chl\CLSID

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uni nstall\Windows Safety Alert

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uni nstall\Windows Safety Alert#DisplayName

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uni nstall\Windows Safety Alert#UninstallString

Malware.VirusProtectPro

HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}

HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\BPumAnixoRp

HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\bUvrcpmMlVrxH

HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\epvfvvtj

HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\flibxwljvi

HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\InprocServer32

HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\InprocServer32#ThreadingModel

HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\kgKzUwdy

HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\ljujcmwjuzz

HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\ProgID

HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\Programmable

HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\TypeLib

HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\Version

HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\VersionIndependentProgID

HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\wfjs

HKCR\CLSID\{45C2FDBE-1D46-B98E-F9A9-9D44B93A9D52}\yuigmkVgduuNI

HKLM\Software\VirusProtectPro 3.7

HKLM\Software\VirusProtectPro 3.7#refid

C:\Program Files\VirusProtectPro 3.7\blacklist.txt

C:\Program Files\VirusProtectPro 3.7\Lang\English.ini

C:\Program Files\VirusProtectPro 3.7\Lang

C:\Program Files\VirusProtectPro 3.7\Logs

C:\Program Files\VirusProtectPro 3.7\msvcp71.dll

C:\Program Files\VirusProtectPro 3.7\msvcr71.dll

C:\Program Files\VirusProtectPro 3.7\Quarantine

C:\Program Files\VirusProtectPro 3.7\VirusProtectPro 3.7.url

C:\Program Files\VirusProtectPro 3.7\vpp.dat

C:\Program Files\VirusProtectPro 3.7

Sign In

Archived

Window's Defender and SAS.

Recommended Posts

Seth

Share this post

Link to post

Share on other sites

Browse

Activity