Certain items could not be removed (Defense Center-malware)


kbuck

This infection is on my laptop.

My laptop internet will not work so I am having to copy/paste to my desktop (thankfully) in order to post here.

This is what I have done so far in Real Mode:

Downloaded mbam.exe and installed the program.

(Per the instructions on the website, I do not remember seeing 2 checkboxes - one for Update Malwarebytes Anti-M and one for Launch Malwarebytes Anti-M; I only saw the Update one, which I checked.)

Started the Malwarebytes program and updated to the latest version, database 4315.

Ran a Full Scan, and at the end, when the screen said the scan was complete, clicked OK and the Show Results button.

When I clicked OK first, the Show Results button disappeared and I was not able to see a log of any kind.

Shut down the computer and tried again this morning.

Upon startup, Trend Micro Internet Security showed a warning of suspicious activity with defcnt.exe, and TM asked: Allow or Block.

So I blocked it.

Ran a Full Scan and this time I closed the screen (X'ed out of it) that showed the OK box and then I could click on the Show Results button.

This produced a log to show the results of the recent scan.

I went to the Quarantine folder and tried to remove all the infected files/folders as shown.

A message displayed:

Certain items could not be removed.

A log file has been saved to the logs folder.

Your computer needs to be restarted to complete the removal process.

Do you want to Restart now?

I clicked Yes.

I still cannot access the internet on my laptop, but it appears that my Task Manager is once again working.

I have copied/pasted the Mbam log file below:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4315

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

7/15/2010 9:21:35 AM

mbam-log-2010-07-15 (09-21-35).txt

Scan type: Full scan (C:\|)

Objects scanned: 225480

Time elapsed: 1 hour(s), 19 minute(s), 44 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 8

Registry Values Infected: 3

Registry Data Items Infected: 2

Folders Infected: 2

Files Infected: 20

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\Program Files\Defense Center\defhook.dll (Trojan.FakeAlert) -> No action taken.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmadxbvpdibco (Trojan.DNSChanger) -> No action taken.

HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> No action taken.

HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center (Rogue.DefenseCenter) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> No action taken.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\defense center (Trojan.FakeAlert) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> No action taken.

HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> No action taken.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

C:\Program Files\Defense Center (Rogue.DefenseCenter) -> No action taken.

C:\WINDOWS\PRAGMAdxbvpdibco (Trojan.DNSChanger) -> No action taken.

Files Infected:

C:\Program Files\Defense Center\defhook.dll (Trojan.FakeAlert) -> No action taken.

C:\Program Files\Defense Center\defcnt.exe (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\Kitty\Local Settings\Temp\wscsvc32.exe (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\Kitty\Local Settings\Temp\asdD7.tmp.exe (Trojan.FakeAlert) -> No action taken.

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HZXH1885\update[1].exe (Trojan.Dropper) -> No action taken.

C:\WINDOWS\Temp\PRAGMA5214.tmp (Trojan.Agent) -> No action taken.

C:\WINDOWS\Temp\wscsvc32.exe (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\Temp\AUTMGR32.EXE (Trojan.Dropper) -> No action taken.

C:\WINDOWS\Temp\mschrt20ex.dll (Rogue.DefenseCenter) -> No action taken.

C:\WINDOWS\PRAGMAdxbvpdibco\pragmabbr.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\PRAGMAdxbvpdibco\PRAGMAd.sys (Trojan.DNSChanger) -> No action taken.

C:\Program Files\Defense Center\splash.mp3 (Rogue.DefenseCenter) -> No action taken.

C:\Program Files\Defense Center\Uninstall.exe (Rogue.DefenseCenter) -> No action taken.

C:\Program Files\Defense Center\virus.mp3 (Rogue.DefenseCenter) -> No action taken.

C:\WINDOWS\PRAGMAdxbvpdibco\PRAGMAcfg.ini (Trojan.DNSChanger) -> No action taken.

C:\WINDOWS\PRAGMAdxbvpdibco\PRAGMAsrcr.dat (Trojan.DNSChanger) -> No action taken.

C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll (Rootkit.TDSS) -> No action taken.

C:\Documents and Settings\Kitty\Application Data\Microsoft\Internet Explorer\Quick Launch\Defense Center.LNK (Rogue.DefenseCenter) -> No action taken.

C:\Documents and Settings\John\Local Settings\Temp\pragmamainqt.dll (Rootkit.TDSS) -> No action taken.

C:\Documents and Settings\Kitty\Local Settings\Temp\pragmamainqt.dll (Rootkit.TDSS) -> No action taken.

What should I do next to make sure this malware is totally removed?

Many thanks,

kbuck

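An added example, not part of kbuck's post or of Malwarebytes' own tooling: a small Python parser for the log format quoted above. It turns each entry into a record, tallies detections, lists everything still marked "No action taken", and flags registry data items (such as the DisableTaskMgr policy values) whose Bad/Good state was reported, which explains the Task Manager symptom. The sample input is a constructed excerpt of the log in the post.

```python
import re
from collections import Counter

# Constructed sample: an excerpt of the Malwarebytes 1.46 log quoted in the post above.
SAMPLE_LOG = r"""
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\Program Files\Defense Center\defhook.dll (Trojan.FakeAlert) -> No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmadxbvpdibco (Trojan.DNSChanger) -> No action taken.
HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> No action taken.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
Files Infected:
C:\WINDOWS\PRAGMAdxbvpdibco\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.
"""

# Section headers end with "Infected:"; the summary counts ("... Infected: 8") deliberately do not match.
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# Entry shape: "<item> (<detection>) [-> Bad: (n) Good: (n)] -> <action>."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\)"
                      r"(?: -> Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\))? -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per finding: section, item, detection, action and the Bad/Good values if present."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        e = ENTRY_RE.match(line) if section else None
        if not e:
            continue  # blank lines, "(No malicious items detected)", and header fields before any section
        findings.append({"section": section, "item": e.group("item"), "detection": e.group("detection"),
                         "action": e.group("action"), "bad": int(e.group("bad")) if e.group("bad") else None,
                         "good": int(e.group("good")) if e.group("good") else None})
    return findings


def summarize(findings):
    """Tally detections, list items awaiting action, and flag policy data items still at their bad value."""
    return {
        "by_detection": dict(Counter(f["detection"] for f in findings)),
        "pending": [f["item"] for f in findings if f["action"] == "No action taken"],
        "policy_hijacks": [f["item"] for f in findings if f["bad"] is not None and f["action"] == "No action taken"],
    }
```

Feeding the whole log from the post through parse_mbam_log gives one record per line that ends in an action, so the "pending" list is exactly what still needs to be cleaned after a reboot.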

Hello kbuck, :)

As we don't work on malware removal or diagnostics in this forum, please read carefully and follow the directions below.

  • If you have already submitted for assistance at one of the other support sites on the Internet, then you should not post a new topic here and stay working with the helper from that site until the issue is resolved.
  • Please print out, read, and follow the directions here, skipping any steps you are unable to complete.
  • Then post a NEW topic here, remember to describe your problem along with the necessary logs in that topic. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.
  • One of the expert helpers there will give you one-on-one assistance when one becomes available.
  • After posting your new topic, make sure under options (top right of your topic screen), you select Track this topic and choose one of the Email options (prefer Immediate Email Notification) so that you're alerted when someone has replied to your post.
  • Please be patient when waiting for expert help, as the expert helpers can get a bit busy.
  • Please try not to post back (bump) your topic within the first 48 hours. Expert helpers will find the topics which have a zero post count first. If you bump your topic, expert helpers may think the topic has been replied to and jump to other posts.
    If there is no reply from any experts after 48 hours, you can reply to the topic to ask for help again or send a Private Message to a Moderator asking for assistance.
  • Please do not alter the system (e.g. install or uninstall any software, conduct some fixes, use any removal/scanning tool) after posting unless told to by the expert helper. Using these other tools often makes the cleanup task more difficult and time consuming.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org or via here for prioritized support. Please remember to quote your cleverbridge Reference Number from the confirmation e-mail when requesting assistance.

NOTE: If for some reason you're unable to run some of the tools in the first link, then skip that step and move on to the next one. If you can't even run any tools in safe mode, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.

Thank You :)

PS Please use the "ADDREPLY" button at the bottom of the forum window instead of other ones when you start replying. :)
