Windows Defender seemingly has malware in it?

Discussion in 'Spyware Discussion' started by Troubled_By_Malware, Apr 10, 2009.

  1. I just downloaded Windows Defender after battling all weekend to rid my
    system of a malware trojan that my up-to-date McAfee Antivirus found, but
    would not fully clean: I'd reboot, rescan and there it was again. I went
    through the painfully time-consuming removal process described at:
    http://forums.mcafeehelp.com/showthread.php?t=227241 including having to
    rename everything before running the suggested packages. I was 99.9% sure it
    worked because I rebooted, a McAfee scan found nothing, and my browsers
    behaved as expected. This trojan would redirect you to random links after
    clicking on a link from a Google Search, and I had none of that. Less than 30
    seconds after starting my first Windows Defender scan, McAfee finds the same
    trojan, and it says it found it in Windows Defender. Details:
    Name: c:\windows\system32\gaopdxardpayglmkuoecuirmayoeyquqkqrimh.dll
    In Folder: c:\windows\system32
    Source:
    Detected As: DNSChanger.r
    Detection Type: Trojan
    Status: Cleaned (but I doubt it)
    Date and Time: 4/9/2009 10:55:01
    Application: C:\Program Files\Windows Defender\MsMpEng.exe
    Username: NT AUTHORITY\System
    Client ID: 0 (my pc name)
    Any thoughts as to what might be going on?
     
    Troubled_By_Malware, Apr 10, 2009
    #1
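The detection record above gives a file path, a detection name (DNSChanger.r) and a "Cleaned" verdict the poster does not trust, because the file kept reappearing after reboots. The script below is an added triage example, not code from the thread or from McAfee or Microsoft: it records what can be learned about the reported file before anything else touches it (hash, Authenticode status, timestamps), lists services, drivers and autostart registry values that reference it (anything that would reload it at boot), and, because the detection name says "DNSChanger", dumps the DNS servers configured on each IP-enabled adapter so they can be compared against the ISP's. It assumes Windows PowerShell 4.0 or later (for `Get-FileHash`) on an elevated prompt; the path is the one from the record, and the registry key list is a constructed set of common autostart locations, not a claim about where this sample persisted.

```powershell
# Added triage example (not from the original post). Assumes Windows PowerShell 4+
# and an elevated prompt. The default path is the file named in the McAfee record.
param(
    [string]$SuspectPath = 'C:\Windows\System32\gaopdxardpayglmkuoecuirmayoeyquqkqrimh.dll'
)

$stem = [System.IO.Path]::GetFileNameWithoutExtension($SuspectPath)

# 1. Evidence first: if the file is still on disk, capture hash, signature state
#    and timestamps before any removal tool changes or deletes it.
if (Test-Path -LiteralPath $SuspectPath) {
    $item = Get-Item -LiteralPath $SuspectPath -Force
    $hash = Get-FileHash -LiteralPath $SuspectPath -Algorithm SHA256
    $sig  = Get-AuthenticodeSignature -FilePath $SuspectPath
    [pscustomobject]@{
        Path      = $SuspectPath
        Size      = $item.Length
        Created   = $item.CreationTimeUtc
        Modified  = $item.LastWriteTimeUtc
        SHA256    = $hash.Hash
        # An unsigned or hash-mismatched DLL in System32 is a red flag on its own
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    } | Format-List
} else {
    Write-Output "File not present on disk: $SuspectPath"
}

# 2. Persistence: anything whose image path names the file will bring it back
#    after a reboot, which is the symptom the poster describes.
Write-Output "`nDrivers referencing '$stem':"
Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -like "*$stem*" } |
    Select-Object Name, State, StartMode, PathName
Write-Output "`nServices referencing '$stem':"
Get-CimInstance Win32_Service | Where-Object { $_.PathName -like "*$stem*" } |
    Select-Object Name, State, StartMode, PathName

# Constructed list of common autostart keys (assumption, not from the thread);
# the last one holds AppInit_DLLs, a classic way to load a DLL into every process.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
)
Write-Output "`nAutostart values referencing '$stem':"
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -like "*$stem*") {
            [pscustomobject]@{ Key = $key; Value = $p.Name; Data = $p.Value }
        }
    }
}

# 3. The detection name says "DNSChanger": list the DNS servers each live adapter
#    is using so they can be checked against the ones the ISP or router should hand out.
Write-Output "`nConfigured DNS servers per IP-enabled adapter:"
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DHCPEnabled, @{ Name = 'DNSServers'; Expression = { $_.DNSServerSearchOrder -join ', ' } }
```

Run it once before and once after the cleanup-and-reboot cycle the replies recommend; if step 2 still finds a driver or autostart entry naming the file, or step 3 shows resolvers nobody configured, the "Cleaned" status was premature and the persistence mechanism, not just the DLL, still needs removing.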

  2. Kayman (Guest), in reply to Troubled_By_Malware

    On Thu, 9 Apr 2009 20:24:01 -0700, Troubled_By_Malware wrote:

    > I just downloaded Windows Defender after battling all weekend to rid my
    > system of a malware trojan that my up-to-date McAfee Antivirus found, but
    > would not fully clean: I'd reboot, rescan and there it was again. I went
    > through the painfully time-consuming removal process described at:
    > http://forums.mcafeehelp.com/showthread.php?t=227241 including having to
    > rename everything before running the suggested packages. I was 99.9% sure it
    > worked because I rebooted, a McAfee scan found nothing, and my browsers
    > behaved as expected. This trojan would redirect you to random links after
    > clicking on a link from a Google Search, and I had none of that. Less than 30
    > seconds after starting my first Windows Defender scan, McAfee finds the same
    > trojan, and it says it found it in Windows Defender. Details:
    > Name: c:\windows\system32\gaopdxardpayglmkuoecuirmayoeyquqkqrimh.dll
    > In Folder: c:\windows\system32
    > Source:
    > Detected As: DNSChanger.r
    > Detection Type: Trojan
    > Status: Cleaned (but I doubt it)
    > Date and Time: 4/9/2009 10:55:01
    > Application: C:\Program Files\Windows Defender\MsMpEng.exe
    > Username: NT AUTHORITY\System
    > Client ID: 0 (my pc name)
    > Any thoughts as to what might be going on?


    Preferred practice is to 'flatten' and rebuild a computer that has been
    exposed to malware.
    http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
    http://technet.microsoft.com/en-au/library/cc512595.aspx

    Clean Install Windows XP
    http://www.elephantboycomputers.com/page2.html#Reinstalling_Windows - What
    you will need on-hand
    --and--
    http://www.michaelstevenstech.com/cleanxpinstall.html
    --or-- (even better because its illustrated and more reader friendly)
    How Do I Install WindowsXP
    http://xphelpandsupport.mvps.org/how_do_i_install_windows_xp.htm

    Step-By-Step Windows Vista: Installation
    http://www.w-tweaks.com/html/windows_vista_setup__step_by_s.html

    It is definitely advantageous to create an 'image' of the operating system
    and create a data/file backup of the affected PC.
    The image can then be restored to the impacted PC and the user's data/files
    are subsequently restored to the operating system.

    An experienced and properly prepared user can do that in substantially less
    time than scanning with complex and sophisticated AV applications.

    Alas, since many users are less prepared and/or lacking the experience,
    scanning with AV apps is the only option, unless the user consults a
    computer technician.
    If you're one of the many less-experienced users, try to go through the
    succeeding steps 1-4:

    1. Clear the (IE) temporary Internet files and the history cache.
    Click 'Start' and then click 'Run...', then type (or copy/paste)
    "inetcpl.cpl" (w/out quotation marks) into the box, then click the 'OK'
    button.
    In the Internet Properties panel, 'General' tab, under 'Browsing history', click
    the 'Delete...' button; in the 'Delete Browsing History' panel, click the 'Delete
    all...' button, then place a checkmark in the box beside 'Also delete
    files and settings stored by add-ons', click 'Yes' and exit the Internet
    Properties panel by clicking the 'OK' button.

    2. Clean HDD
    Click 'Start' and then click 'Run...', then type (or copy/paste) "cleanmgr"
    (w/out quotation marks) into the box, then click the 'OK' button. Select
    your drive (presumably WinXP (C:)) and click OK.
    http://support.microsoft.com/kb/310312
    --or--
    2a. Delete files using Disk Cleanup (if on Vista)
    http://windowshelp.microsoft.com/Windows/en-US/help/1264bc24-72a8-48aa-84e3-a355327139d91033.mspx

    3. Download/execute:
    Malwarebytes© Corporation - Anti-Malware
    http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol
    --or--
    http://majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
    --direct--
    http://www.malwarebytes.org/mbam/program/mbam-setup.exe
    --and--
    SuperAntispyware - Free
    http://www.superantispyware.com/superantispywarefreevspro.html
    --direct--
    http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

    Both free versions of MBAM and SAS are on-demand scanners and offer no
    'real-time' protection. Keep them installed and use them as
    'second-opinion' scanners, which is purposely (by design) what
    their respective authors recommend.

    4. Download and execute HijackThis (HJT)
    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

    Please do not post HJT logs to this newsgroup.
    Fora where you can get expert advice on HijackThis (HJT) logs:

    http://www.thespykiller.co.uk/index.php?board=3.0
    http://www.spywarewarrior.com/viewforum.php?f=5
    http://forums.tomcoyote.org/index.php?showforum=27
    http://www.bleepingcomputer.com/forums/forum22.html
    http://www.malwarebytes.org/forums/index.php?showforum=7
    http://www.5starsupport.com/ipboard/index.php?showforum=18
    http://www.theeldergeek.com/forum/index.php?s=2e9ea4e19d3289dd877ab75a8220bff6&showforum=29

    NOTE:
    Registration is required in any of the above-mentioned fora before posting
    a HJT log, and read the 'stickies' (instructions/guidelines) of the
    respective HJT forum first.

    Additional references:
    Malicious Software Removal Tool
    http://www.microsoft.com/security/malwareremove/default.mspx
    (Skip: Run an Online Scan of Your PC for Malicious Software).

    How to optimize or reset Internet Explorer
    http://support.microsoft.com/kb/936213
    Applies to: Windows Internet Explorer in Windows Vista

    How to use Reset Internet Explorer Settings (RIES)
    http://support.microsoft.com/kb/923737
    Read: "What you must know"
    Applies to: Windows Internet Explorer for Windows XP and
    Windows Internet Explorer 7 in Windows Vista

    GMER - is an application that detects and removes rootkits.
    http://www.gmer.net/index.php

    For additional assistance in relation to GMER scan results, consult either:
    http://www.thespykiller.co.uk/index.php?board=3.0
    --or--
    http://antirootkit.com/forums/index.php?sid=9e746bb696ac0bb38781ffe4361c3a17

    CCleaner - Free
    Cleans temporary internet files, cookies, history, recent URLs, application
    MRUs, etc. ...(*Tune out the registry scanning/fixing option!*)
    http://www.ccleaner.com/download/builds/downloading-slim

    If Windows Defender is utilized, go to Applications and, under Utilities,
    uncheck "Windows Defender" (so it won't delete the history of WD).
    If you wish, click the 'Options' button, then under 'Settings' [check] 'Run CCleaner
    when the computer starts'.
    --or--
    Setup CCleaner to Automatically Run Each Night in Vista or XP
    http://www.howtogeek.com/howto/wind...-automatically-run-each-night-in-vista-or-xp/

    Routinely practice Safe-Hex.
    http://www.claymania.com/safe-hex.html

    Good luck :)
     
    Kayman, Apr 10, 2009
    #2

  3. Kayman,

    Thanks for such a thorough response. I've seen many a forum post (and even
    complete websites; i.e. securitytanfo.gom) that walk one through a cleansing
    process, but they all pale in comparison to what you have posted. I have XP
    and not Vista, but I imagine that won't change things much. I am familiar
    with many of the tools you have posted. I haven't tried walking through them
    yet, but will, and am confident it will do the trick. Thanks!
     
    Troubled_By_Malware, Apr 11, 2009
    #3
  4. Kayman (Guest), in reply to Troubled_By_Malware

    On Sat, 11 Apr 2009 09:15:03 -0700, Troubled_By_Malware wrote:

    > Kayman,
    > Thanks for such a thorough response.


    YW.

    > I've seen many a forum post (and even complete websites; i.e. securitytanfo.gom)
    > that walk one through a cleansing process, but they all pale in comparison to
    > what you have posted.
    > I have XP and not Vista, but I imagine that won't change things much.


    Re-read my post!

    > I am familiar with many of the tools you have posted. I haven't tried walking
    > through them yet, but will, and am confident it will do the trick. Thanks!


    Additional references:

    Kaspersky® Virus Removal Tool
    http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
    http://www.kaspersky.com/support/viruses/avptool?level=2

    Dr.Web CureIt!® Utility - FREE
    http://www.freedrweb.com/cureit/

    a-squared (a²) Free or a-squared (a²) Command Line Scanner
    http://www.emsisoft.com/en/software/download/

    BitDefender10 Free Edition (*NOT FOR VISTA*)
    http://www.bitdefender.com/site/Downloads/browseEvaluationVersion/1/42/

    Sophos Anti-Virus (SAV32CLI) is a free 32-bit command line scanner used in
    an emergency as a disinfection utility for Windows NT, Windows 2000,
    Windows XP and Windows 2003.
    To use the Sophos command line software, follow the steps below:
    a) Download SAV32CLI
    http://downloads.sophos.com/tools/sav32sfx.exe
    --and--
    extract the contents by double clicking the file.
    b) Add the latest virus identity files (IDE) to the folder; these can be
    downloaded here:
    http://www.sophos.com/downloads/ide/
    c) Read Scanning Options with SAV32CLI.
    http://www.sophos.com/support/knowledgebase/article/13252.html
    See removing malicious files with SAV32CLI for basic information on virus,
    spyware, Trojan and worm removal with SAV32CLI.
    http://www.sophos.com/support/knowledgebase/article/13251.html

    David H. Lipman's MULTI_AV.EXE from the URL:
    http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
    or
    http://212.98.39.7/ds/28400/28470/Multi_AV.exe

    http://www.pctip.ch/downloads/dl/35905.asp
    or
    http://212.98.39.7/downloads/dl/35905.asp

    http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/

    NOTE:
    The above-mentioned applications are not capable of real-time protection
    of your computer; they are on-demand scanners.

    Kaspersky® Virus Removal Tool and Dr.Web CureIt!® have no update feature (so
    they don't turn into full-blown scanners). As soon as your computer is
    cleaned you are supposed to remove these tools from your operating system
    and revert to your (updated) resident (real-time) AV application.
    Re: Kaspersky® Virus Removal Tool: to uninstall/remove this program, 'enable
    self-defense' must be unchecked!

    To scan your computer with the most up-to-date Kaspersky® AVPTool and
    Dr.Web CureIt!® virus databases next time, you should download new
    Kaspersky® AVPTool and Dr.Web CureIt!® packages.

    BitDefender10 Free Edition, a-squared Free or a-squared Command Line
    Scanner, Sophos Anti-Virus (SAV32CLI) and the free versions of Malwarebytes©
    and SuperAntispyware have an update feature; you may wish to keep a couple
    of them installed in addition to your resident AV/A-S applications and scan
    frequently.

    After the software is updated, it is suggested scanning the system in Safe
    Mode (this does not apply to MBAM).

    "Malwarebytes actually performs better in Normal Mode" says Dustin Cook,
    Malwarebytes Researcher of MBAM.

    How do you boot to Safe Mode?
    By pressing/tapping F8 (or F5 on some keyboards) continually during
    re-boot.

    A description of the Safe Mode Boot options in Windows XP
    http://support.microsoft.com/default.aspx?scid=315222
    Alternatively:
    Click Start==>Run..., then type (or copy/paste) "msconfig" (without
    quotation marks) and click OK. Then click the BOOT.INI tab and 'check'
    /SAFEBOOT, then OK and click Restart. To go back to Normal Mode, you must
    access the System Configuration utility again, click the General tab,
    then click/check the radio button 'Normal Startup - load all device drivers
    and services'.

    Start your computer in safe mode (Vista)
    http://windowshelp.microsoft.com/Windows/en-us/help/323ef48f-7b93-4079-a48a-5c58eec904a11033.mspx
    http://www.bleepingcomputer.com/tutorials/tutorial61.html

    Good luck :)
     
    Kayman, Apr 11, 2009
    #4