LancerChronics on 28/12/2010 at 00:37
Skip to "***" to save time.
So I just had a scare. Somehow, a trojan got onto my computer and hid itself in my appdata under the guise of "Windows Defender". Next thing I know this "automatic scan" starts running and detecting "viruses" everywhere.
When I tried to open up anything (Firefox or even Task Manager), it would shut it down and claim it was "infected". Now that's when I call bull-****. Closer inspection showed that the window was an attempted mimicry of the Windows Defender window, with low-quality, slapped-together icons and slightly 'off' fonts. It kept asking me to activate "Windows Spyware Defender". So I shut down my computer, rebooted in Safe Mode, and deleted the culprit (Defender.exe) from my "Application Data" folder in "Documents and Settings". I then proceeded to run a newly updated AVG to make sure no more viruses were on my computer.
I rebooted my computer, and just had a hunch.
****
Opened up msconfig, and sure enough, defender.exe (the false-alarm virus) was set to run again on start-up. Thankfully, there was no longer a file to run, so it was benign. I've unchecked it and saved the settings. But the fact that it's still there irks me slightly. I've checked the Registry for the proper file associated with it, but there's nothing there. So, how do I remove it from that list so I can 100% put this behind me?
Renzatic on 28/12/2010 at 01:02
Oh man, these damn things.
Even though you deleted all the files in your documents and setting folder, you more than likely still have a bunch of entries in the registry. Worst case scenario is that you'll be having this same problem again real soon.
So I looked up "Windows Defender virus" on Bleeping Computer, but all they had was deleting the actual Windows Defender. So, your best bet is to do what they usually suggest. Get Malwarebytes Anti-Malware (hoping that it isn't so new that they don't have a definition entry for it), install it (hoping that the ransomware BS you've got won't block it as a virus), jump into Safe Mode, and do a full scan. In about 20-40 minutes, you should have a bunch of red entries, which you'll tell Anti-Malware to delete.
That's usually enough to get rid of everything, but just in case, do some googling and see what you find out about it.
edit: http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010 - This is the best I could find on Bleeping Computer. See if it helps you out.
Al_B on 28/12/2010 at 01:08
Good that you got rid of that - it's one of the more annoying pieces of fake anti-virus software that have done the rounds in the last year or so.
If you want to remove it from the unchecked entries in msconfig then go to HKEY_LOCAL_MACHINE\Software\Microsoft\Shared Tools\MSConfig\startupreg and you should find it there and can delete it.
LancerChronics on 28/12/2010 at 02:46
thank you both. I've gone ahead and deleted the registry stuff, and that fixed the immediate problem.
I'm also downloading the anti-malware from the link you provided and will give it a full run, just in case.
Edit: holy hell! It's been running for less than a minute and it's already found 7 objects! This is gonna be interesting. Thank god this happened on my old laptop rather than my new computer. Though I'm definitely getting this program when I get back home!
Enchantermon on 28/12/2010 at 23:54
Quote Posted by LancerChronics
Though I'm definitely getting this program when I get back home!
Malwarebytes is the best program I've found for detecting and eliminating malware, and it's free to boot. Definitely don't forget to do this.
LancerChronics on 2/1/2011 at 06:36
Indeed.
Happened again.
On my New Computer.
Thankfully my reaction time was lightning, so it took less than 20 seconds for me to force-shutdown my comp and boot into Safe Mode.
Guess what?
I picked it up while stumbling.
People are throwing viruses on StumbleUpon now.
Just a heads up.
And whoever put it out there recently updated it. Malwarebytes couldn't find it. Thankfully, I could.
All they did was move it from "/AppData" to "/AppData/Roaming", but it was enough to fool the Anti-Malware.
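Two points in this thread are worth turning into something checkable: Al_B's note that msconfig keeps a copy of every unchecked startup item under `HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg`, and the observation just above that the dropper only had to move from `AppData` to `AppData\Roaming` to dodge a signature scan. The PowerShell script below is an added example written for this page, not code from the thread or from any of the tools it mentions. It lists the per-user and machine-wide `Run`/`RunOnce` entries, flags any whose executable lives under the user's profile data folders (`%APPDATA%`, `%LOCALAPPDATA%`, `%USERPROFILE%`), reports whether the target file still exists, and enumerates the leftover msconfig entries, optionally deleting the ones whose target file is gone. The choice of autostart locations and the "executable under a profile folder is suspect" rule are the example's own assumptions; a full audit would also cover services, scheduled tasks and the Startup folders.

```powershell
# Added example (not from the thread): audit autostart entries for executables that
# live in user profile data folders, and list/prune msconfig's leftover "unchecked"
# startup records. Run from an elevated PowerShell prompt. Read-only unless -Remove
# is given, and even then it only deletes msconfig leftovers whose target file is gone.
param(
    [switch]$Remove
)

# Autostart keys inspected here. Assumption: these are the ones a logon-persistent
# rogue AV uses; services, scheduled tasks and Startup folders are out of scope.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# msconfig does not delete an unchecked startup item; it copies it to a subkey here
# (each subkey carries the original 'command' line and the 'key' it came from).
$msconfigKey = 'HKLM:\Software\Microsoft\Shared Tools\MSConfig\startupreg'

# Profile data folders where a per-user dropper typically lands. On Vista and later
# %APPDATA% already resolves to ...\AppData\Roaming, so both locations named in the
# thread are covered. LOCALAPPDATA is absent on XP, hence the null filter.
$userDataRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE) | Where-Object { $_ }

function Get-ImagePath {
    # Extract the executable path from a Run command line. Quoted paths are taken as-is;
    # for an unquoted line, prefer the whole string if it names an existing file
    # (unquoted paths with spaces are otherwise ambiguous), else cut at the first space.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    $expanded = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if (Test-Path -LiteralPath $expanded -PathType Leaf) { return $expanded }
    return ($expanded -split '\s+', 2)[0]
}

function Test-UnderUserData {
    # True when the path sits beneath one of the profile data roots.
    param([string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    foreach ($root in $userDataRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $image  = Get-ImagePath ([string]$item.GetValue($name))
        $flag   = if (Test-UnderUserData $image) { 'SUSPECT' } else { 'ok' }
        $exists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($image)) -PathType Leaf
        Write-Output ("{0,-7} {1}\{2} -> {3}  (file present: {4})" -f $flag, $key, $name, $image, $exists)
    }
}

# Leftover msconfig records: the list the thread's defender.exe kept reappearing in.
if (Test-Path -LiteralPath $msconfigKey) {
    Get-ChildItem -LiteralPath $msconfigKey | ForEach-Object {
        $entry  = Get-ItemProperty -LiteralPath $_.PSPath
        $image  = Get-ImagePath ([string]$entry.command)
        $exists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($image)) -PathType Leaf
        Write-Output ("msconfig leftover: {0}  from {1}\{2}  command={3}  file present: {4}" -f
            $_.PSChildName, $entry.hkey, $entry.key, $entry.command, $exists)
        if ($Remove -and -not $exists) {
            Remove-Item -LiteralPath $_.PSPath -Recurse
            Write-Output ("  removed {0}" -f $_.PSChildName)
        }
    }
}
```

Run it once without `-Remove` to see what is there; a `SUSPECT` line whose file is still present is exactly the pattern described in this post, and deleting the file alone leaves the `Run` value (and, once unchecked in msconfig, the `startupreg` copy) behind. Also check the opposite case: an entry that looks legitimate but points at a file that no longer exists is usually harmless debris, which is why the `-Remove` switch only prunes those.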
Renzatic on 2/1/2011 at 06:59
That's no surprise. Anti-Malware doesn't use heuristic-style scanning. It'll only find bugs that have been defined for it in an update.
And maybe it's time you try another antivirus program. Anti-Malware should be the last-ditch effort for stuff that gets by your main defenses. If something as common as this is getting through, you might want to move on to greener fields. Microsoft Security Essentials is surprisingly good, as is Avast. And you've got NOD32 and Kaspersky if you want to go the pay route. Also, I've been playing around with Immunet Protect, which is a cloud-based virus scanner that goes alongside your main scanner and supposedly gives you a nice extra layer of protection. It seems pretty decent so far.
But whichever you pick, you need something else. AVG doesn't sound like it's cutting it if it's letting stuff through.
LancerChronics on 2/1/2011 at 16:35
Quote Posted by Renzatic
That's no surprise. Anti-Malware doesn't use heuristic-style scanning. It'll only find bugs that have been defined for it in an update.
And maybe it's time you try another antivirus program. Anti-Malware should be the last-ditch effort for stuff that gets by your main defenses. If something as common as this is getting through, you might want to move on to greener fields. Microsoft Security Essentials is surprisingly good, as is Avast. And you've got NOD32 and Kaspersky if you want to go the pay route. Also, I've been playing around with Immunet Protect, which is a cloud-based virus scanner that goes alongside your main scanner and supposedly gives you a nice extra layer of protection. It seems pretty decent so far.
But whichever you pick, you need something else. AVG doesn't sound like it's cutting it if it's letting stuff through.
You may be right; I'll look into the free ones. The one thing I loved about AVG is that it didn't mess with any of my games or anything like that (like Norton sometimes does, I heard). Hopefully the ones you mentioned don't either.
Hrmm, comparison review: http://dottech.org/freeware-reviews/14151
I think I'll give Avast's Web Shield a try.