I ran into a strange virus/trojan last night called Windows Defender*. It installed on my computer (not sure how) and it looked like a virus-scan or spyware-removal dashboard. I tried to close it so that I could uninstall it, but it just went into the system tray. Right-clicking the system tray icon didn't show an 'Exit' or 'Shut Down' option, so I went to Task Manager to kill the process. Task Manager would open for a second, then close. I tried it over and over thinking "oh crap". I rebooted, and the 'Defender' app started up immediately and proceeded to end other processes. I tried Task Manager again, and it closed after a second. I opened up Firefox to try and look it up, and Firefox closed after a second. Everything I tried to open would close almost immediately (even running 'cmd' and 'msconfig.exe').
During one of the times Task Manager flashed open, I saw that one of the processes was 'defender.exe'. I opened Windows Explorer, which luckily stayed open, and searched for it. Sure enough, defender.exe was sitting in the Users directory (I'm running Vista). I tried to delete, but couldn't because the process was running. So I renamed it and rebooted. This time, it didn't run on startup, so I quickly went in and deleted defender.exe and went into msconfig.exe and removed it from startup. I also went into the registry and removed all entries that contained 'defender.exe'.
It was 1:30am by the time I got rid of it, so I shut down my machine and went to bed. Tonight, I plan on doing a full system scan: AVG, Ad-Aware, and a few of the programs mentioned in this thread. From what I gathered, it was just a bogus app that tries to get people to buy "full version" to get rid of whatever virus it says you have.
I think everything is ok now, but just want to make sure. Anything else I should be doing or looking for?
==========
* Not THE Windows Defender, just trying to disguise itself as legit.