Remove "Malware Defender 2009"

It is MALWARE!

Description and removal instructions

Title: Malware Defender 2009
Programs to remove Malware Defender 2009:

• Malwarebytes Anti-Malware
• Windows Defender


Malware Defender 2009 is a rogue anti-spyware application. It is very similar to System Guard 2009 and Spyware Guard 2009, so it is reasonable to assume that all three were created by the same group of scammers. Malware Defender 2009 is usually promoted by trojans such as Vundo or similar. These trojans display fake security alerts and pop-up windows about various security threats and suggest downloading Malware Defender 2009 to remove those infections or to protect the system from further ones.

Once installed and active, Malware Defender 2009 is configured to load automatically when the user starts the computer. The rogue performs a fake system scan and lists various malware infections that supposedly cannot be removed until the user purchases the full version of Malware Defender 2009. All of those infections are fake: they are made up to frighten the user into buying a worthless spyware remover. Malware Defender 2009 is accompanied by another component, C:\Windows\System32\wcenter.exe. This trojan may also display a fake Windows Security Center window listing various security problems. Malware Defender 2009 should therefore be removed as soon as it is detected; otherwise it can cause further damage and degrade system performance.


Related files: uninstall.lnk, Malware Defender 2009.lnk, install.exe, vifwnhzqoe.dll, hdddriver.dll, c.cgm, t.id, svchos.exe, win.exe, wcenter.exe, vmreg.dll, sysexplorer.exe, syscert.exe, sys.com, spoolsystem.exe, reged.exe, vbase.vdb, Uninstall.exe, queue.vdb, quarantine.vdb, mbase.vdb, conf.cfg, malwaredef.exe

Malware Defender 2009 properties:
• Changes browser settings
• Shows commercial adverts
• Connects itself to the internet
• Stays resident in background

The filename WCENTER.EXE was first seen on Mar 5 2009 in the Prevx community.


Malware Defender 2009 removal

Malware Defender 2009 manual removal:

Kill processes:
malwaredef.exe uninstall.exe reged.exe spoolsystem.exe syscert.exe wcenter.exe svchos.exe install.exe

Delete registry values:
HKEY_CLASSES_ROOT\CLSID\{3F0691F1-70E6-44A9-938A-1DC356674878}
HKEY_CLASSES_ROOT\CLSID\{8B2C743A-D44A-4A93-8233-ABEE8BF8ED62}
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defender 2009
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malware Defender 2009
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "updater"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "malwaredef"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad "DriversLoad"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad "HardwareDrivers"

Unregister DLLs:
hdddriver.dll vifwnhzqoe.dll

Delete files:
conf.cfg malwaredef.exe mbase.vdb quarantine.vdb queue.vdb uninstall.exe vbase.vdb reged.exe spoolsystem.exe sys.com syscert.exe sysexplorer.exe vmreg.dll wcenter.exe win.exe svchos.exe t.id c.cgm hdddriver.dll vifwnhzqoe.dll install.exe Malware Defender 2009.lnk Uninstall.lnk

Delete directories:
c:\Program Files\Malware Defender 2009
c:\Documents and Settings\All Users\Application Data\Microsoft\Media Index\Drivers

Example: Malwarebytes' Anti-Malware scan log from an infected machine. wcenter.exe is detected as Trojan.FakeAlert; note that the same machine also carried a TDSS rootkit, a backdoor and other rogues (Rogue.ProofDefender, Personal Guard 2009) that the manual procedure above does not cover, which is why a full scan is recommended after manual removal:

Malwarebytes' Anti-Malware 1.41
Database version: 2863
Windows 5.1.2600 Service Pack 3

9/26/2009 4:41:21 PM
mbam-log-2009-09-26 (16-41-04).txt

Scan type: Quick Scan
Objects scanned: 110807
Time elapsed: 10 minute(s), 44 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 10

Memory Processes Infected:
C:\WINDOWS\system32\wcenter.exe (Trojan.FakeAlert) ->

Memory Modules Infected:
C:\Documents and Settings\All Users\Microsoft Private Data\Microsoft\xocacthslj.dll (Rogue.ProofDefender) ->

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77dc0b63-1535-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) ->
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) ->
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Rogue.ProofDefender) ->
HKEY_CLASSES_ROOT\CLSID\{21bfdc44-d1c4-43d2-9dc5-574e7ef3a718} (Rogue.ProofDefender) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Personal Guard 2009 (Rogue.PersonalGuard2009) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gasfkyidicjjtb (Rootkit.TDSS) ->

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\systemloading (Rogue.ProofDefender) ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) ->

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Microsoft Private Data (Rogue.ProofDefender) ->
C:\Documents and Settings\All Users\Microsoft Private Data\Microsoft (Rogue.ProofDefender) ->

Files Infected:
C:\WINDOWS\system32\wcenter.exe (Trojan.FakeAlert) ->
C:\Documents and Settings\All Users\Microsoft Private Data\Microsoft\setup.exe (Rogue.ProofDefender) ->
C:\Documents and Settings\All Users\Microsoft Private Data\Microsoft\t.id (Rogue.ProofDefender) ->
C:\Documents and Settings\All Users\Microsoft Private Data\Microsoft\tr.c (Rogue.ProofDefender) ->
C:\Documents and Settings\All Users\Microsoft Private Data\Microsoft\xocacthslj.dll (Rogue.ProofDefender) ->
C:\WINDOWS\system32\bincd32.dat (Malware.Trace) ->
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) ->
C:\WINDOWS\system32\wispex.html (Malware.Trace) ->
C:\WINDOWS\system32\gasfkycgogcvgg.dat (Rootkit.TDSS) ->
C:\WINDOWS\system32\gasfkyoyygqvbc.dat (Rootkit.TDSS) ->
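The scan log above and the manual removal list describe the same infection from two angles. The script below is an added example, not code from the original page, from Malwarebytes or from the rogue's authors: it parses an MBAM 1.x text log in the format shown, checks that the header counts match the number of detail lines, reports which detections are explained by the indicator list in the manual removal section and which are not, and flags entries whose recorded action is not a successful removal. The embedded SAMPLE_LOG is a constructed excerpt in the same format as the log above; the "Rogue.MalwareDefender" family label in it is assumed, not taken from a real scan.

```python
"""Parse an MBAM 1.x text log and check it against this page's indicator list.

Added example for this page; not code from the original page, from Malwarebytes
or from the rogue's authors.  SAMPLE_LOG is a constructed excerpt in the same
format as the scan log above; its "Rogue.MalwareDefender" label is assumed.
"""
import re
from collections import Counter

# Indicators copied from the manual removal section above (file names, registry
# value names and registry key names).  Matching is case-insensitive on the last
# path component, since the rogue drops copies under several directories.
IOC_NAMES = {
    "conf.cfg", "malwaredef.exe", "mbase.vdb", "quarantine.vdb", "queue.vdb",
    "uninstall.exe", "vbase.vdb", "reged.exe", "spoolsystem.exe", "sys.com",
    "syscert.exe", "sysexplorer.exe", "vmreg.dll", "wcenter.exe", "win.exe",
    "svchos.exe", "t.id", "c.cgm", "hdddriver.dll", "vifwnhzqoe.dll",
    "install.exe", "malware defender 2009.lnk", "uninstall.lnk",
    "updater", "malwaredef", "driversload", "hardwaredrivers",  # Run / SSODL values
    "{3f0691f1-70e6-44a9-938a-1dc356674878}",                     # CLSID keys
    "{8b2c743a-d44a-4a93-8233-abee8bf8ed62}", "malware defender 2009",
}
# "Files Infected: 10" (header block) or "Files Infected:" (detail block)
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):\s*(\d+)?\s*$")
# "<path or registry path> (<family>) -> <action>"
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) ->(?P<action>.*)$")

def parse_mbam_log(text):
    """Return (summary, entries).  summary maps section name -> header count;
    entries are dicts (section, item, family, action); action is '' if cut off."""
    summary, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            name, count = m.groups()
            if count is not None:
                summary[name] = int(count)      # header block
            else:
                section = name                  # start of a detail block
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            entries.append({"section": section, "item": m["item"],
                            "family": m["family"],
                            "action": m["action"].strip().rstrip(".")})
    return summary, entries

def check_counts(summary, entries):
    """Sections whose header count differs from the number of detail lines;
    non-empty means the log is truncated or edited and is not a complete record."""
    seen = Counter(e["section"] for e in entries)
    return {n: (c, seen.get(n, 0)) for n, c in summary.items() if c != seen.get(n, 0)}

def basename(item):
    """Last component of a file path or registry path, lower-cased."""
    return item.rstrip("\\").rsplit("\\", 1)[-1].lower()

def cross_reference(entries):
    """Split entries into those explained by the page's indicator list and those
    that the manual procedure above would leave on the machine."""
    covered = [e for e in entries if basename(e["item"]) in IOC_NAMES]
    uncovered = [e for e in entries if basename(e["item"]) not in IOC_NAMES]
    return covered, uncovered

def not_removed(entries):
    """Entries whose recorded action is not a successful removal or unload
    (this includes every entry of a log that was cut off at '->')."""
    return [e for e in entries if "successfully" not in e["action"].lower()]

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.41

Memory Processes Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 2
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\system32\wcenter.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defender 2009 (Rogue.MalwareDefender) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gasfkyidicjjtb (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malwaredef (Rogue.MalwareDefender) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\DriversLoad (Rogue.MalwareDefender) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\wcenter.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Malware Defender 2009\malwaredef.exe (Rogue.MalwareDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Microsoft Private Data\Microsoft\t.id (Rogue.ProofDefender) -> No action taken.
C:\WINDOWS\system32\gasfkycgogcvgg.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    summary, entries = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", check_counts(summary, entries) or "none")
    covered, uncovered = cross_reference(entries)
    print("explained by the manual list:", len(covered))
    print("NOT in the manual list:", [e["item"] for e in uncovered])
    print("not removed:", [e["item"] for e in not_removed(entries)])
```

Two checks matter before trusting a log like the one above as proof of a clean machine. First, the action after "->" is missing on every line of the page's log, so not_removed() would flag all of them: a log with truncated actions or mismatched section counts does not record what was actually quarantined. Second, the uncovered list shows why the manual procedure alone is not enough: the same machine carried a TDSS rootkit and a second rogue, which the file and registry lists in the manual removal section do not cover, so a scanner with rootkit support has to follow the manual steps.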