Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

Malware Defense Analysis and Removal

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg |

Malware Defense extensively uses the Windows logo, icons and other design elements in its interface. This rogue software installs the notorious ‘fake windows security center‘ (wscsvc32.exe). The Virus Protection part of the fake windows security center urges the victim to activate Malware Defense license. ‘Fake security center alerts‘ about Windows Firewall detecting unauthorized activity are displayed every few minutes. The scare messages about non-existent malware come in many shapes and colors including Windows UAC like darkening of the screen and very frequent, making the computer unusable.

Once installed this scareware tried to get rid of MalwareBytes’s Anti-Malware

There is unauthorized antivirus software detected on your computer. It is recommended you to remocve it, otherwise it could conflict with Malware Defense. Press ‘OK’ to remove Malwarebytes’ anti-Malware_is1.

Trying to get rid of MBAM

Trying to get rid of MBAM

There is no cancel button, the legitimate MalwareBytes’ Anti-Malware uninstallation program is triggered even if the user does not press ‘OK’ and instead closes the alert window. An alert user will click ‘No‘ to stop the uninstallation.

Malware Defense plants internet shortcuts to, and on the desktop.

This rogue security software comes with an uninstaller, when run it asks for the reason for uninstallation. Once some text is typed into the box provided, the scareware proceeds to run what seems like an uninstallation routine. Malware Defense re-installs itself after some time or on restart.

A rogue security software such as Malware Defense belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own.

Malware Defense Aliases

This scareware is known by the following aliases:

  • CoreGuardAntivirus2009
  • Trojan.Vundo.Gen
  • Win32:Jifas-CO
  • Packed.Win32.Tdss
  • FakeAlert-FQ
  • Trojan:Win32/FakeCog
  • Adware/MalwareDefense
  • RogueAntiSpyware.Coreguard Antivirus 2009 Mal/FakeAV-CB

Typical Malware Defense Scare Messages

There are some serious security threats detected on your computer. Please, remove them ASAP. It is recommended you to activate (buy) Malware Defense license for your computer full protection.

Defenseless OS: Windows 2000/XP/Visata Description: Blocks access to computer. Attacks porn sites visitors. Protection: Please, click the balloon to et details.


Your computer and all your personal data are in serious danger. Please click the balloon to get details.

Malware Defense Scare messages

Malware Defense Scare messages

The trojan dropper file is named setup.exe and it is detected by only 8/41 (19.52%) of the antivirus engines available at VirusTotal. This file creates two files settdebux.exe and wscsvc32.exe in the temporary folder of the user and registers the processes to be executed at system start.

Malware Defense Associated Files and Folders

  • C:\Program Files\Malware Defense\mdefense.exe
  • C:\Program Files\malware Defense\help.ico
  • C:\Program Files\malware Defense\md.db
  • C:\Program Files\Malware Defense\mdext.dll
  • C:\Documents and Settings\\Start Menu\Programs\malware Defense\Malware Defense Support.lnk
  • C:\Documents and Settings\\Start Menu\Programs\malware Defense\Malware Defense.lnk
  • C:\Documents and Settings\\Start Menu\Programs\malware Defense\Uninstall Malware Defense.lnk
  • C:\Documents and Settings\\Local Settings\Temp\settdebugx.exe
  • C:\Documents and Settings\\Local Settings\Temp\wscsvc32.exe
  • C:\WINDOWS\Prefetch\
  • C:\Documents and Settings\\Desktop\Malware Defense.lnk
  • C:\Documents and Settings\\Desktop\Malware Defense Support.lnk
  • C:\Documents and Settings\\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Defense.lnk
  • C:\Documents and Settings\All Users\Desktop\
  • C:\Documents and Settings\All Users\Desktop\
  • C:\Documents and Settings\All Users\Desktop\
  • C:\System Volume Information\_restore{D3113EBC-D804-4C81-9A6A-F59373F8925A}\RP11\A0000980.dll
  • C:\System Volume Information\_restore{D3113EBC-D804-4C81-9A6A-F59373F8925A}\RP11\A0000982.exe
  • C:\System Volume Information\_restore{D3113EBC-D804-4C81-9A6A-F59373F8925A}\RP11\A0000989.exe
  • C:\System Volume Information\_restore{D3113EBC-D804-4C81-9A6A-F59373F8925A}\RP11\A0000996.exe
  • C:\System Volume Information\_restore{D3113EBC-D804-4C81-9A6A-F59373F8925A}\RP9\A0000963.exe
  • C:\Program Files\malware Defense
  • C:\Documents and Settings\\Start Menu\Programs\malware Defense

Some of the file names may be randomly generated.

Malware Defense Associated Registry Values and Keys

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malware defense
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\settdebugx.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Malware Defense

Malware Defense Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • http://copyscaner. cn
  • http://onlinesecuretenants. cn
  • http://onlinesecureserver. cn
  • http://virusscaner. cn
  • http://seekingout. cn
  • http://scanerextended. cn
  • http://onlinesecurestorage. cn

Note: Visiting the domains mentioned above may harm your computer system.

Malware Defense Removal (How to remove Malware Defense)

The free version of MalwareBytes’s Anti-Malware Free edition appear to remove Malware Defense Scareware completely.

  1. Use an alternate browser like Firefox or Chrome to download and Install MalwareBytes’s Anti-Malware.
  2. Download CCleaner Slim version.
  3. Boot in to Windows Safe Mode.
  4. Choose a full-scan with MalwareBytes’s Anti-Malware. Once the scan is completed, click “Show results”, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. Restart into normal mode to complete the removal process.
  5. Turn System Restore off and on.
  6. Install, scan and clean the temporary files with CCleaner.

You should now be clean of this rogue.

Malware Defense Scareware — Screenshots

Malware Defense Scareware — Video

Note: The Malware Defense installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

{ 9 comments… read them below or add one }

Davide January 13, 2010 at 10:01 PM

Removed! Thanks really a lot for your useful insights!


Michael J January 14, 2010 at 10:21 AM

Thank you so much for the easy to follow instructions. Everything worked. I did experience a few interesting things:

1. When trying to download the anti-malware, my browser was hijacked repeatedly. The URL kept changing after clicking the link in Google. I finally had to hand type the web address.

2. After I got the remover downloaded, the malware would not let me run the setup executable. I ended up renaming the setup file just so I could run the setup.

3. Once the setup ran, I ran into the same problem trying to run the malware remover program. Again, I renamed the executable and then it ran.

I wish smart people who can write this kind of code would spend their time in legitimate businesses.

Thanks again for your help.



Shanmuga January 14, 2010 at 10:34 AM

Glad to help. Thanks for your comments!

Bill Landau January 19, 2010 at 7:40 AM

Same problem as Michael J – downloaded Malwarebytes Antimalware on another computer, installed on the infected computer. It wouldn’t run – Task Manager showed the process, but no application. Tried renaming the executable, but with no success.

Anybody have any other ideas?


Shanmuga January 19, 2010 at 7:44 AM

Did you try in Safe mode?

Bill Landau January 19, 2010 at 8:31 AM

Yes. That was in safe mode. had the trick. Had to boot up normal, run Rkill, which kills all the running processes for Malware Defense. Then could install Malwarebytes Antimalware, which is running on the infected computer right now.

But thanks for a very helpful site. The one bit of a silver lining with all of these miserable malware writers is that there are quite a few sites helping out those of us who get bit.


Maria Albernai January 22, 2010 at 11:11 AM

I managed to get rid of malware defense it self, but I can’t seem to get rid of the fake Windows Security Alerts in the toolbar, and it consistently re-download malware defense….


Umayr Ahmad January 25, 2010 at 1:04 AM

I tried running rkill on my computer but i can’t since it keeps freezing… please! i need my computer for tomorrow but can’t get it to work…..i would appreciate any help.


Matt Gilbert March 23, 2010 at 11:48 PM

The solution is simple. Get rid of windoze. Install LINUX


Leave a Comment

Previous post:

Next post: