Having issues removing System Defender


I got infected by the System Defender malware yesterday and went through the process of using the latest Malwarebytes and ComboFix. I do not have the logs of what I did initially, but I will post the most recent ones. Here it goes:

7pm central time - I ran Malwarebytes using Quick Scan. It looked like it was working fine. The software was able to clean 741 infections, but System Defender would pop up again immediately. I then decided to scan one more time using Quick Scan and Full Scan. Both times it gave me 741 infections. Afterwards, I tried running ComboFix, but it refused to load.

8:30pm - After running the last scan, I tried loading any of the 3 safe mode options and received an error stating that it was not able to load properly. I think that the malware had something to do with it. However, I was able to get ComboFix running on my desktop, but I would come across this error:

"ComboFix has detected the following real time scanner(s) to be active: System Defender"

9pm - It took roughly 20 min for ComboFix to finish running. I then used Malwarebytes again, and this time it was only able to detect 4 infected files. I deleted them, then ran Malwarebytes again to be sure, and the same 4 files popped up again.

9:15pm - After that last ComboFix run at 8:30 I was finally able to access safe mode, choosing Safe Mode with Networking. I tried running ComboFix again but still came across the same error:

"http://www.spywarevoid.com/remove-windows-system-defender-windowssystemdefender-removal.html"

and Malwarebytes gave me the same results as mentioned at 9pm.

Short of performing a manual delete of the files and registry associated with it (I am not computer savvy at all and do not know how to perform this) using this website as reference: http://www.spywarevoid.com/remove-windows-...er-removal.html

I was not able to find any other articles relating to an easier method of resolving this issue.

Please help this poor soul. I think I got infected when I did a Google search on Black Friday deals and ventured to the wrong site.

Here is the latest log from MBAM:

Malwarebytes' Anti-Malware 1.40

Database version: 2750

Windows 5.1.2600 Service Pack 2 (Safe Mode)

11/17/2009 3:10:52 AM

mbam-log-2009-11-17 (03-10-52).txt

Scan type: Quick Scan

Objects scanned: 86086

Time elapsed: 2 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 4

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=233&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=233&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=233&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://search-gala.com/?&uid=233&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-----------------------------------------------------EDIT------------------------------------------

9:15pm - After that last ComboFix run at 8:30 I was finally able to access safe mode, choosing Safe Mode with Networking. I tried running ComboFix again but still came across the same error:

"ComboFix has detected the following real time scanner(s) to be active: System Defender"


Crap, I'm making a mess of myself on this forum. I apologize ahead of time.

Here is the latest log from ComboFix:

ComboFix 09-11-17.01 - mike t 11/17/2009 2:36.4.2 - x86 NETWORK

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2558.2162 [GMT -6:00]

Running from: c:\documents and settings\mike t\Desktop\Combo-Fix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

AV: System Defender *On-access scanning enabled* (Updated) {BF0A0FFF-949F-47FA-9F54-943CCA2C1160}

FW: System Defender *enabled* {D7875185-5881-4D10-8187-E9872E32232D}

.

((((((((((((((((((((((((( Files Created from 2009-10-17 to 2009-11-17 )))))))))))))))))))))))))))))))

.

2009-11-17 06:57 . 2009-11-17 06:57 -------- d-----w- c:\program files\Trend Micro

2009-11-17 03:31 . 2009-11-17 03:32 -------- d-sh--w- c:\documents and settings\mike t\Application Data\System Defender

2009-11-16 14:17 . 2009-11-16 14:17 6 ----a-w- C:\kernel32.sys

2009-11-16 14:17 . 2009-11-16 14:17 -------- d-sh--w- c:\documents and settings\All Users\Application Data\WSDDSys

2009-11-16 14:15 . 2009-11-16 14:17 -------- d-sh--w- c:\documents and settings\All Users\225bc67

2009-11-16 04:11 . 2009-11-16 04:11 -------- d-----w- c:\program files\iPod

2009-11-16 04:11 . 2009-11-16 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

2009-11-16 04:11 . 2009-11-16 04:12 -------- d-----w- c:\program files\iTunes

2009-11-16 04:10 . 2009-11-16 04:10 -------- d-----w- c:\program files\Bonjour

2009-11-16 04:08 . 2009-11-16 04:08 -------- d-----w- c:\documents and settings\mike t\Local Settings\Application Data\Apple

2009-11-16 04:08 . 2009-11-16 04:08 -------- d-----w- c:\program files\Apple Software Update

2009-11-16 04:08 . 2009-08-29 01:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-11-16 04:08 . 2009-08-29 01:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-11-16 04:07 . 2009-11-16 04:11 -------- d-----w- c:\program files\Common Files\Apple

2009-11-16 04:07 . 2009-11-16 04:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple

2009-10-29 02:58 . 2009-10-29 02:58 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-11-16 04:14 . 2006-10-23 00:35 61248 ----a-w- c:\documents and settings\mike t\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-16 04:14 . 2007-01-01 22:15 -------- d-----w- c:\documents and settings\mike t\Application Data\Apple Computer

2009-11-16 04:10 . 2007-01-01 22:13 -------- d-----w- c:\program files\QuickTime

2009-11-13 15:39 . 2009-01-22 00:59 -------- d-----w- c:\documents and settings\mike t\Application Data\FrostWire

2009-10-06 00:43 . 2009-10-06 00:43 -------- d-----w- c:\documents and settings\mike t\Application Data\Macrovision

2009-09-25 05:56 . 2004-08-04 01:07 662016 ------w- c:\windows\system32\wininet.dll

2009-09-25 05:56 . 2004-08-04 01:07 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-09-11 14:33 . 2004-08-04 01:07 133632 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-08 06:39 . 2008-08-31 20:41 3532 ----a-w- C:\drmHeader.bin

2009-09-07 08:44 . 2009-09-07 08:44 38052 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP2.exe

2009-09-07 08:44 . 2009-09-07 08:44 228000 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP3.exe

2009-09-07 08:44 . 2009-09-07 08:44 32432 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP1.dll

2009-09-07 08:44 . 2009-09-07 08:44 58540 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP1.sys

2009-09-07 08:44 . 2009-09-07 08:44 21168 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.dll

2009-09-07 07:49 . 2009-09-07 07:49 228000 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP1.exe

2009-09-07 07:45 . 2009-09-07 07:45 38052 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\APTemp\AP0.exe

2009-09-04 20:45 . 2004-08-04 01:07 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-08-26 08:16 . 2004-08-04 01:07 247326 ----a-w- c:\windows\system32\strmdll.dll

2006-05-06 16:42 . 2006-10-23 00:10 7260160 ----a-w- c:\program files\mozilla firefox\plugins\libvlc.dll

.

((((((((((((((((((((((((((((( SnapShot_2009-11-17_05.46.28 )))))))))))))))))))))))))))))))))))))))))

.

+ 2006-10-22 23:25 . 2009-11-17 07:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2006-10-22 23:25 . 2009-11-17 05:33 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]

"ISUSPM"="c:\documents and settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 222128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-24 85696]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-18 185896]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"SansaDispatch"="c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 75584]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"c:\\Program Files\\Trillian\\trillian.exe"=

"c:\\StubInstaller.exe"=

"c:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"=

"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

"c:\\Documents and Settings\\mike t\\Desktop\\World of Warcraft\\WoW-2.4.2.8278-to-2.4.3.8606-enUS-downloader.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Documents and Settings\\mike t\\Desktop\\World of Warcraft\\WoW-3.1.0.9767-to-3.1.1.9806-enUS-downloader.exe"=

"c:\\Program Files\\Opera\\opera.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Documents and Settings\\All Users\\225bc67\\WS225b.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"11321:TCP"= 11321:TCP:BitComet 11321 TCP

"11321:UDP"= 11321:UDP:BitComet 11321 UDP

"14712:TCP"= 14712:TCP:BitComet 14712 TCP

"14712:UDP"= 14712:UDP:BitComet 14712 UDP

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S2 mvcd;mvcd;c:\windows\system32\drivers\uklzcpy.sys --> c:\windows\system32\drivers\uklzcpy.sys [?]

S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/2/2008 9:19 PM 24652]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 7:27 PM 124608]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

.

Contents of the 'Scheduled Tasks' folder

2009-11-16 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-11-17 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-05-12 03:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.ask.com/?o=101676&l=dis

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

Trusted Zone: ercot.com

FF - ProfilePath - c:\documents and settings\mike t\Application Data\Mozilla\Firefox\Profiles\5kj8onqo.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=

FF - prefs.js: browser.startup.homepage - www.yahoo.com

FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101664&gct=&gc=1&q=

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-17 02:39

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{234399AF-0FDB-9235-B859A4E3AC2ADE1B}\{19B8A235-5775-8B53-4D38DBAF8988D503}\{76727453-9A12-1EF5-D0F3E23CAC7A8CDF}*]

"XOGCPEUPGZA3BTOUPKIJ6FJXTE1"=hex:01,00,01,00,00,00,00,00,9a,27,1e,8a,da,80,81,

12,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

.

Completion time: 2009-11-17 02:43

ComboFix-quarantined-files.txt 2009-11-17 08:41

ComboFix2.txt 2009-11-17 07:46

ComboFix3.txt 2009-11-17 05:51

ComboFix4.txt 2009-09-07 07:52

Pre-Run: 7,008,595,968 bytes free

Post-Run: 6,968,057,856 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - 9A148D5D26A97AE04A974330E0147302

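The firewall AuthorizedApplications list in the ComboFix log above is worth a second look on its own: next to the expected entries for BitComet, Firefox and iTunes it carries "%windir%\system32\drivers\svchost.exe" (the real svchost.exe lives in system32, not in the drivers folder) and "c:\Documents and Settings\All Users\225bc67\WS225b.exe" (a freshly created, hex-named folder that also shows up in the "Files Created" section). The following is an added example, not part of the original post and not ComboFix code, that parses lines in that registry-export format and flags paths that do not belong. The WINDIR value, the SYSTEM_BINARIES set and the hex-directory heuristic are assumptions made for the example; the sample lines are copied from the log.

```python
import ntpath
import re

# Constructed sample: lines copied from the ComboFix firewall
# AuthorizedApplications list above (registry-export format, so every
# backslash is doubled).
SAMPLE_FIREWALL = r'''
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\All Users\\225bc67\\WS225b.exe"=
'''

ENTRY_RE = re.compile(r'^"(.+?)"=\s*$')

# Assumption: %windir% expands to c:\windows on this XP machine.
WINDIR = r"c:\windows"
# Core binaries that legitimately live only in %windir% or %windir%\system32
# (assumed list; extend it for your own environment).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "csrss.exe", "smss.exe", "explorer.exe"}
# Heuristic: a directory whose name is nothing but hex digits (e.g. 225bc67)
# is typical of dropper-created folders. It can hit a legitimate name such
# as "added", so treat a match as a lead, not a verdict.
HEXISH_DIR = re.compile(r"^[0-9a-f]{5,}$", re.I)


def parse_exceptions(text):
    """Return the executable paths from an AuthorizedApplications dump."""
    paths = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            # Collapse the doubled backslashes of the registry export.
            paths.append(m.group(1).replace("\\\\", "\\"))
    return paths


def audit_path(path):
    """Return the reasons (possibly none) this exception looks out of place."""
    expanded = path.lower().replace("%windir%", WINDIR)
    directory, name = ntpath.split(expanded)
    parts = [p for p in directory.split("\\") if p]
    reasons = []
    allowed = (WINDIR, ntpath.join(WINDIR, "system32"))
    if name in SYSTEM_BINARIES and directory not in allowed:
        reasons.append(f"{name} outside the Windows system directory")
    if any(HEXISH_DIR.match(p) for p in parts):
        reasons.append("random-looking hex directory name in path")
    if len(parts) == 1 and re.fullmatch(r"[a-z]:", parts[0]):
        reasons.append("executable sitting in the drive root")
    return reasons


def audit_firewall_exceptions(text):
    """Parse the dump and keep only the entries that have at least one reason."""
    findings = []
    for path in parse_exceptions(text):
        reasons = audit_path(path)
        if reasons:
            findings.append({"path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_firewall_exceptions(SAMPLE_FIREWALL):
        print(finding["path"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the seven sample lines it reports three entries: the svchost.exe in the drivers folder, the WS225b.exe under the hex-named folder, and c:\StubInstaller.exe in the drive root. The last one is only a lead (a stale installer left in the root is common), which is why each finding carries its reasons rather than a single score.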

And finally, here is a log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:47:17 AM, on 11/17/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Opera\opera.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101676&l=dis

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirec...p;gc=1&q=%s

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O1 - Hosts: ::1 localhost

O1 - Hosts: 91.212.65.122 browser-security.microsoft.com

O1 - Hosts: 91.212.65.122 spyware-protector-2009.com

O1 - Hosts: 91.212.65.122 www.spyware-protector-2009.com

O1 - Hosts: 91.212.65.122 secure.spyware-protector-2009.com

O1 - Hosts: 91.212.65.122 knocker

O1 - Hosts: 74.125.45.100 4-open-davinci.com

O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com

O1 - Hosts: 74.125.45.100 privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com

O1 - Hosts: 74.125.45.100 getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.getantivirusplusnow.com

O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com

O1 - Hosts: 74.125.45.100 www.getavplusnow.com

O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com

O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com

O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com

O1 - Hosts: 74.125.45.100 paysoftbillsolution.com

O1 - Hosts: 89.248.168.186 google.ae

O1 - Hosts: 89.248.168.186 google.as

O1 - Hosts: 89.248.168.186 google.at

O1 - Hosts: 89.248.168.186 google.az

O1 - Hosts: 89.248.168.186 google.ba

O1 - Hosts: 89.248.168.186 google.be

O1 - Hosts: 89.248.168.186 google.bg

O1 - Hosts: 89.248.168.186 google.bs

O1 - Hosts: 89.248.168.186 google.ca

O1 - Hosts: 89.248.168.186 google.cd

O1 - Hosts: 89.248.168.186 google.com.gh

O1 - Hosts: 89.248.168.186 google.com.hk

O1 - Hosts: 89.248.168.186 google.com.jm

O1 - Hosts: 89.248.168.186 google.com.mx

O1 - Hosts: 89.248.168.186 google.com.my

O1 - Hosts: 89.248.168.186 google.com.na

O1 - Hosts: 89.248.168.186 google.com.nf

O1 - Hosts: 89.248.168.186 google.com.ng

O1 - Hosts: 89.248.168.186 google.ch

O1 - Hosts: 89.248.168.186 google.com.np

O1 - Hosts: 89.248.168.186 google.com.pr

O1 - Hosts: 89.248.168.186 google.com.qa

O1 - Hosts: 89.248.168.186 google.com.sg

O1 - Hosts: 89.248.168.186 google.com.tj

O1 - Hosts: 89.248.168.186 google.com.tw

O1 - Hosts: 89.248.168.186 google.dj

O1 - Hosts: 89.248.168.186 google.de

O1 - Hosts: 89.248.168.186 google.dk

O1 - Hosts: 89.248.168.186 google.dm

O1 - Hosts: 89.248.168.186 google.ee

O1 - Hosts: 89.248.168.186 google.fi

O1 - Hosts: 89.248.168.186 google.fm

O1 - Hosts: 89.248.168.186 google.fr

O1 - Hosts: 89.248.168.186 google.ge

O1 - Hosts: 89.248.168.186 google.gg

O1 - Hosts: 89.248.168.186 google.gm

O1 - Hosts: 89.248.168.186 google.gr

O1 - Hosts: 89.248.168.186 google.ht

O1 - Hosts: 89.248.168.186 google.ie

O1 - Hosts: 89.248.168.186 google.im

O1 - Hosts: 89.248.168.186 google.in

O1 - Hosts: 89.248.168.186 google.it

O1 - Hosts: 89.248.168.186 google.ki

O1 - Hosts: 89.248.168.186 google.la

O1 - Hosts: 89.248.168.186 google.li

O1 - Hosts: 89.248.168.186 google.lv

O1 - Hosts: 89.248.168.186 google.ma

O1 - Hosts: 89.248.168.186 google.ms

O1 - Hosts: 89.248.168.186 google.mu

O1 - Hosts: 89.248.168.186 google.mw

O1 - Hosts: 89.248.168.186 google.nl

O1 - Hosts: 89.248.168.186 google.no

O1 - Hosts: 89.248.168.186 google.nr

O1 - Hosts: 89.248.168.186 google.nu

O1 - Hosts: 89.248.168.186 google.pl

O1 - Hosts: 89.248.168.186 google.pn

O1 - Hosts: 89.248.168.186 google.pt

O1 - Hosts: 89.248.168.186 google.ro

O1 - Hosts: 89.248.168.186 google.ru

O1 - Hosts: 89.248.168.186 google.rw

O1 - Hosts: 89.248.168.186 google.sc

O1 - Hosts: 89.248.168.186 google.se

O1 - Hosts: 89.248.168.186 google.sh

O1 - Hosts: 89.248.168.186 google.si

O1 - Hosts: 89.248.168.186 google.sm

O1 - Hosts: 89.248.168.186 google.sn

O1 - Hosts: 89.248.168.186 google.st

O1 - Hosts: 89.248.168.186 google.tl

O1 - Hosts: 89.248.168.186 google.tm

O1 - Hosts: 89.248.168.186 google.tt

O1 - Hosts: 89.248.168.186 google.us

O1 - Hosts: 89.248.168.186 google.vu

O1 - Hosts: 89.248.168.186 google.ws

O1 - Hosts: 89.248.168.186 google.co.ck

O1 - Hosts: 89.248.168.186 google.co.id

O1 - Hosts: 89.248.168.186 google.co.il

O1 - Hosts: 89.248.168.186 google.co.in

O1 - Hosts: 89.248.168.186 google.co.jp

O1 - Hosts: 89.248.168.186 google.co.kr

O1 - Hosts: 89.248.168.186 google.co.ls

O1 - Hosts: 89.248.168.186 google.co.ma

O1 - Hosts: 89.248.168.186 google.co.nz

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [sansaDispatch] "C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

O4 - HKCU\..\Run: [iSUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 9732 bytes

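The O1 section of the HijackThis log above shows two hosts-file tricks at once: the rogue's own affiliate and payment domains (spyware-protector-2009.com, securitysoftwarepayments.com, ...) are pinned to 91.212.65.122 and 74.125.45.100, and nearly a hundred google.* country domains are pointed at 89.248.168.186, so searches leave the machine through the attacker's server. The following is an added example, not part of the original post and not HijackThis code, that parses O1 lines, groups every non-loopback mapping by target address and explains why each group matters. The HIGH_VALUE_RE pattern and the ROGUE_WORDS list are assumed heuristics; the sample lines are a subset copied from the log.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: a subset of the O1 lines from the HijackThis log above,
# plus one O2 line to show that the parser ignores other sections.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 spyware-protector-2009.com
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 89.248.168.186 google.de
O1 - Hosts: 89.248.168.186 google.fr
O1 - Hosts: 89.248.168.186 google.co.jp
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$")

# Domains whose resolution an attacker wants to control: search engines and
# the OS vendor. Assumed list for the example, extend it as needed.
HIGH_VALUE_RE = re.compile(r"(^|\.)(google|microsoft)\.", re.I)
# Words typical of rogue-AV affiliate and payment domains (assumed heuristic).
ROGUE_WORDS = ("spyware", "antivirus", "payment", "protector", "secure")


def parse_hosts_entries(log_text):
    """Return (ip, hostname) pairs for every O1 line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2).lower()))
    return entries


def is_local(ip_text):
    """True for loopback/unspecified addresses, which a clean hosts file may carry."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def classify_hosts_entries(entries):
    """Group every non-loopback mapping by target IP and explain why it matters."""
    by_ip = defaultdict(list)
    for ip, host in entries:
        if not is_local(ip):
            by_ip[ip].append(host)
    findings = []
    for ip, hosts in by_ip.items():
        reasons = ["maps a name to a remote address (a clean hosts file only has loopback)"]
        if len(hosts) > 1:
            reasons.append(f"{len(hosts)} hostnames pinned to one address")
        if any(HIGH_VALUE_RE.search(h) for h in hosts):
            reasons.append("redirects a high-value domain (search engine or vendor)")
        if any(w in h for h in hosts for w in ROGUE_WORDS):
            reasons.append("rogue-AV style affiliate or payment domain")
        findings.append({"ip": ip, "hosts": sorted(hosts), "reasons": reasons})
    # Most-abused address first: the google.* block floats to the top.
    findings.sort(key=lambda f: len(f["hosts"]), reverse=True)
    return findings


if __name__ == "__main__":
    for finding in classify_hosts_entries(parse_hosts_entries(SAMPLE_LOG)):
        print(finding["ip"], "<-", ", ".join(finding["hosts"]))
        for reason in finding["reasons"]:
            print("   -", reason)
```

On the sample the "::1 localhost" line is accepted as local and the three remote addresses are reported, with 89.248.168.186 first because it carries the most names. Grouping by address rather than listing line by line is what makes the pattern obvious: one IP collecting dozens of google.* names is a redirect, not a stray entry. Once confirmed, the repair is to put the hosts file back to its single loopback line rather than to prune entries one at a time.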

Correct me if I am wrong. I guess what I am trying to say is I think that this error, "ComboFix has detected the following real time scanner(s) to be active: System Defender", is preventing me from completely eradicating this malware, or there are other files I need to remove to prevent this malware from cloning itself, or it could be something else entirely.

I would appreciate it if y'all can help guide me through this arduous task.


  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
