WiredWX Christian Hobby Weather Tools
malware defender 2009

Hey guys,
I've found this forum to see if anyone can help me remove the Malware Defender 2009 virus. It is really annoying me. Cheers.

Re: malware defender 2009

Hello.
This is a family forum; please don't use bad words.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: malware defender 2009

Cheers, sorry for the cursing.

Re: malware defender 2009

DDS (Ver_09-03-16.01) - NTFSx86
Run by Jason at 11:20:16.76 on Sat 04/11/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.759.196 [GMT 10:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\msa.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CreataCard\Gold\FMRemind.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Advanced Browser\browser.exe
C:\WINDOWS\system32\wcenter.exe
c:\program files\avira\antivir personaledition classic\avcenter.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avscan.exe
C:\Program Files\Malware Defender 2009\malwaredef.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jason\Local Settings\Temporary Internet Files\Content.IE5\YX0MZ1QI\dds[1].scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page =
uSearch Page = hxxp://internetsearchservice.com
uDefault_Search_URL = hxxp://internetsearchservice.com
uWindow Title = Windows Internet Explorer provided by Yahoo!7
uDefault_Page_URL = hxxp://au.yahoo.com
uSearch Bar = hxxp://internetsearchservice.com/ie6.html
uSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
mDefault_Page_URL = hxxp://au.yahoo.com
mDefault_Search_URL = hxxp://internetsearchservice.com
mSearch Page = hxxp://internetsearchservice.com
mStart Page = hxxp://au.yahoo.com
mSearch Bar = hxxp://internetsearchservice.com/ie6.html
mSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
uInternet Settings,ProxyOverride =
uSearchAssistant = hxxp://internetsearchservice.com
mSearchURL = hxxp://internetsearchservice.com
mSearchAssistant = hxxp://internetsearchservice.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: XML Class: {500bca15-57a7-4eaf-8143-8c619470b13d} - c:\windows\system32\msxml71.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
TB: Webshots Toolbar: {c17590d2-ecb4-4b15-8820-f58798dcc118} - c:\program files\webshots\WSToolbar4IE.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: {80DAB143-0FD4-4758-8DD8-F131515F524A} - No File
uRun: [SMSystemAnalyzer] "c:\program files\iolo\system mechanic professional 6\SMSystemAnalyzer.exe"
uRun: [Spyware Begone] "c:\spywarebegone\SpywareBeGone.exe" -FastScan
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [Cognac] c:\docume~1\jason\locals~1\temp\1.tmp.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NeroCheck] c:\windows\system32\\NeroCheck.exe
mRun: [PC-Checkup] "c:\program files\pc check-up\PCCheckUp.exe" -mini
mRun: [AntiSpyCheck 2.1.0] "c:\program files\antispycheck\AntiSpyCheck.exe"
mRun: [malwaredef] c:\program files\malware defender 2009\malwaredef.exe
mRun: [SpyHunter Security Suite] c:\program files\enigma software group\spyhunter\SpyHunter3.exe
dRun: [msnsc] c:\windows\system32\msnsc.exe
dRun: [Cognac] c:\windows\temp\12.tmp.exe
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\jason\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\creata~1.lnk - c:\program files\creatacard\gold\FMRemind.exe
IE: &Webshots Photo Search - c:\program files\webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
DPF: {96EEC7FF-106A-47F3-90D6-B4BB754AA40E} - hxxps://autxn.paywithpoli.com/ewcustomer/POLiPayOnline.cab
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - hxxp://www.oztion.com.au/secure/OA/sell/uploader/3.5/ImageUploader3.cab
DPF: {A2721B6E-0000-0000-0000-000000000000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: HardwareDrivers - {4F9BAB00-AAFF-47E0-896B-1F89BEB1AF5B} - c:\documents and settings\all users\application data\microsoft\media index\drivers\hdddriver.dll
SSODL: DriversLoad - {476C6EC2-EC03-4A00-A69A-171CFD096F1E} - c:\documents and settings\all users\application data\microsoft\media index\drivers\vtsooexoad.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2002-1-10 11840]
R2 AntiVirScheduler;AntiVir PersonalEdition Classic Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2002-1-10 68865]
R2 AntiVirService;AntiVir PersonalEdition Classic Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2002-1-10 151297]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2002-1-10 52032]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-04-11 11:02 --d----- c:\program files\Enigma Software Group
2009-04-10 20:33 --d----- c:\program files\Malware Defender 2009
2009-04-10 20:28 381,952 a------- c:\windows\system32\wcenter.exe
2009-04-10 20:28 51,197 a------- c:\windows\spoolsystem.exe
2009-04-10 20:28 47,872 a------- c:\windows\syscert.exe
2009-04-10 20:28 38,352 a------- c:\windows\reged.exe
2009-04-10 20:28 33,149 a------- c:\windows\sysexplorer.exe
2009-04-10 20:28 28,320 a------- c:\windows\sys.com
2009-04-10 20:28 18,941 a------- c:\windows\vmreg.dll
2009-04-10 08:48 100,356 a------- c:\windows\msa.exe
2009-04-09 20:20 --d----- c:\windows\system32\KB905474
2009-04-07 13:09 39,936 a------- c:\windows\promo.exe
2009-04-07 13:07 74,752 a------- c:\windows\system32\qP0e8DxE.exe
2009-04-07 13:07 0 a------- c:\windows\system32\qP0e8DxE.exe.a_a
2009-04-07 13:07 127,492 a------- c:\windows\system32\msxml71.dll
2009-04-06 20:20 54,156 a---h--- c:\windows\QTFont.qfn
2009-04-06 20:20 1,409 a------- c:\windows\QTFont.for

==================== Find3M ====================

2009-04-07 13:07 39,936 a------- c:\windows\system32\userinit.exe
2009-03-10 22:18 934,792 -------- c:\windows\system32\dllcache\WgaTray.exe
2009-03-10 22:18 239,496 -------- c:\windows\system32\dllcache\wgaLogon.dll
2009-02-24 10:19 178,550 a------- c:\program files\CreataCardnrltippin 2009
2009-02-09 20:20 1,847,424 a------- c:\windows\system32\win32k.sys
2009-02-09 20:20 1,847,424 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2007-06-26 03:25 1,854 a------- c:\program files\ReadMe!.txt
2006-10-27 05:16 1,426,944 a------- c:\program files\siw.exe
2006-01-25 06:29 1,445,888 a------- c:\program files\winsockxpfix.exe
2003-05-26 02:17 151,552 a------- c:\program files\T_Shutdown.exe

============= FINISH: 11:21:57.82 ===============

Re: malware defender 2009

Hello.
Userinit has been patched and needs to be fixed.


  • Download combofix from here
    Link 1
    Link 2
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (Avira)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.


  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes


  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window while it's running; that may cause it to stall.

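The indicators the admin is reading off the DDS log above (a userinit.exe rewritten on 2009-04-07 with exactly the same size as the freshly dropped promo.exe, every IE search value pointing at internetsearchservice.com, Run entries launching *.tmp.exe from temp directories, a RunOnce that moves a renamed syssetub.dll over syssetup.dll, SSODL DLLs loading out of Application Data, and SfcDisable=-99 so Windows File Protection will not put the real files back) can be pulled out of a DDS or ComboFix log mechanically rather than by eye. The script below is an added example written for this page, not a tool from this forum or from the DDS/ComboFix authors. Its sample input is copied from the logs posted in this thread; the known-host allowlist and the At*.job threshold are assumptions to tune per machine, and the hex decoding covers the way ComboFix prints some IE URL values (seen in the ComboFix run posted further down the thread).

```python
"""Triage a DDS / ComboFix style log for the autostart patterns discussed in this thread.
SAMPLE_LOG is copied from the DDS and ComboFix output posted above (constructed test input)."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
uSearch Page = hxxp://internetsearchservice.com
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mWinlogon: SfcDisable=-99 (0xffffff9d)
uRun: [Cognac] c:\docume~1\jason\locals~1\temp\1.tmp.exe
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
dRun: [Cognac] c:\windows\temp\12.tmp.exe
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
SSODL: HardwareDrivers - {4F9BAB00-AAFF-47E0-896B-1F89BEB1AF5B} - c:\documents and settings\all users\application data\microsoft\media index\drivers\hdddriver.dll
2009-04-07 13:07 39,936 a------- c:\windows\system32\userinit.exe
2009-04-07 13:09 39,936 a------- c:\windows\promo.exe
2009-04-07 c:\windows\Tasks\At1.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]
2009-04-10 c:\windows\Tasks\At10.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]
2009-04-11 c:\windows\Tasks\At11.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]
2009-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
"""

# Assumptions: hosts expected in this user's IE settings, and how many At*.job
# tasks aimed at one binary it takes before the pattern is worth reporting.
KNOWN_SEARCH_HOSTS = {"au.yahoo.com", "www.google.com", "www.yahoo.com"}
AT_JOB_THRESHOLD = 3

HEX_RE = re.compile(r"^(?:[0-9a-f]{2}){4,}$", re.I)
TEMP_PATH_RE = re.compile(r"\\temp\\", re.I)
FILE_LISTING_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d ([\d,]+) \S+ (.+)$")
AT_JOB_RE = re.compile(r"\\Tasks\\At\d+\.job$", re.I)
SEARCH_KEY_RE = re.compile(r"^[umd]\S*(Search|Start Page)")


def decode_value(value):
    """ComboFix prints some IE URL values hex-encoded; DDS defangs http as hxxp."""
    value = value.strip()
    if HEX_RE.match(value):
        value = bytes.fromhex(value).decode("latin-1")
    return value.replace("hxxp", "http")


def host_of(url):
    m = re.match(r"https?://([^/]+)", url)
    return m.group(1).lower() if m else None


def triage(log_text):
    """Return (kind, where, detail) tuples for the log lines worth a second look."""
    findings = []
    at_job_targets = defaultdict(list)   # target binary -> [job names]
    sizes = defaultdict(list)            # file size -> [paths]
    pending_job = None
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if SEARCH_KEY_RE.match(line) and "=" in line:
            # IE search/start page values pointing somewhere the user never configured
            key, _, value = line.partition("=")
            host = host_of(decode_value(value))
            if host and host not in KNOWN_SEARCH_HOSTS:
                findings.append(("search-hijack", key.strip(), host))
        elif "SfcDisable=" in line and "SfcDisable=0 " not in line:
            # Windows File Protection switched off, so patched system files stay patched
            findings.append(("wfp-disabled", "mWinlogon", line.split("SfcDisable=")[1].split()[0]))
        elif re.match(r"^[umd]Run(Once)?:", line):
            entry, _, command = line.partition("] ")
            entry += "]"
            if TEMP_PATH_RE.search(command):
                findings.append(("autorun-from-temp", entry, command))
            if re.search(r"\bmove\b.*system32", command, re.I):
                findings.append(("runonce-overwrites-system-dll", entry, command))
        elif line.startswith("SSODL:"):
            # Shell service objects load into explorer.exe; genuine ones live under c:\windows
            dll = line.rsplit(" - ", 1)[1].lower()
            if not dll.startswith("c:\\windows\\"):
                findings.append(("ssodl-outside-windows", line.split(" - ")[0], dll))
        elif AT_JOB_RE.search(line):
            pending_job = line.split()[-1]          # its target is on the following "- " line
        elif line.startswith("- ") and pending_job:
            at_job_targets[line[2:].rsplit(" [", 1)[0].lower()].append(pending_job)
            pending_job = None
        else:
            pending_job = None
            m = FILE_LISTING_RE.match(line)
            if m:
                sizes[m.group(1)].append(m.group(2).lower())
    for target, jobs in at_job_targets.items():
        if len(jobs) >= AT_JOB_THRESHOLD:
            findings.append(("repeated-at-jobs", target, len(jobs)))
    for size, paths in sizes.items():
        # userinit.exe is WFP-protected and should never appear as recently written;
        # other new files of exactly the same size are the likely dropper or payload.
        if any(p.endswith("\\userinit.exe") for p in paths):
            findings.append(("userinit-modified", size, sorted(paths)))
    return findings


if __name__ == "__main__":
    for kind, where, detail in triage(SAMPLE_LOG):
        print(f"{kind:32} {where}  ->  {detail}")
```

Run against the full DDS log above it reports the internetsearchservice.com values, SfcDisable, both Cognac entries, the nlsf RunOnce, the two SSODL DLLs under media index\drivers, all 72 At*.job tasks collapsed into one line for qP0e8DxE.exe, and userinit.exe grouped with promo.exe by size. It is a triage aid only: the findings say what to look at, not what to delete, which is why the admin's instructions still go through ComboFix with the Recovery Console installed first.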

Re: malware defender 2009

Can't access combo.exe.
Tried Malwarebytes, but still getting a small portion of the malware. This is so frustrating.

Re: malware defender 2009

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-08-01 266497]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2006-09-08 15872]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-14 257088]
"NeroCheck"="c:\windows\system32\\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2007-02-16 282624]
"C-Media Mixer"="Mixer.exe" [2002-10-15 c:\windows\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2006-01-13 44544]

c:\documents and settings\Jason\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
CreataCard Gold 3 Forget Me Not Reminders Tray Icon.lnk - c:\program files\CreataCard\Gold\FMRemind.exe [2007-12-24 189952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i263_32.drv
"msacm.imc"= imc32.acm
"msacm.l3codecp"= l3codecp.acm
"VIDC.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0smrgdf c:\program files\iolo\System Mechanic Professional 6\

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-01-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-04-07 c:\windows\Tasks\At1.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At10.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At11.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\At12.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\At13.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\At14.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\At15.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At16.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At17.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At18.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At19.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At2.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At20.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At21.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\At22.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\At23.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At24.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At25.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At26.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At27.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At28.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At29.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At3.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At30.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At31.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At32.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At33.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At34.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At35.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\At36.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\At37.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\At38.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\At39.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At4.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At40.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At41.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At42.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At43.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At44.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At45.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\At46.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\At47.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At48.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At49.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At5.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At50.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At51.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At52.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At53.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At54.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At55.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At56.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At57.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At58.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At59.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At6.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\At60.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\At61.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\At62.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\At63.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At64.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At65.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At66.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At67.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At68.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-10 c:\windows\Tasks\At69.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At7.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\At70.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\At71.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At72.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At8.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-07 c:\windows\Tasks\At9.job
- c:\windows\system32\qP0e8DxE.exe [2009-04-07 13:10]

2009-04-11 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-03-10 22:18]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PC-Checkup - c:\program files\PC Check-up\PCCheckUp.exe
HKU-Default-Run-msnsc - c:\windows\system32\msnsc.exe
HKU-Default-Run-Cognac - c:\windows\TEMP\12.tmp.exe


.
------- Supplementary Scan -------
.
uStart Page =
uSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uDefault_Search_URL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mStart Page = about:blank
mSearch Bar = 687474703a2f2f7777772e676f6f676c652e636f6d2f
mSearchMigratedDefaultURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
uInternet Settings,ProxyOverride =
mSearchURL = 687474703a2f2f7777772e676f6f676c652e636f6d2f
IE: &Webshots Photo Search - c:\program files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
DPF: {96EEC7FF-106A-47F3-90D6-B4BB754AA40E} - hxxps://autxn.paywithpoli.com/ewcustomer/POLiPayOnline.cab
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-11 14:24:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-11 14:27:13 - machine was rebooted [Jason]
ComboFix-quarantined-files.txt 2009-04-11 04:27:01

Pre-Run: 24,436,391,936 bytes free
Post-Run: 24,450,039,808 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

288 --- E O F --- 2009-04-09 10:20:01

Re: malware defender 2009

Hello.
Do you have the rest of the report? That's only half of it.

If not, you may need to run it again.


Re: malware defender 2009

It's all good now. Ran Malwarebytes and then ComboFix and it hasn't returned. Thanks heaps for the help.
