
Thread: Defender.exe


  1. #1 (Join Date: Jul 2008)

    Defender.exe

    Antivirus has been compromised. Spybot is no longer working, and also when trying to access web sites from Google search results.
    Tried to remove Defender manually and this did appear to work; the Virgin scan started but stopped part way through and is no longer working now.
    Have run ERUNT; a copy of the DDS log is shown below.
    DDS (Ver_2011-06-23.01) - NTFSx86 NETWORK
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
    Run by Shirley King at 10:57:36 on 2011-07-31
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.506 [GMT 1:00]
    AV: Virgin Media Security Anti-Virus *Enabled/Updated* {5B5A3BD7-8573-4672-AEA8-C9BB713B6755}
    FW: Virgin Media Security Firewall *Enabled*
    ============== Running Processes ===============
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\Program Files\Virgin Media\Security\RPS.exe
    C:\Program Files\Virgin Media\Service Manager\ServiceManagerComHandler.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    ============== Pseudo HJT Report ===============
    uStart Page =
    uSearchMigratedDefaultURL = hxxp://{searchTerms}&sourceid=ie7&
    mStart Page = about:blank
    uSearchURL,(Default) = hxxp://
    uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
    BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
    BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - c:\program files\divx\divx plus web player\npdivx32.dll
    BHO: RepliGoIEHelperCtl Class: {91de4477-9cdc-4806-9bcb-28a963988e94} - c:\program files\cerience\repligo\RepliGoIEHelper.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: &RepliGo: {81f4066b-f330-4872-8094-3e9fbccec8c1} - c:\program files\cerience\repligo\RepliGoIEBar.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
    TB: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
    TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {A386D4B0-FDDB-4E1C-AE61-4F014013CD9B} - No File
    uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
    uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [V Stuff Backup] "c:\program files\virginmedia\v stuff backup\v_stuff_backup.exe" /delayed
    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
    uRun: [Backup & Storage] "c:\program files\virginmedia\v stuff backup\Backup & Storage.exe" /delayed
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
    mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
    mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
    mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
    mRun: [UpdReg] c:\windows\UpdReg.EXE
    mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
    mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
    mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
    mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
    mRun: [RepliGo Assistant] "c:\program files\cerience\repligo\RepliGoMon.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
    mRun: [B2C_AGENT] c:\documents and settings\all users\application data\lgmobileax\b2c_client\B2CNotiAgent.exe"
    mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
    mRun: [DivX Download Manager] "c:\program files\divx\divx plus web player\DDmService.exe" start
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [ServiceManager.exe] "c:\program files\virgin media\service manager\ServiceManager.exe" /AUTORUN
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [PCTools FGuard] c:\program files\spyware doctor\bdt\FGuard.exe
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    StartupFolder: c:\docume~1\shirle~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\aol90t~1.lnk - c:\program files\aol 9.0\aoltray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\extend~1.lnk - c:\windows\ehome\RMSysTry.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palm\Hotsync.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
    IE: &Google Search
    IE: &Translate English Word
    IE: Backward Links
    IE: Cached Snapshot of Page
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_43C348BC2E93EB2B.dll/cmsidewiki.html
    IE: Similar Pages
    IE: Translate Page into English
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
    LSP: mswsock.dll
    DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://
    DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://
    DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://,0,0,101/
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
    DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://
    DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://
    DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} - hxxp://
    DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://
    DPF: {DBDC1CDA-B64B-49F7-9535-6317AA416E51} - hxxps://
    TCP: DhcpNameServer =
    TCP: Interfaces\{0327911A-0E8C-4A3B-B811-30F2DFBB88A6} : DhcpNameServer =
    Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    ================= FIREFOX ===================
    FF - ProfilePath - c:\documents and settings\shirley king\application data\mozilla\firefox\profiles\8rr57ers.default\
    FF - prefs.js: keyword.URL - hxxp://
    FF - component: c:\program files\spyware doctor\bdt\firefox\platform\winnt_x86-msvc\components\libheuristic.dll
    FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\google\update\\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrl.1.0.20926.0.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    FF - plugin: c:\program files\virgin media\service manager\nprpspa.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - Ext: Java Quick Starter: - c:\program files\java\jre6\lib\deploy\jqs\ff
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: DivX Plus Web Player HTML5 &lt;video&gt;: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\divx\divx plus web player\firefox\html5video
    FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\divx\divx plus web player\firefox\wpa
    FF - Ext: Browser Defender Toolbar: {cb84136f-9c44-433a-9048-c5cd9df1dc16} - c:\program files\spyware doctor\bdt\Firefox
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
    ============= SERVICES / DRIVERS ===============
    R0 RadialpointIDSEH;RadialpointIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-6-20 25608]
    R3 vmwvusb;VMware View Generic USB Driver;c:\windows\system32\drivers\vmwvusb.sys [2011-7-20 39984]
    S2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\adobe\elements organizer 8.0\photoshopelementsfileagent.exe --> c:\program files\adobe\elements organizer 8.0\PhotoshopElementsFileAgent.exe [?]
    S2 Browser Defender Update Service;Browser Defender Update Service;"c:\program files\spyware doctor\bdt\bdtupdateservice.exe" --> c:\program files\spyware doctor\bdt\BDTUpdateService.exe [?]
    S2 DolphinInterceptorStartup;Dolphin Utility Service;c:\windows\system32\dolserve.exe --> c:\windows\system32\dolserve.exe [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-13 135664]
    S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 96256]
    S2 Radialpoint Security Services;Virgin Media Security;c:\program files\virgin media\security\RpsSecurityAwareR.exe [2010-1-4 165408]
    S2 RadialpointIDSAgent;RadialpointIDSAgent;c:\program files\virgin media\security\avg\identity protection\agent\bin\AVGIDSAgent.exe [2011-7-28 5832712]
    S2 ServicepointService;ServicepointService;"c:\program files\virgin media\service manager\servicepointservice.exe" --> c:\program files\virgin media\service manager\ServicepointService.exe [?]
    S2 wsnm;VMware View Client;"c:\program files\vmware\vmware view\client\bin\wsnm.exe" -scmstartup --> c:\program files\vmware\vmware view\client\bin\wsnm.exe [?]
    S2 wsnm_usbctrl;VMware View USB Control;"c:\program files\vmware\vmware view\client\bin\wsnm_usbctrl.exe" -scmstartup --> c:\program files\vmware\vmware view\client\bin\wsnm_usbctrl.exe [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-13 135664]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 RadialpointIDSDriver;RadialpointIDSDriver;c:\program files\virgin media\security\avg\identity protection\agent\drivers\AVGIDSDriver.sys [2010-6-20 122376]
    S3 RadialpointIDSFilter;RadialpointIDSFilter;c:\program files\virgin media\security\avg\identity protection\agent\drivers\AVGIDSfilter.sys [2010-6-20 30216]
    S3 RadialpointIDSShim;RadialpointIDSShim;c:\program files\virgin media\security\avg\identity protection\agent\drivers\AVGIDSShim.sys [2010-6-20 25736]
    =============== Created Last 30 ================
    2011-07-28 20:17:37 -------- d-----w- c:\documents and settings\shirley king\local settings\application data\Threat Expert
    2011-07-28 19:55:35 -------- d-----w- c:\documents and settings\all users\application data\IObit
    2011-07-28 19:55:30 -------- d-----w- c:\program files\IObit
    2011-07-28 19:29:43 767952 ----a-w- c:\windows\BDTSupport.dll0701.old
    2011-07-28 19:29:43 767952 ----a-w- c:\windows\BDTSupport.dll
    2011-07-28 19:29:43 149456 ----a-w- c:\windows\SGDetectionTool.dll0701.old
    2011-07-28 19:29:43 149456 ----a-w- c:\windows\SGDetectionTool.dll
    2011-07-28 19:29:42 2074576 ----a-w- c:\windows\PCTBDCore.dll
    2011-07-28 19:29:42 1652688 ----a-w- c:\windows\PCTBDCore.dll0701.old
    2011-07-28 19:29:42 1533904 ----a-w- c:\windows\PCTBDRes.dll
    2011-07-28 19:27:02 -------- d-----w- c:\program files\Spyware Doctor
    2011-07-28 19:27:02 -------- d-----w- c:\program files\common files\PC Tools
    2011-07-20 08:56:10 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
    2011-07-20 08:56:03 39984 ----a-r- c:\windows\system32\drivers\vmwvusb.sys
    2011-07-20 08:55:28 -------- d-----w- c:\program files\common files\VMware
    ==================== Find3M ====================
    2011-07-28 19:04:01 53192 ----a-w- c:\windows\system32\drivers\rp_skt32.sys
    2011-07-28 19:03:57 48384 ----a-w- c:\windows\system32\drivers\rp_pkt32.sys
    2011-07-06 18:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-06 18:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-05 19:21:56 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
    2011-07-05 19:21:54 56 --sh--r- c:\windows\system32\8731209D39.sys
    2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-05-02 10:39:47 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
    2009-11-22 15:34:57 85504 ----a-w- c:\program files\Inherit.exe
    ============= FINISH: 10:58:15.39 ===============

    Please help
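
An added example, not part of the post above and not a DDS feature: a small Python script that reads a DDS log and lists the entries worth a second look, namely a toolbar registered with "No File", anything started from a profile directory rather than Program Files or the Windows directory, any file called defender.exe, and Find3M files carrying the hidden or system attribute. The sample log inside it is a cut-down copy of the log above plus one made-up defender.exe process line so the name rule has something to hit. The flagging rules are the script's own assumptions, and a hit means "check this", not "this is malware": the lgmobileax entry, for instance, is picked out purely for where it lives.

```python
"""Triage pass over a DDS log (added example for this thread, not DDS code).

Walks the 'Running Processes', 'Pseudo HJT Report' and 'Find3M' sections and
reports review items: 'No File' entries, executables under a profile/data
directory, anything named defender.exe, and Find3M files with hidden/system
attributes. Every hit is something to look at, not a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the log in the post above, plus one
# hypothetical defender.exe process line so the name rule is exercised.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Virgin Media\Security\RPS.exe
C:\Documents and Settings\All Users\Application Data\defender.exe
============== Pseudo HJT Report ===============
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: {A386D4B0-FDDB-4E1C-AE61-4F014013CD9B} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [B2C_AGENT] c:\documents and settings\all users\application data\lgmobileax\b2c_client\B2CNotiAgent.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
==================== Find3M ====================
2011-07-05 19:21:56 4184 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-06-02 14:02:05 1858944 ----a-w- c:\windows\system32\win32k.sys
============= FINISH: 10:58:15.39 ===============
"""

# Pseudo HJT Report entry types that point at an executable or DLL.
HJT_PREFIXES = ("uRun:", "mRun:", "dRun:", "BHO:", "TB:", "StartupFolder:", "uURLSearchHooks:")
# Assumed heuristic: directories that are neither Program Files nor Windows
# (the reply later in the thread points at exactly these places for defender.exe).
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\temp\\")

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
PATH_RE = re.compile(r'[a-z]:\\[^"\n]*?\.(?:exe|dll|sys)\b', re.I)
FIND3M_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?:\d+|-+)\s+(\S{8})\s+(.+)$")


@dataclass
class Finding:
    section: str
    line: str
    reasons: tuple


def extract_path(text):
    """First drive-letter path ending in .exe/.dll/.sys, lower-cased; None when
    there is none (entries written with %systemroot% or a bare name give None)."""
    m = PATH_RE.search(text)
    return m.group(0).lower() if m else None


def check_path(path):
    """Reasons a (lower-cased) path deserves review; empty list means nothing stands out."""
    reasons = []
    if path.rsplit("\\", 1)[-1] == "defender.exe":
        reasons.append("named defender.exe")
    if any(marker in path for marker in PROFILE_MARKERS):
        reasons.append("runs from a profile/data directory, not Program Files or Windows")
    return reasons


def triage(log_text):
    findings = []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:                      # '===== Name =====' switches section
            section = header.group(1)
            continue
        reasons = []
        if section == "Running Processes":
            path = extract_path(line)
            if path:
                reasons += check_path(path)
        elif section == "Pseudo HJT Report" and line.startswith(HJT_PREFIXES):
            if line.endswith("- No File"):
                reasons.append("registered object whose file is missing")
            path = extract_path(line)
            if path:
                reasons += check_path(path)
        elif section == "Find3M":
            entry = FIND3M_RE.match(line)
            if entry:
                attrs, path = entry.groups()   # e.g. '--sha-w-' and the file path
                if "h" in attrs or "s" in attrs:
                    reasons.append(f"hidden/system attributes ({attrs})")
                reasons += check_path(path.lower())
        if reasons:
            findings.append(Finding(section, line, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}\n    -> {'; '.join(f.reasons)}")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; the four hits on the sample are the defender.exe process, the "No File" toolbar, the agent under All Users\Application Data and the hidden/system .sys file, which is the short list a helper would ask about first.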

  2. #2 (Join Date: Nov 2005)

    Hi scotsking,

    Your post is a few days old. If you still need help simply reply back.
    How Can I Reduce My Risk?

  3. #3 (Join Date: Jul 2008)

    Hi Shelf Life

    Yes, I still need help, please.


  4. #4 (Join Date: Nov 2005)

    Let's try booting into safe mode and running Malwarebytes. To reach safe mode, tap the F8 key during a computer restart. Choose the first option from the list: Safe Mode. Once at the safe mode desktop, run Malwarebytes.

    If it doesn't start, try this while still in safe mode: using Explorer, navigate to:
    C:\Program Files\Malwarebytes

    Right-click on the mbam.exe icon and select Rename.
    Rename it to then double-click it and see if it starts up.

    Also in safe mode, navigate to C:\Documents and Settings\All Users and you may find the defender.exe, which you could delete; also look in C:\Documents and Settings\All Users\Application Data for the .exe.

    To show all files in Explorer:

    For XP: on the desktop, double-click My Computer; at the top click Tools > Folder Options > View, then select "Show hidden files and folders", then UNcheck "Hide protected operating system files" and also UNcheck "Hide extensions for known file types"; click Apply to All Folders, then Apply, then OK.
    How Can I Reduce My Risk?
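
A scripted version of the manual safe-mode steps in the reply above, added here as an example (it is not a tool from this thread). It walks the folders the reply names, hidden directories included, and reports every file called defender.exe in any letter case with its size, modification time and, on Windows, its hidden/system attributes; on Windows it can also set the three Explorer view options through the registry instead of the Folder Options dialog. The registry value names and settings are taken from Explorer itself, not from the thread, and the demo tree it builds is constructed in a temp directory. Nothing here deletes a file; that decision stays with the person at the keyboard.

```python
"""Find defender.exe under the All Users profile and show all files in Explorer
(added example for this thread, not a tool the reply links to)."""
import os
import stat
import sys
import tempfile
import time

TARGET_NAME = "defender.exe"

# Default place to look on XP: ALLUSERSPROFILE is normally
# C:\Documents and Settings\All Users, which contains Application Data.
DEFAULT_ROOTS = [os.environ.get("ALLUSERSPROFILE", r"C:\Documents and Settings\All Users")]

# HKCU key behind Tools > Folder Options > View (assumed from Explorer, not from
# this thread). Values matching the three checkboxes in the reply:
#   Hidden=1          "Show hidden files and folders"
#   ShowSuperHidden=1 un-tick "Hide protected operating system files"
#   HideFileExt=0     un-tick "Hide extensions for known file types"
EXPLORER_ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
EXPLORER_VIEW_SETTINGS = {"Hidden": 1, "ShowSuperHidden": 1, "HideFileExt": 0}


def file_attributes(path):
    """'hidden,system'-style flags; only Windows exposes them, elsewhere '-'."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)
    flags = [name for name, bit in (("hidden", getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)),
                                    ("system", getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0)))
             if attrs & bit]
    return ",".join(flags) or "-"


def find_named_files(roots, name=TARGET_NAME):
    """Case-insensitive search for `name` under each root. os.walk does not skip
    hidden directories, so nothing Explorer would hide is missed."""
    wanted = name.lower()
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for fn in filenames:
                if fn.lower() == wanted:
                    full = os.path.join(dirpath, fn)
                    st = os.stat(full)
                    hits.append({
                        "path": full,
                        "size": st.st_size,
                        "mtime": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
                        "attrs": file_attributes(full),
                    })
    return hits


def show_all_files_in_explorer():
    """Apply the view settings for the current user. Returns False off Windows.
    New Explorer windows pick the change up; the dialog's 'Apply to All Folders'
    step is not reproduced here."""
    if sys.platform != "win32":
        return False
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, EXPLORER_ADVANCED, 0, winreg.KEY_SET_VALUE) as key:
        for value_name, value in EXPLORER_VIEW_SETTINGS.items():
            winreg.SetValueEx(key, value_name, 0, winreg.REG_DWORD, value)
    return True


def run_demo():
    """Build a constructed profile tree in a temp dir (one Defender.EXE, one decoy)
    and search it; returns (hits, path of the planted file)."""
    base = tempfile.mkdtemp(prefix="allusers-")
    appdata = os.path.join(base, "Application Data")
    desktop = os.path.join(base, "Desktop")
    os.makedirs(appdata)
    os.makedirs(desktop)
    planted = os.path.join(appdata, "Defender.EXE")
    with open(planted, "wb") as fh:
        fh.write(b"MZ" + b"\0" * 10)          # 12-byte stand-in, not a real binary
    with open(os.path.join(desktop, "defender.txt"), "w") as fh:
        fh.write("decoy\n")                   # same stem, wrong extension: must not match
    return find_named_files([base]), planted


if __name__ == "__main__":
    roots = sys.argv[1:] or DEFAULT_ROOTS
    for hit in find_named_files(roots):
        print(f"{hit['path']}  {hit['size']} bytes  {hit['mtime']}  [{hit['attrs']}]")
```

On the affected machine you would run it from safe mode with no arguments, or pass extra folders to search on the command line; the listing gives you the path, size and timestamp to quote back in the thread before anything is deleted.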

  5. #5 (Join Date: Jul 2008)

    Hi, thanks for getting back to me.
    I have rebooted in safe mode and am unable to run Malwarebytes; the message is "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

    Also I am unable to rename mbam.exe; the message is "Cannot rename mbam: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."

    I cannot find any sign of defender.exe in the users folder or application data.

    Hope you can help.


  6. #6 (Join Date: Nov 2005)

    OK, try this instead. Download each of these to your desktop:


    Double-click one and allow it to run. It will produce a console window that will open and close by itself. Once it's done, try running Malwarebytes.
    If Malwarebytes won't start, then try the next download and allow it to run, then try Malwarebytes again. Continue with the next two. Hopefully Malwarebytes will run.
    You can also repeat the process back in safe mode. Note that these do not delete malware; they only attempt to stop certain processes from running.
    How Can I Reduce My Risk?
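
An added example of the kind of step the reply above describes: stop running processes so that Malwarebytes can start, without deleting anything. It is not one of the tools the reply links to, and the rule for what gets stopped is an assumption: an image running from a profile directory (Documents and Settings, Application Data, a Temp folder) or named defender.exe is stopped; core Windows processes, the security suite and the script itself never are. On Windows the process list comes from `wmic process get ProcessId,ExecutablePath /format:csv` and termination uses `taskkill /F /PID`; elsewhere the script only returns the plan, which is what the embedded snapshot (constructed in wmic's CSV layout, with made-up PIDs and paths taken from the log earlier in the thread plus two hypothetical entries) exercises. As the reply says, stopping is not cleaning: a legitimate process caught by the rule simply comes back at the next boot, and a malicious one still needs its launch point removed.

```python
"""Stop processes that run from profile directories so a scanner can start
(added example for this thread; not one of the tools the reply links to)."""
import csv
import io
import os
import subprocess
import sys

# Assumed rule: where a running image must live, or what it must be called, to be stopped.
STOP_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\temp\\")
STOP_NAMES = {"defender.exe"}
# Assumed allow-list: never terminate these, whatever their path. The first six are
# core Windows processes; the last two are the Virgin Media Security processes in the log.
PROTECTED = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
             "svchost.exe", "explorer.exe", "rps.exe", "rpssecurityawarer.exe"}

# Constructed snapshot in wmic's CSV layout (leading blank line, Node column first).
# PIDs are made up; the first four paths are from the thread's log, the last two are hypothetical.
SAMPLE_WMIC_CSV = r"""
Node,ExecutablePath,ProcessId
PC1,,4
PC1,C:\WINDOWS\system32\svchost.exe,1040
PC1,C:\Program Files\Virgin Media\Security\RPS.exe,1788
PC1,C:\Program Files\Mozilla Firefox\firefox.exe,2100
PC1,C:\Documents and Settings\All Users\Application Data\defender.exe,2244
PC1,C:\Documents and Settings\user\Local Settings\Temp\setup_tmp.exe,2300
"""


def parse_wmic_csv(text):
    """Return [(pid, path)] from wmic CSV output; System/Idle rows have no path."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    procs = []
    for row in csv.DictReader(io.StringIO("\n".join(lines))):
        try:
            pid = int(row["ProcessId"])
        except (KeyError, TypeError, ValueError):
            continue
        procs.append((pid, (row.get("ExecutablePath") or "").strip()))
    return procs


def list_processes():
    """Windows only: query WMI through wmic. Redirected wmic output may be UTF-16."""
    raw = subprocess.run(["wmic", "process", "get", "ProcessId,ExecutablePath", "/format:csv"],
                         capture_output=True, check=True).stdout
    text = raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode(errors="replace")
    return parse_wmic_csv(text)


def plan_stops(procs, own_pid=None):
    """(pid, path) pairs the rule says to stop; protected names and our own PID are skipped."""
    own_pid = os.getpid() if own_pid is None else own_pid
    plan = []
    for pid, path in procs:
        if pid == own_pid or not path:
            continue
        lower = path.lower()
        name = lower.rsplit("\\", 1)[-1]
        if name in PROTECTED:
            continue
        if name in STOP_NAMES or any(marker in lower for marker in STOP_MARKERS):
            plan.append((pid, path))
    return plan


def stop_processes(plan):
    """Terminate each planned PID with taskkill; returns the PIDs attempted."""
    done = []
    for pid, _path in plan:
        subprocess.run(["taskkill", "/F", "/PID", str(pid)], capture_output=True)
        done.append(pid)
    return done


if __name__ == "__main__":
    procs = list_processes() if sys.platform == "win32" else parse_wmic_csv(SAMPLE_WMIC_CSV)
    plan = plan_stops(procs)
    for pid, path in plan:
        print(f"stop {pid}: {path}")
    if sys.platform == "win32" and "--do-it" in sys.argv:   # dry run unless asked
        stop_processes(plan)
```

Without `--do-it` the script only prints what it would stop, which is worth reading before pulling the trigger: on the machine in this thread the rule would also catch the LG agent started from All Users\Application Data, harmless to stop but a reminder that location alone is a coarse signal.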
