"security protection" (defender.exe) please help

I have a windows 7 laptop here that was infected with the "Security Protection" (defender.exe) malware. I was able to boot into safe mode and remove the hklm\software\microsoft\windows\currentversion\run entries for the malware, and also deleted c:\programdata\defender.exe and a rogue "conhost.exe" which was located under the user's appdata\roaming\microsoft folder. I also removed all items in prefetch.

This prevented the malware from loading at next boot and the OS seems to be ok. However, under task manager there is a strange process with the name of "1741608673:506016152.exe" with user name "SYSTEM" and description "506016152.exe". If I try to end the process it does not work. If I attempt "open file location" nothing happens. I can use taskkill, which tells me it terminated the process, but it doesnt go away. Even booting into safe mode it is still there.

Web access seems to be broken. I can ping sites like www.google.com but the actual browser gives me "internet explorer cannot display the web page". Initially the checkbox for proxy server was checked off (with nothing defined), but even after clearing this I still cannot get anywhere within IE8.

I tried installing malwarebytes antimalware and running a scan but it crashes about 10 seconds into the scan, and attempting to run mbam.exe after this results in "windows cannot access the specified device, path or file. You may not have the appropriate permissions to access this item". The same thing happens with hijackthis.exe. It crashes when I attempt to run it, and subsequent attempts at running it generate this same message.

It seems that this "1741608673:506016152.exe" is still leftover from the "security protection" malware. in the windows directory there is a 0kb file that is the same name as the first part of the rogue .exe.

The file is "c:\windows\1741608673" and in the task manager as mentioned there is an .exe named "1741608673:506016152.exe" that does not respond to termination requests, attempt to create a dump file of the process just hangs at "please wait while the process is written to the file..." and trying "open file location" does nothing.


Also, under msconfig,
I have the "security protection" (c:\programdata\defender.exe) disabled, and this other one is named:

"Jwuhafewoqaned" - (rundll32.exe "c:\users\user\appdata\local\mpimsry.dll",Startup)

both have been disabled. But I still have this strange .exe as mentioned above in the taskmgr, and am unable to run hijackthis or mbam.exe (both crash, then the actual .exe seems to get corrupted as I cannot run the program after that point unless it is reinstalled.

Please help

 

update: i was able to remove it fully by running tdskiller. turns out i had been rooted

 

hey man thanks for the help. will do tomorrow, leaving work now. :cool

 

cool thanks. i was pretty busy today so hope to get to it tomorrow. thanks for your help.