XP Internet Security 2010


sconroy1

My computer is infected with XP Internet Security 2010. MBAM won't run. I've tried a few solutions, including using spybot which many have been successful with, to no avail.

Here are the logs to start you off that you are requiring to be posted. As always thanks in advance! :)

DDS (Ver_09-12-01.01) - NTFSx86

Run by Stephen Conroy at 10:59:34.20 on Thu 02/25/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1463 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\mqsvc.exe

C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Stephen Conroy\Local Settings\Application Data\av.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Dell\Media Experience\DMXLauncher.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\AOL\1197034437\ee\AOLSoftware.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\Program Files\3M\PDNotes\PDNotes.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

c:\program files\common files\aol\1197034437\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

G:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.live.com

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll

BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [iSUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet

uRun: [DS3 Tool] c:\program files\motioninjoy\ds3\DS3_Tool.exe -mini

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe

mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE

mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall

mRun: [startCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe

mRun: [MsmqIntCert] regsvr32 /s mqrt.dll

mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"

mRun: [HostManager] c:\program files\common files\aol\1197034437\ee\AOLSoftware.exe

mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe

mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: c:\docume~1\stephe~1\startm~1\programs\startup\maxtv.lnk - c:\program files\dmv\maxtv\MaxTV.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\pdnotes\PDNotes.exe

IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} - hxxp://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {1B00725B-C455-4DE6-BFB6-AD540AD427CD} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab

DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://adobe.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab

DPF: {A959E4A5-0B3D-449E-9998-348705BD4092} - hxxp://www.servicemagic.com/smod/smdesktop.CAB

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v10.cab

Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\puresp.dll

Notify: AtiExtEvent - Ati2evxx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\stephe~1\applic~1\mozilla\firefox\profiles\yrichvqd.default\

FF - prefs.js: network.proxy.type - 2

FF - plugin: c:\documents and settings\patrick\application data\move networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\patrick\application data\move networks\plugins\npqmp071505000011.dll

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll

FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmnqmp07030901.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-10 64160]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-31 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-31 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-31 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-31 56816]

R2 dualshock3;DUALSHOCK3 Controller HID Minidriver (USB) Beta;c:\windows\system32\drivers\dualshock3.sys [2010-1-18 11392]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1028432]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [2010-1-18 33792]

S3 MotioninJoyXFilter;MotioninJoy Virtual Xinput device Filter Driver;c:\windows\system32\drivers\MijXfilt.sys [2010-1-18 48128]

S3 VKeyboard;Virtual Keyboard Device;c:\windows\system32\drivers\vkeyboard.sys --> c:\windows\system32\drivers\VKeyboard.sys [?]

S3 VPS3Joy;Virtual Playstation(3) Joystick;c:\windows\system32\drivers\vps3joy.sys --> c:\windows\system32\drivers\VPS3Joy.sys [?]

=============== Created Last 30 ================

2010-02-25 15:53:10 20 ----a-w- c:\documents and settings\stephen conroy\defogger_reenable

2010-02-04 16:50:59 0 dc----w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}

==================== Find3M ====================

2010-01-19 02:04:11 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01009.Wdf

2010-01-19 02:04:11 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_MijXfilt_01009.Wdf

2010-01-19 02:04:08 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf

2010-01-15 21:45:36 48128 ----a-w- c:\windows\system32\drivers\MijXfilt.sys

2010-01-13 15:52:50 7520 --sha-w- c:\windows\system32\KGyGaAvL.sys

2009-12-31 16:14:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-31 16:14:12 352640 ------w- c:\windows\system32\dllcache\srv.sys

2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe

2009-12-14 07:35:35 33280 ----a-w- c:\windows\system32\csrsrv.dll

2009-12-14 07:35:35 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll

2009-12-09 05:53:44 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll

2009-12-08 18:14:02 2185984 ------w- c:\windows\system32\dllcache\ntoskrnl.exe

2009-12-08 18:11:44 2142720 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-12-08 18:11:44 2142720 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-12-08 17:35:25 2020864 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-12-08 17:35:25 2020864 ------w- c:\windows\system32\dllcache\ntkrpamp.exe

2009-12-08 17:35:22 2063104 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-12-08 08:59:48 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll

2009-12-04 14:41:55 453760 ------w- c:\windows\system32\dllcache\mrxsmb.sys

2009-11-27 17:04:16 1291776 ----a-w- c:\windows\system32\quartz.dll

2009-11-27 17:04:16 1291776 ------w- c:\windows\system32\dllcache\quartz.dll

2009-11-27 17:04:15 17920 ----a-w- c:\windows\system32\msyuv.dll

2009-11-27 17:04:15 17920 ------w- c:\windows\system32\dllcache\msyuv.dll

2009-11-27 16:37:27 8704 ----a-w- c:\windows\system32\tsbyuv.dll

2009-11-27 16:37:27 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll

2009-11-27 16:37:27 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-11-27 16:37:27 84992 ------w- c:\windows\system32\dllcache\avifil32.dll

2009-11-27 16:37:27 48128 ----a-w- c:\windows\system32\iyuv_32.dll

2009-11-27 16:37:27 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll

2009-11-27 16:37:27 28672 ----a-w- c:\windows\system32\msvidc32.dll

2009-11-27 16:37:27 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll

2009-11-27 16:37:27 11264 ----a-w- c:\windows\system32\msrle32.dll

2009-11-27 16:37:27 11264 ------w- c:\windows\system32\dllcache\msrle32.dll

2009-08-15 15:21:32 16384 -csha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat

2009-08-15 15:21:32 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009081520090816\index.dat

============= FINISH: 11:00:33.75 ===============

attach.zip


Staff

Hi,

Malwarebytes will detect and remove this infection either way, this includes the free version.

Also, rather than change the .exe files to .com, wouldn't going to Safe Mode to run Malwarebytes work?

No, because that won't make a difference since this malware has hijacked the exe filetype association.

By the way, since you are a different user than the person who has started this thread, I suggest you start a new thread with your problem if you still need help afterwards. This to avoid confusion if multiple persons are posting in this same thread.

Thanks for understanding :D
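To make the staff point concrete, here is an added check (not from the staff reply or from Malwarebytes) of the registry keys that the .exe association lives in: HKEY_CLASSES_ROOT\.exe names a progid, and that progid's shell\open\command is the launcher every .exe runs through, which is why a rogue that rewrites it intercepts MBAM in Safe Mode too while a copy renamed to .com still runs. It assumes the stock values `exefile` and `"%1" %*`, and parses a constructed .reg export whose progid name and binary path are placeholders.

```python
import re
# Stock values of an unmodified Windows XP install (assumed documented
# defaults; they are not taken from the log above).
EXPECTED_PROGID = "exefile"        # default value of HKEY_CLASSES_ROOT\.exe
EXPECTED_OPEN_COMMAND = '"%1" %*'  # default value of HKCR\exefile\shell\open\command
_KEY_RE = re.compile(r"^\[(.+)\]$")
_DEFAULT_RE = re.compile(r'^@="(.*)"$')

def parse_reg_export(text):
    """Map key path -> default (@) string value from a .reg export (escaping undone)."""
    defaults, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        value = _DEFAULT_RE.match(line)
        if value and current:
            defaults[current] = value.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return defaults

def exe_association_findings(defaults):
    """Return findings (empty list == stock). Checks the exefile command and
    whatever progid .exe now points at, since a hijack may do either."""
    findings = []
    progid = defaults.get(r"HKEY_CLASSES_ROOT\.exe", EXPECTED_PROGID)
    if progid != EXPECTED_PROGID:
        findings.append(f".exe is redirected to progid {progid!r}")
    for pid in dict.fromkeys((EXPECTED_PROGID, progid)):
        key = f"HKEY_CLASSES_ROOT\\{pid}\\shell\\open\\command"
        cmd = defaults.get(key)
        if cmd is not None and cmd != EXPECTED_OPEN_COMMAND:
            findings.append(f"{key} launches {cmd!r} instead of {EXPECTED_OPEN_COMMAND!r}")
    return findings

# Constructed sample export of a hijacked machine: the progid and the
# binary path are placeholders, not indicators from a real infection.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.exe]
@="hijackedfile"
[HKEY_CLASSES_ROOT\hijackedfile\shell\open\command]
@="\"C:\\Documents and Settings\\USER\\Local Settings\\Application Data\\rogue.exe\" /START \"%1\" %*"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    print(exe_association_findings(parse_reg_export(HIJACKED_EXPORT)) or "clean")
```

On a live machine the same values can be exported with `reg export HKCR\.exe` and `reg export HKCR\exefile` and fed to the parser; note that the sample above leaves the exefile command stock and hijacks by redirecting .exe to another progid, which is why the check follows the progid rather than only looking at exefile.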


Hi there,

Before I peruse the self help guide for removing XP 2010, what would be your advice if Malwarebytes is not detecting XP 2010 at all? I had the virus in full force last week, and was able to delete it, but am still having symptoms when I Google search (sites are spam/hijacked, and my browser will turn into what appears to be a Windows Explorer folder, and crash. I think this is still the XP 2010 virus). Anyway, I updated MB today (I have the free version) and after 3 scans, still nothing comes up at all. Nor with my antivirus (AVG), Spybot or Ad-Aware. Would the next step be to download HijackThis?

Thank you so much for your help.


This topic is now closed to further replies.