Cannot Remove AntiVirus XP with MBAM

nomorevirus · March 1, 2010

I have use MBAM in the past to remove similar programs, but this time no such luck. So here is where I am at:

1.) I performed the following registry edit in order to run .exe without Antivirus XP 2010 blocking them:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]

[-HKEY_CURRENT_USER\Software\Classes\secfile]

[-HKEY_CLASSES_ROOT\secfile]

[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]

@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]

@="exefile"

"Content Type"="application/x-msdownload"

2.) I have followed all the available instructions on this site and others, but MBAM has only found and removed the following:

Hijacked.exeFile

Disabled.SecurityCenter

AnitiVirus XP 2010 no longer begins at start up, I am able to open various files and .exe programs without problem, but once I try to open Internet Explorer, AntiVirus XP 2010 begins to run and shuts everything down. I am able to access the internet in IE if I launch a browser through another program.

I've attached my HijackThis logfile. I will attempt to run and post an additional logfile after AV2010 is running.

I would appreciate any help that can be provided.

hijackthis_Log.txt

nomorevirus · March 1, 2010

Alright, here is the hijackthis log when AVXP is running. Also it seems that if I do not run the above registry edit before a restart then AVXP will lauch at startup.

hijackthis_Log_with_AVXP_running.txt

nomorevirus · March 2, 2010

Anyone have anything? Any other threads with info I could try? I'm dying over here.

Maniac · March 2, 2010

Hello nomorevirus! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

The process of cleaning your system may take some time, so please be patient.
Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
Instructions that I give are for your system only!
If you don't know or can't understand something please ask.
Do not install any software or hardware, while work on.

Step 1:

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not all of them.

Please post the log in your next reply.

Note: The log can be found at the root of your installed hard drive entitled rkill.log

Step 2:

Launch Malwarebytes' Anti-Malware
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Step 3:

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

In your next reply, please include these log(s):

* HijackThis Uninstall List

* HijackThis log (new)

* RKill log

* MalwareBytes' Anti-Malware log

nomorevirus · March 2, 2010

Hello, and thank you for responding.

1. RKill Log

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Ran as Owner on 03/02/2010 at 14:26:34.

Processes terminated by Rkill or while it was running:

C:\WINNT\system32\UAService7.exe

C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe

C:\Documents and Settings\Owner\Desktop\rkill.exe

Rkill completed on 03/02/2010 at 14:26:39.

2. MBAM Log

Malwarebytes' Anti-Malware 1.44

Database version: 3815

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/2/2010 2:57:49 PM

mbam-log-2010-03-02 (14-57-49).txt

Scan type: Quick Scan

Objects scanned: 129473

Time elapsed: 14 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HijackThis Uninstall List

ABBYY FineReader 5.0 Sprint Plus

Acer eDisplay Management

Adobe Atmosphere Player for Acrobat and Adobe Reader

Adobe Flash Player 10 ActiveX

Adobe Photoshop Album 2.0 Starter Edition

Adobe Reader 8.1.6

Adobe Shockwave Player 11

Ahead Nero BurnRights

AOL Instant Messenger

Apple Application Support

Apple Software Update

ArcSoft Software Suite

ATI - Software Uninstall Utility

ATI Catalyst Control Center

ATI Control Panel

ATI Display Driver

Battle.net

Blackhawk Striker

Blackhawk Striker from Gateway (remove only)

Blasterball 2

Blasterball 2 from Gateway (remove only)

Blasterball Wild

Bounce Symphony from Gateway (remove only)

Comcast High-Speed Internet Install Wizard

Comcast Rhapsody

Creative Driver

Critical Update for Windows Media Player 11 (KB959772)

DAEMON Tools Toolbar

Diablo

DoMore

DVD

DVD Shrink 3.1.7

EPSON CardMonitor

EPSON Copy Utility

EPSON ES CX6400 Manual

EPSON Photo Print

EPSON PhotoStarter3.0

EPSON Printer Software

EPSON Scan

EPSON Smart Panel

Excavation from Gateway (remove only)

Final Draft 7

Five Card Frenzy from Gateway (remove only)

FLV Player 2.0 (build 25)

GameTap

Gateway Drivers and Applications Recovery

Gateway Ink Monitor

Gem Master 2

GrabIt 1.7.2 Beta 3 (build 996)

HiJackThis

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Image Transfer

InetDctr

Intel® 537EP Data Fax Modem

Intel® PRO Network Adapters and Drivers

Intel® PROSet

IrfanView (remove only)

iriver Music Manager

iRiver Updater

J2SE Runtime Environment 5.0 Update 6

Java 2 Runtime Environment, SE v1.4.2

Learn2 Player (Uninstall Only)

LiveUpdate 2.0 (Symantec Corporation)

Logitech Audio Echo Cancellation Component

Logitech Desktop Messenger

Logitech iTouch Software

Logitech MouseWare 9.75

Logitech QuickCam

Logitech Resource Center

Logitech Video Enumerator

Logitech

Maniac · March 2, 2010

Step 1:

Please uninstall the following applications:

ABBYY FineReader 5.0 Sprint Plus

Adobe Reader 8.1.6

DAEMON Tools Toolbar

LiveUpdate 2.0 (Symantec Corporation)

After finish our work, please download and install the latest version of ABBYY FineReader and Adobe Reader from:

http://www.abbyy.com/

http://www.adobe.com/

Step 2:

Please go into the Control Panel, Add/Remove and for now remove ALL versions of JAVA

Then run this tool to help cleanup any left over Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location and post it back when you reply
Then look for the following Java folders and if found delete them.
C:\Program Files\Java
C:\Program Files\Common Files\Java
C:\Windows\Sun
C:\Documents and Settings\All Users\Application Data\Java
C:\Documents and Settings\All Users\Application Data\Sun\Java
C:\Documents and Settings\username\Application Data\Java
C:\Documents and Settings\username\Application Data\Sun\Java

Step 3:

I see you are running Teatimer.

I suggest you to disable it because it can interfere with the changes you'll make on your system.

When everything is done and your log is clean again, you can enable it again.

If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer <== click me for instructions.

After you disabled Teatimer, download ResetTeaTimer.exe to your desktop.

Then run ResetTeaTimer.exe.

This will only take a few seconds.

Step 4:

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.

In your next reply, please include these log(s):

* JavaRa log

* ComboFix log

nomorevirus · March 3, 2010

Hey, it seems to be fixed! Thanks much.

Any idea why MBAM couldn't find whatever this was and remove it? If I purchase a full version of MBAM would it still prevent this nonsense?

JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Tue Mar 02 16:44:27 2010

Found and removed: C:\Program Files\Java\j2re1.4.2

Found and removed: C:\Windows\System32\jpicpl32.cpl

Found and removed: Software\JavaSoft\Java2D\1.5.0_06

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510006

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F841731866D117AB7000B0D410200

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.5.0_06\

------------------------------------

Finished reporting.

ComboFix 10-03-02.02 - Owner 03/02/2010 17:44:39.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.599 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Owner\Local Settings\Application Data\MSASCui.exe

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\75aNA5oy8.jpg

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\PXb600mB.jpg

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\YlYbbx.jpg

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\YYBAj7.jpg

c:\documents and settings\Owner\Start Menu\NOTEPAD.EXE

c:\recycler\S-1-5-21-159346707-5220257-1326429942-1003

c:\winnt\BackUp

c:\winnt\BackUp\S\50309000.DAT

c:\winnt\BackUp\S\50621000.DAT

c:\winnt\BackUp\S\50901000.DAT

c:\winnt\patch.exe

c:\winnt\repair\dvditna.bak1

c:\winnt\repair\dvditna.bak2

c:\winnt\repair\dvditna.ini

c:\winnt\repair\dvditna.ini2

c:\winnt\repair\dvditna.tmp

c:\winnt\system\oeminfo.ini

c:\winnt\system32\4566309.exe

c:\winnt\system32\bccdd.bak1

c:\winnt\system32\bccdd.bak2

c:\winnt\system32\bccdd.tmp

c:\winnt\system32\Cache

c:\winnt\system32\Cache\chart 1.bmp

c:\winnt\system32\Cache\ding.bmp

c:\winnt\system32\Cache\disk 1.bmp

c:\winnt\system32\Cache\document.bmp

c:\winnt\system32\Cache\mail unreaded.bmp

c:\winnt\system32\Cache\msg.bin

c:\winnt\system32\Cache\peoples 1.bmp

c:\winnt\system32\Cache\search find 2.bmp

c:\winnt\system32\Cache\web app.bmp

c:\winnt\system32\command.pif

C:\xcrashdump.dat

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_6TO4

((((((((((((((((((((((((( Files Created from 2010-02-02 to 2010-03-02 )))))))))))))))))))))))))))))))

.

2010-03-01 20:51 . 2010-03-01 20:51 -------- d-----w- c:\program files\TrendMicro

2010-03-01 17:49 . 2010-03-01 17:49 -------- d--h--w- c:\winnt\PIF

2010-02-09 18:49 . 2010-02-09 18:49 664 ----a-w- c:\winnt\system32\d3d9caps.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-02 22:57 . 2004-11-25 05:17 384 ----a-w- c:\winnt\system32\DVCStateBkp-{00000003-00000000-00000001-00001102-00000004-10061102}.dat

2010-03-02 22:57 . 2004-11-25 05:17 384 ----a-w- c:\winnt\system32\DVCState-{00000003-00000000-00000001-00001102-00000004-10061102}.dat

2010-03-02 21:54 . 2004-06-17 06:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-03-02 21:35 . 2004-01-08 14:44 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-03-01 20:06 . 2009-11-19 02:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-01 06:23 . 2004-04-16 02:41 51584 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat

2010-02-03 15:59 . 2005-10-24 20:52 -------- d-----w- c:\program files\World of Warcraft

2010-01-22 09:25 . 2009-07-07 03:11 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-20 22:49 . 2008-05-04 19:32 -------- d-----w- c:\documents and settings\Owner\Application Data\U3

2010-01-12 05:50 . 2009-04-24 06:03 -------- d-----w- c:\documents and settings\Owner\Application Data\MSN6

2010-01-07 21:07 . 2009-11-19 02:05 38224 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys

2010-01-07 21:07 . 2009-11-19 02:05 19160 ----a-w- c:\winnt\system32\drivers\mbam.sys

2009-12-31 16:50 . 2003-03-28 16:54 353792 ----a-w- c:\winnt\system32\drivers\srv.sys

2009-12-21 19:14 . 2004-08-24 01:32 916480 ----a-w- c:\winnt\system32\wininet.dll

2009-12-16 18:43 . 2004-09-13 03:49 343040 ----a-w- c:\winnt\system32\mspaint.exe

2009-12-14 19:15 . 2009-12-14 19:15 2146304 ----a-w- c:\winnt\system32\GPhotos.scr

2009-12-14 07:08 . 2003-03-31 12:00 33280 ----a-w- c:\winnt\system32\csrsrv.dll

2009-12-08 19:26 . 2003-04-24 13:57 2145280 ----a-w- c:\winnt\system32\ntoskrnl.exe

2009-12-08 18:43 . 2003-04-24 13:57 2023936 ----a-w- c:\winnt\system32\ntkrnlpa.exe

2009-12-04 18:22 . 2002-11-18 16:27 455424 ----a-w- c:\winnt\system32\drivers\mrxsmb.sys

2009-10-27 01:42 . 2009-10-27 01:42 66936 --sha-w- c:\winnt\dlinfo_0.drv

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [N/A]

"WinPatrol"="c:\progra~1\BILLPS~1\WINPAT~1\WinPatrol.exe" [N/A]

"OASClnt"="c:\program files\McAfee.com\VSO\oasclnt.exe" [N/A]

"mswspl"="c:\progra~1\BILLPS~1\WINPAT~1\WinPatrol.exe" [N/A]

"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-07 50688]

"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 19968]

"kdx"="c:\winnt\kdx\KHost.exe" [N/A]

"CTHelper"="CTHELPER.EXE" [2004-03-11 28672]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [N/A]

"LVCOMSX"="c:\program files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 243248]

"DT ACR"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2007-10-22 81920]

"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

"LogitechCommunicationsManager"="c:\program files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 497200]

"EPSON Stylus CX6400"="c:\winnt\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE" [N/A]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [N/A]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"SetDefaultMIDI"="MIDIDef.exe" [2003-06-20 49152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"SetDefaultMidi"="MIDIDEF.EXE" [2003-06-20 49152]

"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe [2004-3-2 274432]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Image Transfer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Image Transfer.lnk

backup=c:\winnt\pss\Image Transfer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^CurseClientStartup.ccip]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\CurseClientStartup.ccip

backup=c:\winnt\pss\CurseClientStartup.ccipStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]

2009-04-23 13:51 691656 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gateway Ink Monitor]

c:\program files\Gateway\Gateway Ink Monitor\GWInkMonitor.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]

2004-07-01 21:20 212992 ----a-w- c:\program files\iRiver\iRiver Manager\Updater\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LimeShop]

c:\program files\LimeShop\LimeShoprun.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]

2006-06-26 14:34 614960 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

2008-04-14 00:12 1695232 ---ha-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

c:\program files\MSN Messenger\msnmsgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

2001-07-09 10:50 155648 -c--a-r- c:\winnt\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\warez]

c:\program files\Warez P2P Client\warez.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]

c:\program files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\BitComet\\BitComet.exe"=

"c:\\WINNT\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=

"c:\\Program Files\\World of Warcraft\\WoW-1.8.0-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.8.3.4807-to-1.8.4.4878-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-1.8.4.4878-to-1.9.0.4937-enUS-downloader.exe"=

"c:\\Program Files\\AIM\\aim.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9464-to-3.0.8.9506-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.0.8.9506-to-3.0.9.9551-enUS-downloader.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.0.9767-to-3.1.1.9806-enUS-downloader.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.1.9835-to-3.1.2.9901-enUS-downloader.exe"=

"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

"c:\\Diablo\\diablo.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader

"6112:TCP"= 6112:TCP:Blizzard Downloader

"8887:TCP"= 8887:TCP:BitComet 8887 TCP

"8887:UDP"= 8887:UDP:BitComet 8887 UDP

"16794:TCP"= 16794:TCP:BitComet 16794 TCP

"16794:UDP"= 16794:UDP:BitComet 16794 UDP

R0 sptd;sptd;c:\winnt\system32\drivers\sptd.sys [2/20/2009 7:27 AM 721904]

S3 SaiHFF0C;SaiHFF0C;c:\winnt\system32\drivers\SaiHFF0C.sys [3/15/2004 2:16 PM 56576]

S3 SaiUFF0C;SaiUFF0C;c:\winnt\system32\drivers\saiuFF0C.sys [3/15/2004 2:16 PM 19584]

S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;c:\winnt\system32\drivers\wg121nd5.sys [3/2/2004 8:13 PM 337184]

.

Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\winnt\Tasks\McDefragTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-27 16:22]

2010-03-01 c:\winnt\Tasks\McQcTask.job

- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-27 16:22]

2010-03-02 c:\winnt\Tasks\User_Feed_Synchronization-{068BA5E8-C8F5-4CD2-9DE4-1E19C8A9C188}.job

- c:\winnt\system32\msfeedssync.exe [2006-10-17 08:31]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www6.comcast.net/a/

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchAssistant = about:blank

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: Add to Google Photos Screensa&ver - c:\winnt\system32\GPhotos.scr/200

Trusted Zone: internet

Trusted Zone: mcafee.com

DPF: ActiveGS.cab - hxxp://activegs.freetoolsassociation.com/ActiveGS.cab

DPF: {BD4C7EDB-A392-11D9-8BFB-0040953018D7} - hxxp://www.streamerp2p.com/sfiles/phasex.cab

DPF: {C53BDC3D-19A0-4062-BF34-0897A4E6A6A2} - hxxp://www.wildpockets.com/common/WildPocketsLoader-14009.cab

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

AddRemove-15tvbtn8 - c:\winnt\15tvbtn8.exe

AddRemove-4AF3F682-FE2A-488D-A11C-A0470A325E93 - c:\program files\WildTangent\Apps\GameChannel\Games\4AF3F682-FE2A-488D-A11C-A0470A325E93\Uninstall.exe

AddRemove-5A137FCB-35EA-4849-8239-AFEBD2F45B3B - c:\program files\WildTangent\Apps\GameChannel\Games\5A137FCB-35EA-4849-8239-AFEBD2F45B3B\Uninstall.exe

AddRemove-618CD711-AFB3-4EB4-9B48-ABD2AB370B21 - c:\program files\WildTangent\Apps\GameChannel\Games\618CD711-AFB3-4EB4-9B48-ABD2AB370B21\Uninstall.exe

AddRemove-70216ACD-1547-44E5-8966-615BE9569EAD - c:\program files\WildTangent\Apps\GameChannel\Games\70216ACD-1547-44E5-8966-615BE9569EAD\Uninstall.exe

AddRemove-97D31CB6-F2B5-4875-B6B0-8AF75AC414DB - c:\program files\WildTangent\Apps\GameChannel\Games\97D31CB6-F2B5-4875-B6B0-8AF75AC414DB\Uninstall.exe

AddRemove-A375E2C6-77CA-4F2F-AB6F-CD0A96D87B24 - c:\program files\WildTangent\Apps\GameChannel\Games\A375E2C6-77CA-4F2F-AB6F-CD0A96D87B24\Uninstall.exe

AddRemove-AA4162B8-1BB1-4110-8F93-0092D4DEF122 - c:\program files\WildTangent\Apps\GameChannel\Games\AA4162B8-1BB1-4110-8F93-0092D4DEF122\Uninstall.exe

AddRemove-ADFCE1E4-A420-437C-998D-EAF04E3601BE - c:\program files\WildTangent\Apps\GameChannel\Games\ADFCE1E4-A420-437C-998D-EAF04E3601BE\Uninstall.exe

AddRemove-BECB8A74-E07D-44A1-813D-1E390EB3047B - c:\program files\WildTangent\Apps\GameChannel\Games\BECB8A74-E07D-44A1-813D-1E390EB3047B\Uninstall.exe

AddRemove-C4D2212B-5331-470D-9BF7-96DB25A398C7 - c:\program files\WildTangent\Apps\GameChannel\Games\C4D2212B-5331-470D-9BF7-96DB25A398C7\Uninstall.exe

AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe

AddRemove-{1336A42D-44B3-4063-B160-9F81ECE7D6D7} - c:\program files\wildtangent\apps\gamechannel.exe \removeitem {1336A42D-44B3-4063-B160-9F81ECE7D6D7}

AddRemove-{539E887B-98A5-4CDC-85D6-07371995D66E} - c:\program files\wildtangent\apps\gamechannel.exe \removeitem {539E887B-98A5-4CDC-85D6-07371995D66E}

AddRemove-{5E83229B-2295-4C3C-B97D-81156122759B} - c:\program files\wildtangent\apps\gamechannel.exe \removeitem {5E83229B-2295-4C3C-B97D-81156122759B}

AddRemove-{93F8CA95-311D-4DB1-8226-AD572B8CC0CE} - c:\program files\wildtangent\apps\gamechannel.exe \removeitem {93F8CA95-311D-4DB1-8226-AD572B8CC0CE}

AddRemove-{A399157E-EF92-4012-8F7A-DBDBDE3A269F} - c:\program files\wildtangent\apps\gamechannel.exe \removeitem {A399157E-EF92-4012-8F7A-DBDBDE3A269F}

AddRemove-{CA3420D8-75ED-41BC-AC6A-D41EA327649C} - c:\program files\wildtangent\apps\gamechannel.exe \removeitem {CA3420D8-75ED-41BC-AC6A-D41EA327649C}

AddRemove-{FAA23FA3-E415-488A-94BE-CD18942DC813} - c:\program files\wildtangent\apps\gamechannel.exe \removeitem {FAA23FA3-E415-488A-94BE-CD18942DC813}

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-02 18:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spia.sys >>UNKNOWN [0x87386938]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7592f28

\Driver\ACPI -> ACPI.sys @ 0xf73bccb8

\Driver\atapi -> atapi.sys @ 0xf7377b40

\Driver\iaStor -> iaStor.sys @ 0xf7357cd0

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e

ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e668e

ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1

NDIS: -> SendCompleteHandler -> 0x0

PacketIndicateHandler -> 0x0

SendHandler -> 0x0

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3167290857-1794671658-1875467217-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\ACPI\PNP0F03\4&35f762c4&0\LogConf]

@DACL=(02 0000)

"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,

00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\

"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,

00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff

[HKEY_LOCAL_MACHINE\System\ControlSet004\Enum\HID\Vid_046d&Pid_c016\7&2924c29b&0&0000\LogConf]

@DACL=(02 0000)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(544)

c:\winnt\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(7008)

c:\winnt\system32\WININET.dll

c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll

c:\program files\Logitech\MouseWare\System\LgWndHk.dll

c:\winnt\system32\ctagent.dll

c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

c:\program files\Portrait Displays\Pivot Software\winphook.dll

c:\winnt\system32\ieframe.dll

c:\winnt\system32\webcheck.dll

c:\winnt\system32\WPDShServiceObj.dll

c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll

c:\winnt\system32\PortableDeviceTypes.dll

c:\winnt\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\winnt\system32\Ati2evxx.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe

c:\progra~1\McAfee\MSC\mcmscsvc.exe

c:\program files\common files\mcafee\mna\mcnasvc.exe

c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe

c:\program files\McAfee\MPF\MPFSrv.exe

c:\program files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

c:\winnt\system32\UAService7.exe

c:\progra~1\mcafee.com\agent\mcagent.exe

c:\winnt\system32\CTHELPER.EXE

c:\program files\Logitech\MouseWare\system\em_exec.exe

c:\program files\Acer Display\eDisplay Management\DTHtml.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

c:\program files\Portrait Displays\Pivot Software\floater.exe

c:\program files\Common Files\Portrait Displays\Shared\HookManager.exe

c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

c:\progra~1\McAfee\VIRUSS~1\mcshield.exe

c:\winnt\system32\defrag.exe

c:\winnt\system32\DfrgNtfs.exe

.

**************************************************************************

.

Completion time: 2010-03-02 18:52:44 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-02 23:52

Pre-Run: 3,019,915,264 bytes free

Post-Run: 3,506,503,680 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINNT

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - D2D6DA33B6682829F17AAB3E1058142B

Maniac · March 3, 2010

We're not ready! Please be patient!

Step 1:

I also see you have Viewpoint installed...

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player

Step 2:

Open Notepad and copy and paste the text in the code box below into it:

KillAll::

File::
c:\documents and settings\Owner\Application Data\wklnhst.dat

AWF::

MBR::

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

nomorevirus · March 4, 2010

ComboFix 10-03-02.08 - Owner 03/03/2010 7:56.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.492 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::

"c:\documents and settings\Owner\Application Data\wklnhst.dat"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Owner\Application Data\wklnhst.dat

.

((((((((((((((((((((((((( Files Created from 2010-02-03 to 2010-03-03 )))))))))))))))))))))))))))))))

.

2010-03-03 02:47 . 2010-03-03 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2010-03-03 02:47 . 2010-03-03 02:47 -------- d-----w- c:\program files\NOS

2010-03-01 20:51 . 2010-03-01 20:51 -------- d-----w- c:\program files\TrendMicro

2010-03-01 17:49 . 2010-03-01 17:49 -------- d--h--w- c:\winnt\PIF

2010-02-09 18:49 . 2010-02-09 18:49 664 ----a-w- c:\winnt\system32\d3d9caps.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-03 13:11 . 2004-11-25 05:17 384 ----a-w- c:\winnt\system32\DVCStateBkp-{00000003-00000000-00000001-00001102-00000004-10061102}.dat

2010-03-03 13:11 . 2004-11-25 05:17 384 ----a-w- c:\winnt\system32\DVCState-{00000003-00000000-00000001-00001102-00000004-10061102}.dat

2010-03-03 12:47 . 2004-01-08 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2010-03-03 12:47 . 2004-01-08 14:38 -------- d-----w- c:\program files\Viewpoint