How to get rid of XP Antivirus?

[alohaguy53]

I recently purchased the Malwarebytes Pro to prevent infections. Today, I got an infection of something called XP Anti-Spyware. I am starting to think that I got conned by Malwarebytes into buying worthless protection. Anyway, XP Anit-Spyware is a malware that pops-up with a false positve telling me I have many infections. I am getting pop-ups for this speyware even in safe mode. I tried running malwarebytes, but it won't run. I tried running rootkill, but that didn't help. Please tell me how to get the malware processed stopped so I can run MBAM to getrid of this thing, since your software shouldn't have allowed in on my computer in the first place.

[LDTate]

Please don't attach the scan results, use Copy/Paste

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

Note: Close all browsers before running ATF Cleaner: IE, FireFox, etc.

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

[alohaguy53]

XP Antispyware won't let me access the internet, even in safe mode. So I downloaded it to another computer, saved it to the desktop and then transferred it to my external drive. When I then try to run it, it won't run. I am using XP by the way.

[alohaguy53]

XP Antispyware won't let me access the internet, even in safe mode. So I downloaded it to another computer, saved it to the desktop and then transferred it to my external drive. When I then try to run it, it won't run. I am using XP by the way.

Also, am I supposed to be doing whatever needs to be done in safe mode or normal mode?

[alohaguy53]

Also, am I supposed to be doing whatever needs to be done in safe mode or normal mode?

I just tried turning off my computer and restarting it in normal mode. I went and read the self-help guide to removing XP Anti-software. Then I tried opening the MBAM files in the programs list and changing mbam (no .exe file there) and then running it. It wouldn't run. I also tried to run the ATF Cleaner and it didn't work. So what next, and why did this thing get on my computer when I paid for the full Malwarebytes protection program?

[LDTate]

First off, no protection program be it anti-virus / anti-malware will "do it all".

You still have to be careful of sites you visit, what emails you open or what you download.

Try this:

Download this random named version of MalwareBytes to a flash / thumb drive.

Try running if from the flash drive on the infected computer.

http://www.malwarebytes.org/mbam-download-standalone-random.php

You might also try restarting the infected pc in Safe Mode before doing the above if Normal Mode doesn't work.

[alohaguy53]

I tried opening the computer in normal mode and trying to run the anonomous file of MBAM that you sent. I get a pop-up saying "XP Anti-spyware has blocked a program from accessing the internet". I exited the pop-up and got a box saying run or save the file, so I clicked run and nothing happens. I also tried doing this in Safe Mode and the file won't run.

[alohaguy53]

Just for the heck of it, I just tried to open Malwarebytes with the computer in Safe Mode (it hadn't worked before when I did it yesterday) but this time it opened, so I am running a quick scan. Will post the results when it is finished.

[LDTate]

Just for the heck of it, I just tried to open Malwarebytes with the computer in Safe Mode (it hadn't worked before when I did it yesterday) but this time it opened, so I am running a quick scan. Will post the results when it is finished.

Post the results and then try running MBAM in Normal Mode.

[alohaguy53]

Scan showed 4 registry infections and 3 filed infected. Sorry, I don't know how to copy file names to here. I am restarting the computer and will try to run MBAM in normal mode.

[alohaguy53]

I restarted the computer in normal mode and as it started up, I got the safe mode screen saying Windows couldn't start. So I clicked on "Use last know working configuration" or whatever it is. Windows loaded, but now, none of the programs will open, including IE, Outlook Express, Malawarebytes, Microsoft office.

[LDTate]

Try a new restart in normal mode.

[alohaguy53]

I just clicked on the internet and it opened. But when I try to open programs like word or excel or malwarebytes, it either asks me what program i want to use to open the application or I get an error message saying "application not found". I will try to do another restart and see what happens.

[LDTate]

Some infections will mess up the file associations.

Please download fixAssocations to your desktop.

Double-click on fixAssociations.com to perform the fix.

Please test to see if your executable programs now work - you may have to reboot first.

If that didn't work, if you have another user login try that user. If not, create a new user and try logging in as that user and see that user works.

[alohaguy53]

I restarted the computer in normal mode and the same thing happens. Only thing that works is the Internet Explorer. Nothing else will open. XP Antispywear seems to be gone. Small consolation if my OS is screwed up.

[LDTate]

Did you read my last post?

[alohaguy53]

I restarted the computer and fixassocaitions apparently didn't work. Only users I have on my laptop are me and administrator. Not sure how to set up a new one.

[LDTate]

See if this will work

Please download DDS and save it to your desktop.

• Disable any script blocking protection
  
• Double click dds.scr to run the tool.
  
• When done, DDS.txt will open.
  
• Click Yes at the next prompt for Optional Scan.
  
• Save both reports to your desktop.
  

---------------------------------------------------

Please Please copy / paste the scan reults.

DDS.txt

[alohaguy53]

Surry, how do I disable script blocking protection?

[LDTate]

Surry, how do I disable script blocking protection?

If your anti-virus program is running, it will show down on the left bottom. Right click on the icon and select disable or close.

If you can't find it, don't worry about it for now.

[alohaguy53]

Thanks for the help...I have to gopick up my daughter...will try this as soon as I get back in 30 to 40 minutes.

[LDTate]

OK

[alohaguy53]

I downloaded DDS to my desktop and then tried to run it...it started to run and then stopped and asked me what program I would like to run it with. So the only thing working on my computer seems to be IE.

[LDTate]

Did you purchase MalwareBytes?

[alohaguy53]

Yes I did purchase the full Malawarebytes about the 25th of March...anyway, I ran DDS directly from an earlier post you had made the log is copied...

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Kevin at 14:28:33.97 on Tue 04/12/2011

Internet Explorer: 7.0.5730.13

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1346 [GMT -7:00]

.

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

============== Running Processes ===============

.

C:\WINDOWS\System32\svchost.exe -k Cognizance

C:\WINDOWS\system32\svchost -k DcomLaunch

c:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

svchost.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\spoolsv.exe

c:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe

C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\LSI SoftModem\agrsmsvc.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

c:\WINDOWS\system32\ifxspmgt.exe

C:\WINDOWS\system32\IFXTCS.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

c:\WINDOWS\system32\IfxPsdSv.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\SUYJ5VTI\dds[2].scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://my.yahoo.com/

uInternet Settings,ProxyServer = http=127.0.0.1:5577

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Credential Manager for HP ProtectTools: {df21f1db-80c6-11d3-9483-b03d0ec10000} - c:\program files\hewlett-packard\iam\bin\ItIEAddIn.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

TB: ShopAtHome.com Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [spyware Protection] c:\documents and settings\kevin\application data\defender.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe

mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe

mRun: [acevents] "c:\program files\actividentity\activclient\acevents.exe"

mRun: [<NO NAME>]

mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start

mRun: [CognizanceTS] rundll32.exe c:\progra~1\hewlet~1\iam\bin\ASTSVCC.dll,RegisterModule

mRun: [iFXSPMGT] c:\windows\system32\ifxspmgt.exe /NotifyLogon

mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"

mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [selectRebates] c:\program files\selectrebates\SelectRebates.exe

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.com.exe" /runcleanupscript

StartupFolder: c:\docume~1\kevin\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\forget~1.lnk - c:\program files\broderbund\ag creatacard\agremind.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll

DPF: {00000035-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall35.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {BEA7310D-06C4-4339-A784-DC3804819809} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_7/PhotoCenter_ActiveX_Control.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg9\toolbar\IEToolbar.dll

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: ackpbsc - c:\program files\actividentity\activclient\ackpbsc.dll

Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: DeviceNP - DeviceNP.dll

Notify: igfxcui - igfxdev.dll

Notify: OneCard - c:\program files\hewlett-packard\iam\bin\ASWLNPkg.dll

AppInit_DLLs: APSHook.dll

LSA: Notification Packages = SbHpNp scecli ASWLNPkg

Hosts: 127.0.0.1 www.spywareinfo.com

.

============= SERVICES / DRIVERS ===============

.

.

=============== Created Last 30 ================

.

.

==================== Find3M ====================

.

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: TOSHIBA_MK1656GSY rev.LH013C -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

.

device: opened successfully

user: MBR read successfully

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys >>UNKNOWN [0x8A7A9439]<<

c:\windows\system32\drivers\hpdskflt.sys Hewlett-Packard Corporation Hewlett-Packard Corporation Mobile Data Protection System

_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a7af7d0]; MOV EAX, [0x8a7af84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A74EAB8]

3 CLASSPNP[0xF74F7FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A787950]

5 hpdskflt[0xF7508FE1] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000008b[0x8A755030]

7 ACPI[0xF735E620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A75D398]

\Driver\atapi[0x8A870B28] -> IRP_MJ_CREATE -> 0x8A7A9439

kernel: MBR read successfully

_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [bP+0x0], CH; JL 0x2e; JNZ 0x3a; }

detected disk devices:

\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskTOSHIBA_MK1656GSY_______________________LH013C__#5&338916ab&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

detected hooks:

\Driver\atapi DriverStartIo -> 0x8A7A927F

user & kernel MBR OK

Warning: possible TDL3 rootkit infection !

.

============= FINISH: 14:30:38.08 ===============