Infected w/ Antivirus System PRO; Malwarebytes won't setup

Hello...so my laptop is infected with Antivirus System Pro I downloaded Malwarebytes, but when I try to install it, nothing happens. Please help! Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:24 PM, on 6/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\sysguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Harold\My Documents\My downloads\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 antivirsystem-pro.microsoft.com
O1 - Hosts: 94.232.248.66 antivir-system-pro.com
O1 - Hosts: 94.232.248.66 www.antivir-system-pro.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BHO - {71848431-9C3E-4217-9F76-4772C41E44E5} - C:\WINDOWS\system32\iehelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{48CF4D8B-0A48-4487-9778-D83CD1047A0A}: NameServer = 167.206.245.129,167.206.245.130
O17 - HKLM\System\CS1\Services\Tcpip\..\{48CF4D8B-0A48-4487-9778-D83CD1047A0A}: NameServer = 167.206.245.129,167.206.245.130
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7810 bytes


Thanks so much for the help ^_^

I see you have Viewpoint software installed.

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". Read this article: here and here

I suggest you remove the program now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

• Viewpoint Manager (remove only)
  
• Viewpoint Media Player
  
• Viewpoint Toolbar
  

Next, please download ViewpointKiller by Prm753 from here.
Save it to a permanent folder (such as C:\ViewpointKiller) and unzip it there.
Open ViewpointKiller, and press the Start button.
A log will be produced in the same folder where you unzipped it to. Please post the contents of that log in your reply.

• Open HijackThis.
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
  O1 - Hosts: ::1 localhost
  O1 - Hosts: 94.232.248.66 antivirsystem-pro.microsoft.com
  O1 - Hosts: 94.232.248.66 antivir-system-pro.com
  O1 - Hosts: 94.232.248.66 www.antivir-system-pro.com
  O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
  O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
  O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
  O17 - HKLM\System\CCS\Services\Tcpip\..\{48CF4D8B-0A48-4487-9778-D83CD1047A0A}: NameServer = 167.206.245.129,167.206.245.130
  O17 - HKLM\System\CS1\Services\Tcpip\..\{48CF4D8B-0A48-4487-9778-D83CD1047A0A}: NameServer = 167.206.245.129,167.206.245.130
  O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
  
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Ok, I followed all of your instructions. Except for where it said to check the box that said, O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe, because it wasn't on the list.

After that, I tried to run malwarebytes setup, but it still wouldn't run. Then I tried going online, but any site I tried going to, Id get a Page Load Error "Address not found. Firefox can't find the server at :insert any website here:"

So because I couldn't get online, I restarted my computer. Now what happens is that when I get to the desktop, there is a little yellow shield icon on the toolbar that says "Downloading updates 0%". It's always there for a few seconds everytime I start my computer.

So here is the ViewpointKiller log. I typed it because I couldn't post from the infected computer because I can't go online on that one now, so I'm on another computer :/


------------------------------------------
ViewpointKiller Version 1.30 (beta)

The removal process was started on Sun Jun 21 23:39:48 2009

Preparing the remove Viewpoint Media Player...

Warning accepted, beginning removal process...

Viewpointkiller determined that "aim.exe" was not running
Viewpointkiller determined that "aim6.exe" was not running
Viewpointkiller determined that "aolsoftware.exe" was not running
Viewpointkiller determined that "aol.exe" was not running
Viewpointkiller determined that "MtsAxInstaller.exe" was not running

Preparing the close the viewpoint manager service if it is running...
Closing the "viewpoint manager service" failed, or the service was not running/

Searching for all known viewpoint media player registry values and keys...
Found and removed: SOFTWARE\viewpoint
Found and removed: SOFTWARE\viewpoint
Found and removed: interface\{9dbb28cd-1925-11d3-a498-00104b6eb52e}
Found and removed: SYSTEM\CurrentControlSet\Services\Viewpoint Manager Service
Fisnihed searching for and removing all known viewpoint media player registry values and keys

Searching for all known Viewpoint media player files and folders...
Found and removed: C:\Documents and Settings\All Users\Application Data\Viewpoint
Finished searching and removing all known viewpoint media player files and folders...

Finished reporting
---------------------------------
----------------------------------
Viewpointkiller version 1.30 (beta)

The removal process was started on Sun Jun 21 23:40:31 2009

Preparing to remove viewpoint manager...

viewpointkiller determined that "viewmgr.exe" was not running
Searching for all known viewpoint manager registry values and keys...
Found and removed: Software\microsoft\windows\currentversion\uninstall\viewpoint manager
Finished searching for and removing all known viewpoint manager registry values and keys

Searcing for all known viewpoint manager files and folders...
Finished searching for and removing all known viewpoint manager files and folders.

Finished reporting
-----------------------------
------------------------------
Viewpointkill version 1.30 (beta)

The removal process was started Sun Jun 21 23:40:35 2009

Preparing to remove Viewpoint toolbar...

Viewpointkiller determined that "fotomatdeviceconnect.exe" was not running
Viewpointkiller was able to close "iexplore.exe" sucessfully

Searching for all known viewpoint toolbar registry values and keys...
Finished searching for and removing all known viewpoint toolbar registry values and keys

Searcihng for all known viewpoint toolbar files and folders...
Finished searching for and removing all known viewpoint toolbar files and folders

Finished reporting
-------------------------------------------------

So has Antivirus System Pro been completely removed? After restarting my computer, the Antivirus System Pro icon was no longer in my toolbar and the popups stopped. But,now I can't get online. Does this line from ViewpointKiller log have anything to do with it? Viewpointkiller was able to close "iexplore.exe" sucessfully

One last thing, why does that yellow update sheild show up on my toolbar when I start windows now?

Thanks a lot!

• Download combofix from here
  Link 1
  Link 2
  

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

• See HERE for how to disable your AV. (Mcafee)
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouse click combofix's window whilst it's running. That may cause it to stall.
  

How do I do that if I can't go online from the infected computer?

Transfer the file to a USB Stick or CD from another computer.

Alright, will do.

So, I ran combofix, but it said that I do not have Recovery Console installed and that I can't have combofix install it for me because I "do not appear to be connected to the internet" and to connect before clicking ok...

Just skip that step and keep going.

So now it says that it has detected the presence of rootkit activity and need to reboot, and to write down some stuff because it may be needed later. I write down all that stuff and press ok, yeah?

yes please.

Ok, I wrote it down and it rebooted. Now it's asking me to install Windows Recovery Console... I just skip it and keep going anyway, right?

Yes, please do so.

Ok, so combofix finished and log has been created. I haven't tried going online yet...should I try? If I can't then I have to type that entire log... :/

Try it if you want, please post all the contents of the ComboFix log on your next reply, the log might be to big to post in one post so please split the log into two posts or more if required. If you do not remember where you saved the ComboFix log it should be somewhere in your C:\ drive.

Hey, this took days to type, but here is my ComboFix log (finally)

Combo fix 09-06-21.01 - Harold 06/22/2009 14:55.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.262 [GMT -4:00]
Running from E:\Combo-Fix.exe
Av: McAfee VirusScan *On-access scanning disable* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Perfonal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE RECOVER CONSOLE INSTALLED!!
.

(((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))
.
c:\Windows\sysguard.exe
c:\windows\syssvc.exe
c:\windows\system32\drivers\UACbodaeijpifbwpuwmr.sys
c:\windows\system32\iehelper.dll
c:\windows\system32\UACantaqjpxueykctvtq.log
c:\windows\system32\UACevanelddgwpsrxfbc.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjoelffqwvtrqhylkm.dll
c:\windows\system32\UACmydyjkexaokfhkygs.dll
c:\windows\sytem32\UACppvqghbgjxkqpousx.dll
c:\windows\system32\UACqltobirviqmjxrqak.dll
c:\windows\system32\UACsfbjnpulsranfbago.dll
c:\windows\system32\UACtetirfwowipfuunvd.dat
c:\windows\system32\UACwufklllfrhnoqlvn.log
D:\Autorun.inf
D:\Desktop.ini

.
(((((((((((((((((((( Drivers/Services)))))))))))))))))))))))))))))))
.
------\Service_UACd.sys

(((((((((((((((( Files created from 2009-05-22 to 2009-06-22 )))))))))))))))))))))))
.
No new files created in this timespan

.
(((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))
.
2009-06-22 03:47 . 2008-10-11 03:17 ------- d------w- c:\program files\WebEx
2009-06-20 12:24 . 2007-09-28 18:36 -------- d------w- c:\program files\McAfee
2009-06-10 01:35 . 200812-03 17:08 --------- d------w- c:\documents and settings\Harold\Application Data\ZoomBrowser EX
2009-06-10 01:04 . 2008-12-03 17:05 -------- d----w- c:\documents and settings\Harold\Application Data\CameraWindowDC
2009-06-10 01:00 . 2006-09-10 00:36 130424 -c—a-w- c:\documents and settings\Harold\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-09 03:01 . 2008-08-12 05:07 ------ d------w- c:\documents and settings\Harold\Application Data\gtk-2.0
2009-05-22 02:31 . 2008-0812 05:05 ------- d----w- c:\program files\GIMP2.0
2009-05-07 15:32 . 2004-08-04 08:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2004-08-04 08:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2004-08-04 08:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 08:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.
(((((((((((((((((((( Reg Loading Points )))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\Windows\CurrentVersion\Run]
“ctfmon.exe”=”c:\windows\system32\ctfmon.exe” [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“igfxtray”=”c:\windows\system32\igfxtray.exe” [2005-11-03 98304]
“HP software update”=”c:\program files\hp\hp software update\hpwuschd2.exe” [2005-02-17 49152]
“hpwirelessassistant”=”c:\program files\hpq\hp wireless assistant\hp wireless assisntant.exe” [2005-12-14 507904]
“eabconfg.cpl”=”c:\program files\HPQ\Quick Launch Buttons\EabServr.exe” [2005-12-07 409600]
“RecGuard”=”c:\windows\SMINST\RecGuard.exe” [2005-10-11 1187840]
“SynTPenH”=”c:\program files\synaptics\synTP\synTPEnh.exe” [2005-11-11 761945]
“mcagent_exe”=”c:\program files\McAfee.com\Agent\mcagent.exe” [2007-11-01 582992]
“nmctxth”=”c:\program files\common Files\Pure Netowkrs Shared\Platform\nmctxth.exe” [2008-01-08 451896]
“sunjavaupdatesched”=”c:\program file\java\jre1.6.0.03\bin\jusched.exe” [2007-09-25 132496]
“quicktime task”=”c:\program files\quicktime\QTTask.exe” [2009-01-05 413696]
“ituneshelper”=”c:\program files\itunes\ituneshelper.exe” [2009-03-13 342312]
“high definition audio property page shortcut”=”CHDAudPropShotrcut.exe” – c:\windows\system32\CHDAdPropShortcut.exe [2005-11-08 61952]

[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\mcmscsvc]
@=””
[hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\MCDOS]
@=””
[HKLM\~\startupfolder\C:^documents and settings^All Users^Start Menu^programs^startup^adobe reader speed launch.lnk]
Path=c:\documents and settings\all users\start menu\programs\startup\adobe reader speed launch.lnk
Backup=c:\windows\pss\adobe reader speed launch.lnkCommon Startup
[hklm\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^corel registration.lnk]
Path=c:\documents and settings\all users\start menu\programs\startup\corel registration.lnk
Backup=c:\windows\pss\corel registration.lnkCommon Startup
[hklm\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^CorelCENTRAL 9.LNK]
Path=c:\documents and settings\all users\start menu\programs\startup\CorelCENTRAL 9.LNK
Backup=c:\windows\pss\CorelCENTRAL 9.LNKCommon Startup
[hklm\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^corelcentral alarms.LNK]
Path=c:\documents and settings\all users\start menu\programs\startup\corelcentral alarms.LNK
Backup=c:\windows\pss\corelcentral alarms.LNKCommon Startup
[hklm\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^desktop application director 9.LNK]
Path=c:\documents and settings\all users\start menu\programs\startup\desktop application director 9.LNK
Backup=c:\windows\pss\desktop application director 9.LNKCommon Startup
[hklm\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^hp photosmart premier fast start.lnk]
Path=c:\documents and settings\all users\start menu\programs\startup\hp photosmart premier fast start.lnk
Backup=c:\windows\pss\hp photosmart premier fast start.lnkCommon Startup
[hklm\~\startupfolder\c:^documents and settings^Harold^start menu^programs^startup^MEMonitor.lnk]
Path=c:\documents and settings\Harold\start menu\programs\startup\MEMonitor.lnk
Backup=c:\windows\pss\MEMonitor.lnkStartup
hklm\~\startupfolder\c:^documents and settings^Harold^start menu^programs^startup^WKCALREM.LNK]
Path=c:\documents and settings\Harold\start menu\programs\startup\WKCALREM.LNK
Backup=c:\windows\pss\WKCALREM.LNKStartup
[hkey_local_machine\software\microsoft\shared tools\msconfig\services]
“AOL topspeedmonitor”=2 (0x2)
“AOL acs”= 2 (0x2)
[hkey_local_machine\software\microsoft\security center]
“AntiVirusDisableNotify”=dword: 00000001
[hkey_local_machine\software\microsoft\security center\monitoring\mcafeeantivirus]
“disablemonitoring”=dword: 00000001
[hkey_local_machine\software\microsoft\security center\monitoring\mcafeefirewall]
“disablemonitoring”=dword: 00000001
[hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
“enablefirewall”= 0 (0x0)
[hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
“%windir%\\system32\\sessmgr.exe”=
“c:\\program files\\common files\\aol\\loader\\aolload.exe”=
“c:\\program files\\common files\\aol\\acs\\aoldial.exe”=
“c:\\program files\\common files\\aol\\acs\\aolacsd.exe”=
“c:\\program files\\common files\\aol\\topspeed\\2.0\\aoltsmon.exe”=
“c:\\program files\\common files\\aol\\topspeed\\2.0\\aoltpspd.exe”=
“c:\\program files\\common files\\aol\\\\1157857800\\EE\\aolservicehost.exe”=
“c:\\program files\\common files\\aol\\system information\\sinf.exe”=
“c:\\program files\\common files\\aolCoach\\en_en\\player\\AOLNySEV.exe”=
“c:\\program files\\america online 9.0a\\waol.exe”=
“c:\\program files\\common files\\aol\\1157857800\\EE\\aolsoftware.exe”=
“c:\\program files\\common files\\aol\\1157857800\\EE\\aim6.exe”=
“c:\\program files\\aim6\\aim6.exe”=
“c:\\program files\\common files\\mcafee\\MNA\\McNaSvc.exe”=
“%windir%\\network diagnostic\\xpnetdiag.exe”=
“c:\\program files\\Bonjour\\mDNSresponder.exe”=
“c:\\program files\\itunes\\itunes.exe”=
[hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list]
“58216:TCP”=58216:TCP:Pando P2P TCP Listening Port
“58216:UDP”= 58216:UDP:Pando P2P UDP Listening port
“67:UDP”=67:udp:dhcp discovery service
.
Contents of the “scheduled tasks” folder
2009-04-15 c:\windows\task\mcdefragtask.job
-c:\progra~1\mcafee\mqc\QcConsol.exe [2007-09-28 17:32]

----ORPHANS REMOVED-------
BHO{71848431-9C3E-4217-9F76-4772C41E44E5} – c:\windows\system32\iehelper.dll
.
-----------Supplementary Scan-----------
.
uStart Page = about:blank
IE: &AOL Toolbar search – c:\program files\AOL Toolbar\toolbar.dll\SEARCH.HTML
IE: E&xport to Microsoft excel – c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
.
Catchme 0.3.1398 W2K/XP/Vista – rootkit/stealth malware detector by Gmer, http://gmer.net
Rootkit scan 2009-06-22 15:02
Windows 5.1.2600 Service Pack 3 NTFS
Scanning hidden processes…
Scanning hidden autostart entries…
Scanning hidden files…
Scan completed successfully
Hidden files: 0
--------------LOCKED REGISTRY KEYS------------------
[HKEY_USERS\S-1-5-21-423974968-1000956814-4023622619-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (Restricted Code)
@Allowed: (read) (restricted Code)
.
Completion time: 2009-06-22 15:04
ComboFix-quarantined-files.txt 2009-06-22 19:04
Pre-Run: 29,049,679,872 bytes free
Post-Run: 29,125,824,512 bytes free
166 ---E O F------ 2009-06-18 21:53

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?

When I try that, it says "Windows cannot find "ComboFix". Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

My computer is running normally again . Except that I can't get online for some reason. My wireless connection is connected with good signal, but after running ViewpointKiller I can't go online anymore. ???

Hello.

• Open HijackThis
  
• Then click "View list of backups"
  
• Check the boxes in front of these lines:
  
  
  R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
  O17 - HKLM\System\CCS\Services\Tcpip\..\{48CF4D8B-0A48-4487-9778-D83CD1047A0A}: NameServer = 167.206.245.129,167.206.245.130
  O17 - HKLM\System\CS1\Services\Tcpip\..\{48CF4D8B-0A48-4487-9778-D83CD1047A0A}: NameServer = 167.206.245.129,167.206.245.130
  
  
  
• Press "Restore"
  
• Close Hijack This.
  

Reboot normally.
Have internet connection now?

Yes, problem solved!

Thanks SO much to Origin and Belahzur ^________^ My computer is running AOK once again.

I can't thank you guys enough!!!

I have no idea how it got infected in the first place. Is there a thread where I can learn how to better protect my computer? I'd really like to get rid of McAfee...

Thanks a lot once again