madesafe av

Original Message
Name: johnr
Date: August 5, 2008 at 10:45:32 Pacific
Subject: madesafe av
OS: XP Home
CPU/Ram: 2.8/512
Model/Manufacturer: unknown
Comment:

I'm trying to replace the (useless) antivirus program on this PC - it's a program called 'Madesafe' that Windows Security centre recognises as an antivirus program, and a Google search seems to imply that the company was a legitimate one; however, I cannot get it to uninstall cleanly. Anyone else come across this one? After running the supplied uninstall program, which seemed to work but didn't, I resorted to manually removing all program and registry traces, but still get warning pop-ups from it. Google doesn't have a great deal of info on it, so suggestions please...

"I've always been mad, I know I've been mad, like the most of us..."



Response Number 1
Name: comtechguy
Date: August 5, 2008 at 16:17:10 Pacific
Reply:

Many security programs are very invasive like Norton, and you have to download a special program to completely remove it from the computer. If Madesafe is a legitimate program, go to the website to see if there is a program to completely remove the software.



Response Number 2
Name: btk1w1
Date: August 5, 2008 at 18:03:23 Pacific
Reply:

Heya John,

You could try the uninstaller that comes with Ccleaner. Create a restore point and then run the registry cleaner.

Alternatively, you could go with the Windows Installer CleanUp Utility. It is a fairly intensive program, I would create a back-up before using it.



Response Number 3
Name: johnr
Date: August 5, 2008 at 23:34:24 Pacific
Reply:

Thanks for replies. The company who made the software doesn't appear to exist any longer - hopefully they lost a lot of money.... Anyway, no mention anywhere of an uninstaller. I've used both CCleaner and Revo uninstaller to no effect. Shall think about the Windows cleanup utility, but I've had a bad experience with that in the past - it doesn't run well on machines, like this one, with nasty software problems. Thanks anyway.

"I've always been mad, I know I've been mad, like the most of us..."



Response Number 4
Name: btk1w1
Date: August 5, 2008 at 23:55:02 Pacific
Reply:

Heya John,

Run Combofix and post the log it creates; we should be able to track down all of its nasty autostart and registry entries and use it to remove them.

It is designed for use against malware, but with what you are experiencing that's exactly how Madesafe is acting.

Instructions are below:

Download Combofix to your desktop.

Note: It is important that it is saved directly to your desktop

Click here to download Combofix by sUBs

Close any open browsers and windows except for Combofix

Double click on combofix.exe and follow the prompts.

When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Note: Do not mouseclick Combofix's window while it's running; it can cause the program to freeze/hang.

In some cases your antivirus or other realtime scanner will display an alert after you have downloaded Combofix or while you use Combofix. Please disable your scanners, delete the copy off the desktop and download Combofix again.
Some scanners may see some Combofix-related components as suspicious and block or delete them. There's nothing wrong with Combofix; heuristic detection can report this false positive because of Combofix's removal technique.



Response Number 5
Name: johnr
Date: August 7, 2008 at 00:09:06 Pacific
Reply:

Thanks for reply - only just got back & won't be able to give it a go until this afternoon. Will post back then.

"I've always been mad, I know I've been mad, like the most of us..."



Response Number 6
Name: johnr
Date: August 7, 2008 at 00:54:55 Pacific
Reply:

ComboFix 08-08-06.02 - New User 2008-08-07 8:29:08.1 - NTFSx86
Running from: C:\Documents and Settings\New User\Desktop\ComboFix.exe
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


.
((((((((((((((((((((((((( Files Created from 2008-07-07 to 2008-08-07 )))))))))))))))))))))))))))))))
.

2008-08-05 19:56 . 2006-06-20 12:40 <DIR> d-------- C:\Documents and Settings\Administrator.KELLYGURNEY\IXP000.TMP
2008-08-05 19:56 . 2008-08-05 19:56 <DIR> d-------- C:\Documents and Settings\Administrator.KELLYGURNEY
2008-08-05 18:30 . 2008-08-05 18:30 96,559 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-08-05 18:30 . 2008-08-05 18:30 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-08-05 18:27 . 2008-08-05 18:27 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-08-05 18:27 . 2008-08-07 08:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-05 18:27 . 2008-08-07 08:36 1,698,848 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-08-05 18:27 . 2008-08-07 08:38 368,672 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-08-05 18:27 . 2008-08-07 08:36 14,352 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-08-05 18:27 . 2008-08-07 08:38 2,284 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-08-05 18:25 . 2008-08-05 18:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-08-05 17:48 . 2008-08-05 17:48 <DIR> d-------- C:\Program Files\CCleaner
2008-08-05 17:33 . 2008-08-05 17:36 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-08-05 16:02 . 2008-08-05 16:02 <DIR> d-------- C:\Program Files\VS Revo Group
2008-07-29 20:21 . 2008-07-29 20:21 218,376 --a------ C:\WINDOWS\system32\klogon.dll
2008-07-29 20:20 . 2008-07-29 20:20 24,774 --a------ C:\WINDOWS\system32\drivers\klopp.dat
2008-07-21 18:34 . 2008-07-21 18:34 121,872 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2008-07-17 10:15 . 2008-07-17 10:15 <DIR> d-------- C:\Documents and Settings\New User\Application Data\Motive
2008-07-14 15:46 . 2008-07-14 15:46 <DIR> d-------- C:\Program Files\Platte
2008-07-10 14:32 . 2008-07-10 14:33 1,428,599 --ahs---- C:\WINDOWS\system32\atorcqxw.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 17:06 --------- d-----w C:\Program Files\Privacy Watcher
2008-08-05 15:02 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-30 18:25 36,852 ----a-w C:\Documents and Settings\New User\Application Data\wklnhst.dat
2008-06-23 16:57 --------- d-----w C:\Documents and Settings\New User\Application Data\AdobeUM
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="C:\Program Files\CyberLink\PowerBackup\PBKScheduler.exe" [2004-06-08 18:33 69721]
"EPSON Stylus C42 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE" [2002-02-19 04:03 74240]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00 49152]
"OPSE reminder"="C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" [2003-07-07 10:29 729088]
"Motive SmartBridge"="C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe" [2006-02-06 18:52 462935]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-12-08 07:45 543232]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 12:09 63712]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-07-29 20:20 206088]
"VTTimer"="VTTimer.exe" [2005-03-08 04:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-10-31 21:15 163840 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-11-11 07:07 90112 C:\WINDOWS\SOUNDMAN.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BT Broadband Desktop Help.lnk - C:\Program Files\BT Home Hub\Help\bin\matcli.exe [2007-09-25 21:09:08 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\BT Home Hub\\Help\\SmartBridge\\BTHelpNotifier.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 18:06]
S2 Ndiskio;Ndiskio;C:\MadeSafe\Nse\bin\NDISKIO.SYS []
S3 FXDRV;FXDRV;D:\Fxdrv.sys []
S3 nvcfsr;nvcfsr;C:\MadeSafe\Nvc\bin\nvcfsr.sys []
S3 nvcoafl51;nvcoafl51;C:\MadeSafe\Nvc\bin\nvcoafl51.sys []
S3 nvcoaft51;nvcoaft51;C:\MadeSafe\Nvc\bin\nvcoaft51.sys []
S3 nvcoarc51;nvcoarc51;C:\MadeSafe\Nvc\bin\nvcoarc51.sys []
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-07-30 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
.
- - - - ORPHANS REMOVED - - - -

Notify-__c008A7D8 - C:\WINDOWS\system32\__c008A7D8.dat
Notify-__c008BF04 - C:\WINDOWS\system32\__c008BF04.dat
Notify-rqRifEVN - rqRifEVN.dll
Notify-vtUoolli - vtUoolli.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.facebook.com/
R0 -: HKLM-Main,Search Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 -: HKCU-SearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
O8 -: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 -: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 -: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 -: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 08:37:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\BT Home Hub\Help\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2008-08-07 8:43:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-07 07:43:31

Pre-Run: 72,756,629,504 bytes free
Post-Run: 72,617,975,808 bytes free

243 --- E O F --- 2008-05-17 13:27:14

"I've always been mad, I know I've been mad, like the most of us..."
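
An added example (not part of the thread and not ComboFix code): a small parser for the driver/service lines of the log above that lists services whose image file is absent, such as the leftover `C:\MadeSafe` drivers. It assumes the leading `R`/`S` means running/stopped, the digit is the service start type, and empty `[]` brackets mean the file was not found on disk; the function names and the shortened sample are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: a few driver/service lines copied from the log above.
SAMPLE_LOG = r"""
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 18:06]
S2 Ndiskio;Ndiskio;C:\MadeSafe\Nse\bin\NDISKIO.SYS []
S3 FXDRV;FXDRV;D:\Fxdrv.sys []
S3 nvcfsr;nvcfsr;C:\MadeSafe\Nvc\bin\nvcfsr.sys []
"""

# Windows service "Start" values.
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# <state><start> <name>;<display name>;<image path> [<file timestamp or empty>]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$"
)

class ServiceEntry(NamedTuple):
    name: str
    running: bool
    start_type: str
    image_path: str
    file_present: bool  # assumption: an empty [] means the file is missing

def parse_services(log_text: str) -> list:
    """Return a ServiceEntry for every driver/service line in the log text."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(ServiceEntry(
                m["name"], m["state"] == "R", START_TYPES[int(m["start"])],
                m["path"], bool(m["stamp"].strip())))
    return entries

def orphaned(entries: list, path_prefix: Optional[str] = None) -> list:
    """Services whose image file is absent, optionally limited to one folder."""
    hits = [e for e in entries if not e.file_present]
    if path_prefix:
        hits = [e for e in hits
                if e.image_path.lower().startswith(path_prefix.lower())]
    return hits

if __name__ == "__main__":
    for e in orphaned(parse_services(SAMPLE_LOG), r"C:\MadeSafe"):
        print(f"{e.name}: start={e.start_type}, missing {e.image_path}")
```
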