Please help fix xp antivirus 2010

[somnyrds2000]

I have now gone through all the steps to remove the virus. Here are the log files. I hope that you can help me.

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-02-25 20:39:58

Windows 5.1.2600 Service Pack 3

Running: 55cbvrgp.exe; Driver: C:\DOCUME~1\THEKID~1\LOCALS~1\Temp\pwldipoc.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat BA73CD20

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

MALWARE LOG FILE

Malwarebytes' Anti-Malware 1.35

Database version: 1904

Windows 5.1.2600 Service Pack 3

2/24/2010 8:34:02 PM

mbam-log-2010-02-24 (20-34-02).txt

Scan type: Full Scan (C:\|)

Objects scanned: 178694

Time elapsed: 2 hour(s), 2 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Attach.zip

DDS.zip

[Maniac]

Hello somnyrds2000! Welcome to MalwareBytes' Anti-Malware Forums!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

• The process of cleaning your system may take some time, so please be patient.
  
• Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  
• Instructions that I give are for your system only!
  
• If you don't know or can't understand something please ask.
  
• Do not install any software or hardware, while work on.
  

Your database version is very very old.

Your database version is:

Database version: 1904

Current version is:

Database version: 3795

Now:

• Launch Malwarebytes' Anti-Malware
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

In your next reply, please include these log(s):

* MalwareBytes' Anti-Malware log

* DDS log (new)

* GMER log (new)

[somnyrds2000]

Thank you so much for getting back to me. I have run Malware to try and get it to update, as soon as the update has finished and Malware tries to re-boot it says this "av.exe has encountered a problem and needs to close. We are sorry for the inconvenience". What do I do from here?

[Maniac]

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click and choose Run as Admin

You only need to get one of them to run, not all of them.

1. rkill.exe
   
2. rkill.com
   
3. rkill.scr
   
4. rkill.pif
   
5. WiNlOgOn.exe
   
6. uSeRiNiT.exe
   

Please post the log in your next reply.

Note: The log can be found at the root of your installed hard drive entitled rkill.log

[somnyrds2000]

Thanks for helping me with this...here is the log file you requested. Please let me know what to do next

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Ran as The Kid on 02/27/2010 at 23:03:45.

Processes terminated by Rkill or while it was running:

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Documents and Settings\The Kid\Local Settings\Application Data\av.exe

C:\Documents and Settings\The Kid\Desktop\rkill.exe

Rkill completed on 02/27/2010 at 23:03:48.

[Maniac]

Let's try to update MalwareBytes' Anti-Malware again:

• Launch Malwarebytes' Anti-Malware
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

[somnyrds2000]

I changed Malware from .exe to .com a few days ago to try and get rid of the virus. Should I change it back to .exe ?

[Maniac]

No, it's not necessarily.

[somnyrds2000]

Ok...I am running the scan now without the update. When I clicked on update the same thing happened. The update ran and then closed the program followed by the message, "av.exe has encountered a problem and needs to close. We are sorry for the inconvenience".

Here is the Malware log

Malwarebytes' Anti-Malware 1.35

Database version: 1904

Windows 5.1.2600 Service Pack 3

2/28/2010 9:21:12 AM

mbam-log-2010-02-28 (09-21-12).txt

Scan type: Quick Scan

Objects scanned: 78563

Time elapsed: 5 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[Maniac]

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.

[somnyrds2000]

So I need the windows xp disk for this process correct?

[Maniac]

Again, do not necessarily have the CD.

[somnyrds2000]

I am trying to find the link to download combofix...do you have a direct link to start the download?

[Maniac]

Try with this:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

or:

http://www.forospyware.com/sUBs/ComboFix.exe

[somnyrds2000]

Thank you! The only thig I forgot was to rename combofix! Should I do it over?

combo_fix_log.zip

hijackthis.zip

[Maniac]

No, you shouldn't!

Open Notepad and copy and paste the text in the code box below into it:

KillAll::

File::
c:\windows\Aguloyopogicaben.dat
c:\windows\Fxidimoc.bin

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

[somnyrds2000]

ok Combofix is running now

[somnyrds2000]

It says...NIRCMCDC is not recognized as an external command, operable program or batch file

[Maniac]

Please, locate to C:\ and delete ComboFix folder. Then delete your copy of ComboFix and download a new fresh copy from:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Finally, try again.

[somnyrds2000]

Thanks!! Here you go...

NEW_combo_fix_log.zip

NEW_hijackthis.zip

[Maniac]

Step 1:

• Launch Malwarebytes' Anti-Malware
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Step 2:

• Open HijackThis, click Config, click Misc Tools
  
• Click "Open Uninstall Manager"
  
• Click "Save List" (generates uninstall_list.txt)
  
• Click Save, copy and paste the results in your next post.
  

In your next reply, please include these log(s):

* HijackThis Uninstall List

* HijackThis log (new)

* MalwareBytes' Anti-Malware log

[somnyrds2000]

I dont know if I should change Malware back to .exe from .com, let me know if you want me to. No malware updates were detected. Here are the logs.

UNINSTALL LIST:

A960ENG3

ABBYY FineReader 5.0 Sprint Plus

Acrobat.com

Ad-Aware SE Personal

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Photoshop Album 2.0 Starter Edition

Adobe Reader 9.1

AOL Instant Messenger

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ArcSoft Camera Suite

BCM V.92 56K Modem

Beginner Guitar MasterClass

BitTorrent 3.4.2

BlackBerry Desktop Software 5.0.1

BlackBerry Desktop Software 5.0.1

BlackBerry Device Software Updater

BlackBerry

NEW_NEW_hijackthis.zip

[Maniac]

Step 1:

Please uninstall the following applications:

ABBYY FineReader 5.0 Sprint Plus

Adobe Reader 9.1

After finish our work, please download and install the latest version of these programs from:

http://www.adobe.com

http://www.abbyy.com

Step 2:

I also see you have Viewpoint installed...

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

• 
  
• Viewpoint
  
• Viewpoint Manager
  
• Viewpoint Media Player
  

Step 3:

Please change extension from .com to .exe . If no change, reinstall the program.

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.

2. Restart your computer (very important).

3. Download and run this utility. mbam-clean.exe

4. It will ask to restart your computer (please allow it to).

5. After the computer restarts, install the latest version from here. mbam-setup.exe

[somnyrds2000]

I got Malware to update!!

It removed some things...here are the log files

1st:

Malwarebytes' Anti-Malware 1.44

Database version: 3510

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/28/2010 1:45:13 PM

mbam-log-2010-02-28 (13-45-02).txt

Scan type: Quick Scan

Objects scanned: 125011

Time elapsed: 9 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 10

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> No action taken.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\SYSTEM32\lpygzkjfkdd.dll (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\SYSTEM32\akalxnzjnedd.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\SYSTEM32\beghghk.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\SYSTEM32\mzapnzjnedd.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\SYSTEM32\windowsx1.dll (Trojan.FakeAlert) -> No action taken.

C:\WINDOWS\SYSTEM32\apphelp.bat (Worm.Spambot) -> No action taken.

2nd

Malwarebytes' Anti-Malware 1.44

Database version: 3510

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

2/28/2010 1:45:18 PM

mbam-log-2010-02-28 (13-45-18).txt

Scan type: Quick Scan

Objects scanned: 125011

Time elapsed: 9 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 10

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\SYSTEM32\lpygzkjfkdd.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\akalxnzjnedd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\beghghk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\mzapnzjnedd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\windowsx1.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\SYSTEM32\apphelp.bat (Worm.Spambot) -> Quarantined and deleted successfully.

[Maniac]

It still your database version is old.

Your:

Database version: 3510

Current:

Database version: 3807

Please update it:

• Launch Malwarebytes' Anti-Malware
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.