I cannot get rid of Win32/Cryptor viruses on my computer

kwes0124 · 07-09-2009, 05:32 PM

ok, so my computer got quite a few viruses somehow. i got rid of some of them but there are still 14 that i cannot get rid of. I run AVG Free 8.5 and it says it got rid of them but it always finds them again when i run it the next time. When i turn on my computer it is VERY SLOW, it takes several minutes for the desktop to appear, and several more minutes for the icons and such to appear. Sometimes it doesnt even get past the welcome screen, or the icons and start menu just never appear. There are two error boxes, one says "ViewMgr has encountered a problem and needs to close. We are sorry for the inconvenience" the other says "Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience ". If i click on the ViewMgr one my computer freezes, the second one seems legit because my computer doesnt freeze when i click dont send. I have to alt+f4 the first one or else i cant get rid of it. If the computer starts and i get past those windows then it works pretty well, except for the internet. The computer freezes most of the time i try to start the internet. I downloaded several recommended programs that are supposed to be good at getting rid of Win32/Cryptor onto a flash drive and then put them on the infected computer, but non of them have worked, they just dont run. I run AVG but it doesnt get rid of all the viruses. There was originally 40 something viruses, and AVG has got it done to about 14, but no matter what i do the 14 always come back. About 7 are located in C:\WINDOWS\system32\svchost.exe but have different numbers after it, [1260], [1484], [1648], [1696], [1832], [1584], and [1096]. And the other 7 are weird, they are all the same thing \\?\globalroot\systemroot\system32\UAClpayblkbmumdhdn.dll
AVG says all the viruses found are Win32/Cryptor.

Here is the DDS.txt thing:

DDS (Ver_09-06-26.01) - NTFSx86
Run by Kody at 18:52:16.01 on Thu 07/09/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1373 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TEMP\e.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Windows Live\Family Safety\fsssvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Family Safety\fssui.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Kody\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=0071211
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol search\AOLSearch.dll
uURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\srchastt\1.bin\MWSSRCAS.DLL
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol search\AOLSearch.dll
mURLSearchHooks: N/A: {00a6faf6-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\srchastt\1.bin\MWSSRCAS.DLL
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,
BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\srchastt\1.bin\MWSSRCAS.DLL
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Windows Live OneCare Family Safety Browser Helper Class: {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - c:\program files\windows live\family safety\fssbho.dll
BHO: XML Class: {500bca15-57a7-4eaf-8143-8c619470b13d} - c:\windows\system32\msxml71.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol search\AOLSearch.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [My Web Search Bar] rundll32 c:\progra~1\mywebs~1\bar\1.bin\MWSBAR.DLL,S
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [fssui] "c:\program files\windows live\family safety\fssui.exe" -autorun
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\nkbmon~1.lnk - c:\program files\nikon\pictureproject\NkbMonitor.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZKxdm011YYUS
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: __c00DD842 - c:\windows\system32\__c00DD842.dat
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kody\applic~1\mozilla\firefox\profiles\btf9npem.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - chrome://google-gzfb-partner/locale/partner.properties
FF - component: c:\documents and settings\kody\application data\mozilla\firefox\profiles\btf9npem.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-23 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-2-28 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-23 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 298776]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2008-9-3 43816]
R2 fsssvc;Windows Live OneCare Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2007-12-17 523816]
R2 sopidkc;sopidkc Service;c:\windows\system32\sopidkc.exe [2004-8-4 124416]
S1 56c4bfd1;56c4bfd1;c:\windows\system32\drivers\56c4bfd1.sys --> c:\windows\system32\drivers\56c4bfd1.sys [?]
S1 84a1a6e4;84a1a6e4;c:\windows\system32\drivers\84a1a6e4.sys --> c:\windows\system32\drivers\84a1a6e4.sys [?]
S1 ccfbepjb;ccfbepjb;\??\c:\windows\system32\drivers\ccfbepjb.sys --> c:\windows\system32\drivers\ccfbepjb.sys [?]
S1 glaide32;glaide32;\??\c:\windows\system32\drivers\glaide32.sys --> c:\windows\system32\drivers\glaide32.sys [?]
S2 dhcpsrv;Dhcp server;c:\windows\dhcp\svchost.exe --> c:\windows\dhcp\svchost.exe [?]
S2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-25 24652]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-12-11 29744]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 sndintd;sndintd;\??\c:\windows\system32\sndintd.sys --> c:\windows\system32\sndintd.sys [?]
UnknownUnknown ecctencp;ecctencp; [x]

=============== Created Last 30 ================

2009-07-09 13:47 <DIR> --d----- c:\windows\system32\MpEngineStore
2009-06-28 11:55 <DIR> --d----- c:\windows\pss

==================== Find3M ====================

2009-07-09 11:06 6,656 a------- c:\windows\system32\drivers\asyncmac.sys
2009-06-05 00:04 159,232 a------- c:\windows\system32\tpsaxyd.exe
2009-06-04 18:42 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-06-04 18:42 182,912 a------- c:\windows\system32\dllcache\ndis.sys
2009-05-15 11:04 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-15 11:04 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-15 11:04 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2008-05-25 14:03 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLec.DAT
2008-05-25 14:03 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLds.DAT

============= FINISH: 18:53:22.65 ===============

And the attached file does not contain the ARK.txt because gmer would not run on the computer. It did the same thing the other programs did. I click on it and the hour glass pops up for about two seconds then just stops and nothing happens. idk how else to get it to work i tried multiple times. But Attach.txt is attached, just not the ARK.txt
I hope you can help me.

CatByte · 07-09-2009, 05:47 PM

Hi,

Please do the following:

Download Combofix from any of the links below. You must rename it before saving it.
Save it to your desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".

Link 1
Link 2

During the download, rename Combofix to Combo-Fix as follows:

--------------------------------------------------------------------

It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.

-----------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\Combo-Fix.txt" for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

kwes0124 · 07-09-2009, 07:07 PM

umm i wasnt sure if i was supposed to copy and paste it in or attach it so i just copy and pasted it
here it is:

ComboFix 09-07-09.06 - Kody 07/09/2009 20:50.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1610 [GMT -4:00]
Running from: c:\documents and settings\Kody\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\91505456.ini
c:\documents and settings\Kody\Application Data\FunWebProducts
c:\program files\FunWebProducts
c:\program files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\MailStampBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\Internet Explorer\msimg32.dll
c:\program files\MicPhone
c:\program files\MicPhone\antit.dll
c:\program files\Microsoft Common
c:\program files\Microsoft Common\svchost.exe
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\1.bin\F3BROVLY.DLL
c:\program files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
c:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\1.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\00017143.bin
c:\program files\MyWebSearch\bar\Cache\0003FF31
c:\program files\MyWebSearch\bar\Cache\00417DEE.bin
c:\program files\MyWebSearch\bar\Cache\00417E2C.bin
c:\program files\MyWebSearch\bar\Cache\00417EA9.bin
c:\program files\MyWebSearch\bar\Cache\00469B32.bin
c:\program files\MyWebSearch\bar\Cache\00469C7A.bin
c:\program files\MyWebSearch\bar\Cache\00469DC2.bin
c:\program files\MyWebSearch\bar\Cache\00469E6E.bin
c:\program files\MyWebSearch\bar\Cache\0096C8D4
c:\program files\MyWebSearch\bar\Cache\0096C913.bin
c:\program files\MyWebSearch\bar\Cache\0096CA7A.bin
c:\program files\MyWebSearch\bar\Cache\0096CB26.bin
c:\program files\MyWebSearch\bar\Cache\0096CBB2.bin
c:\program files\MyWebSearch\bar\Cache\0096CBE1.bin
c:\program files\MyWebSearch\bar\Cache\010B26A0
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
c:\windows\9g2234wesdf3dfgjf23
c:\windows\dhcp
c:\windows\Install.txt
c:\windows\jestertb.dll
c:\windows\KBPK090604.log
c:\windows\KBPK090605.log
c:\windows\ro122730.dat
c:\windows\system32\certstore.dat
c:\windows\system32\comsa32.sys
c:\windows\system32\dncyool32.sys
c:\windows\system32\drivers\ndis.sys
c:\windows\system32\drivers\UACyappbnyglteptam.sys
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\msncache.dll
c:\windows\system32\mssfc.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\sfcfiles.dat
c:\windows\system32\sopidkc.exe
c:\windows\system32\sysloc
c:\windows\system32\sysloc\sysloc.dll
c:\windows\system32\tpsaxyd.exe
c:\windows\system32\tpszxyd.sys
c:\windows\system32\UACckxodojbyyifvsi.dat
c:\windows\system32\UACekvyyqexgkkcdwv.dll
c:\windows\system32\UAChufxirspqntwqtt.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjrybvkqruuywhsh.log
c:\windows\system32\UAClpayblkbmumdhdn.dll
c:\windows\system32\UACncdiwkaksljkgyu.dll
c:\windows\system32\UACrloymeivmvtprum.log
c:\windows\system32\UACwumoqxvvdlusnti.dll
c:\windows\system32\UACyblhbowilrbepxl.dll
c:\windows\system32\wiawow32.sys
c:\windows\system32\wtukd32.exe
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job
c:\windows\TEMP\mpj109623.dll
c:\windows\TEMP\mta79431.dll

Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\i386\sfcfiles.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_6to4
-------\Legacy_dhcpsrv
-------\Legacy_MSNCACHE
-------\Legacy_sndintd
-------\Legacy_sopidkc
-------\Service_6to4
-------\Service_dhcpsrv
-------\Service_glaide32
-------\Service_msncache
-------\Service_sndintd
-------\Service_sopidkc

((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-09 17:47 . 2009-07-09 17:47 -------- d-----w- c:\windows\system32\MpEngineStore
2009-07-09 15:47 . 2004-08-04 11:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 00:14 . 2007-12-25 16:34 -------- d-----w- c:\program files\Warcraft III
2009-07-09 22:49 . 2009-06-06 19:29 -------- d-----w- c:\program files\Enigma Software Group
2009-07-09 15:14 . 2008-03-23 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-09 15:06 . 2004-08-10 18:50 6656 ----a-w- c:\windows\system32\drivers\asyncmac.sys
2009-06-05 20:53 . 2008-05-23 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-05 19:10 . 2007-12-11 22:11 -------- d-----w- c:\program files\Google
2009-06-05 01:13 . 2009-06-05 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\91505456
2009-06-05 01:13 . 2009-06-05 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\11495464
2009-06-05 01:03 . 2009-06-05 01:03 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AVGTOOLBAR
2009-05-15 15:24 . 2008-05-23 23:02 -------- d-----w- c:\documents and settings\Kody\Application Data\AVGTOOLBAR
2009-05-15 15:04 . 2009-05-19 23:35 2051864 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-15 15:04 . 2009-05-19 23:35 486168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-15 15:04 . 2008-05-23 23:02 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-15 15:04 . 2008-05-23 23:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-15 15:04 . 2008-02-28 22:10 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-15 15:04 . 2008-05-23 23:02 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-15 15:03 . 2009-05-19 23:35 354584 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-05-15 15:03 . 2009-05-19 23:35 3288344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-15 15:03 . 2009-05-19 23:35 424472 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-15 15:03 . 2009-05-19 23:35 312088 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-15 15:03 . 2009-05-19 23:35 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-15 15:02 . 2009-05-19 23:34 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-15 15:02 . 2009-05-19 23:34 1437464 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2008-04-27 02:06 . 2008-04-27 02:06 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

------- Sigcheck -------

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
[7] 2009-07-10 00:50 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\dllcache\ndis.sys

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-27 29744]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-15 1947928]
"fssui"="c:\program files\Windows Live\Family Safety\fssui.exe" [2007-12-17 243240]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-11 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-1-21 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-15 15:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\WINDOWS\\system32\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

S1 56c4bfd1;56c4bfd1;c:\windows\system32\drivers\56c4bfd1.sys --> c:\windows\system32\drivers\56c4bfd1.sys [?]
S1 84a1a6e4;84a1a6e4;c:\windows\system32\drivers\84a1a6e4.sys --> c:\windows\system32\drivers\84a1a6e4.sys [?]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/23/2008 7:02 PM 325896]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/23/2008 7:02 PM 108552]
S1 ccfbepjb;ccfbepjb;\??\c:\windows\system32\drivers\ccfbepjb.sys --> c:\windows\system32\drivers\ccfbepjb.sys [?]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 12:24 PM 908568]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 12:24 PM 298776]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [9/3/2008 7:24 PM 43816]
S2 fsssvc;Windows Live OneCare Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/17/2007 11:13 AM 523816]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/25/2007 2:40 PM 24652]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/11/2007 6:11 PM 29744]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
.
Contents of the 'Scheduled Tasks' folder

2009-07-10 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]

2009-07-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-11 00:16]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
Notify-__c00DD842 - c:\windows\system32\__c00DD842.dat

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZKxdm011YYUS
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
FF - ProfilePath - c:\documents and settings\Kody\Application Data\Mozilla\Firefox\Profiles\btf9npem.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - chrome://google-gzfb-partner/locale/partner.properties
FF - component: c:\documents and settings\Kody\Application Data\Mozilla\Firefox\Profiles\btf9npem.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 20:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2045840655-3736074713-113770698-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:64,e6,1a,1c,59,70,53,52,41,7d,99,21,a8,47,e3,8b,70,8b,9a,ef,fe,ed,45,
96,88,9d,19,01,bf,f9,3b,f2,ca,39,9c,2f,bd,38,66,06,0a,60,84,46,a9,da,84,8c,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
Completion time: 2009-07-10 21:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-10 01:02

Pre-Run: 451,688,005,632 bytes free
Post-Run: 455,226,327,040 bytes free

324 --- E O F --- 2009-05-15 02:04

CatByte · 07-09-2009, 08:12 PM

Hi,

Please do the following:

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/393395-i-cannot-get-rid-win32-cryptor-viruses-my-computer.html#post2231762

Collect::
c:\windows\system32\drivers\56c4bfd1.sys
c:\windows\system32\drivers\84a1a6e4.sys
c:\windows\system32\drivers\ccfbepjb.sys

KillAll::

Folder::
c:\documents and settings\All Users\Application Data\91505456
c:\documents and settings\All Users\Application Data\11495464

Driver::
56c4bfd1
84a1a6e4
ccfbepjb

DDS::
uInternet Settings,ProxyServer = http=localhost:7171
uInternet Settings,ProxyOverride = *.local;<local>
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZKxdm011YYUS

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you.
Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

**Note**
When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

Ensure you are connected to the internet and click OK on the message box.

kwes0124 · 07-09-2009, 08:47 PM

ComboFix 09-07-09.06 - Kody 07/09/2009 22:29.2.2 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1773 [GMT -4:00]
Running from: c:\documents and settings\Kody\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Kody\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\11495464
c:\documents and settings\All Users\Application Data\11495464\11495464.glu
c:\documents and settings\All Users\Application Data\91505456

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_56c4bfd1
-------\Service_84a1a6e4
-------\Service_ccfbepjb

((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-09 17:47 . 2009-07-09 17:47 -------- d-----w- c:\windows\system32\MpEngineStore
2009-07-09 15:47 . 2004-08-04 11:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 00:14 . 2007-12-25 16:34 -------- d-----w- c:\program files\Warcraft III
2009-07-09 22:49 . 2009-06-06 19:29 -------- d-----w- c:\program files\Enigma Software Group
2009-07-09 15:14 . 2008-03-23 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-09 15:06 . 2004-08-10 18:50 6656 ----a-w- c:\windows\system32\drivers\asyncmac.sys
2009-06-05 20:53 . 2008-05-23 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-05 19:10 . 2007-12-11 22:11 -------- d-----w- c:\program files\Google
2009-06-05 01:03 . 2009-06-05 01:03 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AVGTOOLBAR
2009-05-15 15:24 . 2008-05-23 23:02 -------- d-----w- c:\documents and settings\Kody\Application Data\AVGTOOLBAR
2009-05-15 15:04 . 2009-05-19 23:35 2051864 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-15 15:04 . 2009-05-19 23:35 486168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-15 15:04 . 2008-05-23 23:02 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-15 15:04 . 2008-05-23 23:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-15 15:04 . 2008-02-28 22:10 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-15 15:04 . 2008-05-23 23:02 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-15 15:03 . 2009-05-19 23:35 354584 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-05-15 15:03 . 2009-05-19 23:35 3288344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-15 15:03 . 2009-05-19 23:35 424472 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-15 15:03 . 2009-05-19 23:35 312088 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-15 15:03 . 2009-05-19 23:35 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-15 15:02 . 2009-05-19 23:34 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-15 15:02 . 2009-05-19 23:34 1437464 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2008-04-27 02:06 . 2008-04-27 02:06 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

------- Sigcheck -------

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys
[7] 2009-07-10 00:50 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\dllcache\ndis.sys

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-27 29744]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-15 1947928]
"fssui"="c:\program files\Windows Live\Family Safety\fssui.exe" [2007-12-17 243240]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-11 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-1-21 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-15 15:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\WINDOWS\\system32\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/23/2008 7:02 PM 325896]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 12:24 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 12:24 PM 298776]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/25/2007 2:40 PM 24652]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/23/2008 7:02 PM 108552]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [9/3/2008 7:24 PM 43816]
S2 fsssvc;Windows Live OneCare Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/17/2007 11:13 AM 523816]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/11/2007 6:11 PM 29744]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
.
Contents of the 'Scheduled Tasks' folder

2009-07-10 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]

2009-07-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-11 00:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZKxdm011YYUS
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
FF - ProfilePath - c:\documents and settings\Kody\Application Data\Mozilla\Firefox\Profiles\btf9npem.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - chrome://google-gzfb-partner/locale/partner.properties
FF - component: c:\documents and settings\Kody\Application Data\Mozilla\Firefox\Profiles\btf9npem.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 22:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2045840655-3736074713-113770698-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:64,e6,1a,1c,59,70,53,52,41,7d,99,21,a8,47,e3,8b,70,8b,9a,ef,fe,ed,45,
96,88,9d,19,01,bf,f9,3b,f2,ca,39,9c,2f,bd,38,66,06,0a,60,84,46,a9,da,84,8c,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(380)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\ZuneBusEnum.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-10 22:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-10 02:36
ComboFix2.txt 2009-07-10 01:02

Pre-Run: 455,229,468,672 bytes free
Post-Run: 453,065,347,072 bytes free

190 --- E O F --- 2009-05-15 02:04

CatByte · 07-10-2009, 01:00 AM

Hi,

Please do the following:

Download TFC to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean

It's normal after running TFC cleaner that the PC will be slower to boot the first time.

NEXT

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- very important
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

NEXT

Run an on-line scan with Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.

Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

In your next reply please include

MBAM Log
Kaspersky report

Also please describe how your computer is running now and if there are any outstanding issues.

kwes0124 · 07-10-2009, 10:17 AM

I ran the MBAM and this is the report:

Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 2

7/10/2009 10:14:59 AM
mbam-log-2009-07-10 (10-14-59).txt

Scan type: Quick Scan
Objects scanned: 84428
Time elapsed: 2 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 62
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2763e333-b168-41a0-a112-d35f96f410c0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{38a7c9da-8db7-4d0f-a7b1-c4b1a305bddb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8d292ec0-6792-4a38-82ed-73a087e41ba6} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d778513b-1c40-4819-b0c5-49e40b39afd0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{98635087-3f5d-418f-990c-b1efe0797a3b} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-f3embed (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\drivers\asyncmac.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

However, my internet connections are gone, they are non existent. So i could not run the Kaspersky On-line Scanner.

CatByte · 07-10-2009, 12:16 PM

Hi,

Please try the following to restore the internet connection:

Please reset IE

Go to Start > Control Panel, and choose Network Connections.
Right click on your default connection, usually Local Area Connection for cable and DSL or Dial-up Connection if you are using Dial-up, and choose Properties.
Click the Networking tab
Double-click on the Internet Protocol (TCP/IP) item.
Write down the settings in case you should need to change them back.
Select the radio button that says "Obtain DNS servers automatically".
Click OK twice to get out of the properties screen and restart your computer.
If not prompted to reboot go ahead and reboot manually.

In I.E.

Check internet options settings.
Tools > Internet Options > Connections
LAN settings
Choose "automatically detect settings"
uncheck both proxy settings boxes

In FireFox

Click on Advanced -> Network -> Setttings…
the No Proxy option should be selected

If still no joy, try this:

if your network icon appears on the Windows taskbar, then you can repair it by right-clicking on the icon and selecting Repair.

If you have no task bar icon do this:

Click on the Start button.
Click on the Settings menu option.
Click on the Control Panel option.
When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.
You will now see a list of available network connections. Locate the connection for your Wireless or Lan adapter and right-click on it.
click on the Repair menu option.

Let the repair process perform its tasks and when it has finished, your Internet connection should be working again.

kwes0124 · 07-10-2009, 12:31 PM

The connections arnt there. I've already went to control panel then network and internet connections then network connections and the connections arnt there. Where the local connection and the other connection used to be there i just a white screen. There is no network icon at the bottom either. Again there is no connections in the network connections menu

CatByte · 07-10-2009, 12:38 PM

How do you normally connect?

Please do the following:

Go to Start->Run->Type CMD and click Ok.
The MSDOS Window will be displayed.
At the command prompt, type the following commands and press Enter after each line:

ipconfig /flushdns (The space between g and / is needed)
regsvr32 netshell.dll
regsvr32 netcfgx.dll
regsvr32 netman.dll

Exit

Restart the computer.

kwes0124 · 07-10-2009, 12:45 PM

i have comcast highspeed internet, and the cable connects to a model then to a router then directly into my computer. THeres normally a local connection and one other connection in the network connections menu. They were there after the viruses infected my computer, but they wouldnt work. Then after some of the scans they vanished.

And i did as instructed and the computer is restarted.

CatByte · 07-10-2009, 01:32 PM

Hi,

Go to Start > Run type devmgmt.msc > OK
What does Device Manager show under Network Adapters? Are there any yellow or red marks?

Please post the output of ipconfig /all from a command prompt.

1. Click on Start then Run
2. Type cmd and press Enter or click OK
3. Type ipconfig /all and press Enter
4. Right click on the command prompt window title bar, select Edit then Mark
5. Use the mouse to select all the output from the ipconfig command, them click the right mouse button. This will copy the data to the clipboard.
6. paste the data you copied here.

kwes0124 · 07-10-2009, 01:39 PM

Yes, under Network Adapters there are yellow marks, no red tho. Everything under Network Adapters has a Yellow Circle with a black ! inside it.

And after putting cmd in the Run box, and typing ipconfig /all, this came up in the box:

Windows IP Configuration

An internal error occurred: The request is not supported.

Please contact Microsoft Product Support Services for further help.

Additional information: Unable to query host name.

CatByte · 07-10-2009, 02:00 PM

Please do the following:

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

Code:

FCopy::
c:\windows\system32\dllcache\ndis.sys | c:\windows\system32\drivers\ndis.sys

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"

Here's how to do that:

1.Click File;
2.Click Save As... Change the directory to your desktop;
3.Change the Save as type to "All Files";
4.Type in the file name: CFScript
5.Click Save ...

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you.
Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

kwes0124 · 07-10-2009, 02:17 PM

ComboFix 09-07-09.08 - Kody 07/10/2009 16:09.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1529 [GMT -4:00]
Running from: c:\documents and settings\Kody\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Kody\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\ndis.sys --> c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 )))))))))))))))))))))))))))))))
.

2009-07-10 20:06 . 2009-07-10 00:50 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2009-07-10 20:06 . 2009-07-10 00:50 182912 ----a-w- c:\windows\system32\dllcache\ndis.sys
2009-07-10 14:11 . 2009-07-10 14:11 -------- d-----w- c:\documents and settings\Kody\Application Data\Malwarebytes
2009-07-10 14:11 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-10 14:11 . 2009-07-10 14:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-10 14:11 . 2009-07-10 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-10 14:11 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-09 17:47 . 2009-07-09 17:47 -------- d-----w- c:\windows\system32\MpEngineStore
2009-07-09 15:47 . 2004-08-04 11:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-10 18:22 . 2007-12-25 16:34 -------- d-----w- c:\program files\Warcraft III
2009-07-10 16:15 . 2008-03-23 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-09 22:49 . 2009-06-06 19:29 -------- d-----w- c:\program files\Enigma Software Group
2009-06-05 20:53 . 2008-05-23 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-05 19:10 . 2007-12-11 22:11 -------- d-----w- c:\program files\Google
2009-06-05 01:03 . 2009-06-05 01:03 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AVGTOOLBAR
2009-05-15 15:24 . 2008-05-23 23:02 -------- d-----w- c:\documents and settings\Kody\Application Data\AVGTOOLBAR
2009-05-15 15:04 . 2009-05-19 23:35 2051864 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-05-15 15:04 . 2009-05-19 23:35 486168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe
2009-05-15 15:04 . 2008-05-23 23:02 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-15 15:04 . 2008-05-23 23:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-15 15:04 . 2008-02-28 22:10 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-15 15:04 . 2008-05-23 23:02 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-15 15:03 . 2009-05-19 23:35 354584 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll
2009-05-15 15:03 . 2009-05-19 23:35 3288344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-05-15 15:03 . 2009-05-19 23:35 424472 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll
2009-05-15 15:03 . 2009-05-19 23:35 312088 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2009-05-15 15:03 . 2009-05-19 23:35 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll
2009-05-15 15:02 . 2009-05-19 23:34 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-05-15 15:02 . 2009-05-19 23:34 1437464 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2008-04-27 02:06 . 2008-04-27 02:06 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-10_00.59.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-10 18:50 . 2004-08-04 11:00 14336 c:\windows\system32\dllcache\asyncmac.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-27 29744]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-15 1947928]
"fssui"="c:\program files\Windows Live\Family Safety\fssui.exe" [2007-12-17 243240]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-11 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-1-21 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-15 15:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\WINDOWS\\system32\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/23/2008 7:02 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/23/2008 7:02 PM 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 12:24 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 12:24 PM 298776]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [9/3/2008 7:24 PM 43816]
R2 fsssvc;Windows Live OneCare Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/17/2007 11:13 AM 523816]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/25/2007 2:40 PM 24652]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/11/2007 6:11 PM 29744]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512]
.
Contents of the 'Scheduled Tasks' folder

2009-07-10 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]

2009-07-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-11 00:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.dell.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
FF - ProfilePath - c:\documents and settings\Kody\Application Data\Mozilla\Firefox\Profiles\btf9npem.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - chrome://google-gzfb-partner/locale/partner.properties
FF - component: c:\documents and settings\Kody\Application Data\Mozilla\Firefox\Profiles\btf9npem.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-10 16:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2045840655-3736074713-113770698-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:64,e6,1a,1c,59,70,53,52,41,7d,99,21,a8,47,e3,8b,70,8b,9a,ef,fe,ed,45,
96,88,9d,19,01,bf,f9,3b,f2,ca,39,9c,2f,bd,38,66,06,0a,60,84,46,a9,da,84,8c,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1668)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-10 16:13
ComboFix-quarantined-files.txt 2009-07-10 20:13
ComboFix2.txt 2009-07-10 02:36
ComboFix3.txt 2009-07-10 01:02

Pre-Run: 453,254,057,984 bytes free
Post-Run: 453,236,805,632 bytes free

178 --- E O F --- 2009-05-15 02:04

CatByte · 07-10-2009, 04:59 PM

Hi,

it would appear as though the Network Interface Card (NIC) driver has been removed somehow during our malware removal.

either:

Download and save NIC Driver to CD, Floppy or USB memory from your Computer Manufacturer (if it is an onboard Network Interface Card)

or

Download and save NIC Driver to CD, Floppy or USB memory from the NIC manufacturer (if it is a PCI card NIC)

NIC can be installed from Device Manager (if) the downloaded file is file.INF

Some NIC drivers are installed via their own file.EXE and are installed directly via double-click of setup.exe

NIC driver can be copied to a folder on the computer, or installed directly from the saved media.

If you are using Device Manager to install, you will need to select "Have Disk" and then browse to point the installer to the file.INF that you have saved.

Once the NIC driver is reinstalled go through the steps previously outlined in posts #9 and 10

kwes0124 · 07-10-2009, 05:15 PM

Umm, after i did the last combofix, i checked the connections and they were there. And the internet works, and theres no problems. It seems to be working just fine without reinstalling anything...

CatByte · 07-10-2009, 05:37 PM

good the fcopy:: of ndis.sys was supposed to have accomplished that - which it obviously did - I got worried when you didn't say it repaired your connection.

Now can you continue on with the Kaspersky scan.

Thanks

~CB

CatByte · 07-10-2009, 06:33 PM

Hi,

I need you to do something for me.

Please locate the ComboFix-quarantined-files.txt - it should be in the C:\ComboFix folder and post or attach the contents

thanks

~CB

kwes0124 · 07-10-2009, 07:25 PM

I didn't check the connections till a little while after the combo fix; I was afraid to mess something up if I didn't wait for more instructions.

Here's the Kaspersky Scan results:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Friday, July 10, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, July 11, 2009 01:48:44
Records in database: 2458385
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 80884
Threat name: 30
Infected objects: 97
Suspicious objects: 0
Duration of the scan: 01:03:04

File name / Threat name / Threats count
C:\Documents and Settings\Kody\My Documents\My Music\iTunes\Incomplete\T-5158182-waiting firelight [club mix].mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Kody\My Documents\My Music\iTunes\Incomplete\T-5905209-waiting firelight - bonus track.mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\botten anna radio edit.mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1
C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\Foreigner - I Need You.mp3 Infected: Trojan-Downloader.WMA.GetCodec.a 1
C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\i am u demon hunter.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\Jeremy Camp - Breaking My Fall.mp3 Infected: Trojan-Downloader.WMA.GetCodec.a 1
C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\Jeremy Camp - Take You Back.mp3 Infected: Trojan-Downloader.WMA.GetCodec.a 1
C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\never ever aftermath.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\new thing fuel.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\Papa Roach - Not Listening.mp3 Infected: Trojan-Downloader.WMA.GetCodec.a 1
C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\Saving Abel - She Got Over Me.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\song for you fuel (high bitrate).mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\stronger trust compay.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
C:\Qoobox\Quarantine\C\Program Files\Microsoft Common\svchost.exe.vir Infected: Worm.Win32.AutoRun.apfm 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.at 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.l 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.af 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.a 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.aq 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir Infected: not-a-virus:Monitor.Win32.Agent.c 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ax 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.as 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.as 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\dncyool32.sys.vir Infected: Trojan.Win32.VB.qxd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACyappbnyglteptam.sys.vir Infected: Rootkit.Win32.Agent.lzl 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\msncache.dll.vir Infected: Trojan.Win32.Koblu.da 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sfcfiles.dll.vir Infected: Trojan.Win32.Patched.fr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sopidkc.exe.vir Infected: Trojan.Win32.Koblu.yu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sysloc\sysloc.dll.vir Infected: Trojan.Win32.BHO.ugq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tpsaxyd.exe.vir Infected: Trojan.Win32.Delf.ncf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tpszxyd.sys.vir Infected: Trojan-Downloader.Win32.DlfBfkg.ix 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACekvyyqexgkkcdwv.dll.vir Infected: Packed.Win32.Tdss.m 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wiawow32.sys.vir Infected: Trojan.Win32.VBimay.ee 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wtukd32.exe.vir Infected: Trojan-Downloader.Win32.DlfBfkg.ix 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_sdra64_.exe.zip Infected: Trojan-Spy.Win32.Zbot.wyu 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000001.sys Infected: Rootkit.Win32.Agent.lzl 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000004.dll Infected: Packed.Win32.Tdss.m 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000035.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000037.exe Infected: Worm.Win32.AutoRun.apfm 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000038.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.at 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000040.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000041.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000042.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.l 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000043.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.af 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000044.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000045.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000046.SCR Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000047.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000048.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000049.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.a 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000050.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000051.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.aq 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000052.DLL Infected: not-a-virus:Monitor.Win32.Agent.c 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000054.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000055.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ax 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000057.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000059.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000060.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.as 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000063.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000064.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000065.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000066.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000067.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000068.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000069.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000077.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.as 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000080.sys Infected: Trojan.Win32.VB.qxd 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000081.scr Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000085.dll Infected: Trojan.Win32.Koblu.da 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000086.exe Infected: Trojan.Win32.Koblu.yu 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000087.dll Infected: Trojan.Win32.BHO.ugq 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000088.exe Infected: Trojan.Win32.Delf.ncf 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000089.sys Infected: Trojan-Downloader.Win32.DlfBfkg.ix 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000091.sys Infected: Trojan.Win32.VBimay.ee 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000092.exe Infected: Trojan-Downloader.Win32.DlfBfkg.ix 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000093.dll Infected: Trojan.Win32.Patched.fr 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\83GQLGHC\166[1].exe Infected: Trojan.Win32.Agent2.kln 1

The selected area was scanned.

07-09-2009, 05:47 PM	#2 (permalink)
CatByte Analyst, Security Team Join Date: Jan 2009 Location: Canada Posts: 2,181 OS: XP sp3	Re: I cannot get rid of Win32/Cryptor viruses on my computer Hi, Please do the following: Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop. Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop If you are using Firefox, make sure that your download settings are as follows: Tools->Options->Main tab Set to "Always ask me where to Save the files". Link 1 Link 2 During the download, rename Combofix to Combo-Fix as follows: -------------------------------------------------------------------- It is important you rename Combofix during the download, but not after. Please do not rename Combofix to other names, but only to the one indicated. ----------------------------------------------------------- Double click on Combo-Fix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\Combo-Fix.txt" for further review. Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall ----------------------------------------------------------- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click on this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.* ----------------------------------------------------------- __________________ ASAP & UNITE Member

07-09-2009, 07:07 PM	#3 (permalink)
kwes0124 Registered User Join Date: Jul 2009 Posts: 16 OS: xp service pack 2	Re: I cannot get rid of Win32/Cryptor viruses on my computer umm i wasnt sure if i was supposed to copy and paste it in or attach it so i just copy and pasted it here it is: ComboFix 09-07-09.06 - Kody 07/09/2009 20:50.1.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1610 [GMT -4:00] Running from: c:\documents and settings\Kody\Desktop\Combo-Fix.exe AV: AVG Anti-Virus Free On-access scanning disabled (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\91505456.ini c:\documents and settings\Kody\Application Data\FunWebProducts c:\program files\FunWebProducts c:\program files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html c:\program files\FunWebProducts\Shared\Cache\MailStampBtn.html c:\program files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html c:\program files\FunWebProducts\Shared\Cache\MyStationeryBtn.html c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html c:\program files\Internet Explorer\msimg32.dll c:\program files\MicPhone c:\program files\MicPhone\antit.dll c:\program files\Microsoft Common c:\program files\Microsoft Common\svchost.exe c:\program files\MyWebSearch c:\program files\MyWebSearch\bar\1.bin\F3BKGERR.JPG c:\program files\MyWebSearch\bar\1.bin\F3BROVLY.DLL c:\program files\MyWebSearch\bar\1.bin\F3CJPEG.DLL c:\program files\MyWebSearch\bar\1.bin\F3DTACTL.DLL c:\program files\MyWebSearch\bar\1.bin\F3HISTSW.DLL c:\program files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL c:\program files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL c:\program files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL c:\program files\MyWebSearch\bar\1.bin\F3POPSWT.DLL c:\program files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR c:\program files\MyWebSearch\bar\1.bin\F3REPROX.DLL c:\program files\MyWebSearch\bar\1.bin\F3RESTUB.DLL c:\program files\MyWebSearch\bar\1.bin\F3SCHMON.EXE c:\program files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL c:\program files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL c:\program files\MyWebSearch\bar\1.bin\F3SPACER.WMV c:\program files\MyWebSearch\bar\1.bin\F3WALLPP.DAT c:\program files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR c:\program files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST c:\program files\MyWebSearch\bar\1.bin\M3HTML.DLL c:\program files\MyWebSearch\bar\1.bin\M3IDLE.DLL c:\program files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE c:\program files\MyWebSearch\bar\1.bin\M3MSG.DLL c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR c:\program files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST c:\program files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL c:\program files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL c:\program files\MyWebSearch\bar\1.bin\M3SKIN.DLL c:\program files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE c:\program files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE c:\program files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE c:\program files\MyWebSearch\bar\1.bin\MWSBAR.DLL c:\program files\MyWebSearch\bar\1.bin\MWSOEMON.EXE c:\program files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL c:\program files\MyWebSearch\bar\1.bin\MWSOESTB.DLL c:\program files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S c:\program files\MyWebSearch\bar\Cache\00017143.bin c:\program files\MyWebSearch\bar\Cache\0003FF31 c:\program files\MyWebSearch\bar\Cache\00417DEE.bin c:\program files\MyWebSearch\bar\Cache\00417E2C.bin c:\program files\MyWebSearch\bar\Cache\00417EA9.bin c:\program files\MyWebSearch\bar\Cache\00469B32.bin c:\program files\MyWebSearch\bar\Cache\00469C7A.bin c:\program files\MyWebSearch\bar\Cache\00469DC2.bin c:\program files\MyWebSearch\bar\Cache\00469E6E.bin c:\program files\MyWebSearch\bar\Cache\0096C8D4 c:\program files\MyWebSearch\bar\Cache\0096C913.bin c:\program files\MyWebSearch\bar\Cache\0096CA7A.bin c:\program files\MyWebSearch\bar\Cache\0096CB26.bin c:\program files\MyWebSearch\bar\Cache\0096CBB2.bin c:\program files\MyWebSearch\bar\Cache\0096CBE1.bin c:\program files\MyWebSearch\bar\Cache\010B26A0 c:\program files\MyWebSearch\bar\Cache\files.ini c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S c:\program files\MyWebSearch\bar\Game\CHESS.F3S c:\program files\MyWebSearch\bar\Game\REVERSI.F3S c:\program files\MyWebSearch\bar\History\search2 c:\program files\MyWebSearch\bar\icons\CM.ICO c:\program files\MyWebSearch\bar\icons\MFC.ICO c:\program files\MyWebSearch\bar\icons\PSS.ICO c:\program files\MyWebSearch\bar\icons\SMILEY.ICO c:\program files\MyWebSearch\bar\icons\WB.ICO c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO c:\program files\MyWebSearch\bar\Message\COMMON.F3S c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S c:\program files\MyWebSearch\bar\Notifier\DOG.F3S c:\program files\MyWebSearch\bar\Notifier\FISH.F3S c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S c:\program files\MyWebSearch\bar\Notifier\MAID.F3S c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm c:\program files\MyWebSearch\bar\Settings\s_pid.dat c:\program files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL c:\windows\9g2234wesdf3dfgjf23 c:\windows\dhcp c:\windows\Install.txt c:\windows\jestertb.dll c:\windows\KBPK090604.log c:\windows\KBPK090605.log c:\windows\ro122730.dat c:\windows\system32\certstore.dat c:\windows\system32\comsa32.sys c:\windows\system32\dncyool32.sys c:\windows\system32\drivers\ndis.sys c:\windows\system32\drivers\UACyappbnyglteptam.sys c:\windows\system32\f3PSSavr.scr c:\windows\system32\FInstall.sys c:\windows\system32\Install.txt c:\windows\system32\lowsec c:\windows\system32\lowsec\local.ds c:\windows\system32\lowsec\user.ds c:\windows\system32\msncache.dll c:\windows\system32\mssfc.dll c:\windows\system32\sdra64.exe c:\windows\system32\sfcfiles.dat c:\windows\system32\sopidkc.exe c:\windows\system32\sysloc c:\windows\system32\sysloc\sysloc.dll c:\windows\system32\tpsaxyd.exe c:\windows\system32\tpszxyd.sys c:\windows\system32\UACckxodojbyyifvsi.dat c:\windows\system32\UACekvyyqexgkkcdwv.dll c:\windows\system32\UAChufxirspqntwqtt.log c:\windows\system32\uacinit.dll c:\windows\system32\UACjrybvkqruuywhsh.log c:\windows\system32\UAClpayblkbmumdhdn.dll c:\windows\system32\UACncdiwkaksljkgyu.dll c:\windows\system32\UACrloymeivmvtprum.log c:\windows\system32\UACwumoqxvvdlusnti.dll c:\windows\system32\UACyblhbowilrbepxl.dll c:\windows\system32\wiawow32.sys c:\windows\system32\wtukd32.exe c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job c:\windows\TEMP\mpj109623.dll c:\windows\TEMP\mta79431.dll Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected Restored copy from - c:\i386\sfcfiles.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_UACd.sys -------\Legacy_6to4 -------\Legacy_dhcpsrv -------\Legacy_MSNCACHE -------\Legacy_sndintd -------\Legacy_sopidkc -------\Service_6to4 -------\Service_dhcpsrv -------\Service_glaide32 -------\Service_msncache -------\Service_sndintd -------\Service_sopidkc ((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 ))))))))))))))))))))))))))))))) . 2009-07-09 17:47 . 2009-07-09 17:47 -------- d-----w- c:\windows\system32\MpEngineStore 2009-07-09 15:47 . 2004-08-04 11:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-07-10 00:14 . 2007-12-25 16:34 -------- d-----w- c:\program files\Warcraft III 2009-07-09 22:49 . 2009-06-06 19:29 -------- d-----w- c:\program files\Enigma Software Group 2009-07-09 15:14 . 2008-03-23 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-07-09 15:06 . 2004-08-10 18:50 6656 ----a-w- c:\windows\system32\drivers\asyncmac.sys 2009-06-05 20:53 . 2008-05-23 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-06-05 19:10 . 2007-12-11 22:11 -------- d-----w- c:\program files\Google 2009-06-05 01:13 . 2009-06-05 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\91505456 2009-06-05 01:13 . 2009-06-05 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\11495464 2009-06-05 01:03 . 2009-06-05 01:03 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AVGTOOLBAR 2009-05-15 15:24 . 2008-05-23 23:02 -------- d-----w- c:\documents and settings\Kody\Application Data\AVGTOOLBAR 2009-05-15 15:04 . 2009-05-19 23:35 2051864 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll 2009-05-15 15:04 . 2009-05-19 23:35 486168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe 2009-05-15 15:04 . 2008-05-23 23:02 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-05-15 15:04 . 2008-05-23 23:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-05-15 15:04 . 2008-02-28 22:10 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-05-15 15:04 . 2008-05-23 23:02 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-05-15 15:03 . 2009-05-19 23:35 354584 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll 2009-05-15 15:03 . 2009-05-19 23:35 3288344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe 2009-05-15 15:03 . 2009-05-19 23:35 424472 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll 2009-05-15 15:03 . 2009-05-19 23:35 312088 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll 2009-05-15 15:03 . 2009-05-19 23:35 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll 2009-05-15 15:02 . 2009-05-19 23:34 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll 2009-05-15 15:02 . 2009-05-19 23:34 1437464 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll 2008-04-27 02:06 . 2008-04-27 02:06 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll . ------- Sigcheck ------- [-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys [7] 2009-07-10 00:50 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\dllcache\ndis.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480] "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784] "Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480] "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552] "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-27 29744] "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-15 1947928] "fssui"="c:\program files\Windows Live\Family Safety\fssui.exe" [2007-12-17 243240] "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-11 24576] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588] NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-1-21 118784] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-05-15 15:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\Warcraft III\\war3.exe"= "c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"= "c:\\WINDOWS\\system32\\java.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service S1 56c4bfd1;56c4bfd1;c:\windows\system32\drivers\56c4bfd1.sys --> c:\windows\system32\drivers\56c4bfd1.sys [?] S1 84a1a6e4;84a1a6e4;c:\windows\system32\drivers\84a1a6e4.sys --> c:\windows\system32\drivers\84a1a6e4.sys [?] S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/23/2008 7:02 PM 325896] S1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/23/2008 7:02 PM 108552] S1 ccfbepjb;ccfbepjb;\??\c:\windows\system32\drivers\ccfbepjb.sys --> c:\windows\system32\drivers\ccfbepjb.sys [?] S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 12:24 PM 908568] S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 12:24 PM 298776] S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [9/3/2008 7:24 PM 43816] S2 fsssvc;Windows Live OneCare Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/17/2007 11:13 AM 523816] S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/25/2007 2:40 PM 24652] S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/11/2007 6:11 PM 29744] S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512] . Contents of the 'Scheduled Tasks' folder 2009-07-10 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20] 2009-07-10 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-11 00:16] . - - - - ORPHANS REMOVED - - - - HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe Notify-__c00DD842 - c:\windows\system32\__c00DD842.dat . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ mStart Page = hxxp://www.dell.com uInternet Settings,ProxyServer = http=localhost:7171 uInternet Settings,ProxyOverride = .local;<local> IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZKxdm011YYUS IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx FF - ProfilePath - c:\documents and settings\Kody\Application Data\Mozilla\Firefox\Profiles\btf9npem.default\ FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query= FF - prefs.js: browser.search.selectedEngine - AIM Search FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - prefs.js: keyword.URL - chrome://google-gzfb-partner/locale/partner.properties FF - component: c:\documents and settings\Kody\Application Data\Mozilla\Firefox\Profiles\btf9npem.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll . *********************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-07-09 20:59 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-2045840655-3736074713-113770698-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] "??"=hex:64,e6,1a,1c,59,70,53,52,41,7d,99,21,a8,47,e3,8b,70,8b,9a,ef,fe,ed,45, 96,88,9d,19,01,bf,f9,3b,f2,ca,39,9c,2f,bd,38,66,06,0a,60,84,46,a9,da,84,8c,\ "??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22 . Completion time: 2009-07-10 21:02 - machine was rebooted ComboFix-quarantined-files.txt 2009-07-10 01:02 Pre-Run: 451,688,005,632 bytes free Post-Run: 455,226,327,040 bytes free 324 --- E O F --- 2009-05-15 02:04

07-09-2009, 08:12 PM	#4 (permalink)
CatByte Analyst, Security Team Join Date: Jan 2009 Location: Canada Posts: 2,181 OS: XP sp3	Re: I cannot get rid of Win32/Cryptor viruses on my computer Hi, Please do the following: Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Copy/paste the text inside the Codebox below into notepad: Here's how to do that: Click Start > Run type Notepad click OK. This will open an empty notepad file: Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy') Code: http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/393395-i-cannot-get-rid-win32-cryptor-viruses-my-computer.html#post2231762 Collect:: c:\windows\system32\drivers\56c4bfd1.sys c:\windows\system32\drivers\84a1a6e4.sys c:\windows\system32\drivers\ccfbepjb.sys KillAll:: Folder:: c:\documents and settings\All Users\Application Data\91505456 c:\documents and settings\All Users\Application Data\11495464 Driver:: 56c4bfd1 84a1a6e4 ccfbepjb DDS:: uInternet Settings,ProxyServer = http=localhost:7171 uInternet Settings,ProxyOverride = .local;<local> IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZKxdm011YYUS Now paste* the copied text into the open notepad - press CTRL+V (or right click and choose 'paste') Save this file to your desktop, Save this as "CFScript" Here's how to do that: 1.Click File; 2.Click Save As... Change the directory to your desktop; 3.Change the Save as type to "All Files"; 4.Type in the file name: CFScript 5.Click Save ... Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply. CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. Note When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box. __________________ ASAP & UNITE Member

07-09-2009, 08:47 PM	#5 (permalink)
kwes0124 Registered User Join Date: Jul 2009 Posts: 16 OS: xp service pack 2	Re: I cannot get rid of Win32/Cryptor viruses on my computer ComboFix 09-07-09.06 - Kody 07/09/2009 22:29.2.2 - NTFSx86 MINIMAL Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1773 [GMT -4:00] Running from: c:\documents and settings\Kody\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\Kody\Desktop\CFScript.txt AV: AVG Anti-Virus Free On-access scanning disabled (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\11495464 c:\documents and settings\All Users\Application Data\11495464\11495464.glu c:\documents and settings\All Users\Application Data\91505456 . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_56c4bfd1 -------\Service_84a1a6e4 -------\Service_ccfbepjb ((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 ))))))))))))))))))))))))))))))) . 2009-07-09 17:47 . 2009-07-09 17:47 -------- d-----w- c:\windows\system32\MpEngineStore 2009-07-09 15:47 . 2004-08-04 11:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-07-10 00:14 . 2007-12-25 16:34 -------- d-----w- c:\program files\Warcraft III 2009-07-09 22:49 . 2009-06-06 19:29 -------- d-----w- c:\program files\Enigma Software Group 2009-07-09 15:14 . 2008-03-23 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-07-09 15:06 . 2004-08-10 18:50 6656 ----a-w- c:\windows\system32\drivers\asyncmac.sys 2009-06-05 20:53 . 2008-05-23 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-06-05 19:10 . 2007-12-11 22:11 -------- d-----w- c:\program files\Google 2009-06-05 01:03 . 2009-06-05 01:03 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AVGTOOLBAR 2009-05-15 15:24 . 2008-05-23 23:02 -------- d-----w- c:\documents and settings\Kody\Application Data\AVGTOOLBAR 2009-05-15 15:04 . 2009-05-19 23:35 2051864 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll 2009-05-15 15:04 . 2009-05-19 23:35 486168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe 2009-05-15 15:04 . 2008-05-23 23:02 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-05-15 15:04 . 2008-05-23 23:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-05-15 15:04 . 2008-02-28 22:10 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-05-15 15:04 . 2008-05-23 23:02 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-05-15 15:03 . 2009-05-19 23:35 354584 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll 2009-05-15 15:03 . 2009-05-19 23:35 3288344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe 2009-05-15 15:03 . 2009-05-19 23:35 424472 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll 2009-05-15 15:03 . 2009-05-19 23:35 312088 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll 2009-05-15 15:03 . 2009-05-19 23:35 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll 2009-05-15 15:02 . 2009-05-19 23:34 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll 2009-05-15 15:02 . 2009-05-19 23:34 1437464 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll 2008-04-27 02:06 . 2008-04-27 02:06 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll . ------- Sigcheck ------- [-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys [7] 2009-07-10 00:50 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\system32\dllcache\ndis.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480] "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784] "Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480] "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552] "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-27 29744] "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-15 1947928] "fssui"="c:\program files\Windows Live\Family Safety\fssui.exe" [2007-12-17 243240] "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-11 24576] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588] NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-1-21 118784] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-05-15 15:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\Warcraft III\\war3.exe"= "c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"= "c:\\WINDOWS\\system32\\java.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/23/2008 7:02 PM 325896] R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 12:24 PM 908568] R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 12:24 PM 298776] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/25/2007 2:40 PM 24652] S1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/23/2008 7:02 PM 108552] S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [9/3/2008 7:24 PM 43816] S2 fsssvc;Windows Live OneCare Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/17/2007 11:13 AM 523816] S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/11/2007 6:11 PM 29744] S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512] . Contents of the 'Scheduled Tasks' folder 2009-07-10 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20] 2009-07-10 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-11 00:16] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ mStart Page = hxxp://www.dell.com IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZKxdm011YYUS IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx FF - ProfilePath - c:\documents and settings\Kody\Application Data\Mozilla\Firefox\Profiles\btf9npem.default\ FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query= FF - prefs.js: browser.search.selectedEngine - AIM Search FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - prefs.js: keyword.URL - chrome://google-gzfb-partner/locale/partner.properties FF - component: c:\documents and settings\Kody\Application Data\Mozilla\Firefox\Profiles\btf9npem.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-07-09 22:33 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-2045840655-3736074713-113770698-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY] "??"=hex:64,e6,1a,1c,59,70,53,52,41,7d,99,21,a8,47,e3,8b,70,8b,9a,ef,fe,ed,45, 96,88,9d,19,01,bf,f9,3b,f2,ca,39,9c,2f,bd,38,66,06,0a,60,84,46,a9,da,84,8c,\ "??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22 . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(380) c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\windows\system32\ati2evxx.exe c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe c:\windows\system32\PnkBstrA.exe c:\windows\system32\ZuneBusEnum.exe c:\program files\AVG\AVG8\avgrsx.exe c:\program files\AVG\AVG8\avgcsrvx.exe c:\windows\system32\wscntfy.exe c:\program files\AIM6\aolsoftware.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************* . Completion time: 2009-07-10 22:36 - machine was rebooted ComboFix-quarantined-files.txt 2009-07-10 02:36 ComboFix2.txt 2009-07-10 01:02 Pre-Run: 455,229,468,672 bytes free Post-Run: 453,065,347,072 bytes free 190 --- E O F --- 2009-05-15 02:04

07-10-2009, 01:00 AM	#6 (permalink)
CatByte Analyst, Security Team Join Date: Jan 2009 Location: Canada Posts: 2,181 OS: XP sp3	Re: I cannot get rid of Win32/Cryptor viruses on my computer Hi, Please do the following: Download TFC to your desktop Close any open windows. Double click the TFC icon to run the program TFC will close all open programs itself in order to run, Click the Start button to begin the process. Allow TFC to run uninterrupted. The program should not take long to finish it's job Once its finished it should automatically reboot your machine, if it doesn't, manually reboot to ensure a complete clean It's normal after running TFC cleaner that the PC will be slower to boot the first time. NEXT Please download Malwarebytes' Anti-Malware Double Click mbam-setup.exe to install the application. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient. When the scan is complete, click OK, then Show Results to view the results. Make sure that everything is checked, and click Remove Selected. <-- very important When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note) The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM. Copy&Paste the entire report in your next reply. Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately. NEXT Run an on-line scan with Kaspersky Using Internet Explorer or Firefox, visit Kaspersky On-line Scanner 1. Click Accept, when prompted to download and install the program files and database of malware definitions. 2. To optimize scanning time and produce a more sensible report for review: Close any open programs Turn off the real time scanner of any existing antivirus program while performing the online scan 3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes. Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined. Click View scan report at the bottom. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply In your next reply please include MBAM Log Kaspersky report Also please describe how your computer is running now and if there are any outstanding issues. __________________ ASAP & UNITE Member

07-10-2009, 10:17 AM	#7 (permalink)
kwes0124 Registered User Join Date: Jul 2009 Posts: 16 OS: xp service pack 2	Re: I cannot get rid of Win32/Cryptor viruses on my computer I ran the MBAM and this is the report: Malwarebytes' Anti-Malware 1.38 Database version: 2297 Windows 5.1.2600 Service Pack 2 7/10/2009 10:14:59 AM mbam-log-2009-07-10 (10-14-59).txt Scan type: Quick Scan Objects scanned: 84428 Time elapsed: 2 minute(s), 9 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 62 Registry Values Infected: 2 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\funwebproducts.browseroverlaybarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\funwebproducts.browseroverlayembed.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{2763e333-b168-41a0-a112-d35f96f410c0} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{38a7c9da-8db7-4d0f-a7b1-c4b1a305bddb} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{8d292ec0-6792-4a38-82ed-73a087e41ba6} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{d778513b-1c40-4819-b0c5-49e40b39afd0} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{98635087-3f5d-418f-990c-b1efe0797a3b} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-f3embed (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: c:\WINDOWS\system32\drivers\asyncmac.sys (Rootkit.Agent) -> Quarantined and deleted successfully. However, my internet connections are gone, they are non existent. So i could not run the Kaspersky On-line Scanner.

07-10-2009, 12:16 PM	#8 (permalink)
CatByte Analyst, Security Team Join Date: Jan 2009 Location: Canada Posts: 2,181 OS: XP sp3	Re: I cannot get rid of Win32/Cryptor viruses on my computer Hi, Please try the following to restore the internet connection: Please reset IE Go to Start > Control Panel, and choose Network Connections. Right click on your default connection, usually Local Area Connection for cable and DSL or Dial-up Connection if you are using Dial-up, and choose Properties. Click the Networking tab Double-click on the Internet Protocol (TCP/IP) item. Write down the settings in case you should need to change them back. Select the radio button that says "Obtain DNS servers automatically". Click OK twice to get out of the properties screen and restart your computer. If not prompted to reboot go ahead and reboot manually. In I.E. Check internet options settings. Tools > Internet Options > Connections LAN settings Choose "automatically detect settings" uncheck both proxy settings boxes In FireFox Click on Advanced -> Network -> Setttings… the No Proxy option should be selected If still no joy, try this: if your network icon appears on the Windows taskbar, then you can repair it by right-clicking on the icon and selecting Repair. If you have no task bar icon do this: Click on the Start button. Click on the Settings menu option. Click on the Control Panel option. When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom. You will now see a list of available network connections. Locate the connection for your Wireless or Lan adapter and right-click on it. click on the Repair menu option. Let the repair process perform its tasks and when it has finished, your Internet connection should be working again. __________________ ASAP & UNITE Member

07-10-2009, 12:31 PM	#9 (permalink)
kwes0124 Registered User Join Date: Jul 2009 Posts: 16 OS: xp service pack 2	Re: I cannot get rid of Win32/Cryptor viruses on my computer The connections arnt there. I've already went to control panel then network and internet connections then network connections and the connections arnt there. Where the local connection and the other connection used to be there i just a white screen. There is no network icon at the bottom either. Again there is no connections in the network connections menu

07-10-2009, 12:38 PM	#10 (permalink)
CatByte Analyst, Security Team Join Date: Jan 2009 Location: Canada Posts: 2,181 OS: XP sp3	Re: I cannot get rid of Win32/Cryptor viruses on my computer How do you normally connect? Please do the following: Go to Start->Run->Type CMD and click Ok. The MSDOS Window will be displayed. At the command prompt, type the following commands and press Enter after each line: ipconfig /flushdns (The space between g and / is needed) regsvr32 netshell.dll regsvr32 netcfgx.dll regsvr32 netman.dll Exit Restart the computer. __________________ ASAP & UNITE Member Last edited by CatByte; 07-10-2009 at 12:39 PM.

07-10-2009, 12:45 PM	#11 (permalink)
kwes0124 Registered User Join Date: Jul 2009 Posts: 16 OS: xp service pack 2	Re: I cannot get rid of Win32/Cryptor viruses on my computer i have comcast highspeed internet, and the cable connects to a model then to a router then directly into my computer. THeres normally a local connection and one other connection in the network connections menu. They were there after the viruses infected my computer, but they wouldnt work. Then after some of the scans they vanished. And i did as instructed and the computer is restarted.

07-10-2009, 01:32 PM	#12 (permalink)
CatByte Analyst, Security Team Join Date: Jan 2009 Location: Canada Posts: 2,181 OS: XP sp3	Re: I cannot get rid of Win32/Cryptor viruses on my computer Hi, Go to Start > Run type devmgmt.msc > OK What does Device Manager show under Network Adapters? Are there any yellow or red marks? Please post the output of ipconfig /all from a command prompt. 1. Click on Start then Run 2. Type cmd and press Enter or click OK 3. Type ipconfig /all and press Enter 4. Right click on the command prompt window title bar, select Edit then Mark 5. Use the mouse to select all the output from the ipconfig command, them click the right mouse button. This will copy the data to the clipboard. 6. paste the data you copied here. __________________ ASAP & UNITE Member

07-10-2009, 01:39 PM	#13 (permalink)
kwes0124 Registered User Join Date: Jul 2009 Posts: 16 OS: xp service pack 2	Re: I cannot get rid of Win32/Cryptor viruses on my computer Yes, under Network Adapters there are yellow marks, no red tho. Everything under Network Adapters has a Yellow Circle with a black ! inside it. And after putting cmd in the Run box, and typing ipconfig /all, this came up in the box: Windows IP Configuration An internal error occurred: The request is not supported. Please contact Microsoft Product Support Services for further help. Additional information: Unable to query host name.

07-10-2009, 02:00 PM	#14 (permalink)
CatByte Analyst, Security Team Join Date: Jan 2009 Location: Canada Posts: 2,181 OS: XP sp3	Re: I cannot get rid of Win32/Cryptor viruses on my computer Please do the following: Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Copy/paste the text inside the Codebox below into notepad: Here's how to do that: Click Start > Run type Notepad click OK. This will open an empty notepad file: Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy') Code: FCopy:: c:\windows\system32\dllcache\ndis.sys \| c:\windows\system32\drivers\ndis.sys Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste') Save this file to your desktop, Save this as "CFScript" Here's how to do that: 1.Click File; 2.Click Save As... Change the directory to your desktop; 3.Change the Save as type to "All Files"; 4.Type in the file name: CFScript 5.Click Save ... Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply. CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall. __________________ ASAP & UNITE Member

07-10-2009, 02:17 PM	#15 (permalink)
kwes0124 Registered User Join Date: Jul 2009 Posts: 16 OS: xp service pack 2	Re: I cannot get rid of Win32/Cryptor viruses on my computer ComboFix 09-07-09.08 - Kody 07/10/2009 16:09.3.2 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1529 [GMT -4:00] Running from: c:\documents and settings\Kody\Desktop\Combo-Fix.exe Command switches used :: c:\documents and settings\Kody\Desktop\CFScript.txt AV: AVG Anti-Virus Free On-access scanning disabled (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . --------------- FCopy --------------- c:\windows\system32\dllcache\ndis.sys --> c:\windows\system32\drivers\ndis.sys . ((((((((((((((((((((((((( Files Created from 2009-06-10 to 2009-07-10 ))))))))))))))))))))))))))))))) . 2009-07-10 20:06 . 2009-07-10 00:50 182912 ----a-w- c:\windows\system32\drivers\ndis.sys 2009-07-10 20:06 . 2009-07-10 00:50 182912 ----a-w- c:\windows\system32\dllcache\ndis.sys 2009-07-10 14:11 . 2009-07-10 14:11 -------- d-----w- c:\documents and settings\Kody\Application Data\Malwarebytes 2009-07-10 14:11 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-07-10 14:11 . 2009-07-10 14:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-07-10 14:11 . 2009-07-10 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes 2009-07-10 14:11 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-07-09 17:47 . 2009-07-09 17:47 -------- d-----w- c:\windows\system32\MpEngineStore 2009-07-09 15:47 . 2004-08-04 11:00 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-07-10 18:22 . 2007-12-25 16:34 -------- d-----w- c:\program files\Warcraft III 2009-07-10 16:15 . 2008-03-23 19:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater 2009-07-09 22:49 . 2009-06-06 19:29 -------- d-----w- c:\program files\Enigma Software Group 2009-06-05 20:53 . 2008-05-23 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8 2009-06-05 19:10 . 2007-12-11 22:11 -------- d-----w- c:\program files\Google 2009-06-05 01:03 . 2009-06-05 01:03 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AVGTOOLBAR 2009-05-15 15:24 . 2008-05-23 23:02 -------- d-----w- c:\documents and settings\Kody\Application Data\AVGTOOLBAR 2009-05-15 15:04 . 2009-05-19 23:35 2051864 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll 2009-05-15 15:04 . 2009-05-19 23:35 486168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe 2009-05-15 15:04 . 2008-05-23 23:02 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys 2009-05-15 15:04 . 2008-05-23 23:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll 2009-05-15 15:04 . 2008-02-28 22:10 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys 2009-05-15 15:04 . 2008-05-23 23:02 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys 2009-05-15 15:03 . 2009-05-19 23:35 354584 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll 2009-05-15 15:03 . 2009-05-19 23:35 3288344 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe 2009-05-15 15:03 . 2009-05-19 23:35 424472 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll 2009-05-15 15:03 . 2009-05-19 23:35 312088 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll 2009-05-15 15:03 . 2009-05-19 23:35 177432 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll 2009-05-15 15:02 . 2009-05-19 23:34 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll 2009-05-15 15:02 . 2009-05-19 23:34 1437464 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll 2008-04-27 02:06 . 2008-04-27 02:06 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll . ((((((((((((((((((((((((((((( SnapShot@2009-07-10_00.59.57 ))))))))))))))))))))))))))))))))))))))))) . + 2004-08-10 18:50 . 2004-08-04 11:00 14336 c:\windows\system32\dllcache\asyncmac.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ModemOnHold"="c:\program files\NetWaiting\netWaiting.exe" [2003-09-10 20480] "DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784] "Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480] "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112] "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552] "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-27 29744] "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792] "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312] "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-15 1947928] "fssui"="c:\program files\Windows Live\Family Safety\fssui.exe" [2007-12-17 243240] "SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-11 24576] Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588] NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2008-1-21 118784] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter] 2009-05-15 15:04 11952 ----a-w- c:\windows\system32\avgrsstx.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager "c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager "c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"= "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"= "c:\\Program Files\\Warcraft III\\war3.exe"= "c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"= "c:\\WINDOWS\\system32\\java.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/23/2008 7:02 PM 325896] R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/23/2008 7:02 PM 108552] R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/4/2008 12:24 PM 908568] R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/4/2008 12:24 PM 298776] R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [9/3/2008 7:24 PM 43816] R2 fsssvc;Windows Live OneCare Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [12/17/2007 11:13 AM 523816] R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/25/2007 2:40 PM 24652] S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [12/11/2007 6:11 PM 29744] S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [8/2/2005 5:10 PM 32512] . Contents of the 'Scheduled Tasks' folder 2009-07-10 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20] 2009-07-10 c:\windows\Tasks\Google Software Updater.job - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-11 00:16] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ mStart Page = hxxp://www.dell.com IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html IE: &Search IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx FF - ProfilePath - c:\documents and settings\Kody\Application Data\Mozilla\Firefox\Profiles\btf9npem.default\ FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query= FF - prefs.js: browser.search.selectedEngine - AIM Search FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/ FF - prefs.js: keyword.URL - chrome://google-gzfb-partner/locale/partner.properties FF - component: c:\documents and settings\Kody\Application Data\Mozilla\Firefox\Profiles\btf9npem.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll . ************************************************************************ catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-07-10 16:12 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-2045840655-3736074713-113770698-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*] "??"=hex:64,e6,1a,1c,59,70,53,52,41,7d,99,21,a8,47,e3,8b,70,8b,9a,ef,fe,ed,45, 96,88,9d,19,01,bf,f9,3b,f2,ca,39,9c,2f,bd,38,66,06,0a,60,84,46,a9,da,84,8c,\ "??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22 . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'explorer.exe'(1668) c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . Completion time: 2009-07-10 16:13 ComboFix-quarantined-files.txt 2009-07-10 20:13 ComboFix2.txt 2009-07-10 02:36 ComboFix3.txt 2009-07-10 01:02 Pre-Run: 453,254,057,984 bytes free Post-Run: 453,236,805,632 bytes free 178 --- E O F --- 2009-05-15 02:04

07-10-2009, 04:59 PM	#16 (permalink)
CatByte Analyst, Security Team Join Date: Jan 2009 Location: Canada Posts: 2,181 OS: XP sp3	Re: I cannot get rid of Win32/Cryptor viruses on my computer Hi, it would appear as though the Network Interface Card (NIC) driver has been removed somehow during our malware removal. either: Download and save NIC Driver to CD, Floppy or USB memory from your Computer Manufacturer (if it is an onboard Network Interface Card) or Download and save NIC Driver to CD, Floppy or USB memory from the NIC manufacturer (if it is a PCI card NIC) NIC can be installed from Device Manager (if) the downloaded file is file.INF Some NIC drivers are installed via their own file.EXE and are installed directly via double-click of setup.exe NIC driver can be copied to a folder on the computer, or installed directly from the saved media. If you are using Device Manager to install, you will need to select "Have Disk" and then browse to point the installer to the file.INF that you have saved. Once the NIC driver is reinstalled go through the steps previously outlined in posts #9 and 10 __________________ ASAP & UNITE Member

07-10-2009, 05:15 PM	#17 (permalink)
kwes0124 Registered User Join Date: Jul 2009 Posts: 16 OS: xp service pack 2	Re: I cannot get rid of Win32/Cryptor viruses on my computer Umm, after i did the last combofix, i checked the connections and they were there. And the internet works, and theres no problems. It seems to be working just fine without reinstalling anything...

07-10-2009, 05:37 PM	#18 (permalink)
CatByte Analyst, Security Team Join Date: Jan 2009 Location: Canada Posts: 2,181 OS: XP sp3	Re: I cannot get rid of Win32/Cryptor viruses on my computer good the fcopy:: of ndis.sys was supposed to have accomplished that - which it obviously did - I got worried when you didn't say it repaired your connection. Now can you continue on with the Kaspersky scan. Thanks ~CB __________________ ASAP & UNITE Member Last edited by CatByte; 07-10-2009 at 05:39 PM.

07-10-2009, 06:33 PM	#19 (permalink)
CatByte Analyst, Security Team Join Date: Jan 2009 Location: Canada Posts: 2,181 OS: XP sp3	Re: I cannot get rid of Win32/Cryptor viruses on my computer Hi, I need you to do something for me. Please locate the ComboFix-quarantined-files.txt - it should be in the C:\ComboFix folder and post or attach the contents thanks ~CB __________________ ASAP & UNITE Member

07-10-2009, 07:25 PM	#20 (permalink)
kwes0124 Registered User Join Date: Jul 2009 Posts: 16 OS: xp service pack 2	Re: I cannot get rid of Win32/Cryptor viruses on my computer I didn't check the connections till a little while after the combo fix; I was afraid to mess something up if I didn't wait for more instructions. Here's the Kaspersky Scan results: -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0 REPORT Friday, July 10, 2009 Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Program database last update: Saturday, July 11, 2009 01:48:44 Records in database: 2458385 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: C:\ D:\ Scan statistics: Files scanned: 80884 Threat name: 30 Infected objects: 97 Suspicious objects: 0 Duration of the scan: 01:03:04 File name / Threat name / Threats count C:\Documents and Settings\Kody\My Documents\My Music\iTunes\Incomplete\T-5158182-waiting firelight [club mix].mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1 C:\Documents and Settings\Kody\My Documents\My Music\iTunes\Incomplete\T-5905209-waiting firelight - bonus track.mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1 C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\botten anna radio edit.mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1 C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\Foreigner - I Need You.mp3 Infected: Trojan-Downloader.WMA.GetCodec.a 1 C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\i am u demon hunter.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1 C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\Jeremy Camp - Breaking My Fall.mp3 Infected: Trojan-Downloader.WMA.GetCodec.a 1 C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\Jeremy Camp - Take You Back.mp3 Infected: Trojan-Downloader.WMA.GetCodec.a 1 C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\never ever aftermath.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1 C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\new thing fuel.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1 C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\Papa Roach - Not Listening.mp3 Infected: Trojan-Downloader.WMA.GetCodec.a 1 C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\Saving Abel - She Got Over Me.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1 C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\song for you fuel (high bitrate).mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1 C:\Documents and Settings\Kody\My Documents\My Music\iTunes\iTunes Music\stronger trust compay.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1 C:\Qoobox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1 C:\Qoobox\Quarantine\C\Program Files\Microsoft Common\svchost.exe.vir Infected: Worm.Win32.AutoRun.apfm 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.at 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.l 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.af 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.a 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.aq 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir Infected: not-a-virus:Monitor.Win32.Agent.c 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ax 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.as 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1 C:\Qoobox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.as 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\dncyool32.sys.vir Infected: Trojan.Win32.VB.qxd 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACyappbnyglteptam.sys.vir Infected: Rootkit.Win32.Agent.lzl 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\msncache.dll.vir Infected: Trojan.Win32.Koblu.da 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\sfcfiles.dll.vir Infected: Trojan.Win32.Patched.fr 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\sopidkc.exe.vir Infected: Trojan.Win32.Koblu.yu 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\sysloc\sysloc.dll.vir Infected: Trojan.Win32.BHO.ugq 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\tpsaxyd.exe.vir Infected: Trojan.Win32.Delf.ncf 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\tpszxyd.sys.vir Infected: Trojan-Downloader.Win32.DlfBfkg.ix 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\UACekvyyqexgkkcdwv.dll.vir Infected: Packed.Win32.Tdss.m 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\wiawow32.sys.vir Infected: Trojan.Win32.VBimay.ee 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\wtukd32.exe.vir Infected: Trojan-Downloader.Win32.DlfBfkg.ix 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\_sdra64_.exe.zip Infected: Trojan-Spy.Win32.Zbot.wyu 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000001.sys Infected: Rootkit.Win32.Agent.lzl 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000004.dll Infected: Packed.Win32.Tdss.m 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000035.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000037.exe Infected: Worm.Win32.AutoRun.apfm 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000038.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.at 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000040.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000041.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000042.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.l 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000043.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.af 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000044.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000045.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000046.SCR Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000047.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000048.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000049.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.a 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000050.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.an 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000051.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.aq 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000052.DLL Infected: not-a-virus:Monitor.Win32.Agent.c 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000054.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000055.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ax 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000057.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000059.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000060.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.as 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000063.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000064.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000065.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.bc 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000066.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000067.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.au 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000068.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000069.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000077.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.as 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000080.sys Infected: Trojan.Win32.VB.qxd 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000081.scr Infected: not-a-virus:WebToolbar.Win32.MyWebSearch 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000085.dll Infected: Trojan.Win32.Koblu.da 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000086.exe Infected: Trojan.Win32.Koblu.yu 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000087.dll Infected: Trojan.Win32.BHO.ugq 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000088.exe Infected: Trojan.Win32.Delf.ncf 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000089.sys Infected: Trojan-Downloader.Win32.DlfBfkg.ix 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000091.sys Infected: Trojan.Win32.VBimay.ee 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000092.exe Infected: Trojan-Downloader.Win32.DlfBfkg.ix 1 C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP0\A0000093.dll Infected: Trojan.Win32.Patched.fr 1 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\83GQLGHC\166[1].exe Infected: Trojan.Win32.Agent2.kln 1 The selected area was scanned.