WiredWX Christian Hobby Weather Tools
WIN32/Crypto problem.

OK, first off, here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:06:43, on 13/08/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\temp\2279299.tmp
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Hewlett-Packard\HP Advisor\SSDK04.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Becks\Desktop\winlogon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Pavilion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Pavilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Pavilion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/VistaMSNPUplden-gb.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{28EA2DBA-838B-4FD2-AEB0-78C3595E4758}: NameServer = 85.255.112.139,85.255.112.136
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6D6C2EA-8D50-4EDB-B949-988000AA8B7D}: NameServer = 85.255.112.139,85.255.112.136
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.139,85.255.112.136
O17 - HKLM\System\CS1\Services\Tcpip\..\{28EA2DBA-838B-4FD2-AEB0-78C3595E4758}: NameServer = 85.255.112.139,85.255.112.136
O17 - HKLM\System\CS14\Services\Tcpip\Parameters: NameServer = 85.255.112.139,85.255.112.136
O17 - HKLM\System\CS14\Services\Tcpip\..\{28EA2DBA-838B-4FD2-AEB0-78C3595E4758}: NameServer = 85.255.112.139,85.255.112.136
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.139,85.255.112.136
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 11389 bytes


I'm having major trouble with this system; I get a bad image error 2/3 times for every program that opens (meaning a good deal of time spent on startup closing errors).

AVG reports Crypto in several places but is unable to remove it. I have downloaded Malwarebytes, but after getting the usual bad image DLL errors it will not start installing.

When I do a Google search the first search is always redirected, then the 2nd is OK, but certain websites (mainly to do with Malwarebytes) give a DNS error, as if the virus is blocking any attempt to kill it.

Thanks for the help on this.


EDIT* Forgot to add, my Windows Security Centre has been disabled and will not restart.

Last edited by elporco on 12th August 2009, 11:22 pm; edited 1 time in total (Reason for editing : forgot to add)
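An added example, not from this thread or from any of the tools named in it, that triages HijackThis-style log lines the way a helper reads the log above: it runs over a constructed subset of that log and flags processes launched from user-writable paths or carrying a core Windows binary name outside the Windows directory, O17 NameServer overrides that point at external resolvers (the kind of entry behind redirected searches and blocked security sites), and orphaned O2/O18 entries. The function names, severity labels and regexes are my own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed subset of the HijackThis log posted above (not the full log).
SAMPLE_HJT_LOG = r"""
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\temp\2279299.tmp
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Users\Becks\Desktop\winlogon.exe

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{28EA2DBA-838B-4FD2-AEB0-78C3595E4758}: NameServer = 85.255.112.139,85.255.112.136
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.139,85.255.112.136
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - (no file)
"""


@dataclass
class Finding:
    severity: str  # "high" = act on it, "low" = clean-up item
    section: str   # "process", "O17", or the prefix of an orphaned entry
    detail: str


# Core Windows binaries that legitimately live only under the Windows
# directory; a same-named file anywhere else is name squatting.
SYSTEM_BINARY_NAMES = {"winlogon.exe", "csrss.exe", "services.exe",
                       "lsass.exe", "svchost.exe", "explorer.exe"}

# Locations an ordinary user (or malware running as that user) can write to.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\|documents and settings\\|windows\\temp\\)", re.I)
NAMESERVER = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<ips>.+)$")
ORPHAN = re.compile(r"^(?P<prefix>O\d+|R\d) - .*\((?:no file|file missing)\)$")


def check_process(path: str) -> Optional[Finding]:
    """Flag a running-process path that a clean system would not show."""
    name = path.rsplit("\\", 1)[-1].lower()
    under_windows = path.lower().startswith("c:\\windows\\")
    if name in SYSTEM_BINARY_NAMES and not under_windows:
        return Finding("high", "process",
                       f"{name} running outside the Windows directory: {path}")
    if USER_WRITABLE.match(path):
        return Finding("high", "process",
                       f"process started from a user-writable location: {path}")
    return None


def check_nameserver(line: str) -> Optional[Finding]:
    """Flag an O17 entry that hard-codes a non-private DNS resolver."""
    m = NAMESERVER.match(line)
    if not m:
        return None
    external = []
    for server in (s.strip() for s in m.group("ips").split(",")):
        try:
            if not ipaddress.ip_address(server).is_private:
                external.append(server)
        except ValueError:
            external.append(server)  # an unparsable value is itself suspicious
    if not external:
        return None
    return Finding("high", "O17",
                   f"external resolver written into {m.group('key')}: "
                   f"{', '.join(external)} (confirm it is what the ISP or router "
                   "should hand out; a rogue one explains redirected searches)")


def analyse_hjt_log(text: str) -> List[Finding]:
    """Walk a HijackThis log and collect the entries a helper would act on."""
    findings: List[Finding] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line closes the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            f = check_process(line)
        else:
            f = check_nameserver(line)
            if f is None:
                m = ORPHAN.match(line)
                if m:
                    f = Finding("low", m.group("prefix"),
                                f"orphaned entry, file gone but registry reference remains: {line}")
        if f is not None:
            findings.append(f)
    return findings


def severity_counts(findings: List[Finding]) -> dict:
    """Summarise findings as {severity: count}."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyse_hjt_log(SAMPLE_HJT_LOG):
        print(f"[{f.severity:4}] {f.section:8} {f.detail}")
    print(severity_counts(analyse_hjt_log(SAMPLE_HJT_LOG)))
```

On the sample the script reports four high findings (the Desktop copy of winlogon.exe, the .tmp running from C:\Windows\temp, and the two O17 resolver overrides) and three low orphan entries.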

Re: WIN32/Crypto problem.

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

[Image: CF_download_FF]

[Image: CF_download_rename]

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • Allow Combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click Combofix's window whilst it's running. That may cause it to stall.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: WIN32/Crypto problem.

ComboFix 09-08-10.06 - Becks 13/08/2009 8:54.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.954.67 [GMT 1:00]
Running from: c:\users\Becks\Desktop\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2316167748-4072116333-2837980287-500
c:\$recycle.bin\S-1-5-21-495556611-1600015499-729608983-500
c:\windows\Installer\2634e.msi
c:\windows\Installer\26352.msi
c:\windows\Installer\26356.msi
c:\windows\Installer\2635a.msi
c:\windows\Installer\2635e.msi
c:\windows\Installer\26366.msi
c:\windows\Installer\29c899.msi
c:\windows\system32\drivers\ESQULserv.sys
c:\windows\system32\drivers\UACmvxdxixcbeimoqf.sys
c:\windows\system32\file.exe.tmp
c:\windows\system32\UACeeqspeywqppvwcw.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjixahbvuhtnykhy.log
c:\windows\system32\UACmrqovivmosndihm.log
c:\windows\system32\UACnwxsygpvhxvqfcu.dll
c:\windows\system32\UACskrbqqavpmpkkif.dll
c:\windows\system32\UACteiflxmrnrewoed.dll
c:\windows\system32\UACvolvvtnnmqjyyst.log
c:\windows\system32\UACygpbsibscurptqb.dat
c:\windows\system32\UACyhsejebfiladcwd.dll
c:\windows\TEMP\2279299.tmp


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Service_ESQULserv.sys
-------\Legacy_UACd.sys
-------\Legacy_ESQULserv.sys
-------\Service_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
.

2009-08-13 08:07 . 2009-08-13 08:09 -------- d-----w- c:\users\Becks\AppData\Local\temp
2009-08-13 08:07 . 2009-08-13 08:07 -------- d-----w- c:\users\joanne\AppData\Local\temp
2009-08-13 08:07 . 2009-08-13 08:07 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-12 22:58 . 2009-08-12 22:59 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-12 22:56 . 2009-08-13 07:01 -------- d-----w- c:\progra~2\NOS
2009-08-12 22:56 . 2009-08-12 22:56 -------- d-----w- c:\program files\NOS
2009-08-12 22:52 . 2009-08-13 06:53 -------- d-----w- c:\users\Becks\AppData\Local\Adobe
2009-08-12 22:43 . 2009-08-12 22:42 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-12 22:16 . 2009-08-12 22:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-12 22:16 . 2009-08-12 22:16 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-08-11 16:57 . 2009-08-12 18:53 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-11 16:35 . 2009-08-11 16:35 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-11 16:35 . 2009-08-11 16:35 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-11 16:34 . 2009-08-11 16:34 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-11 16:34 . 2009-08-11 16:34 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-11 16:34 . 2009-08-13 07:08 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-11 16:34 . 2009-08-11 16:38 -------- d-----w- c:\progra~2\AVG Security Toolbar
2009-08-11 16:33 . 2009-08-11 16:33 -------- d-----w- c:\program files\AVG
2009-08-11 16:33 . 2009-08-11 17:58 -------- d-----w- c:\progra~2\avg8
2009-08-11 16:29 . 2009-08-11 16:29 -------- d-----w- c:\users\Becks\AppData\Roaming\AVG8
2009-08-11 12:33 . 2009-08-11 12:33 -------- d-----w- c:\program files\CCleaner
2009-08-06 16:20 . 2009-08-11 16:19 -------- d-----w- c:\progra~2\Symantec
2009-08-06 16:01 . 2009-08-11 16:16 -------- d-----w- c:\users\Becks\AppData\Roaming\Symantec
2009-08-06 15:57 . 2009-08-06 15:57 -------- d-----w- c:\users\joanne\AppData\Roaming\Symantec
2009-08-06 15:43 . 2009-08-11 16:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-02 10:30 . 2009-08-02 10:30 -------- d-----w- C:\54e62fa3758e5967869c6918db
2009-08-02 10:29 . 2009-08-02 10:29 -------- d-----w- c:\windows\CheckSur

Re: WIN32/Crypto problem.

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 07:33 . 2009-05-01 21:40 -------- d-----w- c:\users\Becks\AppData\Roaming\Skype
2009-08-13 07:01 . 2009-05-28 08:11 -------- d-----w- c:\users\Becks\AppData\Roaming\skypePM
2009-08-12 22:42 . 2008-10-25 10:56 -------- d-----w- c:\program files\Java
2009-08-11 15:20 . 2008-10-25 10:59 -------- d-----w- c:\program files\SMINST
2009-08-11 12:26 . 2009-03-22 15:53 75264 ----a-w- c:\users\Becks\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-10 17:54 . 2009-06-28 10:21 1356 ----a-w- c:\users\joanne\AppData\Local\d3d9caps.dat
2009-08-06 16:19 . 2009-04-05 12:37 5972 ----a-w- c:\users\Becks\AppData\Local\d3d9caps.dat
2009-08-06 15:38 . 2008-10-25 09:43 -------- d-----w- c:\progra~2\NortonInstaller
2009-07-18 16:06 . 2009-08-01 16:16 827904 ----a-w- c:\windows\system32\wininet.dll
2009-07-18 16:01 . 2009-08-01 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 09:46 . 2009-08-01 16:16 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-06-30 14:36 . 2009-08-11 15:21 18696 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryReplaceNew.exe
2009-06-30 14:10 . 2009-08-11 15:21 18696 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryNoTravel.exe
2009-06-30 14:03 . 2009-08-11 15:21 18696 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryAccessories.exe
2009-06-30 11:44 . 2009-08-11 15:21 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryWeakNew.exe
2009-06-26 17:36 . 2009-08-11 15:21 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryUpgrade.exe
2009-06-15 15:24 . 2009-08-01 16:16 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-08-01 16:16 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-08-01 16:16 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-08-01 16:16 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-05-28 08:11 . 2009-05-28 08:11 56 ---ha-w- c:\progra~2\ezsidmv.dat
2009-05-16 21:28 . 2009-05-16 21:28 75264 ----a-w- c:\users\joanne\AppData\Local\GDIPFONTCACHEV1.DAT
2008-10-25 10:06 . 2008-10-25 09:56 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-04-30 22058792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-10 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-10 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-10 145944]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-12 149280]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-11 2000152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BE84A22B-3368-40C2-A7BD-588693C61C4D}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{890C8E91-63B9-4019-BC60-DE848C539F51}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{44CD7D4F-A031-47BA-A7C1-1CE0D8146DE4}"= c:\program files\CyberLink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{7D2C9C0C-B797-42DD-8307-62AB3DCF71CC}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{A7CDA6AF-2AD8-4D9B-84F2-362CC1A2D799}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{CCBE1A03-E39E-4B63-BB79-B8AF38672587}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{AFDDB794-50D9-4AB0-9F92-67DF32524B4B}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{934CC6AA-A7C8-47CA-A9C7-62FA8B566CE2}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9BB57742-4736-4EC8-83AB-0345FF642200}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{66DF6751-6A64-47E2-B7BD-ABDA0E18702D}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{E9D579BE-17A0-457E-96F6-502E032DE411}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{724A4421-2BFD-4AF5-B75E-926666AA1F1D}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{0E6BD4EA-14AF-44B8-8CFA-30B3C116C088}"= UDP:c:\users\Becks\AppData\Local\Temp\7zSE456.tmp\SymNRT.exe:Norton Removal Tool
"{EC4237A3-F711-41C4-952F-10374D170946}"= TCP:c:\users\Becks\AppData\Local\Temp\7zSE456.tmp\SymNRT.exe:Norton Removal Tool
"{30F4915F-FC40-4CE3-AE72-D3407ECD3FE3}"= UDP:c:\users\Becks\AppData\Local\Temp\7zSBCBA.tmp\SymNRT.exe:Norton Removal Tool
"{DF21C9CE-C2A0-408B-B60A-DC6506AE61AB}"= TCP:c:\users\Becks\AppData\Local\Temp\7zSBCBA.tmp\SymNRT.exe:Norton Removal Tool
"{C34B2A38-B522-44D2-B818-2B35E0484203}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{85C1DEC2-D2A3-45F7-841A-4F14D889D871}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{27A66526-3CDE-4D5A-A605-55828C30025A}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [11/08/2009 17:34 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [11/08/2009 17:35 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/08/2009 17:33 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/08/2009 17:33 297752]
R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [21/01/2008 03:33 21504]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [25/10/2008 11:59 365952]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [29/06/2008 15:52 112128]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [25/10/2008 10:56 193840]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [12/08/2009 23:56 66056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.

Re: WIN32/Crypto problem.

------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-13 09:09
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-495556611-1600015499-729608983-1000\Software\AppDataLow\Software\Fun Web Products\Settings]
@DACL=(02 0000)
@SACL=(02 0001)

[HKEY_USERS\S-1-5-21-495556611-1600015499-729608983-1000\Software\AppDataLow\Software\Fun Web Products\Settings\CursorManiaBtn]
@DACL=(02 0000)
@SACL=(02 0001)
"LastHTMLMenuURL"="http://www.mywebface.com/menus/CursorChooser.html"
"HTMLMenuRevision"="300"
"ETag"="\"249f-225c6-4a79aa4f\""

[HKEY_USERS\S-1-5-21-495556611-1600015499-729608983-1000\Software\AppDataLow\Software\Fun Web Products\Settings\MyFunCardsIMBtn]
@DACL=(02 0000)
@SACL=(02 0001)
"LastHTMLMenuURL"="http://www.mywebface.com/menus/MyFunCards_en.html.gz"
"HTMLMenuRevision"="286"
"ETag"="\"bffb8f-1813-48ecea36\""

[HKEY_USERS\S-1-5-21-495556611-1600015499-729608983-1000\Software\AppDataLow\Software\Fun Web Products\Settings\WebfettiBtn]
@DACL=(02 0000)
@SACL=(02 0001)
"LastHTMLMenuURL"="http://www.mywebface.com/menus/WebfettiChooser_en.html"
"HTMLMenuRevision"="287"
"ETag"="\"4a6eeb-876ea-49d524f4\""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\wlanext.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
.
**************************************************************************
.
Completion time: 2009-08-13 9:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-13 08:19

Pre-Run: 121,033,207,808 bytes free
Post-Run: 121,049,120,768 bytes free

260 --- E O F --- 2009-08-11 14:48

Re: WIN32/Crypto problem.

Hello.

Now open a new notepad file.
Input this into the notepad file:

Driver::
ezSharedSvc

NetSvc::
ezSharedSvc

RegLock::
[HKEY_USERS\S-1-5-21-495556611-1600015499-729608983-1000\Software\AppDataLow\Software\Fun Web Products\Settings]
[HKEY_USERS\S-1-5-21-495556611-1600015499-729608983-1000\Software\AppDataLow\Software\Fun Web Products\Settings\CursorManiaBtn]
[HKEY_USERS\S-1-5-21-495556611-1600015499-729608983-1000\Software\AppDataLow\Software\Fun Web Products\Settings\MyFunCardsIMBtn]
[HKEY_USERS\S-1-5-21-495556611-1600015499-729608983-1000\Software\AppDataLow\Software\Fun Web Products\Settings\WebfettiBtn]


Save this as CFScript.txt, and save it to your desktop.
Then drag and drop CFScript.txt onto Combofix as seen below:

[Image: Sfxdaw]

This will open Combofix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: WIN32/Crypto problem.

ok here is the new log!

ComboFix 09-08-10.06 - Becks 13/08/2009 19:19.2.2 - NTFSx86
Microsoft®️ Windows Vista™️ Home Basic 6.0.6001.1.1252.44.1033.18.954.313 [GMT 1:00]
Running from: c:\users\Becks\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Becks\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ezSharedSvc


((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
.

2009-08-13 18:30 . 2009-08-13 18:30 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-08-13 18:30 . 2009-08-13 18:30 -------- d-----w- c:\users\joanne\AppData\Local\temp
2009-08-13 18:30 . 2009-08-13 18:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-13 18:15 . 2009-08-13 18:15 -------- d-----w- c:\windows\LastGood.Tmp
2009-08-13 08:07 . 2009-08-13 18:33 -------- d-----w- c:\users\Becks\AppData\Local\temp
2009-08-12 22:58 . 2009-08-12 22:59 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-12 22:56 . 2009-08-13 07:01 -------- d-----w- c:\progra~2\NOS
2009-08-12 22:56 . 2009-08-12 22:56 -------- d-----w- c:\program files\NOS
2009-08-12 22:52 . 2009-08-13 06:53 -------- d-----w- c:\users\Becks\AppData\Local\Adobe
2009-08-12 22:43 . 2009-08-12 22:42 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-12 22:16 . 2009-08-12 22:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-12 22:16 . 2009-08-12 22:16 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-08-11 16:57 . 2009-08-12 18:53 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-11 16:35 . 2009-08-11 16:35 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-11 16:35 . 2009-08-11 16:35 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-08-11 16:34 . 2009-08-11 16:34 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-11 16:34 . 2009-08-11 16:34 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-11 16:34 . 2009-08-13 07:08 -------- d-----w- c:\windows\system32\drivers\Avg
2009-08-11 16:34 . 2009-08-11 16:38 -------- d-----w- c:\progra~2\AVG Security Toolbar
2009-08-11 16:33 . 2009-08-11 16:33 -------- d-----w- c:\program files\AVG
2009-08-11 16:33 . 2009-08-11 17:58 -------- d-----w- c:\progra~2\avg8
2009-08-11 16:29 . 2009-08-11 16:29 -------- d-----w- c:\users\Becks\AppData\Roaming\AVG8
2009-08-11 12:33 . 2009-08-11 12:33 -------- d-----w- c:\program files\CCleaner
2009-08-06 16:20 . 2009-08-11 16:19 -------- d-----w- c:\progra~2\Symantec
2009-08-06 16:01 . 2009-08-11 16:16 -------- d-----w- c:\users\Becks\AppData\Roaming\Symantec
2009-08-06 15:57 . 2009-08-06 15:57 -------- d-----w- c:\users\joanne\AppData\Roaming\Symantec
2009-08-06 15:43 . 2009-08-11 16:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-02 10:30 . 2009-08-02 10:30 -------- d-----w- C:\54e62fa3758e5967869c6918db
2009-08-02 10:29 . 2009-08-02 10:29 -------- d-----w- c:\windows\CheckSur

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 18:35 . 2009-05-28 08:11 -------- d-----w- c:\users\Becks\AppData\Roaming\skypePM
2009-08-13 18:29 . 2009-05-01 21:40 -------- d-----w- c:\users\Becks\AppData\Roaming\Skype
2009-08-12 22:42 . 2008-10-25 10:56 -------- d-----w- c:\program files\Java
2009-08-11 15:20 . 2008-10-25 10:59 -------- d-----w- c:\program files\SMINST
2009-08-11 12:26 . 2009-03-22 15:53 75264 ----a-w- c:\users\Becks\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-10 17:54 . 2009-06-28 10:21 1356 ----a-w- c:\users\joanne\AppData\Local\d3d9caps.dat
2009-08-06 16:19 . 2009-04-05 12:37 5972 ----a-w- c:\users\Becks\AppData\Local\d3d9caps.dat
2009-08-06 15:38 . 2008-10-25 09:43 -------- d-----w- c:\progra~2\NortonInstaller
2009-07-18 16:06 . 2009-08-01 16:16 827904 ----a-w- c:\windows\system32\wininet.dll
2009-07-18 16:01 . 2009-08-01 16:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 09:46 . 2009-08-01 16:16 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-06-30 14:36 . 2009-08-11 15:21 18696 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryReplaceNew.exe
2009-06-30 14:10 . 2009-08-11 15:21 18696 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryNoTravel.exe
2009-06-30 14:03 . 2009-08-11 15:21 18696 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryAccessories.exe
2009-06-30 11:44 . 2009-08-11 15:21 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryWeakNew.exe
2009-06-26 17:36 . 2009-08-11 15:21 18184 ----a-w- c:\windows\Help\OEM\scripts\HC_BatteryUpgrade.exe
2009-06-15 15:24 . 2009-08-01 16:16 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-08-01 16:16 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-08-01 16:16 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-08-01 16:16 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-05-28 08:11 . 2009-05-28 08:11 56 ---ha-w- c:\progra~2\ezsidmv.dat
2009-05-16 21:28 . 2009-05-16 21:28 75264 ----a-w- c:\users\joanne\AppData\Local\GDIPFONTCACHEV1.DAT
2008-10-25 10:06 . 2008-10-25 09:56 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-08-13_08.09.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 02:34 . 2008-01-21 02:34 31232 c:\windows\winsxs\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_6.0.6002.18049_none_93f62b2f8600b455\msvidc32.dll
+ 2006-11-02 09:03 . 2006-11-02 09:46 12800 c:\windows\winsxs\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_6.0.6002.18049_none_93f62b2f8600b455\msrle32.dll
+ 2006-11-02 09:03 . 2006-11-02 09:46 82944 c:\windows\winsxs\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_6.0.6002.18049_none_93f62b2f8600b455\mciavi32.dll
+ 2006-11-02 09:03 . 2006-11-02 09:46 65024 c:\windows\winsxs\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_6.0.6002.18049_none_93f62b2f8600b455\avicap32.dll
+ 2008-01-21 02:34 . 2008-01-21 02:34 31232 c:\windows\winsxs\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_6.0.6001.18270_none_91e6450388fad1ce\msvidc32.dll
+ 2006-11-02 09:03 . 2006-11-02 09:46 12800 c:\windows\winsxs\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_6.0.6001.18270_none_91e6450388fad1ce\msrle32.dll
+ 2006-11-02 09:03 . 2006-11-02 09:46 82944 c:\windows\winsxs\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_6.0.6001.18270_none_91e6450388fad1ce\mciavi32.dll
+ 2006-11-02 09:03 . 2006-11-02 09:46 65024 c:\windows\winsxs\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_6.0.6001.18270_none_91e6450388fad1ce\avicap32.dll
+ 2008-01-21 02:34 . 2008-01-21 02:34 53248 c:\windows\winsxs\x86_microsoft-windows-t..s-clientactivexcore_31bf3856ad364e35_6.0.6001.18266_none_2fb32dbcc5d3707b\tsgqec.dll
+ 2008-01-21 01:58 . 2009-08-13 08:38 44826 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2009-08-13 08:39 86140 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-10-25 09:58 . 2008-10-25 09:58 12288 c:\windows\System32\drivers\hidusb.sys
- 2008-01-21 02:32 . 2008-01-21 02:32 12288 c:\windows\System32\drivers\hidusb.sys
+ 2008-10-25 09:58 . 2008-10-25 09:58 25728 c:\windows\System32\drivers\hidparse.sys
+ 2008-10-25 09:58 . 2008-10-25 09:58 39936 c:\windows\System32\drivers\hidclass.sys
- 2009-01-13 21:54 . 2009-08-13 08:09 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-01-13 21:54 . 2009-08-13 08:37 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-01-13 21:54 . 2009-08-13 08:37 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-13 21:54 . 2009-08-13 08:09 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-13 21:54 . 2009-08-13 08:09 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-01-13 21:54 . 2009-08-13 08:37 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-13 18:15 . 2008-01-21 02:32 12288 c:\windows\LastGood.Tmp\system32\DRIVERS\hidusb.sys
+ 2009-08-13 18:15 . 2008-01-21 02:32 25472 c:\windows\LastGood.Tmp\system32\DRIVERS\hidparse.sys
+ 2009-08-13 18:15 . 2008-01-21 02:32 38912 c:\windows\LastGood.Tmp\system32\DRIVERS\hidclass.sys
+ 2009-03-22 15:48 . 2009-08-13 08:39 8854 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-495556611-1600015499-729608983-1000_UserData.bin
+ 2008-01-21 02:34 . 2008-01-21 02:34 123904 c:\windows\winsxs\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_6.0.6002.18049_none_93f62b2f8600b455\msvfw32.dll
+ 2008-01-21 02:34 . 2008-01-21 02:34 123904 c:\windows\winsxs\x86_microsoft-windows-video-for-windows_31bf3856ad364e35_6.0.6001.18270_none_91e6450388fad1ce\msvfw32.dll
+ 2008-01-21 02:34 . 2008-01-21 02:34 136192 c:\windows\winsxs\x86_microsoft-windows-t..s-clientactivexcore_31bf3856ad364e35_6.0.6001.18266_none_2fb32dbcc5d3707b\aaclient.dll
+ 2009-03-22 17:27 . 2009-08-13 18:02 243136 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2009-04-30 07:01 . 2009-08-13 07:53 171984 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-04-30 07:01 . 2009-08-13 18:31 171984 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-08-13 08:07 . 2009-08-13 08:07 204800 c:\windows\ERDNT\subs\Users\00000002\NTUSER.DAT
+ 2009-08-13 18:30 . 2009-08-13 18:30 204800 c:\windows\ERDNT\subs\Users\00000002\NTUSER.DAT
- 2009-08-13 08:07 . 2009-08-13 08:07 204800 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-13 18:30 . 2009-08-13 18:30 204800 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2006-11-02 10:22 . 2009-08-13 18:30 6037504 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2009-08-13 18:30 . 2009-08-13 18:30 2392064 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-13 08:07 . 2009-08-13 08:07 2392064 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-13 08:07 . 2009-08-13 08:07 2043904 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-13 18:30 . 2009-08-13 18:30 2043904 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-13 18:30 . 2009-08-13 18:30 6037504 c:\windows\ERDNT\subs\SCHEMA.DAT
+ 2009-08-13 18:18 . 2009-08-13 18:18 6037504 c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
+ 2009-06-02 21:08 . 2009-08-13 18:08 68280822 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin

Re: WIN32/Crypto problem.

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-04-30 22058792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-10 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-10 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-10 145944]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-12 149280]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-11 2000152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BE84A22B-3368-40C2-A7BD-588693C61C4D}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{890C8E91-63B9-4019-BC60-DE848C539F51}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{44CD7D4F-A031-47BA-A7C1-1CE0D8146DE4}"= c:\program files\CyberLink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{7D2C9C0C-B797-42DD-8307-62AB3DCF71CC}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{A7CDA6AF-2AD8-4D9B-84F2-362CC1A2D799}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{CCBE1A03-E39E-4B63-BB79-B8AF38672587}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{AFDDB794-50D9-4AB0-9F92-67DF32524B4B}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{934CC6AA-A7C8-47CA-A9C7-62FA8B566CE2}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9BB57742-4736-4EC8-83AB-0345FF642200}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{66DF6751-6A64-47E2-B7BD-ABDA0E18702D}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{E9D579BE-17A0-457E-96F6-502E032DE411}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{724A4421-2BFD-4AF5-B75E-926666AA1F1D}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{0E6BD4EA-14AF-44B8-8CFA-30B3C116C088}"= UDP:c:\users\Becks\AppData\Local\Temp\7zSE456.tmp\SymNRT.exe:Norton Removal Tool
"{EC4237A3-F711-41C4-952F-10374D170946}"= TCP:c:\users\Becks\AppData\Local\Temp\7zSE456.tmp\SymNRT.exe:Norton Removal Tool
"{30F4915F-FC40-4CE3-AE72-D3407ECD3FE3}"= UDP:c:\users\Becks\AppData\Local\Temp\7zSBCBA.tmp\SymNRT.exe:Norton Removal Tool
"{DF21C9CE-C2A0-408B-B60A-DC6506AE61AB}"= TCP:c:\users\Becks\AppData\Local\Temp\7zSBCBA.tmp\SymNRT.exe:Norton Removal Tool
"{C34B2A38-B522-44D2-B818-2B35E0484203}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{85C1DEC2-D2A3-45F7-841A-4F14D889D871}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{27A66526-3CDE-4D5A-A605-55828C30025A}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [11/08/2009 17:34 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [11/08/2009 17:35 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [11/08/2009 17:33 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/08/2009 17:33 297752]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [25/10/2008 11:59 365952]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [25/10/2008 10:56 193840]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [29/06/2008 15:52 112128]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [12/08/2009 23:56 66056]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_gb&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\wlanext.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\System32\drivers\XAudio.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
c:\program files\Hewlett-Packard\Shared\HpqToaster.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\program files\Hewlett-Packard\HP Advisor\SSDK04.exe
.
**************************************************************************
.
Completion time: 2009-08-13 19:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-13 18:43
ComboFix2.txt 2009-08-13 08:19

Pre-Run: 120,902,402,048 bytes free
Post-Run: 120,876,969,984 bytes free

257 --- E O F --- 2009-08-11 14:48
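The "Reg Loading Points" and FirewallRules sections of the log above are where a helper looks first: every Run value and firewall exception names a path, and an autostart that runs from Temp, the Desktop, or that borrows a core Windows process name while living outside c:\windows is worth a second look. The script below is an added example written for this page, not the thread's own code and not part of ComboFix; it parses lines in the same `"name"="path" [date size]` and `"{guid}"= PROTO:path:description` shapes the log uses, runs over a constructed sample (the GUIDs, user name and the two flagged entries are made up to exercise the checks), and reports which entries hit a heuristic. The regular expressions are my reading of the log format, not a published specification.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample modelled on the Run and FirewallRules sections of a
# ComboFix log. The paths, user name and GUIDs are invented for this example.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-04-30 22058792]
"Updater"="c:\users\example\AppData\Local\Temp\svchost.exe" [2009-08-12 40960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-10 150040]
"winlogon"="c:\users\example\Desktop\winlogon.exe" [2009-08-11 73728]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{00000000-0000-0000-0000-000000000001}"= UDP:c:\users\example\AppData\Local\Temp\7zSXXXX.tmp\SymNRT.exe:Norton Removal Tool
"{00000000-0000-0000-0000-000000000002}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"""


@dataclass
class AutostartEntry:
    source: str                                   # registry key the line sat under
    name: str                                     # value name or firewall rule GUID
    path: str                                     # executable path as written in the log
    reasons: List[str] = field(default_factory=list)  # heuristics that fired


KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "Name"="c:\path\prog.exe" [2009-08-12 40960]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
# "{GUID}"= UDP:c:\path\prog.exe:Description  (protocol prefix is optional)
FW_RE = re.compile(
    r'^"(?P<name>\{[0-9A-Fa-f-]+\})"=\s*(?:(?:TCP|UDP):)?(?P<path>.+?):(?P<desc>[^:]+)$'
)

# User-writable locations from which legitimate autostarts rarely run.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\desktop\\")
# Core Windows process names; a copy outside c:\windows is a classic masquerade.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                "services.exe", "explorer.exe"}


def parse_combofix_autostarts(text: str) -> List[AutostartEntry]:
    """Collect Run values and firewall exceptions from a ComboFix-style log."""
    entries: List[AutostartEntry] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        lower_key = current_key.lower()
        if lower_key.endswith("\\run"):
            m = RUN_RE.match(line)
            if m:
                entries.append(AutostartEntry(current_key, m.group("name"), m.group("path")))
        elif "firewallrules" in lower_key:
            m = FW_RE.match(line)
            if m:
                entries.append(AutostartEntry(current_key, m.group("name"), m.group("path")))
    return entries


def flag_suspicious(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    """Return the entries that hit at least one heuristic, with reasons filled in."""
    flagged: List[AutostartEntry] = []
    for entry in entries:
        reasons: List[str] = []
        lowered = entry.path.lower()
        for directory in SUSPICIOUS_DIRS:
            if directory in lowered:
                reasons.append("runs from user-writable location " + directory.strip("\\"))
        basename = lowered.rsplit("\\", 1)[-1]
        if basename in SYSTEM_NAMES and not lowered.startswith("c:\\windows\\"):
            reasons.append("system process name " + basename + " outside c:\\windows")
        entry.reasons = reasons
        if reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in flag_suspicious(parse_combofix_autostarts(SAMPLE_LOG)):
        print(entry.name + ": " + entry.path)
        for reason in entry.reasons:
            print("   - " + reason)
```

Running it on the sample prints the Temp-resident "Updater", the Desktop copy of winlogon.exe (which trips both checks) and the Norton Removal Tool firewall rule pointing into Temp; the Skype, IgfxTray and OneNote entries pass. A hit is a prompt to check the file's publisher, hash and creation date, not a verdict: the removal tool rule in the sample is the kind of legitimate leftover a helper would recognise and clear rather than treat as an infection.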

Re: WIN32/Crypto problem.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

[screenshot: ComboFix /u uninstall dialog]

This will also reset your restore points.

How is the machine running now?


Re: WIN32/Crypto problem.

It's running fantastic now, mate. Thanks for all the help.

Now to get it secure so they don't do it again.
What's best? It currently has MBAM and AVG on the machine.

Re: WIN32/Crypto problem.

Keep both of them. MBAM is only an antispyware, not an antivirus.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio or Outpost.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

