win32\cryptor

Hi, I have the win32\cryptor virus and I can't seem to get rid of it. I identified it using AVG but it doesn't get rid of it. I currently have SpywareBlaster and Spyware Doctor installed as well. I looked online and installed Malwarebytes, but even after changing the file name it runs for 5 seconds and then the program shuts off. I tried using the software in Safe Mode but it still has the same problem, either turning off or not loading at all.

Here's my AVG result:

"\\?\globalroot\systemroot\system32\UACegsppalete.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACegsppalete.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACxfjlnkvcnp.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACxfjlnkvcnp.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACxfjlnkvcnp.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\Program Files\Internet Explorer\iexplore.exe (1912)";"Virus found Win32/Cryptor";""
"C:\WINDOWS\explorer.exe (3708)";"Virus found Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (1208)";"Virus found Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (1264)";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\WINDOWS\system32\svchost.exe (1552)";"Virus found Win32/Cryptor";"Moved to Virus Vault"

Any help would be appreciated.

Re: win32\cryptor

Hello,

Please read this: http://www.geekpolice.net/-t3821.htm

And post your HijackThis log here.

Re: win32\cryptor

Hi, I was not able to download the latest Windows updates as the virus stopped me from visiting the website.

Also, I was able to download HijackThis, but once I pressed the 'Do a system scan and save a profile' button the system scanned for a couple of seconds and then turned off. Now I can't load HijackThis. I think the virus is stopping me from using this program.

Re: win32\cryptor

Hello.

  • Download ComboFix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: win32\cryptor

Hi Belahzur, thanks for deciding to help me. I have sent the log in 2 replies as the forum states the message is too big. Here's my ComboFix log:

ComboFix 09-09-06.02 - Kamal 06/09/2009 21:27.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1595 [GMT 1:00]
Running from: c:\documents and settings\Kamal\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
ADS - WINDOWS: deleted 48 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kamal\Application Data\inst.exe
c:\documents and settings\Kamal\Application Data\IUpd721
c:\documents and settings\Kamal\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\windows\igfxexl.exe
c:\windows\Installer\394ef.msi
c:\windows\Installer\7f26e.msi
c:\windows\system32\drivers\UACtueqxnsmbe.sys
c:\windows\system32\pac.txt
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\UACegsppalete.dll
c:\windows\system32\UACetdcfmletx.db
c:\windows\system32\UACfdbxtssfvw.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACxenxrpqfwb.dll
c:\windows\system32\UACxfjlnkvcnp.dll
c:\windows\system32\UACxmnyoaeuvr.dll
c:\windows\system32\uninstall.exe

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-09-06 17:12 . 2009-09-06 17:12 -------- d-----w- c:\program files\tricker
2009-09-04 21:02 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-04 21:02 . 2009-04-03 09:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-04 21:02 . 2008-12-18 10:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-04 21:02 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-04 21:02 . 2009-09-04 21:03 -------- d-----w- c:\program files\Spyware Doctor
2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\Kamal\Application Data\PC Tools
2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-04 21:00 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\Kamal\Application Data\GetRightToGo
2009-09-04 17:32 . 2009-09-04 17:32 -------- d-----w- c:\documents and settings\Kamal\Application Data\Malwarebytes
2009-09-04 17:28 . 2009-09-04 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-04 17:08 . 2009-09-04 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-04 17:04 . 2009-09-04 17:04 -------- d-----w- c:\documents and settings\Kamal\Application Data\SUPERAntiSpyware.com
2009-08-31 19:47 . 2009-08-31 19:47 40156 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-31 19:46 . 2009-09-01 02:59 -------- d-----w- c:\program files\Safari
2009-08-27 13:44 . 2009-08-27 13:44 -------- d-----w- c:\documents and settings\Kamal\Local Settings\Application Data\Help
2009-08-26 10:44 . 2009-08-26 10:45 -------- d-----w- c:\program files\SpywareBlaster
2009-08-24 17:52 . 2009-08-24 17:52 -------- d-----w- C:\CloneDVDTemp
2009-08-24 17:46 . 2009-08-24 17:46 -------- d-----w- c:\program files\Elaborate Bytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-06 20:34 . 2008-10-02 21:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-06 20:22 . 2004-08-04 12:00 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-09-06 20:07 . 2009-09-06 20:07 4096 ----a-w- c:\windows\system32\02.tmp
2009-09-06 16:50 . 2008-10-02 22:00 -------- d-----w- c:\program files\Java
2009-09-06 16:46 . 2008-12-24 05:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-04 20:56 . 2008-10-04 18:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-04 20:56 . 2008-10-04 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-04 16:59 . 2009-09-04 16:59 4096 ----a-w- c:\windows\system32\01.tmp
2009-08-31 19:47 . 2008-10-02 21:09 -------- d-----w- c:\documents and settings\Kamal\Application Data\Apple Computer
2009-08-29 23:49 . 2008-10-02 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-25 03:40 . 2009-02-14 23:59 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-24 18:05 . 2009-02-14 23:56 -------- d-----w- c:\documents and settings\Kamal\Application Data\DVD Flick
2009-08-24 17:42 . 2009-02-15 00:08 -------- d-----w- c:\documents and settings\Kamal\Application Data\Vso
2009-08-24 17:42 . 2009-02-15 00:08 47360 ----a-w- c:\documents and settings\Kamal\Application Data\pcouffin.sys
2009-08-20 13:03 . 2008-10-02 02:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-20 13:03 . 2008-10-02 02:47 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-20 13:03 . 2008-10-02 02:14 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-04-14 00:11 . 2004-08-04 12:00 155858 --sha-r- c:\windows\system32\jmygdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-02 39408]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2008-10-02 3061248]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-20 2007832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-02 185872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 933888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-06 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-09-24 16859648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2009-1-23 36864]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2007-9-12 1527808]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-10-12 802816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 13:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18635:TCP"= 18635:TCP:BitComet 18635 TCP
"18635:UDP"= 18635:UDP:BitComet 18635 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"7937:TCP"= 7937:TCP:wxmzdzju

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [04/09/2009 22:02 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [02/10/2008 03:47 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [02/10/2008 03:47 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [02/10/2008 03:47 297752]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [23/04/2007 14:11 224896]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [02/10/2008 03:47 908056]
S2 tawdl;Time Update;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
S3 qycxkvvx;qycxkvvx;c:\windows\system32\01.tmp [04/09/2009 17:59 4096]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [04/09/2009 22:02 348752]
S3 wgpzwosp;wgpzwosp;c:\windows\system32\02.tmp [06/09/2009 21:07 4096]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tawdl
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\you.exe

Re: win32\cryptor

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kamal\Application Data\Mozilla\Firefox\Profiles\ojloqkkv.default\
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPStreamPlug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-06 21:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\qycxkvvx]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wgpzwosp]
"ImagePath"="\??\c:\windows\system32\02.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tawdl]
"ServiceDll"="c:\windows\system32\jmygdh.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-2025429265-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5b,9f,6a,5d,5d,f8,cc,e5,44,2d,d4,5c,a5,d1,ca,0f,9e,14,22,00,25,5d,d1,
9e,1d,48,9c,d8,ad,5c,61,0e,17,69,bf,de,9a,a6,a2,7a,3a,45,6d,45,d4,4f,76,58,\
"??"=hex:d5,f6,16,19,1a,6e,1b,03,b0,eb,27,9b,fc,0d,e8,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1904)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MagicTune Premium\MagicTuneEngine.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\MagicTune Premium\MagicTune.exe
.
**************************************************************************
.
Completion time: 2009-09-06 21:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-06 20:37

Pre-Run: 211,205,881,856 bytes free
Post-Run: 213,650,276,352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

257 --- E O F --- 2009-02-13 14:09

Re: win32\cryptor

Now open a new Notepad file.
Input this into the Notepad file:

File::
c:\windows\system32\02.tmp
c:\windows\system32\01.tmp
c:\windows\system32\jmygdh.dll

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18635:TCP"=-
"18635:UDP"=-
"7937:TCP"=-

NetSvcs::
tawdl

Driver::
qycxkvvx
wgpzwosp

Firefox::
FF - ProfilePath - c:\documents and settings\Kamal\Application Data\Mozilla\Firefox\Profiles\ojloqkkv.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll



Save this as CFScript.txt on your desktop.
Then drag and drop CFScript.txt onto ComboFix.

This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done (it will warn you if it wants to).
Post the resulting log back here.
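For anyone reading this thread later: the CFScript above was written by hand from three things visible in the log, the two services whose binary is a .tmp file in system32 (qycxkvvx, wgpzwosp), the svchost netsvcs member (tawdl) whose ServiceDll is a random-named DLL (jmygdh.dll), and a globally open firewall port (7937:TCP) described only by a random string. The Python below is an added example, not code from this thread, from ComboFix or from its author. It pulls those three indicators out of ComboFix-style log lines and renders them in the CFScript layout used in the post above (File::, Registry::, NetSvcs::, Driver::). The sample lines are constructed from the shape of the posted log, the looks_random name test is a crude heuristic of my own, and nothing here is ComboFix's actual detection logic.

```python
"""Triage a ComboFix-style log for the indicators acted on in the thread above.

Added example, not code from ComboFix or its author. Sample lines are
constructed in the shape of the posted log; looks_random() is my own heuristic.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: legitimate entries (AVG, BitComet) mixed with the
# suspicious ones from the posted log, in the same line layout.
SAMPLE_LOG = r"""
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [02/10/2008 03:47 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [02/10/2008 03:47 908056]
S2 tawdl;Time Update;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
S3 qycxkvvx;qycxkvvx;c:\windows\system32\01.tmp [04/09/2009 17:59 4096]
S3 wgpzwosp;wgpzwosp;c:\windows\system32\02.tmp [06/09/2009 21:07 4096]
"18635:TCP"= 18635:TCP:BitComet 18635 TCP
"7937:TCP"= 7937:TCP:wxmzdzju
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tawdl]
"ServiceDll"="c:\windows\system32\jmygdh.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\qycxkvvx]
"ImagePath"="\??\c:\windows\system32\01.tmp"
"""

SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.*?) \[[^\]]*\]$")
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=\s*\d+:(?:TCP|UDP):(.*)$')
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"(ServiceDll|ImagePath)"="(.*)"$')


@dataclass
class Finding:
    kind: str    # "driver", "netsvcs", "file" or "port": the CFScript section it maps to
    name: str    # service name, firewall key or file path
    reason: str


def looks_random(name: str) -> bool:
    """Crude heuristic for machine-generated names such as qycxkvvx or jmygdh:
    five or more lowercase letters with at most one vowel. Product names in the
    log carry uppercase letters, digits or spaces and fall through."""
    return bool(re.fullmatch(r"[a-z]{5,}", name)) and sum(c in "aeiou" for c in name) <= 1


def triage(log_text: str) -> List[Finding]:
    """Correlate the service list, the firewall exceptions and the per-service
    registry dump, then apply three checks matching what was removed above."""
    services: Dict[str, Dict[str, str]] = {}
    ports: Dict[str, str] = {}
    current = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            _, name, display, image = m.groups()
            services.setdefault(name.lower(), {"name": name, "display": display, "image": image})
            continue
        m = PORT_RE.match(line)
        if m:
            ports[m.group(1)] = m.group(2)
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            services.setdefault(current, {"name": m.group(1), "display": "", "image": ""})
            continue
        m = VALUE_RE.match(line)
        if m and current:
            services[current][m.group(1)] = m.group(2)

    findings: List[Finding] = []
    for svc in services.values():
        name, display = svc["name"], svc["display"]
        # the registry ImagePath carries a "\??\" prefix; strip it before comparing
        exe = (svc["image"] or svc.get("ImagePath", "").lstrip("\\?")).lower()
        if exe.endswith(".tmp"):
            # 1. a service whose binary is a .tmp file in system32 is not a real driver
            findings.append(Finding("driver", name, f"service binary is a temp file: {exe}"))
            findings.append(Finding("file", exe, f"binary of service {name}"))
        elif display == name and looks_random(name):
            # 2. machine-generated name reused verbatim as the display name
            findings.append(Finding("driver", name, "random-looking name, no display name"))
        dll = svc.get("ServiceDll", "").lower()
        if "-k netsvcs" in exe and dll:
            # 3. a svchost netsvcs member whose ServiceDll has a random-looking name
            stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if looks_random(stem):
                findings.append(Finding("netsvcs", name, f"netsvcs member loads {dll}"))
                findings.append(Finding("file", dll, f"ServiceDll of {name}"))
    for key, desc in ports.items():
        # a globally open port whose only description is a random string
        if looks_random(desc):
            findings.append(Finding("port", key, f"firewall exception described only as {desc}"))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Render the findings in the CFScript layout used in the post above."""
    def names(kind: str) -> List[str]:
        return [f.name for f in findings if f.kind == kind]
    out: List[str] = []
    if names("file"):
        out += ["File::", *sorted(set(names("file"))), ""]
    if names("port"):
        out += ["Registry::",
                r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]",
                *(f'"{p}"=-' for p in names("port")), ""]
    if names("netsvcs"):
        out += ["NetSvcs::", *names("netsvcs"), ""]
    if names("driver"):
        out += ["Driver::", *names("driver"), ""]
    return "\n".join(out)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:8} {f.name}: {f.reason}")
    print()
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Note that the helper's script also dropped the two BitComet port exceptions and the RealPlayer Firefox component; this example flags only the randomly named port and the service indicators, so treat its output as a starting point for a person to review against the full log, not something to feed to ComboFix unread.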

Re: win32\cryptor

ComboFix 09-09-06.02 - Kamal 07/09/2009 2:11.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1532 [GMT 1:00]
Running from: c:\documents and settings\Kamal\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Kamal\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\01.tmp"
"c:\windows\system32\02.tmp"
"c:\windows\system32\jmygdh.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
c:\windows\system32\01.tmp
c:\windows\system32\02.tmp
c:\windows\system32\jmygdh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_qycxkvvx
-------\Service_wgpzwosp
-------\Legacy_tawdl
-------\Service_tawdl


((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-06 17:12 . 2009-09-06 17:12 -------- d-----w- c:\program files\tricker
2009-09-04 21:02 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-04 21:02 . 2009-04-03 09:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-04 21:02 . 2008-12-18 10:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-04 21:02 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-04 21:02 . 2009-09-04 21:03 -------- d-----w- c:\program files\Spyware Doctor
2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\Kamal\Application Data\PC Tools
2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-04 21:00 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\Kamal\Application Data\GetRightToGo
2009-09-04 17:32 . 2009-09-04 17:32 -------- d-----w- c:\documents and settings\Kamal\Application Data\Malwarebytes
2009-09-04 17:28 . 2009-09-04 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-04 17:08 . 2009-09-04 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-04 17:04 . 2009-09-04 17:04 -------- d-----w- c:\documents and settings\Kamal\Application Data\SUPERAntiSpyware.com
2009-08-31 19:47 . 2009-08-31 19:47 40156 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-31 19:46 . 2009-09-01 02:59 -------- d-----w- c:\program files\Safari
2009-08-27 13:44 . 2009-08-27 13:44 -------- d-----w- c:\documents and settings\Kamal\Local Settings\Application Data\Help
2009-08-26 10:44 . 2009-08-26 10:45 -------- d-----w- c:\program files\SpywareBlaster
2009-08-24 17:52 . 2009-08-24 17:52 -------- d-----w- C:\CloneDVDTemp
2009-08-24 17:46 . 2009-08-24 17:46 -------- d-----w- c:\program files\Elaborate Bytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 01:17 . 2008-10-02 21:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-06 20:22 . 2004-08-04 12:00 56320 ------w- c:\windows\system32\eventlog.dll
2009-09-06 16:50 . 2008-10-02 22:00 -------- d-----w- c:\program files\Java
2009-09-06 16:46 . 2008-12-24 05:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-04 20:56 . 2008-10-04 18:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-04 20:56 . 2008-10-04 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-31 19:47 . 2008-10-02 21:09 -------- d-----w- c:\documents and settings\Kamal\Application Data\Apple Computer
2009-08-29 23:49 . 2008-10-02 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-25 03:40 . 2009-02-14 23:59 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-24 18:05 . 2009-02-14 23:56 -------- d-----w- c:\documents and settings\Kamal\Application Data\DVD Flick
2009-08-24 17:42 . 2009-02-15 00:08 -------- d-----w- c:\documents and settings\Kamal\Application Data\Vso
2009-08-24 17:42 . 2009-02-15 00:08 47360 ----a-w- c:\documents and settings\Kamal\Application Data\pcouffin.sys
2009-08-20 13:03 . 2008-10-02 02:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-20 13:03 . 2008-10-02 02:47 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-20 13:03 . 2008-10-02 02:14 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-06_20.34.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-07 01:17 . 2009-09-07 01:17 16384 c:\windows\temp\Perflib_Perfdata_258.dat
+ 2004-08-04 12:00 . 2009-09-07 01:08 41068 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-09-06 20:31 41068 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-09-07 01:08 315124 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-09-06 20:31 315124 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-02 39408]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2008-10-02 3061248]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-20 2007832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-02 185872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 933888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-06 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-09-24 16859648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2009-1-23 36864]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2007-9-12 1527808]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-10-12 802816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 13:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [04/09/2009 22:02 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [02/10/2008 03:47 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [02/10/2008 03:47 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [02/10/2008 03:47 297752]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [23/04/2007 14:11 224896]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [02/10/2008 03:47 908056]
S2 tawdl;Time Update;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [04/09/2009 22:02 348752]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tawdl

Re: win32\cryptor

------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kamal\Application Data\Mozilla\Firefox\Profiles\ojloqkkv.default\
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPStreamPlug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 02:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tawdl]
"ServiceDll"="c:\windows\system32\jmygdh.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-2025429265-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5b,9f,6a,5d,5d,f8,cc,e5,44,2d,d4,5c,a5,d1,ca,0f,9e,14,22,00,25,5d,d1,
9e,1d,48,9c,d8,ad,5c,61,0e,17,69,bf,de,9a,a6,a2,7a,3a,45,6d,45,d4,4f,76,58,\
"??"=hex:d5,f6,16,19,1a,6e,1b,03,b0,eb,27,9b,fc,0d,e8,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3420)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MagicTune Premium\MagicTuneEngine.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\MagicTune Premium\MagicTune.exe
.
**************************************************************************
.
Completion time: 2009-09-07 2:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-07 01:20
ComboFix2.txt 2009-09-06 20:37

Pre-Run: 213,607,501,824 bytes free
Post-Run: 213,570,772,992 bytes free

229 --- E O F --- 2009-02-13 14:09

Re: win32\cryptor

Hello.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
tawdl

File::
c:\windows\system32\jmygdh.dll

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\qycxkvvx]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wgpzwosp]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tawdl]

NetSvc::
tawdl

DirLook::
c:\program files\tricker


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot]

This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.

Re: win32\cryptor

ComboFix 09-09-06.02 - Kamal 07/09/2009 22:42.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1526 [GMT 1:00]
Running from: c:\documents and settings\Kamal\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Kamal\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\jmygdh.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TAWDL
-------\Service_tawdl


((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-06 17:12 . 2009-09-06 17:12 -------- d-----w- c:\program files\tricker
2009-09-04 21:02 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-04 21:02 . 2009-04-03 09:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-04 21:02 . 2008-12-18 10:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-04 21:02 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-04 21:02 . 2009-09-04 21:03 -------- d-----w- c:\program files\Spyware Doctor
2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\Kamal\Application Data\PC Tools
2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-04 21:00 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\Kamal\Application Data\GetRightToGo
2009-09-04 17:32 . 2009-09-04 17:32 -------- d-----w- c:\documents and settings\Kamal\Application Data\Malwarebytes
2009-09-04 17:28 . 2009-09-04 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-04 17:08 . 2009-09-04 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-04 17:04 . 2009-09-04 17:04 -------- d-----w- c:\documents and settings\Kamal\Application Data\SUPERAntiSpyware.com
2009-08-31 19:47 . 2009-08-31 19:47 40156 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-31 19:46 . 2009-09-01 02:59 -------- d-----w- c:\program files\Safari
2009-08-27 13:44 . 2009-08-27 13:44 -------- d-----w- c:\documents and settings\Kamal\Local Settings\Application Data\Help
2009-08-26 10:44 . 2009-08-26 10:45 -------- d-----w- c:\program files\SpywareBlaster
2009-08-24 17:52 . 2009-08-24 17:52 -------- d-----w- C:\CloneDVDTemp
2009-08-24 17:46 . 2009-08-24 17:46 -------- d-----w- c:\program files\Elaborate Bytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 21:48 . 2008-10-02 21:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-06 20:22 . 2004-08-04 12:00 56320 ------w- c:\windows\system32\eventlog.dll
2009-09-06 16:50 . 2008-10-02 22:00 -------- d-----w- c:\program files\Java
2009-09-06 16:46 . 2008-12-24 05:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-04 20:56 . 2008-10-04 18:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-04 20:56 . 2008-10-04 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-31 19:47 . 2008-10-02 21:09 -------- d-----w- c:\documents and settings\Kamal\Application Data\Apple Computer
2009-08-29 23:49 . 2008-10-02 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-25 03:40 . 2009-02-14 23:59 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-24 18:05 . 2009-02-14 23:56 -------- d-----w- c:\documents and settings\Kamal\Application Data\DVD Flick
2009-08-24 17:42 . 2009-02-15 00:08 -------- d-----w- c:\documents and settings\Kamal\Application Data\Vso
2009-08-24 17:42 . 2009-02-15 00:08 47360 ----a-w- c:\documents and settings\Kamal\Application Data\pcouffin.sys
2009-08-20 13:03 . 2008-10-02 02:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-20 13:03 . 2008-10-02 02:47 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-20 13:03 . 2008-10-02 02:14 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\tricker ----

2009-09-06 17:12 . 2009-09-06 17:12 396288 ----a-w- c:\program files\tricker\tricker.exe


((((((((((((((((((((((((((((( SnapShot@2009-09-06_20.34.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-07 21:48 . 2009-09-07 21:48 16384 c:\windows\temp\Perflib_Perfdata_230.dat
+ 2004-08-04 12:00 . 2009-09-07 16:58 41068 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-09-06 20:31 41068 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-09-07 16:58 315124 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-09-06 20:31 315124 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-02 39408]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2008-10-02 3061248]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-20 2007832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-02 185872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 933888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-06 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-09-24 16859648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2009-1-23 36864]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2007-9-12 1527808]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-10-12 802816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 13:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [04/09/2009 22:02 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [02/10/2008 03:47 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [02/10/2008 03:47 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [02/10/2008 03:47 297752]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [23/04/2007 14:11 224896]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [02/10/2008 03:47 908056]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [04/09/2009 22:02 348752]

Re: win32\cryptor

------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kamal\Application Data\Mozilla\Firefox\Profiles\ojloqkkv.default\
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPStreamPlug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 22:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-2025429265-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5b,9f,6a,5d,5d,f8,cc,e5,44,2d,d4,5c,a5,d1,ca,0f,9e,14,22,00,25,5d,d1,
9e,1d,48,9c,d8,ad,5c,61,0e,17,69,bf,de,9a,a6,a2,7a,3a,45,6d,45,d4,4f,76,58,\
"??"=hex:d5,f6,16,19,1a,6e,1b,03,b0,eb,27,9b,fc,0d,e8,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3968)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MagicTune Premium\MagicTuneEngine.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\MagicTune Premium\MagicTune.exe
.
**************************************************************************
.
Completion time: 2009-09-07 22:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-07 21:52
ComboFix2.txt 2009-09-07 01:20
ComboFix3.txt 2009-09-06 20:37

Pre-Run: 212,922,572,800 bytes free
Post-Run: 213,448,409,088 bytes free

221 --- E O F --- 2009-02-13 14:09

Re: win32\cryptor

Submit a file for analysis.

  1. Please visit this website: Jotti's Malware Scanner
  2. Press the "Browse" button and locate the following file:
    c:\program files\tricker\tricker.exe
  3. Press the "Submit File" button to submit the file for analysis.
  4. Allow it to be scanned, it could take a few minutes depending on server load.
  5. Copy and paste the result back here.

Re: win32\cryptor

Hi Belazur, I submitted the file tricker.exe, but using both Internet Explorer and Firefox the website states the file is empty, although checking the C drive in My Computer states it is 387kb.

What I can say is that when I tried downloading HijackThis the virus stopped me from running the program. So what I tried to do is rename the folder and file, and I remember renaming it to trick and tricker, although this didn't work. Maybe I should just delete the file and folder?

Currently the PC is working much faster and is back to how it used to be in terms of speed; the cryptor virus symptoms are no longer there.

What else can I do to make sure this problem is gone?

Re: win32\cryptor

Ah, so tricker.exe was HijackThis renamed? It's okay then, it just looked a little suspicious to me.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

[screenshot]

This will also reset your restore points.

How is the machine running now?
