WiredWX Christian Hobby Weather Tools
Would you like to react to this message? Create an account in a few clicks or log in to continue.

WiredWX Christian Hobby Weather ToolsLog in

 


win32/cryptor

2 posters

descriptionwin32/cryptor Emptywin32/cryptor18th April 2009, 12:57 pm

more_horiz
Hi, I have obtained this virus and have been trying for at least 3 days to get rid of it. My AVG Free v. 8.5 found it, but won't get rid of it. It tries to get rid of it but it just reappears in the same folder and the same file name (C:\Windows\system32\wsrxlkb.dll).

I have downloaded and used The Avenger, Malwarebytes, SuperAntiSpyware, and ATF cleaner. After following some general instructions from another post on this site it seemed like the virus was gone.

AVG originally AVG would give me the huge file on start up of my PC it was just the file name listed above, repeatedly, and that it was infected with win32/cryptor. After running the above mentioned programs I restarted my computer and it no longer gave me that huge list, but as soon as I connected to the internet with any program (Yahoo messenger, IE etc) my AVG would pop up a "Threat Detected" box and list the above file name.

I'm at a loss with this. I have disabled system restore and scanned using the programs above several time and get different results. I will post my Hijack This Logfile in another post.

I sincerely appreciate any help you may be able to offer. I can usually do these things, but this one has me.

Thanks In Advance,
Tracy

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 12:58 pm

more_horiz
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:16 AM, on 4/18/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\BPK\bpk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\User\My Documents\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.live.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: (no name) - {70E601F6-48D5-4389-B6AA-A6C761A4A051} - c:\windows\system32\wsrxklb.dll
O2 - BHO: MyPoints Toolbar - {A057A204-BACC-4D26-CEC4-75A487FD6484} - C:\PROGRA~1\mypoints\mypoints.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll (file missing)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: MyPoints Toolbar - {A057A204-BACC-4D26-CEC4-75A487FD6484} - C:\PROGRA~1\mypoints\mypoints.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [bpk] C:\Program Files\BPK\bpk.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Uninstall getPlus(R) for Adobe] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKLM\..\Policies\Explorer\Run: [lxsass] "C:\WINDOWS\system32\lxsass.exe" -at
O4 - HKUS\S-1-5-18\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://softdev.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} (PQIEBrowserConnector Class) - http://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file://C:\Program Files\AutoCAD 2000i\InstFred.ocx
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://portal2.signalcorp.com/dana-cached/setup/JuniperSetupSP1.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: wdfmounl - C:\WINDOWS\SYSTEM32\wsrxklb.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10831 bytes

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 1:50 pm

more_horiz
Hello.
Either the rootkit is protecting that file, or another hidden driver is locking it.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
win32/cryptor DXwU4
win32/cryptor VvYDg

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 2:15 pm

more_horiz
Here is what Avenger Log says--my AVG is still picking up the "virus" though.

Thanks,
Tracy

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 4:39 pm

more_horiz
Hello. No rootkit. Don't worry about that file, we'll kill it soon.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
    O1 - Hosts: 91.212.65.122 antiwareprotect.com
    O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {70E601F6-48D5-4389-B6AA-A6C761A4A051} - c:\windows\system32\wsrxklb.dll
    O4 - HKLM\..\Policies\Explorer\Run: [lxsass] "C:\WINDOWS\system32\lxsass.exe" -at
    O4 - HKUS\S-1-5-18\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [LabelMaker2.0] regsvr32 C:\Program Files\Common Files\MySoftware\regdll.dll /s (User 'Default user')
    O20 - Winlogon Notify: wdfmounl - C:\WINDOWS\SYSTEM32\wsrxklb.dll


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
win32/cryptor DXwU4
win32/cryptor VvYDg

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 5:16 pm

more_horiz
This is the log file

Malwarebytes' Anti-Malware 1.36
Database version: 2000
Windows 5.1.2600 Service Pack 2

4/18/2009 1:08:56 PM
mbam-log-2009-04-18 (13-08-56).txt

Scan type: Quick Scan
Objects scanned: 87873
Time elapsed: 13 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70e601f6-48d5-4389-b6aa-a6c761a4a051} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wdfmounl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{70e601f6-48d5-4389-b6aa-a6c761a4a051} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\wsrxklb.dll (Trojan.Vundo.H) -> Delete on reboot.

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 5:33 pm

more_horiz
Hmm, a locked file I bet.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
win32/cryptor DXwU4
win32/cryptor VvYDg

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 5:41 pm

more_horiz
Here is the DDS.scr log:


DDS (Ver_09-03-16.01) - NTFSx86
Run by User at 13:38:37.73 on Sat 04/18/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.176 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\BPK\bpk.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://search.live.com
uSearch Bar = hxxp://search.live.com/sphome.aspx
uWindow Title = Windows Internet Explorer provided by Comcast
mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
mStart Page = hxxp://www.comcast.net/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
mSearchAssistant = hxxp://search.live.com/sphome.aspx
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: : {70e601f6-48d5-4389-b6aa-a6c761a4a051} - c:\windows\system32\wsrxklb.dll
BHO: MyPoints Toolbar: {a057a204-bacc-4d26-cec4-75a487fd6484} - c:\progra~1\mypoints\mypoints.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: MyPoints Toolbar: {a057a204-bacc-4d26-cec4-75a487fd6484} - c:\progra~1\mypoints\mypoints.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MediaFace Integration] c:\program files\fellowes\mediaface 4.0\SetHook.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [Verizon_McciTrayApp] c:\program files\verizon\McciTrayApp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [bpk] c:\program files\bpk\bpk.exe
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\inetrepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\inetrepl.dll
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01111F00-3E00-11D2-8470-0060089874ED} - hxxp://softdev.adelphia.net/sdccommon/download/tgctlins.cab
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemydsl.verizon.net/sdcCommon/download/DSL/Verizon%20High%20Speed%20Internet%20Installer.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} - hxxp://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file://c:\program files\autocad 2000i\InstFred.ocx
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://portal2.signalcorp.com/dana-cached/setup/JuniperSetupSP1.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: wdfmounl - wsrxklb.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = :\WINDOW scecli scecli

============= SERVICES / DRIVERS ===============

R0 nbhupuaj;nbhupuaj;c:\windows\system32\drivers\nbhupuaj.sys [2001-8-18 23424]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-16 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-16 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-16 107912]
R1 NEOFLTR_540_11359;Juniper Networks TDI Filter Driver (NEOFLTR_540_11359);c:\windows\system32\drivers\NEOFLTR_540_11359.sys [2006-11-30 57559]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-16 298264]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-6-13 24652]
S2 anlvqabs;Floppy Disk Controller Controller;c:\windows\system32\svchost.exe -k netsvcs [2001-8-18 14336]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]

=============== Created Last 30 ================

2009-04-18 13:37 61,440 a------- c:\windows\system32\drivers\htfibfe.sys
2009-04-18 08:24 --d----- c:\documents and settings\user\.SunDownloadManager
2009-04-17 15:59 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-17 15:59 --d----- c:\program files\SUPERAntiSpyware
2009-04-17 15:59 --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com
2009-04-17 15:59 --d----- c:\program files\common files\Wise Installation Wizard
2009-04-17 06:43 --d----- c:\docume~1\user\applic~1\wbyaodey
2009-04-16 18:26 --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-04-16 18:26 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-16 18:26 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 18:25 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-16 18:25 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-16 17:21 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-16 17:21 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-16 17:21 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-16 17:21 --d----- c:\windows\system32\drivers\Avg
2009-04-16 17:15 0 a------- c:\windows\Vkelewazucocali.bin
2009-04-16 17:15 408 a------- c:\windows\Xfoki.dat
2009-04-15 16:03 --d----- c:\program files\mypoints
2009-04-15 16:03 --d----- c:\docume~1\user\applic~1\mypoints
2009-03-26 21:11 --d----- c:\program files\AVG
2009-03-26 12:00 --d-h--- C:\$AVG8.VAULT$
2009-03-25 16:19 --d----- c:\docume~1\alluse~1\applic~1\avg8

==================== Find3M ====================

2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 10:44 283,648 a------- c:\windows\system32\pdh.dll
2009-02-20 04:30 659,456 a------- c:\windows\system32\wininet.dll
2009-02-20 04:30 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-09 06:20 723,456 a------- c:\windows\system32\lsasrv.dll
2009-02-09 06:20 399,360 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:20 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 06:20 616,960 a------- c:\windows\system32\advapi32.dll
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-06 13:24 2,180,480 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 13:14 110,592 a------- c:\windows\system32\services.exe
2009-02-06 12:54 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 12:49 2,057,728 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 16:08 55,808 a------- c:\windows\system32\secur32.dll
2006-06-11 17:46 220,744 a------- c:\docume~1\user\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 13:40:10.51 ===============

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 5:43 pm

more_horiz
note: there is a line in there about running the malware clean up script, I did that originally as you requested (through reboot), and while I was waiting for a response I ran it again just to see if it was clean. It was not, but I told it not to reboot yet as I was waiting to see your next response

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 5:45 pm

more_horiz
Hello. Yep, the file is locked by a hidden driver, along with a second hidden to boot. MBAM can't clean it because of the driver regenerating it. Were gonna use something a lot more powerful and this will take it down with ease.


  • Download combofix from here
    Link 1
    Link 2
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    win32/cryptor Rcauto10

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    win32/cryptor Whatne10

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
win32/cryptor DXwU4
win32/cryptor VvYDg

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 7:25 pm

more_horiz
Ran the combofix.exe -- Here is the log text file: (file is too big, sending in two posts)

ComboFix 09-04-19.01 - User 04/18/2009 14:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.183 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\windows\system32\_005032_.tmp.dll
c:\windows\system32\_005033_.tmp.dll
c:\windows\system32\_005034_.tmp.dll
c:\windows\system32\_005035_.tmp.dll
c:\windows\system32\_005038_.tmp.dll
c:\windows\system32\_005039_.tmp.dll
c:\windows\system32\_005040_.tmp.dll
c:\windows\system32\_005041_.tmp.dll
c:\windows\system32\_005046_.tmp.dll
c:\windows\system32\_005047_.tmp.dll
c:\windows\system32\_005048_.tmp.dll
c:\windows\system32\_005049_.tmp.dll
c:\windows\system32\_005050_.tmp.dll
c:\windows\system32\_005051_.tmp.dll
c:\windows\system32\_005052_.tmp.dll
c:\windows\system32\_005053_.tmp.dll
c:\windows\system32\_005055_.tmp.dll
c:\windows\system32\_005056_.tmp.dll
c:\windows\system32\_005057_.tmp.dll
c:\windows\system32\_005058_.tmp.dll
c:\windows\system32\_005059_.tmp.dll
c:\windows\system32\_005060_.tmp.dll
c:\windows\system32\_005061_.tmp.dll
c:\windows\system32\_005063_.tmp.dll
c:\windows\system32\_005065_.tmp.dll
c:\windows\system32\_005066_.tmp.dll
c:\windows\system32\_005067_.tmp.dll
c:\windows\system32\_005068_.tmp.dll
c:\windows\system32\_005070_.tmp.dll
c:\windows\system32\_005071_.tmp.dll
c:\windows\system32\_005072_.tmp.dll
c:\windows\system32\_005073_.tmp.dll
c:\windows\system32\_005074_.tmp.dll
c:\windows\system32\_005075_.tmp.dll
c:\windows\system32\_005076_.tmp.dll
c:\windows\system32\_005077_.tmp.dll
c:\windows\system32\_005079_.tmp.dll
c:\windows\system32\_005080_.tmp.dll
c:\windows\system32\_005081_.tmp.dll
c:\windows\system32\_005082_.tmp.dll
c:\windows\system32\_005083_.tmp.dll
c:\windows\system32\_005085_.tmp.dll
c:\windows\system32\_005086_.tmp.dll
c:\windows\system32\_005087_.tmp.dll
c:\windows\system32\_005088_.tmp.dll
c:\windows\system32\_005089_.tmp.dll
c:\windows\system32\_005091_.tmp.dll
c:\windows\system32\_005092_.tmp.dll
c:\windows\system32\_005094_.tmp.dll
c:\windows\system32\_005096_.tmp.dll
c:\windows\system32\_005097_.tmp.dll
c:\windows\system32\_005099_.tmp.dll
c:\windows\system32\_005100_.tmp.dll
c:\windows\system32\_005102_.tmp.dll
c:\windows\system32\_005104_.tmp.dll
c:\windows\system32\_005105_.tmp.dll
c:\windows\system32\_005107_.tmp.dll
c:\windows\system32\_005108_.tmp.dll
c:\windows\system32\_005109_.tmp.dll
c:\windows\system32\_005110_.tmp.dll
c:\windows\system32\_005113_.tmp.dll
c:\windows\system32\_005114_.tmp.dll
c:\windows\system32\_005115_.tmp.dll
c:\windows\system32\_005116_.tmp.dll
c:\windows\system32\_005117_.tmp.dll
c:\windows\system32\_005122_.tmp.dll
c:\windows\system32\_005124_.tmp.dll
c:\windows\system32\_005125_.tmp.dll
c:\windows\system32\_007386_.tmp.dll
c:\windows\system32\_007387_.tmp.dll
c:\windows\system32\_007388_.tmp.dll
c:\windows\system32\_007389_.tmp.dll
c:\windows\system32\_007396_.tmp.dll
c:\windows\system32\_007397_.tmp.dll
c:\windows\system32\_007398_.tmp.dll
c:\windows\system32\_007399_.tmp.dll
c:\windows\system32\_007401_.tmp.dll
c:\windows\system32\_007402_.tmp.dll
c:\windows\system32\_007405_.tmp.dll
c:\windows\system32\_007406_.tmp.dll
c:\windows\system32\_007408_.tmp.dll
c:\windows\system32\_007409_.tmp.dll
c:\windows\system32\_007410_.tmp.dll
c:\windows\system32\_007412_.tmp.dll
c:\windows\system32\_007415_.tmp.dll
c:\windows\system32\_007416_.tmp.dll
c:\windows\system32\_007420_.tmp.dll
c:\windows\system32\_007421_.tmp.dll
c:\windows\system32\_007423_.tmp.dll
c:\windows\system32\_007425_.tmp.dll
c:\windows\system32\_007426_.tmp.dll
c:\windows\system32\_007428_.tmp.dll
c:\windows\system32\_007429_.tmp.dll
c:\windows\system32\_007430_.tmp.dll
c:\windows\system32\_007431_.tmp.dll
c:\windows\system32\_007432_.tmp.dll
c:\windows\system32\_007435_.tmp.dll
c:\windows\system32\_007436_.tmp.dll
c:\windows\system32\_007437_.tmp.dll
c:\windows\system32\_007438_.tmp.dll
c:\windows\system32\_007439_.tmp.dll
c:\windows\system32\_007444_.tmp.dll
c:\windows\system32\_007446_.tmp.dll
c:\windows\system32\_007447_.tmp.dll
c:\windows\Tasks\At1.job
c:\windows\system32\wsrxklb.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ANLVQABS
-------\Service_anlvqabs


((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-18 14:01 . 2009-04-18 14:14 -------- d-----w c:\documents and settings\User\Local Settings\Application Data\Google
2009-04-18 12:46 . 2009-04-18 12:46 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-18 12:36 . 2009-04-18 14:09 -------- d-----w c:\program files\Google
2009-04-18 12:35 . 2009-04-18 14:00 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-04-18 12:35 . 2009-04-18 14:00 -------- d-----w c:\program files\NOS
2009-04-18 12:24 . 2009-04-18 12:24 -------- d-----w c:\documents and settings\User\.SunDownloadManager
2009-04-17 20:09 . 2009-04-17 20:09 -------- d-----w c:\documents and settings\Administrator.USER-1ZXQ8LA9WS\Application Data\SUPERAntiSpyware.com
2009-04-17 19:59 . 2009-04-17 19:59 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-17 19:59 . 2009-04-17 19:59 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-17 19:59 . 2009-04-17 19:59 -------- d-----w c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-04-17 19:59 . 2009-04-17 19:59 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-17 10:46 . 2009-04-17 10:46 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\wbyaodey
2009-04-17 10:46 . 2009-04-17 10:46 -------- d-----w c:\documents and settings\NetworkService\Application Data\wbyaodey
2009-04-17 10:43 . 2009-04-17 10:43 -------- d-----w c:\documents and settings\User\Local Settings\Application Data\wbyaodey
2009-04-17 10:43 . 2009-04-17 10:43 -------- d-----w c:\documents and settings\User\Application Data\wbyaodey
2009-04-16 22:26 . 2009-04-16 22:26 -------- d-----w c:\documents and settings\User\Application Data\Malwarebytes
2009-04-16 22:26 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-16 22:26 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 22:25 . 2009-04-16 22:25 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 22:25 . 2009-04-16 22:26 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-16 21:21 . 2009-04-16 21:21 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-16 21:21 . 2009-04-16 21:21 107912 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-16 21:21 . 2009-04-16 21:21 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-16 21:21 . 2009-04-18 12:50 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-16 21:15 . 2009-04-16 21:15 0 ----a-w c:\windows\Vkelewazucocali.bin
2009-04-16 21:15 . 2009-04-16 21:15 408 ----a-w c:\windows\Xfoki.dat
2009-04-16 21:15 . 2009-04-16 21:15 -------- d-----w c:\documents and settings\User\Local Settings\Application Data\{AE7D70BD-6F41-413D-86A0-5B96F3B9C612}
2009-04-15 20:03 . 2009-04-15 20:03 -------- d-----w c:\documents and settings\User\Application Data\mypoints
2009-04-15 20:03 . 2009-04-15 20:03 -------- d-----w c:\program files\mypoints
2009-03-27 01:11 . 2009-03-27 01:11 -------- d-----w c:\program files\AVG
2009-03-26 16:00 . 2009-04-18 17:58 -------- d--h--w C:\$AVG8.VAULT$
2009-03-25 20:19 . 2009-04-18 18:56 -------- d-----w c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 18:54 . 2009-04-18 18:54 2902 ----a-w C:\avenger.txt
2009-04-18 18:48 . 2007-08-24 12:23 -------- d-----w c:\program files\BPK
2009-04-18 12:45 . 2004-10-27 13:46 -------- d-----w c:\program files\Common Files\Adobe
2009-04-18 12:30 . 2009-04-18 12:29 9818 ----a-w C:\JavaRa.log
2009-04-18 12:30 . 2007-02-24 15:15 -------- d-----w c:\program files\Java
2009-04-16 20:25 . 2004-10-19 20:05 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-05 23:26 . 2007-06-26 19:30 -------- d-----w c:\program files\Verizon
2009-03-26 19:44 . 2005-12-22 21:05 -------- d-----w c:\program files\CW4
2009-03-25 20:20 . 2005-08-26 19:45 -------- d-----w c:\program files\YPOPs
2009-03-25 20:19 . 2004-12-16 21:28 -------- d-----w c:\program files\Yahoo!
2009-03-09 09:19 . 2009-01-06 01:29 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:44 . 2001-08-18 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 13:06 . 2007-08-18 02:21 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-20 08:30 . 2004-10-19 20:22 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 08:30 . 2001-08-18 12:00 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-09 10:20 . 2009-02-06 02:17 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2001-08-18 12:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2009-02-06 02:17 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:20 . 2009-02-06 02:17 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:19 . 2009-02-06 02:17 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:24 . 2009-02-06 02:17 2180480 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2009-02-06 02:17 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2001-08-18 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2009-02-06 02:17 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 02:34 . 2001-08-18 12:00 250032 --sha-r C:\ntldr
2009-02-03 20:08 . 2001-08-18 12:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-05-20 00:15 . 2004-10-19 20:39 447040 ----a-w c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-10-29 17:06 . 2007-10-29 17:06 2272 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2006-06-11 21:46 . 2004-12-06 16:39 220744 ----a-w c:\documents and settings\User\Application Data\GDIPFONTCACHEV1.DAT
2005-01-10 23:30 . 2005-01-10 23:30 127 ----a-w c:\documents and settings\User\Local Settings\Application Data\fusioncache.dat
.

------- Sigcheck -------

[7] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[7] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2004-08-04 03:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[7] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[7] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953_0$\tcpip.sys
[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tcpip.sys
[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 7:25 pm

more_horiz
--rest of log file--

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70E601F6-48D5-4389-B6AA-A6C761A4A051}]
2001-08-18 12:00 102912 ----a-w c:\windows\system32\wsrxklb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-CEC4-75A487FD6484}]
2008-08-07 20:24 1909248 ----a-w c:\progra~1\mypoints\mypoints.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-CEC4-75A487FD6484}"= "c:\progra~1\mypoints\mypoints.dll" [2008-08-07 1909248]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-cec4-75a487fd6484}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A057A204-BACC-4D26-CEC4-75A487FD6484}"= "c:\progra~1\mypoints\mypoints.dll" [2008-08-07 1909248]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-cec4-75a487fd6484}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 405583]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-15 4112384]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-15 81920]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe" [2003-04-11 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-16 1932568]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"bpk"="c:\program files\BPK\bpk.exe" [2008-03-27 438272]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-20 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-16 21:21 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S0 nbhupuaj;nbhupuaj;c:\windows\system32\drivers\nbhupuaj.sys [2001-08-18 23424]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-16 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-16 107912]
S1 NEOFLTR_540_11359;Juniper Networks TDI Filter Driver (NEOFLTR_540_11359);c:\windows\system32\Drivers\NEOFLTR_540_11359.SYS [2006-11-30 57559]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-16 298264]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.
Contents of the 'Scheduled Tasks' folder

2009-04-17 c:\windows\Tasks\{07B8468A-3A9F-40CB-B92E-6E6E3F05E507}_USER-1ZXQ8LA9WS_User.job
- c:\windows\system32\mobsync.exe [2001-08-18 04:56]

2009-04-17 c:\windows\Tasks\{91B58922-69FA-42EF-8A9A-B82A4A4F7AEA}_USER-1ZXQ8LA9WS_User.job
- c:\windows\system32\mobsync.exe [2001-08-18 04:56]

2009-04-17 c:\windows\Tasks\{F50310E9-674E-4043-87AB-2E807E9CB145}_USER-1ZXQ8LA9WS_User.job
- c:\windows\system32\mobsync.exe [2001-08-18 04:56]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.comcast.net/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Trusted Zone: turbotax.com
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} - hxxp://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 14:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\anlvqabs]
"ServiceDll"="c:\windows\system32\wsrxklb.dll"
--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\sduuywml]
"ImagePath"="system32\drivers\htfibfe.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2272FA1B-25F5-4954-9013-29AF7F53DFB9}\InprocServer32]
@DACL=(02 0000)
@="c:\\windows\\system32\\wsrxklb.dll"
"ThreadingModel"="Apartment"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2924)
c:\program files\BPK\bpkhk.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-04-18 15:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 19:04

Pre-Run: 22,086,688,768 bytes free
Post-Run: 23,916,650,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

386 --- E O F --- 2009-04-17 22:48

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 7:41 pm

more_horiz
Hello.
Were gonna run Combofix with a custom made script for your machine only.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
nbhupuaj

File::
c:\windows\system32\wsrxklb.dll
c:\windows\Vkelewazucocali.bin
c:\windows\Xfoki.dat
c:\windows\system32\drivers\nbhupuaj.sys
c:\windows\system32\drivers\htfibfe.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{70E601F6-48D5-4389-B6AA-A6C761A4A051}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\sduuywml]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\anlvqabs]

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2272FA1B-25F5-4954-9013-29AF7F53DFB9}\InprocServer32]

DDS::
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
win32/cryptor Sfxdaw

This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
win32/cryptor DXwU4
win32/cryptor VvYDg

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 8:04 pm

more_horiz
This is the log file from Combofix after executing your custom script. (Posted in two posts)

ComboFix 09-04-19.01 - User 04/18/2009 15:46.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.183 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\htfibfe.sys
c:\windows\system32\drivers\nbhupuaj.sys
c:\windows\system32\wsrxklb.dll
c:\windows\Vkelewazucocali.bin
c:\windows\Xfoki.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\nbhupuaj.sys
c:\windows\system32\wsrxklb.dll
c:\windows\Vkelewazucocali.bin
c:\windows\Xfoki.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NBHUPUAJ
-------\Service_nbhupuaj


((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-18 14:01 . 2009-04-18 14:14 -------- d-----w c:\documents and settings\User\Local Settings\Application Data\Google
2009-04-18 12:46 . 2009-04-18 12:46 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-18 12:36 . 2009-04-18 14:09 -------- d-----w c:\program files\Google
2009-04-18 12:35 . 2009-04-18 14:00 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-04-18 12:35 . 2009-04-18 14:00 -------- d-----w c:\program files\NOS
2009-04-18 12:24 . 2009-04-18 12:24 -------- d-----w c:\documents and settings\User\.SunDownloadManager
2009-04-17 20:09 . 2009-04-17 20:09 -------- d-----w c:\documents and settings\Administrator.USER-1ZXQ8LA9WS\Application Data\SUPERAntiSpyware.com
2009-04-17 19:59 . 2009-04-17 19:59 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-17 19:59 . 2009-04-17 19:59 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-17 19:59 . 2009-04-17 19:59 -------- d-----w c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-04-17 19:59 . 2009-04-17 19:59 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-17 10:46 . 2009-04-17 10:46 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\wbyaodey
2009-04-17 10:46 . 2009-04-17 10:46 -------- d-----w c:\documents and settings\NetworkService\Application Data\wbyaodey
2009-04-17 10:43 . 2009-04-17 10:43 -------- d-----w c:\documents and settings\User\Local Settings\Application Data\wbyaodey
2009-04-17 10:43 . 2009-04-17 10:43 -------- d-----w c:\documents and settings\User\Application Data\wbyaodey
2009-04-16 22:26 . 2009-04-16 22:26 -------- d-----w c:\documents and settings\User\Application Data\Malwarebytes
2009-04-16 22:26 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-16 22:26 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 22:25 . 2009-04-16 22:25 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 22:25 . 2009-04-16 22:26 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-16 21:21 . 2009-04-16 21:21 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-16 21:21 . 2009-04-16 21:21 107912 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-16 21:21 . 2009-04-16 21:21 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-16 21:21 . 2009-04-18 12:50 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-16 21:15 . 2009-04-16 21:15 -------- d-----w c:\documents and settings\User\Local Settings\Application Data\{AE7D70BD-6F41-413D-86A0-5B96F3B9C612}
2009-04-15 20:03 . 2009-04-15 20:03 -------- d-----w c:\documents and settings\User\Application Data\mypoints
2009-04-15 20:03 . 2009-04-15 20:03 -------- d-----w c:\program files\mypoints
2009-03-27 01:11 . 2009-03-27 01:11 -------- d-----w c:\program files\AVG
2009-03-26 16:00 . 2009-04-18 17:58 -------- d--h--w C:\$AVG8.VAULT$
2009-03-25 20:19 . 2009-04-18 18:56 -------- d-----w c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 19:47 . 2001-08-18 12:00 23424 ----a-w c:\windows\system32\drivers\wdaqjczi.sys
2009-04-18 19:38 . 2007-08-24 12:23 -------- d-----w c:\program files\BPK
2009-04-18 18:54 . 2009-04-18 18:54 2902 ----a-w C:\avenger.txt
2009-04-18 12:45 . 2004-10-27 13:46 -------- d-----w c:\program files\Common Files\Adobe
2009-04-18 12:30 . 2009-04-18 12:29 9818 ----a-w C:\JavaRa.log
2009-04-18 12:30 . 2007-02-24 15:15 -------- d-----w c:\program files\Java
2009-04-16 20:25 . 2004-10-19 20:05 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-05 23:26 . 2007-06-26 19:30 -------- d-----w c:\program files\Verizon
2009-03-26 19:44 . 2005-12-22 21:05 -------- d-----w c:\program files\CW4
2009-03-25 20:20 . 2005-08-26 19:45 -------- d-----w c:\program files\YPOPs
2009-03-25 20:19 . 2004-12-16 21:28 -------- d-----w c:\program files\Yahoo!
2009-03-09 09:19 . 2009-01-06 01:29 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:44 . 2001-08-18 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 13:06 . 2007-08-18 02:21 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-20 08:30 . 2004-10-19 20:22 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 08:30 . 2001-08-18 12:00 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-09 10:20 . 2009-02-06 02:17 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2001-08-18 12:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2009-02-06 02:17 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:20 . 2009-02-06 02:17 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:19 . 2009-02-06 02:17 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:24 . 2009-02-06 02:17 2180480 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2009-02-06 02:17 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2001-08-18 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2009-02-06 02:17 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 02:34 . 2001-08-18 12:00 250032 --sha-r C:\ntldr
2009-02-03 20:08 . 2001-08-18 12:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-05-20 00:15 . 2004-10-19 20:39 447040 ----a-w c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-10-29 17:06 . 2007-10-29 17:06 2272 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2006-06-11 21:46 . 2004-12-06 16:39 220744 ----a-w c:\documents and settings\User\Application Data\GDIPFONTCACHEV1.DAT
2005-01-10 23:30 . 2005-01-10 23:30 127 ----a-w c:\documents and settings\User\Local Settings\Application Data\fusioncache.dat
.

------- Sigcheck -------

[7] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[7] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2004-08-04 03:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[7] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[7] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953_0$\tcpip.sys
[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tcpip.sys
[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-18_18.56.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-18 19:55 . 2009-04-18 19:55 16384 c:\windows\temp\Perflib_Perfdata_7cc.dat
+ 2009-04-18 19:54 . 2009-04-18 19:54 16384 c:\windows\temp\Perflib_Perfdata_1b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 8:04 pm

more_horiz
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-CEC4-75A487FD6484}]
2008-08-07 20:24 1909248 ----a-w c:\progra~1\mypoints\mypoints.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-CEC4-75A487FD6484}"= "c:\progra~1\mypoints\mypoints.dll" [2008-08-07 1909248]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-cec4-75a487fd6484}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A057A204-BACC-4D26-CEC4-75A487FD6484}"= "c:\progra~1\mypoints\mypoints.dll" [2008-08-07 1909248]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-cec4-75a487fd6484}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 405583]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-15 4112384]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-15 81920]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe" [2003-04-11 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-16 1932568]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"bpk"="c:\program files\BPK\bpk.exe" [2008-03-27 438272]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-20 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-16 21:21 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-16 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-16 107912]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-16 298264]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - NBHUPUAJ
.
Contents of the 'Scheduled Tasks' folder

2009-04-17 c:\windows\Tasks\{07B8468A-3A9F-40CB-B92E-6E6E3F05E507}_USER-1ZXQ8LA9WS_User.job
- c:\windows\system32\mobsync.exe [2001-08-18 04:56]

2009-04-17 c:\windows\Tasks\{91B58922-69FA-42EF-8A9A-B82A4A4F7AEA}_USER-1ZXQ8LA9WS_User.job
- c:\windows\system32\mobsync.exe [2001-08-18 04:56]

2009-04-17 c:\windows\Tasks\{F50310E9-674E-4043-87AB-2E807E9CB145}_USER-1ZXQ8LA9WS_User.job
- c:\windows\system32\mobsync.exe [2001-08-18 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.comcast.net/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Trusted Zone: turbotax.com
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} - hxxp://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 15:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\nbhupuaj]
"ImagePath"="system32\drivers\nbhupuaj.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3104)
c:\program files\BPK\bpkhk.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-04-18 16:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 20:01
ComboFix2.txt 2009-04-18 19:04

Pre-Run: 23,902,650,368 bytes free
Post-Run: 23,900,254,208 bytes free

269 --- E O F --- 2009-04-17 22:48

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 8:14 pm

more_horiz
Hello.
Nearly there, one more round should do it.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
NBHUPUAJ

File::
c:\windows\system32\drivers\wdaqjczi.sys

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\nbhupuaj]


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
win32/cryptor Sfxdaw

This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
win32/cryptor DXwU4
win32/cryptor VvYDg

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 9:27 pm

more_horiz
Next log file (2 posts)

ComboFix 09-04-19.01 - User 04/18/2009 17:10.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.186 [GMT -4:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\wdaqjczi.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\wdaqjczi.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NBHUPUAJ


((((((((((((((((((((((((( Files Created from 2009-03-18 to 2009-04-18 )))))))))))))))))))))))))))))))
.

2009-04-18 14:01 . 2009-04-18 14:14 -------- d-----w c:\documents and settings\User\Local Settings\Application Data\Google
2009-04-18 12:46 . 2009-04-18 12:46 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-18 12:36 . 2009-04-18 14:09 -------- d-----w c:\program files\Google
2009-04-18 12:35 . 2009-04-18 14:00 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-04-18 12:35 . 2009-04-18 14:00 -------- d-----w c:\program files\NOS
2009-04-18 12:24 . 2009-04-18 12:24 -------- d-----w c:\documents and settings\User\.SunDownloadManager
2009-04-17 20:09 . 2009-04-17 20:09 -------- d-----w c:\documents and settings\Administrator.USER-1ZXQ8LA9WS\Application Data\SUPERAntiSpyware.com
2009-04-17 19:59 . 2009-04-17 19:59 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-17 19:59 . 2009-04-17 19:59 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-17 19:59 . 2009-04-17 19:59 -------- d-----w c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2009-04-17 19:59 . 2009-04-17 19:59 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-17 10:46 . 2009-04-17 10:46 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\wbyaodey
2009-04-17 10:46 . 2009-04-17 10:46 -------- d-----w c:\documents and settings\NetworkService\Application Data\wbyaodey
2009-04-17 10:43 . 2009-04-17 10:43 -------- d-----w c:\documents and settings\User\Local Settings\Application Data\wbyaodey
2009-04-17 10:43 . 2009-04-17 10:43 -------- d-----w c:\documents and settings\User\Application Data\wbyaodey
2009-04-16 22:26 . 2009-04-16 22:26 -------- d-----w c:\documents and settings\User\Application Data\Malwarebytes
2009-04-16 22:26 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-16 22:26 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-16 22:25 . 2009-04-16 22:25 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-16 22:25 . 2009-04-16 22:26 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-16 21:21 . 2009-04-16 21:21 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-16 21:21 . 2009-04-16 21:21 107912 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-16 21:21 . 2009-04-16 21:21 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-16 21:21 . 2009-04-18 12:50 -------- d-----w c:\windows\system32\drivers\Avg
2009-04-16 21:15 . 2009-04-16 21:15 -------- d-----w c:\documents and settings\User\Local Settings\Application Data\{AE7D70BD-6F41-413D-86A0-5B96F3B9C612}
2009-04-15 20:03 . 2009-04-15 20:03 -------- d-----w c:\documents and settings\User\Application Data\mypoints
2009-04-15 20:03 . 2009-04-15 20:03 -------- d-----w c:\program files\mypoints
2009-03-27 01:11 . 2009-03-27 01:11 -------- d-----w c:\program files\AVG
2009-03-26 16:00 . 2009-04-18 17:58 -------- d--h--w C:\$AVG8.VAULT$
2009-03-25 20:19 . 2009-04-18 18:56 -------- d-----w c:\documents and settings\All Users\Application Data\avg8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-18 21:06 . 2007-08-24 12:23 -------- d-----w c:\program files\BPK
2009-04-18 18:54 . 2009-04-18 18:54 2902 ----a-w C:\avenger.txt
2009-04-18 12:45 . 2004-10-27 13:46 -------- d-----w c:\program files\Common Files\Adobe
2009-04-18 12:30 . 2009-04-18 12:29 9818 ----a-w C:\JavaRa.log
2009-04-18 12:30 . 2007-02-24 15:15 -------- d-----w c:\program files\Java
2009-04-16 20:25 . 2004-10-19 20:05 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-05 23:26 . 2007-06-26 19:30 -------- d-----w c:\program files\Verizon
2009-03-26 19:44 . 2005-12-22 21:05 -------- d-----w c:\program files\CW4
2009-03-25 20:20 . 2005-08-26 19:45 -------- d-----w c:\program files\YPOPs
2009-03-25 20:19 . 2004-12-16 21:28 -------- d-----w c:\program files\Yahoo!
2009-03-09 09:19 . 2009-01-06 01:29 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:44 . 2001-08-18 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 13:06 . 2007-08-18 02:21 -------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-20 08:30 . 2004-10-19 20:22 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-20 08:30 . 2001-08-18 12:00 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-09 10:20 . 2009-02-06 02:17 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2001-08-18 12:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2009-02-06 02:17 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:20 . 2009-02-06 02:17 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:19 . 2009-02-06 02:17 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:24 . 2009-02-06 02:17 2180480 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2009-02-06 02:17 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2001-08-18 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2009-02-06 02:17 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-06 02:34 . 2001-08-18 12:00 250032 --sha-r C:\ntldr
2009-02-03 20:08 . 2001-08-18 12:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-05-20 00:15 . 2004-10-19 20:39 447040 ----a-w c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-10-29 17:06 . 2007-10-29 17:06 2272 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2006-06-11 21:46 . 2004-12-06 16:39 220744 ----a-w c:\documents and settings\User\Application Data\GDIPFONTCACHEV1.DAT
2005-01-10 23:30 . 2005-01-10 23:30 127 ----a-w c:\documents and settings\User\Local Settings\Application Data\fusioncache.dat
.

------- Sigcheck -------

[7] 2005-05-25 19:07 359936 63FDFEA54EB53DE2D863EE454937CE1E c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[7] 2006-01-13 17:07 360448 5562CC0A47B2AEF06D3417B733F3C195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[-] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2004-08-04 03:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[7] 2005-05-25 19:04 359808 88763A98A4C26C409741B4AA162720C9 c:\windows\$NtUninstallKB913446$\tcpip.sys
[7] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB917953$\tcpip.sys
[7] 2006-01-13 02:28 359808 583E063FDC888CA30D05C2724B0D7EF4 c:\windows\$NtUninstallKB917953_0$\tcpip.sys
[7] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\tcpip.sys
[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-04-18_18.56.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-18 21:18 . 2009-04-18 21:18 16384 c:\windows\temp\Perflib_Perfdata_46c.dat
+ 2009-04-18 21:17 . 2009-04-18 21:17 16384 c:\windows\temp\Perflib_Perfdata_1c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 9:27 pm

more_horiz
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-CEC4-75A487FD6484}]
2008-08-07 20:24 1909248 ----a-w c:\progra~1\mypoints\mypoints.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-CEC4-75A487FD6484}"= "c:\progra~1\mypoints\mypoints.dll" [2008-08-07 1909248]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-cec4-75a487fd6484}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A057A204-BACC-4D26-CEC4-75A487FD6484}"= "c:\progra~1\mypoints\mypoints.dll" [2008-08-07 1909248]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-cec4-75a487fd6484}]
[HKEY_CLASSES_ROOT\mypoints.MYPOINTS]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2005-01-04 405583]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-02-20 4363504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-15 4112384]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-07-15 81920]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe" [2003-04-11 53248]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-25 282624]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-16 1932568]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"bpk"="c:\program files\BPK\bpk.exe" [2008-03-27 438272]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-20 65588]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-16 21:21 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-16 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-16 107912]
S1 NEOFLTR_540_11359;Juniper Networks TDI Filter Driver (NEOFLTR_540_11359);c:\windows\system32\Drivers\NEOFLTR_540_11359.SYS [2006-11-30 57559]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-16 298264]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

.
Contents of the 'Scheduled Tasks' folder

2009-04-17 c:\windows\Tasks\{07B8468A-3A9F-40CB-B92E-6E6E3F05E507}_USER-1ZXQ8LA9WS_User.job
- c:\windows\system32\mobsync.exe [2001-08-18 04:56]

2009-04-17 c:\windows\Tasks\{91B58922-69FA-42EF-8A9A-B82A4A4F7AEA}_USER-1ZXQ8LA9WS_User.job
- c:\windows\system32\mobsync.exe [2001-08-18 04:56]

2009-04-17 c:\windows\Tasks\{F50310E9-674E-4043-87AB-2E807E9CB145}_USER-1ZXQ8LA9WS_User.job
- c:\windows\system32\mobsync.exe [2001-08-18 04:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.comcast.net/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
Trusted Zone: turbotax.com
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {11A02365-2859-4598-A9D5-4FDE99D67723} - hxxp://www.pqprintcenter.com/plugin/axversion/1611/printquick1611.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-18 17:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2424)
c:\program files\BPK\bpkhk.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\wdfmgr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-04-18 17:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-18 21:24
ComboFix2.txt 2009-04-18 20:01
ComboFix3.txt 2009-04-18 19:04

Pre-Run: 23,893,630,976 bytes free
Post-Run: 23,882,432,512 bytes free

261 --- E O F --- 2009-04-17 22:48

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 9:43 pm

more_horiz
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

win32/cryptor CF_Cleanup

This will also reset your restore points.

How is the machine running now?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
win32/cryptor DXwU4
win32/cryptor VvYDg

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 9:47 pm

more_horiz
The machine is running nearly the same, but that wasn't an issue. However, I'm not getting anymore threat detects from my AVG, so I have to assume that it's much better :-)

The only issue(s) we had with this PC, was it would run sluggish sometimes even after a defrag, and yahoo messenger would do funny stuff.

I haven't used it enough to find out if either of those two things are fixed, but my guess is that with this virus removed they will be because those things just started happening recently.

I sincerely thank you for all of your time and help with this, I never would have been able to get this one on my own!

Thanks again,
Tracy

descriptionwin32/cryptor EmptyRe: win32/cryptor18th April 2009, 11:32 pm

more_horiz
Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck. Big Grin

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
win32/cryptor DXwU4
win32/cryptor VvYDg

descriptionwin32/cryptor EmptyRe: win32/cryptor

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum