WiredWX Hobby Weather ToolsLog in

 


Win32/cryptor on system

2 posters

descriptionWin32/cryptor on system EmptyWin32/cryptor on system

more_horiz
My friend's system has the win32/cryptor on it.

Need to know how to remove it, can't get his system to the internet. so i have to bounce back between his system & one of mine.

descriptionWin32/cryptor on system EmptyRe: Win32/cryptor on system

more_horiz
Hello.
Lets start with a Hijack This log, you'll need a USB stick if the infected machine has no internet access.

Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

descriptionWin32/cryptor on system EmptyRe: Win32/cryptor on system

more_horiz
I was doing just what you said, as I was waiting for a reply!

Here's the log I forgot to t in the first post.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:24 PM, on 4/23/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
I:\installs\Hijack(GP)This.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: (no name) - {33C11E5F-A106-47E3-A352-FB8D80D4C038} - c:\windows\system32\qnogfdg.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Embarq Toolbar - {4E7BD74F-2B8D-469E-92BE-BF2DFE9AAE2C} - C:\PROGRA~1\EMBARQ~1\EMBARQ~1.DLL (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Embarq Toolbar - {4E7BD74F-2B8D-469E-92BE-BF2DFE9AAE2C} - C:\PROGRA~1\EMBARQ~1\EMBARQ~1.DLL (file missing)
O4 - HKLM\..\Run: [SprintModemUpdate] javaw.exe -cp "C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: lysxfltq - C:\WINDOWS\SYSTEM32\qnogfdg.dll
O21 - SSODL: zip - {1cc0e9ae-2140-4c39-a761-84d411a77405} - C:\WINDOWS\Installer\{1cc0e9ae-2140-4c39-a761-84d411a77405}\zip.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 9286 bytes

descriptionWin32/cryptor on system EmptyRe: Win32/cryptor on system

more_horiz
Hello. This machine is infected with Koobface, and that's what's blocking internet access. It's set a proxy and needs to be removed.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {33C11E5F-A106-47E3-A352-FB8D80D4C038} - c:\windows\system32\qnogfdg.dll
    O2 - BHO: Embarq Toolbar - {4E7BD74F-2B8D-469E-92BE-BF2DFE9AAE2C} - C:\PROGRA~1\EMBARQ~1\EMBARQ~1.DLL (file missing)
    O3 - Toolbar: Embarq Toolbar - {4E7BD74F-2B8D-469E-92BE-BF2DFE9AAE2C} - C:\PROGRA~1\EMBARQ~1\EMBARQ~1.DLL (file missing)
    O20 - Winlogon Notify: lysxfltq - C:\WINDOWS\SYSTEM32\qnogfdg.dll
    O21 - SSODL: zip - {1cc0e9ae-2140-4c39-a761-84d411a77405} - C:\WINDOWS\Installer\{1cc0e9ae-2140-4c39-a761-84d411a77405}\zip.dll (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

Remove the Proxy setting in Internet explorer and/or in FireFox.

In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"

Click the apply button and restart that computer in normal mode. <-- IMPORTANT!!

After reboot, you should have internet access back.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

descriptionWin32/cryptor on system EmptyRe: Win32/cryptor on system

more_horiz
Thanks trying it now!

descriptionWin32/cryptor on system EmptyRe: Win32/cryptor on system

more_horiz
Ok here's the Malwarebytes log.

Malwarebytes' Anti-Malware 1.36
Database version: 2034
Windows 5.1.2600 Service Pack 2

4/23/2009 6:32:00 PM
mbam-log-2009-04-23 (18-32-00).txt

Scan type: Quick Scan
Objects scanned: 78177
Time elapsed: 5 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{33c11e5f-a106-47e3-a352-fb8d80d4c038} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lysxfltq (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{33c11e5f-a106-47e3-a352-fb8d80d4c038} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3aa42713-5c1e-48e2-b432-d8bf420dd31d} (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7d5dd829-6c90-42c5-b54c-2afa82f988ba} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{343ce214-9998-4b21-a151-ffe970167297} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929cd6e-2062-44a4-b2c5-2c7e78fbab38} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f31a5d11-bf0b-4a4e-90af-274f2090aaa6} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ozdriqji (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ozdriqji (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ozdriqji (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{33c11e5f-a106-47e3-a352-fb8d80d4c038} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.Data) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\qnogfdg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vxvstpv.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.Data) -> Quarantined and deleted successfully.

descriptionWin32/cryptor on system EmptyRe: Win32/cryptor on system

more_horiz

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

descriptionWin32/cryptor on system EmptyRe: Win32/cryptor on system

more_horiz
DDS (Ver_09-03-16.01) - NTFSx86
Run by Scotts at 19:15:16.84 on Thu 04/23/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.3005 [GMT -5:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\javaw.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Scotts\Desktop\dds.scr

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.dell.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: : {33c11e5f-a106-47e3-a352-fb8d80d4c038} - c:\windows\system32\qnogfdg.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
TB: {4E7BD74F-2B8D-469E-92BE-BF2DFE9AAE2C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SprintModemUpdate] javaw.exe -cp "c:\program files\motive\firmwareupdater\lib\SprintModemUpdate.jar" com.motive.firmwareUpdater.client.SprintModemUpdate
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: []
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~2\mimboot.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.com/SnapfishActivia.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: lysxfltq - qnogfdg.dll
Notify: WB - c:\progra~1\stardock\object~1\window~1\fastload.dll
AppInit_DLLs: wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 smxpvreh;smxpvreh;c:\windows\system32\drivers\smxpvreh.sys [2004-8-11 23424]
R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-2-6 93336]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2005-11-30 45440]
R3 ousb2hub;OrangeWare USB 2.0 Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2005-11-30 56960]
RUnknown SASKUTIL;SASKUTIL; [x]
S3 gel90xne;gel90xne;\??\c:\docume~1\scotts\locals~1\temp\gel90xne.sys --> c:\docume~1\scotts\locals~1\temp\gel90xne.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\drivers\netusbxp.sys [2002-2-20 72576]

=============== Created Last 30 ================

2009-04-23 18:16 --d----- c:\docume~1\scotts\applic~1\Malwarebytes
2009-04-23 18:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-23 18:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-23 18:16 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-23 18:16 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-23 16:37 --d----- c:\program files\ESET
2009-04-23 12:01 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-23 12:01 --d----- c:\program files\SUPERAntiSpyware
2009-04-23 12:01 --d----- c:\docume~1\scotts\applic~1\SUPERAntiSpyware.com
2009-04-23 11:59 --d----- c:\docume~1\scotts\applic~1\nwsymumh
2009-04-22 20:41 --d----- c:\program files\AVG
2009-04-22 20:41 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-22 20:36 --dsh--- c:\documents and settings\scotts\PrivacIE
2009-04-22 20:35 --dsh--- c:\documents and settings\scotts\IETldCache
2009-04-22 20:32 -cd-h--- c:\windows\ie8
2009-04-20 20:51 89 a------- c:\windows\wininit.ini
2009-04-18 22:08 0 a------- c:\windows\system32\nfr.assembly
2009-04-16 16:52 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-04-08 14:02 --d----- c:\program files\iPod
2009-04-08 14:02 --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-08 14:02 --d----- c:\program files\iTunes
2009-04-08 13:57 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-26 20:38 --d----- c:\docume~1\scotts\applic~1\Windows Live Writer

==================== Find3M ====================

2009-04-18 22:06 182,912 ac------ c:\windows\system32\drivers\ndis.sys
2009-03-26 15:23 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-22 23:17 2,280 ac------ c:\windows\AUTOLNCH.REG
2009-03-21 09:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 14:09 638,816 a------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09 391,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 04:41 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:39 11,063,808 a------- c:\windows\system32\dllcache\ieframe.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34 1,206,784 a------- c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-03-08 04:34 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34 109,568 a------- c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33 759,296 a------- c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\dllcache\corpol.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33 229,376 a------- c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33 125,952 a------- c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32 163,840 a------- c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32 55,808 a------- c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32 128,512 a------- c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32 94,720 a------- c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 04:32 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-03-08 04:32 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:24 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-03-08 04:11 445,952 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 09:44 283,648 -------- c:\windows\system32\pdh.dll
2009-03-06 09:44 283,648 -------- c:\windows\system32\dllcache\pdh.dll
2009-02-20 13:09 133,120 a------- c:\windows\system32\dllcache\extmgr.dll
2009-02-20 05:20 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-02-09 05:20 399,360 a------- c:\windows\system32\rpcss.dll
2009-02-09 05:20 723,456 -------- c:\windows\system32\lsasrv.dll
2009-02-09 05:20 723,456 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 05:20 399,360 -------- c:\windows\system32\dllcache\rpcss.dll
2009-02-09 05:20 714,752 -------- c:\windows\system32\ntdll.dll
2009-02-09 05:20 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-02-09 05:20 616,960 -------- c:\windows\system32\dllcache\advapi32.dll
2009-02-09 05:20 616,960 -------- c:\windows\system32\advapi32.dll
2009-02-09 05:20 473,088 -------- c:\windows\system32\dllcache\fastprox.dll
2009-02-09 05:20 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-02-09 05:19 1,846,272 -------- c:\windows\system32\win32k.sys
2009-02-09 05:19 1,846,272 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-06 21:07 3,698,584 a------- c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 12:24 2,180,480 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 12:22 2,136,064 -------- c:\windows\system32\ntoskrnl.exe
2009-02-06 12:22 2,136,064 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 12:14 110,592 -------- c:\windows\system32\services.exe
2009-02-06 12:14 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-02-06 11:54 35,328 a------- c:\windows\system32\dllcache\sc.exe
2009-02-06 11:54 35,328 -------- c:\windows\system32\sc.exe
2009-02-06 11:49 2,057,728 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 11:49 2,015,744 -------- c:\windows\system32\ntkrnlpa.exe
2009-02-06 11:49 2,015,744 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 11:39 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-02-03 15:08 55,808 a------- c:\windows\system32\secur32.dll
2009-02-03 15:08 55,808 -------- c:\windows\system32\dllcache\secur32.dll

============= FINISH: 19:16:15.35 ===============

descriptionWin32/cryptor on system EmptyRe: Win32/cryptor on system

more_horiz
Hello.
We have to go deeper, another hidden rootkit is running and it's protecting the malicious files from being deleted.

  • Download combofix from here
    Link 1
    Link 2
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (ESET Nod32)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    Win32/cryptor on system Rcauto10

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    Win32/cryptor on system Whatne10

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

descriptionWin32/cryptor on system EmptyRe: Win32/cryptor on system

more_horiz
Combo fix report part 1, Sorry I don't have a copy of WinZIp!

ComboFix 09-04-25.01 - Scotts 04/24/2009 14:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.3081 [GMT -5:00]
Running from: i:\installs\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\nfr.assembly

.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-4-24 )))))))))))))))))))))))))))))))
.

2009-04-24 12:56 . 2009-04-24 12:57 1024 ----a-w c:\windows\system32\AutoPartNt.let
2009-04-24 12:56 . 2009-04-24 12:56 1885464 ----a-w c:\windows\system32\AutoPartNt.exe
2009-04-24 12:44 . 2009-04-24 12:44 -------- d-----w c:\documents and settings\All Users\Application Data\Seagate
2009-04-24 12:44 . 2009-04-24 12:44 44384 ----a-w c:\windows\system32\drivers\tifsfilt.sys
2009-04-24 12:44 . 2009-04-24 12:44 441760 ----a-w c:\windows\system32\drivers\timntr.sys
2009-04-24 12:44 . 2009-04-24 12:44 132224 ----a-w c:\windows\system32\drivers\snapman.sys
2009-04-24 12:44 . 2009-04-24 12:44 368480 ----a-w c:\windows\system32\drivers\tdrpman.sys
2009-04-24 12:43 . 2009-04-24 12:44 -------- d-----w c:\program files\Common Files\Seagate
2009-04-24 12:43 . 2009-04-24 12:43 -------- d-----w c:\program files\Seagate
2009-04-24 12:38 . 2009-04-24 12:38 29512 ----a-w C:\WINDOWSSerifastd-black.otf
2009-04-24 12:38 . 2009-04-24 12:38 28260 ----a-w C:\WINDOWSSerifastd-lightitalic.otf
2009-04-24 12:38 . 2009-04-24 12:38 28252 ----a-w C:\WINDOWSSerifastd-italic.otf
2009-04-24 12:38 . 2009-04-24 12:38 27772 ----a-w C:\WINDOWSSerifastd-bold.otf
2009-04-24 12:38 . 2009-04-24 12:38 27452 ----a-w C:\WINDOWSSerifastd-roman.otf
2009-04-24 12:38 . 2009-04-24 12:38 27440 ----a-w C:\WINDOWSSerifastd-light.otf
2009-04-23 23:16 . 2009-04-23 23:16 -------- d-----w c:\documents and settings\Scotts\Application Data\Malwarebytes
2009-04-23 23:16 . 2009-04-23 23:16 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 22:52 . 2009-04-23 22:52 0 ----a-w c:\windows\nsreg.dat
2009-04-23 22:52 . 2009-04-23 22:52 -------- d-----w c:\documents and settings\Scotts\Local Settings\Application Data\Mozilla
2009-04-23 21:41 . 2009-04-23 21:41 -------- d-----w c:\documents and settings\Scotts\Local Settings\Application Data\ESET
2009-04-23 21:37 . 2009-04-23 21:37 -------- d-----w c:\program files\ESET
2009-04-23 21:37 . 2009-04-23 21:37 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-04-23 17:01 . 2009-04-23 17:01 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-23 17:01 . 2009-04-24 00:08 -------- d-----w c:\documents and settings\Scotts\Application Data\SUPERAntiSpyware.com
2009-04-23 17:01 . 2009-04-24 00:08 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-23 16:59 . 2009-04-23 16:59 -------- d-----w c:\documents and settings\Scotts\Local Settings\Application Data\nwsymumh
2009-04-23 16:59 . 2009-04-23 16:59 -------- d-----w c:\documents and settings\Scotts\Application Data\nwsymumh
2009-04-23 16:52 . 2009-04-23 16:52 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-23 01:41 . 2009-04-23 21:31 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-23 01:41 . 2009-04-23 01:41 -------- d-----w c:\program files\AVG
2009-04-23 01:36 . 2009-04-23 01:36 -------- d-sh--w c:\documents and settings\Scotts\PrivacIE
2009-04-23 01:35 . 2009-04-23 01:35 -------- d-sh--w c:\documents and settings\Scotts\IETldCache
2009-04-23 01:32 . 2009-04-23 01:32 -------- dc-h--w c:\windows\ie8
2009-04-21 01:51 . 2009-04-21 01:51 89 ----a-w c:\windows\wininit.ini
2009-04-16 21:53 . 2009-03-06 14:44 283648 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 21:53 . 2009-02-09 10:20 399360 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 21:53 . 2009-02-09 10:20 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 21:53 . 2009-02-06 17:14 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 21:53 . 2009-02-06 16:39 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 21:53 . 2005-07-26 04:39 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-16 21:53 . 2009-02-09 10:20 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 21:53 . 2009-02-09 10:20 616960 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 21:53 . 2009-02-09 10:20 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 21:52 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-08 19:02 . 2009-04-08 19:02 -------- d-----w c:\program files\iPod
2009-04-08 19:02 . 2009-04-08 19:02 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-08 19:02 . 2009-04-08 19:02 -------- d-----w c:\program files\iTunes
2009-04-08 18:57 . 2009-03-26 20:23 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-27 01:38 . 2009-03-27 01:38 -------- d-----w c:\documents and settings\Scotts\Application Data\Windows Live Writer

.

descriptionWin32/cryptor on system EmptyRe: Win32/cryptor on system

more_horiz
Combofix part 2.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-24 14:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

- - - - - - - > 'lsass.exe'(948)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(5856)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2009-04-24 14:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-24 19:53

Pre-Run: 438,269,075,456 bytes free
Post-Run: 445,424,709,632 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

308 --- E O F --- 2009-04-17 08:04

descriptionWin32/cryptor on system EmptyRe: Win32/cryptor on system

more_horiz
Hello.
There's a lot missing from the log file, please post all of it.

descriptionWin32/cryptor on system EmptyRe: Win32/cryptor on system

more_horiz
Part 1

ComboFix 09-04-25.01 - Scotts 04/24/2009 14:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.3081 [GMT -5:00]
Running from: i:\installs\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\nfr.assembly

.
((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-4-24 )))))))))))))))))))))))))))))))
.

2009-04-24 12:56 . 2009-04-24 12:57 1024 ----a-w c:\windows\system32\AutoPartNt.let
2009-04-24 12:56 . 2009-04-24 12:56 1885464 ----a-w c:\windows\system32\AutoPartNt.exe
2009-04-24 12:44 . 2009-04-24 12:44 -------- d-----w c:\documents and settings\All Users\Application Data\Seagate
2009-04-24 12:44 . 2009-04-24 12:44 44384 ----a-w c:\windows\system32\drivers\tifsfilt.sys
2009-04-24 12:44 . 2009-04-24 12:44 441760 ----a-w c:\windows\system32\drivers\timntr.sys
2009-04-24 12:44 . 2009-04-24 12:44 132224 ----a-w c:\windows\system32\drivers\snapman.sys
2009-04-24 12:44 . 2009-04-24 12:44 368480 ----a-w c:\windows\system32\drivers\tdrpman.sys
2009-04-24 12:43 . 2009-04-24 12:44 -------- d-----w c:\program files\Common Files\Seagate
2009-04-24 12:43 . 2009-04-24 12:43 -------- d-----w c:\program files\Seagate
2009-04-24 12:38 . 2009-04-24 12:38 29512 ----a-w C:\WINDOWSSerifastd-black.otf
2009-04-24 12:38 . 2009-04-24 12:38 28260 ----a-w C:\WINDOWSSerifastd-lightitalic.otf
2009-04-24 12:38 . 2009-04-24 12:38 28252 ----a-w C:\WINDOWSSerifastd-italic.otf
2009-04-24 12:38 . 2009-04-24 12:38 27772 ----a-w C:\WINDOWSSerifastd-bold.otf
2009-04-24 12:38 . 2009-04-24 12:38 27452 ----a-w C:\WINDOWSSerifastd-roman.otf
2009-04-24 12:38 . 2009-04-24 12:38 27440 ----a-w C:\WINDOWSSerifastd-light.otf
2009-04-23 23:16 . 2009-04-23 23:16 -------- d-----w c:\documents and settings\Scotts\Application Data\Malwarebytes
2009-04-23 23:16 . 2009-04-23 23:16 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-23 22:52 . 2009-04-23 22:52 0 ----a-w c:\windows\nsreg.dat
2009-04-23 22:52 . 2009-04-23 22:52 -------- d-----w c:\documents and settings\Scotts\Local Settings\Application Data\Mozilla
2009-04-23 21:41 . 2009-04-23 21:41 -------- d-----w c:\documents and settings\Scotts\Local Settings\Application Data\ESET
2009-04-23 21:37 . 2009-04-23 21:37 -------- d-----w c:\program files\ESET
2009-04-23 21:37 . 2009-04-23 21:37 -------- d-----w c:\documents and settings\All Users\Application Data\ESET
2009-04-23 17:01 . 2009-04-23 17:01 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-23 17:01 . 2009-04-24 00:08 -------- d-----w c:\documents and settings\Scotts\Application Data\SUPERAntiSpyware.com
2009-04-23 17:01 . 2009-04-24 00:08 -------- d-----w c:\program files\SUPERAntiSpyware
2009-04-23 16:59 . 2009-04-23 16:59 -------- d-----w c:\documents and settings\Scotts\Local Settings\Application Data\nwsymumh
2009-04-23 16:59 . 2009-04-23 16:59 -------- d-----w c:\documents and settings\Scotts\Application Data\nwsymumh
2009-04-23 16:52 . 2009-04-23 16:52 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-04-23 01:41 . 2009-04-23 21:31 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-23 01:41 . 2009-04-23 01:41 -------- d-----w c:\program files\AVG
2009-04-23 01:36 . 2009-04-23 01:36 -------- d-sh--w c:\documents and settings\Scotts\PrivacIE
2009-04-23 01:35 . 2009-04-23 01:35 -------- d-sh--w c:\documents and settings\Scotts\IETldCache
2009-04-23 01:32 . 2009-04-23 01:32 -------- dc-h--w c:\windows\ie8
2009-04-21 01:51 . 2009-04-21 01:51 89 ----a-w c:\windows\wininit.ini
2009-04-16 21:53 . 2009-03-06 14:44 283648 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 21:53 . 2009-02-09 10:20 399360 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 21:53 . 2009-02-09 10:20 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 21:53 . 2009-02-06 17:14 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 21:53 . 2009-02-06 16:39 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe

descriptionWin32/cryptor on system EmptyRe: Win32/cryptor on system

more_horiz
2009-04-16 21:53 . 2005-07-26 04:39 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-16 21:53 . 2009-02-09 10:20 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 21:53 . 2009-02-09 10:20 616960 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 21:53 . 2009-02-09 10:20 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 21:52 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-08 19:02 . 2009-04-08 19:02 -------- d-----w c:\program files\iPod
2009-04-08 19:02 . 2009-04-08 19:02 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-08 19:02 . 2009-04-08 19:02 -------- d-----w c:\program files\iTunes
2009-04-08 18:57 . 2009-03-26 20:23 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-27 01:38 . 2009-03-27 01:38 -------- d-----w c:\documents and settings\Scotts\Application Data\Windows Live Writer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-23 12:10 . 2005-08-26 19:22 -------- d-----w c:\program files\LimeWire
2009-04-22 03:13 . 2008-11-14 04:18 -------- d-----w c:\program files\Windows Live Toolbar
2009-04-22 03:13 . 2006-09-28 01:35 -------- d-----w c:\program files\QuickTime
2009-04-22 02:43 . 2005-08-31 01:03 -------- d-----w c:\program files\DivX
2009-04-22 02:39 . 2007-04-20 00:41 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-22 02:39 . 2007-04-20 00:41 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-20 00:19 . 2005-08-31 01:03 -------- d-----w c:\program files\Google
2009-04-20 00:18 . 2007-05-23 19:10 -------- d-----w c:\program files\Coupons
2009-04-19 03:06 . 2004-08-11 22:00 213376 -c--a-w c:\windows\system32\drivers\ndis.sys
2009-04-08 19:02 . 2008-11-09 02:15 -------- d-----w c:\program files\Common Files\Apple
2009-04-08 19:00 . 2008-04-15 19:21 -------- d-----w c:\program files\Bonjour
2009-04-08 18:50 . 2008-11-27 23:58 -------- d-----w c:\program files\Safari
2009-03-26 20:23 . 2008-11-09 02:16 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-23 04:17 . 2005-08-27 02:36 2280 -c--a-w c:\windows\AUTOLNCH.REG
2009-03-21 14:18 . 2006-07-05 10:55 986112 ------w c:\windows\system32\dllcache\kernel32.dll
2009-03-19 21:32 . 2006-09-19 20:44 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-08 19:09 . 2007-08-14 00:43 638816 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-03-08 19:09 . 2007-08-14 00:39 391536 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 09:41 . 2006-05-19 15:08 5937152 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-03-08 09:39 . 2007-10-10 23:55 11063808 ----a-w c:\windows\system32\dllcache\ieframe.dll
2009-03-08 09:34 . 2006-05-10 05:23 914944 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-08 09:34 . 2004-08-11 22:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2006-05-10 05:23 1206784 ----a-w c:\windows\system32\dllcache\urlmon.dll
2009-03-08 09:34 . 2007-08-14 00:54 236544 ----a-w c:\windows\system32\dllcache\webcheck.dll
2009-03-08 09:34 . 2004-08-11 22:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:34 . 2004-08-11 22:00 43008 ----a-w c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 09:34 . 2007-08-14 00:44 105984 ----a-w c:\windows\system32\dllcache\url.dll
2009-03-08 09:34 . 2007-08-14 00:44 109568 ----a-w c:\windows\system32\dllcache\occache.dll
2009-03-08 09:34 . 2006-05-10 05:23 193536 ----a-w c:\windows\system32\dllcache\msrating.dll
2009-03-08 09:33 . 2006-09-18 14:15 759296 ----a-w c:\windows\system32\dllcache\VGX.dll
2009-03-08 09:33 . 2004-08-11 22:00 18944 ----a-w c:\windows\system32\dllcache\corpol.dll
2009-03-08 09:33 . 2004-08-11 22:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2004-08-11 22:00 25600 ----a-w c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 09:33 . 2006-05-18 05:24 726528 ----a-w c:\windows\system32\dllcache\jscript.dll
2009-03-08 09:33 . 2004-08-11 22:00 229376 ----a-w c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 09:33 . 2007-08-14 00:54 420352 ----a-w c:\windows\system32\dllcache\vbscript.dll
2009-03-08 09:33 . 2004-08-11 22:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:33 . 2004-08-11 22:00 125952 ----a-w c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 09:32 . 2004-08-11 22:00 72704 ----a-w c:\windows\system32\dllcache\admparse.dll
2009-03-08 09:32 . 2004-08-11 22:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2007-08-14 00:39 173056 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 09:32 . 2004-08-11 22:00 163840 ----a-w c:\windows\system32\dllcache\ieakui.dll
2009-03-08 09:32 . 2004-08-11 22:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:32 . 2004-08-11 22:00 71680 ----a-w c:\windows\system32\dllcache\iesetup.dll
2009-03-08 09:32 . 2004-08-11 22:00 55808 ----a-w c:\windows\system32\dllcache\iernonce.dll
2009-03-08 09:32 . 2007-08-14 00:39 128512 ----a-w c:\windows\system32\dllcache\advpack.dll
2009-03-08 09:32 . 2004-08-11 22:00 94720 ----a-w c:\windows\system32\dllcache\inseng.dll
2009-03-08 09:32 . 2007-10-10 23:55 594432 ----a-w c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 09:32 . 2007-10-10 23:55 1985024 ----a-w c:\windows\system32\dllcache\iertutil.dll
2009-03-08 09:32 . 2004-08-11 22:00 611840 ----a-w c:\windows\system32\dllcache\mstime.dll
2009-03-08 09:24 . 2004-08-11 22:12 68608 ----a-w c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 09:22 . 2007-08-14 00:54 156160 ----a-w c:\windows\system32\dllcache\msls31.dll
2009-03-08 09:22 . 2004-08-11 22:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-08 09:11 . 2007-10-10 23:55 445952 ----a-w c:\windows\system32\dllcache\ieapfltr.dll
2009-03-07 16:41 . 2005-08-26 18:49 92000 -c--a-w c:\documents and settings\Scotts\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-06 14:44 . 2004-08-11 22:00 283648 ------w c:\windows\system32\pdh.dll
2009-02-26 09:07 . 2008-08-08 19:48 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-20 18:09 . 2004-08-11 22:00 133120 ----a-w c:\windows\system32\dllcache\extmgr.dll
2009-02-20 10:20 . 2007-10-10 10:59 13824 ------w c:\windows\system32\dllcache\ieudinit.exe
2009-02-09 10:20 . 2006-08-17 12:28 723456 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-02-09 10:20 . 2004-08-11 22:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-11 22:00 723456 ------w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-11 22:00 714752 ------w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2004-08-11 22:00 616960 ------w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2007-03-08 13:47 1846272 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 10:19 . 2004-08-11 22:00 1846272 ------w c:\windows\system32\win32k.sys
2009-02-07 02:07 . 2007-07-01 03:31 3698584 ----a-w c:\windows\system32\dllcache\ieapfltr.dat
2009-02-06 17:24 . 2006-12-19 14:17 2180480 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-02-06 17:22 . 2006-12-19 14:15 2136064 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-02-06 17:22 . 2004-08-11 22:00 2136064 ------w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2004-08-11 22:00 110592 ------w c:\windows\system32\services.exe
2009-02-06 16:54 . 2004-08-11 22:00 35328 ----a-w c:\windows\system32\dllcache\sc.exe
2009-02-06 16:54 . 2004-08-11 22:00 35328 ------w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2006-12-19 12:55 2015744 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-02-06 16:49 . 2006-12-19 12:55 2057728 ------w c:\windows\system32\dllcache\ntkrnlpa.exe
2009-02-06 16:49 . 2004-08-04 03:59 2015744 ------w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2009-02-03 20:08 55808 ------w c:\windows\system32\dllcache\secur32.dll
2009-02-03 20:08 . 2004-08-11 22:00 55808 ----a-w c:\windows\system32\secur32.dll
2008-10-14 19:24 . 2008-10-14 19:24 129 -c--a-w c:\documents and settings\Scotts\Local Settings\Application Data\fusioncache.dat
.

descriptionWin32/cryptor on system EmptyRe: Win32/cryptor on system

more_horiz
------- Sigcheck -------

[-] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\ndis.sys
[-] 2009-04-19 03:06 213376 29CB83D1A129D983B6B5135DA6A72EA5 c:\windows\system32\dllcache\ndis.sys
[-] 2009-04-19 03:06 213376 29CB83D1A129D983B6B5135DA6A72EA5 c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33C11E5F-A106-47E3-A352-FB8D80D4C038}]
2004-08-04 10:00 103424 ----a-w c:\windows\system32\qnogfdg.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2008-06-25 1325848]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2008-06-25 904768]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2008-06-25 136472]
"SprintModemUpdate"="javaw.exe" - c:\windows\system32\javaw.exe [2003-11-19 28779]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2004-04-26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 05:34 24576 ----a-w c:\progra~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lysxfltq]
2004-08-04 10:00 103424 ----a-w c:\windows\system32\qnogfdg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll
"aux"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SoftStuff Wallpaper Changer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SoftStuff Wallpaper Changer.lnk
backup=c:\windows\pss\SoftStuff Wallpaper Changer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Sprint virtual assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Sprint virtual assistant.lnk
backup=c:\windows\pss\Sprint virtual assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Scotts^Start Menu^Programs^Startup^SoftStuff Wallpaper Changer.lnk]
path=c:\documents and settings\Scotts\Start Menu\Programs\Startup\SoftStuff Wallpaper Changer.lnk
backup=c:\windows\pss\SoftStuff Wallpaper Changer.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\LucasArts\\SWKotOR\\swupdate.exe"=
"c:\\Program Files\\Macromedia\\Flash MX\\Flash.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R3 gel90xne;gel90xne; [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
R3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;c:\windows\system32\DRIVERS\netusbxp.sys [2002-02-20 72576]
S0 smxpvreh;smxpvreh;c:\windows\system32\drivers\smxpvreh.sys [2004-08-04 23424]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-02-06 106208]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2009-02-06 93336]
S2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-02-06 727720]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\Drivers\ousbehci.sys [2005-06-15 45440]
S2 SgtSch2Svc;Seagate Scheduler2 Service;c:\program files\Common Files\Seagate\Schedule2\schedul2.exe [2008-06-25 431384]
S3 ousb2hub;OrangeWare USB 2.0 Hub Support;c:\windows\system32\DRIVERS\ousb2hub.sys [2005-06-15 56960]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ozdriqji

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-04-24 c:\windows\Tasks\At1.job
- c:\windows\system32\qnogfdg.dll [2004-08-11 10:00]

2009-04-24 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 17:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKLM-Run-MimBoot - c:\progra~1\MUSICM~1\MUSICM~2\mimboot.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-24 14:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(888)
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

- - - - - - - > 'lsass.exe'(948)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(5856)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2009-04-24 14:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-24 19:53

Pre-Run: 438,269,075,456 bytes free
Post-Run: 445,424,709,632 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

308 --- E O F --- 2009-04-17 08:04

descriptionWin32/cryptor on system EmptyRe: Win32/cryptor on system

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum