How to remove Win32/Crptor and Trojan horse Generic13. ATPH virus


How to remove Win32/Crptor and Trojan horse Generic13. ATPH virus

Post by alvinchaudary on Sun Jun 21, 2009 11:33 pm

My laptop has got the Win32/Crptor virus. AVG's resident shield alert showed multiple threat detection. The complete list of threats is listed below. I tried installing and running Spybot and Malwarebyte Anti Malware but both didn't install properly or work. This virus is also blocking me from visiting other virus help webpages. Can anyone tell me how do I get rid of this. PLEASE NOTE THAT I AM UNABLE TO POST ALL THE VIRUS DESCRIPTION AS I GET "The posted message is too big" MESSAGE FROM THIS POSTING TOOL.

"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\taskeng.exe";"Virus found Win32/Heur";"Object is white-listed (critical/system file that should not be removed)"
"C:\Windows\System32\taskeng.exe";"Virus found Win32/Heur";"Object is white-listed (critical/system file that should not be removed)"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\taskeng.exe";"Virus found Win32/Heur";"Object is white-listed (critical/system file that should not be removed)"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACvxiqpwiopwfobctif.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\UACqerqdkkaepcbjugcd.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\taskeng.exe";"Virus found Win32/Heur";"Object is white-listed (critical/system file that should not be removed)"

alvinchaudary
Novice

Posts : 8
Joined : 2009-06-21
Gender : Male
OS : Vista Home Premium
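The AVG export pasted above is one line per detection event, so the same six files appear over and over. Here is an added example (not part of the post and not AVG's own tooling) that parses that three-field `"path";"detection";"status"` format, collapses it to one row per file with a hit count, and pulls out the entries AVG flagged but refused to remove. The field layout is inferred from the lines in the post; the sample text is a subset of those lines, copied with the repeats left in.

```python
"""Summarize an AVG resident-shield export of the form "path";"detection";"status".

Added example: the field layout is assumed from the post's lines; the sample
below is copied from the post (a subset, repeats included) so the dedup is visible.
"""
import csv
from collections import Counter, OrderedDict
from io import StringIO

# Constructed sample: six lines taken from the post above.
SAMPLE = r'''"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
"C:\Windows\System32\UACcedjydweuiipsoxwv.dll";"Virus found Win32/Cryptor";"Infected"
"C:\Windows\System32\SKYNETjipfssoi.dll";"Virus identified Packed.Rolex";"Infected"
"C:\Windows\System32\taskeng.exe";"Virus found Win32/Heur";"Object is white-listed (critical/system file that should not be removed)"
"C:\Windows\System32\UACbarsmcxnceluvcgwh.dll";"Trojan horse Generic13.ATPH";"Infected"
'''

WHITELIST_PREFIX = 'Object is white-listed'


def summarize(export_text):
    """Return an ordered mapping path -> {'detection', 'status', 'hits'}.

    Order of first appearance is kept so the summary reads like the export.
    """
    summary = OrderedDict()
    # The export is semicolon-separated with every field double-quoted; the csv
    # module handles the quoting so backslashes in paths are left alone.
    for row in csv.reader(StringIO(export_text), delimiter=';', quotechar='"'):
        if len(row) != 3:
            continue  # blank or truncated line
        path, detection, status = row
        entry = summary.setdefault(
            path, {'detection': detection, 'status': status, 'hits': 0})
        entry['hits'] += 1
    return summary


def whitelisted(summary):
    """Paths AVG detected but left alone because it considers them system files."""
    return [p for p, e in summary.items() if e['status'].startswith(WHITELIST_PREFIX)]


def by_detection(summary):
    """Count of distinct files per detection name."""
    return Counter(e['detection'] for e in summary.values())


def total_hits(summary):
    """Number of raw detection events the export contained."""
    return sum(e['hits'] for e in summary.values())


if __name__ == '__main__':
    s = summarize(SAMPLE)
    for path, e in s.items():
        print(f"{e['hits']:3d}x  {e['detection']:<32} {path}  [{e['status']}]")
    print('whitelisted but flagged:', whitelisted(s))
    print('files per detection:', dict(by_detection(s)))
```

Run it as a script to see the collapsed table; the whitelisted list is the part worth reading first, since a system binary that trips a heuristic but is protected from cleanup (here `taskeng.exe`) is exactly what a helper later in the thread picks up on as a sign of a file infector.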

Re: How to remove Win32/Crptor and Trojan horse Generic13. ATPH virus

Post by Origin on Mon Jun 22, 2009 1:50 am

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master

Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3

Re: How to remove Win32/Crptor and Trojan horse Generic13. ATPH virus

Post by alvinchaudary on Mon Jun 22, 2009 2:03 am

Hello Origin, I have done as you instructed. Please refer below for the logfile. The file is too big, hence I have broken it down.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:13 AM, on 22/06/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal


Part One

Running processes:

C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hewlett-Packard\Media\TV\TVAgent.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe
C:\Windows\ehome\ehtray.exe
C:\Users\Alvin\AppData\Roaming\Google\Google Talk\googletalk.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\FeedReader\feedreader.exe
C:\Users\Alvin\Alvin.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Qlock\qlock.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\CometBird\CometBird.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: ExcellentAdDisplay - {F31C8969-83E7-A513-2E11-CB6D1837C2CB} - (no file)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll


Re: How to remove Win32/Crptor and Trojan horse Generic13. ATPH virus

Post by alvinchaudary on Mon Jun 22, 2009 2:04 am

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDAgent] "C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe"
O4 - HKLM\..\Run: [TSMAgent] "C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
O4 - HKLM\..\Run: [CLMLServer for HP TouchSmart] "C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
O4 - HKLM\..\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TVAgent] "C:\Program Files\Hewlett-Packard\Media\TV\TVAgent.exe"
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ParetoLogic Anti-Virus PLUS] "C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.lnk" -NM -hidesplash
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [googletalk] C:\Users\Alvin\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [feedreader.exe] C:\Program Files\FeedReader\feedreader.exe
O4 - HKCU\..\Run: [Windows Logon Applicationedc] C:\Users\Alvin\winlogon.exe
O4 - HKCU\..\Run: [Alvin] C:\Users\Alvin\Alvin.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2117792544-3320843113-4162926766-1004\..\Run: [HPADVISOR] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN (User 'Rohit')
O4 - Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &D&ownload &with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP Premium\dapextie.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP Premium\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - [You must be registered and logged in to see this link.] Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_805f33de\aestsrv.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: @comres.dll,-947 (COMSysApp) - Unknown owner - C:\Windows\system32\dllhost.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate1c9c40aeab96398) (gupdate1c9c40aeab96398) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_805f33de\STacSV.exe
O23 - Service: TV Background Capture Service (TVBCS) (TVCapSvc) - Unknown owner - C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
O23 - Service: TV Task Scheduler (TVTS) (TVSched) - Unknown owner - C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe

--
End of file - 15856 bytes


Re: How to remove Win32/Crptor and Trojan horse Generic13. ATPH virus

Post by Origin on Mon Jun 22, 2009 2:12 am

WildTangent is a game software driver; some HP laptops come with it so users can play games, but if no games are installed, uninstall the WildTangent Web Driver.

WildTangent uses pop-unders (not exactly pop-ups, but they both behave the same way).

The pop-unders themselves may not be malicious, but this is considered adware, and clicking any pop-under leads the user to god knows where.

Please read here for more information about [You must be registered and logged in to see this link.]. It is your choice whether to remove it or not.

If you choose to follow my advice, please follow these instructions.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • WildTangent Web Driver

  • Open HijackThis.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O1 - Hosts: ::1 localhost
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.3.2.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: ExcellentAdDisplay - {F31C8969-83E7-A513-2E11-CB6D1837C2CB} - (no file)
    O8 - Extra context menu item: &D&ownload &with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - [You must be registered and logged in to see this link.] Files\BitComet\BitComet.exe/AddAllLink.htm
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - [You must be registered and logged in to see this link.] Files\BitComet\tools\BitCometBHO_1.3.3.2.dll/206 (file missing)

  • Press "Fix Checked"
  • Close Hijack This.

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Mcafee)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.




Re: How to remove Win32/Crptor and Trojan horse Generic13. ATPH virus

Post by alvinchaudary on Mon Jun 22, 2009 6:25 am

Hello, I carried out the steps you outlined. I got this error message. Please help!

---------------------------
Error
---------------------------
!! ALERT !! It is NOT SAFE to continue!

The contents of the ComboFix package has been compromised.

Please download a fresh copy from:

[You must be registered and logged in to see this link.]

Note: You may be infected with a file patching virus 'Virut'
---------------------------
OK
---------------------------


Re: How to remove Win32/Crptor and Trojan horse Generic13. ATPH virus

Post by Belahzur on Mon Jun 22, 2009 12:38 pm

Yep, looks like Virut to me.
AVG also shows taskeng.exe as infected.

I'm afraid I have bad news.

Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a format and clean install, or destructive recovery if you have an OEM recovery partition, is the best way to clean the infection and it is the best and safest way to return the machine to its normal working state.

Back up all your documents and important items (personal data, work documents, etc) only. DO NOT back up any executable files (software) or screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

Also, avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.

Recent variants also modify htm, html, asp and php files.

Do not back up to another machine, as it may become compromised. Burn to DVD/CD, or to an external drive which has nothing else on it, and which you can format should it happen to become infected from the backups.


For more information, please see [You must be registered and logged in to see this link.]

Instructions on how to format and reinstall Windows can be found [You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
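The backup rules in the post above (documents only; no .exe or .scr; no archives carrying .exe or .scr members; treat htm/html/asp/php as suspect) are easy to get wrong by hand across a whole user profile. Here is an added example, not the forum's or any vendor's code, that walks a directory tree and sorts every file into copy / review / exclude according to those rules. It builds its own throwaway sample profile so it runs offline; only zip archives are inspected (cab and rar would need extra libraries), and the bucket names and file names are assumptions.

```python
"""Plan a 'documents only' backup from a machine with a file infector on it.

Added example. Rules follow the post above: exclude .exe/.scr, exclude zip
archives that contain .exe/.scr members, flag htm/html/asp/php for review,
copy everything else. Only zip is inspected; cab/rar are not handled here.
"""
import os
import tempfile
import zipfile
from pathlib import Path

INFECTABLE = {'.exe', '.scr'}                 # the infector appends itself to these
REVIEW = {'.htm', '.html', '.asp', '.php'}    # recent variants modify these
ARCHIVES = {'.zip'}                           # assumption: only zip is inspected


def archive_has_infectable(path):
    """True if a zip archive contains any .exe/.scr member, at any depth."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(Path(name).suffix.lower() in INFECTABLE
                       for name in zf.namelist())
    except zipfile.BadZipFile:
        return True  # unreadable archive: exclude rather than guess


def classify(path):
    """Return 'exclude', 'review' or 'copy' for a single file."""
    suffix = Path(path).suffix.lower()
    if suffix in INFECTABLE:
        return 'exclude'
    if suffix in ARCHIVES and archive_has_infectable(path):
        return 'exclude'
    if suffix in REVIEW:
        return 'review'
    return 'copy'


def plan_backup(root):
    """Walk root; return {'copy': [...], 'review': [...], 'exclude': [...]}.

    Paths are relative to root with forward slashes, sorted, so the plan is
    stable and can be diffed against a later run.
    """
    plan = {'copy': [], 'review': [], 'exclude': []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            plan[classify(full)].append(rel)
    for bucket in plan.values():
        bucket.sort()
    return plan


def build_sample_tree():
    """Constructed sample profile in a temp dir; returns its path.

    File contents are placeholders (the 'MZ' prefix only marks them as
    stand-ins for executables); classification is by extension and archive
    member names, not by content.
    """
    root = tempfile.mkdtemp(prefix='backup_demo_')
    docs = Path(root, 'Documents')
    docs.mkdir()
    (docs / 'thesis.docx').write_bytes(b'placeholder document')
    (docs / 'notes.txt').write_text('remember to back up')
    (docs / 'site.html').write_text('<html></html>')
    (Path(root) / 'Alvin.exe').write_bytes(b'MZ placeholder')
    (Path(root) / 'beach.scr').write_bytes(b'MZ placeholder')
    with zipfile.ZipFile(Path(root, 'photos.zip'), 'w') as zf:
        zf.writestr('holiday/img1.jpg', b'\xff\xd8')        # harmless archive
    with zipfile.ZipFile(Path(root, 'tools.zip'), 'w') as zf:
        zf.writestr('tools/setup.exe', b'MZ placeholder')   # archive hiding an .exe
    return root


if __name__ == '__main__':
    sample_root = build_sample_tree()
    for bucket, items in plan_backup(sample_root).items():
        print(f'{bucket:8s}', items)
```

Point it at a real profile by calling `plan_backup(r'C:\Users\<name>')` instead of the sample tree and copy only the `copy` bucket to the external medium; anything in `review` gets looked at by hand, and the `exclude` list is the record of what was deliberately left behind.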

Re: How to remove Win32/Crptor and Trojan horse Generic13. ATPH virus

Post by alvinchaudary on Mon Jun 22, 2009 10:38 pm

Hi,

My laptop came with pre-installed Windows Vista Home Premium OS. I don't have the OS disk. However, there is drive D labelled "Recovery". How do I format the hard drive?


Re: How to remove Win32/Crptor and Trojan horse Generic13. ATPH virus

Post by Belahzur on Mon Jun 22, 2009 11:36 pm

Not sure if recovery would work since it's not a recovery we want.
Does this Vista come with a restore to factory default setting?





Re: How to remove Win32/Crptor and Trojan horse Generic13. ATPH virus

Post by alvinchaudary on Mon Jun 22, 2009 11:54 pm

I checked the system restore properties. The check box next to Local Disk was ticked but there is no last restore point. The check box next to Recovery is unchecked. What do I do? Isn't the purpose of the recovery drive to help in formatting the hard drive?

