Can't remove Virus Win32/Cryptor


Can't remove Virus Win32/Cryptor

Post by Thebeast28 on Wed Jan 13, 2010 1:44 am

I recently got hit by the Win32/Cryptor virus. Every time I start up my computer AVG 9.0 says virus infected Win32/Cryptor C:\WINDOWS\system32\anuehcy.dll. It shows me this one every time I start up my computer. AVG won't let me delete it; it just keeps coming back. I tried every program to get rid of it: Spybot Search and Destroy, Ad-Aware 6.0, SUPERAntiSpyware Professional, AVP 2009, SpyHunter, and Spyware Doctor. None of them got rid of the virus. Then I did a scan with Malwarebytes' Anti-Malware and it found the same file as AVG 9.0, c:\WINDOWS\system32\anuehcy.dll. I deleted it, then restarted my computer, but AVG 9.0 still says I am infected with the virus Win32/Cryptor C:\WINDOWS\system32\anuehcy.dll. I also have the problem that when I go to search something on Google it takes me to a totally different site. I was wondering if it had anything to do with the Win32/Cryptor virus that I have. I tried everything I know to do; I don't know anything else to do. I hope someone can help me get rid of this virus. Here is the log from Malwarebytes' Anti-Malware:

Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

01/11/2010 8:00:11 AM
mbam-log-2010-01-11 (08-00-11).txt

Scan type: Quick Scan
Objects scanned: 138233
Time elapsed: 1 hour(s), 47 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a6022701-b95d-48cb-a9e8-85f2a3086c61} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wpxilubt (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{a6022701-b95d-48cb-a9e8-85f2a3086c61} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\anuehcy.dll (Trojan.Vundo.H) -> Delete on reboot


Re: Can't remove Virus Win32/Cryptor

Post by Dr Jay on Wed Jan 13, 2010 9:05 am

Please visit this webpage for instructions for downloading and running ComboFix:

[You must be registered and logged in to see this link.]

Post the log from ComboFix when you've accomplished that.


Dr. Jay (DJ)




log from Combofix

Post by Thebeast28 on Wed Jan 13, 2010 10:42 pm

ComboFix 10-01-13.06 - Jonathan Murray 01/13/2010 16:07:36.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.145 [GMT -5:00]
Running from: c:\program files\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Jonathan Murray\Application Data\inst.exe
c:\documents and settings\Jonathan Murray\Application Data\Mozilla\Firefox\Profiles\2tis2day.default\extensions\{dacad72b-3c87-4ed4-97b7-f49158fc2de7}
c:\documents and settings\Jonathan Murray\Application Data\Mozilla\Firefox\Profiles\2tis2day.default\extensions\{dacad72b-3c87-4ed4-97b7-f49158fc2de7}\chrome.manifest
c:\documents and settings\Jonathan Murray\Application Data\Mozilla\Firefox\Profiles\2tis2day.default\extensions\{dacad72b-3c87-4ed4-97b7-f49158fc2de7}\chrome\xulcache.jar
c:\documents and settings\Jonathan Murray\Application Data\Mozilla\Firefox\Profiles\2tis2day.default\extensions\{dacad72b-3c87-4ed4-97b7-f49158fc2de7}\defaults\preferences\xulcache.js
c:\documents and settings\Jonathan Murray\Application Data\Mozilla\Firefox\Profiles\2tis2day.default\extensions\{dacad72b-3c87-4ed4-97b7-f49158fc2de7}\install.rdf
C:\Logo.sys
c:\windows\cdmxtras
c:\windows\Fonts\acrsec.fon
c:\windows\INET.reg
c:\windows\jestertb.dll
c:\windows\system32\2DECI.INF
c:\windows\system32\3F3E3J9D0F1.INF
c:\windows\system32\3H8J7J3G.INF
c:\windows\system32\anuehcy.dll
c:\windows\system32\C8D0H3F8J2.INF
c:\windows\system32\Cache
c:\windows\system32\cache329
c:\windows\system32\cache329\B_329_0_0_106800.htm
c:\windows\system32\cache329\B_329_0_0_107400.htm
c:\windows\system32\cache329\B_329_1_0_449200.gif
c:\windows\system32\cache329\B_329_1_0_449600.gif
c:\windows\system32\cache329\B_329_1_0_454300.gif
c:\windows\system32\cache329\B_329_2_0_105300.htm
c:\windows\system32\cache329\B_329_2_0_106800.htm
c:\windows\system32\cache329\B_329_2_0_107400.htm
c:\windows\system32\cache329\B_329_3_0_105300.htm
c:\windows\system32\cache329\B_329_3_0_106800.htm
c:\windows\system32\cache329\B_329_3_0_107400.htm
c:\windows\system32\cache329\B_329_4_0_111600.htm
c:\windows\system32\cache329\B_329_4_0_152400.htm
c:\windows\system32\cache329\B_329_4_0_155300.htm
c:\windows\system32\cache329\B_329_4_0_164100.htm
c:\windows\system32\cache329\t_B_329_0_0_106800.htm
c:\windows\system32\cache329\t_B_329_0_0_107400.htm
c:\windows\system32\cache329\t_B_329_2_0_105300.htm
c:\windows\system32\cache329\t_B_329_2_0_106800.htm
c:\windows\system32\cache329\t_B_329_2_0_107400.htm
c:\windows\system32\cache329\t_B_329_3_0_105300.htm
c:\windows\system32\cache329\t_B_329_3_0_106800.htm
c:\windows\system32\cache329\t_B_329_3_0_107400.htm
c:\windows\system32\cache329\t_B_329_4_0_111600.htm
c:\windows\system32\cache329\t_B_329_4_0_152400.htm
c:\windows\system32\cache329\t_B_329_4_0_155300.htm
c:\windows\system32\cache329\t_B_329_4_0_164100.htm
c:\windows\system32\drivers\ggqxyxww.sys
c:\windows\system32\drivers\vgiibibs.sys
c:\windows\system32\I6D4.INF
c:\windows\system32\kungsfbnngsrhv.dat
c:\windows\system32\kungsflog.dat
c:\windows\system32\nhbonqc.dll
c:\windows\system32\ovzckqsh.dll
c:\windows\system32\uactmp.db
c:\windows\system32\Ultra.dll
c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GGQXYXWW
-------\Service_ggqxyxww


((((((((((((((((((((((((( Files Created from 2009-12-13 to 2010-01-13 )))))))))))))))))))))))))))))))
.

2010-01-13 20:05 . 2010-01-13 20:05 3823771 ----a-r- c:\program files\ComboFix.exe
2010-01-13 02:56 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-11 04:40 . 2009-11-10 15:26 767952 ----a-w- c:\windows\BDTSupport.dll
2010-01-11 04:40 . 2009-11-10 15:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-01-11 04:40 . 2009-11-10 15:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-01-11 04:40 . 2009-11-10 15:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2010-01-11 04:40 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip
2010-01-11 04:40 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
2010-01-11 04:04 . 2010-01-11 04:08 34628432 ----a-w- c:\program files\sdsetup.exe
2010-01-10 23:40 . 2010-01-10 23:40 -------- d-----w- c:\documents and settings\Administrator.JONATHAN\Application Data\SUPERAntiSpyware.com
2010-01-10 22:03 . 2010-01-13 17:36 0 ----a-w- c:\documents and settings\Jonathan Murray\Local Settings\Application Data\prvlcl.dat
2010-01-07 21:39 . 2010-01-07 23:30 -------- d-----w- C:\$AVG
2010-01-07 21:38 . 2010-01-07 21:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-07 21:38 . 2010-01-13 14:47 -------- d-----w- c:\windows\system32\drivers\Avg
2010-01-07 21:36 . 2010-01-07 21:36 25608 ----a-w- c:\windows\system32\drivers\AVGIDSxx.sys
2010-01-07 21:36 . 2010-01-07 21:36 161800 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-01-07 21:36 . 2010-01-07 21:36 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-07 21:36 . 2010-01-07 21:36 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-07 21:36 . 2010-01-07 21:36 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-07 21:34 . 2010-01-07 21:34 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-01-07 21:34 . 2010-01-07 21:34 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-01-07 21:34 . 2010-01-07 21:34 -------- d-----w- c:\program files\AVG
2010-01-07 21:34 . 2010-01-11 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-07 18:43 . 2010-01-07 20:25 163713 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-01-07 18:34 . 2010-01-07 20:27 -------- d-----w- c:\program files\COMODO
2010-01-07 18:28 . 2010-01-07 18:33 40603920 ----a-w- c:\program files\CIS_Setup_3.13.125662.579_XP_Vista_x32.exe
2010-01-07 18:00 . 2010-01-07 18:00 891248 ----a-w- c:\program files\avg_free_stb_all_9_40_cnet.exe
2010-01-05 22:45 . 2010-01-05 22:45 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-05 22:44 . 2010-01-05 22:45 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-05 22:44 . 2010-01-05 22:44 -------- d-----w- c:\documents and settings\Jonathan Murray\Application Data\SUPERAntiSpyware.com
2010-01-05 22:44 . 2010-01-05 22:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-01-05 22:42 . 2010-01-05 22:44 7451168 ----a-w- c:\program files\SUPERAntiSpywarePro.exe
2010-01-05 18:43 . 2010-01-05 18:43 -------- d-----w- c:\documents and settings\Jonathan Murray\Application Data\Malwarebytes
2010-01-05 18:42 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-05 18:42 . 2010-01-05 18:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-05 18:42 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-05 18:42 . 2010-01-11 22:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-05 18:40 . 2010-01-05 18:41 5061520 ----a-w- c:\program files\mbam-setup.exe
2010-01-02 02:55 . 2010-01-05 05:20 8086544 ----a-w- c:\program files\Firefox Setup 3.5.6.exe
2009-12-23 08:35 . 2009-12-23 14:54 -------- d-----w- C:\a725013441aa0de15deab303a87e0b7b
2009-12-23 04:35 . 2009-12-23 07:19 -------- d-----w- C:\0b93e35ba6ecc3299040c52d
2009-12-23 02:14 . 2009-12-23 19:55 -------- d-----w- c:\program files\Unlocker
2009-12-23 02:14 . 2009-12-23 02:14 220454 ----a-w- c:\program files\unlocker1.8.8.exe
2009-12-22 06:42 . 2009-12-22 06:42 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-13 21:39 . 2008-05-16 01:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-13 17:55 . 2008-05-16 23:20 -------- d-----w- c:\program files\Spyware Doctor
2010-01-13 05:24 . 2009-06-01 23:24 0 ----a-w- C:\qinfo.dat
2010-01-11 22:13 . 2004-03-25 03:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-11 18:32 . 2005-01-08 16:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-11 18:21 . 2009-06-02 20:26 -------- d-----w- c:\program files\Spybot - Search & Destroy1
2010-01-05 05:49 . 2009-12-04 00:27 -------- d-----w- c:\documents and settings\Jonathan Murray\Application Data\BitTorrent
2010-01-04 06:55 . 2009-08-31 05:12 -------- d-----w- c:\program files\WildGames
2010-01-04 06:29 . 2010-01-04 06:29 44024 ----a-w- c:\program files\bookmarks1-3-09.html
2009-12-31 05:26 . 2006-01-30 19:12 44240 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-23 20:28 . 2008-12-14 01:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2009-12-23 20:20 . 2004-03-23 22:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-23 19:32 . 2004-04-07 23:57 44240 ----a-w- c:\documents and settings\Jonathan Murray\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-23 15:22 . 2006-05-30 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Sonic
2009-12-23 15:19 . 2006-05-30 20:25 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-12-23 15:18 . 2006-05-30 20:22 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-12-23 15:18 . 2006-05-30 20:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-12-05 07:42 . 2009-12-05 07:41 -------- d-----w- c:\documents and settings\Jonathan Murray\Application Data\Nero
2009-12-05 07:41 . 2009-12-05 07:41 -------- d-----w- c:\documents and settings\All Users\Application Data\LightScribe
2009-12-05 07:41 . 2007-04-04 16:59 -------- d-----w- c:\program files\Common Files\LightScribe
2009-12-05 07:39 . 2009-12-05 07:20 -------- d-----w- c:\program files\Common Files\Nero
2009-12-05 07:38 . 2007-04-04 16:55 -------- d-----w- c:\program files\Nero
2009-12-05 07:25 . 2007-04-04 16:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-12-05 06:33 . 2009-12-05 06:08 214167816 ----a-w- c:\program files\Nero-9.4.26.0_trial.exe
2009-12-04 23:36 . 2009-12-04 23:30 -------- d-----w- c:\program files\Cucusoft
2009-12-04 23:35 . 2009-12-04 23:35 2081039 ----a-w- c:\program files\dvd-author.exe
2009-12-04 23:29 . 2009-12-04 23:29 3119665 ----a-w- c:\program files\dvd-burner.exe
2009-12-04 23:26 . 2009-12-04 23:26 -------- d-----w- c:\documents and settings\Jonathan Murray\Application Data\AnvSoft
2009-12-04 23:26 . 2009-12-04 23:26 -------- d-----w- c:\program files\AnvSoft
2009-12-04 23:26 . 2009-12-04 23:24 15672013 ----a-w- c:\program files\avc-free.exe
2009-12-04 23:23 . 2009-12-04 22:56 -------- d-----w- c:\documents and settings\Jonathan Murray\Application Data\Vso
2009-12-04 23:23 . 2009-12-04 22:56 47360 ----a-w- c:\documents and settings\Jonathan Murray\Application Data\pcouffin.sys
2009-12-04 22:56 . 2009-12-04 22:56 47360 ------w- c:\windows\system32\drivers\pcouffin.sys
2009-12-04 22:54 . 2009-12-04 22:52 18026336 ----a-w- c:\program files\vsoConvertXtoDVD4_setup.exe
2009-12-04 22:22 . 2009-12-04 22:11 -------- d-----w- c:\documents and settings\Jonathan Murray\Application Data\DivX
2009-12-04 19:53 . 2009-12-04 19:52 -------- d-----w- c:\program files\DivX
2009-12-04 19:52 . 2009-12-04 19:52 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-12-04 19:51 . 2009-12-04 19:49 23804080 ----a-w- c:\program files\DivXInstaller.exe
2009-12-04 19:14 . 2009-12-04 19:14 6104788 ----a-w- c:\program files\burnaware_free242.exe
2009-12-04 00:26 . 2009-12-04 00:25 -------- d-----w- c:\program files\BitTorrent
2009-12-04 00:14 . 2009-12-04 00:13 3066744 ----a-w- c:\program files\BitTorrent-6.3c.exe
2009-12-02 23:12 . 2009-12-02 23:12 8084968 ----a-w- c:\program files\Firefox Setup 3.5.5.exe
2009-12-02 00:03 . 2008-01-06 17:12 -------- d-----w- c:\documents and settings\Jonathan Murray\Application Data\LimeWire
2009-11-14 00:47 . 2009-11-14 00:47 90112 ------w- c:\windows\system32\dpl100.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ------w- c:\windows\system32\divx_xx0c.dll
2009-11-14 00:47 . 2009-11-14 00:47 856064 ------w- c:\windows\system32\divx_xx07.dll
2009-11-14 00:47 . 2009-11-14 00:47 847872 ------w- c:\windows\system32\divx_xx0a.dll
2009-11-14 00:47 . 2009-11-14 00:47 843776 ------w- c:\windows\system32\divx_xx16.dll
2009-11-14 00:47 . 2009-11-14 00:47 839680 ------w- c:\windows\system32\divx_xx11.dll
2009-11-14 00:47 . 2009-11-14 00:47 696320 ------w- c:\windows\system32\DivX.dll
2009-11-09 16:20 . 2009-06-02 04:10 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-10-30 16:11 . 2009-06-02 04:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-10-29 05:38 . 2003-11-08 12:00 667136 ------w- c:\windows\system32\wininet.dll
2009-10-22 20:48 . 2009-10-11 22:11 411368 ------w- c:\windows\system32\deploytk.dll
2009-10-21 05:38 . 2004-08-04 07:56 75776 ------w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 07:56 25088 ------w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ------w- c:\windows\system32\drivers\http.sys
2009-10-07 20:01 . 2009-10-07 20:01 3340064 ----a-w- c:\program files\UnityWebPlayer.exe
2009-10-04 17:12 . 2009-10-04 17:11 12541248 ----a-w- c:\program files\RLCSetup.exe
2009-09-15 19:44 . 2009-09-15 19:42 25685128 ----a-w- c:\program files\wordview_en-us.exe
2009-09-15 19:26 . 2009-09-15 19:26 13824 ----a-r- c:\program files\TRU_Unicru_92908.doc
2009-09-12 20:16 . 2009-09-12 20:16 4122416 ----a-w- c:\program files\freeclip.exe
2009-09-11 23:10 . 2009-09-11 22:55 52736 ----a-w- c:\program files\oown_resume_template.doc
2009-09-04 19:49 . 2009-09-04 19:47 11729274 ----a-w- c:\program files\installeasyjob.exe
2009-09-02 19:29 . 2009-09-02 19:29 8050536 ----a-w- c:\program files\Firefox Setup 3.5.2.exe
2009-07-07 23:46 . 2009-07-07 23:45 359656 ----a-w- c:\program files\msicuu2.exe
2009-02-17 01:18 . 2009-02-16 04:28 16939888 ----a-w- c:\program files\IE8-WindowsXP-x86-ENU.exe
2008-11-23 17:56 . 2008-11-23 17:56 25740144 ----a-w- c:\program files\wmp11-windowsxp-x86-enu.exe
2008-09-06 03:18 . 2005-01-03 03:29 1505160 ----a-w- c:\program files\install_easyshare.exe
2008-07-04 00:24 . 2008-07-04 00:21 1445888 ----a-w- c:\program files\WinsockxpFix.exe
2008-05-31 02:17 . 2008-05-31 02:07 9723880 ----a-w- c:\program files\spybotsd152.exe
2008-05-29 00:21 . 2008-05-29 00:21 1244712 ----a-w- c:\program files\SetupOneCare.exe
2008-05-28 03:12 . 2008-05-28 03:12 7608344 ----a-w- c:\program files\spyhunterFULL.exe
2008-05-09 13:47 . 2008-05-09 13:47 1206366 ----a-w- c:\program files\wrar371.exe
2008-05-09 13:43 . 2008-05-09 13:43 244784 ----a-w- c:\program files\gnie_s_dvd4-iml2iso.rar
2008-05-09 03:44 . 2008-05-09 03:44 10121656 ----a-w- c:\program files\Alcohol120_trial_1.9.7.6221.exe
2008-05-09 03:28 . 2008-05-09 03:28 1385051 ----a-w- c:\program files\cddvdgen.zip
2008-05-09 03:12 . 2008-05-09 03:12 899414 ----a-w- c:\program files\SetupDVDDecrypter_3.5.4.0.exe
2008-04-06 17:28 . 2008-04-06 17:28 569777 ----a-w- c:\program files\DVD43_4-2-0_Setup.exe
2008-01-05 18:20 . 2008-01-05 18:20 3381280 ----a-w- c:\program files\LimeWireWin.exe
2006-06-18 00:07 . 2006-06-18 00:07 1522527 ----a-w- c:\program files\dvdrip32572.exe
2006-06-12 18:48 . 2006-06-12 18:48 1160885 ----a-w- c:\program files\DVDRegionFree59.exe
2006-06-04 05:56 . 2006-06-04 05:56 302680 ----a-w- c:\program files\ac3filter_0_70b.exe
2006-06-04 05:50 . 2006-06-04 05:50 156181 ----a-w- c:\program files\MpegDecoder012.zip
2006-06-04 00:49 . 2006-06-04 00:49 6973792 ----a-w- c:\program files\iaplayer_2.60.12.0201_esd.exe
2006-06-03 21:08 . 2006-06-03 21:08 5753886 ----a-w- c:\program files\psp_video_express.exe
2006-05-15 00:22 . 2006-05-15 00:17 5779942 ----a-w- c:\program files\psp_movie_creator.exe
2006-05-14 21:15 . 2006-03-12 21:49 3457413 ----a-w- c:\program files\1clickdvdcopysetup.exe
2006-03-12 19:17 . 2006-03-12 19:17 521403 ----a-w- c:\program files\DVD43_3-7-0_Setup.exe
2006-03-12 16:38 . 2006-03-11 23:17 3878912 ----a-w- c:\program files\ICopyDVDs2_30DayTrial_EN_v4.1.0.2.exe
2006-01-30 01:05 . 2006-01-30 01:05 7391952 ----a-w- c:\program files\ewido-setup.exe
2005-11-03 23:52 . 2005-09-24 15:43 64 ---ha-w- c:\program files\AppUpdate.log
2005-09-25 14:31 . 2005-09-25 14:31 194835 ----a-w- c:\program files\ringtoneripper.exe
2005-09-24 02:14 . 2005-09-24 02:14 24265736 ----a-w- c:\program files\dotnetfx.exe
2005-03-03 23:40 . 2005-03-03 21:35 20798256 ----a-w- c:\program files\AdbeRdr70_enu_full.exe
2005-01-09 22:50 . 2005-01-09 22:39 2145414 ----a-w- c:\program files\OneTouch.exe
2005-01-08 02:48 . 2005-01-08 02:48 4354084 ----a-w- c:\program files\spybotsd13.exe
2004-02-20 07:38 . 2004-03-23 23:18 1760378 ----a-w- c:\program files\aaw6.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-20 217544]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-09-05 1261384]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"HostManager"="c:\program files\Common Files\AOL\1155679928\ee\AOLSoftware.exe" [2006-09-26 50736]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-22 149280]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-09 2033432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
""="c:\program files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe" [2002-03-25 258048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-2-10 73728]
NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\wlancfg5.exe [2006-1-26 1486848]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-07 21:38 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bxxs5
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
NvQTwk [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qlovkj
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2006-10-23 12:50 71216 ----a-r- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
2002-01-03 03:06 4608 ------w- c:\windows\system32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
2008-03-01 19:49 826880 ----a-w- c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2001-08-18 22:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 05:31 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
2009-11-18 17:47 1243088 ----a-w- c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2000-07-13 20:00 311350 ----a-w- c:\program files\Microsoft Works\wkssb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2000-07-13 20:00 28739 ----a-w- c:\program files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
2001-10-12 23:45 69632 ----a-w- c:\program files\Analog Devices\SoundMAX\SMTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2004-09-29 01:26 32881 ----a-w- c:\program files\Java\j2re1.4.2_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2000-07-13 20:00 24576 ----a-w- c:\program files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MCVSRte"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [01/07/2010 4:36 PM 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [01/07/2010 4:36 PM 161800]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [06/01/2009 11:10 PM 207792]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [05/09/2008 8:40 AM 716272]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [01/07/2010 4:36 PM 333192]
R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [01/07/2010 4:36 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [01/07/2010 4:36 PM 906520]
R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [01/07/2010 4:36 PM 285392]
R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [01/07/2010 4:37 PM 2303680]
R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [01/07/2010 4:35 PM 5832712]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [01/10/2010 11:40 PM 112592]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [01/07/2010 4:34 PM 30104]
R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [01/07/2010 4:36 PM 122376]
R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [01/07/2010 4:36 PM 30216]
R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [01/07/2010 4:36 PM 25736]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [01/07/2010 4:34 PM 30104]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S3 SWNC8U12;Sierra Wireless MUX NDIS Driver (UMTS12);c:\windows\system32\drivers\swnc8u12.sys [10/25/2007 6:48 PM 82432]
S3 swumx12;Sierra Wireless USB MUX Driver (UMTS12);c:\windows\system32\drivers\swumx12.sys [10/25/2007 6:48 PM 66304]
S3 USB-100;SMC Compact USB to Ethernet converter;c:\windows\system32\drivers\SMC2208.SYS [04/02/2006 12:43 PM 27519]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GGQXYXWW
*Deregistered* - ggqxyxww

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ylmolrez

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2009-08-20 18:24 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-01-13 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2009-12-24 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2008-04-21 21:21]

2004-03-28 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\System32\OOBE\oobebaln.exe [2006-04-09 00:12]

2004-03-23 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\System32\OOBE\oobebaln.exe [2006-04-09 00:12]

2004-04-08 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\System32\OOBE\oobebaln.exe [2006-04-09 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mWindow Title =
uInternet Settings,ProxyServer = 168.94.74.68:8080
IE: &AOL Toolbar Search
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - [You must be registered and logged in to see this link.]
DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Jonathan Murray\Application Data\Mozilla\Firefox\Profiles\2tis2day.default\
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{E6AE90A4-1B01-47F0-AA78-E6B122E145E9} - (no file)
HKLM-Run-CPMonitor - c:\program files\Roxio Creator 2009\5.0\CPMonitor.exe
MSConfigStartUp-43EQ3me - srcgnt.exe
MSConfigStartUp-L0x4RgK7U - spnru1.exe
MSConfigStartUp-OneCareUI - c:\program files\Microsoft Windows OneCare Live\winssnotify.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe
MSConfigStartUp-RealPlayer - c:\program files\Real\RealPlayer\realplay.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
MSConfigStartUp-WCOLOREAL - c:\program files\COMPAQ\Coloreal\coloreal.exe
AddRemove-KODAK Picture CD Volume 2 Issue 3 - c:\program files\KODAK Picture CD\Volume 2 Issue 3\Uninst.isu
AddRemove-Microsoft Interactive Training - c:\windows\orun32.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-13 16:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, [You must be registered and logged in to see this link.]

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll atapi.sys spws.sys >>UNKNOWN [0x863BE938]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf74dbf28
\Driver\ACPI -> ACPI.sys @ 0xf7329cb8
\Driver\atapi -> atapi.sys @ 0xf72c4b40
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: NVIDIA nForce MCP Networking Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf71b6bb0
PacketIndicateHandler -> NDIS.sys @ 0xf71a5a0d
SendHandler -> NDIS.sys @ 0xf71b9b40
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1584)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(208)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\System32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\System32\locator.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\Webroot\Washer\WasherSvc.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2010-01-13 17:03:31 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-13 22:03

Pre-Run: 17,771,589,632 bytes free
Post-Run: 19,097,911,296 bytes free

Current=2 Default=2 Failed=5 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - D76BE198915B91AAC78ECD4CF90978B7

Thebeast28
Intermediate

Posts : 159
Joined : 2010-01-12
OS : Windows XP
Points : 27649
# Likes : 0

Re: Can't remove Virus Win32/Cryptor

Post by Dr Jay on Wed Jan 13, 2010 11:03 pm

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Dr. Jay (DJ)



Dr Jay
Head Administrator

Posts : 13714
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro
Protection : Bitdefender Total Security
Points : 302072
# Likes : 10

Log from Malwarebytes

Post by Thebeast28 on Thu Jan 14, 2010 9:14 pm

Malwarebytes' Anti-Malware 1.44
Database version: 3557
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

01/14/2010 12:44:40 PM
mbam-log-2010-01-14 (12-44-18).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 224489
Time elapsed: 2 hour(s), 28 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ggqxyxww.sys.vir (Malware.Trace) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\vgiibibs.sys.vir (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP12\A0003708.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP12\A0003772.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP12\A0003853.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP12\A0003951.dll (Trojan.Boaxxe) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP12\A0003952.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP12\A0003953.sys (Malware.Trace) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{8238BFE6-44BD-4B25-B0F7-CE65B3815CC9}\RP12\A0003983.sys (Malware.Trace) -> Quarantined and deleted successfully.


Re: Can't remove Virus Win32/Cryptor

Post by Dr Jay on Thu Jan 14, 2010 11:00 pm

Please run a free online scan with the [You must be registered and logged in to see this link.]
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Dr. Jay (DJ)




Log from ESET Online Scanner

Post by Thebeast28 on Fri Jan 15, 2010 4:28 am

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=2f735a81239a9c46974155ecb4737fc4
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-15 01:18:45
# local_time=2010-01-14 08:18:45 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1279 16777215 0 0 0 0 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=88722
# found=6
# cleaned=6
# scan_time=7090
C:\Documents and Settings\All Users\Application Data\avg9\Temp\049cc85e-80de-4909-9618-8416117dd7dc.tmp probably a variant of Win32/TrojanDownloader.FakeAlert.AOM trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Jonathan Murray\My Documents\Downloads\Alvin and the Chipmunks - The Squeakuel (2009)\Alvin and the Chipmunks - The Squeakuel (2009).avi a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Jonathan Murray\My Documents\My Music\daughtry new single.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Jonathan Murray\My Documents\My Music\Def Leppard - Two Steps Behind (Acoustic Version).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Jonathan Murray\My Documents\My Music\Posion - somthing to believe in.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\Program Files\unlocker1.8.8.exe Win32/Adware.ADON application (deleted - quarantined) 00000000000000000000000000000000 C


Re: Can't remove Virus Win32/Cryptor

Post by Dr Jay on Fri Jan 15, 2010 4:39 am

Download Security Check by screen317 from [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


Dr. Jay (DJ)




Re: Can't remove Virus Win32/Cryptor

Post by Thebeast28 on Fri Jan 15, 2010 10:41 pm

Results of screen317's Security Check version 0.99.1
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

AVG 9.0
``````````````````````````````
Anti-malware/Other Utilities Check:

Out of date Spybot installed!
Ad-Aware
Spybot - Search & Destroy 1.3
Spyware Doctor 7.0
SpyHunter
Spyhunter Compact OS 1.0b
Spybot - Search & Destroy
SUPERAntiSpyware Professional
CCleaner (remove only)
Java 2 Runtime Environment Standard Edition v1.3.1
Java(TM) 6 Update 15
Java(TM) 6 Update 2
Java 2 Runtime Environment, SE v1.4.2_06
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 7.0.9
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
AVG avgemc.exe
``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````


Re: Can't remove Virus Win32/Cryptor

Post by Dr Jay on Fri Jan 15, 2010 11:59 pm

Please download the newest version of Adobe Acrobat Reader from [You must be registered and logged in to see this link.]

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previously installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.

==

Please download the newest version of Java from [You must be registered and logged in to see this link.].

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

  • [You must be registered and logged in to see this link.]: the free version is just as good as the premium. I have linked you to the free version.
  • [You must be registered and logged in to see this link.]: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by a 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  • [You must be registered and logged in to see this link.]: free and excellent firewall.


AntiSpyware

  • [You must be registered and logged in to see this link.]
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found [You must be registered and logged in to see this link.].
  • [You must be registered and logged in to see this link.].
    Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot.)


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
[You must be registered and logged in to see this link.]

Securing your computer

  • [You must be registered and logged in to see this link.] - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • [You must be registered and logged in to see this link.] replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


See [You must be registered and logged in to see this link.] for more info about malware and prevention.

Thank you for choosing GeekPolice. Please see [You must be registered and logged in to see this link.] if you would like to leave feedback or contribute to our site. Do you have any more questions?


Dr. Jay (DJ)
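As an added illustration of the HOSTS-file mechanism described in the "Securing your computer" section above (this is example code, not part of the thread and not hpHosts' own installer), the script below parses a constructed HOSTS file, counts the entries sunk to the loopback address, and flags any entry that maps a name to some other address, which is the redirect pattern a tampered HOSTS file would show. The sample file, its domain names and the 192.0.2.x address are all constructed placeholders.

```python
"""Audit a Windows HOSTS file of the kind hpHosts installs.

A HOSTS-file blocklist works by mapping known ad and malware domains to
the loopback address 127.0.0.1 (or the unspecified address 0.0.0.0), so
the browser resolves them locally and never reaches the real site. The
same file is also a classic hijack point: an entry that maps a name to
any OTHER address silently redirects that site. This audit separates
the two cases. Hypothetical example; the sample file below is constructed.
"""
import ipaddress

# Addresses that make an entry a harmless "sink" rather than a redirect.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample HOSTS file (not the thread's file; names use the
# reserved .test TLD and the documentation range 192.0.2.0/24).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp. (constructed sample)
127.0.0.1       localhost
127.0.0.1       ads.example-tracker.test
127.0.0.1       malware-download.example.test   # known dropper host
0.0.0.0         popup.example.test banners.example.test
192.0.2.45      www.google.com
192.0.2.45      search.example-engine.test
garbage-line-without-address
"""


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each entry line.

    Comment lines, blank lines, trailing comments, lines with no hostname
    and lines whose first field is not an IP address are skipped.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield line_no, str(address), fields[1:]


def audit_hosts(text):
    """Classify every hostname in a HOSTS file.

    Returns a dict with:
      has_localhost - True if the standard localhost mapping is present
      blocked       - hostnames sunk to loopback/unspecified (the blocklist)
      redirects     - (line_no, hostname, address) for every entry that
                      maps a name elsewhere; these need a human look
    """
    has_localhost = False
    blocked = []
    redirects = []
    for line_no, address, names in parse_hosts(text):
        for name in names:
            if name.lower() == "localhost" and address in SINK_ADDRESSES:
                has_localhost = True
                continue
            if address in SINK_ADDRESSES:
                blocked.append(name)
            else:
                redirects.append((line_no, name, address))
    return {"has_localhost": has_localhost,
            "blocked": blocked,
            "redirects": redirects}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"localhost mapping present: {report['has_localhost']}")
    print(f"blocked (sunk to loopback): {len(report['blocked'])}")
    for line_no, name, address in report["redirects"]:
        print(f"line {line_no}: {name} -> {address}  (REDIRECT, review)")
```

On a real machine the file to read is %SystemRoot%\system32\drivers\etc\hosts; any entry the audit lists under redirects should be compared against what the owner actually intended.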




Re: Can't remove Virus Win32/Cryptor

Post by Thebeast28 on Sat Jan 16, 2010 4:52 am

I have a few questions to ask

1. After doing everything you told me is the Win32/Cryptor virus completely gone for good?

2. Is Google going to be working fine and not take me to sites I didn't ask to go to or redirect me to other sites?

3. Which of these programs should I keep and delete: spybot search and destroy, ad-aware 6.0, SUPERAntiSpyware Professional, AVP 2009, AVG 9.0 trial version, Spyhunter, Spyware doctor, and Malwarebytes' Anti-Malware?

4. You talk about Resident Protection help; should I have an antivirus, firewall, and scanning anti-spyware program running at all times, and which ones from the programs I have?

5. You told me to do a Windows update, but how, because I am using Firefox?

6. I do not know how to do this: "hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future."


Re: Can't remove Virus Win32/Cryptor

Post by Dr Jay on Sat Jan 16, 2010 5:55 am

Yes, the malware is gone.

Try out Google search, and let me know if they redirect or not.

Get rid of all of those applications except for SuperAntiSpyware Pro. Then find one antivirus, and one firewall.

You have the anti-spyware. Just get the remaining two that are good to use.

Windows Updates are done via Internet Explorer.

Download the hpHosts installer and it can do it for you: [You must be registered and logged in to see this link.]


Dr. Jay (DJ)




Re: Can't remove Virus Win32/Cryptor

Post by Thebeast28 on Sun Jan 17, 2010 5:45 am

Just a few more questions

1. So you want me to delete all of these programs: spybot search and destroy, ad-aware 6.0, AVP 2009, AVG 9.0 free, Spyhunter, Spyware doctor, and Malwarebytes' Anti-Malware, except SUPERAntiSpyware Professional?
Then what program will I use for virus protection and firewall?

2. Why does it take so long for the computer to start up before I can do anything? It really takes a long time. How can I speed it up?

3. Firefox takes a really long time to open when I open it. Why, and how can I make it open faster?

Thanks, Google is working fine now; hope I don't have any more problems with it.


Re: Can't remove Virus Win32/Cryptor

Post by Thebeast28 on Sun Jan 17, 2010 9:26 pm

Please help me, DragonMaster Jay; I just had a few more questions to ask. Thanks.


Re: Can't remove Virus Win32/Cryptor

Post by Dr Jay on Sun Jan 17, 2010 9:42 pm

Please be patient, I have two jobs outside of the internet and then this one online. I finally got time to be on.

Yes. Only keep SuperAntiSpyware.

See [You must be registered and logged in to see this link.] for more info about malware and prevention.

2. Why does it take so long for the computer to start up before I can do anything? It really takes a long time. How can I speed it up?
This cannot be helped. You are running XP. To improve boot speed, it would take more serious diagnostics, especially for hardware.

3. Firefox takes a really long time to open when I open it. Why, and how can I make it open faster?
This happens to me from time to time. It is just the way Firefox is. No way to speed it up, unless you remove browser extensions, via Tools > Add-ons.


Dr. Jay (DJ)



