Win32/Cryptor and clickover.cn problems

Hi-

I hope this note finds you and yours well.

Issues-- my AVG picked up 66 instances of Win32/Cryptor which were unable to be healed and removed. My system doesn't seem to be running slowly or anything but obviously I have a problem that needs to be removed. I haven't changed any of my passwords yet.

As instructed in the tutorial, I am pasting the DDS results below as well as attaching them.

Thanks in advance for any help!

With best regards,
Jim








DDS (Ver_09-06-26.01) - FAT32x86
Run by Jack at 10:11:41.35 on Mon 07/27/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.254.62 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jack\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
SVCHOST.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Subliminal Blaster 2.0\subliminalblaster.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Documents and Settings\Jack\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\jack\local settings\application data\google\update\GoogleUpdate.exe" /c
uRunOnce: [SpybotDeletingB5748] command /c del "c:\windows\system32\drivers\hjgruintqxqupu.sys"
uRunOnce: [SpybotDeletingD3277] cmd /c del "c:\windows\system32\drivers\hjgruintqxqupu.sys"
uRunOnce: [SpybotDeletingB9855] command /c del "c:\windows\system32\hjgruidnksbrwl.dll"
uRunOnce: [SpybotDeletingD2970] cmd /c del "c:\windows\system32\hjgruidnksbrwl.dll"
uRunOnce: [SpybotDeletingB8649] command /c del "c:\windows\system32\hjgruinkfxwvkl.dll"
uRunOnce: [SpybotDeletingD8627] cmd /c del "c:\windows\system32\hjgruinkfxwvkl.dll"
uRunOnce: [SpybotDeletingB5373] command /c del "c:\windows\temp\hjgruioqoiiwtqxt.tmp"
uRunOnce: [SpybotDeletingD5729] cmd /c del "c:\windows\temp\hjgruioqoiiwtqxt.tmp"
uRunOnce: [SpybotDeletingB2699] command /c del "c:\windows\temp\hjgruicshfnxmbjf.tmp"
uRunOnce: [SpybotDeletingD1932] cmd /c del "c:\windows\temp\hjgruicshfnxmbjf.tmp"
uRunOnce: [SpybotDeletingB622] command /c del "c:\windows\system32\hjgruioabshgqn.dat"
uRunOnce: [SpybotDeletingD340] cmd /c del "c:\windows\system32\hjgruioabshgqn.dat"
uRunOnce: [SpybotDeletingB886] command /c del "c:\windows\system32\hjgruiuounpmow.dat"
uRunOnce: [SpybotDeletingD594] cmd /c del "c:\windows\system32\hjgruiuounpmow.dat"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRunOnce: [SpybotDeletingA5222] command /c del "c:\windows\system32\drivers\hjgruintqxqupu.sys"
mRunOnce: [SpybotDeletingC7843] cmd /c del "c:\windows\system32\drivers\hjgruintqxqupu.sys"
mRunOnce: [SpybotDeletingA8450] command /c del "c:\windows\system32\hjgruidnksbrwl.dll"
mRunOnce: [SpybotDeletingC8125] cmd /c del "c:\windows\system32\hjgruidnksbrwl.dll"
mRunOnce: [SpybotDeletingA6751] command /c del "c:\windows\system32\hjgruinkfxwvkl.dll"
mRunOnce: [SpybotDeletingC2965] cmd /c del "c:\windows\system32\hjgruinkfxwvkl.dll"
mRunOnce: [SpybotDeletingA2395] command /c del "c:\windows\temp\hjgruioqoiiwtqxt.tmp"
mRunOnce: [SpybotDeletingC1362] cmd /c del "c:\windows\temp\hjgruioqoiiwtqxt.tmp"
mRunOnce: [SpybotDeletingA9485] command /c del "c:\windows\temp\hjgruicshfnxmbjf.tmp"
mRunOnce: [SpybotDeletingC2483] cmd /c del "c:\windows\temp\hjgruicshfnxmbjf.tmp"
mRunOnce: [SpybotDeletingA8559] command /c del "c:\windows\system32\hjgruioabshgqn.dat"
mRunOnce: [SpybotDeletingC6712] cmd /c del "c:\windows\system32\hjgruioabshgqn.dat"
mRunOnce: [SpybotDeletingA3943] command /c del "c:\windows\system32\hjgruiuounpmow.dat"
mRunOnce: [SpybotDeletingC9679] cmd /c del "c:\windows\system32\hjgruiuounpmow.dat"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\efax43~1.lnk - c:\program files\efax messenger 4.3\J2GTray.exe
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/D/0/D/D0DD87DA-994F-4334-8B55-AF2E4D98ED0C/wmv9dmo.cab
DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171324097977
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab?AuthParam=1212358168_c672e00787d51d51d4a28abbfbc4bb21&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD42/JSCDL/jre/6u6-b90/jinstall-6u6-windows-i586-jc.cab&File=jinstall-6u6-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jack\applic~1\mozilla\firefox\profiles\jjhpnzok.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

============= SERVICES / DRIVERS ===============

R0 lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-7-10 64160]
R1 avgldx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-9 335752]
R1 avgmfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-9 27784]
R1 avgtdix;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-9 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-9 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-9 298776]
R2 lavasoft ad-aware service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S1 9fdfaef;9fdfaef;c:\windows\system32\drivers\9fdfaef.sys [2009-7-8 65536]
S3 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-27 33752]
S3 nv3;nv3;c:\windows\system32\drivers\nv3.sys [2007-1-10 198144]

=============== Created Last 30 ================

2009-07-18 14:18 90,112 a------- c:\windows\DUMP6b07.tmp
2009-07-18 14:18 90,112 a------- c:\windows\DUMP6655.tmp
2009-07-18 14:18 90,112 a------- c:\windows\DUMP62b2.tmp
2009-07-18 14:17 <DIR> --dsh--- C:\FOUND.085
2009-07-16 19:43 686 a------- c:\windows\wininit.ini
2009-07-15 11:40 <DIR> --d----- c:\windows\system32\lowsec
2009-07-13 17:59 54,156 a---h--- c:\windows\QTFont.qfn
2009-07-13 17:59 1,409 a------- c:\windows\QTFont.for
2009-07-10 10:27 15,688 a------- c:\windows\system32\lsdelete.exe
2009-07-10 10:12 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-07-10 10:10 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-09 17:43 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-07-09 16:05 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-09 16:05 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-09 16:05 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-09 16:05 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-07-08 21:32 65,536 a------- c:\windows\system32\drivers\9fdfaef.sys
2009-07-08 21:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\93816276
2009-07-08 21:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\13806284
2009-07-08 21:31 2 a------- C:\943724550

==================== Find3M ====================

2009-07-17 23:21 251,658,240 a------- c:\windows\DUMP704f.tmp
2009-07-16 10:28 90,112 a------- c:\windows\DUMP8dce.tmp
2009-07-15 12:34 90,112 a------- c:\windows\DUMP6687.tmp
2009-07-13 15:34 90,112 a------- c:\windows\DUMP66f5.tmp
2009-07-10 10:14 90,112 a------- c:\windows\DUMP6077.tmp
2009-07-09 09:26 90,112 a------- c:\windows\DUMP41e0.tmp
2009-07-08 21:40 90,112 a------- c:\windows\DUMP3c7a.tmp
2009-06-24 16:53 48,640 a------- C:\dse.exe
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 08:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-28 21:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-28 21:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-28 21:56 1,159,680 -------- c:\windows\system32\dllcache\urlmon.dll
2009-04-28 21:56 827,392 -------- c:\windows\system32\dllcache\wininet.dll
2009-04-28 21:56 671,232 -------- c:\windows\system32\dllcache\mstime.dll
2009-04-28 21:56 233,472 -------- c:\windows\system32\dllcache\webcheck.dll
2009-04-28 21:56 105,984 -------- c:\windows\system32\dllcache\url.dll
2009-04-28 21:56 102,912 -------- c:\windows\system32\dllcache\occache.dll
2009-04-28 21:56 3,596,288 -------- c:\windows\system32\dllcache\mshtml.dll
2009-04-28 21:56 477,696 -------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-28 21:56 193,024 -------- c:\windows\system32\dllcache\msrating.dll
2007-01-10 17:11 266 ---sh--- c:\program files\desktop.ini
2007-01-10 17:11 11,079 ----h--- c:\program files\folder.htt
2008-12-17 17:29 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121720081218\index.dat

============= FINISH: 10:14:51.64 ===============

Hello jim,

Please tell me the Spybot version you are running.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

• Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
• Click the "Download" button to the right.
• At the Select Platform and Language for your download drop down box
  Select Windows and Mult-Language
• Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
• The page will refresh.
• Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  Examples of older versions in Add or Remove Programs:
  Java™ 6 Update 6
  Java™ 6 Update 13
  Java™ 6 Update 3
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u14-windows-i586.exe to install the newest version.

************

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.

************


Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh DDS log.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Edited by SifuMike, 31 July 2009 - 10:02 PM.
typo

Hi Mike-

Thanks very much for the response.

Before I start doing the items you listed I needed you to know that my system now has that Windows Antivirus Pro thing popping up and blocking anything I try to do. It just started popping up in the interrim (maybe 1 or 2 days ago) after I had left my original request here. I actually printed out and tried to use the "Remove Windows Antivirus Pro (Uninstall Guide)" from here on BleepingComputer utilizing Malwarebytes as instructed in the tutorial and it does not work.

For whatever reason when I go to the Windows Task Manager to eliminate the Windows Antivrus Pro.exe and then the svchast.exe it doesn't kill that program from popping back up and then blocking everything I try to do. I was able to get to run the Malwarebytes when I would reboot and go straight to it as quickly as possible (though the Windows Antivirus Pro would still start popping up all around it). It found some items and I could remove them but the Windows Antivirus Pro is still fouling everything up.

I'm posting this via an older, smaller clean hard drive that I have.

Please pardon me if I have fouled up the process by trying to get rid of that Windows AntiVirus Pro but I wasn't sure what to do and I needed to try and move forward.

When you get a second let me know if I should still proceed with the tasks that you listed above and I'll put that hard drive back in and try to do them.

Also, the answer to the spybot question is that I was using AdAware and Spybot Search and Destroy.

Thanks again for the help, Mike.

With best regards,
Jim

Hi Jim,

Proceed with the tasks I have listed.

the answer to the spybot question is that I was using AdAware and Spybot Search and Destroy

My question was what version number are you using?
The latest version is 1.6.2

Edited by SifuMike, 01 August 2009 - 10:31 AM.

Hey Mike,

Please pardon the delay.

The Spybot version is 1600.

I followed the instructions and have saved the Java "... 1586-p.exe" to the desktop. However, after that when I went to the Control Panel to open the Add/Remove Programs I was unable to open it. I re-booted and tried again to open Add/Remove but no such luck. The little hourglass comes up for a second or two and then goes away and that's it.

I had to switch out hard drives to write this note as I couldn't even open up Firefox the second time after re-booting.

Thanks-
Jim

Hi jim,

The Spybot version is 1600.

That version is ancient so uninstall it. We will download the latest Spybot 1.6.2 version when we have you clean.


We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:  
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component (looks like this: ) -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop..
Post the log from ComboFix in your next reply,

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Hey Mike-

Please pardon the delay.

I can't run Combofix. It is saved to the desktop but when I doubleclick on it to start running it a box comes with "Combofix.exe is not a valid Win32 application".

Regards-
Jim

Hi Jim,

Delete the ComboFix you have on your deskop.

Download Combofix from any of the links below. You must rename it before saving it.  Save it to your desktop.

Link 1
Link 2








You need to disable your AVG Antivirus before running ComboFix, as it will prevent it from running.

To disable AVG antivirus:  
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component (looks like this: ) -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.

Double click on Combo-Fix.exe & follow the prompts.

• When finished, it will produce a report for you.  
• Please post the C:\ComboFix.txt so we can continue cleaning the system.

Nope. The same box now comes up with "...Combo-fix.exe is not a valid..."

Try running Combo-Fix in Safe Mode.

How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key.

Edited by SifuMike, 11 August 2009 - 05:53 PM.

Hey Mike,

Unfortunately, I can't get to Safe mode. When I hit F8 and get to the black Windows Advanced Options Menu and try to move the cursor up to Safe it just freezes. The only thing that works from that screen is Start Windows Normally. Tried it a few times just to make sure.

Regards-
Jim

Hi Jim,

I can't get to Safe mode

Combofix.exe is not a valid Win32 application

This is a bad sign.
The fact that Combofix displayed a "not a valid win32 application" + the fact that you can't boot to the Safe Mode makes me think you were also dealing with a file infector. This means that all your executable files (legitimate ones) may be infected.

my AVG picked up 66 instances of Win32/Cryptor which were unable to be healed and removed

Post the AVG log so I can see what and where it found the viruses.


Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

• Open the Kaspersky WebScanner
  page.
• Click on the button on the main page.
• The program will launch and fill in the Information section on the left.
• Read the "Requirements and Limitations" then press the button.
• The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
• Once the files have been downloaded, click on the ...button.
  In the scan settings make sure the following are selected:
  • Detect malicious programs of the following categories:
    Viruses, Worms, Trojan Horses, Rootkits
    Spyware, Adware, Dialers and other potentially dangerous programs
  • Scan compound files (doesn't apply to the File scan area):
    Archives
    Mail databases
    By default the above items should already be checked.
  • Click the button, if you made any changes.
• Now under the Scan section on the left:
  
  Select My Computer
  
• The program will now start and scan your system. This will run for a while, be patient and let it finish.
• Once the scan is complete, click on View scan report
• Now, click on the Save Report as button.
• In the drop down box labeled Files of type change the type to Text file.
• Save the file to your desktop.
• Copy and paste that information in your next post even if it finds nothing.

You can refer to this animation by sundavis if needed.

Edited by SifuMike, 11 August 2009 - 09:17 PM.