Plz Help! Win32:MalOb-V [Cryp] How can I get rid of this?

I’m new to the forums. I had Avast do a full scan of my system and it found a virus.

This is what it showed:

File Name: C:\Users\Steven\AppData\Local\Temp\xcmwoesnra.exe

Malware name: Win32:MalOb-V [Cryp]

Malware type: Virus/Worm

VPS version: 091108-1, 11/08/2009

When I tried to move it to the chest, it could not find the file. When I tried to delete it, it said Access Denied. I also tried to schedule a boot scan; that also said Access Denied.

I was reading some other posts and saw recommendations for installing Malwarebytes’ and HijackThis. I have installed both.

Malwarebytes’ has found 5 objects infected so far.

I also have the results of HijackThis. Both are below in different replies.

These are my results of Hijack This:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:12 AM, on 11/9/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Users\Steven\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashQuick.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashQuick.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Microsoft\Office Live\OfficeLiveSignIn.exe
C:\Users\Steven\Downloads\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\ashAvast.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra ‘Tools’ menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O20 - AppInit_DLLs: eNetHook.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe


End of file - 8951 bytes
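As an added illustration of what a helper reads such a log for (this is not code from the original thread, nor a feature of HijackThis itself), here is a small Python triage script that flags the entry types worth a second look in a log like the one above: an executable running or autostarting from a Temp directory (the file Avast flagged lived in C:\Users\Steven\AppData\Local\Temp), a BHO registered with no file behind it, a non-empty AppInit_DLLs value, and a service whose binary is missing. The sample lines are copied from the log above; the heuristics and the tag names are this example's own. A hit is a prompt to verify the file's publisher, not a verdict: legitimate vendor components sometimes live in Temp too.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted above (a subset, for the example).
SAMPLE_LOG = r"""Running processes:
C:\Windows\system32\Dwm.exe
C:\Users\Steven\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O20 - AppInit_DLLs: eNetHook.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    kind: str   # tag of the heuristic that fired (names chosen for this example)
    item: str   # the path, CLSID or DLL name the finding is about
    line: str   # the log line it came from


# A path whose last directory component is a Temp folder: user-writable, and not
# where legitimate autostart executables normally live.
TEMP_PATH = re.compile(r"\\temp\\[^\\]+$", re.IGNORECASE)
# O4 autostart entries: "[name] path args", where the path may be quoted.
O4_TARGET = re.compile(
    r'^O4 - .*?\[[^\]]*\]\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?))(?:\s+/\S+)*\s*$')
O2_CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
O20_VALUE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>\S.*)$")
O23_MISSING = re.compile(r" - (?P<path>[A-Za-z]:\\[^()]+?) \(file missing\)\s*$")


def o4_target(line):
    """Return the executable path named by an O4 line, or None if it is not an O4 line."""
    m = O4_TARGET.match(line)
    if not m:
        return None
    return m.group("quoted") or m.group("bare")


def triage(log_text):
    """Walk a HijackThis-style log and return the entries that deserve review."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:            # blank line ends the process list
                in_processes = False
                continue
            if TEMP_PATH.search(line):
                findings.append(Finding("temp-path", line, line))
            continue
        if line.startswith("O4 - "):
            target = o4_target(line)
            if target and TEMP_PATH.search(target):
                findings.append(Finding("temp-path", target, line))
        elif line.startswith("O2 - ") and line.endswith("(no file)"):
            m = O2_CLSID.search(line)   # orphaned BHO registration: CLSID with no DLL
            findings.append(Finding("orphan-bho", m.group(0) if m else line, line))
        elif line.startswith("O20 - "):
            m = O20_VALUE.match(line)   # AppInit_DLLs loads into every user-mode process
            if m:
                findings.append(Finding("appinit-dll", m.group("dlls"), line))
        elif line.startswith("O23 - "):
            m = O23_MISSING.search(line)  # service registered, binary gone
            if m:
                findings.append(Finding("missing-service-file", m.group("path"), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.item}")
```

Run against the sample it reports RtkBtMnt.exe (running from Temp), the nameless BHO, eNetHook.dll and the missing Symantec service binary, while the avast! and MSConfig entries pass silently. Each flagged item then gets the ordinary check: who signed the file, does the vendor document that path, and does the install history explain it.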

Hi steven1189,

Just a survey of the tasks you have running, considering your HJT log:

Dwm.exe (System task): Desktop Window Manager
taskeng.exe (System task): Task Scheduler Engine
Explorer.EXE (System task): Microsoft Windows Explorer
MSASCui.exe (Anti Ad/Spyware software): Microsoft Windows Defender Antispyware
RtHDVCpl.exe (System task): High definition audio codec driver from Realtek Semiconductor
eDSLoader.exe (Background task): Launcher
PCMService.exe (Application): Dell media experienc
wmpnscfg.exe (Background task): Windows Media Player Network Sharing Service Confi
LManager.exe (Driver): MultiMedia Keyboard Applet
RtkBtMnt.exe (Driver): Realtek HD Audio Data Rerouter
Apoint.exe (Driver): Alps Pointing-device Driver
ashDisp.exe (Virus scan): Avast AntiVirus
igfxtray.exe (Application): Intel Graphics configuration and diagnostic application
hkcmd.exe (Application): Intel multimedia devices
igfxpers.exe (Driver): Intel Common User Interface Module
igfxext.exe (Driver): Intel Common User Interface
jusched.exe (Background task): Sun Java Update Scheduler
igfxsrvc.exe (Driver): Intel(R) Common User Interface
igfxsrvc.exe (Driver): Intel(R) Common User Interface
ApMsgFwd.exe (Background task): ApMsgFwd
ENMTRAY.EXE (Background task): ENMTray Task Manager
EPOWER_DMC.EXE (Background task): Acer ePower Management DMC
Apntex.exe (Driver): Alps Pointing-device Driver
ERAGENT.EXE (Background task): eRecovery agent
ashSimpl.exe (Virus scan): Virus scanner
ashSimpl.exe (Virus scan): Virus scanner
ashQuick.exe (Background task): virus scan
ashQuick.exe: virus scan
firefox.exe (Application): Mozilla Firefox
mbam.exe (Anti Ad/Spyware software): mbam.exe
WINWORD.EXE (Application): Microsoft Word
OfficeLiveSignIn.exe (Background task): OfficeLiveSignIn
HijackThis.exe (Application): Merijn Hijackthis
ashAvast.exe (Virus scan): Part of Avast antivirus
HijackThis.exe (Application): Merijn Hijackthis
SearchFilterHost.exe (System task): Microsoft® Windows® Operating System
explorer.exe (System task): Microsoft Windows Explorer


We couldn't detect any active process of a firewall on your system. Possible reasons:

(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall from an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don’t use any firewall at all.
We recommend that you use a firewall. Download and install one, or activate Windows XP's own one.


For cleansing Win32:MalOb-V [Cryp], use a bootable scanner CD like:

http://download.bitdefender.com/rescue_cd/ (probably a lot faster)
or
ftp://ftp.drweb.com/pub/drweb/livecd/

Make sure you have an internet connection so it can update its virus definitions.

polonus

I just finished the Malwarebytes Scan. These are the results:

Malwarebytes’ Anti-Malware 1.41
Database version: 3133
Windows 6.0.6002 Service Pack 2

11/9/2009 11:58:15 AM
mbam-log-2009-11-09 (11-57-58).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 179635
Time elapsed: 2 hour(s), 3 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a93c934-025b-4c3a-b38e-9654a7003239} (Adware.Gamesbar) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6f282b65-56bf-4bd1-a8b2-a4449a05863d} (Adware.Gamesbar) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Steven\AppData\Local\Temp\trz3A92.tmp (Trojan.Downloader) -> No action taken.
C:\Users\Steven\AppData\Local\Temp\rmxcesonaw.exe (Virus.Virut) -> No action taken.
C:\Users\Steven\AppData\Local\Temp\mconxeawrs.exe (Rootkit.TDSS) -> No action taken.

Run MBAM again (quick scan) when finished, and click the “Remove Selected” button to quarantine the infections.

OK. Did it. It says they are quarantined. I’m unconvinced by how easy it was to quarantine them with MBAM. How come Avast couldn’t even touch it, but MBAM can?

I just rebooted my system. I’ve just started Avast on a thorough scan. I also set up Avast to run a boot scan after the thorough scan is finished, just in case.

Thank you for the help. I really hope it is gone. I’ll find out after my Avast Boot Scan. I’ll make sure to post results.

Everything went well. No problems found. Thanks again. Couldn’t have done it without avast! webforums :wink: