GeekPolice

Win32/Cryptor + Generic13 + many others

Post by laika284 on Tue Jun 16, 2009 6:50 am

Hello,
I found this site through google and saw that you've been helping two others with very similar problems, so I hope that you can help me. I've tried to do all I can, with multiple scans of AVG8.5, Spybot S&D, Malwarebytes Anti-Malware and Superantispyware, to no avail and I'm at my wit's end.

I visited a site last night that seemed fine and was scanned by my AVG, but it must've somehow infected my PC with numerous things. I immediately tried a scan with AVG, but it stopped 10 minutes in (usually takes an hour) and said that the scan was not completed nor canceled, but 'repaired' so I've been doing nothing but scanning in safe mode since.

Offline scans in safe mode with AVG confirmed the Win32/Cryptor and the Generic13.ATPH, but upon a reboot and another scan, they're still exactly where they were. Numerous scans with these other programs have turned up Backdoor.Generic11, Trojan.Agent, Win32/Alureon, Rootkit.Agent/GenUACFake, Clicker.ZOW/Clicker.ZOT and others. My last scans have been almost clean, but Spybot keeps picking up Microsoft.WindowsSecurityCenter_disabled, which is troubling. Plus, some of these infections seem to disappear or not get picked up by any scans, then suddenly pop back up. After a bunch of scans, I've been able to download and install Malwarebytes and superantispyware, which many people with this infection haven't been able to do, so that gives me a bit of hope.

Anyway, sorry for all the text, but I wanted to be as thorough as I can because this is really, really driving me crazy. Any help you experts can offer would be greatly appreciated. Here's my HijackThis log (which is still open, with a list of all the stuff it's found, with options to fix things, analyze things... I suppose I should shut it down now?)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:48 AM, on 6/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\dldtcoms.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\David\Desktop\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - [You must be registered and logged in to see this link.] (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dldt_device - - C:\WINDOWS\system32\dldtcoms.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9920 bytes

Re: Win32/Cryptor + Generic13 + many others

Post by Belahzur on Tue Jun 16, 2009 8:44 am

Hello.
We need to remove a few things before removing the malware, the items I want to remove will only get in our way.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

Re: Win32/Cryptor + Generic13 + many others

Post by laika284 on Tue Jun 16, 2009 8:52 am

Thank you, Belahzur. A lot of mess here, I know.

7 Wonders - The Treasures of Seven
7 Wonders 2
Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 6.0.1
AIM 6
Alien Shooter 2 - Reloaded
Apple Mobile Device Support
Apple Software Update
Aquaria
ATI Control Panel
ATI Display Driver
Audacity 1.2.6
AVG Free 8.5
Battlefield Heroes
Blueberry Garden Demo
Bonjour
Bookworm Adventures Deluxe
Broadcom Advanced Control Suite 2
Cogs Demo
Company of Heroes
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Company of Heroes - FAKEMSI
Dangerous High School Girls in Trouble
Defense Grid: The Awakening
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Support
Emote-Launcher (remove only)
Geometry Wars
Ghost Master
Heavy Weapon Deluxe
Heroes Of Hellas
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Intel Application Accelerator
Intel(R) 537EP V9x DF PCI Modem
Internet Explorer Default Page
iTunes
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 13
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware
McAfee Personal Firewall Plus
McAfee SecurityCenter
McAfee VirusScan
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Modem Event Monitor
Modem Helper
Modem On Hold
Mozilla Firefox (3.0.11)
Mozilla Thunderbird (2.0.0.21)
MSXML 6 Service Pack 2 (KB954459)
Musaic Box
Music Rescue
Musicmatch for Windows Media Player
MUSICMATCH® Jukebox
NetZeroInstallers
OpenAL
Penumbra Overture
Penumbra: Black Plague
Penumbra: Requiem
Plants Vs Zombies
PowerDVD 5.3
Qualxserve Service Agreement
QuickTime
Raycatcher Demo
RealPlayer Basic
Reaxxion
Ricochet Infinity
S.T.A.L.K.E.R. - Shadow of Chernobyl
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Sid Meier's Railroads Demo
Sonic DLA
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
Speedball 2 - Tournament
Spybot - Search & Destroy
Steam
SUPERAntiSpyware Free Edition
Team Fortress 2
The Path
Trials 2: Second Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Venice
Viewpoint Media Player
WeatherBug
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows Presentation Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WordPerfect Office 12
World of Goo
X-COM: Apocalypse
X-COM: Enforcer
X-COM: Interceptor
X-COM: Terror from the Deep
X-COM: UFO Defense
Yahoo! Messenger
Yahoo! Toolbar
Zeno Clash Demo
Zuma Deluxe 1.0
Zylom Games Player Plugin

Re: Win32/Cryptor + Generic13 + many others

Post by Belahzur on Tue Jun 16, 2009 9:04 am

Hello.

You are running two antivirus products: I see from the uninstall list that you have McAfee installed along with AVG. This is a bad idea, as they can conflict and cause more problems. I would recommend that you remove McAfee to avoid conflicts and other future problems.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Java(TM) 6 Update 13
    McAfee Personal Firewall Plus
    McAfee SecurityCenter
    McAfee VirusScan
    Viewpoint Media Player

Next,

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts.
    NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get a prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Re: Win32/Cryptor + Generic13 + many others

Post by laika284 on Tue Jun 16, 2009 9:12 am

Okay, I'm about to do so, but should I disable only AVG's Resident Shield before using ComboFix, or should I do the same with Superantispyware and Spybot SD-Resident? (Which are also running, according to my system tray)

Re: Win32/Cryptor + Generic13 + many others

Post by Belahzur on Tue Jun 16, 2009 9:20 am

SAS can be exited by right clicking the system tray icon > Exit.

Please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

Now disable AVG too, then run Combofix.

Re: Win32/Cryptor + Generic13 + many others

Post by laika284 on Tue Jun 16, 2009 9:46 am

ComboFix 09-06-15.06 - David 06/16/2009 5:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.532 [GMT -4:00]
Running from: c:\documents and settings\David\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\uactmp.db

.
((((((((((((((((((((((((( Files Created from 2009-05-16 to 2009-06-16 )))))))))))))))))))))))))))))))
.

2009-06-16 05:39 . 2009-06-16 05:39 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-16 05:38 . 2009-06-16 05:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-06-15 14:57 . 2009-06-16 09:23 117760 ----a-w- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-15 14:57 . 2009-06-15 14:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-15 14:56 . 2009-06-15 14:56 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-15 14:56 . 2009-06-15 14:56 -------- d-----w- c:\documents and settings\David\Application Data\SUPERAntiSpyware.com
2009-06-15 14:53 . 2009-06-15 14:53 -------- d-----w- c:\documents and settings\David\Application Data\Malwarebytes
2009-06-15 14:53 . 2009-06-15 14:53 -------- d-----w- c:\documents and settings\David\Application Data\Yahoo!
2009-06-15 12:37 . 2009-06-15 12:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-06-15 12:36 . 2009-06-15 12:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
2009-06-15 12:27 . 2009-06-15 12:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-15 12:24 . 2009-06-15 12:24 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-15 12:15 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-15 12:15 . 2009-06-15 12:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-15 12:15 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-15 12:15 . 2009-06-15 12:20 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-14 14:17 . 2006-10-12 16:29 83504 ----a-w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\TEMP\ProgUpd.dll
2009-06-11 22:42 . 2009-05-19 13:34 3288856 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-06-11 22:29 . 2009-05-19 13:32 1439488 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-06-10 22:33 . 2009-06-10 22:33 -------- d-----w- c:\windows\system32\LogFiles
2009-06-10 12:39 . 2009-06-10 12:39 -------- d-----w- c:\documents and settings\Mom\Application Data\Yahoo!
2009-06-10 12:39 . 2009-06-10 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-06-03 11:32 . 2009-06-03 11:32 -------- d-----w- c:\documents and settings\Mom\Local Settings\Application Data\Apple Computer
2009-06-03 05:07 . 2009-06-03 05:07 -------- d-----w- c:\program files\iPod
2009-06-03 05:07 . 2009-06-03 05:07 -------- d-----w- c:\program files\iTunes
2009-06-03 05:05 . 2009-06-03 05:06 -------- d-----w- c:\program files\QuickTime
2009-06-03 05:01 . 2009-06-03 05:01 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-01 17:24 . 2009-06-01 17:56 -------- d-----w- c:\documents and settings\David\Application Data\Move Networks
2009-06-01 17:24 . 2008-12-29 18:08 970752 ----a-w- c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\eszsuv8z.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071301000019.dll
2009-05-20 11:34 . 2009-05-23 16:34 -------- d-----w- c:\program files\Ricochet Infinity
2009-05-20 10:58 . 2009-03-24 15:10 114688 ----a-w- c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
2009-05-20 10:58 . 2009-05-21 11:31 -------- d-----w- c:\program files\Zylom Games
2009-05-20 10:58 . 2009-05-20 10:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Zylom
2009-05-20 10:58 . 2006-12-12 21:07 161976 ----a-w- c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\zylomgamesplayer.dll
2009-05-19 18:09 . 2009-05-19 18:09 -------- d-----w- c:\documents and settings\David\Local Settings\Application Data\Redlynx
2009-05-19 18:09 . 2009-06-06 02:26 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-05-19 18:09 . 2009-06-06 02:26 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-05-19 18:09 . 2009-05-19 18:09 -------- d-----w- c:\program files\OpenAL
2009-05-19 18:09 . 2007-10-12 19:14 3734536 ----a-w- c:\windows\system32\d3dx9_36.dll
2009-05-18 23:54 . 2008-03-21 17:57 14640 ------w- c:\windows\system32\spmsgXP_2k3.dll
2009-05-17 21:38 . 2009-05-19 11:15 -------- d-----w- c:\documents and settings\Mom\Application Data\AdobeUM
2009-05-17 21:38 . 2009-05-17 21:38 -------- d-----w- c:\documents and settings\Mom\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-16 09:26 . 2009-04-16 20:41 -------- d-----w- c:\program files\Steam
2009-06-16 09:22 . 2004-10-27 17:42 -------- d-----w- c:\program files\McAfee.com
2009-06-16 09:20 . 2004-10-27 17:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-06-14 18:55 . 2009-05-07 14:26 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-14 14:19 . 2009-04-11 08:40 -------- d-----w- c:\program files\AIM6
2009-05-18 23:54 . 2009-05-18 23:54 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_xusb21_01007.Wdf
2009-05-18 23:54 . 2009-05-18 23:54 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-05-15 08:11 . 2009-05-15 08:11 -------- d-----w- c:\program files\uTorrent
2009-05-10 05:19 . 2009-04-15 16:40 -------- d-----w- c:\documents and settings\David\Application Data\Apple Computer
2009-05-07 15:44 . 2004-08-04 10:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-07 14:27 . 2009-05-07 14:26 -------- d-----w- c:\documents and settings\David\Application Data\Thunderbird
2009-05-05 11:39 . 2009-04-22 13:02 -------- d-----w- c:\program files\PopCap Games
2009-05-05 11:28 . 2004-10-27 17:40 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-05-05 10:36 . 2009-05-05 10:36 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games
2009-05-01 13:18 . 2009-04-15 15:38 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-01 13:18 . 2009-04-15 15:38 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-01 13:18 . 2009-04-15 15:38 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-04-29 04:56 . 2004-08-04 10:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-28 20:32 . 2009-04-28 20:32 -------- d-----w- c:\program files\EA Games
2009-04-27 05:37 . 2009-04-27 05:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Hot Lava Games
2009-04-24 20:05 . 2009-04-23 00:21 -------- d-----w- c:\program files\THQ
2009-04-24 06:55 . 2009-04-24 06:54 -------- d-----w- c:\documents and settings\David\Application Data\CyberLink
2009-04-22 15:26 . 2009-04-22 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2009-04-22 13:17 . 2009-04-22 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\MumboJumbo
2009-04-22 00:35 . 2009-04-22 00:35 -------- d-----w- c:\program files\ReflexiveArcade
2009-04-19 13:33 . 2009-04-19 13:33 -------- d-----w- c:\program files\Microsoft Silverlight
2009-04-18 14:04 . 2009-04-18 14:04 -------- d-----w- c:\program files\AWS
2009-04-18 14:04 . 2009-04-18 14:04 -------- d-----w- c:\documents and settings\Mom\Application Data\WeatherBug
2009-04-18 13:19 . 2009-04-14 14:10 45056 ----a-w- c:\windows\NCUNINST.EXE
2009-04-18 13:15 . 2009-04-11 15:09 40880 ----a-w- c:\documents and settings\Mom\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-18 02:56 . 2009-04-18 02:56 -------- d-----w- c:\program files\Audacity
2009-04-17 17:39 . 2009-04-17 17:39 -------- d-----w- c:\documents and settings\David\Application Data\AdobeUM
2009-04-17 14:11 . 2009-04-17 14:11 0 ----a-w- c:\windows\ativpsrm.bin
2009-04-17 09:58 . 2004-08-04 10:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 14:37 . 2009-04-16 14:37 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-15 19:31 . 2009-04-28 20:31 1099128 ----a-w- c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\eszsuv8z.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2009-04-15 19:31 . 2009-04-28 20:31 729088 ----a-w- c:\documents and settings\David\Application Data\Mozilla\Firefox\Profiles\eszsuv8z.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2009-04-15 15:30 . 2009-04-10 20:39 40880 ----a-w- c:\documents and settings\David\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-15 15:11 . 2004-08-04 10:00 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-08 18:29 . 2009-04-08 18:29 56448 ----a-w- c:\windows\system32\drivers\xusb21.sys
2009-03-19 20:32 . 2009-04-15 16:40 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-19 20:32 . 2009-03-19 20:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-18 21:55 . 2009-04-11 11:10 607472 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\yupdater.exe
2008-09-25 01:33 . 2008-09-25 01:33 559104 ----a-w- c:\program files\lame.exe
2008-09-14 16:51 . 2008-09-14 16:51 90705 ----a-w- c:\program files\history.html
2008-09-14 16:51 . 2008-09-14 16:51 7983 ----a-w- c:\program files\id3.html
2008-08-06 20:24 . 2008-08-06 20:24 41494 ----a-w- c:\program files\switchs.html
2008-06-27 14:29 . 2008-06-27 14:29 2167 ----a-w- c:\program files\index.html
2008-06-24 13:41 . 2008-06-24 13:41 4093 ----a-w- c:\program files\contributors.html
2008-03-13 02:15 . 2008-03-13 02:15 178 ----a-w- c:\program files\Free-Codecs.txt
2005-07-28 18:05 . 2005-07-28 18:05 4922 ----a-w- c:\program files\basic.html
2005-07-28 18:05 . 2005-07-28 18:05 1705 ----a-w- c:\program files\examples.html
2004-08-20 00:36 . 2004-08-20 00:36 2288 ----a-w- c:\program files\modes.html
2001-10-24 17:44 . 2001-10-24 17:44 6967 ----a-w- c:\program files\node6.html
2000-12-04 04:00 . 2000-12-04 04:00 732 ----a-w- c:\program files\lame.css
.

laika284
Novice
Posts : 29
Joined : 2009-06-16
OS : Windows XP

Re: Win32/Cryptor + Generic13 + many others

Post by laika284 on Tue Jun 16, 2009 9:47 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"Steam"="c:\program files\Steam\Steam.exe" [2009-06-11 1217784]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-05-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-28 335872]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2004-04-12 290816]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-08-23 57344]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2004-10-27 26112]
"mmtask"="c:\program files\MusicMatch\MusicMatch Jukebox\mmtask.exe" [2004-04-19 53248]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-11 1948440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 32881]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-01 13:18 11952 ----a-w- c:\windows\SYSTEM32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dangerous high school girls in trouble\\prog\\brigiton.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\aquaria\\Aquaria.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\7 wonders 2\\Wonders2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bookworm adventures deluxe\\BookwormAdventures.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\world of goo\\WorldOfGoo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\raycatcher demo\\Raycatcher.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\XR_3DA.exe"=
"c:\\Program Files\\THQ\\S.T.A.L.K.E.R. - Shadow of Chernobyl\\bin\\dedicated\\XR_3DA.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\reaxxion\\Reaxxion.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\musaic box\\bin\\musaic_Release.exe"=
"c:\\WINDOWS\\SYSTEM32\\dldtcoms.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldtpswx.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldttime.exe"=
"c:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\dldtjswx.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
"c:\\Program Files\\THQ\\Company of Heroes\\RelicDownloader\\RelicDownloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\xcom interceptor\\Interceptor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\ghost master\\ghost.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\xcom ufo defense\\dosbox.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\xcom enforcer\\System\\XCom.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\geometry wars\\GeometryWars.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\trials 2 second edition\\launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\x-com terror from the deep\\runme.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\xcom apocalypse\\dosbox.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\defensegridtheawakening\\DefenseGrid.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\speedball 2\\Speedball2.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\venice\\Venice.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\sid meier's railroads demo\\RailRoadsDemo.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\plants vs zombies\\PlantsVsZombies.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\cogs\\cogs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\penumbra overture\\redist\\Penumbra.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\alien shooter 2 - reloaded\\AlienShooter.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\penumbra black plague\\redist\\Penumbra.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\penumbra black plague\\redist\\Requiem.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\blueberry garden demo\\BlueberryGarden.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [4/15/2009 11:38 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [4/15/2009 11:38 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [4/15/2009 11:38 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/15/2009 11:38 AM 298776]
R2 dldt_device;dldt_device;c:\windows\system32\dldtcoms.exe -service --> c:\windows\system32\dldtcoms.exe -service [?]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-06-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-06-16 05:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????p???????????????X:??????????????????x????????:??x???????0???????????x???? ??x???x???h???x??????|????????x???????????????4???????x???????????x??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-06-16 5:40
ComboFix-quarantined-files.txt 2009-06-16 09:40

Pre-Run: 78,859,689,984 bytes free
Post-Run: 78,904,799,232 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

245 --- E O F --- 2009-06-16 06:26


Re: Win32/Cryptor + Generic13 + many others

Post by Belahzur on Tue Jun 16, 2009 9:49 am

Hello.
Still having problems now? The one malicious file related to the Cryptor rootkit is gone now.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
OS : XP SP3 Media Centre

Re: Win32/Cryptor + Generic13 + many others

Post by laika284 on Tue Jun 16, 2009 10:15 am

It seems okay now, but like I said, it's appeared to be gone before but came right back. However, with your word, I'm much more confident that it's gone now. Everything else seemed fine according to the logs? I know a little, but I can't even make sense of a lot of it.

I have to ask the requisite questions about future safety. I know you've posted general tips in other threads, so I assume those would suffice for me? Windows Security Center tells me I'm currently running the Windows XP firewall; would this conflict with another firewall like, say, Kerio free? Would you recommend other programs to supplement the AVG/Spybot/SUPERAntiSpyware/Malwarebytes that I have now, or should I use other programs in place of some of those I have now? Would you recommend Windows Service Pack 3? I have a techie friend who said that some of her friends had problems with it, so I've held off since it seems inessential.

And above all, many many many thanks to you and to everybody who helps keep this site running. I really can't express my gratitude enough, but I'll be telling everyone I know and I'll be making a bit of a donation once I get everything sorted out.


Re: Win32/Cryptor + Generic13 + many others

Post by Belahzur on Tue Jun 16, 2009 10:32 am

Hello.
SAS/MBAM/AVG is a good combination. If you install a 3rd-party firewall, the firewall installed will turn Windows Firewall off automatically for you.

From experience, I've only installed SP3 on a real OS that is validated. I can't tell if yours is validated, though. I think it should be; I see IE7 on this machine.





Re: Win32/Cryptor + Generic13 + many others

Post by laika284 on Tue Jun 16, 2009 3:05 pm

Belahzur, thank you so much. Like I said, I can't tell you how grateful I am, even if only for the peace of mind. I'm using the Outpost firewall and 3 new Firefox add-ons I've noticed you recommended in another topic (Adblock Plus, NoScript, and Flashblock). The new firewall and NoScript are a bit confusing, especially for my mother who shares the same PC (as you may have noticed), but it's nothing we can't figure out and I already feel much more protected. Also, my OS is real; it came pre-installed when I got this PC from Dell about 6-7 years ago. I suppose I'll give SP3 a try.

The computer seems pretty stable now, so we'll see if anything else decides to pop up. Again, thank you so much for your time and expertise. After going crazy over these infections, you've managed to restore a bit of my faith in humanity!

laika284
Novice
Novice

Status :
Online
Offline

Posts : 29
Joined : 2009-06-16
OS : Windows XP
Points : 27293
# Likes : 0

View user profile

Back to top Go down

Re: Win32/Cryptor + Generic13 + many others

Post by Belahzur on Tue Jun 16, 2009 3:07 pm

No problem.
Just a quick note:

When I installed SP3 on my XP laptop, it took 40 mins, so yours may take anywhere up to 30 mins or more, so do not worry if it seems it's taking ages.




