win32 cryptor


win32 cryptor

Post by katjari on 2nd July 2009, 7:21 pm

Hi! A few days ago I got infected through a USB flash drive. AVG's Resident Shield told me I was infected with Win32 Cryptor, but it couldn't do anything about it. I downloaded Malwarebytes' Anti-Malware and SUPERAntiSpyware, and they found a lot of trojans. Should I post the logs of those scans? My QuickTime Player didn't work, saying that a buffer overrun was detected which has corrupted the program's internal state, and I also couldn't do a System Restore, which said that no changes have been made to my computer. Before I sent this post, I updated my Windows with Service Pack 3 and some high-priority updates, and now both QuickTime Player and System Restore work just fine. Does that mean everything's OK?
Thank you

And here's the HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:56:53, on 2.7.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PBZ\ACCOCA.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdeserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\lxdecoms.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Prevx\prevx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Lexmark 4800 Series\lxdemon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Lexmark 4800 Series\lxdeamon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: (no name) - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Pomoc za prijavu - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [lxdemon.exe] "C:\Program Files\Lexmark 4800 Series\lxdemon.exe"
O4 - HKLM\..\Run: [lxdeamon] "C:\Program Files\Lexmark 4800 Series\lxdeamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: .protected
O4 - Startup: Adobe Media Player.lnk = C:\Documents and Settings\Owner\Desktop\Adobe Media Player\Adobe Media Player.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: I&zvoz u Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - [You must be registered and logged in to see this link.]
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {35F59C80-C1F2-4EEA-9981-686C7D5A9277} - [You must be registered and logged in to see this link.]
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\PBZ\\ACCOCA.EXE
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdeCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdeserv.exe
O23 - Service: lxde_device - - C:\WINDOWS\system32\lxdecoms.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 10386 bytes


Re: win32 cryptor

Post by Origin on 2nd July 2009, 7:30 pm

Hello katjari,

Welcome to Geek Police, my name is Origin and I will be helping you today. Please keep the following in mind:

  • If you do not get a reply from me or another helper within 2 days, please reply to your topic with the phrase BUMP.
  • If you have any cracked/pirated software on your computer, delete it or we will not help you.
  • Only follow advice from Geek Police Staff and not from a regular member.
  • Do NOT run any tool without Geek Police supervision, as it could render your system useless.



  • Open HijackThis.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - *{C94E154B-1459-4A47-966B-4B843BEFC7DB} - (no file)
    O2 - BHO: (no name) - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - (no file)
    O3 - Toolbar: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)


  • Press "Fix Checked"
  • Close Hijack This.


Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]


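The checks Origin applied by eye above (hooks, BHOs and toolbars that are still registered but point at no file, a startup item with no target, a service whose binary is missing) as an added Python triage script; it is not part of the original thread or of HijackThis. The sample lines are copied from the log posted above; the R-lines carry forum placeholders instead of URLs, so the script leaves those to manual review.

```python
import re
from dataclasses import dataclass

# Constructed sample: a dozen lines copied from the HijackThis log posted in this
# thread. The forum replaces URLs with a placeholder, so R-line values are opaque.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: (no name) - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O3 - Toolbar: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: .protected
O4 - Startup: Adobe Media Player.lnk = C:\Documents and Settings\Owner\Desktop\Adobe Media Player\Adobe Media Player.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# First Windows path with an executable-ish extension, quoted or not.
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|bat|cmd|vbs|scr))"?', re.IGNORECASE)
# XP-era locations a standard user can write to (heuristic, not exhaustive).
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")


@dataclass
class Finding:
    section: str
    action: str   # "fix": safe to let HijackThis remove; "review": needs a human
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (section, body, raw_line) for every R/O line; other lines are skipped."""
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            yield m.group("sec"), m.group("body"), raw


def autorun_target(body):
    """Return the file an O4 entry launches, or None if it names no file at all."""
    if body.startswith(("Startup:", "Global Startup:")):
        _, _, rest = body.partition(" = ")
        return rest.strip() or None
    m = EXE_RE.search(body)
    return m.group(1) if m else None


def is_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)


def triage(log_text):
    """Apply the checks a helper applies by eye and return the findings in log order."""
    findings = []
    for sec, body, raw in parse_entries(log_text):
        if body.endswith("(no file)"):
            # Registered hook/BHO/toolbar whose DLL is gone: leftover of a removal.
            findings.append(Finding(sec, "fix", "orphaned entry, file no longer exists", raw))
        elif sec == "O23" and ("(file missing)" in body or "Unknown owner" in body):
            findings.append(Finding(sec, "review", "service with missing binary or no publisher", raw))
        elif sec == "O4":
            target = autorun_target(body)
            if target is None:
                findings.append(Finding(sec, "review", "startup item with no resolvable target", raw))
            elif is_user_writable(target):
                findings.append(Finding(sec, "review", "autorun launched from a user-writable path", raw))
    return findings


def fix_list(findings):
    """The exact lines to tick in HijackThis before pressing 'Fix checked'."""
    return [f.line for f in findings if f.action == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.action:6}] {f.section:4} {f.reason}: {f.line}")
```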

Re: win32 cryptor

Post by katjari on 3rd July 2009, 1:53 pm

Hi! Malwarebytes said no malicious items were found, so thanks a lot!
Here's the log

Malwarebytes' Anti-Malware 1.38
Database version: 2368
Windows 5.1.2600 Service Pack 3

3.7.2009 15:42:54
mbam-log-2009-07-03 (15-42-54).txt

Scan type: Quick Scan
Objects scanned: 115619
Time elapsed: 20 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: win32 cryptor

Post by Belahzur on 3rd July 2009, 3:39 pm

Hello.


  • Download ComboFix from here:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools -> Options -> Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename ComboFix to Combo-Fix.
    3. It is important that you rename ComboFix during the download, but not after.
    4. Please do not rename ComboFix to any other name, only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (anti-virus) before running ComboFix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV (AVG8).
  • Double-click on ComboFix.exe.
  • Follow the prompts. NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It is strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get a prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it is running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: win32 cryptor

Post by katjari on 3rd July 2009, 10:28 pm

Hi! Here's the log from ComboFix; it was too big, so I put it in 2 posts.

ComboFix 09-07-03.03 - Owner 03.07.2009 23:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.385.1033.18.511.318 [GMT 2:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\RavMonLog
c:\documents and settings\Owner\Start Menu\Programs\Webteh\Startup\.protected
c:\windows\Installer\15157.msi
c:\windows\Installer\1516a.msi
c:\windows\Installer\4be7b.msp
c:\windows\Installer\4be7c.msp
c:\windows\Installer\4be7d.msp
c:\windows\Installer\4be7e.msp
c:\windows\Installer\4be7f.msp
c:\windows\Installer\4be80.msp
c:\windows\Installer\4be81.msp
c:\windows\Installer\4be82.msp
c:\windows\Installer\4be83.msp
c:\windows\Installer\4be84.msp
c:\windows\Installer\55e61d.msp
c:\windows\Installer\55e61e.msp
c:\windows\Installer\55e61f.msp
c:\windows\Installer\55e620.msp
c:\windows\Installer\55e621.msp
c:\windows\Installer\55e622.msp
c:\windows\Installer\55e623.msp
c:\windows\Installer\55e624.msp
c:\windows\Installer\55e625.msp
c:\windows\Installer\55e626.msp
c:\windows\Installer\59a0b4.msp
c:\windows\Installer\59a0b5.msp
c:\windows\Installer\59a0b6.msp
c:\windows\Installer\59a0b7.msp
c:\windows\Installer\59a0b8.msp
c:\windows\Installer\59a0b9.msp
c:\windows\Installer\59a0ba.msp
c:\windows\Installer\59a0bb.msp
c:\windows\Installer\59a0bc.msp
c:\windows\Installer\59a0bd.msp
c:\windows\Installer\62f25.msi
c:\windows\Installer\7123d.msi
c:\windows\Installer\c3f837.msp
c:\windows\Installer\c3f838.msp
c:\windows\Installer\c3f839.msp
c:\windows\Installer\c3f83a.msp
c:\windows\Installer\c3f83b.msp
c:\windows\Installer\c3f83c.msp
c:\windows\Installer\c3f83d.msp
c:\windows\Installer\c3f83e.msp
c:\windows\Installer\c3f83f.msp
c:\windows\Installer\c3f840.msp
c:\windows\system32\_006000_.tmp.dll
c:\windows\system32\_006001_.tmp.dll
c:\windows\system32\_006002_.tmp.dll
c:\windows\system32\_006003_.tmp.dll
c:\windows\system32\_006010_.tmp.dll
c:\windows\system32\_006011_.tmp.dll
c:\windows\system32\_006012_.tmp.dll
c:\windows\system32\_006013_.tmp.dll
c:\windows\system32\_006015_.tmp.dll
c:\windows\system32\_006016_.tmp.dll
c:\windows\system32\_006017_.tmp.dll
c:\windows\system32\_006019_.tmp.dll
c:\windows\system32\_006020_.tmp.dll
c:\windows\system32\_006022_.tmp.dll
c:\windows\system32\_006023_.tmp.dll
c:\windows\system32\_006024_.tmp.dll
c:\windows\system32\_006026_.tmp.dll
c:\windows\system32\_006029_.tmp.dll
c:\windows\system32\_006030_.tmp.dll
c:\windows\system32\_006034_.tmp.dll
c:\windows\system32\_006035_.tmp.dll
c:\windows\system32\_006037_.tmp.dll
c:\windows\system32\_006040_.tmp.dll
c:\windows\system32\_006042_.tmp.dll
c:\windows\system32\_006043_.tmp.dll
c:\windows\system32\_006044_.tmp.dll
c:\windows\system32\_006045_.tmp.dll
c:\windows\system32\_006046_.tmp.dll
c:\windows\system32\_006049_.tmp.dll
c:\windows\system32\_006050_.tmp.dll
c:\windows\system32\_006051_.tmp.dll
c:\windows\system32\_006052_.tmp.dll
c:\windows\system32\_006053_.tmp.dll
c:\windows\system32\_006058_.tmp.dll
c:\windows\system32\_006060_.tmp.dll
c:\windows\system32\_006061_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-02 18:48 . 2009-07-02 18:54 -------- d-----w- c:\program files\Motherboard Monitor 5
2009-07-01 16:45 . 2009-07-01 16:45 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-07-01 16:38 . 2009-07-01 16:38 -------- d-----w- c:\windows\system32\wbem\Repository
2009-07-01 16:37 . 2009-07-01 16:37 -------- d-----w- C:\d8e6c7a22aa57062d9
2009-07-01 16:26 . 2009-07-01 16:26 -------- d-----w- c:\program files\CCleaner
2009-07-01 13:12 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-01 13:12 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-01 13:12 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-07-01 13:12 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-01 13:12 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-07-01 13:12 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-07-01 13:12 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-30 17:11 . 2009-07-01 16:32 -------- d-----w- c:\windows\system32\en
2009-06-30 17:11 . 2009-07-01 09:23 -------- d-----w- c:\windows\system32\scripting
2009-06-30 17:11 . 2009-07-01 09:23 -------- d-----w- c:\windows\l2schemas
2009-06-30 17:10 . 2009-06-30 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-30 17:09 . 2009-06-30 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-30 17:09 . 2009-06-30 17:09 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-30 15:32 . 2009-06-30 15:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2009-06-29 19:17 . 2009-06-29 19:17 -------- d-----w- c:\program files\Windows Resource Kits
2009-06-29 18:21 . 2008-04-13 17:39 2897920 ----a-w- c:\windows\system32\xpsp2res.dll
2009-06-28 09:55 . 2009-06-14 14:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-27 10:00 . 2009-07-03 21:20 -------- d-----w- c:\program files\True Sword 5
2009-06-26 18:16 . 2009-07-03 21:41 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-26 18:15 . 2009-06-26 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-26 18:15 . 2009-06-26 18:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-26 18:15 . 2009-06-26 18:15 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-06-26 16:46 . 2009-06-26 16:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-26 16:46 . 2009-06-17 09:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 16:46 . 2009-06-26 16:46 -------- d-----w- c:\program files\Malkatja
2009-06-26 16:46 . 2009-06-26 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-26 16:46 . 2009-06-17 09:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-26 13:59 . 2009-06-26 13:59 -------- d-----w- c:\program files\ESET
2009-06-26 13:48 . 2009-06-26 13:48 374 ----a-w- c:\documents and settings\Owner\MRTBLM.bat
2009-06-08 07:30 . 2009-06-08 07:30 -------- d-----w- c:\documents and settings\Owner\Application Data\FaxCtr
2009-06-07 19:25 . 2009-06-07 19:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Lexmark Productivity Studio
2009-06-07 18:46 . 2009-06-08 07:29 -------- d-----w- c:\program files\Lexmark Toolbar
2009-06-07 18:35 . 2009-07-03 20:58 -------- d-----w- c:\documents and settings\All Users\lx_cats
2009-06-07 18:29 . 2009-06-07 18:29 -------- d-----w- C:\logs
2009-06-07 18:28 . 2006-08-01 05:53 40960 ----a-w- c:\windows\system32\lxdevs.dll
2009-06-07 18:28 . 2007-05-03 19:50 348160 ----a-w- c:\windows\system32\lxdecoin.dll
2009-06-07 18:27 . 2001-08-17 20:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2009-06-07 18:27 . 2001-08-17 20:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2009-06-07 18:27 . 2007-05-24 20:24 692224 ----a-w- c:\windows\system32\lxdedrs.dll
2009-06-07 18:27 . 2007-05-22 14:09 65536 ----a-w- c:\windows\system32\lxdecaps.dll
2009-06-07 18:27 . 2007-04-17 14:17 69632 ----a-w- c:\windows\system32\lxdecnv4.dll
2009-06-07 18:26 . 2007-05-23 07:42 45056 ----a-w- c:\windows\system32\LXF3PMON.DLL
2009-06-07 18:26 . 2007-05-23 07:42 32768 ----a-w- c:\windows\system32\LXF3FXPU.DLL
2009-06-07 18:26 . 2007-05-23 07:44 12288 ----a-w- c:\windows\system32\LXF3PMRC.DLL
2009-06-07 18:26 . 2007-01-17 12:07 36864 ----a-w- c:\windows\system32\lxf3oem.dll
2009-06-07 18:26 . 2007-01-10 06:09 98345 ----a-w- c:\windows\system32\IMHOST32.DLL
2009-06-07 18:26 . 2007-01-10 06:09 339968 ----a-w- c:\windows\system32\IMGMAN32.DLL
2009-06-07 18:25 . 2009-06-07 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\FaxCtr
2009-06-07 18:25 . 2009-06-07 18:26 -------- d-----w- c:\program files\Lexmark Fax Solutions
2009-06-07 18:21 . 2007-05-29 13:07 598960 ----a-w- c:\windows\system32\lxdecoms.exe
2009-06-07 18:21 . 2007-05-28 02:06 77824 ----a-w- c:\windows\system32\lxdecu.dll
2009-06-07 18:21 . 2007-05-17 18:00 364544 ----a-w- c:\windows\system32\lxdecomm.dll
2009-06-07 18:21 . 2007-05-17 17:56 860160 ----a-w- c:\windows\system32\lxdecomc.dll
2009-06-07 18:21 . 2007-05-29 13:07 365488 ----a-w- c:\windows\system32\lxdecfg.exe
2009-06-07 18:21 . 2007-05-11 01:51 77906 ----a-w- c:\windows\system32\lxdecfg.dll
2009-06-07 18:21 . 2009-06-07 18:27 -------- d-----w- c:\program files\Lexmark 4800 Series

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 18:30 . 2008-12-18 13:41 -------- d-----w- c:\program files\Vuze
2009-07-02 16:51 . 2008-05-23 19:46 3580 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-01 17:14 . 2008-12-15 15:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-07-01 16:27 . 2007-09-01 17:49 -------- d-----w- c:\program files\Java
2009-07-01 16:25 . 2004-06-30 08:30 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-07-01 16:25 . 2003-12-30 17:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-01 09:26 . 2003-12-30 16:58 76487 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-06-30 17:23 . 2004-08-25 14:41 -------- d-----w- c:\program files\Trend Micro
2009-06-30 17:16 . 2008-10-21 18:13 -------- d-----w- c:\program files\NOS
2009-06-30 17:10 . 2004-02-22 18:00 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-30 17:10 . 2004-02-06 18:28 -------- d-----w- c:\program files\QuickTime
2009-06-30 16:57 . 2008-10-21 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-06-29 17:19 . 2008-10-23 13:11 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-28 19:51 . 2007-09-01 17:52 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2009-06-28 09:43 . 2008-11-23 12:24 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-28 09:43 . 2008-11-23 12:23 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-28 09:43 . 2008-11-23 12:23 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-26 18:14 . 2004-08-10 19:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-25 22:00 . 2008-11-23 12:23 -------- d-----w- c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2009-06-06 20:45 . 2007-09-14 13:28 -------- d-----w- c:\program files\Common Files\Ahead
2009-06-06 20:27 . 2007-09-15 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-06-06 20:25 . 2007-09-14 16:08 -------- d-----w- c:\program files\Ahead
2009-05-17 08:55 . 2008-11-23 12:24 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2009-06-29 18:20 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2009-04-29 04:46 666624 ------w- c:\windows\system32\SET13BC.tmp
2009-04-29 04:46 . 2009-04-29 04:46 620032 ------w- c:\windows\system32\SET13BD.tmp
2009-04-29 04:46 . 2004-12-07 15:37 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2009-04-29 04:46 1499136 ------w- c:\windows\system32\SET13BE.tmp
2009-04-29 04:46 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2009-06-29 18:20 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-11-01 22:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-10-23 14:30 . 2008-10-23 14:30 4900376 ----a-w- c:\program files\LimeWireWin.exe
.


Re: win32 cryptor

Post by katjari on 3rd July 2009, 10:30 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 14:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 57344]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-31 68856]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-10-28 335872]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 40960]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-28 1948440]
"lxdemon.exe"="c:\program files\Lexmark 4800 Series\lxdemon.exe" [2007-06-11 455600]
"lxdeamon"="c:\program files\Lexmark 4800 Series\lxdeamon.exe" [2007-06-01 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-11 316336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-29 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-28 09:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\WINDOWS\\system32\\lxdecoms.exe"=
"c:\\Program Files\\Lexmark 4800 Series\\lxdeamon.exe"=
"c:\\Program Files\\Lexmark 4800 Series\\frun.exe"=
"c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=
"c:\\Program Files\\Lexmark 4800 Series\\lxdemon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdepswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdejswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdetime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14224:TCP"= 14224:TCP:NortonAV
"16700:TCP"= 16700:TCP:NortonAV
"15855:TCP"= 15855:TCP:NortonAV
"13584:TCP"= 13584:TCP:NortonAV
"18328:TCP"= 18328:TCP:NortonAV
"13923:TCP"= 13923:TCP:NortonAV
"18027:TCP"= 18027:TCP:NortonAV
"17308:TCP"= 17308:TCP:NortonAV
"18106:TCP"= 18106:TCP:NortonAV
"14967:TCP"= 14967:TCP:NortonAV
"18530:TCP"= 18530:TCP:NortonAV
"17750:TCP"= 17750:TCP:NortonAV
"17286:TCP"= 17286:TCP:NortonAV
"17031:TCP"= 17031:TCP:NortonAV
"18072:TCP"= 18072:TCP:NortonAV
"18671:TCP"= 18671:TCP:NortonAV
"13030:TCP"= 13030:TCP:NortonAV
"17065:TCP"= 17065:TCP:NortonAV
"16982:TCP"= 16982:TCP:NortonAV
"12140:TCP"= 12140:TCP:NortonAV
"12431:TCP"= 12431:TCP:NortonAV
"14568:TCP"= 14568:TCP:NortonAV
"16424:TCP"= 16424:TCP:NortonAV
"13195:TCP"= 13195:TCP:NortonAV
"17776:TCP"= 17776:TCP:NortonAV
"16002:TCP"= 16002:TCP:NortonAV
"13398:TCP"= 13398:TCP:NortonAV
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23.11.2008 14:23 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23.11.2008 14:24 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23.6.2009 11:01 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23.6.2009 11:01 72944]
R2 Accoca;ActivCard Gold service;c:\program files\PBZ\ACCOCA.EXE [10.4.2001 19:08 110592]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [23.11.2008 14:23 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [23.11.2008 14:23 298776]
R2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe -service --> c:\windows\system32\lxdecoms.exe -service [?]
R2 lxdeCATSCustConnectService;lxdeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdeserv.exe [7.6.2009 20:28 99248]
R3 actccid;ActivCard USB Reader V2;c:\windows\system32\drivers\actccid.sys [24.2.2004 16:42 47660]
S2 efdbc;System Task;c:\windows\system32\svchost.exe -k netsvcs [31.3.2003 14:00 14336]
S3 adxapie;adxapie;\??\c:\docume~1\Owner\LOCALS~1\Temp\adxapie.sys --> c:\docume~1\Owner\LOCALS~1\Temp\adxapie.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23.6.2009 11:01 7408]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
efdbc
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: I&zvoz u Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-04 00:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART]
@DACL=(02 0000)
@=""
"waol.exe"=dword:00000001
"cs.exe"=dword:00000001
"wm.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTECT_DECOMPRESSION_FILTER_FROM_ABORT_KB942367]
@DACL=(02 0000)
@=""
"*"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD]
@DACL=(02 0000)
"wlmail.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN]
@DACL=(02 0000)
"wlmail.exe"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(2176)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdecoms.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-03 0:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-03 22:12

Pre-Run: 18.662.412.288 bytes free
Post-Run: 22.059.147.264 bytes free

361 --- E O F --- 2009-07-01 13:22

katjari
Novice

Posts : 27
Joined : 2009-06-29
OS : windows xp home
Points : 27410
Likes : 0


Re: win32 cryptor

Post by Belahzur on 4th July 2009, 1:51 pm

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\system32\SET13BC.tmp
c:\windows\system32\SET13BD.tmp
c:\windows\system32\SET13BE.tmp
c:\program files\LimeWireWin.exe

Driver::
efdbc
adxapie

NetSvc::
efdbc

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
Likes : 1

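As an added example that is not part of the thread: a small triage helper that reads ComboFix-style output like the logs above and flags the patterns the CFScript acted on (a driver loading from a Temp folder, a service hosted by svchost netsvcs and named in the Svchost - NetSvcs section), plus the disabled-protection settings visible in the log. The sample lines are constructed from entries in the log; the "[?]" (unresolved image) rule is informational only, since the Lexmark lxde_device entry trips it too and was left in place.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the ComboFix output quoted in the thread:
# two "Reg Loading Points" entries, the R*/S* driver and service lines, and
# the "Svchost - NetSvcs" listing. Paths are copied from the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23.11.2008 14:23 327688]
R2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe -service --> c:\windows\system32\lxdecoms.exe -service [?]
S2 efdbc;System Task;c:\windows\system32\svchost.exe -k netsvcs [31.3.2003 14:00 14336]
S3 adxapie;adxapie;\??\c:\docume~1\Owner\LOCALS~1\Temp\adxapie.sys --> c:\docume~1\Owner\LOCALS~1\Temp\adxapie.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
efdbc
"""

# "R1 name;display name;image path [date time size]" or "... [?]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")


def parse_services(log: str) -> List[Dict[str, object]]:
    """Split each R*/S* line into start type, name, display name and image path."""
    services = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        start, name, display, rest = m.groups()
        # ComboFix appends "[date time size]" when it found the file and "[?]" when it did not.
        unresolved = rest.rstrip().endswith("[?]")
        image = rest.split(" [", 1)[0].strip()
        services.append({"start": start, "name": name, "display": display,
                         "image": image, "unresolved": unresolved})
    return services


def netsvcs_names(log: str) -> List[str]:
    """Service names listed under the 'Svchost - NetSvcs' heading (until a blank or '.' line)."""
    names, in_section = [], False
    for line in log.splitlines():
        s = line.strip()
        if s.endswith("Svchost - NetSvcs"):
            in_section = True
            continue
        if in_section:
            if not s or s == ".":
                break
            names.append(s)
    return names


def service_findings(log: str) -> Dict[str, List[str]]:
    """Map each suspicious service name to the reasons it was flagged."""
    netsvcs = set(netsvcs_names(log))
    out: Dict[str, List[str]] = {}
    for svc in parse_services(log):
        reasons = []
        low = str(svc["image"]).lower()
        if "\\temp\\" in low:
            reasons.append("image loads from a Temp folder")
        if "svchost.exe -k netsvcs" in low and svc["name"] in netsvcs:
            reasons.append("svchost-hosted and listed under Svchost - NetSvcs; check its ServiceDll")
        if svc["unresolved"]:
            # Weak signal on its own: legitimate vendor services can show "[?]" too.
            reasons.append("ComboFix could not resolve the image file ([?])")
        if reasons:
            out[str(svc["name"])] = reasons
    return out


def registry_findings(log: str) -> List[str]:
    """Protection settings that the log shows switched off."""
    findings = []
    if re.search(r'"AntiVirusOverride"\s*=\s*dword:0*1\b', log):
        findings.append("Security Center antivirus monitoring is overridden (AntiVirusOverride=1)")
    if re.search(r'"EnableFirewall"\s*=\s*0\b', log):
        findings.append("Windows Firewall standard profile is disabled (EnableFirewall=0)")
    return findings


if __name__ == "__main__":
    for name, reasons in service_findings(SAMPLE_LOG).items():
        print(f"{name}: " + "; ".join(reasons))
    for item in registry_findings(SAMPLE_LOG):
        print(item)
```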

Re: win32 cryptor

Post by katjari on 4th July 2009, 8:55 pm

Hello! Here's the new log of combo fix.

ComboFix 09-07-04.02 - Owner 04.07.2009 22:25.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.385.1033.18.511.263 [GMT 2:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\program files\LimeWireWin.exe"
"c:\windows\system32\SET13BC.tmp"
"c:\windows\system32\SET13BD.tmp"
"c:\windows\system32\SET13BE.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\LimeWireWin.exe
c:\windows\system32\SET13BC.tmp
c:\windows\system32\SET13BD.tmp
c:\windows\system32\SET13BE.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ADXAPIE
-------\Legacy_EFDBC
-------\Service_adxapie
-------\Service_efdbc


((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-07-04 07:49 . 2009-06-28 09:43 327688 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys
2009-07-04 07:49 . 2009-06-28 09:43 2052376 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-04 07:49 . 2009-06-28 09:43 906520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgemc.exe
2009-07-04 07:49 . 2009-06-28 09:43 3402008 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-07-04 07:49 . 2009-06-28 09:43 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-04 07:49 . 2009-06-28 09:43 1204504 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgabout.dll
2009-07-04 07:49 . 2009-06-28 09:43 3298072 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe
2009-07-04 07:49 . 2009-06-28 09:43 337176 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglogx.dll
2009-07-04 07:49 . 2009-06-28 09:43 829208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2009-07-04 07:47 . 2009-06-28 09:42 1454360 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-04 07:47 . 2009-06-28 09:42 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-02 18:48 . 2009-07-02 18:54 -------- d-----w- c:\program files\Motherboard Monitor 5
2009-07-01 16:45 . 2009-07-01 16:45 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-07-01 16:38 . 2009-07-01 16:38 -------- d-----w- c:\windows\system32\wbem\Repository
2009-07-01 16:37 . 2009-07-01 16:37 -------- d-----w- C:\d8e6c7a22aa57062d9
2009-07-01 16:26 . 2009-07-01 16:26 -------- d-----w- c:\program files\CCleaner
2009-07-01 13:12 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-07-01 13:12 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-07-01 13:12 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-07-01 13:12 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-01 13:12 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-07-01 13:12 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-07-01 13:12 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-30 17:11 . 2009-07-01 16:32 -------- d-----w- c:\windows\system32\en
2009-06-30 17:11 . 2009-07-01 09:23 -------- d-----w- c:\windows\system32\scripting
2009-06-30 17:11 . 2009-07-01 09:23 -------- d-----w- c:\windows\l2schemas
2009-06-30 17:10 . 2009-06-30 17:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-30 17:09 . 2009-06-30 17:09 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-30 17:09 . 2009-06-30 17:09 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-30 15:32 . 2009-06-30 15:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2009-06-29 19:17 . 2009-06-29 19:17 -------- d-----w- c:\program files\Windows Resource Kits
2009-06-29 18:21 . 2008-04-13 17:39 2897920 ----a-w- c:\windows\system32\xpsp2res.dll
2009-06-28 09:55 . 2009-06-14 14:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-27 10:00 . 2009-07-03 21:20 -------- d-----w- c:\program files\True Sword 5
2009-06-26 18:16 . 2009-07-04 20:13 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-26 18:15 . 2009-06-26 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-26 18:15 . 2009-06-26 18:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-26 18:15 . 2009-06-26 18:15 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-06-26 16:46 . 2009-06-26 16:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-06-26 16:46 . 2009-06-17 09:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-26 16:46 . 2009-06-26 16:46 -------- d-----w- c:\program files\Malkatja
2009-06-26 16:46 . 2009-06-26 16:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-26 16:46 . 2009-06-17 09:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-26 13:59 . 2009-06-26 13:59 -------- d-----w- c:\program files\ESET
2009-06-26 13:48 . 2009-06-26 13:48 374 ----a-w- c:\documents and settings\Owner\MRTBLM.bat
2009-06-08 07:30 . 2009-06-08 07:30 -------- d-----w- c:\documents and settings\Owner\Application Data\FaxCtr
2009-06-07 19:25 . 2009-06-07 19:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Lexmark Productivity Studio
2009-06-07 18:46 . 2009-06-08 07:29 -------- d-----w- c:\program files\Lexmark Toolbar
2009-06-07 18:35 . 2009-07-04 19:55 -------- d-----w- c:\documents and settings\All Users\lx_cats
2009-06-07 18:29 . 2009-06-07 18:29 -------- d-----w- C:\logs
2009-06-07 18:28 . 2006-08-01 05:53 40960 ----a-w- c:\windows\system32\lxdevs.dll
2009-06-07 18:28 . 2007-05-03 19:50 348160 ----a-w- c:\windows\system32\lxdecoin.dll
2009-06-07 18:27 . 2001-08-17 20:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2009-06-07 18:27 . 2001-08-17 20:36 87040 ----a-w- c:\windows\system32\wiafbdrv.dll
2009-06-07 18:27 . 2007-05-24 20:24 692224 ----a-w- c:\windows\system32\lxdedrs.dll
2009-06-07 18:27 . 2007-05-22 14:09 65536 ----a-w- c:\windows\system32\lxdecaps.dll
2009-06-07 18:27 . 2007-04-17 14:17 69632 ----a-w- c:\windows\system32\lxdecnv4.dll
2009-06-07 18:26 . 2007-05-23 07:42 45056 ----a-w- c:\windows\system32\LXF3PMON.DLL
2009-06-07 18:26 . 2007-05-23 07:42 32768 ----a-w- c:\windows\system32\LXF3FXPU.DLL
2009-06-07 18:26 . 2007-05-23 07:44 12288 ----a-w- c:\windows\system32\LXF3PMRC.DLL
2009-06-07 18:26 . 2007-01-17 12:07 36864 ----a-w- c:\windows\system32\lxf3oem.dll
2009-06-07 18:26 . 2007-01-10 06:09 98345 ----a-w- c:\windows\system32\IMHOST32.DLL
2009-06-07 18:26 . 2007-01-10 06:09 339968 ----a-w- c:\windows\system32\IMGMAN32.DLL
2009-06-07 18:25 . 2009-06-07 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\FaxCtr
2009-06-07 18:25 . 2009-06-07 18:26 -------- d-----w- c:\program files\Lexmark Fax Solutions
2009-06-07 18:21 . 2007-05-29 13:07 598960 ----a-w- c:\windows\system32\lxdecoms.exe
2009-06-07 18:21 . 2007-05-28 02:06 77824 ----a-w- c:\windows\system32\lxdecu.dll
2009-06-07 18:21 . 2007-05-17 18:00 364544 ----a-w- c:\windows\system32\lxdecomm.dll
2009-06-07 18:21 . 2007-05-17 17:56 860160 ----a-w- c:\windows\system32\lxdecomc.dll
2009-06-07 18:21 . 2007-05-29 13:07 365488 ----a-w- c:\windows\system32\lxdecfg.exe
2009-06-07 18:21 . 2007-05-11 01:51 77906 ----a-w- c:\windows\system32\lxdecfg.dll
2009-06-07 18:21 . 2009-06-07 18:27 -------- d-----w- c:\program files\Lexmark 4800 Series

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 07:48 . 2008-11-23 12:23 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-02 18:30 . 2008-12-18 13:41 -------- d-----w- c:\program files\Vuze
2009-07-02 16:51 . 2008-05-23 19:46 3580 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-01 17:14 . 2008-12-15 15:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-07-01 16:27 . 2007-09-01 17:49 -------- d-----w- c:\program files\Java
2009-07-01 16:25 . 2004-06-30 08:30 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-07-01 16:25 . 2003-12-30 17:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-01 09:26 . 2003-12-30 16:58 76487 ----a-w- c:\windows\PCHealth\HelpCtr\OfflineCache\index.dat
2009-06-30 17:23 . 2004-08-25 14:41 -------- d-----w- c:\program files\Trend Micro
2009-06-30 17:16 . 2008-10-21 18:13 -------- d-----w- c:\program files\NOS
2009-06-30 17:10 . 2004-02-22 18:00 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-30 17:10 . 2004-02-06 18:28 -------- d-----w- c:\program files\QuickTime
2009-06-30 16:57 . 2008-10-21 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-06-29 17:19 . 2008-10-23 13:11 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-28 19:51 . 2007-09-01 17:52 -------- d-----w- c:\documents and settings\Owner\Application Data\LimeWire
2009-06-28 09:43 . 2008-11-23 12:24 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-28 09:43 . 2008-11-23 12:23 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-26 18:14 . 2004-08-10 19:19 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-25 22:00 . 2008-11-23 12:23 -------- d-----w- c:\documents and settings\Owner\Application Data\AVGTOOLBAR
2009-06-06 20:45 . 2007-09-14 13:28 -------- d-----w- c:\program files\Common Files\Ahead
2009-06-06 20:27 . 2007-09-15 11:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Ahead
2009-06-06 20:25 . 2007-09-14 16:08 -------- d-----w- c:\program files\Ahead
2009-05-17 08:55 . 2008-11-23 12:24 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 15:32 . 2009-06-29 18:20 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2004-12-07 15:37 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2009-06-29 18:20 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-11-01 22:51 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-04 20:32 . 2009-07-04 20:32 16384 c:\windows\temp\Perflib_Perfdata_780.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 14:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 57344]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-31 68856]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-10-28 335872]
"OM_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 40960]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-28 1948440]
"lxdemon.exe"="c:\program files\Lexmark 4800 Series\lxdemon.exe" [2007-06-11 455600]
"lxdeamon"="c:\program files\Lexmark 4800 Series\lxdeamon.exe" [2007-06-01 20480]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-06-11 316336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-29 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 10:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-28 09:43 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\WINDOWS\\system32\\lxdecoms.exe"=
"c:\\Program Files\\Lexmark 4800 Series\\lxdeamon.exe"=
"c:\\Program Files\\Lexmark 4800 Series\\frun.exe"=
"c:\\Program Files\\Lexmark Fax Solutions\\FaxCtr.exe"=
"c:\\Program Files\\Lexmark 4800 Series\\lxdemon.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdepswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdejswx.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdetime.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

katjari
Novice

Posts : 27
Joined : 2009-06-29
OS : windows xp home
Points : 27410
Likes : 0


Re: win32 cryptor

Post by katjari on 4th July 2009, 9:03 pm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14224:TCP"= 14224:TCP:NortonAV
"16700:TCP"= 16700:TCP:NortonAV
"15855:TCP"= 15855:TCP:NortonAV
"13584:TCP"= 13584:TCP:NortonAV
"18328:TCP"= 18328:TCP:NortonAV
"13923:TCP"= 13923:TCP:NortonAV
"18027:TCP"= 18027:TCP:NortonAV
"17308:TCP"= 17308:TCP:NortonAV
"18106:TCP"= 18106:TCP:NortonAV
"14967:TCP"= 14967:TCP:NortonAV
"18530:TCP"= 18530:TCP:NortonAV
"17750:TCP"= 17750:TCP:NortonAV
"17286:TCP"= 17286:TCP:NortonAV
"17031:TCP"= 17031:TCP:NortonAV
"18072:TCP"= 18072:TCP:NortonAV
"18671:TCP"= 18671:TCP:NortonAV
"13030:TCP"= 13030:TCP:NortonAV
"17065:TCP"= 17065:TCP:NortonAV
"16982:TCP"= 16982:TCP:NortonAV
"12140:TCP"= 12140:TCP:NortonAV
"12431:TCP"= 12431:TCP:NortonAV
"14568:TCP"= 14568:TCP:NortonAV
"16424:TCP"= 16424:TCP:NortonAV
"13195:TCP"= 13195:TCP:NortonAV
"17776:TCP"= 17776:TCP:NortonAV
"16002:TCP"= 16002:TCP:NortonAV
"13398:TCP"= 13398:TCP:NortonAV
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [23.11.2008 14:23 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [23.11.2008 14:24 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23.6.2009 11:01 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23.6.2009 11:01 72944]
R2 Accoca;ActivCard Gold service;c:\program files\PBZ\ACCOCA.EXE [10.4.2001 19:08 110592]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [23.11.2008 14:23 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [23.11.2008 14:23 298776]
R2 lxde_device;lxde_device;c:\windows\system32\lxdecoms.exe -service --> c:\windows\system32\lxdecoms.exe -service [?]
R2 lxdeCATSCustConnectService;lxdeCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdeserv.exe [7.6.2009 20:28 99248]
R3 actccid;ActivCard USB Reader V2;c:\windows\system32\drivers\actccid.sys [24.2.2004 16:42 47660]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23.6.2009 11:01 7408]
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: I&zvoz u Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-04 22:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART]
@DACL=(02 0000)
@=""
"waol.exe"=dword:00000001
"cs.exe"=dword:00000001
"wm.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTECT_DECOMPRESSION_FILTER_FROM_ABORT_KB942367]
@DACL=(02 0000)
@=""
"*"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD]
@DACL=(02 0000)
"wlmail.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN]
@DACL=(02 0000)
"wlmail.exe"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3608)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\scardsvr.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdecoms.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-04 22:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-04 20:38
ComboFix2.txt 2009-07-03 22:13

Pre-Run: 21.654.544.384 bytes free
Post-Run: 21.916.233.728 bytes free

300 --- E O F --- 2009-07-01 13:22


Also, can I delete the items in quarantine from Malwarebytes' Anti-Malware and SUPERAntiSpyware? These are the items from the day I got infected. And what about my usb flash drive? I got infected through it. I deleted all the items from it and formatted it. Is it safe and clean now?
Sorry about so many questions
And thanks a lot

katjari
Novice

Posts : 27
Joined : 2009-06-29
OS : windows xp home
Points : 27410
Likes : 0


Re: win32 cryptor

Post by Belahzur on 4th July 2009, 9:09 pm

Hello.
Still one or two things to remove, let's continue.


  • Open HijackThis.
  • When HijackThis opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
Likes : 1


Re: win32 cryptor

Post by katjari on 5th July 2009, 2:27 pm

Hello. Here is the uninstall list

ActivCard USB Reader V2 (2.0.3)
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Media Player
Adobe Media Player
Adobe Reader 9.1
Alat za učitavanje Windows Live
Apple Software Update
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Avanquest update
AVG Free 8.5
BSPlayer
CCleaner (remove only)
Choice Guard
DivX Codec
DivX Content Uploader
DivX Converter
DivX Web Player
ffdshow (remove only)
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB952287)
Icy Tower 1.1
Ignition
InterActual Player
Java(TM) 6 Update 14
Junk Mail filter update
Lexmark 4800 Series
Lexmark Fax Solutions
Lexmark Toolbar
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Mercora Player Plugin
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft Baseline Security Analyzer 1.2.1
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional
Microsoft Search Enhancement Pack
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MP3 Player Utilities
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero Suite
neroxml
Network Play System (Patching)
OLYMPUS Master
PhotoScape
PowerDVD
QuickTime
Rhapsody Player Engine
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Samsung PC Studio 3 USB Driver Installer
Samsung Samples Installer
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Segoe UI
Shield Defender 4.0.0.0
Smart Menus (Windows Live Toolbar)
SmartCard Management v3.0
Snowball Run
Sony Ericsson Media Manager 1.1
Sony Ericsson PC Suite 3.205.00
Sony Picture Utility
SoundMAX
SUPERAntiSpyware Free Edition
Supreme With Cheese Demo
Tetris 5000
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Vodafone 804SS USB driver Software
Westwood Shared Internet Components
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Pomocnik za prijavu (Windows Live Sign-in Assistant)
Windows Live Toolbar
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Service Pack 3

katjari (Novice): Posts: 27, Joined: 2009-06-29, OS: windows xp home, Points: 27410, Likes: 0

Re: win32 cryptor

Post by Belahzur on 5th July 2009, 7:19 pm

Hello.
Nearly done now.

Please download OTM (OTMoveIt).

  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    c:\program files\Vuze

    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=-


  • Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator): Posts: 34918, Joined: 2008-08-03, Gender: Male, OS: 7 Home Premium x64, Points: 245111, Likes: 1
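As an added example (not code from this thread and not part of OldTimer's OTM), here is a small Python parser that turns an OTM-style fix script like the one in the post above into a list of explicit actions, so that a line such as `"AntiVirusOverride"=-` reads as what it is: a .reg-syntax deletion of the Security Center override value that malware sets to silence XP's "no antivirus detected" warning. The script text is copied from the post and embedded as sample input; the set of override value names is drawn from the layout of the XP Security Center registry key and is not stated anywhere in the thread. The parser also handles `[-HKEY_...]` key deletions and `"Name"=data` assignments, which the post's script does not use.

```python
r"""Parse an OTM/OTMoveIt-style fix script into explicit actions.

OTM scripts are plain text split into sections such as :files and :reg.
The :reg section uses Regedit .reg syntax:
    [HKEY_...\Key]    selects a key for the value lines that follow
    "Name"=-          deletes value Name under the selected key
    "Name"=data       sets value Name to data (e.g. dword:00000001)
    [-HKEY_...\Key]   deletes the whole key
"""
import re
from dataclasses import dataclass

# The fix script posted above, embedded here as sample input.
SCRIPT = r'''
:files
c:\program files\Vuze

:reg
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
'''

# Values under the XP Security Center key that suppress its warnings.
# Malware commonly sets these to 1; this list is an assumption drawn from
# the key's known layout, not from the thread.
SECURITY_CENTER_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
OVERRIDE_VALUES = {
    'AntiVirusOverride', 'FirewallOverride', 'UpdatesOverride',
    'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify',
}


@dataclass
class Action:
    kind: str          # move_file | delete_key | delete_value | set_value
    target: str        # file/folder path or registry key
    name: str = ''     # registry value name (value actions only)
    data: str = ''     # raw .reg data (set_value only)


KEY_RE = re.compile(r'^\[(-?)(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


def parse_otm_script(text):
    """Return the list of Actions an OTM :files/:reg script describes."""
    actions, section, current_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(':'):            # section header such as :files
            section, current_key = line[1:].lower(), None
            continue
        if section == 'files':
            actions.append(Action('move_file', line))
        elif section == 'reg':
            m = KEY_RE.match(line)
            if m:
                minus, key = m.groups()
                if minus:                   # [-HKEY...] removes the key
                    actions.append(Action('delete_key', key))
                    current_key = None
                else:
                    current_key = key
                continue
            m = VALUE_RE.match(line)
            if not (m and current_key):
                raise ValueError(f'unrecognised :reg line: {line!r}')
            name, data = m.groups()
            if data == '-':                 # "Name"=- deletes the value
                actions.append(Action('delete_value', current_key, name))
            else:
                actions.append(Action('set_value', current_key, name, data))
        else:
            raise ValueError(f'line outside a known section: {line!r}')
    return actions


def security_center_overrides(actions):
    """Sorted names of Security Center override values the script touches."""
    return sorted(
        a.name for a in actions
        if a.kind in ('delete_value', 'set_value')
        and a.target.lower() == SECURITY_CENTER_KEY.lower()
        and a.name in OVERRIDE_VALUES
    )


if __name__ == '__main__':
    actions = parse_otm_script(SCRIPT)
    for action in actions:
        print(action)
    print('Security Center overrides touched:', security_center_overrides(actions))
```

Reading the script this way before clicking MoveIt! is the check a practitioner wants: a :files entry moves a whole folder (here the Vuze directory, plugins included), and a :reg entry with `=-` deletes, rather than sets, the named value. Once `AntiVirusOverride` is gone, Security Center goes back to reporting the real antivirus state.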

Re: win32 cryptor

Post by katjari on 6th July 2009, 6:08 pm

Hello. Here's the OTMoveIt log

========== FILES ==========
c:\program files\Vuze\plugins\azupnpav moved successfully.
c:\program files\Vuze\plugins\azemp moved successfully.
c:\program files\Vuze\plugins moved successfully.
c:\program files\Vuze moved successfully.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\software\microsoft\security center\\AntiVirusOverride deleted successfully.

OTM by OldTimer - Version 3.0.0.4 log created on 07062009_194931

Is everything ok now? My computer runs much faster now, so thanks a lot!

katjari (Novice): Posts: 27, Joined: 2009-06-29, OS: windows xp home, Points: 27410, Likes: 0

Re: win32 cryptor

Post by Belahzur on 6th July 2009, 6:09 pm

Yep, that should do it.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?




Belahzur (Administrator): Posts: 34918, Joined: 2008-08-03, Gender: Male, OS: 7 Home Premium x64, Points: 245111, Likes: 1

Re: win32 cryptor

Post by katjari on 7th July 2009, 7:22 pm

Hello! Machine runs great, much faster than before. Thank you so much for your help! You are a genius.
Can I delete ComboFix and OTM folders from C disk?
And sorry to bug you, but can I delete items from quarantine? I mean, is it ok to delete them or I need those files?
And thanks again

katjari (Novice): Posts: 27, Joined: 2009-06-29, OS: windows xp home, Points: 27410, Likes: 0

Re: win32 cryptor

Post by Belahzur on 7th July 2009, 8:09 pm

Hello.
You can delete them now.




Belahzur (Administrator): Posts: 34918, Joined: 2008-08-03, Gender: Male, OS: 7 Home Premium x64, Points: 245111, Likes: 1
