Win32/Cryptor


Win32/Cryptor

Post by mday01376 on Thu Jul 30, 2009 1:55 am

Hi there Geek police,

Was impressed with your previous solutions to this nasty virus. Grateful for assistance:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:53:00, on 29/07/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Eraser\Eraser.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\PDFCreator\PDFCreator.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\Windows\system32\agrsmsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Toshiba\IVP\ISM\pinger.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\system32\locator.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Windows\system32\svchost.exe
C:\Users\Mark & Adriana\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\Toshiba\IVP\swupdate\swupdtmr.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\taskeng.exe
C:\Users\Mark & Adriana\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mark & Adriana\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mark & Adriana\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mark & Adriana\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Mark & Adriana\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Users\Mark & Adriana\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Toshiba\IVP\ISM\ivpsvmgr.exe
C:\Program Files\Spyware Doctor\update.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe
C:\Users\Mark & Adriana\Documents\Downloads\winlogon.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.31.89.222:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\cmds.exe,C:\Users\Mark & Adriana\AppData\Roaming\twain_x86.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Mark & Adriana\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\Eraser.exe -hide
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: PDFCreator.lnk = C:\Program Files\PDFCreator\PDFCreator.exe
O4 - Global Startup: Update Agent.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.17\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - [You must be registered and logged in to see this link.]
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (Egg Money Manager Digital Safe) - [You must be registered and logged in to see this link.]
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 11282 bytes

Many thanks

mday01376

mday01376
Novice
Posts: 24
Joined: 2009-07-30
OS: Vista

Re: Win32/Cryptor

Post by Belahzur on Thu Jul 30, 2009 6:27 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\cmds.exe,C:\Users\Mark & Adriana\AppData\Roaming\twain_x86.exe,
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
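The indicators Belahzur singles out above (the F2 Userinit line carrying two extra executables) sit next to others in the same HJT log that a practitioner would also pull out: the ProxyServer entry pointing at a public IP (85.31.89.222:8080) and a winlogon.exe running from the user's Downloads folder rather than C:\Windows. The Python script below is an added example, not code from this thread or from HijackThis; it parses a constructed excerpt in HJT v2.0.2 format and, for the F2 entry, computes the cleaned Userinit value (the stock value is just userinit.exe followed by a trailing comma). The O23 "Unknown owner" check is a prompt to verify the binary, not a verdict: the pinger service in this log is a Toshiba component.

```python
"""Triage a HijackThis (HJT) v2 log for the indicators discussed in this thread."""
import re
from ipaddress import ip_address

# Constructed excerpt in HJT log format (a few lines modelled on the posted log).
SAMPLE_LOG = r"""
Running processes:
C:\Windows\system32\winlogon.exe
C:\Users\Mark & Adriana\Documents\Downloads\winlogon.exe
C:\Program Files\Eraser\Eraser.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 85.31.89.222:8080
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\cmds.exe,C:\Users\Mark & Adriana\AppData\Roaming\twain_x86.exe,
O23 - Service: pinger - Unknown owner - C:\Toshiba\IVP\ISM\pinger.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Core Windows binaries that legitimately live only under %SystemRoot%.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                   "services.exe", "lsass.exe", "svchost.exe", "explorer.exe"}
LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"   # trailing comma is the stock value


def split_hjt_log(text):
    """Return (running_processes, entries); entries are the 'R1 - ...' style lines."""
    procs, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        if in_procs:
            procs.append(line)
        elif re.match(r"^[A-Z]\d+ - ", line):
            entries.append(line)
    return procs, entries


def masquerading_processes(procs):
    """Processes using a core system binary's name but running from outside C:\\Windows."""
    hits = []
    for path in procs:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_BINARIES and not path.lower().startswith("c:\\windows\\"):
            hits.append(path)
    return hits


def clean_userinit(value):
    """Strip everything except the real userinit.exe from a Userinit value.

    Returns (fixed_value, removed_entries). Every extra comma-separated program
    in this value is launched by winlogon at every interactive logon.
    """
    keep, removed = [], []
    for part in (p.strip() for p in value.split(",")):
        if not part:
            continue
        (keep if part.lower() == LEGIT_USERINIT else removed).append(part)
    fixed = ",".join(keep) + "," if keep else DEFAULT_USERINIT
    return fixed, removed


def proxy_to_public_ip(entry):
    """True when an Internet Settings ProxyServer entry points at a routable IP."""
    m = re.search(r"ProxyServer\s*=\s*([\d.]+):\d+", entry)
    if not m:
        return False
    try:
        return ip_address(m.group(1)).is_global
    except ValueError:
        return False


def triage(text):
    """Return (kind, line, reason) findings for the indicators above."""
    procs, entries = split_hjt_log(text)
    findings = [("process", p, "system binary name outside C:\\Windows")
                for p in masquerading_processes(procs)]
    for e in entries:
        if e.startswith("F2 - ") and "UserInit=" in e:
            fixed, removed = clean_userinit(e.split("UserInit=", 1)[1])
            if removed:
                findings.append(("F2", e, f"extra logon programs {removed}; set Userinit to {fixed!r}"))
        elif e.startswith("R1 - ") and proxy_to_public_ip(e):
            findings.append(("R1", e, "browser proxied through a public IP: traffic can be intercepted"))
        elif e.startswith("O23 - ") and "- Unknown owner -" in e:
            findings.append(("O23", e, "service binary has no publisher; verify it before trusting it"))
    return findings


if __name__ == "__main__":
    for kind, line, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

Run it against a saved hijackthis.log by replacing SAMPLE_LOG with the file contents; the process check only looks at the path, so a copy of a real system binary dropped in a profile folder is flagged just as a renamed trojan would be.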

Re: Win32/Cryptor

Post by mday01376 on Fri Jul 31, 2009 3:14 am

Hi Belahzur,

MBAM kept freezing after 16 mins in normal Vista mode, detecting only 1 infection. Restarted the PC in Safe Mode with Networking; MBAM detected 8 infections in 5 mins or so. Log posted below.

Malwarebytes' Anti-Malware 1.39
Database version: 2533
Windows 6.0.6002 Service Pack 2

30/07/2009 20:41:43
mbam-log-2009-07-30 (20-41-43).txt

Scan type: Quick Scan
Objects scanned: 80946
Time elapsed: 4 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\System32\geyekrwiigvcwd.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\GodLib (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\%windir% (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Media Index (Rogue.SmartProtector) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\System32\geyekrwiigvcwd.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\apnet.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Iexplor701.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\yvfqfno.exe (Worm.Koobface) -> Quarantined and deleted successfully.

Many thanks.

mday01376


Re: Win32/Cryptor

Post by Belahzur on Fri Jul 31, 2009 8:19 pm

Hello.
1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:
3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts and allow Combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click Combofix's window whilst it's running. That may cause it to stall.





Re: Win32/Cryptor

Post by mday01376 on Fri Jul 31, 2009 11:48 pm

Hi there,

I followed the instructions and allowed Combofix to run in Vista normal mode. After Combofix rebooted the machine, the Combofix window said that it was preparing the report, but I kept receiving an error message about a variety of .exe files (e.g. Logonui.exe, Atbroker.exe, dwm.exe, explorer.exe, CF2658.exe, conime.exe, chcp.exe etc.) having a bad image. The only way to make the machine continue to load was to keep pressing the OK button. After at least 100 error messages and clicks on OK, I stopped Combofix by clicking on X to close. Now whenever I open a program (as with Chrome to send this message) I get the following error:
Chrome.exe - Bad Image
globalroot\systemroot\system32\geyekrwiigvcwd.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or other software vendor for support.
The same message happened when I opened Notepad for the Combofix.txt
Contents below:
ComboFix 09-07-31.02 - Mark & Adriana 31/07/2009 16:29:25.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1917.1223 [GMT -6:00]
Running from: C:\Users\Mark & Adriana\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Kaspersky Anti-Virus *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Installer\3a6341.msi
C:\WINDOWS\Installer\5fd168.msi
C:\WINDOWS\Installer\WMEncoder.msi
C:\Windows\system32\AutoRun.inf
C:\Windows\system32\drivers\RKHit.sys
C:\Windows\System32\geyekrwiigvcwd.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RKHIT


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))
.

2009-07-30 03:08:23 . 2009-07-31 22:08:44 0 d-----w- C:\PROGRA~2\Spybot - Search & Destroy
2009-07-30 03:08:23 . 2009-07-30 03:08:50 0 d-----w- C:\Program Files\Spybot - Search & Destroy
2009-07-30 02:45:01 . 2009-07-03 14:49:08 64160 ----a-w- C:\Windows\system32\drivers\Lbd.sys
2009-07-30 02:42:20 . 2009-07-30 02:42:21 0 dc-h--w- C:\PROGRA~2\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-30 02:41:25 . 2009-07-30 02:44:57 0 d-----w- C:\PROGRA~2\Lavasoft
2009-07-30 02:41:25 . 2009-07-30 02:41:25 0 d-----w- C:\Program Files\Lavasoft
2009-07-30 02:05:19 . 2009-07-30 02:05:19 0 d-----w- C:\Program Files\FileHippo.com
2009-07-28 11:57:27 . 2009-07-28 11:57:27 0 d-----w- C:\Users\Mark & Adriana\AppData\Roaming\Malwarebytes
2009-07-28 11:57:16 . 2009-07-13 19:36:34 38160 ----a-w- C:\Windows\system32\drivers\mbamswissarmy.sys
2009-07-28 11:57:13 . 2009-07-28 11:57:26 0 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-07-28 11:57:13 . 2009-07-28 11:57:13 0 d-----w- C:\PROGRA~2\Malwarebytes
2009-07-28 11:57:13 . 2009-07-13 19:36:12 19096 ----a-w- C:\Windows\system32\drivers\mbam.sys
2009-07-25 04:59:40 . 2009-07-25 04:59:40 0 d-----w- C:\Users\Mark & Adriana\AppData\Local\Little_Apps_(http___www.l
2009-07-25 04:03:30 . 2009-07-25 04:58:48 0 d-----w- C:\Program Files\Common Files\Little Registry Cleaner
2009-07-25 04:03:07 . 2009-07-25 04:03:08 0 d-----w- C:\Program Files\Little Registry Cleaner
2009-07-25 03:45:21 . 2009-07-25 03:52:44 0 d-----w- C:\Program Files\Registry Clean Expert
2009-07-21 03:42:17 . 2009-07-21 03:42:17 0 d-----w- C:\Users\Mark & Adriana\AppData\Roaming\Foxit
2009-07-21 03:42:15 . 2009-07-21 03:42:15 0 d-----w- C:\Program Files\Foxit Software
2009-07-21 03:36:48 . 2009-07-21 03:36:48 0 d-----w- C:\Users\Mark & Adriana\AppData\Roaming\iExpert Software
2009-07-15 14:14:20 . 2009-07-15 14:18:38 0 d-----w- C:\PROGRA~2\Ten Thumbs Typing Tutor
2009-07-15 14:12:55 . 2009-07-15 14:12:57 0 d-----w- C:\Program Files\Ten Thumbs Typing Tutor 4.7
2009-07-14 18:06:59 . 2009-06-15 14:53:52 156672 ----a-w- C:\Windows\system32\t2embed.dll
2009-07-14 18:06:59 . 2009-06-15 14:52:19 72704 ----a-w- C:\Windows\system32\fontsub.dll
2009-07-14 18:06:59 . 2009-06-15 12:42:30 289792 ----a-w- C:\Windows\system32\atmfd.dll
2009-07-14 18:06:58 . 2009-06-15 14:52:42 23552 ----a-w- C:\Windows\system32\lpk.dll
2009-07-14 18:06:58 . 2009-06-15 14:51:38 10240 ----a-w- C:\Windows\system32\dciman32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-31 02:48:56 . 2007-12-28 00:56:14 0 d-----w- C:\PROGRA~2\Google Updater
2009-07-31 01:36:47 . 2008-09-10 07:51:12 0 d-----w- C:\Program Files\Microsoft Silverlight
2009-07-30 01:48:34 . 2007-08-22 20:26:32 0 d-----w- C:\Program Files\Java
2009-07-30 01:45:28 . 2009-05-23 05:18:07 410984 ----a-w- C:\Windows\system32\deploytk.dll
2009-07-29 12:57:34 . 2008-12-03 04:01:53 0 d-----w- C:\PROGRA~2\Avg8
2009-07-21 21:52:28 . 2009-07-28 19:58:50 915456 ----a-w- C:\Windows\system32\wininet.dll
2009-07-21 21:47:28 . 2009-07-28 19:58:46 109056 ----a-w- C:\Windows\system32\iesysprep.dll
2009-07-21 21:47:27 . 2009-07-28 19:58:46 71680 ----a-w- C:\Windows\system32\iesetup.dll
2009-07-21 20:13:58 . 2009-07-28 19:58:46 133632 ----a-w- C:\Windows\system32\ieUnatt.exe
2009-07-21 04:00:24 . 2008-04-23 14:55:22 0 d-----w- C:\Program Files\HP
2009-07-21 03:53:40 . 2008-04-23 14:53:14 0 d-----w- C:\PROGRA~2\HP
2009-07-21 03:52:13 . 2008-06-05 02:08:37 0 d-----w- C:\Program Files\mozilla.org
2009-07-19 05:25:40 . 2007-08-22 20:03:16 0 d-----w- C:\Program Files\Google
2009-07-17 02:26:00 . 2007-12-27 13:01:56 0 d--h--w- C:\Users\Mark & Adriana\AppData\Roaming\Skype
2009-07-14 23:44:26 . 2006-11-02 11:18:33 0 d-----w- C:\Program Files\Windows Mail
2009-07-14 23:44:13 . 2007-09-19 01:18:59 0 d-----w- C:\PROGRA~2\Microsoft Help
2009-07-10 20:43:25 . 2008-12-03 04:07:39 335752 ----a-w- C:\Windows\system32\drivers\avgldx86.sys
2009-07-03 15:54:39 . 2009-01-27 23:48:02 11952 ----a-w- C:\Windows\system32\avgrsstx.dll
2009-07-03 15:54:38 . 2008-12-03 04:07:35 27784 ----a-w- C:\Windows\system32\drivers\avgmfx86.sys
2009-07-01 06:23:00 . 2008-10-07 23:36:26 0 d--h--w- C:\Users\Mark & Adriana\AppData\Roaming\Thinstall
2009-06-27 13:22:28 . 2008-07-28 07:26:27 0 d-----w- C:\Program Files\PhotoScape
2009-06-27 13:07:50 . 2009-05-17 21:55:33 0 d-----w- C:\Users\Mark & Adriana\AppData\Roaming\FUJIFILM
2009-06-12 03:48:27 . 2006-11-02 12:37:34 0 d-----w- C:\Program Files\Windows Calendar
2009-06-12 03:48:23 . 2006-11-02 12:37:34 0 d-----w- C:\Program Files\Windows Sidebar
2009-06-12 03:48:22 . 2006-11-02 12:37:34 0 d-----w- C:\Program Files\Windows Collaboration
2009-06-12 03:48:21 . 2006-11-02 12:37:34 0 d-----w- C:\Program Files\Windows Journal
2009-06-12 03:48:16 . 2006-11-02 12:37:34 0 d-----w- C:\Program Files\Windows Photo Gallery
2009-06-12 03:48:06 . 2006-11-02 12:37:34 0 d-----w- C:\Program Files\Windows Defender
2009-06-12 03:42:15 . 2006-11-02 10:25:05 665600 ----a-w- C:\Windows\inf\drvindex.dat
2009-06-12 03:29:38 . 2006-11-02 12:37:35 37665 ----a-w- C:\Windows\Fonts\GlobalUserInterface.CompositeFont
2009-06-11 01:45:40 . 2007-09-19 01:15:32 0 d-----w- C:\Program Files\Microsoft Works
2009-06-11 01:01:53 . 2009-06-11 01:01:22 0 d-----w- C:\Program Files\Paint.NET
2009-06-10 21:55:10 . 2008-12-06 04:48:15 0 d-----w- C:\PROGRA~2\Rosetta Stone
2009-06-10 20:53:55 . 2009-06-10 20:53:55 0 d-----w- C:\Program Files\Common Files\Macrovision Shared
2009-05-14 00:58:47 . 2008-12-10 01:26:48 123408 ----a-w- C:\Windows\system32\GDIPFONTCACHEV1.DAT
2009-05-04 07:01:34 . 2007-08-22 19:39:43 319456 ----a-w- C:\Windows\DIFxAPI.dll
2009-05-03 14:22:56 . 2009-05-03 14:22:56 76118 ----a-w- C:\Windows\Huawei ModemsUninstall.exe
2008-05-31 13:41:13 . 2007-12-29 12:50:17 67696 ----a-w- C:\Program Files\mozilla firefox\components\jar50.dll
2008-05-31 13:41:13 . 2007-12-29 12:50:17 54376 ----a-w- C:\Program Files\mozilla firefox\components\jsd3250.dll
2008-05-31 13:41:13 . 2007-12-29 12:50:17 34952 ----a-w- C:\Program Files\mozilla firefox\components\myspell.dll
2008-05-31 13:41:18 . 2007-12-29 12:50:18 46720 ----a-w- C:\Program Files\mozilla firefox\components\spellchk.dll
2008-05-31 13:41:18 . 2007-12-29 12:50:18 172144 ----a-w- C:\Program Files\mozilla firefox\components\xpinstal.dll
2008-12-16 03:20:15 . 2008-12-16 02:42:28 2048 --sha-w- C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2008-12-16 03:20:15 . 2008-12-16 02:42:28 2048 --sha-w- C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-28 00:56:15 68856]
"Google Update"="C:\Users\Mark & Adriana\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-04 00:34:14 133104]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 07:33:39 202240]
"Eraser"="C:\Program Files\Eraser\Eraser.exe" [2007-12-22 23:03:28 916240]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 21:31:16 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Camera Assistant Software"="C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" [2007-05-22 17:50:02 413696]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 07:38:38 1008184]
"TPwrMain"="C:\Program Files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 17:39:18 411192]
"HSON"="C:\Program Files\TOSHIBA\TBS\HSON.exe" [2006-12-07 23:49:20 55416]
"SmoothView"="C:\Program Files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 04:01:58 448080]
"00TCrdMain"="C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 23:32:52 538744]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 22:31:50 102400]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-07-03 15:54:32 1948440]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 21:23:08 61440]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 16:40:36 1348904]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2009-07-30 01:45:28 148888]

C:\PROGRA~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Exif Launcher S.lnk - C:\Program Files\FinePixViewerS\QuickDCF2.exe [2009-5-17 303104]
PDFCreator.lnk - C:\Program Files\PDFCreator\PDFCreator.exe [2008-6-27 2641920]
Update Agent.lnk - C:\Program Files\3\3Connect\AutoUpdateSrv.exe [2009-5-3 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\Windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Mark & Adriana^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^realshed.old]
backupExtension=.Startup

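Reading the logs in this thread side by side: MBAM reported geyekrwiigvcwd.dll as "Quarantined and deleted successfully", ComboFix's first run then listed the same file under Other Deletions, and afterwards every process still fails with a Bad Image error naming it. MBAM records the file under its NT object-manager path (the globalroot\systemroot form) while ComboFix records the Win32 path, so matching the two needs path normalisation. The Python script below is an added example, not code from the thread or from either tool; it normalises the paths and reports files a later tool had to delete again, which is the signal that a removal did not hold. The log excerpts are constructed from the lines posted above.

```python
"""Correlate file removals across a Malwarebytes (MBAM) log and a ComboFix log."""
import re

# Constructed excerpts, in each tool's own log format, of the lines posted in this thread.
MBAM_LOG = r"""
Files Infected:
\\?\globalroot\systemroot\System32\geyekrwiigvcwd.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\apnet.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\yvfqfno.exe (Worm.Koobface) -> Quarantined and deleted successfully.
"""

COMBOFIX_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\AutoRun.inf
C:\Windows\system32\drivers\RKHit.sys
C:\Windows\System32\geyekrwiigvcwd.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
"""


def normalize_path(path, system_root=r"C:\Windows"):
    """Map an NT object-manager path (globalroot/systemroot form) to a lower-cased Win32 path.

    MBAM logs the rootkit DLL the way the kernel names it; ComboFix logs the
    Win32 path. Both must compare equal for the correlation to work.
    """
    p = path.strip()
    p = re.sub(r"^\\\\\?\\globalroot", "", p, flags=re.IGNORECASE)
    # A callable replacement stops re.sub from interpreting the backslashes in system_root.
    p = re.sub(r"^\\systemroot", lambda _: system_root, p, flags=re.IGNORECASE)
    return p.lower()


def mbam_file_findings(text):
    """{normalized_path: (family, action)} from the 'Files Infected:' section."""
    out, active = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Files Infected:":
            active = True
            continue
        if not active:
            continue
        if not line:
            break
        m = re.match(r"(.+?) \(([^)]+)\) -> (.+?)\.?$", line)
        if m:
            path, family, action = m.groups()
            out[normalize_path(path)] = (family, action)
    return out


def combofix_deletions(text):
    """Normalized paths listed under ComboFix's 'Other Deletions' banner."""
    paths, active = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "Other Deletions" in line:
            active = True
            continue
        if active and line.startswith("(((("):
            break                      # the next banner ends the section
        if active and line and line != "." and not line.startswith("----"):
            paths.append(normalize_path(line))
    return paths


def removals_repeated(mbam_text, combofix_text):
    """Files MBAM said it deleted that ComboFix had to delete again.

    A removal that a later tool repeats did not hold: something on the system
    restored or protected the file, so the cleanup is not finished.
    """
    mbam = mbam_file_findings(mbam_text)
    return [(path, mbam[path][0])
            for path in combofix_deletions(combofix_text)
            if path in mbam and "deleted" in mbam[path][1].lower()]


if __name__ == "__main__":
    for path, family in removals_repeated(MBAM_LOG, COMBOFIX_LOG):
        print(f"{path} ({family}) was 'deleted' by MBAM but ComboFix removed it again")
```

On the posted logs this reports only the TDSS DLL, which is consistent with the Bad Image errors that followed: the other MBAM removals (the droppers and the Koobface file on C:\) do not reappear in ComboFix's deletion list.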

Re: Win32/Cryptor

Post by Belahzur on Sat Aug 01, 2009 1:31 am

Hello.
The end of the log was cut off, please post the rest.





Combofix log 1 of 3

Post by mday01376 on Sat Aug 01, 2009 1:41 am

Hi there, just re-ran Combofix, this time in Safe Mode until the reboot into Normal mode. I had to continually click OK on the same error as described above. I did manage to complete the log though:

ComboFix 09-07-31.02 - Mark & Adriana 31/07/2009 18:10.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1917.1242 [GMT -6:00]
Running from: c:\users\Mark & Adriana\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Kaspersky Anti-Virus *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\Installer\3a6341.msi
c:\windows\Installer\5fd168.msi
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\RKHit.sys
c:\windows\System32\geyekrwiigvcwd.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RKHIT


((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-07-30 03:08 . 2009-07-31 22:08 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-07-30 03:08 . 2009-07-30 03:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-30 02:45 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-30 02:42 . 2009-07-30 02:42 -------- dc-h--w- c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-30 02:41 . 2009-07-30 02:44 -------- d-----w- c:\progra~2\Lavasoft
2009-07-30 02:41 . 2009-07-30 02:41 -------- d-----w- c:\program files\Lavasoft
2009-07-30 02:05 . 2009-07-30 02:05 -------- d-----w- c:\program files\FileHippo.com
2009-07-28 11:57 . 2009-07-28 11:57 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\Malwarebytes
2009-07-28 11:57 . 2009-07-13 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-28 11:57 . 2009-07-28 11:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-28 11:57 . 2009-07-28 11:57 -------- d-----w- c:\progra~2\Malwarebytes
2009-07-28 11:57 . 2009-07-13 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 04:59 . 2009-07-25 04:59 -------- d-----w- c:\users\Mark & Adriana\AppData\Local\Little_Apps_(http___www.l
2009-07-25 04:03 . 2009-07-25 04:58 -------- d-----w- c:\program files\Common Files\Little Registry Cleaner
2009-07-25 04:03 . 2009-07-25 04:03 -------- d-----w- c:\program files\Little Registry Cleaner
2009-07-25 03:45 . 2009-07-25 03:52 -------- d-----w- c:\program files\Registry Clean Expert
2009-07-21 03:42 . 2009-07-21 03:42 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\Foxit
2009-07-21 03:42 . 2009-07-21 03:42 -------- d-----w- c:\program files\Foxit Software
2009-07-21 03:36 . 2009-07-21 03:36 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\iExpert Software
2009-07-15 14:14 . 2009-07-15 14:18 -------- d-----w- c:\progra~2\Ten Thumbs Typing Tutor
2009-07-15 14:12 . 2009-07-15 14:12 -------- d-----w- c:\program files\Ten Thumbs Typing Tutor 4.7
2009-07-14 18:06 . 2009-06-15 14:53 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-14 18:06 . 2009-06-15 14:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-14 18:06 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-14 18:06 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2009-07-14 18:06 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-01 00:01 . 2008-12-03 04:01 -------- d-----w- c:\progra~2\Avg8
2009-07-31 02:48 . 2007-12-28 00:56 -------- d-----w- c:\progra~2\Google Updater
2009-07-31 01:36 . 2008-09-10 07:51 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-30 01:48 . 2007-08-22 20:26 -------- d-----w- c:\program files\Java
2009-07-30 01:45 . 2009-05-23 05:18 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 21:52 . 2009-07-28 19:58 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-28 19:58 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-28 19:58 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-28 19:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-21 04:00 . 2008-04-23 14:55 -------- d-----w- c:\program files\HP
2009-07-21 03:53 . 2008-04-23 14:53 -------- d-----w- c:\progra~2\HP
2009-07-21 03:52 . 2008-06-05 02:08 -------- d-----w- c:\program files\mozilla.org
2009-07-19 05:25 . 2007-08-22 20:03 -------- d-----w- c:\program files\Google
2009-07-17 02:26 . 2007-12-27 13:01 -------- d--h--w- c:\users\Mark & Adriana\AppData\Roaming\Skype
2009-07-14 23:44 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-14 23:44 . 2007-09-19 01:18 -------- d-----w- c:\progra~2\Microsoft Help
2009-07-10 20:43 . 2008-12-03 04:07 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 15:54 . 2009-01-27 23:48 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-03 15:54 . 2008-12-03 04:07 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-01 06:23 . 2008-10-07 23:36 -------- d--h--w- c:\users\Mark & Adriana\AppData\Roaming\Thinstall
2009-06-27 13:22 . 2008-07-28 07:26 -------- d-----w- c:\program files\PhotoScape
2009-06-27 13:07 . 2009-05-17 21:55 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\FUJIFILM
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-06-12 03:42 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-12 03:29 . 2006-11-02 12:37 37665 ----a-w- c:\windows\Fonts\GlobalUserInterface.CompositeFont
2009-06-11 01:45 . 2007-09-19 01:15 -------- d-----w- c:\program files\Microsoft Works
2009-06-11 01:01 . 2009-06-11 01:01 -------- d-----w- c:\program files\Paint.NET
2009-06-10 21:55 . 2008-12-06 04:48 -------- d-----w- c:\progra~2\Rosetta Stone
2009-06-10 20:53 . 2009-06-10 20:53 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-05-14 00:58 . 2008-12-10 01:26 123408 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-05-04 07:01 . 2007-08-22 19:39 319456 ----a-w- c:\windows\DIFxAPI.dll
2009-05-03 14:22 . 2009-05-03 14:22 76118 ----a-w- c:\windows\Huawei ModemsUninstall.exe
2008-05-31 13:41 . 2007-12-29 12:50 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-05-31 13:41 . 2007-12-29 12:50 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-05-31 13:41 . 2007-12-29 12:50 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-05-31 13:41 . 2007-12-29 12:50 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-05-31 13:41 . 2007-12-29 12:50 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-12-16 03:20 . 2008-12-16 02:42 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2008-12-16 03:20 . 2008-12-16 02:42 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-22 20:40 . 2009-08-01 00:59 75574 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-08-01 00:59 87546 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-12-24 21:54 . 2009-08-01 00:59 14370 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3184346778-380610952-3069833314-1000_UserData.bin
- 2007-12-24 21:42 . 2009-07-31 22:51 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-12-24 21:42 . 2009-08-01 00:32 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2007-12-24 21:42 . 2009-08-01 00:32 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2007-12-24 21:42 . 2009-07-31 22:51 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-24 21:42 . 2009-08-01 00:32 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-12-24 21:42 . 2009-07-31 22:51 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-08-22 20:49 . 2009-07-31 22:49 1678416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2007-08-22 20:49 . 2009-08-01 00:31 1678416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
.


Combofix Log 2 of 3

Post by mday01376 on Sat Aug 01, 2009 1:42 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-28 68856]
"Google Update"="c:\users\Mark & Adriana\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-05-22 413696]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-03 1948440]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-30 148888]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2009-5-17 303104]
PDFCreator.lnk - c:\program files\PDFCreator\PDFCreator.exe [2008-6-27 2641920]
Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2009-5-3 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Mark & Adriana^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^realshed.old]
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):27,bf,f9,b7,11,eb,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3184346778-380610952-3069833314-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{66DD937E-AE3C-4248-8276-E03B0E662FC4}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5A419130-C26E-4A4D-95D9-EA35767E4F2C}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D1266DD3-3A9B-4EB2-9CE7-88D472AF7EF7}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{2E15ED65-ABB2-4DDE-AE38-1D4D7D2E9AAA}c:\\programdata\\kaspersky lab setup files\\kaspersky anti-virus 7.0.1.321\\english\\setup.exe"= UDP:c:\programdata\kaspersky lab setup files\kaspersky anti-virus 7.0.1.321\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup
"UDP Query User{A022D2AA-4EFE-4FDB-BA2E-1D99FE6B21EB}c:\\programdata\\kaspersky lab setup files\\kaspersky anti-virus 7.0.1.321\\english\\setup.exe"= TCP:c:\programdata\kaspersky lab setup files\kaspersky anti-virus 7.0.1.321\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup
"TCP Query User{4DCE4B7C-3F06-4B9F-A0F1-8D893C290A69}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{48F8ABC9-AF9C-43D5-A12E-B134139A5FF3}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{020FC91C-96A9-4C91-B3A0-F29D11107746}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{6B92138C-67A5-4CBE-897A-6DF31C6689F7}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{4B71DD2E-475F-4A17-AB05-5C57A59EC1D6}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{371BF024-100B-4DE6-9863-47BC453D9E9A}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{A0F9FC39-EBE6-49EC-B900-EBFCF158336A}c:\\program files\\attractel\\zoiper\\zoiper.exe"= UDP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"UDP Query User{A1A5E757-DF8A-4A37-AAE2-0FAAEC044513}c:\\program files\\attractel\\zoiper\\zoiper.exe"= TCP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"TCP Query User{89288A4F-B931-444A-B74F-701B2BF28AC2}c:\\program files\\attractel\\zoiper\\zoiper.exe"= UDP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"UDP Query User{65127F06-2351-4BB3-B308-E0BAAA0D8C0A}c:\\program files\\attractel\\zoiper\\zoiper.exe"= TCP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"TCP Query User{F2E131E7-AD40-4103-ADD2-2DE4F67D3340}c:\\users\\mark & adriana\\appdata\\roaming\\maxthon2\\modules\\mxdownloader\\mxdownloadserver.exe"= UDP:c:\users\mark & adriana\appdata\roaming\maxthon2\modules\mxdownloader\mxdownloadserver.exe:mxdownloadserver.exe
"UDP Query User{EBBD88EB-EA08-4DCE-B9BE-AA69636D6C48}c:\\users\\mark & adriana\\appdata\\roaming\\maxthon2\\modules\\mxdownloader\\mxdownloadserver.exe"= TCP:c:\users\mark & adriana\appdata\roaming\maxthon2\modules\mxdownloader\mxdownloadserver.exe:mxdownloadserver.exe
"{753889AD-EE19-4FBE-B88E-98FE2CA52320}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"TCP Query User{AAD24E5F-CA5A-47FF-A83B-0D8A2C8D6E18}c:\\program files\\acoo browser\\acoobrowser.exe"= UDP:c:\program files\acoo browser\acoobrowser.exe:Acoo Browser
"UDP Query User{1EBE616F-AF7E-41B2-8335-E53200C5A3E8}c:\\program files\\acoo browser\\acoobrowser.exe"= TCP:c:\program files\acoo browser\acoobrowser.exe:Acoo Browser
"{726022BF-3003-4960-A583-9B25E32F0059}"= UDP:c:\program files\3\3Connect\Wilog.exe:3Connect
"{E8286F86-E4BE-4F29-A229-1837B0AD7A7A}"= TCP:c:\program files\3\3Connect\Wilog.exe:3Connect
"{4C0EF1F6-2C01-4971-ADD9-1F8DD1294879}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{A4C07ECF-D017-4649-B8B2-C970E2E04BA7}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{571BC4B4-0AAF-47E6-9561-18C2CFA42A97}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{40E2B9D4-F3A2-4102-9E6F-91BE519FB1EE}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{50A18888-BBD9-4202-B406-9FFAD309735C}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{5CE03319-483A-45BD-BBD7-1AD9D875D94F}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{AE9FABBC-3704-4057-8378-67E0D627B3BF}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{EE0BEC18-39EA-46C8-993C-24E184969E99}c:\\users\\mark & adriana\\appdata\\local\\google\\chrome\\application\\chrome.exe"= UDP:c:\users\mark & adriana\appdata\local\google\chrome\application\chrome.exe:chrome.exe
"UDP Query User{20CEC1CB-DCB2-4582-BEC9-272E74CC827F}c:\\users\\mark & adriana\\appdata\\local\\google\\chrome\\application\\chrome.exe"= TCP:c:\users\mark & adriana\appdata\local\google\chrome\application\chrome.exe:chrome.exe
"TCP Query User{722DAD41-54E8-410A-83FC-42318CE5BFCD}c:\\windows\\system32\\cmds.exe"= UDP:c:\windows\system32\cmds.exe:
"UDP Query User{44A2D863-79A0-444A-942D-FA63A34B9A3E}c:\\windows\\system32\\cmds.exe"= TCP:c:\windows\system32\cmds.exe:
"TCP Query User{D42D54D3-E89C-4E7A-A657-30B1A005C81B}c:\\users\\mark & adriana\\appdata\\roaming\\twain_x86.exe"= UDP:c:\users\mark & adriana\appdata\roaming\twain_x86.exe:twain_x86.exe
"UDP Query User{BC2A4E12-53E8-4496-B829-9256BAB54560}c:\\users\\mark & adriana\\appdata\\roaming\\twain_x86.exe"= TCP:c:\users\mark & adriana\appdata\roaming\twain_x86.exe:twain_x86.exe
"TCP Query User{5D049E69-6B76-45B3-99CA-7E59C4842937}c:\\windows\\system32\\cmds.exe"= UDP:c:\windows\system32\cmds.exe:
"UDP Query User{ED8DCD26-C8E0-4539-83F2-6B029E44A121}c:\\windows\\system32\\cmds.exe"= TCP:c:\windows\system32\cmds.exe:
"{F442AE91-7D56-4ACD-9219-9139DCE7464E}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{5F7BB48E-7A01-41AE-962A-BCA285F5D966}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{D08CA669-8B62-4611-819F-58D394FC5EE5}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{9A400437-A316-4CBD-B140-63A06361ECE9}"= c:\program files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [29/07/2009 20:45 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [02/12/2008 22:07 335752]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [27/01/2009 17:47 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 08:49 1029456]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [22/08/2007 13:53 7168]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [03/05/2009 23:06 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 11:08 533360]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [28/07/2009 05:57 38160]
S3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [28/03/2007 08:51 43008]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.


Combofix Log 3 of 3

Post by mday01376 on Sat Aug 01, 2009 1:44 am

------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = 85.31.89.222:8080
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.17\AMVConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\users\MARK&A~1\AppData\Roaming\Mozilla\Firefox\Profiles\6optvrgw.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-31 18:58
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\windows\System32\Locator.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\System32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\microsoft shared\Source Engine\OSE.EXE
c:\windows\System32\conime.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\users\Mark & Adriana\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\toshiba\IVP\ISM\Ivpsvmgr.exe
.
**************************************************************************
.
Completion time: 2009-08-01 19:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-01 01:31

Pre-Run: 168,577,335,296 bytes free
Post-Run: 168,607,232,000 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=9 Sets=1,2,3,5,6,7,8,9
296 --- E O F --- 2009-07-31 01:34

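The three ComboFix logs above carry the entries a reviewer would normally triage by eye: the Run keys, the firewall rules under `firewallpolicy\FirewallRules`, the `uInternet Settings,ProxyServer` line and `EnableLUA`. As an added example (editor's code, not part of the thread and not ComboFix's own handling), the Python below scans lines in the format ComboFix prints and flags entries that deserve a closer look. The sample input is constructed by copying lines from the log above; the heuristics (executable under a user profile, a System32 binary whose firewall rule carries no description, a user-level proxy, UAC switched off) are my own assumptions about what is worth reviewing, and a hit means "inspect this", not "this is malicious".

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix code).

Heuristics are the editor's own and mark entries to look at more closely;
a hit is not a verdict that the file is malicious.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r'''
"EnableLUA"= 0 (0x0)
uInternet Settings,ProxyServer = 85.31.89.222:8080
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-03 1948440]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]
"{D1266DD3-3A9B-4EB2-9CE7-88D472AF7EF7}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{722DAD41-54E8-410A-83FC-42318CE5BFCD}c:\\windows\\system32\\cmds.exe"= UDP:c:\windows\system32\cmds.exe:
"TCP Query User{D42D54D3-E89C-4E7A-A657-30B1A005C81B}c:\\users\\mark & adriana\\appdata\\roaming\\twain_x86.exe"= UDP:c:\users\mark & adriana\appdata\roaming\twain_x86.exe:twain_x86.exe
"{A4C07ECF-D017-4649-B8B2-C970E2E04BA7}"= c:\program files\Skype\Phone\Skype.exe:Skype
'''

# "name"="c:\path\prog.exe" [date size]            -> Run-key entry
RUN_RE = re.compile(r'^"[^"]+"="([a-z]:\\[^"]+)"', re.I)
# ...= [TCP:|UDP:][port|]c:\path\prog.exe:description -> firewall rule
FW_RE = re.compile(r'=\s*(?:(?:TCP|UDP):)?(?:\d+\|)?([a-z]:\\[^:]+):(.*)$', re.I)
PROXY_RE = re.compile(r'ProxyServer\s*=\s*(\S+)', re.I)
LUA_RE = re.compile(r'"EnableLUA"\s*=\s*0\b')

USER_PROFILE_DIRS = ('\\users\\', '\\documents and settings\\')


@dataclass
class Finding:
    line: str
    reason: str


def review_path(path: str, fw_description: Optional[str]) -> List[str]:
    """Return review reasons for an executable path (empty list = nothing odd)."""
    reasons = []
    low = path.lower()
    if any(d in low for d in USER_PROFILE_DIRS):
        reasons.append('executable lives under a user profile directory')
    # Firewall prompt rules carry the binary's version-info description; a
    # System32 binary whose rule has none is unusual for a Windows component.
    if ('\\windows\\system32\\' in low and fw_description is not None
            and fw_description.strip() == ''):
        reasons.append('System32 binary with no description in its firewall rule')
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Scan ComboFix-style lines and collect entries worth a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LUA_RE.search(line):
            findings.append(Finding(line, 'UAC disabled (EnableLUA=0)'))
            continue
        m = PROXY_RE.search(line)
        if m:
            findings.append(Finding(line, f'user-level proxy set to {m.group(1)}'))
            continue
        m = RUN_RE.match(line)
        if m:
            findings.extend(Finding(line, r) for r in review_path(m.group(1), None))
            continue
        m = FW_RE.search(line)
        if m:
            findings.extend(Finding(line, r)
                            for r in review_path(m.group(1), m.group(2)))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.reason}\n    {f.line}')
```

Run on the sample, it reports four entries: the disabled UAC, the proxy, the `cmds.exe` rule (System32 path, empty description) and the `twain_x86.exe` rule (runs from the roaming AppData folder); the AVG, Eraser, Outlook and Skype entries pass. The proxy check in particular is cheap and easy to overlook when reading a long log by hand.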

Re: Win32/Cryptor

Post by Origin on Sat Aug 01, 2009 2:43 am


  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.



Re: Win32/Cryptor

Post by mday01376 on Sat Aug 01, 2009 4:22 am

hi there,

3Connect
AC3Filter (remove only)
Acoo Browser (remove only)
Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Apple Software Update
Atheros Driver Installation Program
AusLogics Disk Defrag
Avant Browser (remove only)
Bluetooth Stack for Windows by Toshiba
Camera Assistant Software for Toshiba
Catalyst Control Center - Branding
CD/DVD Drive Acoustic Silencer
Choice Guard
Compatibility Pack for the 2007 Office system
DVD MovieFactory for TOSHIBA
Eraser
Eraser
FileHippo.com Update Checker
Flickr Uploadr 3.0.5
Foxit Reader
Free Internet Eraser 2.50
Free PDF to Word Doc Converter v1.1
FUJIFILM FinePixViewer S Ver.2.1
Google Earth
Google Updater
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Huawei modem
Java(TM) 6 Update 14
Little Registry Cleaner
Malwarebytes' Anti-Malware
Maxthon2 Browser (remove only)
MediaMonkey 3.0
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Live Add-in 1.3
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Professional Plus 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mobile Partner
Mozilla Firefox (2.0.0.14)
MP3 Player Utilities 4.17
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
NewsLeecher v3.9 Final
Paint.NET v3.36
PDFCreator
PhotoScape
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Rosetta Stone 3.2
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Media Encoder (KB954156)
Skype™ 4.0
Synaptics Pointing Device Driver
Ten Thumbs 4.7
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Disc Creator
TOSHIBA DVD PLAYER
TOSHIBA Extended Tiles for Windows Mobility Center
TOSHIBA Games
TOSHIBA Hardware Setup
Toshiba Registration
TOSHIBA SD Memory Utilities
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Value Added Package
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Outlook 2007 Junk Email Filter (kb971933)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VLC media player 0.9.9
WaveMax Sound Editor 3.8.7
Winbond CIR Device Drivers
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Family Safety
Windows Live Movie Maker Beta
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
WinRAR archiver
World of Warcraft FREE Trial
Zoiper


Re: Win32/Cryptor

Post by Origin on Sat Aug 01, 2009 4:26 am

Download [You must be registered and logged in to see this link.] by screen317 and save it to your Desktop.

  • Unzip SecurityCheck.zip and a folder named Security Check should appear.
  • Open the Security Check folder and double-click Security Check.bat
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: if a security program requests permission from dig.exe to access the Internet, allow it to do so.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Posts: 2685
Joined: 2009-05-05
Gender: Male
OS: Windows Xp Sp3

Security Check

Post by mday01376 on Sat Aug 01, 2009 4:46 am

Hi there,

The link provided did not have Security Check.zip available - only a Security Check.exe file. I have downloaded that - not sure if I should run it though?

Many thanks for your patience (& prompt responses).

mday01376 Thank You!


Re: Win32/Cryptor

Post by Origin on Sat Aug 01, 2009 4:52 am

Yes, it's that file; please follow the above instructions for running it.




Re: Win32/Cryptor

Post by mday01376 on Sat Aug 01, 2009 5:40 am

Hello,

When I run the Security Check file, the same error message (as above) appears - this time with find.exe - Bad Image.

On clicking OK, Security Check cannot find the OS1check2.txt file. After a few OKs on the Bad Image dialogue box, the message in the Security Check black screen is that it cannot recognise objlist.exe, uninstallist.exe or runprocesses.exe. A few more clicks on the Bad Image OK button reveal that Security Check cannot find the file Install.txt.

Strange goings on?

mday01376


Re: Win32/Cryptor

Post by Origin on Sat Aug 01, 2009 6:05 pm

It's alright, I just wanted to check if you were running more than one AV. Tell me, which AV do you have on your system? I am asking this because ComboFix shows two antiviruses, AVG 8 and Kaspersky.




Win32/Cryptor - Anti-Virus

Post by mday01376 on Sat Aug 01, 2009 11:32 pm

Hello,

I saw that in the report too! I'm only running AVG Anti-Virus 8.5 on my system. No idea where the Kaspersky thing came from.

Hope this helps.

mday01376


Re: Win32/Cryptor

Post by Origin on Sun Aug 02, 2009 6:36 pm

No worries, please do the following:

Now open a new notepad file.
Input this into the notepad file:

Folder::
c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
c:\users\Mark & Adriana\AppData\Local\Little_Apps_(http___www.l

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=-


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.




ComboFix Log 1 of 2

Post by mday01376 on Tue Aug 04, 2009 2:50 pm

Hello there,

I've been away from the laptop for a couple of days. I think we're making progress, as the Bad Image error messages were less prevalent than previously. Here's the ComboFix log:


ComboFix 09-08-03.A2 - Mark & Adriana 04/08/2009 7:48.3.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1917.1330 [GMT -6:00]
Running from: c:\users\Mark & Adriana\Desktop\Combo-Fix.exe
Command switches used :: c:\users\Mark & Adriana\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Anti-Virus *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.dat
c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.lan
c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.msi
c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.par
c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.res
c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}\instance.dat
c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}\mia.lib
c:\users\Mark & Adriana\AppData\Local\Little_Apps_(http___www.l
c:\users\Mark & Adriana\AppData\Local\Little_Apps_(http___www.l\Little_Registry_Cleaner.e_Url_xdygii0eex4buydfojhmrm2cgozfjg1s\1.3.3481.23265\user.config

.
((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))
.

2009-07-30 03:08 . 2009-08-01 01:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-30 03:08 . 2009-08-01 01:02 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-07-30 02:45 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-30 02:41 . 2009-07-30 02:44 -------- d-----w- c:\progra~2\Lavasoft
2009-07-30 02:41 . 2009-07-30 02:41 -------- d-----w- c:\program files\Lavasoft
2009-07-30 02:05 . 2009-07-30 02:05 -------- d-----w- c:\program files\FileHippo.com
2009-07-28 11:57 . 2009-07-28 11:57 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\Malwarebytes
2009-07-28 11:57 . 2009-07-13 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-28 11:57 . 2009-07-28 11:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-28 11:57 . 2009-07-28 11:57 -------- d-----w- c:\progra~2\Malwarebytes
2009-07-28 11:57 . 2009-07-13 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-25 04:03 . 2009-07-25 04:58 -------- d-----w- c:\program files\Common Files\Little Registry Cleaner
2009-07-25 04:03 . 2009-07-25 04:03 -------- d-----w- c:\program files\Little Registry Cleaner
2009-07-25 03:45 . 2009-07-25 03:52 -------- d-----w- c:\program files\Registry Clean Expert
2009-07-21 03:42 . 2009-07-21 03:42 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\Foxit
2009-07-21 03:42 . 2009-07-21 03:42 -------- d-----w- c:\program files\Foxit Software
2009-07-21 03:36 . 2009-07-21 03:36 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\iExpert Software
2009-07-15 14:14 . 2009-07-15 14:18 -------- d-----w- c:\progra~2\Ten Thumbs Typing Tutor
2009-07-15 14:12 . 2009-07-15 14:12 -------- d-----w- c:\program files\Ten Thumbs Typing Tutor 4.7
2009-07-14 18:06 . 2009-06-15 14:53 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-14 18:06 . 2009-06-15 14:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-14 18:06 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-14 18:06 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2009-07-14 18:06 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-04 11:37 . 2007-12-28 00:56 -------- d-----w- c:\progra~2\Google Updater
2009-08-01 02:11 . 2008-12-03 04:01 -------- d-----w- c:\progra~2\Avg8
2009-07-31 01:36 . 2008-09-10 07:51 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-30 01:48 . 2007-08-22 20:26 -------- d-----w- c:\program files\Java
2009-07-30 01:45 . 2009-05-23 05:18 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 21:52 . 2009-07-28 19:58 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-28 19:58 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-28 19:58 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-28 19:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-21 04:00 . 2008-04-23 14:55 -------- d-----w- c:\program files\HP
2009-07-21 03:53 . 2008-04-23 14:53 -------- d-----w- c:\progra~2\HP
2009-07-21 03:52 . 2008-06-05 02:08 -------- d-----w- c:\program files\mozilla.org
2009-07-19 05:25 . 2007-08-22 20:03 -------- d-----w- c:\program files\Google
2009-07-17 02:26 . 2007-12-27 13:01 -------- d--h--w- c:\users\Mark & Adriana\AppData\Roaming\Skype
2009-07-14 23:44 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-14 23:44 . 2007-09-19 01:18 -------- d-----w- c:\progra~2\Microsoft Help
2009-07-01 06:23 . 2008-10-07 23:36 -------- d--h--w- c:\users\Mark & Adriana\AppData\Roaming\Thinstall
2009-06-27 13:22 . 2008-07-28 07:26 -------- d-----w- c:\program files\PhotoScape
2009-06-27 13:07 . 2009-05-17 21:55 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\FUJIFILM
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-06-12 03:42 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-12 03:29 . 2006-11-02 12:37 37665 ----a-w- c:\windows\Fonts\GlobalUserInterface.CompositeFont
2009-06-11 01:45 . 2007-09-19 01:15 -------- d-----w- c:\program files\Microsoft Works
2009-06-11 01:01 . 2009-06-11 01:01 -------- d-----w- c:\program files\Paint.NET
2009-06-10 21:55 . 2008-12-06 04:48 -------- d-----w- c:\progra~2\Rosetta Stone
2009-06-10 20:53 . 2009-06-10 20:53 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-05-14 00:58 . 2008-12-10 01:26 123408 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2008-05-31 13:41 . 2007-12-29 12:50 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-05-31 13:41 . 2007-12-29 12:50 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-05-31 13:41 . 2007-12-29 12:50 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-05-31 13:41 . 2007-12-29 12:50 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-05-31 13:41 . 2007-12-29 12:50 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-12-16 03:20 . 2008-12-16 02:42 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2008-12-16 03:20 . 2008-12-16 02:42 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-22 20:40 . 2009-08-04 14:12 75654 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-08-04 14:12 87602 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-12-24 21:54 . 2009-08-04 14:12 14490 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3184346778-380610952-3069833314-1000_UserData.bin
+ 2007-12-24 21:42 . 2009-08-04 13:44 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-12-24 21:42 . 2009-07-31 22:51 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-12-24 21:42 . 2009-07-31 22:51 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-24 21:42 . 2009-08-04 13:44 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-24 21:42 . 2009-08-04 13:44 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-12-24 21:42 . 2009-07-31 22:51 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-05-04 05:32 . 2009-08-04 13:44 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-05-04 05:32 . 2009-07-30 02:47 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2007-08-22 20:49 . 2009-07-31 22:49 1678416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2007-08-22 20:49 . 2009-08-04 14:08 1678416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat


ComboFix Log 2 of 3

Post by mday01376 on Tue Aug 04, 2009 2:52 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-28 68856]
"Google Update"="c:\users\Mark & Adriana\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-05-22 413696]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-30 148888]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2009-5-17 303104]
PDFCreator.lnk - c:\program files\PDFCreator\PDFCreator.exe [2008-6-27 2641920]
Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2009-5-3 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Mark & Adriana^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^realshed.old]
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):27,bf,f9,b7,11,eb,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3184346778-380610952-3069833314-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{66DD937E-AE3C-4248-8276-E03B0E662FC4}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5A419130-C26E-4A4D-95D9-EA35767E4F2C}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D1266DD3-3A9B-4EB2-9CE7-88D472AF7EF7}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{2E15ED65-ABB2-4DDE-AE38-1D4D7D2E9AAA}c:\\programdata\\kaspersky lab setup files\\kaspersky anti-virus 7.0.1.321\\english\\setup.exe"= UDP:c:\programdata\kaspersky lab setup files\kaspersky anti-virus 7.0.1.321\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup
"UDP Query User{A022D2AA-4EFE-4FDB-BA2E-1D99FE6B21EB}c:\\programdata\\kaspersky lab setup files\\kaspersky anti-virus 7.0.1.321\\english\\setup.exe"= TCP:c:\programdata\kaspersky lab setup files\kaspersky anti-virus 7.0.1.321\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup
"TCP Query User{4DCE4B7C-3F06-4B9F-A0F1-8D893C290A69}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{48F8ABC9-AF9C-43D5-A12E-B134139A5FF3}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{020FC91C-96A9-4C91-B3A0-F29D11107746}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{6B92138C-67A5-4CBE-897A-6DF31C6689F7}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{4B71DD2E-475F-4A17-AB05-5C57A59EC1D6}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{371BF024-100B-4DE6-9863-47BC453D9E9A}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{A0F9FC39-EBE6-49EC-B900-EBFCF158336A}c:\\program files\\attractel\\zoiper\\zoiper.exe"= UDP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"UDP Query User{A1A5E757-DF8A-4A37-AAE2-0FAAEC044513}c:\\program files\\attractel\\zoiper\\zoiper.exe"= TCP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"TCP Query User{89288A4F-B931-444A-B74F-701B2BF28AC2}c:\\program files\\attractel\\zoiper\\zoiper.exe"= UDP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"UDP Query User{65127F06-2351-4BB3-B308-E0BAAA0D8C0A}c:\\program files\\attractel\\zoiper\\zoiper.exe"= TCP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"TCP Query User{F2E131E7-AD40-4103-ADD2-2DE4F67D3340}c:\\users\\mark & adriana\\appdata\\roaming\\maxthon2\\modules\\mxdownloader\\mxdownloadserver.exe"= UDP:c:\users\mark & adriana\appdata\roaming\maxthon2\modules\mxdownloader\mxdownloadserver.exe:mxdownloadserver.exe
"UDP Query User{EBBD88EB-EA08-4DCE-B9BE-AA69636D6C48}c:\\users\\mark & adriana\\appdata\\roaming\\maxthon2\\modules\\mxdownloader\\mxdownloadserver.exe"= TCP:c:\users\mark & adriana\appdata\roaming\maxthon2\modules\mxdownloader\mxdownloadserver.exe:mxdownloadserver.exe
"TCP Query User{AAD24E5F-CA5A-47FF-A83B-0D8A2C8D6E18}c:\\program files\\acoo browser\\acoobrowser.exe"= UDP:c:\program files\acoo browser\acoobrowser.exe:Acoo Browser
"UDP Query User{1EBE616F-AF7E-41B2-8335-E53200C5A3E8}c:\\program files\\acoo browser\\acoobrowser.exe"= TCP:c:\program files\acoo browser\acoobrowser.exe:Acoo Browser
"{726022BF-3003-4960-A583-9B25E32F0059}"= UDP:c:\program files\3\3Connect\Wilog.exe:3Connect
"{E8286F86-E4BE-4F29-A229-1837B0AD7A7A}"= TCP:c:\program files\3\3Connect\Wilog.exe:3Connect
"{4C0EF1F6-2C01-4971-ADD9-1F8DD1294879}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{A4C07ECF-D017-4649-B8B2-C970E2E04BA7}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{571BC4B4-0AAF-47E6-9561-18C2CFA42A97}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{40E2B9D4-F3A2-4102-9E6F-91BE519FB1EE}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{50A18888-BBD9-4202-B406-9FFAD309735C}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{5CE03319-483A-45BD-BBD7-1AD9D875D94F}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{AE9FABBC-3704-4057-8378-67E0D627B3BF}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{EE0BEC18-39EA-46C8-993C-24E184969E99}c:\\users\\mark & adriana\\appdata\\local\\google\\chrome\\application\\chrome.exe"= UDP:c:\users\mark & adriana\appdata\local\google\chrome\application\chrome.exe:chrome.exe
"UDP Query User{20CEC1CB-DCB2-4582-BEC9-272E74CC827F}c:\\users\\mark & adriana\\appdata\\local\\google\\chrome\\application\\chrome.exe"= TCP:c:\users\mark & adriana\appdata\local\google\chrome\application\chrome.exe:chrome.exe
"TCP Query User{722DAD41-54E8-410A-83FC-42318CE5BFCD}c:\\windows\\system32\\cmds.exe"= UDP:c:\windows\system32\cmds.exe:
"UDP Query User{44A2D863-79A0-444A-942D-FA63A34B9A3E}c:\\windows\\system32\\cmds.exe"= TCP:c:\windows\system32\cmds.exe:
"TCP Query User{D42D54D3-E89C-4E7A-A657-30B1A005C81B}c:\\users\\mark & adriana\\appdata\\roaming\\twain_x86.exe"= UDP:c:\users\mark & adriana\appdata\roaming\twain_x86.exe:twain_x86.exe
"UDP Query User{BC2A4E12-53E8-4496-B829-9256BAB54560}c:\\users\\mark & adriana\\appdata\\roaming\\twain_x86.exe"= TCP:c:\users\mark & adriana\appdata\roaming\twain_x86.exe:twain_x86.exe
"TCP Query User{5D049E69-6B76-45B3-99CA-7E59C4842937}c:\\windows\\system32\\cmds.exe"= UDP:c:\windows\system32\cmds.exe:
"UDP Query User{ED8DCD26-C8E0-4539-83F2-6B029E44A121}c:\\windows\\system32\\cmds.exe"= TCP:c:\windows\system32\cmds.exe:
"{F442AE91-7D56-4ACD-9219-9139DCE7464E}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{5F7BB48E-7A01-41AE-962A-BCA285F5D966}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{D08CA669-8B62-4611-819F-58D394FC5EE5}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{9A400437-A316-4CBD-B140-63A06361ECE9}"= c:\program files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [29/07/2009 20:45 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 08:49 1029456]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [22/08/2007 13:53 7168]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [03/05/2009 23:06 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 11:08 533360]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [28/07/2009 05:57 38160]
S3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [28/03/2007 08:51 43008]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.


ComboFix Log 3 of 3

Post by mday01376 on Tue Aug 04, 2009 2:54 pm

Sorry about that, I had to divide it into 3 parts:

------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = 85.31.89.222:8080
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.17\AMVConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\users\MARK&A~1\AppData\Roaming\Mozilla\Firefox\Profiles\6optvrgw.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-04 08:12
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\windows\System32\conime.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\windows\System32\Locator.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\System32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Common Files\microsoft shared\Source Engine\OSE.EXE
.
**************************************************************************
.
Completion time: 2009-08-04 8:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-04 14:43
ComboFix2.txt 2009-08-01 01:31

Pre-Run: 168,771,829,760 bytes free
Post-Run: 168,755,953,664 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=9 Sets=1,5,6,7,8,9
280 --- E O F --- 2009-08-04 11:41


Re: Win32/Cryptor

Post by Belahzur on Tue Aug 04, 2009 6:38 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre

Keep getting Bad Image error message

Post by mday01376 on Tue Aug 04, 2009 9:35 pm

Hello,

I keep getting a Bad Image error message on logon and whenever a program is opened (either on start-up or manually). Sorry, I have not managed to get the hang of posting an image here. The error message says:

LogonUI.exe - bad Image

globalroot\systemroot\system32\geyekrwiigvcwd.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or other software vendor for support.

Have not tried machine with AVG 8.5, Spybot or Ad-Aware running. Will let you know after I start it with those loaded onto machine.

mday01376


Re: Win32/Cryptor

Post by mday01376 on Wed Aug 05, 2009 12:11 pm

Hi there,

Finally managed to install Super Anti-Spyware & Avast Free. (AVG Free could not install, as it was unable to write a registry entry.) Ran MBAM - no result. Then SAS - no result. Avast detected Win32-Alueron-CE [Rtk] at the following file location: C:/windows/system32/geyeroswbvuto.dll - tried to follow the recommended action by moving it to the chest, but could not, as the file was in use by another process.

BTW - still getting that bad image error message whenever an executable file is started (either on start up or manually).

Have you any more thoughts?

Many thanks for all so far.

mday01376

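The logs posted in this thread contain several things a responder would flag on sight, and none of the replies call them out: a system-wide IE ProxyServer of 85.31.89.222:8080, UAC switched off ("EnableLUA"= 0), Vista firewall rules for c:\windows\system32\cmds.exe with an empty description and for twain_x86.exe sitting directly in the profile's AppData\Roaming folder, a Security Center entry for a disabled, outdated Kaspersky product the user says was never installed, and a DLL named through the globalroot device namespace in the LogonUI.exe Bad Image error (consistent with the [Rtk] detection avast later reported). The script below is an added example, not part of the thread and not code from ComboFix, Security Check or any other tool mentioned here: it runs those checks over a constructed excerpt shaped like the posted log. The severity labels, check names and the two firewall heuristics (empty description, executable in the Roaming root) are my own choices, and the sample text is constructed, not a real log.

```python
"""Flag the indicators visible in a ComboFix-style log excerpt (added example)."""
from __future__ import annotations

import re

# Constructed sample, not a real log: lines shaped like the ComboFix output and
# the "Bad Image" error text quoted in this thread, cut down to what the checks read.
SAMPLE_LOG = r"""
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5A419130-C26E-4A4D-95D9-EA35767E4F2C}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{722DAD41-54E8-410A-83FC-42318CE5BFCD}c:\\windows\\system32\\cmds.exe"= UDP:c:\windows\system32\cmds.exe:
"UDP Query User{44A2D863-79A0-444A-942D-FA63A34B9A3E}c:\\windows\\system32\\cmds.exe"= TCP:c:\windows\system32\cmds.exe:
"TCP Query User{D42D54D3-E89C-4E7A-A657-30B1A005C81B}c:\\users\\mark & adriana\\appdata\\roaming\\twain_x86.exe"= UDP:c:\users\mark & adriana\appdata\roaming\twain_x86.exe:twain_x86.exe
"{A4C07ECF-D017-4649-B8B2-C970E2E04BA7}"= c:\program files\Skype\Phone\Skype.exe:Skype
uInternet Settings,ProxyServer = 85.31.89.222:8080
globalroot\systemroot\system32\geyekrwiigvcwd.dll is either not designed to run on Windows or it contains an error.
"""

# Security Center line: "AV: <product> *<state>* (<Updated|Outdated>) {...}"
AV_RE = re.compile(r"^AV:\s*(.+?)\s*\*(.*?)\*\s*\((\w+)\)", re.M)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")
LUA_RE = re.compile(r'^"EnableLUA"\s*=\s*(\d+)', re.M)
DEVICE_PATH_RE = re.compile(r"globalroot\\systemroot\\\S+?\.(?:dll|sys|exe)", re.I)
# Firewall rule line: "<rule name>"= [TCP:|UDP:][port|]<path>.exe:<description>
FW_RULE_RE = re.compile(
    r'^"[^"]*"=\s*(?:(?:TCP|UDP):)?(?:\d+\|)?([a-z]:\\.+?\.exe):(.*)$', re.I | re.M
)


def triage(log_text: str) -> list[tuple[str, str, str]]:
    """Return (severity, check, detail) findings; severities and check names are my own labels."""
    findings: list[tuple[str, str, str]] = []

    # 1. Security Center lists an AV product that is disabled or out of date.
    for name, state, freshness in AV_RE.findall(log_text):
        if "disabled" in state.lower() or freshness.lower() == "outdated":
            findings.append(("MEDIUM", "av-state", f"{name}: {state} ({freshness})"))

    # 2. A user-level IE proxy routes every WinINet client (IE, Windows Update, ...) through that host.
    m = PROXY_RE.search(log_text)
    if m:
        findings.append(("HIGH", "proxy", m.group(1)))

    # 3. UAC switched off: every process of an admin user runs fully elevated.
    m = LUA_RE.search(log_text)
    if m and m.group(1) == "0":
        findings.append(("MEDIUM", "uac", "EnableLUA=0"))

    # 4. A module referenced through the globalroot device namespace instead of a
    #    drive-letter path; normal installations do not load DLLs this way.
    for path in dict.fromkeys(DEVICE_PATH_RE.findall(log_text)):
        findings.append(("HIGH", "device-path-module", path))

    # 5. Firewall allow rules for executables with no product description, or sitting
    #    directly in the profile's Roaming root (heuristics chosen for this example).
    seen: set[str] = set()
    for path, desc in FW_RULE_RE.findall(log_text):
        key = path.lower()
        if key in seen:
            continue
        seen.add(key)
        parent = key.rsplit("\\", 1)[0]
        reasons = []
        if not desc.strip():
            reasons.append("no description")
        if parent.endswith("\\appdata\\roaming"):
            reasons.append("executable in profile Roaming root")
        if reasons:
            findings.append(("MEDIUM", "firewall-rule", f"{path} ({'; '.join(reasons)})"))

    return findings


if __name__ == "__main__":
    for severity, check, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {check:20} {detail}")
```

To use it on a real ComboFix log, read the whole file into a string and pass it to triage(); the Skype and OneNote rules in the sample are there to show that ordinary rules with a product description outside user-writable paths are not reported.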

Re: Win32/Cryptor

Post by Belahzur on Wed Aug 05, 2009 5:20 pm

Hello.
Please re-run Combofix and post a new log.




Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1


Combofix re-run 1 of 3

Post by mday01376 on Thu Aug 06, 2009 3:59 am

ComboFix 09-08-03.A2 - Mark & Adriana 05/08/2009 20:35.4.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1917.1304 [GMT -6:00]
Running from: c:\users\Mark & Adriana\Desktop\Combo-Fix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Anti-Virus *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-07-06 to 2009-08-06 )))))))))))))))))))))))))))))))
.

2009-08-05 02:48 . 2009-08-05 02:48 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\Yahoo!
2009-08-05 02:48 . 2009-08-05 02:48 -------- d-----w- c:\progra~2\Yahoo! Companion
2009-08-05 02:48 . 2009-08-05 02:48 -------- d-----w- c:\program files\Yahoo!
2009-08-05 02:48 . 2009-08-05 02:48 -------- d-----w- c:\program files\CCleaner
2009-08-05 02:39 . 2009-08-06 03:32 117760 ----a-w- c:\users\Mark & Adriana\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-05 02:37 . 2009-08-05 02:37 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2009-08-05 02:37 . 2009-08-05 02:37 65024 ----a-r- c:\users\Mark & Adriana\AppData\Roaming\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2009-08-05 02:37 . 2009-08-05 02:37 18944 ----a-r- c:\users\Mark & Adriana\AppData\Roaming\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2009-08-05 02:37 . 2009-08-05 02:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-05 02:37 . 2009-08-05 02:37 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\SUPERAntiSpyware.com
2009-08-05 02:36 . 2009-08-05 02:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-04 22:25 . 2009-02-05 21:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-04 22:25 . 2009-02-05 21:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-04 22:25 . 2009-02-05 21:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-04 22:25 . 2009-02-05 21:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-04 22:25 . 2009-02-05 21:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-04 22:25 . 2009-02-05 21:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-04 22:25 . 2009-02-05 21:06 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-08-04 22:24 . 2009-08-04 22:24 -------- d-----w- c:\program files\Alwil Software
2009-08-04 21:38 . 2009-08-04 21:38 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\AVG8
2009-07-30 03:08 . 2009-08-01 01:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-30 03:08 . 2009-08-01 01:02 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-07-30 02:45 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-30 02:41 . 2009-07-30 02:44 -------- d-----w- c:\progra~2\Lavasoft
2009-07-30 02:41 . 2009-07-30 02:41 -------- d-----w- c:\program files\Lavasoft
2009-07-30 02:05 . 2009-07-30 02:05 -------- d-----w- c:\program files\FileHippo.com
2009-07-28 11:57 . 2009-07-28 11:57 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\Malwarebytes
2009-07-28 11:57 . 2009-08-03 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-28 11:57 . 2009-08-05 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-28 11:57 . 2009-08-03 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-28 11:57 . 2009-07-28 11:57 -------- d-----w- c:\progra~2\Malwarebytes
2009-07-25 04:03 . 2009-08-05 02:44 -------- d-----w- c:\program files\Common Files\Little Registry Cleaner
2009-07-25 03:45 . 2009-07-25 03:52 -------- d-----w- c:\program files\Registry Clean Expert
2009-07-21 03:42 . 2009-07-21 03:42 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\Foxit
2009-07-21 03:42 . 2009-07-21 03:42 -------- d-----w- c:\program files\Foxit Software
2009-07-21 03:36 . 2009-07-21 03:36 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\iExpert Software
2009-07-15 14:14 . 2009-07-15 14:18 -------- d-----w- c:\progra~2\Ten Thumbs Typing Tutor
2009-07-15 14:12 . 2009-07-15 14:12 -------- d-----w- c:\program files\Ten Thumbs Typing Tutor 4.7
2009-07-14 18:06 . 2009-06-15 14:53 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-14 18:06 . 2009-06-15 14:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-14 18:06 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-14 18:06 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2009-07-14 18:06 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 02:13 . 2007-12-28 00:56 -------- d-----w- c:\progra~2\Google Updater
2009-08-04 22:09 . 2008-12-03 04:01 -------- d-----w- c:\progra~2\Avg8
2009-08-04 22:05 . 2007-08-22 20:26 -------- d-----w- c:\program files\Java
2009-07-31 01:36 . 2008-09-10 07:51 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-25 11:23 . 2009-05-23 05:18 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 21:52 . 2009-07-28 19:58 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-28 19:58 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-28 19:58 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-28 19:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-21 04:00 . 2008-04-23 14:55 -------- d-----w- c:\program files\HP
2009-07-21 03:53 . 2008-04-23 14:53 -------- d-----w- c:\progra~2\HP
2009-07-21 03:52 . 2008-06-05 02:08 -------- d-----w- c:\program files\mozilla.org
2009-07-19 05:25 . 2007-08-22 20:03 -------- d-----w- c:\program files\Google
2009-07-17 02:26 . 2007-12-27 13:01 -------- d--h--w- c:\users\Mark & Adriana\AppData\Roaming\Skype
2009-07-14 23:44 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-14 23:44 . 2007-09-19 01:18 -------- d-----w- c:\progra~2\Microsoft Help
2009-07-01 06:23 . 2008-10-07 23:36 -------- d--h--w- c:\users\Mark & Adriana\AppData\Roaming\Thinstall
2009-06-27 13:22 . 2008-07-28 07:26 -------- d-----w- c:\program files\PhotoScape
2009-06-27 13:07 . 2009-05-17 21:55 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\FUJIFILM
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-06-12 03:42 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-12 03:29 . 2006-11-02 12:37 37665 ----a-w- c:\windows\Fonts\GlobalUserInterface.CompositeFont
2009-06-11 01:45 . 2007-09-19 01:15 -------- d-----w- c:\program files\Microsoft Works
2009-06-11 01:01 . 2009-06-11 01:01 -------- d-----w- c:\program files\Paint.NET
2009-06-10 21:55 . 2008-12-06 04:48 -------- d-----w- c:\progra~2\Rosetta Stone
2009-06-10 20:53 . 2009-06-10 20:53 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-05-14 00:58 . 2008-12-10 01:26 123408 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2008-05-31 13:41 . 2007-12-29 12:50 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-05-31 13:41 . 2007-12-29 12:50 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-05-31 13:41 . 2007-12-29 12:50 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-05-31 13:41 . 2007-12-29 12:50 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-05-31 13:41 . 2007-12-29 12:50 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-12-16 03:20 . 2008-12-16 02:42 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2008-12-16 03:20 . 2008-12-16 02:42 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-22 20:40 . 2009-08-06 03:30 77830 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-08-06 03:30 89052 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-12-24 21:54 . 2009-08-06 03:30 15240 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3184346778-380610952-3069833314-1000_UserData.bin
+ 2007-12-24 21:42 . 2009-08-06 03:28 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-12-24 21:42 . 2009-07-31 22:51 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-12-24 21:42 . 2009-07-31 22:51 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-24 21:42 . 2009-08-06 03:28 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-24 21:42 . 2009-08-06 03:28 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-12-24 21:42 . 2009-07-31 22:51 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-04 22:05 . 2009-07-25 11:23 149280 c:\windows\System32\javaws.exe
+ 2009-08-04 22:05 . 2009-07-25 11:23 145184 c:\windows\System32\javaw.exe
+ 2009-08-04 22:05 . 2009-07-25 11:23 145184 c:\windows\System32\java.exe
+ 2009-05-04 05:32 . 2009-08-05 01:46 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-05-04 05:32 . 2009-07-30 02:47 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2007-08-22 20:49 . 2009-07-31 22:49 1678416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2007-08-22 20:49 . 2009-08-06 03:25 1678416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-08-05 02:37 . 2009-08-05 02:37 1516544 c:\windows\Installer\2eee09.msi
.

Combofix re-run 2 of 3

Post by mday01376 on Thu Aug 06, 2009 4:01 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-28 68856]
"Google Update"="c:\users\Mark & Adriana\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-05-22 413696]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2009-5-17 303104]
PDFCreator.lnk - c:\program files\PDFCreator\PDFCreator.exe [2008-6-27 2641920]
Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2009-5-3 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 18:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Mark & Adriana^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^realshed.old]
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):27,bf,f9,b7,11,eb,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3184346778-380610952-3069833314-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{66DD937E-AE3C-4248-8276-E03B0E662FC4}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5A419130-C26E-4A4D-95D9-EA35767E4F2C}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D1266DD3-3A9B-4EB2-9CE7-88D472AF7EF7}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{2E15ED65-ABB2-4DDE-AE38-1D4D7D2E9AAA}c:\\programdata\\kaspersky lab setup files\\kaspersky anti-virus 7.0.1.321\\english\\setup.exe"= UDP:c:\programdata\kaspersky lab setup files\kaspersky anti-virus 7.0.1.321\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup
"UDP Query User{A022D2AA-4EFE-4FDB-BA2E-1D99FE6B21EB}c:\\programdata\\kaspersky lab setup files\\kaspersky anti-virus 7.0.1.321\\english\\setup.exe"= TCP:c:\programdata\kaspersky lab setup files\kaspersky anti-virus 7.0.1.321\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup
"TCP Query User{4DCE4B7C-3F06-4B9F-A0F1-8D893C290A69}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{48F8ABC9-AF9C-43D5-A12E-B134139A5FF3}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{020FC91C-96A9-4C91-B3A0-F29D11107746}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{6B92138C-67A5-4CBE-897A-6DF31C6689F7}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{4B71DD2E-475F-4A17-AB05-5C57A59EC1D6}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{371BF024-100B-4DE6-9863-47BC453D9E9A}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{A0F9FC39-EBE6-49EC-B900-EBFCF158336A}c:\\program files\\attractel\\zoiper\\zoiper.exe"= UDP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"UDP Query User{A1A5E757-DF8A-4A37-AAE2-0FAAEC044513}c:\\program files\\attractel\\zoiper\\zoiper.exe"= TCP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"TCP Query User{89288A4F-B931-444A-B74F-701B2BF28AC2}c:\\program files\\attractel\\zoiper\\zoiper.exe"= UDP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"UDP Query User{65127F06-2351-4BB3-B308-E0BAAA0D8C0A}c:\\program files\\attractel\\zoiper\\zoiper.exe"= TCP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"TCP Query User{F2E131E7-AD40-4103-ADD2-2DE4F67D3340}c:\\users\\mark & adriana\\appdata\\roaming\\maxthon2\\modules\\mxdownloader\\mxdownloadserver.exe"= UDP:c:\users\mark & adriana\appdata\roaming\maxthon2\modules\mxdownloader\mxdownloadserver.exe:mxdownloadserver.exe
"UDP Query User{EBBD88EB-EA08-4DCE-B9BE-AA69636D6C48}c:\\users\\mark & adriana\\appdata\\roaming\\maxthon2\\modules\\mxdownloader\\mxdownloadserver.exe"= TCP:c:\users\mark & adriana\appdata\roaming\maxthon2\modules\mxdownloader\mxdownloadserver.exe:mxdownloadserver.exe
"TCP Query User{AAD24E5F-CA5A-47FF-A83B-0D8A2C8D6E18}c:\\program files\\acoo browser\\acoobrowser.exe"= UDP:c:\program files\acoo browser\acoobrowser.exe:Acoo Browser
"UDP Query User{1EBE616F-AF7E-41B2-8335-E53200C5A3E8}c:\\program files\\acoo browser\\acoobrowser.exe"= TCP:c:\program files\acoo browser\acoobrowser.exe:Acoo Browser
"{726022BF-3003-4960-A583-9B25E32F0059}"= UDP:c:\program files\3\3Connect\Wilog.exe:3Connect
"{E8286F86-E4BE-4F29-A229-1837B0AD7A7A}"= TCP:c:\program files\3\3Connect\Wilog.exe:3Connect
"{4C0EF1F6-2C01-4971-ADD9-1F8DD1294879}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{A4C07ECF-D017-4649-B8B2-C970E2E04BA7}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{571BC4B4-0AAF-47E6-9561-18C2CFA42A97}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{40E2B9D4-F3A2-4102-9E6F-91BE519FB1EE}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{50A18888-BBD9-4202-B406-9FFAD309735C}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{5CE03319-483A-45BD-BBD7-1AD9D875D94F}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{AE9FABBC-3704-4057-8378-67E0D627B3BF}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{EE0BEC18-39EA-46C8-993C-24E184969E99}c:\\users\\mark & adriana\\appdata\\local\\google\\chrome\\application\\chrome.exe"= UDP:c:\users\mark & adriana\appdata\local\google\chrome\application\chrome.exe:chrome.exe
"UDP Query User{20CEC1CB-DCB2-4582-BEC9-272E74CC827F}c:\\users\\mark & adriana\\appdata\\local\\google\\chrome\\application\\chrome.exe"= TCP:c:\users\mark & adriana\appdata\local\google\chrome\application\chrome.exe:chrome.exe
"TCP Query User{722DAD41-54E8-410A-83FC-42318CE5BFCD}c:\\windows\\system32\\cmds.exe"= UDP:c:\windows\system32\cmds.exe:
"UDP Query User{44A2D863-79A0-444A-942D-FA63A34B9A3E}c:\\windows\\system32\\cmds.exe"= TCP:c:\windows\system32\cmds.exe:
"TCP Query User{D42D54D3-E89C-4E7A-A657-30B1A005C81B}c:\\users\\mark & adriana\\appdata\\roaming\\twain_x86.exe"= UDP:c:\users\mark & adriana\appdata\roaming\twain_x86.exe:twain_x86.exe
"UDP Query User{BC2A4E12-53E8-4496-B829-9256BAB54560}c:\\users\\mark & adriana\\appdata\\roaming\\twain_x86.exe"= TCP:c:\users\mark & adriana\appdata\roaming\twain_x86.exe:twain_x86.exe
"TCP Query User{5D049E69-6B76-45B3-99CA-7E59C4842937}c:\\windows\\system32\\cmds.exe"= UDP:c:\windows\system32\cmds.exe:
"UDP Query User{ED8DCD26-C8E0-4539-83F2-6B029E44A121}c:\\windows\\system32\\cmds.exe"= TCP:c:\windows\system32\cmds.exe:
"{F442AE91-7D56-4ACD-9219-9139DCE7464E}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{5F7BB48E-7A01-41AE-962A-BCA285F5D966}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{D08CA669-8B62-4611-819F-58D394FC5EE5}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{9A400437-A316-4CBD-B140-63A06361ECE9}"= c:\program files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [29/07/2009 20:45 64160]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [04/08/2009 16:25 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [28/07/2009 10:53 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28/07/2009 10:53 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [04/08/2009 16:25 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [04/08/2009 16:25 51792]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 08:49 1029456]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [22/08/2007 13:53 7168]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28/07/2009 10:53 7408]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [03/05/2009 23:06 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 11:08 533360]
S3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [28/03/2007 08:51 43008]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = 85.31.89.222:8080
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.17\AMVConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\users\MARK&A~1\AppData\Roaming\Mozilla\Firefox\Profiles\6optvrgw.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

Combofix re-run 3 of 3

Post by mday01376 on Thu Aug 06, 2009 4:02 am

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-05 21:31
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\windows\System32\Locator.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\System32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\conime.exe
c:\program files\Common Files\microsoft shared\Source Engine\OSE.EXE
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
.
**************************************************************************
.
Completion time: 2009-08-06 21:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-06 03:53
ComboFix2.txt 2009-08-04 14:44
ComboFix3.txt 2009-08-01 01:31

Pre-Run: 168,551,661,568 bytes free
Post-Run: 168,552,574,976 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=9 Sets=1,5,6,7,8,9
303 --- E O F --- 2009-08-04 11:41


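The ComboFix log spread over the three posts above records several settings a responder would review before concluding there is nothing to see: a per-user proxy pointing at an external address (uInternet Settings,ProxyServer = 85.31.89.222:8080), UAC switched off (EnableLUA = 0), and firewall "Query User" allow rules for executables with no vendor description or living under the user profile (cmds.exe, twain_x86.exe). The script below is an added example, not code from this thread or from the ComboFix or GMER authors. It pulls those lines out of a pasted ComboFix log and also parses the inline JMP hooks that GMER lists under "Kernel code sections" in the log posted later in this thread, flagging hooks whose target lies far from the patched kernel export. The 4 MiB threshold, the "user-writable path" rule and the other "worth review" rules are this example's own heuristics, not anything either tool defines; the sample lines are copied from the logs in this thread.

```python
"""Triage helpers for the ComboFix and GMER log formats pasted in this thread.

Added example, not code from the thread, ComboFix or GMER.  The sample lines
are copied from the logs posted above; every "worth review" rule is this
example's own heuristic, not something either tool defines.
"""
import re
from dataclasses import dataclass

# Paths under a user profile are writable without elevation; a binary that
# earned a firewall allow-rule from there gets a second look (heuristic).
USER_WRITABLE = re.compile(r"\\(appdata|users)\\", re.IGNORECASE)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)$")
LUA_RE = re.compile(r'^"EnableLUA"\s*=\s*0\b')
FW_RULE_RE = re.compile(r'^"(?:TCP|UDP) Query User\{[0-9A-Fa-f-]+\}.*?"=\s*(?P<rest>.+)$')
# GMER "Kernel code sections" line, e.g.
# ".text ntkrnlpa.exe!IofCallDriver 82249912 5 Bytes JMP 8534751A"
HOOK_RE = re.compile(
    r"^(?P<section>\S+)\s+(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})"
)
# Assumed threshold: a JMP landing more than 4 MiB from the patched export is
# treated as leaving the kernel image (ntkrnlpa.exe is a few MiB on x86).
FAR_JMP_BYTES = 4 * 1024 * 1024


@dataclass
class Finding:
    kind: str    # proxy-set | uac-disabled | firewall-allow
    detail: str  # the proxy address, the setting, or the executable path
    line: str    # the log line that produced the finding


def triage_combofix(lines):
    """Scan ComboFix 'Reg Loading Points' / 'Supplementary Scan' lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:  # every HTTP request of this user is routed through that host
            findings.append(Finding("proxy-set", m.group(1), line))
            continue
        if LUA_RE.match(line):  # UAC is off: any process runs fully elevated
            findings.append(Finding("uac-disabled", "EnableLUA=0", line))
            continue
        m = FW_RULE_RE.match(line)
        if m:
            # Value format: <TCP|UDP>:[port|]<path>:<description>
            rest = re.sub(r"^(?:TCP|UDP):(?:\d+\|)?", "", m.group("rest"))
            path, _, desc = rest.rpartition(":")
            if not desc or USER_WRITABLE.search(path):
                findings.append(Finding("firewall-allow", path, line))
    return findings


def parse_gmer_hooks(lines):
    """Return the inline JMP hooks GMER lists under 'Kernel code sections'."""
    hooks = []
    for raw in lines:
        m = HOOK_RE.match(raw.strip())
        if m:
            hooks.append({
                "func": f"{m['module']}!{m['func']}",
                "addr": int(m["addr"], 16),
                "target": int(m["target"], 16),
                "patched_bytes": int(m["n"]),
            })
    return hooks


def far_hooks(hooks, limit=FAR_JMP_BYTES):
    """Hooks whose JMP target is far from the patched export (heuristic)."""
    return [h for h in hooks if abs(h["target"] - h["addr"]) > limit]


# Sample lines copied from the ComboFix and GMER logs posted in this thread.
COMBOFIX_SAMPLE = [
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]",
    r'"EnableLUA"= 0 (0x0)',
    r'"TCP Query User{722DAD41-54E8-410A-83FC-42318CE5BFCD}c:\\windows\\system32\\cmds.exe"= UDP:c:\windows\system32\cmds.exe:',
    r'"TCP Query User{D42D54D3-E89C-4E7A-A657-30B1A005C81B}c:\\users\\mark & adriana\\appdata\\roaming\\twain_x86.exe"= UDP:c:\users\mark & adriana\appdata\roaming\twain_x86.exe:twain_x86.exe',
    r'"TCP Query User{4DCE4B7C-3F06-4B9F-A0F1-8D893C290A69}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer',
    r"uInternet Settings,ProxyServer = 85.31.89.222:8080",
]
GMER_SAMPLE = [
    r".text ntkrnlpa.exe!IofCallDriver 82249912 5 Bytes JMP 8534751A",
    r"PAGE ntkrnlpa.exe!ZwEnumerateKey 824020BA 5 Bytes JMP 853782E4",
    r"AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)",
]

if __name__ == "__main__":
    for f in triage_combofix(COMBOFIX_SAMPLE):
        print(f"{f.kind:15} {f.detail}")
    for h in far_hooks(parse_gmer_hooks(GMER_SAMPLE)):
        print(f"hook {h['func']} -> {h['target']:08X} ({h['patched_bytes']} bytes patched)")
```

Feed the whole pasted log to both functions; anything they return is a line to read, not a verdict. A proxy entry is worth checking against what the user actually configured, and a hook list whose targets all cluster in one region outside the kernel image is the pattern GMER's "Code ... ZwEnumerateKey" lines in the later post also show.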
Re: Win32/Cryptor

Post by Belahzur on Thu Aug 06, 2009 2:14 pm

Not seeing anything.

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.

GMER log 1 of 2

Post by mday01376 on Sun Aug 09, 2009 9:45 pm

Hi there,

Sorry about that, been away from problem computer for a few days.

Here's GMER log - had to run in Safe Mode:

GMER 1.0.15.15020 [r4h3qvme.exe] - [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-09 15:39:58
Windows 6.0.6002 Service Pack 2


---- System - GMER 1.0.15 ----

Code 853782E0 ZwEnumerateKey
Code 85379398 ZwFlushInstructionCache
Code 853732CE ZwSaveKey
Code 8532F4B6 ZwSaveKeyEx
Code 85347515 IofCallDriver
Code 8533E2F6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 82249912 5 Bytes JMP 8534751A
.text ntkrnlpa.exe!IofCompleteRequest 8224997F 5 Bytes JMP 8533E2FB
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 823B4EF5 5 Bytes JMP 8537939C
PAGE ntkrnlpa.exe!ZwEnumerateKey 824020BA 5 Bytes JMP 853782E4
PAGE ntkrnlpa.exe!ZwSaveKey 82457969 5 Bytes JMP 853732D2
PAGE ntkrnlpa.exe!ZwSaveKeyEx 82457B07 5 Bytes JMP 8532F4BA

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll

mday01376
Novice
Novice

Posts Posts : 24
Joined Joined : 2009-07-30
OS OS : Vista
Points Points : 26886
# Likes # Likes : 0

View user profile

Back to top Go down

GMER log 2 of 2

Post by mday01376 on Sun Aug 09, 2009 9:46 pm

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION E32589FD12BE0D4F597AFD0BE6FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A6A0AC4980AC79338EDD5E5BE2F6E667A2D97226D213B55504911C3324D50297A7D96BA154257028FB08244BFCE12D69FC4688B236E05809E8777990457CD486DC831D5FFA097129EC6E92BA968DA7BF5EC1BA074A5A6E3D664490F3BCE694177E010CC0A8013179C3229A61055121D06E19A2674128161A519722BB8FA0B5876A554AAE3D0F4677092CBDD69FC2EF36FE7A54358D950895E267F13968CDF14D635C6C8ABCCB8CB3A6E88327E18F313E42E866CB418441DB3978C73416A2C59010400DA7CB629FF3ED8D7652EDF8C0EC523BF37797EA804C55687365086C732F7A03484A3892E332901E254D8451C477AB9B1EF8EB50C97B1DA6427AD507003811F8C1AF6E2E7D1C27F2A17E900323482D890805C0D466AF5A778B17B965B371264B9D06811E58122D3C84C21B09077F9B57D846B9A662E538F025508F0E1BD2717586712A5CA1A901F9E5EA5673DFEDA0AB3D59200D8DCA4A016EAF5C9B89088BC92A87C1F84B2EE683E53A9466611AC780E3CDE0E0FBC406E5C634C33C92F1F26D39D3C7970C9C060227E7CE1C013F812701A90C8F866BC234124F8FB010A60C576A56DE6D5EA469F1CFA1215EFA4C2240CB66D719C78740533

---- Files - GMER 1.0.15 ----

File C:\Users\Mark & Adriana\AppData\Local\Temp\geyekr000 0 bytes
File C:\Windows\System32\drivers\geyekrsbmxtfyx.sys 66048 bytes
File C:\Windows\Temp\geyekreqewgtxxti.tmp 18432 bytes
File C:\Windows\Temp\geyekrgrekyqlxqw.tmp 18432 bytes
File C:\Windows\Temp\geyekrnxifftxxsv.tmp 18432 bytes

---- EOF - GMER 1.0.15 ----


Re: Win32/Cryptor

Post by Belahzur on Mon Aug 10, 2009 12:05 am

Hmm, this again. ¬.¬

We have to put a stop to the main driver file before we can delete it. Trust me, I tried straight-out deleting it with one of our most powerful tools on another machine; it doesn't work.

Go to Start and in the little search box, type in "Run", now when the Run command appears, right click, select "Run as administrator".

Now when the run box opens, copy/paste in the following:

notepad "C:\Windows\System32\drivers\geyekrsbmxtfyx.sys"

This opens the rootkit's driver file in Notepad, and it just appears as lots of funny characters you can't understand; this is normal.
Highlight everything inside it (Ctrl+A), and press the backspace so it removes everything and leaves it blank.

Now go to File > select "Save" so it saves it blank.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Drivers to disable:
geyekrfrvqidfd

Drivers to delete:
geyekrfrvqidfd

Files to delete:
C:\Users\Mark & Adriana\AppData\Local\Temp\geyekr000
C:\Windows\System32\drivers\geyekrsbmxtfyx.sys
C:\Windows\Temp\geyekreqewgtxxti.tmp
C:\Windows\Temp\geyekrgrekyqlxqw.tmp
C:\Windows\Temp\geyekrnxifftxxsv.tmp

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245069
# Likes # Likes : 1

View user profile

Back to top Go down

Avenger Log

Post by mday01376 on Mon Aug 10, 2009 3:01 am

Hello,

File "C:\Windows\System32\drivers\geyekrsbmxtfyx.sys" could not be found in Safe Mode, but ran successfully in normal mode.

After Avenger ran, I became a little worried as Vista rebooted twice (the first time saying it couldn't boot due to a group policy error). On the second reboot the logfile appeared on the desktop.

I should add that the nasty "Bad Image" dialogue box has now disappeared. Looks like we are close to a solution...

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

script file opened successfully.
script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "geyekrfrvqidfd" found!
ImagePath: \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Driver disabled successfully.

Rootkit scan completed.

Driver "geyekrfrvqidfd" disabled successfully.
Driver "geyekrfrvqidfd" deleted successfully.
File "C:\Users\Mark & Adriana\AppData\Local\Temp\geyekr000" deleted successfully.
File "C:\Windows\System32\drivers\geyekrsbmxtfyx.sys" deleted successfully.
File "C:\Windows\Temp\geyekreqewgtxxti.tmp" deleted successfully.
File "C:\Windows\Temp\geyekrgrekyqlxqw.tmp" deleted successfully.
File "C:\Windows\Temp\geyekrnxifftxxsv.tmp" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: Win32/Cryptor

Post by Belahzur on Mon Aug 10, 2009 2:56 pm

Hello.
Run MBAM now, post the log when done.



MBAM log

Post by mday01376 on Tue Aug 11, 2009 12:30 am

Malwarebytes' Anti-Malware 1.40
Database version: 2594
Windows 6.0.6002 Service Pack 2

10/08/2009 16:04:50
mbam-log-2009-08-10 (16-04-50).txt

Scan type: Quick Scan
Objects scanned: 81572
Time elapsed: 9 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Win32/Cryptor

Post by Belahzur on Tue Aug 11, 2009 12:41 am

How is the machine running now?



Avast A/V finds rootkit

Post by mday01376 on Tue Aug 11, 2009 2:23 am

Hi there,

Computer runs fine & faster than previously.

In addition to MBAM I thought a quick scan with Avast would be a good idea. Avast found the following file, C:\Windows\System32\geyekroswbvuto.dll, which it reports under the malware name Win32-Alureon-CE [Rtk]. Could it be a false positive?

mday01376


Last edited by mday01376 on Tue Aug 11, 2009 2:24 am; edited 1 time in total (Reason for editing : Filename entered in incorrect place on reply.)


Re: Win32/Cryptor

Post by Belahzur on Tue Aug 11, 2009 1:54 pm

No, probably a leftover file.
Combofix wasn't getting the rootkit, so we had to use GMER to find it, and if GMER doesn't list EVERY file that comes from the rootkit, then I can't kill it if I can't see it.

Just delete it manually.


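The gap in the Avenger script above (the file Avast later flagged is named in the service's `modules` values, but GMER's "Files" section never listed it) is easy to close mechanically. The script below is an added example written for this thread; it is not GMER's, Avenger's or either poster's code. It parses the `Reg` and `File` lines GMER prints for the hidden service, collects the service key in every ControlSet, the driver `ImagePath` and every path under `modules@*`, merges those with the "Files" section, and renders the four sections in the layout the Avenger script uses. It assumes `\systemroot\` expands to `C:\Windows` (the `SYSTEM_ROOT` constant) and uses an excerpt of the GMER log posted earlier as constructed sample input.

```python
"""Build an Avenger-style removal script from a GMER log.

Added example for this thread; it is not GMER's, Avenger's or the poster's
code. Every file the hidden service references is collected: the driver's
ImagePath, the paths under the service's "modules" values, and whatever
GMER's own "Files" section lists.
"""
import re

# ASSUMPTION: \systemroot\ resolves to C:\Windows on the infected machine
# (true of the Vista laptop in this thread; check %SystemRoot% elsewhere).
SYSTEM_ROOT = r"C:\Windows"

# Constructed sample input: an excerpt of the GMER 1.0.15 log posted above.
SAMPLE_GMER_LOG = r"""
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION E32589FD12BE0D4F

---- Files - GMER 1.0.15 ----

File C:\Users\Mark & Adriana\AppData\Local\Temp\geyekr000 0 bytes
File C:\Windows\System32\drivers\geyekrsbmxtfyx.sys 66048 bytes
File C:\Windows\Temp\geyekreqewgtxxti.tmp 18432 bytes

---- EOF - GMER 1.0.15 ----
"""

# "Reg" line for a key, subkey or value under a service in any ControlSet.
SERVICE_RE = re.compile(
    r"^Reg (HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\@\s]+))"
    r"(?:\\([^@\s]+))?"                 # subkey such as \modules or \main\injector
    r"(?:@(\S+)\s+(.*?))?"              # value name and data
    r"(?:\s*\(not active ControlSet\))?$"
)
FILE_RE = re.compile(r"^File (.+?) (\d+) bytes$")
SYSROOT_PREFIX = "\\systemroot\\"


def parse_gmer(text, system_root=SYSTEM_ROOT):
    """Return drivers, service keys, files, and the files GMER's Files section missed."""
    drivers, keys = [], []
    files = {}          # lower-cased path -> path; NTFS names are case-insensitive
    listed = set()      # lower-cased paths from the "Files" section

    def add_file(path):
        files.setdefault(path.lower(), path)

    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            add_file(m.group(1))
            listed.add(m.group(1).lower())
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue                    # e.g. the legitimate OODEFRAG value
        key, name, subkey, value, data = m.groups()
        if name not in drivers:
            drivers.append(name)
        if key not in keys:
            keys.append(key)
        if value is None:
            continue
        # Only ImagePath and the modules\* values carry file paths; the
        # injector value names a module alias that modules\* resolves.
        is_image = subkey is None and value.lower() == "imagepath"
        is_module = subkey is not None and subkey.lower() == "modules"
        if (is_image or is_module) and data.lower().startswith(SYSROOT_PREFIX):
            add_file(system_root + data[len(SYSROOT_PREFIX) - 1:])
    unlisted = [p for k, p in files.items() if k not in listed]
    return {"drivers": drivers, "keys": keys, "files": list(files.values()),
            "unlisted": unlisted}


def render_avenger_script(result):
    """Emit the four sections in the layout used by the Avenger script above."""
    sections = [
        ("Drivers to disable:", result["drivers"]),
        ("Drivers to delete:", result["drivers"]),
        ("Files to delete:", result["files"]),
        ("Registry keys to delete:", result["keys"]),
    ]
    return "\n\n".join(title + "\n" + "\n".join(items) for title, items in sections) + "\n"


if __name__ == "__main__":
    res = parse_gmer(SAMPLE_GMER_LOG)
    print(render_avenger_script(res))
    print("# referenced by the service but absent from GMER's Files section:")
    for path in res["unlisted"]:
        print("#  ", path)
```

Run against the sample, the "Files to delete" section gains `geyekroswbvuto.dll` and `geyekrvpxuxcve.dat` from the `modules` values, the first being the file Avast flagged; the `unlisted` list prints exactly those two. Paths are de-duplicated case-insensitively because the registry spells `system32` in lower case while GMER's Files section reports `System32`. Expanding `\systemroot\` by string substitution is the one assumption: the kernel resolves that prefix itself, so confirm `%SystemRoot%` on the actual host before feeding the output to Avenger.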

Issue solved

Post by mday01376 on Fri Aug 14, 2009 2:43 am

Hi there,

I felt that I owed an update on the Win32/Cryptor situation. I have now run full scans of MBAM, Super Anti-Spyware, Ad-Aware & Avast & am pleased to advise that after manually deleting leftover files, my machine now appears clean & more importantly is running as good as new.

Many thanks to all at Geek Police - donation to follow.

mday01376


Re: Win32/Cryptor

Post by Belahzur on Fri Aug 14, 2009 6:07 pm

Not a problem!

Click Start > Run and copy/paste the following text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

