Win32/Cryptor

Combofix re-run 1 of 3

Post by mday01376 on Thu Aug 06, 2009 3:59 am

ComboFix 09-08-03.A2 - Mark & Adriana 05/08/2009 20:35.4.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.1917.1304 [GMT -6:00]
Running from: c:\users\Mark & Adriana\Desktop\Combo-Fix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Kaspersky Anti-Virus *disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
SP: Lavasoft Ad-Watch Live! *enabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-07-06 to 2009-08-06 )))))))))))))))))))))))))))))))
.

2009-08-05 02:48 . 2009-08-05 02:48 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\Yahoo!
2009-08-05 02:48 . 2009-08-05 02:48 -------- d-----w- c:\progra~2\Yahoo! Companion
2009-08-05 02:48 . 2009-08-05 02:48 -------- d-----w- c:\program files\Yahoo!
2009-08-05 02:48 . 2009-08-05 02:48 -------- d-----w- c:\program files\CCleaner
2009-08-05 02:39 . 2009-08-06 03:32 117760 ----a-w- c:\users\Mark & Adriana\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-05 02:37 . 2009-08-05 02:37 -------- d-----w- c:\progra~2\SUPERAntiSpyware.com
2009-08-05 02:37 . 2009-08-05 02:37 65024 ----a-r- c:\users\Mark & Adriana\AppData\Roaming\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2009-08-05 02:37 . 2009-08-05 02:37 18944 ----a-r- c:\users\Mark & Adriana\AppData\Roaming\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2009-08-05 02:37 . 2009-08-05 02:37 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-08-05 02:37 . 2009-08-05 02:37 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\SUPERAntiSpyware.com
2009-08-05 02:36 . 2009-08-05 02:36 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-04 22:25 . 2009-02-05 21:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-04 22:25 . 2009-02-05 21:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-04 22:25 . 2009-02-05 21:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-04 22:25 . 2009-02-05 21:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-04 22:25 . 2009-02-05 21:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-04 22:25 . 2009-02-05 21:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-04 22:25 . 2009-02-05 21:06 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-08-04 22:24 . 2009-08-04 22:24 -------- d-----w- c:\program files\Alwil Software
2009-08-04 21:38 . 2009-08-04 21:38 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\AVG8
2009-07-30 03:08 . 2009-08-01 01:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-30 03:08 . 2009-08-01 01:02 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-07-30 02:45 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-30 02:41 . 2009-07-30 02:44 -------- d-----w- c:\progra~2\Lavasoft
2009-07-30 02:41 . 2009-07-30 02:41 -------- d-----w- c:\program files\Lavasoft
2009-07-30 02:05 . 2009-07-30 02:05 -------- d-----w- c:\program files\FileHippo.com
2009-07-28 11:57 . 2009-07-28 11:57 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\Malwarebytes
2009-07-28 11:57 . 2009-08-03 19:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-28 11:57 . 2009-08-05 02:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-28 11:57 . 2009-08-03 19:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-28 11:57 . 2009-07-28 11:57 -------- d-----w- c:\progra~2\Malwarebytes
2009-07-25 04:03 . 2009-08-05 02:44 -------- d-----w- c:\program files\Common Files\Little Registry Cleaner
2009-07-25 03:45 . 2009-07-25 03:52 -------- d-----w- c:\program files\Registry Clean Expert
2009-07-21 03:42 . 2009-07-21 03:42 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\Foxit
2009-07-21 03:42 . 2009-07-21 03:42 -------- d-----w- c:\program files\Foxit Software
2009-07-21 03:36 . 2009-07-21 03:36 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\iExpert Software
2009-07-15 14:14 . 2009-07-15 14:18 -------- d-----w- c:\progra~2\Ten Thumbs Typing Tutor
2009-07-15 14:12 . 2009-07-15 14:12 -------- d-----w- c:\program files\Ten Thumbs Typing Tutor 4.7
2009-07-14 18:06 . 2009-06-15 14:53 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-14 18:06 . 2009-06-15 14:52 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-14 18:06 . 2009-06-15 12:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-14 18:06 . 2009-06-15 14:52 23552 ----a-w- c:\windows\system32\lpk.dll
2009-07-14 18:06 . 2009-06-15 14:51 10240 ----a-w- c:\windows\system32\dciman32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 02:13 . 2007-12-28 00:56 -------- d-----w- c:\progra~2\Google Updater
2009-08-04 22:09 . 2008-12-03 04:01 -------- d-----w- c:\progra~2\Avg8
2009-08-04 22:05 . 2007-08-22 20:26 -------- d-----w- c:\program files\Java
2009-07-31 01:36 . 2008-09-10 07:51 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-25 11:23 . 2009-05-23 05:18 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 21:52 . 2009-07-28 19:58 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-28 19:58 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-28 19:58 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-28 19:58 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-21 04:00 . 2008-04-23 14:55 -------- d-----w- c:\program files\HP
2009-07-21 03:53 . 2008-04-23 14:53 -------- d-----w- c:\progra~2\HP
2009-07-21 03:52 . 2008-06-05 02:08 -------- d-----w- c:\program files\mozilla.org
2009-07-19 05:25 . 2007-08-22 20:03 -------- d-----w- c:\program files\Google
2009-07-17 02:26 . 2007-12-27 13:01 -------- d--h--w- c:\users\Mark & Adriana\AppData\Roaming\Skype
2009-07-14 23:44 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-14 23:44 . 2007-09-19 01:18 -------- d-----w- c:\progra~2\Microsoft Help
2009-07-01 06:23 . 2008-10-07 23:36 -------- d--h--w- c:\users\Mark & Adriana\AppData\Roaming\Thinstall
2009-06-27 13:22 . 2008-07-28 07:26 -------- d-----w- c:\program files\PhotoScape
2009-06-27 13:07 . 2009-05-17 21:55 -------- d-----w- c:\users\Mark & Adriana\AppData\Roaming\FUJIFILM
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-06-12 03:48 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-06-12 03:42 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-06-12 03:29 . 2006-11-02 12:37 37665 ----a-w- c:\windows\Fonts\GlobalUserInterface.CompositeFont
2009-06-11 01:45 . 2007-09-19 01:15 -------- d-----w- c:\program files\Microsoft Works
2009-06-11 01:01 . 2009-06-11 01:01 -------- d-----w- c:\program files\Paint.NET
2009-06-10 21:55 . 2008-12-06 04:48 -------- d-----w- c:\progra~2\Rosetta Stone
2009-06-10 20:53 . 2009-06-10 20:53 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-05-14 00:58 . 2008-12-10 01:26 123408 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2008-05-31 13:41 . 2007-12-29 12:50 67696 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-05-31 13:41 . 2007-12-29 12:50 54376 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-05-31 13:41 . 2007-12-29 12:50 34952 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-05-31 13:41 . 2007-12-29 12:50 46720 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-05-31 13:41 . 2007-12-29 12:50 172144 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2008-12-16 03:20 . 2008-12-16 02:42 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2008-12-16 03:20 . 2008-12-16 02:42 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-08-22 20:40 . 2009-08-06 03:30 77830 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-08-06 03:30 89052 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2007-12-24 21:54 . 2009-08-06 03:30 15240 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3184346778-380610952-3069833314-1000_UserData.bin
+ 2007-12-24 21:42 . 2009-08-06 03:28 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-12-24 21:42 . 2009-07-31 22:51 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2007-12-24 21:42 . 2009-07-31 22:51 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-24 21:42 . 2009-08-06 03:28 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2007-12-24 21:42 . 2009-08-06 03:28 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2007-12-24 21:42 . 2009-07-31 22:51 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-04 22:05 . 2009-07-25 11:23 149280 c:\windows\System32\javaws.exe
+ 2009-08-04 22:05 . 2009-07-25 11:23 145184 c:\windows\System32\javaw.exe
+ 2009-08-04 22:05 . 2009-07-25 11:23 145184 c:\windows\System32\java.exe
+ 2009-05-04 05:32 . 2009-08-05 01:46 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-05-04 05:32 . 2009-07-30 02:47 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2007-08-22 20:49 . 2009-07-31 22:49 1678416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2007-08-22 20:49 . 2009-08-06 03:25 1678416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2009-08-05 02:37 . 2009-08-05 02:37 1516544 c:\windows\Installer\2eee09.msi
.

mday01376
Novice
Posts: 24
Joined: 2009-07-30
OS: Vista
Points: 26876
Likes: 0

Combofix re-run 2 of 3

Post by mday01376 on Thu Aug 06, 2009 4:01 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-28 68856]
"Google Update"="c:\users\Mark & Adriana\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-04 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Eraser"="c:\program files\Eraser\Eraser.exe" [2007-12-22 916240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-28 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2007-05-22 413696]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2009-5-17 303104]
PDFCreator.lnk - c:\program files\PDFCreator\PDFCreator.exe [2008-6-27 2641920]
Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2009-5-3 479232]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 18:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Mark & Adriana^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^realshed.old]
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):27,bf,f9,b7,11,eb,c9,01

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3184346778-380610952-3069833314-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{66DD937E-AE3C-4248-8276-E03B0E662FC4}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{5A419130-C26E-4A4D-95D9-EA35767E4F2C}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D1266DD3-3A9B-4EB2-9CE7-88D472AF7EF7}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{2E15ED65-ABB2-4DDE-AE38-1D4D7D2E9AAA}c:\\programdata\\kaspersky lab setup files\\kaspersky anti-virus 7.0.1.321\\english\\setup.exe"= UDP:c:\programdata\kaspersky lab setup files\kaspersky anti-virus 7.0.1.321\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup
"UDP Query User{A022D2AA-4EFE-4FDB-BA2E-1D99FE6B21EB}c:\\programdata\\kaspersky lab setup files\\kaspersky anti-virus 7.0.1.321\\english\\setup.exe"= TCP:c:\programdata\kaspersky lab setup files\kaspersky anti-virus 7.0.1.321\english\setup.exe:Kaspersky Anti-Virus 7.0 Setup
"TCP Query User{4DCE4B7C-3F06-4B9F-A0F1-8D893C290A69}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{48F8ABC9-AF9C-43D5-A12E-B134139A5FF3}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{020FC91C-96A9-4C91-B3A0-F29D11107746}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{6B92138C-67A5-4CBE-897A-6DF31C6689F7}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{4B71DD2E-475F-4A17-AB05-5C57A59EC1D6}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{371BF024-100B-4DE6-9863-47BC453D9E9A}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{A0F9FC39-EBE6-49EC-B900-EBFCF158336A}c:\\program files\\attractel\\zoiper\\zoiper.exe"= UDP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"UDP Query User{A1A5E757-DF8A-4A37-AAE2-0FAAEC044513}c:\\program files\\attractel\\zoiper\\zoiper.exe"= TCP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"TCP Query User{89288A4F-B931-444A-B74F-701B2BF28AC2}c:\\program files\\attractel\\zoiper\\zoiper.exe"= UDP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"UDP Query User{65127F06-2351-4BB3-B308-E0BAAA0D8C0A}c:\\program files\\attractel\\zoiper\\zoiper.exe"= TCP:c:\program files\attractel\zoiper\zoiper.exe:Zoiper
"TCP Query User{F2E131E7-AD40-4103-ADD2-2DE4F67D3340}c:\\users\\mark & adriana\\appdata\\roaming\\maxthon2\\modules\\mxdownloader\\mxdownloadserver.exe"= UDP:c:\users\mark & adriana\appdata\roaming\maxthon2\modules\mxdownloader\mxdownloadserver.exe:mxdownloadserver.exe
"UDP Query User{EBBD88EB-EA08-4DCE-B9BE-AA69636D6C48}c:\\users\\mark & adriana\\appdata\\roaming\\maxthon2\\modules\\mxdownloader\\mxdownloadserver.exe"= TCP:c:\users\mark & adriana\appdata\roaming\maxthon2\modules\mxdownloader\mxdownloadserver.exe:mxdownloadserver.exe
"TCP Query User{AAD24E5F-CA5A-47FF-A83B-0D8A2C8D6E18}c:\\program files\\acoo browser\\acoobrowser.exe"= UDP:c:\program files\acoo browser\acoobrowser.exe:Acoo Browser
"UDP Query User{1EBE616F-AF7E-41B2-8335-E53200C5A3E8}c:\\program files\\acoo browser\\acoobrowser.exe"= TCP:c:\program files\acoo browser\acoobrowser.exe:Acoo Browser
"{726022BF-3003-4960-A583-9B25E32F0059}"= UDP:c:\program files\3\3Connect\Wilog.exe:3Connect
"{E8286F86-E4BE-4F29-A229-1837B0AD7A7A}"= TCP:c:\program files\3\3Connect\Wilog.exe:3Connect
"{4C0EF1F6-2C01-4971-ADD9-1F8DD1294879}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{A4C07ECF-D017-4649-B8B2-C970E2E04BA7}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{571BC4B4-0AAF-47E6-9561-18C2CFA42A97}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{40E2B9D4-F3A2-4102-9E6F-91BE519FB1EE}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{50A18888-BBD9-4202-B406-9FFAD309735C}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{5CE03319-483A-45BD-BBD7-1AD9D875D94F}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{AE9FABBC-3704-4057-8378-67E0D627B3BF}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{EE0BEC18-39EA-46C8-993C-24E184969E99}c:\\users\\mark & adriana\\appdata\\local\\google\\chrome\\application\\chrome.exe"= UDP:c:\users\mark & adriana\appdata\local\google\chrome\application\chrome.exe:chrome.exe
"UDP Query User{20CEC1CB-DCB2-4582-BEC9-272E74CC827F}c:\\users\\mark & adriana\\appdata\\local\\google\\chrome\\application\\chrome.exe"= TCP:c:\users\mark & adriana\appdata\local\google\chrome\application\chrome.exe:chrome.exe
"TCP Query User{722DAD41-54E8-410A-83FC-42318CE5BFCD}c:\\windows\\system32\\cmds.exe"= UDP:c:\windows\system32\cmds.exe:
"UDP Query User{44A2D863-79A0-444A-942D-FA63A34B9A3E}c:\\windows\\system32\\cmds.exe"= TCP:c:\windows\system32\cmds.exe:
"TCP Query User{D42D54D3-E89C-4E7A-A657-30B1A005C81B}c:\\users\\mark & adriana\\appdata\\roaming\\twain_x86.exe"= UDP:c:\users\mark & adriana\appdata\roaming\twain_x86.exe:twain_x86.exe
"UDP Query User{BC2A4E12-53E8-4496-B829-9256BAB54560}c:\\users\\mark & adriana\\appdata\\roaming\\twain_x86.exe"= TCP:c:\users\mark & adriana\appdata\roaming\twain_x86.exe:twain_x86.exe
"TCP Query User{5D049E69-6B76-45B3-99CA-7E59C4842937}c:\\windows\\system32\\cmds.exe"= UDP:c:\windows\system32\cmds.exe:
"UDP Query User{ED8DCD26-C8E0-4539-83F2-6B029E44A121}c:\\windows\\system32\\cmds.exe"= TCP:c:\windows\system32\cmds.exe:
"{F442AE91-7D56-4ACD-9219-9139DCE7464E}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{5F7BB48E-7A01-41AE-962A-BCA285F5D966}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{D08CA669-8B62-4611-819F-58D394FC5EE5}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{9A400437-A316-4CBD-B140-63A06361ECE9}"= c:\program files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [29/07/2009 20:45 64160]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [04/08/2009 16:25 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [28/07/2009 10:53 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [28/07/2009 10:53 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [04/08/2009 16:25 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [04/08/2009 16:25 51792]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 08:49 1029456]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [22/08/2007 13:53 7168]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [28/07/2009 10:53 7408]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssfltr.sys [03/05/2009 23:06 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 11:08 533360]
S3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [28/03/2007 08:51 43008]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = 85.31.89.222:8080
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.17\AMVConverter\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\users\MARK&A~1\AppData\Roaming\Mozilla\Firefox\Profiles\6optvrgw.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\


Combofix re-run 3 of 3

Post by mday01376 on Thu Aug 06, 2009 4:02 am

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-05 21:31
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\agrsmsvc.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\windows\System32\Locator.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\System32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\conime.exe
c:\program files\Common Files\microsoft shared\Source Engine\OSE.EXE
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Camera Assistant Software for Toshiba\CEC_MAIN.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
.
**************************************************************************
.
Completion time: 2009-08-06 21:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-06 03:53
ComboFix2.txt 2009-08-04 14:44
ComboFix3.txt 2009-08-01 01:31

Pre-Run: 168,551,661,568 bytes free
Post-Run: 168,552,574,976 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=9 Sets=1,5,6,7,8,9
303 --- E O F --- 2009-08-04 11:41


Re: Win32/Cryptor

Post by Belahzur on Thu Aug 06, 2009 2:14 pm

Not seeing anything.

Download the GMER rootkit scan from here: [You must be registered and logged in to see this link.]

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245059
Likes: 1

GMER log 1 of 2

Post by mday01376 on Sun Aug 09, 2009 9:45 pm

Hi there,

Sorry about that, been away from the problem computer for a few days.

Here's the GMER log - had to run it in Safe Mode:

GMER 1.0.15.15020 [r4h3qvme.exe] - [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-09 15:39:58
Windows 6.0.6002 Service Pack 2


---- System - GMER 1.0.15 ----

Code 853782E0 ZwEnumerateKey
Code 85379398 ZwFlushInstructionCache
Code 853732CE ZwSaveKey
Code 8532F4B6 ZwSaveKeyEx
Code 85347515 IofCallDriver
Code 8533E2F6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 82249912 5 Bytes JMP 8534751A
.text ntkrnlpa.exe!IofCompleteRequest 8224997F 5 Bytes JMP 8533E2FB
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 823B4EF5 5 Bytes JMP 8537939C
PAGE ntkrnlpa.exe!ZwEnumerateKey 824020BA 5 Bytes JMP 853782E4
PAGE ntkrnlpa.exe!ZwSaveKey 82457969 5 Bytes JMP 853732D2
PAGE ntkrnlpa.exe!ZwSaveKeyEx 82457B07 5 Bytes JMP 8532F4BA

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll

mday01376
Novice

Posts : 24
Joined : 2009-07-30
OS : Vista
Points : 26876
# Likes : 0

GMER log 2 of 2

Post by mday01376 on Sun Aug 09, 2009 9:46 pm

Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION

---- Files - GMER 1.0.15 ----

File C:\Users\Mark & Adriana\AppData\Local\Temp\geyekr000 0 bytes
File C:\Windows\System32\drivers\geyekrsbmxtfyx.sys 66048 bytes
File C:\Windows\Temp\geyekreqewgtxxti.tmp 18432 bytes
File C:\Windows\Temp\geyekrgrekyqlxqw.tmp 18432 bytes
File C:\Windows\Temp\geyekrnxifftxxsv.tmp 18432 bytes

---- EOF - GMER 1.0.15 ----


Re: Win32/Cryptor

Post by Belahzur on Mon Aug 10, 2009 12:05 am

Hmm, this again. ¬.¬

We have to put a stop to the main driver file before we can delete it. Trust me, I tried straight-out deleting it with one of our most powerful tools on another machine; it doesn't work.

Go to Start and, in the little search box, type in "Run". When the Run command appears, right-click it and select "Run as administrator".

Now when the run box opens, copy/paste in the following:

notepad "C:\Windows\System32\drivers\geyekrsbmxtfyx.sys"

This opens the rootkit's driver file in Notepad, and it just appears as lots of funny characters you can't understand; this is normal.
Highlight everything inside it (Ctrl+A) and press Backspace so it removes everything and leaves it blank.

Now go to File > select "Save" so it saves it blank.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Drivers to disable:
geyekrfrvqidfd

Drivers to delete:
geyekrfrvqidfd

Files to delete:
C:\Users\Mark & Adriana\AppData\Local\Temp\geyekr000
C:\Windows\System32\drivers\geyekrsbmxtfyx.sys
C:\Windows\Temp\geyekreqewgtxxti.tmp
C:\Windows\Temp\geyekrgrekyqlxqw.tmp
C:\Windows\Temp\geyekrnxifftxxsv.tmp

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
# Likes : 1
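The Avenger script above was written by hand from the GMER log: the service name goes under "Drivers to disable/delete", GMER's File lines under "Files to delete", and the service key from every ControlSet under "Registry keys to delete". As an added example (not code from this thread, from GMER or from The Avenger), the Python below does that mapping mechanically and adds the cross-check a responder wants: which files the service's own registry values point to (ImagePath and the `modules` entries) that GMER's File section did not list. Those are the paths a script built from the File section alone will leave behind. It assumes the line shapes quoted in the thread ("Reg HKLM\SYSTEM\<ControlSet>\Services\<name>[\subkey][@value data]", "File <path> <size> bytes") and that `\systemroot` expands to `C:\Windows`; the sample log is constructed from a handful of the thread's own lines.

```python
"""Map GMER Reg/File lines to an Avenger-style script and cross-check them.

Added example, not part of the forum thread, GMER or The Avenger.
Assumptions: GMER line shapes as quoted in the thread; \systemroot == C:\Windows.
"""
import re

# Constructed sample: a few representative lines in the shape of the thread's
# GMER output (same service name and paths as the thread quotes).
SAMPLE_GMER_LOG = r"""
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd@group file system
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
File C:\Users\Mark & Adriana\AppData\Local\Temp\geyekr000 0 bytes
File C:\Windows\System32\drivers\geyekrsbmxtfyx.sys 66048 bytes
File C:\Windows\Temp\geyekreqewgtxxti.tmp 18432 bytes
"""

# Group 1: top-level service key for that control set; group 2: service name;
# groups 3/4: optional "@value data" pair. Subkeys (\main\injector) and the
# "(not active ControlSet)" suffix are matched but not captured.
SERVICE_LINE = re.compile(
    r"^Reg (HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\@ ]+))"
    r"(?:\\[^@ ]+)?"
    r"(?:@(\S+) (.*?))?"
    r"\s*(?:\(not active ControlSet\))?$"
)
FILE_LINE = re.compile(r"^File (.+) (\d+) bytes$")


def parse_gmer(text, systemroot=r"C:\Windows"):
    """Return (services, files).

    services: name -> {"keys": [service key per control set, in log order],
                       "refs": [files its registry values point to]}
    files: paths from GMER's File section.
    \systemroot references are expanded with `systemroot` (assumed C:\Windows)
    so they can be compared against the File section.
    """
    services, files = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_LINE.match(line)
        if m:
            key, name, _value, data = m.groups()
            svc = services.setdefault(name, {"keys": [], "refs": []})
            if key not in svc["keys"]:
                svc["keys"].append(key)
            if data and data.lower().startswith("\\systemroot\\"):
                path = systemroot + data[len("\\systemroot"):]
                if path.lower() not in (r.lower() for r in svc["refs"]):
                    svc["refs"].append(path)
            continue
        m = FILE_LINE.match(line)
        if m:
            files.append(m.group(1))
    return services, files


def avenger_script(services, files):
    """Render the four script sections used in the thread."""
    names = sorted(services)
    keys = [k for n in names for k in services[n]["keys"]]
    sections = [("Drivers to disable:", names), ("Drivers to delete:", names),
                ("Files to delete:", files), ("Registry keys to delete:", keys)]
    return "\n\n".join(title + "\n" + "\n".join(items) for title, items in sections)


def unlisted_references(services, files):
    """Files the service's registry values reference but GMER's File section
    did not list; a script built from the File section alone leaves them behind,
    so they are the first places to look for leftovers after the run."""
    listed = {f.lower() for f in files}
    out = []
    for svc in services.values():
        for ref in svc["refs"]:
            if ref.lower() not in listed and ref not in out:
                out.append(ref)
    return out


if __name__ == "__main__":
    svcs, fls = parse_gmer(SAMPLE_GMER_LOG)
    print(avenger_script(svcs, fls))
    print("\nReferenced in the registry but absent from GMER's File list:")
    for p in unlisted_references(svcs, fls):
        print("  " + p)
```

On the sample, the cross-check reports `C:\Windows\system32\geyekroswbvuto.dll` and `C:\Windows\system32\geyekrvpxuxcve.dat`: both are named in the service's `modules` values in the GMER log but appear in no File line, and the .dll is the very file Avast flags later in this thread. Feeding the full GMER log to the same function is a quick way to build the "delete manually afterwards" list before the reboot rather than after.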

Avenger Log

Post by mday01376 on Mon Aug 10, 2009 3:01 am

Hello,

File "C:\Windows\System32\drivers\geyekrsbmxtfyx.sys" could not be found in Safe Mode, but was successfully run in normal mode.

After Avenger ran, I became a little worried as Vista rebooted twice (the first time saying it couldn't boot due to a group policy error). On the second reboot the logfile appeared on the desktop.

I should add that the nasty "bad image" dialogue box has now disappeared. Looks like we are close to a solution...

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

script file opened successfully.
script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "geyekrfrvqidfd" found!
ImagePath: \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Driver disabled successfully.

Rootkit scan completed.

Driver "geyekrfrvqidfd" disabled successfully.
Driver "geyekrfrvqidfd" deleted successfully.
File "C:\Users\Mark & Adriana\AppData\Local\Temp\geyekr000" deleted successfully.
File "C:\Windows\System32\drivers\geyekrsbmxtfyx.sys" deleted successfully.
File "C:\Windows\Temp\geyekreqewgtxxti.tmp" deleted successfully.
File "C:\Windows\Temp\geyekrgrekyqlxqw.tmp" deleted successfully.
File "C:\Windows\Temp\geyekrnxifftxxsv.tmp" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Re: Win32/Cryptor

Post by Belahzur on Mon Aug 10, 2009 2:56 pm

Hello.
Run MBAM now, post the log when done.

MBAM log

Post by mday01376 on Tue Aug 11, 2009 12:30 am

Malwarebytes' Anti-Malware 1.40
Database version: 2594
Windows 6.0.6002 Service Pack 2

10/08/2009 16:04:50
mbam-log-2009-08-10 (16-04-50).txt

Scan type: Quick Scan
Objects scanned: 81572
Time elapsed: 9 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Win32/Cryptor

Post by Belahzur on Tue Aug 11, 2009 12:41 am

How is the machine running now?


Avast A/V finds rootkit

Post by mday01376 on Tue Aug 11, 2009 2:23 am

Hi there,

Computer runs fine & faster than previously.

In addition to MBAM I thought a quick scan with Avast would be a good idea. Avast found the following file, C:\Windows\System32\geyekroswbvuto.dll, which has the malware name Win32-Alureon-CE [Rtk]. Could it be a false positive?

mday01376


Last edited by mday01376 on Tue Aug 11, 2009 2:24 am; edited 1 time in total (Reason for editing : Filename entered in incorrect place on reply.)


Re: Win32/Cryptor

Post by Belahzur on Tue Aug 11, 2009 1:54 pm

No, probably a leftover file.
Combofix wasn't getting the rootkit, so we had to use GMER to find it, and if GMER doesn't list EVERY file that comes from the rootkit, then I can't kill it if I can't see it.

Just delete it manually.


Issue solved

Post by mday01376 on Fri Aug 14, 2009 2:43 am

Hi there,

I felt that I owed an update on the Win32/Cryptor situation. I have now run full scans of MBAM, Super Anti-Spyware, Ad-Aware & Avast & am pleased to advise that after manually deleting leftover files, my machine now appears clean & more importantly is running as good as new.

Many thanks to all at Geek Police - donation to follow.

mday01376


Re: Win32/Cryptor

Post by Belahzur on Fri Aug 14, 2009 6:07 pm

Not a problem!

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

