win32/crypto virus


win32/crypto virus

Post by Swerdna on 8th August 2009, 10:18 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:29:54, on 08/08/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\DNA\btdna.exe
C:\Documents and Settings\Graham\Graham.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\netsh.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R3 - URLSearchHook: (no name) - *{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - *{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,C:\WINDOWS\system32\sdra64.exe,C:\WINDOWS\system32\pavuppad.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 surety.microsoft.com
O1 - Hosts: 209.44.111.62 aware-protect.com
O1 - Hosts: 209.44.111.62 [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MS extension - {1925C7E1-5540-4675-8198-8A2779D4072A} - msfgw32.dll (file missing)
O2 - BHO: 790151 helper - {22186AA4-E2A6-45E8-BF4F-5C103C0458B0} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {8567EDFA-408C-43e9-B929-4C25C04F5003} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SearchSettings Class - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - C:\Program Files\Search Settings\kb127\SearchSettings.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
O4 - HKLM\..\Run: [EKIJ5000StatusMonitor] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
O4 - HKCU\..\Run: [Graham] C:\Documents and Settings\Graham\Graham.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MrHealthy (MrHealthyService) - Symantec Corporation - C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Wanid3ustem - Unknown owner - (no file)

--
End of file - 12731 bytes

AVG is telling me I have the win32/crypto virus on 120 .exe files. Also, Internet Explorer is being diverted from the selected web sites unless the address is typed directly into the address bar. I read a couple of the forum threads you have on win32/crypto, which prompted me to register and get some help resolving this virus. There was also some general advice about avoiding virus threats in one, which looked pretty sensible. Anyway, I need a bit of help.

Swerdna


Re: win32/crypto virus

Post by Belahzur on 9th August 2009, 1:04 am

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    R3 - URLSearchHook: (no name) - *{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    R3 - URLSearchHook: (no name) - *{E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,C:\WINDOWS\system32\sdra64.exe,C:\WINDOWS\system32\pavuppad.exe,
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 209.44.111.62 surety.microsoft.com
    O1 - Hosts: 209.44.111.62 aware-protect.com
    O1 - Hosts: 209.44.111.62 [You must be registered and logged in to see this link.]
    O2 - BHO: MS extension - {1925C7E1-5540-4675-8198-8A2779D4072A} - msfgw32.dll (file missing)
    O2 - BHO: 790151 helper - {22186AA4-E2A6-45E8-BF4F-5C103C0458B0} - (no file)
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: (no name) - {8567EDFA-408C-43e9-B929-4C25C04F5003} - (no file)
    O4 - HKLM\..\Run: [Conime] %windir%\system32\conime.exe
    O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
    O4 - HKCU\..\Run: [Graham] C:\Documents and Settings\Graham\Graham.exe


  • Press "Fix Checked"
  • Close HijackThis.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: win32/crypto virus

Post by Swerdna on 10th August 2009, 7:48 pm

Belahzur

Followed your instructions; MBAM log below, in two parts.

Swerdna

Malwarebytes' Anti-Malware 1.40
Database version: 2593
Windows 5.1.2600 Service Pack 3

10/08/2009 20:31:52
mbam-log-2009-08-10 (20-31-52).txt

Scan type: Quick Scan
Objects scanned: 151140
Time elapsed: 14 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 45
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 36
Files Infected: 75

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekraltpejnt.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\shoppingreport.hbax (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e343edfc-1e6c-4cb5-aa29-e9c922641c80} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d8560ac2-21b5-4c1a-bdd4-bd12bc83b082} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{20ea9658-6bc3-4599-a87d-6371fe9295fc} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a16ad1e9-f69a-45af-9462-b1c286708842} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9ccbb35-d123-4a31-affc-9b2933132116} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbax.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.hbinfoband.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebutton.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.iebuttona.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shoppingreport.rprtctrl.1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8ad9ad05-36be-4e40-ba62-5422eb0d02fb} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aebf09e2-0c15-43c8-99bf-928c645d98a0} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cdca70d8-c6a6-49ee-9bed-7429d6c477a2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d136987f-e1c4-4ccc-a220-893df03ec5df} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1925c7e1-5540-4675-8198-8a2779d4072a} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{22186aa4-e2a6-45e8-bf4f-5c103c0458b0} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5e5efa8f-9f53-418e-b78e-44866667a404} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8567edfa-408c-43e9-b929-4c25c04f5003} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{df058c45-cd18-453e-8745-5a77f60722ab} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b5a33c35-7298-4d15-8753-a2e851e2eab3} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d2b812-752d-4af1-a2fb-968c4d8446db} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e856b973-45fd-4559-8f82-eab539144667} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\shoppingreport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\claire\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\claire\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\claire\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\claire\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\claire\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\claire\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Graham\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Graham\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Graham\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Graham\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Graham\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Graham\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\ShoppingReport\cs\res2 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilma\Application Data\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilma\Application Data\ShoppingReport\cs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilma\Application Data\ShoppingReport\cs\db (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilma\Application Data\ShoppingReport\cs\dwld (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilma\Application Data\ShoppingReport\cs\report (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilma\Application Data\ShoppingReport\cs\res1 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\twain_32 (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\twain_32 (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin\2.5.0 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\218538 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\790151 (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bookls (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Quarantined and deleted successfully.


win32/crypto

Post by Swerdna on 10th August 2009, 7:49 pm

Second part


Files Infected:
\\?\globalroot\systemroot\system32\geyekraltpejnt.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\GTDownDE_87.ocx (Adware.Gdown) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wbem\proquota.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Graham\Graham.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\James.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\QOBLWB.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\claire\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\claire\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\claire\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\claire\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\claire\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\claire\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\claire\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Graham\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Graham\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Graham\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Graham\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Graham\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Graham\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Graham\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\ShoppingReport\cs\res2\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilma\Application Data\ShoppingReport\cs\Config.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilma\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilma\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilma\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilma\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilma\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wilma\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Application Data\twain_32\user.ds (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\twain_32\user.ds (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Uninst.exe (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bookls\dooi.poc (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bookls\orde.poc (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain_32\user.ds.cla (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\inform.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\st_1242507165.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\st_1241786880.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\st_1241805308.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\st_1241817024.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\st_1241835452.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\st_1242475677.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\st_1242488737.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\st_1242494105.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\st_1242566425.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\st_1242584872.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101464849.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101465349.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101465749.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\bf23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\f23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\jmmark2.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\msmark2.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2668f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2692f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2695f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft3165f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft3189f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft3190f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft3192f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.


Re: win32/crypto virus

Post by Belahzur on 10th August 2009, 8:59 pm

Hello.

  • Download combofix from here

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See the linked guide for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.





Re: win32/crypto virus

Post by Swerdna on 12th August 2009, 8:19 pm

Belahzur

Combo-fix didn't download Microsoft Recovery Console as it indicated that it couldn't find the internet, although it was connected. I guess I can download this myself. Anyway it proceeded and the log file is below. Also I didn't know how to disable McAfee - I thought this had expired long ago.

Part 1

ComboFix 09-08-10.06 - Graham 12/08/2009 20:47.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.486 [GMT 1:00]
Running from: c:\documents and settings\Graham\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Graham\autorun.inf
c:\documents and settings\Graham\Local Settings\Temporary Internet Files\egab.dl
c:\documents and settings\Graham\Local Settings\Temporary Internet Files\qazizywozu.scr
c:\documents and settings\Graham\Local Settings\Temporary Internet Files\yrywy.sys
c:\documents and settings\James\Application Data\WeatherDPA
c:\documents and settings\James\Application Data\WeatherDPA\Weather\WeatherStartup.xml
c:\program files\Search Settings
c:\program files\Search Settings\kb127\SearchSettings.dll
c:\program files\Search Settings\kb127\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\FONTS\cooecp.tlb
c:\windows\FONTS\logcde.dll
c:\windows\Fonts\mlog
c:\windows\Fonts\services.exe
c:\windows\FONTS\windef.dll
c:\windows\FONTS\windef.Log
c:\windows\FONTS\winpaged.ocx
c:\windows\Install.txt
c:\windows\Installer\ae98a.msp
c:\windows\msa.exe
c:\windows\system32\6to4v32.dll
c:\windows\system32\braviax.exe
c:\windows\system32\certstore.dat
c:\windows\system32\cru629.dat
c:\windows\system32\drivers\geyekrmeklyxls.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\geyekraltpejnt.dll
c:\windows\system32\geyekraswcuolp.dat
c:\windows\system32\geyekrnvvfkkyn.dat
c:\windows\system32\geyekrrkcjsdfi.dll
c:\windows\system32\Install.txt
c:\windows\system32\msacy.exe
c:\windows\system32\mscmrfv.exe
c:\windows\system32\msdha.exe
c:\windows\system32\msdyf.exe
c:\windows\system32\mseddd.exe
c:\windows\system32\mseqov.exe
c:\windows\system32\msetk.exe
c:\windows\system32\msetpiia.exe
c:\windows\system32\msextmfj.exe
c:\windows\system32\msfah.exe
c:\windows\system32\msfkipio.exe
c:\windows\system32\msfoi.exe
c:\windows\system32\msgtamb.exe
c:\windows\system32\mshjxpli.exe
c:\windows\system32\mshxju.exe
c:\windows\system32\msifcwu.exe
c:\windows\system32\msiqgeop.exe
c:\windows\system32\msjikuvl.exe
c:\windows\system32\msjlrfu.exe
c:\windows\system32\msjsby.exe
c:\windows\system32\mskegn.exe
c:\windows\system32\msknapm.exe
c:\windows\system32\mskqtpoo.exe
c:\windows\system32\mskwd.exe
c:\windows\system32\mslqvtj.exe
c:\windows\system32\mslwnmq.exe
c:\windows\system32\mslxbr.exe
c:\windows\system32\mslxtolg.exe
c:\windows\system32\msmob.exe
c:\windows\system32\msmpopwf.exe
c:\windows\system32\msnank.exe
c:\windows\system32\msnfcg.exe
c:\windows\system32\msnjyef.exe
c:\windows\system32\msnneoxj.exe
c:\windows\system32\msogrcvb.exe
c:\windows\system32\msosi.exe
c:\windows\system32\msouvcha.exe
c:\windows\system32\msouyexd.exe
c:\windows\system32\msphaug.exe
c:\windows\system32\mspnbixd.exe
c:\windows\system32\msqarx.exe
c:\windows\system32\msrmtss.exe
c:\windows\system32\mssdu.exe
c:\windows\system32\mssexji.exe
c:\windows\system32\mssvcjho.exe
c:\windows\system32\msucfi.exe
c:\windows\system32\msvskqj.exe
c:\windows\system32\msvudvmd.exe
c:\windows\system32\msvxgksc.exe
c:\windows\system32\mswbfysb.exe
c:\windows\system32\mswfkdk.exe
c:\windows\system32\mswgas.exe
c:\windows\system32\mswnnxyv.exe
c:\windows\system32\mswoulf.exe
c:\windows\system32\mswzxgf.exe
c:\windows\system32\msxirn.exe
c:\windows\system32\msxml71.dll
c:\windows\system32\msxvf.exe
c:\windows\system32\msyuaucx.exe
c:\windows\system32\mszambly.exe
c:\windows\system32\msznrrc.exe
c:\windows\system32\mszot.exe
c:\windows\system32\mszyzw.exe
c:\windows\system32\netcard.sys
c:\windows\system32\wiawow32.sys
c:\windows\system32\wisdstr.exe
c:\windows\system32\wiwow64.exe
c:\windows\TEMP\mpj107991.dll
c:\windows\TEMP\mta84770.dll

Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP317\A0212366.sys

c:\windows\system32\grpconv.exe . . . is missing!!

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_geyekrumnappuw
-------\Legacy_NETCARD
-------\Service_6to4
-------\Service_geyekrumnappuw
-------\Service_netcard


((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
.

2009-08-12 15:31 . 2009-08-12 15:31 -------- d-----w- c:\documents and settings\Wilma\Application Data\DivX
2009-08-12 15:29 . 2009-08-12 15:29 458 ----a-w- c:\documents and settings\Wilma\otvdno.bat
2009-08-12 15:29 . 2009-08-12 15:29 40960 ----a-w- c:\documents and settings\Wilma\YXJTHK.exe
2009-08-12 15:29 . 2009-08-12 15:29 31744 --sh--r- c:\documents and settings\Wilma\Wilma.exe
2009-08-12 14:37 . 2009-08-12 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\12848124
2009-08-12 14:36 . 2009-08-12 14:36 31744 --sh--r- c:\documents and settings\claire\claire.exe
2009-08-12 14:36 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 22:45 . 2009-08-11 22:45 19632 ----a-w- c:\documents and settings\Graham\Local Settings\Application Data\dybaci.sys
2009-08-11 22:45 . 2009-08-11 22:45 18665 ----a-w- c:\documents and settings\All Users\Application Data\tacihoq.com
2009-08-11 22:45 . 2009-08-11 22:45 18587 ----a-w- c:\windows\system32\yzygepo.pif
2009-08-11 22:45 . 2009-08-11 22:45 16308 ----a-w- c:\windows\imehofuji.bat
2009-08-11 22:45 . 2009-08-11 22:45 12163 ----a-w- c:\windows\system32\ofimyqu.com
2009-08-11 22:45 . 2009-08-11 22:45 12028 ----a-w- c:\program files\Common Files\cajede.sys
2009-08-11 22:45 . 2009-08-11 22:45 11546 ----a-w- c:\windows\ikadesimoc.dat
2009-08-11 22:45 . 2009-08-11 22:45 17157 ----a-w- c:\windows\mezynu.exe
2009-08-11 22:44 . 2009-08-11 22:44 -------- d-----w- c:\program files\PC_Antispyware2010
2009-08-10 19:15 . 2009-08-10 19:15 -------- d-----w- c:\documents and settings\Graham\Application Data\Malwarebytes
2009-08-10 19:14 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 19:14 . 2009-08-10 19:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 19:14 . 2009-08-10 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 19:14 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 22:23 . 2009-08-08 22:23 -------- d-----w- c:\program files\Sun
2009-08-08 21:55 . 2009-08-08 22:27 -------- d-----w- c:\documents and settings\Graham\.SunDownloadManager
2009-08-08 21:19 . 2009-08-08 21:19 -------- d-----w- c:\program files\Trend Micro
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 19:41 . 2009-08-04 19:41 -------- d-----w- c:\documents and settings\Graham\Application Data\AVG8
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\program files\MSBuild
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\program files\Reference Assemblies
2009-08-02 08:15 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-02 08:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-02 08:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-02 08:15 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-02 08:15 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-02 08:15 . 2009-08-02 08:15 -------- d-----w- C:\09c6fbee40c940fe6129
2009-08-02 08:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-02 08:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-29 17:42 . 2009-07-29 17:42 458 ----a-w- c:\documents and settings\James\joqxij.bat
2009-07-21 18:55 . 2009-07-21 18:55 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 18:54 . 2009-07-21 18:54 152576 ----a-w- c:\documents and settings\Graham\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-17 20:15 . 2009-07-17 20:15 -------- d-----w- c:\windows\system32\kodak
2009-07-17 19:01 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll
2009-07-17 14:50 . 2009-07-17 14:53 -------- d-----w- c:\documents and settings\Graham\Application Data\Temp
2009-07-13 22:43 . 2009-07-13 22:43 286208 ------w- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 22:43 . 2009-07-13 22:43 10841088 ------w- c:\windows\system32\dllcache\wmp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-11 22:45 . 2009-08-11 22:45 11887 ----a-w- c:\documents and settings\All Users\Application Data\rysal.reg
2009-08-11 22:45 . 2009-08-11 22:45 19050 ----a-w- c:\program files\Common Files\nujoz.dl
2009-08-08 22:22 . 2005-12-09 09:26 -------- d-----w- c:\program files\Java
2009-08-07 15:05 . 2008-08-09 10:13 -------- d-----w- c:\documents and settings\Graham\Application Data\AdobeUM
2009-08-07 03:36 . 2008-09-11 19:30 -------- d-----w- c:\program files\Dl_cats
2009-08-05 16:51 . 2008-11-01 19:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-05 09:01 . 2005-08-16 04:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 21:34 . 2008-08-08 20:59 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-04 21:34 . 2008-08-08 20:59 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-04 21:34 . 2008-08-08 20:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-04 21:29 . 2008-08-08 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-03 00:49 . 2009-06-19 14:15 47232 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-23 20:37 . 2008-12-24 20:08 -------- d-----w- c:\documents and settings\Graham\Application Data\BitTorrent
2009-07-17 19:01 . 2005-08-16 04:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 16:58 . 2008-09-07 21:55 -------- d-----w- c:\program files\Bonjour
2009-07-17 16:46 . 2008-10-18 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-07-17 14:52 . 2008-10-18 15:56 -------- d-----w- c:\program files\Kodak
2009-07-13 22:43 . 2005-08-16 04:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 07:08 . 2009-06-27 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-10 17:49 . 2008-08-08 23:24 -------- d-----w- c:\program files\CCleaner
2009-07-06 21:17 . 2008-09-09 21:53 -------- d-----w- c:\program files\LimeWire
2009-07-06 19:29 . 2008-09-09 21:57 -------- d-----w- c:\documents and settings\James\Application Data\LimeWire
2009-06-29 16:12 . 2005-08-16 04:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-08-16 04:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2005-08-16 04:18 17408 ------w- c:\windows\system32\corpol.dll
2009-06-18 14:51 . 2008-09-09 21:56 -------- d-----w- c:\program files\Google
2009-06-16 14:36 . 2005-08-16 04:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 04:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 15:07 . 2009-06-27 12:00 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 12:31 . 2005-08-16 04:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 04:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2005-08-16 04:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2005-08-16 04:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2005-08-16 04:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-16 04:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 17:27 . 2008-11-06 22:39 47232 ----a-w- c:\documents and settings\Wilma\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-24 23:24 . 2008-05-26 21:18 350208 ------w- c:\windows\system32\mssph.dll
2009-05-17 12:08 . 2009-05-17 12:08 146 ----a-w- C:\43214354.bat
2008-09-03 14:36 . 2008-09-03 14:36 251 ----a-w- c:\program files\wt3d.ini
2005-07-16 05:41 . 2005-12-09 09:38 41573 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2005-07-16 05:41 . 2005-12-09 09:38 48223 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2005-07-16 05:41 . 2005-12-09 09:38 160871 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.


Re: win32/crypto virus

Post by Belahzur on 12th August 2009, 9:21 pm

Hello.
The rest of the log was cut off, please post a full log.





win32/crypto

Post by Swerdna on 16th August 2009, 8:36 am

Belahzur

Full log: part 1

ComboFix 09-08-10.06 - Graham 12/08/2009 20:47.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.486 [GMT 1:00]
Running from: c:\documents and settings\Graham\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Graham\autorun.inf
c:\documents and settings\Graham\Local Settings\Temporary Internet Files\egab.dl
c:\documents and settings\Graham\Local Settings\Temporary Internet Files\qazizywozu.scr
c:\documents and settings\Graham\Local Settings\Temporary Internet Files\yrywy.sys
c:\documents and settings\James\Application Data\WeatherDPA
c:\documents and settings\James\Application Data\WeatherDPA\Weather\WeatherStartup.xml
c:\program files\Search Settings
c:\program files\Search Settings\kb127\SearchSettings.dll
c:\program files\Search Settings\kb127\SearchSettingsRes409.dll
c:\program files\Search Settings\SearchSettings.exe
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\FONTS\cooecp.tlb
c:\windows\FONTS\logcde.dll
c:\windows\Fonts\mlog
c:\windows\Fonts\services.exe
c:\windows\FONTS\windef.dll
c:\windows\FONTS\windef.Log
c:\windows\FONTS\winpaged.ocx
c:\windows\Install.txt
c:\windows\Installer\ae98a.msp
c:\windows\msa.exe
c:\windows\system32\6to4v32.dll
c:\windows\system32\braviax.exe
c:\windows\system32\certstore.dat
c:\windows\system32\cru629.dat
c:\windows\system32\drivers\geyekrmeklyxls.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\geyekraltpejnt.dll
c:\windows\system32\geyekraswcuolp.dat
c:\windows\system32\geyekrnvvfkkyn.dat
c:\windows\system32\geyekrrkcjsdfi.dll
c:\windows\system32\Install.txt
c:\windows\system32\msacy.exe
c:\windows\system32\mscmrfv.exe
c:\windows\system32\msdha.exe
c:\windows\system32\msdyf.exe
c:\windows\system32\mseddd.exe
c:\windows\system32\mseqov.exe
c:\windows\system32\msetk.exe
c:\windows\system32\msetpiia.exe
c:\windows\system32\msextmfj.exe
c:\windows\system32\msfah.exe
c:\windows\system32\msfkipio.exe
c:\windows\system32\msfoi.exe
c:\windows\system32\msgtamb.exe
c:\windows\system32\mshjxpli.exe
c:\windows\system32\mshxju.exe
c:\windows\system32\msifcwu.exe
c:\windows\system32\msiqgeop.exe
c:\windows\system32\msjikuvl.exe
c:\windows\system32\msjlrfu.exe
c:\windows\system32\msjsby.exe
c:\windows\system32\mskegn.exe
c:\windows\system32\msknapm.exe
c:\windows\system32\mskqtpoo.exe
c:\windows\system32\mskwd.exe
c:\windows\system32\mslqvtj.exe
c:\windows\system32\mslwnmq.exe
c:\windows\system32\mslxbr.exe
c:\windows\system32\mslxtolg.exe
c:\windows\system32\msmob.exe
c:\windows\system32\msmpopwf.exe
c:\windows\system32\msnank.exe
c:\windows\system32\msnfcg.exe
c:\windows\system32\msnjyef.exe
c:\windows\system32\msnneoxj.exe
c:\windows\system32\msogrcvb.exe
c:\windows\system32\msosi.exe
c:\windows\system32\msouvcha.exe
c:\windows\system32\msouyexd.exe
c:\windows\system32\msphaug.exe
c:\windows\system32\mspnbixd.exe
c:\windows\system32\msqarx.exe
c:\windows\system32\msrmtss.exe
c:\windows\system32\mssdu.exe
c:\windows\system32\mssexji.exe
c:\windows\system32\mssvcjho.exe
c:\windows\system32\msucfi.exe
c:\windows\system32\msvskqj.exe
c:\windows\system32\msvudvmd.exe
c:\windows\system32\msvxgksc.exe
c:\windows\system32\mswbfysb.exe
c:\windows\system32\mswfkdk.exe
c:\windows\system32\mswgas.exe
c:\windows\system32\mswnnxyv.exe
c:\windows\system32\mswoulf.exe
c:\windows\system32\mswzxgf.exe
c:\windows\system32\msxirn.exe
c:\windows\system32\msxml71.dll
c:\windows\system32\msxvf.exe
c:\windows\system32\msyuaucx.exe
c:\windows\system32\mszambly.exe
c:\windows\system32\msznrrc.exe
c:\windows\system32\mszot.exe
c:\windows\system32\mszyzw.exe
c:\windows\system32\netcard.sys
c:\windows\system32\wiawow32.sys
c:\windows\system32\wisdstr.exe
c:\windows\system32\wiwow64.exe
c:\windows\TEMP\mpj107991.dll
c:\windows\TEMP\mta84770.dll

Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\system volume information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP317\A0212366.sys

c:\windows\system32\grpconv.exe . . . is missing!!

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_geyekrumnappuw
-------\Legacy_NETCARD
-------\Service_6to4
-------\Service_geyekrumnappuw
-------\Service_netcard


((((((((((((((((((((((((( Files Created from 2009-07-12 to 2009-08-12 )))))))))))))))))))))))))))))))
.

2009-08-12 15:31 . 2009-08-12 15:31 -------- d-----w- c:\documents and settings\Wilma\Application Data\DivX
2009-08-12 15:29 . 2009-08-12 15:29 458 ----a-w- c:\documents and settings\Wilma\otvdno.bat
2009-08-12 15:29 . 2009-08-12 15:29 40960 ----a-w- c:\documents and settings\Wilma\YXJTHK.exe
2009-08-12 15:29 . 2009-08-12 15:29 31744 --sh--r- c:\documents and settings\Wilma\Wilma.exe
2009-08-12 14:37 . 2009-08-12 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\12848124
2009-08-12 14:36 . 2009-08-12 14:36 31744 --sh--r- c:\documents and settings\claire\claire.exe
2009-08-12 14:36 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 22:45 . 2009-08-11 22:45 19632 ----a-w- c:\documents and settings\Graham\Local Settings\Application Data\dybaci.sys
2009-08-11 22:45 . 2009-08-11 22:45 18665 ----a-w- c:\documents and settings\All Users\Application Data\tacihoq.com
2009-08-11 22:45 . 2009-08-11 22:45 18587 ----a-w- c:\windows\system32\yzygepo.pif
2009-08-11 22:45 . 2009-08-11 22:45 16308 ----a-w- c:\windows\imehofuji.bat
2009-08-11 22:45 . 2009-08-11 22:45 12163 ----a-w- c:\windows\system32\ofimyqu.com
2009-08-11 22:45 . 2009-08-11 22:45 12028 ----a-w- c:\program files\Common Files\cajede.sys
2009-08-11 22:45 . 2009-08-11 22:45 11546 ----a-w- c:\windows\ikadesimoc.dat
2009-08-11 22:45 . 2009-08-11 22:45 17157 ----a-w- c:\windows\mezynu.exe
2009-08-11 22:44 . 2009-08-11 22:44 -------- d-----w- c:\program files\PC_Antispyware2010
2009-08-10 19:15 . 2009-08-10 19:15 -------- d-----w- c:\documents and settings\Graham\Application Data\Malwarebytes
2009-08-10 19:14 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 19:14 . 2009-08-10 19:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 19:14 . 2009-08-10 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 19:14 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 22:23 . 2009-08-08 22:23 -------- d-----w- c:\program files\Sun
2009-08-08 21:55 . 2009-08-08 22:27 -------- d-----w- c:\documents and settings\Graham\.SunDownloadManager
2009-08-08 21:19 . 2009-08-08 21:19 -------- d-----w- c:\program files\Trend Micro
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 19:41 . 2009-08-04 19:41 -------- d-----w- c:\documents and settings\Graham\Application Data\AVG8
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\program files\MSBuild
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\program files\Reference Assemblies
2009-08-02 08:15 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-02 08:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-02 08:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-02 08:15 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-02 08:15 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-02 08:15 . 2009-08-02 08:15 -------- d-----w- C:\09c6fbee40c940fe6129
2009-08-02 08:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-02 08:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-29 17:42 . 2009-07-29 17:42 458 ----a-w- c:\documents and settings\James\joqxij.bat
2009-07-21 18:55 . 2009-07-21 18:55 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 18:54 . 2009-07-21 18:54 152576 ----a-w- c:\documents and settings\Graham\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-17 20:15 . 2009-07-17 20:15 -------- d-----w- c:\windows\system32\kodak
2009-07-17 19:01 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll
2009-07-17 14:50 . 2009-07-17 14:53 -------- d-----w- c:\documents and settings\Graham\Application Data\Temp
2009-07-13 22:43 . 2009-07-13 22:43 286208 ------w- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 22:43 . 2009-07-13 22:43 10841088 ------w- c:\windows\system32\dllcache\wmp.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-11 22:45 . 2009-08-11 22:45 11887 ----a-w- c:\documents and settings\All Users\Application Data\rysal.reg
2009-08-11 22:45 . 2009-08-11 22:45 19050 ----a-w- c:\program files\Common Files\nujoz.dl
2009-08-08 22:22 . 2005-12-09 09:26 -------- d-----w- c:\program files\Java
2009-08-07 15:05 . 2008-08-09 10:13 -------- d-----w- c:\documents and settings\Graham\Application Data\AdobeUM
2009-08-07 03:36 . 2008-09-11 19:30 -------- d-----w- c:\program files\Dl_cats
2009-08-05 16:51 . 2008-11-01 19:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-05 09:01 . 2005-08-16 04:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 21:34 . 2008-08-08 20:59 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-04 21:34 . 2008-08-08 20:59 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-04 21:34 . 2008-08-08 20:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-04 21:29 . 2008-08-08 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-03 00:49 . 2009-06-19 14:15 47232 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-23 20:37 . 2008-12-24 20:08 -------- d-----w- c:\documents and settings\Graham\Application Data\BitTorrent
2009-07-17 19:01 . 2005-08-16 04:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 16:58 . 2008-09-07 21:55 -------- d-----w- c:\program files\Bonjour
2009-07-17 16:46 . 2008-10-18 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-07-17 14:52 . 2008-10-18 15:56 -------- d-----w- c:\program files\Kodak
2009-07-13 22:43 . 2005-08-16 04:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 07:08 . 2009-06-27 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-10 17:49 . 2008-08-08 23:24 -------- d-----w- c:\program files\CCleaner
2009-07-06 21:17 . 2008-09-09 21:53 -------- d-----w- c:\program files\LimeWire
2009-07-06 19:29 . 2008-09-09 21:57 -------- d-----w- c:\documents and settings\James\Application Data\LimeWire
2009-06-29 16:12 . 2005-08-16 04:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-08-16 04:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2005-08-16 04:18 17408 ------w- c:\windows\system32\corpol.dll
2009-06-18 14:51 . 2008-09-09 21:56 -------- d-----w- c:\program files\Google
2009-06-16 14:36 . 2005-08-16 04:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 04:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 15:07 . 2009-06-27 12:00 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 12:31 . 2005-08-16 04:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 04:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2005-08-16 04:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2005-08-16 04:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2005-08-16 04:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-16 04:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 17:27 . 2008-11-06 22:39 47232 ----a-w- c:\documents and settings\Wilma\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-24 23:24 . 2008-05-26 21:18 350208 ------w- c:\windows\system32\mssph.dll
2009-05-17 12:08 . 2009-05-17 12:08 146 ----a-w- C:\43214354.bat
2008-09-03 14:36 . 2008-09-03 14:36 251 ----a-w- c:\program files\wt3d.ini
2005-07-16 05:41 . 2005-12-09 09:38 41573 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2005-07-16 05:41 . 2005-12-09 09:38 48223 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2005-07-16 05:41 . 2005-12-09 09:38 160871 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.


Re: win32/crypto virus

Post by Swerdna on 16th August 2009, 8:38 am

Full log : part 2

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-12 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-24 342848]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2006-08-04 25600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-21 148888]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-09 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-04 2000152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-04-07 1511424]
"ter8m"="c:\windows\system32\msxm192z.dll" [2004-08-17 49152]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-04 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-8-18 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-9 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-3-22 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-04 21:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9323:TCP"= 9323:TCP:EKDiscovery
"9324:TCP"= 9324:TCP:EKDiscovery
"9325:TCP"= 9325:TCP:EKDiscovery
"9326:TCP"= 9326:TCP:EKDiscovery

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/08/2008 21:59 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/08/2008 21:59 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/08/2008 21:59 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/08/2008 21:59 297752]
R2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [16/08/2005 05:18 14336]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [10/08/2004 06:00 94720]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [06/04/2009 12:21 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [10/04/2009 15:21 27961]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [10/04/2009 15:21 20953]
S3 Wanid3ustem;Wanid3ustem; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-07-31 c:\windows\Tasks\AiO Home Center Registration Remind Task.job
- c:\documents and settings\All Users\Application Data\Kodak\Installer\Registration.exe [2009-07-17 16:24]

2009-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-08-05 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]

2009-08-01 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SearchSettings - c:\program files\Search Settings\SearchSettings.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = ;*.local
FF - ProfilePath - c:\documents and settings\Graham\Application Data\Mozilla\Firefox\Profiles\zjxqfrxg.default\
FF - prefs.js: browser.search.selectedEngine - Google


Re: win32/crypto virus

Post by Swerdna on 16th August 2009, 8:39 am

full log : part 3


---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-12 21:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(960)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\msxm192z.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\searchindexer.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\rundll32.exe
c:\program files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
c:\windows\system32\dlcccoms.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-12 21:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-12 20:06

Pre-Run: 41,100,873,728 bytes free
Post-Run: 42,362,384,384 bytes free

444 --- E O F --- 2009-08-12 15:39


Re: win32/crypto virus

Post by Belahzur on 16th August 2009, 6:41 pm

Hello.

Now open a new notepad file.
Input this into the notepad file:

KILLALLL::

Driver::
sofatnet
Wanid3ustem

File::
C:\documents and settings\Wilma\otvdno.bat
c:\documents and settings\Wilma\YXJTHK.exe
c:\documents and settings\Wilma\Wilma.exe
c:\documents and settings\All Users\Application Data\12848124
c:\documents and settings\claire\claire.exe
c:\documents and settings\Graham\Local Settings\Application Data\dybaci.sys
c:\documents and settings\All Users\Application Data\tacihoq.com
c:\windows\system32\yzygepo.pif
c:\windows\imehofuji.bat
c:\windows\system32\ofimyqu.com
c:\program files\Common Files\cajede.sys
c:\windows\ikadesimoc.dat
c:\windows\mezynu.exe
c:\program files\PC_Antispyware2010
c:\documents and settings\All Users\Application Data\rysal.reg
c:\program files\Common Files\nujoz.dl
c:\program files\LimeWire
c:\documents and settings\James\Application Data\LimeWire
C:\43214354.bat
c:\windows\system32\sofatnet.exe
c:\windows\system32\msxm192z.dll

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ter8m"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



win32/crypto

Post by Swerdna on 18th August 2009, 7:52 pm

Belahzur

Log from Combofix below:

ComboFix 09-08-10.06 - Graham 18/08/2009 20:24.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.493 [GMT 1:00]
Running from: c:\documents and settings\Graham\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Graham\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"C:\43214354.bat"
"c:\documents and settings\All Users\Application Data\12848124"
"c:\documents and settings\All Users\Application Data\rysal.reg"
"c:\documents and settings\All Users\Application Data\tacihoq.com"
"c:\documents and settings\claire\claire.exe"
"c:\documents and settings\Graham\Local Settings\Application Data\dybaci.sys"
"c:\documents and settings\James\Application Data\LimeWire"
"c:\documents and settings\Wilma\otvdno.bat"
"c:\documents and settings\Wilma\Wilma.exe"
"c:\documents and settings\Wilma\YXJTHK.exe"
"c:\program files\Common Files\cajede.sys"
"c:\program files\Common Files\nujoz.dl"
"c:\program files\LimeWire"
"c:\program files\PC_Antispyware2010"
"c:\windows\ikadesimoc.dat"
"c:\windows\imehofuji.bat"
"c:\windows\mezynu.exe"
"c:\windows\system32\msxm192z.dll"
"c:\windows\system32\ofimyqu.com"
"c:\windows\system32\sofatnet.exe"
"c:\windows\system32\yzygepo.pif"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\43214354.bat
c:\documents and settings\All Users\Application Data\rysal.reg
c:\documents and settings\All Users\Application Data\tacihoq.com
c:\documents and settings\claire\claire.exe
c:\documents and settings\Graham\Local Settings\Application Data\dybaci.sys
c:\documents and settings\Wilma\otvdno.bat
c:\documents and settings\Wilma\Wilma.exe
c:\documents and settings\Wilma\YXJTHK.exe
c:\program files\Common Files\cajede.sys
c:\program files\Common Files\nujoz.dl
c:\windows\ikadesimoc.dat
c:\windows\imehofuji.bat
c:\windows\Install.txt
c:\windows\mezynu.exe
c:\windows\system32\FInstall.sys
c:\windows\system32\msxm192z.dll
c:\windows\system32\ofimyqu.com
c:\windows\system32\sofatnet.exe
c:\windows\system32\wiawow32.sys
c:\windows\system32\wiwow64.exe
c:\windows\system32\yzygepo.pif
c:\windows\TEMP\mpj98108.dll
c:\windows\TEMP\mta80562.dll

c:\windows\system32\grpconv.exe . . . is missing!!

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SOFATNET
-------\Service_sofatnet


((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-18 19:30 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-18 19:30 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-08-14 13:58 . 2009-08-14 13:58 -------- d-----w- c:\documents and settings\Graham\Local Settings\Application Data\ABBYY
2009-08-12 15:31 . 2009-08-12 15:31 -------- d-----w- c:\documents and settings\Wilma\Application Data\DivX
2009-08-12 14:37 . 2009-08-12 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\12848124
2009-08-12 14:36 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-11 22:44 . 2009-08-11 22:44 -------- d-----w- c:\program files\PC_Antispyware2010
2009-08-10 19:15 . 2009-08-10 19:15 -------- d-----w- c:\documents and settings\Graham\Application Data\Malwarebytes
2009-08-10 19:14 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 19:14 . 2009-08-10 19:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 19:14 . 2009-08-10 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 19:14 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 22:23 . 2009-08-08 22:23 -------- d-----w- c:\program files\Sun
2009-08-08 21:55 . 2009-08-08 22:27 -------- d-----w- c:\documents and settings\Graham\.SunDownloadManager
2009-08-08 21:19 . 2009-08-08 21:19 -------- d-----w- c:\program files\Trend Micro
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 19:41 . 2009-08-04 19:41 -------- d-----w- c:\documents and settings\Graham\Application Data\AVG8
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\program files\MSBuild
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\program files\Reference Assemblies
2009-08-02 08:15 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-02 08:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-02 08:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-02 08:15 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-02 08:15 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-02 08:15 . 2009-08-02 08:15 -------- d-----w- C:\09c6fbee40c940fe6129
2009-08-02 08:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-02 08:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-29 17:42 . 2009-07-29 17:42 458 ----a-w- c:\documents and settings\James\joqxij.bat
2009-07-21 18:55 . 2009-07-21 18:55 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 18:54 . 2009-07-21 18:54 152576 ----a-w- c:\documents and settings\Graham\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 09:09 . 2008-09-03 14:36 47232 ----a-w- c:\documents and settings\James\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 11:01 . 2008-11-01 19:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-15 00:43 . 2008-09-25 13:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-08 22:22 . 2005-12-09 09:26 -------- d-----w- c:\program files\Java
2009-08-07 15:05 . 2008-08-09 10:13 -------- d-----w- c:\documents and settings\Graham\Application Data\AdobeUM
2009-08-07 03:36 . 2008-09-11 19:30 -------- d-----w- c:\program files\Dl_cats
2009-08-05 09:01 . 2005-08-16 04:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 21:34 . 2008-08-08 20:59 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-04 21:34 . 2008-08-08 20:59 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-04 21:34 . 2008-08-08 20:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-04 21:29 . 2008-08-08 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-03 00:49 . 2009-06-19 14:15 47232 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-23 20:37 . 2008-12-24 20:08 -------- d-----w- c:\documents and settings\Graham\Application Data\BitTorrent
2009-07-17 19:01 . 2005-08-16 04:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 16:58 . 2008-09-07 21:55 -------- d-----w- c:\program files\Bonjour
2009-07-17 16:46 . 2008-10-18 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-07-17 14:53 . 2009-07-17 14:50 -------- d-----w- c:\documents and settings\Graham\Application Data\Temp
2009-07-17 14:52 . 2008-10-18 15:56 -------- d-----w- c:\program files\Kodak
2009-07-13 22:43 . 2005-08-16 04:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 07:08 . 2009-06-27 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-10 17:49 . 2008-08-08 23:24 -------- d-----w- c:\program files\CCleaner
2009-07-06 21:17 . 2008-09-09 21:53 -------- d-----w- c:\program files\LimeWire
2009-07-06 19:29 . 2008-09-09 21:57 -------- d-----w- c:\documents and settings\James\Application Data\LimeWire
2009-06-29 16:12 . 2005-08-16 04:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-08-16 04:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2005-08-16 04:18 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2005-08-16 04:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 04:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 15:07 . 2009-06-27 12:00 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 12:31 . 2005-08-16 04:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 04:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2005-08-16 04:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2005-08-16 04:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2005-08-16 04:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-16 04:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 17:27 . 2008-11-06 22:39 47232 ----a-w- c:\documents and settings\Wilma\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-24 23:24 . 2008-05-26 21:18 350208 ------w- c:\windows\system32\mssph.dll
2008-09-03 14:36 . 2008-09-03 14:36 251 ----a-w- c:\program files\wt3d.ini
2005-07-16 05:41 . 2005-12-09 09:38 41573 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2005-07-16 05:41 . 2005-12-09 09:38 48223 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2005-07-16 05:41 . 2005-12-09 09:38 160871 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-18 19:35 . 2009-08-18 19:35 16384 c:\windows\Temp\Perflib_Perfdata_4e0.dat
+ 2009-08-18 19:33 . 2009-08-18 19:33 16384 c:\windows\Temp\Perflib_Perfdata_474.dat
+ 2009-08-18 19:28 . 2009-08-18 19:28 16384 c:\windows\Temp\Perflib_Perfdata_17d0.dat
+ 2004-08-10 05:00 . 2004-08-10 05:00 44032 c:\windows\system32\EvdoServer.dll
+ 2008-08-24 10:59 . 2009-08-17 04:37 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2009-08-12 19:57 . 2009-08-12 19:57 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
+ 2009-08-18 19:31 . 2009-08-18 19:31 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
- 2009-08-12 19:57 . 2009-08-12 19:57 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
+ 2009-08-18 19:31 . 2009-08-18 19:31 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
- 2008-08-24 10:59 . 2009-05-04 18:50 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe
+ 2009-08-18 19:31 . 2009-08-18 19:31 172032 c:\windows\ERDNT\subs\Users\00000008\UsrClass.dat
+ 2009-08-18 19:31 . 2009-08-18 19:31 172032 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
- 2009-08-12 19:57 . 2009-08-12 19:57 172032 c:\windows\ERDNT\subs\Users\00000006\UsrClass.dat
+ 2009-08-18 19:31 . 2009-08-18 19:31 237568 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
- 2009-08-12 19:57 . 2009-08-12 19:57 237568 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
+ 2009-08-18 19:31 . 2009-08-18 19:31 237568 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
- 2009-08-12 19:57 . 2009-08-12 19:57 237568 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
+ 2009-08-18 19:35 . 2009-06-29 16:12 1159680 c:\windows\Temp\x1c79505.dll
+ 2009-08-18 19:33 . 2009-06-29 16:12 1159680 c:\windows\Temp\mta58299.dll
+ 2009-08-18 19:36 . 2009-06-29 16:12 1159680 c:\windows\Temp\mta13187.dll
+ 2009-08-18 19:36 . 2009-06-29 16:12 1159680 c:\windows\Temp\mta107616.dll
+ 2009-08-18 19:36 . 2009-06-29 16:12 1159680 c:\windows\Temp\mpj80794.dll
+ 2009-08-18 19:31 . 2009-08-18 19:31 3952640 c:\windows\ERDNT\subs\Users\00000007\ntuser.dat
+ 2009-08-18 19:31 . 2009-08-18 19:31 4026368 c:\windows\ERDNT\subs\Users\00000005\NTUSER.DAT


Re: win32/crypto virus

Post by Swerdna on 18th August 2009, 7:53 pm

Part 2:

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-12 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-24 342848]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2006-08-04 25600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-21 148888]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-09 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-04 2000152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-04-07 1511424]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-04 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-8-18 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-9 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-3-22 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-04 21:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9323:TCP"= 9323:TCP:EKDiscovery
"9324:TCP"= 9324:TCP:EKDiscovery
"9325:TCP"= 9325:TCP:EKDiscovery
"9326:TCP"= 9326:TCP:EKDiscovery

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/08/2008 21:59 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/08/2008 21:59 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/08/2008 21:59 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/08/2008 21:59 297752]
R2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [16/08/2005 05:18 14336]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R2 sofatnet;sofatnet Service;c:\windows\system32\sofatnet.exe [10/08/2004 06:00 94720]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [06/04/2009 12:21 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [10/04/2009 15:21 27961]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [10/04/2009 15:21 20953]
S3 Ugrmtrmspdel;Ugrmtrmspdel;c:\windows\system32\drivers\cd20xrnt.sys [16/08/2005 22:28 7680]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - EVDOSERVER
*NewlyCreated* - SOFATNET
.
Contents of the 'Scheduled Tasks' folder

2009-08-14 c:\windows\Tasks\AiO Home Center Registration Remind Task.job
- c:\documents and settings\All Users\Application Data\Kodak\Installer\Registration.exe [2009-07-17 16:24]

2009-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-08-05 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]

2009-08-16 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = ;*.local
FF - ProfilePath - c:\documents and settings\Graham\Application Data\Mozilla\Firefox\Profiles\zjxqfrxg.default\
FF - prefs.js: browser.search.selectedEngine - Google


Re: win32/crypto virus

Post by Swerdna on 18th August 2009, 7:55 pm

Part 3:


---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-18 20:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...


c:\windows\system32\FInstall.sys 8 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1696)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\searchindexer.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\dlcccoms.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\searchprotocolhost.exe
c:\qoobox\Quarantine\C\WINDOWS\system32\wiwow64.exe.vir
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\searchfilterhost.exe
c:\windows\system32\wiawow32.sys
.
**************************************************************************
.
Completion time: 2009-08-18 20:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 19:42
ComboFix2.txt 2009-08-12 20:06

Pre-Run: 41,478,348,800 bytes free
Post-Run: 41,599,959,040 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

416 --- E O F --- 2009-08-12 15:39


Re: win32/crypto virus

Post by Belahzur on 18th August 2009, 8:44 pm

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    grpconv.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: win32/crypto virus

Post by Swerdna on 19th August 2009, 7:50 pm

Belahzur

Log file from SystemLook

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 20:47 on 19/08/2009 by Graham (Administrator - Elevation successful)


========== filefind ==========

Searching for "grpconv.exe"
C:\i386\grpconv.exe --a--- 39424 bytes [09:52 09/08/2008] [00:12 14/04/2008] 6DD28A6D99CF7B14B2D1786D143624E0
C:\WINDOWS\$NtServicePackUninstall$\grpconv.exe -----c 39424 bytes [23:34 08/08/2008] [05:00 10/08/2004] 9EE8C35B3391F30A7D088F5C43435AFB
C:\WINDOWS\ServicePackFiles\i386\grpconv.exe ------ 39424 bytes [21:46 08/08/2008] [00:12 14/04/2008] 6DD28A6D99CF7B14B2D1786D143624E0

-=End Of File=-

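The SystemLook result above lists three copies of grpconv.exe with two different MD5 values: the i386 and ServicePackFiles copies share one hash and carry the 14/04/2008 timestamp that the ComboFix logs in this thread also show for SP3 system files, while the $NtServicePackUninstall$ copy has a different hash and the older 10/08/2004 stamp. The helper's next step picks the i386 copy as the restore source. The following is an added example, not part of this thread and not SystemLook's or ComboFix's own code: a small Python parser for the :filefind lines as they appear in that log, which groups the hits by MD5 and selects a restore source only when every copy carrying the installed service pack's file timestamp agrees on its hash. The line format is inferred from the three lines shown; the meaning of the two bracketed timestamps is an assumption (the second one is used here because it matches the build stamps in the ComboFix output), and the reference stamp "00:12 14/04/2008" is taken from the log rather than from any Windows documentation.

```python
import re
from collections import defaultdict

# Constructed sample: the three result lines copied from the SystemLook log above.
SYSTEMLOOK_OUTPUT = """\
========== filefind ==========

Searching for "grpconv.exe"
C:\\i386\\grpconv.exe --a--- 39424 bytes [09:52 09/08/2008] [00:12 14/04/2008] 6DD28A6D99CF7B14B2D1786D143624E0
C:\\WINDOWS\\$NtServicePackUninstall$\\grpconv.exe -----c 39424 bytes [23:34 08/08/2008] [05:00 10/08/2004] 9EE8C35B3391F30A7D088F5C43435AFB
C:\\WINDOWS\\ServicePackFiles\\i386\\grpconv.exe ------ 39424 bytes [21:46 08/08/2008] [00:12 14/04/2008] 6DD28A6D99CF7B14B2D1786D143624E0

-=End Of File=-
"""

# Line layout inferred from the log: path, six attribute flags, size, two bracketed
# timestamps, MD5. The non-greedy path group tolerates spaces in directory names.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<attrs>[-a-zA-Z]{6})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return one dict per file hit in a SystemLook :filefind section."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            hit["md5"] = hit["md5"].upper()
            hits.append(hit)
    return hits


def group_by_hash(hits):
    """Map each MD5 to the list of paths that carry it, so divergent copies stand out."""
    groups = defaultdict(list)
    for hit in hits:
        groups[hit["md5"]].append(hit["path"])
    return dict(groups)


def pick_restore_source(hits, reference_ts):
    """Pick a copy whose second timestamp matches the installed service pack's build stamp.

    Assumption: the second bracketed timestamp is the file's build stamp. Returns None
    unless every copy with that stamp agrees on MD5, so a lone mismatching copy is
    never chosen silently.
    """
    candidates = [h for h in hits if h["ts2"] == reference_ts]
    hashes = {h["md5"] for h in candidates}
    if len(hashes) != 1:
        return None
    return candidates[0]["path"]


if __name__ == "__main__":
    found = parse_filefind(SYSTEMLOOK_OUTPUT)
    for md5, paths in group_by_hash(found).items():
        print(md5, "->", ", ".join(paths))
    # Reference stamp taken from the SP3 entries in the logs above (an assumption).
    print("restore source:", pick_restore_source(found, "00:12 14/04/2008"))
```

Run as-is it reports two hash groups and selects C:\i386\grpconv.exe, which is the copy the FCopy step in the next post uses; feeding it a stamp that no copy carries returns None rather than guessing.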

Re: win32/crypto virus

Post by Belahzur on 19th August 2009, 8:45 pm

Now open a new notepad file.
Input this into the notepad file:

FCopy::
C:\i386\grpconv.exe | c:\windows\system32\proquota.exe

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: win32/crypto virus

Post by Swerdna on 20th August 2009, 8:23 pm

Belahzur

Log file from Combofix: part 1

ComboFix 09-08-19.0C - Graham 20/08/2009 21:08.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.465 [GMT 1:00]
Running from: c:\documents and settings\Graham\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Graham\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Graham\Desktop\PC_Antispyware2010.lnk
c:\documents and settings\Graham\Start Menu\Programs\PC_Antispyware2010
c:\documents and settings\Graham\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk
c:\documents and settings\Graham\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk
c:\program files\PC_Antispyware2010
c:\program files\PC_Antispyware2010\AVEngn.dll
c:\program files\PC_Antispyware2010\data\daily.cvd
c:\program files\PC_Antispyware2010\htmlayout.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcm80.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcp80.dll
c:\program files\PC_Antispyware2010\Microsoft.VC80.CRT\msvcr80.dll
c:\program files\PC_Antispyware2010\PC_Antispyware2010.cfg
c:\program files\PC_Antispyware2010\pthreadVC2.dll
c:\program files\PC_Antispyware2010\wscui.cpl
c:\windows\Install.txt
c:\windows\system32\FInstall.sys
c:\windows\system32\Install.txt
c:\windows\system32\wiawow32.sys
c:\windows\system32\wiwow64.exe

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\i386\grpconv.exe

.
--------------- FCopy ---------------

c:\i386\grpconv.exe --> c:\windows\system32\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-07-20 to 2009-08-20 )))))))))))))))))))))))))))))))
.

2009-08-20 20:13 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-08-20 20:13 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2009-08-20 19:59 . 2009-08-20 19:59 -------- d-----w- c:\documents and settings\James2
2009-08-18 19:30 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\proquota.exe
2009-08-18 19:30 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-08-14 13:58 . 2009-08-14 13:58 -------- d-----w- c:\documents and settings\Graham\Local Settings\Application Data\ABBYY
2009-08-12 15:31 . 2009-08-12 15:31 -------- d-----w- c:\documents and settings\Wilma\Application Data\DivX
2009-08-12 14:37 . 2009-08-12 15:38 -------- d-----w- c:\documents and settings\All Users\Application Data\12848124
2009-08-12 14:36 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 19:15 . 2009-08-10 19:15 -------- d-----w- c:\documents and settings\Graham\Application Data\Malwarebytes
2009-08-10 19:14 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 19:14 . 2009-08-10 19:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 19:14 . 2009-08-10 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 19:14 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 22:23 . 2009-08-08 22:23 -------- d-----w- c:\program files\Sun
2009-08-08 21:55 . 2009-08-08 22:27 -------- d-----w- c:\documents and settings\Graham\.SunDownloadManager
2009-08-08 21:19 . 2009-08-08 21:19 -------- d-----w- c:\program files\Trend Micro
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 19:41 . 2009-08-04 19:41 -------- d-----w- c:\documents and settings\Graham\Application Data\AVG8
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\program files\MSBuild
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\program files\Reference Assemblies
2009-08-02 08:15 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-02 08:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-02 08:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-02 08:15 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-02 08:15 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-02 08:15 . 2009-08-02 08:15 -------- d-----w- C:\09c6fbee40c940fe6129
2009-08-02 08:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-02 08:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-07-29 17:42 . 2009-07-29 17:42 458 ----a-w- c:\documents and settings\James\joqxij.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-16 11:01 . 2008-11-01 19:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-15 00:43 . 2008-09-25 13:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-08 22:22 . 2005-12-09 09:26 -------- d-----w- c:\program files\Java
2009-08-07 15:05 . 2008-08-09 10:13 -------- d-----w- c:\documents and settings\Graham\Application Data\AdobeUM
2009-08-07 03:36 . 2008-09-11 19:30 -------- d-----w- c:\program files\Dl_cats
2009-08-05 09:01 . 2005-08-16 04:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 21:34 . 2008-08-08 20:59 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-04 21:34 . 2008-08-08 20:59 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-04 21:34 . 2008-08-08 20:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-04 21:29 . 2008-08-08 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-03 00:49 . 2009-06-19 14:15 47232 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-23 20:37 . 2008-12-24 20:08 -------- d-----w- c:\documents and settings\Graham\Application Data\BitTorrent
2009-07-21 18:55 . 2009-07-21 18:55 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 18:54 . 2009-07-21 18:54 152576 ----a-w- c:\documents and settings\Graham\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-17 19:01 . 2005-08-16 04:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 16:58 . 2008-09-07 21:55 -------- d-----w- c:\program files\Bonjour
2009-07-17 16:46 . 2008-10-18 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-07-17 14:53 . 2009-07-17 14:50 -------- d-----w- c:\documents and settings\Graham\Application Data\Temp
2009-07-17 14:52 . 2008-10-18 15:56 -------- d-----w- c:\program files\Kodak
2009-07-13 22:43 . 2005-08-16 04:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 07:08 . 2009-06-27 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-10 17:49 . 2008-08-08 23:24 -------- d-----w- c:\program files\CCleaner
2009-07-06 21:17 . 2008-09-09 21:53 -------- d-----w- c:\program files\LimeWire
2009-07-06 19:29 . 2008-09-09 21:57 -------- d-----w- c:\documents and settings\James\Application Data\LimeWire
2009-06-29 16:12 . 2005-08-16 04:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-08-16 04:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2005-08-16 04:18 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2005-08-16 04:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 04:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 15:07 . 2009-06-27 12:00 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 12:31 . 2005-08-16 04:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 04:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2005-08-16 04:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2005-08-16 04:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2005-08-16 04:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-16 04:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 17:27 . 2008-11-06 22:39 47232 ----a-w- c:\documents and settings\Wilma\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-24 23:24 . 2008-05-26 21:18 350208 ------w- c:\windows\system32\mssph.dll
2008-09-03 14:36 . 2008-09-03 14:36 251 ----a-w- c:\program files\wt3d.ini
2005-07-16 05:41 . 2005-12-09 09:38 41573 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2005-07-16 05:41 . 2005-12-09 09:38 48223 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2005-07-16 05:41 . 2005-12-09 09:38 160871 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-19 21:56 . 2009-08-19 21:56 16384 c:\windows\Temp\Perflib_Perfdata_7c8.dat
+ 2009-08-19 21:53 . 2009-08-19 21:53 16384 c:\windows\Temp\Perflib_Perfdata_550.dat
+ 2004-08-10 05:00 . 2004-08-10 05:00 44032 c:\windows\system32\EvdoServer.dll
+ 2008-08-24 10:59 . 2009-08-17 04:37 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe

Swerdna
Novice

Posts : 39
Joined : 2009-08-08
OS : XP
Points : 27083
# Likes : 0


Re: win32/crypto virus

Post by Swerdna on 20th August 2009, 8:24 pm

Part 2:

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-12 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-24 342848]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2006-08-04 25600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-21 148888]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-09 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-04 2000152]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-04-07 1511424]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-04 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-8-18 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-9 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-3-22 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-04 21:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9323:TCP"= 9323:TCP:EKDiscovery
"9324:TCP"= 9324:TCP:EKDiscovery
"9325:TCP"= 9325:TCP:EKDiscovery
"9326:TCP"= 9326:TCP:EKDiscovery

R?2 EvdoServer;EvdoServer;c:\windows\system32\svchost.exe -k netsvcs [16/08/2005 05:18 14336]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/08/2008 21:59 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/08/2008 21:59 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/08/2008 21:59 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/08/2008 21:59 297752]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [06/04/2009 12:21 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [10/04/2009 15:21 27961]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [10/04/2009 15:21 20953]
S3 Ugrmtrmspdel;Ugrmtrmspdel;c:\windows\system32\drivers\cd20xrnt.sys [16/08/2005 22:28 7680]
.
Contents of the 'Scheduled Tasks' folder

2009-08-14 c:\windows\Tasks\AiO Home Center Registration Remind Task.job
- c:\documents and settings\All Users\Application Data\Kodak\Installer\Registration.exe [2009-07-17 16:24]

2009-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-08-19 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]

2009-08-16 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
.


Re: win32/crypto virus

Post by Swerdna on 20th August 2009, 8:25 pm

Part 3:

.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = ;*.local
FF - ProfilePath - c:\documents and settings\Graham\Application Data\Mozilla\Firefox\Profiles\zjxqfrxg.default\
FF - prefs.js: browser.search.selectedEngine - Google

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-20 21:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\CLBCATQ.DLL
.
Completion time: 2009-08-20 21:16
ComboFix-quarantined-files.txt 2009-08-20 20:16
ComboFix2.txt 2009-08-18 19:42
ComboFix3.txt 2009-08-12 20:06

Pre-Run: 41,306,157,056 bytes free
Post-Run: 41,529,004,032 bytes free

325 --- E O F --- 2009-08-12 15:39


Re: win32/crypto virus

Post by Belahzur on 21st August 2009, 2:44 pm

Hello.
More malware came back. :l

Now open a new notepad file.
Input this into the notepad file:

Driver::
EvdoServer

File::
c:\documents and settings\James\joqxij.bat

Folder::
c:\documents and settings\All Users\Application Data\12848124

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
# Likes : 1


Re: win32/crypto virus

Post by Swerdna on 21st August 2009, 8:49 pm

Belahzur

Output from ComboFix:

ComboFix 09-08-20.07 - Graham 21/08/2009 21:29.4.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.523 [GMT 1:00]
Running from: c:\documents and settings\Graham\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Graham\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\documents and settings\James\joqxij.bat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\12848124
c:\documents and settings\All Users\Application Data\12848124\12848124
c:\documents and settings\James\joqxij.bat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EVDOSERVER
-------\Service_EvdoServer


((((((((((((((((((((((((( Files Created from 2009-07-21 to 2009-08-21 )))))))))))))))))))))))))))))))
.

2009-08-20 20:13 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-08-20 20:13 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2009-08-20 19:59 . 2009-08-20 19:59 -------- d-----w- c:\documents and settings\James2
2009-08-18 19:30 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\proquota.exe
2009-08-18 19:30 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-08-14 13:58 . 2009-08-14 13:58 -------- d-----w- c:\documents and settings\Graham\Local Settings\Application Data\ABBYY
2009-08-12 15:31 . 2009-08-12 15:31 -------- d-----w- c:\documents and settings\Wilma\Application Data\DivX
2009-08-12 14:36 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 19:15 . 2009-08-10 19:15 -------- d-----w- c:\documents and settings\Graham\Application Data\Malwarebytes
2009-08-10 19:14 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-10 19:14 . 2009-08-10 19:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-10 19:14 . 2009-08-10 19:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 19:14 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-08 22:23 . 2009-08-08 22:23 -------- d-----w- c:\program files\Sun
2009-08-08 21:55 . 2009-08-08 22:27 -------- d-----w- c:\documents and settings\Graham\.SunDownloadManager
2009-08-08 21:19 . 2009-08-08 21:19 -------- d-----w- c:\program files\Trend Micro
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 19:41 . 2009-08-04 19:41 -------- d-----w- c:\documents and settings\Graham\Application Data\AVG8
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\program files\MSBuild
2009-08-02 08:16 . 2009-08-02 08:16 -------- d-----w- c:\program files\Reference Assemblies
2009-08-02 08:15 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-02 08:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-02 08:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-02 08:15 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-02 08:15 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-02 08:15 . 2009-08-02 08:15 -------- d-----w- C:\09c6fbee40c940fe6129
2009-08-02 08:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-02 08:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 09:09 . 2008-09-03 14:36 47232 ----a-w- c:\documents and settings\James\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 11:01 . 2008-11-01 19:48 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-15 00:43 . 2008-09-25 13:18 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-08 22:22 . 2005-12-09 09:26 -------- d-----w- c:\program files\Java
2009-08-07 15:05 . 2008-08-09 10:13 -------- d-----w- c:\documents and settings\Graham\Application Data\AdobeUM
2009-08-07 03:36 . 2008-09-11 19:30 -------- d-----w- c:\program files\Dl_cats
2009-08-05 09:01 . 2005-08-16 04:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 21:34 . 2008-08-08 20:59 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-04 21:34 . 2008-08-08 20:59 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-04 21:34 . 2009-08-21 20:41 2061592 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-08-04 21:34 . 2009-08-21 20:38 1471768 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-08-04 21:34 . 2008-08-08 20:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-04 21:33 . 2009-08-21 20:41 3476760 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe
2009-08-04 21:33 . 2009-08-21 20:41 2000152 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtray.exe
2009-08-04 21:33 . 2009-08-21 20:41 1213720 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgfrw.exe
2009-08-04 21:33 . 2009-08-21 20:38 758040 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-08-04 21:33 . 2009-08-21 20:38 1126168 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-08-04 21:29 . 2008-08-08 20:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-03 00:49 . 2009-06-19 14:15 47232 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-23 20:37 . 2008-12-24 20:08 -------- d-----w- c:\documents and settings\Graham\Application Data\BitTorrent
2009-07-21 18:55 . 2009-07-21 18:55 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 18:54 . 2009-07-21 18:54 152576 ----a-w- c:\documents and settings\Graham\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-17 19:01 . 2005-08-16 04:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 16:58 . 2008-09-07 21:55 -------- d-----w- c:\program files\Bonjour
2009-07-17 16:46 . 2008-10-18 15:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2009-07-17 14:53 . 2009-07-17 14:50 -------- d-----w- c:\documents and settings\Graham\Application Data\Temp
2009-07-17 14:52 . 2008-10-18 15:56 -------- d-----w- c:\program files\Kodak
2009-07-13 22:43 . 2005-08-16 04:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-11 07:08 . 2009-06-27 11:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-10 17:49 . 2008-08-08 23:24 -------- d-----w- c:\program files\CCleaner
2009-07-06 21:17 . 2008-09-09 21:53 -------- d-----w- c:\program files\LimeWire
2009-07-06 19:29 . 2008-09-09 21:57 -------- d-----w- c:\documents and settings\James\Application Data\LimeWire
2009-06-29 16:12 . 2005-08-16 04:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-08-16 04:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2005-08-16 04:18 17408 ------w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2005-08-16 04:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 04:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 15:07 . 2009-06-27 12:00 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 12:31 . 2005-08-16 04:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 04:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2005-08-16 04:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2005-08-16 04:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2005-08-16 04:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-16 04:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 17:27 . 2008-11-06 22:39 47232 ----a-w- c:\documents and settings\Wilma\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-24 23:24 . 2008-05-26 21:18 350208 ------w- c:\windows\system32\mssph.dll
2008-09-03 14:36 . 2008-09-03 14:36 251 ----a-w- c:\program files\wt3d.ini
2005-07-16 05:41 . 2005-12-09 09:38 41573 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2005-07-16 05:41 . 2005-12-09 09:38 48223 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2005-07-16 05:41 . 2005-12-09 09:38 160871 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-21 20:37 . 2009-08-21 20:37 16384 c:\windows\Temp\Perflib_Perfdata_22c.dat
+ 2004-08-10 05:00 . 2004-08-10 05:00 44032 c:\windows\system32\EvdoServer.dll
+ 2008-08-24 10:59 . 2009-08-17 04:37 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 69120 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\xlicons.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 35328 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\wordicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 30208 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\pptico.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 11264 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\PEicons.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 28160 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\misc.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 73216 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\fpicon.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 22528 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\bindico.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 104960 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\outicon.exe
- 2008-08-24 10:59 . 2009-05-04 18:50 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe
+ 2008-08-24 10:59 . 2009-08-17 04:37 155136 c:\windows\Installer\{00000409-78E1-11D2-B60F-006097C998E7}\accicons.exe
.

Swerdna
Novice
Posts : 39
Joined : 2009-08-08
OS : XP
Points : 27083
Likes : 0


Re: win32/crypto virus

Post by Swerdna on 21st August 2009, 8:52 pm

Part 2 :

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-12 68856]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-24 342848]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2006-08-04 25600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-21 148888]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-09 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-21 2007832]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2009-04-07 1511424]
"P17Helper"="P17.dll" - c:\windows\system32\P17.dll [2004-06-10 60928]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2006-08-04 17920]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-8-18 113664]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-9 24576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-3-22 65588]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-04 21:34 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9323:TCP"= 9323:TCP:EKDiscovery
"9324:TCP"= 9324:TCP:EKDiscovery
"9325:TCP"= 9325:TCP:EKDiscovery
"9326:TCP"= 9326:TCP:EKDiscovery

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [08/08/2008 21:59 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [08/08/2008 21:59 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/08/2008 21:59 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/08/2008 21:59 297752]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
S3 PIXMCV;JVC Communication PIX-MCV Driver;c:\windows\system32\drivers\pixmcvc.sys [06/04/2009 12:21 32000]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;c:\windows\system32\drivers\pixmcva.sys [10/04/2009 15:21 27961]
S3 PIXMCVV;JVC PIX-MCV Video Capture;c:\windows\system32\drivers\pixmcvv.sys [10/04/2009 15:21 20953]
S3 Ugrmtrmspdel;Ugrmtrmspdel;c:\windows\system32\drivers\cd20xrnt.sys [16/08/2005 22:28 7680]
.
Contents of the 'Scheduled Tasks' folder

2009-08-14 c:\windows\Tasks\AiO Home Center Registration Remind Task.job
- c:\documents and settings\All Users\Application Data\Kodak\Installer\Registration.exe [2009-07-17 16:24]

2009-08-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-08-19 c:\windows\Tasks\Norton PC Checkup Weekday Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]

2009-08-16 c:\windows\Tasks\Norton PC Checkup Weekend Scanner.job
- c:\program files\Norton PC Checkup\PC_Checkup.exe [2009-01-29 22:10]
.
.


Re: win32/crypto virus

Post by Swerdna on 21st August 2009, 8:52 pm

Part 3 :


------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = ;*.local
FF - ProfilePath - c:\documents and settings\Graham\Application Data\Mozilla\Firefox\Profiles\zjxqfrxg.default\
FF - prefs.js: browser.search.selectedEngine - Google

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("backups.number_of_prefs_copies", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.link.open_newwindow.ui", 3); // prefs UI version
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromString", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.DOMParser,parseFromStream", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.disable_window_open_feature.status", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("advanced.always_load_images", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.protocol-handler.external.help", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.connect.timeout", 30); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.request.timeout", 120); // in seconds
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN_show_punycode", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.image.imageBehavior", 0); // 0-Accept, 1-dontAcceptForeign, 2-dontUse
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.cookieBehavior", 3); // 0-Accept, 1-dontAcceptForeign, 2-dontUse, 3-p3p
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.id", "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.version",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.extensions.version", "1.0");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.build_id",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.autoUpdateEnabled", true); // Whether or not background app updates
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.url", "chrome://mozapps/locale/update/update.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.updatesAvailable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.lastUpdateDate", 0); // UTC offset when last App update was
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("app.update.performed", false); // Whether or not an update has been
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdateEnabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.autoUpdate", false); // Automatically download and install
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.interval", 604800000); // Check for updates to Extensions and
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.lastUpdateDate", 0); // UTC offset when last Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.severity.threshold", 5);// The number of pending Extension/Theme
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.update.count", 0); // The number of extension/theme/etc
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.interval", 3600000); // Check each of the above intervals
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.showSlidingNotification", true); // Windows-only slide-up taskbar
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update.severity", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendor", "Firefox");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("general.useragent.vendorSub",
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.update.resetHomepage", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.startup.homepage_override.1", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.turbo.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://browser/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("update_notifications.provider.0.frequency", 7); // number of days
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.xul.error_pages.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("pfs.datasource.url", "chrome://mozapps/locale/plugins/plugins.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-21 21:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3940)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Creative Professional\Digital Audio System\E-MU PatchMix DSP\EmuPatchMixDSP.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\dlcccoms.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
.
**************************************************************************
.
Completion time: 2009-08-21 21:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-21 20:44
ComboFix2.txt 2009-08-20 20:16
ComboFix3.txt 2009-08-18 19:42
ComboFix4.txt 2009-08-12 20:06

Pre-Run: 42,717,425,664 bytes free
Post-Run: 46,997,958,656 bytes free

346 --- E O F --- 2009-08-12 15:39


Re: win32/crypto virus

Post by Origin on 22nd August 2009, 4:56 pm

I see that you are running BitTorrent.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If BitTorrent is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • BitTorrent



Run another scan with Malwarebytes and post the log back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]


Origin
Master
Posts : 2685
Joined : 2009-05-05
Gender : Male
OS : Windows Xp Sp3
Points : 31513
Likes : 0


Re: win32/crypto virus

Post by Swerdna on 22nd August 2009, 7:18 pm

Belahzur

I have uninstalled BitTorrent and re-run Malwarebytes, see log:

Malwarebytes' Anti-Malware 1.40
Database version: 2593
Windows 5.1.2600 Service Pack 3

22/08/2009 20:13:56
mbam-log-2009-08-22 (20-13-09).txt

Scan type: Quick Scan
Objects scanned: 125699
Time elapsed: 6 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{248dd890-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{248dd892-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{248dd893-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{248dd896-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{248dd897-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mEv (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> No action taken.
C:\WINDOWS\system32\sofatnet.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\dvdpaly.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\EvdoServer.dll (Trojan.Agent) -> No action taken.


Re: win32/crypto virus

Post by Origin on 22nd August 2009, 7:36 pm

Hello, you have an old database of Malwarebytes. Please update it and run another scan; also make sure you click on the "Remove Selected" button.




Re: win32/crypto virus

Post by Swerdna on 23rd August 2009, 6:48 am

Belahzur

Updated Malwarebytes and reran.

Malwarebytes' Anti-Malware 1.40
Database version: 2681
Windows 5.1.2600 Service Pack 3

23/08/2009 07:46:44
mbam-log-2009-08-23 (07-46-44).txt

Scan type: Quick Scan
Objects scanned: 129421
Time elapsed: 6 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{248dd890-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{248dd892-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{248dd893-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{248dd896-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{248dd897-bb45-11cf-9abc-0080c7e7b78d} (Worm.Nyxem) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Antispyware2010 (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mEv (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sofatnet.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dvdpaly.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EvdoServer.dll (Trojan.Agent) -> Quarantined and deleted successfully.


Re: win32/crypto virus

Post by Origin on 25th August 2009, 3:58 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?




Re: win32/crypto virus

Post by Swerdna on 25th August 2009, 9:16 pm

Belahzur.

The machine is fine now, I have just run AVG and no threats - that's fantastic. Many thanks.

