win32\cryptor

win32cryptor

Post by y2jmocho on 6th September 2009, 1:36 am

Hi, I have the win32\cryptor virus and I can't seem to get rid of it. I identified it using AVG but it doesn't get rid of it. I currently have SpywareBlaster and Spyware Doctor installed as well. I looked online and installed Malwarebytes, but even after changing the file name it runs for 5 seconds and then the program shuts off. I tried using the software in safe mode but it still has the same problem, either turning off or not loading at all.

Here's my AVG result:

"\\?\globalroot\systemroot\system32\UACegsppalete.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACegsppalete.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACxfjlnkvcnp.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACxfjlnkvcnp.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACxfjlnkvcnp.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\Program Files\Internet Explorer\iexplore.exe (1912)";"Virus found Win32/Cryptor";""
"C:\WINDOWS\explorer.exe (3708)";"Virus found Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (1208)";"Virus found Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (1264)";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\WINDOWS\system32\svchost.exe (1552)";"Virus found Win32/Cryptor";"Moved to Virus Vault"

Any help is well appreciated.


Re: win32\cryptor

Post by Doctor Inferno on 6th September 2009, 3:08 am

Hello,

Please read this: [You must be registered and logged in to see this link.]

And post your HijackThis log here.



Re: win32\cryptor

Post by y2jmocho on 6th September 2009, 5:05 pm

Hi, I was not able to download the latest Windows updates as the virus stopped me from visiting the website.

Also, I was able to download HijackThis, but once I pressed the 'do a system scan and save a profile' button the system scanned for a couple of seconds and then turned off. Now I can't load HijackThis. I think the virus is stopping me from using this program.

y2jmocho
Novice
Novice

Posts Posts : 11
Joined Joined : 2009-09-06
OS OS : xp
Points Points : 26505
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32\cryptor

Post by Belahzur on 6th September 2009, 6:26 pm

Hello.

  • Download ComboFix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename ComboFix to Combo-Fix as follows:

    3. It is important you rename ComboFix during the download, but not after.
    4. Please do not rename ComboFix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (anti-virus) before running ComboFix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Re: win32\cryptor

Post by y2jmocho on 6th September 2009, 8:44 pm

Hi Belahzur, thanks for deciding to help me. I have sent the log in 2 replies as the forum states the message is too big. Here's my ComboFix log:

ComboFix 09-09-06.02 - Kamal 06/09/2009 21:27.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1595 [GMT 1:00]
Running from: c:\documents and settings\Kamal\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.
ADS - WINDOWS: deleted 48 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kamal\Application Data\inst.exe
c:\documents and settings\Kamal\Application Data\IUpd721
c:\documents and settings\Kamal\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\LocalService\Application Data\twain_32
c:\documents and settings\LocalService\Application Data\twain_32\user.ds
c:\windows\igfxexl.exe
c:\windows\Installer\394ef.msi
c:\windows\Installer\7f26e.msi
c:\windows\system32\drivers\UACtueqxnsmbe.sys
c:\windows\system32\pac.txt
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\UACegsppalete.dll
c:\windows\system32\UACetdcfmletx.db
c:\windows\system32\UACfdbxtssfvw.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACxenxrpqfwb.dll
c:\windows\system32\UACxfjlnkvcnp.dll
c:\windows\system32\UACxmnyoaeuvr.dll
c:\windows\system32\uninstall.exe

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-08-06 to 2009-09-06 )))))))))))))))))))))))))))))))
.

2009-09-06 17:12 . 2009-09-06 17:12 -------- d-----w- c:\program files\tricker
2009-09-04 21:02 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-04 21:02 . 2009-04-03 09:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-04 21:02 . 2008-12-18 10:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-04 21:02 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-04 21:02 . 2009-09-04 21:03 -------- d-----w- c:\program files\Spyware Doctor
2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\Kamal\Application Data\PC Tools
2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-04 21:00 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\Kamal\Application Data\GetRightToGo
2009-09-04 17:32 . 2009-09-04 17:32 -------- d-----w- c:\documents and settings\Kamal\Application Data\Malwarebytes
2009-09-04 17:28 . 2009-09-04 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-04 17:08 . 2009-09-04 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-04 17:04 . 2009-09-04 17:04 -------- d-----w- c:\documents and settings\Kamal\Application Data\SUPERAntiSpyware.com
2009-08-31 19:47 . 2009-08-31 19:47 40156 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-31 19:46 . 2009-09-01 02:59 -------- d-----w- c:\program files\Safari
2009-08-27 13:44 . 2009-08-27 13:44 -------- d-----w- c:\documents and settings\Kamal\Local Settings\Application Data\Help
2009-08-26 10:44 . 2009-08-26 10:45 -------- d-----w- c:\program files\SpywareBlaster
2009-08-24 17:52 . 2009-08-24 17:52 -------- d-----w- C:\CloneDVDTemp
2009-08-24 17:46 . 2009-08-24 17:46 -------- d-----w- c:\program files\Elaborate Bytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-06 20:34 . 2008-10-02 21:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-06 20:22 . 2004-08-04 12:00 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-09-06 20:07 . 2009-09-06 20:07 4096 ----a-w- c:\windows\system32\02.tmp
2009-09-06 16:50 . 2008-10-02 22:00 -------- d-----w- c:\program files\Java
2009-09-06 16:46 . 2008-12-24 05:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-04 20:56 . 2008-10-04 18:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-04 20:56 . 2008-10-04 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-04 16:59 . 2009-09-04 16:59 4096 ----a-w- c:\windows\system32\01.tmp
2009-08-31 19:47 . 2008-10-02 21:09 -------- d-----w- c:\documents and settings\Kamal\Application Data\Apple Computer
2009-08-29 23:49 . 2008-10-02 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-25 03:40 . 2009-02-14 23:59 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-24 18:05 . 2009-02-14 23:56 -------- d-----w- c:\documents and settings\Kamal\Application Data\DVD Flick
2009-08-24 17:42 . 2009-02-15 00:08 -------- d-----w- c:\documents and settings\Kamal\Application Data\Vso
2009-08-24 17:42 . 2009-02-15 00:08 47360 ----a-w- c:\documents and settings\Kamal\Application Data\pcouffin.sys
2009-08-20 13:03 . 2008-10-02 02:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-20 13:03 . 2008-10-02 02:47 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-20 13:03 . 2008-10-02 02:14 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-04-14 00:11 . 2004-08-04 12:00 155858 --sha-r- c:\windows\system32\jmygdh.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-02 39408]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2008-10-02 3061248]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-20 2007832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-02 185872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 933888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-06 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-09-24 16859648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2009-1-23 36864]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2007-9-12 1527808]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-10-12 802816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 13:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18635:TCP"= 18635:TCP:BitComet 18635 TCP
"18635:UDP"= 18635:UDP:BitComet 18635 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"7937:TCP"= 7937:TCP:wxmzdzju

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [04/09/2009 22:02 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [02/10/2008 03:47 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [02/10/2008 03:47 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [02/10/2008 03:47 297752]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [23/04/2007 14:11 224896]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [02/10/2008 03:47 908056]
S2 tawdl;Time Update;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
S3 qycxkvvx;qycxkvvx;c:\windows\system32\01.tmp [04/09/2009 17:59 4096]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [04/09/2009 22:02 348752]
S3 wgpzwosp;wgpzwosp;c:\windows\system32\02.tmp [06/09/2009 21:07 4096]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tawdl
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKCU-Run-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\you.exe


Re: win32\cryptor

Post by y2jmocho on 6th September 2009, 8:44 pm

.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kamal\Application Data\Mozilla\Firefox\Profiles\ojloqkkv.default\
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPStreamPlug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-06 21:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\qycxkvvx]
"ImagePath"="\??\c:\windows\system32\01.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wgpzwosp]
"ImagePath"="\??\c:\windows\system32\02.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tawdl]
"ServiceDll"="c:\windows\system32\jmygdh.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-2025429265-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5b,9f,6a,5d,5d,f8,cc,e5,44,2d,d4,5c,a5,d1,ca,0f,9e,14,22,00,25,5d,d1,
9e,1d,48,9c,d8,ad,5c,61,0e,17,69,bf,de,9a,a6,a2,7a,3a,45,6d,45,d4,4f,76,58,\
"??"=hex:d5,f6,16,19,1a,6e,1b,03,b0,eb,27,9b,fc,0d,e8,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1904)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MagicTune Premium\MagicTuneEngine.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\MagicTune Premium\MagicTune.exe
.
**************************************************************************
.
Completion time: 2009-09-06 21:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-06 20:37

Pre-Run: 211,205,881,856 bytes free
Post-Run: 213,650,276,352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

257 --- E O F --- 2009-02-13 14:09


Re: win32\cryptor

Post by Origin on 6th September 2009, 10:30 pm

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\02.tmp
c:\windows\system32\01.tmp
c:\windows\system32\jmygdh.dll

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18635:TCP"=-
"18635:UDP"=-
"7937:TCP"=-

NetSvcs::
tawdl

Driver::
qycxkvvx
wgpzwosp

Firefox::
FF - ProfilePath - c:\documents and settings\Kamal\Application Data\Mozilla\Firefox\Profiles\ojloqkkv.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll


Save this as CFScript.txt; save it to your desktop also.
Then drag and drop CFScript.txt into ComboFix as seen below:

This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.


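Origin's CFScript above was derived by hand from the log y2jmocho posted. As an added example, not code from this thread or from ComboFix, here is a Python helper that applies the same reading to those log lines (a constructed sample assembled from the posts above) and drafts the File::, Registry::, NetSvcs:: and Driver:: sections. The "random-looking description" rule for firewall exceptions is a heuristic of this example; deciding about legitimate exceptions (the BitComet ports) or browser components (the Firefox:: entry) stays with the helper reading the log.

```python
import re

# Constructed sample: the relevant lines from the ComboFix log quoted earlier in
# this thread (service lines, firewall ports, the netsvcs list, the ServiceDll key).
SAMPLE_LOG = r"""
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [04/09/2009 22:02 130936]
S2 tawdl;Time Update;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
S3 qycxkvvx;qycxkvvx;c:\windows\system32\01.tmp [04/09/2009 17:59 4096]
S3 wgpzwosp;wgpzwosp;c:\windows\system32\02.tmp [06/09/2009 21:07 4096]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18635:TCP"= 18635:TCP:BitComet 18635 TCP
"18635:UDP"= 18635:UDP:BitComet 18635 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"7937:TCP"= 7937:TCP:wxmzdzju

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tawdl
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tawdl]
"ServiceDll"="c:\windows\system32\jmygdh.dll"
"""

# "R0 name;display;path [date size]" lines from the Drivers/Services section.
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+?)\s+\[", re.M)
# GloballyOpenPorts values: "port:proto"= port:proto:description
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=\s*\d+:(?:TCP|UDP):(.*)$', re.M)
# ServiceDll values ComboFix prints for the netsvcs entries it did not filter out.
SERVICEDLL_RE = re.compile(r'Services\\([^\]\\]+)\]\s*"ServiceDll"="([^"]+)"', re.I)
# Heuristic of this example: a description that is one lowercase 6-12 letter token
# (like "wxmzdzju") rather than a product name such as "BitComet 18635 TCP".
RANDOM_DESC_RE = re.compile(r"[a-z]{6,12}")

GLOBAL_PORTS_KEY = (r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                    r"\standardprofile\GloballyOpenPorts\List]")


def parse_services(log):
    """Return [(name, image_path)] for every R*/S* service line."""
    return [(m.group(1), m.group(2)) for m in SERVICE_RE.finditer(log)]


def netsvcs_listed(log):
    """Names printed under 'Svchost - NetSvcs' (ComboFix hides the default ones)."""
    m = re.search(r"Svchost - NetSvcs\n(.*?)(?:\n\.\s*\n|\n\n|\Z)", log, re.S)
    return [l.strip() for l in m.group(1).splitlines() if l.strip()] if m else []


def triage(log):
    """Map the log's indicators onto the CFScript sections used in this thread."""
    services = parse_services(log)
    dlls = {svc.lower(): dll for svc, dll in SERVICEDLL_RE.findall(log)}

    # 1. A service or driver whose binary is a *.tmp file in system32: legitimate
    #    software does not install that way, and the names are random as well.
    drivers = [name for name, path in services
               if re.search(r"\\system32\\[^\\]+\.tmp$", path, re.I)]
    files = [path for name, path in services if name in drivers]

    # 2. A netsvcs entry ComboFix left visible: its ServiceDll is the payload that
    #    svchost.exe loads (here tawdl -> jmygdh.dll), so both go in the script.
    netsvc_dlls = {name: dlls[name.lower()]
                   for name in netsvcs_listed(log) if name.lower() in dlls}
    files += list(netsvc_dlls.values())

    # 3. Firewall exceptions whose description is a bare random word.
    ports = [key for key, desc in PORT_RE.findall(log)
             if RANDOM_DESC_RE.fullmatch(desc.strip())]
    return {"drivers": drivers, "files": files, "netsvcs": netsvc_dlls, "ports": ports}


def render_cfscript(findings):
    """Draft the CFScript text; the helper reviews it before handing it to the user."""
    out = ["File::", *findings["files"], ""]
    if findings["ports"]:
        out += ["Registry::", GLOBAL_PORTS_KEY,
                *(f'"{key}"=-' for key in findings["ports"]), ""]
    if findings["netsvcs"]:
        out += ["NetSvcs::", *findings["netsvcs"], ""]
    if findings["drivers"]:
        out += ["Driver::", *findings["drivers"], ""]
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    print(render_cfscript(triage(SAMPLE_LOG)))
```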

Re: win32\cryptor

Post by y2jmocho on 7th September 2009, 1:23 am

ComboFix 09-09-06.02 - Kamal 07/09/2009 2:11.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1532 [GMT 1:00]
Running from: c:\documents and settings\Kamal\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Kamal\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\01.tmp"
"c:\windows\system32\02.tmp"
"c:\windows\system32\jmygdh.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
c:\windows\system32\01.tmp
c:\windows\system32\02.tmp
c:\windows\system32\jmygdh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_qycxkvvx
-------\Service_wgpzwosp
-------\Legacy_tawdl
-------\Service_tawdl


((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-06 17:12 . 2009-09-06 17:12 -------- d-----w- c:\program files\tricker
2009-09-04 21:02 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-04 21:02 . 2009-04-03 09:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-04 21:02 . 2008-12-18 10:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-04 21:02 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-04 21:02 . 2009-09-04 21:03 -------- d-----w- c:\program files\Spyware Doctor
2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\Kamal\Application Data\PC Tools
2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-04 21:00 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\Kamal\Application Data\GetRightToGo
2009-09-04 17:32 . 2009-09-04 17:32 -------- d-----w- c:\documents and settings\Kamal\Application Data\Malwarebytes
2009-09-04 17:28 . 2009-09-04 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-04 17:08 . 2009-09-04 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-04 17:04 . 2009-09-04 17:04 -------- d-----w- c:\documents and settings\Kamal\Application Data\SUPERAntiSpyware.com
2009-08-31 19:47 . 2009-08-31 19:47 40156 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-31 19:46 . 2009-09-01 02:59 -------- d-----w- c:\program files\Safari
2009-08-27 13:44 . 2009-08-27 13:44 -------- d-----w- c:\documents and settings\Kamal\Local Settings\Application Data\Help
2009-08-26 10:44 . 2009-08-26 10:45 -------- d-----w- c:\program files\SpywareBlaster
2009-08-24 17:52 . 2009-08-24 17:52 -------- d-----w- C:\CloneDVDTemp
2009-08-24 17:46 . 2009-08-24 17:46 -------- d-----w- c:\program files\Elaborate Bytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 01:17 . 2008-10-02 21:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-06 20:22 . 2004-08-04 12:00 56320 ------w- c:\windows\system32\eventlog.dll
2009-09-06 16:50 . 2008-10-02 22:00 -------- d-----w- c:\program files\Java
2009-09-06 16:46 . 2008-12-24 05:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-04 20:56 . 2008-10-04 18:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-04 20:56 . 2008-10-04 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-31 19:47 . 2008-10-02 21:09 -------- d-----w- c:\documents and settings\Kamal\Application Data\Apple Computer
2009-08-29 23:49 . 2008-10-02 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-25 03:40 . 2009-02-14 23:59 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-24 18:05 . 2009-02-14 23:56 -------- d-----w- c:\documents and settings\Kamal\Application Data\DVD Flick
2009-08-24 17:42 . 2009-02-15 00:08 -------- d-----w- c:\documents and settings\Kamal\Application Data\Vso
2009-08-24 17:42 . 2009-02-15 00:08 47360 ----a-w- c:\documents and settings\Kamal\Application Data\pcouffin.sys
2009-08-20 13:03 . 2008-10-02 02:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-20 13:03 . 2008-10-02 02:47 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-20 13:03 . 2008-10-02 02:14 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-07 01:17 . 2009-09-07 01:17 16384 c:\windows\temp\Perflib_Perfdata_258.dat
+ 2004-08-04 12:00 . 2009-09-07 01:08 41068 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-09-06 20:31 41068 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-09-07 01:08 315124 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-09-06 20:31 315124 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-02 39408]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2008-10-02 3061248]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-20 2007832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-02 185872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 933888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-06 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-09-24 16859648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2009-1-23 36864]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2007-9-12 1527808]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-10-12 802816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 13:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [04/09/2009 22:02 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [02/10/2008 03:47 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [02/10/2008 03:47 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [02/10/2008 03:47 297752]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [23/04/2007 14:11 224896]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [02/10/2008 03:47 908056]
S2 tawdl;Time Update;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [04/09/2009 22:02 348752]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tawdl

Re: win32\cryptor

Post by y2jmocho on 7th September 2009, 1:23 am

------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kamal\Application Data\Mozilla\Firefox\Profiles\ojloqkkv.default\
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPStreamPlug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-07 02:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tawdl]
"ServiceDll"="c:\windows\system32\jmygdh.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-2025429265-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5b,9f,6a,5d,5d,f8,cc,e5,44,2d,d4,5c,a5,d1,ca,0f,9e,14,22,00,25,5d,d1,
9e,1d,48,9c,d8,ad,5c,61,0e,17,69,bf,de,9a,a6,a2,7a,3a,45,6d,45,d4,4f,76,58,\
"??"=hex:d5,f6,16,19,1a,6e,1b,03,b0,eb,27,9b,fc,0d,e8,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3420)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MagicTune Premium\MagicTuneEngine.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\MagicTune Premium\MagicTune.exe
.
**************************************************************************
.
Completion time: 2009-09-07 2:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-07 01:20
ComboFix2.txt 2009-09-06 20:37

Pre-Run: 213,607,501,824 bytes free
Post-Run: 213,570,772,992 bytes free

229 --- E O F --- 2009-02-13 14:09

Re: win32\cryptor

Post by Belahzur on 7th September 2009, 8:50 pm

Hello.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
tawdl

File::
c:\windows\system32\jmygdh.dll

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\qycxkvvx]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\wgpzwosp]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tawdl]

NetSvc::
tawdl

DirLook::
c:\program files\tricker

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245079
# Likes : 1
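The log above shows the pattern that makes this infection easy to miss: a service called "tawdl" ("Time Update") whose image is the stock svchost.exe, hosted in the netsvcs group, with the real code in a random-named ServiceDll (c:\windows\system32\jmygdh.dll); the CFScript then removes the driver, the file, the service key and the netsvcs entry. The script below is an added example written for this thread, not ComboFix code and not something posted by either participant. It parses the service lines, the non-default "Svchost - NetSvcs" block and the ServiceDll lines in ComboFix's own format, flags svchost-hosted services that either sit in netsvcs as a non-default member or load a DLL outside a known set, and renders the matching removal stanzas in the CFScript syntax used above. The KNOWN_SERVICE_DLLS list is an assumption (a short subset of XP's stock service DLLs); the sample log is constructed from the lines in this thread plus a benign BITS entry for contrast.

```python
"""Triage ComboFix-style service listings for svchost-hosted malware.

Added example for this thread: not ComboFix code and not posted by the
thread's participants. Flags services that run inside svchost.exe but load
an unexpected ServiceDll, and renders CFScript removal stanzas for them.
"""
import ntpath
import re
from collections import defaultdict

# Assumption: a small subset of stock Windows XP service DLLs that legitimately
# run inside svchost.exe. Real triage checks the file's signature or hash;
# a name list only catches the obvious cases like jmygdh.dll.
KNOWN_SERVICE_DLLS = {
    "qmgr.dll", "wuauserv.dll", "browser.dll", "srvsvc.dll", "wkssvc.dll",
    "w32time.dll", "schedsvc.dll", "shsvcs.dll", "cryptsvc.dll", "dnsrslvr.dll",
    "seclogon.dll", "trkwks.dll", "wscsvc.dll", "netman.dll", "rasauto.dll",
}

# ComboFix line shapes seen in the thread's log.
SERVICE_LINE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[")
SERVICE_KEY = re.compile(
    r"^\[(?P<key>HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]]+))\]", re.I)
SERVICE_DLL = re.compile(r'^"ServiceDll"="(?P<dll>[^"]+)"', re.I)
SVCHOST = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\S+)", re.I)

# Constructed sample: the tawdl lines from the log above, plus one benign
# svchost-hosted service (BITS) and one stand-alone service for contrast.
SAMPLE_LOG = r"""
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [02/10/2008 03:47 297752]
S2 BITS;Background Intelligent Transfer Service;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]
S2 tawdl;Time Update;c:\windows\system32\svchost.exe -k netsvcs [04/08/2004 13:00 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
tawdl

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\BITS]
"ServiceDll"="c:\windows\system32\qmgr.dll"
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\tawdl]
"ServiceDll"="c:\windows\system32\jmygdh.dll"
"""


def parse_log(text):
    """Return (services, extra_netsvcs): per-service display/image/key/dll
    fields, and the names ComboFix lists as non-default netsvcs members."""
    services = defaultdict(dict)
    extra_netsvcs = set()
    current = None        # service whose registry key we are inside
    in_netsvcs = False    # inside the "Svchost - NetSvcs" block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current, in_netsvcs = None, False
            continue
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        if in_netsvcs:
            extra_netsvcs.add(line)
            continue
        m = SERVICE_LINE.match(line)
        if m:
            services[m["name"]].update(display=m["display"], image=m["image"])
            continue
        m = SERVICE_KEY.match(line)
        if m:
            current = m["name"]
            services[current]["key"] = m["key"]
            continue
        m = SERVICE_DLL.match(line)
        if m and current:
            services[current]["dll"] = m["dll"]
    return dict(services), extra_netsvcs


def find_suspicious(text):
    """Map service name -> reasons, for svchost-hosted services only."""
    services, extra_netsvcs = parse_log(text)
    findings = {}
    for name, rec in services.items():
        host = SVCHOST.search(rec.get("image", ""))
        if not host:
            continue  # stand-alone binary: different checks apply
        reasons = []
        if name in extra_netsvcs:
            reasons.append(f"non-default member of the {host['group']} svchost group")
        dll = rec.get("dll")
        if dll and ntpath.basename(dll).lower() not in KNOWN_SERVICE_DLLS:
            reasons.append(f"ServiceDll {dll} is not a known Windows service DLL")
        if reasons:
            findings[name] = reasons
    return findings


def build_cfscript(text):
    """Render removal stanzas in the CFScript syntax used in the thread."""
    services, extra_netsvcs = parse_log(text)
    names = sorted(find_suspicious(text))
    if not names:
        return ""
    out = ["KILLALL::", "", "Driver::", *names, "", "File::"]
    out += [services[n]["dll"] for n in names if "dll" in services[n]]
    out += ["", "Registry::"]
    out += [f"[-{services[n]['key']}]" for n in names if "key" in services[n]]
    out += ["", "NetSvc::", *[n for n in names if n in extra_netsvcs]]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_LOG).items():
        print(name, "->", "; ".join(reasons))
    print(build_cfscript(SAMPLE_LOG))
```

Run against the constructed sample it reports only tawdl (both reasons) and emits the same Driver::/File::/Registry::/NetSvc:: stanzas as the script Belahzur posted, with the ControlSet taken from the log rather than hard-coded. BITS passes because qmgr.dll is in the known set, which is exactly the weakness of a name list: on a real box, replace that check with a signature or hash check on the DLL.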

Re: win32\cryptor

Post by y2jmocho on 7th September 2009, 9:53 pm

ComboFix 09-09-06.02 - Kamal 07/09/2009 22:42.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1526 [GMT 1:00]
Running from: c:\documents and settings\Kamal\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Kamal\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\windows\system32\jmygdh.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TAWDL
-------\Service_tawdl


((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-09-06 17:12 . 2009-09-06 17:12 -------- d-----w- c:\program files\tricker
2009-09-04 21:02 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-09-04 21:02 . 2009-04-03 09:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-09-04 21:02 . 2008-12-18 10:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\program files\Common Files\PC Tools
2009-09-04 21:02 . 2008-12-10 10:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-09-04 21:02 . 2009-09-04 21:03 -------- d-----w- c:\program files\Spyware Doctor
2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\Kamal\Application Data\PC Tools
2009-09-04 21:02 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-09-04 21:00 . 2009-09-04 21:02 -------- d-----w- c:\documents and settings\Kamal\Application Data\GetRightToGo
2009-09-04 17:32 . 2009-09-04 17:32 -------- d-----w- c:\documents and settings\Kamal\Application Data\Malwarebytes
2009-09-04 17:28 . 2009-09-04 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-04 17:08 . 2009-09-04 17:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-04 17:04 . 2009-09-04 17:04 -------- d-----w- c:\documents and settings\Kamal\Application Data\SUPERAntiSpyware.com
2009-08-31 19:47 . 2009-08-31 19:47 40156 ---ha-w- c:\windows\system32\mlfcache.dat
2009-08-31 19:46 . 2009-09-01 02:59 -------- d-----w- c:\program files\Safari
2009-08-27 13:44 . 2009-08-27 13:44 -------- d-----w- c:\documents and settings\Kamal\Local Settings\Application Data\Help
2009-08-26 10:44 . 2009-08-26 10:45 -------- d-----w- c:\program files\SpywareBlaster
2009-08-24 17:52 . 2009-08-24 17:52 -------- d-----w- C:\CloneDVDTemp
2009-08-24 17:46 . 2009-08-24 17:46 -------- d-----w- c:\program files\Elaborate Bytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 21:48 . 2008-10-02 21:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-06 20:22 . 2004-08-04 12:00 56320 ------w- c:\windows\system32\eventlog.dll
2009-09-06 16:50 . 2008-10-02 22:00 -------- d-----w- c:\program files\Java
2009-09-06 16:46 . 2008-12-24 05:52 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-04 20:56 . 2008-10-04 18:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-04 20:56 . 2008-10-04 18:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-31 19:47 . 2008-10-02 21:09 -------- d-----w- c:\documents and settings\Kamal\Application Data\Apple Computer
2009-08-29 23:49 . 2008-10-02 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-25 03:40 . 2009-02-14 23:59 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-24 18:05 . 2009-02-14 23:56 -------- d-----w- c:\documents and settings\Kamal\Application Data\DVD Flick
2009-08-24 17:42 . 2009-02-15 00:08 -------- d-----w- c:\documents and settings\Kamal\Application Data\Vso
2009-08-24 17:42 . 2009-02-15 00:08 47360 ----a-w- c:\documents and settings\Kamal\Application Data\pcouffin.sys
2009-08-20 13:03 . 2008-10-02 02:47 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-20 13:03 . 2008-10-02 02:47 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-20 13:03 . 2008-10-02 02:14 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-04-15 20:24 . 2009-04-15 20:24 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-04-15 20:24 . 2009-04-15 20:24 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\tricker ----

2009-09-06 17:12 . 2009-09-06 17:12 396288 ----a-w- c:\program files\tricker\tricker.exe


((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-07 21:48 . 2009-09-07 21:48 16384 c:\windows\temp\Perflib_Perfdata_230.dat
+ 2004-08-04 12:00 . 2009-09-07 16:58 41068 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-09-06 20:31 41068 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-09-07 16:58 315124 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-09-06 20:31 315124 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-02 39408]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2008-10-02 3061248]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-20 2007832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-02 185872]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"SetDefPrt"="c:\program files\Brother\Brmfl05a\BrStDvPt.exe" [2005-01-26 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-05-17 933888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-06 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2008-09-24 16859648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GammaTray.lnk - c:\program files\MagicTune Premium\GammaTray.exe [2009-1-23 36864]
NETGEAR WG111v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG111v3\WG111v3.exe [2007-9-12 1527808]
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2008-10-12 802816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-20 13:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MagicTune Premium\\MagicTune.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [04/09/2009 22:02 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [02/10/2008 03:47 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [02/10/2008 03:47 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [02/10/2008 03:47 297752]
R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [23/04/2007 14:11 224896]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [02/10/2008 03:47 908056]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [04/09/2009 22:02 348752]

Re: win32\cryptor

Post by y2jmocho on 7th September 2009, 9:54 pm

------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kamal\Application Data\Mozilla\Firefox\Profiles\ojloqkkv.default\
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPStreamPlug.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-07 22:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1757981266-2025429265-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:5b,9f,6a,5d,5d,f8,cc,e5,44,2d,d4,5c,a5,d1,ca,0f,9e,14,22,00,25,5d,d1,
9e,1d,48,9c,d8,ad,5c,61,0e,17,69,bf,de,9a,a6,a2,7a,3a,45,6d,45,d4,4f,76,58,\
"??"=hex:d5,f6,16,19,1a,6e,1b,03,b0,eb,27,9b,fc,0d,e8,22
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3968)
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\brss01a.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\MagicTune Premium\MagicTuneEngine.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\MagicTune Premium\MagicTune.exe
.
**************************************************************************
.
Completion time: 2009-09-07 22:52 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-07 21:52
ComboFix2.txt 2009-09-07 01:20
ComboFix3.txt 2009-09-06 20:37

Pre-Run: 212,922,572,800 bytes free
Post-Run: 213,448,409,088 bytes free

221 --- E O F --- 2009-02-13 14:09

Re: win32\cryptor

Post by Belahzur on 7th September 2009, 11:15 pm

Submit a file for analysis.

  1. Please visit this website: [You must be registered and logged in to see this link.]
  2. Press the "Browse" button and locate the following file in bold:
    c:\program files\tricker\tricker.exe
  3. Press the "Submit File" button to submit the file for analysis.
  4. Allow it to be scanned, it could take a few minutes depending on server load.
  5. Copy and paste the result back here.

Re: win32\cryptor

Post by y2jmocho on 7th September 2009, 11:55 pm

Hi Belahzur, I submitted the file tricker.exe, but using both Internet Explorer and Firefox the website states the file is empty, although checking the C drive in My Computer states it is 387kb.

What I can say is that when I tried downloading HijackThis the virus stopped me from running the program, so what I tried to do was rename the folder and file, and I remember renaming them to trick and tricker, although this didn't work. Maybe I should just delete the file and folder?

Currently the PC is working much faster and is back to how it used to be in terms of speed; the Cryptor virus symptoms are no longer there.

What else can I do to make sure this problem is gone?

Re: win32\cryptor

Post by Belahzur on 8th September 2009, 1:24 am

Ah, so tricker.exe was HijackThis renamed? It's okay then; it just looked a little suspicious to me.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?

Re: win32\cryptor

Post by y2jmocho on 9th September 2009, 12:08 am

Hi, thank you Dr. Inferno, Belahzur and Origin for all the help; my PC is running well now with no problems. I donated a small amount just to say thank you.

Just to let you know, I installed Malwarebytes and found a malware which was on my desktop called winlogon (screensaver file). Got rid of this now.

Quick question: is it OK to use both Spyware Doctor and Spybot, or should I just choose one only? And what would you recommend as a free defragment tool other than the XP version?

You can close this thread now as the problem is sorted. Thank you.

Re: win32\cryptor

Post by Belahzur on 9th September 2009, 12:17 am

Hello.

Just to let you know, I installed Malwarebytes and found a malware which was on my desktop called winlogon (screensaver file). Got rid of this now.

It's okay; we just use "winlogon" as it's a Windows file name and some malware won't block it, so we can take a stab at killing the malware like that. MBAM is just aggressive against Windows file names on the Desktop.


Quick question: is it OK to use both Spyware Doctor and Spybot, or should I just choose one only? And what would you recommend as a free defragment tool other than the XP version?

Spybot/Spyware Doctor should be fine, as for defragging though:
[You must be registered and logged in to see this link.]

That should do it.
