Win32/Cryptor


Solved Win32/Cryptor

Post by tcnewman on Tue Dec 23, 2008 5:58 pm

I have a Win XP machine using AVG Free 8.0.
It is reporting an infection on Win32/Cryptor in explorer.exe as well as some other files.
I found some instructions for removal at [You must be registered and logged in to see this link.]
They recommended running Malwarebytes Anti-Malware.
I tried to download it to the machine but it keeps giving me an access denied message.
It gives me the same message when I try and launch any executable already on the machine.
I have been afraid to reboot the machine causing even more issues.

Any help is greatly appreciated.


Solved Re: Win32/Cryptor

Post by Belahzur on Tue Dec 23, 2008 6:00 pm

Hello.
Please read here and post a Hijack This log.

[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: Win32/Cryptor

Post by tcnewman on Tue Dec 23, 2008 6:14 pm

The problem is I can't launch any executable.
I was able to download the zipped up version of HijackThis and unzip it but I can't run the executable.


Solved Re: Win32/Cryptor

Post by Belahzur on Tue Dec 23, 2008 6:17 pm

Hello.
Probably the malware.
But if you read the topic, you'd see the topic links to here:
[You must be registered and logged in to see this link.]

So please try one of our versions.



Solved Re: Win32/Cryptor

Post by tcnewman on Tue Dec 23, 2008 6:27 pm

I tried that.
Doesn't work.
If I try and download the exe I get the following message.
"Cannot copy HJack(GP)This[1]: Access denied."
If I try and have it run it and not download it, it never launches.


Solved Re: Win32/Cryptor

Post by Belahzur on Tue Dec 23, 2008 6:29 pm

Okay.
Let's use this. This isn't an .exe, so hopefully, no problems.

Please download SilentRunners from here:
[You must be registered and logged in to see this link.]
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.



Solved Re: Win32/Cryptor

Post by tcnewman on Tue Dec 23, 2008 6:36 pm

It's looking for WMI.
The service is running but I restarted it anyway to see if that would clear it up.
No luck.


Solved Re: Win32/Cryptor

Post by Belahzur on Tue Dec 23, 2008 6:37 pm

I don't understand your last post.
Does silentrunners not work?



Solved Re: Win32/Cryptor

Post by tcnewman on Tue Dec 23, 2008 6:40 pm

It does not.
The script relies on the WMI service to get information from the OS.
Something about the infection is blocking it even though the service is running.


Solved Re: Win32/Cryptor

Post by Belahzur on Tue Dec 23, 2008 6:47 pm

Ah, so you know a bit about VB.
Since we can't use tools, let's see if we can find anything manually.


  • Now open a new notepad file.
  • Input this into the notepad file:

    rem Export both Run keys (regedit /e writes the files into the current folder, the desktop here)
    regedit /e peek1.txt "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    rem Merge both exports into one report, remove the temporary files and open the report
    type peek1.txt >> look.txt
    type peek2.txt >> look.txt
    del peek*.txt
    start notepad look.txt

  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • Copy and paste the report back here.



Solved Re: Win32/Cryptor

Post by tcnewman on Tue Dec 23, 2008 7:24 pm

The look.txt is blank.
When I try and run the first command from the command line it says "Access is denied".


Solved Re: Win32/Cryptor

Post by tcnewman on Tue Dec 23, 2008 7:26 pm

If I find regedit.exe in c:\windows\ I think it's been changed.
The file does not have the normal icon.
It looks like an old dos or win 3.1 icon.


Solved Re: Win32/Cryptor

Post by Belahzur on Tue Dec 23, 2008 7:27 pm

I want to see if this will work, see if it's the tdss rootkit.


  • Now open a new notepad file.
  • Input this into the notepad file:

    @echo off
    rem List the drivers folder (where a rootkit driver would sit) into the report file
    dir "C:\Windows\system32\drivers" > look.txt
    start notepad look.txt

  • Save this as look.bat, save it to your desktop.
  • Double click look.bat to run it.
  • Copy and paste the report back here.


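The check this listing is requested for, written out as an added example that is not the thread's own code: a parser for the `dir` output look.bat writes, plus the timeline test (which .sys files are dated after the bulk of the drivers). The listing inside is constructed from a few lines of the kind the thread shows; unknown1.sys is a placeholder name.

```python
"""Added example (not from the thread): timeline triage of a `dir` listing of
C:\\Windows\\system32\\drivers, the check behind "is it the tdss rootkit".
The listing below is constructed; unknown1.sys is a placeholder name."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# One dir row: date, time, "<DIR>" or a size with thousands separators, then the name.
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")


@dataclass
class DirEntry:
    mtime: datetime
    size: int  # 0 for directories
    name: str
    is_dir: bool


def parse_dir_listing(text: str) -> list[DirEntry]:
    """Keep only the file/directory rows; the volume header and totals are skipped."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m or m.group(4) in (".", ".."):
            continue
        mtime = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %I:%M %p")
        is_dir = m.group(3) == "<DIR>"
        size = 0 if is_dir else int(m.group(3).replace(",", ""))
        entries.append(DirEntry(mtime, size, m.group(4), is_dir))
    return entries


def newer_than_baseline(entries: list[DirEntry], ext: str = ".sys") -> list[DirEntry]:
    """Files with `ext` dated after the most common date (the OS/service-pack batch),
    newest first. In the thread's listing that batch is 04/13/2008; a driver dropped
    days ago by malware is an outlier, though so is any vendor driver installed since."""
    files = [e for e in entries if not e.is_dir and e.name.lower().endswith(ext)]
    if not files:
        return []
    baseline = Counter(e.mtime.date() for e in files).most_common(1)[0][0]
    return sorted((e for e in files if e.mtime.date() > baseline),
                  key=lambda e: e.mtime, reverse=True)


# Constructed sample in the shape of the look.txt that look.bat writes.
SAMPLE_LISTING = """\
 Volume in drive C is Windows
 Volume Serial Number is 54EF-744D

 Directory of C:\\Windows\\system32\\drivers

12/13/2008  09:38 AM    <DIR>          .
12/13/2008  09:38 AM    <DIR>          ..
04/13/2008  01:46 PM            53,376 1394bus.sys
04/13/2008  01:36 PM           187,776 acpi.sys
04/13/2008  01:40 PM            96,512 atapi.sys
08/23/2001  07:00 AM             4,224 beep.sys
12/23/2008  02:29 AM    <DIR>          Avg
08/31/2008  08:54 AM            97,928 avgldx86.sys
12/22/2008  11:02 PM            29,184 unknown1.sys
               6 File(s)        469,000 bytes
               3 Dir(s)  18,296,848,384 bytes free
"""

if __name__ == "__main__":
    for e in newer_than_baseline(parse_dir_listing(SAMPLE_LISTING)):
        print(f"{e.mtime:%Y-%m-%d %H:%M}  {e.size:>9,}  {e.name}")
```

Every driver it lists still has to be identified by hand (vendor, signature, purpose); the date test only shortens the list to read.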

Solved Re: Win32/Cryptor

Post by tcnewman on Tue Dec 23, 2008 7:41 pm


List too big. Will continue in next post.



Solved Re: Win32/Cryptor

Post by Belahzur on Tue Dec 23, 2008 7:52 pm

Darn, it's not the tdss rootkit.

Download DDS and save it to your desktop from one of these locations.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

Disable any script blocker if your antivirus/antimalware has it.
Then double click dds.scr to run the tool.
When done, DDS.txt will open.
Click Yes at the next prompt for Optional Scan.

When done, DDS will open two (2) logs:
1. DDS.txt
2. Attach.txt



Solved Re: Win32/Cryptor

Post by tcnewman on Tue Dec 23, 2008 8:30 pm

Lots of access denied messages while running.


DDS (Version 1.1.0) - NTFSx86
Run by tnewman at 15:25:34.68 on Tue 12/23/2008

============== Running Processes ===============


============== Pseudo HJT Report ===============


============= SERVICES / DRIVERS ===============

RSPR?S?C?P?P?01234RSPR?S?C?P?P?01234

=============== Created Last 30 ================

2008-12-13 09:53 --dsh--- c:\documents and settings\all users\DRM

==================== Find3M ====================

2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2004-12-05 11:36 68 a------- C:\scheduledDefrag.bat
2003-10-07 22:33 140 a------- C:\morningWakeup.bat

============= FINISH: 15:26:29.57 ===============


Solved Re: Win32/Cryptor

Post by Belahzur on Tue Dec 23, 2008 8:42 pm

Darn it, the first log we got and it's useless.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Solved Re: Win32/Cryptor

Post by tcnewman on Tue Dec 23, 2008 9:23 pm

Thanks for your help on this.
I can't run executables on this machine except a few.
I've been able to run windows explorer and a cmd prompt.
Not much else.
I can't even copy them to this machine or download them.


Solved Re: Win32/Cryptor

Post by Belahzur on Tue Dec 23, 2008 9:33 pm

Hello.
Okay, if you can access the cmd prompt, we'll use that.

Open the cmd prompt and type in:
start regedt32
Press enter.
This will open regedit.

Follow these two keys paths:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Right click "Run" > Export.
Save it as myrun.reg, save it to your desktop.
Right click the file and change the file extension from .reg to .txt and post the contents.


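Both the look.bat export earlier in the thread and the regedit Export above produce the same .reg text; this added example (not the thread's own code) parses it and flags Run entries that launch from outside the Windows and Program Files trees. The trusted roots, the aliases and the sample export are assumptions constructed for the illustration.

```python
"""Added example (not from the thread): triage the Run-key export that look.bat or a
right-click Export of ...\\CurrentVersion\\Run produces. Roots and sample are assumed."""
import re
from dataclasses import dataclass

# Assumption: legitimate Run entries launch from these roots; anything else is flagged.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
ALIASES = {"%systemroot%\\": "c:\\windows\\", "%windir%\\": "c:\\windows\\",
           "c:\\progra~1\\": "c:\\program files\\"}  # XP-era spellings of those roots
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data

@dataclass
class RunEntry:
    key: str
    name: str
    command: str
    exe_path: str
    suspicious: bool

def logical_lines(text: str):
    # Re-join hex(...) data that regedit wraps across lines with a trailing backslash.
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""

def unescape(s: str) -> str:
    # Undo .reg escaping: a doubled backslash becomes one, backslash-quote becomes a quote.
    return re.sub(r'\\(["\\])', r"\1", s)

def decode_hex2(hexpart: str) -> str:
    # REG_EXPAND_SZ is exported as hex(2): comma-separated UTF-16LE bytes, NUL terminated.
    raw = bytes(int(b, 16) for b in hexpart.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")

def exe_path(command: str) -> str:
    # Program path of a Run command line, whether quoted or bare with arguments.
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.(?:exe|com|scr|bat|cmd|pif|vbs|dll))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ")[0]

def is_trusted_location(path: str) -> bool:
    p = path.lower()
    for alias, root in ALIASES.items():
        p = root + p[len(alias):] if p.startswith(alias) else p
    return p.startswith(TRUSTED_ROOTS)

def parse_run_export(text: str) -> list[RunEntry]:
    entries, key = [], None
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue  # file header, blank line or comment
        name = "(Default)" if m.group(1) is None else unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            command = unescape(data[1:-1])
        elif data.lower().startswith("hex(2):"):
            command = decode_hex2(data[7:])
        else:
            continue  # dword/binary data does not belong in a Run key; not handled here
        path = exe_path(command)
        entries.append(RunEntry(key, name, command, path, not is_trusted_location(path)))
    return entries

# Constructed sample in the shape of look.txt: two hives, one wrapped hex(2) value,
# one entry launching from a user temp folder (the kind of thing to look at first).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"svchost"="\"C:\\Documents and Settings\\tnewman\\Local Settings\\Temp\\svchost.exe\" -s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"
"LangBar"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,73,00,\
  79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,74,00,66,00,6d,00,\
  6f,00,6e,00,2e,00,65,00,78,00,65,00,00,00
'''
```

A file saved by regedit's Export is UTF-16LE with a byte-order mark, so read it with `open(path, encoding="utf-16")`; the look.txt that `type` assembles is ANSI and opens with `encoding="cp1252"`.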

Solved Re: Win32/Cryptor

Post by tcnewman on Tue Dec 23, 2008 9:37 pm

I get access denied when I run that.


Solved Re: Win32/Cryptor

Post by Belahzur on Tue Dec 23, 2008 9:56 pm

I don't know if there's much we can do if nothing will run.
I will sit and think about this, see if I can come up with anything.



Solved Re: Win32/Cryptor

Post by tcnewman on Tue Dec 23, 2008 10:32 pm

Thanks for taking the time on this.
I really appreciate it.


Solved Re: Win32/Cryptor

Post by Belahzur on Tue Dec 23, 2008 10:36 pm

Hello.
Let's try an online scanner.

Please use the Internet Explorer browser, and do an online scan with [You must be registered and logged in to see this link.]

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

    **Note**

    To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



Solved Re: Win32/Cryptor

Post by tcnewman on Fri Dec 26, 2008 5:42 pm

ActiveX is disabled and it won't let me enable it. I'm just going to wipe the machine.
Thanks for all the help.


Solved Re: Win32/Cryptor

Post by Doctor Inferno on Sun Feb 08, 2009 9:28 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.
