crypt


Solved Re: crypt

Post by reedinthewind on Thu 22 Jan - 6:54

Sorry, forgot to post the HijackThis log. Have already updated Java, Adobe Reader and Microsoft updates.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:47:45 PM, on 1/21/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner.YOUR-588B4A13EA\Local Settings\Temporary Internet Files\Content.IE5\HCORXL0L\hijackgpthis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Easy-WebPrint Add To Print List - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - [You must be registered and logged in to see this link.] Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} (Google Gadget Control) - [You must be registered and logged in to see this link.]
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7172 bytes

reedinthewind
Novice
Posts : 21
Joined : 2008-11-26
OS : Windows XP Media Center Edition 2005
Points : 29320
Likes : 0

Solved Re: crypt

Post by Belahzur on Thu 22 Jan - 6:59

Nothing there.
Let's take a look around.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Click No for Optional Scan.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-04
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
Likes : 1

Solved Re: crypt

Post by reedinthewind on Thu 22 Jan - 10:46

DDS (Ver_09-01-07.01) - NTFSx86
Run by Owner at 18:42:28.83 on Wed 01/21/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.382.111 [GMT -5:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner.YOUR-588B4A13EA\Local Settings\Temporary Internet Files\Content.IE5\HCORXL0L\hijackgpthis[1].exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner.YOUR-588B4A13EA\Local Settings\Temporary Internet Files\Content.IE5\6LC3SR6D\dds[1].com

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mDefault_Search_URL = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: PayPal Plug-In: {dc0f2f93-27fa-4f84-acaa-9416f90b9511} - c:\program files\paypal\paypal plug-in\OToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: Easy-WebPrint: {03c1c47f-0538-4645-8372-d3109b9fc636} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [Power2GoExpress] NA
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Verizon_McciTrayApp] c:\program files\verizon\McciTrayApp.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 ezgmntr;EZ GIG II Backup Archive Explorer;c:\windows\system32\drivers\ezgmntr.sys [2007-8-19 213760]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2009-1-19 11840]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2009-1-19 52032]
R4 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2009-1-19 68865]
R4 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2009-1-19 151297]
R4 dvdmmg;dvdmmg;c:\windows\system32\drivers\dvdmmg.sys [2007-9-6 5504]
R4 ezgfsfilt;EZ GIG II FS Filter;c:\windows\system32\drivers\ezgfsfilt.sys [2007-8-19 28800]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]

=============== Created Last 30 ================

2009-01-21 14:41 --ds---- c:\documents and settings\owner.your-588b4a13ea\UserData
2009-01-21 14:35 35,124,856 a------- c:\program files\AdbeRdr90_en_US.exe
2009-01-19 13:59 --d----- c:\program files\Avira
2009-01-19 13:59 --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-01-19 13:54 22,058,104 a------- c:\program files\antivir_workstation.exe

==================== Find3M ====================

2008-12-11 05:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-26 17:53 59,632 a------- c:\program files\JavaRa.zip
2008-11-12 01:21 4,144 a------- c:\docume~1\owner~1.you\applic~1\wklnhst.dat
2008-11-10 13:34 2,194,129 a------- c:\program files\ClipstreamAudioPro.exe
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-10 23:18 270,128 a------- c:\program files\utorrent.exe
2008-08-05 14:07 5,375,452 a------- c:\program files\Setup_FreeFlvConverter2.exe
2008-08-05 10:02 125,336 a------- c:\program files\hideoe_v1.1b6.exe
2008-08-05 09:53 809,462 a------- c:\program files\4t-min tray.zip
2008-07-30 12:09 2,631,824 a------- c:\program files\Reg Reg Man.exe
2008-07-29 13:45 2,790,202 a------- c:\program files\sound record update.wav
2008-07-22 14:08 61,224 a------- c:\documents and settings\owner.your-588b4a13ea\GoToAssistDownloadHelper.exe
2008-07-11 12:07 5,625,382 a------- c:\program files\Setup_FreeFlvConverter.exe
2008-06-07 14:41 6,634,099 a------- c:\program files\mp3morpher_cnt.exe
2008-06-07 13:59 10,537,992 a------- c:\program files\dvd_player_morpher_cnt.exe
2008-05-28 16:48 1,822,737 a------- c:\program files\flvplayer4free_setup.exe
2008-05-25 15:12 5,842,845 a------- c:\program files\gusetupnew.exe
2008-05-25 15:08 2,897,456 a------- c:\program files\ccsetup207.exe
2008-05-25 15:06 929,820 a------- c:\program files\EFRCSetup.exe
2008-05-23 16:49 10,153,224 a------- c:\program files\PortalInstaller.exe
2008-05-23 16:27 427,160 a------- c:\program files\debutsetup.exe
2008-05-23 14:56 432,552 a------- c:\program files\wpsetup.exe
2008-05-10 14:02 2,078,689 a------- c:\program files\WebAudioPlus.zip
2008-02-07 18:47 5,386,264 a------- c:\program files\Plug-In.exe
2008-02-03 14:54 2,356,231 a------- c:\program files\cdbxp_setup_4.0.022.370.exe
2007-10-24 14:13 389,784 a------- c:\program files\switchsetup.exe
2007-09-22 03:24 4,581,672 a------- c:\program files\SFTPMSI.exe
2007-09-21 14:41 20,256,064 a------- c:\program files\QuickTimeInstaller.exe
2007-09-12 14:45 168,360 a------- c:\program files\cftpsetup.exe

============= FINISH: 18:43:00.46 ===============


Solved Re: crypt

Post by Belahzur on Thu 22 Jan - 10:58

Apart from a big dump of exe installer files in the programs files folder, I don't see any malware.
Where is your AV reporting the infection?



Solved Re: crypt

Post by reedinthewind on Sat 24 Jan - 7:35

Sorry it took a while to get back, but I wanted to complete a number of scans on my brother's "infected" computer to see if I could make any sense of what had transpired over the past several days concerning what appeared to be a serious Trojan Horse infection.

Apparently, prior to the DDS scan, my brother quarantined 9 Crypt files. This would explain why no infected files appeared in the system after the DDS scan was completed. After "deleting" the 9 files from quarantine, on a subsequent scan, the files had appeared to "replicate" themselves. Again, these files were quarantined and deleted. However, after a third and fourth system scan, only one infected file appeared, which was also quarantined and deleted.

After running at least three complete system scans after the final "crypt" file was deleted, the scans showed that no more infected files had been detected. It was strange how we were unable to delete the 9 files initially, and then with Avira actually appearing to identify a crypt removal tool as a trojan horse, but after a number of attempts, the files were successfully deleted. Was there something wrong with the Avira settings that caused it to somehow malfunction? Anyway, things seem to have settled down on their own. I have included text files from the Avira Events folder to show I am not making this up. The full Avira log files have been saved in case you want to see them as well.

First System Scan Results 1-19-09

The file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\My Documents\Norton AntiVirus\Quarantine\29413434.exe'
contained a virus or unwanted program 'TR/Crypt.CFI.Gen' [trojan]
Action(s) taken:
The file was moved to '49a8d435.qua'! (File deleted)

The file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\My Documents\Norton AntiVirus\Quarantine\2B9063A9.tmp'
contained a virus or unwanted program 'TR/Crypt.CFI.Gen' [trojan]
Action(s) taken:
The file was moved to '49add449.qua'! (File deleted)

The file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\My Documents\Norton AntiVirus\Quarantine\2E3700BE.tmp'
contained a virus or unwanted program 'TR/Crypt.CFI.Gen' [trojan]
Action(s) taken:
The file was ignored!

The file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\My Documents\Norton AntiVirus\Quarantine\346C45E8.tmp'
contained a virus or unwanted program 'TR/Crypt.E.1' [trojan]
Action(s) taken:
The file was deleted!

The file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\My Documents\Norton AntiVirus\Quarantine\4E737345.tmp'
contained a virus or unwanted program 'TR/Crypt.CFI.Gen' [trojan]
Action(s) taken:
The file was deleted!

The file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\My Documents\Norton AntiVirus\Quarantine\5F215EE9.tmp'
contained a virus or unwanted program 'TR/Crypt.E.1' [trojan]
Action(s) taken:
The file was moved to '49a6d640.qua'! (File deleted)

The file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\My Documents\Norton AntiVirus\Quarantine\5F2732E2.tmp'
contained a virus or unwanted program 'TR/Crypt.CFI.Gen' [trojan]
Action(s) taken:
The file was deleted!

Virus or unwanted program 'TR/Drop.fra.5163372 [trojan]'
detected in file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\Local Settings\Temporary Internet Files\Content.IE5\NNDJZTGW\setupxv[1].exe.
Action performed: Move file to quarantine (File deleted)

Virus or unwanted program 'TR/Drop.fra.5163372 [trojan]'
detected in file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\Local Settings\Temporary Internet Files\Content.IE5\NNDJZTGW\setupxv[1].exe.
Action performed: Move file to quarantine (File deleted)

Virus or unwanted program 'TR/Drop.fra.5163372 [trojan]'
detected in file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\Local Settings\Temporary Internet Files\Content.IE5\NNDJZTGW\setupxv[1].exe.
Action performed: Move file to quarantine (File deleted)

Virus or unwanted program 'TR/Drop.fra.5163372 [trojan]'
detected in file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\Local Settings\Temporary Internet Files\Content.IE5\K1UJG9UN\setupxv[1].exe.
Action performed: Deny access (this was the Crypt Removal Tool - 99% downloaded)

Virus or unwanted program 'TR/Drop.fra.5163372 [trojan]'
detected in file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\Local Settings\Temporary Internet Files\Content.IE5\K1UJG9UN\setupxv[1].exe.
Action performed: Deny access (this was the Crypt Removal Tool - 99% downloaded)

Virus or unwanted program 'TR/Drop.fra.5163372 [trojan]'
detected in file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\Local Settings\Temporary Internet Files\Content.IE5\K1UJG9UN\setupxv[1].exe.
Action performed: Delete file

Virus or unwanted program 'TR/Drop.fra.5163372 [trojan]'
detected in file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\Local Settings\Temporary Internet Files\Content.IE5\K1UJG9UN\setupxv[1].exe.
Action performed: Delete file


Solved Re: crypt

Post by reedinthewind on Sat 24 Jan - 7:39

Attempt to copy Crypt Removal Tool to desktop from disk 1-20-09

Virus or unwanted program 'TR/Drop.fra.5163372 [trojan]'
detected in file 'E:\ABC.exe.
Action performed: Allow access

Virus or unwanted program 'TR/Drop.fra.5163372 [trojan]'
detected in file 'E:\ABC.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Drop.fra.5163372 [trojan]'
detected in file 'E:\ABC.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Drop.fra.5163372 [trojan]'
detected in file 'E:\ABC.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Drop.fra.5163372 [trojan]'
detected in file 'E:\ABC.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Drop.fra.5163372 [trojan]'
detected in file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\Local Settings\Temporary Internet Files\Content.IE5\NNDJZTGW\setupxv[1].exe.
Action performed: Rename file

Virus or unwanted program 'TR/Drop.fra.5163372 [trojan]'
detected in file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\Local Settings\Temporary Internet Files\Content.IE5\NNDJZTGW\setupxv[1].exe.
Action performed: Rename file

Virus or unwanted program 'TR/Drop.fra.5163372 [trojan]'
detected in file 'E:\ABC.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Drop.fra.5163372 [trojan]'
detected in file 'E:\ABC.exe.
Action performed: Deny access


2nd Complete System Scan 1-21-09

The file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\Local Settings\Temporary Internet Files\Content.IE5\NNDJZTGW\setupxv[1].VIR000'
contained a virus or unwanted program 'TR/Drop.fra.5163372' [trojan]
Action(s) taken:
The file was moved to '49ebefcd.qua'! (File deleted)

The file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\My Documents\Norton AntiVirus\Quarantine\2E3700BE.tmp'
contained a virus or unwanted program 'TR/Crypt.CFI.Gen' [trojan]
Action(s) taken:
The file was moved to '49aaf084.qua'! (File deleted)

The file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\My Documents\Norton AntiVirus\Quarantine\65D3798A.tmp'
contained a virus or unwanted program 'TR/Crypt.CFI.Gen' [trojan]
Action(s) taken:
The file was moved to '49bbf076.qua'! (File deleted)

The file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\My Documents\Norton AntiVirus\Quarantine\67821FB0.tmp'
contained a virus or unwanted program 'TR/Dldr.Nsis.Ag.U.4' [trojan]
Action(s) taken:
The file was moved to '49aff07b.qua'! (File deleted)

The file 'C:\Program Files\BEARSH~1\Downloads\clipstream crack bittorrent downloader.zip'
contained a virus or unwanted program 'TR/Obfuscated.274432.3' [trojan]
Action(s) taken:
The file was moved to '49e0f137.qua'! (File deleted)

The file 'C:\WINDOWS\system32\kdeic.exe'
contained a virus or unwanted program 'TR/Crypt.XPACK.Gen' [trojan]
Action(s) taken:
The file was moved to '49dcf4a7.qua'! (File deleted)

The file 'J:\Documents and Settings\Windows XP\My Documents\Downloads\site navigation menu -free.exe'
contained a virus or unwanted program 'DR/SaveNow.AR.31' [dropper]
Action(s) taken:
The file was moved to '49ebf9ae.qua'! (File deleted)

The file 'J:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP37\A0002223.exe'
contained a virus or unwanted program 'DR/SaveNow.AR.31' [dropper]
Action(s) taken:
The file was moved to '49a7faf8.qua'! (File deleted)


3rd Complete System Scan 1-22-09

The file 'C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP37\A0002222.exe'
contained a virus or unwanted program 'TR/Crypt.XPACK.Gen' [trojan]
Action(s) taken:
The file was ignored!


4th Complete System Scan 1-22-09

The file 'C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP37\A0002222.exe'
contained a virus or unwanted program 'TR/Crypt.XPACK.Gen' [trojan]
Action(s) taken:
The file was moved to '49a8ce62.qua'! (File deleted)


Report file date: Friday, January 23, 2009 13:41
End of the scan: Friday, January 23, 2009 14:56
Used time: 1:15:17 Hour(s)

The scan has been done completely.

9482 Scanning directories
474362 Files were scanned
0 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
474360 Files not concerned
14965 Archives were scanned
9 Warnings
0 Notes


Solved Re: crypt

Post by Belahzur on Sat 24 Jan - 9:02

Hmmm.
All it found was Norton Quarantine, temp files, and system restore points.
Apart from this file:
E:\ABC.exe

What is drive E? a memory stick or external HD?


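A small triage script for Avira event entries like the ones pasted above, added here as an example and not code from the thread or from Avira: it parses both entry styles the poster quoted, collapses repeated hits on the same file, and buckets each path the way Belahzur reads the log (Norton quarantine, browser cache, restore points), so that whatever is left over, such as E:\ABC.exe or a file under system32, is what deserves a closer look. The sample entries are constructed from the thread's own lines; the bucket names and the `triage` function are my own.

```python
"""Triage Avira event-log entries of the kind pasted in this thread."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, modelled on the two Avira event formats quoted above
# (a handful of entries taken from the thread, not the poster's full log).
SAMPLE_EVENTS = r"""
The file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\My Documents\Norton AntiVirus\Quarantine\29413434.exe'
contained a virus or unwanted program 'TR/Crypt.CFI.Gen' [trojan]
Action(s) taken:
The file was moved to '49a8d435.qua'! (File deleted)

Virus or unwanted program 'TR/Drop.fra.5163372 [trojan]'
detected in file 'C:\Documents and Settings\Owner.YOUR-588B4A13EA\Local Settings\Temporary Internet Files\Content.IE5\K1UJG9UN\setupxv[1].exe.
Action performed: Deny access

Virus or unwanted program 'TR/Drop.fra.5163372 [trojan]'
detected in file 'E:\ABC.exe.
Action performed: Deny access

The file 'C:\WINDOWS\system32\kdeic.exe'
contained a virus or unwanted program 'TR/Crypt.XPACK.Gen' [trojan]
Action(s) taken:
The file was moved to '49dcf4a7.qua'! (File deleted)

The file 'C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP37\A0002222.exe'
contained a virus or unwanted program 'TR/Crypt.XPACK.Gen' [trojan]
Action(s) taken:
The file was ignored!
"""


@dataclass(frozen=True)
class Detection:
    path: str    # file the scanner flagged
    name: str    # detection name, e.g. TR/Crypt.CFI.Gen
    kind: str    # trojan, dropper, ...
    action: str  # what Avira did with it


# Format 1: on-demand scan report ("The file '...' contained ...").
_SCAN_ENTRY = re.compile(
    r"The file '(?P<path>[^'\n]+)'\s*\n"
    r"contained a virus or unwanted program '(?P<name>[^'\n]+)' \[(?P<kind>[^\]\n]+)\]\s*\n"
    r"Action\(s\) taken:\s*\n"
    r"(?P<action>[^\n]+)"
)
# Format 2: on-access guard event ("Virus or unwanted program '...' detected in file ...").
# The pasted events end the path with a stray '.' instead of a closing quote; accept either.
_GUARD_ENTRY = re.compile(
    r"Virus or unwanted program '(?P<name>[^'\[\n]+?) \[(?P<kind>[^\]\n]+)\]'\s*\n"
    r"detected in file '(?P<path>[^\n]+?)['.]?\s*\n"
    r"Action performed: (?P<action>[^\n]+)"
)


def parse_events(text):
    """Extract every detection from pasted event text, in the order it appears."""
    found = []
    for pattern in (_SCAN_ENTRY, _GUARD_ENTRY):
        for m in pattern.finditer(text):
            found.append((m.start(), Detection(m["path"], m["name"], m["kind"], m["action"].strip())))
    return [d for _, d in sorted(found, key=lambda t: t[0])]


# Locations where a hit is a stale copy rather than something running on the machine.
_LOCATION_RULES = (
    ("norton quarantine", re.compile(r"\\Norton AntiVirus\\Quarantine\\", re.I)),
    ("temporary internet files", re.compile(r"\\Temporary Internet Files\\", re.I)),
    ("system restore point", re.compile(r"\\System Volume Information\\_restore", re.I)),
)
ATTENTION = {"live system file", "non-system drive"}


def classify_location(path, system_drive="C:"):
    """Bucket a flagged path: another scanner's quarantine, browser cache and restore
    points are leftovers; anything else on the system drive, or on another drive
    (a DVD, a stick, a second disk), is what a helper should ask about."""
    for label, rule in _LOCATION_RULES:
        if rule.search(path):
            return label
    if not path.upper().startswith(system_drive.upper()):
        return "non-system drive"
    return "live system file"


def triage(text):
    """Return per-bucket counts of unique flagged paths and the entries needing a human look."""
    seen = {}
    for d in parse_events(text):
        seen.setdefault(d.path, d)  # the guard logs the same file on every access; keep one
    counts = Counter(classify_location(p) for p in seen)
    attention = [d for p, d in seen.items() if classify_location(p) in ATTENTION]
    return counts, attention


if __name__ == "__main__":
    counts, attention = triage(SAMPLE_EVENTS)
    for bucket, n in counts.most_common():
        print(f"{n:3d}  {bucket}")
    for d in attention:
        print(f"LOOK AT: {d.path}  [{d.name}, {d.kind}]  -> {d.action}")
```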

Solved Re: crypt

Post by reedinthewind on Sat 24 Jan - 10:08

Drive E would be DVD-RAM drive. E:\ABC.exe is the Crypt Removal Tool file (burned onto a disk) that I had renamed "ABC" after Avira had identified it as a Trojan Horse under its original file name of setupxv.exe from setup.adwarealert.com. Even after renaming it, Avira would still not allow me to open it on the hard drive. The disk was still in the cd/dvd drive when I made the system scans.


Solved Re: crypt

Post by Belahzur on Sat 24 Jan - 10:18

Okay, I wouldn't trust the disc if I were you; take the legit stuff off the disc, apart from that file, then get rid of the disc.
I don't know where you got the file, but the name "setup.adwarealert.com" is just screaming untrustable.

Let's clean up here now.

You are running two AVs; this is a bad idea as they can conflict and cause problems. I see Norton and Avira.
I would recommend that you remove Symantec to avoid conflict and other future problems.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Any "Symantec" product
  • Any "Norton" products


Delete this folder if it still exists once Norton/Symantec is gone.
C:\Documents and Settings\Owner.YOUR-588B4A13EA\My Documents\Norton AntiVirus

Now clean temp files.

Download [You must be registered and logged in to see this link.]

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.


Now let's clean the restore points.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Scan with Avira again [with no discs in] and see if it finds anything, and if it does, please say where.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Solved Re: crypt

Post by reedinthewind on Sun 25 Jan - 16:10

Followed all instructions above, then ran complete system scan with Avira twice for good measure. No threats found.


Solved Re: crypt

Post by Belahzur on Sun 25 Jan - 23:54

Glad I could help.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.





Solved Re: crypt

Post by reedinthewind on Mon 26 Jan - 8:13

Thank you very much for your help. It is greatly appreciated. I have followed all your recommendations above concerning spyware and keeping software up-to-date. I have several quick questions if you have time:

1. By switching to Firefox, would I have to completely remove I.E. from this computer to avoid any conflicts, and will my favorites list, etc. be retained?

2. The disc you told me to get rid of with the suspicious file on it, do I need to literally throw it in the trash, or since it's a CD-RW, could it possibly be reformatted?

3. The firewall you recommend, would that be in addition to or instead of the Windows firewall?

Thanks again. I'll make sure to leave feedback.


Solved Re: crypt

Post by Belahzur on Mon 26 Jan - 8:24

Hello.

1. Firefox is able to import saved stuff from IE, it will ask this when you install it, so select yes to the import option.

2. If the disc is re-writable, then use it to re-write to, just don't use that abc file.

3. Windows Firewall isn't as strong and secure as a 3rd party firewall, so it would be a good idea to install one of them instead of just using Windows Firewall.
Once installed, Windows Firewall will be turned off; do not turn it back on, as they will conflict.





Solved Re: crypt

Post by reedinthewind on Mon 26 Jan - 12:49

I appreciate the answers to my questions. Everything seems to be in good working order and back to normal now. I will heed your advice on the browser and firewall issues, as I already have on all the spyware and update tips, etc. Thanks again, and have a great day!


Solved Re: crypt

Post by Doctor Inferno on Sat 9 May - 20:56

Since this issue has been addressed, a "solved" tag will be added and this topic will be closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a [You must be registered and logged in to see this link.] for your questions.


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

