Malware Win32/Cryptor


Re: Malware Win32/Cryptor

Post by Belahzur on 19th March 2009, 5:21 pm

Hello.
The error on boot is caused by something plugged into a USB slot, or by another internal drive conflicting with the OS drive. If you have anything plugged into a USB slot during boot (a USB printer cable, for example), unplug it while the machine boots and the error should go away.

Run MBAM again; it should pick up the rootkit's files now.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1


Re: Malware Win32/Cryptor

Post by transit_ion on 19th March 2009, 5:33 pm

Quick Scan or Full Scan?

transit_ion
Novice
Novice

Posts Posts : 47
Joined Joined : 2009-03-19
Gender Gender : Male
OS OS : Vista Ultimate SP2
Points Points : 28276
# Likes # Likes : 0


Re: Malware Win32/Cryptor

Post by Belahzur on 19th March 2009, 5:35 pm

Quick scan please.



Re: Malware Win32/Cryptor

Post by transit_ion on 19th March 2009, 5:42 pm

Malwarebytes' Anti-Malware 1.34
Database version: 1870
Windows 6.0.6001 Service Pack 1

2009.03.19 18:42:27
mbam-log-2009-03-19 (18-42-27).txt

Scan type: Quick Scan
Objects scanned: 71218
Time elapsed: 4 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.

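The MBAM log above has a fixed shape: a header, a block of per-section counts, then one detail block per section with either "(No malicious items detected)" or "path (Detection) -> action" lines. When you are triaging more than one of these logs it pays to parse them rather than eyeball them, and to cross-check the summary counts against the itemised lines, because a truncated paste can hide a detection. The parser below is an added example for this thread, not Malwarebytes' code; the sample input is the log posted above, copied verbatim with the empty sections trimmed, and the line formats it recognises are only those visible in that log.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log into a structured report.

Added example for this thread; not Malwarebytes' own code. The only formats
assumed are the ones visible in the posted log: "<Section> Infected: N"
summary lines, "<Section> Infected:" detail headers, and
"<path> (<Detection>) -> <action>." item lines.
"""
import re
from dataclasses import dataclass, field

# Sample input: the MBAM log posted in the thread (empty detail sections trimmed).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1870
Windows 6.0.6001 Service Pack 1

2009.03.19 18:42:27
mbam-log-2009-03-19 (18-42-27).txt

Scan type: Quick Scan
Objects scanned: 71218
Time elapsed: 4 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> Quarantined and deleted successfully.
"""


@dataclass
class Detection:
    section: str   # e.g. "Files Infected"
    path: str      # file, folder or registry path reported by MBAM
    name: str      # detection name, e.g. "Trojan.Agent"
    action: str    # what MBAM says it did, e.g. "Quarantined and deleted successfully"


@dataclass
class ScanReport:
    version: str = ""
    database: str = ""
    scan_type: str = ""
    objects_scanned: int = 0
    counts: dict = field(default_factory=dict)      # section -> summary count
    detections: list = field(default_factory=list)  # itemised Detection entries


COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<n>\d+)$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text: str) -> ScanReport:
    report = ScanReport()
    section = None  # detail section currently being read, or None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line closes a detail section
            continue
        if line.startswith("Malwarebytes' Anti-Malware "):
            report.version = line.split(" ")[-1]
        elif line.startswith("Database version: "):
            report.database = line.split(": ", 1)[1]
        elif line.startswith("Scan type: "):
            report.scan_type = line.split(": ", 1)[1]
        elif line.startswith("Objects scanned: "):
            report.objects_scanned = int(line.split(": ", 1)[1])
        elif COUNT_RE.match(line):
            m = COUNT_RE.match(line)
            report.counts[m.group("section")] = int(m.group("n"))
        elif line.endswith(" Infected:"):
            section = line[:-1]  # detail header: strip the trailing colon
        elif section and line != "(No malicious items detected)":
            m = ITEM_RE.match(line)
            if m:
                report.detections.append(
                    Detection(section, m.group("path"), m.group("name"), m.group("action")))
    return report


def counts_match_details(report: ScanReport) -> bool:
    """Cross-check: every summary count must equal the number of itemised lines
    in that section. A mismatch means the log was truncated or the format
    changed, so the summary alone cannot be trusted."""
    per_section = {}
    for d in report.detections:
        per_section[d.section] = per_section.get(d.section, 0) + 1
    return all(per_section.get(sec, 0) == n for sec, n in report.counts.items())


def unresolved(report: ScanReport) -> list:
    """Detections whose action line does not say the item was quarantined or deleted."""
    return [d for d in report.detections if not re.search(r"Quarantined|deleted", d.action)]


if __name__ == "__main__":
    r = parse_mbam_log(SAMPLE_LOG)
    print(f"MBAM {r.version} db {r.database}, {r.scan_type}, {r.objects_scanned} objects")
    for d in r.detections:
        print(f"  [{d.section}] {d.path} ({d.name}) -> {d.action}")
    print("counts consistent:", counts_match_details(r), "| unresolved:", len(unresolved(r)))
```

`unresolved()` is the list to act on: anything MBAM reports without "Quarantined" or "deleted" in its action is still on disk and is what the follow-up DDS run needs to confirm is gone.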

Re: Malware Win32/Cryptor

Post by Belahzur on 19th March 2009, 5:50 pm

Can you run DDS one final time now?

[You must be registered and logged in to see this link.]

Post the new log when done.



Re: Malware Win32/Cryptor

Post by transit_ion on 19th March 2009, 7:09 pm

DDS (Ver_09-03-16.01) - NTFSx86
Run by sassan at 20:05:04,06 on 2009.03.19
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.49.1031.18.3070.1072 [GMT 1:00]

FW: Vista Firewall Control *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\PSIService.exe
C:\spm\spmdib.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\Wacom_Tablet.exe
C:\Program Files\VistaFirewallControl\VistaFirewallService.exe
C:\Windows\system32\WTablet\Wacom_TabletUser.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\Wacom_Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Windows\system32\nfsclnt.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\nvraidservice.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Windows\Philips\SPC500NC\Monitor.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\VistaFirewallControl\VistaFirewallControl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
D:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Users\sassan\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Extensis\Extensis Suitcase 11\Suitcase.exe
C:\Program Files\UltraMon\UltraMon.exe
B:\Program Files\Stickies\stickies.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\WUDFHost.exe
B:\Program Files\THQ\Dawn Of War 2\dow2.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\sassan\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe


Re: Malware Win32/Cryptor

Post by transit_ion on 19th March 2009, 7:10 pm

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\snagit 9\SnagitBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Snagit: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\snagit 9\SnagitIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
uRun: [Google Update] "c:\users\sassan\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [CreativeTaskScheduler] "c:\program files\creative\shared files\CTSched.exe" /logon
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [AdobeBridge]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [SPC500NC_Monitor] c:\windows\philips\spc500nc\Monitor.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [OPSE reminder] "c:\program files\scansoft\omnipagese2.0\eregger\ereg.exe" -r "c:\program files\scansoft\omnipagese2.0\eregger\ereg.ini"
mRun: [VistaFirewallControl] c:\program files\vistafirewallcontrol\VistaFirewallControl.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe Acrobat Speed Launcher] "d:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: []
mRun: [Acrobat Assistant 8.0] "d:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\users\sassan\appdata\roaming\micros~1\windows\startm~1\programs\startup\stickies.lnk - b:\program files\stickies\stickies.exe
StartupFolder: c:\users\sassan\appdata\roaming\micros~1\windows\startm~1\programs\startup\winmys~1.lnk - d:\program files\xampp\mysql\bin\winmysqladmin.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\suitca~1.lnk - c:\windows\installer\{7451c9b5-3e10-4e59-ad37-ab7438d84288}\_01D57C9244869186542E24.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\ultramon.lnk - c:\windows\installer\{af0fa6d7-96f3-468a-abb7-28be006ea8e9}\IcoUltraMon.ico
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: An vorhandene PDF-Datei anfügen - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - d:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: In Adobe PDF konvertieren - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Linkziel an vorhandene PDF-Datei anhängen - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Linkziel in Adobe PDF konvertieren - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: avgrsstx.dll
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\sassan\appdata\roaming\mozilla\firefox\profiles\obfb6kp3.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\users\sassan\appdata\roaming\mozilla\firefox\profiles\obfb6kp3.default\extensions\{aaaf6f83-cc82-446a-87dc-aa885107a48e}\components\HTML2PDF_FFPlugin.dll
FF - component: c:\users\sassan\appdata\roaming\mozilla\firefox\profiles\obfb6kp3.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\users\sassan\appdata\local\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: d:\program files\adobe\acrobat 8.0\acrobat\browser\nppdf32.dll
FF - plugin: d:\program files\adobe\acrobat 9.0\acrobat\browser\nppdf32.dll

============= SERVICES / DRIVERS ===============

R0 nvrd32;NVIDIA nForce RAID Driver;c:\windows\system32\drivers\nvrd32.sys [2008-6-16 131616]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-18 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-18 107912]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-18 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-18 298264]
R2 NfsClnt;Client für NFS;c:\windows\system32\nfsclnt.exe [2008-12-6 50688]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-3-19 1153368]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-6-10 1373480]
R2 VistaFirewallService;VistaFirewallService;c:\program files\vistafirewallcontrol\VistaFirewallService.exe [2008-10-10 286720]
R3 NfsRdr;Client für NFS-Redirector;c:\windows\system32\drivers\nfsrdr.sys [2008-12-6 195072]
R3 RpcXdr;Server für NFS Open RPC (ONCRPC);c:\windows\system32\drivers\rpcxdr.sys [2008-12-6 74240]
S2 Apache2.2;Apache2.2;"d:\program files\xampp\apache\bin\apache.exe" -k runservice --> d:\program files\xampp\apache\bin\apache.exe [?]
S3 SPC500NC;Philips SPC500NC Webcam;c:\windows\system32\drivers\SPC500NC.SYS [2007-6-21 409600]
S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2008-7-9 20168]

=============== Created Last 30 ================

2009-03-19 15:31 --d----- C:\_OTMoveIt
2009-03-19 13:08 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-19 13:08 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-19 13:08 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-19 12:03 --d----- c:\users\sassan\appdata\roaming\Malwarebytes
2009-03-19 07:48 --d----- c:\program files\SUPERAntiSpyware
2009-03-19 07:48 --d----- c:\users\sassan\appdata\roaming\SUPERAntiSpyware.com
2009-03-19 07:13 --d----- c:\programdata\Malwarebytes
2009-03-19 07:13 --d----- c:\progra~2\Malwarebytes
2009-03-19 07:12 --d----- c:\programdata\Spybot - Search & Destroy
2009-03-19 07:12 --d----- c:\program files\Spybot - Search & Destroy
2009-03-19 07:12 --d----- c:\progra~2\Spybot - Search & Destroy
2009-03-19 00:26 --d-h--- C:\$AVG8.VAULT$
2009-03-18 23:31 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-18 23:31 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-18 23:31 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-18 23:31 --d----- c:\windows\system32\drivers\Avg
2009-03-17 22:32 22,872 a----r-- c:\windows\system32\AdobePDFUI.dll
2009-03-13 21:29 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-13 21:29 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-13 21:29 --d----- c:\program files\iPod
2009-03-13 21:29 --d----- c:\programdata\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-13 21:29 --d----- c:\program files\iTunes
2009-03-13 21:29 --d----- c:\progra~2\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-13 19:50 --d----- c:\programdata\Digsby
2009-03-13 19:50 --d----- c:\progra~2\Digsby
2009-03-06 11:23 --d----- c:\users\sassan\appdata\roaming\Red Alert 3
2009-03-06 11:12 --d----- c:\programdata\Electronic Arts
2009-03-06 11:12 --d----- c:\progra~2\Electronic Arts
2009-03-04 13:29 21 a------- c:\windows\SurCode.INI
2009-03-04 13:26 --d----- c:\users\sassan\Library
2009-03-03 06:18 --d----- C:\Python30
2009-03-03 05:55 --d----- C:\Engine
2009-03-02 17:46 45,392 a------- c:\windows\system32\AdobePDF.dll
2009-03-02 14:09 --d----- c:\users\sassan\appdata\roaming\Digsby
2009-03-02 14:08 --d----- c:\program files\Digsby
2009-02-24 16:42 545 a------- c:\windows\my.ini

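The Pseudo HJT Report above is the part of a DDS log a responder reads most carefully: autostart entries (uRun/mRun), browser add-ons (BHO/TB), system policies and AppInit_DLLs. A few things in this one are worth noting even though the helper called it clean: EnableLUA = 0 means UAC is switched off, so an account in the Administrators group never sees an elevation prompt; two Run entries (uRun: [AdobeBridge] and mRun: []) carry no command; a toolbar CLSID points at "No File"; rundll32 is started with a bare DLL name (P17RunE.dll) that is found through the DLL search order; and AppInit_DLLs loads avgrsstx.dll into every process (here it is AVG's, installed at the same time as the AVG drivers per the Created Last 30 section, so it is expected). The script below is an added example, not DDS's own code: it applies those checks to a constructed subset of the lines posted above. The severity labels and the rules are this example's own choices.

```python
"""Audit the autostart and policy lines of a DDS 'Pseudo HJT Report' section.

Added example for this thread; not DDS's own code. Line formats are those
visible in the posted log; SAMPLE_REPORT is a constructed subset of its
lines. Severities and rules are this example's own, not DDS output.
"""
import re

SAMPLE_REPORT = r"""
uStart Page = about:blank
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [AdobeBridge]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
mRun: []
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
AppInit_DLLs: avgrsstx.dll
"""

# uRun = HKCU\...\Run (per-user), mRun = HKLM\...\Run (machine-wide), as in DDS/HJT output.
RUN_RE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
POLICY_RE = re.compile(r"^mPolicies-system: (?P<key>\w+) = (?P<val>\d+)")
TB_RE = re.compile(r"^TB: (?P<clsid>\{[0-9A-Fa-f-]+\}) - No File$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.+)$")
# rundll32 <dll>,<entry>; we only care about the DLL operand.
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<dll>[^,\s]+),', re.IGNORECASE)


def audit_hjt(text: str) -> list:
    """Return a list of (severity, message) findings for the report text."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = RUN_RE.match(line)
        if m:
            where = "HKCU" if m.group("hive") == "u" else "HKLM"
            name, cmd = m.group("name"), m.group("cmd").strip()
            if not name and not cmd:
                findings.append(("low", f"{where} Run: empty value name with no command (leftover entry)"))
            elif not cmd:
                findings.append(("low", f"{where} Run [{name}]: no command (orphaned autostart)"))
            else:
                rd = RUNDLL_RE.match(cmd)
                # A DLL given without a drive letter or backslash is resolved via the
                # DLL search order rather than from a fixed location.
                if rd and not re.search(r"[\\:]", rd.group("dll")):
                    findings.append(("medium",
                                     f"{where} Run [{name}]: rundll32 loads '{rd.group('dll')}' by bare name "
                                     "(resolved through the DLL search order)"))
            continue

        m = POLICY_RE.match(line)
        if m and m.group("key") == "EnableLUA" and m.group("val") == "0":
            findings.append(("high", "UAC is disabled (EnableLUA = 0): administrators get their "
                                     "full token with no elevation prompt"))
            continue

        m = TB_RE.match(line)
        if m:
            findings.append(("low", f"Toolbar {m.group('clsid')} is registered but its file is missing"))
            continue

        m = APPINIT_RE.match(line)
        if m:
            for dll in re.split(r"[,\s]+", m.group("dlls").strip()):
                if dll:
                    findings.append(("medium", f"AppInit_DLLs loads '{dll}' into every user-mode "
                                               "process; confirm the vendor and install date"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_hjt(SAMPLE_REPORT):
        print(f"{severity:6s} {message}")
```

Orphaned entries are not malicious by themselves, but the "No File" toolbar and the empty Run values are exactly the residue an uninstalled or removed component leaves behind, and the AppInit_DLLs line deserves a date check against the Created Last 30 section every time, because that key is a classic persistence point for anything that wants to live inside every process.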

Re: Malware Win32/Cryptor

Post by transit_ion on 19th March 2009, 7:10 pm

==================== Find3M ====================

2009-03-19 12:00 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-13 21:27 143,360 a------- c:\windows\inf\infstrng.dat
2009-03-13 21:27 86,016 a------- c:\windows\inf\infstor.dat
2009-03-13 21:27 86,016 a------- c:\windows\inf\infpub.dat
2009-03-03 01:38 634,030 a------- c:\windows\system32\perfh007.dat
2009-03-03 01:38 129,274 a------- c:\windows\system32\perfc007.dat
2009-02-13 20:05 2,027,008 a------- c:\windows\system32\python30.dll
2009-01-11 20:17 49,152 a------- c:\windows\system32\SearchRequire.dll
2009-01-05 01:01 444,952 a------- c:\windows\system32\wrap_oal.dll
2009-01-05 01:01 109,080 a------- c:\windows\system32\OpenAL32.dll
2008-12-27 22:50 126,976 a------- c:\windows\system32\Interop.SHDocVw.dll
2008-12-06 23:21 174 a--sh--- c:\program files\desktop.ini
2008-12-06 23:09 665,600 a------- c:\windows\inf\drvindex.dat
2008-10-21 23:39 1,024 a------- c:\programdata\imgpdf2.dll
2008-10-21 23:39 1,024 a------- c:\progra~2\imgpdf2.dll
2008-09-23 14:09 568,385 a------- c:\program files\dxf_viewer.jar
2008-06-16 02:19 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2008-06-16 02:19 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2008-06-16 02:19 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2008-06-16 02:19 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2007-02-01 17:02 313,344 a------- c:\program files\hjsplit.exe
2006-11-02 16:45 290,748 a------- c:\windows\inf\perflib\0407\perfi.dat
2006-11-02 16:45 290,748 a------- c:\windows\inf\perflib\0407\perfh.dat
2006-11-02 16:45 36,916 a------- c:\windows\inf\perflib\0407\perfd.dat
2006-11-02 16:45 36,916 a------- c:\windows\inf\perflib\0407\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 20:06:03,61 ===============


Re: Malware Win32/Cryptor

Post by Belahzur on 19th March 2009, 7:17 pm

Hello.
This looks okay now; how's the machine running?

We need to remove the tools we have used.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes to the reboot prompt, no need to post anymore logs.



Re: Malware Win32/Cryptor

Post by transit_ion on 19th March 2009, 7:55 pm

The first thing I did was start Firefox, and AVG Free's Res Shield popped up a warning saying "Accessed file has a warning".

File name: C:\Users\sassan\AppData\Roaming\Mozilla\Firefox\Profiles\obfb6kp3.default\cookies.sqlite

Threat name: Found Tracking cookie.Statcounter
Detected on open.

Process name: C:\Program Files\Mozilla Firefox\firefox.exe
Process ID: 5544


Re: Malware Win32/Cryptor

Post by Belahzur on 19th March 2009, 8:00 pm

They are only cookies, not really a threat. We can clean them with this.

Download [You must be registered and logged in to see this link.]

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.



Re: Malware Win32/Cryptor

Post by transit_ion on 19th March 2009, 8:05 pm

I did all that, but the warning just popped up again as soon as I started Firefox ... this time Process ID: 2196


Re: Malware Win32/Cryptor

Post by Belahzur on 19th March 2009, 8:12 pm

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000FF
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000FF

I would consider switching from AVG to Avira; AVG is known to have false positives.

If you choose to follow my recommendation then follow these instructions.

  • Click Start >> Control Panel.
  • Under the Programs click Uninstall a Program
  • Highlight AVG8 Free
  • Click on the Uninstall/Change button at the top.

Please install Avira antivirus otherwise you won't be protected.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.


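The registry fragment at the top of the post above sets NoDriveTypeAutoRun to 0xFF under both HKCU and HKLM. The value is a bitmask with one bit per Windows drive type (the same numbering GetDriveType uses: 0x04 removable, 0x08 fixed, 0x10 network, 0x20 CD-ROM, 0x40 RAM disk, with 0x01 and 0x80 both covering unknown types); a set bit suppresses AutoRun for that type, so 0xFF disables it everywhere, which is the point of the fix for USB-borne infections. The script below is an added example, not part of the post: it parses the .reg fragment as posted and decodes any mask into the drive types that are still allowed to AutoRun, so a partial value can be spotted before it is imported.

```python
"""Parse a .reg fragment and decode NoDriveTypeAutoRun bitmasks.

Added example for this thread, not part of the post. REG_FRAGMENT is the
fragment from the post; the bit-to-drive-type table follows the Windows
drive-type numbering (GetDriveType constants), one bit per type.
"""
import re

REG_FRAGMENT = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000FF
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000FF
"""

# Bit -> drive type whose AutoRun is suppressed when that bit is set.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "DRIVE_UNKNOWN (alternate bit)",
}

REG_KEY_RE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
REG_DWORD_RE = re.compile(r'^"NoDriveTypeAutoRun"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_autorun_policy(reg_text: str) -> dict:
    """Return {registry key path: int mask} for every NoDriveTypeAutoRun dword
    in the fragment. Values under a key are attributed to the most recent [key] line."""
    values, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group("key")
            continue
        m = REG_DWORD_RE.match(line)
        if m and current:
            values[current] = int(m.group("hex"), 16)
    return values


def suppressed_drive_types(mask: int) -> list:
    """Drive types whose AutoRun is disabled by this mask (only the low byte is meaningful)."""
    mask &= 0xFF
    return [name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit]


def autorun_still_allowed(mask: int) -> list:
    """Drive types where AutoRun would still fire. An empty list means fully disabled."""
    mask &= 0xFF
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


if __name__ == "__main__":
    for key, mask in parse_autorun_policy(REG_FRAGMENT).items():
        left = autorun_still_allowed(mask)
        print(f"{key}\n  mask 0x{mask:02X}: AutoRun still allowed on {left or 'nothing'}")
```

The thing to check before importing such a fragment is `autorun_still_allowed()`: anything other than an empty list means a drive type (most often removable media, bit 0x04) is still able to launch an autorun.inf, and the HKLM value is the one that applies to every account on the machine.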
