win32/cryptor


Re: win32/cryptor

Post by Belahzur on Sat Apr 04, 2009 11:24 pm

Hello.
Nearly there now.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\Tasks\At1.job

Folder::
c:\program files\Crawler

Driver::
pjcav
upwxghbb
ALSysIO
cel90xbe

NetSvc::
upwxghbb

DDS::
IE: Crawler Search - tbr:iemenu
TB: {0494D0D9-F8E0-41AD-92A3-14154ECE70AC} - No File

RegNull::
[HKEY_USERS\S-1-5-21-1229272821-220523388-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A1931E8A-1B06-6F93-A786-BD062C2F8EDF}*]

RegLock::
[HKEY_USERS\S-1-5-21-1229272821-220523388-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A1931E8A-1B06-6F93-A786-BD062C2F8EDF}*]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.



Re: win32/cryptor

Post by Kobra on Sat Apr 04, 2009 11:34 pm


ComboFix 09-04-04.01 - Kabir Thind 2009-04-04 16:30:44.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1349 [GMT -7:00]
Running from: c:\documents and settings\Kabir Thind\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kabir Thind\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))
.

2009-04-04 15:12 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 15:12 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-04 00:39 . 2009-04-04 00:39 d-------- c:\program files\Trend Micro
2009-04-03 13:15 . 2009-04-03 13:15 d-------- c:\documents and settings\Kabir Thind\Application Data\Malwarebytes
2009-04-03 13:09 . 2009-04-04 15:12 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-03 13:09 . 2009-04-03 13:09 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-03 12:21 . 2009-04-03 12:21 d-------- c:\documents and settings\Kabir Thind\Application Data\uholamgu
2009-04-02 22:30 . 2009-04-02 22:30 d-------- c:\windows\system32\QuickTime
2009-04-02 22:30 . 2009-04-02 22:30 d-------- c:\documents and settings\All Users\Application Data\TechSmith
2009-04-02 22:30 . 2008-07-10 13:56 107,864 --a------ c:\windows\system32\tsccvid.dll
2009-04-02 22:29 . 2009-04-02 22:29 d-------- c:\program files\TechSmith
2009-04-02 22:29 . 2009-04-02 22:29 d-------- c:\program files\Common Files\TechSmith Shared
2009-03-31 22:48 . 2009-03-31 22:48 d-------- c:\program files\Common Files\Bcgsoft
2009-03-31 19:04 . 2009-03-31 19:04 d-------- c:\documents and settings\Kabir Thind\Application Data\Global Forex Trading
2009-03-31 18:52 . 2009-03-31 18:52 d-------- c:\program files\DealBook 360
2009-03-31 18:52 . 2009-03-31 18:52 d-------- c:\documents and settings\Kabir Thind\Application Data\InstallShield Installation Information
2009-03-15 20:53 . 2009-03-15 20:53 d-------- c:\documents and settings\Kabir Thind\Application Data\Red Alert 3
2009-03-15 17:01 . 2009-03-15 17:01 319 --a------ c:\windows\game.ini
2009-03-12 21:12 . 2009-03-12 21:12 d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-03-12 13:11 . 2009-04-02 13:25 d-------- c:\program files\thinkorswim
2009-03-11 19:57 . 2009-03-11 19:57 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-11 18:11 . 2009-03-11 18:11 d-------- c:\documents and settings\Kabir Thind\Application Data\The Creative Assembly
2009-03-11 18:09 . 2009-03-28 23:29 d-------- c:\windows\Logs
2009-03-11 18:09 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll
2009-03-11 18:09 . 2007-03-12 16:42 1,123,696 --a------ c:\windows\system32\D3DCompiler_33.dll
2009-03-11 18:09 . 2007-03-15 16:57 443,752 --a------ c:\windows\system32\d3dx10_33.dll
2009-03-11 18:09 . 2007-04-04 18:55 261,480 --a------ c:\windows\system32\xactengine2_7.dll
2009-03-11 18:09 . 2007-01-24 15:27 255,848 --a------ c:\windows\system32\xactengine2_6.dll
2009-03-11 18:09 . 2006-12-08 12:02 251,672 --a------ c:\windows\system32\xactengine2_5.dll
2009-03-11 15:47 . 2008-10-24 04:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-11 15:46 . 2008-09-04 10:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-03-11 15:46 . 2008-10-15 09:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-03-11 15:22 . 2009-03-11 15:22 d-------- c:\program files\Linksys Wireless-G PCI Wireless Network Monitor
2009-03-11 15:22 . 2005-10-27 15:06 356,096 --a------ c:\windows\system32\rt61.sys
2009-03-11 15:22 . 2005-10-27 15:06 356,096 --a------ c:\windows\system32\drivers\rt61.sys
2009-03-11 15:22 . 2005-10-20 15:00 243,328 --a------ c:\windows\system32\rt2500.sys
2009-03-11 15:22 . 2003-10-13 15:30 94,208 --a------ c:\windows\system32\GTW32N50.dll
2009-03-11 15:22 . 2003-09-25 23:28 31,930 --a------ c:\windows\system32\GTNDIS3.VXD
2009-03-11 15:22 . 2009-03-11 15:22 20,747 --a------ c:\windows\system32\drivers\AegisP.sys
2009-03-11 15:22 . 2005-02-01 18:18 17,992 --a------ c:\windows\system32\drivers\bcm42rly.sys
2009-03-11 15:22 . 2005-02-01 18:18 17,992 --a------ c:\windows\system32\bcm42rly.sys
2009-03-11 15:22 . 2005-02-01 18:18 17,992 --a------ c:\windows\bcm42rly.sys
2009-03-11 15:22 . 2003-09-25 22:15 15,872 --a------ c:\windows\system32\GTNDIS5.sys
2009-03-11 15:22 . 2005-11-07 03:51 7,878 --a------ c:\windows\system32\RT2500.CAT
2009-03-11 15:22 . 2005-11-09 04:41 7,870 --a------ c:\windows\system32\rt61.cat
2009-03-11 15:21 . 2009-03-11 15:21 920 --a------ c:\windows\system32\WLAN.INI
2009-03-09 21:30 . 2009-03-16 17:22 d-------- c:\program files\SpeedFan
2009-03-09 21:30 . 2009-03-09 21:30 45 --a------ c:\windows\system32\initdebug.nfo
2009-03-09 20:28 . 2009-03-09 20:28 d-------- c:\program files\Motherboard Monitor 5
2009-03-09 20:28 . 2004-04-10 09:42 2,944 --a------ c:\windows\system32\mbmiodrvr.sys
2009-03-09 19:41 . 2009-03-09 19:41 d-------- c:\windows\system32\AGEIA
2009-03-09 19:41 . 2009-03-09 19:41 d-------- c:\program files\AGEIA Technologies
2009-03-09 19:35 . 2009-03-28 21:43 d-------- c:\program files\UBISOFT
2009-03-09 19:35 . 2009-03-09 19:35 d-------- c:\documents and settings\Kabir Thind\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 22:59 --------- d-----w c:\program files\Crawler
2009-04-03 20:21 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-03 18:43 --------- d-----w c:\program files\Common Files\Mozilla Shared
2009-04-03 07:07 137,992 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-03 07:06 201,816 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-03 05:53 --------- d-----w c:\documents and settings\Kabir Thind\Application Data\BitTorrent
2009-04-02 19:05 --------- d-----w c:\documents and settings\Kabir Thind\Application Data\Ableton
2009-04-02 10:18 --------- d-----w c:\program files\Native Instruments
2009-04-02 10:11 --------- d-----w c:\program files\AviSynth 2.5
2009-04-02 08:22 --------- d-----w c:\program files\Steinberg
2009-03-29 04:37 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-29 00:45 --------- d-----w c:\program files\Activision
2009-03-16 03:22 --------- d-----w c:\program files\Electronic Arts
2009-03-16 01:09 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2009-03-16 00:01 22,328 ----a-w c:\documents and settings\Kabir Thind\Application Data\PnkBstrK.sys
2009-03-13 04:05 --------- d-----w c:\documents and settings\Kabir Thind\Application Data\PACE Anti-Piracy
2009-03-13 04:05 --------- d-----w c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2009-03-13 03:53 --------- d-----w c:\program files\IObit
2009-03-13 03:53 --------- d-----w c:\documents and settings\Kabir Thind\Application Data\IObit
2009-03-13 01:09 --------- d-----w c:\program files\Syncrosoft
2009-03-13 01:09 --------- d-----w c:\program files\Sonik Synth 2
2009-03-13 01:09 --------- d-----w c:\program files\MagicISO
2009-03-13 01:09 --------- d-----w c:\program files\IrfanView
2009-03-13 01:09 --------- d-----w c:\program files\ImpFilterV2
2009-03-13 01:09 --------- d-----w c:\program files\Full Tilt Poker
2009-03-13 01:09 --------- d-----w c:\program files\CoreFTP
2009-03-13 01:09 --------- d-----w c:\documents and settings\Kabir Thind\Application Data\Ventrilo
2009-03-13 01:09 --------- d-----w c:\documents and settings\Kabir Thind\Application Data\DNA
2009-03-13 01:09 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-03-12 02:57 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-11 22:45 --------- d-----w c:\program files\BitTorrent
2009-03-10 02:40 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-27 01:26 --------- d-----w c:\program files\Creative Professional
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2008-04-20 19:09 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2008-11-15 2235920]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]
"SetDefaultMIDI"="MIDIDef.exe" [2008-03-20 c:\windows\system32\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-15 6803456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-06-15 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-26 185896]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-19 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-11 1601304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"nwiz"="nwiz.exe" [2005-06-15 c:\windows\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2008-03-20 c:\windows\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-03-20 c:\windows\system32\Ctxfihlp.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-11 19:57 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"= usbkt1x1.dll
"Midi2"= ma_cmidn.dll
"midi4"= ma_cmidn.dll
"midi6"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.ex

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142Pace.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\localizer\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\UBISOFT\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=
"c:\\Program Files\\DealBook 360\\DealBookFX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724


Re: win32/cryptor

Post by Kobra on Sat Apr 04, 2009 11:34 pm


R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-08-01 325128]
R1 LUMDriver;LUMDriver;c:\windows\system32\drivers\LUMDriver.sys [2003-07-11 14912]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-11 298264]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-07-26 84992]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-03-20 98328]
R3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys [2005-08-05 16896]
S0 pjcav;pjcav;c:\windows\system32\drivers\lbdip.sys --> c:\windows\system32\drivers\lbdip.sys [?]
S2 portD;ABS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S2 upwxghbb;Mouse HID Controller;c:\windows\System32\svchost.exe -k netsvcs [2004-08-04 14336]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\KABIRT~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\KABIRT~1\LOCALS~1\Temp\ALSysIO.sys [?]
S3 cel90xbe;cel90xbe;\??\c:\docume~1\KABIRT~1\LOCALS~1\Temp\cel90xbe.sys --> c:\docume~1\KABIRT~1\LOCALS~1\Temp\cel90xbe.sys [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-03-20 98328]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-03-20 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-03-20 171032]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-03-20 528920]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-03-20 528920]
S3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\system32\drivers\CTEAPSFX.sys [2008-03-20 163352]
S3 CTEAPSFX;CTEAPSFX;c:\windows\system32\drivers\CTEAPSFX.sys [2008-03-20 163352]
S3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\system32\drivers\CTEDSPFX.sys [2008-03-20 259096]
S3 CTEDSPFX;CTEDSPFX;c:\windows\system32\drivers\CTEDSPFX.sys [2008-03-20 259096]
S3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\system32\drivers\CTEDSPIO.sys [2008-03-20 134168]
S3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.sys [2008-03-20 134168]
S3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\system32\drivers\CTEDSPSY.sys [2008-03-20 309784]
S3 CTEDSPSY;CTEDSPSY;c:\windows\system32\drivers\CTEDSPSY.sys [2008-03-20 309784]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-03-20 99352]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-03-20 99352]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-03-20 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-03-20 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-03-20 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-03-20 72728]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-03-20 534040]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-03-20 534040]
S3 ma763004;M-Audio MobilePre USB;c:\windows\system32\drivers\MA763004.sys --> c:\windows\system32\drivers\MA763004.sys [?]
S3 PCAlertDriver;PCAlertDriver;\??\c:\program files\MSI\PC Alert 4\NTGLM7X.sys --> c:\program files\MSI\PC Alert 4\NTGLM7X.sys [?]
S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2005-08-02 13504]
S3 USBKS1X1;Midiman USB Keystation USB Driver;c:\windows\system32\drivers\usbks1x1.sys --> c:\windows\system32\drivers\usbks1x1.sys [?]
S3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [2005-08-02 22304]
S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;c:\windows\system32\drivers\usbmidim.sys --> c:\windows\system32\drivers\usbmidim.sys [?]
S4 Ati630hd.;Ati630hd.; [x]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
upwxghbb
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-03 c:\windows\Tasks\At1.job
- c:\windows\system32\lczusjg.dll []

2009-04-04 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2008-11-02 16:35]

2009-04-03 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2008-11-14 23:44]

2009-04-03 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\ [2009-04-04 15:18]

2009-03-16 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-02-13 18:15]

2009-03-16 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-03-12 20:53]

2009-04-04 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\Kabir Thind\Application Data\Mozilla\Firefox\Profiles\Kabir\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Crawler\firefox\components\xcomm.dll
FF - component: c:\program files\Crawler\firefox\components\xshared.dll
FF - component: c:\program files\Crawler\firefox\components\xsupport.dll
FF - component: c:\program files\Crawler\firefox\components\xwsg.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgooglevlc.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-04 16:31:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1229272821-220523388-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A1931E8A-1B06-6F93-A786-BD062C2F8EDF}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iajojfmlmogelhlmkg"=hex:69,61,67,70,63,6e,6b,6d,6c,63,6c,68,68,62,65,66,68,65,
00,00
"hadopijjpolamhom"=hex:6a,61,6d,6f,69,6d,70,67,6c,65,6d,62,68,62,65,6c,6c,62,
61,6a,00,00

[HKEY_USERS\S-1-5-21-1229272821-220523388-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8f,b3,ef,12,29,d2,b3,c8,47,c0,12,bb,b6,71,54,22,0f,b7,8b,1f,dc,b0,5a,
7f,4d,da,22,ea,eb,62,26,51,ef,6a,21,13,e9,0b,8f,1f,2f,60,d3,5b,02,25,3c,8a,\
"??"=hex:69,d6,f5,17,1e,ee,42,af,21,ca,3c,51,c5,83,69,01

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,e7,e7,7a,54,9f,
00,8d,9d,c8,28,51,af,b0,29,a3,98,fb,85,1f,ce,a7,bd,7f,58,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,6b,25,10,91,ca,
a9,74,ac,71,3b,04,66,8b,46,0d,96,54,9a,92,36,cb,33,d2,4c,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,20,a9,81,44,ed,
9d,2f,62,25,da,ec,7e,55,20,c9,26,82,41,a5,3e,67,a7,4d,4f,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,2c,fa,04,3e,49,
be,1e,dc,3e,1e,9e,e0,57,5a,93,61,80,48,c6,8c,ad,54,21,71,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,d3,be,5a,6d,26,
87,9d,b7,cd,44,cd,b9,a6,33,6c,cd,e1,1c,91,75,a2,89,1a,50,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,06,18,82,0b,f3,
cd,78,dd,b0,18,ed,a7,3f,8d,37,a4,c3,5d,5f,6d,f3,a3,92,12,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,ea,10,14,3d,9f,
81,c7,84,31,77,e1,ba,b1,f8,68,02,66,16,93,f0,fa,79,85,30,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,3b,6a,d9,b6,2d,
3e,37,cd,83,6c,56,8b,a0,85,96,ab,52,9f,d5,bc,99,9b,16,9e,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,94,36,2a,a5,60,
c9,13,05,51,fa,6e,91,28,9e,14,cc,f6,75,fa,2d,aa,5a,6f,e5,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,64,f0,23,e6,95,
f3,9d,c8,b1,cd,45,5a,a8,c4,f8,b9,b8,cd,8f,34,33,6e,9a,d6,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,96,ff,53,c3,94,
ee,2d,cf,e3,0e,66,d5,eb,bc,2f,6b,3b,ac,04,ac,f3,dc,fe,a0,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,ea,02,4e,0b,10,
81,13,9e,fa,ea,66,7f,d4,3b,6b,70,47,ae,cf,05,3c,ce,04,f0,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-04 16:32:17
ComboFix-quarantined-files.txt 2009-04-04 23:32:15
ComboFix2.txt 2009-04-04 22:57:52

Pre-Run: 53,027,213,312 bytes free
Post-Run: 53,001,584,640 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
345 --- E O F --- 2009-03-25 01:19:26

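A small triage pass over the "Drivers/Services", "Svchost - NetSvcs" and "Scheduled Tasks" sections of the ComboFix log posted above, added here as an example; it is not part of the thread and not ComboFix's own code. The sample log is a constructed subset of lines copied from the log plus benign entries for contrast, and the heuristics (image missing at scan time, driver in a user Temp folder, svchost service listed as a NetSvcs addition, At*.job running a DLL) are the reviewer's own, so a hit means "look closer", not "delete".

```python
"""Triage helper for the ComboFix log sections quoted in this thread (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the log above, plus benign
# entries (AVG, M-Audio, Apple) so the heuristics have something to leave alone.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-08-01 325128]
S0 pjcav;pjcav;c:\windows\system32\drivers\lbdip.sys --> c:\windows\system32\drivers\lbdip.sys [?]
S2 upwxghbb;Mouse HID Controller;c:\windows\System32\svchost.exe -k netsvcs [2004-08-04 14336]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\KABIRT~1\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\KABIRT~1\LOCALS~1\Temp\ALSysIO.sys [?]
S3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [2005-08-02 22304]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
upwxghbb
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-03 c:\windows\Tasks\At1.job
- c:\windows\system32\lczusjg.dll []
"""

# "<start> <name>;<display name>;<image path> [<stamp>]"; stamp is "?" when the file is missing.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s\[([^\]]*)\]$")
# "<date> <path to .job>", followed on the next line by "- <target> [<stamp>]".
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(\S.*\.job)$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str          # "service" or "task"
    name: str
    reasons: list


def netsvcs_additions(lines):
    """Names ComboFix prints under 'Svchost - NetSvcs' (entries added to the default group)."""
    names, collecting = set(), False
    for line in lines:
        if line.rstrip().endswith("Svchost - NetSvcs"):
            collecting = True
            continue
        if collecting:
            if line.strip() in ("", "."):
                break
            names.add(line.strip().lower())
    return names


def triage_services(lines, added_netsvcs):
    findings = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        _start, name, _display, image, stamp = m.groups()
        img = image.lower()
        reasons = []
        if stamp == "?":
            reasons.append("image file not found on disk at scan time")
        if "\\temp\\" in img:
            reasons.append("kernel driver loaded from a user Temp directory")
        if "svchost.exe -k netsvcs" in img and name.lower() in added_netsvcs:
            reasons.append("svchost-hosted service that was added to the NetSvcs group")
        if reasons:
            findings.append(Finding("service", name, reasons))
    return findings


def triage_tasks(lines):
    findings = []
    for i, line in enumerate(lines):
        m = TASK_RE.match(line.strip())
        if not m:
            continue
        job = m.group(1)
        target = lines[i + 1].strip().lower() if i + 1 < len(lines) else ""
        reasons = []
        if re.search(r"\\at\d+\.job$", job, re.IGNORECASE):
            reasons.append("At*.job name: task was created with the 'at' command")
        if target.endswith(".dll []"):
            reasons.append("target is a DLL and ComboFix printed no file stamp for it")
        if reasons:
            findings.append(Finding("task", job, reasons))
    return findings


def triage(log_text):
    """Run all heuristics over one log; returns a list of Finding."""
    lines = log_text.splitlines()
    return triage_services(lines, netsvcs_additions(lines)) + triage_tasks(lines)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:7s} {f.name}")
        for r in f.reasons:
            print(f"        - {r}")
```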

Re: win32/cryptor

Post by Belahzur on Sun Apr 05, 2009 12:02 am

Hello.
That didn't work right.

Please make sure you put my script inside the notepad file.

All the commands need to have a separate top line, Driver:: for example. Please make sure you copy/paste it all because it won't work otherwise.


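To catch the formatting problem Belahzur describes (every command on its own line, ending in "::"), here is a structural checker for a CFScript.txt, added as an example; it is not part of the thread and not ComboFix's own code. The directive names are the ones used in the script earlier in this thread, and the sample script is a constructed copy of it that deliberately contains a single-colon "RegNull:" header so the check fires.

```python
"""Structural checker for a ComboFix CFScript.txt (added example)."""
import re

# Directives seen in the script posted in this thread (assumed to be the accepted spellings).
KNOWN_DIRECTIVES = {"KILLALL", "FILE", "FOLDER", "DRIVER", "NETSVC", "DDS", "REGNULL", "REGLOCK"}

# Constructed sample: the thread's script, with "RegNull:" left with one colon on purpose.
SAMPLE_SCRIPT = r"""KILLALL::

File::
c:\windows\Tasks\At1.job

Folder::
c:\program files\Crawler

Driver::
pjcav
upwxghbb

NetSvc::
upwxghbb

RegNull:
[HKEY_USERS\S-1-5-21-1229272821-220523388-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A1931E8A-1B06-6F93-A786-BD062C2F8EDF}*]

RegLock::
[HKEY_USERS\S-1-5-21-1229272821-220523388-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A1931E8A-1B06-6F93-A786-BD062C2F8EDF}*]
"""

# A directive header is a bare word followed by one or two colons and nothing else.
HEADER_RE = re.compile(r"^([A-Za-z]+)(:{1,2})\s*$")


def parse_cfscript(text):
    """Return (sections, problems): sections maps DIRECTIVE -> entries in order."""
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            name, colons = m.group(1).upper(), m.group(2)
            if colons != "::":
                problems.append(f"line {lineno}: directive '{line}' must end with '::'")
            if name not in KNOWN_DIRECTIVES:
                problems.append(f"line {lineno}: unknown directive '{line}'")
            current = name
            sections.setdefault(current, [])
            continue
        if current is None:
            problems.append(f"line {lineno}: entry appears before any directive: {line}")
            continue
        sections[current].append(line)

    # Per-directive sanity checks on the entries themselves.
    for d in ("REGNULL", "REGLOCK"):
        for e in sections.get(d, []):
            if not (e.startswith("[") and e.endswith("]")):
                problems.append(f"{d}: entry is not a bracketed registry key: {e}")
    for d in ("FILE", "FOLDER"):
        for e in sections.get(d, []):
            if not re.match(r"^[a-z]:\\", e, re.IGNORECASE):
                problems.append(f"{d}: entry is not an absolute path: {e}")
    for d in ("DRIVER", "NETSVC"):
        for e in sections.get(d, []):
            if "\\" in e or e.lower().endswith(".sys"):
                problems.append(f"{d}: expects a service name, not a path: {e}")
    for d, entries in sections.items():
        if d != "KILLALL" and not entries:
            problems.append(f"{d}: directive has no entries")
    return sections, problems


if __name__ == "__main__":
    found, issues = parse_cfscript(SAMPLE_SCRIPT)
    for directive, entries in found.items():
        print(f"{directive}: {len(entries)} entr{'y' if len(entries) == 1 else 'ies'}")
    for issue in issues:
        print("PROBLEM:", issue)
```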

Re: win32/cryptor

Post by Kobra on Sun Apr 05, 2009 12:30 am

ComboFix 09-04-04.01 - Kabir Thind 2009-04-04 17:21:39.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1322 [GMT -7:00]
Running from: c:\documents and settings\Kabir Thind\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kabir Thind\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\Tasks\At1.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Crawler
c:\program files\Crawler\adrkeys.dat
c:\program files\Crawler\COMMON_FF.dat
c:\program files\Crawler\confirm.dat
c:\program files\Crawler\ctbcomm.dll
c:\program files\Crawler\ctbr.dll
c:\program files\Crawler\CTConf.dat
c:\program files\Crawler\CTipsDef.dll
c:\program files\Crawler\CToolbar.exe
c:\program files\Crawler\CUpdate.exe
c:\program files\Crawler\firefox\chrome.manifest
c:\program files\Crawler\firefox\chrome\common.jar
c:\program files\Crawler\firefox\chrome\stwsg.jar
c:\program files\Crawler\firefox\components\xcomm.dll
c:\program files\Crawler\firefox\components\xplugin.xpt
c:\program files\Crawler\firefox\components\xshared.dll
c:\program files\Crawler\firefox\components\xshared.xpt
c:\program files\Crawler\firefox\components\xsupport.dll
c:\program files\Crawler\firefox\components\xsupport.xpt
c:\program files\Crawler\firefox\components\xwsg.dll
c:\program files\Crawler\firefox\install.ini
c:\program files\Crawler\firefox\install.rdf
c:\program files\Crawler\firefox\stwsg_ff.ini
c:\program files\Crawler\Languages\STWSG_CS.cab
c:\program files\Crawler\Languages\STWSG_DE.cab
c:\program files\Crawler\Languages\STWSG_EN.cab
c:\program files\Crawler\Languages\STWSG_ES.cab
c:\program files\Crawler\Languages\STWSG_FR.cab
c:\program files\Crawler\Languages\STWSG_IT.cab
c:\program files\Crawler\Languages\STWSG_PT-BR.cab
c:\program files\Crawler\Languages\STWSG_PT.cab
c:\program files\Crawler\Languages\TBR5_CS.cab
c:\program files\Crawler\Languages\TBR5_DE.cab
c:\program files\Crawler\Languages\TBR5_EN.cab
c:\program files\Crawler\Languages\TBR5_ES.cab
c:\program files\Crawler\Languages\TBR5_FR.cab
c:\program files\Crawler\Languages\TBR5_IT.cab
c:\program files\Crawler\Languages\TBR5_NL.cab
c:\program files\Crawler\Languages\TBR5_PL.cab
c:\program files\Crawler\Languages\TBR5_PT-BR.cab
c:\program files\Crawler\Languages\TBR5_PT.cab
c:\program files\Crawler\Languages\TBR5_RU.cab
c:\program files\Crawler\lookfor.dat
c:\program files\Crawler\majorse.dat
c:\program files\Crawler\rootmenu.dat
c:\program files\Crawler\services.dat
c:\program files\Crawler\STWSG_FF.dat
c:\program files\Crawler\STWSGLanguageAct\info.ini
c:\program files\Crawler\STWSGLanguageAct\language.ini
c:\program files\Crawler\TBR5LanguageAct\info.ini
c:\program files\Crawler\TBR5LanguageAct\language.ini
c:\program files\Crawler\Update\domains.cab
c:\program files\Crawler\WebSecurityGuard.dll
c:\program files\Crawler\WSGData\domains\domains_000.dat
c:\program files\Crawler\WSGData\domains\domains_000_diff.dat
c:\program files\Crawler\WSGData\domains\domains_001.dat
c:\program files\Crawler\WSGData\domains\domains_001_diff.dat
c:\program files\Crawler\WSGData\domains\domains_002.dat
c:\program files\Crawler\WSGData\domains\domains_002_diff.dat
c:\program files\Crawler\WSGData\domains\domains_003.dat
c:\program files\Crawler\WSGData\domains\domains_003_diff.dat
c:\program files\Crawler\WSGData\domains\domains_004.dat
c:\program files\Crawler\WSGData\domains\domains_004_diff.dat
c:\program files\Crawler\WSGData\domains\domains_005.dat
c:\program files\Crawler\WSGData\domains\domains_005_diff.dat
c:\program files\Crawler\WSGData\domains\domains_006.dat
c:\program files\Crawler\WSGData\domains\domains_006_diff.dat
c:\program files\Crawler\WSGData\domains\domains_007.dat
c:\program files\Crawler\WSGData\domains\domains_007_diff.dat
c:\program files\Crawler\WSGData\domains\domains_008.dat
c:\program files\Crawler\WSGData\domains\domains_008_diff.dat
c:\program files\Crawler\WSGData\domains\domains_009.dat
c:\program files\Crawler\WSGData\domains\domains_009_diff.dat
c:\program files\Crawler\WSGData\domains\domains_010.dat
c:\program files\Crawler\WSGData\domains\domains_010_diff.dat
c:\program files\Crawler\WSGData\domains\domains_011.dat
c:\program files\Crawler\WSGData\domains\domains_011_diff.dat
c:\program files\Crawler\WSGData\domains\domains_012.dat
c:\program files\Crawler\WSGData\domains\domains_012_diff.dat
c:\program files\Crawler\WSGData\domains\domains_013.dat
c:\program files\Crawler\WSGData\domains\domains_013_diff.dat
c:\program files\Crawler\WSGData\domains\domains_014.dat
c:\program files\Crawler\WSGData\domains\domains_014_diff.dat
c:\program files\Crawler\WSGData\domains\domains_015.dat
c:\program files\Crawler\WSGData\domains\domains_015_diff.dat
c:\program files\Crawler\WSGData\domains\domains_016.dat
c:\program files\Crawler\WSGData\domains\domains_016_diff.dat
c:\program files\Crawler\WSGData\domains\domains_017.dat
c:\program files\Crawler\WSGData\domains\domains_017_diff.dat
c:\program files\Crawler\WSGData\domains\domains_018.dat
c:\program files\Crawler\WSGData\domains\domains_018_diff.dat
c:\program files\Crawler\WSGData\domains\domains_019.dat
c:\program files\Crawler\WSGData\domains\domains_019_diff.dat
c:\program files\Crawler\WSGData\domains\domains_020.dat
c:\program files\Crawler\WSGData\domains\domains_020_diff.dat
c:\program files\Crawler\WSGData\domains\domains_021.dat
c:\program files\Crawler\WSGData\domains\domains_021_diff.dat
c:\program files\Crawler\WSGData\domains\domains_022.dat
c:\program files\Crawler\WSGData\domains\domains_022_diff.dat
c:\program files\Crawler\WSGData\domains\domains_023.dat
c:\program files\Crawler\WSGData\domains\domains_023_diff.dat
c:\program files\Crawler\WSGData\domains\domains_024.dat
c:\program files\Crawler\WSGData\domains\domains_024_diff.dat
c:\program files\Crawler\WSGData\domains\domains_025.dat
c:\program files\Crawler\WSGData\domains\domains_025_diff.dat
c:\program files\Crawler\WSGData\domains\domains_026.dat
c:\program files\Crawler\WSGData\domains\domains_026_diff.dat
c:\program files\Crawler\WSGData\domains\domains_027.dat
c:\program files\Crawler\WSGData\domains\domains_027_diff.dat
c:\program files\Crawler\WSGData\domains\domains_028.dat
c:\program files\Crawler\WSGData\domains\domains_028_diff.dat
c:\program files\Crawler\WSGData\domains\domains_029.dat
c:\program files\Crawler\WSGData\domains\domains_029_diff.dat
c:\program files\Crawler\WSGData\domains\domains_030.dat
c:\program files\Crawler\WSGData\domains\domains_030_diff.dat
c:\program files\Crawler\WSGData\domains\domains_031.dat
c:\program files\Crawler\WSGData\domains\domains_031_diff.dat
c:\program files\Crawler\WSGData\domains\index.dat
c:\program files\Crawler\WSGData\g_S-1-5-21-1229272821-220523388-839522115-1003.dat
c:\program files\Crawler\WSGData\p_S-1-5-21-1229272821-220523388-839522115-1003.dat
c:\program files\Crawler\WSGData\w_S-1-5-21-1229272821-220523388-839522115-1003.dat
c:\program files\Crawler\WSGData\wfilter.dat
c:\windows\Tasks\At1.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ALSYSIO
-------\Legacy_CEL90XBE
-------\Legacy_UPWXGHBB
-------\Service_ALSysIO
-------\Service_cel90xbe
-------\Service_pjcav
-------\Service_upwxghbb


((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.

2009-04-04 15:12 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-04 15:12 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-04 00:39 . 2009-04-04 00:39 d-------- c:\program files\Trend Micro
2009-04-03 13:15 . 2009-04-03 13:15 d-------- c:\documents and settings\Kabir Thind\Application Data\Malwarebytes
2009-04-03 13:09 . 2009-04-04 15:12 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-03 13:09 . 2009-04-03 13:09 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-03 12:21 . 2009-04-03 12:21 d-------- c:\documents and settings\Kabir Thind\Application Data\uholamgu
2009-04-02 22:30 . 2009-04-02 22:30 d-------- c:\windows\system32\QuickTime
2009-04-02 22:30 . 2009-04-02 22:30 d-------- c:\documents and settings\All Users\Application Data\TechSmith
2009-04-02 22:30 . 2008-07-10 13:56 107,864 --a------ c:\windows\system32\tsccvid.dll
2009-04-02 22:29 . 2009-04-02 22:29 d-------- c:\program files\TechSmith
2009-04-02 22:29 . 2009-04-02 22:29 d-------- c:\program files\Common Files\TechSmith Shared
2009-03-31 22:48 . 2009-03-31 22:48 d-------- c:\program files\Common Files\Bcgsoft
2009-03-31 19:04 . 2009-03-31 19:04 d-------- c:\documents and settings\Kabir Thind\Application Data\Global Forex Trading
2009-03-31 18:52 . 2009-03-31 18:52 d-------- c:\program files\DealBook 360
2009-03-31 18:52 . 2009-03-31 18:52 d-------- c:\documents and settings\Kabir Thind\Application Data\InstallShield Installation Information
2009-03-15 20:53 . 2009-03-15 20:53 d-------- c:\documents and settings\Kabir Thind\Application Data\Red Alert 3
2009-03-15 17:01 . 2009-03-15 17:01 319 --a------ c:\windows\game.ini
2009-03-12 21:12 . 2009-03-12 21:12 d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-03-12 13:11 . 2009-04-02 13:25 d-------- c:\program files\thinkorswim
2009-03-11 19:57 . 2009-03-11 19:57 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-03-11 18:11 . 2009-03-11 18:11 d-------- c:\documents and settings\Kabir Thind\Application Data\The Creative Assembly
2009-03-11 18:09 . 2009-03-28 23:29 d-------- c:\windows\Logs
2009-03-11 18:09 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll
2009-03-11 18:09 . 2007-03-12 16:42 1,123,696 --a------ c:\windows\system32\D3DCompiler_33.dll
2009-03-11 18:09 . 2007-03-15 16:57 443,752 --a------ c:\windows\system32\d3dx10_33.dll
2009-03-11 18:09 . 2007-04-04 18:55 261,480 --a------ c:\windows\system32\xactengine2_7.dll
2009-03-11 18:09 . 2007-01-24 15:27 255,848 --a------ c:\windows\system32\xactengine2_6.dll
2009-03-11 18:09 . 2006-12-08 12:02 251,672 --a------ c:\windows\system32\xactengine2_5.dll
2009-03-11 15:47 . 2008-10-24 04:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-11 15:46 . 2008-09-04 10:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-03-11 15:46 . 2008-10-15 09:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-03-11 15:22 . 2009-03-11 15:22 d-------- c:\program files\Linksys Wireless-G PCI Wireless Network Monitor
2009-03-11 15:22 . 2005-10-27 15:06 356,096 --a------ c:\windows\system32\rt61.sys
2009-03-11 15:22 . 2005-10-27 15:06 356,096 --a------ c:\windows\system32\drivers\rt61.sys
2009-03-11 15:22 . 2005-10-20 15:00 243,328 --a------ c:\windows\system32\rt2500.sys
2009-03-11 15:22 . 2003-10-13 15:30 94,208 --a------ c:\windows\system32\GTW32N50.dll
2009-03-11 15:22 . 2003-09-25 23:28 31,930 --a------ c:\windows\system32\GTNDIS3.VXD
2009-03-11 15:22 . 2009-03-11 15:22 20,747 --a------ c:\windows\system32\drivers\AegisP.sys
2009-03-11 15:22 . 2005-02-01 18:18 17,992 --a------ c:\windows\system32\drivers\bcm42rly.sys
2009-03-11 15:22 . 2005-02-01 18:18 17,992 --a------ c:\windows\system32\bcm42rly.sys
2009-03-11 15:22 . 2005-02-01 18:18 17,992 --a------ c:\windows\bcm42rly.sys
2009-03-11 15:22 . 2003-09-25 22:15 15,872 --a------ c:\windows\system32\GTNDIS5.sys
2009-03-11 15:22 . 2005-11-07 03:51 7,878 --a------ c:\windows\system32\RT2500.CAT
2009-03-11 15:22 . 2005-11-09 04:41 7,870 --a------ c:\windows\system32\rt61.cat
2009-03-11 15:21 . 2009-03-11 15:21 920 --a------ c:\windows\system32\WLAN.INI
2009-03-09 21:30 . 2009-03-16 17:22 d-------- c:\program files\SpeedFan
2009-03-09 21:30 . 2009-03-09 21:30 45 --a------ c:\windows\system32\initdebug.nfo
2009-03-09 20:28 . 2009-03-09 20:28 d-------- c:\program files\Motherboard Monitor 5
2009-03-09 20:28 . 2004-04-10 09:42 2,944 --a------ c:\windows\system32\mbmiodrvr.sys
2009-03-09 19:41 . 2009-03-09 19:41 d-------- c:\windows\system32\AGEIA
2009-03-09 19:41 . 2009-03-09 19:41 d-------- c:\program files\AGEIA Technologies
2009-03-09 19:35 . 2009-03-28 21:43 d-------- c:\program files\UBISOFT
2009-03-09 19:35 . 2009-03-09 19:35 d-------- c:\documents and settings\Kabir Thind\Application Data\InstallShield

Kobra
Novice

Posts : 23
Joined : 2009-04-03
OS : XP Pro

Re: win32/cryptor

Post by Kobra on Sun Apr 05, 2009 12:31 am


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-03 20:21 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-03 18:43 --------- d-----w c:\program files\Common Files\Mozilla Shared
2009-04-03 07:07 137,992 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-03 05:53 --------- d-----w c:\documents and settings\Kabir Thind\Application Data\BitTorrent
2009-04-02 19:05 --------- d-----w c:\documents and settings\Kabir Thind\Application Data\Ableton
2009-04-02 10:18 --------- d-----w c:\program files\Native Instruments
2009-04-02 10:11 --------- d-----w c:\program files\AviSynth 2.5
2009-04-02 08:22 --------- d-----w c:\program files\Steinberg
2009-03-29 04:37 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-29 00:45 --------- d-----w c:\program files\Activision
2009-03-16 03:22 --------- d-----w c:\program files\Electronic Arts
2009-03-16 00:01 22,328 ----a-w c:\documents and settings\Kabir Thind\Application Data\PnkBstrK.sys
2009-03-13 04:05 --------- d-----w c:\documents and settings\Kabir Thind\Application Data\PACE Anti-Piracy
2009-03-13 04:05 --------- d-----w c:\documents and settings\All Users\Application Data\PACE Anti-Piracy
2009-03-13 03:53 --------- d-----w c:\program files\IObit
2009-03-13 03:53 --------- d-----w c:\documents and settings\Kabir Thind\Application Data\IObit
2009-03-13 01:09 --------- d-----w c:\program files\Syncrosoft
2009-03-13 01:09 --------- d-----w c:\program files\Sonik Synth 2
2009-03-13 01:09 --------- d-----w c:\program files\MagicISO
2009-03-13 01:09 --------- d-----w c:\program files\IrfanView
2009-03-13 01:09 --------- d-----w c:\program files\ImpFilterV2
2009-03-13 01:09 --------- d-----w c:\program files\Full Tilt Poker
2009-03-13 01:09 --------- d-----w c:\program files\CoreFTP
2009-03-13 01:09 --------- d-----w c:\documents and settings\Kabir Thind\Application Data\Ventrilo
2009-03-13 01:09 --------- d-----w c:\documents and settings\Kabir Thind\Application Data\DNA
2009-03-13 01:09 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-03-12 02:57 325,128 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-11 22:45 --------- d-----w c:\program files\BitTorrent
2009-03-10 02:40 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-27 01:26 --------- d-----w c:\program files\Creative Professional
2008-04-20 19:09 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.


((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 03:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2008-11-15 2235920]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-02-06 3325952]
"SetDefaultMIDI"="MIDIDef.exe" [2008-03-20 c:\windows\system32\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"DAEMON Tools-1033"="c:\program files\D-Tools\daemon.exe" [2004-08-22 81920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-15 6803456]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-06-15 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-26 185896]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 868352]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-19 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-03-21 1953792]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-11 1601304]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"nwiz"="nwiz.exe" [2005-06-15 c:\windows\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2008-03-20 c:\windows\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-03-20 c:\windows\system32\Ctxfihlp.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-11 19:57 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"Midi1"= usbkt1x1.dll
"Midi2"= ma_cmidn.dll
"midi4"= ma_cmidn.dll
"midi6"= ma_cmidn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.ex

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142Pace.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\localizer\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\UBISOFT\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=
"c:\\Program Files\\DealBook 360\\DealBookFX.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-08-01 325128]
R1 LUMDriver;LUMDriver;c:\windows\system32\drivers\LUMDriver.sys [2003-07-11 14912]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-11 298264]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-07-26 84992]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-03-20 98328]
R3 SynasUSB;SynasUSB;c:\windows\system32\drivers\SynasUSB.sys [2005-08-05 16896]
S2 portD;ABS PortIO Service;c:\windows\system32\DRIVERS\portd2k.sys --> c:\windows\system32\DRIVERS\portd2k.sys [?]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-03-20 98328]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2008-03-20 171032]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2008-03-20 171032]
S3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-03-20 528920]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-03-20 528920]
S3 CTEAPSFX.SYS;CTEAPSFX.SYS;c:\windows\system32\drivers\CTEAPSFX.sys [2008-03-20 163352]
S3 CTEAPSFX;CTEAPSFX;c:\windows\system32\drivers\CTEAPSFX.sys [2008-03-20 163352]
S3 CTEDSPFX.SYS;CTEDSPFX.SYS;c:\windows\system32\drivers\CTEDSPFX.sys [2008-03-20 259096]
S3 CTEDSPFX;CTEDSPFX;c:\windows\system32\drivers\CTEDSPFX.sys [2008-03-20 259096]
S3 CTEDSPIO.SYS;CTEDSPIO.SYS;c:\windows\system32\drivers\CTEDSPIO.sys [2008-03-20 134168]
S3 CTEDSPIO;CTEDSPIO;c:\windows\system32\drivers\CTEDSPIO.sys [2008-03-20 134168]
S3 CTEDSPSY.SYS;CTEDSPSY.SYS;c:\windows\system32\drivers\CTEDSPSY.sys [2008-03-20 309784]
S3 CTEDSPSY;CTEDSPSY;c:\windows\system32\drivers\CTEDSPSY.sys [2008-03-20 309784]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-03-20 99352]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-03-20 99352]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2008-03-20 1324056]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2008-03-20 1324056]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2008-03-20 72728]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2008-03-20 72728]
S3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-03-20 534040]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-03-20 534040]
S3 ma763004;M-Audio MobilePre USB;c:\windows\system32\drivers\MA763004.sys --> c:\windows\system32\drivers\MA763004.sys [?]
S3 PCAlertDriver;PCAlertDriver;\??\c:\program files\MSI\PC Alert 4\NTGLM7X.sys --> c:\program files\MSI\PC Alert 4\NTGLM7X.sys [?]
S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2005-08-02 13504]
S3 USBKS1X1;Midiman USB Keystation USB Driver;c:\windows\system32\drivers\usbks1x1.sys --> c:\windows\system32\drivers\usbks1x1.sys [?]
S3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [2005-08-02 22304]
S3 USBMIDIM;Midiman USB MidiSport Midi Kernel Driver;c:\windows\system32\drivers\usbmidim.sys --> c:\windows\system32\drivers\usbmidim.sys [?]
S4 Ati630hd.;Ati630hd.; [x]

Re: win32/cryptor

Post by Kobra on Sun Apr 05, 2009 12:32 am



--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2009-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-05 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2008-11-02 16:35]

2009-04-03 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2008-11-14 23:44]

2009-04-03 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\ [2009-04-04 17:25]

2009-03-16 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2009-02-13 18:15]

2009-03-16 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\ [2009-03-12 20:53]

2009-04-05 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE []
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\Kabir Thind\Application Data\Mozilla\Firefox\Profiles\Kabir\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgooglevlc.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-04 17:24:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1229272821-220523388-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A1931E8A-1B06-6F93-A786-BD062C2F8EDF}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iajojfmlmogelhlmkg"=hex:69,61,67,70,63,6e,6b,6d,6c,63,6c,68,68,62,65,66,68,65,
00,00
"hadopijjpolamhom"=hex:6a,61,6d,6f,69,6d,70,67,6c,65,6d,62,68,62,65,6c,6c,62,
61,6a,00,00

[HKEY_USERS\S-1-5-21-1229272821-220523388-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:8f,b3,ef,12,29,d2,b3,c8,47,c0,12,bb,b6,71,54,22,0f,b7,8b,1f,dc,b0,5a,
7f,4d,da,22,ea,eb,62,26,51,ef,6a,21,13,e9,0b,8f,1f,2f,60,d3,5b,02,25,3c,8a,\
"??"=hex:69,d6,f5,17,1e,ee,42,af,21,ca,3c,51,c5,83,69,01

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:2e,e8,e1,00,eb,16,2b,de,e7,e7,7a,54,9f,
00,8d,9d,c8,28,51,af,b0,29,a3,98,fb,85,1f,ce,a7,bd,7f,58,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,6b,25,10,91,ca,
a9,74,ac,71,3b,04,66,8b,46,0d,96,54,9a,92,36,cb,33,d2,4c,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,20,a9,81,44,ed,
9d,2f,62,25,da,ec,7e,55,20,c9,26,82,41,a5,3e,67,a7,4d,4f,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,2c,fa,04,3e,49,
be,1e,dc,3e,1e,9e,e0,57,5a,93,61,80,48,c6,8c,ad,54,21,71,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,d3,be,5a,6d,26,
87,9d,b7,cd,44,cd,b9,a6,33,6c,cd,e1,1c,91,75,a2,89,1a,50,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,06,18,82,0b,f3,
cd,78,dd,b0,18,ed,a7,3f,8d,37,a4,c3,5d,5f,6d,f3,a3,92,12,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,ea,10,14,3d,9f,
81,c7,84,31,77,e1,ba,b1,f8,68,02,66,16,93,f0,fa,79,85,30,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,3b,6a,d9,b6,2d,
3e,37,cd,83,6c,56,8b,a0,85,96,ab,52,9f,d5,bc,99,9b,16,9e,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,94,36,2a,a5,60,
c9,13,05,51,fa,6e,91,28,9e,14,cc,f6,75,fa,2d,aa,5a,6f,e5,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,64,f0,23,e6,95,
f3,9d,c8,b1,cd,45,5a,a8,c4,f8,b9,b8,cd,8f,34,33,6e,9a,d6,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,96,ff,53,c3,94,
ee,2d,cf,e3,0e,66,d5,eb,bc,2f,6b,3b,ac,04,ac,f3,dc,fe,a0,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,ea,02,4e,0b,10,
81,13,9e,fa,ea,66,7f,d4,3b,6b,70,47,ae,cf,05,3c,ce,04,f0,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
c:\windows\system32\wscntfy.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Microsoft IntelliType Pro\dpupdchk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-04-04 17:28:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-05 00:28:27
ComboFix2.txt 2009-04-04 23:32:17
ComboFix3.txt 2009-04-04 22:57:52

Pre-Run: 52,994,801,664 bytes free
Post-Run: 52,860,911,616 bytes free

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
495 --- E O F --- 2009-03-25 01:19:26

Re: win32/cryptor

Post by Kobra on Sun Apr 05, 2009 12:34 am

I will be back in a few. Need to get some errands done.

Re: win32/cryptor

Post by Belahzur on Sun Apr 05, 2009 12:35 am

Hello.
This looks much better now. No problem, take your time, because the malware is gone now.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

I just wanna take a peek at what's installed.

  • Open HijackThis
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

Re: win32/cryptor

Post by Kobra on Sun Apr 05, 2009 12:37 am


Ableton Live v6.0.7
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.1.0
Advanced SystemCare 3
AGEIA PhysX v7.05.17
Apple Mobile Device Support
Apple Software Update
Arturia Minimoog V v1.0
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
Atmosphere
AudioConverter Studio 5.4
AVG Free 8.0
Battlefield 2(TM)
Battlefield 2142
Blue Cat's FreqAnalyst - VST
Bonjour
Camtasia Studio 6
Catalyst Control Center - Branding
CCleaner (remove only)
Command & Conquer 3
Core FTP LE 2.1
Crawler Toolbar with Web Security Guard
Creative Audio Console
DAEMON Tools
DealBook 360
DH Driver Cleaner Professional Edition
DivX Codec
DivX Converter
DivX Player
DivX Web Player
EA Download Manager
File Scavenger 3.0
Full Tilt Poker
GiPo@MoveOnBoot 1.9.5
Google Video Viewer 1.0 (based on VLC 0.8.2 Player)
Half-Life(R) 2
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
iPod for Windows 2006-01-10
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
JMB36X Raid Configurer
Linksys Wireless-G PCI Adapter
Live 7.0.3
MA_CMIDI
Macromedia Flash Player 8
Macromedia Shockwave Player
Magic ISO Maker v5.4 (build 0256)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Motherboard Monitor 5
Mozilla Firefox (3.0.7)
MSN
MSXML 6.0 Parser (KB933579)
Native Instruments Battery 2
Native Instruments Elektrik Piano
Native Instruments FM7
NTI Backup NOW! 4 Trial
NTI CD & DVD-Maker Platinum Trial
PowerDVD
PunkBuster Services
QuickTime
RealPlayer
Reason 3.0
ReBirth RB-338 2.0
Rome - Total War(TM)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Smart Defrag 1.11
Sonik Synth 2
SoulSeek Client 156c
SoundMAX
SpeedFan (remove only)
Steam(TM)
Steinberg Cubase SX 3
Syncrosoft's License Control
thinkorswim
Tom Clancy's Ghost Recon Advanced Warfighter® 2
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
USB Keyboard Device 1.0.1.0
Ventrilo Client
VideoLAN VLC media player 0.8.6f
Videora iPod classic Converter 3.07
WAV - MP3 Converter Encoder
Winamp (remove only)
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver
WinZip
World of Warcraft


Dude, you're awesome.


Re: win32/cryptor

Post by Kobra on Sun Apr 05, 2009 12:41 am

Should I turn on my AV program?


Re: win32/cryptor

Post by Kobra on Sun Apr 05, 2009 3:29 am

Alright, 2 problems I noticed.

1) It won't let me go through various restore points. It just stays on the current month at the last restore point.

Edit: Sound issue fixed.


Re: win32/cryptor

Post by Belahzur on Sun Apr 05, 2009 12:17 pm

Hello.
Don't use system restore, the restore points could be infected.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    Adobe Reader 7.1.0
    J2SE Runtime Environment 5.0 Update 11
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1


Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the first option where it says "This release includes the highly anticipated...".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe that you downloaded to install the newest version.
Please make sure the new version of Java is installed before you run JavaRa.

Please download JavaRa from [You must be registered and logged in to see this link.]

  • First, unzip it.
  • Then run JavaRa. (If you are running Vista, you will need to right click JavaRa > select "Run as administrator")
  • Select English from the drop down menu and press Select.
  • This will open JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.

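The post above asks for every older JRE to be removed so that only the current release stays installed. As an added example (not from the thread or from JavaRa), the script below parses an installed-programs listing in the format ComboFix prints, recognises the Sun JRE display names seen on this page, and reports which entries are superseded by the newest one present; the listing is constructed sample input, with "Java(TM) 6 Update 13" assumed as the display name the jre-6u13 installer produces.

```python
import re

# Constructed sample in the style of ComboFix's installed-programs list.
SAMPLE_PROGRAMS = """\
Adobe Reader 7.1.0
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 13
Windows XP Service Pack 3
"""

# Display names Sun used for JRE installs of this era:
#   "J2SE Runtime Environment 5.0 Update 11"
#   "Java(TM) 6 Update 3"
#   "Java(TM) SE Runtime Environment 6 Update 1"
JAVA_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java\(TM\)(?: SE Runtime Environment)?)\s+"
    r"(?P<major>\d+(?:\.\d+)?)\s+Update\s+(?P<update>\d+)$"
)


def parse_java_entries(listing):
    """Return [(display_name, (family, update))] for each JRE line found."""
    found = []
    for raw in listing.splitlines():
        line = raw.strip()
        m = JAVA_RE.match(line)
        if not m:
            continue
        # "5.0" and "6" both map to their integer family (5, 6).
        family = int(m.group("major").split(".")[0])
        found.append((line, (family, int(m.group("update")))))
    return found


def superseded_java(listing):
    """Display names of every JRE older than the newest one installed.
    This is the rule the helper applies: keep only the current release."""
    entries = parse_java_entries(listing)
    if not entries:
        return []
    newest = max(version for _, version in entries)
    return [name for name, version in entries if version < newest]


if __name__ == "__main__":
    for name in superseded_java(SAMPLE_PROGRAMS):
        print("remove:", name)
```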
