Evil Win32 Cryptor Virus will not disappear


Evil Win32 Cryptor Virus will not disappear

Post by brew311 on 6th April 2009, 1:37 am

Well, I'm like many users on here and have the dreaded Win32 Cryptor virus. I've been attacking it but haven't had any success. I've run AVG 8.5 and it continues to tell me that Cryptor is infecting c:\windows\system32\vkvdpoi.dll. I run through the normal steps of running Malware, Spybot S&D and the antivirus software. It has also infected explorer.exe, winlogon.exe and iexplorer.exe. I believe this Cryptor virus has shut down my Windows Update and firewall.

brew311
Intermediate

Posts : 54
Joined : 2009-04-05
OS : xp
Points : 28374
# Likes : 0

Re: Evil Win32 Cryptor Virus will not disappear

Post by brew311 on 6th April 2009, 1:38 am

Here is my Malwarebytes log:

Malwarebytes' Anti-Malware 1.35
Database version: 1942
Windows 5.1.2600 Service Pack 3

4/5/2009 7:31:59 PM
mbam-log-2009-04-05 (19-31-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 200914
Time elapsed: 1 hour(s), 44 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Evil Win32 Cryptor Virus will not disappear

Post by brew311 on 6th April 2009, 1:38 am

Now here is my hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:36:45, on 4/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPUser.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Microsoft Windows Feedback Panel\wfpasieve.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\trend micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {1dfda642-5f6e-4d5f-85bb-9c3f9cb0fcf4} - c:\windows\system32\vkvdpoi.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] "C:\Program Files\Dell\QuickSet\quickset.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
O4 - HKLM\..\Run: [AVG8_TRAY] "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKCU\..\Run: [ctfmon.exe] "C:\WINDOWS\system32\ctfmon.exe"
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - [You must be registered and logged in to see this link.]
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{78ECA568-4FF0-4D82-BED8-25ADFD29525D}: NameServer = 192.168.2.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: jpoposzg - C:\WINDOWS\SYSTEM32\vkvdpoi.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Cobian Backup 8 service (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Desktop Manager 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~2\wdsvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. ([You must be registered and logged in to see this link.] - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 15113 bytes


Re: Evil Win32 Cryptor Virus will not disappear

Post by Belahzur on 6th April 2009, 2:45 am

Hello.

I strongly recommend that you remove Ask from your computer because it is:

  • Promoting its toolbars on sites targeted to kids.
  • Promoting its toolbars through ads that appear to be part of other companies' sites.
  • Promoting its toolbars through other companies' spyware.
  • Installing without any disclosure whatsoever and without any consent whatsoever.
  • Soliciting installations via "deceptive door openers" that do not accurately describe the offer; failing to affirmatively show a license agreement; linking to a EULA via an off-screen link.
  • Making confusing changes to users' browsers -- increasing Ask's revenues while taking users to pages they didn't intend to visit.
See [You must be registered and logged in to see this link.] for more info.

If you choose to follow my recommendation then please go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Ask Toolbar
Then please find and delete this folder (if present):
C:\Program Files\Ask.com

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: (no name) - {1dfda642-5f6e-4d5f-85bb-9c3f9cb0fcf4} - c:\windows\system32\vkvdpoi.dll
    O20 - Winlogon Notify: jpoposzg - C:\WINDOWS\SYSTEM32\vkvdpoi.dll
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
# Likes : 1

Re: Evil Win32 Cryptor Virus will not disappear

Post by brew311 on 6th April 2009, 2:49 am

I'll give that a shot and I'll post the results ASAP.


Re: Evil Win32 Cryptor Virus will not disappear

Post by brew311 on 6th April 2009, 3:06 am

Here is my MBAM log:

Malwarebytes' Anti-Malware 1.35
Database version: 1943
Windows 5.1.2600 Service Pack 3

4/5/2009 9:04:15 PM
mbam-log-2009-04-05 (21-04-15).txt

Scan type: Quick Scan
Objects scanned: 81921
Time elapsed: 7 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: Evil Win32 Cryptor Virus will not disappear

Post by Belahzur on 6th April 2009, 3:09 am

Hello.
I think there is a malicious driver running.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here; I don't need to see attach.txt.




Re: Evil Win32 Cryptor Virus will not disappear

Post by brew311 on 6th April 2009, 3:17 am

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPUser.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Microsoft Windows Feedback Panel\wfpasieve.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\trend micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Loren Mickelson\Desktop\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
BHO: : {1dfda642-5f6e-4d5f-85bb-9c3f9cb0fcf4} - c:\windows\system32\vkvdpoi.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ask.com Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
uRun: [WMPNSCFG] "c:\program files\windows media player\WMPNSCFG.exe"
uRun: [SUPERAntiSpyware] "c:\program files\superantispyware\SUPERAntiSpyware.exe"
uRun: [ctfmon.exe] "c:\windows\system32\ctfmon.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [Dell QuickSet] "c:\program files\dell\quickset\quickset.exe"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Cobian Backup 8 interface] "c:\program files\cobian backup 8\cbInterface.exe" -service
mRun: [MSConfig] "c:\windows\pchealth\helpctr\binaries\MSConfig.exe" /auto
mRun: [AVG8_TRAY] "c:\progra~1\avg\avg8\avgtray.exe"
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [Ad-Watch] "c:\program files\lavasoft\ad-aware\AAWTray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
mRunOnce: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /install /silent
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
StartupFolder: c:\docume~1\lorenm~1\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {01113300-3E00-11D2-8470-0060089874ED} - [You must be registered and logged in to see this link.]
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - [You must be registered and logged in to see this link.]
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - [You must be registered and logged in to see this link.]
DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - [You must be registered and logged in to see this link.]
DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - [You must be registered and logged in to see this link.]
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - [You must be registered and logged in to see this link.]
DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - [You must be registered and logged in to see this link.]
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
DPF: {E856B973-45FD-4559-8F82-EAB539144667} - [You must be registered and logged in to see this link.]
TCP: {78ECA568-4FF0-4D82-BED8-25ADFD29525D} = 192.168.2.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: jpoposzg - vkvdpoi.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL


Re: Evil Win32 Cryptor Virus will not disapear

Post by brew311 on 6th April 2009, 3:18 am

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\lorenm~1\applic~1\mozilla\firefox\profiles\mu5vrrjx.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\loren mickelson\application data\mozilla\firefox\profiles\mu5vrrjx.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint_.dll

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-2-26 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-4-4 12552]
R0 jqdfhlls;jqdfhlls;c:\windows\system32\drivers\jqdfhlls.sys [2004-8-19 23424]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-4 325640]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-4 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-4 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-4 298264]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-4-4 1356616]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSAgent.exe [2009-2-26 5576712]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSWatcher.exe [2009-2-26 563720]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2008-10-28 156968]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2009-2-25 4048240]
R2 WFPService;WFPService;c:\program files\microsoft windows feedback panel\wfpservice.exe [2006-6-13 179000]
R2 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-2-8 1178728]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-4-4 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-2-26 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-2-26 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSShim.sys [2009-2-26 27232]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S1 12208e92;12208e92;c:\windows\system32\drivers\12208e92.sys --> c:\windows\system32\drivers\12208e92.sys [?]
S2 euvbphrk;1394 Net Controller;c:\windows\system32\svchost.exe -k netsvcs [2004-8-19 14336]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-4-4 29208]
S3 GoogleDesktopManager-010108-205858;Google Desktop Manager 5.7.801.1629;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-1-14 29744]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-12-10 24652]

=============== Created Last 30 ================

2009-04-05 20:55 --d----- c:\program files\MALWAREBYTES ANTI-MALWARE
2009-04-05 17:04 --d----- c:\program files\Panda Security
2009-04-05 16:58 --d----- C:\HaxFix
2009-04-05 15:34 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-05 14:34 --d----- C:\Lop SD
2009-04-05 12:14 --d----- C:\VundoFix Backups
2009-04-04 17:22 -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-04 17:21 --d----- c:\program files\Lavasoft
2009-04-04 16:05 --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2009-04-04 16:04 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-04-04 16:04 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-04 16:04 --d----- c:\windows\system32\drivers\Avg
2009-04-04 16:04 --d----- c:\docume~1\lorenm~1\applic~1\AVGTOOLBAR
2009-04-04 16:03 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-04 16:03 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-04 16:01 50,968 a------- c:\windows\system32\avgfwdx.dll
2009-04-04 16:01 29,208 a------- c:\windows\system32\drivers\avgfwdx.sys
2009-04-04 16:01 --d----- c:\program files\AVG
2009-04-03 23:50 2,158 a------- c:\windows\system32\ssmute.ini
2009-04-03 23:50 --d----- c:\program files\interMute
2009-04-03 23:37 516 a------- C:\Settings.ini
2009-04-03 23:37 --d-h--- c:\windows\system32\WLANProfiles
2009-04-03 23:37 --d-h--- C:\Settings
2009-04-03 23:35 177,152 -------- c:\windows\system32\dllcache\msctfime.ime
2009-04-03 22:33 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-04-03 22:32 --d----- c:\documents and settings\loren mickelson\.housecall6.6
2009-04-03 22:24 162,304 a------- c:\windows\system32\ztvunrar36.dll
2009-04-03 22:24 153,088 a------- c:\windows\system32\UNRAR3.dll
2009-04-03 22:24 77,312 a------- c:\windows\system32\ztvunace26.dll
2009-04-03 22:24 75,264 a------- c:\windows\system32\unacev2.dll
2009-04-03 22:24 69,632 a------- c:\windows\system32\ztvcabinet.dll
2009-04-03 22:24 --d----- c:\program files\Trojan Remover
2009-04-03 22:24 --d----- c:\docume~1\lorenm~1\applic~1\Simply Super Software
2009-04-03 22:24 --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2009-04-03 17:04 3,864 a------- c:\windows\system32\tmp.reg
2009-04-02 14:32 --d----- c:\program files\Spybot - Search & Destroy
2009-04-02 14:32 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-04-02 14:28 --d----- C:\SDFix
2009-04-01 13:16 1,324 a------- c:\windows\system32\d3d9caps.dat
2009-04-01 13:02 2,148 a------- c:\windows\system32\wpa.dbl
2009-04-01 12:55 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-04-01 12:52 0 a------- c:\windows\system32\hctcwiu.dll.bak
2009-03-31 19:41 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-31 19:40 --d----- c:\program files\SUPERAntiSpyware
2009-03-31 19:40 --d----- c:\docume~1\lorenm~1\applic~1\SUPERAntiSpyware.com
2009-03-31 19:40 --d----- c:\program files\common files\Wise Installation Wizard
2009-03-31 18:55 --d----- c:\docume~1\lorenm~1\applic~1\gyvrpnji
2009-03-31 18:42 --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-03-31 18:28 --dsh--- c:\documents and settings\loren mickelson\IECompatCache
2009-03-31 18:24 --d----- c:\program files\CCleaner
2009-03-31 18:18 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-31 18:10 --d----- c:\program files\trend micro
2009-03-31 17:48 --d----- C:\_OTMoveIt
2009-03-31 17:40 --dsh--- c:\documents and settings\loren mickelson\PrivacIE
2009-03-31 17:36 --dsh--- c:\documents and settings\loren mickelson\IETldCache
2009-03-31 17:28 -cd-h--- c:\windows\ie8
2009-03-30 17:49 164 a------- c:\windows\install.dat
2009-03-28 15:19 116,736 a------- c:\windows\system32\drivers\mcdbus.sys
2009-03-28 15:19 --d----- c:\program files\MagicDisc
2009-03-28 15:13 --d----- c:\program files\MagicISO
2009-03-28 13:09 --d----- c:\program files\common files\Macrovision Shared
2009-03-28 13:08 --d----- c:\program files\Rosetta Stone
2009-03-28 13:08 --d----- c:\docume~1\alluse~1\applic~1\Rosetta Stone
2009-03-22 17:20 --d----- c:\program files\PeerGuardian2
2009-03-19 21:42 --d-h--- C:\$AVG8.VAULT$
2009-03-19 21:26 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-09 13:48 --d----- c:\docume~1\lorenm~1\applic~1\Malwarebytes
2009-03-09 13:48 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-09 13:48 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-09 13:48 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-09 13:48 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-08 21:11 --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-03-08 21:08 --d----- c:\program files\common files\Symantec Shared
2009-03-08 16:58 26,112 a------- c:\windows\system32\dllcache\userinit.exe
2009-03-08 04:33 18,944 -------- c:\windows\system32\dllcache\corpol.dll
2009-03-07 14:28 --d----- c:\program files\uTorrent

==================== Find3M ====================

2009-03-08 16:56 14,336 a------- c:\windows\system32\svchost.exe
2009-03-08 16:56 14,336 a------- c:\windows\system32\dllcache\svchost.exe
2009-03-08 14:09 638,816 a------- c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09 391,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 04:41 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:39 11,063,808 a------- c:\windows\system32\dllcache\ieframe.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34 1,206,784 a------- c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34 236,544 a------- c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-03-08 04:34 193,536 a------- c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34 109,568 a------- c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33 759,296 a------- c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33 726,528 a------- c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33 229,376 a------- c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33 125,952 a------- c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32 163,840 a------- c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32 55,808 a------- c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32 128,512 a------- c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32 94,720 a------- c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 04:32 1,985,024 a------- c:\windows\system32\dllcache\iertutil.dll
2009-03-08 04:32 611,840 a------- c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:24 68,608 a------- c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-08 04:22 156,160 a------- c:\windows\system32\dllcache\msls31.dll
2009-03-08 04:11 445,952 a------- c:\windows\system32\dllcache\ieapfltr.dll
2009-03-05 17:10 1,553,784 a------- c:\windows\WRSetup.dll
2009-03-05 13:26 81,028 a---h--- c:\windows\system32\mlfcache.dat
2009-02-26 12:46 74,760 a------- c:\windows\system32\drivers\UniversalDD.sys
2009-02-26 12:46 25,608 a------- c:\windows\system32\drivers\AVGIDSErHr.sys
2009-02-25 15:24 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
2009-02-25 15:24 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-02-25 15:24 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2009-02-09 05:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 05:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-02-06 21:07 3,698,584 a------- c:\windows\system32\dllcache\ieapfltr.dat
2009-01-07 18:21 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-01-07 18:20 134,144 -------- c:\windows\system32\dllcache\sqmapi.dll
2009-01-07 18:20 1,497,088 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-01-07 18:20 1,022,976 -------- c:\windows\system32\dllcache\browseui.dll
2009-01-07 18:20 474,112 -------- c:\windows\system32\dllcache\shlwapi.dll
2009-01-07 18:20 24,576 a------- c:\windows\system32\nlsdl.dll
2009-01-07 18:20 26,112 a------- c:\windows\system32\idndl.dll
2009-01-07 18:20 23,552 a------- c:\windows\system32\normaliz.dll
2009-01-07 18:20 265,720 a------- c:\windows\system32\msdbg2.dll
2008-09-26 13:50 46,848 ac------ c:\docume~1\lorenm~1\applic~1\GDIPFONTCACHEV1.DAT
2008-06-22 16:00 32 ac------ c:\docume~1\alluse~1\applic~1\ezsid.dat
2005-11-15 15:16 376,593 -c-sh--- c:\windows\system32\knnmp.bak1
2005-11-19 15:33 425,126 -c-sh--- c:\windows\system32\knnmp.bak2
2008-09-10 12:27 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091020080911\index.dat

============= FINISH: 21:13:45.13 ===============


Re: Evil Win32 Cryptor Virus will not disapear

Post by Belahzur on 6th April 2009, 3:24 am

Oh wow, you have one nasty infection. I think it could be Virut, or a new variant of it anyway.

That file won't go away. I was right about the malicious driver; I was wrong about how many of the little buggers there are. I was expecting just one, but so far I count three.

I think you are right about it getting into your legit files, because I see it's gotten into userinit and svchost, and possibly more.

  • Download ComboFix from here:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (anti-virus) before running ComboFix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV (AVG8 / Webroot Spy Sweeper / Ad-Aware Ad-Watch).
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

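The "I count three" call above is made by eye from the SERVICES / DRIVERS section of the DDS log: entries whose key name looks machine-generated, that carry no descriptive display name, that DDS could not find on disk (the `[?]` stamp), or that are hidden behind a generic display name inside a svchost.exe service group. The script below is an added example for this thread, not code from the forum, from DDS or from ComboFix. It parses lines in the DDS services format, using a constructed sample copied in shape from the log posted above, and flags entries on those heuristics; the heuristics (`looks_random`, the consonant-run and 8-hex-character tests, the svchost.exe check) are my assumptions and give a triage order, not a verdict.

```python
"""Triage the SERVICES / DRIVERS section of a DDS log for suspect entries.

Added example for this thread; not part of DDS or ComboFix. The heuristics
are assumptions about what a random-named rogue driver or service looks
like. Anything flagged still needs the file itself looked at.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: lines copied in shape from the DDS log posted above,
# mixing legitimate AV/driver entries with the three odd ones.
SAMPLE_LOG = r"""
R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-2-26 25608]
R0 jqdfhlls;jqdfhlls;c:\windows\system32\drivers\jqdfhlls.sys [2004-8-19 23424]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-8-9 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-4 325640]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 WFPService;WFPService;c:\program files\microsoft windows feedback panel\wfpservice.exe [2006-6-13 179000]
S1 12208e92;12208e92;c:\windows\system32\drivers\12208e92.sys --> c:\windows\system32\drivers\12208e92.sys [?]
S2 euvbphrk;1394 Net Controller;c:\windows\system32\svchost.exe -k netsvcs [2004-8-19 14336]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-4-4 29208]
"""

# One DDS service line: "<R|S><start type> <key name>;<display name>;<image> [<date size> | ?]"
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+"       # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);"            # registry key name of the service/driver
    r"(?P<display>[^;]*);"         # display name (often identical to the key name)
    r"(?P<image>.*?)\s*"           # image path, may carry "-k group" or "--> path"
    r"\[(?P<stamp>[^\]]*)\]\s*$"   # "[date size]" or "[?]" when DDS could not stat it
)

# Assumed randomness tests: 8 hex characters, or 5+ consonants in a row.
HEX8 = re.compile(r"[0-9a-f]{8}")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}")


@dataclass
class Finding:
    name: str
    image: str
    reasons: List[str]


def looks_random(name: str) -> bool:
    """True if the key name looks machine-generated rather than chosen by a vendor."""
    n = name.lower()
    return HEX8.fullmatch(n) is not None or CONSONANT_RUN.search(n) is not None


def triage_services(text: str) -> List[Finding]:
    """Return the suspect entries of a DDS SERVICES / DRIVERS section, in log order."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        name, display, image, stamp = m.group("name", "display", "image", "stamp")
        reasons = []
        if stamp.strip() == "?":
            reasons.append("image file missing or unreadable on disk ([?])")
        if name == display and looks_random(name):
            reasons.append("random-looking key name with no descriptive display name")
        if "svchost.exe" in image.lower() and looks_random(name):
            reasons.append("random-looking service hosted in svchost.exe behind a generic display name")
        if reasons:
            findings.append(Finding(name, image, reasons))
    return findings


def reasons_by_name(text: str) -> Dict[str, List[str]]:
    """Convenience view: service key name -> list of reasons it was flagged."""
    return {f.name: f.reasons for f in triage_services(text)}


if __name__ == "__main__":
    for f in triage_services(SAMPLE_LOG):
        print(f"{f.name}: {f.image}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample this flags exactly jqdfhlls, 12208e92 (on two counts) and euvbphrk, and leaves the AVG, Webroot and Microsoft entries alone even where their key and display names coincide. The consonant-run test will misfire on terse legitimate driver names, so treat the output as a list of what to inspect first; the "Notify: jpoposzg - vkvdpoi.dll" Winlogon entry earlier in the same log is the kind of line the same name test would catch if extended to that section.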

Re: Evil Win32 Cryptor Virus will not disapear

Post by brew311 on 6th April 2009, 4:26 am

ComboFix ran, and it was unable to gain access to vkvdpoi.dll. It was denied access both times. It then shut off and was going to create a text file, but it detected a virus and I prompted it to remove it. Then, once it did that, ComboFix closed itself down.


Re: Evil Win32 Cryptor Virus will not disapear

Post by brew311 on 6th April 2009, 4:31 am

I'm going to run it again. I think I had some software running that messed it up.


Re: Evil Win32 Cryptor Virus will not disapear

Post by brew311 on 6th April 2009, 4:47 am

Here is the config log:

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\knnmp.bak1
c:\windows\system32\knnmp.bak2
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\system32\vkvdpoi.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_euvbphrk
-------\Legacy_icf
-------\Service_euvbphrk


((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.

2009-04-05 20:55 . 2009-04-05 20:55 d-------- c:\program files\MALWAREBYTES ANTI-MALWARE
2009-04-05 17:04 . 2009-04-05 17:04 d-------- c:\program files\Panda Security
2009-04-05 16:58 . 2009-04-05 17:02 d-------- C:\HaxFix
2009-04-05 15:34 . 2009-03-09 02:53 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-04-05 14:34 . 2009-04-05 14:51 d-------- C:\Lop SD
2009-04-05 12:14 . 2009-04-05 12:14 d-------- C:\VundoFix Backups
2009-04-04 17:22 . 2009-04-05 15:09 d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-04 17:21 . 2009-04-04 17:21 d-------- c:\program files\Lavasoft
2009-04-04 16:05 . 2009-04-04 16:05 d-------- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-04-04 16:04 . 2009-04-05 11:51 d-------- c:\windows\system32\drivers\Avg
2009-04-04 16:04 . 2009-04-04 16:04 d-------- c:\documents and settings\Loren Mickelson\Application Data\AVGTOOLBAR
2009-04-04 16:04 . 2009-04-04 16:04 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-04-04 16:04 . 2009-04-04 16:04 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-04-04 16:03 . 2009-04-04 16:03 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-04-04 16:03 . 2009-04-04 16:03 108,552 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-04-04 16:01 . 2009-04-04 16:01 d-------- c:\program files\AVG
2009-04-04 16:01 . 2009-04-04 16:01 50,968 --a------ c:\windows\system32\avgfwdx.dll
2009-04-04 16:01 . 2009-04-04 16:01 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
2009-04-03 23:50 . 2009-04-03 23:50 d-------- c:\program files\interMute
2009-04-03 23:50 . 2009-04-03 23:51 2,158 --a------ c:\windows\system32\ssmute.ini
2009-04-03 23:37 . 2009-04-03 23:37 d--h----- c:\windows\system32\WLANProfiles
2009-04-03 23:37 . 2009-04-03 23:37 d--h----- C:\Settings
2009-04-03 23:37 . 2009-04-03 23:37 516 --a------ C:\Settings.ini
2009-04-03 23:35 . 2009-02-26 22:56 177,152 --------- c:\windows\system32\dllcache\msctfime.ime
2009-04-03 23:27 . 2009-04-03 23:35 1,355 --a------ c:\windows\imsins.BAK
2009-04-03 22:33 . 2009-04-03 22:53 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-04-03 22:32 . 2009-04-03 23:15 d-------- c:\documents and settings\Loren Mickelson\.housecall6.6
2009-04-03 22:24 . 2009-04-03 22:24 d-------- c:\program files\Trojan Remover
2009-04-03 22:24 . 2009-04-03 22:24 d-------- c:\documents and settings\Loren Mickelson\Application Data\Simply Super Software
2009-04-03 22:24 . 2009-04-03 22:24 d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-04-03 22:24 . 2006-05-25 15:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2009-04-03 22:24 . 2003-02-02 20:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2009-04-03 22:24 . 2005-08-26 01:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2009-04-03 22:24 . 2002-03-06 01:00 75,264 --a------ c:\windows\system32\unacev2.dll
2009-04-03 22:24 . 2006-06-19 13:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2009-04-02 19:03 . 2009-04-02 19:03 d--hs---- c:\documents and settings\LocalService\IETldCache
2009-04-02 14:32 . 2009-04-02 21:49 d-------- c:\program files\Spybot - Search & Destroy
2009-04-02 14:32 . 2009-04-04 00:10 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-02 14:28 . 2009-04-02 21:04 d-------- C:\SDFix
2009-04-01 20:22 . 2009-04-01 20:22 d--hs---- c:\documents and settings\Administrator\PrivacIE
2009-04-01 20:18 . 2009-04-01 20:18 d-------- c:\documents and settings\Administrator\Application Data\Webroot
2009-04-01 18:25 . 2009-04-01 18:25 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-01 13:16 . 2009-04-05 12:25 1,324 --a------ c:\windows\system32\d3d9caps.dat
2009-04-01 13:03 . 2009-04-01 13:03 d--hs---- c:\documents and settings\Administrator\IETldCache
2009-04-01 13:03 . 2009-04-01 13:03 d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-01 13:02 . 2009-04-05 22:07 2,148 --a------ c:\windows\system32\wpa.dbl
2009-04-01 12:55 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-04-01 12:52 . 2009-04-01 12:52 0 --a------ c:\windows\system32\hctcwiu.dll.bak
2009-03-31 19:41 . 2009-03-31 19:41 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-31 19:40 . 2009-03-31 19:40 d-------- c:\program files\SUPERAntiSpyware
2009-03-31 19:40 . 2009-03-31 19:40 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-31 19:40 . 2009-03-31 19:40 d-------- c:\documents and settings\Loren Mickelson\Application Data\SUPERAntiSpyware.com
2009-03-31 18:55 . 2009-03-31 18:55 d-------- c:\documents and settings\Loren Mickelson\Application Data\gyvrpnji
2009-03-31 18:53 . 2009-03-31 18:53 d-------- c:\documents and settings\NetworkService\Application Data\gyvrpnji
2009-03-31 18:42 . 2009-03-31 18:42 d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-03-31 18:28 . 2009-03-31 18:28 d--hs---- c:\documents and settings\Loren Mickelson\IECompatCache
2009-03-31 18:24 . 2009-03-31 18:24 d-------- c:\program files\CCleaner
2009-03-31 18:18 . 2009-03-09 05:19 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-31 18:10 . 2009-03-31 18:11 d-------- C:\rsit
2009-03-31 18:10 . 2009-04-02 14:27 d-------- c:\program files\trend micro
2009-03-31 17:48 . 2009-03-31 17:48 d-------- C:\_OTMoveIt
2009-03-31 17:40 . 2009-03-31 17:40 d--hs---- c:\documents and settings\Loren Mickelson\PrivacIE
2009-03-31 17:36 . 2009-03-31 17:36 d--hs---- c:\documents and settings\Loren Mickelson\IETldCache
2009-03-31 17:35 . 2009-03-31 17:35 d--hs---- c:\windows\system32\config\systemprofile\IETldCache
2009-03-31 17:28 . 2009-03-31 17:30 d--h-c--- c:\windows\ie8
2009-03-30 17:49 . 2009-03-30 17:49 164 --a------ c:\windows\install.dat
2009-03-28 15:19 . 2009-03-28 15:20 d-------- c:\program files\MagicDisc
2009-03-28 15:19 . 2009-02-24 18:42 116,736 --a------ c:\windows\system32\drivers\mcdbus.sys
2009-03-28 15:13 . 2009-03-28 15:13 d-------- c:\program files\MagicISO
2009-03-28 13:09 . 2009-03-28 13:09 d-------- c:\program files\Common Files\Macrovision Shared
2009-03-28 13:08 . 2009-03-28 13:08 d-------- c:\program files\Rosetta Stone
2009-03-28 13:08 . 2009-04-05 20:40 d-------- c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-03-22 17:20 . 2009-03-22 17:26 d-------- c:\program files\PeerGuardian2
2009-03-19 21:42 . 2009-04-05 17:42 d--h----- C:\$AVG8.VAULT$
2009-03-19 21:26 . 2009-04-05 17:33 d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-19 19:41 . 2009-03-19 19:41 d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-03-19 18:58 . 2009-03-22 15:49 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-09 13:48 . 2009-04-05 20:55 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-09 13:48 . 2009-03-09 13:48 d-------- c:\documents and settings\Loren Mickelson\Application Data\Malwarebytes
2009-03-09 13:48 . 2009-03-09 13:48 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-09 13:48 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-09 13:48 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-08 21:11 . 2009-03-22 15:52 d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-08 21:08 . 2009-03-22 15:52 d-------- c:\program files\Common Files\Symantec Shared
2009-03-08 16:58 . 2008-04-13 18:12 26,112 --a------ c:\windows\system32\dllcache\userinit.exe
2009-03-08 04:33 . 2009-03-08 04:33 18,944 --------- c:\windows\system32\dllcache\corpol.dll
2009-03-07 14:28 . 2009-03-07 14:28 d-------- c:\program files\uTorrent


Re: Evil Win32 Cryptor Virus will not disapear

Post by brew311 on 6th April 2009, 4:48 am

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 04:01 105,472 ----a-w c:\windows\system32\hctcwiu.dll
2009-04-06 01:36 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-06 01:23 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2009-04-05 21:36 --------- d-----w c:\program files\Java
2009-04-04 02:13 --------- d-----w c:\program files\RGB
2009-04-04 02:11 --------- d-----w c:\program files\Windows Media Connect 2
2009-04-04 02:10 --------- d-----w c:\program files\Bonjour
2009-04-03 23:04 --------- d-----w c:\program files\Google
2009-03-31 17:31 --------- d-----w c:\documents and settings\Loren Mickelson\Application Data\uTorrent
2009-03-20 17:08 --------- d-----w c:\documents and settings\Loren Mickelson\Application Data\DNA
2009-03-20 02:28 --------- d-----w c:\program files\DNA
2009-03-20 00:53 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-20 00:33 --------- d-----w c:\program files\McAfee
2009-03-08 22:56 14,336 ----a-w c:\windows\system32\svchost.exe
2009-03-08 22:56 14,336 ----a-w c:\windows\system32\dllcache\svchost.exe
2009-03-08 20:09 638,816 ----a-w c:\windows\system32\dllcache\iexplore.exe
2009-03-08 20:09 391,536 ----a-w c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 10:41 5,937,152 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-03-08 10:39 11,063,808 ----a-w c:\windows\system32\dllcache\ieframe.dll
2009-03-08 10:34 914,944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 10:34 914,944 ----a-w c:\windows\system32\dllcache\wininet.dll
2009-03-08 10:34 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 10:34 43,008 ----a-w c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 10:34 236,544 ----a-w c:\windows\system32\dllcache\webcheck.dll
2009-03-08 10:34 193,536 ----a-w c:\windows\system32\dllcache\msrating.dll
2009-03-08 10:34 109,568 ----a-w c:\windows\system32\dllcache\occache.dll
2009-03-08 10:34 105,984 ----a-w c:\windows\system32\dllcache\url.dll
2009-03-08 10:34 1,206,784 ----a-w c:\windows\system32\dllcache\urlmon.dll
2009-03-08 10:33 759,296 ----a-w c:\windows\system32\dllcache\VGX.dll
2009-03-08 10:33 726,528 ----a-w c:\windows\system32\dllcache\jscript.dll
2009-03-08 10:33 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 10:33 420,352 ----a-w c:\windows\system32\dllcache\vbscript.dll
2009-03-08 10:33 25,600 ----a-w c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 10:33 229,376 ----a-w c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 10:33 18,944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 10:33 125,952 ----a-w c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 10:32 94,720 ----a-w c:\windows\system32\dllcache\inseng.dll
2009-03-08 10:32 72,704 ----a-w c:\windows\system32\dllcache\admparse.dll
2009-03-08 10:32 72,704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 10:32 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 10:32 71,680 ----a-w c:\windows\system32\dllcache\iesetup.dll
2009-03-08 10:32 611,840 ----a-w c:\windows\system32\dllcache\mstime.dll
2009-03-08 10:32 594,432 ----a-w c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 10:32 55,808 ----a-w c:\windows\system32\dllcache\iernonce.dll
2009-03-08 10:32 173,056 ----a-w c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 10:32 163,840 ----a-w c:\windows\system32\dllcache\ieakui.dll
2009-03-08 10:32 128,512 ----a-w c:\windows\system32\dllcache\advpack.dll
2009-03-08 10:32 1,985,024 ----a-w c:\windows\system32\dllcache\iertutil.dll
2009-03-08 10:24 68,608 ----a-w c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 10:22 156,160 ----a-w c:\windows\system32\msls31.dll
2009-03-08 10:22 156,160 ----a-w c:\windows\system32\dllcache\msls31.dll
2009-03-08 10:11 445,952 ----a-w c:\windows\system32\dllcache\ieapfltr.dll
2009-03-05 23:10 1,553,784 ----a-w c:\windows\WRSetup.dll
2009-03-04 21:43 --------- d-----w c:\documents and settings\Loren Mickelson\Application Data\LimeWire
2009-03-03 18:39 --------- d-----w c:\program files\Yahoo!
2009-03-03 17:46 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2009-03-03 17:35 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-28 20:00 --------- d-----w c:\program files\Cobian Backup 8
2009-02-28 19:52 --------- d-----w c:\program files\Cobian Backup 9
2009-02-28 16:27 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-27 03:09 --------- d-----w c:\documents and settings\Loren Mickelson\Application Data\.purple
2009-02-26 18:46 74,760 ----a-w c:\windows\system32\drivers\UniversalDD.sys
2009-02-26 18:46 25,608 ----a-w c:\windows\system32\drivers\AVGIDSErHr.sys
2009-02-26 02:25 --------- d-----w c:\program files\iTunes
2009-02-26 02:25 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-26 02:24 --------- d-----w c:\program files\iPod
2009-02-26 01:57 --------- d-----w c:\program files\Common Files\Apple
2009-02-26 01:06 --------- d-----w c:\program files\QuickTime
2009-02-25 21:24 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2009-02-25 21:24 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2009-02-25 21:24 176,752 ----a-w c:\windows\system32\drivers\ssidrv.sys
2009-02-22 00:06 --------- d-----w c:\program files\Files
2009-02-21 02:15 --------- d-----w c:\program files\InstallShield Installation Information
2009-02-21 02:14 --------- d-----w c:\program files\Seagate
2009-02-21 02:14 --------- d-----w c:\documents and settings\All Users\Application Data\Seagate
2009-02-12 19:44 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 02:46 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2009-01-08 00:21 26,144 ----a-w c:\windows\system32\spupdsvc.exe
2009-01-08 00:20 474,112 ------w c:\windows\system32\dllcache\shlwapi.dll
2009-01-08 00:20 265,720 ----a-w c:\windows\system32\msdbg2.dll
2009-01-08 00:20 26,112 ----a-w c:\windows\system32\idndl.dll
2009-01-08 00:20 24,576 ----a-w c:\windows\system32\nlsdl.dll
2009-01-08 00:20 23,552 ----a-w c:\windows\system32\normaliz.dll
2009-01-08 00:20 134,144 ------w c:\windows\system32\dllcache\sqmapi.dll
2009-01-08 00:20 1,497,088 ------w c:\windows\system32\dllcache\shdocvw.dll
2009-01-08 00:20 1,022,976 ------w c:\windows\system32\dllcache\browseui.dll
2008-09-26 19:50 46,848 -c--a-w c:\documents and settings\Loren Mickelson\Application Data\GDIPFONTCACHEV1.DAT
2008-06-22 22:00 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-01-15 02:50 122,368 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-09-10 18:27 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091020080911\index.dat
.


Post by brew311 on 6th April 2009, 4:48 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1dfda642-5f6e-4d5f-85bb-9c3f9cb0fcf4}]
2009-04-05 22:01 105472 --a------ c:\windows\system32\vkvdpoi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-03 344064]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Cobian Backup 8 interface"="c:\program files\Cobian Backup 8\cbInterface.exe" [2007-09-27 2425856]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-04 1932568]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-02-26 1579528]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\documents and settings\Loren Mickelson\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-03-28 576000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 15:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-04 16:04 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WFPUser.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WFPUser.lnk
backup=c:\windows\pss\WFPUser.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Loren Mickelson^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Loren Mickelson\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
- [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 12:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
-----c--- 2004-06-18 09:30 290816 c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2008-08-14 00:04 206064 c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--------- 2005-03-16 04:33 127037 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 13:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-01-14 20:49 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 15:22 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--------- 2004-07-27 15:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--------- 2009-01-06 14:06 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
--a------ 2008-10-28 17:42 181544 c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
--------- 2004-12-22 08:21 823296 c:\program files\Maxtor\OneTouch\Utils\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MXOBG]
--------- 2005-09-09 22:43 94208 c:\windows\MXOALDR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 17:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RetroExpress]
-----c--- 2004-07-30 15:47 6946816 c:\progra~1\Dantz\RETROS~1\RetroExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-12 20:10 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
-----c--- 2003-11-19 16:48 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
--a------ 2009-03-30 16:07 1213320 c:\program files\Trojan Remover\Trjscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
--a------ 2008-04-13 18:12 10752 c:\windows\system32\dumprep.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
--------- 2006-01-07 16:57 331776 c:\windows\system32\WDBtnMgr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)


Post by brew311 on 6th April 2009, 4:49 am

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=
"c:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-02-26 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-04-04 12552]
R0 jqdfhlls;jqdfhlls;c:\windows\system32\drivers\jqdfhlls.sys [2004-08-19 23424]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-08-09 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-04-04 325640]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-04-04 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-04 298264]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-04-04 1356616]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2009-02-26 563720]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-10-28 156968]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
R2 WFPService;WFPService;c:\program files\Microsoft Windows Feedback Panel\wfpservice.exe [2006-06-13 179000]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2009-02-08 1178728]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-04-04 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2009-02-26 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2009-02-26 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2009-02-26 27232]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S1 12208e92;12208e92;c:\windows\system32\drivers\12208e92.sys --> c:\windows\system32\drivers\12208e92.sys [?]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [2009-02-26 5576712]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-04-04 29208]
S3 GoogleDesktopManager-010108-205858;Google Desktop Manager 5.7.801.1629;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-01-14 29744]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-10 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP


Post by brew311 on 6th April 2009, 4:50 am

Contents of the 'Scheduled Tasks' folder

2009-04-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 13:06]

2009-03-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 16:10]
.
- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
MSConfigStartUp-a3zjru027w7u7msy1mbz2s6n9u - c:\docume~1\LORENM~1\LOCALS~1\Temp\fh190sp8l.exe
MSConfigStartUp-abk81dpnspxp7za7xep1c9okd48m00iou6gu1 - c:\docume~1\LORENM~1\LOCALS~1\Temp\ju4zxjuusj3yy.exe
MSConfigStartUp-ahdlmh882iufqlh6gmm4upudl55ehw9fmpju - c:\docume~1\LORENM~1\LOCALS~1\Temp\axd5y6.exe
MSConfigStartUp-ai5nf38pec8naz0uoc - c:\docume~1\LORENM~1\LOCALS~1\Temp\dudvoms0pft.exe
MSConfigStartUp-Aim6 - c:\program files\Common Files\AOL\Launch\AOLLaunch.exe
MSConfigStartUp-aj4rzp5hjyyk - c:\docume~1\LORENM~1\LOCALS~1\Temp\ckmpm8yonovu.exe
MSConfigStartUp-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
MSConfigStartUp-asvoinb93ewkms4j2fxtd71wwg3mz - c:\docume~1\LORENM~1\LOCALS~1\Temp\s5902167vm.exe
MSConfigStartUp-b9cscnm3ovvasfwzv7b5vk - c:\docume~1\LORENM~1\LOCALS~1\Temp\ecfvi9t.exe
MSConfigStartUp-beg7o3gb2wy7wiznsufd3cm035aleyvgmglt50qsodje - c:\docume~1\LORENM~1\LOCALS~1\Temp\uuvf3ec5va9n.exe
MSConfigStartUp-bezk41auxstfvu05xz9xmg2vdb8l9 - c:\docume~1\LORENM~1\LOCALS~1\Temp\skyn7hu.exe
MSConfigStartUp-bfdc8zqaa5m6hxm0k03s8dtuy - c:\docume~1\LORENM~1\LOCALS~1\Temp\sx32l2.exe
MSConfigStartUp-civkzld8s9d8ppfltfo3cp00g3a96mg83xc1 - c:\docume~1\LORENM~1\LOCALS~1\Temp\e4itf3cbq976.exe
MSConfigStartUp-cnp71tly93luvp - c:\docume~1\LORENM~1\LOCALS~1\Temp\tezirrbyu35.exe
MSConfigStartUp-cr9mtlxxutt4nevdx5tagrkjc79x3gzh3n0512r8ddcobl4 - c:\docume~1\LORENM~1\LOCALS~1\Temp\rxdnn2.exe
MSConfigStartUp-duo8us5yeqfe5ab0lmlwrq0wczugwk8p - c:\docume~1\LORENM~1\LOCALS~1\Temp\zky45y.exe
MSConfigStartUp-e0ws80m0na9euhcf1onnka2po - c:\docume~1\LORENM~1\LOCALS~1\Temp\shik6o7tc.exe
MSConfigStartUp-e2rleogbu06nqwujd4havgzkfat9s6yggiq - c:\docume~1\LORENM~1\LOCALS~1\Temp\gc1nhtw1ojf.exe
MSConfigStartUp-e334d1tijah24a078 - c:\docume~1\LORENM~1\LOCALS~1\Temp\wz4l5eozis0.exe
MSConfigStartUp-f1l5gvf3wsbqhje37s6luzlu - c:\docume~1\LORENM~1\LOCALS~1\Temp\a7e3uch3l24oc.exe
MSConfigStartUp-fh8s5gnfiygtm4gsc2h096fiq732wuqaimw2s103 - c:\docume~1\LORENM~1\LOCALS~1\Temp\aozm4qa3.exe
MSConfigStartUp-g8773tnt2g5ygm - c:\docume~1\LORENM~1\LOCALS~1\Temp\pel6w7zw31x0.exe
MSConfigStartUp-ga16622i8pjw0rqa13jpv - c:\docume~1\LORENM~1\LOCALS~1\Temp\q3jpyx7ny.exe
MSConfigStartUp-gjfcsqhu3ndhljhnbitw884198574qp200sw94r91l4mqjbz - c:\docume~1\LORENM~1\LOCALS~1\Temp\iozfjhozuyl.exe
MSConfigStartUp-gzrun501cbjgzytub - c:\docume~1\LORENM~1\LOCALS~1\Temp\fc9r8wch3n.exe
MSConfigStartUp-hl296z2e486jfdv3q3vk5jo4ovp8tx5h5 - c:\docume~1\LORENM~1\LOCALS~1\Temp\vpta2a.exe
MSConfigStartUp-HostManager - c:\program files\Common Files\AOL\1153697701\ee\AOLSoftware.exe
MSConfigStartUp-i6icu4epj2ib0wgk2z30lmuf7yyqu3sbcti9lfm - c:\docume~1\LORENM~1\LOCALS~1\Temp\upkijrhapm096.exe
MSConfigStartUp-ifyra3xc44e27h9yx0koa1jwmcnocerrs4o2suxk95rwjh - c:\docume~1\LORENM~1\LOCALS~1\Temp\hy26cqd.exe
MSConfigStartUp-IPHSend - c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
MSConfigStartUp-jjgc1r3ccifnogxlsxb0gz - c:\docume~1\LORENM~1\LOCALS~1\Temp\l15e9vage.exe
MSConfigStartUp-jsf8uiw3jnjgffght - c:\docume~1\LORENM~1\LOCALS~1\Temp\winlognn.exe
MSConfigStartUp-keqewy0bv8bwe - c:\docume~1\LORENM~1\LOCALS~1\Temp\zu8s03av2d.exe
MSConfigStartUp-kks588bgyd883ivo53fl9kebfzds9772 - c:\docume~1\LORENM~1\LOCALS~1\Temp\htr00gfnv4t.exe
MSConfigStartUp-lcwfypnpk3frv4s0t6 - c:\docume~1\LORENM~1\LOCALS~1\Temp\hf2mo6p6.exe
MSConfigStartUp-ld1a1dyxmiw94iztte9d1yv49tey91i7fkxd9m - c:\docume~1\LORENM~1\LOCALS~1\Temp\bmg91anch2.exe
MSConfigStartUp-LDM - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
MSConfigStartUp-le43mjv3wo5vzrn5tog28oyweah - c:\docume~1\LORENM~1\LOCALS~1\Temp\l16n8ojts9zf.exe
MSConfigStartUp-lj8gt6iljnv9tbg6ftu9gl7uvj17ygihg0bxjnmjmwrqktkc1 - c:\docume~1\LORENM~1\LOCALS~1\Temp\cq2sr9zu8.exe
MSConfigStartUp-lkng7bghq0u58v844qr8q5bm2lykwefoki08lal2do5 - c:\docume~1\LORENM~1\LOCALS~1\Temp\tpyiqy9yk8f4i.exe
MSConfigStartUp-LogitechQuickCamRibbon - c:\program files\Logitech\QuickCam10\QuickCam10.exe
MSConfigStartUp-LogitechSetup - c:\docume~1\LORENM~1\LOCALS~1\Temp\QuickCam_11.0.0\setup.exe
MSConfigStartUp-LogitechVideo[inspector] - c:\program files\Logitech\Video\InstallHelper.exe
MSConfigStartUp-lwc63kcl6678ploz2tk408krd6h7eo90peayvp22 - c:\docume~1\LORENM~1\LOCALS~1\Temp\lydh27qi.exe
MSConfigStartUp-m2rrlvrk3weloe436iw32nmpi9 - c:\docume~1\LORENM~1\LOCALS~1\Temp\acmqvk.exe
MSConfigStartUp-m839bxi6f4jw4w5y4lhro551o5whmtn8hbcn0u - c:\docume~1\LORENM~1\LOCALS~1\Temp\zahm6oemynl.exe
MSConfigStartUp-mgtr71m0e8hcye6njye0 - c:\docume~1\LORENM~1\LOCALS~1\Temp\zgb4be4.exe
MSConfigStartUp-mmtask - c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe
MSConfigStartUp-MMTray - c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
MSConfigStartUp-mwhuixza7szm3phv8pwfvtnrwctf6x0zqwmqzql48 - c:\docume~1\LORENM~1\LOCALS~1\Temp\tjj0s65qhxbi.exe
MSConfigStartUp-nbpcqj5rwf35a6z0kujfhf130sz22y2i8iqt5wyl8uyb4tkh - c:\docume~1\LORENM~1\LOCALS~1\Temp\kpisb5.exe
MSConfigStartUp-nndlreri5bc - c:\docume~1\LORENM~1\LOCALS~1\Temp\skdvbu6tka47.exe
MSConfigStartUp-no2jyna0ssr1 - c:\docume~1\LORENM~1\LOCALS~1\Temp\w0vcj00kb.exe
MSConfigStartUp-nuekuxcow9ehuuknzw7c6wmduzif2os7v81lsfytw5d1m - c:\docume~1\LORENM~1\LOCALS~1\Temp\bkpczq0vrskj.exe
MSConfigStartUp-nzmojmocqeye2c7alm34l6ph7anjacau9p1aidb8 - c:\docume~1\LORENM~1\LOCALS~1\Temp\ojaxs6ela20z.exe
MSConfigStartUp-o2q9ukskoico9f5jdt6jyvv43b - c:\docume~1\LORENM~1\LOCALS~1\Temp\uvvnjfwmnq.exe
MSConfigStartUp-o7npj3wth62mwlmvbk8v0obbe5p3imyjg3wk - c:\docume~1\LORENM~1\LOCALS~1\Temp\m9w4qjd4.exe
MSConfigStartUp-oiposuub58bez1yf6gs9e9she5uv6 - c:\docume~1\LORENM~1\LOCALS~1\Temp\wgwdyvamamwt.exe
MSConfigStartUp-orn991q4j05n09 - c:\docume~1\LORENM~1\LOCALS~1\Temp\zb33bgxf2k.exe
MSConfigStartUp-os7fofphapwuhhob - c:\docume~1\LORENM~1\LOCALS~1\Temp\tn0k0t2y.exe
MSConfigStartUp-p1fq89q2ypv0k4r - c:\docume~1\LORENM~1\LOCALS~1\Temp\u2w9x2.exe
MSConfigStartUp-p5wz2xryhw4neb0124s6i4vixs8vmtnyb6lez6wyj6yftdpvn5 - c:\docume~1\LORENM~1\LOCALS~1\Temp\dhesjl9m.exe
MSConfigStartUp-peomqu43njzsx8elkrdan - c:\docume~1\LORENM~1\LOCALS~1\Temp\q07ld5rkwj7.exe
MSConfigStartUp-pjzn1pgiqxl89kn7xi6ci - c:\docume~1\LORENM~1\LOCALS~1\Temp\abi712qx2pvh.exe
MSConfigStartUp-PlaxoUpdate - c:\program files\Plaxo\2.8.1.2\PlaxoHelper.exe
MSConfigStartUp-pmdx875trq8v7dria42szgferq7bpdxb03vk6qr3eg8h - c:\docume~1\LORENM~1\LOCALS~1\Temp\oegsau3r.exe
MSConfigStartUp-puac0kd2lyu8xp5hadp45qac5cikg1 - c:\docume~1\LORENM~1\LOCALS~1\Temp\ig9p5fa.exe
MSConfigStartUp-pxhr2807tfxwiuvw09pftcmhs8 - c:\docume~1\LORENM~1\LOCALS~1\Temp\pn8ifm3dm7.exe
MSConfigStartUp-pzwjfvt427gvji5q3x39dcq5f6w - c:\docume~1\LORENM~1\LOCALS~1\Temp\nwfompz2caa.exe
MSConfigStartUp-q4191no7tbpezrdig1tgaf3nab8bz3wqsgwbmce - c:\docume~1\LORENM~1\LOCALS~1\Temp\ink1o4czwvd.exe
MSConfigStartUp-q6o5kmgjmptg1vv - c:\docume~1\LORENM~1\LOCALS~1\Temp\byc86lyrvw18.exe
MSConfigStartUp-qyf64928yp - c:\docume~1\LORENM~1\LOCALS~1\Temp\oi2vy6rpzn6xg.exe
MSConfigStartUp-r4lczgua5wxr4vb1bq3rg0gc32v9a7m7egyxystp915rl05 - c:\docume~1\LORENM~1\LOCALS~1\Temp\s0b10or0ikb2f.exe
MSConfigStartUp-RealTray - c:\program files\Real\RealPlayer\RealPlay.exe
MSConfigStartUp-rtfegsgb56ppxr8u - c:\docume~1\LORENM~1\LOCALS~1\Temp\vcon4ka.exe
MSConfigStartUp-ru3flmuqrs53gwvk03249xpb7jqt85khh - c:\docume~1\LORENM~1\LOCALS~1\Temp\jr5p4yk.exe
MSConfigStartUp-s0rt1gggukhwqdx9vz96uv0582 - c:\docume~1\LORENM~1\LOCALS~1\Temp\ttwcci.exe
MSConfigStartUp-scgjfxf5e9ekzejs8haca3az1r28hpdp6rgiy6tbiigyg - c:\docume~1\LORENM~1\LOCALS~1\Temp\icgz4095rl.exe
MSConfigStartUp-sercwr9b66971mieh0rq8qa - c:\docume~1\LORENM~1\LOCALS~1\Temp\ik14juf729yzn.exe
MSConfigStartUp-spwpk69tq1068dk8wejgjv2q - c:\docume~1\LORENM~1\LOCALS~1\Temp\zgdtpgov93e.exe
MSConfigStartUp-sqhwt7tebyt2vmzv2nm - c:\docume~1\LORENM~1\LOCALS~1\Temp\pxdcvo2nf1igb.exe
MSConfigStartUp-sv1k0omt2w659id - c:\docume~1\LORENM~1\LOCALS~1\Temp\y9wsgvooo.exe
MSConfigStartUp-sxs3e9rz08b4irrgwastysybkxu10ch2joc - c:\docume~1\LORENM~1\LOCALS~1\Temp\o2fqf04x7.exe
MSConfigStartUp-t18iolskamhc3 - c:\docume~1\LORENM~1\LOCALS~1\Temp\tty0wwtfnfd.exe
MSConfigStartUp-t1cnn1pzzqbtoq6 - c:\docume~1\LORENM~1\LOCALS~1\Temp\xlkydzfk4.exe
MSConfigStartUp-t5d2cmsbh14njhw7bhto255btq7xuvl12v - c:\docume~1\LORENM~1\LOCALS~1\Temp\jn8jo1pnnql.exe
MSConfigStartUp-t80am3gk0g8i4in6ifuii0185ko3da9toq - c:\docume~1\LORENM~1\LOCALS~1\Temp\an2kxtcz.exe
MSConfigStartUp-t9acayqc0skpt39aed8hdkuy0q01emm47jb3pa9kao - c:\docume~1\LORENM~1\LOCALS~1\Temp\oem91b5.exe
MSConfigStartUp-ta9lr5w40zsyijavwhhv0y8g2j67osmxswo73w68o517fh - c:\docume~1\LORENM~1\LOCALS~1\Temp\jzbuupee8un.exe
MSConfigStartUp-tcfvuehkpcgzcjfkey8mpdlvkau4mmpru0sddoxrc - c:\docume~1\LORENM~1\LOCALS~1\Temp\bv9wea4.exe
MSConfigStartUp-tgvlhpd9fpomzofqybk09t0f53a9dre02ocxnxi9 - c:\docume~1\LORENM~1\LOCALS~1\Temp\qcs2ml3nwh.exe
MSConfigStartUp-ti012zw330kpl40jvma7jo8dbjrhanq6cxw06cichn - c:\docume~1\LORENM~1\LOCALS~1\Temp\cdamhw.exe
MSConfigStartUp-uabfn1mxvayhtea4kuuvtbdvxuy - c:\docume~1\LORENM~1\LOCALS~1\Temp\lj3pwlhxm48n.exe
MSConfigStartUp-uf0zb6yskxys56xlyllakdv9t0m06kq - c:\docume~1\LORENM~1\LOCALS~1\Temp\mg8bj42.exe
MSConfigStartUp-ufd4sa5i9ls - c:\docume~1\LORENM~1\LOCALS~1\Temp\r1rdzeudwbid.exe
MSConfigStartUp-uhavrejlewal8fz5j7c62c71b0v3li9f9r6dyynxhp - c:\docume~1\LORENM~1\LOCALS~1\Temp\bm27vkl9.exe
MSConfigStartUp-uk2ct36ocgnmq17b6 - c:\docume~1\LORENM~1\LOCALS~1\Temp\lc0gmlv3f0.exe
MSConfigStartUp-unwgkjlk9dua - c:\docume~1\LORENM~1\LOCALS~1\Temp\sc7ii4.exe
MSConfigStartUp-uoaioskt7lclbl50t2m53ckp - c:\docume~1\LORENM~1\LOCALS~1\Temp\gp7s9pwmqcd.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-v6ql1es3brhw12q9tqzsavs - c:\docume~1\LORENM~1\LOCALS~1\Temp\rny4u2j2e0y3o.exe
MSConfigStartUp-vltfq0fnnuyznlnldcxcwzi1s5cjqvn1xl4vii8smxqi8xz - c:\docume~1\LORENM~1\LOCALS~1\Temp\jdi93fn7.exe
MSConfigStartUp-vozne0pgq3ytuf98hqi9902e9yfywzmb6vr5xwnmqwx18gxr - c:\docume~1\LORENM~1\LOCALS~1\Temp\gebm8t0ho3p.exe
MSConfigStartUp-vpcj2jwje9jtknxj4c9aewbqpuk - c:\docume~1\LORENM~1\LOCALS~1\Temp\hg80c4e2.exe
MSConfigStartUp-w5mm111wpdr7z8qnmtz62 - c:\docume~1\LORENM~1\LOCALS~1\Temp\acx94k1.exe
MSConfigStartUp-w69vg41w2rs4wu1fnwzd0atuz - c:\docume~1\LORENM~1\LOCALS~1\Temp\zat6r8.exe
MSConfigStartUp-w9301sji6smb72f5jlcellan4c65cy - c:\docume~1\LORENM~1\LOCALS~1\Temp\y33u9mqk1.exe
MSConfigStartUp-wa38a95zrmpzqhqve2m5fol8bn9t8rnytw5evgcutvq - c:\docume~1\LORENM~1\LOCALS~1\Temp\z03htlw.exe
MSConfigStartUp-wxerulajqxq2la99nv1xfsl - c:\docume~1\LORENM~1\LOCALS~1\Temp\s4fae1vc92.exe
MSConfigStartUp-x15jgdjg2q - c:\docume~1\LORENM~1\LOCALS~1\Temp\i4mkclw7z8z.exe
MSConfigStartUp-xdm4cqd0ifz70uzh87 - c:\docume~1\LORENM~1\LOCALS~1\Temp\muprtne6.exe
MSConfigStartUp-xpt5z475uz7h6z46z3z4ve4bcsq2w5pgh0d8td61ugkxfyo - c:\docume~1\LORENM~1\LOCALS~1\Temp\v6b8jggjle.exe
MSConfigStartUp-xspvpsu7z7i1b6xlalzr013c47we8ophz - c:\docume~1\LORENM~1\LOCALS~1\Temp\ip2g67pdsg.exe
MSConfigStartUp-xtcr2y307s3dfa80gx3hbtuv2g26hijxs8se4j5y72ie - c:\docume~1\LORENM~1\LOCALS~1\Temp\t92h0c25.exe
MSConfigStartUp-xwp2c00c090glwmoyazeercy6tsdln5kqa4sbt6mr1 - c:\docume~1\LORENM~1\LOCALS~1\Temp\zpx8pkr5h.exe
MSConfigStartUp-y0tg2rn91v4be3emsw56yrf8dak81wnhhrmvqd15ugj41sp7t - c:\docume~1\LORENM~1\LOCALS~1\Temp\w6e2xfgb.exe
MSConfigStartUp-yh899pga02i5bebcbnjciz - c:\docume~1\LORENM~1\LOCALS~1\Temp\p5b1dh3g.exe
MSConfigStartUp-yrfs4vooqudoam2s5xkv2q8 - c:\docume~1\LORENM~1\LOCALS~1\Temp\l8qvoekpddee8.exe
MSConfigStartUp-ywcxu2mgl3byc4p731 - c:\docume~1\LORENM~1\LOCALS~1\Temp\bqcv4vv1c4io.exe
MSConfigStartUp-z71z0xzmi - c:\docume~1\LORENM~1\LOCALS~1\Temp\xb46ngckmlnv.exe
MSConfigStartUp-zii8tgdab8bxe67upsh80ztfuk4l7nia7kbwnp - c:\docume~1\LORENM~1\LOCALS~1\Temp\j7y03ih6z3af.exe
MSConfigStartUp-zzjrnyuj5hha6th65bkyl - c:\docume~1\LORENM~1\LOCALS~1\Temp\v0hy1q7pcn.exe


Post by brew311 on 6th April 2009, 4:50 am

.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: {78ECA568-4FF0-4D82-BED8-25ADFD29525D} = 192.168.2.1
DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Loren Mickelson\Application Data\Mozilla\Firefox\Profiles\mu5vrrjx.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Loren Mickelson\Application Data\Mozilla\Firefox\Profiles\mu5vrrjx.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-05 22:39:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SNDSrvc]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1252)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2009-04-05 22:43:28
ComboFix-quarantined-files.txt 2009-04-06 04:43:01

Pre-Run: 26,748,186,624 bytes free
Post-Run: 26,723,475,456 bytes free

562 --- E O F --- 2009-02-26 10:00:54


Re: Evil Win32 Cryptor Virus will not disapear

Post by Belahzur on 6th April 2009, 1:03 pm

Hmm.
Svchost has been modified, but Combofix doesn't find it as infected and didn't list any other copies of it.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
jqdfhlls
12208e92

File::
c:\windows\system32\drivers\jqdfhlls.sys
c:\windows\system32\vkvdpoi.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1dfda642-5f6e-4d5f-85bb-9c3f9cb0fcf4}]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\Program Files\\DNA\\btdna.exe"=-
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

Domains::

Firefox::
FF - ProfilePath - c:\documents and settings\Loren Mickelson\Application Data\Mozilla\Firefox\Profiles\mu5vrrjx.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_.dll

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.


Please PM me if I fail to respond within 24hrs.


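The helper's script above is hand-written from the ComboFix log: a driver tagged *NewlyCreated*, a DLL in system32, and firewall exceptions for peer-to-peer clients. The following is an added example, not code from this thread or from the ComboFix project, showing how a defender can pull those same findings out of a ComboFix-style log automatically. The sample log lines are constructed from the format quoted in the thread; the watch-list of peer-to-peer executables (LimeWire, DNA, uTorrent) is taken from the exceptions the helper removed and is an assumption, not a detection verdict. The `Registry::` block it emits uses only the `"value"=-` form that appears in the script above.

```python
"""
Added example, not code from the forum thread or from the ComboFix project:
parse a few ComboFix-style log sections and flag what the helper acted on.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the log format quoted in this thread: two service
# lines, the *NewlyCreated* marker and the two firewall-policy keys.
# Raw string so the log's backslashes are kept exactly as printed.
SAMPLE_LOG = r"""
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-04 298264]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-10 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JQDFHLLS

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"""

# Executables whose firewall exceptions the helper removed in this thread.
# Used as a watch-list only (assumption: these are the ones of interest).
P2P_CLIENTS = {"limewire.exe", "btdna.exe", "utorrent.exe"}

AUTHORIZED_LIST_KEY = (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy"
                       r"\standardprofile\AuthorizedApplications\List")

SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+?) \[")   # R0/R1/S2... lines
NEW_RE = re.compile(r"^\*NewlyCreated\* - (\S+)")
FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(.+)"=')


@dataclass
class Findings:
    services: List[Tuple[str, str, str]] = field(default_factory=list)  # (start type, name, image path)
    new_services: List[str] = field(default_factory=list)   # names tagged *NewlyCreated*
    firewall_enabled: Optional[bool] = None                 # None when the key is absent
    exceptions: List[str] = field(default_factory=list)     # every authorized application
    p2p_exceptions: List[str] = field(default_factory=list)


def analyze(log: str) -> Findings:
    """Single pass over the log, remembering which registry key a value line belongs to."""
    f = Findings()
    current_key = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            current_key = m.group(1)
            continue
        if (m := SERVICE_RE.match(line)):
            f.services.append((m.group(1), m.group(2), m.group(4)))
        elif (m := NEW_RE.match(line)):
            f.new_services.append(m.group(1))
        elif (m := FIREWALL_RE.match(line)):
            f.firewall_enabled = m.group(1) != "0"
        elif current_key == AUTHORIZED_LIST_KEY and (m := VALUE_RE.match(line)):
            # The log doubles backslashes inside values (regedit export style).
            path = m.group(1).replace("\\\\", "\\")
            f.exceptions.append(path)
            if path.rsplit("\\", 1)[-1].lower() in P2P_CLIENTS:
                f.p2p_exceptions.append(path)
    return f


def report(f: Findings) -> List[str]:
    """Human-readable flags, one per item a helper would want to look at."""
    notes = []
    if f.firewall_enabled is False:
        notes.append("Windows Firewall is off in the standard profile (EnableFirewall=0)")
    listed = {name.lower() for _, name, _ in f.services}
    for name in f.new_services:
        where = "absent from" if name.lower() not in listed else "present in"
        notes.append(f"{name} is tagged *NewlyCreated* and {where} the service list")
    for path in f.p2p_exceptions:
        notes.append(f"firewall exception for peer-to-peer client: {path}")
    return notes


def registry_fix(f: Findings) -> str:
    """Registry:: block in the CFScript form used in this thread ("value"=- removes
    the value) that drops the flagged exceptions; empty string when nothing to do."""
    if not f.p2p_exceptions:
        return ""
    lines = ["Registry::", f"[{AUTHORIZED_LIST_KEY}]"]
    for path in f.p2p_exceptions:
        lines.append('"%s"=-' % path.replace("\\", "\\\\"))
    return "\n".join(lines)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for note in report(found):
        print("*", note)
    print(registry_fix(found))
```

Running it against the constructed sample flags the disabled firewall, the JQDFHLLS service that has no matching R/S service line, and the two peer-to-peer exceptions, then prints the same `Registry::` block the helper wrote by hand. On a real log the remaining removals (the `Driver::` and `File::` entries) still need a human to confirm the file is malicious before it goes into a script.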

Re: Evil Win32 Cryptor Virus will not disapear

Post by brew311 on 6th April 2009, 11:56 pm

Here is the newest combofix txt

FILE ::
c:\windows\system32\drivers\jqdfhlls.sys
c:\windows\system32\vkvdpoi.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\jqdfhlls.sys
c:\windows\system32\vkvdpoi.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JQDFHLLS
-------\Service_12208e92
-------\Service_jqdfhlls


((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))
.

2009-04-06 17:23 . 2006-03-03 00:42 73,728 --a------ C:\pv.exe
2009-04-05 20:55 . 2009-04-05 20:55 d-------- c:\program files\MALWAREBYTES ANTI-MALWARE
2009-04-05 17:04 . 2009-04-05 17:04 d-------- c:\program files\Panda Security
2009-04-05 16:58 . 2009-04-05 17:02 d-------- C:\HaxFix
2009-04-05 15:34 . 2009-03-09 02:53 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-04-05 14:34 . 2009-04-05 14:51 d-------- C:\Lop SD
2009-04-05 12:14 . 2009-04-05 12:14 d-------- C:\VundoFix Backups
2009-04-04 17:22 . 2009-04-05 15:09 d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-04 17:21 . 2009-04-04 17:21 d-------- c:\program files\Lavasoft
2009-04-04 16:05 . 2009-04-04 16:05 d-------- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-04-04 16:04 . 2009-04-06 17:06 d-------- c:\windows\system32\drivers\Avg
2009-04-04 16:04 . 2009-04-04 16:04 d-------- c:\documents and settings\Loren Mickelson\Application Data\AVGTOOLBAR
2009-04-04 16:04 . 2009-04-04 16:04 12,552 --a------ c:\windows\system32\drivers\avgrkx86.sys
2009-04-04 16:04 . 2009-04-04 16:04 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-04-04 16:03 . 2009-04-04 16:03 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-04-04 16:03 . 2009-04-04 16:03 108,552 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-04-04 16:01 . 2009-04-04 16:01 d-------- c:\program files\AVG
2009-04-04 16:01 . 2009-04-04 16:01 50,968 --a------ c:\windows\system32\avgfwdx.dll
2009-04-04 16:01 . 2009-04-04 16:01 29,208 --a------ c:\windows\system32\drivers\avgfwdx.sys
2009-04-03 23:50 . 2009-04-03 23:50 d-------- c:\program files\interMute
2009-04-03 23:50 . 2009-04-03 23:51 2,158 --a------ c:\windows\system32\ssmute.ini
2009-04-03 23:37 . 2009-04-03 23:37 d--h----- c:\windows\system32\WLANProfiles
2009-04-03 23:37 . 2009-04-03 23:37 d--h----- C:\Settings
2009-04-03 23:37 . 2009-04-03 23:37 516 --a------ C:\Settings.ini
2009-04-03 23:35 . 2009-02-26 22:56 177,152 --------- c:\windows\system32\dllcache\msctfime.ime
2009-04-03 23:27 . 2009-04-03 23:35 1,355 --a------ c:\windows\imsins.BAK
2009-04-03 22:33 . 2009-04-03 22:53 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-04-03 22:32 . 2009-04-03 23:15 d-------- c:\documents and settings\Loren Mickelson\.housecall6.6
2009-04-03 22:24 . 2009-04-03 22:24 d-------- c:\program files\Trojan Remover
2009-04-03 22:24 . 2009-04-03 22:24 d-------- c:\documents and settings\Loren Mickelson\Application Data\Simply Super Software
2009-04-03 22:24 . 2009-04-03 22:24 d-------- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-04-03 22:24 . 2006-05-25 15:52 162,304 --a------ c:\windows\system32\ztvunrar36.dll
2009-04-03 22:24 . 2003-02-02 20:06 153,088 --a------ c:\windows\system32\UNRAR3.dll
2009-04-03 22:24 . 2005-08-26 01:50 77,312 --a------ c:\windows\system32\ztvunace26.dll
2009-04-03 22:24 . 2002-03-06 01:00 75,264 --a------ c:\windows\system32\unacev2.dll
2009-04-03 22:24 . 2006-06-19 13:01 69,632 --a------ c:\windows\system32\ztvcabinet.dll
2009-04-02 19:03 . 2009-04-02 19:03 d--hs---- c:\documents and settings\LocalService\IETldCache
2009-04-02 14:32 . 2009-04-02 21:49 d-------- c:\program files\Spybot - Search & Destroy
2009-04-02 14:32 . 2009-04-04 00:10 d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-02 14:28 . 2009-04-02 21:04 d-------- C:\SDFix
2009-04-01 20:22 . 2009-04-01 20:22 d--hs---- c:\documents and settings\Administrator\PrivacIE
2009-04-01 20:18 . 2009-04-01 20:18 d-------- c:\documents and settings\Administrator\Application Data\Webroot
2009-04-01 18:25 . 2009-04-01 18:25 d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-04-01 13:16 . 2009-04-05 12:25 1,324 --a------ c:\windows\system32\d3d9caps.dat
2009-04-01 13:03 . 2009-04-01 13:03 d--hs---- c:\documents and settings\Administrator\IETldCache
2009-04-01 13:03 . 2009-04-01 13:03 d-------- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-04-01 13:02 . 2009-04-06 17:43 2,148 --a------ c:\windows\system32\wpa.dbl
2009-04-01 12:55 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-04-01 12:52 . 2009-04-01 12:52 0 --a------ c:\windows\system32\hctcwiu.dll.bak
2009-03-31 19:41 . 2009-03-31 19:41 d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-31 19:40 . 2009-03-31 19:40 d-------- c:\program files\SUPERAntiSpyware
2009-03-31 19:40 . 2009-03-31 19:40 d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-31 19:40 . 2009-03-31 19:40 d-------- c:\documents and settings\Loren Mickelson\Application Data\SUPERAntiSpyware.com
2009-03-31 18:55 . 2009-03-31 18:55 d-------- c:\documents and settings\Loren Mickelson\Application Data\gyvrpnji
2009-03-31 18:53 . 2009-03-31 18:53 d-------- c:\documents and settings\NetworkService\Application Data\gyvrpnji
2009-03-31 18:42 . 2009-03-31 18:42 d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-03-31 18:28 . 2009-03-31 18:28 d--hs---- c:\documents and settings\Loren Mickelson\IECompatCache
2009-03-31 18:24 . 2009-03-31 18:24 d-------- c:\program files\CCleaner
2009-03-31 18:18 . 2009-03-09 05:19 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-31 18:10 . 2009-03-31 18:11 d-------- C:\rsit
2009-03-31 18:10 . 2009-04-02 14:27 d-------- c:\program files\trend micro
2009-03-31 17:48 . 2009-03-31 17:48 d-------- C:\_OTMoveIt
2009-03-31 17:40 . 2009-03-31 17:40 d--hs---- c:\documents and settings\Loren Mickelson\PrivacIE
2009-03-31 17:36 . 2009-03-31 17:36 d--hs---- c:\documents and settings\Loren Mickelson\IETldCache
2009-03-31 17:35 . 2009-03-31 17:35 d--hs---- c:\windows\system32\config\systemprofile\IETldCache
2009-03-31 17:28 . 2009-03-31 17:30 d--h-c--- c:\windows\ie8
2009-03-30 17:49 . 2009-03-30 17:49 164 --a------ c:\windows\install.dat
2009-03-28 15:19 . 2009-03-28 15:20 d-------- c:\program files\MagicDisc
2009-03-28 15:19 . 2009-02-24 18:42 116,736 --a------ c:\windows\system32\drivers\mcdbus.sys
2009-03-28 15:13 . 2009-03-28 15:13 d-------- c:\program files\MagicISO
2009-03-28 13:09 . 2009-03-28 13:09 d-------- c:\program files\Common Files\Macrovision Shared
2009-03-28 13:08 . 2009-03-28 13:08 d-------- c:\program files\Rosetta Stone
2009-03-28 13:08 . 2009-04-05 20:40 d-------- c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-03-22 17:20 . 2009-03-22 17:26 d-------- c:\program files\PeerGuardian2
2009-03-19 21:42 . 2009-04-05 17:42 d--h----- C:\$AVG8.VAULT$
2009-03-19 21:26 . 2009-04-05 17:33 d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-19 19:41 . 2009-03-19 19:41 d-------- c:\documents and settings\All Users\Application Data\TEMP
2009-03-19 18:58 . 2009-03-22 15:49 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-09 13:48 . 2009-04-05 20:55 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-09 13:48 . 2009-03-09 13:48 d-------- c:\documents and settings\Loren Mickelson\Application Data\Malwarebytes
2009-03-09 13:48 . 2009-03-09 13:48 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-09 13:48 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-09 13:48 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-08 21:11 . 2009-03-22 15:52 d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-08 21:08 . 2009-03-22 15:52 d-------- c:\program files\Common Files\Symantec Shared
2009-03-08 16:58 . 2008-04-13 18:12 26,112 --a------ c:\windows\system32\dllcache\userinit.exe
2009-03-08 04:33 . 2009-03-08 04:33 18,944 --------- c:\windows\system32\dllcache\corpol.dll
2009-03-07 14:28 . 2009-03-07 14:28 d-------- c:\program files\uTorrent


Re: Evil Win32 Cryptor Virus will not disapear

Post by brew311 on 6th April 2009, 11:57 pm

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 23:32 23,424 ----a-w c:\windows\system32\drivers\jcxpuabz.sys
2009-04-06 01:36 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-06 01:23 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2009-04-05 21:36 --------- d-----w c:\program files\Java
2009-04-04 02:13 --------- d-----w c:\program files\RGB
2009-04-04 02:11 --------- d-----w c:\program files\Windows Media Connect 2
2009-04-04 02:10 --------- d-----w c:\program files\Bonjour
2009-04-03 23:04 --------- d-----w c:\program files\Google
2009-03-31 17:31 --------- d-----w c:\documents and settings\Loren Mickelson\Application Data\uTorrent
2009-03-20 17:08 --------- d-----w c:\documents and settings\Loren Mickelson\Application Data\DNA
2009-03-20 02:28 --------- d-----w c:\program files\DNA
2009-03-20 00:53 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-20 00:33 --------- d-----w c:\program files\McAfee
2009-03-05 23:10 1,553,784 ----a-w c:\windows\WRSetup.dll
2009-03-04 21:43 --------- d-----w c:\documents and settings\Loren Mickelson\Application Data\LimeWire
2009-03-03 18:39 --------- d-----w c:\program files\Yahoo!
2009-03-03 17:46 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2009-03-03 17:35 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2009-02-28 20:00 --------- d-----w c:\program files\Cobian Backup 8
2009-02-28 19:52 --------- d-----w c:\program files\Cobian Backup 9
2009-02-28 16:27 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-27 03:09 --------- d-----w c:\documents and settings\Loren Mickelson\Application Data\.purple
2009-02-26 18:46 74,760 ----a-w c:\windows\system32\drivers\UniversalDD.sys
2009-02-26 18:46 25,608 ----a-w c:\windows\system32\drivers\AVGIDSErHr.sys
2009-02-26 02:25 --------- d-----w c:\program files\iTunes
2009-02-26 02:25 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-26 02:24 --------- d-----w c:\program files\iPod
2009-02-26 01:57 --------- d-----w c:\program files\Common Files\Apple
2009-02-26 01:06 --------- d-----w c:\program files\QuickTime
2009-02-25 21:24 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2009-02-25 21:24 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2009-02-25 21:24 176,752 ----a-w c:\windows\system32\drivers\ssidrv.sys
2009-02-22 00:06 --------- d-----w c:\program files\Files
2009-02-21 02:15 --------- d-----w c:\program files\InstallShield Installation Information
2009-02-21 02:14 --------- d-----w c:\program files\Seagate
2009-02-21 02:14 --------- d-----w c:\documents and settings\All Users\Application Data\Seagate
2009-02-12 19:44 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-09 02:46 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2008-09-26 19:50 46,848 -c--a-w c:\documents and settings\Loren Mickelson\Application Data\GDIPFONTCACHEV1.DAT
2008-06-22 22:00 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2008-01-15 02:50 122,368 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-09-10 18:27 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091020080911\index.dat
.


Re: Evil Win32 Cryptor Virus will not disapear

Post by brew311 on 6th April 2009, 11:57 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 606208]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-12-03 344064]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-14 206064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Cobian Backup 8 interface"="c:\program files\Cobian Backup 8\cbInterface.exe" [2007-09-27 2425856]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 169984]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-04 1932568]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-02-26 1579528]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\documents and settings\Loren Mickelson\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-03-28 576000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 12:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 15:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-04 16:04 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WFPUser.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WFPUser.lnk
backup=c:\windows\pss\WFPUser.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Loren Mickelson^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Loren Mickelson\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
- [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 12:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
-----c--- 2004-06-18 09:30 290816 c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
--a------ 2008-08-14 00:04 206064 c:\program files\Dell Support Center\bin\sprtcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--------- 2005-03-16 04:33 127037 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 13:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
--a------ 2008-01-14 20:49 29744 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 15:22 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--------- 2004-07-27 15:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--------- 2009-01-06 14:06 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
--a------ 2008-10-28 17:42 181544 c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxtorOneTouch]
--------- 2004-12-22 08:21 823296 c:\program files\Maxtor\OneTouch\Utils\OneTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MXOBG]
--------- 2005-09-09 22:43 94208 c:\windows\MXOALDR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 17:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RetroExpress]
-----c--- 2004-07-30 15:47 6946816 c:\progra~1\Dantz\RETROS~1\RetroExpress.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-02-12 20:10 21898024 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
-----c--- 2003-11-19 16:48 32881 c:\program files\Java\j2re1.4.2_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
--a------ 2009-03-30 16:07 1213320 c:\program files\Trojan Remover\Trjscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
--a------ 2008-04-13 18:12 10752 c:\windows\system32\dumprep.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WD Button Manager]
--------- 2006-01-07 16:57 331776 c:\windows\system32\WDBtnMgr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)


Re: Evil Win32 Cryptor Virus will not disapear

Post by brew311 on 6th April 2009, 11:58 pm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\Ad-Aware.exe"=
"c:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-02-26 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-04-04 12552]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-08-09 29808]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-04-04 325640]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-04-04 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-04 298264]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2009-04-04 1356616]
R2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2009-02-26 563720]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-10-28 156968]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
R2 WFPService;WFPService;c:\program files\Microsoft Windows Feedback Panel\wfpservice.exe [2006-06-13 179000]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2009-02-08 1178728]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-04-04 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2009-02-26 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2009-02-26 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2009-02-26 27232]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe [2009-02-26 5576712]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-04-04 29208]
S3 GoogleDesktopManager-010108-205858;Google Desktop Manager 5.7.801.1629;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-01-14 29744]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-10 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JQDFHLLS

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 13:06]

2009-03-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 16:10]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
TCP: {78ECA568-4FF0-4D82-BED8-25ADFD29525D} = 192.168.2.1
DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Loren Mickelson\Application Data\Mozilla\Firefox\Profiles\mu5vrrjx.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Loren Mickelson\Application Data\Mozilla\Firefox\Profiles\mu5vrrjx.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-06 17:45:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SNDSrvc]
"ImagePath"="-"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1244)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cobian Backup 8\cbService.exe
c:\windows\ehome\ehrecvr.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\windows\ehome\ehSched.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Dantz\Retrospect Express HD\retrorun.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Microsoft Windows Feedback Panel\wfpuser.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Microsoft Windows Feedback Panel\wfpasieve.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\Apoint\ApntEx.exe
.
**************************************************************************
.
Completion time: 2009-04-06 17:51:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-06 23:51:09
ComboFix2.txt 2009-04-06 04:43:35

Pre-Run: 26,691,928,064 bytes free
Post-Run: 26,666,913,792 bytes free

402 --- E O F --- 2009-02-26 10:00:54

brew311
Intermediate

Posts : 54
Joined : 2009-04-05
OS : xp
Points : 28374
Likes : 0


Re: Evil Win32 Cryptor Virus will not disapear

Post by Belahzur on 7th April 2009, 12:00 am

Hello.
The malware is gone now; all that's left is some extra junk you don't need, which we'll throw out.

  • Open HijackThis
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245111
Likes : 1


Re: Evil Win32 Cryptor Virus will not disapear

Post by brew311 on 7th April 2009, 12:05 am

I think that partially worked. I'm still not able to update Windows or turn on Windows Firewall. Plus, I am getting redirected when I click on a search result link. Here is the HijackThis uninstall list (uninstall_list.txt):

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
7-Zip 4.57
A4 DVD Shrinker
ABBYY FineReader 5.0 Sprint Plus
Across Lite 2.0
Ad-Aware
Ad-Aware
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 8.1.3
Adobe Shockwave Player
ALPS Touch Pad Driver
Amazon DVD Shrinker SE 2.6.1
Amazon MP3 Downloader 1.0.3
AOLIcon
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
AVG 8.5
AVG Identity Protection
Bonjour
Broadcom Management Programs 2
CCleaner (remove only)
Cobian Backup 8
Conexant D110 MDC V.9x Modem
Crack-Gmat Diagnostic Test
Dell Photo AIO Printer 922
Dell Picture Studio v3.0
Dell Support Center (Support Software)
DellConnect
DellSupport
Digital Line Detect
DivX
DivX Player
Easy DVD Shrink
ESPNMotion
FireTune
FlipViewer 2.2.5
FLV Player 1.3.3
FoxyTunes for Firefox
G21922EN
Garmin City Navigator North America NT 2009 Update
Garmin WebUpdater
GemMaster Mystic
getPlus(R)_dll
Google Desktop
Google Earth
Google Photos Screensaver
Google Talk (remove only)
Google Updater
GTK+ Runtime 2.12.8 rev a (remove only)
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) PROSet/Wireless Software
Internal Network Card Power Management
Internet Explorer Default Page
iPod for Windows 2005-06-26
iPod for Windows 2005-10-12
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Jasc Paint Shop Photo Album
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 13
Learn2 Player (Uninstall Only)
LexarMedia ImageRescue Software
LimeWire 4.18.5
Magic ISO Maker v5.5 (build 0274)
MagicDisc 2.7.106
Malwarebytes' Anti-Malware
mCore
mDrWiFi
MediaMonkey 2.5
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Windows Feedback Panel 3.3
mIWA
mIWCA
mLogView
mMHouse
MobileMe Control Panel
Modem Helper
Mozilla Firefox (3.0.8)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
mToolkit
mWlsSafe
mXML
mZConfig
Opera 9.50
Otto
PeerGuardian 2.0
Picasa 3
PowerDVD 5.5
Qualxserve Service Agreement
QuickSet
QuickTime
RamBooster
Retrospect 6.5
Retrospect Express HD 1.0
Rosetta Stone Version 3
Safari
Scientific-Atlanta WebSTAR 2000 series Cable Modem
Seagate Manager Installer
Seagate Manager Installer
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960715)
Shutterfly Plugin
Skype™ 3.6
Sonic Audio module
Sonic Copy Module
Sonic DLA
Sonic Encoders
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Data
Sonic Update Manager
Spy Sweeper
Spy Sweeper Core
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
System Requirements Lab
TripStalker
Trojan Remover 6.7.8
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb959634)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
USB Storage Adapter FX (MXO)
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebCyberCoach 3.2 Dell
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Internet Explorer 8
Windows Live installer
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
Winkflash Transporter
WordPerfect Office 12


Re: Evil Win32 Cryptor Virus will not disapear

Post by Belahzur on 7th April 2009, 12:18 am

Hello.

Is the re-direct only in Firefox?

We'll do one more CFScript after you've removed these programs.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_03
    LimeWire 4.18.5
    Viewpoint Media Player

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
JQDFHLLS

File::
C:\pv.exe
c:\windows\system32\drivers\jcxpuabz.sys

Folder::
C:\HaxFix
C:\Lop SD
C:\VundoFix Backups
C:\SDFix
C:\rsit
C:\_OTMoveIt
c:\program files\uTorrent
c:\documents and settings\Loren Mickelson\Application Data\uTorrent
c:\documents and settings\Loren Mickelson\Application Data\DNA
c:\program files\DNA

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.

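The Registry:: block in the CFScript above turns the Standard Profile firewall back on, and the reporter also says Windows Update stopped working. Before and after a fix like that, a practitioner wants an offline way to confirm the state of those keys without trusting the infected machine's GUI. The following is an added example written for this page, not part of the thread or of ComboFix: it parses a `reg export` file (Windows Registry Editor 5.00 format) and reports any firewall profile with `EnableFirewall` set to 0 and any update- or firewall-related service set to Disabled (`Start=4`). The export text is constructed for the example, and the list of services that a stock XP install does not disable (BITS, wuauserv, SharedAccess, wscsvc) is my assumption.

```python
"""Check a `reg export` of the firewall policy and service keys.

Added example, not part of the thread: SAMPLE_REG is a constructed export in the
Windows Registry Editor 5.00 format that `reg export` writes, and WATCHED_SERVICES
is an assumption about services a stock Windows XP install never sets to Disabled.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample export (illustrative values, not from the reporter's machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DoNotAllowExceptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

SERVICES_KEY = r"hkey_local_machine\system\currentcontrolset\services"
FIREWALL_PROFILES = ("domainprofile", "standardprofile")
# Assumption: none of these is Disabled (Start=4) on a stock XP SP2/SP3 install.
WATCHED_SERVICES = ("bits", "wuauserv", "sharedaccess", "wscsvc")
START_DISABLED = 4


def parse_dwords(reg_text: str) -> Dict[Tuple[str, str], int]:
    """Return {(key, value_name): int} for every DWORD value in the export.

    Keys and value names are lower-cased because the registry is case-insensitive.
    Other value types (strings, hex(2) expand strings, binary) are skipped.
    """
    values: Dict[Tuple[str, str], int] = {}
    key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m["key"].lower()
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            values[(key, m["name"].lower())] = int(m["hex"], 16)
    return values


def check(values: Dict[Tuple[str, str], int]) -> List[Tuple[str, str, int]]:
    """Flag firewall profiles switched off and watched services set to Disabled."""
    findings: List[Tuple[str, str, int]] = []
    for profile in FIREWALL_PROFILES:
        key = f"{SERVICES_KEY}\\sharedaccess\\parameters\\firewallpolicy\\{profile}"
        state = values.get((key, "enablefirewall"))
        if state == 0:  # value present and explicitly off; absent means default (on)
            findings.append(("firewall_off", profile, state))
    for svc in WATCHED_SERVICES:
        start = values.get((f"{SERVICES_KEY}\\{svc}", "start"))
        if start == START_DISABLED:
            findings.append(("service_disabled", svc, start))
    return findings


if __name__ == "__main__":
    for code, item, value in check(parse_dwords(SAMPLE_REG)):
        print(f"{code:18} {item:16} value={value}")
```

On a real machine the input comes from `reg export HKLM\SYSTEM\CurrentControlSet\Services svc.reg`; note that `reg export` writes UTF-16 with a byte-order mark, so open the file with `encoding="utf-16"` before passing its text to `parse_dwords`. The `dword:00000001` syntax in the export is the same one the CFScript Registry:: block uses, which makes it easy to diff what you asked ComboFix to set against what actually landed.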

Re: Evil Win32 Cryptor Virus will not disapear

Post by brew311 on 7th April 2009, 12:21 am

No, it's in both IE and Firefox. The main problem with IE is that it's not working properly. It can't run ActiveX files, and any Java-based programs or icons won't load. It's a pain in the butt.


Re: Evil Win32 Cryptor Virus will not disapear

Post by Belahzur on 7th April 2009, 12:24 am

Okay, we'll see if the redirects are still there after you've done the above CFScript.


Re: Evil Win32 Cryptor Virus will not disapear

Post by brew311 on 7th April 2009, 1:47 am

I've run ComboFix as you've instructed. However, during the restart ComboFix has given me a "please wait" message and it's been over an hour. Should I restart the computer or wait?


Re: Evil Win32 Cryptor Virus will not disapear

Post by Belahzur on 7th April 2009, 1:53 am

Let it stay there for a bit and see if it's just going slow or has crashed. If it's still stuck after another 20 minutes or so, then follow these instructions.

ComboFix should never take more than 20 minutes including the reboot. If it does, open Task Manager (press Ctrl+Alt+Del) and on the Processes tab end any findstr, find, sed or swreg processes; ComboFix should then continue. If this happens, please let me know which process you had to end.


Re: Evil Win32 Cryptor Virus will not disapear

Post by brew311 on 7th April 2009, 2:00 am

I've waited 20 minutes and nothing has happened. I looked at the processes and none of those you suggested looking for are running. What do you recommend I do?


Re: Evil Win32 Cryptor Virus will not disapear

Post by Belahzur on 7th April 2009, 2:16 am

Okay, reboot your machine and see what happens.


Re: Evil Win32 Cryptor Virus will not disapear

Post by brew311 on 7th April 2009, 2:28 am

I rebooted my computer and ComboFix didn't run. Here is my latest HijackThis log:


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cobian Backup 8\cbService.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPService.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Microsoft Windows Feedback Panel\WFPUser.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft Windows Feedback Panel\wfpasieve.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Cobian Backup 8\cbInterface.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\trend micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF9186.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_13.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_13.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - [You must be registered and logged in to see this link.]
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {5DA9D8E0-5A57-11CF-9E36-00C0930198C0} (Pegasus ImagN' 32-bit (Windowed) ActiveX Control v4.00) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{78ECA568-4FF0-4D82-BED8-25ADFD29525D}: NameServer = 192.168.2.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: AVGIDSAgent - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
O23 - Service: AVGIDSWatcher - AVG - C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Cobian Backup 8 service (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Desktop Manager 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~2\wdsvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. ([You must be registered and logged in to see this link.] - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\


Re: Evil Win32 Cryptor Virus will not disapear

Post by Belahzur on 7th April 2009, 1:12 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF9186.exe /c C:\ComboFix\Combobatch.bat


  • Press "Fix Checked"
  • Close Hijack This.

These services just need resetting back to their default values because they have been modified by malware.


O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\


Please download this fix tool from [You must be registered and logged in to see this link.].

Double click it to run it.
Allow it to run if protection programs stop it.
The services should now be back to default value and no longer appear in Hijack This.

How is the machine running now?

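The two O23 lines singled out above are the tell: HijackThis prints a service's ImagePath as the last field, and for BITS and Automatic Updates that field should name svchost.exe, not a bare `C:\WINDOWS\`. The same log also still carries the leftover `[combofix]` Run entry and an O10 Winsock LSP line. As an added example for this page (written in Python for this thread, not code from HijackThis, ComboFix or the posters), the script below runs that triage over a few constructed log lines modelled on the entries quoted in the post above and returns a list of findings a responder would act on. The assumption that both services are svchost-hosted on a stock Windows XP install (`%SystemRoot%\System32\svchost.exe -k netsvcs`) is mine; the sample lines are constructed, not copied from the reporter's log.

```python
"""Triage a HijackThis 2.0 log for the entries a responder should look at first.

Added example for this thread: SAMPLE_LOG is constructed, modelled on the
O4/O10/O23 entries quoted in the posts, and SVCHOST_HOSTED is an assumption
about stock Windows XP defaults rather than data read from a machine.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in HijackThis 2.0 format (not a verbatim log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF9186.exe /c C:\ComboFix\Combobatch.bat
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumption: on stock XP both services run inside svchost.exe
# (ImagePath %SystemRoot%\System32\svchost.exe -k netsvcs), so an O23 path
# for them that never mentions svchost.exe has been altered.
SVCHOST_HOSTED = {"BITS", "wuauserv"}
# Autoruns that hand off to a batch file or cmd.exe are either cleanup-tool
# leftovers (as in this thread) or something you want to look at closely.
BATCH_OR_SHELL = re.compile(r"(?i)(\.bat\b|\.cmd\b|\bcmd(\.exe)?\b)")


@dataclass
class Finding:
    code: str   # machine-readable category
    item: str   # service short name, Run key name or file path
    note: str   # what to do about it


def short_name(display: str) -> str:
    """'Automatic Updates (wuauserv)' -> 'wuauserv'; no parentheses -> unchanged."""
    m = re.search(r"\(([^()]+)\)\s*$", display)
    return m.group(1) if m else display


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            name, path = short_name(m["name"]), m["path"]
            if path.endswith("(file missing)"):
                findings.append(Finding("file_missing", name,
                    "orphaned service entry, binary is gone; safe to delete the service"))
            elif name in SVCHOST_HOSTED and "svchost.exe" not in path.lower():
                findings.append(Finding("image_path_tampered", name,
                    "ImagePath no longer points at svchost.exe; reset to the XP default"))
            continue
        m = O4_RE.match(line)
        if m and BATCH_OR_SHELL.search(m["cmd"]):
            findings.append(Finding("leftover_batch_autorun", m["key"],
                "autorun that launches a batch file or cmd.exe; remove unless you put it there"))
            continue
        m = O10_RE.match(line)
        if m:
            findings.append(Finding("winsock_lsp_unknown", m["path"],
                "verify the file's signature before touching it; breaking the LSP chain kills networking"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:24} {f.item:40} {f.note}")
```

Two points of practice baked in: a service whose binary is simply missing (the Symantec leftover) is a housekeeping item, whereas a Windows-owned service whose ImagePath has been rewritten is the kind of change that silently disables Windows Update and is worth fixing first; and an "Unknown file in Winsock LSP" is flagged for verification, not deletion, because removing an LSP entry wrongly leaves the machine without working networking.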

Re: Evil Win32 Cryptor Virus will not disapear

Post by brew311 on 7th April 2009, 10:28 pm

It's getting better. ActiveX is finally running again (thanks). However, I am still getting redirected when clicking on search links, and none of the pictures are loading on the Windows website or on some of the antivirus software sites.


Re: Evil Win32 Cryptor Virus will not disapear

Post by Belahzur on 7th April 2009, 10:37 pm

Okay, let's see what we can do about that.

Please download [You must be registered and logged in to see this link.] and save it to your Desktop. Double-click GooredFix.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt). Note: Do not run Option #2 yet.


Re: Evil Win32 Cryptor Virus will not disapear

Post by brew311 on 7th April 2009, 10:42 pm

GooredFix log:
GooredFix v1.92 by jpshortstuff
Log created at 16:41 on 07/04/2009 running Option #1 )
Firefox version 3.0.8 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{6F9D8B6F-B908-4E08-B107-FE59318FC63D}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

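The log above lists one suspect folder under the Firefox extensions directory and, separately, the extension paths the registry registers. As an added example (a simplified reimplementation of the idea, not GooredFix's own logic or any code from the thread), the Python script below parses a log in that shape and reports each suspect folder together with whether any registry value points at it and whether its name is a bare GUID; both together are the red flag. The sample log is the Option #1 log from the post with the header line lightly trimmed.

```python
"""Cross-check the extension folders a GooredFix-style log reports against
the Firefox extensions the registry actually registers.

Added example, not GooredFix's own code: it reimplements one idea behind
that kind of check in a simplified form. An extension directory sitting in
the global Firefox extensions folder that no registry value points to, and
that carries a GUID-style name, is worth a closer look. The sample log is
the Option #1 log brew311 posted, with the header lightly trimmed.
"""
import re

SAMPLE_LOG = r"""GooredFix v1.92 by jpshortstuff
Log created at 16:41 on 07/04/2009 running Option #1
Firefox version 3.0.8 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{6F9D8B6F-B908-4E08-B107-FE59318FC63D}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"
"""

# A folder whose last path component is a bare {GUID}.
GUID_DIR_RE = re.compile(
    r"\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE
)
# One "name"="path" line from the registry dump section.
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_goored_log(text):
    """Return (suspects, registered): suspects is the list of folders from the
    'Suspect Goored Entries' section, registered a list of
    (registry key, value name, path) tuples from the registry dump."""
    suspects, registered = [], []
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("=====") and line.endswith("====="):
            section = line.strip("=").strip()
            continue
        if section == "Suspect Goored Entries":
            suspects.append(line)
        elif section == "Dumping Registry Values":
            if line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]
                continue
            m = VALUE_RE.match(line)
            if m:
                registered.append((current_key, m.group(1), m.group(2)))
    return suspects, registered


def _norm(path):
    return path.rstrip("\\").lower()


def review_suspects(text):
    """For each suspect folder, record whether some registry value registers
    that exact path and whether the folder name is a bare GUID."""
    suspects, registered = parse_goored_log(text)
    known = {_norm(p) for _, _, p in registered}
    findings = []
    for folder in suspects:
        findings.append({
            "folder": folder,
            "registered": _norm(folder) in known,
            "guid_named": bool(GUID_DIR_RE.search(folder.rstrip("\\"))),
        })
    return findings


def unregistered_guid_folders(text):
    """The folders that combine both warning signs."""
    return [f["folder"] for f in review_suspects(text)
            if not f["registered"] and f["guid_named"]]


if __name__ == "__main__":
    for f in review_suspects(SAMPLE_LOG):
        print(f)
```

On the posted log the single suspect is both unregistered and GUID-named, while the AVG and Java entries, which also use GUID or address-style names, are registered under HKLM and live outside the Firefox extensions folder, so they are not reported. A real-world version of this check would also read the profile's own extensions directory, which this log does not cover.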

Post by Belahzur on 7th April 2009, 10:47 pm

Hello.
Open Gooredfix again. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).



Post by brew311 on 7th April 2009, 11:15 pm

gooredfix log

GooredFix v1.92 by jpshortstuff
Log created at 17:06 on 07/04/2009 running Option #2 (Loren Mickelson)
Firefox version 3.0.8 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{6F9D8B6F-B908-4E08-B107-FE59318FC63D}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox

Everything is improving, but I'm still having problems with IE loading icons, along with my antivirus software.


Post by Belahzur on 7th April 2009, 11:17 pm

Good, good.
We might be able to fix the IE icons. Hold the control key (ctrl) and while holding it, press the F5 key.

What's the problem with your AV?



Post by brew311 on 7th April 2009, 11:26 pm

That trick didn't work on IE. It's like the virus isn't allowing any pictures to be loaded in IE. It wasn't AVG it was attacking; it attacked my McAfee. Nothing was loading properly. The basics would work, but not the pictures or tab icons.


Post by Belahzur on 7th April 2009, 11:32 pm

You don't have McAfee installed from what I can see; there are no signs of it in HijackThis. You shouldn't have McAfee installed anyway if you have AVG installed. Running two AVs is a bad idea, as they can conflict and cause problems.

So if you do have McAfee installed, then it needs to be uninstalled.

Let's see if this will fix IE.

Download [You must be registered and logged in to see this link.]

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.



Post by brew311 on 8th April 2009, 12:16 am

Nope. No go on that. IE's main problem is that text loads but pictures don't. It's not just on Microsoft websites; it's on all websites.


Post by Belahzur on 8th April 2009, 12:31 am

Well, you do have IE8 installed, and IE8 is still somewhat buggy.
Try this, though.

Right click the IE8 icon on your desktop > Is there a "Run with no add-ons" choice?



Post by brew311 on 8th April 2009, 12:52 am

Yeah, it has a "start without add-ons" option. I've run that and still none of the icons or pictures will load. It's so weird. The same websites load with Firefox and Opera, but don't load with pictures or icons.


Post by brew311 on 8th April 2009, 12:59 am

Those websites load pics and tabs with Opera and Firefox, but not IE.


Post by Belahzur on 8th April 2009, 1:03 am

I wonder if it's a software conflict between AVG/Firewall/SpySweeper.

See [You must be registered and logged in to see this link.] and disable SpySweeper and AVG8 temporarily. (AVG is in the first post, SpySweeper in the third post)

Any luck now?



Post by brew311 on 8th April 2009, 1:08 am

I tried that and it didn't work. IE and the antivirus icons were working fine before the virus, but now they don't show up.


Post by Belahzur on 8th April 2009, 1:10 am

I guess the malware did this then. Although, it could be an option changed in IE.

But remember, malware does damage that can't always be fixed.
I'd forget about IE; it's not safe to use. Firefox/Opera are more secure.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.



Post by brew311 on 8th April 2009, 1:26 am

I think I figured out the problem on IE8. I followed these instructions from Microsoft:

Method 3: Verify that the Show Pictures option has not been turned off
If the Show Pictures option in Internet Explorer is turned off, you cannot see pictures. To determine whether the Show Pictures option is turned off, follow these steps:

1. On the Tools menu, click Internet Options.
2. Click the Advanced tab, and then verify that the Show Pictures check box is selected under Multimedia.
3. Click OK.

I did that, updated Windows Update, then restarted my computer. I think my computer is running normally. Thanks!
