Win32/Cryptor, can't install HijackThis, frequent freezing

Post by dblume on 9th April 2009, 2:40 pm

Hi,

I'm stuck. AVG picked up several files infected with Win32/Cryptor, however, the computer freezes frequently enough that it is difficult to perform any tasks. The computer will not install HijackThis or Malwarebytes (I can download the install files but double-clicking on them does nothing) and there is also a browser/search engine hijack happening that redirects search inquiries to seemingly random pages. Any help would be greatly appreciated. Thanks.

dblume
Intermediate
Intermediate

Posts Posts : 54
Joined Joined : 2009-04-09
OS OS : Windows Vista
Points Points : 28210
# Likes # Likes : 0

Post by Doctor Inferno on 9th April 2009, 2:53 pm

Welcome to GeekPolice.

Please read this topic before we can help you:

[You must be registered and logged in to see this link.]

Smile


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Posts Posts : 11976
Joined Joined : 2007-12-26
Gender Gender : Male
OS OS : Windows 7 Home Premium and Ultimate X64
Protection Protection : Kaspersky PURE and Malwarebytes' Anti-Malware
Points Points : 104640
# Likes # Likes : 0

Post by dblume on 9th April 2009, 3:03 pm

I've read the intro post. Java is updated, Adobe Reader is updated, and I've managed to download the install file for HijackThis; however, it will not run. Double-clicking it only causes an hourglass to appear with the cursor, then nothing. Also, at this point the computer freezes (no keyboard or mouse response) when I try to open any folder/file/webpage, forcing me to restart.
Because of this, I'm replying from a different computer. Is it ok to run in Safe Mode? I think I have a better chance at keeping it from freezing that way. Thanks.

Post by dblume on 9th April 2009, 4:47 pm

Bump - Are you able to help me?

Post by Belahzur on 9th April 2009, 5:02 pm

Hello.
Yes, we can help.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245111
# Likes # Likes : 1

Post by dblume on 9th April 2009, 5:06 pm

The computer now won't even start up. It freezes at the "welcome" splash screen and becomes unresponsive. Can I do this in safe mode (with networking, I suppose)?

Post by Belahzur on 9th April 2009, 5:08 pm

Yes, try that.


Post by dblume on 9th April 2009, 5:16 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "UACd.sys" found!
ImagePath: \systemroot\system32\drivers\UACctfmqxow.sys
Driver disabled successfully.

Rootkit scan completed.

Post by Belahzur on 9th April 2009, 5:17 pm

Hello.
You should at least be able to boot to normal mode now; the rootkit driver is disabled. We just have to delete it now, then we can start cleaning this mess up.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C).


Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\TDSSmact.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


Post by dblume on 9th April 2009, 5:24 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.

Error: file "C:\WINDOWS\system32\drivers\TDSSmact.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\TDSSmact.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Post by dblume on 9th April 2009, 5:25 pm

Also, Spybot just asked if I want to allow a registry change, a deletion of cleanup.exe? Should I allow it?

Post by Belahzur on 9th April 2009, 5:27 pm

Hello.
A quick note I should mention should Spybot warn you about this anytime during removal:

C:\Cleanup.exe is from the avenger, it's legit, so please allow it.
I want to turn TeaTimer off for now anyway, because it will interfere with our removal soon.

Please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this, otherwise this fix will fail.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


Post by dblume on 9th April 2009, 5:49 pm

After MBAM ran, it asked to restart. Since then, the computer boots, but when I move the cursor anywhere over the taskbar, it turns into an hourglass and I can't click on anything (neither on the desktop nor the taskbar). Nothing in the system tray is there besides the clock. I restarted from the Task Manager and it had to force explorer and another process (pccguide?), but it didn't change.

Post by dblume on 9th April 2009, 5:51 pm

Never mind, it's operational. I'll post the MBAM log in a moment.

Post by dblume on 9th April 2009, 5:52 pm

Malwarebytes' Anti-Malware 1.36
Database version: 1959
Windows 5.1.2600 Service Pack 3

4/9/2009 1:37:38 PM
mbam-log-2009-04-09 (13-37-38).txt

Scan type: Quick Scan
Objects scanned: 75317
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 2
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\ieocxapp.ieocx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ieocxapp.ieocx.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4b66e1df-4de3-4cda-83b5-11673eadab0b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07851c6a-1c43-41d9-8319-bc89154a8c00} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{06ec6572-7280-485a-a712-c380526bc048} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{b360243e-09e8-402f-8721-00b6798089ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3f5a62e2-51f2-11d3-a075-cc7364cae42a} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06ec6572-7280-485a-a712-c380526bc048} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06ec6572-7280-485a-a712-c380526bc048} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WinPC Defender (Rogue.WinPCDefender) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QdrPack (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QdrModule (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Temporary (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Dot1XCfg (Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\UACettapoxr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UAClnscmqwp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACpuhbapkk.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACwsrsbide.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACctfmqxow.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Laura Kelley\Local Settings\Temp\UAC98c0.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACbrmlaxvy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACxjfqxevb.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACyirjlkdm.dat (Trojan.Agent) -> Quarantined and deleted successfully.

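The MBAM log above follows a fixed layout (summary counts, then one section per category with "item (family) -> action" lines), so it can be checked mechanically rather than by eye. The following Python is an added example, not code from this thread or from Malwarebytes: it parses a constructed log in that layout, verifies the summary counts against the listed entries, flags items tied to the TDSS/UAC rootkit (by family name, or by the "UAC" plus eight random letters file naming seen in the log), and lists anything MBAM left pending a reboot. The sample entries and the "Delete on reboot." line are constructed; function names are my own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log and sanity-check its contents."""
import re

_SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")   # e.g. "Files Infected: 10"
_SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")         # e.g. "Files Infected:"
_ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
_NO_ITEMS = "(No malicious items detected)"
CLEAN_ACTION = "Quarantined and deleted successfully."
# Heuristic taken from the file names in this thread: the TDSS ("UAC") rootkit
# dropped system32\UAC + eight random lowercase letters + .dll/.sys/.dat/.log.
_UAC_NAME_RE = re.compile(r"^uac[a-z]{8}\.(dll|sys|dat|log)$", re.IGNORECASE)

# Constructed sample in the MBAM 1.36 log layout shown above (a few entries only;
# the "Delete on reboot." line is made up to exercise the pending-action check).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.36
Database version: 1959
Windows 5.1.2600 Service Pack 3

Scan type: Quick Scan
Objects scanned: 75317
Time elapsed: 3 minute(s), 58 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Data Items Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\WinPC Defender (Rogue.WinPCDefender) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\UACettapoxr.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACctfmqxow.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACbrmlaxvy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""


def parse_mbam_log(text):
    """Split an MBAM 1.x log into header lines, summary counts and per-section entries."""
    header, summary, sections = [], {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # a blank line ends a detail section
            continue
        m = _SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is None:
            header.append(line)     # product/version/scan-type lines
            continue
        if line == _NO_ITEMS:
            continue
        m = _ENTRY_RE.match(line)
        if not m:
            raise ValueError("unrecognised entry in %s: %r" % (current, line))
        sections[current].append(m.groupdict())
    return {"header": header, "summary": summary, "sections": sections}


def check_summary(report):
    """Return (section, claimed, parsed) for every summary count that does not match its entries."""
    mismatches = []
    for name, claimed in report["summary"].items():
        parsed = len(report["sections"].get(name, []))
        if parsed != claimed:
            mismatches.append((name, claimed, parsed))
    return mismatches


def rootkit_indicators(report):
    """Items tied to the TDSS/UAC rootkit, by family name or by the UAC + 8 letters naming."""
    hits = []
    for entries in report["sections"].values():
        for e in entries:
            basename = e["item"].rsplit("\\", 1)[-1]
            if "TDSS" in e["family"] or "Rootkit" in e["family"] or _UAC_NAME_RE.match(basename):
                hits.append(e["item"])
    return hits


def pending_actions(report):
    """Items MBAM could not finish in-session (e.g. 'Delete on reboot.'): a restart is still needed."""
    return [e["item"] for entries in report["sections"].values()
            for e in entries if not e["action"].endswith(CLEAN_ACTION)]


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print("summary mismatches:", check_summary(rep))
    print("rootkit indicators:", rootkit_indicators(rep))
    print("still pending reboot:", pending_actions(rep))
```

A non-empty result from `pending_actions` is the case the helper's note about restarting immediately covers: the rootkit components are not gone until that reboot has happened.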
Post by Belahzur on 9th April 2009, 5:54 pm

Good, good.
Let's have one final look around.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


Post by dblume on 9th April 2009, 5:58 pm

DDS (Ver_09-03-16.01) - NTFSx86
Run by Laura Kelley at 13:56:46.54 on Thu 04/09/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.292 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: PC-cillin Internet Security - Virus Protection *On-access scanning disabled* (Updated)
FW: PC-cillin Internet Security - Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Laura Kelley\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
uWindows: run=""
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [OE_OEM] "c:\program files\trend micro\internet security 14\tmas_oe\TMAS_OEMon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [IMC] c:\program files\friendfinder\friendfinder messenger 30\imc.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - [You must be registered and logged in to see this link.]
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\laurak~1\applic~1\mozilla\firefox\profiles\fi97w4qe.default\
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-7 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-7 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-7 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-7 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-7 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\trendm~1\intern~1\Tmntsrv.exe [2006-9-25 345696]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2006-9-25 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\trendm~1\intern~1\tmproxy.exe [2006-9-25 566872]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\trendm~1\intern~1\TmPfw.exe [2006-9-25 923216]
S2 VGFS;Security Service;c:\windows\system32\svcd\svchost.exe --> c:\windows\system32\svcd\svchost.exe [?]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2006-9-25 280392]

=============== Created Last 30 ================

2009-04-09 13:32 --d----- c:\docume~1\laurak~1\applic~1\Malwarebytes
2009-04-09 13:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-09 13:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 13:32 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-09 13:32 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-09 09:59 --d----- c:\documents and settings\laura kelley\.SunDownloadManager
2009-04-09 08:57 --d----- c:\windows\system32\XPSViewer
2009-04-09 08:56 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-04-09 08:56 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll
2009-04-09 08:56 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-09 08:56 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-04-09 08:56 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-09 08:56 117,760 -------- c:\windows\system32\prntvpt.dll
2009-04-09 08:56 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-09 08:50 6,066,688 -------- c:\windows\system32\dllcache\ieframe.dll
2009-04-09 08:50 991,232 -------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-04-09 08:50 459,264 -------- c:\windows\system32\dllcache\msfeeds.dll
2009-04-09 08:50 267,776 -------- c:\windows\system32\dllcache\iertutil.dll
2009-04-09 08:50 52,224 -------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-09 08:50 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-09 08:50 2,455,488 -------- c:\windows\system32\dllcache\ieapfltr.dat
2009-04-09 08:50 383,488 -------- c:\windows\system32\dllcache\ieapfltr.dll
2009-04-09 08:50 63,488 -------- c:\windows\system32\dllcache\icardie.dll
2009-04-08 13:37 --d----- c:\program files\SpywareBlaster
2009-04-08 13:00 --d----- c:\program files\CCleaner
2009-04-08 12:36 --d----- c:\windows\pss
2009-04-08 11:33 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-07 22:44 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-07 22:43 --d----- c:\program files\Lavasoft
2009-04-07 21:26 --d-h--- C:\$AVG8.VAULT$
2009-04-07 21:24 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-07 21:24 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-07 21:24 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-07 21:24 --d----- c:\windows\system32\drivers\Avg
2009-04-07 21:24 --d----- c:\program files\AVG
2009-04-07 21:24 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-07 21:05 --d----- c:\program files\FirefoxPortable
2009-04-02 19:25 --d----- c:\docume~1\alluse~1\applic~1\WEBREG
2009-04-02 19:18 --d----- c:\program files\common files\Hewlett-Packard
2009-04-02 19:14 118,272 a------- c:\windows\system32\hpz3l5mu.dll
2009-04-02 19:14 6,784 a------- c:\windows\system32\drivers\serscan.sys
2009-04-02 19:14 6,784 a------- c:\windows\system32\dllcache\serscan.sys
2009-04-02 19:08 1,373,528 a----r-- c:\windows\hpzshl01.exe
2009-04-02 19:08 1,140,056 a----r-- c:\windows\hpzmsi01.exe
2009-04-02 19:08 12,054 a----r-- c:\windows\hpwscr20.dat
2009-04-02 19:08 --d----- c:\program files\HP
2009-04-02 19:08 32,128 a------- c:\windows\system32\drivers\usbccgp.sys
2009-04-02 19:08 32,128 a------- c:\windows\system32\dllcache\usbccgp.sys
2009-04-02 19:08 25,856 a------- c:\windows\system32\drivers\usbprint.sys
2009-04-02 19:08 25,856 a------- c:\windows\system32\dllcache\usbprint.sys

==================== Find3M ====================

2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-11-13 22:05 2,120 a------- c:\docume~1\laurak~1\applic~1\wklnhst.dat
2007-04-17 01:16 88 ---shr-- c:\windows\system32\73DA083153.sys
2007-04-17 01:19 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 13:57:37.26 ===============

Post by Belahzur on 9th April 2009, 6:15 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


Post by dblume on 9th April 2009, 6:19 pm

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
32 Bit HP CIO Components Installer
Ad-Aware
Ad-Aware
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1
AOLIcon
AVG 8.5
Broadcom Management Programs
CCleaner (remove only)
CCScore
Conexant HDA D110 MDC V.92 Modem
Corel Snapfire Plus
Critical Update for Windows Media Player 11 (KB959772)
Dell Game Console
Dell Support 3.2.1
Dell Wireless WLAN Card
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
EducateU
ESPNMotion
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
ESSvpaht
ESSvpot
Games, Music, & Photos Launcher
GemMaster Mystic
Google Earth
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
HLPIndex
HLPRFO
Hotfix 2050 for SQL Server 2000 ENU (KB948110)
Hotfix 2055 for SQL Server 2000 ENU (KB960082)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver
Kodak EasyShare software
KSU
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware
MediaDirect
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Small Business Edition 2003
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Modem Helper
Mozilla Firefox (3.0.8)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NetWaiting
Notifier
OTtBPSDK
OutlookAddinSetup
PCDADDIN
PCDHELP
QuickSet
QuickTime
RealPlayer Basic
SearchAssist
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
SFR
SHASTA
SKIN0001
SKINXSDK
Sonic DLA
Sonic Encoders
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
SpywareBlaster 4.1
Synaptics Pointing Device Driver
Trend Micro PC-cillin Internet Security 14
Trend Micro PC-cillin Internet Security 14
Update for Office 2007 (KB946691)
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VPRINTOL
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player 11
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WIRELESS


Re: Win32/Cryptor, can't install HijackThis, frequent freezing

Post by Belahzur on 9th April 2009, 6:23 pm

You are running two AVs; this is a bad idea, as they can conflict and cause problems. I see AVG and Trend Micro.
I would recommend that you remove Trend Micro to avoid conflicts and other future problems.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Trend Micro PC-cillin Internet Security 14
  • Trend Micro PC-cillin Internet Security 14
  • Viewpoint Media Player


Then go to Start > Run. In the run box, copy and paste this line in bold EXACTLY as seen below.

sc delete "VGFS"

Hit enter.

How is the machine running now?



Re: Win32/Cryptor, can't install HijackThis, frequent freezing

Post by dblume on 9th April 2009, 6:31 pm

The only weird thing that still happens is that the "My Computer" folder automatically opens upon startup. Any ideas as to how to stop that?

I can't even express how thankful I am for all your diligent help. Thank you!


Re: Win32/Cryptor, can't install HijackThis, frequent freezing

Post by Belahzur on 9th April 2009, 6:36 pm

Hello.
Yep, it's some sort of nullified/unreadable character in your registry.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

Reboot normally.
Let me know if My Computer opens on startup now.



Re: Win32/Cryptor, can't install HijackThis, frequent freezing

Post by dblume on 9th April 2009, 6:43 pm

It still happened.


Re: Win32/Cryptor, can't install HijackThis, frequent freezing

Post by Belahzur on 9th April 2009, 6:52 pm

Guess we'll use this; this will probably find that nullified key in the registry.


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.**
  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Re: Win32/Cryptor, can't install HijackThis, frequent freezing

Post by dblume on 9th April 2009, 7:07 pm

ComboFix 09-04-04.01 - Laura Kelley 2009-04-09 14:58:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.482 [GMT -4:00]
Running from: c:\documents and settings\Laura Kelley\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: PC-cillin Internet Security - Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\CID
c:\windows\system32\SvcNm
c:\windows\system32\url1
c:\windows\system32\url2
c:\windows\system32\url3

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTLOAD
-------\Legacy_PACKET


((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
.

2009-04-09 13:32 . 2009-04-09 13:32 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-09 13:32 . 2009-04-09 13:32 d-------- c:\documents and settings\Laura Kelley\Application Data\Malwarebytes
2009-04-09 13:32 . 2009-04-09 13:32 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 13:32 . 2009-04-06 15:32 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 13:32 . 2009-04-06 15:32 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-09 09:59 . 2009-04-09 10:09 d-------- c:\documents and settings\Laura Kelley\.SunDownloadManager
2009-04-09 08:57 . 2009-04-09 08:57 d-------- c:\windows\system32\XPSViewer
2009-04-09 08:57 . 2009-04-09 08:57 d-------- c:\program files\Reference Assemblies
2009-04-09 08:57 . 2009-04-09 08:57 d-------- c:\program files\MSBuild
2009-04-09 08:56 . 2008-07-06 08:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-04-09 08:56 . 2008-07-06 08:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
2009-04-09 08:56 . 2008-07-06 06:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-09 08:56 . 2008-07-06 08:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-04-09 08:56 . 2008-07-06 08:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-09 08:56 . 2008-07-06 08:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-04-09 08:56 . 2008-07-06 08:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-09 08:50 . 2008-12-20 19:15 6,066,688 --------- c:\windows\system32\dllcache\ieframe.dll
2009-04-09 08:50 . 2007-04-17 05:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2009-04-09 08:50 . 2007-03-08 01:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-04-09 08:50 . 2008-12-20 19:15 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2009-04-09 08:50 . 2008-12-20 19:15 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2009-04-09 08:50 . 2008-12-20 19:15 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2009-04-09 08:50 . 2008-12-20 19:15 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2009-04-09 08:50 . 2008-12-20 19:15 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-09 08:50 . 2008-12-19 05:10 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-09 08:11 . 2009-04-09 08:51 1,355 --a------ c:\windows\imsins.BAK
2009-04-08 17:40 . 2009-04-08 17:58 d---s---- c:\documents and settings\Administrator\UserData
2009-04-08 13:00 . 2009-04-08 13:00 d-------- c:\program files\CCleaner
2009-04-08 11:33 . 2009-03-09 15:06 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-04-07 22:44 . 2009-03-09 15:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-04-07 22:43 . 2009-04-07 22:43 d-------- c:\program files\Lavasoft
2009-04-07 22:43 . 2009-04-07 22:43 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-07 21:26 . 2009-04-09 09:13 d--h----- C:\$AVG8.VAULT$
2009-04-07 21:24 . 2009-04-09 09:42 d-------- c:\windows\system32\drivers\Avg
2009-04-07 21:24 . 2009-04-07 21:24 d-------- c:\program files\AVG
2009-04-07 21:24 . 2009-04-07 22:26 d-------- c:\documents and settings\All Users\Application Data\avg8
2009-04-07 21:24 . 2009-04-07 21:24 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-04-07 21:24 . 2009-04-07 21:24 108,552 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-04-07 21:24 . 2009-04-07 21:24 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-04-02 19:25 . 2009-04-02 19:25 d-------- c:\documents and settings\All Users\Application Data\WEBREG
2009-04-02 19:19 . 2009-04-02 19:19 d-------- c:\documents and settings\All Users\Application Data\HP
2009-04-02 19:18 . 2009-04-02 19:18 d-------- c:\program files\Common Files\Hewlett-Packard
2009-04-02 19:15 . 2009-04-02 19:15 d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-04-02 19:14 . 2007-12-03 18:57 118,272 --a------ c:\windows\system32\hpz3l5mu.dll
2009-04-02 19:14 . 2001-08-17 13:53 6,784 --a------ c:\windows\system32\drivers\serscan.sys
2009-04-02 19:14 . 2001-08-17 13:53 6,784 --a------ c:\windows\system32\dllcache\serscan.sys
2009-04-02 19:08 . 2009-04-04 20:14 d-------- c:\program files\HP
2009-04-02 19:08 . 2007-11-06 22:04 1,373,528 -ra------ c:\windows\hpzshl01.exe
2009-04-02 19:08 . 2007-11-06 22:15 1,140,056 -ra------ c:\windows\hpzmsi01.exe
2009-04-02 19:08 . 2008-04-13 13:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-04-02 19:08 . 2008-04-13 13:45 32,128 --a------ c:\windows\system32\dllcache\usbccgp.sys
2009-04-02 19:08 . 2008-04-13 13:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-04-02 19:08 . 2008-04-13 13:47 25,856 --a------ c:\windows\system32\dllcache\usbprint.sys
2009-04-02 19:08 . 2008-01-08 08:44 12,054 -ra------ c:\windows\hpwscr20.dat
2009-03-29 10:09 . 2009-03-29 10:09 d-------- c:\program files\Common Files\Adobe AIR
2009-03-29 10:07 . 2009-03-29 10:08 d-------- c:\program files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 18:26 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-09 18:18 --------- d-----w c:\program files\Trend Micro
2009-04-09 17:29 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-09 14:16 --------- d-----w c:\program files\Java
2009-04-08 01:43 --------- d-----w c:\program files\DIGStream
2009-04-05 01:43 --------- d-----w c:\program files\Google
2009-04-05 01:36 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-14 02:05 2,120 ----a-w c:\documents and settings\Laura Kelley\Application Data\wklnhst.dat
2007-04-17 05:16 88 --sh--r c:\windows\system32\73DA083153.sys
2007-04-17 05:19 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-23 1392640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-07 1932568]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 c:\windows\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-07 21:24 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-08-03 20:51 1032192 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
--a------ 2006-11-03 11:01 319488 c:\windows\PixArt\PAC207\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-05 18:07 98304 c:\program files\QuickTime\qttask.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-04-07 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-04-07 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-04-07 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-07 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]
S2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe --> c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [?]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys --> c:\windows\system32\DRIVERS\TM_CFW.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:06]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-IMC - c:\program files\FriendFinder\FriendFinder Messenger 30\imc.exe
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-OE_OEM - c:\program files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
MSConfigStartUp-pccguide - c:\program files\Trend Micro\Internet Security 14\pccguide.exe


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Laura Kelley\Application Data\Mozilla\Firefox\Profiles\fi97w4qe.default\
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-09 15:02:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-04-09 15:05:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-09 19:05:27

Pre-Run: 55,460,098,048 bytes free
Post-Run: 55,371,878,400 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

221 --- E O F --- 2009-04-09 18:09:01


Re: Win32/Cryptor, can't install HijackThis, frequent freezing

Post by Belahzur on 9th April 2009, 7:21 pm

Hello.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
TmPfw
tmcfw

Folder::
c:\documents and settings\All Users\Application Data\Viewpoint

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


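The fix.reg and CFScript posts above both use the .reg deletion syntax ("Name"=- removes a value, [-Key] removes a whole key) against entries taken from the ComboFix "Reg Loading Points" section. As an added example that is not part of this thread, nor of ComboFix itself, the Python script below scans a constructed dump in that REGEDIT4 layout for Security Center warnings switched off and for per-drive AutoRun handlers under mountpoints2, and renders the matching Registry:: block; the sample log and its GUID are made up.

```python
import re
from typing import Dict, List, Optional
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    key: str             # registry key exactly as printed in the dump
    name: Optional[str]  # value name to delete, or None to delete the whole key
    reason: str


KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")

# Key prefixes (compared case-insensitively) that the checks below care about.
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
MOUNTPOINTS2 = r"\explorer\mountpoints2"

# Constructed sample in the REGEDIT4 layout of a ComboFix "Reg Loading Points"
# section; the GUID is made up, not the one from the thread.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-1111-2222-3333-444444444444}]
\Shell\AutoRun\command - E:\setup.exe
"""


def scan_reg_dump(text: str) -> List[Finding]:
    """Walk the dump line by line, remembering the current [key] header, and
    flag (a) Security Center warnings that have been switched off (value set
    to dword:00000001) and (b) the autorun.inf handler Explorer remembers for
    a drive under mountpoints2."""
    findings: List[Finding] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue  # header lines such as REGEDIT4 before the first key
        low = key.lower()
        m = VALUE_RE.match(line)
        if m and low.startswith(SECURITY_CENTER):
            name, data = m.group(1), m.group(2).strip().lower()
            suppressor = name.lower().endswith("disablenotify") or name.lower() == "disablemonitoring"
            if suppressor and data == "dword:00000001":
                findings.append(Finding(key, name, "Security Center warning suppressed"))
            continue
        m = AUTORUN_RE.match(line)
        if m and MOUNTPOINTS2 in low:
            findings.append(Finding(key, None, "drive AutoRun handler -> " + m.group(1)))
    return findings


def build_cfscript_registry(findings: List[Finding]) -> str:
    """Render findings as the Registry:: block a CFScript.txt carries. The
    syntax is the .reg one: "Name"=- removes a value, [-Key] removes a key.
    Value deletions are grouped under their key header, in the order found."""
    value_deletions: Dict[str, List[str]] = {}
    key_deletions: List[str] = []
    for f in findings:
        if f.name is None:
            key_deletions.append(f.key)
        else:
            value_deletions.setdefault(f.key, []).append(f.name)
    lines = ["Registry::"]
    for key, names in value_deletions.items():
        lines.append("[" + key + "]")
        lines.extend('"' + n + '"=-' for n in names)
    lines.extend("[-" + key + "]" for key in key_deletions)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = scan_reg_dump(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason}: {f.key}" + (f" -> {f.name}" if f.name else ""))
    print()
    print(build_cfscript_registry(found))
```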

Re: Win32/Cryptor, can't install HijackThis, frequent freezing

Post by dblume on 9th April 2009, 7:36 pm

Whew. Here we go.

ComboFix 09-04-04.01 - Laura Kelley 2009-04-09 15:25:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.536 [GMT -4:00]
Running from: c:\documents and settings\Laura Kelley\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Laura Kelley\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
FW: PC-cillin Internet Security - Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TMCFW
-------\Legacy_TMPFW
-------\Service_tmcfw
-------\Service_TmPfw


((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
.

2009-04-09 13:32 . 2009-04-09 13:32 d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-09 13:32 . 2009-04-09 13:32 d-------- c:\documents and settings\Laura Kelley\Application Data\Malwarebytes
2009-04-09 13:32 . 2009-04-09 13:32 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-09 13:32 . 2009-04-06 15:32 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 13:32 . 2009-04-06 15:32 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-09 09:59 . 2009-04-09 10:09 d-------- c:\documents and settings\Laura Kelley\.SunDownloadManager
2009-04-09 08:57 . 2009-04-09 08:57 d-------- c:\windows\system32\XPSViewer
2009-04-09 08:57 . 2009-04-09 08:57 d-------- c:\program files\Reference Assemblies
2009-04-09 08:57 . 2009-04-09 08:57 d-------- c:\program files\MSBuild
2009-04-09 08:56 . 2008-07-06 08:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-04-09 08:56 . 2008-07-06 08:06 1,676,288 --------- c:\windows\system32\dllcache\xpssvcs.dll
2009-04-09 08:56 . 2008-07-06 06:50 597,504 --------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-09 08:56 . 2008-07-06 08:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-04-09 08:56 . 2008-07-06 08:06 575,488 --------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-09 08:56 . 2008-07-06 08:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-04-09 08:56 . 2008-07-06 08:06 89,088 --------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-09 08:50 . 2008-12-20 19:15 6,066,688 --------- c:\windows\system32\dllcache\ieframe.dll
2009-04-09 08:50 . 2007-04-17 05:32 2,455,488 --------- c:\windows\system32\dllcache\ieapfltr.dat
2009-04-09 08:50 . 2007-03-08 01:10 991,232 --------- c:\windows\system32\dllcache\ieframe.dll.mui
2009-04-09 08:50 . 2008-12-20 19:15 459,264 --------- c:\windows\system32\dllcache\msfeeds.dll
2009-04-09 08:50 . 2008-12-20 19:15 383,488 --------- c:\windows\system32\dllcache\ieapfltr.dll
2009-04-09 08:50 . 2008-12-20 19:15 267,776 --------- c:\windows\system32\dllcache\iertutil.dll
2009-04-09 08:50 . 2008-12-20 19:15 63,488 --------- c:\windows\system32\dllcache\icardie.dll
2009-04-09 08:50 . 2008-12-20 19:15 52,224 --------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-04-09 08:50 . 2008-12-19 05:10 13,824 --------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-09 08:11 . 2009-04-09 08:51 1,355 --a------ c:\windows\imsins.BAK
2009-04-08 17:40 . 2009-04-08 17:58 d---s---- c:\documents and settings\Administrator\UserData
2009-04-08 13:00 . 2009-04-08 13:00 d-------- c:\program files\CCleaner
2009-04-08 11:33 . 2009-03-09 15:06 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-04-07 22:44 . 2009-03-09 15:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-04-07 22:43 . 2009-04-07 22:43 d-------- c:\program files\Lavasoft
2009-04-07 22:43 . 2009-04-07 22:43 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-07 21:26 . 2009-04-09 09:13 d--h----- C:\$AVG8.VAULT$
2009-04-07 21:24 . 2009-04-09 09:42 d-------- c:\windows\system32\drivers\Avg
2009-04-07 21:24 . 2009-04-07 21:24 d-------- c:\program files\AVG
2009-04-07 21:24 . 2009-04-07 22:26 d-------- c:\documents and settings\All Users\Application Data\avg8
2009-04-07 21:24 . 2009-04-07 21:24 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-04-07 21:24 . 2009-04-07 21:24 108,552 --a------ c:\windows\system32\drivers\avgtdix.sys
2009-04-07 21:24 . 2009-04-07 21:24 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-04-02 19:25 . 2009-04-02 19:25 d-------- c:\documents and settings\All Users\Application Data\WEBREG
2009-04-02 19:19 . 2009-04-02 19:19 d-------- c:\documents and settings\All Users\Application Data\HP
2009-04-02 19:18 . 2009-04-02 19:18 d-------- c:\program files\Common Files\Hewlett-Packard
2009-04-02 19:15 . 2009-04-02 19:15 d-------- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-04-02 19:14 . 2007-12-03 18:57 118,272 --a------ c:\windows\system32\hpz3l5mu.dll
2009-04-02 19:14 . 2001-08-17 13:53 6,784 --a------ c:\windows\system32\drivers\serscan.sys
2009-04-02 19:14 . 2001-08-17 13:53 6,784 --a------ c:\windows\system32\dllcache\serscan.sys
2009-04-02 19:08 . 2009-04-04 20:14 d-------- c:\program files\HP
2009-04-02 19:08 . 2007-11-06 22:04 1,373,528 -ra------ c:\windows\hpzshl01.exe
2009-04-02 19:08 . 2007-11-06 22:15 1,140,056 -ra------ c:\windows\hpzmsi01.exe
2009-04-02 19:08 . 2008-04-13 13:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-04-02 19:08 . 2008-04-13 13:45 32,128 --a------ c:\windows\system32\dllcache\usbccgp.sys
2009-04-02 19:08 . 2008-04-13 13:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2009-04-02 19:08 . 2008-04-13 13:47 25,856 --a------ c:\windows\system32\dllcache\usbprint.sys
2009-04-02 19:08 . 2008-01-08 08:44 12,054 -ra------ c:\windows\hpwscr20.dat
2009-03-29 10:09 . 2009-03-29 10:09 d-------- c:\program files\Common Files\Adobe AIR
2009-03-29 10:07 . 2009-03-29 10:08 d-------- c:\program files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-09 18:18 --------- d-----w c:\program files\Trend Micro
2009-04-09 17:29 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-09 14:16 --------- d-----w c:\program files\Java
2009-04-08 01:43 --------- d-----w c:\program files\DIGStream
2009-04-05 01:43 --------- d-----w c:\program files\Google
2009-04-05 01:36 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-14 02:05 2,120 ----a-w c:\documents and settings\Laura Kelley\Application Data\wklnhst.dat
2007-04-17 05:16 88 --sh--r c:\windows\system32\73DA083153.sys
2007-04-17 05:19 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-09 19:29:27 16,384 ----atw c:\windows\temp\Perflib_Perfdata_1e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-14 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-23 1392640]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-08-22 184320]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-07 1932568]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 c:\windows\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-07 21:24 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2009-02-27 17:10 35696 c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-08-03 20:51 1032192 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
--a------ 2006-11-03 11:01 319488 c:\windows\PixArt\PAC207\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-05 18:07 98304 c:\program files\QuickTime\qttask.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-04-07 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-04-07 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-04-07 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-07 298264]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-04-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 15:06]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Laura Kelley\Application Data\Mozilla\Firefox\Profiles\fi97w4qe.default\
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-09 15:29:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(912)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-04-09 15:34:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-09 19:34:41
ComboFix2.txt 2009-04-09 19:05:31

Pre-Run: 55,378,825,216 bytes free
Post-Run: 55,350,759,424 bytes free

200 --- E O F --- 2009-04-09 18:09:01

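The Find3M and Reg Loading Points sections of the log above are the parts an analyst reads first. The following Python is an added example, not part of the original post and not ComboFix's own code: it parses those two line formats from a constructed excerpt (lines drawn from the log above, not a complete log) and flags two things worth a second look, files that carry both the hidden and system attributes, and Run-key values that give a bare filename rather than an absolute path, which Windows locates through the process search path at logon rather than pinning one file. The findings are triage prompts, not verdicts, and the regular expressions are written against the formats visible in this log and assumed to hold for other ComboFix output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpt in the line formats ComboFix uses above (file listing
# with optional ". <created>" timestamp; REGEDIT4-style Run keys). Not a full log.
SAMPLE_LOG = r"""
2009-04-07 21:24 . 2009-04-07 21:24 325,640 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-04-07 21:26 . 2009-04-09 09:13 d--h----- C:\$AVG8.VAULT$
2009-04-09 18:18 --------- d-----w c:\program files\Trend Micro
2007-04-17 05:16 88 --sh--r c:\windows\system32\73DA083153.sys
2007-04-17 05:19 2,828 --sha-w c:\windows\system32\KGyGaAvL.sys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-14 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-07 1932568]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 c:\windows\stsystra.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe
"""

# <modified> [. <created>] [<size> | ---------] <attrs> <path>  (format assumed from the log above)
FILE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d)(?: \. (?P<created>\d{4}-\d\d-\d\d \d\d:\d\d))?"
    r"(?: (?P<size>[\d,]+|-{9}))? (?P<attrs>[-a-z]{7,9}) (?P<path>[A-Za-z]:\\.*)$")
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
# "name"=command [ComboFix metadata]; the command may be unquoted.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<cmd>.*?)\s*(?:\[(?P<meta>[^\]]*)\])?$')
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%[^%]+%\\)")

@dataclass
class FileEntry:
    path: str
    attrs: str
    modified: str
    created: Optional[str]
    size: Optional[int]

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden_system(self) -> bool:
        # Hidden and system both set: keeps a file out of a default Explorer view.
        return "h" in self.attrs and "s" in self.attrs

@dataclass
class AutostartEntry:
    key: str
    name: str
    command: str
    resolved: Optional[str]  # path ComboFix printed in the trailing [...] block, if any

    @property
    def unqualified(self) -> bool:
        # A bare filename is located via the process search path at logon, so the
        # entry does not pin down which file actually runs.
        return not ABS_PATH_RE.match(self.command)

def parse_log(text: str) -> Tuple[List[FileEntry], List[AutostartEntry]]:
    files: List[FileEntry] = []
    autostarts: List[AutostartEntry] = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FILE_RE.match(line):
            size_txt = m.group("size")
            size = int(size_txt.replace(",", "")) if size_txt and size_txt[0].isdigit() else None
            files.append(FileEntry(m.group("path"), m.group("attrs"),
                                   m.group("modified"), m.group("created"), size))
        elif m := KEY_RE.match(line):
            current_key = m.group("key")
        # Only Run/Run- keys hold commands; the firewall allow-list and Winlogon
        # notify sections reuse the same REGEDIT4 syntax for other data.
        elif current_key and "\\run" in current_key.lower() and (m := VALUE_RE.match(line)):
            meta = (m.group("meta") or "").split(" ", 1)
            resolved = meta[1] if len(meta) == 2 and ABS_PATH_RE.match(meta[1]) else None
            autostarts.append(AutostartEntry(current_key, m.group("name"),
                                             m.group("cmd").strip().strip('"'), resolved))
    return files, autostarts

def triage(text: str) -> List[str]:
    """Findings are prompts for a closer look, not verdicts: legitimate
    software sets hidden+system on its own files too."""
    files, autostarts = parse_log(text)
    findings = []
    for f in files:
        if f.hidden_system and not f.is_dir:
            findings.append(f"hidden+system file: {f.path} (attrs {f.attrs})")
    for a in autostarts:
        if a.unqualified:
            tail = f", resolved by ComboFix to {a.resolved}" if a.resolved else ""
            findings.append(f"unqualified autostart {a.name!r} = {a.command!r} under {a.key}{tail}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Run it directly to print the three findings for the sample; for a real log, read the file and pass its contents to `triage()`. Directory entries are skipped on the attribute check because ComboFix marks quarantine and vault folders hidden by design, as the `$AVG8.VAULT$` line shows.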

Re: Win32/Cryptor, can't install HijackThis, frequent freezing

Post by Belahzur on 9th April 2009, 7:39 pm

Hello.
Has My Computer stopped appearing at startup?

If not, I think I have a brief idea of what's causing it, from a quick Google search for someone who had a log like yours and from looking through my registry.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Win32/Cryptor, can't install HijackThis, frequent freezing

Post by dblume on 9th April 2009, 7:44 pm

It stopped appearing. I can finally move on with my life! Thanks again!!!


Re: Win32/Cryptor, can't install HijackThis, frequent freezing

Post by Belahzur on 9th April 2009, 7:48 pm

Click Start > Run and copy/paste the following text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.

