win32/cryptor

Page 1 of 2 1, 2  Next

View previous topic View next topic Go down

win32/cryptor

Post by borisburakov on Fri Apr 10, 2009 1:16 pm

I have dell xp noutbook with AVG and Bitfinder. Bitfinder produce clean scans. AVG produce scans with multiple win32/cryptor infections. I am new to PC virus removel. Please advice what to do.

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Doctor Inferno on Fri Apr 10, 2009 1:18 pm

Welcome to GeekPolice.

Read this topic on how to get started:

[You must be registered and logged in to see this link.]


Please be a GeekPolice fan on [You must be registered and logged in to see this link.]



Have we helped you? [You must be registered and logged in to see this link.] | Doctor by day, ninja by night.

Doctor Inferno
Administrator
Administrator

Status :
Online
Offline

Posts : 12017
Joined : 2007-12-26
Gender : Male
OS : Windows 7 Home Premium and Ultimate X64

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Fri Apr 10, 2009 2:24 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:15 AM, on 4/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\CASIO\Ploader\Plauto.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\DG\Local Settings\Temporary Internet Files\Content.IE5\BFMCXCSY\hijackgpthis[1].exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\SearchSuggest\YSearchSuggest.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\awtQkkHa.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: C:\WINDOWS\system32\hsfd83jfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: TBSB00982 - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Antbar\Ant.com Toolbar\tbu08610\tbcore3.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Ant.com Toolbar - {6CD56C02-CB4D-41B5-A0FE-B479061CCB41} - C:\Program Files\Antbar\Ant.com Toolbar\tbu08610\tbcore3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Ploader\Plauto.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Google Search - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - [You must be registered and logged in to see this link.] Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: rgybsu.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: awtQkkHa - awtQkkHa.dll (file missing)
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11616 bytes

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Fri Apr 10, 2009 3:35 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: (no name) - - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\awtQkkHa.dll (file missing)
    O2 - BHO: C:\WINDOWS\system32\hsfd83jfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll (file missing)
    O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
    O4 - HKCU\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.exe -boot
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O20 - AppInit_DLLs: rgybsu.dll
    O20 - Winlogon Notify: awtQkkHa - awtQkkHa.dll (file missing)
    O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\hsfd83jfdg.dll (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Fri Apr 10, 2009 5:40 pm

"Once the program has loaded, select "Perform Quick Scan", then click Scan."

Program was loaded OK, but click on desktop icon produce only sand-clock simbol for few seconds and nothing happend after that.

Did uninstall and install one more time. Click on icon. Same result.

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Fri Apr 10, 2009 5:42 pm

Hello.
Leave MBAM for now, because there's a deeper problem that needs to be removed before MBAM will work.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengers actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Fri Apr 10, 2009 5:52 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Fri Apr 10, 2009 5:54 pm

Okay, no rootkit. We'll have to use this and see what's going on.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Fri Apr 10, 2009 6:03 pm

DDS (Ver_09-03-16.01) - NTFSx86
Run by DG at 12:57:07.60 on Fri 04/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.544 [GMT -5:00]

AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: Bitdefender Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -kbdx
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\CASIO\Ploader\Plauto.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\DG\Local Settings\Temporary Internet Files\Content.IE5\OFWX7WTK\dds[1].scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: H - No File
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Suggest: {5a263cf7-56a6-4d68-a8cf-345be45bc911} - c:\program files\yahoo!\searchsuggest\YSearchSuggest.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: TBSB00982 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\antbar\ant.com toolbar\tbu08610\tbcore3.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2008\IEToolbar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: Ant.com Toolbar: {6cd56c02-cb4d-41b5-a0fe-b479061ccb41} - c:\program files\antbar\ant.com toolbar\tbu08610\tbcore3.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2008\IEShow.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2008\bdagent.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photol~1.lnk - c:\program files\casio\ploader\Plauto.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-21 325128]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-21 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-21 107272]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-9-23 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-9-23 298264]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-6-2 86792]
S0 sghnktnw;sghnktnw;c:\windows\system32\drivers\wgpfaffi.sys []
S4 CA Personal Firewall ASEM;CA Personal Firewall ASEM;c:\program files\ca\etrust internet security suite\ca personal firewall\capfasem.exe --> c:\program files\ca\etrust internet security suite\ca personal firewall\capfasem.exe [?]

=============== Created Last 30 ================

2009-04-10 12:04 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-10 12:04 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-10 12:04 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-10 12:04 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-10 09:05 118 a------- c:\windows\system32\MRT.INI
2009-04-10 08:26 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-10 08:26 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-08 08:37 --dsh--- c:\documents and settings\dg\IECompatCache
2009-04-08 08:33 --dsh--- c:\documents and settings\dg\PrivacIE
2009-04-08 08:31 --dsh--- c:\documents and settings\dg\IETldCache
2009-04-08 08:25 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-08 08:25 78,336 a------- c:\windows\system32\dllcache\ieencode.dll
2009-03-23 16:56 --d----- c:\docume~1\dg\applic~1\AdwareAlert
2009-03-20 06:19 122 a------- c:\windows\system32\privacy.xml

==================== Find3M ====================

2009-04-10 12:46 81,984 a------- c:\windows\system32\bdod.bin
2009-04-05 00:18 5,018 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-10 15:32 31,909 a--sh--- c:\windows\system32\bKUCdfhk.ini2
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-27 17:31 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2006-11-17 23:05 800,272 a------- c:\documents and settings\dg\ppctl.dll
2008-09-12 15:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 12:59:33.40 ===============

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Fri Apr 10, 2009 6:08 pm

Hello.
Thanks. There's a few problems I see in DDS that need to go.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Fri Apr 10, 2009 6:26 pm

"Then select "Open Uninstall Manager"

Could not find this button. I see only those buttons:

open process manager
open hosts file manager
delete a file on reboot
open ADS spy

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Fri Apr 10, 2009 6:38 pm

You might not be able to see.
Make Hijack This full screen or use the scroll bar, it's to the right side of the buttons.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Fri Apr 10, 2009 6:42 pm

Full screen show few more buttons:

generate startup listlog
check for update online
uninstall hijackthis & exit

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Fri Apr 10, 2009 6:46 pm

Hmm. Try using the scroll bar and let me if the uninstall manager button is there using that.

If not, copy and paste attach.txt here (the second log made by DDS)


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Fri Apr 10, 2009 6:55 pm

Still did not find "uninstall manager button"

Run DDS second time

Here is attach.txt file


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 1/17/2006 12:36:17 PM
System Uptime: 4/10/2009 12:47:01 PM (1 hours ago)

Motherboard: Dell Inc. | |
Processor: Intel(R) Celeron(R) M processor 1.40GHz | Microprocessor | 1396/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 34 GiB total, 15.503 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

" "
AAC Decoder
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1
Ant.com Toolbar
AOLIcon
AutoUpdate
AVG Free 8.0
BitDefender Internet Security 2008
BitTorrent 4.0.1
Broadcom Management Programs
Conexant HDA D110 MDC V.92 Modem
Corel Photo Album 6
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Support Center
Dell System Restore
DellSupport
Digital Content Portal
Digital Line Detect
Direct Show Ogg Vorbis Filter (remove only)
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
EducateU
Flock 1.2
Get High Speed Internet!
Google Earth
Google Toolbar for Internet Explorer
Google Updater
H.264 Decoder
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Intel(R) Graphics Media Accelerator Driver for Mobile
Internal Network Card Power Management
Java(TM) 6 Update 13
Learn2 Player (Uninstall Only)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MKV Splitter
Modem Helper
Mozilla Firefox (2.0)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch for Windows Media Player
Netscape Browser (remove only)
NetWaiting
Panorama Editor 1.0E
Photo Loader 1.0E
PowerDVD 5.9
Qualxserve Service Agreement
QuickSet
QuickTime
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Synaptics Pointing Device Driver
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
VideoLAN VLC media player 0.8.6c
Viewpoint Media Player
WebCyberCoach 3.2 Dell
WebFldrs XP
WildTangent Web Driver
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WordPerfect Office 12
Yahoo! Search Suggest Add-on for IE7
Yahoo! Software Update
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

4/3/2009 11:00:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
4/3/2009 10:00:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
4/3/2009 9:00:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
4/3/2009 8:00:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
4/3/2009 7:00:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
4/3/2009 6:00:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
4/3/2009 5:00:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
4/3/2009 3:00:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
4/3/2009 1:00:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402
4/3/2009 12:12:05 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: sghnktnw
4/3/2009 12:00:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
4/3/2009 11:00:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
4/3/2009 10:00:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
4/3/2009 9:00:00 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
4/3/2009 8:00:00 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
4/3/2009 7:00:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
4/4/2009 12:27:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
4/4/2009 1:00:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
4/4/2009 2:58:55 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
4/4/2009 3:00:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
4/4/2009 4:00:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
4/4/2009 6:00:00 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402
4/4/2009 2:00:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
4/4/2009 4:00:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
4/5/2009 2:00:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
4/5/2009 5:00:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
4/5/2009 10:37:42 PM, error: PlugPlayManager [12] - The device 'PHILIPS CDRW/DVD SCB5265' (IDE\CdRomPHILIPS_CDRW/DVD_SCB5265________________TD15____\5&2c7c2be&0&0.1.0) disappeared from the system without first being prepared for removal.
4/6/2009 2:45:22 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avg8wd service.
4/8/2009 8:23:21 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {9B1F122C-2982-4E91-AA8B-E071D54F2A4D}
4/8/2009 8:23:29 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
4/10/2009 8:30:36 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
4/10/2009 12:47:56 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde sghnktnw
4/10/2009 12:48:03 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
4/8/2009 3:30:00 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\iexplore.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.

==== End Of File ===========================

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Fri Apr 10, 2009 7:02 pm

Hello.

You are running two AV's, this is a bad idea as they can conflict and cause problems. I see BitDefender and AVG.
I would recommend that you remove AVG (8.0 is old now anyway) to avoid conflict and other future problems.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • AVG Free 8.0
  • Viewpoint Media Player
  • WildTangent Web Driver

Next, fix this item in Hijack This.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,


  • Press "Fix Checked"
  • Close Hijack This.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose CopyCrying


    :services
    sghnktnw
    CA Personal Firewall ASEM

    :files
    c:\windows\system32\bKUCdfhk.ini2
    C:\WINDOWS\system32\twex.exe
    C:\WINDOWS\system32\drivers\svchost.exe
    C:\WINDOWS\Tasks\At*.job
    C:\Program Files\AdwareAlert
    c:\docume~1\dg\applic~1\AdwareAlert

    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoFolderOptions"=-


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Fri Apr 10, 2009 7:19 pm

========== SERVICES/DRIVERS ==========

Service\Driver sghnktnw deleted successfully.

Service\Driver CA Personal Firewall ASEM deleted successfully.
========== FILES ==========
c:\windows\system32\bKUCdfhk.ini2 moved successfully.
File/Folder C:\WINDOWS\system32\twex.exe not found.
File/Folder C:\WINDOWS\system32\drivers\svchost.exe not found.
C:\WINDOWS\Tasks\At1.job moved successfully.
C:\WINDOWS\Tasks\At10.job moved successfully.
C:\WINDOWS\Tasks\At11.job moved successfully.
C:\WINDOWS\Tasks\At12.job moved successfully.
C:\WINDOWS\Tasks\At13.job moved successfully.
C:\WINDOWS\Tasks\At14.job moved successfully.
C:\WINDOWS\Tasks\At15.job moved successfully.
C:\WINDOWS\Tasks\At16.job moved successfully.
C:\WINDOWS\Tasks\At17.job moved successfully.
C:\WINDOWS\Tasks\At18.job moved successfully.
C:\WINDOWS\Tasks\At19.job moved successfully.
C:\WINDOWS\Tasks\At2.job moved successfully.
C:\WINDOWS\Tasks\At20.job moved successfully.
C:\WINDOWS\Tasks\At21.job moved successfully.
C:\WINDOWS\Tasks\At22.job moved successfully.
C:\WINDOWS\Tasks\At23.job moved successfully.
C:\WINDOWS\Tasks\At24.job moved successfully.
C:\WINDOWS\Tasks\At3.job moved successfully.
C:\WINDOWS\Tasks\At4.job moved successfully.
C:\WINDOWS\Tasks\At5.job moved successfully.
C:\WINDOWS\Tasks\At6.job moved successfully.
C:\WINDOWS\Tasks\At7.job moved successfully.
C:\WINDOWS\Tasks\At8.job moved successfully.
C:\WINDOWS\Tasks\At9.job moved successfully.
File/Folder C:\Program Files\AdwareAlert not found.
c:\docume~1\dg\applic~1\AdwareAlert\Settings moved successfully.
c:\docume~1\dg\applic~1\AdwareAlert\Log moved successfully.
c:\docume~1\dg\applic~1\AdwareAlert moved successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoFolderOptions deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04102009_141645

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Fri Apr 10, 2009 7:22 pm

Hello.

  • Please double-click OTMoveIt3.exe to run it again.
  • Press the green CleanUp! button.
  • Press Yes cleanup process prompt, do the same for the reboot prompt.

Try running MBAM now we've taken some weight off the machine, the problem that I thought was stopping MBAM in the first place might have been that twex.exe, but that's gone now.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Fri Apr 10, 2009 7:39 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "UACd.sys" found!
ImagePath: \systemroot\system32\drivers\UACswuduycp.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Fri Apr 10, 2009 7:44 pm

Where did that log come from?

The first time we ran the avenger in this thread, the log came up clean. Now this log shows a hidden rootkit.

If that is the latest log, we'll have to start again if you didn't tell me you ran the avenger on your own.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Fri Apr 10, 2009 7:49 pm

this text I copied from log after running MBAM from desctop . It did restart procedure with this log.

First time I run MBAM from c:\

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Fri Apr 10, 2009 7:52 pm

The avenger isn't MBAM. LMBO or ROFL MBAM is back in this post:
[You must be registered and logged in to see this link.]

But run this next avenger script anyway.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+CCrying


Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACswuduycp.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengers actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Fri Apr 10, 2009 8:19 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACswuduycp.sys" deleted successfully.

Completed script processing.

*******************

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Fri Apr 10, 2009 8:31 pm

Please download and run MBAM via my instructions in this post:
[You must be registered and logged in to see this link.]


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Fri Apr 10, 2009 8:53 pm

Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 5.1.2600 Service Pack 3

4/10/2009 3:42:43 PM
mbam-log-2009-04-10 (15-42-43).txt

Scan type: Quick Scan
Objects scanned: 73862
Time elapsed: 8 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 22
Registry Values Infected: 6
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5bf49a2-94f3-42bd-f434-3604812c8955} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{e596df5f-4239-4d40-8367-ebadf0165917} (Rogue.Installer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\MSFox (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\tbsb00982.tbsb00982toolbar (Adware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\sppinit_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twex.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\twex.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2810eb22-763d-4d0c-9450-64bbd1758685}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.28,85.255.112.185 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2810eb22-763d-4d0c-9450-64bbd1758685}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.28,85.255.112.185 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{2810eb22-763d-4d0c-9450-64bbd1758685}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.28,85.255.112.185 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{2810eb22-763d-4d0c-9450-64bbd1758685}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.116.28,85.255.112.185 -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\twain32 (Backdoor.Bot) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\UACsibgrxvs.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\wgpfaffi.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\DG\Local Settings\Temp\UAC9227.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\DG\Local Settings\Temp\pfhtqvbdiv.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain32\local.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain32\user.ds (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twain32\user.ds.lll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AimqGhg3.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twex.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\DG\Local Settings\Temp\~tmpb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UAChuhiokkt.log (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACmtxvnrwo.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACylyxetew.dll (Trojan.Agent) -> Quarantined and deleted successfully.

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Fri Apr 10, 2009 8:56 pm

Hello.
I need a new DDS log again. So run DDS and post the newest log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Fri Apr 10, 2009 9:04 pm

DDS (Ver_09-03-16.01) - NTFSx86
Run by DG at 16:00:14.18 on Fri 04/10/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.563 [GMT -5:00]

AV: Bitdefender Antivirus *On-access scanning enabled* (Updated)
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: Bitdefender Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\svchost.exe -kbdx
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\CASIO\Ploader\Plauto.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\DG\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uWindow Title = Windows Internet Explorer provided by Yahoo!
uSearch Bar = [You must be registered and logged in to see this link.]
mDefault_Page_URL = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Yahoo! IE Suggest: {5a263cf7-56a6-4d68-a8cf-345be45bc911} - c:\program files\yahoo!\searchsuggest\YSearchSuggest.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: TBSB00982 Class: {fcbccb87-9224-4b8d-b117-f56d924beb18} - c:\program files\antbar\ant.com toolbar\tbu08610\tbcore3.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2008\IEToolbar.dll
TB: Ant.com Toolbar: {6cd56c02-cb4d-41b5-a0fe-b479061ccb41} - c:\program files\antbar\ant.com toolbar\tbu08610\tbcore3.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Corel Photo Downloader] c:\program files\corel\corel photo album 6\MediaDetect.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2008\IEShow.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2008\bdagent.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photol~1.lnk - c:\program files\casio\ploader\Plauto.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\khfdCUKb

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-10 325640]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-10 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-10 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-4-10 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-10 298264]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;c:\windows\system32\drivers\bdfndisf.sys [2008-6-2 86792]

=============== Created Last 30 ================

2009-04-10 15:32 --d----- c:\docume~1\dg\applic~1\Malwarebytes
2009-04-10 15:30 --d-h--- C:\$AVG8.VAULT$
2009-04-10 14:54 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-04-10 14:54 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-10 14:54 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-10 14:54 --d----- c:\windows\system32\drivers\Avg
2009-04-10 14:54 --d----- c:\docume~1\dg\applic~1\AVGTOOLBAR
2009-04-10 14:54 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-04-10 13:34 --d----- C:\HijackThis
2009-04-10 12:04 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-10 12:04 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-10 12:04 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-10 12:04 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-10 09:05 118 a------- c:\windows\system32\MRT.INI
2009-04-10 08:26 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-10 08:26 73,728 a------- c:\windows\system32\javacpl.cpl
2009-04-08 08:37 --dsh--- c:\documents and settings\dg\IECompatCache
2009-04-08 08:33 --dsh--- c:\documents and settings\dg\PrivacIE
2009-04-08 08:31 --dsh--- c:\documents and settings\dg\IETldCache
2009-04-08 08:25 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-08 08:25 78,336 a------- c:\windows\system32\dllcache\ieencode.dll
2009-03-20 06:19 122 a------- c:\windows\system32\privacy.xml

==================== Find3M ====================

2009-04-10 15:45 81,984 a------- c:\windows\system32\bdod.bin
2009-04-05 00:18 5,018 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2006-11-17 23:05 800,272 a------- c:\documents and settings\dg\ppctl.dll
2008-09-12 15:49 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 16:01:20.71 ===============

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Fri Apr 10, 2009 9:07 pm

Hello.
You still have AVG installed.

You are running two AV's, this is a bad idea as they can conflict and cause problems. I see BitDefender and AVG.
I would recommend that you remove AVG (8.0 is old now anyway) to avoid conflict and other future problems.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • AVG Free 8.0

Just need to fix a registry item.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Fri Apr 10, 2009 9:11 pm

May be I can keep this new AVG 8.5 (I just downloaded it to check for cryptor virus because Bitdefender NEVER informed me about win32/cryptor)? Only AVG informed me about crypter penetration.

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Fri Apr 10, 2009 9:14 pm

Okay, keep AVG but uninstall this instead:
BitDefender Internet Security 2008

Then do my reg fix and let me know how the machine is running.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Fri Apr 10, 2009 10:51 pm

I scan with AVG 6.5 and it found nothing. System was fixed until... I created fix.reg and run it.

After that I re-start my PC and Explorer7 stop working. I click on icon on tabletop and nothing happend. Tried it many times. Scan system with AVG 8.5 again - nothing detected.

Finnaly I was able to activate my old Netskape icon and using it now to communicate with you. Please help to make Explorer7 work again.

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Fri Apr 10, 2009 10:52 pm

Typo. It should be AVG 8.5 in both cases/

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Fri Apr 10, 2009 11:16 pm

Hello.
Did you uninstall BitDefender?

You have IE7, so I'm wondering if BitDefender left behind a plug in.

The reg fix we did had nothing to do with IE7. Let me think

Press Start > Run.
Type in cmd, then press enter.

At the DOS prompt execute the following commands, one by one.
Press the enter key after each entry.

regsvr32 urlmon.dll
regsvr32 Shdocvw.dll
regsvr32 Msjava.dll
regsvr32 Actxprxy.dll
regsvr32 Oleaut32.dll
regsvr32 Mshtml.dll
regsvr32 Browseui.dll
regsvr32 Shell32.dll

Type Exit press enter to return the operating mode.
Note: there is a space between each "regsvr32" and the "file"

Reboot normally.

Does IE7 work now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Sat Apr 11, 2009 12:02 am

Run each command. Some -ok, some - failed

urlmon - ok
Shdocvw - fail. code 0x8002801c
Msjava - fail. module not found
Actxprxy - ok
Oleaut32 - ok
Mshtml- loaded, but entry point not found
Browseui - ok
Shell32 - ok

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Sat Apr 11, 2009 12:05 am

Still no luck?

Try it this way.
Go to Start > Run. Copy and paste this in the Run box.

"C:\Program Files\Internet Explorer\iexplore.exe" -extoff

Hit enter.
Does IE load now?


Last edited by Belahzur on Sat Apr 11, 2009 12:21 am; edited 1 time in total


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Sat Apr 11, 2009 12:18 am

I tryed to type this line exactly with "-extoff but it did not run

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Sat Apr 11, 2009 12:24 am

Hello.
I leftover an quite mark by accident in my last post, so it should of thrown up an error for you.

Try it again with quote mark at the start of the file location of Internet Explorer.

If not, we'll try to re-install IE7 again, because malware may have done damage in this case.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Sat Apr 11, 2009 12:59 am

I tryed to download IE7 again - uncuccessfull. No Criptographic module.
Same with IE8. Netscape stop working. Now using Firefox.

After restart system is extrimly slow during booting (about 5 minutes).

AVG 8.5 scan did not show any virusis.

Can we undo reg-fix? Because just before that everithing was OK and fast.

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Sat Apr 11, 2009 1:13 am

We can try changing it back to a default value instead of a hex.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"="msv1_0"

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.


Last edited by Belahzur on Sat Apr 11, 2009 1:52 pm; edited 1 time in total


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Sat Apr 11, 2009 3:20 am

I did it - did not help.
Startup take almost 5 min
Basically nothing work.

May be we should start scratch?
Or you want me to open new ticket?

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Sat Apr 11, 2009 1:53 pm

Hello.
I edited this post to change the value, I had it wrong.

[You must be registered and logged in to see this link.]

Delete all the old fix.reg files and try that again now the value is changed.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Sat Apr 11, 2009 3:31 pm

Just double checking - should I type into noutepad text ALL your text (starting with Windows Registery Editor...) or just starting with [HKEY_

Copy paste function stop working too, so I am now typing all texts manually.

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Sat Apr 11, 2009 3:33 pm

Starting with "Windows Registery Editor 5.00"

Sounds like the malware has left some damage, there's no reason things like copy and paste should stop working.

If worst comes to worst, then a repair or format maybe a better option.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Sat Apr 11, 2009 4:02 pm

I try that script - no changes. Still same 5 min to start-up, IE7 just flash blank screen foe a second and dissappear, so I am not using it.
Copy paste did not work... Any suggestions?

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Sat Apr 11, 2009 4:03 pm

I had read in prev tred that your suggest to get rid of AVG and use other ANTI VIRUS. May be I should erase my AVG and instlall other too?

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Sat Apr 11, 2009 4:05 pm

By the way - the key with window flag stop working too.

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Sat Apr 11, 2009 4:09 pm

Do you have your Windows XP disc?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Sat Apr 11, 2009 4:43 pm

Sorry, but I do not have it.

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Sat Apr 11, 2009 4:48 pm

Darn.
Does this machine have a factory restore image saved to the machine? on a seperate partition?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: win32/cryptor

Post by borisburakov on Sat Apr 11, 2009 4:53 pm

I do not know. I am not very computer literal. How can I find if my PC have it?

borisburakov
Novice
Novice

Status :
Online
Offline

Posts : 28
Joined : 2009-04-10
OS : XP

View user profile

Back to top Go down

Page 1 of 2 1, 2  Next

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum