Win32 cryptor? (no internet access what-so-ever)



Post by lesabre on 11th April 2009, 12:46 am

I ran MalwareBytes and Spybot thoroughly and cleaned out most of the problems, but no coup de grâce yet. The only problem is that the computer refuses to connect to ANYTHING online, though everything seems to work fine, modem is online, TCP/IP refreshes without a hitch, etc. I'm on another comp now using the same internet connection. I guess I need a diagnostics tool so I can post a log and sort this thing out. If there are any questions please feel free to ask.

I'm on Windows XP SP2 btw.

Many thanks.

lesabre (Novice). Posts: 35, joined 2009-01-16, OS: Windows XP SP2.

Re: Win32 cryptor? (no internet access what-so-ever)

Post by Belahzur on 11th April 2009, 12:47 am

Hello.
Do you have a USB stick you can use to transfer tools over so I can get a good look at stuff?

Please download the current version of HijackThis from [link]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


Please PM me if I fail to respond within 24hrs.


Belahzur (Administrator). Posts: 34918, joined 2008-08-03, OS: 7 Home Premium x64.

Re: Win32 cryptor? (no internet access what-so-ever)

Post by lesabre on 11th April 2009, 12:49 am

Belahzur wrote: Hello.
Do you have a USB stick you can use to transfer tools over so I can get a good look at stuff?

Please download the current version of HijackThis from [link]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

Yeah I got it and good to go, i'll post the results soon.

thanks.


Re: Win32 cryptor? (no internet access what-so-ever)

Post by lesabre on 11th April 2009, 12:54 am

Alright here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:52:32 PM, on 4/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\M\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [Microsoft Windows Sound] svghost.exe
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.24\RivaTuner.exe" /S
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O10 - Broken Internet access because of LSP provider 'c:\windows\temp\ntdll64.dll' missing
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - [You must be registered and logged in to see this link.]
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 2887 bytes


Re: Win32 cryptor? (no internet access what-so-ever)

Post by Belahzur on 11th April 2009, 1:08 am

Hello.
A few things I see wrong here:

First, this infection has gotten into your LSP (Layered Service Provider), which is basically your internet access, and when you tried to remove the malware yourself, it removed ONLY the malicious file. As a result, that has broken your LSP, because it can't fix that, and that's why your internet access is gone.

We can fix this, but be very careful with this next tool because any mistakes and there will be severe damage and consequences.

Please download the LSPfix from here: [link]
Unzip it to the Desktop (Important!!) and run it. Check the box that says "I know what I'm doing", and then select each instance of "ntdll64.dll" in the left-hand panel and click >> button to move it to the right-hand panel. Then click Finish to allow LSPfix to rebuild the LSP chain.

Now reboot normally so the LSP chain can be fully functional again.

Second, I see you HAD AVG installed, but uninstalled it. So now you have NO AV installed.

This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: [link]
This is a free Antivirus.

Please download it and update it. (Once you do the LSPFix, your internet access should be back), but do not run a scan with it yet.

Third, you have turned off startup entries with MSConfig. By doing so, you hide (malicious) startup entries from me. If I can't see it, then I can't fix it.

Now we can use this to have a look around, I've seen this infection patch a legit file before, I need to know what the case is here.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [link]
    [link]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


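The O10, O4, O20 and O23 entries Belahzur picks out are the whole signal in a HijackThis log, and the same four checks can be scripted. The following is an added example, not part of this thread and not code from HijackThis or from Belahzur: it reads lines in HijackThis's format and flags an O10 LSP entry whose DLL is missing, O4 Run entries that are bare filenames or one-letter lookalikes of Windows binaries (svghost.exe against svchost.exe), Winlogon Notify DLLs that are not Windows XP's defaults, and services whose binary is gone. The sample input is constructed from the log posted above; the severity labels, the lookalike list and the allowlist of XP default Notify DLLs are the example's own assumptions.

```python
"""Triage HijackThis-style 'O' lines (added example; not from the thread)."""
import re

# Names malware likes to imitate (assumed list); svghost.exe in the log is one letter off svchost.exe.
KNOWN_SYSTEM_EXES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                     "services.exe", "smss.exe", "explorer.exe", "rundll32.exe"}
# DLLs behind the stock Windows XP Winlogon\Notify packages (assumed allowlist).
XP_DEFAULT_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - Broken Internet access because of LSP provider '(?P<dll>[^']+)' missing")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
                    r"(?P<missing> \(file missing\))?$")

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Microsoft Windows Sound] svghost.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O10 - Broken Internet access because of LSP provider 'c:\windows\temp\ntdll64.dll' missing
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name):
    """Return the system binary `name` imitates (distance 1), or None if it is not a lookalike."""
    name = name.lower()
    if name in KNOWN_SYSTEM_EXES:
        return None
    return next((k for k in KNOWN_SYSTEM_EXES if edit_distance(name, k) == 1), None)


def executable_of(cmd):
    """First token of a Run command, honouring quotes around paths with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def triage(log_text):
    """Return (severity, tag, detail) tuples for the entries worth acting on."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O10_RE.match(line)
        if m:
            findings.append(("HIGH", "O10", f"LSP chain references missing DLL {m['dll']}: "
                             "every Winsock call fails until the catalog is rebuilt"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m["cmd"])
            twin = lookalike(exe.rsplit("\\", 1)[-1])
            if twin:
                findings.append(("HIGH", "O4", f"[{m['name']}] runs {exe!r}, a lookalike of {twin}"))
            elif "\\" not in exe:  # bare filename: resolved via the search path, so verify where it lives
                findings.append(("MEDIUM", "O4", f"[{m['name']}] runs bare filename {exe!r}: verify its location"))
            continue
        m = O20_RE.match(line)
        if m:
            if m["dll"].rsplit("\\", 1)[-1].lower() not in XP_DEFAULT_NOTIFY_DLLS:
                findings.append(("MEDIUM", "O20", f"non-default Winlogon Notify package {m['name']} -> "
                                 f"{m['dll']}: loads into winlogon.exe at every logon, verify publisher"))
            continue
        m = O23_RE.match(line)
        if m and m["missing"]:
            findings.append(("LOW", "O23", f"service '{m['desc']}' points at missing binary "
                             f"{m['path']}: orphan of an uninstalled product"))
    return findings


def summary(findings):
    """Count findings per severity."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, tag, detail in triage(SAMPLE_LOG):
        print(f"{sev:6} {tag:4} {detail}")
```

The O10 line is the direct cause of the symptom in the first post: Winsock walks the LSP chain for every socket operation, so a catalog entry that points at a DLL which no longer exists breaks networking for every application even though the adapter, DHCP and the TCP/IP stack all look healthy. LSPfix rebuilds the catalog without that entry; on Windows XP SP2 and later, `netsh winsock reset` run from a command prompt as an administrator does the same job with a built-in tool, and either way a reboot follows.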

Re: Win32 cryptor? (no internet access what-so-ever)

Post by lesabre on 11th April 2009, 1:29 am

UGH! Okay I'm on it. I got rid of AVG because honestly I think AVG sucks, always corrupts, always conflicts with other progs, and then claims "AVG can not update, please re-install."

Thanks for the help. I knew this thing damaged a certain .dll file.


Re: Win32 cryptor? (no internet access what-so-ever)

Post by Belahzur on 11th April 2009, 1:33 am

Hello.
I completely agree, AVG corrupted itself on me after updating. Darn the stupid thing.

I switched from AVG to Avira myself. Avira is lighter on the system and you don't have to worry about updating it because it updates itself. It sets itself a specific time to just jump up on your screen and do the updating itself.



Re: Win32 cryptor? (no internet access what-so-ever)

Post by lesabre on 11th April 2009, 1:40 am

Good riddance!


Re: Win32 cryptor? (no internet access what-so-ever)

Post by lesabre on 11th April 2009, 1:41 am

Windows is running a 5 part CHKDSK after I rebooted from removing that .dll file in the LSPfix prog. It may be a moment before I get you the next log.


Re: Win32 cryptor? (no internet access what-so-ever)

Post by lesabre on 11th April 2009, 4:24 am

Alright here is the DDS Log:

DDS (Ver_09-03-16.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 7/16/2007 3:29:46 AM
System Uptime: 4/10/2009 11:10:45 PM (0 hours ago)

Motherboard: | | Springdale
Processor: Intel(R) Pentium(R) 4 CPU 3.40GHz | Socket 478 | 3400/200mhz
Processor: Intel(R) Pentium(R) 4 CPU 3.40GHz | Socket 478 | 3400/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 9.635 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 28 GiB total, 0.86 GiB free.
G: is FIXED (NTFS) - 298 GiB total, 11.863 GiB free.
H: is CDROM ()
I: is CDROM ()
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/1000 CT Network Connection
Device ID: PCI\VEN_8086&DEV_1019&SUBSYS_101917F2&REV_00\4&16EBCD95&1&0818
Manufacturer: Intel
Name: Intel(R) PRO/1000 CT Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1019&SUBSYS_101917F2&REV_00\4&16EBCD95&1&0818
Service: E1000

Class GUID:
Description: Network Controller
Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_700E1799&REV_00\4&1F7DBC9F&0&28F0
Manufacturer:
Name: Network Controller
PNP Device ID: PCI\VEN_1814&DEV_0301&SUBSYS_700E1799&REV_00\4&1F7DBC9F&0&28F0
Service:

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

µTorrent
1500
1500_Help
1500Trb
2d3 SteadyMove for Adobe Premiere Pro
AAC Decoder
Active WebCam
Ad-Aware
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Flash CS3
Adobe Flash CS3 Professional
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Premiere Pro CS3 Third Party Content
Adobe Reader 8.1.2
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Video Profiles
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AiO_Scan
AiOSoftware
Apple Mobile Device Support
Apple Software Update
AutoUpdate
Avira AntiVir Personal - Free Antivirus
Battlefield 2(TM)
Bonjour
BufferChm
CCleaner (remove only)
CDisplay 1.8
CoffeeCup Direct FTP
CoffeeCup WebCam 3.5
Copy
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
CreativeProjects
CreativeProjectsTemplates
CueTour
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
DH Driver Cleaner Professional Edition
DirectKiSS
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DocProc
DocumentViewer
DocumentViewerQFolder
DVD Flick
DVD Shrink 3.2
eSupportQFolder
Fallout 3
Fax
FileZilla Client 3.2.3.1
Flickr Uploadr 3.0.5
Float32 2.0
FullDPAppQFolder
Google Earth
Google Talk (remove only)
Google Talk Plugin
GPL MPEG-1/2 DirectShow Decoder Filter
H.264 Decoder
HijackThis 2.0.2
HP Document Viewer 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP Product Assistant
HP PSC & OfficeJet 5.3.B
HP Solution Center & Imaging Support Tools 5.3
HP Update
HPProductAssistant
HPSystemDiagnostics
InstantShare
InstantShareDevices
Intel(R) PRO Network Adapters and Drivers
iTunes
Java(TM) 6 Update 11
Lavasoft Reghance 2.1 -licensed-
Left 4 Dead
LG USB Modem Drivers
Macromedia Extension Manager
Magic Bullet Editors 2.0 Premiere
Magic Bullet Editors Premiere
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
mIRC
MKV Splitter
Mozilla Firefox (3.0.8)
MSXML 6.0 Parser (KB925673)
Nero 7 Demo
NewCopy
NVIDIA Drivers
Panasonic P2 Drivers
Panasonic P2 Viewer
PanoStandAlone
PartitionMagic
PDF Settings
PhotoGallery
PowerISO
PowerQuest PartitionMagic 8.0
ProductContext
ProxyShell Hide IP 2.4.1
QFolder
QuickTime
RandMap
Readme
RealPlayer
Registry Mechanic 7.0
Revo Uninstaller 1.80
Scan
ScannerCopy
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows XP (KB923789)
SkinsHP1
Skype™ 4.0
SolutionCenter
Sonic_PrimoSDK
Sony ACID Pro 6.0
Sony Media Manager 2.2
Sony Noise Reduction Plug-In 2.0h
Sony Sound Forge 9.0
SoulSeek 157 NS 13c
SoulSeek Client 156c
Source SDK Base
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
SpywareBlaster 4.1
SpywareGuard v2.2
Status
Steam
System Requirements Lab
Theorica Divx ;-) Codecs (remove only)
TMPGEnc 4.0 XPress
TMPGEnc DVD Author 3 with DivX Authoring
TrayApp
Trillian
Tweak UI
Unload
VC80CRTRedist - 8.0.50727.762
Ventrilo Client
Ventrilo Server
VideoLAN VLC media player 0.8.6e
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebCam Monitor 5.0
WebReg
Winamp
Windows Communication Foundation
Windows Imaging Component
Windows Live installer
Windows Media Format 11 runtime
Windows Media Player 10
Windows Presentation Foundation
Windows Workflow Foundation
WinRAR archiver
Worms Armageddon - New Edition
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

4/6/2009 7:02:45 AM, error: Service Control Manager [7000] - The AVG8 WatchDog service failed to start due to the following error: The system cannot find the file specified.
4/6/2009 1:00:00 AM, error: Schedule [7901] - The At26.job command failed to start due to the following error: %%2147942402
4/6/2009 1:00:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
4/6/2009 12:51:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
4/6/2009 12:41:00 AM, error: Schedule [7901] - The At25.job command failed to start due to the following error: %%2147942402
4/5/2009 11:00:00 PM, error: Schedule [7901] - The At48.job command failed to start due to the following error: %%2147942402
4/5/2009 11:00:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
4/5/2009 10:00:00 PM, error: Schedule [7901] - The At47.job command failed to start due to the following error: %%2147942402
4/5/2009 10:00:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
4/5/2009 9:27:42 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
4/5/2009 9:00:00 PM, error: Schedule [7901] - The At46.job command failed to start due to the following error: %%2147942402
4/5/2009 9:00:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
4/5/2009 8:00:00 PM, error: Schedule [7901] - The At45.job command failed to start due to the following error: %%2147942402
4/5/2009 8:00:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
4/5/2009 7:00:00 PM, error: Schedule [7901] - The At44.job command failed to start due to the following error: %%2147942402
4/5/2009 7:00:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
4/5/2009 6:00:00 PM, error: Schedule [7901] - The At43.job command failed to start due to the following error: %%2147942402
4/5/2009 6:00:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
4/5/2009 5:00:00 PM, error: Schedule [7901] - The At42.job command failed to start due to the following error: %%2147942402
4/5/2009 5:00:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
4/5/2009 4:00:00 PM, error: Schedule [7901] - The At41.job command failed to start due to the following error: %%2147942402
4/5/2009 4:00:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
4/5/2009 3:59:03 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
4/5/2009 3:00:00 PM, error: Schedule [7901] - The At40.job command failed to start due to the following error: %%2147942402
4/5/2009 3:00:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
4/5/2009 2:00:00 PM, error: Schedule [7901] - The At39.job command failed to start due to the following error: %%2147942402
4/5/2009 2:00:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
4/5/2009 1:00:00 PM, error: Schedule [7901] - The At38.job command failed to start due to the following error: %%2147942402
4/5/2009 1:00:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402
4/5/2009 12:00:00 PM, error: Schedule [7901] - The At37.job command failed to start due to the following error: %%2147942402
4/5/2009 12:00:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
4/5/2009 11:00:00 AM, error: Schedule [7901] - The At36.job command failed to start due to the following error: %%2147942402
4/5/2009 11:00:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
4/5/2009 10:00:00 AM, error: Schedule [7901] - The At35.job command failed to start due to the following error: %%2147942402
4/5/2009 10:00:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
4/5/2009 3:00:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
4/5/2009 3:00:00 AM, error: Schedule [7901] - The At28.job command failed to start due to the following error: %%2147942402
4/5/2009 2:00:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
4/5/2009 2:00:00 AM, error: Schedule [7901] - The At27.job command failed to start due to the following error: %%2147942402
4/7/2009 9:00:00 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
4/7/2009 9:00:00 AM, error: Schedule [7901] - The At34.job command failed to start due to the following error: %%2147942402
4/9/2009 8:00:00 AM, error: Schedule [7901] - The At33.job command failed to start due to the following error: %%2147942402
4/9/2009 8:00:00 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
4/9/2009 5:33:03 PM, error: ipnathlp [31012] - The DNS proxy agent encountered an error while obtaining the local list of name-resolution servers. Some DNS or WINS servers may be inaccessible to clients on the local network. The data is the error code.
4/9/2009 6:22:31 PM, error: Dhcp [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 0050BA073F9E has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
4/9/2009 7:47:54 PM, error: Dhcp [1002] - The IP address lease 71.12.195.28 for the Network Card with network address 0050BA073F9E has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
4/9/2009 7:55:29 PM, error: ipnathlp [31008] - The DNS proxy agent was unable to read the local list of name-resolution servers from the registry. The data is the error code.
4/9/2009 8:03:28 PM, error: System Error [1003] - Error code 1000008e, parameter1 c0000005, parameter2 bf05f54b, parameter3 ba252344, parameter4 00000000.
4/9/2009 10:56:45 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
4/9/2009 11:19:40 PM, error: Service Control Manager [7024] - The Background Intelligent Transfer Service service terminated with service-specific error 2147952506 (0x8007277A).
4/10/2009 12:03:19 AM, error: Service Control Manager [7034] - The PnkBstrA service terminated unexpectedly. It has done this 1 time(s).
4/10/2009 4:00:00 AM, error: Schedule [7901] - The At29.job command failed to start due to the following error: %%2147942402
4/10/2009 4:00:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
4/10/2009 5:00:00 AM, error: Schedule [7901] - The At30.job command failed to start due to the following error: %%2147942402
4/10/2009 5:00:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
4/10/2009 6:00:00 AM, error: Schedule [7901] - The At31.job command failed to start due to the following error: %%2147942402
4/10/2009 6:00:00 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402
4/10/2009 7:00:00 AM, error: Schedule [7901] - The At32.job command failed to start due to the following error: %%2147942402
4/10/2009 7:00:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
4/10/2009 7:35:22 AM, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.
4/10/2009 4:53:19 PM, error: Service Control Manager [7023] - The ASP.NET State Service service terminated with the following error: %%2147952506

==== End Of File ===========================


Re: Win32 cryptor? (no internet access what-so-ever)

Post by Belahzur on 11th April 2009, 1:40 pm

Hello.
Wrong log, that's attach.txt, I need to see DDS.txt.

I see that you are running uTorrent.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If uTorrent is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • µTorrent
  • Java(TM) 6 Update 11

Post DDS.txt please.



Re: Win32 cryptor? (no internet access what-so-ever)

Post by lesabre on 11th April 2009, 2:13 pm

Ok here is the right log file:


DDS (Ver_09-03-16.01) - NTFSx86
Run by M at 9:10:47.78 on Sat 04/11/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.437 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\M\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Documents and Settings\M\Desktop\dds.scr

============== Pseudo HJT Report ===============

uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Windows Sound] svghost.exe
mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner v2.24\RivaTuner.exe" /S
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
uPolicies-explorer: NoAutoUpdate = 0 (0x0)
uPolicies-explorer: ForceClassicControlPanel = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: WinCtrl32 - WinCtrl32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\m\applic~1\mozilla\firefox\profiles\9egyngeb.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\m\application data\mozilla\firefox\profiles\9egyngeb.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\m\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\m\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - HiddenExtension: XUL Cache: {63B643C8-FD99-485E-8DC0-3A594352B68F} - c:\documents and settings\m\local settings\application data\{63B643C8-FD99-485E-8DC0-3A594352B68F}

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0

============= SERVICES / DRIVERS ===============

R0 Winkn31;Winkn31;c:\windows\system32\drivers\Winkn31.sys [2007-7-16 31616]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-10 11608]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-16 325640]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-16 27656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-10 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-10 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-10 55640]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [2007-11-30 651712]
R3 ICAM3NT5;Intel(r) PC Camera CS331;c:\windows\system32\drivers\ICAM3D2.SYS [2008-5-18 145184]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\progra~1\belkin\belkin~1.11g\dnindis5.sys --> c:\progra~1\belkin\belkin~1.11g\DNINDIS5.SYS [?]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2009-3-19 42512]
S4 COM+ System Manager;COM+ System Application Manage;c:\program files\common files\system\dllhost.exe --> c:\program files\common files\system\Dllhost.exe [?]
S4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 KAK;KAK; [x]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-04-10 23:14 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-04-10 23:14 --d----- c:\program files\Avira
2009-04-10 23:14 --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-04-10 23:13 438 a------- c:\windows\system32\win32hlp.cnf
2009-04-10 15:53 16,896 a------- c:\windows\system32\WinCtrl32.dll
2009-04-09 20:11 16 a------- c:\windows\Imijoxuqux.bin
2009-04-09 20:11 1,420 a------- c:\windows\Onolacanuv.dat
2009-04-09 20:03 206,793 a------- c:\windows\system32\nvapps.nvb
2009-04-09 19:56 7,680 a------- C:\dvyjbxu.exe
2009-04-09 19:56 46,614 a------- C:\oaegdrw.exe
2009-04-09 19:56 43,520 a------- C:\hpnvepk.exe
2009-04-09 19:50 --d----- c:\program files\The Rosetta Stone
2009-04-08 20:29 57,398 ac------ c:\windows\system32\dllcache\imjpdadm.exe
2009-04-08 20:28 480,256 ac------ c:\windows\system32\dllcache\cintsetp.exe
2009-04-08 20:27 8,704 ac------ c:\windows\system32\dllcache\kbdjpn.dll
2009-04-08 20:27 8,192 ac------ c:\windows\system32\dllcache\kbdkor.dll
2009-04-08 20:27 6,144 ac------ c:\windows\system32\dllcache\kbd106.dll
2009-04-08 20:27 6,144 ac------ c:\windows\system32\dllcache\kbd101c.dll
2009-04-08 20:27 6,144 ac------ c:\windows\system32\dllcache\kbd101b.dll
2009-04-08 20:27 5,632 ac------ c:\windows\system32\dllcache\kbd103.dll
2009-04-08 20:27 8,704 a------- c:\windows\system32\kbdjpn.dll
2009-04-08 20:27 8,192 a------- c:\windows\system32\kbdkor.dll
2009-04-08 20:27 6,144 a------- c:\windows\system32\kbd106.dll
2009-04-08 20:27 6,144 a------- c:\windows\system32\kbd101c.dll
2009-04-08 20:27 6,144 a------- c:\windows\system32\kbd101b.dll
2009-04-08 20:27 5,632 a------- c:\windows\system32\kbd103.dll
2009-04-07 19:00 --d----- c:\program files\iPod
2009-04-07 19:00 --d----- c:\program files\iTunes
2009-04-07 19:00 --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-03-27 22:29 1,594,537 a------- c:\windows\WANEUninstaller.exe
2009-03-27 22:27 --d----- C:\Games
2009-03-24 19:16 --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-20 22:55 --d----- c:\program files\Active WebCam
2009-03-19 23:42 --d----- c:\program files\Steam
2009-03-19 21:03 201,405 a------- c:\windows\system32\nvapps.xml
2009-03-19 21:02 --d----- c:\windows\nview
2009-03-19 20:52 --d----- c:\program files\SystemRequirementsLab
2009-03-19 16:39 --d----- c:\program files\RivaTuner v2.24
2009-03-19 16:31 453,152 a------- c:\windows\system32\nvudisp.exe
2009-03-19 16:31 18,725 a------- c:\windows\system32\nvdisp.nvu
2009-03-19 16:31 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-03-19 16:31 --d----- C:\NVIDIA
2009-03-19 00:46 --d----- c:\docume~1\alluse~1\applic~1\DeskShare
2009-03-19 00:46 140,288 a------- c:\windows\system32\COMDLG32.OCX
2009-03-19 00:46 --d----- c:\program files\common files\DeskShare Shared
2009-03-19 00:46 240,240 a------- c:\windows\system32\wpcap.dll
2009-03-19 00:46 88,704 a------- c:\windows\system32\packet.dll
2009-03-19 00:46 42,512 a------- c:\windows\system32\drivers\npf.sys
2009-03-18 23:17 --d----- c:\docume~1\m\applic~1\EyeSpyFX

==================== Find3M ====================

2009-04-10 23:12 31,616 a------- c:\windows\system32\drivers\Winkn31.sys
2009-04-09 20:08 7,156 a------- c:\windows\system32\d3d9caps.dat
2009-04-09 19:57 235,008 a------- c:\windows\system32\userinit.exe
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-02 08:05 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-02 08:05 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-19 20:01 98,304 a------- c:\windows\DUMP954a.tmp
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-10 21:58 71,712 a------- c:\docume~1\m\applic~1\GDIPFONTCACHEV1.DAT
2009-03-05 13:39 34 a------- c:\documents and settings\m\jagex_runescape_preferences.dat
2009-02-21 15:27 139,264 a------- c:\windows\system32\hpzjrd01.dll
2009-02-21 15:21 112,384 a------- c:\windows\hpoins07.dat
2009-02-18 14:44 401,408 a------- c:\windows\system32\nvcuvid.dll
2009-02-11 22:45 56,096 a---h--- c:\windows\system32\mlfcache.dat
2009-02-08 00:53 116,697 a------- c:\windows\system32\rn.tmp
2009-01-16 17:38 410,984 a------- c:\windows\system32\deploytk.dll
2007-12-20 21:01 22,328 a------- c:\docume~1\m\applic~1\PnkBstrK.sys

============= FINISH: 9:11:34.68 ===============


Re: Win32 cryptor? (no internet access what-so-ever)

Post by lesabre on 11th April 2009, 2:15 pm

OH wait let me remove those progs you requested.


Re: Win32 cryptor? (no internet access what-so-ever)

Post by lesabre on 11th April 2009, 2:20 pm

Ok new DDS log with UTorrent and the Java update removed:


DDS (Ver_09-03-16.01) - NTFSx86
Run by M at 9:19:29.21 on Sat 04/11/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.433 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\netdde.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\M\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\M\Desktop\dds.scr

============== Pseudo HJT Report ===============

uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
mRun: [LVCOMS] c:\program files\common files\logitech\qcdriver3\LVCOMS.EXE
mRun: [Microsoft Windows Sound] svghost.exe
mRun: [RivaTunerStartupDaemon] "c:\program files\rivatuner v2.24\RivaTuner.exe" /S
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
uPolicies-explorer: NoAutoUpdate = 0 (0x0)
uPolicies-explorer: ForceClassicControlPanel = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - [You must be registered and logged in to see this link.]
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: WinCtrl32 - WinCtrl32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\m\applic~1\mozilla\firefox\profiles\9egyngeb.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\m\application data\mozilla\firefox\profiles\9egyngeb.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\m\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\m\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - HiddenExtension: XUL Cache: {63B643C8-FD99-485E-8DC0-3A594352B68F} - c:\documents and settings\m\local settings\application data\{63B643C8-FD99-485E-8DC0-3A594352B68F}

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0

============= SERVICES / DRIVERS ===============

R0 Winkn31;Winkn31;c:\windows\system32\drivers\Winkn31.sys [2007-7-16 31616]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-4-10 11608]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-16 325640]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-16 27656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-4-10 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-4-10 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-10 55640]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [2007-11-30 651712]
R3 ICAM3NT5;Intel(r) PC Camera CS331;c:\windows\system32\drivers\ICAM3D2.SYS [2008-5-18 145184]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;\??\c:\windows\system32\drivers\nsdriver.sys --> c:\windows\system32\drivers\NSDriver.sys [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\progra~1\belkin\belkin~1.11g\dnindis5.sys --> c:\progra~1\belkin\belkin~1.11g\DNINDIS5.SYS [?]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2009-3-19 42512]
S4 COM+ System Manager;COM+ System Application Manage;c:\program files\common files\system\dllhost.exe --> c:\program files\common files\system\Dllhost.exe [?]
S4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloservicemanager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 KAK;KAK; [x]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

=============== Created Last 30 ================

2009-04-10 23:14 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-04-10 23:14 --d----- c:\program files\Avira
2009-04-10 23:14 --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-04-10 23:13 438 a------- c:\windows\system32\win32hlp.cnf
2009-04-10 15:53 16,896 a------- c:\windows\system32\WinCtrl32.dll
2009-04-09 20:11 16 a------- c:\windows\Imijoxuqux.bin
2009-04-09 20:11 1,420 a------- c:\windows\Onolacanuv.dat
2009-04-09 20:03 206,793 a------- c:\windows\system32\nvapps.nvb
2009-04-09 19:56 7,680 a------- C:\dvyjbxu.exe
2009-04-09 19:56 46,614 a------- C:\oaegdrw.exe
2009-04-09 19:56 43,520 a------- C:\hpnvepk.exe
2009-04-09 19:50 --d----- c:\program files\The Rosetta Stone
2009-04-08 20:29 57,398 ac------ c:\windows\system32\dllcache\imjpdadm.exe
2009-04-08 20:28 480,256 ac------ c:\windows\system32\dllcache\cintsetp.exe
2009-04-08 20:27 8,704 ac------ c:\windows\system32\dllcache\kbdjpn.dll
2009-04-08 20:27 8,192 ac------ c:\windows\system32\dllcache\kbdkor.dll
2009-04-08 20:27 6,144 ac------ c:\windows\system32\dllcache\kbd106.dll
2009-04-08 20:27 6,144 ac------ c:\windows\system32\dllcache\kbd101c.dll
2009-04-08 20:27 6,144 ac------ c:\windows\system32\dllcache\kbd101b.dll
2009-04-08 20:27 5,632 ac------ c:\windows\system32\dllcache\kbd103.dll
2009-04-08 20:27 8,704 a------- c:\windows\system32\kbdjpn.dll
2009-04-08 20:27 8,192 a------- c:\windows\system32\kbdkor.dll
2009-04-08 20:27 6,144 a------- c:\windows\system32\kbd106.dll
2009-04-08 20:27 6,144 a------- c:\windows\system32\kbd101c.dll
2009-04-08 20:27 6,144 a------- c:\windows\system32\kbd101b.dll
2009-04-08 20:27 5,632 a------- c:\windows\system32\kbd103.dll
2009-04-07 19:00 --d----- c:\program files\iPod
2009-04-07 19:00 --d----- c:\program files\iTunes
2009-04-07 19:00 --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-03-27 22:29 1,594,537 a------- c:\windows\WANEUninstaller.exe
2009-03-27 22:27 --d----- C:\Games
2009-03-24 19:16 --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-20 22:55 --d----- c:\program files\Active WebCam
2009-03-19 23:42 --d----- c:\program files\Steam
2009-03-19 21:03 201,405 a------- c:\windows\system32\nvapps.xml
2009-03-19 21:02 --d----- c:\windows\nview
2009-03-19 20:52 --d----- c:\program files\SystemRequirementsLab
2009-03-19 16:39 --d----- c:\program files\RivaTuner v2.24
2009-03-19 16:31 453,152 a------- c:\windows\system32\nvudisp.exe
2009-03-19 16:31 18,725 a------- c:\windows\system32\nvdisp.nvu
2009-03-19 16:31 453,152 a------- c:\windows\system32\NVUNINST.EXE
2009-03-19 16:31 --d----- C:\NVIDIA
2009-03-19 00:46 --d----- c:\docume~1\alluse~1\applic~1\DeskShare
2009-03-19 00:46 140,288 a------- c:\windows\system32\COMDLG32.OCX
2009-03-19 00:46 --d----- c:\program files\common files\DeskShare Shared
2009-03-19 00:46 240,240 a------- c:\windows\system32\wpcap.dll
2009-03-19 00:46 88,704 a------- c:\windows\system32\packet.dll
2009-03-19 00:46 42,512 a------- c:\windows\system32\drivers\npf.sys
2009-03-18 23:17 --d----- c:\docume~1\m\applic~1\EyeSpyFX

==================== Find3M ====================

2009-04-10 23:12 31,616 a------- c:\windows\system32\drivers\Winkn31.sys
2009-04-09 20:08 7,156 a------- c:\windows\system32\d3d9caps.dat
2009-04-09 19:57 235,008 a------- c:\windows\system32\userinit.exe
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-02 08:05 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-02 08:05 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-19 20:01 98,304 a------- c:\windows\DUMP954a.tmp
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-10 21:58 71,712 a------- c:\docume~1\m\applic~1\GDIPFONTCACHEV1.DAT
2009-03-05 13:39 34 a------- c:\documents and settings\m\jagex_runescape_preferences.dat
2009-02-21 15:27 139,264 a------- c:\windows\system32\hpzjrd01.dll
2009-02-21 15:21 112,384 a------- c:\windows\hpoins07.dat
2009-02-18 14:44 401,408 a------- c:\windows\system32\nvcuvid.dll
2009-02-11 22:45 56,096 a---h--- c:\windows\system32\mlfcache.dat
2009-02-08 00:53 116,697 a------- c:\windows\system32\rn.tmp
2009-01-16 17:38 410,984 a------- c:\windows\system32\deploytk.dll
2007-12-20 21:01 22,328 a------- c:\docume~1\m\applic~1\PnkBstrK.sys

============= FINISH: 9:20:01.51 ===============

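An added example, not part of this thread and not code from the DDS or ComboFix tools: a small Python triage pass over lines in the formats DDS prints (autorun keys, Winlogon Notify entries and the "Created Last 30" listing). It flags the three things that stand out in the log above: a Run value that starts a bare filename one letter away from a Windows binary (svghost.exe for svchost.exe), a Winlogon Notify DLL created the day before the scan, and executables with random-looking names dropped in the drive root. The sample lines are copied from the log above into the script as its input; the allowlist of binary names, the 7-day window, the severity labels and the "random-looking name" heuristic are assumptions for illustration.

```python
# Added example: first-pass triage of DDS-style log lines. Not part of the
# forum post or of DDS itself; allowlist, window and heuristics are assumed.
import re
from collections import namedtuple
from datetime import date, timedelta

Finding = namedtuple("Finding", "severity kind subject detail")

# Windows binaries that malware imitates with a one-letter change
# (svghost.exe for svchost.exe). Assumed allowlist, not exhaustive.
LEGIT_NAMES = {"svchost.exe", "userinit.exe", "explorer.exe", "winlogon.exe",
               "lsass.exe", "csrss.exe", "services.exe", "spoolsv.exe",
               "rundll32.exe"}

RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<dll>\S+)$")
# 'Created Last 30' rows: date time [size] attrs path (directories carry no size)
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (?:[\d,]+ )?(?P<attr>\S{8}) (?P<path>.+)$")
RUNBY_RE = re.compile(r"^Run by .* on \w{3} (?P<m>\d{2})/(?P<d>\d{2})/(?P<y>\d{4})$")
# An executable dropped straight in the drive root with a letters-only stem
ROOT_EXE_RE = re.compile(r"^[a-z]:\\[a-z]{6,}\.(?:exe|dll|sys)$", re.I)

# Sample input copied from the DDS log posted above (constructed for the demo).
SAMPLE_LINES = r"""
Run by M at 9:19:29.21 on Sat 04/11/2009
mRun: [Microsoft Windows Sound] svghost.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
Notify: avgrsstarter - avgrsstx.dll
Notify: WinCtrl32 - WinCtrl32.dll
2009-04-10 23:14 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-04-10 23:14 --d----- c:\program files\Avira
2009-04-10 15:53 16,896 a------- c:\windows\system32\WinCtrl32.dll
2009-04-09 19:56 7,680 a------- C:\dvyjbxu.exe
2009-04-09 19:56 46,614 a------- C:\oaegdrw.exe
2009-03-19 00:46 42,512 a------- c:\windows\system32\drivers\npf.sys
""".strip().splitlines()


def levenshtein(a, b):
    """Edit distance; catches one-character lookalikes of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _executable(cmd):
    """First token of an autorun command, honouring quotes, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)].lower()
    return cmd.split()[0].lower()


def triage(lines, recent_days=7):
    """Return Findings for the indicators above; recent_days is an assumed window."""
    findings, created, run_date = [], {}, None
    for line in lines:
        m = RUNBY_RE.match(line)
        if m:
            run_date = date(int(m["y"]), int(m["m"]), int(m["d"]))
        m = CREATED_RE.match(line)
        if m and "d" not in m["attr"]:          # files only; skip directories
            path = m["path"]
            created[path.rsplit("\\", 1)[-1].lower()] = (date.fromisoformat(m["date"]), path)
    if run_date is None and created:
        run_date = max(d for d, _ in created.values())

    def recent(d):
        return run_date is not None and run_date - d <= timedelta(days=recent_days)

    for line in lines:
        m = RUN_RE.match(line)
        if m:
            exe = _executable(m["cmd"])
            # A bare filename is resolved by path search at logon, so a
            # lookalike name is both a disguise and a hijack of the loader.
            if "\\" not in exe and exe not in LEGIT_NAMES:
                for legit in LEGIT_NAMES:
                    if levenshtein(exe, legit) == 1:
                        findings.append(Finding("HIGH", "run-lookalike", exe,
                            f"Run value [{m['name']}] starts {exe} by bare name; "
                            f"one letter away from {legit}"))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            dll = m["dll"].lower()
            # Winlogon Notify DLLs load into winlogon.exe at every logon;
            # one that appeared days before the scan is almost never benign.
            if dll in created and recent(created[dll][0]):
                d, path = created[dll]
                findings.append(Finding("HIGH", "notify-recent-dll", dll,
                                        f"Winlogon Notify DLL {path} created {d}"))
    for d, path in created.values():
        if ROOT_EXE_RE.match(path) and recent(d):
            findings.append(Finding("MEDIUM", "root-dropper", path,
                                    f"random-named executable dropped in drive root on {d}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.severity:<6} {f.kind:<18} {f.subject}: {f.detail}")
```

Run stand-alone it prints four findings for the sample: the svghost.exe Run value, WinCtrl32.dll in Winlogon Notify, and the two root droppers. It deliberately does not flag nwiz.exe or RUNDLL32.EXE even though both are started by bare name, because a bare name alone is common for legitimate entries; the lookalike test is what separates the disguise from the habit. The same parser can be pointed at the Find3M section, where the modified dates (userinit.exe at 2009-04-09 19:57, one minute after the droppers appeared) tell the rest of the story the helper reads off the log.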

Re: Win32 cryptor? (no internet access what-so-ever)

Post by Belahzur on 11th April 2009, 2:30 pm

Hello.
As I thought, userinit is patched. We can fix that, though. Before we can start fixing that, we have to kick out another infection.

Please download [You must be registered and logged in to see this link.] and save it to your Desktop. Please double-click GooredFix.exe on your Desktop to run it. Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Avira)
  • Double click on ComboFix.exe.
  • Follow the prompts.
    NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Win32 cryptor? (no internet access what-so-ever)

Post by lesabre on 11th April 2009, 3:26 pm

GooredFIX log:

GooredFix v1.92 by jpshortstuff
Log created at 09:37 on 11/04/2009 running Option #2 (M)
Firefox version 3.0.8 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{63B643C8-FD99-485E-8DC0-3A594352B68F}"="C:\Documents and Settings\M\Local Settings\Application Data\{63B643C8-FD99-485E-8DC0-3A594352B68F}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\M\Local Settings\Application Data\{63B643C8-FD99-485E-8DC0-3A594352B68F}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"


Re: Win32 cryptor? (no internet access what-so-ever)

Post by lesabre on 11th April 2009, 3:29 pm

ComboFix log: PART I

ComboFix 09-04-04.01 - M 2009-04-11 9:38:53.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.534 [GMT -5:00]
Running from: c:\documents and settings\M\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
* Created a new restore point
.
Error: Cfiles.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\Winkn31.sys
c:\windows\system32\packet.dll
c:\windows\system32\tmpxccacj1.exe
c:\windows\system32\wpcap.dll

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\system32\init32.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINKN31
-------\Service_NPF
-------\Service_Winkn31


((((((((((((((((((((((((( Files Created from 2009-03-11 to 2009-04-11 )))))))))))))))))))))))))))))))
.

2009-04-10 23:14 . 2009-04-10 23:14 d-------- c:\program files\Avira
2009-04-10 23:14 . 2009-04-10 23:14 d-------- c:\documents and settings\All Users\Application Data\Avira
2009-04-10 23:14 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-04-10 23:13 . 2009-04-11 09:03 438 --a------ c:\windows\system32\win32hlp.cnf
2009-04-10 15:53 . 2009-04-11 09:02 16,896 --a------ c:\windows\system32\WinCtrl32.dll
2009-04-09 20:11 . 2009-04-09 20:11 1,420 --a------ c:\windows\Onolacanuv.dat
2009-04-09 20:11 . 2009-04-09 21:51 16 --a------ c:\windows\Imijoxuqux.bin
2009-04-09 20:03 . 2009-01-15 08:19 206,793 --a------ c:\windows\system32\nvapps.nvb
2009-04-09 19:56 . 2009-04-09 19:56 46,614 --a------ C:\oaegdrw.exe
2009-04-09 19:56 . 2009-04-09 19:56 43,520 --a------ C:\hpnvepk.exe
2009-04-09 19:56 . 2009-04-09 19:56 7,680 --a------ C:\dvyjbxu.exe
2009-04-09 19:50 . 2009-04-09 23:08 d-------- c:\program files\The Rosetta Stone
2009-04-08 20:29 . 2004-09-08 09:58 180,770 --a--c--- c:\windows\system32\dllcache\c_20932.nls
2009-04-08 20:28 . 2004-09-08 10:00 811,064 --a------ c:\windows\system32\imjp81k.dll
2009-04-08 20:27 . 2009-03-19 16:25 8,704 --a------ c:\windows\system32\kbdjpn.dll
2009-04-08 20:27 . 2009-03-19 16:25 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2009-04-08 20:27 . 2009-03-19 16:25 8,192 --a------ c:\windows\system32\kbdkor.dll
2009-04-08 20:27 . 2009-03-19 16:25 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2009-04-08 20:27 . 2009-03-19 16:25 6,144 --a------ c:\windows\system32\kbd106.dll
2009-04-08 20:27 . 2009-03-19 16:25 6,144 --a------ c:\windows\system32\kbd101c.dll
2009-04-08 20:27 . 2009-03-19 16:25 6,144 --a------ c:\windows\system32\kbd101b.dll
2009-04-08 20:27 . 2009-03-19 16:25 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2009-04-08 20:27 . 2009-03-19 16:25 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2009-04-08 20:27 . 2009-03-19 16:25 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2009-04-08 20:27 . 2009-03-19 16:25 5,632 --a------ c:\windows\system32\kbd103.dll
2009-04-08 20:27 . 2009-03-19 16:25 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll
2009-04-07 19:00 . 2009-04-07 19:00 d-------- c:\program files\iTunes
2009-04-07 19:00 . 2009-04-07 19:00 d-------- c:\program files\iPod
2009-04-07 19:00 . 2009-04-07 19:00 d-------- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-03-27 22:29 . 2009-03-27 22:29 1,594,537 --a------ c:\windows\WANEUninstaller.exe
2009-03-27 22:27 . 2009-03-27 22:27 d-------- C:\Games
2009-03-24 19:16 . 2009-03-24 19:16 d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-20 22:55 . 2009-03-21 12:09 d-------- c:\program files\Active WebCam
2009-03-19 23:42 . 2009-04-11 10:17 d-------- c:\program files\Steam
2009-03-19 21:03 . 2009-04-11 10:17 201,405 --a------ c:\windows\system32\nvapps.xml
2009-03-19 21:02 . 2009-04-09 22:56 d-------- c:\windows\nview
2009-03-19 20:52 . 2009-03-19 20:52 d-------- c:\program files\SystemRequirementsLab
2009-03-19 20:52 . 2009-03-19 20:52 d-------- c:\documents and settings\M\Application Data\SystemRequirementsLab
2009-03-19 16:39 . 2009-03-19 16:40 d-------- c:\program files\RivaTuner v2.24
2009-03-19 16:31 . 2009-03-19 20:50 d-------- C:\NVIDIA
2009-03-19 16:31 . 2009-02-16 23:17 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2009-03-19 16:31 . 2009-02-18 14:44 453,152 --a------ c:\windows\system32\nvudisp.exe
2009-03-19 16:31 . 2009-01-15 08:19 18,725 --a------ c:\windows\system32\nvdisp.nvu
2009-03-19 00:46 . 2009-03-19 00:46 d-------- c:\program files\Common Files\DeskShare Shared
2009-03-19 00:46 . 2009-03-19 00:46 d-------- c:\documents and settings\All Users\Application Data\DeskShare
2009-03-19 00:46 . 2001-02-20 03:47 140,288 --a------ c:\windows\system32\COMDLG32.OCX
2009-03-18 23:17 . 2009-03-18 23:17 d-------- c:\documents and settings\M\Application Data\EyeSpyFX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 14:19 --------- d-----w c:\program files\Trillian
2009-04-11 14:18 --------- d-----w c:\program files\Java
2009-04-11 04:31 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-11 04:31 --------- d-----w c:\program files\SpywareBlaster
2009-04-11 04:26 --------- d-----w c:\program files\Lavasoft
2009-04-11 04:26 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-10 21:50 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-10 01:06 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 22:30 --------- d-----w c:\documents and settings\M\Application Data\Skype
2009-04-08 00:00 --------- d-----w c:\program files\Common Files\Apple
2009-04-07 15:36 --------- d-----w c:\documents and settings\M\Application Data\FileZilla
2009-04-06 20:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 05:15 --------- d-----w c:\documents and settings\M\Application Data\DVD Flick
2009-04-05 00:05 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-04 14:26 --------- d-----w c:\program files\FileZilla Client
2009-04-02 22:49 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-02 13:05 325,640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-28 02:58 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-28 02:58 --------- d-----w c:\program files\EA GAMES
2009-03-25 00:15 --------- d-----w c:\program files\Bonjour
2009-03-23 02:04 --------- d-----w c:\program files\Soulseek
2009-03-20 01:01 98,304 ----a-w c:\windows\DUMP954a.tmp
2009-03-19 21:42 --------- d-----w c:\program files\SpywareGuard
2009-03-19 21:32 23,400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-19 05:46 --------- d-----w c:\program files\Deskshare
2009-03-16 16:10 --------- d-----w c:\program files\QuickTime
2009-03-13 22:43 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-13 22:43 --------- d-----r c:\program files\Skype
2009-03-13 21:05 --------- d-----w c:\documents and settings\M\Application Data\skypePM
2009-03-11 02:58 71,712 ----a-w c:\documents and settings\M\Application Data\GDIPFONTCACHEV1.DAT
2009-03-05 18:39 34 ----a-w c:\documents and settings\M\jagex_runescape_preferences.dat
2009-03-03 07:25 --------- d-----w c:\program files\DirectKiSS11
2009-02-23 23:34 --------- d-----w c:\documents and settings\M\Application Data\The Creative Assembly
2009-02-23 06:07 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-02-21 20:38 --------- d-----w c:\program files\HP
2009-02-21 20:38 --------- d-----w c:\program files\Hewlett-Packard
2009-02-21 20:37 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-02-21 20:21 --------- d-----w c:\documents and settings\M\Application Data\HP
2009-02-21 20:19 --------- d-----w c:\program files\Common Files\Sonic Shared
2009-02-21 20:19 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2009-02-21 20:18 --------- d-----w c:\program files\Common Files\HP
2009-02-15 08:12 --------- d-----w c:\program files\CoffeeCup Software
2009-02-15 01:32 --------- d-----w c:\documents and settings\M\Application Data\CoffeeCup Software
2009-02-14 22:58 --------- d-----w c:\documents and settings\M\Application Data\mIRC
2009-02-14 22:56 --------- d-----w c:\program files\mIRC
2007-12-21 02:01 22,328 ----a-w c:\documents and settings\M\Application Data\PnkBstrK.sys


Re: Win32 cryptor? (no internet access what-so-ever)

Post by lesabre on 11th April 2009, 3:31 pm

ComboFix log: PART II

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2009-03-19 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24\RivaTuner.exe" [2009-02-25 2781184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-09-08 158208]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" [2009-01-15 c:\windows\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"= 0 (0x0)
"ForceClassicControlPanel"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-02 08:05 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
2009-04-11 09:02 16896 c:\windows\system32\WinCtrl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"msacm.avis"= ff_acm.acm
"vidc.i263"= c:\windows\system32\i263_32.drv
"msacm.imc"= c:\windows\system32\imc32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^P2 Card Manager.lnk]
backup=c:\windows\pss\P2 Card Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^M^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
backup=c:\windows\pss\Free WebSite Tools.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^M^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=c:\documents and settings\M\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=c:\windows\pss\SpywareGuard.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-16 11:18 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 07:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-09-06 08:08 136136 c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 16:22 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 17:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2005-12-17 00:55 176128 c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-09-08 10:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-04-02 16:11 342312 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-09-08 09:59 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2009-01-15 08:19 13680640 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2009-01-15 08:19 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-09-08 10:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-09-08 10:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-07-07 02:34 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2009-03-06 22:54 24095528 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2009-03-19 23:42 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2009-01-15 08:19 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KAK"=3 (0x3)
"iPod Service"=3 (0x3)
"COM+ System Manager"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"usnjsvc"=3 (0x3)
"Ventrilo"=2 (0x2)
"Pml Driver HPH11"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"Bonjour Service"=2 (0x2)
"ioloSystemService"=2 (0x2)
"ioloFileInfoList"=2 (0x2)
"mnmsrvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"idsvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Documents and Settings\\M\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\M\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\digital imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\digital imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-16 325640]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-10 108289]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [2007-11-30 651712]
R3 ICAM3NT5;Intel(r) PC Camera CS331;c:\windows\system32\drivers\ICAM3D2.SYS [2008-05-18 145184]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS --> c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [?]
S4 COM+ System Manager;COM+ System Application Manage;c:\program files\Common Files\System\Dllhost.exe --> c:\program files\Common Files\System\Dllhost.exe [?]
S4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 KAK;KAK; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bfa693c3-366a-11dd-8c45-0050ba073f9e}]
\Shell\AutoRun\command - E:\Autorun.exe


Re: Win32 cryptor? (no internet access what-so-ever)

Post by lesabre on 11th April 2009, 3:32 pm

ComboFIX log: PART III

Contents of the 'Scheduled Tasks' folder

2009-04-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-04-11 c:\windows\Tasks\At1.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-09 c:\windows\Tasks\At10.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-11 c:\windows\Tasks\At11.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-09 c:\windows\Tasks\At12.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-09 c:\windows\Tasks\At13.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-09 c:\windows\Tasks\At14.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-09 c:\windows\Tasks\At15.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-09 c:\windows\Tasks\At16.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At17.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At18.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At19.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-11 c:\windows\Tasks\At2.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-11 c:\windows\Tasks\At20.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-11 c:\windows\Tasks\At21.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At22.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At23.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At24.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-11 c:\windows\Tasks\At25.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-11 c:\windows\Tasks\At26.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At27.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At28.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At29.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At3.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At31.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At32.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-09 c:\windows\Tasks\At33.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-11 c:\windows\Tasks\At35.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-09 c:\windows\Tasks\At36.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-09 c:\windows\Tasks\At37.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-09 c:\windows\Tasks\At38.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At4.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-09 c:\windows\Tasks\At40.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At41.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At42.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At43.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-11 c:\windows\Tasks\At44.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At46.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At47.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At48.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At5.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At6.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At7.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-10 c:\windows\Tasks\At8.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-09 c:\windows\Tasks\At9.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-651377827-725345543-1003.job
- c:\documents and settings\M\Local Settings\Application Data\Google\Update\GoogleUpdate.exe []
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Microsoft Windows Sound - svghost.exe
MSConfigStartUp-Google Update - c:\documents and settings\M\Local Settings\Application Data\Google\Update\GoogleUpdate.exe


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\9egyngeb.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\9egyngeb.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\M\Application Data\Mozilla\plugins\npgoogletalk.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-11 10:18:05
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

c:\windows\system32\.342aa742\342aa742.exe [1736] 0x86A8F5D8

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\.342aa742

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\342aa742]
"ImagePath"="c:\windows\system32\.342aa742\342aa742.exe"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-651377827-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{90742E31-07BF-5BDB-F101-3F327C315F37}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oaobfgfbahjgmaakiconobbiabcpko"=hex:64,61,68,64,6b,66,68,68,00,50
"oacdnhakdefalhejkhccdnikampmge"=hex:6a,61,6f,64,62,64,69,67,69,68,61,6e,61,6e,
61,64,61,6b,70,65,00,cb
"naebhhfihnednlepbanpbpohjken"=hex:69,61,68,64,65,64,69,65,64,66,69,69,65,68,
67,65,6b,64,00,00

[HKEY_USERS\S-1-5-21-1801674531-651377827-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3e,6c,c9,78,5a,52,87,c0,0e,79,13,6e,7d,bd,ea,5a,97,4b,36,13,21,bd,5d,
f7,19,0b,9d,54,af,c6,42,44,0a,60,b7,22,38,43,a2,25,af,2e,85,db,cc,75,be,4a,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:10,fe,94,5e,1a,47,c4,0c,19,30,e3,2b,2f,fd,81,2b,bc,ce,ba,1e,7d,
dc,0f,f9,22,7e,f9,95,50,18,87,ac,d0,d1,7e,98,72,6a,c4,d3,46,ad,c5,0a,72,c7,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\WinCtrl32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\bgsvcgen.exe
c:\windows\system32\netdde.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-04-11 10:23:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-11 15:23:08
Pre-Run: 10,486,394,880 bytes free
Post-Run: 10,788,601,856 bytes free

450 --- E O F --- 2007-07-30 15:02:07


Re: Win32 cryptor? (no internet access what-so-ever)

Post by Belahzur on 11th April 2009, 3:40 pm

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
COM+ System Manager

File::
c:\windows\system32\win32hlp.cnf
c:\windows\system32\WinCtrl32.dll
c:\windows\Onolacanuv.dat
c:\windows\Imijoxuqux.bin
C:\oaegdrw.exe
C:\hpnvepk.exe
C:\dvyjbxu.exe
c:\windows\system32\0xyD7MQO.exe

Folder::
c:\windows\system32\.342aa742

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"=-
"ForceClassicControlPanel"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinCtrl32]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bfa693c3-366a-11dd-8c45-0050ba073f9e}]
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\342aa742]

RegLock::
[HKEY_USERS\S-1-5-21-1801674531-651377827-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{90742E31-07BF-5BDB-F101-3F327C315F37}*]

RegNull::
[HKEY_USERS\S-1-5-21-1801674531-651377827-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{90742E31-07BF-5BDB-F101-3F327C315F37}*]

AtJob::

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run; it may want to reboot after it's done. Post the resulting log back here.


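The helper's CFScript above is derived by reading the log posted before it. The following triage script is an added example, not part of the thread and not ComboFix's own code: it parses the 'Scheduled Tasks' block and the catchme hidden-object block of a ComboFix log, flags the cluster of At<N>.job tasks that all launch one executable plus whatever catchme reported as hidden, and renders the matching File::/Folder::/AtJob:: entries in the shape of the script above. The sample log is a constructed excerpt of the one posted, and the file-versus-folder split is a heuristic.

```python
import re

# Constructed sample modelled on the ComboFix log quoted in this thread
# (three of the 48 At*.job entries and the catchme block are kept).
SAMPLE_LOG = r"""Contents of the 'Scheduled Tasks' folder

2009-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-04-11 c:\windows\Tasks\At1.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-09 c:\windows\Tasks\At10.job
- c:\windows\system32\0xyD7MQO.exe []

2009-04-11 c:\windows\Tasks\At2.job
- c:\windows\system32\0xyD7MQO.exe []

scanning hidden processes ...

c:\windows\system32\.342aa742\342aa742.exe [1736] 0x86A8F5D8

scanning hidden files ...

c:\windows\system32\.342aa742

scan completed successfully
hidden files: 1
"""

# Task block: "<date> <path to X.job>" then "- <target> [<stamp>]"; catchme lists
# a hidden process as "<path> [<pid>] 0x<addr>" and a hidden file as a bare path.
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<path>.+\\(?P<name>[^\\]+\.job))$", re.I)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<stamp>[^\]]*)\]$")
AT_JOB_RE = re.compile(r"^At\d+\.job$", re.I)
HIDDEN_RE = re.compile(r"^(?P<path>[a-z]:\\\S.*?)(?: \[\d+\] 0x[0-9a-f]+)?$", re.I)

def parse_tasks(log):
    """Return [(job_name, target, stamp)] from the 'Scheduled Tasks' block."""
    tasks, pending = [], None
    for line in (ln.strip() for ln in log.splitlines()):
        if (m := TASK_RE.match(line)):
            pending = m.group("name")
        elif pending and (t := TARGET_RE.match(line)):
            tasks.append((pending, t.group("target"), t.group("stamp")))
            pending = None
    return tasks

def find_at_job_clusters(tasks, min_jobs=3):
    """Map an executable launched by >= min_jobs At<N>.job tasks to those jobs:
    dozens of At jobs behind one random-named exe is the pattern seen above."""
    by_target = {}
    for name, target, _stamp in tasks:
        if AT_JOB_RE.match(name):
            by_target.setdefault(target, []).append(name)
    return {t: jobs for t, jobs in by_target.items() if len(jobs) >= min_jobs}

def parse_catchme_hidden(log):
    """Collect paths catchme reported as hidden, split into files and folders."""
    files, folders, in_scan = [], [], False
    for line in (ln.strip() for ln in log.splitlines()):
        if line.startswith("scanning hidden processes"):
            in_scan = True
        elif line.startswith("scan completed"):
            in_scan = False
        elif in_scan and (m := HIDDEN_RE.match(line)):
            path = m.group("path")
            leaf = path.rsplit("\\", 1)[-1]
            # Heuristic: short extension => file; dot-prefixed ".342aa742" => folder.
            if re.match(r"^[^.].*\.[a-z0-9]{1,4}$", leaf, re.I):
                files.append(path)
            else:
                folders.append(path)
    return {"files": files, "folders": folders}

def triage(log):
    """Combine both detectors into the items a CFScript would have to cover."""
    clusters = find_at_job_clusters(parse_tasks(log))
    hidden = parse_catchme_hidden(log)
    return {"files": sorted(set(hidden["files"]) | set(clusters)),
            "folders": sorted(set(hidden["folders"])),
            "at_jobs": sorted(j for jobs in clusters.values() for j in jobs)}

def build_cfscript(findings):
    """Render File::/Folder::/AtJob:: sections in the shape of the script above."""
    out = []
    if findings["files"]:
        out += ["File::", *findings["files"], ""]
    if findings["folders"]:
        out += ["Folder::", *findings["folders"], ""]
    if findings["at_jobs"]:
        out.append("AtJob::")  # bare directive, as in the thread's script
    return "\n".join(out).rstrip()

if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

The rendered output is a starting point for review, not a script to run blindly: a helper still has to confirm each path and decide which other loading points (winlogon Notify entries, firewall exceptions, mountpoint autoruns) the log shows.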

Re: Win32 cryptor? (no internet access what-so-ever)

Post by lesabre on 11th April 2009, 4:38 pm

New ComboFIX Log: PART I

ComboFix 09-04-04.01 - M 2009-04-11 10:45:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.544 [GMT -5:00]
Running from: c:\documents and settings\M\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\M\Desktop\CFscript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
C:\dvyjbxu.exe
C:\hpnvepk.exe
C:\oaegdrw.exe
c:\windows\Imijoxuqux.bin
c:\windows\Onolacanuv.dat
c:\windows\system32\0xyD7MQO.exe
c:\windows\system32\win32hlp.cnf
c:\windows\system32\WinCtrl32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\dvyjbxu.exe
C:\hpnvepk.exe
C:\oaegdrw.exe
c:\windows\Imijoxuqux.bin
c:\windows\Onolacanuv.dat
c:\windows\system32\.342aa742
c:\windows\system32\win32hlp.cnf
c:\windows\system32\WinCtrl32.dll
c:\windows\system32\xcchit32.ini
c:\windows\system32\xcchit32.ini.tmp
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\xccwinsys.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_COM+_SYSTEM_MANAGER
-------\Service_COM+ System Manager


((((((((((((((((((((((((( Files Created from 2009-03-11 to 2009-04-11 )))))))))))))))))))))))))))))))
.

2009-04-10 23:14 . 2009-04-10 23:14 d-------- c:\program files\Avira
2009-04-10 23:14 . 2009-04-10 23:14 d-------- c:\documents and settings\All Users\Application Data\Avira
2009-04-10 23:14 . 2009-02-13 11:31 55,640 --a------ c:\windows\system32\drivers\avgntflt.sys
2009-04-09 20:03 . 2009-01-15 08:19 206,793 --a------ c:\windows\system32\nvapps.nvb
2009-04-09 19:50 . 2009-04-09 23:08 d-------- c:\program files\The Rosetta Stone
2009-04-08 20:29 . 2004-09-08 09:58 180,770 --a--c--- c:\windows\system32\dllcache\c_20932.nls
2009-04-08 20:28 . 2004-09-08 10:00 811,064 --a------ c:\windows\system32\imjp81k.dll
2009-04-08 20:27 . 2009-03-19 16:25 8,704 --a------ c:\windows\system32\kbdjpn.dll
2009-04-08 20:27 . 2009-03-19 16:25 8,704 --a--c--- c:\windows\system32\dllcache\kbdjpn.dll
2009-04-08 20:27 . 2009-03-19 16:25 8,192 --a------ c:\windows\system32\kbdkor.dll
2009-04-08 20:27 . 2009-03-19 16:25 8,192 --a--c--- c:\windows\system32\dllcache\kbdkor.dll
2009-04-08 20:27 . 2009-03-19 16:25 6,144 --a------ c:\windows\system32\kbd106.dll
2009-04-08 20:27 . 2009-03-19 16:25 6,144 --a------ c:\windows\system32\kbd101c.dll
2009-04-08 20:27 . 2009-03-19 16:25 6,144 --a------ c:\windows\system32\kbd101b.dll
2009-04-08 20:27 . 2009-03-19 16:25 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2009-04-08 20:27 . 2009-03-19 16:25 6,144 --a--c--- c:\windows\system32\dllcache\kbd101c.dll
2009-04-08 20:27 . 2009-03-19 16:25 6,144 --a--c--- c:\windows\system32\dllcache\kbd101b.dll
2009-04-08 20:27 . 2009-03-19 16:25 5,632 --a------ c:\windows\system32\kbd103.dll
2009-04-08 20:27 . 2009-03-19 16:25 5,632 --a--c--- c:\windows\system32\dllcache\kbd103.dll
2009-04-07 19:00 . 2009-04-07 19:00 d-------- c:\program files\iTunes
2009-04-07 19:00 . 2009-04-07 19:00 d-------- c:\program files\iPod
2009-04-07 19:00 . 2009-04-07 19:00 d-------- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-03-27 22:29 . 2009-03-27 22:29 1,594,537 --a------ c:\windows\WANEUninstaller.exe
2009-03-27 22:27 . 2009-03-27 22:27 d-------- C:\Games
2009-03-24 19:16 . 2009-03-24 19:16 d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-20 22:55 . 2009-03-21 12:09 d-------- c:\program files\Active WebCam
2009-03-19 23:42 . 2009-04-11 11:28 d-------- c:\program files\Steam
2009-03-19 21:03 . 2009-04-11 11:28 201,405 --a------ c:\windows\system32\nvapps.xml
2009-03-19 21:02 . 2009-04-09 22:56 d-------- c:\windows\nview
2009-03-19 20:52 . 2009-03-19 20:52 d-------- c:\program files\SystemRequirementsLab
2009-03-19 20:52 . 2009-03-19 20:52 d-------- c:\documents and settings\M\Application Data\SystemRequirementsLab
2009-03-19 16:39 . 2009-03-19 16:40 d-------- c:\program files\RivaTuner v2.24
2009-03-19 16:31 . 2009-03-19 20:50 d-------- C:\NVIDIA
2009-03-19 16:31 . 2009-02-16 23:17 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2009-03-19 16:31 . 2009-02-18 14:44 453,152 --a------ c:\windows\system32\nvudisp.exe
2009-03-19 16:31 . 2009-01-15 08:19 18,725 --a------ c:\windows\system32\nvdisp.nvu
2009-03-19 00:46 . 2009-03-19 00:46 d-------- c:\program files\Common Files\DeskShare Shared
2009-03-19 00:46 . 2009-03-19 00:46 d-------- c:\documents and settings\All Users\Application Data\DeskShare
2009-03-19 00:46 . 2001-02-20 03:47 140,288 --a------ c:\windows\system32\COMDLG32.OCX
2009-03-18 23:17 . 2009-03-18 23:17 d-------- c:\documents and settings\M\Application Data\EyeSpyFX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-11 15:36 --------- d-----w c:\program files\Trillian
2009-04-11 14:18 --------- d-----w c:\program files\Java
2009-04-11 04:31 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-04-11 04:31 --------- d-----w c:\program files\SpywareBlaster
2009-04-11 04:26 --------- d-----w c:\program files\Lavasoft
2009-04-11 04:26 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-10 21:50 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-04-10 01:06 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-09 22:30 --------- d-----w c:\documents and settings\M\Application Data\Skype
2009-04-08 00:00 --------- d-----w c:\program files\Common Files\Apple
2009-04-07 15:36 --------- d-----w c:\documents and settings\M\Application Data\FileZilla
2009-04-06 20:32 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 05:15 --------- d-----w c:\documents and settings\M\Application Data\DVD Flick
2009-04-05 00:05 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-04 14:26 --------- d-----w c:\program files\FileZilla Client
2009-04-02 22:49 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-02 13:05 325,640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-03-28 02:58 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-28 02:58 --------- d-----w c:\program files\EA GAMES
2009-03-25 00:15 --------- d-----w c:\program files\Bonjour
2009-03-23 02:04 --------- d-----w c:\program files\Soulseek
2009-03-20 01:01 98,304 ----a-w c:\windows\DUMP954a.tmp
2009-03-19 21:42 --------- d-----w c:\program files\SpywareGuard
2009-03-19 21:32 23,400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-19 05:46 --------- d-----w c:\program files\Deskshare
2009-03-16 16:10 --------- d-----w c:\program files\QuickTime
2009-03-13 22:43 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-13 22:43 --------- d-----r c:\program files\Skype
2009-03-13 21:05 --------- d-----w c:\documents and settings\M\Application Data\skypePM
2009-03-11 02:58 71,712 ----a-w c:\documents and settings\M\Application Data\GDIPFONTCACHEV1.DAT
2009-03-05 18:39 34 ----a-w c:\documents and settings\M\jagex_runescape_preferences.dat
2009-03-03 07:25 --------- d-----w c:\program files\DirectKiSS11
2009-02-23 23:34 --------- d-----w c:\documents and settings\M\Application Data\The Creative Assembly
2009-02-23 06:07 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-02-21 20:38 --------- d-----w c:\program files\HP
2009-02-21 20:38 --------- d-----w c:\program files\Hewlett-Packard
2009-02-21 20:37 --------- d-----w c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-02-21 20:21 --------- d-----w c:\documents and settings\M\Application Data\HP
2009-02-21 20:19 --------- d-----w c:\program files\Common Files\Sonic Shared
2009-02-21 20:19 --------- d-----w c:\documents and settings\All Users\Application Data\Sonic
2009-02-21 20:18 --------- d-----w c:\program files\Common Files\HP
2009-02-15 08:12 --------- d-----w c:\program files\CoffeeCup Software
2009-02-15 01:32 --------- d-----w c:\documents and settings\M\Application Data\CoffeeCup Software
2009-02-14 22:58 --------- d-----w c:\documents and settings\M\Application Data\mIRC
2009-02-14 22:56 --------- d-----w c:\program files\mIRC
2007-12-21 02:01 22,328 ----a-w c:\documents and settings\M\Application Data\PnkBstrK.sys
.


Re: Win32 cryptor? (no internet access what-so-ever)

Post by lesabre on 11th April 2009, 4:39 pm

PART II

((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\Steam.exe" [2009-03-19 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 127022]
"RivaTunerStartupDaemon"="c:\program files\RivaTuner v2.24\RivaTuner.exe" [2009-02-25 2781184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" [2009-01-15 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"VIDC.HFYU"= huffyuv.dll
"msacm.avis"= ff_acm.acm
"vidc.i263"= c:\windows\system32\i263_32.drv
"msacm.imc"= c:\windows\system32\imc32.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^P2 Card Manager.lnk]
backup=c:\windows\pss\P2 Card Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^M^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
backup=c:\windows\pss\Free WebSite Tools.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^M^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=c:\documents and settings\M\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=c:\windows\pss\SpywareGuard.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-16 11:18 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 07:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-09-06 08:08 136136 c:\program files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
--a------ 2007-01-01 16:22 3739648 c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 17:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2005-12-17 00:55 176128 c:\windows\system32\spool\drivers\w32x86\3\hpztsb12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-09-08 10:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-04-02 16:11 342312 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-09-08 09:59 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2009-01-15 08:19 13680640 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2009-01-15 08:19 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-09-08 10:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-09-08 10:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-07-07 02:34 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2009-03-06 22:54 24095528 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2009-03-19 23:42 1410296 c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2009-01-15 08:19 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"KAK"=3 (0x3)
"iPod Service"=3 (0x3)
"COM+ System Manager"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"usnjsvc"=3 (0x3)
"Ventrilo"=2 (0x2)
"Pml Driver HPH11"=3 (0x3)
"Pml Driver HPZ12"=2 (0x2)
"Bonjour Service"=2 (0x2)
"ioloSystemService"=2 (0x2)
"ioloFileInfoList"=2 (0x2)
"mnmsrvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"idsvc"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"Lavasoft Ad-Aware Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Documents and Settings\\M\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\M\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\digital imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\digital imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\digital imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-16 325640]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-04-10 108289]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;c:\windows\system32\drivers\Envy24HF.sys [2007-11-30 651712]
R3 ICAM3NT5;Intel(r) PC Camera CS331;c:\windows\system32\drivers\ICAM3D2.SYS [2008-05-18 145184]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS --> c:\progra~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [?]
S4 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S4 KAK;KAK; [x]
.

Re: Win32 cryptor? (no internet access what-so-ever)

Post by lesabre on 11th April 2009, 4:39 pm

AND PART III

Contents of the 'Scheduled Tasks' folder

2009-04-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1801674531-651377827-725345543-1003.job
- c:\documents and settings\M\Local Settings\Application Data\Google\Update\GoogleUpdate.exe []
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-342aa742


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\9egyngeb.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\9egyngeb.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\M\Application Data\Mozilla\plugins\npgoogletalk.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 0
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-04-11 11:29:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\documents and settings\M\Application Data\Mozilla\Firefox\Profiles\9egyngeb.default\parent.lock 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-651377827-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3e,6c,c9,78,5a,52,87,c0,0e,79,13,6e,7d,bd,ea,5a,97,4b,36,13,21,bd,5d,
f7,19,0b,9d,54,af,c6,42,44,0a,60,b7,22,38,43,a2,25,af,2e,85,db,cc,75,be,4a,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:10,fe,94,5e,1a,47,c4,0c,19,30,e3,2b,2f,fd,81,2b,bc,ce,ba,1e,7d,
dc,0f,f9,22,7e,f9,95,50,18,87,ac,d0,d1,7e,98,72,6a,c4,d3,46,ad,c5,0a,72,c7,\
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\bgsvcgen.exe
c:\windows\system32\netdde.exe
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\windows\system32\notepad.exe
.
**************************************************************************
.
Completion time: 2009-04-11 11:35:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-11 16:35:11
ComboFix2.txt 2009-04-11 15:23:15

Pre-Run: 10,801,078,272 bytes free
Post-Run: 10,778,259,456 bytes free

377 --- E O F --- 2007-07-30 15:02:07

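
A way to triage the ComboFix sections posted in Parts II and III above mechanically, as an added example (this is not ComboFix's own code and not something from the original thread): parse the R/S service and driver lines, the "Scheduled Tasks" pairs and the Windows Firewall authorized-application and open-port lists, and flag the entries a helper would look at first. The reading of the markers is an assumption taken only from the lines shown: "path --> path [?]" as a registered service whose file is not on disk, "[x]" as a service with no image path at all, and an empty "[]" after a task target as a file ComboFix could not stat. The sample log inside the script is constructed after the posted one; the 5900/TCP line is invented to exercise the Enabled branch and does not appear in the thread.

```python
"""Triage helper for ComboFix-style log sections (added example; not
ComboFix code and not from the original posts).  Flags autostarts whose
binary is not on disk, firewall exceptions living under a user profile,
and open-port exceptions that are still Enabled.  Marker meanings
([?], [x], []) are assumptions based on the posted log format only."""
import re
from dataclasses import dataclass

# "<R|S><0-4> Name;DisplayName;ImagePath [yyyy-mm-dd size]"; a missing
# file is shown as "path --> path [?]", a missing ImagePath as "[x]".
SVC_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.*)$")
# "<date> <file>.job" followed by "- <target> [stamp]".
TASK_HDR_RE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(.+\.job)$", re.I)
TASK_TGT_RE = re.compile(r"^-\s+(.*?)\s*\[(.*)\]$")
# Firewall lists as exported from the registry (doubled backslashes).
FW_APP_RE = re.compile(r'^"(.+)"=$')
FW_PORT_RE = re.compile(r'^"[^"]+"=\s*(\d+):(TCP|UDP):[^:]*:(Enabled|Disabled):')
USER_PROFILE_RE = re.compile(r"\\documents and settings\\[^\\]+\\", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str
    name: str
    detail: str


def parse_services(lines):
    """Flag service/driver entries whose image is missing or unregistered."""
    out = []
    for line in lines:
        m = SVC_RE.match(line.strip())
        if not m:
            continue
        start, name, _display, rest = m.groups()
        rest = rest.strip()
        if rest.endswith("[x]"):
            out.append(Finding("service-no-image", name, f"{start}: no ImagePath registered"))
        elif rest.endswith("[?]"):
            path = rest.split(" --> ")[0].strip()
            out.append(Finding("service-missing-file", name, f"{start}: {path} not found"))
    return out


def parse_tasks(lines):
    """Flag scheduled tasks whose target could not be stat'ed (empty [])."""
    out = []
    for i in range(len(lines) - 1):
        hdr = TASK_HDR_RE.match(lines[i].strip())
        tgt = TASK_TGT_RE.match(lines[i + 1].strip())
        if hdr and tgt and not tgt.group(2).strip():
            out.append(Finding("task-missing-target", hdr.group(1), tgt.group(1)))
    return out


def parse_firewall(lines):
    """Flag app exceptions under a user profile and ports left Enabled."""
    out = []
    for raw in lines:
        line = raw.strip()
        app = FW_APP_RE.match(line)
        if app:
            path = app.group(1).replace("\\\\", "\\")  # undo registry escaping
            if USER_PROFILE_RE.search(path):
                out.append(Finding("firewall-user-path", path.rsplit("\\", 1)[-1], path))
            continue
        port = FW_PORT_RE.match(line)
        if port and port.group(3) == "Enabled":
            out.append(Finding("firewall-open-port", f"{port.group(1)}/{port.group(2)}", line))
    return out


def triage(log_text):
    """Run all three parsers over one log text and concatenate the findings."""
    lines = log_text.splitlines()
    return parse_services(lines) + parse_tasks(lines) + parse_firewall(lines)


# Constructed sample modelled on the posted log; the 5900/TCP line is
# invented here to exercise the Enabled branch.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\M\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:*:Enabled:VNC
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-01-16 325640]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S4 KAK;KAK; [x]
2009-04-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
2009-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.name}: {f.detail}")
```

Run against the sample it reports the two AVG leftovers (Lbd, avg8wd) and the image-less KAK service, the Ad-Aware task whose target is gone, the Google Talk plugin exception sitting in a user-writable directory, and the invented 5900/TCP exception; the healthy AvgLdx86 driver, the Apple task and the Disabled 3389 entry are left alone. A flagged entry is a pointer to check, not a verdict: leftover entries from a half-removed product look exactly like a removed malware autostart in this format.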

Re: Win32 cryptor? (no internet access what-so-ever)

Post by Belahzur on 11th April 2009, 4:43 pm

Hello.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?



Re: Win32 cryptor? (no internet access what-so-ever)

Post by lesabre on 11th April 2009, 5:57 pm

Everything is running smoothly thus far.

I will re-run anti-malware and virus progs again to be on the safe side.

Thanks for the Avira link, way more hassle-free than AVG.

If you like art, swing by my site sometime and poke around:

[You must be registered and logged in to see this link.]

Many thanks,

-m


Re: Win32 cryptor? (no internet access what-so-ever)

Post by Belahzur on 11th April 2009, 6:00 pm

Hello.
AVG has done a messy uninstall.

Completely Uninstall AVG software

Download and run avgremover.exe
[You must be registered and logged in to see this link.]

Run this and allow it to do what it wants to do (it might want to reboot too)
Once it's done everything, you can delete avgremover.exe

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.

