Win32/Cryptor Maybe?

View previous topic View next topic Go down

Win32/Cryptor Maybe?

Post by Blutooth on Wed Apr 22, 2009 10:46 pm

OK I have been battling all day and I need help. Yesterday I started experiencing problems with my computer. I ran AVG 8.5free and it found quite a few things. I thought I was out of the woods. I tried running Malwarebytes Anti-Malware, but it only goes to a hourglass and then nothing. I downloaded a new version and it will not install.

I also installed SUPERAntiSpyware, and it installed but would not run.

I then restarted the computer in safe mode and ran AVG, and found 3 instances of Win32/Cryptor. They were removed.

Restarted windows and I have the following:
SUPERAntivirusSypware is running (and has so far found 3 threats, tracking cookies, Rogue.XP AntiSpyware 2009 and Rogue.WinPCDefender)
My internet connection does not work (says it is connected, but no data transfer)
My USB ports do work and I have a computer on the same internet connection working (which I am working on)
I tried installing Hijack this and running it from the desktop of the infected computer. It would not run
I tried installing Malwarebyte's AntiMalware. Still will not work
I purchased Prevx, which other websites claimed works well, but cannot run it because my internet connection is not working
I ran Avenger yesterday but I cannot find the log.
I tried system restore and the final "Next" button before the system restore starts seems to have no effect (I can hit it with no activity)

Any help is GREATLY appreciated!

Blutooth
Novice
Novice

Status :
Online
Offline

Posts : 17
Joined : 2009-04-22
OS : XP Home SP3

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Belahzur on Wed Apr 22, 2009 11:23 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.[/b][/i]

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengers actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Blutooth on Wed Apr 22, 2009 11:41 pm

Downloaded Avenger and ran it per instructions. So far I have gotten the "Blue screen of death" 3 times.

The computer will not boot up.

Shutting down until further advise.... I don't think this is good.

Blutooth
Novice
Novice

Status :
Online
Offline

Posts : 17
Joined : 2009-04-22
OS : XP Home SP3

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Blutooth on Wed Apr 22, 2009 11:52 pm

Tried restarting one more time and it worked (safe mode).

Here is the log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "UACd.sys" found!
ImagePath: \systemroot\system32\drivers\UACfdedbslduajnqel.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.

Blutooth
Novice
Novice

Status :
Online
Offline

Posts : 17
Joined : 2009-04-22
OS : XP Home SP3

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Blutooth on Wed Apr 22, 2009 11:53 pm

Internet is working again...

Blutooth
Novice
Novice

Status :
Online
Offline

Posts : 17
Joined : 2009-04-22
OS : XP Home SP3

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Belahzur on Thu Apr 23, 2009 12:06 am

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+CCrying


Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACfdedbslduajnqel.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avengers actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Blutooth on Thu Apr 23, 2009 1:27 am

OK, ran Avenger again. Restarted in blue screen again the first time, restarted in Safe mode (but once selecting safe mode it started full version of windows - did it last time too). Anyway here is the log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACfdedbslduajnqel.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Also upon startup AVG Resident found 19 instances of Win32/Cryptor which it either moved or deleted.

Thanks for everything so far!

Blutooth
Novice
Novice

Status :
Online
Offline

Posts : 17
Joined : 2009-04-22
OS : XP Home SP3

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Belahzur on Thu Apr 23, 2009 8:31 am

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Blutooth on Thu Apr 23, 2009 4:36 pm

It did require a restart. Here is the log:

Malwarebytes' Anti-Malware 1.36
Database version: 2031
Windows 5.1.2600 Service Pack 3

4/23/2009 11:30:02 AM
mbam-log-2009-04-23 (11-30-02).txt

Scan type: Quick Scan
Objects scanned: 94083
Time elapsed: 10 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Blutooth
Novice
Novice

Status :
Online
Offline

Posts : 17
Joined : 2009-04-22
OS : XP Home SP3

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Belahzur on Thu Apr 23, 2009 4:41 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Blutooth on Thu Apr 23, 2009 5:17 pm

See below for log. I don't think it worked right as below was the output and I did not get the attach.txt file

Log (Truncated due to posting size) - I tried posting what looked like the interesting stuff...:


Fttuuu Ausu s /vBGIucwL^& G,<w?u_f)ٍ   tE_0T PU Gt܉yGPGWHUU tU U  PTjSWՍ `(XPTPSWXaD$j 9u    H    
    H   e `    x         $T        0  X                 H D 6     p |      d *       4            (  P x
    @ W ,     h @Y       \       _ ~         X     d     8 a      `    x a ? 
A S K N E X T V O L G E T P A S S W O R D 1
L I C E N S E D L G R E N A M E D L G  R E P L A C E F I L E D L G  S T A R T D L G  D V C L A L  ( @   33333333330  o  ox   o xx  o8 ? o 8Ǐ ?̏ o8x ?̏ 8x o?̏ x ̏ o                              
  S e l e c t d e s t i n a t i o n f o l d e r
E x t r a c t i n g % s S k i p p i n g % s  U n e x p e c t e d e n d o f a r c h i v e  T h e f i l e " % s " h e a d e r i s c o r r u p t % T h e a r c h i v e c o m m e n t h e a d e r i s c o r r u p t  T h e a r c h i v e c o m m e n t i s c o r r u p t  N o t e n o u g h m e m o r y  U n k n o w n m e t h o d i n % s  C a n n o t o p e n % s  C a n n o t c r e a t e % s  C a n n o t c r e a t e f o l d e r % s  6 C R C f a i l e d i n t h e e n c r y p t e d f i l e % s ( w r o n g p a s s w o r d ? )  C R C f a i l e d i n % s  P a c k e d d a t a C R C f a i l e d i n % s  W r o n g p a s s w o r d f o r % s 5 W r i t e e r r o r i n t h e f i l e % s . P r o b a b l y t h e d i s k i s f u l l  R e a d e r r o r i n t h e f i l e % s  F i l e c l o s e e r r o r  T h e r e q u i r e d v o l u m e i s a b s e n t 2 T h e a r c h i v e i s e i t h e r i n u n k n o w n f o r m a t o r d a m a g e d  E x t r a c t i n g f r o m % s N e x t v o l u m e  T h e a r c h i v e h e a d e r i s c o r r u p t  C l o s e  E r r o r a E r r o r s e n c o u n t e r e d w h i l e p e r f o r m i n g t h e o p e r a t i o n
L o o k a t t h e i n f o r m a t i o n w i n d o w f o r m o r e d e t a i l s PA  b y t e s m o d i f i e d o n  f o l d e r i s n o t a c c e s s i b l e l S o m e f i l e s c o u l d n o t b e c r e a t e d .
P l e a s e c l o s e a l l a p p l i c a t i o n s , r e b o o t W i n d o w s a n d r e s t a r t t h i s i n s t a l l a t i o n \ S o m e i n s t a l l a t i o n f i l e s a r e c o r r u p t .
P l e a s e d o w n l o a d a f r e s h c o p y a n d r e t r y t h e i n s t a l l a t i o n A l l f i l e s PA E < u l > < l i > P r e s s < b > I n s t a l l < / b > b u t t o n t o s t a r t e x t r a c t i o n . < / l i > < b r > < b r > 6 < l i > U s e < b > B r o w s e < / b > b u t t o n t o s e l e c t t h e d e s t i n a t i o n 4 f o l d e r f r o m t h e f o l d e r s t r e e . I t c a n b e a l s o e n t e r e d  m a n u a l l y . < / l I > < b r > < b r > 8 < l I > I f t h e d e s t i n a t i o n f o l d e r d o e s n o t e x i s t , i t w i l l b e 2 c r e a t e d a u t o m a t i c a l l y b e f o r e e x t r a c t i o n . < / l I > < / u l > PAh        |

version="1.0.0.0"
processorArchitecture="X86"
name="WinRAR SFX"
type="win32"/>
WinRAR SFX module



uiAccess="false"/>





type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="X86"
publicKeyToken="6595b64144ccf1df"
language="*"/>



P e e f e f e f e (f e 2f e z # k j  3 CMT
P
/N
E7AiCCoHwTWr3ܽ2zt7ͯ+A6INoQ&ѽ!f<dqUݮoe-ut. 
I0Js(95 Assoc.cmd Ik fqױ`.'IX1Kh=LJ4>hTw{br!)`CP3P_3ΥmY &GxUB.C&vT
d7J
j Ww;EOQ:Amj+0eX_ʝlO0p5 d˭dw)@/ 1M~B7r$ &xu!Uth EtIAgsСϰ,Yu:3SA82C:G28\[])V+#z@FiE)GDһ? x*2'8qh~{yW2U9b˘Pt;C ⤯ݹx_lE.oG$^Y٘y
`*,@Kljݏ;0>l
UE*

Blutooth
Novice
Novice

Status :
Online
Offline

Posts : 17
Joined : 2009-04-22
OS : XP Home SP3

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Belahzur on Thu Apr 23, 2009 5:23 pm

That didn't go right. Let me think
Try running it again - if it comes out with stuff like that, close it and we'll use something else.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Blutooth on Thu Apr 23, 2009 5:28 pm

I just rebooted the computer, made sure no other programs were running, and I got the same result...

Blutooth
Novice
Novice

Status :
Online
Offline

Posts : 17
Joined : 2009-04-22
OS : XP Home SP3

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Belahzur on Thu Apr 23, 2009 6:15 pm


  • Download random's system information tool (RSIT) by random/random from [You must be registered and logged in to see this link.] and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of log.txt (<< will be maximized) and save info.txt (<< will be minimized) for later.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Blutooth on Thu Apr 23, 2009 7:44 pm

See below for results:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Matt Seeboth at 2009-04-23 14:40:47
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 9 GB (16%) free of 54 GB
Total RAM: 2030 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:17 PM, on 4/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Prevx\prevx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\Program Files\Compaq A3000\CPQA3000.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\eFax Messenger 4.4\J2GTray.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Matt Seeboth\Desktop\RSIT.exe
C:\Program Files\trend micro\Matt Seeboth.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [CTPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R
O4 - Startup: eFax 4.4.lnk = C:\Program Files\eFax Messenger 4.4\J2GTray.exe
O4 - Global Startup: Compaq A3000 Settings Utility.lnk = C:\Program Files\Compaq A3000\CPQA3000.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

Blutooth
Novice
Novice

Status :
Online
Offline

Posts : 17
Joined : 2009-04-22
OS : XP Home SP3

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Blutooth on Thu Apr 23, 2009 7:45 pm

Part 2:


O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - [You must be registered and logged in to see this link.] (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{384285F6-4557-4282-9DDA-548EF370FE05}: NameServer = 169.207.1.3
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10809 bytes

Blutooth
Novice
Novice

Status :
Online
Offline

Posts : 17
Joined : 2009-04-22
OS : XP Home SP3

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Blutooth on Thu Apr 23, 2009 7:46 pm

Part 3:


======Scheduled tasks folder======

C:\WINDOWS\tasks\rpc.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll [2009-04-21 1078552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\system32\dla\tfswshx.dll [2004-03-15 118836]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-04-02 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar2.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-02 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-04-02 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar2.dll []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-04-02 136600]
"SynTPLpr"=C:\Program Files\Synaptics\SynTP\SynTPLpr.exe [2004-04-22 98304]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2004-04-22 507904]
"dla"=C:\WINDOWS\system32\dla\tfswctrl.exe [2004-03-15 122933]
"UpdateManager"=C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe [2003-08-19 110592]
"PCMService"=C:\Program Files\Dell\Media Experience\PCMService.exe [2004-04-11 290816]
"DVDLauncher"=C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe [2004-04-11 53248]
"DwlClient"=c:\Program Files\Common Files\Dell\EUSW\Support.exe [2004-05-27 323584]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2005-04-28 180269]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2005-11-21 98304]
"igfxtray"=C:\WINDOWS\system32\igfxtray.exe [2005-09-20 94208]
"igfxhkcmd"=C:\WINDOWS\system32\hkcmd.exe [2005-09-20 77824]
"igfxpers"=C:\WINDOWS\system32\igfxpers.exe [2005-09-20 114688]
"CTPDPSRV"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CTPDPSRV.EXE [2001-09-18 45056]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2006-12-10 49152]
"Intuit SyncManager"=C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2008-09-09 623880]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"AVG8_TRAY"=C:\PROGRA~1\AVG\AVG8\avgtray.exe [2009-04-21 1932568]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ESPN BottomLine"=C:\Program Files\ESPN\BottomLine\bline.exe []
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"PhotoShow Deluxe Media Manager"=C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe []
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.911.3380\GoogleToolbarNotifier.exe []
"eFax 4.4"=C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe [2008-07-31 95744]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Compaq A3000 Settings Utility.lnk - C:\Program Files\Compaq A3000\CPQA3000.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Documents and Settings\Matt Seeboth\Start Menu\Programs\Startup
eFax 4.4.lnk - C:\Program Files\eFax Messenger 4.4\J2GTray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-04-21 10520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2005-09-20 135168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"
"C:\Program Files\WS_FTP\WS_FTP95.exe"="C:\Program Files\WS_FTP\WS_FTP95.exe:*:Enabled:WS_FTP 95"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:*:Enabled:Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:*:Enabled:ActiveSync Application"
"C:\WINDOWS\system32\mstsc.exe"="C:\WINDOWS\system32\mstsc.exe:*:Enabled:mstsc.exe"
"C:\axiUm\axiUm.exe"="C:\axiUm\axiUm.exe:*:Enabled:axiUm "
"C:\Program Files\Timbuktu Pro\tb2pro.exe"="C:\Program Files\Timbuktu Pro\tb2pro.exe:*:Enabled:Timbuktu Pro"
"C:\Program Files\Timbuktu Pro\MiniTB2.exe"="C:\Program Files\Timbuktu Pro\MiniTB2.exe:*:Enabled:MiniTB2"
"\\its-piso\psoft\sa\bin\client\winx86\pside.exe"="\\its-piso\psoft\sa\bin\client\winx86\pside.exe:*:Enabled:pside.exe"
"\\its-piso\psoft\sa\bin\client\winx86\psdbgsrv.exe"="\\its-piso\psoft\sa\bin\client\winx86\psdbgsrv.exe:*:Enabled:psdbgsrv.exe"
"C:\Program Files\QuickTime\QuickTimePlayer.exe"="C:\Program Files\QuickTime\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CTpdpsrv.exe"="C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\CTpdpsrv.exe:*:Disabled:PDP RPC Server"
"C:\Program Files\Pinnacle\Studio 10\programs\RM.exe"="C:\Program Files\Pinnacle\Studio 10\programs\RM.exe:*:Enabled:Render Manager"
"C:\Program Files\Pinnacle\Studio 10\programs\Studio.exe"="C:\Program Files\Pinnacle\Studio 10\programs\Studio.exe:*:Enabled:Studio"
"C:\Program Files\Pinnacle\Studio 10\programs\PMSRegisterFile.exe"="C:\Program Files\Pinnacle\Studio 10\programs\PMSRegisterFile.exe:*:Enabled:PMSRegisterFile"
"C:\Program Files\Pinnacle\Studio 10\programs\umi.exe"="C:\Program Files\Pinnacle\Studio 10\programs\umi.exe:*:Enabled:umi"
"C:\Program Files\BitTornado\btdownloadgui.exe"="C:\Program Files\BitTornado\btdownloadgui.exe:*:Enabled:btdownloadgui"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\Network Associates\Common Framework\FrameworkService.exe"="C:\Program Files\Network Associates\Common Framework\FrameworkService.exe:*:Disabled:Framework Service"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:Torrent"
"D:\setup\HPZNET01.EXE"="D:\setup\HPZNET01.EXE:*:Enabled:hpznet01.exe"
"D:\setup\HPONICIFS01.EXE"="D:\setup\HPONICIFS01.EXE:*:Enabled:hponicifs01.exe"

Blutooth
Novice
Novice

Status :
Online
Offline

Posts : 17
Joined : 2009-04-22
OS : XP Home SP3

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Blutooth on Thu Apr 23, 2009 7:47 pm

Part 4:

"C:\Documents and Settings\Matt Seeboth\Local Settings\Temp\7zS9.tmp\setup\HPZnui01.exe"="C:\Documents and Settings\Matt Seeboth\Local Settings\Temp\7zS9.tmp\setup\HPZnui01.exe:*:Enabled:hpznui01.exe"
"C:\Documents and Settings\Matt Seeboth\Local Settings\Temp\7zS9.tmp\setup\hponicifs01.exe"="C:\Documents and Settings\Matt Seeboth\Local Settings\Temp\7zS9.tmp\setup\hponicifs01.exe:*:Enabled:hponicifs01.exe"
"C:\Documents and Settings\Matt Seeboth\Local Settings\Temp\7zS595.tmp\setup\HPZnui01.exe"="C:\Documents and Settings\Matt Seeboth\Local Settings\Temp\7zS595.tmp\setup\HPZnui01.exe:*:Enabled:hpznui01.exe"
"C:\Documents and Settings\Matt Seeboth\Local Settings\Temp\7zS595.tmp\setup\hponicifs01.exe"="C:\Documents and Settings\Matt Seeboth\Local Settings\Temp\7zS595.tmp\setup\hponicifs01.exe:*:Enabled:hponicifs01.exe"
"C:\Documents and Settings\Matt Seeboth\Local Settings\Temp\7zSD.tmp\setup\HPZnui01.exe"="C:\Documents and Settings\Matt Seeboth\Local Settings\Temp\7zSD.tmp\setup\HPZnui01.exe:*:Enabled:hpznui01.exe"
"C:\Documents and Settings\Matt Seeboth\Local Settings\Temp\7zSD.tmp\setup\hponicifs01.exe"="C:\Documents and Settings\Matt Seeboth\Local Settings\Temp\7zSD.tmp\setup\hponicifs01.exe:*:Enabled:hponicifs01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe"="C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe"="C:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe"="C:\Program Files\Intuit\QuickBooks 2009\QBDBMgrN.exe:*:Enabled:QuickBooks 2009 Data Manager"
"D:\Netcam\EasyConfig.exe"="D:\Netcam\EasyConfig.exe:*:Enabled:Network Camera Setup Software"
"C:\Documents and Settings\Matt Seeboth\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.] and Settings\Matt Seeboth\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.] add-in for Adobe Flash Player"
"C:\Program Files\AVG\AVG8\avgam.exe"="C:\Program Files\AVG\AVG8\avgam.exe:*:Enabled:avgam.exe"
"C:\Program Files\AVG\AVG8\avgdiag.exe"="C:\Program Files\AVG\AVG8\avgdiag.exe:*:Enabled:avgdiag.exe"
"C:\Program Files\AVG\AVG8\avgdiagex.exe"="C:\Program Files\AVG\AVG8\avgdiagex.exe:*:Enabled:avgdiagex.exe"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:*:Enabled:Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:*:Enabled:ActiveSync Application"
"C:\WINDOWS\system32\mstsc.exe"="C:\WINDOWS\system32\mstsc.exe:*:Enabled:mstsc.exe"
"C:\axiUm\axiUm.exe"="C:\axiUm\axiUm.exe:*:Enabled:axiUm "
"C:\Program Files\Timbuktu Pro\tb2pro.exe"="C:\Program Files\Timbuktu Pro\tb2pro.exe:*:Enabled:Timbuktu Pro"
"C:\Program Files\Timbuktu Pro\MiniTB2.exe"="C:\Program Files\Timbuktu Pro\MiniTB2.exe:*:Enabled:MiniTB2"
"\\its-piso\psoft\sa\bin\client\winx86\pside.exe"="\\its-piso\psoft\sa\bin\client\winx86\pside.exe:*:Enabled:pside.exe"
"\\its-piso\psoft\sa\bin\client\winx86\psdbgsrv.exe"="\\its-piso\psoft\sa\bin\client\winx86\psdbgsrv.exe:*:Enabled:psdbgsrv.exe"
"C:\Program Files\QuickTime\QuickTimePlayer.exe"="C:\Program Files\QuickTime\QuickTimePlayer.exe:*:Enabled:QuickTime Player"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cb25630-9953-11dd-a0c0-000f1faf2773}]
shell\AutoRun\command - F:\WDSetup.exe


======File associations======

.scr - open - C:\WINDOWS\system32\notepad.exe "%1"
.scr - install -
.scr - config -
.txt - open -

======List of files/folders created in the last 1 months======

2009-04-23 14:40:50 ----D---- C:\Program Files\trend micro
2009-04-23 14:40:47 ----D---- C:\rsit
2009-04-23 09:32:40 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-22 17:29:53 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-04-22 17:26:52 ----D---- C:\Program Files\Prevx
2009-04-22 17:26:46 ----D---- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2009-04-22 17:06:03 ----D---- C:\Program Files\SUPERAntiSpyware
2009-04-22 17:06:03 ----D---- C:\Documents and Settings\Matt Seeboth\Application Data\SUPERAntiSpyware.com
2009-04-22 14:11:27 ----D---- C:\Program Files\Alwil Software
2009-04-21 14:24:02 ----D---- C:\Program Files\Panda Security
2009-04-21 12:26:06 ----HD---- C:\$AVG8.VAULT$
2009-04-21 12:14:54 ----A---- C:\WINDOWS\system32\avgrsstx.dll
2009-04-21 12:12:24 ----D---- C:\Program Files\AVG
2009-04-21 12:12:15 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-04-21 12:03:04 ----D---- C:\Documents and Settings\Matt Seeboth\Application Data\AVG8
2009-04-20 18:53:15 ----A---- C:\Documents and Settings\Matt Seeboth\Application Data\~eu37.tmp
2009-04-15 23:11:27 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-04-15 23:11:17 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-04-15 23:07:40 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-04-15 23:07:22 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-04-15 23:06:57 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-04-15 23:05:11 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-04-15 08:48:06 ----N---- C:\WINDOWS\system32\xpsp4res.dll
2009-04-02 09:52:23 ----A---- C:\WINDOWS\system32\javaws.exe
2009-04-02 09:52:23 ----A---- C:\WINDOWS\system32\javaw.exe
2009-04-02 09:52:23 ----A---- C:\WINDOWS\system32\java.exe
2009-04-02 09:52:23 ----A---- C:\WINDOWS\system32\deploytk.dll

======List of files/folders modified in the last 1 months======

2009-04-23 14:40:50 ----RD---- C:\Program Files
2009-04-23 14:40:50 ----D---- C:\WINDOWS\Temp
2009-04-23 14:09:48 ----RSHD---- C:\WINDOWS\system32\DLLCACHE
2009-04-23 13:49:48 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-23 12:26:27 ----D---- C:\WINDOWS
2009-04-23 12:22:17 ----A---- C:\WINDOWS\ModemLog_Conexant D480 MDC V.9x Modem.txt
2009-04-23 12:19:10 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-23 11:31:45 ----D---- C:\WINDOWS\system32\DRIVERS
2009-04-23 11:30:02 ----D---- C:\WINDOWS\SYSTEM32
2009-04-23 10:59:18 ----SHD---- C:\WINDOWS\Installer
2009-04-23 10:59:18 ----D---- C:\WINDOWS\WinSxS
2009-04-23 10:59:02 ----HD---- C:\Config.Msi
2009-04-23 10:57:20 ----RSD---- C:\WINDOWS\assembly
2009-04-23 10:57:18 ----D---- C:\Program Files\Clear Estimates v2
2009-04-23 10:57:17 ----D---- C:\Program Files\Common Files
2009-04-23 10:55:43 ----SD---- C:\Documents and Settings\Matt Seeboth\Application Data\Microsoft
2009-04-23 10:53:26 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-04-23 10:52:20 ----D---- C:\Program Files\Network Associates
2009-04-23 10:52:02 ----D---- C:\Documents and Settings\All Users\Application Data\Network Associates
2009-04-22 20:18:24 ----AC---- C:\WINDOWS\ntbtlog.txt
2009-04-22 20:18:11 ----A---- C:\WINDOWS\DUMP4ba7.tmp
2009-04-22 18:49:35 ----D---- C:\WINDOWS\Prefetch
2009-04-22 18:45:05 ----A---- C:\WINDOWS\DUMP3a71.tmp
2009-04-22 18:39:08 ----A---- C:\WINDOWS\DUMP03e7.tmp
2009-04-22 17:26:46 ----AC---- C:\WINDOWS\wininit.ini
2009-04-22 15:31:10 ----SHD---- C:\RECYCLER
2009-04-22 15:22:59 ----D---- C:\Documents and Settings
2009-04-22 09:57:57 ----A---- C:\WINDOWS\DUMPf08a.tmp
2009-04-22 09:43:47 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-22 02:44:08 ----D---- C:\Program Files\WinRAR
2009-04-21 14:24:02 ----HD---- C:\WINDOWS\INF
2009-04-16 08:56:38 ----D---- C:\WINDOWS\system32\WBEM
2009-04-16 08:56:37 ----D---- C:\WINDOWS\AppPatch
2009-04-15 23:11:22 ----A---- C:\WINDOWS\imsins.BAK
2009-04-15 23:10:57 ----D---- C:\WINDOWS\system32\en-US
2009-04-15 23:10:57 ----D---- C:\Program Files\Internet Explorer
2009-04-15 23:07:33 ----HD---- C:\WINDOWS\$hf_mig$
2009-04-13 09:50:01 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-04-13 09:49:49 ----D---- C:\Program Files\Common Files\Adobe
2009-04-06 09:57:24 ----A---- C:\WINDOWS\system32\MRT.exe
2009-04-02 09:51:32 ----D---- C:\Program Files\Java
2009-03-28 16:55:50 ----D---- C:\WINDOWS\system32\FxsTmp
2009-03-26 15:39:37 ----A---- C:\WINDOWS\system32\geometry.txt

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-04-21 325640]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-04-21 27656]
R1 AvgTdiX;AVG8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2009-04-21 108552]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2004-02-13 17153]
R1 PCLEPCI;PCLEPCI; \??\C:\WINDOWS\system32\drivers\pclepci.sys []
R1 SCDEmu;SCDEmu; C:\WINDOWS\system32\drivers\SCDEmu.sys [2008-11-02 56572]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2004-01-14 5621]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2004-01-14 23219]
R2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2004-02-27 40480]
R2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.7; C:\WINDOWS\System32\DRIVERS\mdc8021x.sys [2004-09-28 15781]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2004-03-15 25685]
R2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2004-03-15 34837]
R2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2004-03-15 4117]
R2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2004-03-15 2233]
R2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2004-03-15 85972]
R2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2004-03-15 14229]
R2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2004-03-15 6357]
R2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2004-03-15 98580]
R2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2004-03-15 100597]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2004-02-20 312960]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2004-04-23 44032]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2003-11-13 1042816]
R3 HSFHWICH;HSFHWICH; C:\WINDOWS\System32\DRIVERS\HSFHWICH.sys [2003-11-13 197120]
R3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2005-09-20 1302332]
R3 MarvinBus;Pinnacle Marvin Bus; C:\WINDOWS\system32\DRIVERS\MarvinBus.sys [2005-06-02 171008]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 STAC97;Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\stac97.sys [2004-01-19 256688]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\System32\DRIVERS\SynTP.sys [2004-04-22 182688]
R3 tifm;tifm; C:\WINDOWS\system32\drivers\tifm.sys [2004-03-18 66816]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2003-11-13 679808]

Blutooth
Novice
Novice

Status :
Online
Offline

Posts : 17
Joined : 2009-04-22
OS : XP Home SP3

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Blutooth on Thu Apr 23, 2009 7:47 pm

Part 5 (This is everything):

S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2008-04-13 42752]
S2 DgiVecp;DgiVecp; \??\C:\WINDOWS\system32\Drivers\DgiVecp.sys []
S3 61883;61883 Unit Device; C:\WINDOWS\System32\DRIVERS\61883.sys [2008-04-13 48128]
S3 ASAPIW2K;ASAPIW2K; \??\C:\WINDOWS\system32\Drivers\asapiW2k.sys []
S3 Avc;AVC Device; C:\WINDOWS\System32\DRIVERS\avc.sys [2008-04-13 38912]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 CVirtA;Cisco Systems VPN Adapter; C:\WINDOWS\system32\DRIVERS\CVirtA.sys [2003-05-01 5220]
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 gv3;Intel GV3 Processor Driver; C:\WINDOWS\System32\DRIVERS\gv3.sys [2002-11-18 30976]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2004-08-04 161020]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2004-08-04 12415]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2004-08-04 12127]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2004-08-04 11775]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2004-08-04 12063]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2004-08-04 19455]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2004-08-04 29311]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2004-08-04 19551]
S3 iAimTV2;iAimTV2; C:\WINDOWS\System32\DRIVERS\wATV03nt.sys []
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2004-08-04 33599]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2004-08-04 23615]
S3 lmimirr;lmimirr; C:\WINDOWS\system32\DRIVERS\lmimirr.sys []
S3 MSDV;Microsoft DV Camera and VCR; C:\WINDOWS\System32\DRIVERS\msdv.sys [2008-04-13 51200]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
S3 RimVSerPort;RIM Virtual Serial Port v2; C:\WINDOWS\system32\DRIVERS\RimSerial.sys [2007-01-18 26496]
S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2002-08-29 5888]
S3 Ser2pl;Prolific2 Serial port driver; C:\WINDOWS\system32\DRIVERS\ser2pl.sys [2004-06-28 42752]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 StillCam;Still Serial Digital Camera Driver; C:\WINDOWS\System32\DRIVERS\serscan.sys [2001-08-17 6784]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\System32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\System32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 LMIRfsClientNP;LMIRfsClientNP; C:\WINDOWS\system32\drivers\LMIRfsClientNP.sys []
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avg8wd;AVG8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-04-21 298264]
R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
R2 CSIScanner;CSIScanner; C:\Program Files\Prevx\prevx.exe [2009-04-22 4368440]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 HPSLPSVC;HP Network Devices Support; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-04-02 152984]
R2 LexBceS;LexBce Server; C:\WINDOWS\system32\LEXBCES.EXE [2003-05-16 303104]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 QBCFMonitorService;QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [2008-12-09 24576]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
R2 WLTRYSVC;WLTRYSVC; C:\WINDOWS\System32\WLTRYSVC.EXE [2004-02-20 45056]
R3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S2 RoxLiveShare9;LiveShare P2P Server 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2008-12-13 85096]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-10-23 654848]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe []
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 QBFCService;Intuit QuickBooks FCS; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [2008-08-08 61440]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------

Blutooth
Novice
Novice

Status :
Online
Offline

Posts : 17
Joined : 2009-04-22
OS : XP Home SP3

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Belahzur on Thu Apr 23, 2009 8:04 pm

Hello.
Log looks good, hows the machine running?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Blutooth on Thu Apr 23, 2009 9:20 pm

seems to be running pretty good. Gets a little slow sometimes but I am on overkill for virus protection right now. What do you recommend as a good solution for this? A certain software/version?

When all of this started I installed (all have background montitors):
AVG
McAfee (this sucks lots of memory in my opinion)
Prevx
Avast! - seemed very slow
SUPERAntispyware

Thanks for all of your help so far!

Blutooth
Novice
Novice

Status :
Online
Offline

Posts : 17
Joined : 2009-04-22
OS : XP Home SP3

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Belahzur on Thu Apr 23, 2009 9:26 pm

So you are running FOUR AV's?

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Blutooth on Thu Apr 23, 2009 9:34 pm

No, currently I am only running Prevx. Sorry for the confusion. I still have the install for all four on my computer though. Here is the log:

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
32 Bit HP CIO Components Installer
Acrobat.com
Acrobat.com
Ad-Aware SE Personal
ADG Panorama Tools 5.2.0.23
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 9.1
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Analysis
AutoCAD 2009 - English
AVG 8.5
Broadcom Management Programs
Chinese Simplified Fonts Support For Adobe Reader 9
Compaq A3000
Compatibility Pack for the 2007 Office system
Conexant D480 MDC V.9x Modem
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Solution Center
Dell Support
Dell Wireless WLAN Utility
Digatron Core V2.00 (Do Not Remove)
FedEx QuickShip
FileZilla (remove only)
Garmin TOPO U.S. 2008
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 8.0
HP Imaging Device Functions 8.0
HP OCR Software 8.0
HP Officejet Pro All-In-One Series
HP Photosmart Essential
HP Product Assistant
HP Solution Center 8.0
HP Update
HPSSupply
IMAPSize 0.3.6
Intel(R) Extreme Graphics 2 Driver
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro 8
Jasc Paint Shop Pro 8.10 Update Patch
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 11
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Lexmark X6100 Series
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Primary Interop Assemblies
Microsoft Office FrontPage 2003
Microsoft Office OneNote 2003
Microsoft Office Outlook 2007
Microsoft Office Outlook 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Professional 2003
Microsoft Visual Studio 2005 Tools for Office Runtime
Modem Helper
Mozilla Thunderbird (2.0.0.17)
MPM
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB925673)
Nero Suite
NetWaiting
Notepad++
PDF Settings
PowerDVD 5.1
PowerISO
Prevx 3.0
Proposal Invoice 3x
QuickBooks Pro 2009
QuickTime
RealPlayer
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Shockwave
Sonic DLA
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
Sony Vegas 5.0a
SupportSoft Assisted Service
Synaptics Pointing Device Driver
Texas Instruments PCIxx20 drivers.
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb962871)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
Visual Studio 2005 Tools for Office Second Edition Runtime
Windows Communication Foundation
Windows Genuine Advantage v1.3.0254.0
Windows Media Format Runtime
Windows Media Player 10
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
WinRAR archiver

Blutooth
Novice
Novice

Status :
Online
Offline

Posts : 17
Joined : 2009-04-22
OS : XP Home SP3

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Belahzur on Thu Apr 23, 2009 10:31 pm

Hello.
You have Prevx AND AVG installed.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 11
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    Prevx 3.0
    Viewpoint Media Player

Reboot again.
Let me know if there is any change in performance.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Blutooth on Fri Apr 24, 2009 2:21 am

Seems to be running great. Thank you so much for your help!

Donation sent!

Blutooth

Blutooth
Novice
Novice

Status :
Online
Offline

Posts : 17
Joined : 2009-04-22
OS : XP Home SP3

View user profile

Back to top Go down

Re: Win32/Cryptor Maybe?

Post by Belahzur on Fri Apr 24, 2009 4:34 pm

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck. Big Grin


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum