GeekPolice

Win32/Cryptor Removal...HELP!

Post by tmossy on Sat May 02, 2009 8:43 pm

Hello,

My daughter's computer has this Win32/Cryptor on her computer. I have tried everything to get rid of it. It disabled Norton Internet Security 2009...will not let me remove and reinstall. I installed AVG Free, and it detected it and removed some but not all. I have tried to install Malwarebytes and HIJACKTHIS....it will not run the install...even in safe mode. I did System Restore...on and off....Can Someone Help!????

Thanks

Tracy

Re: Win32/Cryptor Removal...HELP!

Post by Belahzur on Sat May 02, 2009 9:34 pm

Rename the Hijack This setup file. Once renamed, it runs fine.
Post the log back here.


Re: Win32/Cryptor Removal...HELP!

Post by tmossy on Sun May 03, 2009 12:29 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:19:12 PM, on 5/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\sdra64.exe
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 spyware-protector-2009.com
O1 - Hosts: 91.212.65.122 [You must be registered and logged in to see this link.]
O1 - Hosts: 91.212.65.122 secure.spyware-protector-2009.com
O1 - Hosts: 91.212.65.122 knocker
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Search - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: &Viewpoint Search - [You must be registered and logged in to see this link.] Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\LaRee Mossman\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - [You must be registered and logged in to see this link.]
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - [You must be registered and logged in to see this link.]
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - [You must be registered and logged in to see this link.]
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - [You must be registered and logged in to see this link.]
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - [You must be registered and logged in to see this link.]
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - [You must be registered and logged in to see this link.]

--
End of file - 8277 bytes

Re: Win32/Cryptor Removal...HELP!

Post by Belahzur on Sun May 03, 2009 12:33 am

Hello.

I see you have Viewpoint software installed.

Viewpoint is considered as foistware instead of malware since it is installed without users' approval but doesn't spy or do anything "bad". Read this article: [You must be registered and logged in to see this link.] and [You must be registered and logged in to see this link.]

I suggest you remove the program now.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Java(TM) 6 update 7
  • Viewpoint Manager (remove only)
  • Viewpoint Media Player
  • Viewpoint Toolbar


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\sdra64.exe
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
    O1 - Hosts: 91.212.65.122 spyware-protector-2009.com
    O1 - Hosts: 91.212.65.122 [You must be registered and logged in to see this link.]
    O1 - Hosts: 91.212.65.122 secure.spyware-protector-2009.com
    O1 - Hosts: 91.212.65.122 knocker
    O8 - Extra context menu item: &Search - [You must be registered and logged in to see this link.]
    O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm (file missing)
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - [You must be registered and logged in to see this link.]


  • Press "Fix Checked"
  • Close Hijack This.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


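Added example, not part of the original thread and not a HijackThis feature: a small Python triage pass over the kinds of entries selected for fixing in the post above (a replaced Userinit value, Hosts redirections to one address, and entries whose target file is gone). The function names are hypothetical, and the sample lines are copied from the log posted in this thread.

```python
import ipaddress
import ntpath
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\sdra64.exe
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 spyware-protector-2009.com
O1 - Hosts: 91.212.65.122 secure.spyware-protector-2009.com
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "<section code> - <body>", e.g. "O1 - Hosts: 1.2.3.4 name"
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.+)$")
# Stock XP Userinit value is C:\WINDOWS\system32\userinit.exe,
STOCK_USERINIT = "userinit.exe"


def parse(log_text):
    """Yield (section_code, body) for every entry line; header lines are skipped."""
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            yield match.group(1), match.group(2)


def check_userinit(body):
    """Return a reason string if the Userinit value runs anything but userinit.exe."""
    if "userinit=" not in body.lower():
        return None
    value = body.split("=", 1)[1]
    programs = [p.strip() for p in value.split(",") if p.strip()]
    extra = [p for p in programs if ntpath.basename(p).lower() != STOCK_USERINIT]
    if not extra:
        return None
    reason = "Userinit launches non-default program(s): " + ", ".join(extra)
    if len(extra) == len(programs):
        # The value was replaced, not appended to. It has to be restored to the
        # stock path; leaving it pointing at a deleted file breaks logon.
        reason += "; userinit.exe itself is missing from the value"
    return reason


def check_hosts(body):
    """Return (ip, hostname) for a Hosts entry that maps a name to a non-loopback IP."""
    parts = body.split()
    if len(parts) < 3 or parts[0] != "Hosts:":
        return None
    try:
        ip = ipaddress.ip_address(parts[1])
    except ValueError:
        return None
    if ip.is_loopback:
        return None
    return str(ip), parts[2]


def triage(log_text):
    """Return a list of (section_code, reason) findings for manual review."""
    findings = []
    redirects = defaultdict(list)  # ip -> hostnames forced to it
    for code, body in parse(log_text):
        if code == "F2":
            reason = check_userinit(body)
            if reason:
                findings.append((code, reason))
        elif code == "O1":
            hit = check_hosts(body)
            if hit:
                redirects[hit[0]].append(hit[1])
        elif body.endswith(("(no file)", "(file missing)")):
            findings.append((code, "orphaned entry, target file absent: " + body))
    for ip, names in redirects.items():
        findings.append(("O1", f"{len(names)} hostname(s) forced to {ip}: " + ", ".join(names)))
    return findings


if __name__ == "__main__":
    for code, reason in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}")
```

The output is a review list, not a verdict: each flagged line still needs a human decision before "Fix Checked" is pressed.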

Re: Win32/Cryptor Removal...HELP!

Post by tmossy on Sun May 03, 2009 1:07 am

Thank You...will do that now. I was able to install Malwarebytes...but it will not run or open. I tried in safe mode as well. Just to let you know...her computer when started...will not load desktop...just background picture. The only way I can get to it is by launching Task Manager, going to MSCONFIG...going to TOOLS....then clicking on Network Diagnostics...then it loads up???

Re: Win32/Cryptor Removal...HELP!

Post by Belahzur on Sun May 03, 2009 1:10 am

Hmm, sounds like explorer.exe isn't running as it should. Although, I wouldn't be surprised if the rootkit isn't to blame for that.


Re: Win32/Cryptor Removal...HELP!

Post by tmossy on Sun May 03, 2009 4:20 am

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "UACd.sys" found!
ImagePath: \systemroot\system32\drivers\UACevpxmfti.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Re: Win32/Cryptor Removal...HELP!

Post by Belahzur on Sun May 03, 2009 11:42 am

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACevpxmfti.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


Re: Win32/Cryptor Removal...HELP!

Post by tmossy on Sun May 03, 2009 5:35 pm

Went to start computer up after we did the last session....and it won't let me log on....it goes to the sign in screen...I click on it...it acts like it is going to sign in...then says saving settings...logging off! I tried in safe mode too...won't let me log in???

Re: Win32/Cryptor Removal...HELP!

Post by Belahzur on Sun May 03, 2009 6:36 pm

Can you try a last known good configuration? Go back into the F8 menu where you access safe mode and choose "Last known good configuration".


Re: Win32/Cryptor Removal...HELP!

Post by tmossy on Sun May 03, 2009 6:53 pm

I just tried that....still doing it.....

Re: Win32/Cryptor Removal...HELP!

Post by Belahzur on Sun May 03, 2009 7:05 pm

Hmm.
Do you have your XP disc?


Re: Win32/Cryptor Removal...HELP!

Post by tmossy on Sun May 03, 2009 7:12 pm

Yes...it's an older one...upgrade....XP Home 2002
For some reason her Recovery Disc from Dell is missing!

Re: Win32/Cryptor Removal...HELP!

Post by Belahzur on Sun May 03, 2009 7:23 pm

Okay, let's try a repair mode.
Guide is here if needed:
[You must be registered and logged in to see this link.]


Re: Win32/Cryptor Removal...HELP!

Post by tmossy on Sun May 03, 2009 7:29 pm

Never have done this before...it won't wipe out all her information on her computer??

Re: Win32/Cryptor Removal...HELP!

Post by Belahzur on Sun May 03, 2009 7:33 pm

No, that's formatting.
Repair is different.

Repair replaces needed system files/registry settings back to default in case something happened. In this case, I suspect the modified userinit is to blame.


Re: Win32/Cryptor Removal...HELP!

Post by tmossy on Sun May 03, 2009 11:09 pm

OK...been trying to do repair install.....it gets to copying...and I get a pop up that it can't copy or find i386??? I browse to the location the CD is, and still nothing.....

Re: Win32/Cryptor Removal...HELP!

Post by Belahzur on Sun May 03, 2009 11:33 pm

Damn, our last hope would have to be a boot disc.

See here:
[You must be registered and logged in to see this link.]

Download the Avira boot disc, follow the guide and burn it to a CD.
This allows you to do a virus scan from the boot disc, everything else you need is on that site.


Re: Win32/Cryptor Removal...HELP!

Post by tmossy on Sun May 03, 2009 11:44 pm

Do you know how my i386 file is missing? Will running this restore anything?

Re: Win32/Cryptor Removal...HELP!

Post by Belahzur on Sun May 03, 2009 11:46 pm

i386 isn't a file, it's a folder. It's a backup folder of system files, it can be located in different locations on different machines.

A few locations would be as follows:
C:\i386
C:\Windows\system32\i386

The Avira boot disc won't restore anything, but it will remove the rootkit hopefully and take the weight off, then we can try something else.


Re: Win32/Cryptor Removal...HELP!

Post by tmossy on Sun May 03, 2009 11:51 pm

ok...I went to your link it says it's an Active@ Boot Disk v.4 New...is this the correct one?

Re: Win32/Cryptor Removal...HELP!

Post by Belahzur on Sun May 03, 2009 11:53 pm

Did you get the file from this link?
[You must be registered and logged in to see this link.]


Re: Win32/Cryptor Removal...HELP!

Post by tmossy on Sun May 03, 2009 11:56 pm

No.....at this one you gave me [You must be registered and logged in to see this link.]

Do I use the one you just sent?

Re: Win32/Cryptor Removal...HELP!

Post by Belahzur on Mon May 04, 2009 12:00 am

That's the article and guide on how to use it. Down the bottom of the article is the download link.


Re: Win32/Cryptor Removal...HELP!

Post by tmossy on Mon May 04, 2009 12:05 am

Yes....There was just a couple of different links..wanted the right one.
Can you give me the proper name?

Is it : Download Avira AntiVir Rescue System ?

I'm sorry...You are being very helpful...much appreciated..and I'm getting tired, and irritated with the computer!

Re: Win32/Cryptor Removal...HELP!

Post by Belahzur on Mon May 04, 2009 12:07 am

It's okay, the malware is to blame for this damage.

Scroll down to just below the two pictures of how to use the boot disc, you'll see this:
"[ Download Avira AntiVir Rescue System ]"

That's the download link.


Re: Win32/Cryptor Removal...HELP!

Post by tmossy on Mon May 04, 2009 12:11 am

OK..Thanks! Do I just download to my desktop and then put install on a CD?

Re: Win32/Cryptor Removal...HELP!

Post by Belahzur on Mon May 04, 2009 12:14 am

I've never used this myself so I don't know what the exe file makes when you run it, but it should make an iso file.
Read through it slowly, you'll understand better.


Re: Win32/Cryptor Removal...HELP!

Post by tmossy on Mon May 04, 2009 12:44 am

OK..got it on a CD-R...when I try to boot it nothing.....Is there a special way to burn it?

Re: Win32/Cryptor Removal...HELP!

Post by Belahzur on Mon May 04, 2009 1:30 am

Hello.
I'm going to test this out in the morning so I can get a better understanding of what to do. Hold tight.


Re: Win32/Cryptor Removal...HELP!

Post by tmossy on Tue May 05, 2009 11:58 pm

Hello....any information yet?? I have put it on a CD...and nothing...I must be putting it wrong on the CD...HELP! Anyone know how to do this?

Re: Win32/Cryptor Removal...HELP!

Post by Belahzur on Wed May 06, 2009 12:00 am

Yep, I checked it out.
When you run the file, it asks if you want to burn it to a CD using whatever kind of drive you have in at the moment.

You need to have a blank CD in the drawer when you run the file.


Re: Win32/Cryptor Removal...HELP!

Post by tmossy on Wed May 06, 2009 12:20 am

I did all that...when I try to run the CD..nothing....on my computer...as well as my daughter's....there is no special burning program...or way it is to be put on the CD?

Re: Win32/Cryptor Removal...HELP!

Post by Belahzur on Wed May 06, 2009 12:26 am

You can try this:
[You must be registered and logged in to see this link.]

It's a free CD burning software. When you run the file, exit it and it offers you to save an .iso file. Save the iso file and use the above software to burn it to a CD.

