Win32/Cryptor problem

Win32/Cryptor problem

Post by Grombags on Sun May 03, 2009 5:27 pm

Dear Geekpolice

I started having problems with my laptop on Thursday - initially it was swp2009 that kept bringing up pop-ups trying to get me to buy bogus antispyware software. Using Super Anti Spyware seemed to get rid of this, but now that won't work any more and AVG scans show I have Win32/Cryptor in the scvhost.exe that it is unable to cleanse or delete. I have been reading through other people's posts on this site about the same malware and have just downloaded Hijack This and scanned the system. I attach the log below (separated into 2 parts as it is too big for one):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:17:01, on 03/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\TAMSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WacomTouchService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\TODDSrv.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\TTPDSRV.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\usbdlm\USBDLM.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\CrossMenu\CrossMenu.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\WTouchUser.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\TrueSuite Access Manager\FpNotifier.exe
C:\Program Files\TrueSuite Access Manager\usbnotify.exe
C:\Program Files\TrueSuite Access Manager\PwdBank.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\Program Files\TrueSuite Access Manager\CssSvr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Please can you help me with this? My boyfriend is suggesting I might need to 're-ghost' the whole thing but I'm hoping that you will be able to help with a less drastic solution.
Many thanks
Grombags

Grombags
Novice
Novice

Status :
Online
Offline

Posts : 17
Joined : 2009-05-03
OS : XP

View user profile

Back to top Go down

Hijack This log part 2

Post by Grombags on Sun May 03, 2009 5:28 pm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [TabletWizard] C:\WINDOWS\help\SplshWrp.exe
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CrossMenu] C:\Program Files\TOSHIBA\CrossMenu\CrossMenu.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\system32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TouchED] C:\Program Files\TOSHIBA\TouchED\TouchED.exe
O4 - HKLM\..\Run: [ThpSrv] C:\WINDOWS\system32\thpsrv /logon
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [TPSODDCtl] TPSODDCtl.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TOSDCR] TOSDCR.EXE
O4 - HKLM\..\Run: [TAcelMgr] C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
O4 - HKLM\..\Run: [TSkrMain] C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
O4 - HKLM\..\Run: [TAudEffect] C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe /run
O4 - HKLM\..\Run: [DDWMon] C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe
O4 - HKLM\..\Run: [topi] C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe -startup
O4 - HKLM\..\Run: [Snippet] "C:\Program Files\Microsoft Experience Pack\Snipping Tool\SnippingTool.exe" /i
O4 - HKLM\..\Run: [TRot.exe] c:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [WTouchUser] C:\WINDOWS\system32\WTouchUser.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\system32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [FingerPrintNotifer] "C:\Program Files\TrueSuite Access Manager\FpNotifier.exe"
O4 - HKLM\..\Run: [UsbMonitor] "C:\Program Files\TrueSuite Access Manager\usbnotify.exe"
O4 - HKLM\..\Run: [PwdBank] "C:\Program Files\TrueSuite Access Manager\PwdBank.exe"
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB002" /M "Stylus C86"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = isdads.salford.ac.uk
O17 - HKLM\Software\..\Telephony: DomainName = isdads.salford.ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = isdads.salford.ac.uk
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: TosBtNP - C:\WINDOWS\SYSTEM32\TosBtNP.dll
O20 - Winlogon Notify: TSigNP - C:\WINDOWS\SYSTEM32\TSigNP.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Authentec memory manager service (Authentec memory manager) - AuthenTec Inc. - C:\WINDOWS\system32\TAMSvr.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Fingerprint Server (FingerprintServer) - AuthenTec,Inc - C:\WINDOWS\system32\FpLogonServ.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: TOSHIBA HDD Protection (Thpsrv) - TOSHIBA Corporation - C:\WINDOWS\system32\ThpSrv.exe
O23 - Service: Tmesrv3 (Tmesrv) - TOSHIBA - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: TOSHIBA Touch Pad Service (TTPDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TTPDSRV.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\AMT\UNS.exe
O23 - Service: USBDLM - Uwe Sieber - [You must be registered and logged in to see this link.] - C:\WINDOWS\usbdlm\USBDLM.exe
O23 - Service: Wacom Touch Service (WacomTouchService) - Unknown owner - C:\WINDOWS\system32\WacomTouchService.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 17118 bytes


Re: Win32/Cryptor problem

Post by Belahzur on Sun May 03, 2009 6:35 pm

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • Java(TM) 6 update 3

Now let's start cleaning this.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = [You must be registered and logged in to see this link.]
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]


  • Press "Fix Checked"
  • Close Hijack This.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down

Re: Win32/Cryptor problem

Post by Grombags on Sun May 03, 2009 9:09 pm

Thanks Belahzur

Struggling to get on this site this evening, keeps crashing. Anyway, the avenger logfile is posted below:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "UACd.sys" found!
ImagePath: \systemroot\system32\drivers\UACnpevrtjxjcrkvyt.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.


Re: Win32/Cryptor problem

Post by Belahzur on Sun May 03, 2009 9:12 pm

Hello.
I do notice the site (sometimes) refuses to work for me with Firefox, but works fine with Google Chrome, strange huh?

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACnpevrtjxjcrkvyt.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.





Re: Win32/Cryptor problem

Post by Grombags on Sun May 03, 2009 11:09 pm

OK, that seems to have gone ok. New logfile below:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACnpevrtjxjcrkvyt.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


I have noticed that all the antivirus software seems to be working again, so it is looking good.

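Added here as a worked example (it is not code from the thread, nor part of The Avenger): a small Python triage script that parses Avenger logs in the format shown in the two posts above, extracts the hidden driver and its ImagePath, builds the matching "Drivers to delete / Files to delete" script, and checks that the follow-up log confirms both deletions. The sample logs are constructed from the thread's own output; mapping \systemroot to C:\WINDOWS is an assumption about this machine.

```python
"""Triage helper for Avenger 2.0 logs of the kind posted in this thread.

Added example, not part of the thread or of The Avenger. It parses the
rootkit-scan log (hidden driver + ImagePath), builds the matching
"Drivers to delete / Files to delete" script, and verifies that the
follow-up log reports both the driver and its file as deleted.
"""
import re
from dataclasses import dataclass, field

HIDDEN_RE = re.compile(r'^Hidden driver "([^"]+)" found!$')
IMAGEPATH_RE = re.compile(r'^ImagePath:\s*(\S+)$')
DRIVER_DELETED_RE = re.compile(r'^Driver "([^"]+)" deleted successfully\.$')
FILE_DELETED_RE = re.compile(r'^File "([^"]+)" deleted successfully\.$')
# Randomised UAC-prefixed names like the ones in this thread's logs.
UAC_NAME_RE = re.compile(r'^uac[a-z]*\.(sys|dll)$', re.IGNORECASE)

# Sample logs, constructed from the output posted in the thread.
SCAN_LOG = r"""
Rootkit scan active.

Hidden driver "UACd.sys" found!
ImagePath: \systemroot\system32\drivers\UACnpevrtjxjcrkvyt.sys
Driver disabled successfully.

Rootkit scan completed.
"""

CLEANUP_LOG = r"""
Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACnpevrtjxjcrkvyt.sys" deleted successfully.

Completed script processing.
"""


@dataclass
class AvengerReport:
    hidden_drivers: dict = field(default_factory=dict)  # driver name -> ImagePath
    deleted_drivers: set = field(default_factory=set)
    deleted_files: set = field(default_factory=set)
    rootkits_found: bool = False


def parse_avenger_log(text):
    """Parse one Avenger log into an AvengerReport."""
    report = AvengerReport()
    current = None  # driver that the next ImagePath line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if m := HIDDEN_RE.match(line):
            current = m.group(1)
            report.hidden_drivers[current] = None
            report.rootkits_found = True
        elif (m := IMAGEPATH_RE.match(line)) and current:
            report.hidden_drivers[current] = m.group(1)
            current = None
        elif m := DRIVER_DELETED_RE.match(line):
            report.deleted_drivers.add(m.group(1))
        elif m := FILE_DELETED_RE.match(line):
            report.deleted_files.add(m.group(1))
    return report


def to_win32_path(image_path):
    """Map a registry-style ImagePath to a Win32 path.

    Assumption: the system root is C:\\WINDOWS, as on the machine in this thread.
    """
    prefix = '\\systemroot\\'
    if image_path.lower().startswith(prefix):
        return 'C:\\WINDOWS\\' + image_path[len(prefix):]
    return image_path


def build_avenger_script(report):
    """Produce the script in the same two-section format used in the thread."""
    files = [to_win32_path(p) for p in report.hidden_drivers.values() if p]
    lines = ['Drivers to delete:', *sorted(report.hidden_drivers), '',
             'Files to delete:', *sorted(files)]
    return '\n'.join(lines)


def verify_cleanup(scan, cleanup):
    """Return scan findings that the cleanup log does not confirm as deleted."""
    deleted_files = {f.lower() for f in cleanup.deleted_files}
    outstanding = []
    for name, image in scan.hidden_drivers.items():
        if name not in cleanup.deleted_drivers:
            outstanding.append(name)
        if image and to_win32_path(image).lower() not in deleted_files:
            outstanding.append(image)
    return outstanding


def suspicious_names(report):
    """Driver and file names in the report matching the randomised UAC pattern."""
    names = list(report.hidden_drivers)
    names += [p.rsplit('\\', 1)[-1] for p in report.hidden_drivers.values() if p]
    return [n for n in names if UAC_NAME_RE.match(n)]


if __name__ == '__main__':
    scan = parse_avenger_log(SCAN_LOG)
    print(build_avenger_script(scan))
    print('suspicious:', suspicious_names(scan))
    print('outstanding after cleanup:', verify_cleanup(scan, parse_avenger_log(CLEANUP_LOG)))
```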

Re: Win32/Cryptor problem

Post by Belahzur on Sun May 03, 2009 11:24 pm

Still not done yet though.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.





Re: Win32/Cryptor problem

Post by Grombags on Sun May 03, 2009 11:43 pm

MBAM log below. Where to next?

Malwarebytes' Anti-Malware 1.36
Database version: 2072
Windows 5.1.2600 Service Pack 3

04/05/2009 00:41:20
mbam-log-2009-05-04 (00-41-20).txt

Scan type: Quick Scan
Objects scanned: 105116
Time elapsed: 5 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACqwidlxrhovfmxfq.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACtmqborpbrrruruw.dll (Trojan.Agent) -> Quarantined and deleted successfully.


Re: Win32/Cryptor problem

Post by Belahzur on Sun May 03, 2009 11:47 pm

Hello. One last scan to take a good look around.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste both logs back here, use more than one post if needed.





Re: Win32/Cryptor problem

Post by Grombags on Mon May 04, 2009 10:51 am

Thanks again. This website is now refusing to open at all in IE Explorer so I have downloaded Firefox and it seems to be working in that - for now anyway!

The DDS.txt file as follows:

DDS (Ver_09-03-16.01) - NTFSx86
Run by exs149 at 11:44:36.90 on 04/05/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2007.614 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\TAMSvr.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\WacomTouchService.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k eapsvcs
svchost.exe
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ThpSrv.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\system32\TODDSrv.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\TTPDSRV.exe
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\usbdlm\USBDLM.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\TOSHIBA\CrossMenu\CrossMenu.exe
C:\WINDOWS\system32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchED\TouchED.exe
C:\WINDOWS\system32\thpsrv.exe
C:\WINDOWS\system32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\TPSODDCtl.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMETEMNU.EXE
C:\Program Files\TOSHIBA\Acceleration Utilities\TAcelMgr\TAcelMgr.exe
C:\Program Files\TOSHIBA\Acceleration Utilities\Shaker\TSkrMain.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\TOSHIBA\TAudEffect\TAudEff.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\TOSHIBA\TOSHIBA Direct Disc Writer\ddwmon.exe
C:\Program Files\TOSHIBA\Toshiba Online Product Information\topi.exe
C:\Program Files\TOSHIBA\TOSHIBA Rotation Utility\TRot.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\WTouchUser.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\TrueSuite Access Manager\FpNotifier.exe
C:\Program Files\TrueSuite Access Manager\usbnotify.exe
C:\Program Files\TrueSuite Access Manager\PwdBank.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0R2.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\TrueSuite Access Manager\CssSvr.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\EXS149\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
mWinlogon: System=ziswin.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [TabletWizard] c:\windows\help\SplshWrp.exe
mRun: [TabletTip] "c:\program files\common files\microsoft shared\ink\tabtip.exe" /resume
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [CrossMenu] c:\program files\toshiba\crossmenu\CrossMenu.exe
mRun: [00THotkey] c:\windows\system32\00THotkey.exe
mRun: [000StTHK] 000StTHK.exe
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [TouchED] c:\program files\toshiba\touched\TouchED.exe
mRun: [ThpSrv] c:\windows\system32\thpsrv /logon
mRun: [TFNF5] TFNF5.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [TPSODDCtl] TPSODDCtl.exe
mRun: [TPSMain] TPSMain.exe
mRun: [TMERzCtl.EXE] c:\program files\toshiba\tme3\TMERzCtl.EXE /Service
mRun: [TMESRV.EXE] c:\program files\toshiba\tme3\TMESRV31.EXE /Logon
mRun: [TOSDCR] TOSDCR.EXE
mRun: [TAcelMgr] c:\program files\toshiba\acceleration utilities\tacelmgr\TAcelMgr.exe
mRun: [TSkrMain] c:\program files\toshiba\acceleration utilities\shaker\TSkrMain.exe
mRun: [TAudEffect] c:\program files\toshiba\taudeffect\TAudEff.exe /run
mRun: [DDWMon] c:\program files\toshiba\toshiba direct disc writer\\ddwmon.exe
mRun: [topi] c:\program files\toshiba\toshiba online product information\topi.exe -startup
mRun: [Snippet] "c:\program files\microsoft experience pack\snipping tool\SnippingTool.exe" /i
mRun: [TRot.exe] c:\program files\toshiba\toshiba rotation utility\TRot.exe
mRun: [TosHKCW.exe] "c:\program files\toshiba\wireless hotkey\TosHKCW.exe"
mRun: [NDSTray.exe] NDSTray.exe
mRun: [WTouchUser] c:\windows\system32\WTouchUser.exe
mRun: [ShStatEXE] "c:\program files\network associates\virusscan\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Network Associates Error Reporting Service] "c:\program files\common files\network associates\talkback\TBMon.exe"
mRun: [NDPS] c:\windows\system32\dpmw32.exe
mRun: [NWTRAY] NWTRAY.EXE
mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [FingerPrintNotifer] "c:\program files\truesuite access manager\FpNotifier.exe"
mRun: [UsbMonitor] "c:\program files\truesuite access manager\usbnotify.exe"
mRun: [PwdBank] "c:\program files\truesuite access manager\PwdBank.exe"
mRun: [EPSON Stylus C86 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O6 "USB002" /M "Stylus C86"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\exs149\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\applic~1.lnk - c:\program files\novell\zenworks\NalView.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ciscos~1.lnk - c:\program files\cisco systems\vpn client\vpngui.exe
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - [You must be registered and logged in to see this link.]
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: ATFUS - c:\windows\system32\FpWinLogonNp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Notify: loginkey - c:\program files\common files\microsoft shared\ink\loginkey.dll
Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll
Notify: TabBtnWL - TabBtnWL.dll
Notify: TosBtNP - TosBtNP.dll
Notify: tpgwlnotify - tpgwlnot.dll
Notify: TSigNP - TSigNP.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwv1_0

Grombags
Novice

Posts : 17
Joined : 2009-05-03
OS : XP

Re: Win32/Cryptor problem

Post by Grombags on Mon May 04, 2009 10:51 am

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\exs149\applic~1\mozilla\firefox\profiles\p7wmewfk.default\

============= SERVICES / DRIVERS ===============

R0 AlfaFF;AlfaFF mini-filter driver;c:\windows\system32\drivers\AlfaFF.sys [2008-12-20 42608]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-2 64160]
R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [2007-4-27 21120]
R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [2007-3-9 6528]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-2 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-2 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-2 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R1 TMEI3E;TMEI3E;c:\windows\system32\drivers\TMEI3E.sys [2007-11-28 5888]
R2 Authentec memory manager;Authentec memory manager service;c:\windows\system32\TAMSvr.exe [2008-12-20 49152]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-2 298776]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2004-6-4 6899]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 953168]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2008-6-3 103744]
R2 McShield;Network Associates McShield;c:\program files\network associates\virusscan\Mcshield.exe [2004-9-22 221191]
R2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2004-9-22 28672]
R2 Remote Management Agent;Novell ZfD Remote Management;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2004-5-20 163840]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-26 105856]
R2 Tmesrv;Tmesrv3;c:\program files\toshiba\tme3\TMESRV31.exe [2007-11-28 114688]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-19 134016]
R2 TTPDSrv;TOSHIBA Touch Pad Service;c:\windows\system32\TTPDSRV.exe [2007-11-28 73728]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2007-11-28 1464856]
R2 USBDLM;USBDLM;c:\windows\usbdlm\USBDLM.exe [2008-7-14 156672]
R2 WacomTouchService;Wacom Touch Service;c:\windows\system32\WacomTouchService.exe [2008-6-3 95528]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2004-5-10 2773]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-11-28 36608]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2008-6-3 108256]
R3 TBtnKey;TOSHIBA Tablet PC Buttons Type N HID Driver;c:\windows\system32\drivers\TBtnKey.sys [2007-11-28 8832]
R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2007-11-28 435072]
R3 WacomVTHid;Virtual Touch Driver;c:\windows\system32\drivers\WacomVTHid.sys [2007-11-28 11312]
R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [2008-6-3 30248]
R3 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2004-2-26 61440]
S3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2008-12-20 131072]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2008-7-16 31592]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]
S4 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2008-6-3 58048]

=============== Created Last 30 ================

2009-05-04 00:34 --d----- c:\docume~1\exs149\applic~1\Malwarebytes
2009-05-04 00:34 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-04 00:34 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-04 00:34 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-04 00:34 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-03 18:16 --d----- c:\program files\Trend Micro
2009-05-02 20:38 --d----- c:\docume~1\exs149\applic~1\SUPERAntiSpyware.com
2009-05-02 13:16 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-02 13:16 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-02 13:16 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-02 13:16 --d----- c:\windows\system32\drivers\Avg
2009-05-02 12:37 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-02 12:03 --d-h--- C:\$AVG8.VAULT$
2009-05-02 11:42 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-05-02 11:42 --d----- c:\program files\Lavasoft
2009-05-02 11:38 --d----- c:\program files\AVG
2009-05-02 11:38 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-02 11:37 -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-01 23:04 --d----- c:\documents and settings\exs149\DoctorWeb
2009-05-01 14:10 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-01 14:08 --d----- c:\program files\SUPERAntiSpyware
2009-05-01 14:07 --d----- c:\program files\common files\Wise Installation Wizard
2009-05-01 13:01 --d----- c:\windows\system32\XPSViewer
2009-05-01 13:00 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-05-01 13:00 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-05-01 13:00 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-05-01 13:00 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-05-01 13:00 --d----- C:\0d267a4c936ecf192ba14baa80be
2009-05-01 13:00 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-05-01 13:00 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-05-01 13:00 117,760 -------- c:\windows\system32\prntvpt.dll
2009-05-01 13:00 --d----- c:\windows\SxsCaPendDel
2009-05-01 12:36 --d----- c:\docume~1\exs149\applic~1\GlarySoft
2009-05-01 12:35 --d----- c:\program files\AskSearch
2009-05-01 12:35 --d----- c:\program files\Glary Utilities
2009-04-30 14:54 224 a------- c:\windows\system32\UACpabbpiktpjboyee.dat
2009-04-24 22:22 41 a------- c:\windows\popcinfo.dat
2009-04-24 22:07 --d----- c:\docume~1\exs149\applic~1\ABIG
2009-04-20 09:43 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-20 09:43 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-04-20 09:43 2,560 -------- c:\windows\system32\xpsp4res.dll

==================== Find3M ====================

2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-02-20 09:10 666,112 a------- c:\windows\system32\wininet.dll
2009-02-20 09:10 81,920 a------- c:\windows\system32\ieencode.dll
2009-02-09 13:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-09 13:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 13:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-09 13:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 12:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 12:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 11:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 11:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:59 56,832 a------- c:\windows\system32\secur32.dll

============= FINISH: 11:45:52.51 ===============

Grombags
Novice

Posts : 17
Joined : 2009-05-03
OS : XP

Re: Win32/Cryptor problem

Post by Grombags on Mon May 04, 2009 10:56 am

The Attach.txt file says not to copy and paste but to zip and attach? Sorry for being stupid but I don't know how to do this, or should I just ignore and cut/paste anyway?

Grombags

Grombags
Novice

Posts : 17
Joined : 2009-05-03
OS : XP

Re: Win32/Cryptor problem

Post by Grombags on Mon May 04, 2009 11:23 am

Hi again. Please ignore last posting - have just spoken to someone more familiar with these sites who has explained why you probably don't allow zip files! So here is the full Attach.txt:

DDS (Ver_09-03-16.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 03/06/2008 18:04:12
System Uptime: 05/04/2009 10:49:16 (697 hours ago)
Motherboard: TOSHIBA | | Portable PC
Processor: Intel Pentium III Xeon processor | uFC-PGA Socket | 2094/200mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 112 GiB total, 98.147 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
==== System Restore Points ===================
No restore point in system.
==== Installed Programs ======================
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Agilix GoBinder Lite
Alchemy 1.2
ALPS Touch Pad Driver
AVG 8.5
Bluetooth Stack for Windows by Toshiba
BookWorm Deluxe 1.02
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CD/DVD Drive Acoustic Silencer
CDBurnerXP
Compatibility Pack for the 2007 Office system
Critical Update for Windows Media Player 11 (KB959772)
dirXperts
EPSON PhotoQuicker3.5
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
EPSON Web-To-Page
ESC86 Reference Guide
ESC86 Software Guide
getPlus(R)
Glary Utilities 2.11.0.638
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Ink Art
Intel(R) Active Management Technology Device Software
Intel(R) Graphics Media Accelerator Driver
Intel(R) Management Engine Interface
Intel(R) Network Connections Drivers
InterVideo WinDVD for TOSHIBA
Macromedia Flash Player
Malwarebytes' Anti-Malware
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Education Pack for Windows XP Tablet PC Edition
Microsoft Energy Blue Theme Pack
Microsoft Experience Pack for Tablet PC
Microsoft Ink Crossword
Microsoft Ink Desktop
Microsoft Media Transfer
Microsoft Office OneNote 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Professional 2003
Microsoft Office Visio Viewer 2007
Microsoft Snipping Tool 2.0
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
NICI (Shared) U.S./Worldwide (128 bit) (2.6.8-2)
NMAS Challenge Response Method
NMAS Client
PDF-XChange 3.0
PIF DESIGNER2.1
Realtek High Definition Audio Driver
ScanToWeb
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Tablet PC Tutorials for Microsoft Windows XP SP2
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TOSHIBA Accelerometer Utilities
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Direct Disc Writer
TOSHIBA Disc Creator
TOSHIBA Display Devices Change Utility
TOSHIBA HDD Protection
TOSHIBA Hotkey Utility for Display Devices
TOSHIBA Manuals
TOSHIBA Mic Effect
TOSHIBA Mobile Extension3
Toshiba Online Product Information
TOSHIBA Password Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA Rotation Utility
TOSHIBA SD Memory Boot Utility
TOSHIBA SD Memory Utilities
TOSHIBA Security Assist
TOSHIBA Software Modem
TOSHIBA Tablet Access Code Logon Utility
TOSHIBA TouchPad On/Off Utility V2.5.1.0
TOSHIBA Utilities
TOSHIBA Wireless Key Logon
TOSHIBA Zooming Utility
Trivial Pursuit Digital Choice v1.2.5 for Windows XP/Vista
TrueSuite Access Manager
Uninstall for TOSHIBA Mobile Extension3
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VPN Client
Wacom Tablet
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows Mobile® Device Handbook
Windows XP Service Pack 3
WinZip
Wireless Hotkey
ZENworks Desktop Management Agent
==== Event Viewer Messages From Past Week ========
04/05/2009 10:51:47, error: Dhcp [1002] - The IP address lease 192.168.1.8 for the Network Card with network address 001F3B99BA4B has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
04/05/2009 00:45:32, error: PlugPlayManager [11] - The device Root\LEGACY_WODOB\0000 disappeared from the system without first being prepared for removal.
02/05/2009 11:42:47, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Lavasoft Ad-Aware Service service to connect.
02/05/2009 11:42:47, error: Service Control Manager [7000] - The Lavasoft Ad-Aware Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
02/05/2009 11:41:37, error: SideBySide [59] - Generate Activation Context failed for C:\PROGRA~1\AVG\AVG8\avgtray.exe. Reference error message: The operation completed successfully. .
02/05/2009 11:39:21, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\AVG\AVG8\avgui.exe. Reference error message: The operation completed successfully. .
02/05/2009 11:39:09, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC80.MFC. Reference error message: The referenced assembly is not installed on your system. .
02/05/2009 11:39:09, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\AVG\AVG8\avgfrw.exe. Reference error message: The operation completed successfully. .
02/05/2009 11:39:09, error: SideBySide [32] - Dependent Assembly Microsoft.VC80.MFC could not be found and Last Error was The referenced assembly is not installed on your system.
02/05/2009 11:37:52, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
01/05/2009 23:04:34, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm SASDIFSV SASKUTIL TMEI3E Tosrfcom
01/05/2009 23:04:10, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
01/05/2009 23:04:09, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
01/05/2009 20:16:37, error: Service Control Manager [7034] - The Novell ZfD Remote Management service terminated unexpectedly. It has done this 1 time(s).
01/05/2009 19:39:12, error: NETLOGON [5719] - No Domain Controller is available for domain ISDADS due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
01/05/2009 12:57:44, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
01/05/2009 12:36:46, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume3'. It has stopped monitoring the volume.
==== End Of File ===========================

Grombags
Novice

Posts : 17
Joined : 2009-05-03
OS : XP

Re: Win32/Cryptor problem

Post by Belahzur on Mon May 04, 2009 2:23 pm

Hello.

Is this machine part of some network or something? There's a modified value within your registry, and there seems to be network software, from what I see in the log, which makes it harder for me to know whether you put them there or it's malicious.

You are running two AVs; this is a bad idea as they can conflict and cause problems. I see AVG and McAfee.
I would recommend that you remove McAfee to avoid conflict and other future problems.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • Adobe Reader 8.1.2
  • Adobe Reader 8.1.2 Security Update 1 (KB403742)
  • McAfee VirusScan Enterprise

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    c:\windows\popcinfo.dat
    c:\windows\system32\UACpabbpiktpjboyee.dat
    c:\program files\AskSearch


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: Win32/Cryptor problem

Post by Grombags on Mon May 04, 2009 4:39 pm

Hi Belahzur

I use the laptop sometimes on a network at work and the tech support staff there would have loaded any network drives etc - also the McAfee virus software (which seems to have been a total dead-loss as it didn't detect the cryptor at all!). We also have a home wireless network but I don't think anything was loaded for that.

I will remove the McAfee as you suggest as I now have more faith in AVG. Will also run the OTMoveit3 and report back.

Grom

Grombags
Novice

Posts : 17
Joined : 2009-05-03
OS : XP

Re: Win32/Cryptor problem

Post by Grombags on Mon May 04, 2009 4:51 pm

Hi again

I removed the Adobe and McAfee programs, but the Adobe Reader 8.1.2 Security Update 1 (KB403742) was not on the add/remove list?

OTMoveIt3 results below:

========== FILES ==========
c:\windows\popcinfo.dat moved successfully.
c:\windows\system32\UACpabbpiktpjboyee.dat moved successfully.
c:\program files\AskSearch\bin moved successfully.
c:\program files\AskSearch moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05042009_174735

Grombags
Novice

Posts : 17
Joined : 2009-05-03
OS : XP

Re: Win32/Cryptor problem

Post by Belahzur on Mon May 04, 2009 4:55 pm

Hello.
Good work, but not done yet.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

I want to track down that suspicious looking file and have it scanned.

Please download SystemLook from one of the links below and save it to your Desktop.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:

    :filefind
    *ziswin*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

View user profile

Back to top Go down


Post by Grombags on Mon May 04, 2009 5:06 pm

SystemLook v1.0 by jpshortstuff (24.04.09)
Log created at 18:04 on 04/05/2009 by exs149 (Administrator - Elevation successful)

========== filefind ==========

Searching for "*ziswin*"
C:\Documents and Settings\Default User\Application Data\Microsoft\Office\Recent\ziswin.hst.LNK --a--- 413 bytes [22:37 03/06/2008] [22:25 03/06/2008] 65C862E317C8233A846FB7B728ACE6B3
C:\Documents and Settings\isdprofiler\Application Data\Microsoft\Office\Recent\ziswin.hst.LNK --a--- 413 bytes [22:25 03/06/2008] [22:25 03/06/2008] 65C862E317C8233A846FB7B728ACE6B3
C:\Documents and Settings\uis403\Application Data\Microsoft\Office\Recent\ziswin.hst.LNK --a--- 413 bytes [13:09 22/07/2008] [22:25 03/06/2008] 65C862E317C8233A846FB7B728ACE6B3
C:\Documents and Settings\uis595\Application Data\Microsoft\Office\Recent\ziswin.hst.LNK --a--- 413 bytes [13:45 04/08/2008] [22:25 03/06/2008] 65C862E317C8233A846FB7B728ACE6B3
C:\WINDOWS\system32\nls\ENGLISH\ziswinr.dll --a--- 73728 bytes [05:14 08/06/2004] [05:14 08/06/2004] 10AA3E0FBC6305E87626D07496C8C0CC
C:\WINDOWS\system32\ziswin.chm --a--- 51973 bytes [16:14 06/04/2004] [16:14 06/04/2004] 5D9BFF40785BABB33D1A8E184991DA1A
C:\WINDOWS\system32\ZISWIN.EXE --a--- 184320 bytes [05:14 08/06/2004] [05:14 08/06/2004] 5A56E542B4E98E6196C9DAE02376550D
C:\ziswin.hst --a--- 1280 bytes [22:07 03/06/2008] [22:22 03/06/2008] C8B1C9F3E46DC2D06BC9320CC2CB903B

-=End Of File=-

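The SystemLook "filefind" output above has a fixed line shape (path, attribute flags, size, modified and created timestamps, MD5) that is easy to work through by hand for eight hits but tedious for hundreds. The following is an added example, not part of the thread and not SystemLook's own code: it parses that log into records, groups hits by MD5 (so identical copies in several profiles are seen as one file), lists files modified after a chosen cutoff, and flags executable-type files whose hash is not on an allowlist. The sample log is the one quoted above; the `KNOWN_GOOD_MD5` allowlist is a constructed placeholder (in practice it would come from a vendor catalogue or a clean reference machine).

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Set

# Constructed sample input: the "filefind" section of the SystemLook log
# quoted above, embedded here so the example runs offline.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (24.04.09)
Log created at 18:04 on 04/05/2009 by exs149 (Administrator - Elevation successful)

========== filefind ==========

Searching for "*ziswin*"
C:\Documents and Settings\Default User\Application Data\Microsoft\Office\Recent\ziswin.hst.LNK --a--- 413 bytes [22:37 03/06/2008] [22:25 03/06/2008] 65C862E317C8233A846FB7B728ACE6B3
C:\Documents and Settings\isdprofiler\Application Data\Microsoft\Office\Recent\ziswin.hst.LNK --a--- 413 bytes [22:25 03/06/2008] [22:25 03/06/2008] 65C862E317C8233A846FB7B728ACE6B3
C:\Documents and Settings\uis403\Application Data\Microsoft\Office\Recent\ziswin.hst.LNK --a--- 413 bytes [13:09 22/07/2008] [22:25 03/06/2008] 65C862E317C8233A846FB7B728ACE6B3
C:\Documents and Settings\uis595\Application Data\Microsoft\Office\Recent\ziswin.hst.LNK --a--- 413 bytes [13:45 04/08/2008] [22:25 03/06/2008] 65C862E317C8233A846FB7B728ACE6B3
C:\WINDOWS\system32\nls\ENGLISH\ziswinr.dll --a--- 73728 bytes [05:14 08/06/2004] [05:14 08/06/2004] 10AA3E0FBC6305E87626D07496C8C0CC
C:\WINDOWS\system32\ziswin.chm --a--- 51973 bytes [16:14 06/04/2004] [16:14 06/04/2004] 5D9BFF40785BABB33D1A8E184991DA1A
C:\WINDOWS\system32\ZISWIN.EXE --a--- 184320 bytes [05:14 08/06/2004] [05:14 08/06/2004] 5A56E542B4E98E6196C9DAE02376550D
C:\ziswin.hst --a--- 1280 bytes [22:07 03/06/2008] [22:22 03/06/2008] C8B1C9F3E46DC2D06BC9320CC2CB903B

-=End Of File=-
"""


@dataclass(frozen=True)
class FileRecord:
    path: str
    attrs: str          # SystemLook attribute flags, e.g. "--a---"
    size: int           # bytes
    modified: datetime  # first bracketed timestamp in the log
    created: datetime   # second bracketed timestamp in the log
    md5: str            # uppercase hex digest


# One filefind hit per line: <path> <6 attr flags> <size> bytes [mtime] [ctime] <md5>.
# The path is matched lazily, so spaces inside "Documents and Settings" are fine.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-A-Za-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
TIME_FMT = "%H:%M %d/%m/%Y"  # SystemLook prints day/month/year


def parse_filefind(log_text: str) -> List[FileRecord]:
    """Parse every filefind hit line; header, search banner and footer lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append(FileRecord(
            path=m.group("path"),
            attrs=m.group("attrs"),
            size=int(m.group("size")),
            modified=datetime.strptime(m.group("modified"), TIME_FMT),
            created=datetime.strptime(m.group("created"), TIME_FMT),
            md5=m.group("md5").upper(),
        ))
    return records


def group_by_hash(records: Iterable[FileRecord]) -> Dict[str, List[str]]:
    """Map each MD5 to the paths carrying it, so duplicate copies are triaged once."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        groups[r.md5].append(r.path)
    return dict(groups)


def modified_since(records: Iterable[FileRecord], cutoff: datetime) -> List[str]:
    """Paths whose modified time is strictly after the cutoff (e.g. the incident window)."""
    return [r.path for r in records if r.modified > cutoff]


def unverified_executables(records: Iterable[FileRecord], known_good: Set[str]) -> List[str]:
    """Executable-type files (by extension) whose MD5 is not on the allowlist."""
    exec_ext = (".exe", ".dll", ".sys", ".scr", ".ocx")
    return [r.path for r in records
            if r.path.lower().endswith(exec_ext) and r.md5 not in known_good]


# Constructed placeholder allowlist; seeded with the ZISWIN.EXE hash from the log above.
KNOWN_GOOD_MD5: Set[str] = {"5A56E542B4E98E6196C9DAE02376550D"}


if __name__ == "__main__":
    recs = parse_filefind(SAMPLE_LOG)
    print(f"{len(recs)} hits, {len(group_by_hash(recs))} distinct hashes")
    for p in unverified_executables(recs, KNOWN_GOOD_MD5):
        print("needs a hash lookup / scanner submission:", p)
```

The parser deliberately keys on the MD5 column: the same ZISWIN.EXE hash is what the thread later sends to a multi-engine scanner, and an allowlist keyed by hash rather than by file name is what makes a renamed or replaced binary stand out.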

Post by Belahzur on Mon May 04, 2009 5:12 pm

Hello.
Please visit this website: [You must be registered and logged in to see this link.]

Press the browse button and locate this file in bold: C:\WINDOWS\system32\ZISWIN.EXE
Double click it for it to be selected.
Now hit the "Submit" button on the website.

Please wait for the scanners to do their job and the file will be tested by each scanner. Copy and paste the results back here.



Post by Grombags on Mon May 04, 2009 5:35 pm

Hi again

Seems to think it is ok -

Scan taken on 04 May 2009 17:31:48 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Quick Heal
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing


Post by Belahzur on Mon May 04, 2009 5:40 pm

Yep, that looks fine. How is the machine running now?

You can delete all the tools we used.



Post by Grombags on Mon May 04, 2009 5:46 pm

Hi Belahzur

Thanks for all your time and patience on this.

It seems to be running OK. Websites are opening with no problem again (that was the main problem originally) and I'm not having any trouble logging on. The only thing I have found is that when I run AVG it is finding loads of new cookies and tracking things each time (177 of them the last time) even though the only web pages I have been to are this one, the sites for downloads and google.

Dare I hope it is pretty much fixed and what do I need to do next?

Grom


Post by Belahzur on Mon May 04, 2009 5:46 pm

AVG really go over the top sometimes.

Tracking cookies are harmless, everyone has them.



Post by Grombags on Mon May 04, 2009 5:53 pm

So is that me done then? Is there anything else I could/should be doing to avoid picking up anything similar?

Grom


Post by Belahzur on Mon May 04, 2009 5:57 pm

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.



Post by Grombags on Mon May 04, 2009 6:32 pm

Hi Belahzur

Thank you SO much - you are an absolute STAR. I was anticipating having to save all my files onto flash drives and have the whole of Windows re-ghosted, but now I don't need to.

Still can't quite believe how good this site is, but I will definitely be recommending it to everyone from now on. The help has been clearly explained, quick and thorough. I know you must do this every day but believe me - it is such a great help and relief to non-technical types like myself to find this sort of support.

I have already downloaded Mozilla and the extra Anti-Spyware you recommend and will look into getting a firewall so hopefully I won't need to bother you again!

A huge thank you.

Grombags

