Win32/Cryptor [Help Plz]


Win32/Cryptor [Help Plz]

Post by Belou on 7th May 2009, 8:33 pm

My AntiVirus Software Has Detected This As A Threat (I Use AVG 8.5) I Already Have Malware Bytes, CCleaner & SuperAntiSpyware (Free Edition) Installed. I Just Can't Get Rid Of This Virus And I Search All Over The Internet/Google Search And This Seems Like The Only Place Offering Help.


Can Someone Assist Me? Thx A Mil Smile

Belou
Novice

Posts : 11
Joined : 2009-05-04
Gender : Male
OS : Windows XP
Points : 27773
Likes : 0

Re: Win32/Cryptor [Help Plz]

Post by Belahzur on 7th May 2009, 8:36 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
Likes : 1

Re: Win32/Cryptor [Help Plz]

Post by Belou on 7th May 2009, 8:45 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.


Re: Win32/Cryptor [Help Plz]

Post by Belahzur on 7th May 2009, 8:48 pm

No rootkit active. Can you try running MalwareBytes AntiMalware for me? It should work since the driver isn't active.





Re: Win32/Cryptor [Help Plz]

Post by Belou on 7th May 2009, 8:50 pm

ok will do right now.


Re: Win32/Cryptor [Help Plz]

Post by Belou on 7th May 2009, 9:06 pm

delete this post plz.

sorry!


Last edited by Belou on 7th May 2009, 9:08 pm; edited 2 times in total


Re: Win32/Cryptor [Help Plz]

Post by Belahzur on 7th May 2009, 9:07 pm

No, remove what is found first, then the log should open itself.





Re: Win32/Cryptor [Help Plz]

Post by Belou on 7th May 2009, 9:10 pm

Malwarebytes' Anti-Malware 1.36
Database version: 2069
Windows 5.1.2600 Service Pack 2

5/7/2009 5:09:08 PM
mbam-log-2009-05-07 (17-09-08).txt

Scan type: Quick Scan
Objects scanned: 78644
Time elapsed: 13 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 20
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\pakbvqe.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7b13b443-bec9-4942-abe3-6c9028587e08} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dgkkchch (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{7b13b443-bec9-4942-abe3-6c9028587e08} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\kzjaxcqp (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\kzjaxcqp (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kzjaxcqp (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7b13b443-bec9-4942-abe3-6c9028587e08} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{abd42510-9b22-41cd-9dcd-8182a2d07c63} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\pakbvqe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\pakbvqe.dll.bak (Trojan.Vundo.H) -> Quarantined and deleted successfully.


Re: Win32/Cryptor [Help Plz]

Post by Belahzur on 7th May 2009, 9:17 pm


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.





Re: Win32/Cryptor [Help Plz]

Post by Belou on 7th May 2009, 9:21 pm

DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 17:19:15.78 on Thu 05/07/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.52 [GMT -4:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: : {7b13b443-bec9-4942-abe3-6c9028587e08} - c:\windows\system32\pakbvqe.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp psc 900 series\bin\hpobrt07.exe
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - [You must be registered and logged in to see this link.]
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - [You must be registered and logged in to see this link.]
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: dgkkchch - pakbvqe.dll
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-5-2 12552]
R0 xysxbauo;xysxbauo;c:\windows\system32\drivers\xysxbauo.sys [2002-9-3 23424]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-2 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-2 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-2 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-2 298776]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]

=============== Created Last 30 ================

2009-05-06 13:44 --d----- c:\windows\Cache
2009-05-06 13:44 --d----- c:\program files\Coupons
2009-05-03 00:00 --d-h--- C:\$AVG8.VAULT$
2009-05-02 23:21 --d----- C:\VundoFix Backups
2009-05-02 22:44 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-02 22:44 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-05-02 22:44 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-02 22:43 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-02 22:43 --d----- c:\windows\system32\drivers\Avg
2009-05-02 22:41 --d----- c:\program files\AVG
2009-05-02 22:41 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-05-02 22:36 --d----- c:\windows\pss
2009-05-02 22:32 --d----- c:\docume~1\owner\applic~1\GetRightToGo
2009-05-02 21:22 --d----- c:\windows\CD95F661A5C444F5A6AAECDD91C240B5.TMP
2009-05-02 19:29 --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-05-02 19:29 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-02 19:29 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 19:29 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-02 19:29 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-02 19:26 --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-02 19:25 --d----- c:\program files\SUPERAntiSpyware
2009-05-02 19:25 --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-05-02 19:25 --d----- c:\program files\common files\Wise Installation Wizard
2009-05-02 19:25 --d----- c:\program files\CCleaner
2009-05-02 18:20 --d----- c:\docume~1\owner\applic~1\nwhkuejs
2009-04-18 12:38 0 a------- c:\windows\system32\nfr.assembly
2009-04-18 12:35 182,912 ac------ c:\windows\system32\dllcache\ndis.sys
2009-04-17 07:54 473,088 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-04-17 07:54 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 07:54 399,360 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-04-17 07:54 283,648 -c------ c:\windows\system32\dllcache\pdh.dll
2009-04-17 07:54 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 07:54 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-04-17 07:54 60,416 -c------ c:\windows\system32\dllcache\colbact.dll
2009-04-17 07:54 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-04-17 07:54 616,960 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-04-17 07:54 1,193,414 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-04-17 07:54 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-04-18 12:35 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-03-06 10:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-02 20:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-20 14:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-09 06:20 723,456 a------- c:\windows\system32\lsasrv.dll
2009-02-09 06:20 399,360 a------- c:\windows\system32\rpcss.dll
2009-02-09 06:20 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 06:20 616,960 a------- c:\windows\system32\advapi32.dll
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2002-09-03 13:07 94,784 ---sh--- c:\windows\twain.dll
2004-08-04 03:56 50,688 ---sh--- c:\windows\twain_32.dll
2004-08-04 03:56 1,028,096 ---sh--- c:\windows\system32\mfc42.dll
2004-08-04 03:56 54,784 ---sh--- c:\windows\system32\msvcirt.dll
2004-08-04 03:56 413,696 ---sh--- c:\windows\system32\msvcp60.dll
2004-08-04 03:56 343,040 ---sh--- c:\windows\system32\msvcrt.dll
2007-12-04 14:38 550,912 ---sh--- c:\windows\system32\oleaut32.dll
2004-08-04 03:56 83,456 ---sh--- c:\windows\system32\olepro32.dll
2004-08-04 03:56 11,776 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 17:20:08.12 ===============


Re: Win32/Cryptor [Help Plz]

Post by Belahzur on 7th May 2009, 9:31 pm

Hello.
You really got yourself into a mess here, haven't you? Not only have you got the Koobface infection, but there's also another rootkit here, and it's patched a legit system file; we have to fix all this in one go.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.




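The diagnosis above is made by reading the DDS report by eye. As an added example (not part of the thread, and not code from DDS, MBAM or ComboFix), the Python script below applies a few defender-side triage rules to the kinds of lines that report contains: an Internet Settings proxy pointing at the loopback interface, a Browser Helper Object registered without a display name, a Winlogon Notify package that loads the same DLL as a flagged BHO, and a boot-start (R0) driver whose description is nothing more than its service name. The sample lines are a constructed subset of the DDS output posted earlier in this thread; the rule names, the Finding type and the severity labels are my own assumptions, not DDS features.

```python
"""Triage helper for DDS-style 'Pseudo HJT Report' / services lines.

Added example, not part of the forum thread or of the DDS tool.  It
applies a handful of defender-side rules to report lines of the shape seen
in the thread and returns the entries that deserve a closer look.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the DDS report posted in the thread.
SAMPLE_DDS = """\
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\\program files\\avg\\avg8\\avgssie.dll
BHO: : {7b13b443-bec9-4942-abe3-6c9028587e08} - c:\\windows\\system32\\pakbvqe.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: dgkkchch - pakbvqe.dll
R0 AvgRkx86;avgrkx86.sys;c:\\windows\\system32\\drivers\\avgrkx86.sys [2009-5-2 12552]
R0 xysxbauo;xysxbauo;c:\\windows\\system32\\drivers\\xysxbauo.sys [2002-9-3 23424]
R1 SASDIFSV;SASDIFSV;c:\\program files\\superantispyware\\sasdifsv.sys [2009-4-28 9968]
"""


@dataclass
class Finding:
    severity: str  # "high" (act on it) or "review" (needs a human look); assumed labels
    rule: str
    line: str


# Line shapes as DDS prints them in the thread; the regexes are assumptions.
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<value>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?): \{(?P<clsid>[0-9a-f-]{36})\} - (?P<path>.+)$", re.I)
NOTIFY_RE = re.compile(r"^Notify: (?P<name>\S+) - (?P<dll>\S+)$")
DRIVER_RE = re.compile(r"^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<desc>[^;]+);(?P<path>.+?) \[")


def triage(report: str) -> list[Finding]:
    """Return findings for a DDS-style report, in the order the lines appear."""
    findings: list[Finding] = []
    bho_dlls: set[str] = set()  # file names of DLLs behind nameless BHOs
    lines = [ln.rstrip() for ln in report.splitlines() if ln.strip()]

    # Pass 1: loopback proxies, nameless BHOs, boot-start drivers with no vendor description.
    for line in lines:
        if (m := PROXY_RE.match(line)):
            # Browser traffic sent through a process on the local machine.
            if re.search(r"(localhost|127\.0\.0\.1):\d+", m["value"]):
                findings.append(Finding("high", "browser traffic routed through a loopback proxy", line))
        elif (m := BHO_RE.match(line)):
            dll = m["path"].lower().rsplit("\\", 1)[-1]
            if not m["name"].strip():
                findings.append(Finding("high", "BHO registered without a display name", line))
                bho_dlls.add(dll)
        elif (m := DRIVER_RE.match(line)):
            # R0 = boot start; a description identical to the service name means no vendor text.
            if m["start"] == "R0" and m["svc"].lower() == m["desc"].lower():
                findings.append(Finding("review", "boot-start driver whose description is only its service name", line))

    # Pass 2: Winlogon Notify packages that load a DLL already flagged as a nameless BHO.
    for line in lines:
        if (m := NOTIFY_RE.match(line)) and m["dll"].lower() in bho_dlls:
            findings.append(Finding("high", "Winlogon Notify package loads the same DLL as a flagged BHO", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity}] {f.rule}\n    {f.line}")
```

Run against the constructed sample it returns four findings: the localhost:7171 proxy, the nameless BHO and its Winlogon Notify partner (both pointing at pakbvqe.dll, the file MBAM could only mark "Delete on reboot"), and the R0 driver xysxbauo.sys for review. What this kind of line-level triage cannot see is a patched system file such as the ndis.sys that ComboFix later reported, which is why a file-integrity check is still part of the cleanup.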

Re: Win32/Cryptor [Help Plz]

Post by Belou on 7th May 2009, 9:55 pm

ComboFix 09-05-07.06 - Owner 05/07/2009 17:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.90 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\nfr.assembly
c:\windows\system32\pakbvqe.dll . . . . failed to delete

Infected copy of c:\windows\system32\drivers\ndis.sys was found and disinfected
Restored copy from - The cat ate it Smile

.
((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
.

2009-05-06 17:44 . 2009-05-06 17:44 -------- d-----w c:\windows\Cache
2009-05-06 17:44 . 2009-05-06 17:44 -------- d-----w c:\program files\Coupons
2009-05-03 04:14 . 2009-05-03 04:14 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-03 04:00 . 2009-05-07 20:33 -------- d--h--w C:\$AVG8.VAULT$
2009-05-03 03:21 . 2009-05-03 03:21 -------- d-----w C:\VundoFix Backups
2009-05-03 02:44 . 2009-05-03 02:44 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-03 02:44 . 2009-05-03 02:44 12552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-05-03 02:44 . 2009-05-03 02:44 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-03 02:43 . 2009-05-03 02:43 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-03 02:43 . 2009-05-07 21:28 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-03 02:41 . 2009-05-03 02:41 -------- d-----w c:\program files\AVG
2009-05-03 02:41 . 2009-05-07 20:41 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-03 02:32 . 2009-05-03 02:32 -------- d-----w c:\documents and settings\Owner\Application Data\GetRightToGo
2009-05-03 01:22 . 2009-05-03 01:22 -------- d-----w c:\windows\CD95F661A5C444F5A6AAECDD91C240B5.TMP
2009-05-03 00:11 . 2009-05-03 00:11 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-02 23:29 . 2009-05-02 23:29 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-02 23:29 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-02 23:29 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 23:29 . 2009-05-02 23:29 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-02 23:29 . 2009-05-02 23:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-02 23:26 . 2009-05-02 23:26 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-02 23:25 . 2009-05-02 23:26 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-02 23:25 . 2009-05-02 23:25 -------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-05-02 23:25 . 2009-05-02 23:25 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-02 23:25 . 2009-05-02 23:25 -------- d-----w c:\program files\CCleaner
2009-05-02 22:20 . 2009-05-02 22:20 -------- d-----w c:\documents and settings\Owner\Application Data\nwhkuejs
2009-05-02 22:20 . 2009-05-02 22:20 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\nwhkuejs
2009-04-27 16:32 . 2009-04-27 16:32 -------- d-----w c:\documents and settings\NetworkService\Application Data\nwhkuejs
2009-04-27 16:32 . 2009-04-27 16:32 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\nwhkuejs
2009-04-17 11:54 . 2009-03-06 14:44 283648 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 11:54 . 2005-07-26 04:39 60416 -c----w c:\windows\system32\dllcache\colbact.dll
2009-04-17 11:54 . 2009-02-09 10:20 399360 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 11:54 . 2009-02-06 17:14 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 11:54 . 2009-02-09 10:20 473088 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 11:54 . 2009-02-06 16:39 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 11:54 . 2009-02-09 10:20 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 11:54 . 2009-02-09 10:20 616960 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 11:54 . 2009-02-09 10:20 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 11:54 . 2008-04-21 10:02 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-12 02:30 . 2009-04-12 02:30 -------- d-----w c:\program files\Google
2009-04-12 02:30 . 2009-04-12 17:07 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-04-12 02:29 . 2009-04-12 17:07 -------- d-----w c:\program files\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 21:42 . 2002-09-03 16:50 104448 ----a-w c:\windows\system32\mouizhu.dll
2009-05-07 21:37 . 2002-09-03 16:47 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-29 18:23 . 2007-05-26 04:51 -------- d-----w c:\program files\QUICKENW
2009-03-06 14:44 . 2002-09-03 16:51 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-06-23 15:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2005-07-26 04:31 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2002-09-03 16:39 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2002-09-03 16:49 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2002-09-03 16:27 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2002-09-03 17:11 1846272 ----a-w c:\windows\system32\win32k.sys
2002-09-03 17:07 . 2002-09-03 17:07 94784 --sh--w c:\windows\twain.dll
2004-08-04 07:56 . 2002-09-03 17:07 50688 --sh--w c:\windows\twain_32.dll
2004-08-04 07:56 . 2002-09-03 16:41 1028096 --sh--w c:\windows\system32\mfc42.dll
2004-08-04 07:56 . 2002-09-03 16:46 54784 --sh--w c:\windows\system32\msvcirt.dll
2004-08-04 07:56 . 2002-09-03 16:46 413696 --sh--w c:\windows\system32\msvcp60.dll
2004-08-04 07:56 . 2002-09-03 16:46 343040 --sh--w c:\windows\system32\msvcrt.dll
2007-12-04 18:38 . 2002-09-03 16:51 550912 --sh--w c:\windows\system32\oleaut32.dll
2004-08-04 07:56 . 2002-09-03 16:51 83456 --sh--w c:\windows\system32\olepro32.dll
2004-08-04 07:56 . 2002-09-03 16:56 11776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B13B443-BEC9-4942-ABE3-6C9028587E08}]
2002-09-03 16:50 104448 ----a-w c:\windows\system32\pakbvqe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-01-13 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-01-13 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp psc 900 series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe [2002-9-26 487484]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 02:44 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dgkkchch]
2002-09-03 16:50 104448 ----a-w c:\windows\system32\pakbvqe.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"39453:TCP"= 39453:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [5/2/2009 10:44 PM 12552]
R0 xysxbauo;xysxbauo;c:\windows\system32\drivers\xysxbauo.sys [9/3/2002 12:50 PM 23424]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/2/2009 10:43 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/2/2009 10:44 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/2/2009 10:41 PM 298776]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - MDM
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - W32Time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
kzjaxcqp
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-07 17:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
.
**************************************************************************
.
Completion time: 2009-05-07 17:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-07 21:51

Pre-Run: 51,788,951,552 bytes free
Post-Run: 51,960,651,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

214 --- E O F --- 2009-04-29 23:26


Re: Win32/Cryptor [Help Plz]

Post by Belahzur on 7th May 2009, 10:02 pm

Hello.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
xysxbauo

File::
c:\windows\system32\mouizhu.dll
c:\windows\system32\drivers\xysxbauo.sys
c:\windows\system32\pakbvqe.dll

Folder::
c:\program files\Coupons
c:\windows\Cache
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7B13B443-BEC9-4942-ABE3-6C9028587E08}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dgkkchch]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-

NetSvc::
kzjaxcqp

DDS::
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171
IE: &Search

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
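As an added example (not ComboFix's code and not the helper's script), the following Python scans log lines in the formats ComboFix prints above and flags the same indicators the CFScript removes: a driver in system32\drivers with a random-looking name and no descriptive display name, a NetSvcs entry with a random-looking name, a *NewlyCreated* service, the Windows Firewall switched off, and a browser proxy pointing at the local machine. The sample lines are copied from the log formats in this thread; the name heuristic (`looks_random`) is an assumption of this example and will also trip on acronym-style legitimate names such as SSDPSRV, so treat each hit as a lead to investigate, not a verdict.

```python
"""Flag the indicators a ComboFix log like the ones in this thread exposes.

Added example, not ComboFix's own code. The randomness heuristic is crude;
it is paired with other context (path, display name) where possible.
"""
import re
from typing import List, Tuple

VOWELS = set("aeiou")

# Constructed sample: lines in the formats ComboFix printed above.
SAMPLE_LOG = r"""
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [5/2/2009 10:44 PM 12552]
R0 xysxbauo;xysxbauo;c:\windows\system32\drivers\xysxbauo.sys [9/3/2002 12:50 PM 23424]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - XYSXBAUO

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
kzjaxcqp
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
uInternet Settings,ProxyOverride = *.local;
uInternet Settings,ProxyServer = http=localhost:7171
"""

DRIVER_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[")
NEWLY_RE = re.compile(r"^\*NewlyCreated\*\s+-\s+(\S+)")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")
FIREWALL_RE = re.compile(r'^"EnableFirewall"\s*=\s*0\b')


def looks_random(name: str) -> bool:
    """Heuristic (this example's assumption): an all-letter name of 6+ chars
    with fewer than 25% vowels or a run of 4+ consonants looks generated
    ("xysxbauo", "kzjaxcqp", "cpwlsxbq"). Acronym names such as SSDPSRV or
    WZCSVC trip it too, so callers should combine it with other evidence."""
    n = name.lower()
    if len(n) < 6 or not n.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in n) / len(n)
    longest_consonant_run = max(
        (len(r) for r in re.findall(r"[^aeiou]+", n)), default=0)
    return vowel_ratio < 0.25 or longest_consonant_run >= 4


def analyze(log_text: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for the suspicious lines in log_text."""
    findings: List[Tuple[str, str]] = []
    in_netsvcs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if in_netsvcs:
            # Bare service names follow the NetSvcs header until "." or blank.
            if not line or line == ".":
                in_netsvcs = False
            elif looks_random(line):
                findings.append(("netsvcs-random-name", line))
            continue
        if line.endswith("Svchost - NetSvcs"):
            in_netsvcs = True
            continue
        m = DRIVER_RE.match(line)
        if m:
            _start, name, display, path = m.groups()
            # Random-looking driver name, display name identical to the
            # service name, living in system32\drivers: the xysxbauo pattern.
            if (looks_random(name) and display.lower() == name.lower()
                    and "\\drivers\\" in path.lower()):
                findings.append(("random-driver", f"{name} -> {path}"))
            continue
        m = NEWLY_RE.match(line)
        if m and looks_random(m.group(1)):
            findings.append(("newly-created-service", m.group(1)))
            continue
        if FIREWALL_RE.match(line):
            findings.append(("firewall-disabled", line))
            continue
        m = PROXY_RE.search(line)
        if m:
            proxy = m.group(1)
            # A proxy on the local machine puts a local process between the
            # browser and the network; nothing legitimate on this box set it.
            if "localhost" in proxy or "127.0.0.1" in proxy:
                findings.append(("local-proxy", proxy))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

Run it against a saved ComboFix.txt by passing the file's contents to `analyze()`; each finding maps onto a line of the CFScript above (Driver::, NetSvc::, DDS:: and the security center override), which is the point: the script is the remediation for exactly the indicators this check surfaces.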



Re: Win32/Cryptor [Help Plz]

Post by Belou on 7th May 2009, 10:18 pm

ComboFix 09-05-07.06 - Owner 05/07/2009 18:07.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.134 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated)

FILE ::
c:\windows\system32\drivers\xysxbauo.sys
c:\windows\system32\mouizhu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Coupons
c:\program files\Coupons\Coupons.com.url
c:\program files\Coupons\uninstall.exe
c:\program files\Coupons\Uninstall\IRIMG1.JPG
c:\program files\Coupons\Uninstall\IRIMG2.JPG
c:\program files\Coupons\Uninstall\IRIMG3.JPG
c:\program files\Coupons\Uninstall\IRIMG4.JPG
c:\program files\Coupons\Uninstall\IRIMG5.JPG
c:\program files\Coupons\Uninstall\IRIMG6.JPG
c:\program files\Coupons\Uninstall\IRIMG7.JPG
c:\program files\Coupons\Uninstall\IRIMG8.JPG
c:\program files\Coupons\Uninstall\uninstall.dat
c:\program files\Coupons\Uninstall\uninstall.xml
C:\VundoFix Backups
c:\windows\Cache
c:\windows\system32\drivers\xysxbauo.sys
c:\windows\system32\mouizhu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XYSXBAUO
-------\Service_xysxbauo


((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
.

2009-05-03 04:14 . 2009-05-03 04:14 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-03 04:00 . 2009-05-07 20:33 -------- d--h--w C:\$AVG8.VAULT$
2009-05-03 02:44 . 2009-05-03 02:44 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-03 02:44 . 2009-05-03 02:44 12552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-05-03 02:44 . 2009-05-03 02:44 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-03 02:43 . 2009-05-03 02:43 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-03 02:43 . 2009-05-07 21:28 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-03 02:41 . 2009-05-03 02:41 -------- d-----w c:\program files\AVG
2009-05-03 02:41 . 2009-05-07 20:41 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-03 02:32 . 2009-05-03 02:32 -------- d-----w c:\documents and settings\Owner\Application Data\GetRightToGo
2009-05-03 01:22 . 2009-05-03 01:22 -------- d-----w c:\windows\CD95F661A5C444F5A6AAECDD91C240B5.TMP
2009-05-03 00:11 . 2009-05-03 00:11 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-02 23:29 . 2009-05-02 23:29 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-02 23:29 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-02 23:29 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 23:29 . 2009-05-02 23:29 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-02 23:29 . 2009-05-02 23:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-02 23:26 . 2009-05-02 23:26 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-02 23:25 . 2009-05-02 23:26 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-02 23:25 . 2009-05-02 23:25 -------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-05-02 23:25 . 2009-05-02 23:25 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-02 23:25 . 2009-05-02 23:25 -------- d-----w c:\program files\CCleaner
2009-05-02 22:20 . 2009-05-02 22:20 -------- d-----w c:\documents and settings\Owner\Application Data\nwhkuejs
2009-05-02 22:20 . 2009-05-02 22:20 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\nwhkuejs
2009-04-27 16:32 . 2009-04-27 16:32 -------- d-----w c:\documents and settings\NetworkService\Application Data\nwhkuejs
2009-04-27 16:32 . 2009-04-27 16:32 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\nwhkuejs
2009-04-17 11:54 . 2009-03-06 14:44 283648 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 11:54 . 2005-07-26 04:39 60416 -c----w c:\windows\system32\dllcache\colbact.dll
2009-04-17 11:54 . 2009-02-09 10:20 399360 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 11:54 . 2009-02-06 17:14 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 11:54 . 2009-02-09 10:20 473088 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 11:54 . 2009-02-06 16:39 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 11:54 . 2009-02-09 10:20 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 11:54 . 2009-02-09 10:20 616960 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 11:54 . 2009-02-09 10:20 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 11:54 . 2008-04-21 10:02 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-12 02:30 . 2009-04-12 02:30 -------- d-----w c:\program files\Google
2009-04-12 02:30 . 2009-04-12 17:07 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-04-12 02:29 . 2009-04-12 17:07 -------- d-----w c:\program files\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 22:07 . 2002-09-03 16:50 23424 ----a-w c:\windows\system32\drivers\cpwlsxbq.sys
2009-05-07 21:37 . 2002-09-03 16:47 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-29 18:23 . 2007-05-26 04:51 -------- d-----w c:\program files\QUICKENW
2009-03-06 14:44 . 2002-09-03 16:51 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-06-23 15:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2005-07-26 04:31 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2002-09-03 16:39 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2002-09-03 16:49 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2002-09-03 16:27 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2002-09-03 17:11 1846272 ----a-w c:\windows\system32\win32k.sys
2002-09-03 17:07 . 2002-09-03 17:07 94784 --sh--w c:\windows\twain.dll
2004-08-04 07:56 . 2002-09-03 17:07 50688 --sh--w c:\windows\twain_32.dll
2004-08-04 07:56 . 2002-09-03 16:41 1028096 --sh--w c:\windows\system32\mfc42.dll
2004-08-04 07:56 . 2002-09-03 16:46 54784 --sh--w c:\windows\system32\msvcirt.dll
2004-08-04 07:56 . 2002-09-03 16:46 413696 --sh--w c:\windows\system32\msvcp60.dll
2004-08-04 07:56 . 2002-09-03 16:46 343040 --sh--w c:\windows\system32\msvcrt.dll
2007-12-04 18:38 . 2002-09-03 16:51 550912 --sh--w c:\windows\system32\oleaut32.dll
2004-08-04 07:56 . 2002-09-03 16:51 83456 --sh--w c:\windows\system32\olepro32.dll
2004-08-04 07:56 . 2002-09-03 16:56 11776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-01-13 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-01-13 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp psc 900 series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe [2002-9-26 487484]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 02:44 11952 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"39453:TCP"= 39453:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [5/2/2009 10:44 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/2/2009 10:43 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/2/2009 10:44 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/2/2009 10:41 PM 298776]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - XYSXBAUO
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-07 18:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
.
**************************************************************************
.
Completion time: 2009-05-07 18:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-07 22:15
ComboFix2.txt 2009-05-07 21:51

Pre-Run: 51,987,673,088 bytes free
Post-Run: 51,928,125,440 bytes free

189 --- E O F --- 2009-04-29 23:26


Re: Win32/Cryptor [Help Plz]

Post by Belahzur on 7th May 2009, 10:20 pm

Hello.
One more round and we should be done here.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
XYSXBAUO

File::
c:\windows\system32\drivers\cpwlsxbq.sys
c:\windows\system32\pakbvqe.dll

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.



Re: Win32/Cryptor [Help Plz]

Post by Belou on 7th May 2009, 10:33 pm

ComboFix 09-05-07.06 - Owner 05/07/2009 18:23.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254.106 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus *On-access scanning disabled* (Updated)

FILE ::
c:\windows\system32\drivers\cpwlsxbq.sys
c:\windows\system32\pakbvqe.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\cpwlsxbq.sys
c:\windows\system32\pakbvqe.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XYSXBAUO


((((((((((((((((((((((((( Files Created from 2009-04-07 to 2009-05-07 )))))))))))))))))))))))))))))))
.

2009-05-03 04:14 . 2009-05-03 04:14 -------- d-----w c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-05-03 04:00 . 2009-05-07 20:33 -------- d--h--w C:\$AVG8.VAULT$
2009-05-03 02:44 . 2009-05-03 02:44 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-03 02:44 . 2009-05-03 02:44 12552 ----a-w c:\windows\system32\drivers\avgrkx86.sys
2009-05-03 02:44 . 2009-05-03 02:44 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-03 02:43 . 2009-05-03 02:43 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-03 02:43 . 2009-05-07 21:28 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-03 02:41 . 2009-05-03 02:41 -------- d-----w c:\program files\AVG
2009-05-03 02:41 . 2009-05-07 20:41 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-03 02:32 . 2009-05-03 02:32 -------- d-----w c:\documents and settings\Owner\Application Data\GetRightToGo
2009-05-03 01:22 . 2009-05-03 01:22 -------- d-----w c:\windows\CD95F661A5C444F5A6AAECDD91C240B5.TMP
2009-05-03 00:11 . 2009-05-03 00:11 -------- d-----w c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-05-02 23:29 . 2009-05-02 23:29 -------- d-----w c:\documents and settings\Owner\Application Data\Malwarebytes
2009-05-02 23:29 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-02 23:29 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-02 23:29 . 2009-05-02 23:29 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-02 23:29 . 2009-05-02 23:29 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-02 23:26 . 2009-05-02 23:26 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-05-02 23:25 . 2009-05-02 23:26 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-02 23:25 . 2009-05-02 23:25 -------- d-----w c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-05-02 23:25 . 2009-05-02 23:25 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-02 23:25 . 2009-05-02 23:25 -------- d-----w c:\program files\CCleaner
2009-05-02 22:20 . 2009-05-02 22:20 -------- d-----w c:\documents and settings\Owner\Application Data\nwhkuejs
2009-05-02 22:20 . 2009-05-02 22:20 -------- d-----w c:\documents and settings\Owner\Local Settings\Application Data\nwhkuejs
2009-04-27 16:32 . 2009-04-27 16:32 -------- d-----w c:\documents and settings\NetworkService\Application Data\nwhkuejs
2009-04-27 16:32 . 2009-04-27 16:32 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\nwhkuejs
2009-04-17 11:54 . 2009-03-06 14:44 283648 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-17 11:54 . 2005-07-26 04:39 60416 -c----w c:\windows\system32\dllcache\colbact.dll
2009-04-17 11:54 . 2009-02-09 10:20 399360 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 11:54 . 2009-02-06 17:14 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-17 11:54 . 2009-02-09 10:20 473088 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 11:54 . 2009-02-06 16:39 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 11:54 . 2009-02-09 10:20 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 11:54 . 2009-02-09 10:20 616960 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 11:54 . 2009-02-09 10:20 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 11:54 . 2008-04-21 10:02 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-12 02:30 . 2009-04-12 02:30 -------- d-----w c:\program files\Google
2009-04-12 02:30 . 2009-04-12 17:07 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-04-12 02:29 . 2009-04-12 17:07 -------- d-----w c:\program files\NOS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-07 21:37 . 2002-09-03 16:47 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-29 18:23 . 2007-05-26 04:51 -------- d-----w c:\program files\QUICKENW
2009-03-06 14:44 . 2002-09-03 16:51 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2006-06-23 15:33 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 07:56 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2005-07-26 04:31 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2002-09-03 16:39 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2002-09-03 16:49 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2002-09-03 16:27 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2002-09-03 17:11 1846272 ----a-w c:\windows\system32\win32k.sys
2002-09-03 17:07 . 2002-09-03 17:07 94784 --sh--w c:\windows\twain.dll
2004-08-04 07:56 . 2002-09-03 17:07 50688 --sh--w c:\windows\twain_32.dll
2004-08-04 07:56 . 2002-09-03 16:41 1028096 --sh--w c:\windows\system32\mfc42.dll
2004-08-04 07:56 . 2002-09-03 16:46 54784 --sh--w c:\windows\system32\msvcirt.dll
2004-08-04 07:56 . 2002-09-03 16:46 413696 --sh--w c:\windows\system32\msvcp60.dll
2004-08-04 07:56 . 2002-09-03 16:46 343040 --sh--w c:\windows\system32\msvcrt.dll
2007-12-04 18:38 . 2002-09-03 16:51 550912 --sh--w c:\windows\system32\oleaut32.dll
2004-08-04 07:56 . 2002-09-03 16:51 83456 --sh--w c:\windows\system32\olepro32.dll
2004-08-04 07:56 . 2002-09-03 16:56 11776 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-01-13 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-01-13 114688]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-03 1947928]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HPAiODevice(hp psc 900 series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe [2002-9-26 487484]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-03 02:44 11952 ----a-w c:\windows\system32\avgrsstx.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"39453:TCP"= 39453:TCP:@xpsp2res.dll,-22009

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [5/2/2009 10:44 PM 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/2/2009 10:43 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/2/2009 10:44 PM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [4/28/2009 11:33 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/28/2009 11:33 AM 72944]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/2/2009 10:41 PM 298776]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [4/28/2009 11:33 AM 7408]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-07 18:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hposts07.exe
c:\program files\Hewlett-Packard\AiO\Shared\Bin\hpofxm07.exe
.
**************************************************************************
.
Completion time: 2009-05-07 18:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-07 22:31
ComboFix2.txt 2009-05-07 22:16
ComboFix3.txt 2009-05-07 21:51

Pre-Run: 51,934,167,040 bytes free
Post-Run: 51,924,955,136 bytes free

171 --- E O F --- 2009-04-29 23:26


Re: Win32/Cryptor [Help Plz]

Post by Belahzur on 7th May 2009, 10:35 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?



Re: Win32/Cryptor [Help Plz]

Post by Belou on 7th May 2009, 10:37 pm

Machine seems to be running better than before, but to actually say that, should I re-enable AVG 8.5 to see if Resident Shield detects anything?


Re: Win32/Cryptor [Help Plz]

Post by Belahzur on 7th May 2009, 10:45 pm

Yeah, do that. Smile If it picks up anything, let me know where.



Re: Win32/Cryptor [Help Plz]

Post by Belou on 7th May 2009, 10:52 pm

THANK YOU SO MUCH! I APPRECIATE THE HELP! GREAT FORUM! GREAT STAFF!

NOTHING, IT'S FINALLY CLEAR... ONE MORE QUESTION (SORTA OFF TOPIC) BUT IS THERE SOMETHING I CAN DO SOFTWARE-WISE TO FREE UP SOME RAM? THIS COMPUTER RUNS SORTA SLOW. I THOUGHT MAYBE IT WAS BECAUSE OF THE VIRUS BUT THAT'S NOT THE CASE!!!


Re: Win32/Cryptor [Help Plz]

Post by Belahzur on 7th May 2009, 11:01 pm

Probably the startup stuff.

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


