Win 32/Cryptor - added HijackThis logfile as instructed


Post by barb999 on 9th May 2009, 4:01 am

Hello from the deep South, USA.

I am being misdirected to sites after Yahoo or Google searches. I ran AVG and saw the Win32/Cryptor listed as a virus. I have updated Java & IE 8. Now, my computer won't keep an IE open when going from Yahoo. Only from my address book. I am running XP. I have tried to do a "system restore" and it won't go back. I will welcome any and all help.

Thanks!!!!

I tried to get on your website at least a dozen times, the site would open, as soon as I hit a couple of keystrokes, the site would close. All of a sudden it is letting me stay on. All my systems are updated per your instructions. Here is the log I ran last night.

HiJack log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06:51 PM, on 5/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\Restore\rstrui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner.YOUR-20E2EF4B33\Local Settings\Temporary Internet Files\Content.IE5\H1JFQHT8\Hijack(GP)This[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SMSERIAL] "C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\WebrootSecurity\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (file missing)
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe

--
End of file - 10523 bytes


Last edited by barb999 on 9th May 2009, 12:28 pm; edited 1 time in total
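Reading a HijackThis log by hand, as the helpers in this thread do, comes down to grouping lines by section code and looking first at the entries the tool could not attribute. The script below is an added example written for this page, not code from the thread or from HijackThis. It parses constructed lines in the same shape as the log above (section code, then " - ", then a section payload) and flags what an analyst reads first: Winsock LSP entries HJT does not recognise (O10), services whose binary is missing (O23), Winlogon Notify DLLs (O20), and autoruns or running processes launched from a temp or profile directory, which is exactly how the log above shows HijackThis itself running out of IE's Temporary Internet Files. The sample lines, the [updater] autorun and its svc.exe path are constructed; the heuristics are mine and give a reading order, not a verdict.

```python
"""Offline triage of a HijackThis v2 log (added example, not HJT's code)."""
import re
from collections import Counter

# Constructed sample in the shape of the HJT v2.0.2 log posted above.
# The "[updater]" autorun under Local Settings\Temp is the planted indicator.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\H1JFQHT8\Hijack(GP)This[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example.invalid/
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\svc.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (file missing)
"""

# Every HJT finding is "<code> - <payload>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.*)$")
# O23 payload: "Service: Display (ShortName) - Vendor - Path[ (file missing)]".
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.*?)(?: \((?P<name>[^()]+)\))? - (?P<vendor>.*?) - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# Directories a legitimate autorun or service almost never lives in.
SUSPICIOUS_DIR_RE = re.compile(
    r"\\(?:temp|temporary internet files|local settings|application data)\\", re.I
)


def parse_entries(log_text):
    """Yield (code, body) for every Rn/Fn/On finding line; skip everything else."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def running_processes(log_text):
    """Return the paths under 'Running processes:' (the block ends at a blank line)."""
    procs, in_block = [], False
    for line in log_text.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
            continue
        if in_block:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def triage(log_text):
    """Group findings by section and pull out the entries worth reading first."""
    findings = {
        "counts": Counter(),             # how many lines per section code
        "lsp_unknown": Counter(),        # O10 DLLs HJT could not attribute (and how often)
        "services_missing": [],          # O23 services whose binary is gone
        "winlogon_notify": [],           # O20 DLLs loaded by winlogon: read every one
        "suspicious_autoruns": [],       # O4 entries starting from temp/profile dirs
        "suspicious_processes": [
            p for p in running_processes(log_text) if SUSPICIOUS_DIR_RE.search(p)
        ],
    }
    for code, body in parse_entries(log_text):
        findings["counts"][code] += 1
        if code == "O10" and body.startswith("Unknown file in Winsock LSP: "):
            findings["lsp_unknown"][body.split(": ", 1)[1]] += 1
        elif code == "O20":
            findings["winlogon_notify"].append(body)
        elif code == "O23":
            m = SERVICE_RE.match(body)
            if m and m.group("missing"):
                findings["services_missing"].append(m.group("name") or m.group("display"))
        elif code == "O4" and SUSPICIOUS_DIR_RE.search(body):
            findings["suspicious_autoruns"].append(body)
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

An O10 "Unknown file" line only means the DLL is not on HJT's whitelist; in the log above the O23 section attributes bmwebcfg.exe to Bytemobile, which is the kind of cross-reference this grouping makes easy. The same goes for the O20 entry: it is listed so it gets read, not because it is malicious.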


Post by Doctor Inferno on 9th May 2009, 4:10 am

Hello,

Please read this topic:

[You must be registered and logged in to see this link.]

Before we can help you.



Post by Belahzur on 9th May 2009, 1:54 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.



Post by barb999 on 9th May 2009, 2:06 pm

I Downloaded Avenger & then clicked on it. I got this message.

---------------------------
C:\Documents and Settings\Owner.YOUR-20E2EF4B33\My Documents\Downloads\avenger\avenger.exe
---------------------------
C:\Documents and Settings\Owner.YOUR-20E2EF4B33\My Documents\Downloads\avenger\avenger.exe is not a valid Win32 application.


---------------------------
OK
---------------------------


Post by Belahzur on 9th May 2009, 2:25 pm


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Post by barb999 on 11th May 2009, 3:09 am

I finally got Avenger to run. The report is:

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.

I downloaded Combofix. I can click on it all day and it does nothing. During this time that I couldn't get anything to work, I downloaded the Shield virus program. Figured it was worth a try. It did give me a different name (Trojan.FakeAV.KI) of the infection than AVG (win32/cryptor). It still won't remove the 27 infected files I have.

I am ready for your next command. This country girl needs some big time help.


Post by Belahzur on 11th May 2009, 12:00 pm

Well, the good news is that if there is a rootkit, its main driver isn't running; otherwise the Avenger would have stopped it.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Post by barb999 on 11th May 2009, 1:37 pm

I have downloaded Mbam but when I click "run" nothing happens.

These are two of the files that my virus program lists as being infected. Not fun trying to type stuff that doesn't look right. I've triple checked for accuracy.

globalroot\systemroot\system32\uacnklvmpncxmjxtqs.dll
globalroot\systemroot\system32\uacmdcqiuspnysrta.dll


Post by Belahzur on 11th May 2009, 1:47 pm

Hello.
Well at least we know it's the UAC version of the rootkit. See this guide here:
[You must be registered and logged in to see this link.]

Follow the guide and see if it comes up with the main driver file in the rootrepeal scan. The main driver will be something like this:

C:\Windows\system32\drivers\UAC-----.sys

Note: the ---- stand for random letters, but the main driver always starts with "UAC"

If you find it, wipe the file by following the guide.



Post by barb999 on 11th May 2009, 2:32 pm

This is really a bad guy. I downloaded RootRepeal. It found nothing when I scanned the "Files", so I ran a scan on "drivers". The UAC file was found immediately. I like the way RootRepeal showed the hidden file in RED. I clicked on the UAC.sys file and said "Wipe". RR said it was wiped, but MBam still wouldn't run. I reopened RR, ran the driver scan again. The file was still there. I chose "force delete" this time. Tried Mbam again. Still won't run. Ran RootRepeal again. The driver is still there.

Next?????


Post by Belahzur on 11th May 2009, 2:40 pm

Can you note down the exact spelling of that driver .sys file? We got the Avenger running, and the UAC variant uses a static name, so that doesn't change.

We can use the Avenger to delete the driver and file, but I need the exact spelling first.



Post by barb999 on 11th May 2009, 2:43 pm

I saved the file. This is a cut & paste from the report

Name: UACvkowxnsswrumhsu.sys
Image Path: C:\WINDOWS\system32\drivers\UACvkowxnsswrumhsu.sys
Address: 0x9AF33000 Size: 77824 File Visible: -
Status: Hidden from Windows API!


Post by Belahzur on 11th May 2009, 2:46 pm

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACvkowxnsswrumhsu.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.


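The RootRepeal record barb999 pasted ("Status: Hidden from Windows API!") and the two-section Avenger script above are the two halves of one technique: find a driver the kernel is running but the file API cannot see, then remove both its service entry and its file. The script below is an added example written for this page, not RootRepeal's, The Avenger's or the forum's code. It simulates the cross-view check offline on three constructed lists (loaded drivers, API-visible files, service ImagePaths), applies the "UAC" plus random-letters name heuristic Belahzur describes, and emits an Avenger script in the posted format. The UACd.sys service name and the UACvkowxnsswrumhsu.sys path are the ones from the thread; C:\WINDOWS as system root, the benign ntfs.sys and i8042prt.sys entries, and the definition of "hidden" as "loaded but absent from the API listing" are my assumptions.

```python
"""Cross-view detection of a hidden driver plus Avenger script generation.
Added example; the three views below are constructed, not captured data."""
import re

SYSTEM_ROOT = r"C:\WINDOWS"  # assumed; matches the Platform line in the HJT log

# Low-level view (constructed): what a kernel-mode module enumeration returns.
LOADED_DRIVERS = [
    {"name": "ntfs.sys", "image": r"\SystemRoot\system32\drivers\ntfs.sys"},
    {"name": "i8042prt.sys", "image": r"\SystemRoot\system32\drivers\i8042prt.sys"},
    {"name": "UACvkowxnsswrumhsu.sys",
     "image": r"\systemroot\system32\drivers\UACvkowxnsswrumhsu.sys"},
]

# High-level view (constructed): what FindFirstFile/FindNextFile reports for
# the drivers directory while the rootkit's filter hides its own file.
API_VISIBLE_FILES = {
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\drivers\i8042prt.sys",
}

# Services view (constructed): registry service key -> ImagePath. The key is
# the static name UACd.sys; only the file name is randomised.
SERVICES = {
    "Ntfs": r"system32\drivers\ntfs.sys",
    "i8042prt": r"system32\drivers\i8042prt.sys",
    "UACd.sys": r"\systemroot\system32\drivers\UACvkowxnsswrumhsu.sys",
}

# Name heuristic from the thread: "UAC" followed by a run of random letters.
UAC_FAMILY_RE = re.compile(r"^uac[a-z]{6,}\.(?:sys|dll)$", re.IGNORECASE)


def resolve(path, system_root=SYSTEM_ROOT):
    """Turn a kernel-style ImagePath into a drive path, case preserved."""
    p = path.strip()
    low = p.lower()
    if low.startswith("\\systemroot\\"):          # \SystemRoot\... -> C:\WINDOWS\...
        return system_root + p[len("\\systemroot"):]
    if low.startswith("\\??\\"):                  # \??\C:\... -> C:\...
        return p[4:]
    if re.match(r"^[a-z]:\\", low):               # already a drive path
        return p
    return system_root + "\\" + p                 # relative to the system root


def find_hidden_drivers(loaded, api_visible):
    """Cross-view diff: loaded drivers whose image the file API does not list."""
    visible = {resolve(f).lower() for f in api_visible}
    return [d for d in loaded if resolve(d["image"]).lower() not in visible]


def looks_like_uac_family(filename):
    """True for names shaped like UACvkowxnsswrumhsu.sys or uacnklvmpncxmjxtqs.dll."""
    return bool(UAC_FAMILY_RE.match(filename))


def service_names_for(services, image):
    """Registry service keys whose ImagePath resolves to the given file."""
    target = resolve(image).lower()
    return [name for name, ip in services.items() if resolve(ip).lower() == target]


def build_avenger_script(services, hidden):
    """Emit the two-section script in the format posted above.

    'Drivers to delete' takes the registry service name (UACd.sys), which is
    what the kernel registered; 'Files to delete' takes the on-disk path.
    """
    drivers, files = [], []
    for d in hidden:
        drivers.extend(service_names_for(services, d["image"]))
        files.append(resolve(d["image"]))
    return "\n".join(["Drivers to delete:", *drivers, "", "Files to delete:", *files]) + "\n"


if __name__ == "__main__":
    hidden = find_hidden_drivers(LOADED_DRIVERS, API_VISIBLE_FILES)
    for d in hidden:
        tag = "UAC-family name" if looks_like_uac_family(d["name"]) else "unknown name"
        print(f"hidden driver: {d['name']} ({tag}) -> {resolve(d['image'])}")
    print(build_avenger_script(SERVICES, hidden))
```

The point the script makes explicit is why the Avenger script has two sections: wiping the file with another tool does not unregister the driver, and the service entry alone is enough to reload it at boot, so both lines are needed. If the file is already gone when the script runs, only the driver line can succeed; the file line then reports a not-found error rather than a deletion.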

Post by barb999 on 11th May 2009, 3:19 pm

Avenger ran great. Following is the report. As my computer came back up, the Shield Deluxe Virus Alert showed that it had blocked 4 viruses affecting my computer. All started as Trojan.FakeAV.KI. The small virus alert box would not show me more text, nor could I figure out how to copy it.

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "UACd.sys" found!
ImagePath: \systemroot\system32\drivers\UACvkowxnsswrumhsu.sys
Driver disabled successfully.

Rootkit scan completed.

Driver "UACd.sys" deleted successfully.

Error: file "C:\WINDOWS\system32\drivers\UACvkowxnsswrumhsu.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\UACvkowxnsswrumhsu.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

BTW.... Every time I have sent you a message, my Internet Explorer has closed down & I can only access you through my Outlook address book where I have your website noted. Seems the bad guys know about you and are taking steps to prevent you from helping others.


Post by Belahzur on 11th May 2009, 3:21 pm

Sad to say, we have been expecting for a long time that malware would try to block our site.

The driver is active again, but killed now.
See if you can run MBAM now.



Post by barb999 on 11th May 2009, 3:31 pm

I reran RootRepeal and the hidden file is GONE!!!! Thought everything was okay so I clicked on IE and it opened 23 screens. I think it is mad at me for trying to get rid of the problem child. So far, nothing else seems to be going on. I am running Shield Plus as a full system scan for viruses. This will take all day on my computer.

I ran Mbam all the way to execution and have started it scanning my whole system. Hope the Shield & Malware don't have a problem meeting each other in the middle. lol If I have more problems I will add a posting to this string.

Thank you for all your help. You guys are the greatest. I will be making a donation.


Post by Belahzur on 11th May 2009, 3:37 pm

Hello.
Don't be surprised, we've only put a stop to the main driver; you still have problems right now because all of the other files related to the UACd.sys are still on your machine.

As we clean more and more, you'll get less problems.



Post by barb999 on 12th May 2009, 1:40 pm

My virus scans showed Trojan files in the System Restore that could not be removed. For the past few days I could not use System Restore, nor could I set a new Restore Point. I was able to do a Restore Point today. Before I found this website, another help website advised me to delete my restore points. I did it, but wish I hadn't. Perhaps it would have let me go back to a non infected computer.

I thought that today I would go through all the commands you have given me, just to make sure I am clean. When going to the Hijack download, I got a new surprise.

Direct Download site Now...is this right???
[You must be registered and logged in to see this link.]

Second site:
[You must be registered and logged in to see this link.]

Third site - has a tab for Hijack this
[You must be registered and logged in to see this link.]


Post by barb999 on 12th May 2009, 1:52 pm

I am still having some problems with misdirecting & websites closing down. Not nearly as bad as when I started, but not right yet. Thanks to all this, I now have 2 new Anti Virus programs on my pc....Probably have to get rid of one of them. My pc is very, very slow.

Results of the most current HiJackThis file (I found where I had saved the original download on my computer & ran it)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:11 AM, on 5/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\bdagent.exe
C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\PCSecurityShield\BitDefender 2009\seccenter.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: The Shield Deluxe 2009 Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\PCSecurityShield\BitDefender 2009\IEToolbar.dll
O4 - HKLM\..\Run: [SMSERIAL] "C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\PCSecurityShield\BitDefender 2009\bdagent.exe"
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\PCSecurityShield\BitDefender 2009\IEShow.exe"
O4 - HKLM\..\Run: [ParetoLogic Anti-Virus PLUS] "C:\Program Files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe" -NM -hidesplash
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inethttpfilter.dll
O15 - Trusted Zone: [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - [You must be registered and logged in to see this link.]
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: The Shield Deluxe 2009 Arrakis Server (Arrakis3) - Unknown owner - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: The Shield Deluxe 2009 Desktop Update Service (LIVESRV) - PCSecurityShield - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: The Shield Deluxe 2009 Virus Shield (VSSERV) - PCSecurityShield - C:\Program Files\PCSecurityShield\BitDefender 2009\vsserv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Unknown owner - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe (file missing)
O23 - Service: plasservice (ZeppelinService) - ParetoLogic Inc. - C:\Program Files\Common Files\ParetoLogic\PLAS\plasservice.exe

--
End of file - 11501 bytes

barb999
Novice
Posts: 19
Joined: 2009-05-09
OS: xp
Points: 27741
Likes: 0

Re: Win 32/Cryptor - added Hijack logfiile as instructed

Post by Belahzur on 12th May 2009, 2:01 pm

It's okay, stay strong and we'll beat this together. I have a feeling there's another infection called Goored here, but we'll get that later, it's not serious.

If you ran MBAM, please post the log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245111
Likes: 1

Re: Win 32/Cryptor - added Hijack logfiile as instructed

Post by barb999 on 12th May 2009, 9:52 pm

Well, wonder where drafts go????? I'll try again

mbam log:

Malwarebytes' Anti-Malware 1.36
Database version: 2109
Windows 5.1.2600 Service Pack 3

5/12/2009 4:35:24 PM
mbam-log-2009-05-12 (16-34-59).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 853177
Time elapsed: 5 hour(s), 59 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot (Rogue.SpywareBot) -> No action taken.

Files Infected:
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP0\A0001027.dll (Spyware.OnlineGames) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\SpywareBot on the Web.lnk (Rogue.SpywareBot) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\SpywareBot\Uninstall SpywareBot.lnk (Rogue.SpywareBot) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.


As this was running, one of my anti virus programs, The Shield Deluxe, quarantined the following 3 items:

Backdoor.Generic (docs & settings UAC3573.tmp)
Trojan.Script.33021 (system restore)
Trojan.FakeAV.KI (system restore)

What should be my next step?


Re: Win 32/Cryptor - added Hijack logfiile as instructed

Post by Belahzur on 12th May 2009, 10:03 pm

Hello.
Did you get that log BEFORE removing everything? MBAM says "No action taken"





Re: Win 32/Cryptor - added Hijack logfiile as instructed

Post by barb999 on 12th May 2009, 10:41 pm

It didn't give me an option to remove anything. I was gone when it completed and had to resume my computer when I returned. All I saw was the log. Do you want me to run again?

I was able to run Combofix. This is the log from it. I saw while it was running that it deleted at least 2 files with UAC as part of the file name. The file was too large to attach as 1 item. I'll send it in multiple postings.

ComboFix 09-05-12.04 - Owner 05/12/2009 17:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1327 [GMT -5:00]
Running from: c:\documents and settings\Owner.YOUR-20E2EF4B33\My Documents\Downloads\ComboFix3.exe
AV: The Shield Deluxe 2009 Antivirus *On-access scanning enabled* (Updated)
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner.YOUR-20E2EF4B33\Application Data\inst.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\UACftoqvxbnrowlipr.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACpuloepasvpqwmyx.db
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-04-12 to 2009-05-12 )))))))))))))))))))))))))))))))
.

2009-05-12 21:59 . 2009-05-12 22:18 -------- d-----w C:\ComboFix
2009-05-12 21:59 . 2009-05-12 21:55 389120 ----a-w c:\windows\system32\CF5838.exe
2009-05-11 15:28 . 2009-05-11 15:28 -------- d-----w c:\documents and settings\Owner.YOUR-20E2EF4B33\Application Data\Malwarebytes
2009-05-11 15:28 . 2009-04-06 20:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-11 15:28 . 2009-04-06 20:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-11 15:28 . 2009-05-11 15:28 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-11 15:28 . 2009-05-11 15:28 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-11 15:06 . 2009-05-12 14:14 21643808 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-05-11 15:06 . 2009-05-12 22:30 31008 --sha-w c:\windows\system32\drivers\fidbox2.dat
2009-05-11 13:05 . 2009-05-11 13:05 -------- d-----w c:\program files\XoftSpySE
2009-05-11 12:29 . 2009-05-11 12:29 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic Anti-Virus PLUS
2009-05-11 12:29 . 2009-05-11 12:29 -------- d-----w c:\program files\Common Files\ParetoLogic
2009-05-11 12:29 . 2009-05-11 12:29 -------- d-----w c:\program files\ParetoLogic
2009-05-11 12:29 . 2009-05-11 12:29 -------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
2009-05-11 12:27 . 2009-05-11 12:27 -------- d-----w c:\documents and settings\Owner.YOUR-20E2EF4B33\Local Settings\Application Data\Downloaded Installations
2009-05-10 19:32 . 2009-05-12 14:47 81984 ----a-w c:\windows\system32\bdod.bin
2009-05-10 19:10 . 2009-05-10 19:10 -------- d-----w c:\documents and settings\Owner.YOUR-20E2EF4B33\Application Data\BitDefender
2009-05-10 19:10 . 2009-05-10 19:13 -------- d-----w c:\documents and settings\All Users\Application Data\BitDefender
2009-05-10 19:10 . 2009-05-10 19:10 -------- d-----w c:\program files\PCSecurityShield
2009-05-10 19:06 . 2009-05-10 19:10 -------- d-----w c:\program files\Common Files\BitDefender
2009-05-10 13:08 . 2009-05-10 13:08 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-10 13:07 . 2009-05-10 13:07 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-05-10 02:39 . 2009-03-24 21:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-09 23:58 . 2009-05-10 00:05 -------- d-----w c:\documents and settings\Owner.YOUR-20E2EF4B33\.housecall6.6
2009-05-09 15:40 . 2009-05-09 15:40 -------- d-----w c:\documents and settings\All Users\Application Data\SITEguard
2009-05-09 15:40 . 2009-05-09 15:40 -------- d-----w c:\program files\Common Files\iS3
2009-05-09 15:40 . 2009-05-10 00:55 -------- d-----w c:\documents and settings\All Users\Application Data\STOPzilla!
2009-05-09 03:28 . 2009-05-09 03:28 -------- d-sh--w c:\documents and settings\Owner.YOUR-20E2EF4B33\PrivacIE
2009-05-09 03:28 . 2009-05-09 03:28 -------- d-sh--w c:\documents and settings\Owner.YOUR-20E2EF4B33\IECompatCache
2009-05-09 03:18 . 2009-05-09 03:18 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-05-09 03:18 . 2009-05-09 03:18 -------- d-sh--w c:\documents and settings\Owner.YOUR-20E2EF4B33\IETldCache
2009-05-09 03:11 . 2009-05-09 03:11 -------- d-----w c:\windows\ie8updates
2009-05-09 03:11 . 2009-04-25 05:30 102400 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-09 03:10 . 2009-05-09 03:10 -------- dc-h--w c:\windows\ie8
2009-05-09 02:53 . 2009-05-09 02:53 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-09 02:51 . 2009-05-09 02:52 -------- d-----w c:\program files\Common Files\Adobe
2009-05-09 02:49 . 2009-05-09 03:18 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-05-09 02:49 . 2009-05-09 03:18 -------- d-----w c:\program files\NOS
2009-05-08 17:28 . 2009-05-08 17:28 -------- d-----w c:\program files\Webroot
2009-05-08 17:22 . 2009-05-09 02:38 410984 ----a-w c:\windows\system32\deploytk.dll
2009-05-08 02:38 . 2009-05-08 02:38 -------- d-----w c:\program files\MSSOAP
2009-05-08 02:38 . 2009-05-08 18:16 164 ----a-w c:\windows\install.dat
2009-04-27 20:28 . 2002-01-10 08:01 110592 ----a-w c:\windows\system32\tsccvid.dll
2009-04-27 20:23 . 2009-04-27 20:23 -------- d-----w c:\program files\Electric Quilt Company
2009-04-15 11:39 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 11:39 . 2009-02-06 10:39 35328 -c----w c:\windows\system32\dllcache\sc.exe
2009-04-15 11:39 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 11:39 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 11:39 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 11:39 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 11:39 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 11:39 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 11:39 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 11:39 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-15 11:38 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 11:38 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe


Re: Win 32/Cryptor - added Hijack logfiile as instructed

Post by barb999 on 12th May 2009, 10:42 pm

Part 2 of Combofix Log file:

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-12 14:14 . 2009-05-11 15:06 2228 --sha-w c:\windows\system32\drivers\fidbox2.idx
2009-05-12 14:14 . 2009-05-11 15:06 13844 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-05-12 13:44 . 2006-11-26 20:17 -------- d-----w c:\program files\Trend Micro
2009-05-11 11:46 . 2008-08-25 03:00 -------- d-----w c:\program files\thinkorswim
2009-05-09 02:43 . 2006-09-30 03:14 -------- d-----w c:\program files\Java
2009-04-28 02:04 . 2006-09-30 03:12 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-22 17:35 . 2009-04-20 03:17 -------- d-----w c:\program files\CompuHost
2009-04-13 21:35 . 2006-12-03 02:15 28771 ----a-w c:\windows\hpoins03.dat
2009-04-02 19:30 . 2009-04-02 19:30 176752 ----a-w c:\windows\system32\drivers\ssidrv.sys
2009-04-02 19:30 . 2009-04-02 19:30 23152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2009-04-02 19:30 . 2009-04-02 19:30 29808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2009-04-02 02:39 . 2006-06-19 04:25 75432 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-29 14:21 . 2007-03-07 14:54 -------- d-----w c:\program files\2nd Story Software
2009-03-29 13:39 . 2009-03-29 13:39 -------- d-----w c:\program files\MSBuild
2009-03-29 13:39 . 2009-03-29 13:39 -------- d-----w c:\program files\Reference Assemblies
2009-03-08 09:34 . 2006-06-17 09:23 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2006-06-17 09:23 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 . 2006-06-17 09:23 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2006-06-17 09:23 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:32 . 2006-06-17 09:23 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2006-06-17 09:23 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 . 2006-06-17 09:23 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:31 . 2006-06-17 09:23 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 . 2006-06-17 09:23 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:22 . 2006-06-17 09:23 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2006-06-17 09:23 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-18 19:43 . 2009-02-18 19:43 243024 ----a-w c:\windows\system32\LSPInstall.dll
2009-02-18 19:43 . 2009-02-18 19:43 111960 ----a-w c:\windows\system32\INetHTTPFilter.dll
2006-12-02 00:18 . 2006-12-01 23:18 1890 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-25 101080]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"H/PC Connection Agent"="c:\progra~1\MI3AA1~1\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-05-24 573440]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 602182]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"Corel Photo Downloader"="c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe" [2006-02-09 106496]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"BDAgent"="c:\program files\PCSecurityShield\BitDefender 2009\bdagent.exe" [2009-03-23 778240]
"BitDefender Antiphishing Helper"="c:\program files\PCSecurityShield\BitDefender 2009\IEShow.exe" [2009-03-18 73728]
"ParetoLogic Anti-Virus PLUS"="c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe" [2009-02-18 2659664]

c:\documents and settings\Owner.YOUR-20E2EF4B33\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-7-14 344064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001


Re: Win 32/Cryptor - added Hijack logfiile as instructed

Post by barb999 on 12th May 2009, 10:43 pm

Part 3 of Combofix Log file:


[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mshta.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electric Quilt Company\\EQ6\\EQ6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [4/2/2009 2:30 PM 29808]
R2 ZeppelinService;plasservice;c:\program files\Common Files\ParetoLogic\PLAS\plasservice.exe [2/18/2009 2:40 PM 587216]
R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [9/18/2008 12:09 PM 111112]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [5/11/2009 10:28 AM 38496]
S2 alwybfa;alwybfa;c:\windows\system32\drivers\txnc.sys --> c:\windows\system32\drivers\txnc.sys [?]
S3 ACGPRS;Sierra Wireless 3G Adapter;c:\windows\system32\drivers\acgprs.sys [2/14/2006 3:07 PM 97280]
S3 Arrakis3;The Shield Deluxe 2009 Arrakis Server;c:\program files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe [1/20/2009 7:16 PM 172032]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBAMSWISSARMY

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{310ccff2-c548-11dd-b231-0018de207ca9}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2009-05-11 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS.job
- c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 19:43]

2009-05-11 c:\windows\Tasks\ParetoLogic Anti-Virus PLUS_dbsummary.job
- c:\program files\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe [2009-02-18 19:43]

2009-05-11 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2008-02-22 17:25]

2009-05-11 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2008-02-22 17:25]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\INetHTTPFilter.dll
LSP: bmnet.dll
Trusted Zone: vectorvest.com\www
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-12 17:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(956)
c:\windows\system32\INetHTTPFilter.dll
c:\windows\system32\bmnet.dll
.
Completion time: 2009-05-12 17:33
ComboFix-quarantined-files.txt 2009-05-12 22:32

Pre-Run: 27,529,601,024 bytes free
Post-Run: 28,637,945,856 bytes free

221 --- E O F --- 2009-04-15 14:04


Re: Win 32/Cryptor - added Hijack logfiile as instructed

Post by Belahzur on 12th May 2009, 10:50 pm

Hello.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy).


    :services
    alwybfa

    :files
    c:\\Program Files\\LimeWire

    :reg
    [HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
    "AntiVirusDisableNotify"=-
    [HKEY_LOCAL_MACHINE\\currentcontrolset\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile\\AuthorizedApplications\\List]
    "c:\\\\Program Files\\\\LimeWire\\\\LimeWire.exe"=-


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Win 32/Cryptor - added Hijack logfiile as instructed

Post by barb999 on 12th May 2009, 11:04 pm

========== SERVICES/DRIVERS ==========

Service\\Driver alwybfa deleted successfully.
========== FILES ==========
Folder move failed. c:\\\\Program Files\\\\LimeWire\\root\\magnet10 scheduled to be moved on reboot.
Folder move failed. c:\\\\Program Files\\\\LimeWire\\root scheduled to be moved on reboot.
Folder move failed. c:\\\\Program Files\\\\LimeWire\\lib scheduled to be moved on reboot.
Folder move failed. c:\\\\Program Files\\\\LimeWire\\.NetworkShare scheduled to be moved on reboot.
c:\\\\Program Files\\\\LimeWire moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\\\\software not found.
Registry key HKEY_LOCAL_MACHINE\\\\currentcontrolset not found.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05122009_180245

After the program finished, it asked me if I wanted to reboot? I haven't yet.


Re: Win 32/Cryptor - added Hijack logfiile as instructed

Post by barb999 on 12th May 2009, 11:05 pm

I just saw your command to "reboot" if asked. I am doing so now...be back in a few minutes.


Re: Win 32/Cryptor - added Hijack logfiile as instructed

Post by barb999 on 12th May 2009, 11:16 pm

This is the OTMoveIt3 log after rebooting:

========= SERVICES/DRIVERS ==========

Service\\Driver alwybfa deleted successfully.
========== FILES ==========
Folder move failed. c:\\\\Program Files\\\\LimeWire\\root\\magnet10 scheduled to be moved on reboot.
Folder move failed. c:\\\\Program Files\\\\LimeWire\\root scheduled to be moved on reboot.
Folder move failed. c:\\\\Program Files\\\\LimeWire\\lib scheduled to be moved on reboot.
Folder move failed. c:\\\\Program Files\\\\LimeWire\\.NetworkShare scheduled to be moved on reboot.
c:\\\\Program Files\\\\LimeWire moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\\\\software not found.
Registry key HKEY_LOCAL_MACHINE\\\\currentcontrolset not found.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05122009_180245

Files moved on Reboot...
File c:\\\\Program Files\\\\LimeWire\\root\\magnet10 not found!
File c:\\\\Program Files\\\\LimeWire\\root not found!
File c:\\\\Program Files\\\\LimeWire\\lib not found!
File c:\\\\Program Files\\\\LimeWire\\.NetworkShare not found!

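The OTMoveIt3 procedure above defers folder moves that fail to a reboot pass, and the two logs show the same run before and after that reboot. The Python below is an added example, not code from the thread or from OTMoveIt3: it parses a results log in the format shown (line patterns inferred from the posted lines), reconciles the deferred items against the post-reboot section, and lists what a helper should still confirm by hand. The sample log is the post-reboot log from the thread, copied as it appears there.

```python
"""Reconcile an OTMoveIt3 results log in the format shown in this thread.

Constructed for this page: confirm that every item the script deferred to
reboot was closed out by the post-reboot pass, and surface anything that
still needs a manual check before the cleanup is called finished.
"""
import re
from dataclasses import dataclass, field

# Line shapes seen in the posted OTMoveIt3 logs (inferred from those lines,
# not taken from OTMoveIt3's own source).
RE_SERVICE = re.compile(r"^Service\\+Driver (?P<name>\S+) deleted successfully\.$")
RE_DEFER = re.compile(r"^Folder move failed\. (?P<path>.+?) scheduled to be moved on reboot\.$")
RE_MOVED = re.compile(r"^(?P<path>.+?) moved successfully\.$")
RE_REGKEY = re.compile(r"^Registry key (?P<key>\S+) not found\.$")
RE_REBOOT = re.compile(r"^File (?P<path>.+?) (?P<result>moved successfully|not found)[.!]?$")
REBOOT_MARKER = "Files moved on Reboot"


@dataclass
class Reconciliation:
    services_deleted: list = field(default_factory=list)
    moved: list = field(default_factory=list)
    deferred: list = field(default_factory=list)          # scheduled for reboot
    closed_on_reboot: dict = field(default_factory=dict)  # path -> result text
    reg_keys_not_found: list = field(default_factory=list)

    def still_pending(self) -> list:
        """Deferred items the post-reboot section never reported on."""
        return [p for p in self.deferred if p not in self.closed_on_reboot]

    def review_flags(self) -> list:
        """Points to verify by hand before declaring the machine clean."""
        flags = []
        for key in self.reg_keys_not_found:
            # The log only says the key was not found; it does not say whether
            # the value named in the script is gone, so check that directly.
            flags.append(f"registry key {key} not found: confirm the target value is absent")
        for path in self.still_pending():
            flags.append(f"{path} was deferred to reboot and never closed out")
        return flags

    def summary(self) -> dict:
        return {
            "services": len(self.services_deleted),
            "moved": len(self.moved),
            "deferred": len(self.deferred),
            "closed_on_reboot": len(self.closed_on_reboot),
            "pending": len(self.still_pending()),
            "reg_keys_not_found": len(self.reg_keys_not_found),
        }


def parse_otmoveit_log(text: str) -> Reconciliation:
    """Walk the log once; lines after the reboot marker belong to the reboot pass."""
    rec = Reconciliation()
    in_reboot = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=") or line.startswith("OTMoveIt3 by"):
            continue  # section banners, blank lines, version footer
        if line.startswith(REBOOT_MARKER):
            in_reboot = True
            continue
        if in_reboot:
            m = RE_REBOOT.match(line)
            if m:
                rec.closed_on_reboot[m["path"]] = m["result"]
            continue
        for pattern, bucket in ((RE_SERVICE, rec.services_deleted),
                                (RE_DEFER, rec.deferred),
                                (RE_MOVED, rec.moved),
                                (RE_REGKEY, rec.reg_keys_not_found)):
            m = pattern.match(line)
            if m:
                bucket.append(m.group(1))
                break
    return rec


# Post-reboot log as posted in the thread; the raw string keeps the
# backslashes exactly as they appear there.
SAMPLE_LOG = r"""
========== SERVICES/DRIVERS ==========

Service\\Driver alwybfa deleted successfully.
========== FILES ==========
Folder move failed. c:\\\\Program Files\\\\LimeWire\\root\\magnet10 scheduled to be moved on reboot.
Folder move failed. c:\\\\Program Files\\\\LimeWire\\root scheduled to be moved on reboot.
Folder move failed. c:\\\\Program Files\\\\LimeWire\\lib scheduled to be moved on reboot.
Folder move failed. c:\\\\Program Files\\\\LimeWire\\.NetworkShare scheduled to be moved on reboot.
c:\\\\Program Files\\\\LimeWire moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\\\\software not found.
Registry key HKEY_LOCAL_MACHINE\\\\currentcontrolset not found.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05122009_180245

Files moved on Reboot...
File c:\\\\Program Files\\\\LimeWire\\root\\magnet10 not found!
File c:\\\\Program Files\\\\LimeWire\\root not found!
File c:\\\\Program Files\\\\LimeWire\\lib not found!
File c:\\\\Program Files\\\\LimeWire\\.NetworkShare not found!
"""

if __name__ == "__main__":
    rec = parse_otmoveit_log(SAMPLE_LOG)
    print(rec.summary())
    for flag in rec.review_flags():
        print("REVIEW:", flag)
```

A deferred item reported "not found" at reboot simply means nothing was left to move, as with the LimeWire subfolders once the parent folder had gone; a deferred item with no reboot line at all is the case the `pending` count is there to catch.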

Re: Win 32/Cryptor - added Hijack logfiile as instructed

Post by barb999 on 13th May 2009, 12:52 pm

Man, has this been a trial???? I have run so many reports that I forget which ones I have done. One of them exposed SpyBot files and I deleted them.

RootRepeal Drivers report Part 1 - a to l

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/05/13 07:45
Program Version: Version 1.2.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================


Re: Win 32/Cryptor - added Hijack logfiile as instructed

Post by barb999 on 13th May 2009, 12:53 pm

RootRepeal Rpt 2 m to z


Re: Win 32/Cryptor - added Hijack logfiile as instructed

Post by Belahzur on 13th May 2009, 12:57 pm

You don't need to run RootRepeal now, the malware is gone.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.

