win32/cryptor

win32/cryptor

Post by albertskoh on Wed May 13, 2009 11:56 pm

I ran AVG and it detected win32/cryptor but couldn't delete the files, and now every time I click a link in Google it redirects me to another site, and Malwarebytes and SUPERAntiSpyware won't load when I double-click them.

There's the logfile from HijackThis:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:53:26 PM, on 5/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\Comodo\comodo internet security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\windows\rthdcpl.exe
c:\windows\system32\rundll32.exe
c:\program files\cyberlink\powerdvd\pdvdserv.exe
c:\progra~1\cyberl~1\instan~1\win2k\iburn.exe
c:\windows\system32\rundll32.exe
d:\program files\hp\hp software update\hpwuschd2.exe
c:\program files\microsoft office\office12\groovemonitor.exe
d:\program files\itunes\ituneshelper.exe
c:\program files\comodo\comodo internet security\cfp.exe
c:\program files\windows defender\msascui.exe
c:\progra~1\avg\avg8\avgtray.exe
c:\program files\messenger\msmsgs.exe
c:\program files\aim6\aim6.exe
c:\windows\system32\ctfmon.exe
c:\program files\iobit\advanced systemcare 3\awc.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\spybot - search & destroy\teatimer.exe
d:\program files\hp\digital imaging\bin\hpqtra08.exe
d:\program files\logitech\setpoint\setpoint.exe
c:\program files\AIM6\aolsoftware.exe
d:\program files\microtek\scannerfinder.exe
c:\program files\google\web accelerator\googlewebaccwarden.exe
c:\program files\common files\logishrd\khal2\khalmnpr.exe
c:\program files\google\web accelerator\googlewebaccclient.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\stardock\objectdock\objectdock.exe
d:\program files\widgets\yahoowidgets.exe
D:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
d:\program files\widgets\yahoowidgets.exe
d:\program files\widgets\yahoowidgets.exe
c:\program files\mozilla firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
c:\documents and settings\albert\desktop\hijack(gp)this.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = [You must be registered and logged in to see this link.]
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InstantBurn] C:\PROGRA~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "c:\program files\Comodo\comodo internet security\cfp.exe" -h
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.] /HIDEBL
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SuperAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [getofobopu] Rundll32.exe "C:\WINDOWS\system32\zizatewa.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [getofobopu] Rundll32.exe "C:\WINDOWS\system32\zizatewa.dll",s (User 'NETWORK SERVICE')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widgets.lnk = D:\Program Files\Widgets\YahooWidgets.exe
O4 - Global Startup: BD Icon.lnk = C:\Program Files\Sony\BD Icon\BDIcon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = D:\Program Files\Microtek\ScannerFinder.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {E62A8B6B-D91C-457C-B1FB-20CC2D96B4EC} (Comodo AV Scanner ActiveX) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dbbin - dbbin.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BOCore - Unknown owner - C:\Program Files\Comodo\CBOClean\BOCORE.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - c:\program files\Comodo\comodo internet security\cmdagent.exe
O23 - Service: CSIScanner - Unknown owner - C:\Program Files\Prevx\prevx.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - [You must be registered and logged in to see this link.] - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Unknown owner - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10839 bytes


Re: win32/cryptor

Post by Belahzur on Thu May 14, 2009 4:38 am

Hello.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this, otherwise this fix will fail.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint Manager (remove only)
  • Viewpoint Media Player
  • Viewpoint Toolbar

Next,

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F3 - REG:win.ini: load=
    F3 - REG:win.ini: run=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O4 - HKUS\S-1-5-19\..\Run: [getofobopu] Rundll32.exe "C:\WINDOWS\system32\zizatewa.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [getofobopu] Rundll32.exe "C:\WINDOWS\system32\zizatewa.dll",s (User 'NETWORK SERVICE')
    O20 - Winlogon Notify: dbbin - dbbin.dll (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


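An added example, not code from the forum, the helper, or HijackThis itself: a small Python triage script that flags the same classes of HijackThis entries the helper asked to have fixed above (an F2 UserInit value naming anything besides userinit.exe, O4 Run entries under the LOCAL SERVICE and NETWORK SERVICE hives, O20 Winlogon Notify entries whose DLL is missing or given without a path, and O23 services whose binary is missing). The sample log lines embedded in it are constructed for this example and modelled on the thread's log; the start-page URL is a placeholder.

```python
import re
from typing import List, Tuple

# Constructed sample (not the thread's own log): HijackThis-style lines modelled on
# the entries the helper asked to fix, mixed with legitimate ones that must not fire.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [getofobopu] Rundll32.exe "C:\WINDOWS\system32\zizatewa.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [getofobopu] Rundll32.exe "C:\WINDOWS\system32\zizatewa.dll",s (User 'NETWORK SERVICE')
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dbbin - dbbin.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Unknown owner - C:\Program Files\Prevx\prevx.exe (file missing)
"""

# Well-known SIDs of the LOCAL SERVICE and NETWORK SERVICE accounts. Interactive
# software has no reason to register Run entries under these hives, so any such
# entry is worth a look (the thread's zizatewa.dll lines are exactly this case).
SERVICE_ACCOUNT_HIVES = ("S-1-5-19", "S-1-5-20")

Finding = Tuple[str, str, str]  # (section code, reason, raw log line)


def extra_userinit_entries(body: str) -> List[str]:
    """Return everything in a UserInit= value other than userinit.exe itself.

    Winlogon runs each comma-separated program at logon; a second executable
    appended here survives reboots and runs before the shell appears.
    """
    value = body.split("UserInit=", 1)[1]
    entries = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in entries if p.lower().rsplit("\\", 1)[-1] != "userinit.exe"]


def triage_hijackthis(log_text: str) -> List[Finding]:
    """Scan HijackThis output and return the entries that match the thread's fix list."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section, _, body = line.partition(" - ")

        # F2: a UserInit value that launches anything besides userinit.exe.
        if section == "F2" and "UserInit=" in body:
            extras = extra_userinit_entries(body)
            if extras:
                findings.append((section, "extra UserInit executable(s): " + ", ".join(extras), line))

        # O4: Run keys under the service-account hives (HKUS\S-1-5-19, HKUS\S-1-5-20).
        elif section == "O4":
            m = re.match(r"HKUS\\(S-1-5-\d+)\\", body)
            if m and m.group(1) in SERVICE_ACCOUNT_HIVES:
                findings.append((section, f"Run entry under service-account hive {m.group(1)}", line))

        # O20: Winlogon Notify DLLs that are missing or registered by bare name.
        elif section == "O20":
            m = re.match(r"Winlogon Notify: (\S+) - (.*)", body)
            if m:
                target = m.group(2)
                if "(file missing)" in target or "\\" not in target:
                    findings.append((section, "Winlogon Notify DLL missing or given without a full path", line))

        # O23: services whose binary no longer exists (orphaned installs; the helper
        # had these removed in the second round of fixes).
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append((section, "service points at a missing binary", line))

    return findings


if __name__ == "__main__":
    for code, reason, entry in triage_hijackthis(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {entry}")
```

The script deliberately does not touch the registry or delete anything; it only narrows a long log down to the lines a human should look at, which is the step the helper performed by hand in this thread. The NvCpl rundll32 line and the AVG Winlogon Notify entry are included to show that ordinary vendor autostarts pass through unflagged.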

Re: win32/cryptor

Post by albertskoh on Thu May 14, 2009 5:05 am

I got rid of Viewpoint and ran HijackThis and downloaded mbam-setup, but my computer wouldn't let me run it.
I saw the process in the Task Manager but nothing happened.

Here's a new logfile if you need it:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:50 AM, on 5/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\program files\Comodo\comodo internet security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\libusbd-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\ctfmon.exe
c:\windows\rthdcpl.exe
c:\windows\system32\rundll32.exe
c:\program files\cyberlink\powerdvd\pdvdserv.exe
c:\progra~1\cyberl~1\instan~1\win2k\iburn.exe
c:\program files\adobe\reader 8.0\reader\reader_sl.exe
d:\program files\hp\hp software update\hpwuschd2.exe
c:\program files\microsoft office\office12\groovemonitor.exe
c:\windows\system32\rundll32.exe
c:\program files\java\jre6\bin\jusched.exe
d:\program files\itunes\ituneshelper.exe
c:\program files\comodo\comodo internet security\cfp.exe
c:\program files\windows defender\msascui.exe
c:\progra~1\avg\avg8\avgtray.exe
c:\program files\messenger\msmsgs.exe
c:\program files\aim6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\iobit\advanced systemcare 3\awc.exe
c:\program files\spybot - search & destroy\teatimer.exe
d:\program files\hp\digital imaging\bin\hpqtra08.exe
d:\program files\logitech\setpoint\setpoint.exe
d:\program files\microtek\scannerfinder.exe
c:\program files\common files\logishrd\khal2\khalmnpr.exe
c:\program files\google\web accelerator\googlewebaccwarden.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\google\web accelerator\googlewebaccclient.exe
c:\program files\stardock\objectdock\objectdock.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
d:\program files\widgets\yahoowidgets.exe
D:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe
d:\program files\widgets\yahoowidgets.exe
d:\program files\widgets\yahoowidgets.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\spybot - search & destroy\spybotsd.exe
c:\program files\spybot - search & destroy\spybotsd.exe
c:\documents and settings\albert\desktop\mbam-setup.exe
c:\documents and settings\albert\desktop\mbam-setup.exe
c:\program files\mozilla firefox\firefox.exe
C:\WINDOWS\system32\HPZinw12.exe
c:\documents and settings\albert\desktop\hijack(gp)this.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = [You must be registered and logged in to see this link.]
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InstantBurn] C:\PROGRA~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\Itunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Internet Security] "c:\program files\Comodo\comodo internet security\cfp.exe" -h
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.] /HIDEBL
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SuperAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Advanced SystemCare 3] "c:\program files\iobit\advanced systemcare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Startup: Yahoo! Widgets.lnk = D:\Program Files\Widgets\YahooWidgets.exe
O4 - Global Startup: BD Icon.lnk = C:\Program Files\Sony\BD Icon\BDIcon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microtek Scanner Finder.lnk = D:\Program Files\Microtek\ScannerFinder.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {E62A8B6B-D91C-457C-B1FB-20CC2D96B4EC} (Comodo AV Scanner ActiveX) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: dbbin - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BOCore - Unknown owner - C:\Program Files\Comodo\CBOClean\BOCORE.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - c:\program files\Comodo\comodo internet security\cmdagent.exe
O23 - Service: CSIScanner - Unknown owner - C:\Program Files\Prevx\prevx.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - [You must be registered and logged in to see this link.] - C:\WINDOWS\system32\libusbd-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Unknown owner - C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe (file missing)
O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--
End of file - 10817 bytes


Re: win32/cryptor

Post by Belahzur on Thu May 14, 2009 6:35 am

Hello.
Please disable TeaTimer again.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O20 - Winlogon Notify: dbbin - C:\WINDOWS\
    O23 - Service: BOCore - Unknown owner - C:\Program Files\Comodo\CBOClean\BOCORE.exe (file missing)
    O23 - Service: CSIScanner - Unknown owner - C:\Program Files\Prevx\prevx.exe (file missing)
    O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.





Re: win32/cryptor

Post by albertskoh on Thu May 14, 2009 7:39 pm

It said it didn't find anything.
I'm not sure if this info will help, but in the Task Manager I always see an iexplorer process running even when I haven't started Internet Explorer, and there's this file ld08.exe that keeps popping up in C:\Windows.
Starting MBAM still doesn't work either, same with SUPERAntiSpyware.


Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.


Re: win32/cryptor

Post by Belahzur on Thu May 14, 2009 7:53 pm


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Before downloading Combofix, you're going to need to rename it BEFORE downloading it.

  • If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

  • During the download, rename Combofix to Combo-Fix as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.





Re: win32/cryptor

Post by albertskoh on Thu May 14, 2009 9:53 pm

ComboFix 09-05-14.03 - Albert 05/14/2009 18:38.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1518 [GMT -7:00]
Running from: c:\documents and settings\albert\desktop\combo-fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Albert\Application Data\wiaserva.log
c:\windows\system32\AcroIEHelpe7.dll
c:\windows\system32\AcroIEHelpe8.dll
c:\windows\system32\AcroIEHelpe9.dll
c:\windows\system32\drivers\UACpxufybyxwxjcxis.sys
c:\windows\system32\UACeervnnomwwbqxqd.log
c:\windows\system32\UACgwveibdpeclikdw.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkvvdwlrqmttddam.log
c:\windows\system32\UACmrrwxvnssfoewbm.dll
c:\windows\system32\UACnmifjosbtldhqws.log
c:\windows\system32\UACoynmoqoxnrnyxld.dll
c:\windows\system32\UACqxbftivcxalnkxj.dat
c:\windows\system32\UACtmstidsmdvoahor.dll
c:\windows\system32\UACxubmtqlqwwcpbwm.dll
c:\windows\system32\UAs
c:\windows\system32\UAs\AdobeUpdater_UAs001.dat
c:\windows\system32\UAs\aim6_UAs001.dat
c:\windows\system32\UAs\aim6_UAs002.dat
c:\windows\system32\UAs\aim6_UAs003.dat
c:\windows\system32\UAs\aolsoftware_UAs001.dat
c:\windows\system32\UAs\awc_UAs001.dat
c:\windows\system32\UAs\BOC4UPD_UAs001.dat
c:\windows\system32\UAs\BOC4UPD_UAs002.dat
c:\windows\system32\UAs\cfpconfg_UAs001.dat
c:\windows\system32\UAs\cfpconfg_UAs002.dat
c:\windows\system32\UAs\cfpupdat_UAs001.dat
c:\windows\system32\UAs\cfpupdat_UAs002.dat
c:\windows\system32\UAs\Explorer_UAs001.dat
c:\windows\system32\UAs\explorer_UAs002.dat
c:\windows\system32\UAs\Explorer_UAs003.dat
c:\windows\system32\UAs\Explorer_UAs004.dat
c:\windows\system32\UAs\firefox_UAs001.dat
c:\windows\system32\UAs\firefox_UAs002.dat
c:\windows\system32\UAs\genuinecheck_UAs001.dat
c:\windows\system32\UAs\iexplore_UAs001.dat
c:\windows\system32\UAs\iexplore_UAs002.dat
c:\windows\system32\UAs\iexplore_UAs003.dat
c:\windows\system32\UAs\iexplore_UAs004.dat
c:\windows\system32\UAs\iexplore_UAs005.dat
c:\windows\system32\UAs\iexplore_UAs006.dat
c:\windows\system32\UAs\Iexplore_UAs007.dat
c:\windows\system32\UAs\Iexplore_UAs008.dat
c:\windows\system32\UAs\mbam_UAs001.dat
c:\windows\system32\UAs\mcupdmgr_UAs001.dat
c:\windows\system32\UAs\objectdock_UAs001.dat
c:\windows\system32\UAs\objectdock_UAs002.dat
c:\windows\system32\UAs\opera_UAs001.dat
c:\windows\system32\UAs\pctsSvc_UAs001.dat
c:\windows\system32\UAs\power2goexpress_UAs001.dat
c:\windows\system32\UAs\sdsetup_UAs001.dat
c:\windows\system32\UAs\softwareupdate_UAs001.dat
c:\windows\system32\UAs\spybotsd162_UAs001.dat
c:\windows\system32\UAs\ssupdate_UAs001.dat
c:\windows\system32\UAs\superantispyware_UAs001.dat
c:\windows\system32\UAs\superantispyware_UAs002.dat
c:\windows\system32\UAs\superantispyware_UAs003.dat
c:\windows\system32\UAs\svchost_UAs001.dat
c:\windows\system32\UAs\wgasetup_UAs001.dat
c:\windows\system32\UAs\wgatray_UAs001.dat
c:\windows\system32\UAs\wiseregistrycleaner_UAs001.dat
c:\windows\system32\UAs\wiseregistrycleaner_UAs002.dat
c:\windows\system32\UAs\wmplayer_UAs001.dat
c:\windows\system32\UAs\yahoowidgets_UAs001.dat
c:\windows\system32\UAs\yahoowidgets_UAs002.dat
c:\windows\system32\UAs\yahoowidgets_UAs003.dat
c:\windows\system32\UAs\yahoowidgets_UAs004.dat
c:\windows\system32\wbem\grpconv.exe
H:\Autorun.inf

c:\windows\system32\powrprof.dll . . . is infected!!

Infected copy of c:\windows\system32\wininet.dll was found and disinfected
Restored copy from - c:\system volume information\_restore{696ADC2F-383F-490F-AEAB-D5905BD70EE8}\RP424\A0052280.dll


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
.

2009-05-14 02:51 . 2009-05-14 03:12 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-14 02:51 . 2009-05-14 02:51 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-08 17:03 . 2009-05-14 23:45 -------- d--h--w C:\$AVG8.VAULT$
2009-05-08 16:53 . 2009-05-08 16:53 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-08 16:53 . 2009-05-08 16:53 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-08 16:53 . 2009-05-08 16:53 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-08 16:53 . 2009-05-14 23:21 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-08 16:53 . 2009-05-14 23:20 -------- d-----w c:\documents and settings\Albert\Application Data\AVGTOOLBAR
2009-05-08 16:52 . 2009-05-08 16:52 -------- d-----w c:\program files\AVG
2009-05-08 16:52 . 2009-05-08 16:52 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-08 16:42 . 2009-05-08 16:42 -------- d-----w c:\program files\Windows Defender
2009-05-08 16:40 . 2009-05-08 16:40 -------- d-----w c:\documents and settings\Albert\Application Data\IObit
2009-05-08 16:40 . 2009-05-08 16:40 -------- d-----w c:\program files\IObit
2009-05-08 16:19 . 2009-05-08 16:19 22024 ----a-w c:\windows\system32\drivers\pxscan.sys
2009-05-08 16:19 . 2009-05-08 16:19 27656 ----a-w c:\windows\system32\drivers\pxsec.sys
2009-05-08 16:18 . 2009-05-08 16:18 -------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-05-08 15:59 . 2009-05-08 15:59 -------- d-----w c:\windows\system32\796525
2009-05-08 03:07 . 2009-05-08 03:07 -------- d-----w c:\documents and settings\Albert\Local Settings\Application Data\COMODO
2009-05-01 00:46 . 2008-07-14 12:09 205560 ----a-w c:\windows\UNBOC.EXE
2009-05-01 00:46 . 2008-07-14 12:09 212728 ----a-w c:\windows\CMDLIC.DLL
2009-05-01 00:46 . 2009-05-10 03:08 -------- d-----w c:\documents and settings\All Users\Application Data\BOC427
2009-05-01 00:38 . 2009-05-01 02:40 -------- d-----w c:\documents and settings\All Users\Application Data\Comodo
2009-05-01 00:38 . 2009-05-01 00:38 155384 ----a-w c:\windows\system32\guard32.dll
2009-05-01 00:38 . 2009-05-01 00:38 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-05-01 00:38 . 2009-05-01 00:38 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-05-01 00:37 . 2009-05-01 00:37 -------- d-----w c:\documents and settings\Albert\Application Data\Comodo
2009-05-01 00:37 . 2009-05-01 00:37 -------- d-----w c:\documents and settings\All Users\Comodo
2009-05-01 00:37 . 2009-05-13 10:07 -------- d-----w c:\program files\Comodo
2009-04-30 22:33 . 2009-04-30 22:33 -------- d-----w c:\windows\i_setup
2009-04-30 22:22 . 2009-05-15 00:17 -------- d-----w c:\windows\system32\cock
2009-04-30 22:22 . 2009-05-15 01:26 -------- d-----w c:\windows\system32\xmldm
2009-04-30 22:11 . 2009-05-15 01:43 6407 ----a-w c:\windows\system32\krncode.dat
2009-04-30 22:11 . 2009-05-15 01:43 1575 ----a-w c:\windows\system32\pwrcode.dat
2009-04-30 22:11 . 2009-05-15 01:43 19434 ----a-w c:\windows\system32\wincode.dat
2009-04-30 22:11 . 2008-04-14 00:12 17408 ----a-w c:\windows\system32\osysp.dat
2009-04-30 22:11 . 2009-03-21 14:06 989696 ----a-w c:\windows\system32\osysk.dat
2009-04-30 22:11 . 2008-12-20 23:15 826368 ----a-w c:\windows\system32\osysw.dat
2009-04-29 22:11 . 2009-04-30 22:22 7 ----a-w c:\windows\system32\nar.bin
2009-04-29 22:03 . 2009-04-29 22:03 4707 ----a-w c:\windows\system32\z98a.bin
2009-04-27 04:46 . 2009-04-27 04:47 -------- d-----w c:\windows\A8B9466986544126BD28D0D2412CDED6.TMP
2009-04-26 06:23 . 2009-04-26 06:23 -------- d-----w c:\documents and settings\Albert\Local Settings\Application Data\PunkBuster
2009-04-24 22:44 . 2009-04-24 22:44 -------- d-----w c:\program files\Activision

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-14 03:48 . 2008-05-17 19:09 -------- d-----w c:\program files\Java
2009-05-13 10:05 . 2009-04-09 05:59 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-05-13 09:00 . 2009-04-09 05:59 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-05-04 23:21 . 2001-08-23 12:00 21504 ----a-w c:\windows\system32\powrprof.dll
2009-05-03 20:32 . 2001-08-23 12:00 993792 ----a-w c:\windows\system32\sysk.tmp
2009-05-03 20:32 . 2001-08-23 12:00 830464 ----a-w c:\windows\system32\sysw.tmp
2009-05-03 20:32 . 2001-08-23 12:00 21504 ----a-w c:\windows\system32\sysp.tmp
2009-04-30 23:57 . 2009-04-30 23:57 112 ----a-w c:\windows\system32\srvblck2.tmp
2009-04-26 06:24 . 2009-04-09 05:59 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-04-24 23:06 . 2008-03-28 20:33 22328 ----a-w c:\documents and settings\Albert\Application Data\PnkBstrK.sys
2009-04-15 00:48 . 2009-04-15 00:48 -------- d-----w c:\program files\iPod
2009-04-15 00:48 . 2008-03-10 01:30 -------- d-----w c:\program files\Common Files\Apple
2009-04-15 00:47 . 2008-09-09 23:12 -------- d-----w c:\program files\Bonjour
2009-04-15 00:46 . 2009-04-15 00:46 -------- d-----w c:\program files\QuickTime
2009-04-14 08:42 . 2008-03-10 22:04 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-04-10 07:38 . 2009-04-10 07:38 -------- d-----w c:\program files\Bethesda Softworks
2009-04-10 07:24 . 2008-03-09 23:24 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-09 05:59 . 2009-04-09 05:59 2337865 ----a-w c:\windows\system32\pbsvc.exe
2009-04-09 05:49 . 2008-08-01 07:39 -------- d-----w c:\program files\Ubisoft
2009-04-08 22:13 . 2008-03-10 01:25 -------- d-----w c:\program files\Google
2009-04-08 06:28 . 2009-04-08 06:28 -------- d-----w c:\program files\Stardock
2009-04-08 06:28 . 2009-04-08 06:28 -------- d-----w c:\program files\Common Files\Stardock
2009-04-02 01:33 . 2008-07-15 22:13 -------- d-----w c:\program files\DivX
2009-04-02 01:33 . 2009-04-02 01:33 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-26 22:23 . 2008-09-09 23:08 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-26 22:23 . 2008-09-09 23:08 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-23 01:26 . 2009-03-23 01:25 -------- d-----w c:\program files\AIM6
2009-03-23 01:25 . 2008-03-10 01:19 -------- d-----w c:\program files\Common Files\AOL
2009-03-23 01:21 . 2008-03-09 23:15 76312 ----a-w c:\documents and settings\Albert\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-23 01:17 . 2008-03-10 01:26 -------- d-----w c:\program files\Common Files\Adobe
2009-03-23 01:16 . 2009-03-23 01:16 -------- d-----w c:\program files\Adobe Media Player
2009-03-23 01:13 . 2009-03-23 01:13 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-22 17:23 . 2009-03-22 17:23 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-22 15:55 . 2009-03-22 15:55 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-22 15:48 . 2009-03-22 15:46 -------- d-----w c:\program files\Wise Registry Cleaner
2009-03-22 15:39 . 2009-03-22 15:39 -------- d-----w c:\program files\CCleaner
2009-03-19 23:32 . 2008-01-29 19:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 21:18 . 2009-04-14 08:35 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 21:18 . 2009-04-14 08:35 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 21:18 . 2009-04-14 08:34 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 21:18 . 2009-04-14 08:34 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-09 22:27 . 2009-04-14 08:35 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 22:27 . 2009-04-14 08:35 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-03-09 22:27 . 2009-04-14 08:35 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-06 14:22 . 2001-08-23 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 18:09 . 2008-03-09 23:10 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.


Re: win32/cryptor

Post by albertskoh on Thu May 14, 2009 9:54 pm

------- Sigcheck -------

[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\$hf_mig$\KB944533\SP2QFE\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\$NtServicePackUninstall$\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\$NtUninstallKB944533$\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\ie7\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\ie7updates\KB942615-IE7\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\ie7updates\KB944533-IE7\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\ie7updates\KB947864-IE7\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\ie7updates\KB950759-IE7\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\ie7updates\KB953838-IE7\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\ie7updates\KB956390-IE7\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\ie7updates\KB963027-IE7\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2009-03-03 00:18 826368 28775945CCD53DEE280EF58DEA1A94C4 c:\windows\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3gdr\wininet.dll
[7] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3qfe\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2GDR\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2QFE\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\system32\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\system32\dllcache\wininet.dll

[-] 2009-05-15 01:43 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2009-05-15 01:43 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2009-05-15 01:43 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2009-05-15 01:43 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$NtUninstallKB935839$\kernel32.dll
[-] 2009-05-15 01:43 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$NtUninstallKB959426$\kernel32.dll
[-] 2009-05-15 01:43 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2009-05-15 01:43 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\system32\kernel32.dll
[-] 2009-05-15 01:43 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\system32\dllcache\kernel32.dll

[-] 2009-05-15 01:43 21504 7DB82427E29BD2CDE739EF23F82CFCD6 c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2009-05-15 01:43 21504 7DB82427E29BD2CDE739EF23F82CFCD6 c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2009-05-15 01:43 21504 7DB82427E29BD2CDE739EF23F82CFCD6 c:\windows\system32\powrprof.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="d:\program files\SuperAntiSpyware\SUPERAntiSpyware.exe" [2009-05-01 1830128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-04 68856]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Advanced SystemCare 3"="c:\program files\iobit\advanced systemcare 3\AWC.exe" [2009-05-01 2329936]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"InstantBurn"="c:\progra~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2006-06-17 729088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"HP Software Update"="d:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-22 136600]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\quicktime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="d:\program files\Itunes\iTunesHelper.exe" [2009-04-02 342312]
"COMODO Internet Security"="c:\program files\Comodo\comodo internet security\cfp.exe" [2009-05-01 1851128]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-08 1947928]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-12 16132608]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-11-29 55824]

c:\documents and settings\Albert\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-4-7 3450608]
Yahoo! Widgets.lnk - d:\program files\Widgets\YahooWidgets.exe [2007-12-11 3746856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BD Icon.lnk - c:\program files\Sony\BD Icon\BDIcon.exe [2006-6-5 98304]
HP Digital Imaging Monitor.lnk - d:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2008-3-9 789008]
Microtek Scanner Finder.lnk - d:\program files\Microtek\ScannerFinder.exe [2008-3-9 344064]
Run Google Web Accelerator.lnk - c:\program files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-7-9 1134592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SuperAntiSpyware\SASSEH.DLL" [2008-05-22 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 19:30 72208 ----a-w c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-08 16:53 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\CLDMA.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"d:\\Downloads\\My Downloads\\Cool\\steamapps\\snarfoman\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\Itunes\\iTunes.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [3/9/2008 3:48 PM 10368]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [5/8/2009 9:19 AM 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [5/8/2009 9:19 AM 27656]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/8/2009 9:53 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/8/2009 9:53 AM 108552]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [4/30/2009 5:38 PM 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [4/30/2009 5:38 PM 24336]
R1 SASDIFSV;SASDIFSV;d:\program files\SuperAntiSpyware\SASDIFSV.SYS [2/29/2008 4:03 PM 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\SuperAntiSpyware\SASKUTIL.SYS [2/29/2008 4:03 PM 55024]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [3/9/2008 3:45 PM 6656]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/8/2009 9:52 AM 298776]
R2 CLBUDF;CyberLink UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [3/9/2008 3:48 PM 179584]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [3/9/2008 4:32 PM 39424]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [3/9/2008 4:31 PM 105984]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [10/21/2008 8:57 PM 33792]
R3 SASENUM;SASENUM;d:\program files\SuperAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 4096]
S4 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCORE.exe --> c:\program files\Comodo\CBOClean\BOCORE.exe [?]
S4 CSIScanner;CSIScanner;"c:\program files\Prevx\prevx.exe" /service --> c:\program files\Prevx\prevx.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - h:\wd_windows_tools\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
Notify-dbbin - (no file)
SafeBoot-dbbin.sys


.


Re: win32/cryptor

Post by albertskoh on Thu May 14, 2009 9:54 pm

------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {E62A8B6B-D91C-457C-B1FB-20CC2D96B4EC} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Albert\Application Data\Mozilla\Firefox\Profiles\4ht9ejr1.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\Albert\Application Data\Mozilla\Firefox\Profiles\4ht9ejr1.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\Albert\Application Data\Mozilla\Firefox\Profiles\4ht9ejr1.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: d:\program files\DivX\DivX Web Player\npdivx32.dll
FF - plugin: d:\program files\Itunes\Mozilla Plugins\npitunes.dll
FF - plugin: d:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: d:\program files\Opera\program\plugins\npdsplay.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin2.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin3.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin4.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin5.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin6.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin7.dll
FF - plugin: d:\program files\Opera\program\plugins\NPSWF32.dll
FF - plugin: d:\program files\Opera\program\plugins\npwmsdrm.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
.
------- File Associations -------
.
txtfile=c:\windows\NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-14 18:44
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f0,8a,c2,84,86,23,0c,96,33,c9,27,89,94,5c,a4,8b,ba,88,19,3c,f4,f4,a1,
5a,44,4e,da,29,4f,e5,36,67,d6,2e,da,62,f4,c6,91,67,62,86,7c,cd,96,ec,00,6e,\
"??"=hex:3a,35,22,73,28,3f,c8,70,a1,c5,a5,cf,e4,19,8f,9b

[HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:d9,95,a2,d0,59,8a,41,a0,cc,4c,c8,7b,bf,66,8e,9b,09,fe,f6,65,27,
00,ac,d1,e0,ea,ae,3e,e9,14,1e,25,57,69,8b,48,c5,62,8e,1b,7d,50,bf,57,27,5c,\
"rkeysecu"=hex:3b,7a,56,28,ef,95,a6,95,d0,ba,1a,d4,83,91,07,f5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\guard32.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(868)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(2984)
c:\program files\stardock\objectdock\DockShellHook.dll
c:\windows\system32\nview.dll
d:\program files\logitech\setpoint\GameHook.dll
d:\program files\logitech\setpoint\lgscroll.dll
d:\program files\Itunes\iTunesMiniPlayer.dll
d:\program files\Itunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
d:\program files\Itunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Comodo\COMODO Internet Security\cmdagent.exe
c:\windows\system32\BRSS01A.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\libusbd-nt.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\Temp\ldshyf1.old
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
d:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
d:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\program files\AIM6\aolsoftware.exe
c:\windows\system32\msiexec.exe
c:\program files\Google\Web Accelerator\GoogleWebAccClient.exe
c:\windows\system32\HPZinw12.exe
.
**************************************************************************
.
Completion time: 2009-05-15 18:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-15 01:50

Pre-Run: 7,789,871,104 bytes free
Post-Run: 7,956,975,616 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

461 --- E O F --- 2009-05-14 23:32


Re: win32/cryptor

Post by Belahzur on Fri May 15, 2009 4:13 am

Hello.
The malware has done some serious damage; the log came out pretty bad. Do you have your XP disc?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245091
# Likes # Likes : 1


Re: win32/cryptor

Post by albertskoh on Fri May 15, 2009 11:42 am

I think I might.
What should I do with it?


Re: win32/cryptor

Post by Belahzur on Fri May 15, 2009 12:28 pm

Hello.
Please have it standing by; we need to get a file off of it.

  • Open HijackThis.
  • When HijackThis opens, click "Open the Misc Tools section".
  • Then select "Open Uninstall Manager".
  • Click on "Save List..." (this generates uninstall_list.txt).
  • Click Save, then copy and paste the results in your next post.





Re: win32/cryptor

Post by albertskoh on Fri May 15, 2009 6:26 pm

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Anchor Service CS4
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge CS4
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS3
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe Linguistics CS4
Adobe Media Player
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 8.1.2
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Setup
Adobe Shockwave Player
Adobe Stock Photos CS3
Adobe Type Support CS4
Adobe Update Manager CS3
Adobe Update Manager CS4
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Advanced SystemCare 3
Advanced Video FX Utility
AIM 6
Apple Mobile Device Support
Apple Software Update
Atheros Communications Inc.(R) L1 Gigabit Ethernet Driver
AVG Free 8.5
BD Solution
BOClean
Bonjour
Brother HL-5170DN
Call of Duty(R) 4 - Modern Warfare(TM)
Call of Duty(R) 4 - Modern Warfare(TM) 1.2 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch
CCleaner (remove only)
CDDRV_Installer
Comodo AV Scanner 1.0.1.14
COMODO Internet Security
Connect
Critical Update for Windows Media Player 11 (KB959772)
CyberLink InstantBurn
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
Get Yahoo! Messenger
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Web Accelerator
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Deskjet 6900 series
HP Extended Capabilities 6.0
HP Imaging Device Functions 6.0
HP Photosmart Essential
HP Software Update
HP Solution Center and Imaging Support Tools 6.0
iTunes
Java(TM) 6 Update 11
KhalInstallWrapper
kuler
LabelPrint 1.0
LibUSB-Win32-0.1.10.1
LimeWire 4.18.6
Logitech SetPoint
Magic ISO Maker v5.5 (build 0272)
Malwarebytes' Anti-Malware
MediaShow 3.0
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE Redistributable
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB925673)
Nokia Connectivity Cable Driver
NVIDIA Drivers
NVIDIA PhysX v8.04.25
ObjectDock
Opera 9.51
Paint.NET v3.35
PC Connectivity Solution
PDF Settings CS4
PhotoNow! 1.0
Photoshop Camera Raw
Power2Go 5.0
PowerBackup 2.5
PowerDirector
PowerDVD
PowerDVD Copy 1.0
PowerProducer BD Edition
PunkBuster Services
QuickTime
Realtek High Definition Audio Driver
ScanWizard 5
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB960003)
Security Update for Microsoft Office Excel 2007 (KB959997)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Sony BD Icon
Spybot - Search & Destroy
Suite Shared Configuration CS4
SUPERAntiSpyware Free Edition
TI Connect 1.6
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Outlook 2007 Junk Email Filter (kb968503)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
VoiceOver Kit
WD Diagnostics
Windows Communication Foundation
Windows Defender
Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 3
WinRAR archiver
Wise Registry Cleaner 4 Free 4.2
Yahoo! Widgets


Re: win32/cryptor

Post by Belahzur on Fri May 15, 2009 6:45 pm

Hello.

I see that you are running LimeWire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If LimeWire is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • Adobe Reader 8.1.2
  • Java(TM) 6 Update 11
  • LimeWire 4.18.6

Now insert your XP disc and leave it in until I say so.

Go to Start > My Computer. Check what letter your CD drive is, because you'll need to know this for this next fix to work.
Once you know what letter it is, go to Start > Run. In the Run box, type in cmd and hit Enter.

When the cmd box opens, type this in:

expand X:\i386\powrprof.dll c:\windows\system32\powrprof.dll

Note: I have underlined "X", change this to your CD drive letter.

Hit Enter. If done correctly, it will say "1 file(s) copied". If you have done that, re-run ComboFix, because I want a new log.




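The reason the helper reaches for the XP disc rather than a local copy is visible in the Sigcheck block posted later in this thread: the live wininet.dll, kernel32.dll and powrprof.dll and every on-disk backup of them (system32\dllcache, ServicePackFiles\i386, the $NtUninstall*$ folders) carry the same MD5 and the same modification time, so Windows File Protection would only copy the same bytes back. The following script is an added example, not code from this thread or from ComboFix: it parses lines in the Sigcheck layout shown here (`[flag] date time size MD5 path`), groups copies by file name, and reports whether the WFP restore sources still differ from the live copy. The sample lines are a subset taken from the thread's own Sigcheck output; the choice of dllcache and ServicePackFiles\i386 as "restore sources" is an assumption made for the example.

```python
"""Assess whether on-disk restore sources for a system DLL are still trustworthy.

Parses ComboFix-style "Sigcheck" lines of the form
    [flag] YYYY-MM-DD HH:MM size MD5 full\path\file.dll
and, for each file name, compares the live copy in system32 with the copies
Windows File Protection would restore from (system32\dllcache and
ServicePackFiles\i386; an assumption for this example).  If every restore
source carries the same bytes as the live copy, a local "restore" would only
re-copy the same file, and a clean copy has to come from install media.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Sample input: a subset of the Sigcheck lines posted later in this thread.
SAMPLE_SIGCHECK = r"""
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2009-03-03 00:18 826368 28775945CCD53DEE280EF58DEA1A94C4 c:\windows\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3gdr\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\system32\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\system32\dllcache\wininet.dll

[-] 2009-05-15 23:15 21504 7DB82427E29BD2CDE739EF23F82CFCD6 c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2009-05-15 23:15 21504 7DB82427E29BD2CDE739EF23F82CFCD6 c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2009-05-15 23:15 21504 7DB82427E29BD2CDE739EF23F82CFCD6 c:\windows\system32\powrprof.dll
"""

# One Sigcheck line: flag in brackets, date, time, size, 32-hex MD5, path.
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+(?P<md5>[0-9A-Fa-f]{32})\s+(?P<path>.+?)\s*$"
)

class Entry(NamedTuple):
    flag: str
    mtime: str
    size: int
    md5: str
    path: str

class Report(NamedTuple):
    name: str
    live_md5: str
    wfp_sources_match_live: bool             # dllcache / ServicePackFiles carry the live hash
    copies_sharing_live_hash_and_mtime: int  # size of the uniform-overwrite group
    alternate_copies: List[str]              # paths whose hash differs from the live copy
    verdict: str

def parse_sigcheck(text: str) -> List[Entry]:
    """Return one Entry per well-formed Sigcheck line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["flag"], m["mtime"], int(m["size"]),
                                 m["md5"].upper(), m["path"]))
    return entries

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def _is_wfp_source(path: str) -> bool:
    p = path.lower()
    return "\\system32\\dllcache\\" in p or "\\servicepackfiles\\i386\\" in p

def assess(entries: List[Entry]) -> Dict[str, Report]:
    """Compare the live system32 copy of each file with its WFP restore sources."""
    by_name: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        by_name[_basename(e.path)].append(e)
    reports: Dict[str, Report] = {}
    for name, copies in by_name.items():
        live = [e for e in copies if e.path.lower().endswith("\\system32\\" + name)]
        if not live:
            continue  # no live copy listed; nothing to compare against
        live_e = live[0]
        wfp = [e for e in copies if _is_wfp_source(e.path)]
        wfp_match = bool(wfp) and all(e.md5 == live_e.md5 for e in wfp)
        # Copies that share both hash and timestamp with the live file point to one mass overwrite.
        uniform = sum(1 for e in copies if e.md5 == live_e.md5 and e.mtime == live_e.mtime)
        alternates = sorted(e.path for e in copies if e.md5 != live_e.md5)
        if wfp_match:
            verdict = ("WFP restore sources hold the same bytes as the live file; "
                       "obtain a clean copy from install media or another trusted source")
        else:
            verdict = ("a differing copy exists in a WFP restore source; verify it "
                       "against a known-good hash before relying on it")
        reports[name] = Report(name, live_e.md5, wfp_match, uniform, alternates, verdict)
    return reports

if __name__ == "__main__":
    for r in assess(parse_sigcheck(SAMPLE_SIGCHECK)).values():
        print(f"{r.name}: live={r.live_md5[:8]}... uniform_group={r.copies_sharing_live_hash_and_mtime} "
              f"alternates={len(r.alternate_copies)}\n  -> {r.verdict}")
```

Identical hashes across backups do not by themselves prove the file is bad; they only show that a local restore cannot help. With a known-good hash for the same patch level (from a clean machine or the vendor's catalog) the comparison becomes conclusive, and the `alternate_copies` list is where to look for candidates that still differ, such as the SoftwareDistribution download that ComboFix used for wininet.dll in this thread.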

Re: win32/cryptor

Post by albertskoh on Fri May 15, 2009 6:57 pm

It says "cant open input file e:\i386\powrprof.dll".
I looked on the CD and it's listed as powrprof.dl_.


Re: win32/cryptor

Post by Belahzur on Fri May 15, 2009 7:03 pm

Darn, my mistake.
Do it again, but change it to powrprof.dl_





Re: win32/cryptor

Post by albertskoh on Fri May 15, 2009 7:07 pm

When I do that it says "e:\i386\powrprof.dl_: 7235 bytes expanded to 14848 bytes, 105% increase".


Re: win32/cryptor

Post by Belahzur on Fri May 15, 2009 7:09 pm

Okay, that's worked. Run ComboFix now.





Re: win32/cryptor

Post by albertskoh on Fri May 15, 2009 7:10 pm

Disable all scanners and run ComboFix, I assume, right?


Re: win32/cryptor

Post by Belahzur on Fri May 15, 2009 7:12 pm

Yes.





Re: win32/cryptor

Post by albertskoh on Fri May 15, 2009 7:23 pm

Alright, here it is:
ComboFix 09-05-14.03 - Albert 05/15/2009 16:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1261 [GMT -7:00]
Running from: c:\documents and settings\albert\desktop\combo-fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\UAs
c:\windows\system32\UAs\awc_UAs001.dat
c:\windows\system32\UAs\cfpupdat_UAs001.dat
c:\windows\system32\UAs\objectdock_UAs001.dat
c:\windows\system32\UAs\ssupdate_UAs001.dat
c:\windows\system32\UAs\wgatray_UAs001.dat
c:\windows\system32\UAs\yahoowidgets_UAs001.dat
c:\windows\system32\UAs\yahoowidgets_UAs002.dat

c:\windows\system32\powrprof.dll . . . is infected!!

Infected copy of c:\windows\system32\wininet.dll was found and disinfected
Restored copy from - c:\windows\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3gdr\wininet.dll


.
((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
.

2009-05-15 22:53 . 2001-08-18 05:36 14848 ----a-w c:\windows\system32\powerprof.dll
2009-05-14 02:51 . 2009-05-14 03:12 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-14 02:51 . 2009-05-14 02:51 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-08 17:03 . 2009-05-15 03:03 -------- d--h--w C:\$AVG8.VAULT$
2009-05-08 16:53 . 2009-05-08 16:53 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-08 16:53 . 2009-05-08 16:53 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-08 16:53 . 2009-05-08 16:53 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-08 16:53 . 2009-05-15 22:23 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-08 16:53 . 2009-05-14 23:20 -------- d-----w c:\documents and settings\Albert\Application Data\AVGTOOLBAR
2009-05-08 16:52 . 2009-05-08 16:52 -------- d-----w c:\program files\AVG
2009-05-08 16:52 . 2009-05-08 16:52 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-08 16:42 . 2009-05-08 16:42 -------- d-----w c:\program files\Windows Defender
2009-05-08 16:40 . 2009-05-08 16:40 -------- d-----w c:\documents and settings\Albert\Application Data\IObit
2009-05-08 16:40 . 2009-05-08 16:40 -------- d-----w c:\program files\IObit
2009-05-08 16:19 . 2009-05-08 16:19 22024 ----a-w c:\windows\system32\drivers\pxscan.sys
2009-05-08 16:19 . 2009-05-08 16:19 27656 ----a-w c:\windows\system32\drivers\pxsec.sys
2009-05-08 16:18 . 2009-05-08 16:18 -------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-05-08 15:59 . 2009-05-08 15:59 -------- d-----w c:\windows\system32\796525
2009-05-08 03:07 . 2009-05-08 03:07 -------- d-----w c:\documents and settings\Albert\Local Settings\Application Data\COMODO
2009-05-01 00:46 . 2008-07-14 12:09 205560 ----a-w c:\windows\UNBOC.EXE
2009-05-01 00:46 . 2008-07-14 12:09 212728 ----a-w c:\windows\CMDLIC.DLL
2009-05-01 00:46 . 2009-05-10 03:08 -------- d-----w c:\documents and settings\All Users\Application Data\BOC427
2009-05-01 00:38 . 2009-05-01 02:40 -------- d-----w c:\documents and settings\All Users\Application Data\Comodo
2009-05-01 00:38 . 2009-05-01 00:38 155384 ----a-w c:\windows\system32\guard32.dll
2009-05-01 00:38 . 2009-05-01 00:38 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-05-01 00:38 . 2009-05-01 00:38 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-05-01 00:37 . 2009-05-01 00:37 -------- d-----w c:\documents and settings\Albert\Application Data\Comodo
2009-05-01 00:37 . 2009-05-01 00:37 -------- d-----w c:\documents and settings\All Users\Comodo
2009-05-01 00:37 . 2009-05-13 10:07 -------- d-----w c:\program files\Comodo
2009-04-30 22:33 . 2009-04-30 22:33 -------- d-----w c:\windows\i_setup
2009-04-30 22:22 . 2009-05-15 00:17 -------- d-----w c:\windows\system32\cock
2009-04-30 22:22 . 2009-05-15 23:07 -------- d-----w c:\windows\system32\xmldm
2009-04-30 22:11 . 2009-05-15 23:15 6407 ----a-w c:\windows\system32\krncode.dat
2009-04-30 22:11 . 2009-05-15 23:15 1575 ----a-w c:\windows\system32\pwrcode.dat
2009-04-30 22:11 . 2009-05-15 23:15 19434 ----a-w c:\windows\system32\wincode.dat
2009-04-30 22:11 . 2008-04-14 00:12 17408 ----a-w c:\windows\system32\osysp.dat
2009-04-30 22:11 . 2009-03-21 14:06 989696 ----a-w c:\windows\system32\osysk.dat
2009-04-30 22:11 . 2009-03-03 00:18 826368 ----a-w c:\windows\system32\osysw.dat
2009-04-29 22:11 . 2009-04-30 22:22 7 ----a-w c:\windows\system32\nar.bin
2009-04-29 22:03 . 2009-04-29 22:03 4707 ----a-w c:\windows\system32\z98a.bin
2009-04-27 04:46 . 2009-04-27 04:47 -------- d-----w c:\windows\A8B9466986544126BD28D0D2412CDED6.TMP
2009-04-26 06:23 . 2009-04-26 06:23 -------- d-----w c:\documents and settings\Albert\Local Settings\Application Data\PunkBuster
2009-04-24 22:44 . 2009-04-24 22:44 -------- d-----w c:\program files\Activision

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 23:15 . 2001-08-23 12:00 21504 ----a-w c:\windows\system32\powrprof.dll
2009-05-15 23:15 . 2001-08-23 12:00 830464 ----a-w c:\windows\system32\wininet.dll
2009-05-15 22:47 . 2008-03-10 01:26 -------- d-----w c:\program files\Common Files\Adobe
2009-05-15 22:21 . 2001-08-23 12:00 993792 ----a-w c:\windows\system32\sysk.tmp
2009-05-15 22:21 . 2001-08-23 12:00 21504 ----a-w c:\windows\system32\sysp.tmp
2009-05-14 03:48 . 2008-05-17 19:09 -------- d-----w c:\program files\Java
2009-05-13 10:05 . 2009-04-09 05:59 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-05-13 09:00 . 2009-04-09 05:59 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-30 23:57 . 2009-04-30 23:57 112 ----a-w c:\windows\system32\srvblck2.tmp
2009-04-26 06:24 . 2009-04-09 05:59 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-04-24 23:06 . 2008-03-28 20:33 22328 ----a-w c:\documents and settings\Albert\Application Data\PnkBstrK.sys
2009-04-15 00:48 . 2009-04-15 00:48 -------- d-----w c:\program files\iPod
2009-04-15 00:48 . 2008-03-10 01:30 -------- d-----w c:\program files\Common Files\Apple
2009-04-15 00:47 . 2008-09-09 23:12 -------- d-----w c:\program files\Bonjour
2009-04-15 00:46 . 2009-04-15 00:46 -------- d-----w c:\program files\QuickTime
2009-04-14 08:42 . 2008-03-10 22:04 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-04-10 07:38 . 2009-04-10 07:38 -------- d-----w c:\program files\Bethesda Softworks
2009-04-10 07:24 . 2008-03-09 23:24 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-09 05:59 . 2009-04-09 05:59 2337865 ----a-w c:\windows\system32\pbsvc.exe
2009-04-09 05:49 . 2008-08-01 07:39 -------- d-----w c:\program files\Ubisoft
2009-04-08 22:13 . 2008-03-10 01:25 -------- d-----w c:\program files\Google
2009-04-08 06:28 . 2009-04-08 06:28 -------- d-----w c:\program files\Stardock
2009-04-08 06:28 . 2009-04-08 06:28 -------- d-----w c:\program files\Common Files\Stardock
2009-04-02 01:33 . 2008-07-15 22:13 -------- d-----w c:\program files\DivX
2009-04-02 01:33 . 2009-04-02 01:33 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-26 22:23 . 2008-09-09 23:08 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-26 22:23 . 2008-09-09 23:08 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-23 01:26 . 2009-03-23 01:25 -------- d-----w c:\program files\AIM6
2009-03-23 01:25 . 2008-03-10 01:19 -------- d-----w c:\program files\Common Files\AOL
2009-03-23 01:21 . 2008-03-09 23:15 76312 ----a-w c:\documents and settings\Albert\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-23 01:16 . 2009-03-23 01:16 -------- d-----w c:\program files\Adobe Media Player
2009-03-23 01:13 . 2009-03-23 01:13 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-22 17:23 . 2009-03-22 17:23 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-22 15:55 . 2009-03-22 15:55 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-22 15:48 . 2009-03-22 15:46 -------- d-----w c:\program files\Wise Registry Cleaner
2009-03-22 15:39 . 2009-03-22 15:39 -------- d-----w c:\program files\CCleaner
2009-03-19 23:32 . 2008-01-29 19:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 21:18 . 2009-04-14 08:35 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 21:18 . 2009-04-14 08:35 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 21:18 . 2009-04-14 08:34 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 21:18 . 2009-04-14 08:34 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-09 22:27 . 2009-04-14 08:35 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 22:27 . 2009-04-14 08:35 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-03-09 22:27 . 2009-04-14 08:35 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-06 14:22 . 2001-08-23 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2001-08-23 12:00 826368 ----a-w c:\windows\system32\sysw.tmp
2009-02-20 18:09 . 2008-03-09 23:10 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.


Re: win32/cryptor

Post by albertskoh on Fri May 15, 2009 7:24 pm

------- Sigcheck -------

[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\$hf_mig$\KB944533\SP2QFE\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\$NtServicePackUninstall$\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\$NtUninstallKB944533$\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\ie7\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\ie7updates\KB942615-IE7\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\ie7updates\KB944533-IE7\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\ie7updates\KB947864-IE7\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\ie7updates\KB950759-IE7\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\ie7updates\KB953838-IE7\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\ie7updates\KB956390-IE7\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\ie7updates\KB958215-IE7\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\ie7updates\KB963027-IE7\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2009-03-03 00:18 826368 28775945CCD53DEE280EF58DEA1A94C4 c:\windows\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3gdr\wininet.dll
[7] 2009-03-03 00:17 828416 C8667854873938CA13C986F16B0CD183 c:\windows\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3qfe\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2GDR\wininet.dll
[-] 2009-05-15 01:43 830464 2D8ACEE5743EEBC79A5EFB0DB41B1D43 c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2QFE\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\system32\wininet.dll
[-] 2009-05-15 23:15 830464 2EDF3B3BBB1EB2F472CDFEC95213B830 c:\windows\system32\dllcache\wininet.dll

[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$NtUninstallKB935839$\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$NtUninstallKB959426$\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\system32\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\system32\dllcache\kernel32.dll

[-] 2009-05-15 23:15 21504 7DB82427E29BD2CDE739EF23F82CFCD6 c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2009-05-15 23:15 21504 7DB82427E29BD2CDE739EF23F82CFCD6 c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2009-05-15 23:15 21504 7DB82427E29BD2CDE739EF23F82CFCD6 c:\windows\system32\powrprof.dll
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-10 02:12 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2008-03-10 02:12 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2008-08-23 00:10 . 2009-05-15 01:43 21504 c:\windows\$NtServicePackUninstall$\powrprof.dll
+ 2008-08-23 00:10 . 2009-05-15 23:15 21504 c:\windows\$NtServicePackUninstall$\powrprof.dll
- 2009-04-15 07:02 . 2009-05-15 01:43 993792 c:\windows\$NtUninstallKB959426$\kernel32.dll
+ 2009-04-15 07:02 . 2009-05-15 23:15 993792 c:\windows\$NtUninstallKB959426$\kernel32.dll
- 2008-03-10 02:28 . 2009-05-15 01:43 830464 c:\windows\$NtUninstallKB944533$\wininet.dll
+ 2008-03-10 02:28 . 2009-05-15 23:15 830464 c:\windows\$NtUninstallKB944533$\wininet.dll
- 2008-03-10 02:27 . 2009-05-15 01:43 993792 c:\windows\$NtUninstallKB935839$\kernel32.dll
+ 2008-03-10 02:27 . 2009-05-15 23:15 993792 c:\windows\$NtUninstallKB935839$\kernel32.dll
+ 2008-08-23 00:11 . 2009-05-15 23:15 830464 c:\windows\$NtServicePackUninstall$\wininet.dll
- 2008-08-23 00:11 . 2009-05-15 01:43 830464 c:\windows\$NtServicePackUninstall$\wininet.dll
- 2008-08-23 00:10 . 2009-05-15 01:43 993792 c:\windows\$NtServicePackUninstall$\kernel32.dll
+ 2008-08-23 00:10 . 2009-05-15 23:15 993792 c:\windows\$NtServicePackUninstall$\kernel32.dll
+ 2009-03-03 00:17 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
- 2009-03-03 00:17 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
+ 2009-02-11 01:18 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
- 2009-02-11 01:18 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
- 2009-03-21 13:59 . 2009-05-15 01:43 993792 c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
+ 2009-03-21 13:59 . 2009-05-15 23:15 993792 c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
+ 2008-12-11 05:51 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
- 2008-12-11 05:51 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
- 2008-08-26 09:08 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
+ 2008-08-26 09:08 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
+ 2008-08-15 03:34 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
- 2008-08-15 03:34 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
- 2008-06-11 00:17 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
+ 2008-06-11 00:17 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
- 2008-04-08 22:14 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
+ 2008-04-08 22:14 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
+ 2007-12-07 00:44 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB944533\SP2QFE\wininet.dll
- 2007-12-07 00:44 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB944533\SP2QFE\wininet.dll
- 2008-03-10 02:36 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
+ 2008-03-10 02:36 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
+ 2008-03-10 02:35 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
- 2008-03-10 02:35 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
+ 2007-04-16 16:07 . 2009-05-15 23:15 993792 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
- 2007-04-16 16:07 . 2009-05-15 01:43 993792 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
+ 2009-04-14 19:16 . 2008-07-09 14:25 2455488 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\ieapfltr.dat
- 2009-04-14 19:16 . 2007-04-17 09:32 2455488 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\ieapfltr.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="d:\program files\SuperAntiSpyware\SUPERAntiSpyware.exe" [2009-05-01 1830128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-04 68856]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Advanced SystemCare 3"="c:\program files\iobit\advanced systemcare 3\AWC.exe" [2009-05-01 2329936]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"InstantBurn"="c:\progra~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2006-06-17 729088]
"HP Software Update"="d:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\quicktime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="d:\program files\Itunes\iTunesHelper.exe" [2009-04-02 342312]
"COMODO Internet Security"="c:\program files\Comodo\comodo internet security\cfp.exe" [2009-05-01 1851128]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-08 1947928]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-12 16132608]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-11-29 55824]

c:\documents and settings\Albert\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-4-7 3450608]
Yahoo! Widgets.lnk - d:\program files\Widgets\YahooWidgets.exe [2007-12-11 3746856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BD Icon.lnk - c:\program files\Sony\BD Icon\BDIcon.exe [2006-6-5 98304]
HP Digital Imaging Monitor.lnk - d:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2008-3-9 789008]
Microtek Scanner Finder.lnk - d:\program files\Microtek\ScannerFinder.exe [2008-3-9 344064]
Run Google Web Accelerator.lnk - c:\program files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-7-9 1134592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SuperAntiSpyware\SASSEH.DLL" [2008-05-22 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 19:30 72208 ----a-w c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-08 16:53 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dbbin]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dbbin.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\CLDMA.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"d:\\Downloads\\My Downloads\\Cool\\steamapps\\snarfoman\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\Itunes\\iTunes.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

albertskoh
Novice

Posts: 26
Joined: 2009-05-13
OS: XP
Points: 27678
Likes: 0

Re: win32/cryptor

Post by albertskoh on Fri May 15, 2009 7:24 pm

R0 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [3/9/2008 3:48 PM 10368]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [5/8/2009 9:19 AM 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [5/8/2009 9:19 AM 27656]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/8/2009 9:53 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/8/2009 9:53 AM 108552]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [4/30/2009 5:38 PM 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [4/30/2009 5:38 PM 24336]
R1 SASDIFSV;SASDIFSV;d:\program files\SuperAntiSpyware\SASDIFSV.SYS [2/29/2008 4:03 PM 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\SuperAntiSpyware\SASKUTIL.SYS [2/29/2008 4:03 PM 55024]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [3/9/2008 3:45 PM 6656]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/8/2009 9:52 AM 298776]
R2 CLBUDF;CyberLink UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [3/9/2008 3:48 PM 179584]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [3/9/2008 4:32 PM 39424]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [3/9/2008 4:31 PM 105984]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [10/21/2008 8:57 PM 33792]
R3 SASENUM;SASENUM;d:\program files\SuperAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 4096]
S4 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCORE.exe --> c:\program files\Comodo\CBOClean\BOCORE.exe [?]
S4 CSIScanner;CSIScanner;"c:\program files\Prevx\prevx.exe" /service --> c:\program files\Prevx\prevx.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - h:\wd_windows_tools\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-15 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {E62A8B6B-D91C-457C-B1FB-20CC2D96B4EC} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Albert\Application Data\Mozilla\Firefox\Profiles\4ht9ejr1.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\Albert\Application Data\Mozilla\Firefox\Profiles\4ht9ejr1.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\Albert\Application Data\Mozilla\Firefox\Profiles\4ht9ejr1.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - plugin: d:\program files\Itunes\Mozilla Plugins\npitunes.dll
FF - plugin: d:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: d:\program files\Opera\program\plugins\npdsplay.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin2.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin3.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin4.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin5.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin6.dll
FF - plugin: d:\program files\Opera\program\plugins\npqtplugin7.dll
FF - plugin: d:\program files\Opera\program\plugins\NPSWF32.dll
FF - plugin: d:\program files\Opera\program\plugins\npwmsdrm.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
.
------- File Associations -------
.
txtfile=c:\windows\NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-15 16:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f0,8a,c2,84,86,23,0c,96,33,c9,27,89,94,5c,a4,8b,ba,88,19,3c,f4,f4,a1,
5a,44,4e,da,29,4f,e5,36,67,d6,2e,da,62,f4,c6,91,67,62,86,7c,cd,96,ec,00,6e,\
"??"=hex:3a,35,22,73,28,3f,c8,70,a1,c5,a5,cf,e4,19,8f,9b

[HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:d9,95,a2,d0,59,8a,41,a0,cc,4c,c8,7b,bf,66,8e,9b,09,fe,f6,65,27,
00,ac,d1,e0,ea,ae,3e,e9,14,1e,25,57,69,8b,48,c5,62,8e,1b,7d,50,bf,57,27,5c,\
"rkeysecu"=hex:3b,7a,56,28,ef,95,a6,95,d0,ba,1a,d4,83,91,07,f5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\guard32.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(868)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(2304)
c:\program files\stardock\objectdock\DockShellHook.dll
c:\windows\system32\nview.dll
d:\program files\logitech\setpoint\GameHook.dll
d:\program files\logitech\setpoint\lgscroll.dll
d:\program files\Itunes\iTunesMiniPlayer.dll
d:\program files\Itunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
d:\program files\Itunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Comodo\COMODO Internet Security\cmdagent.exe
c:\windows\system32\BRSS01A.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\libusbd-nt.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\temp\ldshyf1.old
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Google\Web Accelerator\GoogleWebAccClient.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\AIM6\aolsoftware.exe
d:\program files\HP\Digital Imaging\bin\hpqste08.exe
d:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\windows\system32\msiexec.exe
d:\program files\Opera\opera.exe
c:\windows\system32\HPZinw12.exe
.
**************************************************************************
.
Completion time: 2009-05-15 16:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-15 23:22
ComboFix2.txt 2009-05-15 01:50

Pre-Run: 8,031,092,736 bytes free
Post-Run: 7,983,267,840 bytes free

430 --- E O F --- 2009-05-15 06:07


Re: win32/cryptor

Post by albertskoh on Fri May 15, 2009 7:26 pm

how does it look? =/


Re: win32/cryptor

Post by Belahzur on Fri May 15, 2009 7:29 pm

Hello.
Don't give up, we WILL beat it.

I think you made a tiny mistake when you did the expand command.

The infected file is powrprof.dll; Combofix shows me this file created: powerprof.dll <== there's no 'e' in there.

I need you to repeat the expand command in cmd again, and proofread what you type this time.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245091
Likes: 1

Re: win32/cryptor

Post by albertskoh on Fri May 15, 2009 7:31 pm

I tried doing it again, but this time it says it can't open the output file.


Re: win32/cryptor

Post by Belahzur on Fri May 15, 2009 7:40 pm

It has to be exactly right, with spaces in the correct areas. It should work if you've typed it exactly like this.

expandSPACEe:\i386\powrprof.dllSPACEc:\windows\system32\powrprof.dll


Re: win32/cryptor

Post by albertskoh on Fri May 15, 2009 7:46 pm

I think I expanded to powerprof.dll first and then did it to powrprof.dll a second time, so I think that it might not be doing it because I already did the expansion.

FYI, this is before the log posting.


Re: win32/cryptor

Post by Belahzur on Fri May 15, 2009 7:54 pm

Hello.
Okay, we might still be able to use the wrongly named file.

Go to this file in bold:
c:\windows\system32\powrprof.dll

Right click > Rename. Add "bad" into the file name.

Now locate this file in bold:
c:\windows\system32\powerprof.dll

Right click > Rename.
Remove the extra 'e'

Re-run Combofix again after that.


Re: win32/cryptor

Post by albertskoh on Fri May 15, 2009 8:12 pm

Alrighty, here it is, sir.

ComboFix 09-05-14.03 - Albert 05/15/2009 16:57.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1228 [GMT -7:00]
Running from: c:\documents and settings\albert\desktop\combo-fix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\powrprofbad.dll

Infected copy of c:\windows\system32\wininet.dll was found and disinfected
Restored copy from - c:\windows\SoftwareDistribution\Download\263159e92061f273983a0f9531635ce0\sp3gdr\wininet.dll


.
((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-15 22:53 . 2001-08-18 05:36 14848 ----a-w c:\windows\system32\powrprof.dll
2009-05-14 02:51 . 2009-05-14 03:12 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-14 02:51 . 2009-05-14 02:51 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-08 17:03 . 2009-05-15 03:03 -------- d--h--w C:\$AVG8.VAULT$
2009-05-08 16:53 . 2009-05-08 16:53 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-08 16:53 . 2009-05-08 16:53 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-08 16:53 . 2009-05-08 16:53 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-08 16:53 . 2009-05-15 22:23 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-08 16:53 . 2009-05-14 23:20 -------- d-----w c:\documents and settings\Albert\Application Data\AVGTOOLBAR
2009-05-08 16:52 . 2009-05-08 16:52 -------- d-----w c:\program files\AVG
2009-05-08 16:52 . 2009-05-08 16:52 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-08 16:42 . 2009-05-08 16:42 -------- d-----w c:\program files\Windows Defender
2009-05-08 16:40 . 2009-05-08 16:40 -------- d-----w c:\documents and settings\Albert\Application Data\IObit
2009-05-08 16:40 . 2009-05-08 16:40 -------- d-----w c:\program files\IObit
2009-05-08 16:19 . 2009-05-08 16:19 22024 ----a-w c:\windows\system32\drivers\pxscan.sys
2009-05-08 16:19 . 2009-05-08 16:19 27656 ----a-w c:\windows\system32\drivers\pxsec.sys
2009-05-08 16:18 . 2009-05-08 16:18 -------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-05-08 15:59 . 2009-05-08 15:59 -------- d-----w c:\windows\system32\796525
2009-05-08 03:07 . 2009-05-08 03:07 -------- d-----w c:\documents and settings\Albert\Local Settings\Application Data\COMODO
2009-05-01 00:46 . 2008-07-14 12:09 205560 ----a-w c:\windows\UNBOC.EXE
2009-05-01 00:46 . 2008-07-14 12:09 212728 ----a-w c:\windows\CMDLIC.DLL
2009-05-01 00:46 . 2009-05-10 03:08 -------- d-----w c:\documents and settings\All Users\Application Data\BOC427
2009-05-01 00:38 . 2009-05-01 02:40 -------- d-----w c:\documents and settings\All Users\Application Data\Comodo
2009-05-01 00:38 . 2009-05-01 00:38 155384 ----a-w c:\windows\system32\guard32.dll
2009-05-01 00:38 . 2009-05-01 00:38 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-05-01 00:38 . 2009-05-01 00:38 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-05-01 00:37 . 2009-05-01 00:37 -------- d-----w c:\documents and settings\Albert\Application Data\Comodo
2009-05-01 00:37 . 2009-05-01 00:37 -------- d-----w c:\documents and settings\All Users\Comodo
2009-05-01 00:37 . 2009-05-13 10:07 -------- d-----w c:\program files\Comodo
2009-04-30 22:33 . 2009-04-30 22:33 -------- d-----w c:\windows\i_setup
2009-04-30 22:22 . 2009-05-15 00:17 -------- d-----w c:\windows\system32\cock
2009-04-30 22:22 . 2009-05-15 23:07 -------- d-----w c:\windows\system32\xmldm
2009-04-30 22:11 . 2009-05-15 23:15 6407 ----a-w c:\windows\system32\krncode.dat
2009-04-30 22:11 . 2009-05-15 23:15 1575 ----a-w c:\windows\system32\pwrcode.dat
2009-04-30 22:11 . 2009-05-15 23:15 19434 ----a-w c:\windows\system32\wincode.dat
2009-04-30 22:11 . 2008-04-14 00:12 17408 ----a-w c:\windows\system32\osysp.dat
2009-04-30 22:11 . 2009-03-21 14:06 989696 ----a-w c:\windows\system32\osysk.dat
2009-04-30 22:11 . 2009-03-03 00:18 826368 ----a-w c:\windows\system32\osysw.dat
2009-04-29 22:11 . 2009-04-30 22:22 7 ----a-w c:\windows\system32\nar.bin
2009-04-29 22:03 . 2009-04-29 22:03 4707 ----a-w c:\windows\system32\z98a.bin
2009-04-27 04:46 . 2009-04-27 04:47 -------- d-----w c:\windows\A8B9466986544126BD28D0D2412CDED6.TMP
2009-04-26 06:23 . 2009-04-26 06:23 -------- d-----w c:\documents and settings\Albert\Local Settings\Application Data\PunkBuster
2009-04-24 22:44 . 2009-04-24 22:44 -------- d-----w c:\program files\Activision

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 22:47 . 2008-03-10 01:26 -------- d-----w c:\program files\Common Files\Adobe
2009-05-15 22:21 . 2001-08-23 12:00 993792 ----a-w c:\windows\system32\sysk.tmp
2009-05-15 22:21 . 2001-08-23 12:00 21504 ----a-w c:\windows\system32\sysp.tmp
2009-05-14 03:48 . 2008-05-17 19:09 -------- d-----w c:\program files\Java
2009-05-13 10:05 . 2009-04-09 05:59 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-05-13 09:00 . 2009-04-09 05:59 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-30 23:57 . 2009-04-30 23:57 112 ----a-w c:\windows\system32\srvblck2.tmp
2009-04-26 06:24 . 2009-04-09 05:59 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-04-24 23:06 . 2008-03-28 20:33 22328 ----a-w c:\documents and settings\Albert\Application Data\PnkBstrK.sys
2009-04-15 00:48 . 2009-04-15 00:48 -------- d-----w c:\program files\iPod
2009-04-15 00:48 . 2008-03-10 01:30 -------- d-----w c:\program files\Common Files\Apple
2009-04-15 00:47 . 2008-09-09 23:12 -------- d-----w c:\program files\Bonjour
2009-04-15 00:46 . 2009-04-15 00:46 -------- d-----w c:\program files\QuickTime
2009-04-14 08:42 . 2008-03-10 22:04 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-04-10 07:38 . 2009-04-10 07:38 -------- d-----w c:\program files\Bethesda Softworks
2009-04-10 07:24 . 2008-03-09 23:24 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-09 05:59 . 2009-04-09 05:59 2337865 ----a-w c:\windows\system32\pbsvc.exe
2009-04-09 05:49 . 2008-08-01 07:39 -------- d-----w c:\program files\Ubisoft
2009-04-08 22:13 . 2008-03-10 01:25 -------- d-----w c:\program files\Google
2009-04-08 06:28 . 2009-04-08 06:28 -------- d-----w c:\program files\Stardock
2009-04-08 06:28 . 2009-04-08 06:28 -------- d-----w c:\program files\Common Files\Stardock
2009-04-02 01:33 . 2008-07-15 22:13 -------- d-----w c:\program files\DivX
2009-04-02 01:33 . 2009-04-02 01:33 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-26 22:23 . 2008-09-09 23:08 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-26 22:23 . 2008-09-09 23:08 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-23 01:26 . 2009-03-23 01:25 -------- d-----w c:\program files\AIM6
2009-03-23 01:25 . 2008-03-10 01:19 -------- d-----w c:\program files\Common Files\AOL
2009-03-23 01:21 . 2008-03-09 23:15 76312 ----a-w c:\documents and settings\Albert\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-23 01:16 . 2009-03-23 01:16 -------- d-----w c:\program files\Adobe Media Player
2009-03-23 01:13 . 2009-03-23 01:13 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-22 17:23 . 2009-03-22 17:23 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-22 15:55 . 2009-03-22 15:55 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-22 15:48 . 2009-03-22 15:46 -------- d-----w c:\program files\Wise Registry Cleaner
2009-03-22 15:39 . 2009-03-22 15:39 -------- d-----w c:\program files\CCleaner
2009-03-19 23:32 . 2008-01-29 19:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 21:18 . 2009-04-14 08:35 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 21:18 . 2009-04-14 08:35 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 21:18 . 2009-04-14 08:34 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 21:18 . 2009-04-14 08:34 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-09 22:27 . 2009-04-14 08:35 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 22:27 . 2009-04-14 08:35 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-03-09 22:27 . 2009-04-14 08:35 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-06 14:22 . 2001-08-23 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2001-08-23 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-03 00:18 . 2001-08-23 12:00 826368 ----a-w c:\windows\system32\sysw.tmp
2009-02-20 18:09 . 2008-03-09 23:10 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.


Re: win32/cryptor

Post by albertskoh on Fri May 15, 2009 8:12 pm

------- Sigcheck -------

[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$NtUninstallKB935839$\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$NtUninstallKB959426$\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\system32\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\system32\dllcache\kernel32.dll

[-] 2009-05-15 23:15 21504 7DB82427E29BD2CDE739EF23F82CFCD6 c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2009-05-15 23:15 21504 7DB82427E29BD2CDE739EF23F82CFCD6 c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2001-08-18 05:36 14848 865AD7CCB20856727D5BD994B094DC5E c:\windows\system32\powrprof.dll
.
((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-10 02:12 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2008-03-10 02:12 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2008-08-23 00:10 . 2009-05-15 23:15 21504 c:\windows\$NtServicePackUninstall$\powrprof.dll
- 2008-08-23 00:10 . 2009-05-15 01:43 21504 c:\windows\$NtServicePackUninstall$\powrprof.dll
- 2001-08-23 12:00 . 2008-12-20 23:15 826368 c:\windows\system32\dllcache\wininet.dll
+ 2001-08-23 12:00 . 2009-03-03 00:18 826368 c:\windows\system32\dllcache\wininet.dll
- 2008-03-10 02:33 . 2009-05-04 23:21 830464 c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2QFE\wininet.dll
- 2008-03-10 02:33 . 2009-04-30 22:11 830464 c:\windows\SoftwareDistribution\Download\e5a204b08ee9dd0f7a20547e61486b27\SP2GDR\wininet.dll
- 2008-03-10 02:33 . 2009-04-30 22:11 830464 c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2QFE\wininet.dll
- 2008-03-10 02:33 . 2009-04-30 22:11 830464 c:\windows\SoftwareDistribution\Download\e3709fbfd9557a7d083f543d51d38612\SP2GDR\wininet.dll
- 2008-03-09 23:10 . 2009-05-04 23:21 830464 c:\windows\ServicePackFiles\i386\wininet.dll
+ 2008-03-09 23:10 . 2009-05-15 23:15 830464 c:\windows\ServicePackFiles\i386\wininet.dll
- 2009-04-15 07:02 . 2009-05-04 23:21 830464 c:\windows\ie7updates\KB963027-IE7\wininet.dll
+ 2009-04-15 07:02 . 2009-05-15 23:15 830464 c:\windows\ie7updates\KB963027-IE7\wininet.dll
- 2009-02-11 07:39 . 2009-05-04 23:21 830464 c:\windows\ie7updates\KB961260-IE7\wininet.dll
+ 2009-02-11 07:39 . 2009-05-15 23:15 830464 c:\windows\ie7updates\KB961260-IE7\wininet.dll
+ 2008-12-11 08:12 . 2009-05-15 23:15 830464 c:\windows\ie7updates\KB958215-IE7\wininet.dll
- 2008-12-11 08:12 . 2009-05-04 23:21 830464 c:\windows\ie7updates\KB958215-IE7\wininet.dll
- 2008-10-15 06:36 . 2009-05-04 23:21 830464 c:\windows\ie7updates\KB956390-IE7\wininet.dll
+ 2008-10-15 06:36 . 2009-05-15 23:15 830464 c:\windows\ie7updates\KB956390-IE7\wininet.dll
+ 2008-08-15 07:10 . 2009-05-15 23:15 830464 c:\windows\ie7updates\KB953838-IE7\wininet.dll
- 2008-08-15 07:10 . 2009-05-04 23:21 830464 c:\windows\ie7updates\KB953838-IE7\wininet.dll
+ 2008-06-11 07:08 . 2009-05-15 23:15 830464 c:\windows\ie7updates\KB950759-IE7\wininet.dll
- 2008-06-11 07:08 . 2009-05-04 23:21 830464 c:\windows\ie7updates\KB950759-IE7\wininet.dll
+ 2008-04-09 06:52 . 2009-05-15 23:15 830464 c:\windows\ie7updates\KB947864-IE7\wininet.dll
- 2008-04-09 06:52 . 2009-05-04 23:21 830464 c:\windows\ie7updates\KB947864-IE7\wininet.dll
+ 2008-03-10 02:36 . 2009-05-15 23:15 830464 c:\windows\ie7updates\KB944533-IE7\wininet.dll
- 2008-03-10 02:36 . 2009-05-04 23:21 830464 c:\windows\ie7updates\KB944533-IE7\wininet.dll
- 2008-03-10 02:36 . 2009-05-04 23:21 830464 c:\windows\ie7updates\KB942615-IE7\wininet.dll
+ 2008-03-10 02:36 . 2009-05-15 23:15 830464 c:\windows\ie7updates\KB942615-IE7\wininet.dll
+ 2008-03-10 02:35 . 2009-05-15 23:15 830464 c:\windows\ie7\wininet.dll
- 2008-03-10 02:35 . 2009-05-04 23:21 830464 c:\windows\ie7\wininet.dll
+ 2009-04-15 07:02 . 2009-05-15 23:15 993792 c:\windows\$NtUninstallKB959426$\kernel32.dll
- 2009-04-15 07:02 . 2009-05-15 01:43 993792 c:\windows\$NtUninstallKB959426$\kernel32.dll
+ 2008-03-10 02:28 . 2009-05-15 23:15 830464 c:\windows\$NtUninstallKB944533$\wininet.dll
- 2008-03-10 02:28 . 2009-05-15 01:43 830464 c:\windows\$NtUninstallKB944533$\wininet.dll
+ 2008-03-10 02:27 . 2009-05-15 23:15 993792 c:\windows\$NtUninstallKB935839$\kernel32.dll
- 2008-03-10 02:27 . 2009-05-15 01:43 993792 c:\windows\$NtUninstallKB935839$\kernel32.dll
+ 2008-08-23 00:11 . 2009-05-15 23:15 830464 c:\windows\$NtServicePackUninstall$\wininet.dll
- 2008-08-23 00:11 . 2009-05-15 01:43 830464 c:\windows\$NtServicePackUninstall$\wininet.dll
- 2008-08-23 00:10 . 2009-05-15 01:43 993792 c:\windows\$NtServicePackUninstall$\kernel32.dll
+ 2008-08-23 00:10 . 2009-05-15 23:15 993792 c:\windows\$NtServicePackUninstall$\kernel32.dll
+ 2009-03-03 00:17 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
- 2009-03-03 00:17 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
- 2009-02-11 01:18 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
+ 2009-02-11 01:18 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
+ 2009-03-21 13:59 . 2009-05-15 23:15 993792 c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
- 2009-03-21 13:59 . 2009-05-15 01:43 993792 c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
- 2008-12-11 05:51 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
+ 2008-12-11 05:51 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
+ 2008-08-26 09:08 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
- 2008-08-26 09:08 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
+ 2008-08-15 03:34 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
- 2008-08-15 03:34 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
- 2008-06-11 00:17 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
+ 2008-06-11 00:17 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
+ 2008-04-08 22:14 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
- 2008-04-08 22:14 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
- 2007-12-07 00:44 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB944533\SP2QFE\wininet.dll
+ 2007-12-07 00:44 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB944533\SP2QFE\wininet.dll
- 2008-03-10 02:36 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
+ 2008-03-10 02:36 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
- 2008-03-10 02:35 . 2009-05-15 01:43 830464 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
+ 2008-03-10 02:35 . 2009-05-15 23:15 830464 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
- 2007-04-16 16:07 . 2009-05-15 01:43 993792 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
+ 2007-04-16 16:07 . 2009-05-15 23:15 993792 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
+ 2009-04-14 19:16 . 2008-07-09 14:25 2455488 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\ieapfltr.dat
- 2009-04-14 19:16 . 2007-04-17 09:32 2455488 c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\ieapfltr.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="d:\program files\SuperAntiSpyware\SUPERAntiSpyware.exe" [2009-05-01 1830128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-04 68856]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Advanced SystemCare 3"="c:\program files\iobit\advanced systemcare 3\AWC.exe" [2009-05-01 2329936]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"InstantBurn"="c:\progra~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2006-06-17 729088]
"HP Software Update"="d:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\quicktime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="d:\program files\Itunes\iTunesHelper.exe" [2009-04-02 342312]
"COMODO Internet Security"="c:\program files\Comodo\comodo internet security\cfp.exe" [2009-05-01 1851128]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-08 1947928]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-12 16132608]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-11-29 55824]

c:\documents and settings\Albert\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-4-7 3450608]
Yahoo! Widgets.lnk - d:\program files\Widgets\YahooWidgets.exe [2007-12-11 3746856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BD Icon.lnk - c:\program files\Sony\BD Icon\BDIcon.exe [2006-6-5 98304]
HP Digital Imaging Monitor.lnk - d:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2008-3-9 789008]
Microtek Scanner Finder.lnk - d:\program files\Microtek\ScannerFinder.exe [2008-3-9 344064]
Run Google Web Accelerator.lnk - c:\program files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-7-9 1134592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SuperAntiSpyware\SASSEH.DLL" [2008-05-22 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 19:30 72208 ----a-w c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-08 16:53 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dbbin]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dbbin.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\CLDMA.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"d:\\Downloads\\My Downloads\\Cool\\steamapps\\snarfoman\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\Itunes\\iTunes.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

albertskoh
Novice
Posts : 26
Joined : 2009-05-13
OS : XP
Points : 27678
Likes : 0
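The +/- pairs at the top of this post are the part of the log worth reading closely: the backup copies of kernel32.dll, wininet.dll and powrprof.dll under $NtUninstall*, $NtServicePackUninstall$, $hf_mig$, ServicePackFiles and ie7updates all carry the same new modification time, 2009-05-15 23:15, while the dllcache copy of wininet.dll now matches the live system32 build (2009-03-03 00:18). dllcache and ServicePackFiles are where Windows File Protection takes its replacement copies from, and the uninstall folders are what an update rollback would put back, so once every store holds the patched file any repair just restores the infection. The script below is an added example, not ComboFix's code and not from anyone in this thread: it pairs the + and - lines by path and groups rewritten backup-store copies by their new mtime, so a wave of rewrites like this one stands out. The sample lines are copied from the log above; the list of backup-store directory names is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: +/- pairs copied from the ComboFix snapshot
# comparison above. "+" is the current snapshot, "-" the previous one;
# the fields are: creation time . modification time, size, path.
SAMPLE_DIFF = r"""
+ 2008-03-10 02:12 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2008-03-10 02:12 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2008-08-23 00:10 . 2009-05-15 23:15 21504 c:\windows\$NtServicePackUninstall$\powrprof.dll
- 2008-08-23 00:10 . 2009-05-15 01:43 21504 c:\windows\$NtServicePackUninstall$\powrprof.dll
- 2001-08-23 12:00 . 2008-12-20 23:15 826368 c:\windows\system32\dllcache\wininet.dll
+ 2001-08-23 12:00 . 2009-03-03 00:18 826368 c:\windows\system32\dllcache\wininet.dll
- 2008-03-09 23:10 . 2009-05-04 23:21 830464 c:\windows\ServicePackFiles\i386\wininet.dll
+ 2008-03-09 23:10 . 2009-05-15 23:15 830464 c:\windows\ServicePackFiles\i386\wininet.dll
+ 2009-04-15 07:02 . 2009-05-15 23:15 993792 c:\windows\$NtUninstallKB959426$\kernel32.dll
- 2009-04-15 07:02 . 2009-05-15 01:43 993792 c:\windows\$NtUninstallKB959426$\kernel32.dll
- 2008-08-23 00:10 . 2009-05-15 01:43 993792 c:\windows\$NtServicePackUninstall$\kernel32.dll
+ 2008-08-23 00:10 . 2009-05-15 23:15 993792 c:\windows\$NtServicePackUninstall$\kernel32.dll
+ 2007-04-16 16:07 . 2009-05-15 23:15 993792 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
- 2007-04-16 16:07 . 2009-05-15 01:43 993792 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
"""

LINE_RE = re.compile(
    r"^([+-]) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) (.+)$"
)

# Path fragments of the stores File Protection and the update stack use
# as known-good sources (assumption: illustrative, not exhaustive). A
# copy rewritten here is what SFC/WFP or an update rollback puts back
# into system32, so a file infector gains persistence by patching them.
BACKUP_STORE_MARKERS = (
    "\\dllcache\\", "\\servicepackfiles\\", "\\$ntuninstall",
    "\\$ntservicepackuninstall$\\", "\\$hf_mig$\\", "\\ie7updates\\",
    "\\softwaredistribution\\",
)


def parse_snapshot_diff(text):
    """Map lower-cased path -> {'+': (ctime, mtime, size), '-': (...)}."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, "." separators, free text
        sign, ctime, mtime, size, path = m.groups()
        entries[path.lower()][sign] = (ctime, mtime, int(size))
    return entries


def changed_files(entries):
    """(path, old_mtime, new_mtime) for paths whose mtime or size moved."""
    changes = []
    for path, snaps in entries.items():
        if "+" not in snaps or "-" not in snaps:
            continue  # created or deleted, not rewritten in place
        old, new = snaps["-"], snaps["+"]
        if old[1:] != new[1:]:
            changes.append((path, old[1], new[1]))
    return changes


def in_backup_store(path):
    return any(marker in path.lower() for marker in BACKUP_STORE_MARKERS)


def mass_rewrite_clusters(changes, min_files=3):
    """Group rewritten backup-store copies by their new mtime.

    One timestamp shared by several protected copies of system DLLs is
    the pattern to look for: a legitimate update writes system32 and
    dllcache and creates a new uninstall folder, it does not rewrite the
    contents of the existing ones.
    """
    by_mtime = defaultdict(list)
    for path, _old, new_mtime in changes:
        if in_backup_store(path):
            by_mtime[new_mtime].append(path)
    return {t: sorted(p) for t, p in by_mtime.items() if len(p) >= min_files}


if __name__ == "__main__":
    clusters = mass_rewrite_clusters(changed_files(parse_snapshot_diff(SAMPLE_DIFF)))
    for when, paths in clusters.items():
        print(f"{len(paths)} backup-store copies rewritten at {when}:")
        for p in paths:
            print("   ", p)
```

Run against the full snapshot section rather than the excerpt and the 23:15 cluster grows to every wininet.dll and kernel32.dll copy listed; the hashes in the later Sigcheck post are the confirmation that they are byte-identical patched builds.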

Re: win32/cryptor

Post by albertskoh on Fri May 15, 2009 8:13 pm

R0 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [3/9/2008 3:48 PM 10368]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [5/8/2009 9:19 AM 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [5/8/2009 9:19 AM 27656]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/8/2009 9:53 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/8/2009 9:53 AM 108552]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [4/30/2009 5:38 PM 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [4/30/2009 5:38 PM 24336]
R1 SASDIFSV;SASDIFSV;d:\program files\SuperAntiSpyware\SASDIFSV.SYS [2/29/2008 4:03 PM 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\SuperAntiSpyware\SASKUTIL.SYS [2/29/2008 4:03 PM 55024]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [3/9/2008 3:45 PM 6656]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/8/2009 9:52 AM 298776]
R2 CLBUDF;CyberLink UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [3/9/2008 3:48 PM 179584]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [3/9/2008 4:32 PM 39424]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [3/9/2008 4:31 PM 105984]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [10/21/2008 8:57 PM 33792]
R3 SASENUM;SASENUM;d:\program files\SuperAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 4096]
S4 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCORE.exe --> c:\program files\Comodo\CBOClean\BOCORE.exe [?]
S4 CSIScanner;CSIScanner;"c:\program files\Prevx\prevx.exe" /service --> c:\program files\Prevx\prevx.exe [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" --> c:\program files\Viewpoint\Common\ViewpointService.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - h:\wd_windows_tools\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {E62A8B6B-D91C-457C-B1FB-20CC2D96B4EC} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Albert\Application Data\Mozilla\Firefox\Profiles\4ht9ejr1.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.
.
------- File Associations -------
.
txtfile=c:\windows\NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-15 17:06
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f0,8a,c2,84,86,23,0c,96,33,c9,27,89,94,5c,a4,8b,ba,88,19,3c,f4,f4,a1,
5a,44,4e,da,29,4f,e5,36,67,d6,2e,da,62,f4,c6,91,67,62,86,7c,cd,96,ec,00,6e,\
"??"=hex:3a,35,22,73,28,3f,c8,70,a1,c5,a5,cf,e4,19,8f,9b

[HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:d9,95,a2,d0,59,8a,41,a0,cc,4c,c8,7b,bf,66,8e,9b,09,fe,f6,65,27,
00,ac,d1,e0,ea,ae,3e,e9,14,1e,25,57,69,8b,48,c5,62,8e,1b,7d,50,bf,57,27,5c,\
"rkeysecu"=hex:3b,7a,56,28,ef,95,a6,95,d0,ba,1a,d4,83,91,07,f5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\guard32.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(868)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(588)
c:\windows\system32\guard32.dll
c:\program files\stardock\objectdock\DockShellHook.dll
c:\windows\system32\nview.dll
d:\program files\logitech\setpoint\GameHook.dll
d:\program files\logitech\setpoint\lgscroll.dll
d:\program files\Itunes\iTunesMiniPlayer.dll
d:\program files\Itunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
d:\program files\Itunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Comodo\COMODO Internet Security\cmdagent.exe
c:\windows\system32\BRSS01A.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\libusbd-nt.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Google\Web Accelerator\GoogleWebAccClient.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
d:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\msiexec.exe
d:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
c:\windows\system32\HPZinw12.exe
.
**************************************************************************
.
Completion time: 2009-05-16 17:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-16 00:11
ComboFix2.txt 2009-05-15 23:22
ComboFix3.txt 2009-05-15 01:50

Pre-Run: 8,055,062,528 bytes free
Post-Run: 8,045,555,712 bytes free

403 --- E O F --- 2009-05-15 06:07


Re: win32/cryptor

Post by Belahzur on Fri May 15, 2009 8:33 pm

That worked. :D

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
Viewpoint Manager Service

File::
c:\windows\system32\nar.bin
c:\windows\system32\z98a.bin
c:\windows\system32\sysk.tmp
c:\windows\system32\sysp.tmp
c:\windows\system32\sysw.tmp

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dbbin]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dbbin.sys]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\spoolsv.exe"=-
"c:\\Program Files\\DNA\\btdna.exe"=-
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
Likes : 1
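The CFScript above removes four kinds of entry from the earlier log: a Winlogon\Notify package (dbbin) with no DLL listed, a SafeBoot\Minimal entry of the same name (dbbin.sys), which would let a driver of that name load even in Safe Mode, the Security Center AntiVirusOverride flag, and firewall exceptions, among them one for spoolsv.exe. As an added example, not part of the thread and not ComboFix's own code, here is the same triage written as detection logic over ComboFix's REGEDIT4-style "Reg Loading Points" text, so the next log of this kind can be checked mechanically instead of by eye. The sample is copied from the earlier log; the short list of OS binaries that should never carry a firewall exception is an assumption to adapt to your build.

```python
import re

# Constructed sample: the keys the CFScript above acts on, copied from
# the "Reg Loading Points" section of the earlier log in ComboFix's
# REGEDIT4-style layout (one [key] line, then the values under it).
SAMPLE_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-08 16:53 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dbbin]
[BU]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dbbin.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"""

KEY_RE = re.compile(r"^\[(hk[^\]]*)\]$", re.IGNORECASE)  # "[BU]" is not a key

NOTIFY = "\\winlogon\\notify\\"
SAFEBOOT = "\\control\\safeboot\\minimal\\"
SECURITY_CENTER = "\\software\\microsoft\\security center"
FW_EXCEPTIONS = "\\authorizedapplications\\list"

# OS service binaries that never need an inbound exception of their own;
# malware that injects into or replaces them adds one so its traffic
# passes. sessmgr.exe registers itself and is left out. (Assumption:
# short illustrative list, extend for your build.)
NEVER_EXEMPT = {"spoolsv.exe", "svchost.exe", "lsass.exe",
                "services.exe", "winlogon.exe", "explorer.exe"}


def parse_loading_points(text):
    """Map lower-cased key path -> list of the raw value lines under it."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, [])
        elif current is not None:
            keys[current].append(line)
    return keys


def triage(keys):
    """Return (finding, subject) pairs for the four entry types the
    CFScript above removes."""
    findings, bare_notify = [], set()
    # 1. Winlogon notification packages are loaded into winlogon.exe at
    #    logon; a package with no DLL path listed (ComboFix prints "[BU]"
    #    instead) has nothing legitimate behind it.
    for key, values in keys.items():
        if NOTIFY in key:
            pkg = key.rsplit("\\", 1)[1]
            if not any(v.lower().endswith(".dll") for v in values):
                bare_notify.add(pkg)
                findings.append(("winlogon-notify-no-dll", pkg))
    for key, values in keys.items():
        # 2. A SafeBoot\Minimal entry named after that package keeps its
        #    driver loading in Safe Mode, where cleanup is usually tried.
        if SAFEBOOT in key:
            name = key.rsplit("\\", 1)[1]
            if name.rsplit(".", 1)[0] in bare_notify:
                findings.append(("safeboot-entry-for-suspicious-notify", name))
        # 3. *Override / *DisableNotify = 1 silences Security Center's
        #    "no antivirus / firewall" warnings.
        elif key.endswith(SECURITY_CENTER):
            for v in values:
                m = re.match(r'"(\w*(?:override|disablenotify))"=dword:0*1$', v, re.I)
                if m:
                    findings.append(("security-center-suppressed", m.group(1)))
        # 4. Firewall exceptions for OS binaries under system32.
        elif key.endswith(FW_EXCEPTIONS):
            for v in values:
                m = re.match(r'"(.+?)"=', v)
                if not m:
                    continue
                path = m.group(1).replace("\\\\", "\\").lower()
                if "\\system32\\" in path and path.rsplit("\\", 1)[-1] in NEVER_EXEMPT:
                    findings.append(("firewall-exception-for-os-binary", path))
    return findings


if __name__ == "__main__":
    for kind, subject in triage(parse_loading_points(SAMPLE_REG)):
        print(f"{kind:40} {subject}")
```

Each finding maps one-to-one onto a line of the CFScript: the first two become `[-HKEY_...]` key deletions, the third becomes `"AntiVirusOverride"=-`, and the fourth becomes a `"path"=-` removal under the firewall list.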

Re: win32/cryptor

Post by albertskoh on Fri May 15, 2009 11:26 pm

ComboFix 09-05-14.03 - Albert 05/15/2009 20:06.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1302 [GMT -7:00]
Running from: c:\documents and settings\albert\desktop\combo-fix.exe
Command switches used :: c:\documents and settings\Albert\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
c:\windows\system32\nar.bin
c:\windows\system32\sysk.tmp
c:\windows\system32\sysp.tmp
c:\windows\system32\sysw.tmp
c:\windows\system32\z98a.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\nar.bin
c:\windows\system32\sysk.tmp
c:\windows\system32\sysp.tmp
c:\windows\system32\sysw.tmp
c:\windows\system32\z98a.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-15 22:53 . 2001-08-18 05:36 14848 ----a-w c:\windows\system32\powrprof.dll
2009-05-14 02:51 . 2009-05-14 03:12 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-14 02:51 . 2009-05-14 02:51 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-08 17:03 . 2009-05-15 03:03 -------- d--h--w C:\$AVG8.VAULT$
2009-05-08 16:53 . 2009-05-08 16:53 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-08 16:53 . 2009-05-08 16:53 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-08 16:53 . 2009-05-08 16:53 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-08 16:53 . 2009-05-15 22:23 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-08 16:53 . 2009-05-14 23:20 -------- d-----w c:\documents and settings\Albert\Application Data\AVGTOOLBAR
2009-05-08 16:52 . 2009-05-08 16:52 -------- d-----w c:\program files\AVG
2009-05-08 16:52 . 2009-05-08 16:52 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-05-08 16:42 . 2009-05-08 16:42 -------- d-----w c:\program files\Windows Defender
2009-05-08 16:40 . 2009-05-08 16:40 -------- d-----w c:\documents and settings\Albert\Application Data\IObit
2009-05-08 16:40 . 2009-05-08 16:40 -------- d-----w c:\program files\IObit
2009-05-08 16:19 . 2009-05-08 16:19 22024 ----a-w c:\windows\system32\drivers\pxscan.sys
2009-05-08 16:19 . 2009-05-08 16:19 27656 ----a-w c:\windows\system32\drivers\pxsec.sys
2009-05-08 16:18 . 2009-05-08 16:18 -------- d-----w c:\documents and settings\All Users\Application Data\PrevxCSI
2009-05-08 15:59 . 2009-05-08 15:59 -------- d-----w c:\windows\system32\796525
2009-05-08 03:07 . 2009-05-08 03:07 -------- d-----w c:\documents and settings\Albert\Local Settings\Application Data\COMODO
2009-05-01 00:46 . 2008-07-14 12:09 205560 ----a-w c:\windows\UNBOC.EXE
2009-05-01 00:46 . 2008-07-14 12:09 212728 ----a-w c:\windows\CMDLIC.DLL
2009-05-01 00:46 . 2009-05-10 03:08 -------- d-----w c:\documents and settings\All Users\Application Data\BOC427
2009-05-01 00:38 . 2009-05-01 02:40 -------- d-----w c:\documents and settings\All Users\Application Data\Comodo
2009-05-01 00:38 . 2009-05-01 00:38 155384 ----a-w c:\windows\system32\guard32.dll
2009-05-01 00:38 . 2009-05-01 00:38 24336 ----a-w c:\windows\system32\drivers\cmdhlp.sys
2009-05-01 00:38 . 2009-05-01 00:38 110992 ----a-w c:\windows\system32\drivers\cmdguard.sys
2009-05-01 00:37 . 2009-05-01 00:37 -------- d-----w c:\documents and settings\Albert\Application Data\Comodo
2009-05-01 00:37 . 2009-05-01 00:37 -------- d-----w c:\documents and settings\All Users\Comodo
2009-05-01 00:37 . 2009-05-13 10:07 -------- d-----w c:\program files\Comodo
2009-04-30 22:33 . 2009-04-30 22:33 -------- d-----w c:\windows\i_setup
2009-04-30 22:22 . 2009-05-15 00:17 -------- d-----w c:\windows\system32\cock
2009-04-30 22:22 . 2009-05-15 23:07 -------- d-----w c:\windows\system32\xmldm
2009-04-30 22:11 . 2009-05-15 23:15 6407 ----a-w c:\windows\system32\krncode.dat
2009-04-30 22:11 . 2009-05-15 23:15 1575 ----a-w c:\windows\system32\pwrcode.dat
2009-04-30 22:11 . 2009-05-15 23:15 19434 ----a-w c:\windows\system32\wincode.dat
2009-04-30 22:11 . 2008-04-14 00:12 17408 ----a-w c:\windows\system32\osysp.dat
2009-04-30 22:11 . 2009-03-21 14:06 989696 ----a-w c:\windows\system32\osysk.dat
2009-04-30 22:11 . 2009-03-03 00:18 826368 ----a-w c:\windows\system32\osysw.dat
2009-04-27 04:46 . 2009-04-27 04:47 -------- d-----w c:\windows\A8B9466986544126BD28D0D2412CDED6.TMP
2009-04-26 06:23 . 2009-04-26 06:23 -------- d-----w c:\documents and settings\Albert\Local Settings\Application Data\PunkBuster
2009-04-24 22:44 . 2009-04-24 22:44 -------- d-----w c:\program files\Activision

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 22:47 . 2008-03-10 01:26 -------- d-----w c:\program files\Common Files\Adobe
2009-05-14 03:48 . 2008-05-17 19:09 -------- d-----w c:\program files\Java
2009-05-13 10:05 . 2009-04-09 05:59 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-05-13 09:00 . 2009-04-09 05:59 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-30 23:57 . 2009-04-30 23:57 112 ----a-w c:\windows\system32\srvblck2.tmp
2009-04-26 06:24 . 2009-04-09 05:59 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-04-24 23:06 . 2008-03-28 20:33 22328 ----a-w c:\documents and settings\Albert\Application Data\PnkBstrK.sys
2009-04-15 00:48 . 2009-04-15 00:48 -------- d-----w c:\program files\iPod
2009-04-15 00:48 . 2008-03-10 01:30 -------- d-----w c:\program files\Common Files\Apple
2009-04-15 00:47 . 2008-09-09 23:12 -------- d-----w c:\program files\Bonjour
2009-04-15 00:46 . 2009-04-15 00:46 -------- d-----w c:\program files\QuickTime
2009-04-14 08:42 . 2008-03-10 22:04 107888 ----a-w c:\windows\system32\CmdLineExt.dll
2009-04-10 07:38 . 2009-04-10 07:38 -------- d-----w c:\program files\Bethesda Softworks
2009-04-10 07:24 . 2008-03-09 23:24 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-09 05:59 . 2009-04-09 05:59 2337865 ----a-w c:\windows\system32\pbsvc.exe
2009-04-09 05:49 . 2008-08-01 07:39 -------- d-----w c:\program files\Ubisoft
2009-04-08 22:13 . 2008-03-10 01:25 -------- d-----w c:\program files\Google
2009-04-08 06:28 . 2009-04-08 06:28 -------- d-----w c:\program files\Stardock
2009-04-08 06:28 . 2009-04-08 06:28 -------- d-----w c:\program files\Common Files\Stardock
2009-04-02 01:33 . 2008-07-15 22:13 -------- d-----w c:\program files\DivX
2009-04-02 01:33 . 2009-04-02 01:33 -------- d-----w c:\program files\Common Files\DivX Shared
2009-03-26 22:23 . 2008-09-09 23:08 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-26 22:23 . 2008-09-09 23:08 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-23 01:26 . 2009-03-23 01:25 -------- d-----w c:\program files\AIM6
2009-03-23 01:25 . 2008-03-10 01:19 -------- d-----w c:\program files\Common Files\AOL
2009-03-23 01:21 . 2008-03-09 23:15 76312 ----a-w c:\documents and settings\Albert\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-23 01:16 . 2009-03-23 01:16 -------- d-----w c:\program files\Adobe Media Player
2009-03-23 01:13 . 2009-03-23 01:13 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-22 17:23 . 2009-03-22 17:23 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-22 15:55 . 2009-03-22 15:55 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-22 15:48 . 2009-03-22 15:46 -------- d-----w c:\program files\Wise Registry Cleaner
2009-03-22 15:39 . 2009-03-22 15:39 -------- d-----w c:\program files\CCleaner
2009-03-19 23:32 . 2008-01-29 19:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 21:18 . 2009-04-14 08:35 69448 ----a-w c:\windows\system32\XAPOFX1_3.dll
2009-03-16 21:18 . 2009-04-14 08:35 517448 ----a-w c:\windows\system32\XAudio2_4.dll
2009-03-16 21:18 . 2009-04-14 08:34 235352 ----a-w c:\windows\system32\xactengine3_4.dll
2009-03-16 21:18 . 2009-04-14 08:34 22360 ----a-w c:\windows\system32\X3DAudio1_6.dll
2009-03-09 22:27 . 2009-04-14 08:35 453456 ----a-w c:\windows\system32\d3dx10_41.dll
2009-03-09 22:27 . 2009-04-14 08:35 1846632 ----a-w c:\windows\system32\D3DCompiler_41.dll
2009-03-09 22:27 . 2009-04-14 08:35 4178264 ----a-w c:\windows\system32\D3DX9_41.dll
2009-03-06 14:22 . 2001-08-23 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2001-08-23 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2008-03-09 23:10 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
.


Re: win32/cryptor

Post by albertskoh on Fri May 15, 2009 11:27 pm

------- Sigcheck -------

[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$NtUninstallKB935839$\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\$NtUninstallKB959426$\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\system32\kernel32.dll
[-] 2009-05-15 23:15 993792 C7E4E72EF166D8ED155128A74FD891DD c:\windows\system32\dllcache\kernel32.dll

[-] 2009-05-15 23:15 21504 7DB82427E29BD2CDE739EF23F82CFCD6 c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2009-05-15 23:15 21504 7DB82427E29BD2CDE739EF23F82CFCD6 c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2001-08-18 05:36 14848 865AD7CCB20856727D5BD994B094DC5E c:\windows\system32\powrprof.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SUPERAntiSpyware"="d:\program files\SuperAntiSpyware\SUPERAntiSpyware.exe" [2009-05-01 1830128]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-04 68856]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Advanced SystemCare 3"="c:\program files\iobit\advanced systemcare 3\AWC.exe" [2009-05-01 2329936]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"InstantBurn"="c:\progra~1\CYBERL~1\INSTAN~1\Win2K\IBurn.exe" [2006-06-17 729088]
"HP Software Update"="d:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\quicktime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="d:\program files\Itunes\iTunesHelper.exe" [2009-04-02 342312]
"COMODO Internet Security"="c:\program files\Comodo\comodo internet security\cfp.exe" [2009-05-01 1851128]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-08 1947928]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-12 16132608]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-12-05 1626112]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-11-29 55824]

c:\documents and settings\Albert\Start Menu\Programs\Startup\
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2009-4-7 3450608]
Yahoo! Widgets.lnk - d:\program files\Widgets\YahooWidgets.exe [2007-12-11 3746856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BD Icon.lnk - c:\program files\Sony\BD Icon\BDIcon.exe [2006-6-5 98304]
HP Digital Imaging Monitor.lnk - d:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-9-24 282624]
Logitech SetPoint.lnk - d:\program files\Logitech\SetPoint\SetPoint.exe [2008-3-9 789008]
Microtek Scanner Finder.lnk - d:\program files\Microtek\ScannerFinder.exe [2008-3-9 344064]
Run Google Web Accelerator.lnk - c:\program files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-7-9 1134592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SuperAntiSpyware\SASSEH.DLL" [2008-05-22 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-01-09 19:30 72208 ----a-w c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-08 16:53 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD\\CLDMA.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"d:\\Downloads\\My Downloads\\Cool\\steamapps\\snarfoman\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\Itunes\\iTunes.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 CLBStor;InstantBurn Storage Helper Driver;c:\windows\system32\drivers\CLBStor.sys [3/9/2008 3:48 PM 10368]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [5/8/2009 9:19 AM 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [5/8/2009 9:19 AM 27656]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/8/2009 9:53 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/8/2009 9:53 AM 108552]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [4/30/2009 5:38 PM 110992]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [4/30/2009 5:38 PM 24336]
R1 SASDIFSV;SASDIFSV;d:\program files\SuperAntiSpyware\SASDIFSV.SYS [2/29/2008 4:03 PM 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\SuperAntiSpyware\SASKUTIL.SYS [2/29/2008 4:03 PM 55024]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [3/9/2008 3:45 PM 6656]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/8/2009 9:52 AM 298776]
R2 CLBUDF;CyberLink UDF Filesystem;c:\windows\system32\drivers\CLBUDF.sys [3/9/2008 3:48 PM 179584]
R2 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l151x86.sys [3/9/2008 4:32 PM 39424]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [3/9/2008 4:31 PM 105984]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [10/21/2008 8:57 PM 33792]
R3 SASENUM;SASENUM;d:\program files\SuperAntiSpyware\SASENUM.SYS [2/16/2006 4:51 PM 4096]
S4 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCORE.exe --> c:\program files\Comodo\CBOClean\BOCORE.exe [?]
S4 CSIScanner;CSIScanner;"c:\program files\Prevx\prevx.exe" /service --> c:\program files\Prevx\prevx.exe [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - h:\wd_windows_tools\WDSetup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-05-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.


Re: win32/cryptor

Post by albertskoh on Fri May 15, 2009 11:27 pm

------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {E62A8B6B-D91C-457C-B1FB-20CC2D96B4EC} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Albert\Application Data\Mozilla\Firefox\Profiles\4ht9ejr1.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - false // Popupblocker control handled by McAfee Privacy Service
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-15 20:11
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:f0,8a,c2,84,86,23,0c,96,33,c9,27,89,94,5c,a4,8b,ba,88,19,3c,f4,f4,a1,
5a,44,4e,da,29,4f,e5,36,67,d6,2e,da,62,f4,c6,91,67,62,86,7c,cd,96,ec,00,6e,\
"??"=hex:3a,35,22,73,28,3f,c8,70,a1,c5,a5,cf,e4,19,8f,9b

[HKEY_USERS\S-1-5-21-1715567821-152049171-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:d9,95,a2,d0,59,8a,41,a0,cc,4c,c8,7b,bf,66,8e,9b,09,fe,f6,65,27,
00,ac,d1,e0,ea,ae,3e,e9,14,1e,25,57,69,8b,48,c5,62,8e,1b,7d,50,bf,57,27,5c,\
"rkeysecu"=hex:3b,7a,56,28,ef,95,a6,95,d0,ba,1a,d4,83,91,07,f5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\guard32.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'lsass.exe'(868)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(748)
c:\windows\system32\guard32.dll
c:\program files\stardock\objectdock\DockShellHook.dll
c:\windows\system32\nview.dll
d:\program files\logitech\setpoint\GameHook.dll
d:\program files\logitech\setpoint\lgscroll.dll
d:\program files\Itunes\iTunesMiniPlayer.dll
d:\program files\Itunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
d:\program files\Itunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\nvwddi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Comodo\COMODO Internet Security\cmdagent.exe
c:\windows\system32\BRSS01A.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\libusbd-nt.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Google\Web Accelerator\GoogleWebAccClient.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
d:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\msiexec.exe
d:\program files\HP\Digital Imaging\bin\hpqnrs08.exe
.
**************************************************************************
.
Completion time: 2009-05-16 20:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-16 03:16
ComboFix2.txt 2009-05-16 00:11
ComboFix3.txt 2009-05-15 23:22
ComboFix4.txt 2009-05-15 01:50

Pre-Run: 8,056,754,176 bytes free
Post-Run: 7,950,757,888 bytes free

323 --- E O F --- 2009-05-15 06:07


Re: win32/cryptor

Post by Belahzur on Sat May 16, 2009 9:44 am

Hello.
This looks so much better now, just two leftovers I missed.

Please download the [You must be registered and logged in to see this link.].

  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it.
  • Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)


    :files
    c:\windows\system32\srvblck2.tmp
    c:\windows\system32\796525


  • Return to OTMoveIt3, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.



Re: win32/cryptor

Post by albertskoh on Sat May 16, 2009 12:47 pm

here you go

========== FILES ==========
c:\windows\system32\srvblck2.tmp moved successfully.
c:\windows\system32\796525 moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05162009_094639

albertskoh
Novice
Novice

Posts Posts : 26
Joined Joined : 2009-05-13
OS OS : XP
Points Points : 27678
# Likes # Likes : 0

View user profile

Back to top Go down

Re: win32/cryptor

Post by Belahzur on Sat May 16, 2009 12:52 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?



Re: win32/cryptor

Post by albertskoh on Sat May 16, 2009 12:55 pm

it seems to be running much better
is the virus killed or is there still some more stuff to do?


Re: win32/cryptor

Post by Belahzur on Sat May 16, 2009 1:00 pm

I'd say it's dead, the log looks good.



Re: win32/cryptor

Post by albertskoh on Sat May 16, 2009 1:05 pm

awesome
thanks so much for the help
so my computer is pretty much virus free now right?


Re: win32/cryptor

Post by Belahzur on Sat May 16, 2009 1:14 pm

Yep.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.

