Cryptor win 32


Cryptor win 32

Post by Fonzie on 14th May 2009, 10:38 am

Hey!

I'm having trouble with the Win32/Cryptor virus. Can anyone help me please?

Grtz

Tom

Fonzie
Novice
Posts : 21
Joined : 2009-05-14
OS : XP
Points : 27673
# Likes : 0


Re: Cryptor win 32

Post by Belahzur on 14th May 2009, 10:39 am

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement; press Accept and HijackThis will run.
  • Select 'Do a system scan and save a log file'. This will open a Notepad file of everything HijackThis found; copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245091
# Likes : 1


Re: Cryptor win 32

Post by Fonzie on 14th May 2009, 11:24 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:24:13, on 14/05/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\D-Link\AirPlus G DWL-G510\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\tom\DAEMON Tools Lite\daemon.exe
C:\tom\Ares\Ares.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\GVB Vikingschool\Local Settings\Temporary Internet Files\Content.IE5\Y4A59ULC\HJTInstall[1].exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4dbdb0f2-5f45-4073-a79c-c5fe3ad46051} - c:\windows\system32\zlzbrlu.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [D-Link AirPlus G DWL-G510] C:\Program Files\D-Link\AirPlus G DWL-G510\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\tom\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ares] "C:\tom\Ares\Ares.exe" -h
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [international] International*
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - [You must be registered and logged in to see this link.]
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {5D2CF9D0-113A-476B-986F-288B54571614} (DevalVR Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - [You must be registered and logged in to see this link.]
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: gqibnbsw - C:\WINDOWS\SYSTEM32\zlzbrlu.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Intelligente achtergrondsoverdrachtservice (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Automatische updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 10384 bytes


Re: Cryptor win 32

Post by Fonzie on 14th May 2009, 11:26 am

You can remove everything I don't need, including programs I use that may slow down my computer. I want to clean it up now that I have the virus.

Thanks in advance!!


Re: Cryptor win 32

Post by Belahzur on 14th May 2009, 3:26 pm

Hello.
The malware has made quite a mess; this will take more than one round to fix.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste BOTH logs back here. [Ignore the line where attach.txt says not to post it]


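As an added illustration (not a HijackThis feature and not code from anyone in this thread), here is a small Python triage of lines in the HijackThis 2.0.2 format requested above. It parses the O2, O4, O20 and O23 entries and correlates them, so that what lies behind the "quite a mess" verdict stands out: a nameless BHO in system32 that is also registered as a Winlogon Notify handler. The sample lines are constructed, modelled on the log posted above, and the heuristics are this example's own assumptions, not HijackThis rules.

```python
"""Triage of HijackThis 2.0.2 log lines (added example; the heuristics are this
example's own, not HijackThis rules)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed sample, modelled on the log posted in the thread (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4dbdb0f2-5f45-4073-a79c-c5fe3ad46051} - c:\windows\system32\zlzbrlu.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ccApp] -
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O20 - Winlogon Notify: gqibnbsw - C:\WINDOWS\SYSTEM32\zlzbrlu.dll
O23 - Service: Intelligente achtergrondsoverdrachtservice (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""


class Finding(NamedTuple):
    severity: str  # "SUSPICIOUS" or "INFO"
    section: str   # HijackThis section code(s), e.g. "O2" or "O2+O20"
    message: str


# Every HijackThis entry starts with its section code; each section has its own layout.
ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
SECTION_RES = {
    "O2": re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"),
    "O4": re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$"),
    "O20": re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$"),
    "O23": re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$"),
}


def parse(log_text: str) -> List[dict]:
    """Return one dict per recognised O2/O4/O20/O23 line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sub = SECTION_RES.get(m.group("section"))
        d = sub.match(m.group("body")) if sub else None
        if d:
            entries.append({"section": m.group("section"), **d.groupdict()})
    return entries


def basename(path: str) -> str:
    """Case-folded file name, so the O2 and O20 spellings of one DLL compare equal."""
    return path.rstrip().rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    hooks_by_file: Dict[str, Set[str]] = defaultdict(set)
    for e in parse(log_text):
        sec = e["section"]
        if sec in ("O2", "O20"):
            hooks_by_file[basename(e["path"])].add(sec)
        if sec == "O2" and e["name"].strip().lower() in ("", "(no name)"):
            findings.append(Finding("SUSPICIOUS", "O2",
                                    f"unnamed BHO {{{e['clsid']}}} loads {e['path']}"))
        elif sec == "O4" and e["cmd"].strip() in ("", "-"):
            findings.append(Finding("INFO", "O4",
                                    f"Run entry [{e['name']}] has no command (leftover, harmless by itself)"))
        elif sec == "O23" and e["owner"] == "Unknown owner" and e["path"].endswith("\\"):
            # HijackThis prints svchost-hosted Windows services (BITS, wuauserv) with
            # no owner and a bare C:\WINDOWS\ path; that alone is not evidence of infection.
            findings.append(Finding("INFO", "O23",
                                    f"service '{e['name']}' shows no owner or binary; usual for svchost-hosted services"))
    # Correlation across sections: a DLL that is both an IE helper object (O2) and a
    # Winlogon Notify handler (O20) is loaded at logon and in every browser session.
    for fname, secs in sorted(hooks_by_file.items()):
        if {"O2", "O20"} <= secs:
            findings.append(Finding("SUSPICIOUS", "O2+O20",
                                    f"{fname} is hooked into both Internet Explorer and Winlogon"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:10} {f.section:7} {f.message}")
```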

Re: Cryptor win 32

Post by Fonzie on 14th May 2009, 9:44 pm

DDS (Ver_09-05-14.01) - NTFSx86
Run by GVB Vikingschool at 23:39:25,12 on do 14/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.32.1043.18.511.88 [GMT 2:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\D-Link\AirPlus G DWL-G510\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\tom\DAEMON Tools Lite\daemon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\TEMP\ivtD.tmp
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\GVB Vikingschool\Bureaublad\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearch Page = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
BHO: {03b0ed95-f312-4a6d-864b-bed2eb06be91} - c:\windows\system32\mhlljalr.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: : {4dbdb0f2-5f45-4073-a79c-c5fe3ad46051} - c:\windows\system32\zlzbrlu.dll
BHO: Windows Live Aanmelden - Help: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [DAEMON Tools Lite] "c:\tom\daemon tools lite\daemon.exe" -autorun
uRun: [ares] "c:\tom\ares\Ares.exe" -h
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [HPHmon03] c:\windows\system32\hphmon03.exe
mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [ccApp] -
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [D-Link AirPlus G DWL-G510] c:\program files\d-link\airplus g dwl-g510\AirGCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - [You must be registered and logged in to see this link.]
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - [You must be registered and logged in to see this link.]
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - [You must be registered and logged in to see this link.]
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - [You must be registered and logged in to see this link.]
DPF: {5D2CF9D0-113A-476B-986F-288B54571614} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - [You must be registered and logged in to see this link.]
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: bltbrw - bltbrw.dll
Notify: gqibnbsw - zlzbrlu.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

============= SERVICES / DRIVERS ===============

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2005-9-2 9344]
R0 ipshbxme;ipshbxme;c:\windows\system32\drivers\ipshbxme.sys [2001-9-7 23424]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 jffmafjz;IP in IP Tunnel Controller;c:\windows\system32\svchost.exe -k netsvcs [2001-9-7 14336]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R2 vcdc;HiPath 1220 virtual serial interface;c:\windows\system32\drivers\vcdc.sys [2006-8-16 64114]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2005-6-20 18864]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090510.003\naveng.sys [2009-5-10 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090510.003\navex15.sys [2009-5-10 876144]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]
S3 usbcomm;HiPath 1220 USB interface;c:\windows\system32\drivers\usbcomm.sys [2006-8-16 96757]
S3 vi2000;CallBridge for Data (Eval);c:\windows\system32\drivers\usbeval.sys [2006-8-16 49461]
S4 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2005-9-2 462464]
S4 ccEvtMgr;Symantec Event Manager;- --> - [?]
S4 SAVRT;SAVRT;- --> - [?]

=============== Created Last 30 ================

2009-05-14 23:33 16,896 a------- c:\windows\system32\bltbrw.dll
2009-05-14 13:23 --d----- c:\program files\Trend Micro
2009-05-14 00:21 --d----- c:\docume~1\gvbvik~1\applic~1\rlrsbyax
2009-05-12 18:14 --d----- c:\program files\common files\Idu
2009-05-12 18:13 --d----- c:\program files\Microprose
2009-05-04 09:49 --d----- c:\docume~1\gvbvik~1\applic~1\Malwarebytes
2009-05-04 09:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-04 09:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-04 09:49 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-04 09:49 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-04 09:07 --d----- c:\program files\CCleaner
2009-04-27 18:40 --d----- C:\VanDale
2009-04-25 20:11 --d----- c:\windows\system32\nl-nl
2009-04-25 02:10 --d----- c:\docume~1\gvbvik~1\applic~1\rlrsbyax(2)
2009-04-25 00:45 182,912 ac------ c:\windows\system32\dllcache\ndis.sys
2009-04-25 00:45 110,204 a------- c:\windows\system32\drivers\b1c2fa46.sys
2009-04-25 00:45 2,560 a------- C:\saul.exe
2009-04-25 00:45 2 a------- C:\1424420491
2009-04-25 00:13 --d----- c:\docume~1\gvbvik~1\applic~1\iWin
2009-04-25 00:11 --d----- c:\program files\ReflexiveArcade
2009-04-24 19:54 --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-04-24 19:54 --d----- c:\program files\DAEMON Tools Toolbar
2009-04-24 19:46 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-04-24 19:46 --d----- c:\docume~1\gvbvik~1\applic~1\DAEMON Tools Lite
2009-04-17 12:45 --d----- c:\program files\SystemRequirementsLab
2009-04-16 20:50 116,224 a------- c:\windows\system32\pdfcmnnt.dll
2009-04-16 20:50 23,552 a------- c:\windows\system32\MSMPIDE.DLL
2009-04-16 20:50 --d----- c:\program files\PDFCreator

==================== Find3M ====================

2009-04-27 09:23 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-04-24 20:11 486,398 a------- c:\windows\system32\perfh013.dat
2009-04-24 20:11 89,808 a------- c:\windows\system32\perfc013.dat
2009-03-06 16:47 285,184 a------- c:\windows\system32\pdh.dll
2009-02-20 10:33 81,920 -------- c:\windows\system32\ieencode.dll
2009-02-16 16:26 410,984 a------- c:\windows\system32\deploytk.dll
2001-09-07 14:00 94,784 ---sh--- c:\windows\twain.dll
2004-08-04 10:03 50,688 ---sh--- c:\windows\twain_32.dll
2004-08-04 10:03 1,028,096 a--sh--- c:\windows\system32\mfc42.dll
2004-08-04 10:03 54,784 a--sh--- c:\windows\system32\msvcirt.dll
2004-08-04 10:03 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2004-08-04 10:03 343,040 a--sh--- c:\windows\system32\msvcrt.dll
2007-05-17 13:30 549,376 ---sh--- c:\windows\system32\oleaut32.dll
2004-08-04 10:03 83,456 ---sh--- c:\windows\system32\olepro32.dll
2004-08-04 10:03 12,288 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 23:41:17,95 ===============


Re: Cryptor win 32

Post by Fonzie on 14th May 2009, 9:44 pm

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/06/2005 11:18:56
System Uptime: 14/05/2009 23:29:45 (0 hours ago)

Motherboard: ASUSTeK Computer INC. | | Puffer
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | CPU 1 | 3000/200mhz
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | CPU 1 | 3000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 128 GiB total, 100,118 GiB free.
D: is Removable
E: is Removable
F: is Removable
G: is Removable
H: is CDROM (UDF)
I: is CDROM ()
J: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP13: 14/05/2009 23:39:01 - Controlepunt van systeem

==== Installed Programs ======================

3DVIA player 4.1
Adobe Acrobat 5.0
Adobe Flash Player 10 Plugin
Agere Systems PCI Soft Modem
Ahead InCD
AirPlus G DWL-G510
Alfabet met Muntje
ANIO Service
ANIWZCS2 Service
ATI Display Driver
AutoUpdate
AVI DivX MPEG to DVD Converter & Burner Pro 1.6
Beveiligingsupdate for Windows XP (KB941569)
Beveiligingsupdate voor Windows Media Player (KB911564)
Beveiligingsupdate voor Windows Media Player (KB952069)
Beveiligingsupdate voor Windows Media Player 6.4 (KB925398)
Beveiligingsupdate voor Windows Media Player 9 (KB911565)
Beveiligingsupdate voor Windows Media Player 9 (KB917734)
Beveiligingsupdate voor Windows Media Player 9 (KB936782)
Beveiligingsupdate voor Windows XP (KB890046)
Beveiligingsupdate voor Windows XP (KB893066)
Beveiligingsupdate voor Windows XP (KB893756)
Beveiligingsupdate voor Windows XP (KB896358)
Beveiligingsupdate voor Windows XP (KB896422)
Beveiligingsupdate voor Windows XP (KB896423)
Beveiligingsupdate voor Windows XP (KB896424)
Beveiligingsupdate voor Windows XP (KB896428)
Beveiligingsupdate voor Windows XP (KB896688)
Beveiligingsupdate voor Windows XP (KB899587)
Beveiligingsupdate voor Windows XP (KB899588)
Beveiligingsupdate voor Windows XP (KB899589)
Beveiligingsupdate voor Windows XP (KB899591)
Beveiligingsupdate voor Windows XP (KB900725)
Beveiligingsupdate voor Windows XP (KB901017)
Beveiligingsupdate voor Windows XP (KB901214)
Beveiligingsupdate voor Windows XP (KB902400)
Beveiligingsupdate voor Windows XP (KB904706)
Beveiligingsupdate voor Windows XP (KB905414)
Beveiligingsupdate voor Windows XP (KB905749)
Beveiligingsupdate voor Windows XP (KB905915)
Beveiligingsupdate voor Windows XP (KB908519)
Beveiligingsupdate voor Windows XP (KB911562)
Beveiligingsupdate voor Windows XP (KB911567)
Beveiligingsupdate voor Windows XP (KB911927)
Beveiligingsupdate voor Windows XP (KB912812)
Beveiligingsupdate voor Windows XP (KB912919)
Beveiligingsupdate voor Windows XP (KB913446)
Beveiligingsupdate voor Windows XP (KB913580)
Beveiligingsupdate voor Windows XP (KB914388)
Beveiligingsupdate voor Windows XP (KB914389)
Beveiligingsupdate voor Windows XP (KB916281)
Beveiligingsupdate voor Windows XP (KB917159)
Beveiligingsupdate voor Windows XP (KB917344)
Beveiligingsupdate voor Windows XP (KB917422)
Beveiligingsupdate voor Windows XP (KB917953)
Beveiligingsupdate voor Windows XP (KB918118)
Beveiligingsupdate voor Windows XP (KB918439)
Beveiligingsupdate voor Windows XP (KB918899)
Beveiligingsupdate voor Windows XP (KB919007)
Beveiligingsupdate voor Windows XP (KB920213)
Beveiligingsupdate voor Windows XP (KB920214)
Beveiligingsupdate voor Windows XP (KB920670)
Beveiligingsupdate voor Windows XP (KB920683)
Beveiligingsupdate voor Windows XP (KB920685)
Beveiligingsupdate voor Windows XP (KB921398)
Beveiligingsupdate voor Windows XP (KB921503)
Beveiligingsupdate voor Windows XP (KB921883)
Beveiligingsupdate voor Windows XP (KB922616)
Beveiligingsupdate voor Windows XP (KB922819)
Beveiligingsupdate voor Windows XP (KB923191)
Beveiligingsupdate voor Windows XP (KB923414)
Beveiligingsupdate voor Windows XP (KB923561)
Beveiligingsupdate voor Windows XP (KB923980)
Beveiligingsupdate voor Windows XP (KB924270)
Beveiligingsupdate voor Windows XP (KB924496)
Beveiligingsupdate voor Windows XP (KB924667)
Beveiligingsupdate voor Windows XP (KB925486)
Beveiligingsupdate voor Windows XP (KB925902)
Beveiligingsupdate voor Windows XP (KB926255)
Beveiligingsupdate voor Windows XP (KB926436)
Beveiligingsupdate voor Windows XP (KB927779)
Beveiligingsupdate voor Windows XP (KB927802)
Beveiligingsupdate voor Windows XP (KB928255)
Beveiligingsupdate voor Windows XP (KB928843)
Beveiligingsupdate voor Windows XP (KB929123)
Beveiligingsupdate voor Windows XP (KB930178)
Beveiligingsupdate voor Windows XP (KB931261)
Beveiligingsupdate voor Windows XP (KB931784)
Beveiligingsupdate voor Windows XP (KB932168)
Beveiligingsupdate voor Windows XP (KB933729)
Beveiligingsupdate voor Windows XP (KB935839)
Beveiligingsupdate voor Windows XP (KB935840)
Beveiligingsupdate voor Windows XP (KB936021)
Beveiligingsupdate voor Windows XP (KB937894)
Beveiligingsupdate voor Windows XP (KB938127)
Beveiligingsupdate voor Windows XP (KB938464)
Beveiligingsupdate voor Windows XP (KB938829)
Beveiligingsupdate voor Windows XP (KB941202)
Beveiligingsupdate voor Windows XP (KB941568)
Beveiligingsupdate voor Windows XP (KB941644)
Beveiligingsupdate voor Windows XP (KB942615)
Beveiligingsupdate voor Windows XP (KB943460)
Beveiligingsupdate voor Windows XP (KB943485)
Beveiligingsupdate voor Windows XP (KB944338-v2)
Beveiligingsupdate voor Windows XP (KB944653)
Beveiligingsupdate voor Windows XP (KB946648)
Beveiligingsupdate voor Windows XP (KB950749)
Beveiligingsupdate voor Windows XP (KB950762)
Beveiligingsupdate voor Windows XP (KB950974)
Beveiligingsupdate voor Windows XP (KB951066)
Beveiligingsupdate voor Windows XP (KB951376-v2)
Beveiligingsupdate voor Windows XP (KB951698)
Beveiligingsupdate voor Windows XP (KB951748)
Beveiligingsupdate voor Windows XP (KB952004)
Beveiligingsupdate voor Windows XP (KB952954)
Beveiligingsupdate voor Windows XP (KB954211)
Beveiligingsupdate voor Windows XP (KB954600)
Beveiligingsupdate voor Windows XP (KB955069)
Beveiligingsupdate voor Windows XP (KB956390)
Beveiligingsupdate voor Windows XP (KB956391)
Beveiligingsupdate voor Windows XP (KB956572)
Beveiligingsupdate voor Windows XP (KB956802)
Beveiligingsupdate voor Windows XP (KB956803)
Beveiligingsupdate voor Windows XP (KB956841)
Beveiligingsupdate voor Windows XP (KB957095)
Beveiligingsupdate voor Windows XP (KB957097)
Beveiligingsupdate voor Windows XP (KB958215)
Beveiligingsupdate voor Windows XP (KB958644)
Beveiligingsupdate voor Windows XP (KB958687)
Beveiligingsupdate voor Windows XP (KB958690)
Beveiligingsupdate voor Windows XP (KB959426)
Beveiligingsupdate voor Windows XP (KB960225)
Beveiligingsupdate voor Windows XP (KB960714)
Beveiligingsupdate voor Windows XP (KB960715)
Beveiligingsupdate voor Windows XP (KB960803)
Beveiligingsupdate voor Windows XP (KB961373)
Beveiligingsupdate voor Windows XP (KB963027)
BitLord 1.1
CCleaner (remove only)
Choice Guard
Compatibility Pack for the 2007 Office system
CP_AtenaShokunin1Config
cp_dwSharkTaleAlbums1
cp_dwSharkTaleCards1
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CP_PLSBusinessFlyers
CreativeProjects
CreativeProjectsTemplates
CueTour
Destinations
DevalVR plugin for Internet Explorer (remove)
Director
DiscAPI (Studio 10)
DivX
FileMaker Pro 5.0
Google Desktop Search
Google Toolbar for Internet Explorer
Hewlett-Packard Multimedia Keyboard/Mouse Solution
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hot CPU Tester Pro 4.4.1
Hotfix 2050 for SQL Server 2000 ENU (KB948110)
Hotfix 2055 for SQL Server 2000 ENU (KB960082)
Hotfix for Windows XP (KB915865)
Hotfix voor Windows XP (KB935448)
Hotfix voor Windows XP (KB952287)
HP Image Zone 4.5.3
HP Image Zone Plus 4.5.3
HP Photo Imaging Software
HP Photo Printing Software
hp photosmart printer series (Remove only)
HP Software Update
HPIZplus450
InstantShare
InterVideo WinDVD Player
IrfanView (remove only)
Java(TM) 6 Update 12
KBD
LiveUpdate 2.6 (Symantec Corporation)
Magic ISO Maker v5.5 (build 0276)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Dutch Language Pack
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office FrontPage 2003
Microsoft Office Professional Editie 2003
Microsoft SQL Server Desktop Engine (PINNACLESYS)
Microsoft Visual C++ 2005 Redistributable
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero 6 Ultra Edition
PanoStandAlone
PDFCreator
PhotoGallery
Picasa 2
Pinnacle Instant DVD Recorder
Pinnacle MediaServer
QFolder
QuickTime Alternative 1.62
RAPID (Studio 10)
Realtek High Definition Audio Driver
Risk WarZone Client
Robbie Konijn Dreumes
Roxio Easy Media Creator 7
Ruimtelijk Inzicht voor groep 1 en 2
Security Update for CAPICOM (KB931906)
Segoe UI
SkinsHP1
SmartSound Quicktracks Plugin
SopCast 2.0.4
Studio 10
Symantec AntiVirus
System Requirements Lab
TrayApp
Unload
Update voor Windows XP (KB898461)
Update voor Windows XP (KB900485)
Update voor Windows XP (KB908531)
Update voor Windows XP (KB910437)
Update voor Windows XP (KB911280)
Update voor Windows XP (KB916595)
Update voor Windows XP (KB920872)
Update voor Windows XP (KB922582)
Update voor Windows XP (KB927891)
Update voor Windows XP (KB930916)
Update voor Windows XP (KB936357)
Update voor Windows XP (KB938828)
Update voor Windows XP (KB942763)
Update voor Windows XP (KB942840)
Update voor Windows XP (KB946627)
Update voor Windows XP (KB951072-v2)
Update voor Windows XP (KB955839)
Update voor Windows XP (KB967715)
Van Dale Grote woordenboeken Duits
Van Dale Grote woordenboeken Frans
VLC media player 0.9.8a
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live - Hulpprogramma voor uploaden
Windows Live aanmeldhulp
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Media Format Runtime
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR
WinZip

==== Event Viewer Messages From Past Week ========

14/05/2009 23:33:54, error: Service Control Manager [7016] - De BrSplService-service heeft een ongeldige status 0 gerapporteerd.
14/05/2009 23:25:30, error: Service Control Manager [7032] - Servicebesturingsbeheer heeft na het onverwachte afsluiten van de Windows Management Instrumentation-service geprobeerd een herstelactie (Service opnieuw starten) uit te voeren, maar deze actie is met de volgende fout mislukt: De service is al gestart.
14/05/2009 23:25:09, error: Service Control Manager [7031] - De Symantec AntiVirus-service is onverwacht gestopt. Dit is 2 keer gebeurd. De volgende herstelbewerking zal over 10000 milliseconden worden uitgevoerd: Service opnieuw starten.
13/05/2009 7:32:28, error: Service Control Manager [7023] - De Computer Browser-service is gestopt met de volgende foutcode: Deze bewerking is geretourneerd omdat de time-outperiode verlopen is. .
13/05/2009 7:27:34, error: Service Control Manager [7000] - De Automatische updates-service kan vanwege de volgende fout niet worden gestart: Het systeem kan het opgegeven bestand niet vinden.
12/05/2009 21:06:06, error: Dhcp [1001] - Deze computer heeft geen adres toegewezen gekregen van het netwerk (door de DHCP-server) voor de netwerkkaart met netwerkadres 0022B06CC9D6. De volgende fout is opgetreden: De bewerking is geannuleerd door de gebruiker. . De computer zal doorgaan om zelf een adres van de server met netwerkadressen (DHCP-server) proberen te krijgen.
12/05/2009 17:36:46, error: Print [6161] -
12/05/2009 16:21:33, error: W32Time [17] - Tijdprovider/NtpClient: er is een onverwachte fout opgetreden tijdens de DNS-lookup van de handmatig geconfigureerde peer time.windows.com,0x1. NtpClient probeert een nieuwe DNS-lookup in 15 minuten. De fout is: Er is geprobeerd een socketbewerking uit te voeren op een onbereikbare host. (0x80072751)

==== End Of File ===========================


Re: Cryptor win 32

Post by Belahzur on 14th May 2009, 9:51 pm

Hello.
Not good news at all here.

Your system is severely infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

Actually, this doesn't surprise me at all...
I notice in the DDS log that Symantec is disabled, so you've allowed a very big mess to get in here, it's even patched a system file. For now, keep it disabled.

I see that you are running BitLord.
P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If BitLord is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • BitLord 1.1
  • Java(TM) 6 Update 12


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Please keep Symantec disabled or it will interfere with our removal.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Cryptor win 32

Post by Fonzie on 15th May 2009, 11:38 am

ComboFix 09-05-14.05 - GVB Vikingschool 15/05/2009 13:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.32.1043.18.511.135 [GMT 2:00]
Gestart vanuit: c:\documents and settings\GVB Vikingschool\Bureaublad\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\bltbrw.dll
c:\windows\system32\drivers\b1c2fa46.sys
c:\windows\system32\mhlljalr.dll . . . . konden niet verwijderd worden
c:\windows\system32\zlzbrlu.dll . . . . konden niet verwijderd worden

Besmet exemplaar van c:\windows\system32\drivers\ndis.sys werd aangetroffen en gedesinfecteerd
Hersteld exemplaar van -

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_jffmafjz
-------\Service_b1c2fa46
-------\Service_jffmafjz


(((((((((((((((((((( Bestanden Gemaakt van 2009-04-15 to 2009-05-15 ))))))))))))))))))))))))))))))
.

2009-05-15 11:15 . 2009-05-15 11:15 -------- d-----w c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax
2009-05-15 11:15 . 2009-05-15 11:15 -------- d-----w c:\documents and settings\GVB Vikingschool\Local Settings\Application Data\rlrsbyax
2009-05-14 11:23 . 2009-05-14 11:23 -------- d-----w c:\program files\Trend Micro
2009-05-14 10:19 . 2009-05-14 10:19 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-05-13 05:31 . 2009-05-13 05:31 -------- d-----w c:\documents and settings\NetworkService\Application Data\rlrsbyax
2009-05-13 05:31 . 2009-05-13 05:31 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\rlrsbyax
2009-05-12 16:14 . 2009-05-12 16:14 -------- d-----w c:\program files\Common Files\Idu
2009-05-12 16:13 . 2009-05-12 16:13 -------- d-----w c:\program files\Microprose
2009-05-04 07:49 . 2009-05-04 07:49 -------- d-----w c:\documents and settings\GVB Vikingschool\Application Data\Malwarebytes
2009-05-04 07:49 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-04 07:49 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-04 07:49 . 2009-05-04 07:49 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-04 07:49 . 2009-05-04 07:49 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-04 07:07 . 2009-05-04 07:07 -------- d-----w c:\program files\CCleaner
2009-04-27 16:40 . 2009-04-27 16:40 -------- d-----w C:\VanDale
2009-04-26 14:27 . 2009-04-26 14:27 0 ----a-w c:\windows\nsreg.dat
2009-04-26 14:27 . 2009-04-26 14:27 -------- d-----w c:\documents and settings\GVB Vikingschool\Local Settings\Application Data\Mozilla
2009-04-26 14:22 . 2009-04-26 14:22 -------- d-----w c:\documents and settings\GVB Vikingschool\Local Settings\Application Data\Ares
2009-04-25 18:11 . 2009-04-25 18:11 -------- d-----w c:\windows\system32\nl-nl
2009-04-25 14:19 . 2009-05-12 17:49 -------- d-----w c:\documents and settings\GVB Vikingschool\Application Data\dvdcss
2009-04-25 00:10 . 2009-04-25 07:35 -------- d-----w c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax(2)
2009-04-25 00:10 . 2009-04-25 07:35 -------- d-----w c:\documents and settings\GVB Vikingschool\Local Settings\Application Data\rlrsbyax(2)
2009-04-24 22:45 . 2009-04-24 22:45 2560 ----a-w C:\saul.exe
2009-04-24 22:13 . 2009-04-24 22:13 -------- d-----w c:\documents and settings\GVB Vikingschool\Application Data\iWin
2009-04-24 22:11 . 2009-04-24 22:11 -------- d-----w c:\program files\ReflexiveArcade
2009-04-24 17:54 . 2009-04-24 17:54 -------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-04-24 17:54 . 2009-04-24 17:54 -------- d-----w c:\program files\DAEMON Tools Toolbar
2009-04-24 17:46 . 2009-04-24 17:46 721904 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-24 17:46 . 2009-04-24 17:59 -------- d-----w c:\documents and settings\GVB Vikingschool\Application Data\DAEMON Tools Lite
2009-04-17 10:45 . 2009-04-17 10:45 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-16 18:50 . 2001-10-28 15:42 116224 ----a-w c:\windows\system32\pdfcmnnt.dll
2009-04-16 18:50 . 1998-07-05 23:00 23552 ----a-w c:\windows\system32\MSMPIDE.DLL
2009-04-16 18:50 . 2009-04-16 18:52 -------- d-----w c:\program files\PDFCreator

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 11:25 . 2001-09-07 12:00 143872 ----a-w c:\windows\system32\mhlljalr.dll
2009-05-15 11:15 . 2001-09-07 12:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-27 07:25 . 2005-10-10 14:59 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-24 18:11 . 2001-09-07 12:00 89808 ----a-w c:\windows\system32\perfc013.dat
2009-04-24 18:11 . 2001-09-07 12:00 486398 ----a-w c:\windows\system32\perfh013.dat
2009-04-14 18:21 . 2009-04-14 18:21 -------- d-----w c:\program files\Virtools
2009-03-06 14:47 . 2005-06-02 09:44 285184 ----a-w c:\windows\system32\pdh.dll
2009-02-25 15:13 . 2005-06-22 07:34 95472 ----a-w c:\documents and settings\GVB Vikingschool\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 08:33 . 2004-08-04 08:03 81920 ------w c:\windows\system32\ieencode.dll
2009-02-16 14:26 . 2009-02-16 14:26 410984 ----a-w c:\windows\system32\deploytk.dll
2001-09-07 12:00 . 2001-09-07 12:00 94784 --sh--w c:\windows\twain.dll
2004-08-04 08:03 . 2001-09-07 12:00 50688 --sh--w c:\windows\twain_32.dll
2004-08-04 08:03 . 2001-09-07 12:00 1028096 --sha-w c:\windows\system32\mfc42.dll
2004-08-04 08:03 . 2001-09-07 12:00 54784 --sha-w c:\windows\system32\msvcirt.dll
2004-08-04 08:03 . 2005-06-02 09:44 413696 --sha-w c:\windows\system32\msvcp60.dll
2004-08-04 08:03 . 2005-06-02 09:44 343040 --sha-w c:\windows\system32\msvcrt.dll
2007-05-17 11:30 . 2001-09-07 12:00 549376 --sh--w c:\windows\system32\oleaut32.dll
2004-08-04 08:03 . 2001-09-07 12:00 83456 --sh--w c:\windows\system32\olepro32.dll
2004-08-04 08:03 . 2001-09-07 12:00 12288 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03b0ed95-f312-4a6d-864b-bed2eb06be91}]
2009-05-15 11:25 143872 ----a-w c:\windows\system32\mhlljalr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4dbdb0f2-5f45-4073-a79c-c5fe3ad46051}]
2001-09-07 12:00 102400 ----a-w c:\windows\system32\zlzbrlu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-25 120320]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"DAEMON Tools Lite"="c:\tom\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"ares"="c:\tom\Ares\Ares.exe" [2009-02-03 1004544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-04-13 1470464]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-25 196608]
"HPHmon03"="c:\windows\System32\hphmon03.exe" [2001-10-25 311296]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-09-19 45056]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"D-Link AirPlus G DWL-G510"="c:\program files\D-Link\AirPlus G DWL-G510\AirGCFG.exe" [2007-10-24 1552384]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Default User\Menu Start\Programma's\Opstarten\
AutoTBar.exe [2003-9-30 57344]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-4-25 122880]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\K:\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^CommServer.lnk]
path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\CommServer.lnk
backup=c:\windows\pss\CommServer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"30350:TCP"= 30350:TCP:@xpsp2res.dll,-22009
"28961:TCP"= 28961:TCP:@xpsp2res.dll,-22009
"2187:TCP"= 2187:TCP:@xpsp2res.dll,-22009
"37664:TCP"= 37664:TCP:@xpsp2res.dll,-22009
"21129:TCP"= 21129:TCP:@xpsp2res.dll,-22009
"64033:TCP"= 64033:TCP:@xpsp2res.dll,-22009
"30090:TCP"= 30090:TCP:@xpsp2res.dll,-22009
"18210:TCP"= 18210:TCP:@xpsp2res.dll,-22009
"36490:TCP"= 36490:TCP:@xpsp2res.dll,-22009
"63522:TCP"= 63522:TCP:@xpsp2res.dll,-22009

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2/09/2005 15:04 9344]
R0 ipshbxme;ipshbxme;c:\windows\system32\drivers\ipshbxme.sys [7/09/2001 14:00 23424]
R2 vcdc;HiPath 1220 virtual serial interface;c:\windows\system32\drivers\vcdc.sys [16/08/2006 17:11 64114]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [20/06/2005 13:50 18864]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [17/04/2005 13:30 124608]
S3 usbcomm;HiPath 1220 USB interface;c:\windows\system32\drivers\usbcomm.sys [16/08/2006 17:11 96757]
S3 vi2000;CallBridge for Data (Eval);c:\windows\system32\drivers\usbeval.sys [16/08/2006 17:08 49461]
S4 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2/09/2005 15:04 462464]

--- Andere Services/Drivers In Geheugen ---

*Deregistered* - EraserUtilDrv10910

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\shell\autorun\command - L:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48224c80-37f7-11db-b359-0011d8d0c1c7}]
\Shell\AutoRun\command - K:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dcef461-34e3-11de-b3da-0022b06cc9d6}]
\shell\autorun\command - L:\EXPLORER.EXE
\shell\explore\command - L:\EXPLORER.EXE
\shell\open\command - L:\EXPLORER.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a09350-3f0a-11de-b3e5-0022b06cc9d6}]
\shell\autorun\command - L:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a09351-3f0a-11de-b3e5-0022b06cc9d6}]
\shell\autoplay\command - M:\usb_installer.exe
\shell\autorun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL usb_installer.exe
\shell\explore\command - M:\usb_installer.exe
\shell\open\command - M:\usb_installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e467d068-ed2c-11dc-b385-0011d8d0c1c7}]
\shell\autoplay\command - K:\autorun.exe
\shell\autorun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autorun.exe
\shell\explore\command - K:\autorun.exe
\shell\open\command - K:\autorun.exe
.
.
------- Bijkomende Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {5D2CF9D0-113A-476B-986F-288B54571614} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-15 13:29
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************


Re: Cryptor win 32

Post by Fonzie on 15th May 2009, 11:39 am

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]
"ImagePath"="-"
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,83,e6,da,49,84,
34,d4,a4,e2,63,26,f1,3f,c8,ff,68,4a,dc,c5,71,2d,8d,cb,e3,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,bc,26,3a,05,98,
e2,b6,aa,6a,9c,d6,61,af,45,84,18,54,35,ec,c1,45,ba,7e,b6,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,f3,76,77,c3,83,
74,29,25,ff,7c,85,e0,43,d4,0e,fe,76,ab,66,c1,27,b3,03,02,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,1c,b1,f2,95,d7,
a5,60,55,86,8c,21,01,be,91,eb,e7,10,b5,06,5f,a3,6f,59,e4,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,c8,3b,0e,de,a3,
4d,f3,b2,f5,1d,4d,73,a8,13,5c,05,5b,c4,d3,d8,8f,ec,e9,54,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,7b,bd,fd,04,dd,
b7,08,d4,df,20,58,62,78,6b,cf,c8,f8,8c,4a,b2,7b,3e,c4,49,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,95,d5,bf,ed,10,
8c,76,76,fb,a7,78,e6,12,2f,9a,ea,cc,1a,3b,07,ff,e1,0d,b0,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,ad,16,ef,a2,79,
04,fa,24,01,3a,48,fc,e8,04,4a,f1,7b,86,25,e5,0b,1d,15,ff,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,0b,0b,41,4a,c0,
c1,0a,99,f6,0f,4e,58,98,5b,89,c9,56,e1,96,26,25,9f,13,1b,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,7e,30,c4,a8,b6,
f1,ee,13,3d,ce,ea,26,2d,45,aa,78,63,55,52,46,02,f1,13,27,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,3a,ba,0f,55,d0,
4e,d1,76,2a,b7,cc,b5,b9,7f,41,e7,68,57,3a,3a,36,7c,52,68,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,15,bd,7d,df,ff,
8d,03,3b,6c,43,2d,1e,aa,22,2f,9c,55,bd,d6,c9,31,08,15,b6,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ōēÄ|ˇˇˇˇēÄ|ýē9~*]
"3140710900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"
"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3020)
c:\windows\system32\IEFRAME.dll
c:\windows\system32\msls31.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\BRSS01A.EXE
c:\windows\system32\ati2evxx.exe
c:\progra~1\WinZip\WZQKPICK.EXE
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
.
**************************************************************************
.
Voltooingstijd: 2009-05-15 13:35 - machine werd herstart
ComboFix-quarantined-files.txt 2009-05-15 11:34

Pre-Run: 107.491.340.288 bytes beschikbaar
Post-Run: 109.538.123.776 bytes beschikbaar

WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

310 --- E O F --- 2009-04-16 17:18


Re: Cryptor win 32

Post by Fonzie on 15th May 2009, 11:41 am

hey!

thank you very much for helping me so far! The combofix scanned and now I posted the log up here. It couldn't remove two DLL files:

- mhlljalr.dll
- zlzbrlu.dll

What do you suggest to try to get rid of these two? Is there a way to get them off my computer?
And what should I use to protect me in the future? Symantec or something else?

Thanks in advance!


Re: Cryptor win 32

Post by Belahzur on 15th May 2009, 12:57 pm

Hello.
The reason they couldn't be deleted is because they are locked by a rootkit. We are going to run Combofix again using a custom script made for ONLY your machine which will take it down along with the rest of the malicious files.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
ipshbxme

File::
C:\saul.exe
c:\windows\system32\mhlljalr.dll
c:\windows\system32\zlzbrlu.dll
c:\windows\system32\drivers\ipshbxme.sys

Folder::
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax
c:\documents and settings\GVB Vikingschool\Local Settings\Application Data\rlrsbyax
c:\documents and settings\NetworkService\Application Data\rlrsbyax
c:\documents and settings\NetworkService\Local Settings\Application Data\rlrsbyax
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax(2)
c:\documents and settings\GVB Vikingschool\Local Settings\Application Data\rlrsbyax(2)
c:\documents and settings\GVB Vikingschool\Application Data\iWin

DirLook::
c:\windows\system32\nl-nl

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{03b0ed95-f312-4a6d-864b-bed2eb06be91}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4dbdb0f2-5f45-4073-a79c-c5fe3ad46051}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9dcef461-34e3-11de-b3da-0022b06cc9d6}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a09351-3f0a-11de-b3e5-0022b06cc9d6}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e467d068-ed2c-11dc-b385-0011d8d0c1c7}]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.



Re: Cryptor win 32

Post by Fonzie on 16th May 2009, 3:53 pm

ComboFix 09-05-14.05 - GVB Vikingschool 16/05/2009 17:40.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.32.1043.18.511.260 [GMT 2:00]
Running from: c:\documents and settings\GVB Vikingschool\Bureaublad\ComboFix.exe
Command switches used :: c:\documents and settings\GVB Vikingschool\Bureaublad\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
C:\saul.exe
c:\windows\system32\drivers\ipshbxme.sys
c:\windows\system32\mhlljalr.dll
c:\windows\system32\zlzbrlu.dll
.

(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\GVB Vikingschool\Application Data\iWin
c:\documents and settings\GVB Vikingschool\Application Data\iWin\RiskSA\debug.txt
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax(2)
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax(2)\Profiles(2)\pqj4m0mg.default\cert8.db
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax(2)\Profiles(2)\pqj4m0mg.default\compreg.dat
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax(2)\Profiles(2)\pqj4m0mg.default\cookies.sqlite
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax(2)\Profiles(2)\pqj4m0mg.default\formhistory.sqlite
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax(2)\Profiles(2)\pqj4m0mg.default\key3.db
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax(2)\Profiles(2)\pqj4m0mg.default\localstore.rdf
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax(2)\Profiles(2)\pqj4m0mg.default\permissions.sqlite
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax(2)\Profiles(2)\pqj4m0mg.default\places.sqlite-journal
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax(2)\Profiles(2)\pqj4m0mg.default\places.sqlite
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax(2)\Profiles(2)\pqj4m0mg.default\pluginreg.dat
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax(2)\Profiles(2)\pqj4m0mg.default\prefs.js
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax(2)\Profiles(2)\pqj4m0mg.default\secmod.db
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax(2)\Profiles(2)\pqj4m0mg.default\webappsstore.sqlite
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax(2)\Profiles(2)\pqj4m0mg.default\xpti.dat
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax\profiles.ini
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax\Profiles\g0qpv9r3.default\cert8.db
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax\Profiles\g0qpv9r3.default\compatibility.ini
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax\Profiles\g0qpv9r3.default\compreg.dat
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax\Profiles\g0qpv9r3.default\cookies.sqlite
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax\Profiles\g0qpv9r3.default\formhistory.sqlite
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax\Profiles\g0qpv9r3.default\key3.db
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax\Profiles\g0qpv9r3.default\localstore.rdf
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax\Profiles\g0qpv9r3.default\permissions.sqlite
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax\Profiles\g0qpv9r3.default\places.sqlite-journal
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax\Profiles\g0qpv9r3.default\places.sqlite
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax\Profiles\g0qpv9r3.default\pluginreg.dat
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax\Profiles\g0qpv9r3.default\prefs.js
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax\Profiles\g0qpv9r3.default\secmod.db
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax\Profiles\g0qpv9r3.default\webappsstore.sqlite
c:\documents and settings\GVB Vikingschool\Application Data\rlrsbyax\Profiles\g0qpv9r3.default\xpti.dat
c:\documents and settings\GVB Vikingschool\Local Settings\Application Data\rlrsbyax
c:\documents and settings\GVB Vikingschool\Local Settings\Application Data\rlrsbyax(2)
c:\documents and settings\GVB Vikingschool\Local Settings\Application Data\rlrsbyax(2)\Profiles(2)\pqj4m0mg.default\urlclassifier3.sqlite
c:\documents and settings\GVB Vikingschool\Local Settings\Application Data\rlrsbyax\Profiles\g0qpv9r3.default\urlclassifier3.sqlite
c:\documents and settings\GVB Vikingschool\Local Settings\Application Data\rlrsbyax\Profiles\g0qpv9r3.default\XPC.mfl
c:\documents and settings\NetworkService\Application Data\rlrsbyax
c:\documents and settings\NetworkService\Application Data\rlrsbyax\profiles.ini
c:\documents and settings\NetworkService\Application Data\rlrsbyax\Profiles\agnilfts.default\cert8.db
c:\documents and settings\NetworkService\Application Data\rlrsbyax\Profiles\agnilfts.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\rlrsbyax\Profiles\agnilfts.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\rlrsbyax\Profiles\agnilfts.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\rlrsbyax\Profiles\agnilfts.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\rlrsbyax\Profiles\agnilfts.default\key3.db
c:\documents and settings\NetworkService\Application Data\rlrsbyax\Profiles\agnilfts.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\rlrsbyax\Profiles\agnilfts.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\rlrsbyax\Profiles\agnilfts.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\rlrsbyax\Profiles\agnilfts.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\rlrsbyax\Profiles\agnilfts.default\prefs.js
c:\documents and settings\NetworkService\Application Data\rlrsbyax\Profiles\agnilfts.default\secmod.db
c:\documents and settings\NetworkService\Application Data\rlrsbyax\Profiles\agnilfts.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\rlrsbyax\Profiles\agnilfts.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\rlrsbyax
c:\documents and settings\NetworkService\Local Settings\Application Data\rlrsbyax\Profiles\agnilfts.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\rlrsbyax\Profiles\agnilfts.default\XPC.mfl
C:\saul.exe
c:\windows\system32\drivers\ipshbxme.sys
c:\windows\system32\mhlljalr.dll
c:\windows\system32\zlzbrlu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ipshbxme
-------\Service_ipshbxme


(((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 ))))))))))))))))))))))))))))))
.

2009-05-15 12:35 . 2009-05-15 12:38 -------- d-----w c:\documents and settings\GVB Vikingschool\Application Data\Free Download Manager
2009-05-14 11:23 . 2009-05-14 11:23 -------- d-----w c:\program files\Trend Micro
2009-05-14 10:19 . 2009-05-14 10:19 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-05-12 16:14 . 2009-05-12 16:14 -------- d-----w c:\program files\Common Files\Idu
2009-05-12 16:13 . 2009-05-12 16:13 -------- d-----w c:\program files\Microprose
2009-05-04 07:49 . 2009-05-04 07:49 -------- d-----w c:\documents and settings\GVB Vikingschool\Application Data\Malwarebytes
2009-05-04 07:49 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-04 07:49 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-04 07:49 . 2009-05-04 07:49 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-04 07:49 . 2009-05-04 07:49 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-04 07:07 . 2009-05-04 07:07 -------- d-----w c:\program files\CCleaner
2009-04-27 16:40 . 2009-04-27 16:40 -------- d-----w C:\VanDale
2009-04-26 14:27 . 2009-04-26 14:27 0 ----a-w c:\windows\nsreg.dat
2009-04-26 14:27 . 2009-04-26 14:27 -------- d-----w c:\documents and settings\GVB Vikingschool\Local Settings\Application Data\Mozilla
2009-04-26 14:22 . 2009-04-26 14:22 -------- d-----w c:\documents and settings\GVB Vikingschool\Local Settings\Application Data\Ares
2009-04-25 18:11 . 2009-04-25 18:11 -------- d-----w c:\windows\system32\nl-nl
2009-04-25 14:19 . 2009-05-12 17:49 -------- d-----w c:\documents and settings\GVB Vikingschool\Application Data\dvdcss
2009-04-24 22:11 . 2009-04-24 22:11 -------- d-----w c:\program files\ReflexiveArcade
2009-04-24 17:54 . 2009-04-24 17:54 -------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-04-24 17:54 . 2009-04-24 17:54 -------- d-----w c:\program files\DAEMON Tools Toolbar
2009-04-24 17:46 . 2009-04-24 17:46 721904 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-24 17:46 . 2009-04-24 17:59 -------- d-----w c:\documents and settings\GVB Vikingschool\Application Data\DAEMON Tools Lite
2009-04-17 10:45 . 2009-04-17 10:45 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-16 18:50 . 2001-10-28 15:42 116224 ----a-w c:\windows\system32\pdfcmnnt.dll
2009-04-16 18:50 . 1998-07-05 23:00 23552 ----a-w c:\windows\system32\MSMPIDE.DLL
2009-04-16 18:50 . 2009-04-16 18:52 -------- d-----w c:\program files\PDFCreator

.
((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 15:40 . 2001-09-07 12:00 23424 ----a-w c:\windows\system32\drivers\kiflsdfk.sys
2009-05-15 11:32 . 2001-09-07 12:00 89808 ----a-w c:\windows\system32\perfc013.dat
2009-05-15 11:32 . 2001-09-07 12:00 486398 ----a-w c:\windows\system32\perfh013.dat
2009-05-15 11:15 . 2001-09-07 12:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-27 07:25 . 2005-10-10 14:59 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-14 18:21 . 2009-04-14 18:21 -------- d-----w c:\program files\Virtools
2009-03-06 14:47 . 2005-06-02 09:44 285184 ----a-w c:\windows\system32\pdh.dll
2009-02-25 15:13 . 2005-06-22 07:34 95472 ----a-w c:\documents and settings\GVB Vikingschool\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 08:33 . 2004-08-04 08:03 81920 ------w c:\windows\system32\ieencode.dll
2009-02-16 14:26 . 2009-02-16 14:26 410984 ----a-w c:\windows\system32\deploytk.dll
2001-09-07 12:00 . 2001-09-07 12:00 94784 --sh--w c:\windows\twain.dll
2004-08-04 08:03 . 2001-09-07 12:00 50688 --sh--w c:\windows\twain_32.dll
2004-08-04 08:03 . 2001-09-07 12:00 1028096 --sha-w c:\windows\system32\mfc42.dll
2004-08-04 08:03 . 2001-09-07 12:00 54784 --sha-w c:\windows\system32\msvcirt.dll
2004-08-04 08:03 . 2005-06-02 09:44 413696 --sha-w c:\windows\system32\msvcp60.dll
2004-08-04 08:03 . 2005-06-02 09:44 343040 --sha-w c:\windows\system32\msvcrt.dll
2007-05-17 11:30 . 2001-09-07 12:00 549376 --sh--w c:\windows\system32\oleaut32.dll
2004-08-04 08:03 . 2001-09-07 12:00 83456 --sh--w c:\windows\system32\olepro32.dll
2004-08-04 08:03 . 2001-09-07 12:00 12288 --sh--w c:\windows\system32\regsvr32.exe


Re: Cryptor win 32

Post by Fonzie on 16th May 2009, 3:53 pm

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\system32\nl-nl ----

2007-10-04 08:33 . 2007-10-04 08:33 57344 ------w c:\windows\system32\nl-nl\wininet.dll.mui
2007-10-04 08:33 . 2007-10-04 08:33 6656 ------w c:\windows\system32\nl-nl\WinFXDocObj.exe.mui
2007-10-04 08:33 . 2007-10-04 08:33 45056 ------w c:\windows\system32\nl-nl\webcheck.dll.mui
2007-10-04 08:33 . 2007-10-04 08:33 40960 ------w c:\windows\system32\nl-nl\urlmon.dll.mui
2007-10-04 08:33 . 2007-10-04 08:33 20480 ------w c:\windows\system32\nl-nl\occache.dll.mui
2007-10-04 08:33 . 2007-10-04 08:33 53248 ------w c:\windows\system32\nl-nl\msrating.dll.mui
2007-10-04 08:33 . 2007-10-04 08:33 57344 ------w c:\windows\system32\nl-nl\mshtmler.dll.mui
2007-10-04 08:33 . 2007-10-04 08:33 3072 ------w c:\windows\system32\nl-nl\mshtmled.dll.mui
2007-10-04 08:33 . 2007-10-04 08:33 12288 ------w c:\windows\system32\nl-nl\mshtml.dll.mui
2007-10-04 08:33 . 2007-10-04 08:33 2560 ------w c:\windows\system32\nl-nl\mshta.exe.mui
2007-10-04 08:33 . 2007-10-04 08:33 4096 ------w c:\windows\system32\nl-nl\licmgr10.dll.mui
2007-10-04 08:33 . 2007-10-04 08:33 3584 ------w c:\windows\system32\nl-nl\inseng.dll.mui
2007-10-04 08:32 . 2007-10-04 08:32 114688 ------w c:\windows\system32\nl-nl\inetcpl.cpl.mui
2007-10-04 08:32 . 2007-10-04 08:32 2560 ------w c:\windows\system32\nl-nl\ieunatt.exe.mui
2007-10-04 08:32 . 2007-10-04 08:32 7168 ------w c:\windows\system32\nl-nl\iesetup.dll.mui
2007-10-04 08:32 . 2007-10-04 08:32 5120 ------w c:\windows\system32\nl-nl\iernonce.dll.mui
2007-10-04 08:32 . 2007-10-04 08:32 4608 ------w c:\windows\system32\nl-nl\iepeers.dll.mui
2007-10-04 08:32 . 2007-10-04 08:32 1032192 ------w c:\windows\system32\nl-nl\ieframe.dll.mui
2007-10-04 08:32 . 2007-10-04 08:32 81920 ------w c:\windows\system32\nl-nl\iedkcs32.dll.mui
2007-10-04 08:32 . 2007-10-04 08:32 151552 ------w c:\windows\system32\nl-nl\ieakui.dll.mui
2007-10-04 08:32 . 2007-10-04 08:32 45056 ------w c:\windows\system32\nl-nl\ieaksie.dll.mui
2007-10-04 08:32 . 2007-10-04 08:32 8192 ------w c:\windows\system32\nl-nl\ieakeng.dll.mui
2007-10-04 08:32 . 2007-10-04 08:32 4096 ------w c:\windows\system32\nl-nl\ie4uinit.exe.mui
2007-10-04 08:32 . 2007-10-04 08:32 8704 ------w c:\windows\system32\nl-nl\icardie.dll.mui
2007-10-04 08:32 . 2007-10-04 08:32 12800 ------w c:\windows\system32\nl-nl\html.iec.mui
2007-10-04 08:32 . 2007-10-04 08:32 9728 ------w c:\windows\system32\nl-nl\extmgr.dll.mui
2007-10-04 08:31 . 2007-10-04 08:31 3584 ------w c:\windows\system32\nl-nl\admparse.dll.mui
2007-08-13 16:36 . 2007-08-13 16:36 2560 ------w c:\windows\system32\nl-nl\msfeedsbs.dll.mui
2007-08-13 16:11 . 2007-08-13 16:11 3584 ------w c:\windows\system32\nl-nl\ieui.dll.mui


((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-16 15:44 . 2009-05-16 15:44 16384 c:\windows\temp\Perflib_Perfdata_6e0.dat
- 2009-05-15 11:28 . 2009-05-15 11:28 49152 c:\windows\Temp\CompiledAdapter.dll
+ 2009-05-16 15:44 . 2009-05-16 15:44 49152 c:\windows\temp\CompiledAdapter.dll
+ 2001-09-07 12:00 . 2009-05-15 11:32 70804 c:\windows\system32\perfc009.dat
- 2001-09-07 12:00 . 2009-04-24 18:11 70804 c:\windows\system32\perfc009.dat
+ 2001-09-07 12:00 . 2009-05-15 11:32 421798 c:\windows\system32\perfh009.dat
- 2001-09-07 12:00 . 2009-04-24 18:11 421798 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-25 120320]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"DAEMON Tools Lite"="c:\tom\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"ares"="c:\tom\Ares\Ares.exe" [2009-02-03 1004544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-04-13 1470464]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-25 196608]
"HPHmon03"="c:\windows\System32\hphmon03.exe" [2001-10-25 311296]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-09-19 45056]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"D-Link AirPlus G DWL-G510"="c:\program files\D-Link\AirPlus G DWL-G510\AirGCFG.exe" [2007-10-24 1552384]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Default User\Menu Start\Programma's\Opstarten\
AutoTBar.exe [2003-9-30 57344]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-4-25 122880]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\K:\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^CommServer.lnk]
path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\CommServer.lnk
backup=c:\windows\pss\CommServer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"30350:TCP"= 30350:TCP:@xpsp2res.dll,-22009
"28961:TCP"= 28961:TCP:@xpsp2res.dll,-22009
"2187:TCP"= 2187:TCP:@xpsp2res.dll,-22009
"37664:TCP"= 37664:TCP:@xpsp2res.dll,-22009
"21129:TCP"= 21129:TCP:@xpsp2res.dll,-22009
"64033:TCP"= 64033:TCP:@xpsp2res.dll,-22009
"30090:TCP"= 30090:TCP:@xpsp2res.dll,-22009
"18210:TCP"= 18210:TCP:@xpsp2res.dll,-22009
"36490:TCP"= 36490:TCP:@xpsp2res.dll,-22009
"63522:TCP"= 63522:TCP:@xpsp2res.dll,-22009

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2/09/2005 15:04 9344]
R2 vcdc;HiPath 1220 virtual serial interface;c:\windows\system32\drivers\vcdc.sys [16/08/2006 17:11 64114]
R3 EraserUtilDrv10910;EraserUtilDrv10910;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [10/05/2009 19:48 101936]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [20/06/2005 13:50 18864]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [17/04/2005 13:30 124608]
S3 usbcomm;HiPath 1220 USB interface;c:\windows\system32\drivers\usbcomm.sys [16/08/2006 17:11 96757]
S3 vi2000;CallBridge for Data (Eval);c:\windows\system32\drivers\usbeval.sys [16/08/2006 17:08 49461]
S4 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2/09/2005 15:04 462464]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPSHBXME

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\shell\autorun\command - L:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48224c80-37f7-11db-b359-0011d8d0c1c7}]
\Shell\AutoRun\command - K:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a09350-3f0a-11de-b3e5-0022b06cc9d6}]
\shell\autorun\command - L:\LaunchU3.exe -a
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Download all with Free Download Manager - [You must be registered and logged in to see this link.] Download Manager\dlall.htm
IE: Download selected with Free Download Manager - [You must be registered and logged in to see this link.] Download Manager\dlselected.htm
IE: Download with Free Download Manager - [You must be registered and logged in to see this link.] Download Manager\dllink.htm
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {5D2CF9D0-113A-476B-986F-288B54571614} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-16 17:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]
"ImagePath"="-"


Re: Cryptor win 32

Post by Fonzie on 16th May 2009, 3:53 pm

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,83,e6,da,49,84,
34,d4,a4,e2,63,26,f1,3f,c8,ff,68,4a,dc,c5,71,2d,8d,cb,e3,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,bc,26,3a,05,98,
e2,b6,aa,6a,9c,d6,61,af,45,84,18,54,35,ec,c1,45,ba,7e,b6,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,f3,76,77,c3,83,
74,29,25,ff,7c,85,e0,43,d4,0e,fe,76,ab,66,c1,27,b3,03,02,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,1c,b1,f2,95,d7,
a5,60,55,86,8c,21,01,be,91,eb,e7,10,b5,06,5f,a3,6f,59,e4,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,c8,3b,0e,de,a3,
4d,f3,b2,f5,1d,4d,73,a8,13,5c,05,5b,c4,d3,d8,8f,ec,e9,54,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,7b,bd,fd,04,dd,
b7,08,d4,df,20,58,62,78,6b,cf,c8,f8,8c,4a,b2,7b,3e,c4,49,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,95,d5,bf,ed,10,
8c,76,76,fb,a7,78,e6,12,2f,9a,ea,cc,1a,3b,07,ff,e1,0d,b0,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,ad,16,ef,a2,79,
04,fa,24,01,3a,48,fc,e8,04,4a,f1,7b,86,25,e5,0b,1d,15,ff,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,0b,0b,41,4a,c0,
c1,0a,99,f6,0f,4e,58,98,5b,89,c9,56,e1,96,26,25,9f,13,1b,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,7e,30,c4,a8,b6,
f1,ee,13,3d,ce,ea,26,2d,45,aa,78,63,55,52,46,02,f1,13,27,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,3a,ba,0f,55,d0,
4e,d1,76,2a,b7,cc,b5,b9,7f,41,e7,68,57,3a,3a,36,7c,52,68,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,15,bd,7d,df,ff,
8d,03,3b,6c,43,2d,1e,aa,22,2f,9c,55,bd,d6,c9,31,08,15,b6,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ōēÄ|ˇˇˇˇēÄ|ýē9~*]
"3140710900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"
"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(592)
c:\windows\system32\ieframe.dll
c:\windows\system32\browselc.dll
c:\program files\HP\Digital Imaging\bin\HPDTLK02.dll
c:\program files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\BRSS01A.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\progra~1\WinZip\WZQKPICK.EXE
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-16 17:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-16 15:50
ComboFix2.txt 2009-05-15 11:35

Pre-Run: 109.389.451.264 bytes free
Post-Run: 109.568.663.552 bytes free

384 --- E O F --- 2009-04-16 17:18

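Reading through the log above, the points a responder would pull out first sit in the Reg Loading Points section: the standard-profile Windows Firewall is off, Security Center monitoring of Symantec is off, eleven TCP ports including 3389 (Remote Desktop) are in the globally-open list, and a new random-looking driver (kiflsdfk.sys) has appeared alongside the files already removed. The Python script below is added here as an example; it is not part of this thread and not ComboFix's own code. It runs those checks over a few lines copied from that log. The random-name heuristic and the regular expressions for the registry lines are my own assumptions about the log format, and the heuristic deliberately lets a false positive through (msvcirt.dll, a legitimate CRT DLL) to show why its hits need comparing against a clean baseline before anything is deleted.

```python
"""Triage helper for ComboFix-style logs.

Added example, not part of the thread above and not ComboFix's own code.
It pulls out of the log text the three things a responder would check
first on the machine in this thread and returns them as data:

  * protections switched off in the registry dump (Windows Firewall,
    Security Center monitoring of the AV product),
  * TCP/UDP ports added to the firewall's globally-open list,
  * DLL/driver names under system32 that look machine-generated.

Assumption: the log uses the line shapes seen in the thread.  SAMPLE_LOG is
constructed from a handful of lines copied from the log posted above.
"""
from __future__ import annotations

import json
import re

SAMPLE_LOG = r"""
2009-05-16 15:40 . 2001-09-07 12:00 23424 ----a-w c:\windows\system32\drivers\kiflsdfk.sys
2009-05-15 11:15 . 2001-09-07 12:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-05-04 07:49 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-02-16 14:26 . 2009-02-16 14:26 410984 ----a-w c:\windows\system32\deploytk.dll
2004-08-04 08:03 . 2001-09-07 12:00 54784 --sha-w c:\windows\system32\msvcirt.dll
c:\windows\system32\mhlljalr.dll
c:\windows\system32\zlzbrlu.dll
c:\windows\system32\drivers\ipshbxme.sys
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"30350:TCP"= 30350:TCP:@xpsp2res.dll,-22009
"28961:TCP"= 28961:TCP:@xpsp2res.dll,-22009
"2187:TCP"= 2187:TCP:@xpsp2res.dll,-22009
"""

# Any .sys/.dll directly under system32 or system32\drivers.
PATH_RE = re.compile(r"(?i)\b[a-z]:\\windows\\system32\\(?:drivers\\)?([a-z0-9_]+)\.(sys|dll)\b")
# Lines of the form  "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
PORT_RE = re.compile(r'^"(\d{1,5}):(TCP|UDP)"\s*=', re.M)
VOWELS = set("aeiou")


def looks_generated(stem: str) -> bool:
    """Crude random-name heuristic: 7+ letters only, at most 25% vowels and a
    run of four or more consonants.  Tuned to the rlrsbyax/ipshbxme-style
    names in this thread.  It is a triage filter, not a verdict: msvcirt is a
    legitimate CRT DLL that trips it, so compare hits with a clean baseline."""
    if len(stem) < 7 or not stem.isalpha():
        return False
    s = stem.lower()
    vowel_ratio = sum(c in VOWELS for c in s) / len(s)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]+", s))
    return vowel_ratio <= 0.25 and longest_consonant_run >= 4


def generated_names(log: str) -> list[str]:
    """Unique system32 file names, in order of appearance, that look generated."""
    hits: list[str] = []
    for stem, ext in PATH_RE.findall(log):
        name = f"{stem}.{ext}".lower()
        if looks_generated(stem) and name not in hits:
            hits.append(name)
    return hits


def disabled_protections(log: str) -> list[str]:
    """Protection settings the registry dump shows as switched off."""
    findings = []
    if re.search(r'"EnableFirewall"\s*=\s*0\b', log):
        findings.append("Windows Firewall (standard profile) disabled")
    if re.search(r'"DisableMonitoring"\s*=\s*dword:0*1\b', log):
        findings.append("Security Center monitoring of the AV product disabled")
    return findings


def firewall_open_ports(log: str) -> list[tuple[int, str]]:
    """(port, protocol) pairs from the GloballyOpenPorts list."""
    return [(int(port), proto) for port, proto in PORT_RE.findall(log)]


def triage(log: str) -> dict:
    ports = firewall_open_ports(log)
    return {
        "disabled": disabled_protections(log),
        "open_ports": ports,
        # 3389/TCP is Remote Desktop; an XP workstation has no reason to expose it.
        "rdp_exposed": any(p == 3389 and proto == "TCP" for p, proto in ports),
        "generated_names": generated_names(log),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against a full saved log with `triage(open("ComboFix.txt").read())`. Everything it returns is a lead to check, not a deletion list: the firewall and Security Center findings are worth acting on directly, while every name from `generated_names` should be checked against a known-clean system before it goes into a File:: or Driver:: section of a CFScript.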

Re: Cryptor win 32

Post by Belahzur on 16th May 2009, 3:56 pm

Okay, nearly there now, one more round.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\system32\drivers\kiflsdfk.sys

Driver::
IPSHBXME

Folder::
c:\tom\Ares

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ares"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.



Re: Cryptor win 32

Post by Fonzie on 17th May 2009, 12:14 pm

ComboFix 09-05-14.05 - GVB Vikingschool 17/05/2009 14:00.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.32.1043.18.511.201 [GMT 2:00]
Running from: c:\documents and settings\GVB Vikingschool\Bureaublad\ComboFix.exe
Command switches used :: c:\documents and settings\GVB Vikingschool\Bureaublad\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
c:\windows\system32\drivers\kiflsdfk.sys
.

(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\tom\Ares
c:\tom\Ares\Ares.exe
c:\windows\system32\drivers\kiflsdfk.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPSHBXME


(((((((((((((((((((( Bestanden Gemaakt van 2009-04-17 to 2009-05-17 ))))))))))))))))))))))))))))))
.

2009-05-17 11:45 . 2009-05-17 11:45 -------- d-----w c:\program files\7-Zip
2009-05-15 12:35 . 2009-05-15 12:38 -------- d-----w c:\documents and settings\GVB Vikingschool\Application Data\Free Download Manager
2009-05-14 11:23 . 2009-05-14 11:23 -------- d-----w c:\program files\Trend Micro
2009-05-14 10:19 . 2009-05-14 10:19 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-05-12 16:14 . 2009-05-12 16:14 -------- d-----w c:\program files\Common Files\Idu
2009-05-12 16:13 . 2009-05-12 16:13 -------- d-----w c:\program files\Microprose
2009-05-04 07:49 . 2009-05-04 07:49 -------- d-----w c:\documents and settings\GVB Vikingschool\Application Data\Malwarebytes
2009-05-04 07:49 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-04 07:49 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-04 07:49 . 2009-05-04 07:49 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-04 07:49 . 2009-05-04 07:49 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-04 07:07 . 2009-05-04 07:07 -------- d-----w c:\program files\CCleaner
2009-04-27 16:40 . 2009-04-27 16:40 -------- d-----w C:\VanDale
2009-04-26 14:27 . 2009-04-26 14:27 0 ----a-w c:\windows\nsreg.dat
2009-04-26 14:27 . 2009-04-26 14:27 -------- d-----w c:\documents and settings\GVB Vikingschool\Local Settings\Application Data\Mozilla
2009-04-26 14:22 . 2009-04-26 14:22 -------- d-----w c:\documents and settings\GVB Vikingschool\Local Settings\Application Data\Ares
2009-04-25 18:11 . 2009-04-25 18:11 -------- d-----w c:\windows\system32\nl-nl
2009-04-25 14:19 . 2009-05-12 17:49 -------- d-----w c:\documents and settings\GVB Vikingschool\Application Data\dvdcss
2009-04-24 22:11 . 2009-04-24 22:11 -------- d-----w c:\program files\ReflexiveArcade
2009-04-24 17:54 . 2009-04-24 17:54 -------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-04-24 17:54 . 2009-04-24 17:54 -------- d-----w c:\program files\DAEMON Tools Toolbar
2009-04-24 17:46 . 2009-04-24 17:46 721904 ----a-w c:\windows\system32\drivers\sptd.sys
2009-04-24 17:46 . 2009-04-24 17:59 -------- d-----w c:\documents and settings\GVB Vikingschool\Application Data\DAEMON Tools Lite

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 11:32 . 2001-09-07 12:00 89808 ----a-w c:\windows\system32\perfc013.dat
2009-05-15 11:32 . 2001-09-07 12:00 486398 ----a-w c:\windows\system32\perfh013.dat
2009-05-15 11:15 . 2001-09-07 12:00 182912 ----a-w c:\windows\system32\drivers\ndis.sys
2009-04-27 07:25 . 2005-10-10 14:59 -------- d-----w c:\program files\Symantec AntiVirus
2009-04-17 10:45 . 2009-04-17 10:45 -------- d-----w c:\program files\SystemRequirementsLab
2009-04-16 18:52 . 2009-04-16 18:50 -------- d-----w c:\program files\PDFCreator
2009-04-14 18:21 . 2009-04-14 18:21 -------- d-----w c:\program files\Virtools
2009-03-06 14:47 . 2005-06-02 09:44 285184 ----a-w c:\windows\system32\pdh.dll
2009-02-25 15:13 . 2005-06-22 07:34 95472 ----a-w c:\documents and settings\GVB Vikingschool\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-20 08:33 . 2004-08-04 08:03 81920 ------w c:\windows\system32\ieencode.dll
2009-02-16 14:26 . 2009-02-16 14:26 410984 ----a-w c:\windows\system32\deploytk.dll
2001-09-07 12:00 . 2001-09-07 12:00 94784 --sh--w c:\windows\twain.dll
2004-08-04 08:03 . 2001-09-07 12:00 50688 --sh--w c:\windows\twain_32.dll
2004-08-04 08:03 . 2001-09-07 12:00 1028096 --sha-w c:\windows\system32\mfc42.dll
2004-08-04 08:03 . 2001-09-07 12:00 54784 --sha-w c:\windows\system32\msvcirt.dll
2004-08-04 08:03 . 2005-06-02 09:44 413696 --sha-w c:\windows\system32\msvcp60.dll
2004-08-04 08:03 . 2005-06-02 09:44 343040 --sha-w c:\windows\system32\msvcrt.dll
2007-05-17 11:30 . 2001-09-07 12:00 549376 --sh--w c:\windows\system32\oleaut32.dll
2004-08-04 08:03 . 2001-09-07 12:00 83456 --sh--w c:\windows\system32\olepro32.dll
2004-08-04 08:03 . 2001-09-07 12:00 12288 --sh--w c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-17 12:05 . 2009-05-17 12:05 16384 c:\windows\temp\Perflib_Perfdata_610.dat
- 2009-05-15 11:28 . 2009-05-15 11:28 49152 c:\windows\Temp\CompiledAdapter.dll
+ 2009-05-17 12:05 . 2009-05-17 12:05 49152 c:\windows\temp\CompiledAdapter.dll
+ 2001-09-07 12:00 . 2009-05-15 11:32 70804 c:\windows\system32\perfc009.dat
- 2001-09-07 12:00 . 2009-04-24 18:11 70804 c:\windows\system32\perfc009.dat
+ 2001-09-07 12:00 . 2009-05-15 11:32 421798 c:\windows\system32\perfh009.dat
- 2001-09-07 12:00 . 2009-04-24 18:11 421798 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-04-25 120320]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"DAEMON Tools Lite"="c:\tom\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2004-04-13 1470464]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-10-25 196608]
"HPHmon03"="c:\windows\System32\hphmon03.exe" [2001-10-25 311296]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-09-19 45056]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"D-Link AirPlus G DWL-G510"="c:\program files\D-Link\AirPlus G DWL-G510\AirGCFG.exe" [2007-10-24 1552384]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Default User\Menu Start\Programma's\Opstarten\
AutoTBar.exe [2003-9-30 57344]

c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2006-4-25 122880]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /r \??\K:\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^CommServer.lnk]
path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\CommServer.lnk
backup=c:\windows\pss\CommServer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"c:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"30350:TCP"= 30350:TCP:@xpsp2res.dll,-22009
"28961:TCP"= 28961:TCP:@xpsp2res.dll,-22009
"2187:TCP"= 2187:TCP:@xpsp2res.dll,-22009
"37664:TCP"= 37664:TCP:@xpsp2res.dll,-22009
"21129:TCP"= 21129:TCP:@xpsp2res.dll,-22009
"64033:TCP"= 64033:TCP:@xpsp2res.dll,-22009
"30090:TCP"= 30090:TCP:@xpsp2res.dll,-22009
"18210:TCP"= 18210:TCP:@xpsp2res.dll,-22009
"36490:TCP"= 36490:TCP:@xpsp2res.dll,-22009
"63522:TCP"= 63522:TCP:@xpsp2res.dll,-22009

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2/09/2005 15:04 9344]
R2 vcdc;HiPath 1220 virtual serial interface;c:\windows\system32\drivers\vcdc.sys [16/08/2006 17:11 64114]
R3 EraserUtilDrv10910;EraserUtilDrv10910;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10910.sys [10/05/2009 19:48 101936]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [20/06/2005 13:50 18864]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [17/04/2005 13:30 124608]
S3 usbcomm;HiPath 1220 USB interface;c:\windows\system32\drivers\usbcomm.sys [16/08/2006 17:11 96757]
S3 vi2000;CallBridge for Data (Eval);c:\windows\system32\drivers\usbeval.sys [16/08/2006 17:08 49461]
S4 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2/09/2005 15:04 462464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\L]
\shell\autorun\command - L:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{48224c80-37f7-11db-b359-0011d8d0c1c7}]
\Shell\AutoRun\command - K:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0a09350-3f0a-11de-b3e5-0022b06cc9d6}]
\shell\autorun\command - L:\LaunchU3.exe -a

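The registry section of the ComboFix log above records `"EnableFirewall"= 0` for the standard profile, `DisableMonitoring` set for the Symantec product under Security Center, and a long GloballyOpenPorts list; entries like these are easy to miss in a log this long. As an added example (not part of the thread and not ComboFix's own code), the Python below parses lines of that shape and reports them in plain language. The sample lines are a constructed excerpt modelled on the posted log, and the KNOWN_PORTS table is an assumption: only 3389/TCP (RDP) is treated as a port with an obvious service behind it, and every other open port is reported as something to ask about.

```python
"""Triage the Windows Firewall and Security Center values that ComboFix
dumps in its registry section."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a short excerpt modelled on the firewall-policy and
# Security Center lines of the ComboFix log posted above (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"30350:TCP"= 30350:TCP:@xpsp2res.dll,-22009
"28961:TCP"= 28961:TCP:@xpsp2res.dll,-22009
"""

KEY_RE = re.compile(r"^\[(.+)\]$")             # [HKLM\...] section header
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')   # "name"=value
PORT_RE = re.compile(r"^(\d{1,5}):(TCP|UDP)$")  # "3389:TCP"

# Assumption: ports with an obvious service on a workstation. Anything else
# in GloballyOpenPorts is reported as unexplained.
KNOWN_PORTS = {3389: "RDP"}


@dataclass
class Findings:
    firewall_enabled: Optional[bool] = None
    security_center_muted: List[str] = field(default_factory=list)
    open_ports: List[Tuple[int, str]] = field(default_factory=list)
    authorized_apps: List[str] = field(default_factory=list)


def parse_findings(log_text: str) -> Findings:
    """Walk the REGEDIT4-style dump and collect the security-relevant values."""
    found = Findings()
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        lkey = key.lower()
        if lkey.endswith(r"firewallpolicy\standardprofile") and name == "EnableFirewall":
            # ComboFix prints "0 (0x0)" or "1 (0x1)"; the leading digit is the setting.
            found.firewall_enabled = not value.startswith("0")
        elif lkey.endswith(r"globallyopenports\list"):
            pm = PORT_RE.match(name)
            if pm:
                found.open_ports.append((int(pm.group(1)), pm.group(2)))
        elif lkey.endswith(r"authorizedapplications\list"):
            # The dump doubles backslashes in value names; undo that for readability.
            found.authorized_apps.append(name.replace("\\\\", "\\"))
        elif "security center\\monitoring" in lkey and name == "DisableMonitoring":
            # dword:00000001 means Security Center stops reporting on that product.
            if value.lower().startswith("dword:") and int(value[6:], 16) != 0:
                found.security_center_muted.append(key.rsplit("\\", 1)[-1])
    return found


def assess(found: Findings) -> List[str]:
    """Turn the collected values into plain-language findings for the helper."""
    issues: List[str] = []
    if found.firewall_enabled is False:
        issues.append("firewall disabled (standard profile)")
    for product in found.security_center_muted:
        issues.append(f"Security Center monitoring disabled for {product}")
    for port, proto in found.open_ports:
        service = KNOWN_PORTS.get(port)
        if service:
            issues.append(f"port {port}/{proto} ({service}) open to all hosts")
        else:
            issues.append(f"port {port}/{proto} open to all hosts with no known service")
    return issues


if __name__ == "__main__":
    for issue in assess(parse_findings(SAMPLE_LOG)):
        print("-", issue)
```

On the excerpt the script reports the disabled firewall, the muted Security Center entry for Symantec, and each globally open port; the authorized-application list is collected as well so it can be compared against what the user says is installed.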

Re: Cryptor win 32

Post by Fonzie on 17th May 2009, 12:15 pm

------- Bijkomende Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Download all with Free Download Manager - [You must be registered and logged in to see this link.] Download Manager\dlall.htm
IE: Download selected with Free Download Manager - [You must be registered and logged in to see this link.] Download Manager\dlselected.htm
IE: Download with Free Download Manager - [You must be registered and logged in to see this link.] Download Manager\dllink.htm
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {5D2CF9D0-113A-476B-986F-288B54571614} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\GVB Vikingschool\Application Data\Mozilla\Firefox\Profiles\gc7bd92f.default\
FF - plugin: c:\program files\Virtools\3D Life Player\npvirtools.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-17 14:05
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SNDSrvc]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SYMTDI]
"ImagePath"="-"
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,83,e6,da,49,84,
34,d4,a4,e2,63,26,f1,3f,c8,ff,68,4a,dc,c5,71,2d,8d,cb,e3,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,bc,26,3a,05,98,
e2,b6,aa,6a,9c,d6,61,af,45,84,18,54,35,ec,c1,45,ba,7e,b6,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,f3,76,77,c3,83,
74,29,25,ff,7c,85,e0,43,d4,0e,fe,76,ab,66,c1,27,b3,03,02,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,1c,b1,f2,95,d7,
a5,60,55,86,8c,21,01,be,91,eb,e7,10,b5,06,5f,a3,6f,59,e4,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,c8,3b,0e,de,a3,
4d,f3,b2,f5,1d,4d,73,a8,13,5c,05,5b,c4,d3,d8,8f,ec,e9,54,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,7b,bd,fd,04,dd,
b7,08,d4,df,20,58,62,78,6b,cf,c8,f8,8c,4a,b2,7b,3e,c4,49,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,95,d5,bf,ed,10,
8c,76,76,fb,a7,78,e6,12,2f,9a,ea,cc,1a,3b,07,ff,e1,0d,b0,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,ad,16,ef,a2,79,
04,fa,24,01,3a,48,fc,e8,04,4a,f1,7b,86,25,e5,0b,1d,15,ff,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,0b,0b,41,4a,c0,
c1,0a,99,f6,0f,4e,58,98,5b,89,c9,56,e1,96,26,25,9f,13,1b,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,7e,30,c4,a8,b6,
f1,ee,13,3d,ce,ea,26,2d,45,aa,78,63,55,52,46,02,f1,13,27,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,3a,ba,0f,55,d0,
4e,d1,76,2a,b7,cc,b5,b9,7f,41,e7,68,57,3a,3a,36,7c,52,68,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,15,bd,7d,df,ff,
8d,03,3b,6c,43,2d,1e,aa,22,2f,9c,55,bd,d6,c9,31,08,15,b6,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\ōēÄ|ˇˇˇˇēÄ|ýē9~*]
"3140710900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"
"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\System32\\FM20ENU.DLL"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(216)
c:\windows\system32\ieframe.dll
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\BRSS01A.EXE
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\progra~1\WinZip\WZQKPICK.EXE
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
.
**************************************************************************
.
Voltooingstijd: 2009-05-17 14:11 - machine werd herstart
ComboFix-quarantined-files.txt 2009-05-17 12:11
ComboFix2.txt 2009-05-16 15:50
ComboFix3.txt 2009-05-15 11:35

Pre-Run: 104.006.144.000 bytes beschikbaar
Post-Run: 104.139.964.416 bytes beschikbaar

286 --- E O F --- 2009-04-16 17:18


Re: Cryptor win 32

Post by Belahzur on 17th May 2009, 1:11 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?





Re: Cryptor win 32

Post by Fonzie on 17th May 2009, 3:02 pm

hello!

The computer is working like it did before I got the virus. I stopped using torrent files and I want to thank you very much for the help you gave me!
How can I thank you?

One more question: what about Symantec? When I enable it, it disables itself. Should I use something else to protect my computer?

Thanks a lot!

Tom


Re: Cryptor win 32

Post by Belahzur on 17th May 2009, 3:08 pm

If it's buggy, uninstall it and use Avira.

Please install Avira antivirus otherwise you won't be protected.

1) [You must be registered and logged in to see this link.]
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.





Re: Cryptor win 32

Post by Fonzie on 18th May 2009, 4:16 pm

Hey! I installed the AntiVirus Guard that you told me to. It scanned and found a trojan, the TR/unpacked.gen trojan. It can't remove it. What do I do about that?


Re: Cryptor win 32

Post by Belahzur on 18th May 2009, 4:35 pm

Does it say where it is? It could be just a leftover.





Re: Cryptor win 32

Post by Fonzie on 18th May 2009, 10:18 pm

* c:\Documents and Settings\GVB Vikingschool\Local settings\Temp\00017339.exe
* c:\Documents and Settings\GVB Vikingschool\Local settings\Temp\00029166.exe
* c:\Documents and Settings\GVB Vikingschool\Local settings\Temp\00022406.exe
* c:\Documents and Settings\GVB Vikingschool\Local settings\Temp\00008682.exe

I think it goes on and on if I say deny access.


Re: Cryptor win 32

Post by Belahzur on 18th May 2009, 10:27 pm

Just temp files.

Download [You must be registered and logged in to see this link.]

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.





Re: Cryptor win 32

Post by Fonzie on 19th May 2009, 12:47 pm

Hey! I removed the malware at first, but now I'm having the same virus(es):

* TR/Crypt.XPACK.Gen - Trojan
* TR/unpacked.gen

(same files in Temp as I put above) only new numbers every time.

grtz


Re: Cryptor win 32

Post by Belahzur on 19th May 2009, 1:01 pm

Please run and post a new DDS log.

Remember before we started I told you that you were severely infected and we may not be able to clean it all because of the damage done.





Re: Cryptor win 32

Post by Fonzie on 19th May 2009, 4:39 pm

I know you told me that it could leave some damage, and I am very grateful to you for helping me to clean the worst viruses!!

DDS (Ver_09-05-14.01) - NTFSx86
Run by GVB Vikingschool at 18:37:20,10 on di 19/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.2.1252.32.1043.18.511.128 [GMT 2:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\System32\hphmon03.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\D-Link\AirPlus G DWL-G510\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\tom\DAEMON Tools Lite\daemon.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\Avira\AntiVir Desktop\GUARDGUI.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\GVB Vikingschool\Bureaublad\logs\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Windows Live Aanmelden - Help: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: HP View: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [DAEMON Tools Lite] "c:\tom\daemon tools lite\daemon.exe" -autorun
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 7\drag to disc\DrgToDsc.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [HPHmon03] c:\windows\system32\hphmon03.exe
mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [ccApp] -
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [D-Link AirPlus G DWL-G510] c:\program files\d-link\airplus g dwl-g510\AirGCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - [You must be registered and logged in to see this link.]
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - [You must be registered and logged in to see this link.]
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - [You must be registered and logged in to see this link.]
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - [You must be registered and logged in to see this link.]
DPF: {5D2CF9D0-113A-476B-986F-288B54571614} - [You must be registered and logged in to see this link.]
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - [You must be registered and logged in to see this link.]
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - [You must be registered and logged in to see this link.]
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - [You must be registered and logged in to see this link.]
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gvbvik~1\applic~1\mozilla\firefox\profiles\gc7bd92f.default\
FF - plugin: c:\program files\virtools\3d life player\npvirtools.dll

============= SERVICES / DRIVERS ===============

R0 BsStor;InCD Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [2005-9-2 9344]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-18 11608]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-5-18 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-18 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-18 55640]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-4-8 161392]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R2 vcdc;HiPath 1220 virtual serial interface;c:\windows\system32\drivers\vcdc.sys [2006-8-16 64114]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-4-8 83568]
S3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2005-6-20 18864]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090510.003\naveng.sys [2009-5-10 89104]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090510.003\navex15.sys [2009-5-10 876144]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]
S3 usbcomm;HiPath 1220 USB interface;c:\windows\system32\drivers\usbcomm.sys [2006-8-16 96757]
S3 vi2000;CallBridge for Data (Eval);c:\windows\system32\drivers\usbeval.sys [2006-8-16 49461]
S4 BsUDF;InCD UDF Driver;c:\windows\system32\drivers\bsudf.sys [2005-9-2 462464]
S4 ccEvtMgr;Symantec Event Manager;- --> - [?]
S4 SAVRT;SAVRT;- --> - [?]

=============== Created Last 30 ================

2009-05-18 01:33 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-05-18 01:33 --d----- c:\program files\Avira
2009-05-18 01:33 --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-05-17 17:00 --d----- C:\ComboFix
2009-05-17 15:30 17 a------- c:\windows\system32\ANIWZCSUSERNAME{40F63ADA-0D51-4877-BBE6-D5423735368B}
2009-05-17 15:23 --d----- c:\program files\ANI
2009-05-17 15:15 --d----- c:\program files\D-Link
2009-05-17 15:15 8,192 a------- c:\windows\system32\rt2661.bin
2009-05-17 15:15 8,192 a------- c:\windows\system32\rt2561s.bin
2009-05-17 15:15 8,192 a------- c:\windows\system32\rt2561.bin
2009-05-15 13:17 a-dshr-- C:\cmdcons
2009-05-14 13:23 --d----- c:\program files\Trend Micro
2009-05-12 18:14 --d----- c:\program files\common files\Idu
2009-05-12 18:13 --d----- c:\program files\Microprose
2009-05-04 09:49 --d----- c:\docume~1\gvbvik~1\applic~1\Malwarebytes
2009-05-04 09:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-04 09:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-04 09:49 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-04 09:49 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-04 09:07 --d----- c:\program files\CCleaner
2009-04-27 18:40 --d----- C:\VanDale
2009-04-25 20:11 --d----- c:\windows\system32\nl-nl
2009-04-25 00:45 2 a------- C:\1424420491
2009-04-25 00:11 --d----- c:\program files\ReflexiveArcade
2009-04-24 19:54 --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-04-24 19:54 --d----- c:\program files\DAEMON Tools Toolbar
2009-04-24 19:46 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-04-24 19:46 --d----- c:\docume~1\gvbvik~1\applic~1\DAEMON Tools Lite

==================== Find3M ====================

2009-05-15 13:32 486,398 a------- c:\windows\system32\perfh013.dat
2009-05-15 13:32 89,808 a------- c:\windows\system32\perfc013.dat
2009-05-15 13:15 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-03-06 16:47 285,184 a------- c:\windows\system32\pdh.dll
2009-02-20 10:33 81,920 -------- c:\windows\system32\ieencode.dll
2001-09-07 14:00 94,784 ---sh--- c:\windows\twain.dll
2004-08-04 10:03 50,688 ---sh--- c:\windows\twain_32.dll
2004-08-04 10:03 1,028,096 a--sh--- c:\windows\system32\mfc42.dll
2004-08-04 10:03 54,784 a--sh--- c:\windows\system32\msvcirt.dll
2004-08-04 10:03 413,696 a--sh--- c:\windows\system32\msvcp60.dll
2004-08-04 10:03 343,040 a--sh--- c:\windows\system32\msvcrt.dll
2007-05-17 13:30 549,376 ---sh--- c:\windows\system32\oleaut32.dll
2004-08-04 10:03 83,456 ---sh--- c:\windows\system32\olepro32.dll
2004-08-04 10:03 12,288 ---sh--- c:\windows\system32\regsvr32.exe

============= FINISH: 18:38:23,09 ===============

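The SERVICES / DRIVERS section of the DDS log above is what the helper reads to spot two real-time AV products running side by side and registry entries whose binary is gone ("- --> - [?]"). As an added example, not part of the original thread or of DDS itself, here is a small triage script that parses lines in that layout. The sample text is a retyped subset of the entries above, and the vendor keyword table (`AV_VENDOR_DIRS`) is an assumption for illustration.

```python
import re

# Constructed sample in the layout of the DDS "SERVICES / DRIVERS" section
# (a retyped subset of the entries in the post above, not the original text).
SAMPLE_SERVICES = r"""
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-5-18 11608]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-5-18 185089]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-4-17 1706176]
R2 vcdc;HiPath 1220 virtual serial interface;c:\windows\system32\drivers\vcdc.sys [2006-8-16 64114]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-4-17 124608]
S4 ccEvtMgr;Symantec Event Manager;- --> - [?]
S4 SAVRT;SAVRT;- --> - [?]
"""

# One DDS line: "<state> <name>;<display name>;<image path> [<date> <size>]"
# Orphaned entries carry "- --> -" as the path and "[?]" as the metadata.
LINE_RE = re.compile(
    r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.*?) \[(?P<meta>[^\]]*)\]$"
)

# Assumed vendor table: substring of the image path -> product family.
AV_VENDOR_DIRS = {
    "\\avira\\": "Avira",
    "\\symantec": "Symantec",
}


def parse_services(text):
    """Parse DDS service/driver lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def orphaned(entries):
    """Names of entries whose image path is gone (registry key left behind, no binary)."""
    return [e["name"] for e in entries
            if e["path"].startswith("-") or e["meta"].strip() == "?"]


def vendor_of(path):
    """Map an image path to an AV vendor via the assumed keyword table, else None."""
    p = path.lower()
    for key, vendor in AV_VENDOR_DIRS.items():
        if key in p:
            return vendor
    return None


def running_av_vendors(entries):
    """AV vendors that have at least one running (R0/R1/R2) service or driver."""
    return {vendor_of(e["path"]) for e in entries
            if e["state"].startswith("R") and vendor_of(e["path"])}


def triage(text):
    """Summarise the two findings a helper looks for in this section."""
    entries = parse_services(text)
    vendors = running_av_vendors(entries)
    return {
        "orphaned": orphaned(entries),
        "running_av": sorted(vendors),
        "av_conflict": len(vendors) > 1,  # two resident scanners fighting over I/O
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SERVICES).items():
        print(f"{key}: {value}")
```

Run on the sample it reports both Symantec and Avira as running (the conflict the helper calls out later in the thread) and lists ccEvtMgr and SAVRT as orphaned entries, which is what the "- --> - [?]" lines mean: the service key survives in the registry but the binary it points to is no longer there.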

Re: Cryptor win 32

Post by Belahzur on 19th May 2009, 4:54 pm

Hello.
Do you have attach.txt from DDS? I want to see that too; that log contains an uninstall log, and there are two AVs present here.




Re: Cryptor win 32

Post by Fonzie on 20th May 2009, 9:32 am

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2/06/2005 11:18:56
System Uptime: 19/05/2009 17:52:23 (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | Puffer
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | CPU 1 | 3000/200mhz
Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | CPU 1 | 3000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 128 GiB total, 98,879 GiB free.
D: is Removable
E: is Removable
F: is Removable
G: is Removable
H: is CDROM ()
I: is CDROM ()
J: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\280B2511D800
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\280B2511D800
Service: NIC1394

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_2A0B103C&REV_10\4&23C0B1C&0&10F0
Manufacturer: Realtek
Name: Realtek RTL8139 Family PCI Fast Ethernet NIC
PNP Device ID: PCI\VEN_10EC&DEV_8139&SUBSYS_2A0B103C&REV_10\4&23C0B1C&0&10F0
Service: rtl8139

==== System Restore Points ===================

RP1: 18/05/2009 10:27:52 - System Checkpoint
RP2: 19/05/2009 11:00:16 - System Checkpoint

==== Installed Programs ======================

3DVIA player 4.1
7-Zip 4.65
Adobe Acrobat 5.0
Adobe Flash Player 10 Plugin
Agere Systems PCI Soft Modem
Ahead InCD
AirPlus G DWL-G510
Alfabet met Muntje
ANIO Service
ANIWZCS2 Service
ATI Display Driver
AutoUpdate
AVI DivX MPEG to DVD Converter & Burner Pro 1.6
Avira AntiVir Personal - Free Antivirus
Security Update for Windows XP (KB941569)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB963027)
CCleaner (remove only)
Choice Guard
Compatibility Pack for the 2007 Office system
CP_AtenaShokunin1Config
cp_dwSharkTaleAlbums1
cp_dwSharkTaleCards1
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CP_PLSBusinessFlyers
CreativeProjects
CreativeProjectsTemplates
CueTour
Destinations
DevalVR plugin for Internet Explorer (remove)
Director
DiscAPI (Studio 10)
DivX
FileMaker Pro 5.0
Google Desktop Search
Google Toolbar for Internet Explorer
Hewlett-Packard Multimedia Keyboard/Mouse Solution
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hot CPU Tester Pro 4.4.1
Hotfix 2050 for SQL Server 2000 ENU (KB948110)
Hotfix 2055 for SQL Server 2000 ENU (KB960082)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
HP Image Zone 4.5.3
HP Image Zone Plus 4.5.3
HP Photo Imaging Software
HP Photo Printing Software
hp photosmart printer series (Remove only)
HP Software Update
HPIZplus450
InstantShare
InterVideo WinDVD Player
IrfanView (remove only)
KBD
LiveUpdate 2.6 (Symantec Corporation)
Magic ISO Maker v5.5 (build 0276)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Dutch Language Pack
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Microsoft SQL Server Desktop Engine (PINNACLESYS)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.0.10)
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero 6 Ultra Edition
PanoStandAlone
PDFCreator
PhotoGallery
Picasa 2
Pinnacle Instant DVD Recorder
Pinnacle MediaServer
QFolder
QuickTime Alternative 1.62
RAPID (Studio 10)
Realtek High Definition Audio Driver
Risk WarZone Client
Robbie Konijn Dreumes
Roxio Easy Media Creator 7
Ruimtelijk Inzicht voor groep 1 en 2
Security Update for CAPICOM (KB931906)
Segoe UI
SkinsHP1
SmartSound Quicktracks Plugin
SopCast 2.0.4
Studio 10
Symantec AntiVirus
System Requirements Lab
TrayApp
Unload
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Van Dale Large Dictionaries German
Van Dale Large Dictionaries French
VLC media player 0.9.8a
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Upload Tool
Windows Live Sign-in Assistant
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Media Format Runtime
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR
WinZip


Re: Cryptor win 32

Post by Fonzie on 20th May 2009, 9:33 am

==== Event Viewer Messages From Past Week ========

19/05/2009 17:55:47, error: NetBT [4321] - The name WORKGROUP :1d could not be registered on the interface with IP address 78.22.105.193. The computer with IP address 78.22.104.184 does not allow this name to be used by this computer.
18/05/2009 19:45:28, error: NetBT [4321] - The name WORKGROUP :1d could not be registered on the interface with IP address 78.22.199.44. The computer with IP address 78.22.199.2 does not allow this name to be used by this computer.
18/05/2009 19:42:17, error: MRxSmb [8003] - The master browser has received a server announcement from the computer PETER, which believes it is the master browser for the domain on transport NetBT_Tcpip_{40F63ADA-0D51-4877-BBE. The master browser is stopping or an election is being forced.
18/05/2009 17:59:24, error: Dhcp [1002] - The IP address lease 78.22.199.44 for the network card with network address 0022B06CC9D6 has been denied by the DHCP server 192.168.1.1. The DHCP server sent a DHCPNACK message.
17/05/2009 14:05:33, error: Service Control Manager [7009] - Timeout (30000 seconds) while waiting for this service to connect: 0D987AF267AF76231517A0FCC8E0B376.
17/05/2009 14:03:18, error: Service Control Manager [7009] - Timeout (30000 seconds) while waiting for this service to connect: E930DD55A0E97CD82841985FF4790AE7.
17/05/2009 14:00:35, error: Service Control Manager [7034] - The Windows User Mode Driver Framework service terminated unexpectedly. This has happened 1 time(s).
17/05/2009 14:00:35, error: Service Control Manager [7034] - The Symantec Settings Manager service terminated unexpectedly. This has happened 1 time(s).
17/05/2009 14:00:35, error: Service Control Manager [7034] - The Symantec AntiVirus Definition Watcher service terminated unexpectedly. This has happened 1 time(s).
17/05/2009 14:00:35, error: Service Control Manager [7034] - The Pinnacle Systems Media Service service terminated unexpectedly. This has happened 1 time(s).
17/05/2009 14:00:35, error: Service Control Manager [7034] - The MSSQL$PINNACLESYS service terminated unexpectedly. This has happened 1 time(s).
17/05/2009 14:00:35, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. This has happened 1 time(s).
17/05/2009 14:00:35, error: Service Control Manager [7034] - The BrSplService service terminated unexpectedly. This has happened 1 time(s).
17/05/2009 14:00:35, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. This has happened 1 time(s).
17/05/2009 14:00:35, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. This has happened 1 time(s).
17/05/2009 14:00:11, error: Service Control Manager [7009] - Timeout (30000 seconds) while waiting for this service to connect: 51B1F58C800405F499FEFFB05649214A.
16/05/2009 17:45:11, error: Service Control Manager [7009] - Timeout (30000 seconds) while waiting for this service to connect: 89E1F30B6FBF47DCDEFF9F2941D27E5D.
16/05/2009 17:42:59, error: Service Control Manager [7009] - Timeout (30000 seconds) while waiting for this service to connect: CE98A3709F82928524027969D201E7EF.
16/05/2009 17:40:18, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. This has happened 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
16/05/2009 17:40:17, error: Service Control Manager [7034] - The Pinnacle Systems Media Service service terminated unexpectedly. This has happened 1 time(s).
16/05/2009 17:40:17, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. This has happened 1 time(s).
16/05/2009 17:40:17, error: Service Control Manager [7031] - The Symantec AntiVirus service terminated unexpectedly. This has happened 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
16/05/2009 17:40:14, error: Service Control Manager [7034] - The Windows User Mode Driver Framework service terminated unexpectedly. This has happened 1 time(s).
16/05/2009 17:40:14, error: Service Control Manager [7034] - The Symantec Settings Manager service terminated unexpectedly. This has happened 1 time(s).
16/05/2009 17:40:14, error: Service Control Manager [7034] - The Symantec AntiVirus Definition Watcher service terminated unexpectedly. This has happened 1 time(s).
16/05/2009 17:40:14, error: Service Control Manager [7034] - The MSSQL$PINNACLESYS service terminated unexpectedly. This has happened 1 time(s).
16/05/2009 17:40:14, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. This has happened 1 time(s).
16/05/2009 17:40:14, error: Service Control Manager [7034] - The BrSplService service terminated unexpectedly. This has happened 1 time(s).
16/05/2009 17:40:14, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. This has happened 1 time(s).
16/05/2009 17:40:01, error: Service Control Manager [7009] - Timeout (30000 seconds) while waiting for this service to connect: D82401DD4FBD9DB29E05972FBB1F86B9.
15/05/2009 13:29:00, error: Service Control Manager [7009] - Timeout (30000 seconds) while waiting for this service to connect: 81456536846C5AA3DA38A39B92077786.
15/05/2009 13:26:26, error: Service Control Manager [7009] - Timeout (30000 seconds) while waiting for this service to connect: 27B83C2D3E957B26EAC72C25C115DE0A.
15/05/2009 13:25:46, information: Windows File Protection [64001] - File replacement was attempted on the protected system file ndis.sys. This file was restored to the original version to maintain system stability. The file version of the bad file is 0.0.0.1, the system file version is 5.1.2600.2180.
15/05/2009 13:23:37, error: Service Control Manager [7009] - Timeout (30000 seconds) while waiting for this service to connect: 4D6D3DD195594D6991F9E32D8607086B.
15/05/2009 13:13:07, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. This has happened 1 time(s).
15/05/2009 13:11:43, error: DCOM [10005] - DCOM got error '%2' attempting to start the service wuauserv with arguments '' in order to run the server {E60687F7-01A1-40AA-86AC-DB1CBF673334}
14/05/2009 23:36:15, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired. .
14/05/2009 23:33:54, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
14/05/2009 23:31:05, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The system cannot find the file specified.
14/05/2009 23:25:30, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: The service has already been started.
14/05/2009 23:25:09, error: Service Control Manager [7031] - The Symantec AntiVirus service terminated unexpectedly. This has happened 2 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
14/05/2009 18:47:35, error: Dhcp [1001] - This computer was not assigned an address from the network (by the DHCP server) for the network card with network address 0022B06CC9D6. The following error occurred: The operation was canceled by the user. . The computer will continue to try to obtain an address on its own from the network address (DHCP) server.
14/05/2009 14:40:54, error: Print [6161] -
12/05/2009 16:21:33, error: W32Time [17] - Time Provider NtpClient: An unexpected error occurred during DNS lookup of the manually configured peer time.windows.com,0x1. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)

==== End Of File ===========================

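The Event Viewer section above is the part of attach.txt that carries the evidence the helper later summarises as "a patched system file": the Windows File Protection event 64001 reporting that ndis.sys was replaced (with a nonsense version 0.0.0.1) and restored, plus repeated unexpected terminations of the Symantec AntiVirus service. As an added example, not part of the original thread or of DDS, here is a triage script that parses lines in that layout and surfaces those three classes of events. The sample lines are constructed in English after the entries above, and the `SECURITY_KEYWORDS` list is an assumption; the 32-hex-character service names are flagged only as "opaque, verify by hand", since the log alone does not say what created them.

```python
import re

# Constructed sample lines in the "Event Viewer Messages" layout of a DDS
# attach.txt (English wording modelled on the post above; not the original text).
SAMPLE_EVENTS = """\
15/05/2009 13:25:46, information: Windows File Protection [64001] - File replacement was attempted on the protected system file ndis.sys. This file was restored to the original version to maintain system stability. The file version of the bad file is 0.0.0.1, the system file version is 5.1.2600.2180.
15/05/2009 13:23:37, error: Service Control Manager [7009] - Timeout (30000 seconds) while waiting for this service to connect: 4D6D3DD195594D6991F9E32D8607086B.
14/05/2009 23:25:09, error: Service Control Manager [7031] - The Symantec AntiVirus service terminated unexpectedly. This has happened 2 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
16/05/2009 17:40:17, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. This has happened 1 time(s).
14/05/2009 14:40:54, error: Print [6161] -
18/05/2009 17:59:24, error: Dhcp [1002] - The IP address lease 78.22.199.44 for the network card with network address 0022B06CC9D6 has been denied by the DHCP server 192.168.1.1.
"""

# "<dd/mm/yyyy hh:mm:ss>, <level>: <source> [<event id>] - <message>"
# The message may be empty (see the Print [6161] line).
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), (?P<level>\w+): "
    r"(?P<source>.+?) \[(?P<eid>\d+)\] -\s?(?P<msg>.*)$"
)

# Assumed keyword list: which crashing services count as security software.
SECURITY_KEYWORDS = ("symantec", "norton", "avira", "antivir", "malwarebytes")

SERVICE_NAME_RE = re.compile(r"^The (.+?) service ")     # SCM 7031/7034 wording
WFP_FILE_RE = re.compile(r"protected system file (\w+\.\w+)")
OPAQUE_NAME_RE = re.compile(r"\b[0-9A-F]{32}\b")          # 32 hex chars, no real name


def parse_events(text):
    """Parse the DDS event lines into dicts; unparseable lines are dropped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def triage_events(events):
    """Return (timestamp, tag, detail) findings worth a second look."""
    findings = []
    for ev in events:
        src, eid, msg = ev["source"], ev["eid"], ev["msg"]
        if src == "Windows File Protection" and eid == "64001":
            # A protected binary was swapped out and WFP put the original back.
            m = WFP_FILE_RE.search(msg)
            findings.append((ev["ts"], "WFP_RESTORE", m.group(1) if m else msg))
        elif src == "Service Control Manager" and eid in ("7031", "7034"):
            # Unexpected termination; only interesting when it is the AV dying.
            m = SERVICE_NAME_RE.match(msg)
            name = m.group(1) if m else msg
            if any(k in name.lower() for k in SECURITY_KEYWORDS):
                findings.append((ev["ts"], "SECURITY_SERVICE_CRASH", name))
        elif src == "Service Control Manager" and eid == "7009":
            # Start timeout on a service with an opaque hex name: verify by hand.
            m = OPAQUE_NAME_RE.search(msg)
            if m:
                findings.append((ev["ts"], "OPAQUE_SERVICE_TIMEOUT", m.group(0)))
    return findings


if __name__ == "__main__":
    for ts, tag, detail in triage_events(parse_events(SAMPLE_EVENTS)):
        print(f"{ts}  {tag:24s} {detail}")
```

On the sample this yields exactly three findings: the ndis.sys restore, the opaque-service timeout, and the Symantec AntiVirus crash; the ALG crash, the empty Print event and the DHCPNACK are parsed but not reported. A WFP_RESTORE hit on a network driver such as ndis.sys is the line a practitioner would act on first: compare the file's hash and version against the install media, because WFP restoring a file is evidence something wrote over it, not evidence that nothing else was changed.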

Re: Cryptor win 32

Post by Belahzur on 20th May 2009, 1:30 pm

Hello.

You are running two antivirus programs; I see from the uninstall list you have Norton/Symantec installed, along with Avira. This is a bad idea as they can conflict and cause more problems. I would recommend that you remove Symantec to avoid conflict and other future problems.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • LiveUpdate 2.6 (Symantec Corporation)
  • Symantec AntiVirus

Download and install [You must be registered and logged in to see this link.]
When installing, it will ask if you want to uninstall the old version first before it can install the new version, so please select yes and allow it to install.

Then delete this file in bold:
C:\1424420491

How is the machine running now?




Re: Cryptor win 32

Post by Fonzie on 20th May 2009, 3:07 pm

First of all I want to thank you again for what you did for me. You helped me quite a lot with my computer! Without your help my PC could maybe have crashed sometime! It's not my main PC. My own PC is broken and I got one of my dad's computers to help me out for a few weeks. I had downloaded a wrong file and that's how the misery began. So thank you very much!

Do you understand Dutch? :p It can't be simple to find the problems, although most of the data is universally the same.

I installed the new VLC (why is that? bug fixes?) and I deleted Symantec as well as the file in c:\. I haven't got any pop-ups from Avira so far, so it should be fixed now!

You told me at the beginning of this that there was a chance you couldn't repair it all. When I look at the work you did, you are a genius to me :p

How did you learn all this stuff? Are you a Computer expert who studied for this? Is it a hobby?

I know quite a bit of hard- and software but not how to fix these things like you did. Any suggestions so I might learn it?

Greetings from Belgium


Re: Cryptor win 32

Post by Belahzur on 20th May 2009, 3:15 pm

Hello.
Nope, I don't do Dutch. LMBO or ROFL

Yes, the 0.9.9 has bug fixes, that's why I asked you to update it.

There was an incredible amount of damage at the start of this thread, two rootkits and a patched system file, we've put that right now.

I learnt from an online malware fighting school, there's loads of them around.

What The Tech classroom
[You must be registered and logged in to see this link.]
GeekU
[You must be registered and logged in to see this link.]
MRU
[You must be registered and logged in to see this link.]

It is advised if you take part that you learn at only one site, as to save teachers time, etc.

There are few malware experts from Belgium I know of in the security community.


