win32/cryptor found in Iexplorer.exe and evchost.exe


Re: win32/cryptor found in Iexplorer.exe and evchost.exe

Post by Belahzur on Fri May 15, 2009 2:53 pm

Yeah, there's a few things to tidy up, but it can wait, no serious threat anymore.

Go get some sleep. Wink


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34916
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : XP SP3 Media Centre
Points Points : 245049
# Likes # Likes : 1


Post by aycnrz on Fri May 15, 2009 2:55 pm

Haha alright Smile! Thanks.
Good night.

aycnrz
Novice
Novice

Posts Posts : 29
Joined Joined : 2009-05-15
OS OS : XP
Points Points : 27631
# Likes # Likes : 0


Post by aycnrz on Sat May 16, 2009 5:49 am

I'm backkk!
What's my next step ><


Post by Belahzur on Sat May 16, 2009 1:46 pm

Getting an uninstall log. Smile

  • Open HijackThis.
  • When HijackThis opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.



Post by aycnrz on Sat May 16, 2009 1:48 pm

100% Free Chess Toolbar
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
3D Interstellar Voyager
3-D Salt Water Fish Tank Dem-esd Screen Saver
3DVIA player 4.1
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Shockwave Player 11.5
Adobe Stock Photos 1.0
Any Video Converter 2.6.2
AoA Audio Extractor 1.0
Apple Mobile Device Support
Apple Software Update
Ashampoo Photo Commander 5.40
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI Parental Control & Encoder
AVG 8.5
BA Installer
Bonjour
Choice Guard
Combat Arms
Counter-Strike 1.6
COWON Media Center - jetAudio Basic
Cube Maniak 1.8.0.0
Cucusoft YouTube Mate 7.13
Desktop Destroyer 3D Screensaver Free
Digital Locker Assistant
Easy Duplicate Finder v. 2.1
Free Video to iPod Converter version 3.1
Free YouTube Uploader version 1.5
Gabbasoft Cube Demo
GameArena The Arena
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
GunboundWC
Hamachi 1.0.3.0
High Definition Audio Driver Package - KB835221
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Intel(R) PRO Network Adapters and Drivers
iTunes
Java 2 Runtime Environment, SE v1.4.2_05
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Junk Mail filter update
Kiwee Toolbar
LimeWire 5.1.2
Liquid Desktop Free
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
LogMeIn
Magic DVD Ripper V5.2.1 build 8
Map Button (Windows Live Toolbar)
MapleStory
Media Converter SA Edition 0.8
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
Microsoft XML Parser and SDK
mIRC
MobileMe Control Panel
Moleskinsoft Clone Remover 3.3
Mozilla Firefox (2.0.0.16)
MSVC80_x86
MSVCRT
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Music Rescue
Music Rescue 3.1.6 iPod Distribution
Need for Madness
Network Play System (Patching)
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
Norton PC Checkup
Norton Security Scan
Norton Security Scan (Symantec Corporation)
OneCare Advisor (Windows Live Toolbar)
OneStepSearch 1.0 build 182
OpenOffice.org Installer 1.0
PC Connectivity Solution
Popup Blocker (Windows Live Toolbar)
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Safari
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB960003)
Security Update for Microsoft Office Excel 2007 (KB959997)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Segoe UI
Sloud Music Content Inspector 1.4 beta
Smart Link 56K Modem
Smart Menus (Windows Live Toolbar)
Soldat 1.5.0
Soldat 1.5.0
Sonic MyDVD
Sonic RecordNow!
Total Video Converter 3.12 080330
Uninstall 1.0.0.1
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Outlook 2007 Junk Email Filter (kb968503)
Update for Windows Internet Explorer 8 (KB961813)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Windows Driver Package - ASUSTeK (3xHybrid) MEDIA (05/05/2005 1.3.2.5)
Windows Driver Package - Nokia Modem (03/05/2008 3.7)
Windows Driver Package - Nokia Modem (03/13/2008 6.86.0.1)
Windows Driver Package - Nokia Modem (10/27/2008 3.9)
Windows Driver Package - Nokia Modem (10/27/2008 7.01.0.1)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8 Release Candidate 1
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Favorites for Windows Live Toolbar
Windows Live Mail
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Live Upload Tool
Windows Live Writer
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Xfire (remove only)

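As an added example (my code, not HijackThis's and not the helper's), the check a reviewer runs over an uninstall list like the one posted above: it reads the one-program-per-line text that "Save List..." writes and flags Java runtimes installed side by side (older runtimes stay installed alongside newer ones and carry known vulnerabilities), peer-to-peer clients, and exact duplicate entries. The sample list is a constructed excerpt modelled on the posted one, and the P2P name list is an illustrative assumption, not a complete one.

```python
"""Triage of a HijackThis uninstall list (uninstall_list.txt).

Added example for this thread; not code from HijackThis or from the helper.
Input is the plain one-program-per-line list that "Save List..." produces.
"""
import re
from collections import Counter

# Constructed excerpt modelled on the list posted in the thread.
SAMPLE_LIST = """\
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Reader 8.1.2
AVG 8.5
Java 2 Runtime Environment, SE v1.4.2_05
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
LimeWire 5.1.2
Mozilla Firefox (2.0.0.16)
"""

# Substrings identifying P2P clients. Illustrative only (assumption), not exhaustive.
P2P_CLIENTS = ("limewire", "bittorrent", "utorrent", "kazaa", "bearshare", "emule")


def java_version_key(name):
    """Return a comparable (major, minor, patch, update) tuple for a Java
    uninstall entry, or None when the entry is not a Java runtime.

    Old-style names read 'Java 2 Runtime Environment, SE v1.4.2_05';
    new-style names read 'Java(TM) 6 Update 5', i.e. 1.6.0_05.
    """
    m = re.search(r"\bSE v(\d+)\.(\d+)\.(\d+)_(\d+)\b", name)
    if m:
        return tuple(int(x) for x in m.groups())
    m = re.match(r"Java\(TM\) (\d+) Update (\d+)\b", name)
    if m:
        return (1, int(m.group(1)), 0, int(m.group(2)))
    return None


def triage(listing):
    """Parse the list text and return the findings as a dict."""
    names = [ln.strip() for ln in listing.splitlines() if ln.strip()]
    counts = Counter(names)

    # Collect every Java runtime with its version key; only the newest is kept.
    javas = {}
    for name in counts:
        key = java_version_key(name)
        if key is not None:
            javas[name] = key
    newest = max(javas, key=javas.get) if javas else None

    return {
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "newest_java": newest,
        "stale_java": sorted(n for n in javas if n != newest),
        "p2p": sorted(n for n in counts if any(p in n.lower() for p in P2P_CLIENTS)),
    }


if __name__ == "__main__":
    for finding, items in triage(SAMPLE_LIST).items():
        print(f"{finding}: {items}")
```

Run on the sample it reports the three older Java runtimes as stale, keeps "Java(TM) 6 Update 5" as the newest, lists LimeWire under p2p, and notes the repeated Office service-pack entry. The helper in this thread asks for all four Java entries to go, presumably ahead of a fresh install; the script's "keep the newest" rule is my choice, not his.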

Post by aycnrz on Sat May 16, 2009 1:55 pm

Wow.. I don't use half of that stuff. I needa do some cleaning Smile!
Computer's getting slow XDD


Post by Belahzur on Sat May 16, 2009 1:59 pm

Hello.

I see that you are running Limewire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If Limewire is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • Adobe Reader 8.1.2
  • Java 2 Runtime Environment, SE v1.4.2_05
  • Java(TM) 6 Update 2
  • Java(TM) 6 Update 3
  • Java(TM) 6 Update 5
  • LimeWire 5.1.2

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
OneStepSearch Service

Folder::
C:\_OTMoveIt
c:\program files\LimeWire
c:\program files\OneStep

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
"AntiVirusDisableNotify"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a2844de-99c3-11dd-acb4-00132014273f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{875c54c8-2d74-11de-90be-00132014273f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4ee268b-4d56-11dd-ac4e-00132014273f}]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.


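As an added example (my code, not ComboFix's and not the helper's), a reader for the CFScript.txt format used above: it splits the file into its "Name::" sections and expands the Registry:: block, which uses .reg-file syntax, into explicit actions so that what the script will remove can be reviewed before the file is dropped onto ComboFix. The semantics assumed are the ones visible in the posted script: "[-KEY]" deletes a key, and a '"Name"=-' line deletes a value under the most recent "[KEY]" line. The sample script is a shortened, constructed excerpt of the one posted.

```python
"""Reader for the CFScript.txt format that ComboFix accepts.

Added example for this thread; not ComboFix's own code. Section names and
registry-line semantics are taken from the script posted above.
"""
import re

# Constructed excerpt of the posted script (path list shortened).
SAMPLE_SCRIPT = r"""
KILLALL::

Driver::
OneStepSearch Service

Folder::
C:\_OTMoveIt
c:\program files\LimeWire

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
"AntiVirusDisableNotify"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a2844de-99c3-11dd-acb4-00132014273f}]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_cfscript(text):
    """Return {section_name: [non-empty lines]} in order of appearance.
    A 'Name::' line with nothing under it (KILLALL::) yields an empty list.
    Raises ValueError for content that precedes any section header."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line:
            if current is None:
                raise ValueError(f"line outside any section: {line!r}")
            sections[current].append(line)
    return sections


def registry_actions(lines):
    """Expand a Registry:: block into (action, key, value_name, data) tuples."""
    actions = []
    key = None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            key = None  # a deleted key cannot take value lines
            actions.append(("delete_key", line[2:-1], None, None))
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            m = VALUE_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised registry line: {line!r}")
            if key is None:
                raise ValueError(f"value line with no enclosing key: {line!r}")
            name, data = m.groups()
            if data == "-":
                actions.append(("delete_value", key, name, None))
            else:
                actions.append(("set_value", key, name, data))
    return actions


def summarize(text):
    """High-level plan of what the script asks ComboFix to do."""
    s = parse_cfscript(text)
    return {
        "killall_directive": "KILLALL" in s,
        "drivers": s.get("Driver", []),
        "folders": s.get("Folder", []),
        "registry": registry_actions(s.get("Registry", [])),
    }


if __name__ == "__main__":
    for section, plan in summarize(SAMPLE_SCRIPT).items():
        print(section, plan)
```

Reading the expanded plan is the point: the two Security Center values being deleted are the ones that suppress the "updates disabled" and "antivirus disabled" warnings, so removing them restores notifications that malware commonly switches off, and the MountPoints2 key deletions clear autorun associations left by removable drives. A value line before any "[KEY]" line, or a line in no section, is rejected rather than silently dropped.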

Post by aycnrz on Sat May 16, 2009 2:11 pm

Hmm.. Why do I need to delete Adobe Reader? and LimeWire *presses delete* sob sob*


Post by aycnrz on Sat May 16, 2009 2:12 pm

a new update to combofix? >< *presses download*


Post by Belahzur on Sat May 16, 2009 2:24 pm

You had a rootkit infection, do you want it to come back again? All because you downloaded an infection from Limewire.

Combofix is updated daily, so get the new version if it asks.



Post by aycnrz on Sat May 16, 2009 2:28 pm

ComboFix 09-05-15.06 - handsome kevin 05/17/2009 0:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.467 [GMT 10:00]
Running from: c:\documents and settings\handsome kevin\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\handsome kevin\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_OTMoveIt
c:\_otmoveit\MovedFiles\05142009_231348.log
c:\_otmoveit\MovedFiles\05142009_231348.res
c:\_otmoveit\MovedFiles\05142009_231348\DOCUME~1\HANDSO~1\LOCALS~1\Temp\NGLALog.txt
c:\_otmoveit\MovedFiles\05142009_231348\DOCUME~1\HANDSO~1\LOCALS~1\Temp\NGLATempNokia\Nokia Sans Wide Bold v3.1.ttf
c:\_otmoveit\MovedFiles\05142009_231348\Documents and Settings\handsome kevin\Local Settings\Temporary Internet Files\Content.IE5\O0WPPG9P\MsgrConfig[7].asmx
c:\_otmoveit\MovedFiles\05142009_231348\Documents and Settings\handsome kevin\Local Settings\Temporary Internet Files\Content.IE5\O0WPPG9P\signin[2].htm
c:\_otmoveit\MovedFiles\05142009_231348\Documents and Settings\handsome kevin\Local Settings\Temporary Internet Files\Content.IE5\RREW40LA\acCA02GIG8.htm
c:\program files\LimeWire
c:\program files\LimeWire\hs_err_pid1340.log
c:\program files\LimeWire\lib\UnpackedJars.7z
c:\program files\LimeWire\LimeWire.rar
c:\program files\OneStep
c:\program files\OneStep\home.js
c:\program files\OneStep\onestep.exe
c:\program files\OneStep\osopt.exe
c:\program files\OneStep\readme.html
c:\program files\OneStep\uninstall.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ONESTEPSEARCH_SERVICE
-------\Service_OneStepSearch Service


((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-13 11:15 . 2009-05-13 11:15 -------- d-sh--w c:\documents and settings\Administrator\PrivacIE
2009-05-13 11:15 . 2009-05-13 11:15 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-24 09:23 . 2009-04-26 10:15 -------- d-----w c:\program files\Soldat
2009-04-23 05:57 . 2009-04-23 05:57 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-17 00:21 . 2009-04-17 00:21 -------- d-----w c:\program files\iPod
2009-04-17 00:21 . 2009-04-17 00:21 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 14:17 . 2008-06-14 11:12 -------- d-----w c:\program files\LogMeIn
2009-05-16 14:05 . 2007-06-28 02:09 -------- d-----w c:\program files\Java
2009-05-16 14:02 . 2007-08-14 01:13 -------- d-----w c:\program files\Common Files\Adobe
2009-05-15 08:00 . 2009-02-16 04:35 -------- d-----w c:\program files\Norton Security Scan
2009-05-14 13:55 . 2007-06-28 02:51 110168 ----a-w c:\documents and settings\handsome kevin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-10 08:01 . 2007-06-28 02:14 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-25 23:45 . 2008-06-02 06:08 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-25 23:45 . 2008-06-02 06:08 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-25 23:44 . 2008-06-02 06:08 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-23 11:26 . 2008-10-18 12:31 34 ----a-w c:\documents and settings\handsome kevin\jagex_runescape_preferences.dat
2009-04-17 00:21 . 2008-02-04 10:54 -------- d-----w c:\program files\iTunes
2009-04-17 00:21 . 2008-02-04 10:53 -------- d-----w c:\program files\Common Files\Apple
2009-04-14 09:32 . 2008-03-13 05:01 -------- d-----w c:\program files\Valve
2009-04-12 13:11 . 2008-02-28 10:32 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-10 09:37 . 2009-04-10 09:37 -------- d-----w c:\program files\NeedforMadness_at
2009-04-06 23:44 . 2009-04-06 23:40 -------- d-----w c:\program files\Messenger Plus! Live
2009-04-06 07:39 . 2009-04-05 09:46 -------- d-----w c:\program files\mIRC
2009-04-06 07:20 . 2008-11-03 06:49 -------- d-----w c:\program files\Warcraft III
2009-04-05 08:34 . 2007-06-28 02:09 -------- d-----w c:\program files\ATI Technologies
2009-04-02 09:16 . 2007-07-03 14:47 -------- d-----w c:\program files\Google
2009-03-25 04:56 . 2009-03-25 04:56 -------- d-----w c:\program files\QuickTime
2009-03-25 04:51 . 2008-03-29 00:54 -------- d-----w c:\program files\Safari
2009-03-25 04:50 . 2009-03-25 04:50 -------- d-----w c:\program files\Bonjour
2009-03-19 06:32 . 2008-01-29 01:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:44 . 2004-08-10 06:38 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-05 12:59 . 2009-03-25 04:53 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-05 12:59 . 2008-08-02 03:08 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-08-11 08:41 . 2007-10-04 22:49 67696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-08-11 08:41 . 2007-10-04 22:49 54376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-08-11 08:41 . 2008-03-07 08:30 34952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-08-11 08:41 . 2008-03-07 08:30 46720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-08-11 08:41 . 2007-10-04 22:49 172144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-16 14:18 . 2009-05-16 14:18 16384 c:\windows\Temp\Perflib_Perfdata_850.dat
+ 2009-05-16 14:18 . 2009-05-16 14:18 16384 c:\windows\Temp\Perflib_Perfdata_428.dat
+ 2004-08-10 06:38 . 2009-05-16 05:40 63188 c:\windows\system32\perfc009.dat
- 2004-08-10 06:38 . 2009-05-15 14:17 63188 c:\windows\system32\perfc009.dat
+ 2004-08-10 06:38 . 2009-05-16 05:40 403968 c:\windows\system32\perfh009.dat
- 2004-08-10 06:38 . 2009-05-15 14:17 403968 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll" [2008-03-14 265360]

[HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}]
2008-03-14 03:08 265360 ----a-w c:\program files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll" [2008-03-14 265360]

[HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll" [2008-03-14 265360]

[HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EzStatus"="c:\apps\EZHome\EZStatus.exe" [2004-12-20 94208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 339968]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2004-10-07 81920]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]
"VCSPlayer"="c:\program files\Virtual CD v4 SDK\system\vcsplay.exe" [2004-03-04 299008]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"KiweeHook"="c:\program files\Kiwee Toolbar2\1.4.127\kwtbaim.exe" [2008-03-14 56456]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-08 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-25 1947928]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-05 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-17 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2004-09-10 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-09-15 2557952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"EzStatus"="c:\apps\EZHome\EZStatus.exe" [2004-12-20 94208]

c:\documents and settings\handsome kevin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
hamachi.lnk - c:\program files\Hamachi\hamachi.exe [2008-12-17 625952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-25 23:45 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-18 11:10 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001


Post by aycnrz on Sat May 16, 2009 2:28 pm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Nexon\\MapleStory\\Patcher.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"c:\\Documents and Settings\\handsome kevin\\Desktop\\Warcraft III\\war3.exe"=
"c:\\Documents and Settings\\handsome kevin\\Desktop\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Soldat\\Soldat.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Documents and Settings\\handsome kevin\\Desktop\\Games\\halo\\halo.exe"=
"c:\\Documents and Settings\\handsome kevin\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Media Converter SA Edition\\Media Converter.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Safari\\Safari.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6122:TCP"= 6122:TCP:Warcraft

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/2/2008 4:08 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/2/2008 4:08 PM 108552]
R1 vcsmpdrv;vcsmpdrv;c:\windows\system32\drivers\vcsmpdrv.sys [6/28/2007 12:18 PM 49024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/9/2009 7:34 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/9/2009 7:34 PM 298776]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2/28/2008 3:31 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [6/14/2008 9:12 PM 47640]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [1/14/2009 4:53 PM 226656]
R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);c:\program files\Virtual CD v4 SDK\System\vcssecs.exe [6/28/2007 12:18 PM 139264]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2/5/2008 8:29 PM 710144]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2/28/2008 3:31 PM 12192]
S3 Cap713x;Cap713x Video Capture;c:\windows\system32\drivers\Cap713x.sys [1/1/1980 751104]
S3 MPCSYS;MPCSYS;c:\windows\system32\drivers\mpcsys.SYS [2/5/2008 8:58 PM 15360]
S3 PageFau1t;PageFau1t;\??\c:\documents and settings\handsome kevin\Desktop\PageFau1t.sys --> c:\documents and settings\handsome kevin\Desktop\PageFau1t.sys [?]
S3 XDva090;XDva090;\??\c:\windows\system32\XDva090.sys --> c:\windows\system32\XDva090.sys [?]
S3 XDva092;XDva092;\??\c:\windows\system32\XDva092.sys --> c:\windows\system32\XDva092.sys [?]
S3 XDva093;XDva093;\??\c:\windows\system32\XDva093.sys --> c:\windows\system32\XDva093.sys [?]
S3 XDva104;XDva104;\??\c:\windows\system32\XDva104.sys --> c:\windows\system32\XDva104.sys [?]
S3 XDva129;XDva129;\??\c:\windows\system32\XDva129.sys --> c:\windows\system32\XDva129.sys [?]
S3 XDva181;XDva181;\??\c:\windows\system32\XDva181.sys --> c:\windows\system32\XDva181.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys --> c:\windows\system32\XDva186.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 02:34]

2008-12-23 c:\windows\Tasks\At3.job
- c:\program files\norton pc checkup\pc_checkup.exe [2009-01-29 22:10]

2009-05-16 c:\windows\Tasks\At4.job
- c:\program files\norton pc checkup\pc_checkup.exe [2009-01-29 22:10]

2009-05-15 c:\windows\Tasks\Norton Security Scan for handsome kevin.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-18 09:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: {{C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} -
DPF: CabBuilder - [You must be registered and logged in to see this link.]
DPF: {8DE6AB9C-8C62-486B-8C06-5C9AD6FD06F1} - [You must be registered and logged in to see this link.]
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - [You must be registered and logged in to see this link.]
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-17 00:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,6c,84,a2,95,e8,
c3,ee,d8,c8,28,51,af,b0,29,a3,98,1b,5a,55,b7,2c,fe,65,30,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,43,0b,e8,7a,a4,
8c,3f,82,71,3b,04,66,8b,46,0d,96,2c,46,83,03,6a,cf,97,1f,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,b3,d4,5d,e6,86,
b5,2c,29,25,da,ec,7e,55,20,c9,26,af,00,5d,1d,59,65,64,70,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,88,24,86,e3,1b,
da,87,b2,3e,1e,9e,e0,57,5a,93,61,d2,3c,be,a3,d6,6e,8a,73,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,e8,03,56,95,d5,
56,8e,59,cd,44,cd,b9,a6,33,6c,cd,96,78,13,26,0a,c5,33,44,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,83,3c,4d,52,6f,
aa,2d,7b,b0,18,ed,a7,3f,8d,37,a4,6a,2b,ff,76,41,fc,ce,ce,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,49,1c,62,bd,f4,
7d,5d,5c,31,77,e1,ba,b1,f8,68,02,7e,e8,49,bf,57,38,78,0b,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,21,3c,6c,95,81,
93,15,34,83,6c,56,8b,a0,85,96,ab,f5,f5,9f,b3,b7,ba,fb,55,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,d5,82,08,44,f1,
e9,71,db,51,fa,6e,91,28,9e,14,cc,a3,28,39,2c,10,03,cf,1a,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,6b,11,b5,e1,83,
8c,54,e9,b1,cd,45,5a,a8,c4,f8,b9,5d,dd,cc,ea,a1,1a,a1,6d,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,0b,0b,75,91,54,
38,34,a6,e3,0e,66,d5,eb,bc,2f,6b,d8,b5,95,c0,8d,2a,77,26,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,1a,af,7b,92,3f,
7a,e1,8e,fa,ea,66,7f,d4,3b,6b,70,06,40,74,9e,b5,92,40,cd,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(880)
c:\program files\CyberLink\Shared Files\CLRCEngine.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
c:\apps\ABoard\AOSD.EXE
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\iTunes\iTunes.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2009-05-16 0:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-16 14:23
ComboFix2.txt 2009-05-15 14:45

Pre-Run: 68,714,438,656 bytes free
Post-Run: 68,597,166,080 bytes free

360 --- E O F --- 2009-05-13 13:19


Re: win32/cryptor found in Iexplorer.exe and evchost.exe

Post by aycnrz on Sat May 16, 2009 2:29 pm

What about adobe reader?


Re: win32/cryptor found in Iexplorer.exe and evchost.exe

Post by Belahzur on Sat May 16, 2009 2:30 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?



Re: win32/cryptor found in Iexplorer.exe and evchost.exe

Post by aycnrz on Sat May 16, 2009 2:36 pm

Nothing detected by AVG, and it seems to run smoother with less lag Smile!
Thanks heaps.
Could you give me a list of the infections I had, just so I can do a bit of research on what they do?
Thanks.


Re: win32/cryptor found in Iexplorer.exe and evchost.exe

Post by Belahzur on Sat May 16, 2009 2:39 pm

The main infection was that rootkit, part of the TDSS family.



Re: win32/cryptor found in Iexplorer.exe and evchost.exe

Post by aycnrz on Sat May 16, 2009 2:40 pm

Thanks again, you helped heaps, goodnight.

