System infected with Win32/Cryptor Virus

System infected with Win32/Cryptor Virus

Post by Helaman on Sun May 17, 2009 4:30 pm

Hello, I picked up some rogue software and it really hammered my system.
I have AVG8 and it detected the Win32/Cryptor virus. Besides that problem, it had a
few other little gems which I seem to have cleared up, but there are still some things
I can't find.

It installed a batch file in my startup called santa which renamed a goofy-named text file in my system32 folder to an exe. I deleted that but am still getting infected on each reboot. AVG8 finds dozens of the virus in my Windows folders and deletes them, but in third-party programs it can't delete or heal them; there are 20 third-party programs infected, including AVG8.

Most of my programs that boot up with Windows have been disabled: Malwarebytes, Spybot, Kodak, and others. I can't run HijackThis, and mostly can't install anything.

To save some time I downloaded ComboFix and renamed it when saving as you have suggested, but it still says, "this file has been changed, probably due to a file patching virus (Virut)".

Have managed to run DDS and will post here.


Re: System infected with Win32/Cryptor Virus

Post by Belahzur on Sun May 17, 2009 4:33 pm

Yikes, that isn't good.
Standing by for DDS log.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



DDS won't leave post whole file, 1st half

Post by Helaman on Sun May 17, 2009 4:35 pm

DDS (Ver_09-05-14.01) - NTFSx86
Run by Helaman at 9:11:15.00 on Sun 05/17/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.967 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AGI\common\win32\PythonService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\Program Files\Invisible Browsing\servers\IBService.exe
D:\Program Files\Invisible Browsing\servers\Socks\IBSocksManager.exe
D:\Program Files\Invisible Browsing\servers\Http\ibhttp.exe
D:\Program Files\Invisible Browsing\servers\Socks\IBSocks.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\RunDll32.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
D:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
D:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
D:\Program Files\Invisible Browsing\InvisibleBrowsing.exe
D:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
D:\Program Files\Registry Mechanic\RegMech.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\Program Files\Raxco\PerfectDisk\PDAgent.exe
D:\Program Files\Spyware Doctor\pctsAuxs.exe
D:\Program Files\kodak\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\VCOM\PowerDesk\pddlghlp.exe
D:\Program Files\Nuance\NaturallySpeaking9\Program\natspeak.exe
D:\Program Files\ACD Systems\ImageFox\ImageFox.exe
D:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\Webshots\webshots.scr
D:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
D:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
D:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
D:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe
D:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\alg.exe
D:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\TEMP\VRT47.tmp
svchost.exe C:\WINDOWS\TEMP\VRT49.tmp
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
D:\Program Files\Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
M:\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local
uURLSearchHooks: H - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\program files\spybot - search & destroy\SDHelper.dll
BHO: {c2ba40a1-74f3-42bd-f434-12345a2c8953} - No File
BHO: {e7f15ac4-e0a9-43f0-921b-70dfea621220} - No File
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RegistryMechanic] d:\program files\registry mechanic\RegMech.exe /H
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [C6501Sound] RunDll32 c6501.cpl,CMICtrlWnd
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
mRun: [Acrobat Assistant 8.0] "d:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TrueImageMonitor.exe] d:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] d:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [Malwarebytes' Anti-Malware] "d:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [InvisibleBrowsing] d:\program files\invisible browsing\InvisibleBrowsing.exe
mRun: [ISTray] "d:\program files\spyware doctor\pctsTray.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Secure AntiVirus Pro] c:\windows\AV.EXE
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\helaman\startm~1\programs\startup\dialog~1.lnk - d:\program files\vcom\powerdesk\pddlghlp.exe
StartupFolder: c:\docume~1\helaman\startm~1\programs\startup\dragon~1.lnk - d:\program files\nuance\naturallyspeaking9\program\natspeak.exe
StartupFolder: c:\docume~1\helaman\startm~1\programs\startup\imagefox.lnk - d:\program files\acd systems\imagefox\ImageFox.exe
StartupFolder: c:\docume~1\helaman\startm~1\programs\startup\webshots.lnk - c:\program files\webshots\Launcher.exe
StartupFolder: c:\docume~1\helaman\startm~1\programs\startup\wordwe~1.lnk - d:\program files\wordweb\wweb32.exe
StartupFolder: c:\docume~1\helaman\startm~1\programs\startup\yahoo!~1.lnk - d:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - d:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: &WordWeb... - c:\windows\wweb32.dll/lookup.html
IE: Append to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - [You must be registered and logged in to see this link.] files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - d:\program files\micros~1\office11\EXCEL.EXE/3000
IE: Fill Forms - [You must be registered and logged in to see this link.] files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Open using &Advanced JPEG Compressor - d:\advanced jpeg compressor\ajcieex.htm
IE: RoboForm Toolbar - [You must be registered and logged in to see this link.] files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - [You must be registered and logged in to see this link.] files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - d:\program files\micros~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: motive.com\pattta.att
Trusted Zone: motive.com\patttbc.att
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
STS: {C2BA40A1-74F3-42BD-F434-12345A2C8953} - No File
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - d:\program files\qualcomm\eudora\EuShlExt.dll
SEH: Quick View Plus - ShellExecute Hook: {0cab0400-7395-11d0-a5e5-0020afe2fdd9} - qvphook.dll
LSA: Authentication Packages = msv1_0 relog_ap


DDS 2nd half

Post by Helaman on Sun May 17, 2009 4:36 pm

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\helaman\applic~1\mozilla\firefox\profiles\hefx2052.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - virtuemart Customized Web Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\helaman\application data\mozilla\firefox\profiles\hefx2052.default\extensions\{759830b0-e406-41b4-b2d3-e472e4a21153}\components\FFExternalAlert.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: d:\program files\adobe\acrobat 8.0\acrobat\browser\nppdf32.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600

============= SERVICES / DRIVERS ===============

R0 HFXP2;HFXP2;c:\windows\system32\drivers\hfxp2.sys [2009-5-7 17264]
R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2009-1-25 39472]
R0 ikfilesec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-5-16 40840]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-4-14 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-4-14 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-14 108552]
R1 iksysflt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-5-16 66952]
R1 iksyssec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-5-16 81288]
R2 AGWinService;AG Windows Service;c:\program files\agi\common\win32\pythonservice.exe [2009-1-25 30720]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-4-14 298776]
R2 IBService;IBService;d:\program files\invisible browsing\servers\IBService.exe [2009-1-26 71728]
R2 MBAMService;MBAMService;d:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-1-25 179856]
R2 sdauxservice;PC Tools Auxiliary Service;d:\program files\spyware doctor\pctsAuxs.exe [2009-5-16 356920]
R2 sdcoreservice;PC Tools Security Service;d:\program files\spyware doctor\pctsSvc.exe [2009-5-16 1079176]
R2 SFSZ;DataPlow SFS for Zetera Storage Devices;c:\windows\system32\drivers\sfsz.sys [2009-1-25 345984]
R2 Z-SANService;Z-SAN Service;c:\program files\netgear\netgear storage central manager utility\Z-SANService.exe [2009-1-25 397371]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-1-25 15504]
R3 ZetBus;Zetera Virtual Bus;c:\windows\system32\drivers\ZetBus.sys [2009-1-25 15488]
R3 ZetMPD;ZetMPD;c:\windows\system32\drivers\ZetMPD.sys [2009-1-25 5120]
S0 ZetSFD;ZetSFD;c:\windows\system32\drivers\ZetSFD.sys [2009-1-25 12800]
S2 KodakSvc;Kodak AiO Device Service;d:\program files\kodak\printer\center\KodakSvc.exe [2008-10-30 49152]
S2 spoolsv.exe;spoolsv.exe;c:\windows\system32\drivers\etc\services.exe /name:"spoolsv.exe" /start:"install.exe" --> c:\windows\system32\drivers\etc\Services.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

============== File Associations ===============

txtfile="d:\program files\jgsoft\editpadpro\EditPadPro.exe" "%1"

=============== Created Last 30 ================

2009-05-17 08:57 0 ----hr-- c:\windows\system32\NTICDMK7.dll
2009-05-17 08:36 1 a------- c:\windows\system32\4C.tmp
2009-05-17 08:36 84 a------- c:\windows\system32\4A.tmp
2009-05-17 08:36 292,864 a------- c:\windows\AV.EXE
2009-05-17 01:42 1 a------- c:\windows\system32\48.tmp
2009-05-17 01:42 84 a------- c:\windows\system32\47.tmp
2009-05-17 01:33 0 a------- c:\windows\win.ini
2009-05-17 01:17 1 a------- c:\windows\system32\46.tmp
2009-05-17 01:17 84 a------- c:\windows\system32\45.tmp
2009-05-16 23:46 1 a------- c:\windows\system32\44.tmp
2009-05-16 23:46 84 a------- c:\windows\system32\43.tmp
2009-05-16 23:39 1 a------- c:\windows\system32\41.tmp
2009-05-16 23:39 84 a------- c:\windows\system32\40.tmp
2009-05-16 23:22 1 a------- c:\windows\system32\3F.tmp
2009-05-16 23:22 84 a------- c:\windows\system32\3E.tmp
2009-05-16 23:02 1 a------- c:\windows\system32\33.tmp
2009-05-16 23:02 84 a------- c:\windows\system32\32.tmp
2009-05-16 22:56 2,126 a------- c:\windows\system32\wpa.dbl
2009-05-16 22:45 --d----- c:\windows\pss
2009-05-16 22:32 --d----- C:\temp system32
2009-05-16 22:11 --d----- c:\windows\system32\xircom
2009-05-16 22:11 --d----- c:\windows\system32\npp
2009-05-16 22:11 --d----- c:\windows\srchasst
2009-05-16 22:11 --d----- c:\program files\msn gaming zone
2009-05-16 19:22 --d----- c:\program files\Coreguard Antivirus 2009
2009-05-16 18:58 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-05-16 18:58 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-05-16 18:58 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-05-16 18:58 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-05-16 18:58 --d----- c:\docume~1\helaman\applic~1\PC Tools
2009-05-16 18:52 182,912 a------- c:\windows\system32\dllcache\ndis.sys
2009-05-16 18:52 104,012 a------- c:\windows\system32\drivers\203577d4.sys
2009-05-16 18:51 292,864 a------- c:\temp\AV.EXE
2009-05-16 18:51 106,496 ---sh--- c:\docume~1\helaman\applic~1\pic16.exe
2009-05-16 18:51 114,688 ---sh--- c:\docume~1\helaman\applic~1\pic08.exe
2009-05-12 21:55 --d----- c:\program files\FreeUndelete
2009-05-09 04:46 68 a------- c:\windows\MyProg.ini
2009-05-07 10:22 --d----- c:\program files\common files\Everstrike Software
2009-05-07 10:02 17,264 a------- c:\windows\system32\drivers\hfxp2.sys
2009-05-07 09:48 4,202 a------- c:\windows\hfxp.INI
2009-05-03 11:43 --d----- c:\docume~1\alluse~1\applic~1\Azureus
2009-05-03 11:43 --d----- c:\docume~1\helaman\applic~1\Azureus
2009-05-03 10:58 --d----- c:\docume~1\alluse~1\applic~1\ArcSoft
2009-05-03 10:56 2,363,392 a------- c:\windows\system32\xerces-c_2_7.dll
2009-05-03 10:56 45,056 a------- c:\windows\system32\KPDDynCC.DLL
2009-05-03 10:56 40,960 a------- c:\windows\system32\KPDLM.dll
2009-05-03 10:11 --d----- c:\docume~1\helaman\applic~1\KodakCredentialStore
2009-05-01 14:11 --d-h--- c:\windows\PIF
2009-05-01 12:10 --d----- c:\windows\system32\VIEWERS
2009-05-01 12:10 45,056 a------- c:\windows\qvphook.dll
2009-05-01 12:10 90,112 a------- c:\windows\uninsqvp.exe
2009-04-30 13:49 --d----- C:\lucy3
2009-04-29 11:33 --d----- c:\program files\Ontrack
2009-04-29 09:31 32,768 a------- c:\windows\system32\diskio.dll
2009-04-29 09:31 20,296 a------- c:\windows\system32\diskrw.dll
2009-04-24 06:56 --d----- c:\windows\system32\XPSViewer
2009-04-23 10:45 14,048 -------- c:\windows\system32\spmsg2.dll
2009-04-22 10:03 --d----- c:\program files\common files\Corel
2009-04-22 10:00 2,880 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-04-20 12:27 --d----- c:\program files\AIM6
2009-04-20 11:38 --d----- C:\Inetpub

==================== Find3M ====================

2009-05-16 18:52 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-05-10 01:10 2,277,376 a------- c:\windows\system32\TUKernel.exe
2009-05-09 09:57 117,560 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-05-02 10:03 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-02 10:03 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-02 10:03 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-15 08:05 639,224 a------- c:\windows\system32\drivers\sptd.sys
2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-28 08:13 392,320 a------- c:\windows\system32\drivers\timntr.sys
2009-03-28 08:13 32,768 a------- c:\windows\system32\drivers\tifsfilt.sys
2009-03-28 08:13 114,048 a------- c:\windows\system32\drivers\snapman.sys
2009-03-15 11:35 2,993 a------- c:\docume~1\helaman\applic~1\SAS7_000.DAT
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-05 14:21 44,032 a------- c:\windows\system32\inform.dat
2009-03-01 01:38 270,336 -------- c:\windows\Setup1.exe
2009-03-01 01:38 93,696 a------- c:\windows\ST6UNST.EXE
2007-12-17 18:23 1,136,640 a------- c:\program files\common files\ewutils2.dll

============= FINISH: 9:12:22.93 ===============


ATTACH.txt

Post by Helaman on Sun May 17, 2009 4:39 pm

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-05-14.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/25/2009 12:12:34 PM
System Uptime: 5/17/2009 8:33:49 AM (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | M2N-E SLI
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+ | Socket AM2 | 2613/200mhz
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+ | Socket AM2 | 2613/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 78 GiB total, 50.289 GiB free.
D: is FIXED (NTFS) - 152 GiB total, 79.163 GiB free.
E: is FIXED (NTFS) - 143 GiB total, 105.84 GiB free.
F: is FIXED (NTFS) - 80 GiB total, 37.192 GiB free.
G: is FIXED (NTFS) - 79 GiB total, 14.292 GiB free.
H: is FIXED (NTFS) - 73 GiB total, 16.558 GiB free.
M: is CDROM (CDFS)

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&C964BA9&0&01
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0057\4&C964BA9&0&01
Service: NVENETFD

==== System Restore Points ===================

RP148: 5/4/2009 3:21:31 PM - Installed Platform
RP149: 5/5/2009 5:00:49 PM - System Checkpoint
RP150: 5/6/2009 4:19:16 PM - Installed Connect Service
RP151: 5/7/2009 6:02:20 PM - System Checkpoint
RP152: 5/9/2009 4:04:45 AM - System Checkpoint
RP153: 5/10/2009 10:24:26 AM - System Checkpoint
RP154: 5/11/2009 1:18:30 PM - System Checkpoint
RP155: 5/12/2009 10:21:04 AM - Installed Eudora
RP156: 5/13/2009 3:47:30 PM - System Checkpoint
RP157: 5/15/2009 9:49:06 AM - System Checkpoint
RP158: 5/16/2009 9:37:34 AM - Avg8 Update
RP159: 5/16/2009 10:09:13 PM - Removed SendBlaster
RP160: 5/17/2009 1:17:26 AM - Restore Operation
RP161: 5/17/2009 1:21:43 AM - Restore Operation
RP162: 5/17/2009 1:22:32 AM - Restore Operation
RP163: 5/17/2009 1:42:48 AM - Restore Operation
RP164: 5/17/2009 9:09:11 AM - Removed Java(TM) 6 Update 12

==== Installed Programs ======================


7-Zip 4.65
ACDSee 10 Photo Manager
Acronis True Image Home
Adobe Acrobat 8 Professional - English, Français, Deutsch
Adobe Acrobat 8.1.5 Professional
Adobe AIR
Adobe Anchor Service CS4
Adobe CMaps CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Dreamweaver CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe InDesign CS
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe XMP Panels CS4
Advanced JPEG Compressor 4.8
AI RoboForm (All Users)
AIM 6
aiofw
aioocr
aioprnt
aioscnnr
AnswerWorks 5.0 English Runtime
ArcSoft Print Creations
ArcSoft Print Creations - Album Page
ArcSoft Print Creations - Funhouse
ArcSoft Print Creations - Greeting Card
ArcSoft Print Creations - Photo Book
ArcSoft Print Creations - Photo Calendar
ArcSoft Print Creations - Scrapbook
ArcSoft Print Creations - Slimline Card
AT&T Self Support Tool
AVG 8.5
Business Plan Pro 2007
C-Media 6501 Sound
CCleaner (remove only)
CCScore
center
Codec Pack - All In 1 6.0.3.0
ColorImpact 3.1.1
Connect
CorelDRAW Graphics Suite X3
CPL All-in-One
Crimson Editor (remove only)
Data Lifeguard Diagnostic for Windows
DataRobot Premium
Day-Timer Organizer 2000
DeadAIM
Dragon NaturallySpeaking 9
EasyRecovery Professional
EN
EPSON Printer Software
ESSBrwr
ESSCDBK
ESScore
ESSgui
ESSini
ESSPCD
ESSPDock
ESSTOOLS
essvatgt
Eudora
FontExpert 2007
FontNav
Help_CTR
helptut
helpug
Hide Folders XP 2.9.2 for Windows XP/Vista
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB945060-v3)
Hoyle Casino
ImageFox
Innovatools Add/Remove Plus! 5.0
Invisible Browsing 6.5
Ipswitch WS_FTP Professional 2006
JGsoft EditPad Pro 4.5.4 DEMO
kgcbaby
kgchday
kgchlwn
kgcinvt
kgckids
kgcmove
kgcvday
Kodak EasyShare software
ksdip
kuler
LifeGlobe Sharks, Terrors of the Deep
LightScribe 1.4.136.1
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Shockwave Player
Magic ISO Maker v5.4 (build 0239)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Web Publishing Wizard 1.52
Mozilla Firefox (3.0.10)
Mozilla Thunderbird (2.0.0.19)
MSXML 6.0 Parser (KB925673)
MySQL Server 5.0
Natura Sound Therapy
netbrdg
NETGEAR Storage Central Manager Utility
NotePad++ 3.6
NTI CD & DVD-Maker
NTI CD & DVD-Maker 7 Platinum Trial
NVIDIA Drivers
O&O DiskRecovery
OfotoXMI
Paragon Partition Manager 9.0 Professional
PayPal Shop Maker 3.0
PerfectDisk
Photo-Objects 50,000 Premium Image Collection
PhotoImpact X3
Photoshop Camera Raw
POS Maid 2.28 by Alexandria Computers, LLC
PowerDesk 6
PowerISO
PrintMaster 16
PrintMaster Platinum 4.00
Quick View Plus
Quicken 2009
QuickTime
Registry Mechanic 8.0
Safe Data Recovery 2.3
ScanSoft OmniPage 16
ScanSoft PDF Create! 4
SFR
SHASTA
Shockwave
skin0001
SKINXSDK
Spybot - Search & Destroy
staticcr
Suite Shared Configuration CS4
tooltips
Top Chef
TuneUp Utilities 2008
Update Manager
VBA
VLC media player 0.9.9
VPRINTOL
Webshots Desktop
Whisper 32
Winamp
Windows Communication Foundation
Windows Imaging Component
Windows Internet Explorer 7
Windows Presentation Foundation
Windows Workflow Foundation
WinRAR archiver
WIRELESS
WordWeb Pro
Xara3D6
XML Paper Specification Shared Components Pack 1.0
Yahoo! Widgets

==== Event Viewer Messages From Past Week ========

5/17/2009 12:18:34 AM, error: Service Control Manager [7034] - The PC Tools Auxiliary Service service terminated unexpectedly. It has done this 1 time(s).
5/16/2009 7:47:28 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PC Tools Security Service service to connect.
5/16/2009 7:47:28 PM, error: Service Control Manager [7000] - The PC Tools Security Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/16/2009 7:46:45 PM, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).
5/16/2009 7:37:44 PM, error: Service Control Manager [7034] - The McciCMService service terminated unexpectedly. It has done this 1 time(s).
5/16/2009 7:37:13 PM, error: Service Control Manager [7034] - The PDAgent service terminated unexpectedly. It has done this 1 time(s).
5/16/2009 7:09:22 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
5/16/2009 7:05:54 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Viewpoint Manager Service service to connect.
5/16/2009 7:05:54 PM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/16/2009 7:05:54 PM, error: Service Control Manager [7000] - The Automatic Updates service failed to start due to the following error: The system cannot find the file specified.
5/16/2009 11:38:51 PM, error: Cdrom [11] - The driver detected a controller error on \Device\CdRom0.
5/16/2009 11:22:08 PM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The system cannot find the path specified.
5/16/2009 10:52:53 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
5/16/2009 10:50:33 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AvgLdx86 AvgMfx86 AvgTdiX Fips IPSec MRxSmb NetBIOS NetBT Processor RasAcd Rdbss SCDEmu Tcpip
5/16/2009 10:50:33 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
5/16/2009 10:50:33 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/16/2009 10:50:33 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
5/16/2009 10:50:33 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
5/16/2009 10:49:57 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
5/15/2009 9:16:00 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer WHITEFANG that believes that it is the master browser for the domain on transport NetBT_Tcpip_{2F791E97-2402-4313. The master browser is stopping or an election is being forced.
5/13/2009 9:52:51 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avg8wd service.
5/13/2009 2:35:22 PM, error: NetBT [4322] - NetBT failed to process a request because it encountered OutOfResources exception(s) in the last 1 hour.
5/12/2009 7:47:57 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Kodak AiO Device Service service to connect.
5/12/2009 7:47:57 AM, error: Service Control Manager [7000] - The spoolsv.exe service failed to start due to the following error: The system cannot find the file specified.
5/12/2009 7:47:57 AM, error: Service Control Manager [7000] - The Kodak AiO Device Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/11/2009 9:05:07 AM, error: Dhcp [1002] - The IP address lease 192.168.1.100 for the Network Card with network address 00045A47BD88 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
5/11/2009 1:24:48 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: ZetSFD
5/10/2009 3:44:42 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service upnphost with arguments "" in order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
5/10/2009 12:17:14 PM, error: Srv [2011] - The server's configuration parameter "irpstacksize" is too small for the server to use a local device. Please increase the value of this parameter.
5/10/2009 1:05:26 AM, error: Disk [11] - The driver detected a controller error on \Device\Harddisk3\D.

==== End Of File ===========================


Re: System infected with Win32/Cryptor Virus

Post by Belahzur on Sun May 17, 2009 4:45 pm

Yikes.

Bad news for you.

You are dealing with a polymorphic file infector known as Virut. Sad to say, it's game over for this machine, and my best advice would be to format and reinstall; this is the fastest and especially the safest solution.

See here:
[You must be registered and logged in to see this link.]

I suggest you start to back up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files.
Doing so may restore the infection, because the above file types are infected with this Virut.



question on backing up

Post by Helaman on Sun May 17, 2009 4:57 pm

I had to move over to my Linux machine, as Windows became too unstable.

I kind of figured that I would have to hose Windows.

Question on backing up...
I use partitions: I run Windows on the C: drive, my programs on the D: drive and my data on the E: drive.
How far will this virus go? That is, if I just delete C: and the Program Files directory on D:, will
the other partitions (E:, F:, G:, H:, etc.) be safe?

thanks


Re: System infected with Win32/Cryptor Virus

Post by Belahzur on Sun May 17, 2009 5:02 pm

No.
If you back up ANY .exe files, you back up the infection and it will keep coming back; the same applies to .scr type files.

That's why I asked that you do not back up any exe file. If you have nothing worth backing up, then just throw everything away and start fresh.


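The backup guidance in the two replies above (copy documents, pictures and the like from any partition, but none of the .exe/.scr/.htm/.html/.xml/.zip/.rar files, since those carry the Virut infection back) as an added example, not code from the thread or from either poster: a small Python helper that walks a mounted data partition, copies only files outside that list to clean media, and reports what it left behind. The skip list is the one quoted in the thread; the source and destination paths and the sample file layout are constructed for the demo.

```python
"""Copy user data off a Virut-infected machine, leaving out the file types
the thread says not to carry over (.exe .scr .htm .html .xml .zip .rar).

Added example, not code from the forum thread. Assumes the source is a
mounted data partition (the user's E: drive, or e.g. /mnt/e from a Linux
rescue system) and the destination is clean media; only the standard
library is used.
"""
import os
import shutil
import tempfile
from typing import Dict, Iterable, List, Tuple

# The do-not-copy list quoted in the thread, compared case-insensitively so
# that names like AV.EXE from the DDS log are caught too.
SKIP_EXTENSIONS = frozenset({".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"})


def is_skipped(path: str, skip_exts: Iterable[str] = SKIP_EXTENSIONS) -> bool:
    """True when the file's last extension is on the do-not-copy list.

    A disguised name such as photo.jpg.exe still ends in .exe and is skipped;
    a file with no extension at all is kept.
    """
    ext = os.path.splitext(path)[1].lower()
    return ext in {e.lower() for e in skip_exts}


def classify(rel_paths: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split relative paths into (to_copy, to_skip) by extension only."""
    to_copy, to_skip = [], []
    for rel in rel_paths:
        (to_skip if is_skipped(rel) else to_copy).append(rel)
    return to_copy, to_skip


def plan_backup(src_root: str) -> Tuple[List[str], List[str]]:
    """Walk src_root and classify every regular file (paths relative to src_root).

    Symlinks are not followed, so the copy cannot wander back into the
    infected system partition.
    """
    rel_paths = []
    for dirpath, _dirs, files in os.walk(src_root, followlinks=False):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel_paths.append(os.path.relpath(full, src_root))
    return classify(sorted(rel_paths))


def run_backup(src_root: str, dest_root: str) -> Dict[str, int]:
    """Copy the allowed files into dest_root, preserving layout; return counts."""
    to_copy, to_skip = plan_backup(src_root)
    for rel in to_copy:
        dst = os.path.join(dest_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(src_root, rel), dst)  # copy2 keeps timestamps
    return {"copied": len(to_copy), "skipped": len(to_skip)}


# Constructed sample layout of a data partition, used only by demo().
SAMPLE_FILES = {
    "Documents/budget.xls": b"xls",
    "Documents/notes.txt": b"notes",
    "Pictures/holiday/IMG_001.jpg": b"jpg",
    "Pictures/holiday/viewer.EXE": b"MZ",  # infectable, mixed-case extension
    "Downloads/setup.exe": b"MZ",
    "Downloads/archive.zip": b"PK",        # may hold infected executables
    "Web/index.html": b"<html>",
    "Web/feed.xml": b"<rss>",
    "Music/track.mp3": b"ID3",
    "README": b"no extension",
}


def demo() -> Dict[str, object]:
    """Build the sample tree in a temp dir, back it up, and verify the result."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "E_drive")
        dest = os.path.join(tmp, "backup")
        for rel, data in SAMPLE_FILES.items():
            full = os.path.join(src, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        counts = run_backup(src, dest)
        to_copy, to_skip = plan_backup(src)
        copied_ok = all(os.path.isfile(os.path.join(dest, r)) for r in to_copy)
        skipped_ok = not any(os.path.exists(os.path.join(dest, r)) for r in to_skip)
        return {"counts": counts, "skipped": to_skip, "ok": copied_ok and skipped_ok}


if __name__ == "__main__":
    result = demo()
    print(result["counts"])
    for rel in result["skipped"]:
        print("left behind:", rel)
```

Run it against a real mount by calling run_backup(src, dest) with the partition and the clean destination; the skipped list is what still needs to be reinstalled from trusted installers after the rebuild.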

Re: System infected with Win32/Cryptor Virus

Post by Helaman on Sun May 17, 2009 5:21 pm

thanks
