Win 32/cryptor


Win 32/cryptor

Post by tdantes on 20th May 2009, 9:19 pm

I have been having problems for about 1 month. I was locked out of System Restore, Malwarebytes, Spybot and others. The computer freezes or just restarts at random. I was locked out of AVG but was able to uninstall it and reinstall it. The items that have been moved to the Virus Vault keep coming back. AVG is working for the moment, but I am unable to run it or any of the other programs in Safe Mode.
Here is the AVG scan log:
"\\?\globalroot\systemroot\system32\UACteldkdhv.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACteldkdhv.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACteldkdhv.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACteldkdhv.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACteldkdhv.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACteldkdhv.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACteldkdhv.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACteldkdhv.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACteldkdhv.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACteldkdhv.dll";"Virus identified Win32/Cryptor";"Moved to Virus Vault"
"C:\Program Files\Internet Explorer\iexplore.exe (1440)";"Virus identified Win32/Cryptor";""
"C:\Program Files\Internet Explorer\iexplore.exe (2556)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (1192)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (1260)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (2024)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (708)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (756)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (828)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (864)";"Virus identified Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (916)";"Virus identified Win32/Cryptor";""

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:24 PM, on 5/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 SP2 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Shimri Yancey\Desktop\hijackgpthis.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r4.attbi.com;localhost;
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: NetAssistantBHO Class - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\My.Freeze.com NetAssistant\NetAssistant.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
N2 - Netscape 6: # Mozilla User Preferences
// This is a generated file!

user_pref(".aim.im.playall", true);
user_pref("aim.session.finishedwizard", true);
user_pref("aim.session.firsttime", false);
user_pref("aim.session.screenname", "hunter");
user_pref("browser.download.dir", "C:\\Documents and Settings\\Shimri Yancey\\My Documents\\Zipped Elements\\New Folder");
user_pref("browser.download.progressDnldDialog.keepAlive", false);
user_pref("browser.history.last_page_visited", "file:///C:/Documents%20and%20Settings/Shimri%20Yancey/My%20Documents/My%20Pictures/DSCF0834.png");
user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCA%7E1%5Csearchplugins%5CSBWeb_01.src");
user_pref("hunter.aim.im.playall", true);
user_pref("hunter.aim.session.autologin", true);
user_pref("hunter.aim.session.password", "0aHVudGVy");
user_pref("hunter.aim.session.storepassword", true);
user_pref("intl.charsetmenu.browser.cache", "windows-1252, UTF-8");
user_pref("ldap_2.prefs_migrated", true);
use
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O1 - Hosts: 91.212.65.122 [You must be registered and logged in to see this link.]
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - (no file)
O2 - BHO: adssite - {352f1042-c6a9-10ea-c541-1c8c60f3ee9f} - C:\WINDOWS\system32\nsk1EA.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {7ff7} - {53779d6b-f5e8-4f55-98e4-7802d7ec9737} - C:\WINDOWS\system32\yfbimeox.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {497bb4c4-162e-8d59-f084-b1f475c05bf8} - {8fb50c57-4f1b-480f-95d8-e2614c4bb794} - C:\WINDOWS\system32\ucgapv.dll (file missing)
O2 - BHO: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
O2 - BHO: (no name) - {9C8A568E-4201-478a-8536-526CF371D2E2} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\avgtoolbar.dll
O2 - BHO: (no name) - {a5e876a6-7df1-4715-be03-138df71e4872} - C:\WINDOWS\system32\yobijile.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: BHO - {ABD45510-9B22-41cd-9ACD-8182A2DA7C63} - C:\WINDOWS\system32\iehelper.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: NetAssistantBHO - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\My.Freeze.com NetAssistant\NetAssistant.dll
O2 - BHO: 796525 helper - {E7F15AC4-E0A9-43F0-921B-70DFEA621220} - C:\WINDOWS\system32\796525\796525.dll (file missing)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: (no name) - {1028F737-81E7-452B-A860-E50CAD90A08C} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKLM\..\RunOnce: [IERESETATTRIB] %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\system32\ieudinit.exe -ResetFileAttributes
O4 - HKLM\..\RunOnce: [Installing-ie8] C:\DOCUME~1\SHIMRI~1\LOCALS~1\Temp\IE8-WindowsXP-x86-ENU.exe /passive
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [yuzonedija] Rundll32.exe "C:\WINDOWS\system32\lidepomo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [yuzonedija] Rundll32.exe "C:\WINDOWS\system32\lidepomo.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - [You must be registered and logged in to see this link.] Files\UpromiseRemindU\System\Temp\upromise_script0.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6AE4CC6E-999C-11D4-A3F0-009027427750} (NSAuto Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - [You must be registered and logged in to see this link.]
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\fikeposu.dll numbdh.dll ucgapv.dll c:\windows\system32\liguzeju.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O24 - Desktop Component 0: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 1: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 10: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 11: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 12: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 13: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 14: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 15: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 16: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 17: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 18: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 19: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 2: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 3: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 4: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 5: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 6: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 7: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 8: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 9: (no name) - [You must be registered and logged in to see this link.]

--
End of file - 12270 bytes


Re: Win 32/cryptor

Post by Belahzur on 20th May 2009, 9:26 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O1 - Hosts: ::1 localhost
    O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
    O1 - Hosts: 91.212.65.122 antiwareprotect.com
    O1 - Hosts: 91.212.65.122 [You must be registered and logged in to see this link.]
    O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - (no file)
    O2 - BHO: adssite - {352f1042-c6a9-10ea-c541-1c8c60f3ee9f} - C:\WINDOWS\system32\nsk1EA.dll
    O2 - BHO: {7ff7} - {53779d6b-f5e8-4f55-98e4-7802d7ec9737} - C:\WINDOWS\system32\yfbimeox.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: {497bb4c4-162e-8d59-f084-b1f475c05bf8} - {8fb50c57-4f1b-480f-95d8-e2614c4bb794} - C:\WINDOWS\system32\ucgapv.dll (file missing)
    O2 - BHO: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
    O2 - BHO: (no name) - {9C8A568E-4201-478a-8536-526CF371D2E2} - (no file)
    O2 - BHO: (no name) - {a5e876a6-7df1-4715-be03-138df71e4872} - C:\WINDOWS\system32\yobijile.dll (file missing)
    O2 - BHO: BHO - {ABD45510-9B22-41cd-9ACD-8182A2DA7C63} - C:\WINDOWS\system32\iehelper.dll (file missing)
    O2 - BHO: NetAssistantBHO - {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - C:\Program Files\My.Freeze.com NetAssistant\NetAssistant.dll
    O2 - BHO: 796525 helper - {E7F15AC4-E0A9-43F0-921B-70DFEA621220} - C:\WINDOWS\system32\796525\796525.dll (file missing)
    O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
    O3 - Toolbar: (no name) - {1028F737-81E7-452B-A860-E50CAD90A08C} - (no file)
    O3 - Toolbar: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
    O4 - HKLM\..\RunOnce: [Installing-ie8] C:\DOCUME~1\SHIMRI~1\LOCALS~1\Temp\IE8-WindowsXP-x86-ENU.exe /passive
    O4 - HKUS\S-1-5-19\..\Run: [yuzonedija] Rundll32.exe "C:\WINDOWS\system32\lidepomo.dll",s (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [yuzonedija] Rundll32.exe "C:\WINDOWS\system32\lidepomo.dll",s (User 'NETWORK SERVICE')
    O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - [You must be registered and logged in to see this link.] Files\UpromiseRemindU\System\Temp\upromise_script0.htm (file missing) (HKCU)
    O20 - AppInit_DLLs: C:\WINDOWS\system32\fikeposu.dll numbdh.dll ucgapv.dll c:\windows\system32\liguzeju.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)


  • Press "Fix Checked"
  • Close Hijack This.

Next,

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


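As an added example (not part of this thread, and not HijackThis's or Belahzur's own logic), the Python below encodes the signals a helper reads out of a HijackThis log like the one in the opening post: a second program chained onto UserInit, hosts entries that map a name to a non-loopback address (here browser-security.microsoft.com and antiwareprotect.com to 91.212.65.122), BHOs, toolbars and shell hooks whose file is missing, a BHO loaded straight out of system32, autostarts launched from a Temp folder or rundll32 autostarts under the LOCAL SERVICE / NETWORK SERVICE hives, and a populated AppInit_DLLs value. The sample lines are copied from the posted log with a few benign entries mixed in; the rules themselves are heuristics chosen for this example rather than anything the thread states, so treat each hit as something to look at, not a verdict.

```python
"""Heuristic triage of HijackThis log lines.

Added example for this thread; it is not HijackThis code and the rules
are this example's own assumptions about what deserves a second look.
"""
import re

# Sample lines copied from the log posted in the thread (benign ones mixed in).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 browser-security.microsoft.com
O1 - Hosts: 91.212.65.122 antiwareprotect.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - (no file)
O2 - BHO: adssite - {352f1042-c6a9-10ea-c541-1c8c60f3ee9f} - C:\WINDOWS\system32\nsk1EA.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {7ff7} - {53779d6b-f5e8-4f55-98e4-7802d7ec9737} - C:\WINDOWS\system32\yfbimeox.dll (file missing)
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\Toolbar.dll (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKLM\..\RunOnce: [Installing-ie8] C:\DOCUME~1\SHIMRI~1\LOCALS~1\Temp\IE8-WindowsXP-x86-ENU.exe /passive
O4 - HKUS\S-1-5-19\..\Run: [yuzonedija] Rundll32.exe "C:\WINDOWS\system32\lidepomo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O20 - AppInit_DLLs: C:\WINDOWS\system32\fikeposu.dll numbdh.dll ucgapv.dll c:\windows\system32\liguzeju.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
""".strip().splitlines()

LOOPBACK = {"127.0.0.1", "::1"}
MISSING = ("(no file)", "(file missing)")
# LOCAL SERVICE / NETWORK SERVICE: these hives normally carry no Run entries.
SERVICE_SIDS = ("S-1-5-19", "S-1-5-20")


def check_line(line):
    """Return a short reason if a heuristic fires on this line, else None."""
    kind, _, rest = line.partition(" - ")
    if kind == "F2" and "UserInit=" in rest:
        # Normal value is userinit.exe alone; anything chained after it runs at logon.
        exes = [p for p in rest.split("UserInit=", 1)[1].split(",") if p.strip()]
        if len(exes) > 1 or not exes[0].lower().endswith(r"\userinit.exe"):
            return "extra program chained to UserInit"
    if kind == "O1":
        parts = rest.split()  # "Hosts:", address, hostname
        if len(parts) >= 3 and parts[1] not in LOOPBACK:
            return f"hosts file redirects {parts[2]} to {parts[1]}"
    if kind in ("O2", "O3", "O9", "O21", "O22"):
        if any(m in rest for m in MISSING):
            return "registered component whose file is gone"
        if kind == "O2" and re.search(r"\\system32\\[^\\]+\.dll$", rest, re.I):
            return "BHO loaded straight from system32"
    if kind == "O4":
        if re.search(r"\\temp\\", rest, re.I):
            return "autostart from a Temp directory"
        if any(sid in rest for sid in SERVICE_SIDS) and "rundll32" in rest.lower():
            return "rundll32 autostart under a service account"
    if kind == "O20" and rest.startswith("AppInit_DLLs:"):
        if rest.split(":", 1)[1].strip():
            return "AppInit_DLLs populated (loaded into every process using user32)"
    return None


def triage(lines):
    """Return [(line, reason)] for every line a heuristic fires on."""
    hits = []
    for line in lines:
        reason = check_line(line.strip())
        if reason:
            hits.append((line.strip(), reason))
    return hits


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason:55} <- {line[:70]}")
```

On the sample it flags eleven lines, all of them among the entries Belahzur told the poster to fix, and leaves the Spybot, AVG, Adobe and Google entries alone. The IPv6 loopback hosts line, which he also had removed, is not flagged because it maps only to loopback, and the NetAssistant BHO from the full log would not be either: both calls need knowledge beyond the line itself, which is exactly the part a human helper supplies.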

Re: Win 32/cryptor

Post by tdantes on 20th May 2009, 10:36 pm

OK, I did everything up to double-clicking on Combo-Fix... I was able to get a small box up that looked like a scan bar, but then the computer froze. I restarted the computer, double-clicked, and nothing...


Re: Win 32/cryptor

Post by Belahzur on 20th May 2009, 10:39 pm

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

Try running Combofix in safe mode.



Re: Win 32/cryptor

Post by tdantes on 21st May 2009, 12:09 am

OK, I was able to get it open.
Here is the message I got:

ComboFix has detected the presence of rootkit activity and needs to reboot the machine. Kindly note down on paper the name of each file. We may need it later.

C:/WINDOWS/system32/driver/UACwrytript.sys
C:/WINDOWS/system32/UACcoxqpcxy.dll
C:/WINDOWS/system32/UACcimxnbnc.dll
C:/WINDOWS/system32/UACnhrfmutq.dll
C:/WINDOWS/system32/UACwinkqtl.dll
C:/WINDOWS/system32/UAC teldkdhu.dll
C:/WINDOWS/system32/UACkfnxcugg.log
C:/WINDOWS/system32/UACvebuvqky.log
C:/WINDOWS/system32/UACmwqetpta.log

now what?


Re: Win 32/cryptor

Post by Belahzur on 21st May 2009, 12:26 am

Let it continue the run. I know about the rootkit; I know it's the UAC variant.



Re: Win 32/cryptor

Post by tdantes on 21st May 2009, 2:07 am

OK, after a few tries, this is what I got.

ComboFix 09-05-20.A0 - Shimri Yancey 05/20/2009 18:48.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.364 [GMT -7:00]
Running from: c:\documents and settings\Shimri Yancey\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\str.sys
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\All Users\Application Data\ZangoSA
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSA.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSA_kyf.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAAbout.mht
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAau.dat
c:\documents and settings\All Users\Application Data\ZangoSA\ZangoSAEula.mht
c:\documents and settings\Shimri Yancey\My Documents\My Music\My Music.url
c:\program files\\setup.exe
c:\program files\INSTALL.LOG
c:\program files\Mozilla Firefox\components\c2397428-4905-78f4-245f-df578be9b86a.dll
c:\program files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll
c:\windows\IE4 Error Log.txt
c:\windows\ld08.exe
c:\windows\Readme.txt
c:\windows\smdat32m.sys
c:\windows\system32\adssite-remove.exe
c:\windows\system32\aggjoofb.ini
c:\windows\system32\ahatitav.ini
c:\windows\system32\akidugos.ini
c:\windows\system32\anajasop.ini
c:\windows\system32\bvjhajcu.ini
c:\windows\system32\ciwxtdjp.ini
c:\windows\system32\cont_adssite-remove.exe
c:\windows\system32\drivers\str.sys
c:\windows\system32\elowupoz.ini
c:\windows\system32\eragigib.ini
c:\windows\system32\erajozez.ini
c:\windows\system32\evilidon.ini
c:\windows\system32\ewofehiv.ini
c:\windows\system32\gdfghwiq.ini
c:\windows\system32\hwjiwrer.ini
c:\windows\system32\igenumuz.ini
c:\windows\system32\ipabojus.ini
c:\windows\system32\iylhbmwr.ini
c:\windows\system32\izizozus.ini
c:\windows\system32\jbqtcwne.ini
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lwusakwp.ini
c:\windows\system32\mcgxrnsa.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mugetnmo.ini
c:\windows\system32\mysidesearch_sidebar.dll
c:\windows\system32\mysidesearch_sidebar_uninstall.exe
c:\windows\system32\ogelapiw.ini
c:\windows\system32\ogulezif.ini
c:\windows\system32\oleyalol.ini
c:\windows\system32\onnwvxdu.ini
c:\windows\system32\opiriwoy.ini
c:\windows\system32\opolatin.ini
c:\windows\system32\qdlanodl.ini
c:\windows\system32\rwedggvd.ini
c:\windows\system32\sdra64.exe
c:\windows\system32\uacinit.dll
c:\windows\system32\uhnpmsoq.ini
c:\windows\system32\ulomohuh.ini
c:\windows\system32\womqbrmi.ini
c:\windows\system32\xwxycfhk.ini
c:\windows\system32\xwxycfhk.ini2
c:\windows\system32\yvcsmxrd.ini
c:\windows\Tasks\wwbwptab.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BOONTY_GAMES
-------\Service_Boonty Games
-------\Service_UACd.sys
-------\Legacy_BOONTY_GAMES


((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-21 00:20 . 2009-05-21 00:20 -------- d-----w c:\windows\LastGood.Tmp
2009-05-20 21:58 . 2009-05-20 21:59 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-05-20 20:45 . 2009-05-20 20:45 16883056 ----a-w c:\program files\IE8-WindowsXP-x86-ENU.exe
2009-05-20 19:36 . 2009-05-20 19:36 -------- d-----w c:\program files\JavaRa
2009-05-20 19:36 . 2009-05-20 19:36 69512 ----a-w c:\program files\JavaRa.zip
2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\documents and settings\Shimri Yancey\Application Data\SUPERAntiSpyware.com
2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-20 17:11 . 2009-05-20 17:20 -------- d-----w c:\program files\something3
2009-05-20 16:05 . 2009-05-20 16:05 -------- d-----w c:\documents and settings\Shimri Yancey\Application Data\True Sword
2009-05-20 16:01 . 2005-10-11 21:40 356352 ----a-w c:\windows\eSellerateEngine.dll
2009-05-20 16:01 . 2003-06-06 18:21 81920 ----a-w c:\windows\eSellerateControl350.dll
2009-05-20 16:01 . 2009-05-20 16:50 -------- d-----w c:\program files\True Sword 5
2009-05-20 16:01 . 2009-05-20 16:01 8667730 ----a-w c:\program files\TrueSword5.exe
2009-05-20 13:41 . 2009-05-20 19:01 -------- d--h--w C:\$AVG8.VAULT$
2009-05-20 13:36 . 2009-05-20 13:36 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-20 13:36 . 2009-05-20 13:36 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-20 13:36 . 2009-05-20 13:36 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-20 13:35 . 2009-05-21 01:11 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-20 13:35 . 2009-05-20 13:43 -------- d-----w c:\documents and settings\Shimri Yancey\Application Data\AVGTOOLBAR
2009-05-20 13:32 . 2009-05-20 13:32 65103168 ----a-w c:\program files\something1.exe
2009-05-20 00:24 . 2009-05-20 00:57 140288 ----a-w c:\program files\something.exe
2009-05-19 23:45 . 2009-05-19 23:45 2701824 ----a-w c:\program files\rmdndup.exe
2009-05-18 23:54 . 2009-05-18 23:54 60544 ----a-w c:\windows\system32\drivers\lmielwq.sys
2009-05-18 23:54 . 2009-05-18 23:54 190 ----a-w C:\4321f456.bat
2009-05-14 14:47 . 2009-05-14 14:47 -------- d-sh--w c:\documents and settings\Shimri Yancey\IECompatCache
2009-05-08 16:15 . 2009-05-08 16:15 1887408 ----a-w c:\program files\GoogleToolbarInstaller_en_signed.exe
2009-05-03 17:02 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-03 17:02 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-03 17:02 . 2009-05-03 17:02 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-03 17:02 . 2009-05-20 17:06 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-03 17:01 . 2009-05-03 17:02 2967800 ----a-w c:\program files\mbam-setup.com
2009-05-03 02:35 . 2009-05-03 02:35 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-03 02:28 . 2009-05-03 02:28 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-03 00:59 . 2009-05-03 00:59 -------- d-sh--w c:\documents and settings\Administrator\PrivacIE
2009-05-03 00:56 . 2009-05-03 00:56 -------- d-sh--w c:\documents and settings\Shimri Yancey\PrivacIE
2009-05-03 00:55 . 2009-05-03 00:55 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-05-03 00:55 . 2009-05-03 00:55 -------- d-sh--w c:\documents and settings\Shimri Yancey\IETldCache
2009-05-03 00:42 . 2009-05-20 20:47 -------- d-----w c:\windows\ie8updates
2009-05-03 00:38 . 2004-08-04 07:56 81920 ----a-w c:\windows\system32\ieencode.dll
2009-05-03 00:26 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-01 23:03 . 2009-05-02 15:43 -------- d-----w c:\windows\system32\796525

.


Re: Win 32/cryptor

Post by tdantes on 21st May 2009, 2:09 am

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 23:10 . 2002-09-13 19:53 -------- d-----w c:\program files\ICQ
2009-05-20 23:10 . 2008-11-26 02:00 -------- d-----w c:\program files\Free Offers from Freeze.com
2009-05-20 23:10 . 2009-01-23 15:10 -------- d-----w c:\program files\Advanced Registry Optimizer
2009-05-20 23:10 . 2005-03-08 00:26 -------- d-----w c:\program files\FinePixViewer
2009-05-15 13:45 . 2004-11-18 23:25 -------- d-----w c:\program files\Google
2009-05-07 00:09 . 2004-09-22 19:45 -------- d-----w c:\program files\Microsoft Digital Image 10
2009-05-03 00:05 . 2009-01-20 16:43 -------- d-----w c:\program files\Panda Security
2009-04-10 01:02 . 2009-04-10 01:02 35822080 ----a-w c:\program files\Freedom-1_8_1_9-setup-windows.exe
2009-04-09 18:28 . 2009-01-30 01:46 85661 ----a-w c:\windows\system32\6f600fde-ef4b-0a5c-e6e4-c588d70da6eb.exe
2009-03-22 18:13 . 2009-03-22 18:13 -------- d-----w c:\program files\WinPcap
2009-03-06 14:44 . 2002-09-13 18:59 283648 ----a-w c:\windows\system32\pdh.dll
2009-02-24 01:08 . 2003-03-22 18:40 257584 ----a-w c:\documents and settings\Shimri Yancey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-21 21:00 . 2009-02-21 20:59 60939848 ----a-w c:\program files\avg_free_stf_en_8_237a1428.exe
2009-02-21 20:52 . 2009-02-21 20:52 140288 ----a-w c:\program files\vcleaner.exe
2009-01-23 15:10 . 2009-01-23 15:10 2803448 ----a-w c:\program files\AROTrial_bt.exe
2009-01-23 15:06 . 2009-01-23 15:06 3166208 ----a-w c:\program files\saSetup64.exe
2008-12-22 14:50 . 2008-12-22 14:50 34031720 ----a-w c:\program files\GoogleSketchUpWEN.exe
2008-10-08 00:45 . 2008-10-08 00:45 8155992 ----a-w c:\program files\sd8_smartpdf.exe
2008-09-15 02:41 . 2008-09-15 02:40 300272 ----a-w c:\program files\MySpaceIM_Setup.exe
2008-03-06 01:30 . 2008-03-06 01:30 8317952 ----a-w c:\program files\epson11220.exe
2008-02-04 16:12 . 2008-02-04 16:12 60536 ----a-w c:\program files\delicious.exe
2008-02-04 16:11 . 2008-02-04 16:11 397312 ----a-w c:\program files\delicious.msi
2008-01-20 20:51 . 2008-01-20 20:51 2400784 ----a-w c:\program files\WLinstaller.exe
2007-09-18 00:09 . 2007-09-18 00:06 353598016 ----a-w c:\program files\SimpleStartFSEDirect.exe
2007-04-11 03:10 . 2007-04-11 02:29 306240 ----a-w c:\program files\Install_AIM.exe
2007-03-26 20:41 . 2007-03-26 20:41 722992 ----a-w c:\program files\aolsetup.exe
2007-03-26 20:41 . 2007-03-26 20:41 4424 ----a-w c:\program files\aolsetup.bin
2007-02-14 20:13 . 2007-02-14 20:08 21822168 ----a-w c:\program files\AdbeRdr80_en_US.exe
2006-10-31 08:10 . 2006-10-31 08:10 671845 ----a-w c:\program files\data1.cab
2006-10-31 08:10 . 2006-10-31 08:10 552214 ----a-w c:\program files\ISSetup.dll
2006-10-31 08:10 . 2006-10-31 08:10 546 ----a-w c:\program files\setup.iss
2006-10-31 08:10 . 2006-10-31 08:10 491 ----a-w c:\program files\setup.ini
2006-10-31 08:10 . 2006-10-31 08:10 455 ----a-w c:\program files\layout.bin
2006-10-31 08:10 . 2006-10-31 08:10 385968 ----a-w c:\program files\_Setup.dll
2006-10-31 08:10 . 2006-10-31 08:10 364218 ----a-w c:\program files\data2.cab
2006-10-31 08:10 . 2006-10-31 08:10 205926 ----a-w c:\program files\setup.inx
2006-10-31 08:10 . 2006-10-31 08:10 17991 ----a-w c:\program files\data1.hdr
2006-06-27 05:39 . 2006-06-27 05:39 12527920 ----a-w c:\program files\IE7BETA2-WindowsXP-x86-enu.exe
2006-06-24 01:20 . 2006-06-24 01:19 3044468 ----a-w c:\program files\cpg272.exe
2005-11-28 03:06 . 2005-11-28 03:06 15666960 ----a-w c:\program files\avg71free_362a652.exe
2005-11-20 19:16 . 2005-11-20 19:16 78597807 ----a-w c:\program files\OOo_2.0.0_Win32Intel_install.exe
2005-11-09 04:16 . 2005-03-23 22:35 29232536 ----a-w c:\program files\pcs4.exe
2005-10-09 22:51 . 2005-05-20 22:53 1695 ----a-w c:\program files\TBass4.INI
2005-09-16 16:24 . 2004-09-25 03:07 2855080 ----a-w c:\program files\aawsepersonal.exe
2005-08-10 04:08 . 2005-05-23 23:43 0 ----a-w c:\program files\filenames.txt
2005-06-07 03:59 . 2005-06-07 03:59 7363784 ----a-w c:\program files\INSTALL_MSN_MESSENGER_DL.EXE
2005-05-21 16:29 . 2005-05-21 16:26 75029 ----a-w c:\program files\DeIsL1.isu
2005-05-08 00:46 . 2005-05-07 23:01 33388 ----a-w c:\program files\FxSobr.log
2005-05-07 22:53 . 2005-05-07 22:53 198784 ----a-w c:\program files\FxSobr.exe
2005-02-22 01:54 . 2005-02-22 01:54 3742383 ----a-w c:\program files\CoffeeFreeFTPInstaller.exe
2005-02-22 01:42 . 2005-02-22 01:42 3797175 ----a-w c:\program files\CoffeeFTP62.exe
2005-01-09 21:06 . 2005-01-09 21:05 6342279 ----a-w c:\program files\fcp45setup.exe
2004-02-20 07:44 . 2004-02-20 07:44 5545537 ----a-w c:\program files\win2k_xp140.exe
2004-01-18 21:04 . 2004-01-18 21:04 1881144 ----a-w c:\program files\GrouperSetup.exe
2004-01-02 17:41 . 2004-01-02 17:41 893712 ----a-w c:\program files\proxyconn.exe
2001-04-10 21:30 . 2004-10-10 20:17 1949 ----a-w c:\program files\Alien Skinformation.html
2001-04-02 23:31 . 2004-10-10 20:17 550602 ----a-w c:\program files\EyeCand3.8bf
2001-04-02 23:22 . 2004-10-10 20:17 409600 ----a-w c:\program files\EC3-ENG.8BF
2000-09-26 19:45 . 2000-09-26 19:45 7356 ----a-w c:\program files\readmePatch1004.txt
2000-08-23 16:02 . 2000-08-23 16:02 702 ----a-w c:\program files\Update1.tbv
1999-06-25 17:56 . 2004-10-10 20:17 127184 ----a-w c:\program files\UNWISE.EXE
2007-06-02 20:18 . 2006-06-28 16:53 61038 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-06-02 20:18 . 2006-06-28 16:53 49256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-06-02 20:18 . 2006-06-28 16:53 166000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2009-02-12 07:06 . 2009-02-12 07:06 5465 --sh--w c:\windows\system32\huvewahi.dll
2009-02-11 19:06 . 2009-02-11 19:06 5465 --sh--w c:\windows\system32\nutedede.dll
.

tdantes
Novice
Posts : 17
Joined : 2009-05-20
OS : xp
Points : 27619
Likes : 0

Re: Win 32/cryptor

Post by tdantes on 21st May 2009, 2:10 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-06 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-06-09 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-20 1947928]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-20 13:36 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^$McRebootA5E6DEAA56$.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
backup=c:\windows\pss\$McRebootA5E6DEAA56$.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adware Filter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adware Filter.lnk
backup=c:\windows\pss\Adware Filter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AdwareFilter Background Protection.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AdwareFilter Background Protection.lnk
backup=c:\windows\pss\AdwareFilter Background Protection.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Creating Keepsakes Scrapbook Designer Event Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Creating Keepsakes Scrapbook Designer Event Reminder.lnk
backup=c:\windows\pss\Creating Keepsakes Scrapbook Designer Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Free WebSite Tools.lnk
backup=c:\windows\pss\Free WebSite Tools.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Shimri Yancey^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Shimri Yancey\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Shimri Yancey^Start Menu^Programs^Startup^OpenOffice.org 1.9.79.lnk]
path=c:\documents and settings\Shimri Yancey\Start Menu\Programs\Startup\OpenOffice.org 1.9.79.lnk
backup=c:\windows\pss\OpenOffice.org 1.9.79.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Shimri Yancey^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Shimri Yancey\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Shimri Yancey^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Shimri Yancey\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Shimri Yancey^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=c:\documents and settings\Shimri Yancey\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
"McciCMService"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"GoogleDesktopManager-061008-081103"=3 (0x3)
"Boonty Games"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"aspnet_state"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\wjview.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\CoffeeCup Software\\CoffeeCup Free FTP\\FreeFTP.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Virtual Mechanics\\SiteSpinner V2.7\\bin\\SiteSpinnerV2.exe"=
"c:\\Program Files\\Avanquest\\Web Easy Professional 7\\WebEasy.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1999:UDP"= 1999:UDP:Windows Media Format SDK (firefox.exe)
"1998:UDP"= 1998:UDP:Windows Media Format SDK (firefox.exe)

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/20/2009 6:36 AM 108552]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/20/2009 6:36 AM 325896]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/20/2009 6:35 AM 908568]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/20/2009 6:35 AM 298776]
S2 dphkbhyxrlue;dphkbhyxrlue;c:\windows\system32\drivers\lmielwq.sys [5/18/2009 4:54 PM 60544]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/15/2007 1:30 PM 34064]
S2 PPSCAN;PPSCAN;c:\windows\system32\drivers\ppscan.sys [3/19/2003 12:55 PM 91520]
.


Re: Win 32/cryptor

Post by tdantes on 21st May 2009, 2:10 am

Contents of the 'Scheduled Tasks' folder

2009-05-21 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 19:20]

2009-05-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-06 18:25]

2009-05-21 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SmartDraw 2009\Messages\SDNotify.exe [2008-10-07 14:29]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.r4.attbi.com;localhost
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {6AE4CC6E-999C-11D4-A3F0-009027427750} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Shimri Yancey\Application Data\Mozilla\Firefox\Profiles\24ykkije.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\documents and settings\Shimri Yancey\Application Data\Mozilla\Firefox\Profiles\24ykkije.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar.dll
FF - component: c:\documents and settings\Shimri Yancey\Application Data\Mozilla\Firefox\Profiles\24ykkije.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\metrics.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - user.js: keyword.enabled - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-20 18:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(440)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-05-21 19:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-21 02:02

Pre-Run: 23,429,177,344 bytes free
Post-Run: 23,413,506,048 bytes free

382 --- E O F --- 2009-05-20 17:17


Re: Win 32/cryptor

Post by Belahzur on 21st May 2009, 8:30 am

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
dphkbhyxrlue

File::
c:\documents and settings\Shimri Yancey\Application Data\Mozilla\Firefox\Profiles\24ykkije.default\user.js
c:\windows\system32\drivers\lmielwq.sys
C:\4321f456.bat
c:\program files\something1.exe
c:\program files\something.exe
c:\program files\rmdndup.exe

Folder::
c:\windows\system32\796525
c:\Program Files\LimeWire

Firefox::
FF - ProfilePath - c:\documents and settings\Shimri Yancey\Application Data\Mozilla\Firefox\Profiles\24ykkije.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
Likes : 1
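The indicators Belahzur acted on are all visible in the ComboFix log posted earlier in the thread: a service whose display name is nothing but its own random-looking name (dphkbhyxrlue, backed by an unrelated driver file lmielwq.sys), system+hidden DLLs sitting in system32, and the XP firewall turned off. The script below is an added example, not code from the thread or from ComboFix: it parses those ComboFix line shapes, flags each indicator, and renders the flagged items in the Driver:: and File:: layout of the CFScript shown in the reply above. The sample log is a constructed excerpt of the posted log; the function names, the consonant-run threshold and the rule "service name equals display name" are this example's own heuristics, chosen to separate dphkbhyxrlue from the legitimate AVG, npf and PPSCAN entries in that log and not a general-purpose detector.

```python
import re

# Constructed sample: lines copied from the ComboFix log posted in this thread,
# trimmed to the few that exercise each check below.
SAMPLE_LOG = r"""
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/20/2009 6:36 AM 108552]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/20/2009 6:35 AM 298776]
S2 dphkbhyxrlue;dphkbhyxrlue;c:\windows\system32\drivers\lmielwq.sys [5/18/2009 4:54 PM 60544]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/15/2007 1:30 PM 34064]
S2 PPSCAN;PPSCAN;c:\windows\system32\drivers\ppscan.sys [3/19/2003 12:55 PM 91520]
2009-03-06 14:44 . 2002-09-13 18:59 283648 ----a-w c:\windows\system32\pdh.dll
2009-02-12 07:06 . 2009-02-12 07:06 5465 --sh--w c:\windows\system32\huvewahi.dll
2009-02-11 19:06 . 2009-02-11 19:06 5465 --sh--w c:\windows\system32\nutedede.dll
2009-05-14 14:47 . 2009-05-14 14:47 -------- d-sh--w c:\documents and settings\Shimri Yancey\IECompatCache
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# ComboFix line shapes seen in the thread: "R1 name;display;path [date size]",
# "mtime . ctime size attrs path", "[registry key]" and '"value"= data'.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[")
FILE_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ (\S+) ([-a-z]{7}) (.+)$")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+)$')
VOWELS = set("aeiou")
SYSTEM32 = r"c:\windows\system32"


def longest_consonant_run(name):
    """Length of the longest run of consonant letters; digits and punctuation
    break the run. A cheap 'random-looking name' heuristic (assumption)."""
    best = run = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def triage(log_text):
    """Return (kind, detail, extra) findings for the three indicators the thread
    shows: a service whose display name is just its own random-looking name,
    a system+hidden file in system32, and the XP firewall switched off."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            _start, name, display, path = m.groups()
            if name.lower() == display.lower() and longest_consonant_run(name) >= 5:
                findings.append(("service", name, path))
            continue
        m = FILE_RE.match(line)
        if m:
            size, attrs, path = m.groups()
            # attrs as ComboFix prints them ("d-sh--w", "--sh--w", "----a-w"):
            # index 0 = directory, 2 = system, 3 = hidden, 4 = archive.
            is_dir = attrs[0] == "d"
            sys_hidden = attrs[2] == "s" and attrs[3] == "h"
            if not is_dir and sys_hidden and path.lower().startswith(SYSTEM32):
                findings.append(("hidden_file", path, size))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and current_key.endswith(r"firewallpolicy\standardprofile"):
            name, data = m.groups()
            if name == "EnableFirewall" and data.startswith("0"):
                findings.append(("firewall_off", current_key, data))
    return findings


def build_cfscript(findings):
    """Render Driver:: and File:: sections in the CFScript layout used in the
    thread. The output is a draft for a human to review, not something to run
    unreviewed: the firewall finding is reported but needs a manual fix."""
    drivers = [name for kind, name, _ in findings if kind == "service"]
    files = [path for kind, _, path in findings if kind == "service"]
    files += [path for kind, path, _ in findings if kind == "hidden_file"]
    parts = ["KILLALL::", ""]
    if drivers:
        parts += ["Driver::", *drivers, ""]
    if files:
        parts += ["File::", *files, ""]
    return "\n".join(parts)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for kind, detail, extra in found:
        print(f"{kind:12} {detail}  ({extra})")
    print(build_cfscript(found))
```

Run against the sample, the only service flagged is dphkbhyxrlue (AvgTdiX, avg8wd and npf have real display names; PPSCAN repeats its name but has no long consonant run), the two 5465-byte --sh--w DLLs are flagged while pdh.dll and the hidden IECompatCache directory are not, and EnableFirewall=0 is reported. The generated Driver:: and File:: entries match what Belahzur listed for the rogue service; the hidden DLLs are additional candidates that a reviewer would still have to confirm before adding them to a script.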

Re: Win 32/cryptor

Post by tdantes on 21st May 2009, 1:40 pm

here is the log...

ComboFix 09-05-20.A1 - Shimri Yancey 05/21/2009 6:18.3 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.325 [GMT -7:00]
Running from: c:\documents and settings\Shimri Yancey\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Shimri Yancey\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
C:\4321f456.bat
c:\documents and settings\Shimri Yancey\Application Data\Mozilla\Firefox\Profiles\24ykkije.default\user.js
c:\program files\rmdndup.exe
c:\program files\something.exe
c:\program files\something1.exe
c:\windows\system32\drivers\lmielwq.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\4321f456.bat
c:\documents and settings\Shimri Yancey\Application Data\Mozilla\Firefox\Profiles\24ykkije.default\user.js
c:\program files\LimeWire
c:\program files\LimeWire\.NetworkShare\LimeWirePackedJars4.12.6.7z
c:\program files\LimeWire\.NetworkShare\LimeWireWin4.12.6.exe
c:\program files\LimeWire\clink.jar
c:\program files\LimeWire\commons-httpclient.jar
c:\program files\LimeWire\commons-logging.jar
c:\program files\LimeWire\commons-net.jar
c:\program files\LimeWire\COPYING
c:\program files\LimeWire\daap.jar
c:\program files\LimeWire\data.ser
c:\program files\LimeWire\donotremove.htm
c:\program files\LimeWire\GenericWindowsUtils.dll
c:\program files\LimeWire\hashes
c:\program files\LimeWire\i18n.jar
c:\program files\LimeWire\icu4j.jar
c:\program files\LimeWire\id3v2.jar
c:\program files\LimeWire\install.log
c:\program files\LimeWire\jcraft.jar
c:\program files\LimeWire\jl011.jar
c:\program files\LimeWire\jmdns.jar
c:\program files\LimeWire\language.prop
c:\program files\LimeWire\LimeWire On Startup.lnk
c:\program files\LimeWire\LimeWire.exe
c:\program files\LimeWire\LimeWire.ico
c:\program files\LimeWire\LimeWire.jar
c:\program files\LimeWire\LimeWire20.dll
c:\program files\LimeWire\log4j.jar
c:\program files\LimeWire\log4j.properties
c:\program files\LimeWire\looks.jar
c:\program files\LimeWire\MessagesBundle.properties
c:\program files\LimeWire\MessagesBundles.jar
c:\program files\LimeWire\mp3sp14.jar
c:\program files\LimeWire\pmf.ico
c:\program files\LimeWire\ProgressTabs.jar
c:\program files\LimeWire\root\magnet10\badge.img
c:\program files\LimeWire\root\magnet10\canHandle.img
c:\program files\LimeWire\root\magnet10\limewire.gif
c:\program files\LimeWire\root\magnet10\options.js
c:\program files\LimeWire\root\magnet10\silentdetect.js
c:\program files\LimeWire\SOURCE
c:\program files\LimeWire\spacer.gif
c:\program files\LimeWire\themes.jar
c:\program files\LimeWire\tritonus.jar
c:\program files\LimeWire\uninstall.exe
c:\program files\LimeWire\unpack.log
c:\program files\LimeWire\update.ver
c:\program files\LimeWire\vorbis.jar
c:\program files\LimeWire\WindowsFirewall.dll
c:\program files\LimeWire\WindowsV5PlusUtils.dll
c:\program files\LimeWire\xerces.jar
c:\program files\LimeWire\xml-apis.jar
c:\program files\LimeWire\xml.war
c:\program files\rmdndup.exe
c:\program files\something.exe
c:\program files\something1.exe


Re: Win 32/cryptor

Post by tdantes on 21st May 2009, 1:41 pm

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BOONTY_GAMES
-------\Legacy_DPHKBHYXRLUE
-------\Service_dphkbhyxrlue


((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-21 02:55 . 2009-05-21 02:55 -------- d-----w c:\documents and settings\Shimri Yancey\Application Data\Malwarebytes
2009-05-20 21:58 . 2009-05-20 21:59 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-05-20 20:45 . 2009-05-20 20:45 16883056 ----a-w c:\program files\IE8-WindowsXP-x86-ENU.exe
2009-05-20 19:36 . 2009-05-20 19:36 -------- d-----w c:\program files\JavaRa
2009-05-20 19:36 . 2009-05-20 19:36 69512 ----a-w c:\program files\JavaRa.zip
2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\documents and settings\Shimri Yancey\Application Data\SUPERAntiSpyware.com
2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-20 17:11 . 2009-05-21 03:03 -------- d-----w c:\program files\something3
2009-05-20 16:05 . 2009-05-20 16:05 -------- d-----w c:\documents and settings\Shimri Yancey\Application Data\True Sword
2009-05-20 16:01 . 2005-10-11 21:40 356352 ----a-w c:\windows\eSellerateEngine.dll
2009-05-20 16:01 . 2003-06-06 18:21 81920 ----a-w c:\windows\eSellerateControl350.dll
2009-05-20 16:01 . 2009-05-20 16:50 -------- d-----w c:\program files\True Sword 5
2009-05-20 16:01 . 2009-05-20 16:01 8667730 ----a-w c:\program files\TrueSword5.exe
2009-05-20 13:41 . 2009-05-21 05:09 -------- d--h--w C:\$AVG8.VAULT$
2009-05-20 13:36 . 2009-05-20 13:36 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-20 13:36 . 2009-05-20 13:36 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-20 13:36 . 2009-05-20 13:36 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-20 13:35 . 2009-05-21 01:11 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-20 13:35 . 2009-05-20 13:43 -------- d-----w c:\documents and settings\Shimri Yancey\Application Data\AVGTOOLBAR
2009-05-14 14:47 . 2009-05-14 14:47 -------- d-sh--w c:\documents and settings\Shimri Yancey\IECompatCache
2009-05-08 16:15 . 2009-05-08 16:15 1887408 ----a-w c:\program files\GoogleToolbarInstaller_en_signed.exe
2009-05-03 17:02 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-03 17:02 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-03 17:02 . 2009-05-03 17:02 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-03 17:02 . 2009-05-20 17:06 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-03 17:01 . 2009-05-03 17:02 2967800 ----a-w c:\program files\mbam-setup.com
2009-05-03 02:35 . 2009-05-03 02:35 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-03 02:28 . 2009-05-03 02:28 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-03 00:59 . 2009-05-03 00:59 -------- d-sh--w c:\documents and settings\Administrator\PrivacIE
2009-05-03 00:56 . 2009-05-03 00:56 -------- d-sh--w c:\documents and settings\Shimri Yancey\PrivacIE
2009-05-03 00:55 . 2009-05-03 00:55 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-05-03 00:55 . 2009-05-03 00:55 -------- d-sh--w c:\documents and settings\Shimri Yancey\IETldCache
2009-05-03 00:42 . 2009-05-20 20:47 -------- d-----w c:\windows\ie8updates
2009-05-03 00:38 . 2004-08-04 07:56 81920 ----a-w c:\windows\system32\ieencode.dll
2009-05-03 00:26 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 23:10 . 2002-09-13 19:53 -------- d-----w c:\program files\ICQ
2009-05-20 23:10 . 2008-11-26 02:00 -------- d-----w c:\program files\Free Offers from Freeze.com
2009-05-20 23:10 . 2009-01-23 15:10 -------- d-----w c:\program files\Advanced Registry Optimizer
2009-05-20 23:10 . 2005-03-08 00:26 -------- d-----w c:\program files\FinePixViewer
2009-05-15 13:45 . 2004-11-18 23:25 -------- d-----w c:\program files\Google
2009-05-07 00:09 . 2004-09-22 19:45 -------- d-----w c:\program files\Microsoft Digital Image 10
2009-05-03 00:05 . 2009-01-20 16:43 -------- d-----w c:\program files\Panda Security
2009-04-10 01:02 . 2009-04-10 01:02 35822080 ----a-w c:\program files\Freedom-1_8_1_9-setup-windows.exe
2009-03-22 18:13 . 2009-03-22 18:13 -------- d-----w c:\program files\WinPcap
2009-03-06 14:44 . 2002-09-13 18:59 283648 ----a-w c:\windows\system32\pdh.dll
2009-02-24 01:08 . 2003-03-22 18:40 257584 ----a-w c:\documents and settings\Shimri Yancey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-21 21:00 . 2009-02-21 20:59 60939848 ----a-w c:\program files\avg_free_stf_en_8_237a1428.exe
2009-02-21 20:52 . 2009-02-21 20:52 140288 ----a-w c:\program files\vcleaner.exe
2009-01-23 15:10 . 2009-01-23 15:10 2803448 ----a-w c:\program files\AROTrial_bt.exe
2009-01-23 15:06 . 2009-01-23 15:06 3166208 ----a-w c:\program files\saSetup64.exe
2008-12-22 14:50 . 2008-12-22 14:50 34031720 ----a-w c:\program files\GoogleSketchUpWEN.exe
2008-10-08 00:45 . 2008-10-08 00:45 8155992 ----a-w c:\program files\sd8_smartpdf.exe
2008-09-15 02:41 . 2008-09-15 02:40 300272 ----a-w c:\program files\MySpaceIM_Setup.exe
2008-03-06 01:30 . 2008-03-06 01:30 8317952 ----a-w c:\program files\epson11220.exe
2008-02-04 16:12 . 2008-02-04 16:12 60536 ----a-w c:\program files\delicious.exe
2008-02-04 16:11 . 2008-02-04 16:11 397312 ----a-w c:\program files\delicious.msi
2008-01-20 20:51 . 2008-01-20 20:51 2400784 ----a-w c:\program files\WLinstaller.exe
2007-09-18 00:09 . 2007-09-18 00:06 353598016 ----a-w c:\program files\SimpleStartFSEDirect.exe
2007-04-11 03:10 . 2007-04-11 02:29 306240 ----a-w c:\program files\Install_AIM.exe
2007-03-26 20:41 . 2007-03-26 20:41 722992 ----a-w c:\program files\aolsetup.exe
2007-03-26 20:41 . 2007-03-26 20:41 4424 ----a-w c:\program files\aolsetup.bin
2007-02-14 20:13 . 2007-02-14 20:08 21822168 ----a-w c:\program files\AdbeRdr80_en_US.exe
2006-10-31 08:10 . 2006-10-31 08:10 671845 ----a-w c:\program files\data1.cab
2006-10-31 08:10 . 2006-10-31 08:10 552214 ----a-w c:\program files\ISSetup.dll
2006-10-31 08:10 . 2006-10-31 08:10 546 ----a-w c:\program files\setup.iss
2006-10-31 08:10 . 2006-10-31 08:10 491 ----a-w c:\program files\setup.ini
2006-10-31 08:10 . 2006-10-31 08:10 455 ----a-w c:\program files\layout.bin
2006-10-31 08:10 . 2006-10-31 08:10 385968 ----a-w c:\program files\_Setup.dll
2006-10-31 08:10 . 2006-10-31 08:10 364218 ----a-w c:\program files\data2.cab
2006-10-31 08:10 . 2006-10-31 08:10 205926 ----a-w c:\program files\setup.inx
2006-10-31 08:10 . 2006-10-31 08:10 17991 ----a-w c:\program files\data1.hdr
2006-06-27 05:39 . 2006-06-27 05:39 12527920 ----a-w c:\program files\IE7BETA2-WindowsXP-x86-enu.exe
2006-06-24 01:20 . 2006-06-24 01:19 3044468 ----a-w c:\program files\cpg272.exe
2005-11-28 03:06 . 2005-11-28 03:06 15666960 ----a-w c:\program files\avg71free_362a652.exe
2005-11-20 19:16 . 2005-11-20 19:16 78597807 ----a-w c:\program files\OOo_2.0.0_Win32Intel_install.exe
2005-11-09 04:16 . 2005-03-23 22:35 29232536 ----a-w c:\program files\pcs4.exe
2005-10-09 22:51 . 2005-05-20 22:53 1695 ----a-w c:\program files\TBass4.INI
2005-09-16 16:24 . 2004-09-25 03:07 2855080 ----a-w c:\program files\aawsepersonal.exe
2005-08-10 04:08 . 2005-05-23 23:43 0 ----a-w c:\program files\filenames.txt
2005-06-07 03:59 . 2005-06-07 03:59 7363784 ----a-w c:\program files\INSTALL_MSN_MESSENGER_DL.EXE
2005-05-21 16:29 . 2005-05-21 16:26 75029 ----a-w c:\program files\DeIsL1.isu
2005-05-08 00:46 . 2005-05-07 23:01 33388 ----a-w c:\program files\FxSobr.log
2005-05-07 22:53 . 2005-05-07 22:53 198784 ----a-w c:\program files\FxSobr.exe
2005-02-22 01:54 . 2005-02-22 01:54 3742383 ----a-w c:\program files\CoffeeFreeFTPInstaller.exe
2005-02-22 01:42 . 2005-02-22 01:42 3797175 ----a-w c:\program files\CoffeeFTP62.exe
2005-01-09 21:06 . 2005-01-09 21:05 6342279 ----a-w c:\program files\fcp45setup.exe
2004-02-20 07:44 . 2004-02-20 07:44 5545537 ----a-w c:\program files\win2k_xp140.exe
2004-01-18 21:04 . 2004-01-18 21:04 1881144 ----a-w c:\program files\GrouperSetup.exe
2004-01-02 17:41 . 2004-01-02 17:41 893712 ----a-w c:\program files\proxyconn.exe
2001-04-10 21:30 . 2004-10-10 20:17 1949 ----a-w c:\program files\Alien Skinformation.html
2001-04-02 23:31 . 2004-10-10 20:17 550602 ----a-w c:\program files\EyeCand3.8bf
2001-04-02 23:22 . 2004-10-10 20:17 409600 ----a-w c:\program files\EC3-ENG.8BF
2000-09-26 19:45 . 2000-09-26 19:45 7356 ----a-w c:\program files\readmePatch1004.txt
2000-08-23 16:02 . 2000-08-23 16:02 702 ----a-w c:\program files\Update1.tbv
1999-06-25 17:56 . 2004-10-10 20:17 127184 ----a-w c:\program files\UNWISE.EXE
2007-06-02 20:18 . 2006-06-28 16:53 61038 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-06-02 20:18 . 2006-06-28 16:53 49256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-06-02 20:18 . 2006-06-28 16:53 166000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2009-02-12 07:06 . 2009-02-12 07:06 5465 --sh--w c:\windows\system32\huvewahi.dll
2009-02-11 19:06 . 2009-02-11 19:06 5465 --sh--w c:\windows\system32\nutedede.dll
.

tdantes
Novice
Posts : 17
Joined : 2009-05-20
OS : xp
Points : 27619
# Likes : 0

Re: Win 32/cryptor

Post by tdantes on 21st May 2009, 1:41 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-06 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-06-09 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-20 1947928]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-20 13:36 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^$McRebootA5E6DEAA56$.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
backup=c:\windows\pss\$McRebootA5E6DEAA56$.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adware Filter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adware Filter.lnk
backup=c:\windows\pss\Adware Filter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AdwareFilter Background Protection.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AdwareFilter Background Protection.lnk
backup=c:\windows\pss\AdwareFilter Background Protection.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Creating Keepsakes Scrapbook Designer Event Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Creating Keepsakes Scrapbook Designer Event Reminder.lnk
backup=c:\windows\pss\Creating Keepsakes Scrapbook Designer Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Free WebSite Tools.lnk
backup=c:\windows\pss\Free WebSite Tools.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Shimri Yancey^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Shimri Yancey\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Shimri Yancey^Start Menu^Programs^Startup^OpenOffice.org 1.9.79.lnk]
path=c:\documents and settings\Shimri Yancey\Start Menu\Programs\Startup\OpenOffice.org 1.9.79.lnk
backup=c:\windows\pss\OpenOffice.org 1.9.79.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Shimri Yancey^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Shimri Yancey\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Shimri Yancey^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Shimri Yancey\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Shimri Yancey^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=c:\documents and settings\Shimri Yancey\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
"McciCMService"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"GoogleDesktopManager-061008-081103"=3 (0x3)
"Boonty Games"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"aspnet_state"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\wjview.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\CoffeeCup Software\\CoffeeCup Free FTP\\FreeFTP.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Virtual Mechanics\\SiteSpinner V2.7\\bin\\SiteSpinnerV2.exe"=
"c:\\Program Files\\Avanquest\\Web Easy Professional 7\\WebEasy.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1999:UDP"= 1999:UDP:Windows Media Format SDK (firefox.exe)
"1998:UDP"= 1998:UDP:Windows Media Format SDK (firefox.exe)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/20/2009 6:36 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/20/2009 6:36 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/20/2009 6:35 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/20/2009 6:35 AM 298776]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/15/2007 1:30 PM 34064]
S2 PPSCAN;PPSCAN;c:\windows\system32\drivers\ppscan.sys [3/19/2003 12:55 PM 91520]
.
Contents of the 'Scheduled Tasks' folder

2009-05-21 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 19:20]

2009-05-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-06 18:25]

2009-05-21 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SmartDraw 2009\Messages\SDNotify.exe [2008-10-07 14:29]
.
.


Re: Win 32/cryptor

Post by tdantes on 21st May 2009, 1:42 pm

------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.r4.attbi.com;localhost
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {6AE4CC6E-999C-11D4-A3F0-009027427750} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Shimri Yancey\Application Data\Mozilla\Firefox\Profiles\24ykkije.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-21 06:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(488)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(620)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-21 6:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-21 13:39
ComboFix2.txt 2009-05-21 02:03

Pre-Run: 23,411,867,648 bytes free
Post-Run: 23,163,326,464 bytes free

371 --- E O F --- 2009-05-21 13:34


Re: Win 32/cryptor

Post by tdantes on 21st May 2009, 1:43 pm

I will say this much, I didn't catch the safe mode when ComboFix rebooted me and guess what... the computer hasn't shut down on me yet!


Re: Win 32/cryptor

Post by Belahzur on 21st May 2009, 3:39 pm

Hello.
The rebooting problem was caused by the malware; I've played with this myself, I know what it does.

One last script to pick up some leftovers I missed.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\system32\huvewahi.dll
c:\windows\system32\nutedede.dll
c:\documents and settings\Shimri Yancey\Start Menu\Programs\Startup\LimeWire On Startup.lnk

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Shimri Yancey^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34918
Joined : 2008-08-03
Gender : Male
OS : 7 Home Premium x64
Points : 245101
# Likes : 1
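
As an added example (not code from the thread, the poster, or ComboFix), here is a Python parser for the file-listing lines in the logs above that flags files sitting directly in system32 with both the hidden and system attributes, the pattern shown by the two DLLs the CFScript removes, and lays them out in the File:: form used in the post. The attribute layout is an assumption inferred from the values in the logs; the sample lines are copied from the logs in this thread.

```python
"""Flag hidden+system files in system32 from ComboFix file-listing lines.

Added example for this thread; it is not code from the forum, the poster,
or ComboFix. The line layout is read off the logs in the thread:
"<created> . <modified> <size-or-dashes> <attrs> <path>".
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed attribute layout, inferred from the values seen in the logs
# (d-----w, ----a-w, --sh--w, d-sh--w, d--h--w, -c----w):
# d = directory, s = system, h = hidden, a = archive, c = compressed, w = writable.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\S+) (?P<attrs>[a-z-]{7}) (?P<path>.+)$"
)

# Sample lines copied from the logs in this thread: the two DLLs removed by
# the CFScript, an AVG file, a driver in a sub-directory, and a hidden+system
# directory (the last two must not be flagged).
SAMPLE_LOG = r"""
2009-02-12 07:06 . 2009-02-12 07:06 5465 --sh--w c:\windows\system32\huvewahi.dll
2009-02-11 19:06 . 2009-02-11 19:06 5465 --sh--w c:\windows\system32\nutedede.dll
2009-05-20 13:36 . 2009-05-20 13:36 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-03 17:02 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-03 00:55 . 2009-05-03 00:55 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
"""


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]  # None when ComboFix prints dashes (directories)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a file-listing line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size = m["size"]
    return Entry(m["created"], m["modified"],
                 int(size) if size.isdigit() else None, m["attrs"], m["path"])


def parse_log(text: str) -> List[Entry]:
    """Parse every recognisable file-listing line; headers and blanks are skipped."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def suspicious(entries: List[Entry],
               system_dir: str = r"c:\windows\system32") -> List[Entry]:
    """Files (not directories) directly in system_dir with BOTH the hidden and
    system attributes set. Legitimate files can carry these bits too, so the
    result is a review list for the helper, not a verdict."""
    prefix = system_dir.lower() + "\\"
    out = []
    for e in entries:
        low = e.path.lower()
        if e.is_dir or not low.startswith(prefix):
            continue
        if "\\" in low[len(prefix):]:  # skip files in sub-directories
            continue
        if e.hidden and e.system:
            out.append(e)
    return out


def cfscript_file_section(entries: List[Entry]) -> str:
    """Lay the flagged paths out in the File:: form used by the CFScript in the post."""
    return "File::\n" + "".join(e.path + "\n" for e in entries)


if __name__ == "__main__":
    flagged = suspicious(parse_log(SAMPLE_LOG))
    for e in flagged:
        print(f"{e.attrs} {e.size} {e.created}  {e.path}")
    print(cfscript_file_section(flagged))
```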

Re: Win 32/cryptor

Post by tdantes on 21st May 2009, 4:26 pm

ComboFix 09-05-20.A1 - Shimri Yancey 05/21/2009 9:07.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.203 [GMT -7:00]
Running from: c:\documents and settings\Shimri Yancey\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Shimri Yancey\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
c:\documents and settings\Shimri Yancey\Start Menu\Programs\Startup\LimeWire On Startup.lnk
c:\windows\system32\huvewahi.dll
c:\windows\system32\nutedede.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\huvewahi.dll
c:\windows\system32\nutedede.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BOONTY_GAMES


((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-21 02:55 . 2009-05-21 02:55 -------- d-----w c:\documents and settings\Shimri Yancey\Application Data\Malwarebytes
2009-05-20 21:58 . 2009-05-20 21:59 -------- d-----w C:\32788R22FWJFW.0.tmp
2009-05-20 20:45 . 2009-05-20 20:45 16883056 ----a-w c:\program files\IE8-WindowsXP-x86-ENU.exe
2009-05-20 19:36 . 2009-05-20 19:36 -------- d-----w c:\program files\JavaRa
2009-05-20 19:36 . 2009-05-20 19:36 69512 ----a-w c:\program files\JavaRa.zip
2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\program files\SUPERAntiSpyware
2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\documents and settings\Shimri Yancey\Application Data\SUPERAntiSpyware.com
2009-05-20 17:39 . 2009-05-20 17:39 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-05-20 17:11 . 2009-05-21 03:03 -------- d-----w c:\program files\something3
2009-05-20 16:05 . 2009-05-20 16:05 -------- d-----w c:\documents and settings\Shimri Yancey\Application Data\True Sword
2009-05-20 16:01 . 2005-10-11 21:40 356352 ----a-w c:\windows\eSellerateEngine.dll
2009-05-20 16:01 . 2003-06-06 18:21 81920 ----a-w c:\windows\eSellerateControl350.dll
2009-05-20 16:01 . 2009-05-20 16:50 -------- d-----w c:\program files\True Sword 5
2009-05-20 16:01 . 2009-05-20 16:01 8667730 ----a-w c:\program files\TrueSword5.exe
2009-05-20 13:41 . 2009-05-21 05:09 -------- d--h--w C:\$AVG8.VAULT$
2009-05-20 13:36 . 2009-05-20 13:36 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-20 13:36 . 2009-05-20 13:36 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-20 13:36 . 2009-05-20 13:36 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-20 13:35 . 2009-05-21 01:11 -------- d-----w c:\windows\system32\drivers\Avg
2009-05-20 13:35 . 2009-05-20 13:43 -------- d-----w c:\documents and settings\Shimri Yancey\Application Data\AVGTOOLBAR
2009-05-14 14:47 . 2009-05-14 14:47 -------- d-sh--w c:\documents and settings\Shimri Yancey\IECompatCache
2009-05-08 16:15 . 2009-05-08 16:15 1887408 ----a-w c:\program files\GoogleToolbarInstaller_en_signed.exe
2009-05-03 17:02 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-03 17:02 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-03 17:02 . 2009-05-03 17:02 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-03 17:02 . 2009-05-20 17:06 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-03 17:01 . 2009-05-03 17:02 2967800 ----a-w c:\program files\mbam-setup.com
2009-05-03 02:35 . 2009-05-03 02:35 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-03 02:28 . 2009-05-03 02:28 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-05-03 00:59 . 2009-05-03 00:59 -------- d-sh--w c:\documents and settings\Administrator\PrivacIE
2009-05-03 00:56 . 2009-05-03 00:56 -------- d-sh--w c:\documents and settings\Shimri Yancey\PrivacIE
2009-05-03 00:55 . 2009-05-03 00:55 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-05-03 00:55 . 2009-05-03 00:55 -------- d-sh--w c:\documents and settings\Shimri Yancey\IETldCache
2009-05-03 00:42 . 2009-05-20 20:47 -------- d-----w c:\windows\ie8updates
2009-05-03 00:38 . 2004-08-04 07:56 81920 ----a-w c:\windows\system32\ieencode.dll
2009-05-03 00:26 . 2009-02-28 04:55 105984 -c----w c:\windows\system32\dllcache\iecompat.dll


Re: Win 32/cryptor

Post by tdantes on 21st May 2009, 4:26 pm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 23:10 . 2002-09-13 19:53 -------- d-----w c:\program files\ICQ
2009-05-20 23:10 . 2008-11-26 02:00 -------- d-----w c:\program files\Free Offers from Freeze.com
2009-05-20 23:10 . 2009-01-23 15:10 -------- d-----w c:\program files\Advanced Registry Optimizer
2009-05-20 23:10 . 2005-03-08 00:26 -------- d-----w c:\program files\FinePixViewer
2009-05-15 13:45 . 2004-11-18 23:25 -------- d-----w c:\program files\Google
2009-05-07 00:09 . 2004-09-22 19:45 -------- d-----w c:\program files\Microsoft Digital Image 10
2009-05-03 00:05 . 2009-01-20 16:43 -------- d-----w c:\program files\Panda Security
2009-04-10 01:02 . 2009-04-10 01:02 35822080 ----a-w c:\program files\Freedom-1_8_1_9-setup-windows.exe
2009-03-22 18:13 . 2009-03-22 18:13 -------- d-----w c:\program files\WinPcap
2009-03-06 14:44 . 2002-09-13 18:59 283648 ----a-w c:\windows\system32\pdh.dll
2009-02-24 01:08 . 2003-03-22 18:40 257584 ----a-w c:\documents and settings\Shimri Yancey\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-21 21:00 . 2009-02-21 20:59 60939848 ----a-w c:\program files\avg_free_stf_en_8_237a1428.exe
2009-02-21 20:52 . 2009-02-21 20:52 140288 ----a-w c:\program files\vcleaner.exe
2009-01-23 15:10 . 2009-01-23 15:10 2803448 ----a-w c:\program files\AROTrial_bt.exe
2009-01-23 15:06 . 2009-01-23 15:06 3166208 ----a-w c:\program files\saSetup64.exe
2008-12-22 14:50 . 2008-12-22 14:50 34031720 ----a-w c:\program files\GoogleSketchUpWEN.exe
2008-10-08 00:45 . 2008-10-08 00:45 8155992 ----a-w c:\program files\sd8_smartpdf.exe
2008-09-15 02:41 . 2008-09-15 02:40 300272 ----a-w c:\program files\MySpaceIM_Setup.exe
2008-03-06 01:30 . 2008-03-06 01:30 8317952 ----a-w c:\program files\epson11220.exe
2008-02-04 16:12 . 2008-02-04 16:12 60536 ----a-w c:\program files\delicious.exe
2008-02-04 16:11 . 2008-02-04 16:11 397312 ----a-w c:\program files\delicious.msi
2008-01-20 20:51 . 2008-01-20 20:51 2400784 ----a-w c:\program files\WLinstaller.exe
2007-09-18 00:09 . 2007-09-18 00:06 353598016 ----a-w c:\program files\SimpleStartFSEDirect.exe
2007-04-11 03:10 . 2007-04-11 02:29 306240 ----a-w c:\program files\Install_AIM.exe
2007-03-26 20:41 . 2007-03-26 20:41 722992 ----a-w c:\program files\aolsetup.exe
2007-03-26 20:41 . 2007-03-26 20:41 4424 ----a-w c:\program files\aolsetup.bin
2007-02-14 20:13 . 2007-02-14 20:08 21822168 ----a-w c:\program files\AdbeRdr80_en_US.exe
2006-10-31 08:10 . 2006-10-31 08:10 671845 ----a-w c:\program files\data1.cab
2006-10-31 08:10 . 2006-10-31 08:10 552214 ----a-w c:\program files\ISSetup.dll
2006-10-31 08:10 . 2006-10-31 08:10 546 ----a-w c:\program files\setup.iss
2006-10-31 08:10 . 2006-10-31 08:10 491 ----a-w c:\program files\setup.ini
2006-10-31 08:10 . 2006-10-31 08:10 455 ----a-w c:\program files\layout.bin
2006-10-31 08:10 . 2006-10-31 08:10 385968 ----a-w c:\program files\_Setup.dll
2006-10-31 08:10 . 2006-10-31 08:10 364218 ----a-w c:\program files\data2.cab
2006-10-31 08:10 . 2006-10-31 08:10 205926 ----a-w c:\program files\setup.inx
2006-10-31 08:10 . 2006-10-31 08:10 17991 ----a-w c:\program files\data1.hdr
2006-06-27 05:39 . 2006-06-27 05:39 12527920 ----a-w c:\program files\IE7BETA2-WindowsXP-x86-enu.exe
2006-06-24 01:20 . 2006-06-24 01:19 3044468 ----a-w c:\program files\cpg272.exe
2005-11-28 03:06 . 2005-11-28 03:06 15666960 ----a-w c:\program files\avg71free_362a652.exe
2005-11-20 19:16 . 2005-11-20 19:16 78597807 ----a-w c:\program files\OOo_2.0.0_Win32Intel_install.exe
2005-11-09 04:16 . 2005-03-23 22:35 29232536 ----a-w c:\program files\pcs4.exe
2005-10-09 22:51 . 2005-05-20 22:53 1695 ----a-w c:\program files\TBass4.INI
2005-09-16 16:24 . 2004-09-25 03:07 2855080 ----a-w c:\program files\aawsepersonal.exe
2005-08-10 04:08 . 2005-05-23 23:43 0 ----a-w c:\program files\filenames.txt
2005-06-07 03:59 . 2005-06-07 03:59 7363784 ----a-w c:\program files\INSTALL_MSN_MESSENGER_DL.EXE
2005-05-21 16:29 . 2005-05-21 16:26 75029 ----a-w c:\program files\DeIsL1.isu
2005-05-08 00:46 . 2005-05-07 23:01 33388 ----a-w c:\program files\FxSobr.log
2005-05-07 22:53 . 2005-05-07 22:53 198784 ----a-w c:\program files\FxSobr.exe
2005-02-22 01:54 . 2005-02-22 01:54 3742383 ----a-w c:\program files\CoffeeFreeFTPInstaller.exe
2005-02-22 01:42 . 2005-02-22 01:42 3797175 ----a-w c:\program files\CoffeeFTP62.exe
2005-01-09 21:06 . 2005-01-09 21:05 6342279 ----a-w c:\program files\fcp45setup.exe
2004-02-20 07:44 . 2004-02-20 07:44 5545537 ----a-w c:\program files\win2k_xp140.exe
2004-01-18 21:04 . 2004-01-18 21:04 1881144 ----a-w c:\program files\GrouperSetup.exe
2004-01-02 17:41 . 2004-01-02 17:41 893712 ----a-w c:\program files\proxyconn.exe
2001-04-10 21:30 . 2004-10-10 20:17 1949 ----a-w c:\program files\Alien Skinformation.html
2001-04-02 23:31 . 2004-10-10 20:17 550602 ----a-w c:\program files\EyeCand3.8bf
2001-04-02 23:22 . 2004-10-10 20:17 409600 ----a-w c:\program files\EC3-ENG.8BF
2000-09-26 19:45 . 2000-09-26 19:45 7356 ----a-w c:\program files\readmePatch1004.txt
2000-08-23 16:02 . 2000-08-23 16:02 702 ----a-w c:\program files\Update1.tbv
1999-06-25 17:56 . 2004-10-10 20:17 127184 ----a-w c:\program files\UNWISE.EXE
2007-06-02 20:18 . 2006-06-28 16:53 61038 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-06-02 20:18 . 2006-06-28 16:53 49256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-06-02 20:18 . 2006-06-28 16:53 166000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2002-09-13 18:59 . 2007-12-18 14:40 417792 c:\windows\system32\vbscript.dll
- 2002-09-13 18:59 . 2004-08-04 07:56 417792 c:\windows\system32\vbscript.dll
- 2003-01-13 21:57 . 2006-05-18 05:24 450560 c:\windows\system32\jscript.dll
+ 2003-01-13 21:57 . 2007-12-18 14:40 450560 c:\windows\system32\jscript.dll
+ 2003-01-13 21:57 . 2007-12-18 14:40 450560 c:\windows\system32\dllcache\jscript.dll
- 2003-01-13 21:57 . 2006-05-18 05:24 450560 c:\windows\system32\dllcache\jscript.dll
.


Re: Win 32/cryptor

Post by tdantes on 21st May 2009, 4:26 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-06 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-06-09 98304]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-20 1947928]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-20 13:36 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^$McRebootA5E6DEAA56$.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\$McRebootA5E6DEAA56$.lnk
backup=c:\windows\pss\$McRebootA5E6DEAA56$.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adware Filter.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adware Filter.lnk
backup=c:\windows\pss\Adware Filter.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AdwareFilter Background Protection.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AdwareFilter Background Protection.lnk
backup=c:\windows\pss\AdwareFilter Background Protection.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Creating Keepsakes Scrapbook Designer Event Reminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Creating Keepsakes Scrapbook Designer Event Reminder.lnk
backup=c:\windows\pss\Creating Keepsakes Scrapbook Designer Event Reminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=c:\windows\pss\Exif Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Free WebSite Tools.lnk
backup=c:\windows\pss\Free WebSite Tools.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Shimri Yancey^Start Menu^Programs^Startup^OpenOffice.org 1.9.79.lnk]
path=c:\documents and settings\Shimri Yancey\Start Menu\Programs\Startup\OpenOffice.org 1.9.79.lnk
backup=c:\windows\pss\OpenOffice.org 1.9.79.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Shimri Yancey^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=c:\documents and settings\Shimri Yancey\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=c:\windows\pss\OpenOffice.org 2.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Shimri Yancey^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Shimri Yancey\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Shimri Yancey^Start Menu^Programs^Startup^Yahoo! Widgets.lnk]
path=c:\documents and settings\Shimri Yancey\Start Menu\Programs\Startup\Yahoo! Widgets.lnk
backup=c:\windows\pss\Yahoo! Widgets.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McDetect.exe"=2 (0x2)
"McciCMService"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"GoogleDesktopManager-061008-081103"=3 (0x3)
"Boonty Games"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"aspnet_state"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\wjview.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\CoffeeCup Software\\CoffeeCup Free FTP\\FreeFTP.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Virtual Mechanics\\SiteSpinner V2.7\\bin\\SiteSpinnerV2.exe"=
"c:\\Program Files\\Avanquest\\Web Easy Professional 7\\WebEasy.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1999:UDP"= 1999:UDP:Windows Media Format SDK (firefox.exe)
"1998:UDP"= 1998:UDP:Windows Media Format SDK (firefox.exe)

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/20/2009 6:36 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/20/2009 6:36 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [5/20/2009 6:35 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/20/2009 6:35 AM 298776]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [11/15/2007 1:30 PM 34064]
S2 PPSCAN;PPSCAN;c:\windows\system32\drivers\ppscan.sys [3/19/2003 12:55 PM 91520]
.
Contents of the 'Scheduled Tasks' folder

2009-05-21 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 19:20]

2009-05-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-06 18:25]

2009-05-21 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SmartDraw 2009\Messages\SDNotify.exe [2008-10-07 14:29]

Re: Win 32/cryptor

Post by tdantes on 21st May 2009, 4:27 pm

.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.r4.attbi.com;localhost
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: DirectAnimation Java Classes - [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {6AE4CC6E-999C-11D4-A3F0-009027427750} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Shimri Yancey\Application Data\Mozilla\Firefox\Profiles\24ykkije.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-21 09:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(488)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1488)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
.
**************************************************************************
.
Completion time: 2009-05-21 9:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-21 16:24
ComboFix2.txt 2009-05-21 13:39
ComboFix3.txt 2009-05-21 02:03

Pre-Run: 23,280,222,208 bytes free
Post-Run: 23,281,831,936 bytes free

316 --- E O F --- 2009-05-21 13:34

Re: Win 32/cryptor

Post by Belahzur on 21st May 2009, 5:07 pm

Okay, that should do it.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u
This will also reset your restore points.

How is the machine running now?

Re: Win 32/cryptor

Post by tdantes on 21st May 2009, 5:16 pm

So far it has been wonderful... that is all I need to do?

Re: Win 32/cryptor

Post by Belahzur on 21st May 2009, 5:24 pm

Yep.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.
