Win32/Cryptor on Vista machine



Win32/Cryptor on Vista machine

Post by Shereiner on 20th May 2009, 10:59 pm

I have a machine that I am running AVG 8.5 on and it has detected the Cryptor virus/malware. I have been running the AVG scan and will post a log of what it comes up with when it finishes. Is there anything I can do while it is running that scan in the meantime to prepare for removal?


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 20th May 2009, 11:03 pm

Hello.
I doubt AVG will be able to remove the main rootkit.

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Win32/Cryptor on Vista machine

Post by Shereiner on 20th May 2009, 11:05 pm

Can I do that with a USB drive? I can't get that machine to log on consistently... Obvious issue there! :)


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 20th May 2009, 11:07 pm

Hello.
The malware is probably to blame; try booting to Safe Mode and running HijackThis.

But yes, use a USB stick if needed.



Re: Win32/Cryptor on Vista machine

Post by Shereiner on 20th May 2009, 11:16 pm

OK... I feel like a complete idiot saying this, but I cannot get it to load the HJT! It won't even open the file! Am I doing something wrong? I ask it to save to the USB, it says download complete... I have transferred the USB to the infected machine, then double-clicked on it - nothing. I have even dragged the file to the desktop - nothing. I click and it does absolutely nothing!


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 20th May 2009, 11:22 pm

Hmm, right-click the setup file and rename it.
Doesn't matter what you rename it to, just as long as it's renamed.



Re: Win32/Cryptor on Vista machine

Post by Shereiner on 20th May 2009, 11:27 pm

Thanks! That worked... Here is the text file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:20 PM, on 5/20/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O1 - Hosts: ::1 localhost
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Dell DataSafe Online] "C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe" /m
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Dell Games\Dell Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10819 bytes


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 20th May 2009, 11:53 pm

Hello.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can re-enable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this, otherwise this fix will fail.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
    O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - [You must be registered and logged in to see this link.]
    O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
    O23 - Service: SessionLauncher - Unknown owner - C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

Next,

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts.
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


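The HijackThis log posted above and the entries picked out of it for "Fix Checked" lend themselves to a small parser. What follows is an added example, not code from the thread, from HijackThis or from any of the tools mentioned: it parses the HijackThis 2.0.x line formats that appear in the log (R0/R1 IE settings, R3/O2/O3 COM objects keyed by CLSID, O4 Run keys, O23 services) into records, then runs a triage pass that reproduces the kind of picks made above. The sample log is constructed from lines in the thread with the redacted URLs left out; the MyWebSearch watchlist term, the temp-directory, %WinDir% and rundll32 checks are my own heuristics, not HijackThis behaviour.

```python
"""Parse HijackThis 2.0.x log entries and flag the ones worth a second look."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the HijackThis 2.0.2 layout; the entries mirror lines
# from the log posted in the thread (the redacted URLs are left out).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
O23 - Service: SessionLauncher - Unknown owner - C:\Users\ADMINI~1\AppData\Local\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
"""


@dataclass
class Entry:
    section: str                  # HJT section code: R1, O2, O4, O23, ...
    kind: str                     # BHO, Toolbar, Service, HKLM\..\Run, ...
    name: str
    clsid: Optional[str] = None
    vendor: Optional[str] = None  # O23 only; "Unknown owner" when HJT finds none
    path: Optional[str] = None    # file path, command line or registry value
    file_missing: bool = False    # HJT appends "(file missing)" when the binary is gone


ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# O2/O3/R3: "BHO: <name> - {CLSID} - <path>". The CLSID anchors the split and the
# name is matched lazily, so a " - " inside a path ("Spybot - Search & Destroy")
# stays in the path.
COM_RE = re.compile(r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
                    r"(?: - (?P<path>.*))?$")
# O4: "HKLM\..\Run: [<name>] <command>"  or  "Global Startup: <x>.lnk = <target>"
RUN_RE = re.compile(r"^(?P<kind>.+?): \[(?P<name>[^\]]*)\] ?(?P<path>.*)$")
STARTUP_RE = re.compile(r"^(?P<kind>.+?): (?P<name>.+?) = (?P<path>.*)$")
# O23: "Service: <display name> (<short name>) - <vendor> - <path>". A display
# name that itself contains " - " cannot be split unambiguously by this format.
SVC_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
# R0/R1: "<hive>\...\Main,Start Page = <value>" (the value may be empty)
REG_RE = re.compile(r"^(?P<name>[^=]*?) =(?: (?P<path>.*))?$")
MISSING = "(file missing)"


def parse_line(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None                      # header, blank or footer line
    sec, body = m["sec"], m["body"]
    if sec == "O23":
        s, kind = SVC_RE.match(body), "Service"
    elif sec == "O4":
        s, kind = RUN_RE.match(body) or STARTUP_RE.match(body), None
    elif sec in ("R0", "R1"):
        s, kind = REG_RE.match(body), "IE setting"
    else:
        s, kind = COM_RE.match(body), None
    if not s:                            # layout we do not model: keep it unparsed
        return Entry(section=sec, kind=sec, name=body)
    g = s.groupdict()
    path = g.get("path") or None
    missing = bool(path and path.endswith(MISSING))
    if missing:
        path = path[:-len(MISSING)].rstrip()
    return Entry(section=sec, kind=kind or g["kind"], name=g["name"].strip(),
                 clsid=g.get("clsid"), vendor=g.get("vendor"), path=path,
                 file_missing=missing)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


# Triage heuristics (assumptions, not HijackThis logic). The watchlist term is
# what the helper in the thread fixed; the rest are generic persistence smells.
WATCHLIST = re.compile(r"mywebs", re.I)
TEMP_DIR = re.compile(r"\\te?mp\\", re.I)
WINDIR = re.compile(r"^[a-z]:\\windows\\", re.I)
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[a-z]:\\[^,"]+)', re.I)


def _rundll_outside_windir(p: str) -> bool:
    m = RUNDLL.match(p)
    return bool(m) and not WINDIR.match(m["dll"])


def triage(e: Entry) -> List[str]:
    """Reasons this entry deserves a look; an empty list means nothing odd."""
    p = e.path or ""
    checks = [
        (WATCHLIST.search(p), "matches watchlist (MyWebSearch)"),
        (e.file_missing, "registered binary is missing from disk"),
        (TEMP_DIR.search(p), "runs from a temp directory"),
        (e.vendor == "Unknown owner" and not WINDIR.match(p),
         "no vendor string and not under %WinDir%"),
        (_rundll_outside_windir(p), "rundll32 loads a DLL from outside %WinDir%"),
    ]
    return [why for hit, why in checks if hit]


def flagged(text: str) -> List[Tuple[Entry, List[str]]]:
    return [(e, triage(e)) for e in parse_log(text) if triage(e)]


if __name__ == "__main__":
    for e, why in flagged(SAMPLE_LOG):
        print(f"{e.section:<4}{e.kind:<14}{e.name}: {'; '.join(why)}")
```

Run it as a script to print the flagged entries. Note the wltrysvc service: HijackThis reports it as "Unknown owner" just like SessionLauncher, but it lives under %WinDir%, so the vendor check on its own is not a verdict. SessionLauncher trips three checks at once (temp directory, missing file, unknown owner outside %WinDir%), and that stacking is the pattern worth chasing.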

Re: Win32/Cryptor on Vista machine

Post by Shereiner on 20th May 2009, 11:57 pm

Ummmm.... again, I am stuck on the fact that it won't allow me to even open Spybot... Sorry to be such a pain... I did tell it to exit in the system tray when I was in the regular mode. Did that do anything for me when I rebooted into Safe Mode?


Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 12:05 am

Tried renaming the Spybot shortcut... didn't do anything for me... Should I uninstall?


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 21st May 2009, 12:06 am

Ah.
Spybot shouldn't be active in Safe Mode, then; just download and run Combo-Fix.



Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 12:31 am

OK... I have tried that; it didn't let me do it. I rebooted at the end of the HJT; was that a mistake? This silly thing is making me feel very unintelligent!


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 21st May 2009, 12:39 am

Did you follow my instructions exactly step by step? Combofix should run if renamed to Combo-Fix BEFORE downloading it.



Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 12:42 am

I found my mistake... The ComboFix didn't download correctly the first time.... Trying the install again. I did follow exactly the first time; the program must have been interrupted. I was not aware I may have clicked the mouse area while it was downloading... Hopefully back with the file in a minute...


Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 12:43 am

OK. In Safe Mode, ComboFix has detected Spybot running... What now?


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 21st May 2009, 12:46 am

Allow it to run anyway, Spybot shouldn't interfere in normal mode anyhow.



Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 1:01 am

OK... I ran it through. It (the CF) all installed and scanned. Lots of messages saying that it needed Administrator login: access denied. It then said it found the rootkit stuff that shows up in my AVG issues. I got those written down like it said and I rebooted like it said. When I rebooted, AVG said I had the virus..... Do I start over? Do I not reboot when it tells me to? I am SOOOOOO sorry!


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 21st May 2009, 1:11 am

ComboFix should have made the machine reboot, then continued after the reboot.

Did it not do that? Has your user account got administrator permission to write/delete in the registry, etc.?



Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 1:15 am

It did reboot after it found the rootkit stuff and I hit OK. It did not continue, however. Just stopped. Then when Spybot loaded and warned of changes and AVG showed the virus in the Registry Monitor thingy, I shut those down and waited. I closed those programs in the start line. I waited. I have restarted in Safe Mode now. I will await your next move... I can try checking on the Administrator access. How do I do that in Safe Mode?


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 21st May 2009, 1:19 am

Looks like Spybot is interfering. Let's uninstall it this time.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

  • Spybot - Search & Destroy

Now re-run ComboFix; Spybot won't interfere on reboot this time.



Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 1:28 am

OK... In the process now. Now I have a window that says that the CF may be tainted???????? It is suggesting I get a new copy. I clicked OK and then clicked Next on the next screen. It is attempting to create a new System Restore... It has above that "Access denied" on files again. It moves to the second screen and scans for infected files. At SED it says it can read nt-osSvcDump00: No such file or directory, twice. Then "access denied: Admin permissions need to use selected options". Now it finds the rootkit stuff. I am hitting OK... Gives me lots of access denieds... Reboots machine...


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 21st May 2009, 1:31 am

Crud. :(

You may be dealing with a file infector, known as Virut.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 1:35 am

Now AVG is back up saying I have an infection.... No Spybot since we uninstalled it... On your post about downloading to the desktop... Can I still do the USB thing, or should I download it somewhere I can get a strong signal and hope I can connect? I am still talking to you via my other machine that is not infected...


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 21st May 2009, 1:44 am

I don't mean to be the bearer of bad news, but Virut is a file infector, spreading across the entire system, and the Virut code inside the malware is somewhat buggy. So when it infects files, they also become corrupt; that's why ComboFix needs that warning.

Right now, your machine either has got Virut or it hasn't, which right now is a 50/50 chance.

See here:
[You must be registered and logged in to see this link.]

If you do have Virut, then it's game over for the infected machine. Virut infections cannot be fixed.

DDS will show me modified files, which hopefully will show if Virut is present or not.



Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 1:47 am

So can I download it (the finder program) to my USB dongle, or do I have to download it onto the infected machine directly? Can I download the file to my dongle and then transfer the information to the infected machine via the dongle, or will it only work if we install it directly onto the infected machine?


Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 1:50 am

double post, sorry


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 21st May 2009, 1:52 am

Either way, I need to see that log.



Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 2:00 am

OK... When I tried DDS in normal mode, I got a screen like an anti-virus screen that asks if I am the one attempting to load DDS. I say yes, load, I know what it is... Then DDS gives me a C prompt that says I need to disable script blockers... It doesn't go any further, just general information on what to do once it gives me the log, but it never gives me the log....
Do I try in Safe Mode?


Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 2:05 am

here is the log...

DDS (Ver_09-05-14.01) - NTFSx86 MINIMAL
Run by Emily at 20:01:39.35 on Wed 05/20/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1013.680 [GMT -6:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Users\Emily\Documents\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: My Web Search: {07b18ea9-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\1.bin\MWSBAR.DLL
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: []
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\deskto~1.lnk - c:\program files\research in motion\blackberry\DesktopMgr.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Search - ?p=ZKxdm021YYUS
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~2\googledesktopnetwork3.dll c:\windows\system32\avgrsstx.dll

============= SERVICES / DRIVERS ===============

S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-19 325896]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-5-19 108552]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-11-12 73728]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-19 298776]
S2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-5-2 161048]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [2008-12-15 28762]
S2 RoxLiveShare10;LiveShare P2P Server 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxLiveShare10.exe [2008-5-14 309744]
S2 RoxWatch10;Roxio Hard Drive Watcher 10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxWatch10.exe [2008-5-14 166384]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-11-12 111616]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2008-5-14 1120752]
S4 SessionLauncher;SessionLauncher;c:\users\admini~1\appdata\local\temp\dx9\sessionlauncher.exe --> c:\users\admini~1\appdata\local\temp\dx9\SessionLauncher.exe [?]

=============== Created Last 30 ================

2009-05-20 19:59 109,976,122 a------- c:\windows\MEMORY.DMP
2009-05-20 19:23 --ds---- C:\Combo-Fix
2009-05-20 19:23 318,976 a------- c:\windows\system32\CF9893.exe
2009-05-20 18:48 318,976 a------- c:\windows\system32\CF2130.exe
2009-05-20 18:40 161,792 a------- c:\windows\SWREG.exe
2009-05-20 18:40 130,048 a------- c:\windows\PEV.exe
2009-05-20 18:40 98,816 a------- c:\windows\sed.exe
2009-05-20 18:39 318,976 a------- c:\windows\system32\CF880.exe
2009-05-20 17:25 --d----- c:\program files\Trend Micro
2009-05-19 18:42 1,905 a------- c:\windows\diagwrn.xml
2009-05-19 18:42 1,905 a------- c:\windows\diagerr.xml
2009-05-19 11:43 --d-h--- C:\$AVG8.VAULT$
2009-05-19 11:29 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-19 11:29 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-19 11:29 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-19 11:29 --d----- c:\windows\system32\drivers\Avg
2009-05-19 11:28 --d----- c:\programdata\avg8
2009-05-19 11:28 --d----- c:\program files\AVG
2009-05-19 11:28 --d----- c:\progra~2\avg8
2009-05-11 17:44 --d----- c:\programdata\Spybot - Search & Destroy
2009-05-11 17:44 --d----- c:\program files\Spybot - Search & Destroy
2009-05-11 17:44 --d----- c:\progra~2\Spybot - Search & Destroy
2009-05-02 12:08 --d----- c:\program files\common files\Uninstall
2009-05-02 12:08 --d----- c:\program files\PAV

==================== Find3M ====================

2009-03-20 20:13 3 a------- c:\programdata\SysLoader.exe
2009-03-20 20:13 3 a------- c:\progra~2\SysLoader.exe
2009-03-16 21:38 40,960 a------- c:\windows\apppatch\apihex86.dll
2009-03-16 21:38 13,824 a------- c:\windows\system32\apilogen.dll
2009-03-16 21:38 24,064 a------- c:\windows\system32\amxread.dll
2009-03-02 22:46 3,599,328 a------- c:\windows\system32\ntkrnlpa.exe
2009-03-02 22:46 3,547,632 a------- c:\windows\system32\ntoskrnl.exe
2009-03-02 22:40 827,392 a------- c:\windows\system32\wininet.dll
2009-03-02 22:39 183,296 a------- c:\windows\system32\sdohlp.dll
2009-03-02 22:39 551,424 a------- c:\windows\system32\rpcss.dll
2009-03-02 22:39 26,112 a------- c:\windows\system32\printfilterpipelineprxy.dll
2009-03-02 22:37 78,336 a------- c:\windows\system32\ieencode.dll
2009-03-02 22:37 98,304 a------- c:\windows\system32\iasrecst.dll
2009-03-02 22:37 54,784 a------- c:\windows\system32\iasads.dll
2009-03-02 22:37 44,032 a------- c:\windows\system32\iasdatastore.dll
2009-03-02 21:04 666,624 a------- c:\windows\system32\printfilterpipelinesvc.exe
2009-03-02 20:38 17,408 a------- c:\windows\system32\iashost.exe
2009-03-02 20:28 26,624 a------- c:\windows\system32\ieUnatt.exe
2009-01-31 19:40 143,360 a------- c:\windows\inf\infstrng.dat
2009-01-31 19:40 51,200 a------- c:\windows\inf\infpub.dat
2009-01-31 19:39 86,016 a------- c:\windows\inf\infstor.dat
2008-11-29 07:35 327,680 a------- c:\users\emily\appdata\roaming\DataSafeDotNet.exe
2008-11-12 16:09 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 20:57 174 a--sh--- c:\program files\desktop.ini
2006-11-02 06:39 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 06:39 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 06:39 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 06:39 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 03:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 03:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-11-20 21:16 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-11-20 21:16 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-11-20 21:16 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 20:02:04.79 ===============


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 21st May 2009, 8:26 am

I don't think it's Virut, I think it's Combofix that doesn't like Vista.
Let's try it this way.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.



Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 1:33 pm

Here's the log file... But I do have to tell you after it rebooted, the virus still comes up on the AVG Resident Shield alert

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 21st May 2009, 3:37 pm

Let's see if this will run.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 4:26 pm

It wouldn't let me do it in normal mode... Trying now in safe mode...


Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 4:28 pm

It will not allow me to run the program... does nothing, won't even start the installation process...


Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 4:49 pm

Just FYI... I am not opposed to completely starting over. There is not anything on this machine that cannot be replaced or reloaded. I am just not experienced in doing that. When I do attempt to reload Windows, it tells me that I don't have enough space on the drives, which is crap. So the virus will likely make me format the drives, and this came with a partition from Dell. The partition won't let me install from there either, and to be honest, I don't understand all the ins and outs of a partition.


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 21st May 2009, 5:10 pm

Partitioning Windows, Wikipedia:
[You must be registered and logged in to see this link.]

If you want to start over, then feel free to do so if you feel it's safer/faster that way.

[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]



Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 5:14 pm

Don't get me wrong... If you think this is just a hitch in the get-along, I'm all willing to keep going and keep trying. Not trying to say anything about that at all! Just wanting to let you know the situation: if you feel the only way left is reformatting, I'm OK with that. Now, that said... What's our next step?


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 21st May 2009, 5:23 pm

Well, I don't think Virut is present, so try running Combo-Fix again.



Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 5:35 pm

K. Tried it again in safe mode... (I just happened to be in safe mode, so no agenda there...) Still giving me the Caution screen (saying my copy of ComboFix might be tainted) after a lot of Access Denieds... I hit OK to continue, gives me the disclaimer page... Back to blue screen, creating Restore Point, tells me it finds the virus in the rootkit... Reboots in normal mode... tells me the virus is still there, doesn't give me anything else... I'm in normal mode now...

I have a couple of questions... Should I turn off the password entry screen? I don't know if that interferes? It's just that screen that happens when you enter your password before it loads your desktop...


Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 5:36 pm

Oh! And should I run ComboFix as Administrator? Like when I right-click and it gives me that option instead of just clicking?


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 21st May 2009, 5:37 pm

Yeah, run as administrator, and use safe mode if needed.



Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 5:38 pm

Trying that now...


Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 5:50 pm

Same exact response as before. It says to use an Administrator Command prompt to complete these tasks... It says Administrator at the top of the window.... and I did do the right-click thing to tell it to run as administrator... Darned Vista!


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 21st May 2009, 5:58 pm

Please close all anti-virus, anti-malware and any other open programs/windows so they do not interfere with the running of RootRepeal.

  • Please download RootRepeal.zip from [You must be registered and logged in to see this link.].
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.


  • Select ALL of the checkboxes and then click OK and it will start scanning your system.

  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.



Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 6:06 pm

That program worked and is working... Will post when complete


Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 6:19 pm

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/05/21 12:04
Program Version: Version 1.2.3.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\Windows\System32\Drivers\dump_iaStor.sys
Address: 0x88E0A000 Size: 815104 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA4E00000 Size: 45056 File Visible: No
Status: -

Name: UACcuxinqqcevvnmxq.sys
Image Path: C:\Windows\system32\drivers\UACcuxinqqcevvnmxq.sys
Address: 0x8A256000 Size: 77824 File Visible: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\{1c440d8f-338e-11de-9c18-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{1c440d95-338e-11de-9c18-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{1c440d9c-338e-11de-9c18-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{1c440dab-338e-11de-9c18-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{1c440db6-338e-11de-9c18-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{1c440ddb-338e-11de-9c18-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{2ccd6f30-1c8e-11de-b03e-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{2ccd6f3a-1c8e-11de-b03e-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{2ccd6f4d-1c8e-11de-b03e-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{2ccd6f62-1c8e-11de-b03e-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{581e89a0-2bb6-11de-80b0-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{581e89c3-2bb6-11de-80b0-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{581e89d6-2bb6-11de-80b0-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6f858871-256b-11de-9ec5-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6f85887c-256b-11de-9ec5-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6f85888b-256b-11de-9ec5-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6f858894-256b-11de-9ec5-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{6f85890f-256b-11de-9ec5-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{fba69bfd-4497-11de-8baa-00219bf822e9}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\Windows\WindowsUpdate.log
Status: Allocation size mismatch (API: 1359872, Raw: 1331200)

Path: C:\Windows\System32\UACboxvxrrxuibghes.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACgxbipvhpfwmpwgx.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACmrmlebcircxmhsh.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACpicijbatwermtkt.dat
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACrihwldaoantxuxo.dll
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACrttlbtmwpqoetbx.log
Status: Invisible to the Windows API!

Path: C:\Windows\System32\UACxsioqdpdqpvdiny.dll
Status: Invisible to the Windows API!

Path: C:\ProgramData\avg8\Log\avgcore.log
Status: Allocation size mismatch (API: 393216, Raw: 262144)

Path: C:\ProgramData\avg8\Log\avgsched.log
Status: Allocation size mismatch (API: 524288, Raw: 458752)

Path: C:\ProgramData\avg8\Log\avgrs.log
Status: Allocation size mismatch (API: 131072, Raw: 0)

Path: C:\ProgramData\avg8\Log\avgwd.log
Status: Allocation size mismatch (API: 131072, Raw: 0)

Path: C:\ProgramData\avg8\scanlogs\I_00000009.log
Status: Allocation size mismatch (API: 4096, Raw: 40)

Path: C:\Windows\System32\drivers\UACcuxinqqcevvnmxq.sys
Status: Invisible to the Windows API!

Path: C:\Windows\System32\drivers\UACpmxqfwaicvcxxdr.sys
Status: Invisible to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\System32\wbem\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\System32\wfp\wfpdiag.etl
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!


Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 6:20 pm

Part 2:

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11df268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_58843c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3ce6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.16767_none_48e0ac03ef0db56a\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6000.20941_none_4979e8d10820826f\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.18160_none_4abfe8a3ec3a94fa\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~1.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~2.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.0.6001.22292_none_4b2b163f056ebb45\PORTAB~3.MOF
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl
Status: Allocation size mismatch (API: 16384, Raw: 4096)

Path: C:\Users\Emily\AppData\Local\Temp\UAC000
Status: Invisible to the Windows API!

Path: C:\Users\Emily\AppData\Local\Temp\UACab17.tmp
Status: Invisible to the Windows API!

Path: C:\Users\Emily\AppData\Local\Temp\UACb6c0.tmp
Status: Invisible to the Windows API!

Path: C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.6000.16386__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!


Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 6:21 pm

part 3:

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Locked to the Windows API!

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1876 Status: Locked to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: UACboxvxrrxuibghes.dll]
Process: wininit.exe (PID: 556) Address: 0x00280000 Size: 45056

Object: Hidden Module [Name: UACrihwldaoantxuxo.dll]
Process: wininit.exe (PID: 556) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACboxvxrrxuibghes.dll]
Process: winlogon.exe (PID: 608) Address: 0x00840000 Size: 45056

Object: Hidden Module [Name: UACrihwldaoantxuxo.dll]
Process: winlogon.exe (PID: 608) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACrihwldaoantxuxo.dll]
Process: services.exe (PID: 656) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACboxvxrrxuibghes.dll]
Process: services.exe (PID: 656) Address: 0x008a0000 Size: 45056

Object: Hidden Module [Name: UACboxvxrrxuibghes.dll]
Process: lsass.exe (PID: 668) Address: 0x012a0000 Size: 45056

Object: Hidden Module [Name: UACrihwldaoantxuxo.dll]
Process: lsass.exe (PID: 668) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UACboxvxrrxuibghes.dll]
Process: lsm.exe (PID: 676) Address: 0x008a0000 Size: 45056

Object: Hidden Module [Name: UACrihwldaoantxuxo.dll]
Process: lsm.exe (PID: 676) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: MpEvMsg.dll]
Process: svchost.exe (PID: 1472) Address: 0x00180000 Size: 57344

Object: Hidden Module [Name: WinMgmtR.dll]
Process: svchost.exe (PID: 1472) Address: 0x00850000 Size: 8192

Object: Hidden Module [Name: winlogon.exe]
Process: svchost.exe (PID: 1472) Address: 0x01ef0000 Size: 323584

Object: Hidden Module [Name: winlogon.exe]
Process: svchost.exe (PID: 1472) Address: 0x02160000 Size: 323584

Object: Hidden Module [Name: MpEvMsg.dll]
Process: svchost.exe (PID: 1472) Address: 0x742b0000 Size: 57344

Object: Hidden Module [Name: WinMgmtR.dll]
Process: svchost.exe (PID: 1472) Address: 0x71ad0000 Size: 8192

Object: Hidden Module [Name: tquery.dll]
Process: svchost.exe (PID: 1472) Address: 0x714c0000 Size: 1589248

Object: Hidden Module [Name: wlansvc.dll]
Process: svchost.exe (PID: 1472) Address: 0x73ea0000 Size: 528384

Object: Hidden Module [Name: profsvc.dll]
Process: svchost.exe (PID: 1472) Address: 0x74330000 Size: 163840

Object: Hidden Module [Name: wevtapi.dll]
Process: svchost.exe (PID: 1472) Address: 0x754a0000 Size: 258048

Object: Hidden Module [Name: msvcm80.dll]
Process: bcmwltry.exe (PID: 1696) Address: 0x03d60000 Size: 507904

Object: Hidden Module [Name: bcmwlrmt.dll]
Process: bcmwltry.exe (PID: 1696) Address: 0x03d20000 Size: 77824

Object: Hidden Module [Name: WLTRAY.EXE]
Process: bcmwltry.exe (PID: 1696) Address: 0x05b00000 Size: 3952640

Object: Hidden Module [Name: imageres.dll]
Process: Explorer.EXE (PID: 3336) Address: 0x67410000 Size: 15822848

Object: Hidden Module [Name: bcmwlrmt.dll]
Process: WLTRAY.EXE (PID: 836) Address: 0x043c0000 Size: 77824

Object: Hidden Module [Name: msvcm80.dll]
Process: WLTRAY.EXE (PID: 836) Address: 0x04410000 Size: 507904

Object: Hidden Module [Name: BalloonWindow.dll]
Process: DataSafeOnline.exe (PID: 3164) Address: 0x01b20000 Size: 61440

Object: Hidden Module [Name: SdbShared.dll]
Process: DataSafeOnline.exe (PID: 3164) Address: 0x01ae0000 Size: 258048

Object: Hidden Module [Name: SdbUI.dll]
Process: DataSafeOnline.exe (PID: 3164) Address: 0x01b80000 Size: 86016

Object: Hidden Module [Name: SdbShared.XmlSerializers.dll]
Process: DataSafeOnline.exe (PID: 3164) Address: 0x05850000 Size: 118784

Object: Hidden Code [ETHREAD: 0x8333dab0]
Process: System Address: 0x866570c8 Size: -

Object: Hidden Code [ETHREAD: 0x833622d8]
Process: System Address: 0xa5d831c8 Size: -

Object: Hidden Code [ETHREAD: 0x83363020]
Process: System Address: 0x8e3ec050 Size: -

Object: Hidden Code [ETHREAD: 0x89fe3840]
Process: System Address: 0x89fe3a34 Size: -

Object: Hidden Code [ETHREAD: 0x8aa4ad78]
Process: System Address: 0x8e3ed3d8 Size: -

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\Windows\system32\drivers\UACcuxinqqcevvnmxq.sys


Re: Win32/Cryptor on Vista machine

Post by Belahzur on 21st May 2009, 6:25 pm

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACcuxinqqcevvnmxq.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

  The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

3. Please copy/paste the content of c:\avenger.txt into your reply.



Re: Win32/Cryptor on Vista machine

Post by Shereiner on 21st May 2009, 6:36 pm

Here we are... ARGH!

Logfile of The Avenger Version 2.0, (c) by Swandog46
[You must be registered and logged in to see this link.]

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.

Error: could not delete file "C:\WINDOWS\system32\drivers\UACcuxinqqcevvnmxq.sys"
Deletion of file "C:\WINDOWS\system32\drivers\UACcuxinqqcevvnmxq.sys" failed!
Status: 0xc0000156


Completed script processing.

*******************

Finished! Terminate.
