WiredWX Hobby Weather ToolsLog in

 


Win32/Cryptor

3 posters

descriptionWin32/Cryptor - Page 2 EmptyRe: Win32/Cryptor

more_horiz
Even in safemode, spyware doctor still reports on. I was unable to see it anywhre as i had it off for some tme.

even logged in as admin, the consle window pops up and found access denied asince i need to run as admin command line?

also, it did bring up a popup window, stating UACxxxxxxxxx.dll/sys/log


Win32/Cryptor - Page 2 Rootkit

descriptionWin32/Cryptor - Page 2 EmptyRe: Win32/Cryptor

more_horiz
I can't find any of the above files so I can have Jotti's website scan them either.

C:\Windows\system32\drivers\UACfmypqifhmbticyj.sys
C:\Windows\system32\UACwnshtlevujtrnju.dll
C:\Windows\system32\UACijrordxgrwgkvoe.dat
C:\Windows\system32\UACgnasusnvmxpptuy.dll
C:\Windows\system32\UACspopqjypwixodyb.dll
C:\Windows\system32\UACshcmpbejitmugjs.dll
C:\Windows\system32\UACsmjvwmfvslydjhu.dll
C:\Windows\system32\UACtxxbxtvrdlneggi.log
C:\Windows\system32\UAChvaibehlvoyecrd.log
C:\Windows\system32\UACxseiwwmdukekcvp.log

descriptionWin32/Cryptor - Page 2 EmptyRe: Win32/Cryptor

more_horiz
I even turned off hide windows protected files.

descriptionWin32/Cryptor - Page 2 EmptyRe: Win32/Cryptor

more_horiz
Hello.
I already know about the rootkit, don't need the files name.
Allow Combofix to run and it will delete those files.

descriptionWin32/Cryptor - Page 2 EmptyRe: Win32/Cryptor

more_horiz
Each time I run Combofix, it wants to reboot. When I rboot and log back into Admin, it no longer runs.

Running in safemode made no difference.
Running as Admin (right click) made no difference.

The problem is when the command/terminal window popsup that is being run as normal user, not admin user even though i am logged in as local admin and ran as admin.

descriptionWin32/Cryptor - Page 2 EmptyRe: Win32/Cryptor

more_horiz

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
    "EnableLUA"=dword:00000000


  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

Try running it now UAC is off.

descriptionWin32/Cryptor - Page 2 EmptyRe: Win32/Cryptor

more_horiz
Okay, that seemed to have run now. How can I post the log, it says it is too big.

descriptionWin32/Cryptor - Page 2 EmptyRe: Win32/Cryptor

more_horiz
On a side note, HijackThis was finally able to install the version you had requested last week.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:49 PM, on 6/8/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16830)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SweetIM ToolbarURLSearchHook Class - {EEE6C35D-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgHelper.dll
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: SWEETIE - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: SweetIM Toolbar for Internet Explorer - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\chantal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
O13 - Gopher Prefix:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/CursorManiaInitialSetup1.0.1.1.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Update Service (gupdate1c997c458eb46d8) (gupdate1c997c458eb46d8) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 7940 bytes

descriptionWin32/Cryptor - Page 2 EmptyRe: Win32/Cryptor

more_horiz
Split the log up into more than one piece.

descriptionWin32/Cryptor - Page 2 EmptyRe: Win32/Cryptor

more_horiz
ComboFix 09-06-05.07 - Administrator 06/08/2009 13:41.1 - NTFSx86
Microsoft®️ Windows Vista™️ Home Premium 6.0.6000.0.1252.1.1033.18.1790.1359 [GMT -4:00]
Running from: c:\users\Administrator\Desktop\Combo-Fix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
SP: Spyware Doctor *disabled* (Updated) {1C3EDD79-273E-46ac-99F8-EFA9E7CBC301}
SP: Windows Defender *enabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ShoppingReport
c:\program files\zango
c:\users\Administrator\AppData\Roaming\020000000e861978598C.manifest
c:\users\Administrator\AppData\Roaming\020000000e861978598O.manifest
c:\users\Administrator\AppData\Roaming\020000000e861978598P.manifest
c:\users\Administrator\AppData\Roaming\020000000e861978598S.manifest
c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
c:\windows\system32\drivers\UACfmypqifhmbticyj.sys
c:\windows\system32\UACgnasusnvmxpptuy.dll
c:\windows\system32\UAChvaibehlvoyecrd.log
c:\windows\system32\UACijrordxgrwgkvoe.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACshcmpbejitmugjs.dll
c:\windows\system32\UACsmjvwmfvslydjhu.dll
c:\windows\system32\UACspopqjypwixodyb.dll
c:\windows\system32\UACtxxbxtvrdlneggi.log
c:\windows\system32\UACwnshtlevujtrnju.dll
c:\windows\system32\UACxseiwwmdukekcvp.log
c:\windows\system32\x64
c:\windows\system32\x64\csnp2uvc.dll
c:\windows\system32\x64\rsnpvc64.dll
c:\windows\system32\x64\sncduvc.sys
c:\windows\system32\x64\snp2uvc.sys
c:\windows\system32\x64\vsnpvc64.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-08 to 2009-06-08 )))))))))))))))))))))))))))))))
.

2009-06-08 17:45 . 2009-06-08 17:45 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2009-06-08 17:32 . 2009-06-08 17:45 -------- d-s---w- \Combo-Fix
2009-06-08 17:01 . 2009-06-08 17:01 -------- d-----w- c:\users\Administrator\AppData\Local\Apple
2009-06-08 16:31 . 2009-06-08 16:31 0 ----a-w- c:\windows\nsreg.dat
2009-06-08 16:31 . 2009-06-08 16:31 -------- d-----w- c:\users\Administrator\AppData\Local\Mozilla
2009-06-06 05:04 . 2009-06-06 05:50 -------- d-sh--w- \Config.Msi
2009-06-06 04:22 . 2009-06-06 04:23 -------- d-----w- \Qoobox
2009-06-05 21:58 . 2009-06-05 21:58 -------- d-----w- c:\program files\trend micro
2009-06-05 21:58 . 2009-06-05 21:58 -------- d-----w- C:\rsit
2009-06-05 21:58 . 2009-06-05 21:58 -------- d-----w- \rsit
2009-06-05 16:02 . 2009-06-05 16:02 70104 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-05 14:23 . 2009-06-07 22:12 680 ----a-w- c:\users\Administrator\AppData\Local\d3d9caps.dat
2009-06-05 14:23 . 2009-06-05 14:23 -------- d-----w- c:\users\Administrator\AppData\Local\Windows Live Writer
2009-06-05 14:22 . 2009-06-07 22:02 -------- d-----w- c:\users\Administrator\AppData\Local\Google
2009-06-02 18:08 . 2009-06-02 18:08 -------- d-----w- c:\users\Administrator\AppData\Roaming\yahoo!
2009-06-02 18:01 . 2009-06-02 18:01 -------- d-----w- c:\users\Administrator\AppData\Local\AOL
2009-06-02 17:48 . 2009-06-02 17:48 -------- d-----w- c:\program files\AVG
2009-05-27 00:20 . 2009-05-27 00:20 -------- d-----w- c:\program files\Common Files\Uninstall
2009-05-17 02:31 . 2009-05-17 02:31 1372 ----a-w- c:\windows\system32\Vy8pM7a3Jbrnc.vbs
2009-05-17 02:30 . 2009-05-17 02:30 1372 ----a-w- c:\windows\system32\efsxl.vbs
2009-05-17 02:29 . 2009-05-17 02:29 1372 ----a-w- c:\windows\system32\zkmSCos.vbs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-08 17:35 . 2008-01-03 19:06 2191851520 --sha-w- \pagefile.sys
2009-06-07 20:54 . 2008-05-17 21:14 -------- d-----w- c:\progra~2\Google Updater
2009-06-06 05:50 . 2007-07-25 11:10 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-06 05:39 . 2007-07-25 11:11 -------- d-----w- c:\progra~2\Symantec
2009-06-06 05:38 . 2007-07-25 11:11 -------- d-----w- c:\program files\Symantec
2009-06-02 18:09 . 2007-07-25 11:00 -------- d-----w- c:\program files\Acer GameZone
2009-06-02 18:08 . 2008-05-08 00:20 -------- d-----w- c:\progra~2\Yahoo!
2009-06-02 18:08 . 2008-03-21 17:20 -------- d-----w- c:\program files\Yahoo!
2009-06-02 18:07 . 2008-12-19 23:47 -------- d-----w- c:\program files\Angle Interactive
2009-06-02 18:06 . 2009-05-09 03:01 -------- d-----w- c:\program files\Pando Networks
2009-06-02 18:05 . 2008-05-07 23:54 -------- d-----w- c:\program files\MySpace
2009-06-02 18:05 . 2008-03-28 04:18 -------- d-----w- c:\progra~2\GamesBar
2009-06-02 18:02 . 2008-08-31 20:44 -------- d-----w- c:\program files\Common Files\AOL
2009-06-01 20:26 . 2009-05-02 12:30 -------- d-----w- c:\progra~2\NVIDIA
2009-06-01 20:26 . 2009-05-02 12:30 42237 ----a-w- c:\progra~2\nvModes.dat
2009-06-01 20:06 . 2009-05-02 23:43 -------- d-----w- c:\program files\LimeWire
2009-05-26 23:41 . 2008-05-01 06:57 -------- d-----w- c:\program files\Google
2009-05-16 10:04 . 2007-07-25 10:51 -------- d-----w- c:\progra~2\Microsoft Help
2009-05-09 03:15 . 2009-05-09 03:15 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-05-09 03:10 . 2009-05-09 03:10 -------- d-----w- c:\program files\Subagames
2009-04-26 04:10 . 2009-04-26 04:09 -------- d-----w- c:\program files\SweetIM
2009-04-26 04:09 . 2009-04-26 04:09 -------- d-----w- c:\progra~2\SweetIM
2009-03-17 03:16 . 2009-04-17 02:54 14848 ----a-w- c:\windows\system32\apilogen.dll
2009-03-17 03:16 . 2009-04-17 02:54 25600 ----a-w- c:\windows\system32\amxread.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847}]
2008-10-08 19:22 1172792 ----a-w- c:\program files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-03-23 1232896]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-17 68856]
"WindowsWelcomeCenter"="oobefldr.dll" - c:\windows\System32\oobefldr.dll [2006-11-02 2159104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Empowering Technology Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Empowering Technology Launcher.lnk
backup=c:\windows\pss\Empowering Technology Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

descriptionWin32/Cryptor - Page 2 EmptyRe: Win32/Cryptor

more_horiz
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^RDPlatinum v5.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\RDPlatinum v5.lnk
backup=c:\windows\pss\RDPlatinum v5.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^chantal^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\chantal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{93095D21-614D-4009-B519-EFD2A48F45DF}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{32945355-CDBE-48E8-AA99-E3234C3E3E07}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{D5107B99-FAD3-484B-B1FD-0F99B02215B0}"= c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{F2979B51-C7D7-4432-AC71-A5771C73BB2D}"= c:\program files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{9C8B4F34-9FE3-4EEC-9D40-CAEA3189C548}"= c:\program files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{A287267E-E282-4EE2-89E6-DBF838D4E07D}"= c:\program files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{6E26D721-FB49-41A6-832F-33DF89A541AE}"= c:\program files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{5E3D09CA-47DE-404C-AF59-C3631AFD2C92}"= c:\program files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{3D130451-2F92-44AD-97EE-EC2FF22CAC53}"= c:\program files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"{A4867D41-14DC-4981-A644-5A2CD4590F12}"= c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{322FA7C2-D18B-4FC8-914A-C786562DE544}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{33614B01-2B02-47E2-A06C-F659B007FE42}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{01D47703-C87E-473E-A6DA-E02AAE7BCBD0}"= UDP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{7AC8D531-23BC-4C78-9F32-B0F8312CEE9B}"= TCP:c:\program files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{8D106D98-0123-49F0-B3FB-65F3B9F330ED}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{47A0D057-DDFE-4E67-946C-6311E2E32E2C}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{89AC77A3-75CA-4255-A08E-EA4856229FCC}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{7B8A817C-5805-4846-B3D6-A7163E13C571}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{F093D22E-5C81-4FFF-B12D-DB72EC8B9745}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{17B5AE29-39B2-4F30-9DDA-6805107C6800}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9EE0B88D-4229-413B-8DC1-3AEC22309E54}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{DE66F389-7EE9-4047-BD96-294A3DA20CB8}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{C8E4853B-60C6-4398-9864-9E7D615C3B29}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{FBE69842-6727-440D-A79B-507E77C01023}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{DE8FFBB4-0CB8-4935-A573-210D3E269F23}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{D3F41BB1-3EFB-40C0-8C95-15E77EE18DFF}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{7EF47E1B-F8AE-477D-A4F6-5BFC7519384C}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{3A89D0CD-65F6-48A6-A14B-012D3274FB6F}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{C22EAEB2-4973-4468-A20E-3A9218CF018C}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{8FCB3EBD-3326-4974-89E7-AE8B18197F9C}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{166AD1FB-8098-4A60-B0FD-9D96486727A3}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{C353F2F2-6CB4-4C89-9CE3-048A2E8B16D9}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{54A23342-88CE-4F96-9D99-6187DBDD29FE}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{3FD522D8-1894-4A34-B468-A9A618F6DEDF}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{A00E123D-9357-42CC-9EDA-E84F935EA8E4}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{D91C02E6-32C7-4416-A25C-ACCAAC9C58F0}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{0CD63A35-9FE0-4C78-B7D1-7957211557AF}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{220746E5-6FC8-4111-B033-DE3C78D8318E}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl [1/3/2008 3:17 PM 13560]
R2 ALaunchService;ALaunch Service;c:\acer\ALaunch\ALaunchSvc.exe [7/25/2007 7:19 AM 50688]
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [7/25/2007 5:08 AM 32256]
S2 gupdate1c997c458eb46d8;Google Update Service (gupdate1c997c458eb46d8);c:\program files\Google\Update\GoogleUpdate.exe [2/25/2009 11:43 PM 133104]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/31/2008 4:46 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Acer Tour - (no file)
HKLM-Run-eRecoveryService - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
mStart Page = hxxp://home.sweetim.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\users\chantal\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/CursorManiaInitialSetup1.0.1.1.cab
FF - ProfilePath - c:\users\ADMINI~1\AppData\Roaming\Mozilla\Firefox\Profiles\talfcxov.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

descriptionWin32/Cryptor - Page 2 EmptyRe: Win32/Cryptor

more_horiz
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-08 13:45
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}]
"ImagePath"="\??\c:\program files\Acer Arcade Deluxe\Play Movie\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3349806231-111080178-1007298270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3349806231-111080178-1007298270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3349806231-111080178-1007298270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3349806231-111080178-1007298270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_USERS\S-1-5-21-3349806231-111080178-1007298270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="FirefoxHTML"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-06-08 13:46
ComboFix-quarantined-files.txt 2009-06-08 17:46

Pre-Run: 21,048,672,256 bytes free
Post-Run: 21,443,543,040 bytes free

249 --- E O F --- 2009-06-01 20:09

descriptionWin32/Cryptor - Page 2 EmptyRe: Win32/Cryptor

more_horiz
Hello.
Before removing the leftovers, lets uninstall a few things.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

descriptionWin32/Cryptor - Page 2 EmptyRe: Win32/Cryptor

more_horiz
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Acer Arcade Deluxe
Acer Assist
Acer Crystal Eye webcam
Acer Crystal Eye Webcam Video Class Camera
Acer eAudio Management
Acer eDataSecurity Management
Acer eLock Management
Acer Empowering Technology
Acer eNet Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Acer Mobility Center Plug-In
Acer Registration
Acer ScreenSaver
Acer Tour
Activation Assistant for the 2007 Microsoft Office suites
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.0
Adobe Shockwave Player
ALPS Touch Pad Driver
Apple Mobile Device Support
Apple Software Update
Bonjour
Google Chrome
Google Earth
Google SketchUp 6
Google SketchUp 6
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
HDAUDIO Soft Data Fax Modem with SmartCP
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
iTunes
J2SE Runtime Environment 5.0 Update 12
Java(TM) 6 Update 7
Launch Manager
LiveUpdate 3.2 (Symantec Corporation)
Map Button (Windows Live Toolbar)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
NVIDIA Drivers
OpenOffice.org Installer 1.0
PowerProducer 3.72
QuickTime
Realtek High Definition Audio Driver
Rhapsody
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.51.01
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB960003)
Security Update for Microsoft Office Excel 2007 (KB959997)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Smart Menus (Windows Live Toolbar)
SweetIM for Messenger 2.6
SweetIM Toolbar for Internet Explorer 3.3
The Sims 2 Glamour Life Stuff
The Sims™️ 2 Double Deluxe
Update for 2007 Microsoft Office System (KB967642)
Viewpoint Media Player
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Writer
Yahoo! Messenger

descriptionWin32/Cryptor - Page 2 EmptyRe: Win32/Cryptor

more_horiz
Hello.

  • Click Start >> Control Panel.
  • Under the Programs click Uninstall a Program
  • Highlight the following:

    J2SE Runtime Environment 5.0 Update 12
    Java(TM) 6 Update 7
    Viewpoint Media Player


  • Click on the Uninstall/Change button at the top.

Now open a new notepad file.
Input this into the notepad file:

Driver::
npggsvc

File::
c:\windows\system32\Vy8pM7a3Jbrnc.vbs
c:\windows\system32\efsxl.vbs
c:\windows\system32\zkmSCos.vbs

Folder::
c:\progra~2\GamesBar
c:\program files\LimeWire

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{54A23342-88CE-4F96-9D99-6187DBDD29FE}"=-
"{3FD522D8-1894-4A34-B468-A9A618F6DEDF}"=-
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]

DDS::
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/CursorManiaInitialSetup1.0.1.1.cab


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
Win32/Cryptor - Page 2 Sfxdaw

This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

descriptionWin32/Cryptor - Page 2 EmptyRe: Win32/Cryptor

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum