WiredWX Christian Hobby Weather Tools
Would you like to react to this message? Create an account in a few clicks or log in to continue.

WiredWX Christian Hobby Weather ToolsLog in

 


win32/Crypto virus

3 posters

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus30th July 2009, 11:02 pm

more_horiz
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 17:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-18 39408]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-06-27 318272]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-26 25604904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-25 1948440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2009-5-13 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-25 01:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57866:TCP"= 57866:TCP:Pando Media Booster
"57866:UDP"= 57866:UDP:Pando Media Booster
"56882:TCP"= 56882:TCP:Pando Media Booster
"56882:UDP"= 56882:UDP:Pando Media Booster

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/8/2009 12:11 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/8/2009 12:11 PM 108552]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/10/2007 11:45 PM 124832]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/24/2009 6:51 PM 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/24/2009 6:51 PM 298776]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2/10/2008 12:27 PM 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2/10/2008 12:27 PM 7424]
S2 gupdate1c9efadd513e000;Google Update Service (gupdate1c9efadd513e000);c:\program files\Google\Update\GoogleUpdate.exe [6/17/2009 5:43 PM 133104]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\User\My Documents\SysProtDrv.sys [7/29/2009 11:58 AM 44288]
S3 vtayn;vtayn;\??\c:\docume~1\User\LOCALS~1\Temp\vtayn.sys --> c:\docume~1\User\LOCALS~1\Temp\vtayn.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-07-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-18 00:42]

2009-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-18 00:43]

2009-07-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-18 00:43]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080210
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\hhawh3vp.default\
FF - prefs.js: browser.startup.homepage - hxxp://zeldaconnetion.deviantart.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-30 15:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3216)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\MSVCR80.dll
c:\windows\system32\browselc.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
.
Completion time: 2009-07-30 15:57
ComboFix-quarantined-files.txt 2009-07-30 22:57
ComboFix2.txt 2009-07-28 19:55

Pre-Run: 205,185,646,592 bytes free
Post-Run: 205,536,481,280 bytes free

358 --- E O F --- 2009-07-29 15:43

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus30th July 2009, 11:02 pm

more_horiz
Done.


Uh, one side note. I just noticed some weird folders in my local disk.
"qoobox" "cmdcons" the second is full of system files and dll's o.O the first looks to be a quaratine folder.
Then there is a "boot.bak" file. Seems also that when I turn on my computer lately, once in a "CHKDSK" will start, the typical "The type of the file system is NTFS The volume is dirty" then run through a bunch of files. It happened last time I was infect, so it unnerved me a bit. Just giving you this extra info in case it helps any, my apologies if this is unrelated.

Last edited by Saeiane on 31st July 2009, 12:33 am; edited 2 times in total

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus31st July 2009, 3:43 pm

more_horiz
Please download SysProt AntiRootkit v1.0.1.0 by Swatkat

  • Next run the file; *Note: If running vista right click and select run as administrator
  • Once opened, navigate to the log tab and select all the areas including the hidden objects only box and click on the create log button
  • A scan will start and then a window will pop up with two options, select scan all drives
  • Once finished it will give you a location where it was saved, navigate to that place usually the desktop, and open the log, post all the contents of the log back here.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate

win32/Crypto virus - Page 1 2wg6fte

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus1st August 2009, 12:27 am

more_horiz
I'm still running into that problem with SysProt, it just wound up making my whole computer crash. I can't use it, sorry. It just wont work.

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus1st August 2009, 2:39 am

more_horiz
Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate

win32/Crypto virus - Page 1 2wg6fte

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus1st August 2009, 11:22 am

more_horiz
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 2

8/1/2009 4:09:33 AM
mbam-log-2009-08-01 (04-09-33).txt

Scan type: Quick Scan
Objects scanned: 97712
Time elapsed: 8 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\UACjcfmlidqvp.dll (Trojan.Agent) -> Quarantined and deleted successfully.
that's the log, it seemed to get one of them. Maybe if later on today (it's 4:12AM) I'll run a full scan and see if I can get anything else, eh?

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus1st August 2009, 6:20 pm

more_horiz
Download the GMER rootkit scan from here: GMER

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tools works in safe mode.
You can also try renaming it since some malware blocks GMER.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate

win32/Crypto virus - Page 1 2wg6fte

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus2nd August 2009, 2:44 am

more_horiz
I was nearing the end of the GMER scan when my computer crashed, when I restarted, Malwarebytes' decided to do a full scan, so I'm letting that finish before I re-run the GMER I'll post the results of both here, if you like.

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus2nd August 2009, 6:49 pm

more_horiz
Yes please do so.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate

win32/Crypto virus - Page 1 2wg6fte

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus2nd August 2009, 7:41 pm

more_horiz
The scan didn't pick anything up, and my computer crashed in the middle of the GMER scan (This was yesterday) so I just restarted it today.
Okay. It happened again. My computer keeps crashing in the middle of the GMER scan. I'm not sure if it is the program or the viruses at this point.

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus2nd August 2009, 7:45 pm

more_horiz
Lets try a different approach:

Please close all anti virus, anti malware and any other open programs/windows so they do not interfere with the running of RootRepeal.

  • Please download RootRepeal.zip from here.
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
    win32/Crypto virus - Page 1 Ty87394lm6zwsm8gt

  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
    win32/Crypto virus - Page 1 Jzploa1hjbxcmszn3j35
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate

win32/Crypto virus - Page 1 2wg6fte

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus2nd August 2009, 8:02 pm

more_horiz
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/02 12:51
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8846000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA63C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7514000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\user\local settings\temp\fla63.tmp
Status: Allocation size mismatch (API: 2949120, Raw: 2818048)

Path: c:\documents and settings\user\application data\skype\saeiane\etilqs_7r0j4aicmwmhc55aafyn
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\user\application data\skype\saeiane\etilqs_hgblquk2kqg4q6lkfx4f
Status: Allocation size mismatch (API: 16384, Raw: 0)

Path: c:\documents and settings\user\application data\skype\saeiane\etilqs_hgmijg7yn9hlghnj1xtf
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\documents and settings\user\application data\skype\saeiane\etilqs_nmsmyvwobxpmqgz02gn2
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Documents and Settings\User\Local Settings\Temp\foxtab\thumbs\1_13
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\User\Local Settings\Temp\foxtab\thumbs\1_13_S
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\U5dsINtWHZrCp40BtRZ0fSnEPgQ=.dt2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\U5dsINtWHZrCp40BtRZ0fSnEPgQ=.id2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\uYiL3I6wECi2FBZ18LoLa42F3DbAA=.dt2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\uYiL3I6wECi2FBZ18LoLa42F3DbAA=.id2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\VU+2LRozWygfvX2ToZ3yVItvBqU=.dt2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\VU+2LRozWygfvX2ToZ3yVItvBqU=.id2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\W3z2Fl7BcwHo7TvupXULPDmuHbmg=.dt2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\W3z2Fl7BcwHo7TvupXULPDmuHbmg=.id2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\wQUC3SBMDf9nRLHrU4D0EOEr+Xw=.dt2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\wQUC3SBMDf9nRLHrU4D0EOEr+Xw=.id2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\WrX9UQfQ42sdQJHnKKHntqwsjW8=.dt2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\WrX9UQfQ42sdQJHnKKHntqwsjW8=.id2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\iX8I+4RxAx7eNJMfPu3UVCEJPu4=.dt2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\iX8I+4RxAx7eNJMfPu3UVCEJPu4=.id2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\J67nDZ9YeJaRytjW9SUlu+Flj+8=.dt2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\J67nDZ9YeJaRytjW9SUlu+Flj+8=.id2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\kfJ0h2i2Fg6VdM2Y2FFjTHxh78JT0=.dt2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\kfJ0h2i2Fg6VdM2Y2FFjTHxh78JT0=.id2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\MEf+nDAhOVpN0z65Bhf2FlzIjcRk=.dt2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\MEf+nDAhOVpN0z65Bhf2FlzIjcRk=.id2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\muhp0Kv+Hqp4clcZPe1Bd53SqCM=.dt2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\muhp0Kv+Hqp4clcZPe1Bd53SqCM=.id2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\n1B2FD6Eb+pwuhV8sVO0HIq9pgcc=.dt2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\n1B2FD6Eb+pwuhV8sVO0HIq9pgcc=.id2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Messenger\no_regrets200@hotmail.com\ObjectStore\UserTile\8EOQRkQwSKwnRcnwZkRaMfcGa54=.dt2
Status: Invisible to the Windows API!
Done and done.

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus2nd August 2009, 8:04 pm

more_horiz
1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
c:\documents and settings\user\local settings\temp\fla63.tmp
c:\documents and settings\user\application data\skype\saeiane\etilqs_7r0j4aicmwmhc55aafyn
c:\documents and settings\user\application data\skype\saeiane\etilqs_hgblquk2kqg4q6lkfx4f
c:\documents and settings\user\application data\skype\saeiane\etilqs_hgmijg7yn9hlghnj1xtf
c:\documents and settings\user\application data\skype\saeiane\etilqs_nmsmyvwobxpmqgz02gn2



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate

win32/Crypto virus - Page 1 2wg6fte

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus2nd August 2009, 8:12 pm

more_horiz
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\documents and settings\user\local settings\temp\fla63.tmp" deleted successfully.
File "c:\documents and settings\user\application data\skype\saeiane\etilqs_7r0j4aicmwmhc55aafyn" deleted successfully.

Error: file "c:\documents and settings\user\application data\skype\saeiane\etilqs_hgblquk2kqg4q6lkfx4f" not found!
Deletion of file "c:\documents and settings\user\application data\skype\saeiane\etilqs_hgblquk2kqg4q6lkfx4f" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\documents and settings\user\application data\skype\saeiane\etilqs_hgmijg7yn9hlghnj1xtf" not found!
Deletion of file "c:\documents and settings\user\application data\skype\saeiane\etilqs_hgmijg7yn9hlghnj1xtf" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\documents and settings\user\application data\skype\saeiane\etilqs_nmsmyvwobxpmqgz02gn2" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus2nd August 2009, 8:17 pm

more_horiz
Now open a new notepad file.
Input this into the notepad file:

Driver::
vtayn



Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
win32/Crypto virus - Page 1 Sfxdaw

This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate

win32/Crypto virus - Page 1 2wg6fte

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus2nd August 2009, 9:09 pm

more_horiz
ComboFix 09-08-01.09 - User 08/02/2009 13:53.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2038.1365 [GMT -7:00]
Running from: c:\documents and settings\User\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\User\My Documents\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-07-02 to 2009-08-02 )))))))))))))))))))))))))))))))
.

2009-07-31 00:22 . 2004-08-04 11:00 6656 ----a-w- c:\windows\system32\dllcache\c_is2022.dll
2009-07-30 22:47 . 2009-07-30 22:57 -------- d-s---w- C:\ComboFix1
2009-07-30 03:11 . 2009-07-30 03:11 -------- d-sh--w- C:\found.006
2009-07-28 19:49 . 2009-07-28 19:55 -------- d-s---w- C:\Combo-Fix
2009-07-28 00:57 . 2009-07-28 00:57 -------- d-----w- c:\program files\Trend Micro
2009-07-25 10:37 . 2009-07-25 10:37 -------- d-----w- c:\program files\SnailWeb
2009-07-25 10:37 . 2009-07-25 10:37 -------- d-----w- c:\windows\system32\Temp
2009-07-25 10:29 . 2009-08-02 20:31 -------- d-----w- c:\program files\AOA
2009-07-21 03:35 . 2009-07-21 03:35 -------- d-----w- c:\documents and settings\User\Application Data\Ultra Fractal 5
2009-07-20 06:45 . 2009-07-20 06:45 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-20 06:45 . 2009-08-02 17:41 -------- d-----w- c:\documents and settings\User\Application Data\skypePM
2009-07-20 06:43 . 2009-08-02 20:48 -------- d-----w- c:\documents and settings\User\Application Data\Skype
2009-07-20 06:42 . 2009-07-20 06:42 -------- d-----w- c:\program files\Common Files\Skype
2009-07-20 06:42 . 2009-07-20 23:02 -------- d-----r- c:\program files\Skype
2009-07-20 06:42 . 2009-07-20 06:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-07-16 12:51 . 2009-07-16 12:51 -------- d-sh--w- C:\found.005
2009-07-15 11:45 . 2009-07-15 11:49 -------- d-----w- c:\program files\Realspace3_at
2009-07-11 18:41 . 2009-07-11 18:41 -------- d-----w- c:\documents and settings\Debbie\Local Settings\Application Data\Apple Computer
2009-07-11 17:24 . 2009-07-11 17:25 -------- d-----w- c:\program files\Shockwave.com
2009-07-07 02:16 . 2009-07-07 03:32 -------- d-----w- c:\windows\system32\Adobe
2009-07-04 15:08 . 2009-07-04 15:07 2054424 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-04 15:08 . 2009-07-04 15:07 2167576 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgresf.dll
2009-07-04 15:08 . 2009-07-04 15:07 3403032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-02 20:57 . 2009-06-27 22:43 -------- d-----w- c:\documents and settings\User\Application Data\DNA
2009-08-02 20:47 . 2009-06-27 22:43 -------- d-----w- c:\program files\DNA
2009-08-02 19:27 . 2009-04-14 00:19 4058 ----a-w- c:\documents and settings\User\Application Data\wklnhst.dat
2009-08-02 01:32 . 2009-06-20 00:44 -------- d-----w- c:\program files\Apophysis 2.0
2009-08-01 11:00 . 2009-04-08 18:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-01 11:00 . 2009-04-08 18:50 3775175 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-29 03:30 . 2009-05-13 19:46 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2009-07-29 03:30 . 2009-05-13 19:43 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2009-07-13 20:36 . 2009-04-08 18:49 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 20:36 . 2009-04-08 18:49 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-04 15:07 . 2009-04-08 19:11 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 16:12 . 2004-08-10 18:51 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-10 18:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-10 18:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-27 23:20 . 2009-06-27 22:42 -------- d-----w- c:\program files\GamersFirst
2009-06-27 23:20 . 2008-02-10 19:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-26 08:28 . 2009-04-22 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-06-26 06:55 . 2009-06-25 11:17 -------- d-----w- c:\documents and settings\User\Application Data\GetRightToGo
2009-06-25 22:46 . 2009-06-25 22:46 -------- d-----w- c:\program files\Acclaim
2009-06-25 01:51 . 2009-06-25 01:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-25 01:51 . 2009-06-25 01:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-25 01:51 . 2009-04-08 19:11 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-25 01:51 . 2009-04-08 19:11 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-18 00:44 . 2008-02-10 20:08 -------- d-----w- c:\program files\Google
2009-06-18 00:42 . 2009-06-18 00:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-16 14:55 . 2004-08-10 18:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2004-08-10 18:51 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 23:07 . 2009-06-27 13:44 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-14 08:33 . 2008-02-10 20:07 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-14 08:25 . 2009-06-12 20:21 -------- d-----w- c:\program files\iWin Games
2009-06-13 14:53 . 2009-06-12 20:12 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-13 13:40 . 2009-06-13 13:40 -------- d-----w- c:\documents and settings\Debbie\Application Data\iWin
2009-06-12 20:22 . 2009-06-12 20:22 -------- d-----w- c:\documents and settings\All Users\Application Data\iWin Games
2009-06-12 20:12 . 2009-06-12 20:12 -------- d-----w- c:\documents and settings\Debbie\Application Data\pixelStorm
2009-06-11 19:28 . 2008-02-10 20:45 -------- d-----w- c:\program files\Microsoft Works
2009-06-11 17:29 . 2009-06-11 03:21 -------- d-----w- c:\documents and settings\Debbie\Application Data\AVGTOOLBAR
2009-06-11 03:21 . 2009-06-11 03:21 -------- d-----w- c:\documents and settings\Debbie\Application Data\Yahoo!
2009-06-05 01:04 . 2009-06-05 01:04 -------- d-----w- c:\documents and settings\User\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-06-03 19:27 . 2004-08-10 18:51 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-01 01:59 . 2009-06-05 01:04 38200 ----a-w- c:\documents and settings\User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-05-23 06:56 . 2009-04-08 17:18 56528 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-19 10:59 . 2009-05-19 11:00 17416 ----a-w- c:\windows\Fonts\RUNE.TTF
2009-05-08 23:56 . 2009-05-08 23:56 92 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\uninst2.bat
2009-05-08 23:55 . 2009-05-08 23:55 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstWMP\unins000.exe
2009-05-07 15:44 . 2004-08-10 18:51 344064 ----a-w- c:\windows\system32\localspl.dll
2009-07-23 04:01 . 2009-04-10 17:03 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-02-10 19:55 . 2008-02-10 19:55 76 --sh--r- c:\windows\CT4CET.bin
.
The rest in subsequent messages.

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus2nd August 2009, 9:11 pm

more_horiz

((((((((((((((((((((((((((((( SnapShot_2009-07-30_22.55.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-02 20:47 . 2009-08-02 20:47 16384 c:\windows\Temp\Perflib_Perfdata_c60.dat
+ 2009-07-31 00:22 . 2004-08-04 11:00 76288 c:\windows\system32\uniime.dll
+ 2004-08-10 18:51 . 2009-08-02 20:51 63418 c:\windows\system32\perfc009.dat
- 2004-08-10 18:51 . 2009-07-30 22:27 63418 c:\windows\system32\perfc009.dat
+ 2009-07-31 00:23 . 2004-08-04 11:00 98304 c:\windows\system32\msir3jp.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 70656 c:\windows\system32\korwbrkr.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 10240 c:\windows\system32\IME\TINTLGNT\TMIGRATE.DLL
+ 2009-07-31 00:22 . 2004-08-04 11:00 44032 c:\windows\system32\IME\TINTLGNT\TINTLPHR.EXE
+ 2009-07-31 00:22 . 2004-08-04 11:00 67584 c:\windows\system32\IME\PINTLGNT\PMIGRATE.DLL
+ 2009-07-31 00:22 . 2004-08-04 11:00 70144 c:\windows\system32\IME\PINTLGNT\PINTLPHR.EXE
+ 2009-07-31 00:22 . 2004-08-04 11:00 59392 c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
+ 2009-07-31 00:22 . 2004-08-04 11:00 86073 c:\windows\system32\dllcache\voicesub.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 76288 c:\windows\system32\dllcache\uniime.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 10240 c:\windows\system32\dllcache\tmigrate.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 44032 c:\windows\system32\dllcache\tintlphr.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 67584 c:\windows\system32\dllcache\pmigrate.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 70144 c:\windows\system32\dllcache\pintlphr.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 53760 c:\windows\system32\dllcache\pintlcsd.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 15360 c:\windows\system32\dllcache\padrs804.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 14336 c:\windows\system32\dllcache\padrs412.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 36927 c:\windows\system32\dllcache\padrs411.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 15872 c:\windows\system32\dllcache\padrs404.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 98304 c:\windows\system32\dllcache\msir3jp.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 70656 c:\windows\system32\dllcache\korwbrkr.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 59392 c:\windows\system32\dllcache\imscinst.exe
+ 2009-07-31 00:23 . 2004-08-04 11:00 59904 c:\windows\system32\dllcache\imkrinst.exe
+ 2009-07-31 00:23 . 2004-08-04 11:00 45109 c:\windows\system32\dllcache\imjpuex.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 81976 c:\windows\system32\dllcache\imjpdct.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 57398 c:\windows\system32\dllcache\imjpdadm.exe
+ 2009-07-31 00:23 . 2004-08-04 11:00 44032 c:\windows\system32\dllcache\imekrmig.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 86016 c:\windows\system32\dllcache\imekrmbx.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 36864 c:\windows\system32\dllcache\hanjadic.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 57399 c:\windows\system32\dllcache\cplexe.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 56320 c:\windows\system32\dllcache\chtskdic.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 97792 c:\windows\system32\dllcache\chtmbx.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 19456 c:\windows\system32\dllcache\agt0804.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 19456 c:\windows\system32\dllcache\agt0412.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 19456 c:\windows\system32\dllcache\agt0411.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 19456 c:\windows\system32\dllcache\agt0404.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 19456 c:\windows\msagent\intl\agt0804.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 19456 c:\windows\msagent\intl\agt0412.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 19456 c:\windows\msagent\intl\agt0411.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 19456 c:\windows\msagent\intl\agt0404.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 15360 c:\windows\ime\shared\res\padrs804.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 14336 c:\windows\ime\shared\res\padrs412.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 36927 c:\windows\ime\shared\res\padrs411.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 15872 c:\windows\ime\shared\res\PADRS404.DLL
+ 2009-07-31 00:23 . 2004-08-04 11:00 59904 c:\windows\ime\imkr6_1\imkrinst.exe
+ 2009-07-31 00:23 . 2004-08-04 11:00 44032 c:\windows\ime\imkr6_1\imekrmig.exe
+ 2009-07-31 00:23 . 2004-08-04 11:00 36864 c:\windows\ime\imkr6_1\dicts\hanjadic.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 86016 c:\windows\ime\imkr6_1\applets\imekrmbx.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 45109 c:\windows\ime\imjp8_1\imjpuex.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 81976 c:\windows\ime\imjp8_1\imjpdct.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 57398 c:\windows\ime\imjp8_1\imjpdadm.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 57399 c:\windows\ime\imjp8_1\cplexe.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 86073 c:\windows\ime\imjp8_1\applets\voicesub.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 56320 c:\windows\ime\CHTIME\Applets\CHTSKDIC.DLL
+ 2009-07-31 00:22 . 2004-08-04 11:00 97792 c:\windows\ime\CHTIME\Applets\CHTMBX.DLL
+ 2009-07-31 00:22 . 2004-08-04 11:00 53760 c:\windows\ime\chsime\applets\PINTLCSD.DLL
+ 2009-07-31 00:23 . 2004-08-04 11:00 7680 c:\windows\system32\kbdnecNT.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 9216 c:\windows\system32\kbdnecAT.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 7168 c:\windows\system32\kbdnec95.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 6144 c:\windows\system32\kbdlk41j.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 6656 c:\windows\system32\kbdlk41a.dll
+ 2009-07-31 00:22 . 2001-08-18 05:36 8192 c:\windows\system32\kbdkor.dll
+ 2009-07-31 00:22 . 2001-08-18 05:36 8704 c:\windows\system32\kbdjpn.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 7168 c:\windows\system32\kbdibm02.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 6144 c:\windows\system32\kbdax2.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 6144 c:\windows\system32\kbd106n.dll
+ 2009-07-31 00:22 . 2001-08-17 21:55 6144 c:\windows\system32\kbd106.dll
+ 2009-07-31 00:22 . 2001-08-17 21:55 5632 c:\windows\system32\kbd103.dll
+ 2009-07-31 00:22 . 2001-08-17 21:55 6144 c:\windows\system32\kbd101c.dll
+ 2009-07-31 00:22 . 2001-08-17 21:55 6144 c:\windows\system32\kbd101b.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 6144 c:\windows\system32\kbd101a.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 6144 c:\windows\system32\kbd101.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 7168 c:\windows\system32\f3ahvoas.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 7680 c:\windows\system32\dllcache\kbdnecnt.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 9216 c:\windows\system32\dllcache\kbdnecat.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 7168 c:\windows\system32\dllcache\kbdnec95.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 6144 c:\windows\system32\dllcache\kbdlk41j.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 6656 c:\windows\system32\dllcache\kbdlk41a.dll
+ 2009-07-31 00:22 . 2001-08-18 05:36 8192 c:\windows\system32\dllcache\kbdkor.dll
+ 2009-07-31 00:22 . 2001-08-18 05:36 8704 c:\windows\system32\dllcache\kbdjpn.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 7168 c:\windows\system32\dllcache\kbdibm02.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 6144 c:\windows\system32\dllcache\kbdax2.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 6144 c:\windows\system32\dllcache\kbd106n.dll
+ 2009-07-31 00:22 . 2001-08-17 21:55 6144 c:\windows\system32\dllcache\kbd106.dll
+ 2009-07-31 00:22 . 2001-08-17 21:55 5632 c:\windows\system32\dllcache\kbd103.dll
+ 2009-07-31 00:22 . 2001-08-17 21:55 6144 c:\windows\system32\dllcache\kbd101c.dll
+ 2009-07-31 00:22 . 2001-08-17 21:55 6144 c:\windows\system32\dllcache\kbd101b.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 6144 c:\windows\system32\dllcache\kbd101a.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 6144 c:\windows\system32\dllcache\kbd101.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 7168 c:\windows\system32\dllcache\f3ahvoas.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 6656 c:\windows\system32\c_is2022.dll
- 2004-08-10 18:51 . 2009-07-30 22:27 402974 c:\windows\system32\perfh009.dat
+ 2004-08-10 18:51 . 2009-08-02 20:51 402974 c:\windows\system32\perfh009.dat
+ 2009-07-31 00:22 . 2004-08-04 11:00 811064 c:\windows\system32\imjp81k.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 455168 c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
+ 2009-07-31 00:22 . 2004-08-04 11:00 480256 c:\windows\system32\IME\CINTLGNT\CINTSETP.EXE
+ 2009-07-31 00:22 . 2004-08-04 11:00 198656 c:\windows\system32\IME\CINTLGNT\CINTIME.DLL
+ 2004-08-10 18:57 . 2009-07-31 12:53 236760 c:\windows\system32\FNTCACHE.DAT
+ 2009-07-31 00:22 . 2004-08-04 11:00 426041 c:\windows\system32\dllcache\voicepad.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 455168 c:\windows\system32\dllcache\tintsetp.exe
+ 2009-07-31 00:23 . 2004-08-04 11:00 143422 c:\windows\system32\dllcache\softkey.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 175104 c:\windows\system32\dllcache\pintlcsa.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 229439 c:\windows\system32\dllcache\multibox.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 315452 c:\windows\system32\dllcache\imskf.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 471102 c:\windows\system32\dllcache\imskdic.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 102456 c:\windows\system32\dllcache\imlang.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 274489 c:\windows\system32\dllcache\imjputyc.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 262200 c:\windows\system32\dllcache\imjputy.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 233527 c:\windows\system32\dllcache\imjprw.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 208952 c:\windows\system32\dllcache\imjpmig.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 196665 c:\windows\system32\dllcache\imjpinst.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 155705 c:\windows\system32\dllcache\imjpdsvr.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 307257 c:\windows\system32\dllcache\imjpdct.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 716856 c:\windows\system32\dllcache\imjpcus.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 368696 c:\windows\system32\dllcache\imjpcic.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 811064 c:\windows\system32\dllcache\imjp81k.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 311359 c:\windows\system32\dllcache\imepadsv.exe
+ 2009-07-31 00:23 . 2004-08-04 11:00 102463 c:\windows\system32\dllcache\imepadsm.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 106496 c:\windows\system32\dllcache\imekrcic.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 480256 c:\windows\system32\dllcache\cintsetp.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 198656 c:\windows\system32\dllcache\cintime.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 173568 c:\windows\system32\dllcache\chtskf.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 838144 c:\windows\system32\dllcache\chtbrkr.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 218112 c:\windows\system32\dllcache\c_g18030.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 838144 c:\windows\system32\chtbrkr.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 218112 c:\windows\system32\c_g18030.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 102456 c:\windows\ime\shared\imlang.dll
had to cut this one off in the middle

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus2nd August 2009, 9:11 pm

more_horiz

+ 2009-07-31 00:23 . 2004-08-04 11:00 311359 c:\windows\ime\shared\imepadsv.exe
+ 2009-07-31 00:23 . 2004-08-04 11:00 102463 c:\windows\ime\shared\imepadsm.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 106496 c:\windows\ime\imkr6_1\imekrcic.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 274489 c:\windows\ime\imjp8_1\imjputyc.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 262200 c:\windows\ime\imjp8_1\imjputy.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 233527 c:\windows\ime\imjp8_1\imjprw.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 208952 c:\windows\ime\imjp8_1\imjpmig.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 196665 c:\windows\ime\imjp8_1\imjpinst.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 155705 c:\windows\ime\imjp8_1\imjpdsvr.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 307257 c:\windows\ime\imjp8_1\imjpdct.exe
+ 2009-07-31 00:22 . 2004-08-04 11:00 716856 c:\windows\ime\imjp8_1\imjpcus.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 368696 c:\windows\ime\imjp8_1\imjpcic.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 426041 c:\windows\ime\imjp8_1\applets\voicepad.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 143422 c:\windows\ime\imjp8_1\applets\softkey.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 229439 c:\windows\ime\imjp8_1\applets\multibox.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 315452 c:\windows\ime\imjp8_1\applets\imskf.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 471102 c:\windows\ime\imjp8_1\applets\imskdic.dll
+ 2009-07-31 00:22 . 2004-08-04 11:00 173568 c:\windows\ime\CHTIME\Applets\CHTSKF.DLL
+ 2009-07-31 00:22 . 2004-08-04 11:00 175104 c:\windows\ime\chsime\applets\PINTLCSA.DLL
+ 2009-07-31 00:23 . 2004-08-04 11:00 1677824 c:\windows\system32\dllcache\chsbrkr.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 1677824 c:\windows\system32\chsbrkr.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 10129408 c:\windows\system32\dllcache\hwxkor.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 13463552 c:\windows\system32\dllcache\hwxjpn.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 10096640 c:\windows\system32\dllcache\hwxcht.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 10129408 c:\windows\ime\imkr6_1\applets\hwxkor.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 13463552 c:\windows\ime\imjp8_1\applets\hwxjpn.dll
+ 2009-07-31 00:23 . 2004-08-04 11:00 10096640 c:\windows\ime\CHTIME\Applets\HWXCHT.DLL
.
-- Snapshot reset to current date --
.
final post next

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus2nd August 2009, 9:11 pm

more_horiz

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 17:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-03-18 4363504]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-18 39408]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-06-27 318272]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-06-26 25604904]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-25 1948440]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2009-5-13 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-25 01:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57866:TCP"= 57866:TCP:Pando Media Booster
"57866:UDP"= 57866:UDP:Pando Media Booster
"56882:TCP"= 56882:TCP:Pando Media Booster
"56882:UDP"= 56882:UDP:Pando Media Booster

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/8/2009 12:11 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/8/2009 12:11 PM 108552]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [9/10/2007 11:45 PM 124832]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/24/2009 6:51 PM 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/24/2009 6:51 PM 298776]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2/10/2008 12:27 PM 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2/10/2008 12:27 PM 7424]
S2 gupdate1c9efadd513e000;Google Update Service (gupdate1c9efadd513e000);c:\program files\Google\Update\GoogleUpdate.exe [6/17/2009 5:43 PM 133104]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\User\My Documents\SysProtDrv.sys [7/29/2009 11:58 AM 44288]
S3 vtayn;vtayn;\??\c:\docume~1\User\LOCALS~1\Temp\vtayn.sys --> c:\docume~1\User\LOCALS~1\Temp\vtayn.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-08-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-18 00:42]

2009-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-18 00:43]

2009-08-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-18 00:43]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4080210
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\hhawh3vp.default\
FF - prefs.js: browser.startup.homepage - hxxp://zeldaconnetion.deviantart.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-02 14:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(176)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-08-02 14:05
ComboFix-quarantined-files.txt 2009-08-02 21:05
ComboFix2.txt 2009-07-30 22:57
ComboFix3.txt 2009-07-28 19:55

Pre-Run: 205,751,316,480 bytes free
Post-Run: 205,944,090,624 bytes free

359 --- E O F --- 2009-07-31 10:47

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus2nd August 2009, 9:16 pm

more_horiz
1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
vtayn.sys



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate

win32/Crypto virus - Page 1 2wg6fte

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus2nd August 2009, 9:23 pm

more_horiz
Oh dear. No log file came up, and I can't access the "my computer" folder to look for it. It comes up as the searching for files flashlight. Nor can I open msn or yim. They automatically come up usually, but not even manually (I tried to open them to see if I could trace it back to My Computer)

It took a while but I was able to open them, except, no log.

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus2nd August 2009, 9:27 pm

more_horiz
Lets try another ComboFix script:

Now open a new notepad file.
Input this into the notepad file:

Rootkit::
c:\docume~1\User\LOCALS~1\Temp\vtayn.sys


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
win32/Crypto virus - Page 1 Sfxdaw

This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate

win32/Crypto virus - Page 1 2wg6fte

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus2nd August 2009, 9:59 pm

more_horiz
It froze (I think) around stage 16, something came up (It might've been from accidentally opening FF) and it stopped scanning further, so should I retry?

________________________________
I tried it again, no open windows, no opening anything, lol and it stopped again at stage 16. So I tried to restart and my computer wouldn't turn off fully (I did it manually) and so, here I am now...

So I'm going to ask you at this point if I should just wait it out until I DO have enough money to say, go to Debug Computers, or if you think you really can help any further, I'm sure by now I've pushed on your nerves and possibly your limits, so. What do you think?

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus3rd August 2009, 7:58 pm

more_horiz
Hello.
Aside from a driver, and the file that doesn't exist anyway, how is the machine running?

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
win32/Crypto virus - Page 1 DXwU4
win32/Crypto virus - Page 1 VvYDg

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus4th August 2009, 1:11 am

more_horiz
It runs well, occasionally IE will try to become the default browser which is a little annoying, but as of so far, no major problems have occurred; at least that I've noticed. I'm still able to browse the internet and my own files normally (I mainly use this computer for gaming, keeping up with people, and art.).

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus4th August 2009, 7:13 pm

more_horiz
Okay, this should be fine now.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
win32/Crypto virus - Page 1 DXwU4
win32/Crypto virus - Page 1 VvYDg

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus4th August 2009, 7:41 pm

more_horiz
Thanks for the help mates, I recommended you guys to a friend.

descriptionwin32/Crypto virus - Page 1 EmptyRe: win32/Crypto virus

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum