win32/cryptor found in Iexplorer.exe and evchost.exe

2 posters

WiredWX Christian Hobby Weather Tools :: GeekPolice tech support archive :: Technical Support

win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 11:47 am

Scanned with AVG internet security. found the above. Help please. symptoms: slow, crashing.
__________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:24 PM, on 5/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Kiwee Toolbar2\1.4.127\kwtbaim.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Apps\EZHome\EZStatus.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\handsome kevin\Desktop\hijackgpthis.exe

Thanks.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 11:48 am

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll
O1 - Hosts: 87.118.118.162 nprotect.roseonlinegame.com
O1 - Hosts: 87.118.118.162 update.nprotect.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: 100% Free Chess Toolbar Helper - {AE4F4014-3BF4-4CEB-B46C-3730A2340C4E} - C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: 100% Free Chess Toolbar - {6F4F95AF-1647-4B72-A632-055405455423} - C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll (file missing)
O3 - Toolbar: Kiwee Toolbar - {6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - C:\Program Files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KiweeHook] "C:\Program Files\Kiwee Toolbar2\1.4.127\kwtbaim.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Bron-Spizaetus] "C:\WINDOWS\ShellNew\sempalong.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EzStatus] C:\Apps\EZHome\EZStatus.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\handsome kevin\Local Settings\Application Data\smss.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [sysav] C:\Documents and Settings\handsome kevin\Application Data\winav.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: iTunes.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe (User 'Default user')
O4 - .DEFAULT Startup: iTunes.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: iTunes.lnk = ?
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n034p/EN/install/gtdownlr.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8DE6AB9C-8C62-486B-8C06-5C9AD6FD06F1} (DataStore Class) - http://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - http://secure.gopetslive.com/dev/GoPetsWeb.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ?? LiveUpdate ??? (Automatic LiveUpdate Scheduler) - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MrHealthy (MrHealthyService) - Symantec Corporation - C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: OneStepSearch Service - OneStepSearch.net, Inc. - C:\Program Files\OneStep\onestep.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe

--
End of file - 16894 bytes

Sorry, It said the post was too large, so two posts Smile!

Thanks.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:01 pm

Hello.

Open HijackThis
Choose "Do a system scan only"
Check the boxes in front of these lines:

O1 - Hosts: 87.118.118.162 nprotect.roseonlinegame.com
O1 - Hosts: 87.118.118.162 update.nprotect.com
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
O2 - BHO: WinInet Class - {39fc2065-c9c7-49cd-8942-44cc2dedc844} - C:\WINDOWS\ieocx.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: 100% Free Chess Toolbar Helper - {AE4F4014-3BF4-4CEB-B46C-3730A2340C4E} - C:\Program Files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll (file missing)
O4 - HKCU\..\Run: [Tok-Cirrhatus] "C:\Documents and Settings\handsome kevin\Local Settings\Application Data\smss.exe"
O4 - HKCU\..\Run: [sysav] C:\Documents and Settings\handsome kevin\Application Data\winav.exe
Press "Fix Checked"
Close Hijack This.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.

Leave the script box empty.
Leave the ticked box "Scan for rootkit" ticked.
Then tick "Disable any rootkits found"
Now click on the Execute to begin execution of the script.
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
It will Restart your computer.
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

3. Please copy/paste the content of c:\avenger.txt into your reply.

............................................................................................
Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
win32/cryptor found in Iexplorer.exe and evchost.exe DXwU4

win32/cryptor found in Iexplorer.exe and evchost.exe DXwU4

win32/cryptor found in Iexplorer.exe and evchost.exe VvYDg

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:13 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Completed script processing.

*******************

Finished! Terminate.

Thanks for the quick reply Smile!

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:22 pm

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:27 pm

The installation is not working. I click it, press 'run'. it loads for a while then nothing happens.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:29 pm

Hello.
This rootkit has stepped up a step, the avenger can no longer see it. But, don't give up hope, we still have many tools at our disposal.

Please close all anti virus, anti malware and any other open programs/windows so they do not interfere with the running of RootRepeal.

Please download RootRepeal.zip from here.
Extract the program file to your Desktop.
Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
Select ALL of the checkboxes and then click OK and it will start scanning your system.
If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
When done, click on Save Report
Save it to the Desktop.
Please copy/paste the contents of the report in your next reply.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:51 pm

ROOTREPEAL (c) AD, 2007-2008
==================================================
Scan Time: 2009/05/15 23:35
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: duauik.sys
Image Path: C:\WINDOWS\system32\drivers\duauik.sys
Address: 0xAAD2F000 Size: 61440 File Visible: No
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xAAA7D000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7ACB000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA6BA6000 Size: 45056 File Visible: No
Status: -

Name: UACwpdwyhktlvltabo.sys
Image Path: C:\WINDOWS\system32\drivers\UACwpdwyhktlvltabo.sys
Address: 0xAAC94000 Size: 77824 File Visible: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\UAChrmlamyxqvoyjte.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAChwvvuptgjilxfuj.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UAColmeypneflcxunu.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACqdsxndlakmvekec.log
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACqidlvrdomtlkklf.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACswwwptpxubrqoxg.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACuyavwyqubhyiqrr.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\92b11594-431f-435e-a76d-27076ba66f96.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\fd2910c3-5f9f-45c0-8af9-b7096397a818.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\UACwpdwyhktlvltabo.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Temp\UACea89.tmp
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Apple Computer\Safari\WebpageIcons.db
Status: Allocation size mismatch (API: 544768, Raw: 540672)

Path: C:\Documents and Settings\handsome kevin\My Documents\LimeWire\Incomplete\LPG3GGDE27LNQRLKGLED3UW6YS74CTSC\The Beatles - The White Album (MP3@320Kbps)\The Beatles - The White Album (MP3@320Kbps)\CD 2\04 - Everybody's Got Something to Hide Except Me and My Monkey.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Aycnrz@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{F937BB9E-B1AB-4609-B67C-AFDF9C29B3ED}\01\10-{F937BB9E-B1AB-4609-B67C-AFDF9C29B3ED}-v1-{2136D1B7-6323-4590-82B3-B7BF801003BF}-v10-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Aycnrz@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{F937BB9E-B1AB-4609-B67C-AFDF9C29B3ED}\11\11-{2136D1B7-6323-4590-82B3-B7BF801003BF}-v11-{2136D1B7-6323-4590-82B3-B7BF801003BF}-v11-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Aycnrz@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{F937BB9E-B1AB-4609-B67C-AFDF9C29B3ED}\12\12-{2136D1B7-6323-4590-82B3-B7BF801003BF}-v12-{2136D1B7-6323-4590-82B3-B7BF801003BF}-v12-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Aycnrz@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{F937BB9E-B1AB-4609-B67C-AFDF9C29B3ED}\13\13-{2136D1B7-6323-4590-82B3-B7BF801003BF}-v13-{2136D1B7-6323-4590-82B3-B7BF801003BF}-v13-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Aycnrz@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{F937BB9E-B1AB-4609-B67C-AFDF9C29B3ED}\14\14-{2136D1B7-6323-4590-82B3-B7BF801003BF}-v14-{2136D1B7-6323-4590-82B3-B7BF801003BF}-v14-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Aycnrz@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{F937BB9E-B1AB-4609-B67C-AFDF9C29B3ED}\15\15-{2136D1B7-6323-4590-82B3-B7BF801003BF}-v15-{2136D1B7-6323-4590-82B3-B7BF801003BF}-v15-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\muckajuck_ohmygoatcheese@msn.com\DFSR\Staging\CS{968427C6-A9EF-3CFE-86F6-6CF97505F4DE}\01\128-{968427C6-A9EF-3CFE-86F6-6CF97505F4DE}-v1-{D2B6D563-A548-4545-83E8-A4BBED260EBA}-v128-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\muckajuck_ohmygoatcheese@msn.com\DFSR\Staging\CS{968427C6-A9EF-3CFE-86F6-6CF97505F4DE}\11\87-{436C83D7-38E8-42ED-AE6E-711812629189}-v11-{64BBCC7A-7CA6-4EAA-8E7B-9C866F1BC0C8}-v87-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\muckajuck_ohmygoatcheese@msn.com\DFSR\Staging\CS{968427C6-A9EF-3CFE-86F6-6CF97505F4DE}\12\88-{436C83D7-38E8-42ED-AE6E-711812629189}-v12-{64BBCC7A-7CA6-4EAA-8E7B-9C866F1BC0C8}-v88-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\andyho6@hotmail.com\DFSR\Staging\CS{320D828C-AB19-60E8-38D4-92B517609C78}\01\22-{320D828C-AB19-60E8-38D4-92B517609C78}-v1-{D2B6D563-A548-4545-83E8-A4BBED260EBA}-v22-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\andyho6@hotmail.com\DFSR\Staging\CS{320D828C-AB19-60E8-38D4-92B517609C78}\59\59-{4045DD9D-BF7C-4ABC-BAAF-4C9701CFA946}-v59-{4045DD9D-BF7C-4ABC-BAAF-4C9701CFA946}-v59-Partial.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\billabong_boy202@hotmail.com\DFSR\Staging\CS{C5FAEAE4-33B0-5829-5A66-350B20E943B0}\01\170-{C5FAEAE4-33B0-5829-5A66-350B20E943B0}-v1-{D2B6D563-A548-4545-83E8-A4BBED260EBA}-v170-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\billabong_boy202@hotmail.com\DFSR\Staging\CS{C5FAEAE4-33B0-5829-5A66-350B20E943B0}\71\171-{D2B6D563-A548-4545-83E8-A4BBED260EBA}-v171-{D2B6D563-A548-4545-83E8-A4BBED260EBA}-v171-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\brigismylife.really@hotmail.com\DFSR\Staging\CS{4313AB4F-0A7E-E41B-CDA8-BD479B5AC9D9}\01\179-{4313AB4F-0A7E-E41B-CDA8-BD479B5AC9D9}-v1-{D2B6D563-A548-4545-83E8-A4BBED260EBA}-v179-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\brigismylife.really@hotmail.com\DFSR\Staging\CS{4313AB4F-0A7E-E41B-CDA8-BD479B5AC9D9}\11\11-{291949F4-0D07-43DE-82F5-6063B0956F1C}-v11-{291949F4-0D07-43DE-82F5-6063B0956F1C}-v11-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\brigismylife.really@hotmail.com\DFSR\Staging\CS{4313AB4F-0A7E-E41B-CDA8-BD479B5AC9D9}\13\13-{29~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\brigismylife.really@hotmail.com\DFSR\Staging\CS{4313AB4F-0A7E-E41B-CDA8-BD479B5AC9D9}\13\13-{29~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Locked to the Windows API!

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:52 pm

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\brigismylife.really@hotmail.com\DFSR\Staging\CS{4313AB4F-0A7E-E41B-CDA8-BD479B5AC9D9}\13\13-{29~2.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\brigismylife.really@hotmail.com\DFSR\Staging\CS{4313AB4F-0A7E-E41B-CDA8-BD479B5AC9D9}\14\14-{291949F4-0D07-43DE-82F5-6063B0956F1C}-v14-{291949F4-0D07-43DE-82F5-6063B0956F1C}-v14-Partial.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\brigismylife.really@hotmail.com\DFSR\Staging\CS{4313AB4F-0A7E-E41B-CDA8-BD479B5AC9D9}\31\231-{291949F4-0D07-43DE-82F5-6063B0956F1C}-v231-{291949F4-0D07-43DE-82F5-6063B0956F1C}-v231-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\guy_dickson4@hotmail.com\DFSR\Staging\CS{7CB7B07D-297C-3DA6-B0F6-B4474FAADC98}\01\123-{7CB7B07D-297C-3DA6-B0F6-B4474FAADC98}-v1-{D2B6D563-A548-4545-83E8-A4BBED260EBA}-v123-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\ice_mango16@hotmail.com\DFSR\Staging\CS{D1D48278-6455-F679-E5B8-44169A7A18BD}\01\124-{D1D48278-6455-F679-E5B8-44169A7A18BD}-v1-{D2B6D563-A548-4545-83E8-A4BBED260EBA}-v124-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\ice_mango16@hotmail.com\DFSR\Staging\CS{D1D48278-6455-F679-E5B8-44169A7A18BD}\40\140-{D~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\ice_mango16@hotmail.com\DFSR\Staging\CS{D1D48278-6455-F679-E5B8-44169A7A18BD}\40\140-{D~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\ice_mango16@hotmail.com\DFSR\Staging\CS{D1D48278-6455-F679-E5B8-44169A7A18BD}\40\140-{D~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\ice_mango16@hotmail.com\DFSR\Staging\CS{D1D48278-6455-F679-E5B8-44169A7A18BD}\40\140-{D~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\ice_mango16@hotmail.com\DFSR\Staging\CS{D1D48278-6455-F679-E5B8-44169A7A18BD}\40\140-{D~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\ice_mango16@hotmail.com\DFSR\Staging\CS{D1D48278-6455-F679-E5B8-44169A7A18BD}\40\140-{D~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\ice_mango16@hotmail.com\DFSR\Staging\CS{D1D48278-6455-F679-E5B8-44169A7A18BD}\40\140-{D~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\jisonio@hotmail.com\DFSR\Staging\CS{BA0FEB34-3840-3382-8CFA-E6047CA4924D}\01\187-{BA0FEB34-3840-3382-8CFA-E6047CA4924D}-v1-{D2B6D563-A548-4545-83E8-A4BBED260EBA}-v187-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\meanie_mean@hotmail.com\DFSR\Staging\CS{612F1502-4679-C32C-0FC2-447F73B16C4F}\01\127-{612F1502-4679-C32C-0FC2-447F73B16C4F}-v1-{D2B6D563-A548-4545-83E8-A4BBED260EBA}-v127-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\01\141-{3831FC23-EDF9-B501-C014-93719F7979F0}-v1-{D2B6D563-A548-4545-83E8-A4BBED260EBA}-v141-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\19\3830-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\19\3830-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\19\3830-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\19\3830-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\19\3830-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\24\3996-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\24\3996-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\24\3996-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\42\3829-{D2B6D563-A548-4545-83E8-A4BBED260EBA}-v142-{D884371E-8F7C-4BB2-AB54-D287CC7B2DC7}-v3829-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\43\3831-{D2B6D563-A548-4545-83E8-A4BBED260EBA}-v143-{D884371E-8F7C-4BB2-AB54-D287CC7B2DC7}-v3831-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\44\4135-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\44\4135-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\44\4135-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\44\4135-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\44\4135-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\44\4135-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\44\4135-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\56\5003-{D2B6D563-A548-4545-83E8-A4BBED260EBA}-v156-{D884371E-8F7C-4BB2-AB54-D287CC7B2DC7}-v5003-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\57\5088-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\57\5088-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\57\5088-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\57\5088-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\58\5004-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\58\5004-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\58\5004-{~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduck@hotmail.com\DFSR\Staging\CS{3831FC23-EDF9-B501-C014-93719F7979F0}\61\5366-{D2B6D563-A548-4545-83E8-A4BBED260EBA}-v161-{D884371E-8F7C-4BB2-AB54-D287CC7B2DC7}-v5366-Downloaded.frx
Status: Locked to the Windows API!

Path: C:\Documents and Settings\handsome kevin\Local Settings\Application Data\Microsoft\Messenger\Die_hard_168@hotmail.com\SharingMetadata\mistygolduckStealth Objects
-------------------

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:53 pm

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: winlogon.exe (PID: 732) Address: 0x006a0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: winlogon.exe (PID: 732) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: services.exe (PID: 780) Address: 0x00720000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: services.exe (PID: 780) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: lsass.exe (PID: 792) Address: 0x00870000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: lsass.exe (PID: 792) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: Ati2evxx.exe (PID: 968) Address: 0x00aa0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: Ati2evxx.exe (PID: 968) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: svchost.exe (PID: 1004) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: svchost.exe (PID: 1004) Address: 0x007f0000 Size: 45056

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: svchost.exe (PID: 1120) Address: 0x007f0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: svchost.exe (PID: 1120) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: svchost.exe (PID: 1492) Address: 0x007f0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: svchost.exe (PID: 1492) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: svchost.exe (PID: 1600) Address: 0x007f0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: svchost.exe (PID: 1600) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: Ati2evxx.exe (PID: 1624) Address: 0x00aa0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: Ati2evxx.exe (PID: 1624) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: svchost.exe (PID: 1820) Address: 0x007f0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: svchost.exe (PID: 1820) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: spoolsv.exe (PID: 180) Address: 0x00a90000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: spoolsv.exe (PID: 180) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: svchost.exe (PID: 440) Address: 0x007f0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: svchost.exe (PID: 440) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: AppleMobileDeviceService.exe (PID: 472) Address: 0x00730000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: AppleMobileDeviceService.exe (PID: 472) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: AluSchedulerSvc.exe (PID: 520) Address: 0x00790000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: AluSchedulerSvc.exe (PID: 520) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: avgwdsvc.exe (PID: 552) Address: 0x00720000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: avgwdsvc.exe (PID: 552) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: mDNSResponder.exe (PID: 568) Address: 0x00770000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: mDNSResponder.exe (PID: 568) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: avgrsx.exe (PID: 344) Address: 0x00750000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: avgrsx.exe (PID: 344) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: avgnsx.exe (PID: 348) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: avgnsx.exe (PID: 348) Address: 0x007b0000 Size: 45056

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: mdm.exe (PID: 696) Address: 0x00ac0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: mdm.exe (PID: 696) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: npkcmsvc.exe (PID: 1356) Address: 0x00750000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: npkcmsvc.exe (PID: 1356) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: SeaPort.exe (PID: 1872) Address: 0x009d0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: SeaPort.exe (PID: 1872) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: slserv.exe (PID: 140) Address: 0x00a40000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: slserv.exe (PID: 140) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: Explorer.EXE (PID: 1560) Address: 0x00d20000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: Explorer.EXE (PID: 1560) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: svchost.exe (PID: 1632) Address: 0x007f0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: svchost.exe (PID: 1632) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: vcssecs.exe (PID: 1980) Address: 0x00810000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: vcssecs.exe (PID: 1980) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: avgemc.exe (PID: 1920) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: avgemc.exe (PID: 1920) Address: 0x00b90000 Size: 45056

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: avgcsrvx.exe (PID: 2248) Address: 0x00a00000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: avgcsrvx.exe (PID: 2248) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: ctfmon.exe (PID: 2340) Address: 0x009a0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: ctfmon.exe (PID: 2340) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: regedit.exe (PID: 3060) Address: 0x00710000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: regedit.exe (PID: 3060) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: alg.exe (PID: 3164) Address: 0x00790000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: alg.exe (PID: 3164) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: wltuser.exe (PID: 3988) Address: 0x00ca0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: wltuser.exe (PID: 3988) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: SOUNDMAN.EXE (PID: 2448) Address: 0x00b10000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: SOUNDMAN.EXE (PID: 2448) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: ALCWZRD.EXE (PID: 784) Address: 0x00c60000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: ALCWZRD.EXE (PID: 784) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: jusched.exe (PID: 2728) Address: 0x00ce0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: jusched.exe (PID: 2728) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: PCMService.exe (PID: 2760) Address: 0x00b10000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: PCMService.exe (PID: 2760) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: ABoard.exe (PID: 2936) Address: 0x00940000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: ABoard.exe (PID: 2936) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: vcsplay.exe (PID: 2948) Address: 0x00b80000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: vcsplay.exe (PID: 2948) Address: 0x00c40000 Size: 45056

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: GrooveMonitor.exe (PID: 3112) Address: 0x00d00000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: GrooveMonitor.exe (PID: 3112) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: AOSD.exe (PID: 3104) Address: 0x00a90000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: AOSD.exe (PID: 3104) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: svchost.exe (PID: 3268) Address: 0x007f0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: svchost.exe (PID: 3268) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: kwtbaim.exe (PID: 3356) Address: 0x00920000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: kwtbaim.exe (PID: 3356) Address: 0x00bf0000 Size: 45056

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: realsched.exe (PID: 3424) Address: 0x00a70000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: realsched.exe (PID: 3424) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: QTTask.exe (PID: 3620) Address: 0x00af0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: QTTask.exe (PID: 3620) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: iTunesHelper.exe (PID: 3636) Address: 0x00be0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: iTunesHelper.exe (PID: 3636) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: EZStatus.exe (PID: 3684) Address: 0x00950000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: EZStatus.exe (PID: 3684) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: GoogleToolbarNotifier.exe (PID: 3292) Address: 0x00a60000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: GoogleToolbarNotifier.exe (PID: 3292) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: PCSuite.exe (PID: 3868) Address: 0x00f00000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: PCSuite.exe (PID: 3868) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: ServiceLayer.exe (PID: 868) Address: 0x00980000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: ServiceLayer.exe (PID: 868) Address: 0x00a50000 Size: 45056

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: NclUSBSrv.exe (PID: 2484) Address: 0x00970000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: NclUSBSrv.exe (PID: 2484) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: NclRSSrv.exe (PID: 2104) Address: 0x00a70000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: NclRSSrv.exe (PID: 2104) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: iPodService.exe (PID: 3148) Address: 0x00770000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: iPodService.exe (PID: 3148) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: wuauclt.exe (PID: 1396) Address: 0x00990000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: wuauclt.exe (PID: 1396) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: Safari.exe (PID: 4260) Address: 0x011a0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: Safari.exe (PID: 4260) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: jucheck.exe (PID: 5568) Address: 0x00df0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: jucheck.exe (PID: 5568) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: NOTEPAD.EXE (PID: 5684) Address: 0x00a90000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: NOTEPAD.EXE (PID: 5684) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: RootRepeal.exe (PID: 4444) Address: 0x00ef0000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: RootRepeal.exe (PID: 4444) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: Iexplore.exe (PID: 5260) Address: 0x00b20000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: Iexplore.exe (PID: 5260) Address: 0x10000000 Size: 40960

Object: Hidden Module [Name: UAColmeypneflcxunu.dll]
Process: Iexplore.exe (PID: 2576) Address: 0x00b20000 Size: 45056

Object: Hidden Module [Name: UAChwvvuptgjilxfuj.dll]
Process: Iexplore.exe (PID: 2576) Address: 0x10000000 Size: 40960

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACwpdwyhktlvltabo.sys

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:54 pm

And umm.. May I suggest adding a attach button to attach these HUGEE logs ><

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:06 pm

I know.

I already asked our forum admin for a huge post character limit so it doesn't take more than one post, but you have to pay for that on Forumotion I think.

Anyhow, that found the rootkit.

1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
UACd.sys

Files to delete:
C:\WINDOWS\system32\drivers\UACwpdwyhktlvltabo.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Input script here:", paste in the script from the quote box above.
Leave the ticked box "Scan for rootkit" ticked.
Then tick "Disable any rootkits found"
Now click on the Execute to begin execution of the script.
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
It will Restart your computer.
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

3. Please copy/paste the content of c:\avenger.txt into your reply.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:16 pm

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACwpdwyhktlvltabo.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:18 pm

I suspect MBAM still won't run, so lets try what I did earlier with another user.

Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
Link 1
Link 2
Double click DDS.scr to run.
When complete, two logs will open. Save both of the report to your Desktop.
Copy and paste DDS.txt back here, I don't need to see attach.txt.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:22 pm

DDS (Ver_09-05-14.01) - NTFSx86
Run by handsome kevin at 0:19:47.14 on Sat 05/16/2009
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.292 [GMT 10:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\apps\ABoard\AOSD.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kiwee Toolbar2\1.4.127\kwtbaim.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Apps\EZHome\EZStatus.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Documents and Settings\handsome kevin\Desktop\dds.scr

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:22 pm

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Kiwee Toolbar: {6638a9de-0745-4292-8a2e-ae530e7b9b3f} - c:\program files\kiwee toolbar2\1.4.127\KiweeIEToolbar.dll
mURLSearchHooks: Kiwee Toolbar: {6638a9de-0745-4292-8a2e-ae530e7b9b3f} - c:\program files\kiwee toolbar2\1.4.127\KiweeIEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Kiwee Toolbar: {6638a9de-0745-4292-8a2e-ae530e7b9b3f} - c:\program files\kiwee toolbar2\1.4.127\KiweeIEToolbar.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: 100% Free Chess Toolbar: {6f4f95af-1647-4b72-a632-055405455423} - c:\program files\100% free chess toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll
TB: Kiwee Toolbar: {6638a9de-0745-4292-8a2e-ae530e7b9b3f} - c:\program files\kiwee toolbar2\1.4.127\KiweeIEToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [EzStatus] c:\apps\ezhome\EZStatus.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_0
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [AdobeBridge]
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [PCMService] "c:\apps\powercinema\PCMService.exe"
mRun: [ACTIVBOARD] c:\apps\aboard\ABoard.exe
mRun: [VCSPlayer] "c:\program files\virtual cd v4 sdk\system\vcsplay.exe"
mRun: [PinnacleDriverCheck] c:\windows\system32\PSDrvCheck.exe -CheckReg
mRun: [CleanEasyImg] c:\apps\easydvd\cleanall.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [KiweeHook] "c:\program files\kiwee toolbar2\1.4.127\kwtbaim.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Bron-Spizaetus] "c:\windows\shellnew\sempalong.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [EzStatus] c:\apps\ezhome\EZStatus.exe
dRun: [Tok-Cirrhatus] "c:\documents and settings\handsome kevin\local settings\application data\smss.exe"
StartupFolder: c:\docume~1\handso~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\handso~1\startm~1\programs\startup\hamachi.lnk - c:\program files\hamachi\hamachi.exe
StartupFolder: c:\docume~1\handso~1\startm~1\programs\startup\itunes.lnk - c:\windows\installer\{80fd852f-5aac-4129-b931-06aaffa43138}\iTunesIco.exe
StartupFolder: c:\docume~1\handso~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B2} - {C9CCBB35-D123-4a31-AFFC-9B2933132116} - c:\program files\shoppingreport\bin\2.5.0\ShoppingReport.dll
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} - c:\program files\shoppingreport\bin\2.5.0\ShoppingReport.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - hxxp://inst.c-wss.com/n034p/EN/install/gtdownlr.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8DE6AB9C-8C62-486B-8C06-5C9AD6FD06F1} - hxxp://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxp://secure.gopetslive.com/dev/GoPetsWeb.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LMIinit - LMIinit.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:22 pm

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-2 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-2 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-2 108552]
R1 vcsmpdrv;vcsmpdrv;c:\windows\system32\drivers\vcsmpdrv.sys [2007-6-28 49024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-9 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-9 298776]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-2-28 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-6-14 47640]
R2 MrHealthyService;MrHealthy;c:\program files\norton pc checkup\executables\mrhealthy\mrhealthy.exe -service --> c:\program files\norton pc checkup\executables\mrhealthy\MrHealthy.exe -service [?]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);c:\program files\virtual cd v4 sdk\system\vcssecs.exe [2007-6-28 139264]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2008-2-5 710144]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2008-2-28 12192]
RUnknown jtzy;jtzy; [x]
S2 OneStepSearch Service;OneStepSearch Service;c:\program files\onestep\onestep.exe [2008-9-5 5632]
S3 Cap713x;Cap713x Video Capture;c:\windows\system32\drivers\Cap713x.sys [1980-1-1 751104]
S3 MPCSYS;MPCSYS;c:\windows\system32\drivers\mpcsys.SYS [2008-2-5 15360]
S3 PageFau1t;PageFau1t;\??\c:\documents and settings\handsome kevin\desktop\pagefau1t.sys --> c:\documents and settings\handsome kevin\desktop\PageFau1t.sys [?]
S3 XDva090;XDva090;\??\c:\windows\system32\xdva090.sys --> c:\windows\system32\XDva090.sys [?]
S3 XDva092;XDva092;\??\c:\windows\system32\xdva092.sys --> c:\windows\system32\XDva092.sys [?]
S3 XDva093;XDva093;\??\c:\windows\system32\xdva093.sys --> c:\windows\system32\XDva093.sys [?]
S3 XDva104;XDva104;\??\c:\windows\system32\xdva104.sys --> c:\windows\system32\XDva104.sys [?]
S3 XDva129;XDva129;\??\c:\windows\system32\xdva129.sys --> c:\windows\system32\XDva129.sys [?]
S3 XDva181;XDva181;\??\c:\windows\system32\xdva181.sys --> c:\windows\system32\XDva181.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\xdva186.sys --> c:\windows\system32\XDva186.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-05-14 23:13 --d----- C:\_OTMoveIt
2009-04-24 19:23 --d----- c:\program files\Soldat
2009-04-17 10:21 --d----- c:\program files\iPod
2009-04-17 10:21 --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-16 12:45 283,648 -------- c:\windows\system32\dllcache\pdh.dll
2009-04-16 12:45 60,416 -------- c:\windows\system32\dllcache\colbact.dll
2009-04-16 12:45 473,088 -------- c:\windows\system32\dllcache\fastprox.dll
2009-04-16 12:45 399,360 -------- c:\windows\system32\dllcache\rpcss.dll
2009-04-16 12:45 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 12:45 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-04-16 12:45 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 12:45 616,960 -------- c:\windows\system32\dllcache\advapi32.dll
2009-04-16 12:45 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-04-16 12:44 215,552 -------- c:\windows\system32\dllcache\wordpad.exe

==================== Find3M ====================

2009-04-26 09:45 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-26 09:45 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-04-26 09:44 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-04-23 21:26 34 a------- c:\documents and settings\handsome kevin\jagex_runescape_preferences.dat
2009-03-22 00:18 986,112 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-19 16:32 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-07 00:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-05 22:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll

============= FINISH: 0:20:26.29 ===============

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:26 pm

Wow, what a mess.
You also have an email worm, it likes to call home and download more malware.

Download combofix from here
Link 1
Link 2
We need to disable your local AV (Anti-virus) before running Combofix.
See HERE for how to disable your AV. (AVG8)
Double click on ComboFix.exe.
Follow the prompts. NOTE:
ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes
Allow combofix to run
Post C:\combofix.txt back here.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:30 pm

Nothins happening when I click ComboFix.exe
I have closed AVG8

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:31 pm

Hello.
Delete your copy of Combofix you have right now.

Now do this. Re-download Combofix again, but before doing so, read this next instructions for renaming Combofix.

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

win32/cryptor found in Iexplorer.exe and evchost.exe CF_download_FF

win32/cryptor found in Iexplorer.exe and evchost.exe CF_download_FF

win32/cryptor found in Iexplorer.exe and evchost.exe CF_download_rename

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:49 pm

ComboFix 09-05-14.07 - handsome kevin 05/16/2009 0:40.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.611 [GMT 10:00]
Running from: c:\documents and settings\handsome kevin\Desktop\Combo-Fix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\handsome kevin\Application Data\ShoppingReport
c:\documents and settings\handsome kevin\Application Data\ShoppingReport\cs\Config.xml
c:\documents and settings\handsome kevin\Application Data\ShoppingReport\cs\db\Aliases.dbs
c:\documents and settings\handsome kevin\Application Data\ShoppingReport\cs\db\Sites.dbs
c:\documents and settings\handsome kevin\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
c:\documents and settings\handsome kevin\Application Data\ShoppingReport\cs\report\aggr_storage.xml
c:\documents and settings\handsome kevin\Application Data\ShoppingReport\cs\report\send_storage.xml
c:\documents and settings\handsome kevin\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
c:\documents and settings\handsome kevin\My Documents\mc-installer-0.8.exe
c:\program files\ShoppingReport
c:\program files\ShoppingReport\Uninst.exe
c:\recycler\ADAPT_Installer.exe
c:\windows\100%_Free_Chess_Toolbar_Uninstaller_4921.exe
c:\windows\system32\drivers\UAClkjlnssckbvspfy.sys
c:\windows\system32\drivers\UACwpdwyhktlvltabo.sys
c:\windows\system32\UAChrmlamyxqvoyjte.dll
c:\windows\system32\UAChwvvuptgjilxfuj.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UAColmeypneflcxunu.dll
c:\windows\system32\UACqdsxndlakmvekec.log
c:\windows\system32\UACqidlvrdomtlkklf.dll
c:\windows\system32\UACqppepmkhaqkivwm.dll
c:\windows\system32\UACswwwptpxubrqoxg.dll
c:\windows\system32\UACuyavwyqubhyiqrr.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-04-15 to 2009-05-15 )))))))))))))))))))))))))))))))
.

2009-05-14 13:13 . 2009-05-14 13:13 -------- d-----w C:\_OTMoveIt
2009-05-13 11:15 . 2009-05-13 11:15 -------- d-sh--w c:\documents and settings\Administrator\PrivacIE
2009-05-13 11:15 . 2009-05-13 11:15 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-24 09:23 . 2009-04-26 10:15 -------- d-----w c:\program files\Soldat
2009-04-23 05:57 . 2009-04-23 05:57 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-17 00:21 . 2009-04-17 00:21 -------- d-----w c:\program files\iPod
2009-04-17 00:21 . 2009-04-17 00:21 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-16 02:45 . 2009-03-06 14:44 283648 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-16 02:45 . 2005-07-26 04:39 60416 ------w c:\windows\system32\dllcache\colbact.dll
2009-04-16 02:45 . 2009-02-09 10:20 399360 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 02:45 . 2009-02-06 17:14 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-16 02:45 . 2009-02-09 10:20 473088 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 02:45 . 2009-02-06 16:39 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 02:45 . 2009-02-09 10:20 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 02:45 . 2009-02-09 10:20 616960 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 02:45 . 2009-02-09 10:20 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 02:44 . 2008-04-21 10:02 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-15 14:12 . 2008-06-14 11:12 -------- d-----w c:\program files\LogMeIn
2009-05-15 08:58 . 2007-06-28 02:09 -------- d-----w c:\program files\Java
2009-05-15 08:00 . 2009-02-16 04:35 -------- d-----w c:\program files\Norton Security Scan
2009-05-14 13:55 . 2007-06-28 02:51 110168 ----a-w c:\documents and settings\handsome kevin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-10 08:01 . 2007-06-28 02:14 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-01 12:38 . 2008-02-07 06:15 -------- d-----w c:\program files\LimeWire
2009-04-25 23:45 . 2008-06-02 06:08 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-25 23:45 . 2008-06-02 06:08 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-25 23:44 . 2008-06-02 06:08 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-23 11:26 . 2008-10-18 12:31 34 ----a-w c:\documents and settings\handsome kevin\jagex_runescape_preferences.dat
2009-04-17 00:21 . 2008-02-04 10:54 -------- d-----w c:\program files\iTunes
2009-04-17 00:21 . 2008-02-04 10:53 -------- d-----w c:\program files\Common Files\Apple
2009-04-14 09:32 . 2008-03-13 05:01 -------- d-----w c:\program files\Valve
2009-04-12 13:11 . 2008-02-28 10:32 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-10 09:37 . 2009-04-10 09:37 -------- d-----w c:\program files\NeedforMadness_at
2009-04-06 23:44 . 2009-04-06 23:40 -------- d-----w c:\program files\Messenger Plus! Live
2009-04-06 07:39 . 2009-04-05 09:46 -------- d-----w c:\program files\mIRC
2009-04-06 07:20 . 2008-11-03 06:49 -------- d-----w c:\program files\Warcraft III
2009-04-05 08:34 . 2007-06-28 02:09 -------- d-----w c:\program files\ATI Technologies
2009-04-02 09:16 . 2007-07-03 14:47 -------- d-----w c:\program files\Google
2009-03-25 04:56 . 2009-03-25 04:56 -------- d-----w c:\program files\QuickTime
2009-03-25 04:51 . 2008-03-29 00:54 -------- d-----w c:\program files\Safari
2009-03-25 04:50 . 2009-03-25 04:50 -------- d-----w c:\program files\Bonjour
2009-03-19 06:32 . 2008-01-29 01:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-17 04:55 . 2009-03-15 07:51 -------- d-----w c:\program files\Microsoft Silverlight
2009-03-06 14:44 . 2004-08-10 06:38 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-05 12:59 . 2009-03-25 04:53 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-05 12:59 . 2008-08-02 03:08 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-08-11 08:41 . 2007-10-04 22:49 67696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-08-11 08:41 . 2007-10-04 22:49 54376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-08-11 08:41 . 2008-03-07 08:30 34952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-08-11 08:41 . 2008-03-07 08:30 46720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-08-11 08:41 . 2007-10-04 22:49 172144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:49 pm

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll" [2008-03-14 265360]

[HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}]
2008-03-14 03:08 265360 ----a-w c:\program files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll" [2008-03-14 265360]

[HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll" [2008-03-14 265360]

[HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EzStatus"="c:\apps\EZHome\EZStatus.exe" [2004-12-20 94208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 339968]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-21 144784]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2004-10-07 81920]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]
"VCSPlayer"="c:\program files\Virtual CD v4 SDK\system\vcsplay.exe" [2004-03-04 299008]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"KiweeHook"="c:\program files\Kiwee Toolbar2\1.4.127\kwtbaim.exe" [2008-03-14 56456]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-08 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-25 1947928]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-05 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-17 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2004-09-10 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-09-15 2557952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"EzStatus"="c:\apps\EZHome\EZStatus.exe" [2004-12-20 94208]

c:\documents and settings\handsome kevin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
hamachi.lnk - c:\program files\Hamachi\hamachi.exe [2008-12-17 625952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-25 23:45 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-18 11:10 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="1"
"AntiVirusDisableNotify"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Nexon\\MapleStory\\Patcher.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"c:\\Documents and Settings\\handsome kevin\\Desktop\\Warcraft III\\war3.exe"=
"c:\\Documents and Settings\\handsome kevin\\Desktop\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Soldat\\Soldat.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Documents and Settings\\handsome kevin\\Desktop\\Games\\halo\\halo.exe"=
"c:\\Documents and Settings\\handsome kevin\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Media Converter SA Edition\\Media Converter.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Safari\\Safari.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6122:TCP"= 6122:TCP:Warcraft

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/2/2008 4:08 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/2/2008 4:08 PM 108552]
R1 vcsmpdrv;vcsmpdrv;c:\windows\system32\drivers\vcsmpdrv.sys [6/28/2007 12:18 PM 49024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/9/2009 7:34 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/9/2009 7:34 PM 298776]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2/28/2008 3:31 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [6/14/2008 9:12 PM 47640]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [1/14/2009 4:53 PM 226656]
R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);c:\program files\Virtual CD v4 SDK\System\vcssecs.exe [6/28/2007 12:18 PM 139264]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2/5/2008 8:29 PM 710144]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2/28/2008 3:31 PM 12192]
S2 OneStepSearch Service;OneStepSearch Service;c:\program files\OneStep\onestep.exe [9/5/2008 10:23 AM 5632]
S3 Cap713x;Cap713x Video Capture;c:\windows\system32\drivers\Cap713x.sys [1/1/1980 751104]
S3 MPCSYS;MPCSYS;c:\windows\system32\drivers\mpcsys.SYS [2/5/2008 8:58 PM 15360]
S3 PageFau1t;PageFau1t;\??\c:\documents and settings\handsome kevin\Desktop\PageFau1t.sys --> c:\documents and settings\handsome kevin\Desktop\PageFau1t.sys [?]
S3 XDva090;XDva090;\??\c:\windows\system32\XDva090.sys --> c:\windows\system32\XDva090.sys [?]
S3 XDva092;XDva092;\??\c:\windows\system32\XDva092.sys --> c:\windows\system32\XDva092.sys [?]
S3 XDva093;XDva093;\??\c:\windows\system32\XDva093.sys --> c:\windows\system32\XDva093.sys [?]
S3 XDva104;XDva104;\??\c:\windows\system32\XDva104.sys --> c:\windows\system32\XDva104.sys [?]
S3 XDva129;XDva129;\??\c:\windows\system32\XDva129.sys --> c:\windows\system32\XDva129.sys [?]
S3 XDva181;XDva181;\??\c:\windows\system32\XDva181.sys --> c:\windows\system32\XDva181.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys --> c:\windows\system32\XDva186.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20568520-5420-11dc-aae9-00132014273f}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a2844de-99c3-11dd-acb4-00132014273f}]
\Shell\AutoRun\command - F:\mkofh1rk.bat
\Shell\explore\Command - F:\mkofh1rk.bat
\Shell\open\Command - F:\mkofh1rk.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{875c54c8-2d74-11de-90be-00132014273f}]
\Shell\AutoRun\command - tmf3w3g0.com
\Shell\explore\Command - tmf3w3g0.com
\Shell\open\Command - tmf3w3g0.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b32cf1f8-5ec6-11dc-aaf3-00132014273f}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4ee268b-4d56-11dd-ac4e-00132014273f}]
\Shell\AutoRun\command - E:\tmf3w3g0.com
\Shell\explore\Command - E:\tmf3w3g0.com
\Shell\open\Command - E:\tmf3w3g0.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{beaed5c3-3216-11dd-ac1d-00132014273f}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ed1e835f-251e-11dc-aac6-806d6172696f}]
\Shell\AutoRun\command - D:\launch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 02:34]

2008-12-23 c:\windows\Tasks\At3.job
- c:\program files\norton pc checkup\pc_checkup.exe [2009-01-29 22:10]

2009-05-10 c:\windows\Tasks\At4.job
- c:\program files\norton pc checkup\pc_checkup.exe [2009-01-29 22:10]

2009-05-15 c:\windows\Tasks\Norton Security Scan for handsome kevin.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-18 09:20]
.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:50 pm

- - - - ORPHANS REMOVED - - - -

Toolbar-{6F4F95AF-1647-4B72-A632-055405455423} - c:\program files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll
WebBrowser-{6F4F95AF-1647-4B72-A632-055405455423} - c:\program files\100% Free Chess Toolbar\v3.2.0.0\100%_Free_Chess_Toolbar.dll
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-AdobeBridge - (no file)
HKLM-Run-CleanEasyImg - c:\apps\easydvd\cleanall.exe
HKU-Default-Run-Tok-Cirrhatus - c:\documents and settings\handsome kevin\Local Settings\Application Data\smss.exe

.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: {{C5428486-50A0-4a02-9D20-520B59A9F9B2} - {C9CCBB35-D123-4a31-AFFC-9B2933132116} - c:\program files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
IE: {{C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} - c:\program files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {8DE6AB9C-8C62-486B-8C06-5C9AD6FD06F1} - hxxp://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxp://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 00:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,6c,84,a2,95,e8,
c3,ee,d8,c8,28,51,af,b0,29,a3,98,1b,5a,55,b7,2c,fe,65,30,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,43,0b,e8,7a,a4,
8c,3f,82,71,3b,04,66,8b,46,0d,96,2c,46,83,03,6a,cf,97,1f,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,b3,d4,5d,e6,86,
b5,2c,29,25,da,ec,7e,55,20,c9,26,af,00,5d,1d,59,65,64,70,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,88,24,86,e3,1b,
da,87,b2,3e,1e,9e,e0,57,5a,93,61,d2,3c,be,a3,d6,6e,8a,73,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,e8,03,56,95,d5,
56,8e,59,cd,44,cd,b9,a6,33,6c,cd,96,78,13,26,0a,c5,33,44,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,83,3c,4d,52,6f,
aa,2d,7b,b0,18,ed,a7,3f,8d,37,a4,6a,2b,ff,76,41,fc,ce,ce,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,49,1c,62,bd,f4,
7d,5d,5c,31,77,e1,ba,b1,f8,68,02,7e,e8,49,bf,57,38,78,0b,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,21,3c,6c,95,81,
93,15,34,83,6c,56,8b,a0,85,96,ab,f5,f5,9f,b3,b7,ba,fb,55,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,d5,82,08,44,f1,
e9,71,db,51,fa,6e,91,28,9e,14,cc,a3,28,39,2c,10,03,cf,1a,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,6b,11,b5,e1,83,
8c,54,e9,b1,cd,45,5a,a8,c4,f8,b9,5d,dd,cc,ea,a1,1a,a1,6d,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,0b,0b,75,91,54,
38,34,a6,e3,0e,66,d5,eb,bc,2f,6b,d8,b5,95,c0,8d,2a,77,26,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,1a,af,7b,92,3f,
7a,e1,8e,fa,ea,66,7f,d4,3b,6b,70,06,40,74,9e,b5,92,40,cd,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
.
Completion time: 2009-05-15 0:45
ComboFix-quarantined-files.txt 2009-05-15 14:45

Pre-Run: 68,565,262,336 bytes free
Post-Run: 68,550,029,312 bytes free

367 --- E O F --- 2009-05-13 13:19

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:51 pm

Am I close to done? It's almost 1AM and I have saturday school (damn-it!) tomorrow morn. ><

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:53 pm

Yeah, theres a few things to tidy up, but it can wait, no serious threat anymore.

Go get some sleep.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:55 pm

Haha alright Smile!

Thanks.
Good night.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 5:49 am

Im backkk!
What's my next step ><

Re: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 1:46 pm

Getting an uninstall log. Smile...

Open HijackThis.
When Hijack This opens, click "Open the Misc Tools section"
Then select "Open Uninstall Manager"
Click on "Save List..." (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 1:48 pm

100% Free Chess Toolbar
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
3D Interstellar Voyager
3-D Salt Water Fish Tank Dem-esd Screen Saver
3DVIA player 4.1
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.2
Adobe Shockwave Player 11.5
Adobe Stock Photos 1.0
Any Video Converter 2.6.2
AoA Audio Extractor 1.0
Apple Mobile Device Support
Apple Software Update
Ashampoo Photo Commander 5.40
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI Parental Control & Encoder
AVG 8.5
BA Installer
Bonjour
Choice Guard
Combat Arms
Counter-Strike 1.6
COWON Media Center - jetAudio Basic
Cube Maniak 1.8.0.0
Cucusoft YouTube Mate 7.13
Desktop Destroyer 3D Screensaver Free
Digital Locker Assistant
Easy Duplicate Finder v. 2.1
Free Video to iPod Converter version 3.1
Free YouTube Uploader version 1.5
Gabbasoft Cube Demo
GameArena The Arena
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
GunboundWC
Hamachi 1.0.3.0
High Definition Audio Driver Package - KB835221
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Intel(R) PRO Network Adapters and Drivers
iTunes
Java 2 Runtime Environment, SE v1.4.2_05
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Junk Mail filter update
Kiwee Toolbar
LimeWire 5.1.2
Liquid Desktop Free
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
LogMeIn
Magic DVD Ripper V5.2.1 build 8
Map Button (Windows Live Toolbar)
MapleStory
Media Converter SA Edition 0.8
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
Microsoft XML Parser and SDK
mIRC
MobileMe Control Panel
Moleskinsoft Clone Remover 3.3
Mozilla Firefox (2.0.0.16)
MSVC80_x86
MSVCRT
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Music Rescue
Music Rescue 3.1.6 iPod Distribution
Need for Madness
Network Play System (Patching)
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
Norton PC Checkup
Norton Security Scan
Norton Security Scan (Symantec Corporation)
OneCare Advisor (Windows Live Toolbar)
OneStepSearch 1.0 build 182
OpenOffice.org Installer 1.0
PC Connectivity Solution
Popup Blocker (Windows Live Toolbar)
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Safari
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB960003)
Security Update for Microsoft Office Excel 2007 (KB959997)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Segoe UI
Sloud Music Content Inspector 1.4 beta
Smart Link 56K Modem
Smart Menus (Windows Live Toolbar)
Soldat 1.5.0
Soldat 1.5.0
Sonic MyDVD
Sonic RecordNow!
Total Video Converter 3.12 080330
Uninstall 1.0.0.1
Unity Web Player
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Outlook 2007 Junk Email Filter (kb968503)
Update for Windows Internet Explorer 8 (KB961813)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Windows Driver Package - ASUSTeK (3xHybrid) MEDIA (05/05/2005 1.3.2.5)
Windows Driver Package - Nokia Modem (03/05/2008 3.7)
Windows Driver Package - Nokia Modem (03/13/2008 6.86.0.1)
Windows Driver Package - Nokia Modem (10/27/2008 3.9)
Windows Driver Package - Nokia Modem (10/27/2008 7.01.0.1)
Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8 Release Candidate 1
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live Favorites for Windows Live Toolbar
Windows Live Mail
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Live Upload Tool
Windows Live Writer
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Xfire (remove only)

Re: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 1:55 pm

Wow.. I dont use half of that stuff. I needa do some cleaning Smile!

Computers getting slow XDD

Re: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 1:59 pm

Hello.

I see that you are running Limewire.
P2P(Peer to peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

If Limewire is not removed, then I won't help you.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

Adobe Reader 8.1.2
Java 2 Runtime Environment, SE v1.4.2_05
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
LimeWire 5.1.2

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
OneStepSearch Service

Folder::
C:\_OTMoveIt
c:\program files\LimeWire
c:\program files\OneStep

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=-
"AntiVirusDisableNotify"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2a2844de-99c3-11dd-acb4-00132014273f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{875c54c8-2d74-11de-90be-00132014273f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b4ee268b-4d56-11dd-ac4e-00132014273f}]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
win32/cryptor found in Iexplorer.exe and evchost.exe Sfxdaw

win32/cryptor found in Iexplorer.exe and evchost.exe Sfxdaw

This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:11 pm

Hmm.. Why do I need to delete adobe reader? and limewire *presses delete* sob sob*

Re: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:12 pm

a new update to combofix? >< *presses download*

Re: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:24 pm

You had a rootkit infection, do you want to it come back again? all because you downloaded an infection from Limewire.

Combofix is updated daily, so get the new version if it asks.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:28 pm

ComboFix 09-05-15.06 - handsome kevin 05/17/2009 0:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1022.467 [GMT 10:00]
Running from: c:\documents and settings\handsome kevin\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\handsome kevin\Desktop\CFScript.txt
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\_OTMoveIt
c:\_otmoveit\MovedFiles\05142009_231348.log
c:\_otmoveit\MovedFiles\05142009_231348.res
c:\_otmoveit\MovedFiles\05142009_231348\DOCUME~1\HANDSO~1\LOCALS~1\Temp\NGLALog.txt
c:\_otmoveit\MovedFiles\05142009_231348\DOCUME~1\HANDSO~1\LOCALS~1\Temp\NGLATempNokia\Nokia Sans Wide Bold v3.1.ttf
c:\_otmoveit\MovedFiles\05142009_231348\Documents and Settings\handsome kevin\Local Settings\Temporary Internet Files\Content.IE5\O0WPPG9P\MsgrConfig[7].asmx
c:\_otmoveit\MovedFiles\05142009_231348\Documents and Settings\handsome kevin\Local Settings\Temporary Internet Files\Content.IE5\O0WPPG9P\signin[2].htm
c:\_otmoveit\MovedFiles\05142009_231348\Documents and Settings\handsome kevin\Local Settings\Temporary Internet Files\Content.IE5\RREW40LA\acCA02GIG8.htm
c:\program files\LimeWire
c:\program files\LimeWire\hs_err_pid1340.log
c:\program files\LimeWire\lib\UnpackedJars.7z
c:\program files\LimeWire\LimeWire.rar
c:\program files\OneStep
c:\program files\OneStep\home.js
c:\program files\OneStep\onestep.exe
c:\program files\OneStep\osopt.exe
c:\program files\OneStep\readme.html
c:\program files\OneStep\uninstall.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ONESTEPSEARCH_SERVICE
-------\Service_OneStepSearch Service

((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-13 11:15 . 2009-05-13 11:15 -------- d-sh--w c:\documents and settings\Administrator\PrivacIE
2009-05-13 11:15 . 2009-05-13 11:15 -------- d-sh--w c:\documents and settings\Administrator\IETldCache
2009-04-24 09:23 . 2009-04-26 10:15 -------- d-----w c:\program files\Soldat
2009-04-23 05:57 . 2009-04-23 05:57 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-17 00:21 . 2009-04-17 00:21 -------- d-----w c:\program files\iPod
2009-04-17 00:21 . 2009-04-17 00:21 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 14:17 . 2008-06-14 11:12 -------- d-----w c:\program files\LogMeIn
2009-05-16 14:05 . 2007-06-28 02:09 -------- d-----w c:\program files\Java
2009-05-16 14:02 . 2007-08-14 01:13 -------- d-----w c:\program files\Common Files\Adobe
2009-05-15 08:00 . 2009-02-16 04:35 -------- d-----w c:\program files\Norton Security Scan
2009-05-14 13:55 . 2007-06-28 02:51 110168 ----a-w c:\documents and settings\handsome kevin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-10 08:01 . 2007-06-28 02:14 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-25 23:45 . 2008-06-02 06:08 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-25 23:45 . 2008-06-02 06:08 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-25 23:44 . 2008-06-02 06:08 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-23 11:26 . 2008-10-18 12:31 34 ----a-w c:\documents and settings\handsome kevin\jagex_runescape_preferences.dat
2009-04-17 00:21 . 2008-02-04 10:54 -------- d-----w c:\program files\iTunes
2009-04-17 00:21 . 2008-02-04 10:53 -------- d-----w c:\program files\Common Files\Apple
2009-04-14 09:32 . 2008-03-13 05:01 -------- d-----w c:\program files\Valve
2009-04-12 13:11 . 2008-02-28 10:32 -------- d-----w c:\program files\Windows Live Safety Center
2009-04-10 09:37 . 2009-04-10 09:37 -------- d-----w c:\program files\NeedforMadness_at
2009-04-06 23:44 . 2009-04-06 23:40 -------- d-----w c:\program files\Messenger Plus! Live
2009-04-06 07:39 . 2009-04-05 09:46 -------- d-----w c:\program files\mIRC
2009-04-06 07:20 . 2008-11-03 06:49 -------- d-----w c:\program files\Warcraft III
2009-04-05 08:34 . 2007-06-28 02:09 -------- d-----w c:\program files\ATI Technologies
2009-04-02 09:16 . 2007-07-03 14:47 -------- d-----w c:\program files\Google
2009-03-25 04:56 . 2009-03-25 04:56 -------- d-----w c:\program files\QuickTime
2009-03-25 04:51 . 2008-03-29 00:54 -------- d-----w c:\program files\Safari
2009-03-25 04:50 . 2009-03-25 04:50 -------- d-----w c:\program files\Bonjour
2009-03-19 06:32 . 2008-01-29 01:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:44 . 2004-08-10 06:38 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-05 12:59 . 2009-03-25 04:53 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-05 12:59 . 2008-08-02 03:08 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-08-11 08:41 . 2007-10-04 22:49 67696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-08-11 08:41 . 2007-10-04 22:49 54376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-08-11 08:41 . 2008-03-07 08:30 34952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-08-11 08:41 . 2008-03-07 08:30 46720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-08-11 08:41 . 2007-10-04 22:49 172144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-15_14.44.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-16 14:18 . 2009-05-16 14:18 16384 c:\windows\Temp\Perflib_Perfdata_850.dat
+ 2009-05-16 14:18 . 2009-05-16 14:18 16384 c:\windows\Temp\Perflib_Perfdata_428.dat
+ 2004-08-10 06:38 . 2009-05-16 05:40 63188 c:\windows\system32\perfc009.dat
- 2004-08-10 06:38 . 2009-05-15 14:17 63188 c:\windows\system32\perfc009.dat
+ 2004-08-10 06:38 . 2009-05-16 05:40 403968 c:\windows\system32\perfh009.dat
- 2004-08-10 06:38 . 2009-05-15 14:17 403968 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll" [2008-03-14 265360]

[HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}]
2008-03-14 03:08 265360 ----a-w c:\program files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll" [2008-03-14 265360]

[HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{6638A9DE-0745-4292-8A2E-AE530E7B9B3F}"= "c:\program files\Kiwee Toolbar2\1.4.127\KiweeIEToolbar.dll" [2008-03-14 265360]

[HKEY_CLASSES_ROOT\clsid\{6638a9de-0745-4292-8a2e-ae530e7b9b3f}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{259EEB17-79AA-44DF-8410-8E55F82A902A}]
[HKEY_CLASSES_ROOT\KiweeIEToolbar.KiweeToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"EzStatus"="c:\apps\EZHome\EZStatus.exe" [2004-12-20 94208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-10 68856]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-12-03 1205760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-12 339968]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2004-10-07 81920]
"ACTIVBOARD"="c:\apps\ABoard\ABoard.exe" [2003-05-02 24576]
"VCSPlayer"="c:\program files\Virtual CD v4 SDK\system\vcsplay.exe" [2004-03-04 299008]
"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2004-03-10 406016]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-23 33648]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"KiweeHook"="c:\program files\Kiwee Toolbar2\1.4.127\kwtbaim.exe" [2008-03-14 56456]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-08 185896]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-25 1947928]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-02-28 63048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-05 177472]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-03-17 61952]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2004-09-10 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-09-15 2557952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
"EzStatus"="c:\apps\EZHome\EZStatus.exe" [2004-12-20 94208]

c:\documents and settings\handsome kevin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
hamachi.lnk - c:\program files\Hamachi\hamachi.exe [2008-12-17 625952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-25 23:45 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-18 11:10 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

Re: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:28 pm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Nexon\\MapleStory\\Patcher.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\softnyx\\GunboundWC\\GunBound.gme"=
"c:\\Documents and Settings\\handsome kevin\\Desktop\\Warcraft III\\war3.exe"=
"c:\\Documents and Settings\\handsome kevin\\Desktop\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Valve\\hl.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Soldat\\Soldat.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\ATI Technologies\\ATI.ACE\\CLI.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Documents and Settings\\handsome kevin\\Desktop\\Games\\halo\\halo.exe"=
"c:\\Documents and Settings\\handsome kevin\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Media Converter SA Edition\\Media Converter.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Safari\\Safari.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6122:TCP"= 6122:TCP:Warcraft

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/2/2008 4:08 PM 325896]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/2/2008 4:08 PM 108552]
R1 vcsmpdrv;vcsmpdrv;c:\windows\system32\drivers\vcsmpdrv.sys [6/28/2007 12:18 PM 49024]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [1/9/2009 7:34 PM 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/9/2009 7:34 PM 298776]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2/28/2008 3:31 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [6/14/2008 9:12 PM 47640]
R2 MrHealthyService;MrHealthy;c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service --> c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe -service [?]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [1/14/2009 4:53 PM 226656]
R2 VCSSecS;Virtual CD v4 Security service (SDK - Version);c:\program files\Virtual CD v4 SDK\System\vcssecs.exe [6/28/2007 12:18 PM 139264]
R3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2/5/2008 8:29 PM 710144]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2/28/2008 3:31 PM 12192]
S3 Cap713x;Cap713x Video Capture;c:\windows\system32\drivers\Cap713x.sys [1/1/1980 751104]
S3 MPCSYS;MPCSYS;c:\windows\system32\drivers\mpcsys.SYS [2/5/2008 8:58 PM 15360]
S3 PageFau1t;PageFau1t;\??\c:\documents and settings\handsome kevin\Desktop\PageFau1t.sys --> c:\documents and settings\handsome kevin\Desktop\PageFau1t.sys [?]
S3 XDva090;XDva090;\??\c:\windows\system32\XDva090.sys --> c:\windows\system32\XDva090.sys [?]
S3 XDva092;XDva092;\??\c:\windows\system32\XDva092.sys --> c:\windows\system32\XDva092.sys [?]
S3 XDva093;XDva093;\??\c:\windows\system32\XDva093.sys --> c:\windows\system32\XDva093.sys [?]
S3 XDva104;XDva104;\??\c:\windows\system32\XDva104.sys --> c:\windows\system32\XDva104.sys [?]
S3 XDva129;XDva129;\??\c:\windows\system32\XDva129.sys --> c:\windows\system32\XDva129.sys [?]
S3 XDva181;XDva181;\??\c:\windows\system32\XDva181.sys --> c:\windows\system32\XDva181.sys [?]
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys --> c:\windows\system32\XDva186.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 02:34]

2008-12-23 c:\windows\Tasks\At3.job
- c:\program files\norton pc checkup\pc_checkup.exe [2009-01-29 22:10]

2009-05-16 c:\windows\Tasks\At4.job
- c:\program files\norton pc checkup\pc_checkup.exe [2009-01-29 22:10]

2009-05-15 c:\windows\Tasks\Norton Security Scan for handsome kevin.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-18 09:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: {{C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} -
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {8DE6AB9C-8C62-486B-8C06-5C9AD6FD06F1} - hxxp://txn02.hkjc.com/BetSlip/object/eWinCtl.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxp://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-17 00:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,6c,84,a2,95,e8,
c3,ee,d8,c8,28,51,af,b0,29,a3,98,1b,5a,55,b7,2c,fe,65,30,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,43,0b,e8,7a,a4,
8c,3f,82,71,3b,04,66,8b,46,0d,96,2c,46,83,03,6a,cf,97,1f,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,b3,d4,5d,e6,86,
b5,2c,29,25,da,ec,7e,55,20,c9,26,af,00,5d,1d,59,65,64,70,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,88,24,86,e3,1b,
da,87,b2,3e,1e,9e,e0,57,5a,93,61,d2,3c,be,a3,d6,6e,8a,73,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,e8,03,56,95,d5,
56,8e,59,cd,44,cd,b9,a6,33,6c,cd,96,78,13,26,0a,c5,33,44,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,83,3c,4d,52,6f,
aa,2d,7b,b0,18,ed,a7,3f,8d,37,a4,6a,2b,ff,76,41,fc,ce,ce,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,49,1c,62,bd,f4,
7d,5d,5c,31,77,e1,ba,b1,f8,68,02,7e,e8,49,bf,57,38,78,0b,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,21,3c,6c,95,81,
93,15,34,83,6c,56,8b,a0,85,96,ab,f5,f5,9f,b3,b7,ba,fb,55,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,d5,82,08,44,f1,
e9,71,db,51,fa,6e,91,28,9e,14,cc,a3,28,39,2c,10,03,cf,1a,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,6b,11,b5,e1,83,
8c,54,e9,b1,cd,45,5a,a8,c4,f8,b9,5d,dd,cc,ea,a1,1a,a1,6d,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:2a,b7,cc,b5,b9,7f,41,e7,0b,0b,75,91,54,
38,34,a6,e3,0e,66,d5,eb,bc,2f,6b,d8,b5,95,c0,8d,2a,77,26,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:6c,43,2d,1e,aa,22,2f,9c,1a,af,7b,92,3f,
7a,e1,8e,fa,ea,66,7f,d4,3b,6b,70,06,40,74,9e,b5,92,40,cd,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(880)
c:\program files\CyberLink\Shared Files\CLRCEngine.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Norton PC Checkup\executables\mrHealthy\MrHealthy.exe
c:\nexon\Mabinogi\npkcmsvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
c:\apps\ABoard\AOSD.EXE
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\iTunes\iTunes.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2009-05-16 0:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-16 14:23
ComboFix2.txt 2009-05-15 14:45

Pre-Run: 68,714,438,656 bytes free
Post-Run: 68,597,166,080 bytes free

360 --- E O F --- 2009-05-13 13:19

Re: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:29 pm

What about adobe reader?

Re: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:30 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

win32/cryptor found in Iexplorer.exe and evchost.exe CF_Cleanup

win32/cryptor found in Iexplorer.exe and evchost.exe CF_Cleanup

This will also reset your restore points.

How is the machine running now?

Re: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:36 pm

Nothing detected by AVG, and it seems to run smoother with less lag Smile!

Thanks heaps.
Could you give me a list of the infections I had just so I can do a bit of research on what they do
Thanks

Re: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:39 pm

The main infection was that rootkit, part of the TDSS family.

Re: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:40 pm

Thank again, you helped heaps goodnight.

win32/cryptor found in Iexplorer.exe and evchost.exe

descriptionwin32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 11:47 am

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 11:48 am

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:01 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:13 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:22 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:27 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:29 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:51 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:52 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:52 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:53 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 1:54 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:06 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:16 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:18 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:22 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:22 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:22 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:26 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:30 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:31 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:49 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:49 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:50 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:51 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:53 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe15th May 2009, 2:55 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 5:49 am

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 1:46 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 1:48 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 1:55 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 1:59 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:11 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:12 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:24 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:28 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:28 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:29 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:30 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:36 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:39 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe16th May 2009, 2:40 pm

descriptionRe: win32/cryptor found in Iexplorer.exe and evchost.exe