Jump to content

Windows Antivirus Pro infection...2nd post...


Recommended Posts

Hi,

I posted this a couple of days ago and nobody answered it, so Im trying again.

This nightmare started about a week ago when google searches would redirect me. The day before yesterday my computer was paralyzed by Windows Antivirus Pro scam. I was able to get most of that out but at this stage Ive run malwarebytes many times over and it says it cleaned everything out but when I restart and rerun the same two items come back. I use AVG and when I scan it says Im infected with win32\cryptor. Whatever help anyone can offer would be greatly appreciated. This bug is stuck like velcro to my laptop...

As instructed here are the latest malware and hijackthis logs:

Malwarebytes' Anti-Malware 1.40

Database version: 2561

Windows 5.1.2600 Service Pack 3

8/5/2009 2:42:12 AM

mbam-log-2009-08-05 (02-42-12).txt

Scan type: Full Scan (C:\|)

Objects scanned: 199582

Time elapsed: 44 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\geyekrckjtmurq.dll (Trojan.TDSS) -> Delete on reboot.

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

\\?\globalroot\systemroot\system32\geyekrckjtmurq.dll (Trojan.TDSS) -> Quarantined and deleted successfully.

===============================================================================

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:11:58 AM, on 8/7/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe

C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

C:\WINDOWS\system32\dlcqcoms.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\lxdwcoms.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TOSHIBA\TouchPad\TPTray.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe

C:\Program Files\Dell Photo AIO Printer 966\dlcqmon.exe

C:\Program Files\Logitech\MouseWare\system\em_exec.exe

C:\Program Files\TOSHIBA\Power Management\CePMTray.exe

C:\WINDOWS\System32\ZoomingHook.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Real\RealPlayer\RealPlay.exe

C:\WINDOWS\system32\ICO.EXE

C:\Program Files\Dell Photo AIO Printer 966\memcard.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Lexmark 7600 Series\lxdwmon.exe

C:\Program Files\Lexmark 7600 Series\lxdwMsdMon.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\WINDOWS\system32\RAMASST.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://*.mcafee.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://eversave.coupons.smartsource.com/download/cscmv5X.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: CeEPwrSvc - COMPAL ELECTRONIC INC. - C:\Program Files\Toshiba\Power Management\CeEPwrSvc.exe

O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: lxbx_device - Unknown owner - C:\WINDOWS\system32\lxbxcoms.exe (file missing)

O23 - Service: lxdwCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdwserv.exe

O23 - Service: lxdw_device - - C:\WINDOWS\system32\lxdwcoms.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\Ivp\Swupdate\swupdtmr.exe (file missing)

--

End of file - 11380 bytes

Link to post
Share on other sites

  • Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

Extra note..

I use AVG and when I scan it says Im infected with win32\cryptor
What files are this about? Does it flag legitimate files as well like that? If so, then it's also Virut you are dealing with, so I really hope this isn't the case here..
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.