W32/cryptor

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal

Forum Guidelines

Read this topic before posting a log.

DO NOT post a ComboFix log unless requested to.

Only members of the HijackThis Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

W32/cryptor, infected userinit.

Options

mgumpher View Member Profile	Apr 30 2009, 12:37 PM Post #1
New Member Group: Members Posts: 1 Joined: 30-April 09 Member No.: 327,002	I ran AVG and it said i have the W32/Cryptor virus, it has infected userinit.exe and frmwrk32.exe Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:36:08 PM, on 4/30/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Razer\Lachesis\razerhid.exe C:\Program Files\Winamp\winampa.exe C:\Program Files\Razer\Tarantula\razerhid.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Zune\ZuneLauncher.exe C:\Program Files\COMODO\COMODO Internet Security\cfp.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\Program Files\FileZilla Server\FileZilla Server.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe C:\Program Files\Razer\Lachesis\OSD.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe C:\WINDOWS\System32\nvsvc32.exe c:\WINDOWS\system32\ZuneBusEnum.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\Program Files\Razer\Lachesis\razertra.exe C:\Program Files\Razer\Lachesis\razerofa.exe C:\Program Files\Razer\Tarantula\razertra.exe C:\WINDOWS\system32\wuauclt.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\WINDOWS\system32\wpabaln.exe C:\Program Files\Steam\Steam.exe C:\WINDOWS\system32\userinit.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\AVG\AVG8\avgui.exe C:\Program Files\Trillian\trillian.exe C:\WINDOWS\system32\taskmgr.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [Lachesis] C:\Program Files\Razer\Lachesis\razerhid.exe O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" O4 - HKLM\..\Run: [Tarantula] C:\Program Files\Razer\Tarantula\razerhid.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe" O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe" O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1239907111497 O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe O23 - Service: NVIDIA-OMEGA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe -- End of file - 5413 bytes

aommaster View Member Profile	May 13 2009, 06:28 AM Post #2
I !<3 malware Group: HJT Senior Classmen Posts: 2,189 Joined: 8-June 08 From: Ontario Member No.: 214,918	Hello, mgumpher. My name is aommaster and I will be helping you with your log. I apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up. If you have since resolved the original problem you were having would appreciate you letting us know If not please perform the following below so I can have a look at the current condition of your machine. Thanks Also, you may want to consider tracking this topic by either adding it to your favourites or clicking the Options button at the top of this thread. Please note that I am in the process of my training so it may take a while for me to get back to you, as each of my fixes need to be checked by a coach first. Download random's system information tool (RSIT) by random/random from here and save it to your desktop. Double click on RSIT.exe to run RSIT. Click Continue at the disclaimer screen. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized) In your next reply, please include the following: RSIT Log -------------------- My website: http://www.aommaster.com

aommaster View Member Profile	May 16 2009, 06:42 AM Post #3
I !<3 malware Group: HJT Senior Classmen Posts: 2,189 Joined: 8-June 08 From: Ontario Member No.: 214,918	Hello mgumpher Are you still with us? -------------------- My website: http://www.aommaster.com

kahdah View Member Profile	May 18 2009, 07:35 PM Post #4
Forum Addict Group: HJT Team Coach Posts: 7,376 Joined: 27-October 06 From: Florida Member No.: 92,376	Due to lack of feedback, this topic has been closed. If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic. -------------------- Please do not pm for help, post it in the forums instead. If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications. If I have helped you then please consider donating to continue the fight against malware

« Next Oldest · HijackThis Logs and Virus/Trojan/Spyware/Malware Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 9th February 2010 - 04:09 PM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides