Win32/Cryptor


14 replies to this topic

#1 browha (Members, 12 posts)

Posted 26 July 2009 - 05:51 AM

Hiya.

Another Win32/Cryptor virus, sorry to be boring.

Just a couple background details:

I have two operating systems installed (partitioned off the same drive), XP and Vista. My XP is infected (I was browsing, of all things, goal.com and noticed a background process starting) - I ran AVG immediately and it picked up on the identity of the virus and killed/cured a few files. Had to restart for the next part and it goes to the XP log in screen (you know, where you select the user) and freezes there. The mouse still moves around but won't let me actually do anything.

I can get into XP safe mode fine (and have done as much).


So right now I'm using my Vista partition to solve the problem. I've run AVG in Vista on both partitions and cured up a few things - trojans and the like, but not the win32/cryptor.

Having read around a bit, I know that the next step is the Malwarebytes' Anti-Malware


This is currently in the process of being run - it found a single infection of a registry key in my Vista partition, and is currently scanning the XP partition.


I will post the logs as soon as I get them.

Cheers



----------------------------

Summary of my actions since this first post (saves you reading everything below)

Ran Malwarebytes, it solved out a few problems, I can boot into XP now, but I'm getting audio adverts playing and hijacked google links. Running another Malwarebytes (in vista - it doesn't work in XP, or safe mode XP) to look for the problem, but so far no infections discovered.

Edited by browha, 26 July 2009 - 12:45 PM.




#2 browha (Topic Starter, Members, 12 posts)

Posted 26 July 2009 - 06:33 AM

My computer blue screened halfway through the run. I say blue screen but the blue screen didn't actually come up, it just crashed.

I'm currently re-running the scan and I'll post results

#3 browha (Topic Starter, Members, 12 posts)

Posted 26 July 2009 - 07:20 AM

The results are this:

Malwarebytes' Anti-Malware 1.39
Database version: 2504
Windows 6.0.6001 Service Pack 1

26/07/2009 13:19:41
mbam-log-2009-07-26 (13-19-41).txt

Scan type: Full Scan (D:\|)
Objects scanned: 269679
Time elapsed: 48 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
d:\documents and settings\Henry\local settings\Temp\d.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
d:\documents and settings\Henry\local settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
d:\documents and settings\Henry\local settings\Temp\rasvsnet.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
d:\documents and settings\Henry\local settings\Temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
d:\WINDOWS\msa.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.




Note: I only scanned the XP drive - I previously scanned the Vista drive to get :

Malwarebytes' Anti-Malware 1.39
Database version: 2504
Windows 6.0.6001 Service Pack 1

26/07/2009 11:46:45
mbam-log-2009-07-26 (11-46-45).txt

Scan type: Quick Scan
Objects scanned: 71872
Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by browha, 26 July 2009 - 07:20 AM.


#4 browha (Topic Starter, Members, 12 posts)

Posted 26 July 2009 - 09:56 AM

An update


This seems to have fixed XP fine, so I booted up my computer and loaded it, all okay, no crashes.

Went away to another room for 5 minutes, came back and it was playing adverts - have made no progress other than this, been checking through the processes under task manager and they seem to be fairly legit... but obviously that doesn't mean anything

Another symptom of the virus is that it's deflecting my google searches - go onto google, do a search, click a link and it opens a new tab to a fake search site.


AVG hasn't picked it up at all yet, and Malwarebytes is running a full scan now but so far no joy.

Edited by browha, 26 July 2009 - 11:55 AM.


#5 browha (Topic Starter, Members, 12 posts)

Posted 26 July 2009 - 01:00 PM

Interesting update

Malwarebytes passed the system no problem

Windows Defender/Resident Shield has flagged up 3 infections;

XP Sysm32\UACeppporkvyq.dll, UACopueuiyqo.dll, and \system32\drivers\UACmvitejlqg.sys

Trojan horse FakeAlert.FX
Trojan horse generic14.ffs
and trojan horse pakes.dxz

Any suggestions? Cheers

#6 boopme, To Insanity and Beyond (Global Moderator, 73,530 posts, Location: NJ USA)

Posted 04 August 2009 - 01:52 PM

Sorry for the late reply. All the replies to yourself made your topic appear as if someone was helping you.
We need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop:
  • Extract RootRepeal.exe from the zip archive.
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all six boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#7 browha (Topic Starter, Members, 12 posts)

Posted 04 August 2009 - 02:37 PM

Hiya.

My own fault.


Here's the log




=====================================================



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/04 20:23
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xADEC6000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7995000 Size: 8192 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7A50000 Size: 1664 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB822000 Size: 49152 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF798D000 Size: 5248 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Henry\Local Settings\Application Data\Mozilla\Firefox\Profiles\et4n9nw6.default\Cache\561FC189d01
Status: Invisible to the Windows API!

Path: c:\documents and settings\henry\local settings\application data\mozilla\firefox\profiles\et4n9nw6.default\cache\_cache_003_
Status: Size mismatch (API: 7448786, Raw: 7435857)

Path: C:\Documents and Settings\Henry\Local Settings\Application Data\Mozilla\Firefox\Profiles\et4n9nw6.default\Cache\D7787361d01
Status: Visible to the Windows API, but not on disk.

Path: G:\Documents and Settings
Status: Locked to the Windows API!

Path: G:\ProgramData\Desktop
Status: Locked to the Windows API!

Path: G:\ProgramData\Documents
Status: Locked to the Windows API!

Path: G:\ProgramData\Favorites
Status: Locked to the Windows API!

Path: G:\ProgramData\Start Menu
Status: Locked to the Windows API!

Path: G:\ProgramData\Templates
Status: Locked to the Windows API!

Path: G:\Users\All Users
Status: Locked to the Windows API!

Path: G:\Users\Default User
Status: Locked to the Windows API!

Path: G:\Users\Default\Application Data
Status: Locked to the Windows API!

Path: G:\Users\Default\Cookies
Status: Locked to the Windows API!

Path: G:\Users\Default\Local Settings
Status: Locked to the Windows API!

Path: G:\Users\Default\My Documents
Status: Locked to the Windows API!

Path: G:\Users\Default\NetHood
Status: Locked to the Windows API!

Path: G:\Users\Default\PrintHood
Status: Locked to the Windows API!

Path: G:\Users\Default\Recent
Status: Locked to the Windows API!

Path: G:\Users\Default\SendTo
Status: Locked to the Windows API!

Path: G:\Users\Default\Start Menu
Status: Locked to the Windows API!

Path: G:\Users\Default\Templates
Status: Locked to the Windows API!

Path: G:\Users\Henry\Application Data
Status: Locked to the Windows API!

Path: G:\Users\Henry\Cookies
Status: Locked to the Windows API!

Path: G:\Users\Henry\Local Settings
Status: Locked to the Windows API!

Path: G:\Users\Henry\My Documents
Status: Locked to the Windows API!

Path: G:\Users\Henry\NetHood
Status: Locked to the Windows API!

Path: G:\Users\Henry\PrintHood
Status: Locked to the Windows API!

Path: G:\Users\Henry\Recent
Status: Locked to the Windows API!

Path: G:\Users\Henry\SendTo
Status: Locked to the Windows API!

Path: G:\Users\Henry\Start Menu
Status: Locked to the Windows API!

Path: G:\Users\Henry\Templates
Status: Locked to the Windows API!

Path: G:\Users\Default\Documents\My Music
Status: Locked to the Windows API!

Path: G:\Users\Default\Documents\My Pictures
Status: Locked to the Windows API!

Path: G:\Users\Default\Documents\My Videos
Status: Locked to the Windows API!

Path: G:\Users\Henry\Documents\My Music
Status: Locked to the Windows API!

Path: G:\Users\Henry\Documents\My Pictures
Status: Locked to the Windows API!

Path: G:\Users\Henry\Documents\My Videos
Status: Locked to the Windows API!

Path: G:\Users\Public\Documents\My Music
Status: Locked to the Windows API!

Path: G:\Users\Public\Documents\My Pictures
Status: Locked to the Windows API!

Path: G:\Users\Public\Documents\My Videos
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\amd64_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_46a1dccfe6d329bd\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_462aa7cec12b7884.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_93b21c24844efba7.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_1104655151b6fd4c.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_91949b06671d08ae.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_10d7056abdf6e439.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_ca3f79d486b08636.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_8f16b0d88731ea9c.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_49e66f4952a1b53b.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_338673a60d08dbcc.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_4267897f5770321e.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_fc42961a63b5a82b.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_2eab5f6df03dcab0.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_94ebd770837bf1eb.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_c6eef3b6608113e0.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_1492cce54f6d20f0.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_63ff01d1f3725efb.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_c46a533c8a667ee7.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_fe32d14209d44781.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_c905be8887838ff2.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0d13e71b543b9dd3.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_465807b554eb9197.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: G:\Users\Default\AppData\Local\Application Data
Status: Locked to the Windows API!

Path: G:\Users\Default\AppData\Local\History
Status: Locked to the Windows API!

Path: G:\Users\Default\AppData\Local\Temporary Internet Files
Status: Locked to the Windows API!

Path: G:\Users\Henry\AppData\Local\Application Data
Status: Locked to the Windows API!

Path: G:\Users\Henry\AppData\Local\History
Status: Locked to the Windows API!

Path: G:\Users\Henry\AppData\Local\Temporary Internet Files
Status: Locked to the Windows API!

Path: G:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.6000.16386__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: G:\Windows\assembly\GAC_64\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.6000.16386__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf750787e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf7507bfe

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACmvitetjlqg.sys

==EOF==

#8 boopme, To Insanity and Beyond (Global Moderator, 73,530 posts, Location: NJ USA)

Posted 04 August 2009 - 02:49 PM

Hello, I can see the Rootkit, but it didn't open. Run RootRepeal
Click Settings - Options
Set the Disk Access Level slider in the general tab to High

Try scanning now with the settings as described above.


Then Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan.
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Edited by boopme, 04 August 2009 - 02:50 PM.


#9 browha (Topic Starter, Members, 12 posts)

Posted 04 August 2009 - 03:50 PM

Hiya

Here's the latest log dump

I haven't had the chance to rerun malware yet


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/04 21:01
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xADEC6000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7995000 Size: 8192 File Visible: No Signed: -
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7A50000 Size: 1664 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xABC1D000 Size: 49152 File Visible: No Signed: -
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF798D000 Size: 5248 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: G:\Documents and Settings
Status: Locked to the Windows API!

Path: G:\ProgramData\Desktop
Status: Locked to the Windows API!

Path: G:\ProgramData\Documents
Status: Locked to the Windows API!

Path: G:\ProgramData\Favorites
Status: Locked to the Windows API!

Path: G:\ProgramData\Start Menu
Status: Locked to the Windows API!

Path: G:\ProgramData\Templates
Status: Locked to the Windows API!

Path: G:\Users\All Users
Status: Locked to the Windows API!

Path: G:\Users\Default User
Status: Locked to the Windows API!

Path: G:\Users\Default\Application Data
Status: Locked to the Windows API!

Path: G:\Users\Default\Cookies
Status: Locked to the Windows API!

Path: G:\Users\Default\Local Settings
Status: Locked to the Windows API!

Path: G:\Users\Default\My Documents
Status: Locked to the Windows API!

Path: G:\Users\Default\NetHood
Status: Locked to the Windows API!

Path: G:\Users\Default\PrintHood
Status: Locked to the Windows API!

Path: G:\Users\Default\Recent
Status: Locked to the Windows API!

Path: G:\Users\Default\SendTo
Status: Locked to the Windows API!

Path: G:\Users\Default\Start Menu
Status: Locked to the Windows API!

Path: G:\Users\Default\Templates
Status: Locked to the Windows API!

Path: G:\Users\Henry\Application Data
Status: Locked to the Windows API!

Path: G:\Users\Henry\Cookies
Status: Locked to the Windows API!

Path: G:\Users\Henry\Local Settings
Status: Locked to the Windows API!

Path: G:\Users\Henry\My Documents
Status: Locked to the Windows API!

Path: G:\Users\Henry\NetHood
Status: Locked to the Windows API!

Path: G:\Users\Henry\PrintHood
Status: Locked to the Windows API!

Path: G:\Users\Henry\Recent
Status: Locked to the Windows API!

Path: G:\Users\Henry\SendTo
Status: Locked to the Windows API!

Path: G:\Users\Henry\Start Menu
Status: Locked to the Windows API!

Path: G:\Users\Henry\Templates
Status: Locked to the Windows API!

Path: G:\Users\Default\Documents\My Music
Status: Locked to the Windows API!

Path: G:\Users\Default\Documents\My Pictures
Status: Locked to the Windows API!

Path: G:\Users\Default\Documents\My Videos
Status: Locked to the Windows API!

Path: G:\Users\Henry\Documents\My Music
Status: Locked to the Windows API!

Path: G:\Users\Henry\Documents\My Pictures
Status: Locked to the Windows API!

Path: G:\Users\Henry\Documents\My Videos
Status: Locked to the Windows API!

Path: G:\Users\Public\Documents\My Music
Status: Locked to the Windows API!

Path: G:\Users\Public\Documents\My Pictures
Status: Locked to the Windows API!

Path: G:\Users\Public\Documents\My Videos
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\amd64_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_46a1dccfe6d329bd\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_462aa7cec12b7884.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_93b21c24844efba7.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_1104655151b6fd4c.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_91949b06671d08ae.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_10d7056abdf6e439.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_ca3f79d486b08636.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_8f16b0d88731ea9c.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_49e66f4952a1b53b.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_338673a60d08dbcc.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_4267897f5770321e.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_fc42961a63b5a82b.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_2eab5f6df03dcab0.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_94ebd770837bf1eb.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_c6eef3b6608113e0.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_1492cce54f6d20f0.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_63ff01d1f3725efb.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_c46a533c8a667ee7.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_fe32d14209d44781.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_c905be8887838ff2.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0d13e71b543b9dd3.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\amd64_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_465807b554eb9197.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365.cat
Status: Locked to the Windows API!

Path: G:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: G:\Users\Default\AppData\Local\Application Data
Status: Locked to the Windows API!

Path: G:\Users\Default\AppData\Local\History
Status: Locked to the Windows API!

Path: G:\Users\Default\AppData\Local\Temporary Internet Files
Status: Locked to the Windows API!

Path: G:\Users\Henry\AppData\Local\Application Data
Status: Locked to the Windows API!

Path: G:\Users\Henry\AppData\Local\History
Status: Locked to the Windows API!

Path: G:\Users\Henry\AppData\Local\Temporary Internet Files
Status: Locked to the Windows API!

Path: G:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.6000.16386__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: G:\Windows\assembly\GAC_64\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.6000.16386__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf750787e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "Lbd.sys" at address 0xf7507bfe

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACmvitetjlqg.sys

==EOF==
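The two RootRepeal reports in this thread (posts #7 and #9) share one layout: a header, then sections ("Drivers", "Hidden/Locked Files", "SSDT", "Hidden Services") each underlined with dashes and made of blank-line-separated `Key: Value` records, some lines carrying several keys at once. What matters for triage is buried under dozens of identical "Locked to the Windows API!" lines from the G: volume, whose names match the compatibility junctions a Vista profile tree contains. The Python below is an added example, not code from the thread or from RootRepeal: it parses that layout and ranks the findings so the one hidden service (a driver whose service entry the Windows API cannot see) and the API-invisible file come out ahead of the locked directories. The key list in `KEY_RE` and the severity ranking are my assumptions; the sample report is a constructed, abridged copy of the log above.

```python
"""Added example (not RootRepeal's own code): parse a RootRepeal report and
rank its findings so hidden services and API-invisible files come first."""
import re
from collections import defaultdict

# Record keys seen in the report (assumed list); several can share one line.
KEY_RE = re.compile(r"(?:^|\s+)(#|Name|Image Path|Address|Size|File Visible|"
                    r"Signed|Status|Path|Function Name|Service Name): ")
SECTION_RULE = re.compile(r"^-{5,}$")      # dashes under a section name
HOOKED_BY_RE = re.compile(r'Hooked by "([^"]+)"')
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}   # assumed ranking

# Constructed sample: an abridged copy of the report posted in the thread.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Windows Version: Windows XP SP3

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xAB822000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Henry\Local Settings\Application Data\Mozilla\Firefox\Profiles\et4n9nw6.default\Cache\561FC189d01
Status: Invisible to the Windows API!

Path: G:\Users\Default\Application Data
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "Lbd.sys" at address 0xf750787e

Hidden Services
-------------------
Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACmvitetjlqg.sys

==EOF==
"""


def parse_fields(line):
    """Split one record line into {key: value}; handles multi-key lines."""
    hits = list(KEY_RE.finditer(line))
    fields = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        fields[hit.group(1)] = line[hit.end():end].strip()
    return fields


def parse_rootrepeal(text):
    """Return {section name: [record dict, ...]} for a RootRepeal report."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    sections, section, record = defaultdict(list), None, {}

    def flush():
        nonlocal record
        if section is not None and record:
            sections[section].append(record)
        record = {}

    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line and SECTION_RULE.match(nxt):         # "Drivers" over "-----"
            flush()
            section = line.strip()
        elif SECTION_RULE.match(line) or section is None or line == "==EOF==":
            continue
        elif not line.strip():                       # blank line ends a record
            flush()
        else:
            record.update(parse_fields(line))
    flush()
    return dict(sections)


def triage(report):
    """Rank findings as (severity, section, detail), most severe first."""
    found = []
    for rec in report.get("Hidden Services", []):
        # A service hidden from the registry API is the strongest rootkit
        # indicator this report format can show.
        found.append(("critical", "Hidden Services",
                      f"{rec.get('Service Name')} -> {rec.get('Image Path')}"))
    for rec in report.get("Hidden/Locked Files", []):
        status, path = rec.get("Status", ""), rec.get("Path")
        if status.startswith("Locked"):
            # Access-denied directories (profile junctions on the Vista volume).
            found.append(("low", "Hidden/Locked Files", f"{path}: {status}"))
        else:   # invisible to the API, size mismatch, or missing on disk
            found.append(("high", "Hidden/Locked Files", f"{path}: {status}"))
    for rec in report.get("SSDT", []):
        hook = HOOKED_BY_RE.search(rec.get("Status", ""))
        if hook:   # security products hook the SSDT too: identify the module
            found.append(("medium", "SSDT",
                          f"{rec.get('Function Name')} hooked by {hook.group(1)}"))
    return sorted(found, key=lambda f: RANK[f[0]])
```

Calling `triage(parse_rootrepeal(text))` on a saved RootRepeal.txt gives the ranked list; the "Drivers" section is kept in the parsed report but not scored, since memory-only `dump_*.sys` drivers and the scanner's own driver all show `File Visible: No` and would only add noise.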

#10 browha (Topic Starter, Members, 12 posts)

Posted 04 August 2009 - 04:05 PM

Malware's running at the minute, and Windows Resident Shield is picking it up as a virus - which is why I deleted it in the first place.

3 Objects infected so far, will let you know how it finishes off

#11 browha (Topic Starter, Members, 12 posts)

Posted 04 August 2009 - 05:42 PM

Sh*tting hell.

A lot worse than I expected.

I'm a bit worried that this might be systemic of another virus, that Malware isn't picking up.


Anyway, here's the log;

Malwarebytes' Anti-Malware 1.40
Database version: 2560
Windows 5.1.2600 Service Pack 3

04/08/2009 23:40:44
mbam-log-2009-08-04 (23-40-41).txt

Scan type: Full Scan (C:\|G:\|H:\|)
Objects scanned: 442232
Time elapsed: 1 hour(s), 40 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\qaccess.tchongabho (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a34fa88d-8437-4634-8a60-e913011ef2e5} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a34fa88d-8437-4634-8a60-e913011ef2e5} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntiVirus) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.103,85.255.112.23 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.103,85.255.112.23 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.103,85.255.112.23 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Tasks\Antispyware Scheduled Scan.job (Rogue.AntiSpyware) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\gaopdxcounter (Trojan.Agent) -> No action taken.
C:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\UACjnqbpqwrqx.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\UACnstewxxyof.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\UACrtgrgjovtx.dll (Trojan.Agent) -> No action taken.



I've subsequently and successfully deleted all of the above.
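Two things in the MBAM log above are worth pulling out automatically. Every line ends in "No action taken.", which means the log was saved before Remove Selected was clicked, so it records what was found, not what was removed; and the three Trojan.DNSChanger items show the same two resolver addresses written into the TCP/IP NameServer value of the current and two stored control sets, which is consistent with the redirected search results reported earlier in the thread. The Python below is an added example, not code from the thread or from Malwarebytes: it parses the log format, summarises detections by family, lists items still pending removal, and maps each flagged NameServer value to the addresses it contains. The function names are mine; the sample log is a constructed, abridged copy of the one above, with one made-up "Quarantined and deleted" line added so a removed item appears beside the pending ones.

```python
"""Added example (not Malwarebytes' code): parse an MBAM scan log, summarise
it, and pull out DNS-changer resolver addresses and items not yet removed."""
import re
from collections import Counter

CATEGORY_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:(?P<data>.+?) -> )?(?P<action>[^>]+?)\.?$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample, abridged from the 04/08/2009 log in the thread; the
# last file line is made up to show a removed item beside pending ones.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2560
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|G:\|H:\|)

Registry Keys Infected: 3
Registry Data Items Infected: 3
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a34fa88d-8437-4634-8a60-e913011ef2e5} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MicroAV (Rogue.MicroAntiVirus) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.103,85.255.112.23 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.103,85.255.112.23 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.103,85.255.112.23 -> No action taken.

Files Infected:
C:\WINDOWS\Tasks\Antispyware Scheduled Scan.job (Rogue.AntiSpyware) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\UACnstewxxyof.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""


def parse_mbam(text):
    """Return one dict per detection: category, item, family, data, action."""
    detections, category = [], None
    for raw in text.splitlines():
        line = raw.strip()
        head = CATEGORY_RE.match(line)
        if head:                       # "Files Infected:" (no count) opens a list
            category = head.group(1)
            continue
        if not line or category is None or line.startswith("("):
            continue                   # header, summary counts, or "(No malicious...)"
        hit = ITEM_RE.match(line)
        if hit:
            detections.append({"category": category, **hit.groupdict()})
    return detections


def summarize(detections):
    """Counts by detection family, e.g. {'Trojan.DNSChanger': 3, ...}."""
    return Counter(d["family"] for d in detections)


def pending_removal(detections):
    """Items the log records but MBAM has not yet removed ('No action taken')."""
    return [d["item"] for d in detections if d["action"] == "No action taken"]


def dns_changer_servers(detections):
    """Map each flagged NameServer value to the resolver IPs written into it."""
    hits = {}
    for d in detections:
        if d["item"].endswith(r"\Tcpip\Parameters\NameServer") and d["data"]:
            hits[d["item"]] = IPV4_RE.findall(d["data"])
    return hits


if __name__ == "__main__":
    found = parse_mbam(SAMPLE_LOG)
    print(dict(summarize(found)))
    for key, ips in dns_changer_servers(found).items():
        print("resolvers in", key.split("\\SYSTEM\\")[1], "->", ips)
    print(len(pending_removal(found)), "item(s) still to remove")
```

A non-empty result from `pending_removal` is the cue that the post-removal rescan boopme asked for is still outstanding; a non-empty result from `dns_changer_servers` means the machine's name resolution should be checked again after the reboot, since the value lives in every stored control set, not only the active one.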

#12 DaChew, Visiting Alien (Members, 10,317 posts, Location: millenium falcon and rockytop)

Posted 04 August 2009 - 06:29 PM

Load rootrepeal up in xp and do just a file scan of C drive, what's G?
Chewy

No. Try not. Do... or do not. There is no try.

#13 browha (Topic Starter, Members, 12 posts)

Posted 04 August 2009 - 06:44 PM

All the stuff today has been done in XP so far, sorry, I should clarify.

G drive is my Vista partition (as loaded from XP, of course, in Vista the D drive is my xp partition)

#14 DaChew, Visiting Alien (Members, 10,317 posts, Location: millenium falcon and rockytop)

Posted 04 August 2009 - 07:58 PM

You ran a root repeal scan from XP of your Vista partition?

I don't think that's what Boopme wanted
Chewy


#15 browha (Topic Starter, Members, 12 posts)

Posted 05 August 2009 - 04:20 AM

Hiya, sorry;

I ran RootRepeal in XP on my XP drive, Vista drive, and my storage drive.

I then ran Malware from my XP drive on all three drives as well.

All the infections picked up were, I think, in the XP partition.


When you load up an OS it boots its native partition as the C drive



I reran the RootRepeal as you suggested for hidden files on all three drives as well.

Cheers


-----------

edit;

I guess we should keep this semi-consistent from now on...

I primarily use XP (out of habit more than anything) when I use my computer, so in that aspect, C -> XP Partition (the one that was originally infected, but is now bootable), G-> Vista Partition (had minor infections, but now cleaned I think), H-> Media/Storage

Edited by browha, 05 August 2009 - 04:21 AM.




