
win32/Cryptor virus [Split topic]


5 replies to this topic

#1 passenger


Posted 03 August 2009 - 12:30 AM

Hello, I have a similar problem with the win32/Cryptor virus and I can't get rid of it. I have AVG Free. I downloaded Malwarebytes Antimalware. It found around 20 infected objects but it still has 2 infections that it can't get rid of.

AVG finds 72 copies of the Win32/Cryptor virus and it is not able to delete/quarantine them. I also ran AVG in safe mode but it couldn't check many files because they were locked. I am attaching the results of Malwarebytes Antimalware and of AVG. Please advise!

Malwarebytes' Anti-Malware 1.39
Έκδοση βάσης δεδομένων: 2547
Windows 5.1.2600 Service Pack 3

3/8/2009 8:28:40 πμ
mbam-log-2009-08-03 (08-28-35).txt

Τύπος σάρωσης: Γρήγορη σάρωση
Αντικείμενα που σαρώθηκαν: 117597
Χρόνος που έχει διανυθεί: 4 minute(s), 1 second(s)

Μολυσμένες διεργασίες στη μνήμη: 0
Μολυσμένα στοιχεία στη μνήμη: 1
Μολυσμένα κλειδιά στο μητρώο: 0
Μολυσμένες τιμές στο μητρώο: 0
Μολυσμένα αντικείμενα δεδομένων στο μητρώο: 0
Μολυσμένοι φάκελοι: 0
Μολυσμένα αρχεία: 1

Μολυσμένες διεργασίες στη μνήμη:
(Δεν εντοπίστηκαν επιβλαβή αντικείμενα)

Μολυσμένα στοιχεία στη μνήμη:
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll (Trojan.TDSS) -> No action taken.

Μολυσμένα κλειδιά στο μητρώο:
(Δεν εντοπίστηκαν επιβλαβή αντικείμενα)

Μολυσμένες τιμές στο μητρώο:
(Δεν εντοπίστηκαν επιβλαβή αντικείμενα)

Μολυσμένα αντικείμενα δεδομένων στο μητρώο:
(Δεν εντοπίστηκαν επιβλαβή αντικείμενα)

Μολυσμένοι φάκελοι:
(Δεν εντοπίστηκαν επιβλαβή αντικείμενα)

Μολυσμένα αρχεία:
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll (Trojan.TDSS) -> No action taken.

Edited by passenger, 03 August 2009 - 12:47 AM.




#2 passenger


Posted 03 August 2009 - 12:31 AM

AVG SCAN
------------------------------------------------
Scan "Scan whole computer" was finished.
Infections;"72";"0";"72"
Folders selected for scanning:;"Scan whole computer"
Scan started:;"Δευτέρα, 3 Αυγούστου 2009, 1:48:18 πμ"
Scan finished:;"Δευτέρα, 3 Αυγούστου 2009, 2:28:00 πμ (39 minute(s) 41 second(s))"
Total object scanned:;"689792"
User who launched the scan:;"Νίκος"

Infections
File;"Infection";"Result"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Bonjour\mDNSResponder.exe (144);"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (1236);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Java\jre6\bin\jqs.exe (456);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (3748);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (1376);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Microsoft LifeCam\MSCamS32.exe (756);"Virus identified Win32/Cryptor";"Infected"
C:\WINDOWS\system32\HPZipm12.exe (1052);"Virus identified Win32/Cryptor";"Infected"
C:\WINDOWS\system32\LEXPPS.EXE (1856);"Virus identified Win32/Cryptor";"Infected"
C:\WINDOWS\system32\nvsvc32.exe (864);"Virus identified Win32/Cryptor";"Infected"
C:\WINDOWS\system32\LEXBCES.EXE (1812);"Virus identified Win32/Cryptor";"Infected"
C:\WINDOWS\system32\lsass.exe (928);"Virus identified Win32/Cryptor";"Infected"
C:\WINDOWS\system32\services.exe (916);"Virus identified Win32/Cryptor";"Infected"
C:\WINDOWS\system32\spoolsv.exe (1852);"Virus identified Win32/Cryptor";"Infected"
C:\WINDOWS\system32\svchost.exe (1324);"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\hjgruixfmkyabr.dll;"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe (3656);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (2244);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Java\jre6\bin\jusched.exe (2072);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Sitecom\Common\WLANUtil.exe (2784);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Skype\Phone\Skype.exe (2132);"Virus identified Win32/Cryptor";"Infected"
C:\WINDOWS\explorer.exe (3272);"Virus identified Win32/Cryptor";"Infected"
C:\WINDOWS\RTHDCPL.exe (3472);"Virus identified Win32/Cryptor";"Infected"
C:\WINDOWS\system32\ctfmon.exe (1556);"Virus identified Win32/Cryptor";"Infected"
F:\PROGRA~1\AVG\AVG8\avgtray.exe (3764);"Virus identified Win32/Cryptor";"Infected"
C:\WINDOWS\system32\svchost.exe (1476);"Virus identified Win32/Cryptor";"Infected"
C:\WINDOWS\system32\wbem\wmiapsrv.exe (2404);"Virus identified Win32/Cryptor";"Infected"
C:\WINDOWS\system32\winlogon.exe (856);"Virus identified Win32/Cryptor";"Infected"
C:\WINDOWS\system32\wuauclt.exe (3836);"Virus identified Win32/Cryptor";"Infected"
C:\WINDOWS\vVX1000.exe (3728);"Virus identified Win32/Cryptor";"Infected"
F:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (2100);"Virus identified Win32/Cryptor";"Infected"
F:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (140);"Virus identified Win32/Cryptor";"Infected"
F:\Program Files\AVG\AVG8\avgrsx.exe (220);"Virus identified Win32/Cryptor";"Infected"
F:\Program Files\AVG\AVG8\avgui.exe (3236);"Virus identified Win32/Cryptor";"Infected"
F:\Program Files\AVG\AVG8\avgcsrvx.exe (3040);"Virus identified Win32/Cryptor";"Infected"
F:\Program Files\AVG\AVG8\avgscanx.exe (2968);"Virus identified Win32/Cryptor";"Infected"
F:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe (1576);"Virus identified Win32/Cryptor";"Infected"
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (1568);"Virus identified Win32/Cryptor";"Infected"

#3 Orange Blossom

  • Moderator

Posted 03 August 2009 - 12:49 AM

Split from this topic: http://www.bleepingcomputer.com/forums/t/176761/virus-found-win32cryptor/ ~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 Budapest

  • Moderator

Posted 03 August 2009 - 12:52 AM

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop:
  • Extract RootRepeal.exe from the zip archive.
  • Open [image] on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check the Files box: [image]
  • Push Ok
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 passenger


Posted 03 August 2009 - 11:06 AM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/03 18:57
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\hjgruiddrfvxtl.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruinibmweem.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiwxyqmoqv.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruixfmkyabr.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\hjgruimcdchqfqym.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruiamttkkwp.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Νίκος\Local Settings\Application Data\Microsoft\Messenger\nudismfun@hotmail.com\SharingMetadata\basilakis_133@hotmail.com\DFSR\Staging\CS{7BB3EB19-9B06-470A-249B-A0ADBCE0B10E}\11\12-{07~1.FRX:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
Status: Visible to the Windows API, but not on disk.

==EOF==

#6 passenger


Posted 03 August 2009 - 01:18 PM

Well...thanks for your help........but the solution was to reinstall my Windows as my PC started to have mysterious security alerts and I thought it better to clean the disk to be 100% sure! :thumbsup:



