winxp w/cryptor virus


6 replies to this topic

#1 matix87

matix87

  • Members
  • 8 posts

Posted 09 August 2009 - 10:31 AM

I am working on my friend's laptop. It's a Compaq C300 with XP. After running AVG I found several instances of the Cryptor virus. I finally got Malwarebytes loaded and running, and I cleared some of it, but I'm still seeing more, and every few minutes there's some broadcast coming out of the audio. I can't really tell what it is, but it's never the same. Any help will be appreciated.

Edit: Moved topic from XP to the more appropriate forum. ~ Animal


#2 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 09 August 2009 - 02:04 PM

Can you copy and paste your log to this topic. Thanks!

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#3 matix87

matix87
  • Topic Starter

  • Members
  • 8 posts

Posted 09 August 2009 - 02:10 PM

Malwarebytes' Anti-Malware 1.40
Database version: 2581
Windows 5.1.2600 Service Pack 3

8/9/2009 10:14:29 AM
mbam-log-2009-08-09 (10-14-25).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 239567
Time elapsed: 34 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\hjgruioduiybwe.dll (Trojan.TDSS) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\hjgruioduiybwe.dll (Trojan.TDSS) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.

#4 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 09 August 2009 - 02:14 PM

You have a rootkit.

Install RootRepeal

Click here - Official Rootrepeal Site, and download RootRepeal.zip. I recommend downloading to your desktop.
Fatdcuk at Malwarebytes posted a comprehensive tutorial; the self-help guide can be found here if needed: Malwarebytes Removal and Self Help Guides.
Click RootRepeal.exe to open the scanner.
Click the Report tab, now click on Scan. A Window will open asking what to include in the scan.
Check the following items:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

Click OK
Scan your C drive (or your current system drive) and click OK. The scan will begin. This may take a moment, so please be patient. When the scan completes, click Save Report.
Name the log RootRepeal.txt and save it to your Documents folder - (Default folder).
Paste the log into your next reply.

Please note: if RootRepeal fails to run, try this step: click Settings - Options and set the Disk Access slider to High.



#5 matix87

matix87
  • Topic Starter

  • Members
  • 8 posts

Posted 09 August 2009 - 02:53 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/09 14:30
Program Version: Version 1.3.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9BB15000 Size: 876544 File Visible: No Signed: -
Status: -

Name: gpddife.sys
Image Path: C:\WINDOWS\system32\drivers\gpddife.sys
Address: 0xA6141000 Size: 61440 File Visible: No Signed: -
Status: -

Name: hjgruiyxfmqhti.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruiyxfmqhti.sys
Address: 0xA51CF000 Size: 163840 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9AD17000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\hjgruioduiybwe.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiqqmrsuhx.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiwekrsuqj.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruixtlfcacw.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACfdhiloonbikpxovys.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACievwbmeuwpdnontti.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\uacinit.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACmlwewuipjpibyuwvr.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACrsrexhxqmivkqdyag.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACwwkcpvxiubffyyqxf.dll
Status: Invisible to the Windows API!

Path: c:\windows\temp\2f95af6f-334e-477e-93cd-e3c2ef7f39b9.tmp
Status: Allocation size mismatch (API: 393216, Raw: 0)

Path: C:\WINDOWS\temp\abcaa717-a39a-4e14-8f6c-dba6ee4fee7b.tmp
Status: Invisible to the Windows API!

Path: c:\windows\temp\c7b1b843-f072-4f0c-b86f-092f0eeb99b0.tmp
Status: Allocation size mismatch (API: 11010048, Raw: 0)

Path: C:\WINDOWS\temp\hjgruivananwyukh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\hjgruiyjwbjinhwh.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\UAC1e22.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\UAC315b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\UAC3b7d.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\UAC3cc5.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\UAC3dcf.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\UAC5c5b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\UAC5f1a.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\UAC6072.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\UAC619b.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\UAC62d3.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\UACc7fe.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\UACec0.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\temp\b6bb7cfb-a9cc-4eb5-a78f-8ab1686fc1c7.tmp
Status: Visible to the Windows API, but not on disk.

Path: C:\WINDOWS\system32\drivers\hjgruiyxfmqhti.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\UACpbnywltexrqaavpab.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\LISA LANTZ\Local Settings\Temp\UAC4cf2.tmp
Status: Invisible to the Windows API!

Stealth Objects
-------------------
Object: Hidden Module [Name: hjgruiqqmrsuhx.dll]
Process: svchost.exe (PID: 948) Address: 0x006f0000 Size: 57344

Object: Hidden Module [Name: UAC5f1a.tmppvxiubffyyqxf.dll]
Process: svchost.exe (PID: 948) Address: 0x00990000 Size: 73728

Object: Hidden Module [Name: UACrsrexhxqmivkqdyag.dll]
Process: svchost.exe (PID: 948) Address: 0x02ba0000 Size: 45056

Object: Hidden Module [Name: UACfdhiloonbikpxovys.dll]
Process: svchost.exe (PID: 948) Address: 0x02c90000 Size: 49152

Object: Hidden Module [Name: hjgruioduiybwe.dll]
Process: svchost.exe (PID: 948) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: UACrsrexhxqmivkqdyag.dll]
Process: iexplore.exe (PID: 2628) Address: 0x08d40000 Size: 45056

Object: Hidden Module [Name: UACfdhiloonbikpxovys.dll]
Process: iexplore.exe (PID: 2628) Address: 0x08df0000 Size: 49152

Object: Hidden Module [Name: UACrsrexhxqmivkqdyag.dll]
Process: iexplore.exe (PID: 2200) Address: 0x08d40000 Size: 45056

Object: Hidden Module [Name: UACfdhiloonbikpxovys.dll]
Process: iexplore.exe (PID: 2200) Address: 0x08df0000 Size: 49152

Object: Hidden Module [Name: UACfdhiloonbikpxovys.dll]
Process: avgscanx.exe (PID: 468) Address: 0x00cc0000 Size: 49152

Object: Hidden Module [Name: UACrsrexhxqmivkqdyag.dll]
Process: avgscanx.exe (PID: 468) Address: 0x00c10000 Size: 45056

Object: Hidden Module [Name: UACrsrexhxqmivkqdyag.dll]
Process: avgcsrvx.exe (PID: 2404) Address: 0x00c00000 Size: 45056

Object: Hidden Module [Name: UACfdhiloonbikpxovys.dll]
Process: avgcsrvx.exe (PID: 2404) Address: 0x00cc0000 Size: 49152

Object: Hidden Module [Name: UACrsrexhxqmivkqdyag.dll]
Process: RootRepeal.exe (PID: 3788) Address: 0x08d40000 Size: 45056

Object: Hidden Module [Name: UACfdhiloonbikpxovys.dll]
Process: RootRepeal.exe (PID: 3788) Address: 0x08f00000 Size: 49152

Hidden Services
-------------------
Service Name: hjgruilthxnsvk
Image Path: C:\WINDOWS\system32\drivers\hjgruiyxfmqhti.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACpbnywltexrqaavpab.sys

==EOF==

#6 rigel

rigel

    FD-BC


  • Members
  • 12,944 posts
  • Gender:Male
  • Location:South Carolina - USA

Posted 09 August 2009 - 07:52 PM

Interesting log...

Our next step...

1st - update Malwarebytes. Do not run it yet...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:
  • Path: C:\WINDOWS\system32\hjgruioduiybwe.dll
  • Path: C:\WINDOWS\system32\hjgruiqqmrsuhx.dll
  • Path: C:\WINDOWS\system32\hjgruiwekrsuqj.dat
  • Path: C:\WINDOWS\system32\hjgruixtlfcacw.dat
  • Path: C:\WINDOWS\system32\UACfdhiloonbikpxovys.dll
  • Path: C:\WINDOWS\system32\UACievwbmeuwpdnontti.dat
  • Path: C:\WINDOWS\system32\uacinit.dll
  • Path: C:\WINDOWS\system32\UACmlwewuipjpibyuwvr.dll
  • Path: C:\WINDOWS\system32\UACrsrexhxqmivkqdyag.dll
  • Path: C:\WINDOWS\system32\UACwwkcpvxiubffyyqxf.dll
  • Path: C:\WINDOWS\temp\hjgruivananwyukh.tmp
  • Path: C:\WINDOWS\temp\hjgruiyjwbjinhwh.tmp
  • Path: C:\WINDOWS\temp\UAC1e22.tmp
  • Path: C:\WINDOWS\temp\UAC315b.tmp
  • Path: C:\WINDOWS\temp\UAC3b7d.tmp
  • Path: C:\WINDOWS\temp\UAC3cc5.tmp
  • Path: C:\WINDOWS\temp\UAC3dcf.tmp
  • Path: C:\WINDOWS\temp\UAC5c5b.tmp
  • Path: C:\WINDOWS\temp\UAC5f1a.tmp
  • Path: C:\WINDOWS\temp\UAC6072.tmp
  • Path: C:\WINDOWS\temp\UAC619b.tmp
  • Path: C:\WINDOWS\temp\UAC62d3.tmp
  • Path: C:\WINDOWS\temp\UACc7fe.tmp
  • Path: C:\WINDOWS\temp\UACec0.tmp
  • Path: C:\WINDOWS\system32\drivers\hjgruiyxfmqhti.sys
  • Path: C:\WINDOWS\system32\drivers\UACpbnywltexrqaavpab.sys
  • Path: C:\Documents and Settings\LISA LANTZ\Local Settings\Temp\UAC4cf2.tmp
Then use your mouse to highlight it in the RootRepeal window.
Next, right-click on it and select the *wipe file* option only, then immediately reboot the computer.

Rerun Malwarebytes in full mode. - Let me know if you need any help with these steps.

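As an added example (not code from this thread, from RootRepeal or from Malwarebytes), the following Python script does mechanically what reply #6 does by hand: it parses a RootRepeal report into its sections, pulls out every entry the tool reported as hidden from the Windows API (files, drivers, injected modules and hidden services), and separately lists Malwarebytes detections still marked "No action taken", which is the state the first MBAM log in reply #3 was posted in. The sample report and MBAM lines are constructed excerpts modelled on the logs posted above; the section names and status strings are the ones the two tools print there, and the function names are my own.

```python
"""Added triage helpers, not code from the thread or from either tool: turn a
RootRepeal report into the review list compiled by hand in reply #6 and flag
Malwarebytes (MBAM) detections that were left with "No action taken"."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the RootRepeal report posted in reply #5.
SAMPLE_ROOTREPEAL = r"""
ROOTREPEAL (c) AD, 2007-2009

Drivers
-------------------
Name: hjgruiyxfmqhti.sys
Image Path: C:\WINDOWS\system32\drivers\hjgruiyxfmqhti.sys
Status: Hidden from the Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\hjgruioduiybwe.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\UACfdhiloonbikpxovys.dll
Status: Invisible to the Windows API!

Path: c:\windows\temp\2f95af6f-334e-477e-93cd-e3c2ef7f39b9.tmp
Status: Allocation size mismatch (API: 393216, Raw: 0)

Stealth Objects
-------------------
Object: Hidden Module [Name: hjgruioduiybwe.dll]
Process: svchost.exe (PID: 948) Address: 0x10000000 Size: 28672

Hidden Services
-------------------
Service Name: hjgruilthxnsvk
Image Path: C:\WINDOWS\system32\drivers\hjgruiyxfmqhti.sys

==EOF==
"""

# Constructed MBAM excerpt: two detections left in place, one removed.
SAMPLE_MBAM = r"""
\\?\globalroot\systemroot\system32\hjgruioduiybwe.dll (Trojan.TDSS) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

HIDDEN = re.compile(r"(Invisible to|Hidden from) the Windows API")
NAME = re.compile(r"\[Name: ([^\]]+)\]")
PROC = re.compile(r"^(\S+) \(PID: (\d+)\)")
MBAM = re.compile(r"^(.+?) \(([^()]+)\) -> (.+)$")

def parse_rootrepeal(text):
    """{section: [record, ...]}: blocks are blank-line separated, a block may
    open with 'Header' + a dashed rule, and a record is its 'Key: value' lines."""
    sections, current = defaultdict(list), None
    for block in re.split(r"\n\s*\n", text.strip()):
        rows = block.splitlines()
        if len(rows) > 1 and rows[1].startswith("---"):
            current, rows = rows[0].strip(), rows[2:]
        if current is None or not rows or rows[0].startswith("=="):
            continue  # banner before the first section, or the ==EOF== footer
        rec = {k.strip(): v.strip() for k, sep, v in (r.partition(":") for r in rows) if sep}
        sections[current].append(rec)
    return dict(sections)

def hidden_files(report):
    """Paths the Windows API could not see: hidden files plus hidden drivers.
    'Locked' (hiberfil.sys) and size-mismatch entries are not proof of hiding."""
    paths = {r["Path"] for r in report.get("Hidden/Locked Files", [])
             if HIDDEN.search(r.get("Status", ""))}
    paths |= {r["Image Path"] for r in report.get("Drivers", [])
              if HIDDEN.search(r.get("Status", ""))}
    return sorted(paths, key=str.lower)

def hidden_modules(report):
    """(module, process, pid) for modules loaded into a process but hidden from its module list."""
    out = []
    for r in report.get("Stealth Objects", []):
        name, proc = NAME.search(r.get("Object", "")), PROC.match(r.get("Process", ""))
        if name and proc:
            out.append((name[1], proc[1], int(proc[2])))
    return out

def hidden_services(report):
    return [(r["Service Name"], r["Image Path"]) for r in report.get("Hidden Services", [])]

def mbam_unactioned(log):
    """(item, detection) for every MBAM hit still reporting 'No action taken'."""
    hits = (MBAM.match(l.strip()) for l in log.splitlines())
    return [(m[1], m[2]) for m in hits if m and m[3].startswith("No action taken")]
```

Note what is deliberately not on the hidden list: "Locked to the Windows API" on hiberfil.sys is normal for a running system, and an allocation-size mismatch on a temp file is only a hint, so both stay out of the wipe list and are left for manual review. Running the MBAM check on the log in reply #3 would have shown every entry as unactioned, which is the cue that Remove Selected had not yet been clicked.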


#7 matix87

matix87
  • Topic Starter

  • Members
  • 8 posts

Posted 10 August 2009 - 02:49 AM

OK, I've done everything and here is my MBAM log:
Malwarebytes' Anti-Malware 1.40
Database version: 2588
Windows 5.1.2600 Service Pack 3

8/10/2009 2:40:03 AM
mbam-log-2009-08-10 (02-40-03).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 242168
Time elapsed: 1 hour(s), 6 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hjgruioduiybwe.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hjgruiqqmrsuhx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACfdhiloonbikpxovys.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACmlwewuipjpibyuwvr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACrsrexhxqmivkqdyag.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACwwkcpvxiubffyyqxf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\hjgruiyxfmqhti.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACpbnywltexrqaavpab.sys (Trojan.Agent) -> Quarantined and deleted successfully.
