Cryptor Virus Help


  • This topic is locked
2 replies to this topic

#1 peterparker000

peterparker000

  • Members
  • 5 posts
  • Local time:12:36 AM

Posted 04 February 2010 - 09:57 PM

Bleepingcomputer,

Greetings. Unfortunately, today is a bad day for me. My AVG Resident Shield has detected the Cryptor virus on my computer system. I have tried a system restore, but the problem is still there.

The HJT log is below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:20 AM, on 2/5/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\sttray.exe
C:\Program Files\VDOTool\TBPanel.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: IEHlprObj Class - {7F23592B-8F2C-4C08-83A8-BBE01BF9CC64} - C:\WINDOWS\system32\ieban0.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Gainward] C:\Program Files\VDOTool\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\michael\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
O4 - HKCU\..\Run: [cybansos] C:\WINDOWS\system32\cyban.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Action Manager 32 (OpticSlim 2400+).lnk = C:\Program Files\Plustek\OpticSlim 2400+\AM32.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: FsUsbExService - Teruten - C:\WINDOWS\system32\FsUsbExService.Exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe

--
End of file - 8491 bytes


Hoping for a fix from you guys. Thanks in advance.

peterparker000

Bleepingcomputer,

I was able to search the forum and found entries regarding the Cryptor virus. I downloaded and ran MalwareBytes and found it to be very effective. It was able to remove Cryptor from my computer system. I would not have been able to overcome this problem if it were not for this forum.

Here is the logfile for those interested.

Malwarebytes' Anti-Malware 1.44
Database version: 3691
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

2/5/2010 11:56:49 AM
mbam-log-2010-02-05 (11-56-49).txt

Scan type: Full Scan (C:|D:|F:|)
Objects scanned: 54230
Time elapsed: 16 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\iehlprobj.iehlprobj.1 (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7f23592c-8f2c-4c08-83a8-bbe01bf9cc64} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7f23592b-8f2c-4c08-83a8-bbe01bf9cc64} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7f235922-8f2c-4c08-83a8-bbe01bf9cc64} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7f23592b-8f2c-4c08-83a8-bbe01bf9cc64} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7f23592b-8f2c-4c08-83a8-bbe01bf9cc64} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I've had it with AVG and this crazy Cryptor virus. There seems to be a direct correlation between AVG Free and the Cryptor virus. All of the complaints I saw were detections from AVG. I finally decided to switch to Avast antivirus software. Everything seems to be working well so far.

Frankly, I think AVG is giving out a false positive result after Cryptor is removed from the system. I am not sure but I think switching away from AVG did the trick.


While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large, as are those of other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, you wouldn't want someone to assist you who is not familiar with your issue and attempt to fix it, would you?

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Edited by garmanma, 05 February 2010 - 11:10 AM.
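The two logs in this post show the pattern a log helper looks for: an O2 BHO whose DLL is "(file missing)" (CLSID {7F23592B-...}, ieban0.dll), and a Malwarebytes log that later quarantines registry keys carrying that same CLSID. The script below is an added example, not part of this thread and not a BleepingComputer or Malwarebytes tool. It parses O2/O4 lines from a HijackThis log, applies two deliberately simple heuristics, and cross-checks flagged CLSIDs against what MBAM reported removing. The sample lines are copied from the logs above (with backslashes restored); the `KNOWN_SYSTEM32_RUN` allowlist and both heuristics are this example's own assumptions, so treat its output as leads to verify, not verdicts.

```python
"""Triage a HijackThis (HJT) log and cross-check it against a Malwarebytes (MBAM) log.

Added example; the sample lines are copied from the logs posted in this thread
(backslashes restored). The heuristics and the allowlist are assumptions made
for the example, not an authoritative reference.
"""
import re

HJT_SAMPLE = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEHlprObj Class - {7F23592B-8F2C-4C08-83A8-BBE01BF9CC64} - C:\WINDOWS\system32\ieban0.dll (file missing)
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cybansos] C:\WINDOWS\system32\cyban.exe
"""

MBAM_SAMPLE = r"""
HKEY_CLASSES_ROOT\CLSID\{7f23592b-8f2c-4c08-83a8-bbe01bf9cc64} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7f23592b-8f2c-4c08-83a8-bbe01bf9cc64} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
"""

# Windows XP binaries that legitimately start from system32 via a Run key.
# Assumption for this example only; extend it for your own environment.
KNOWN_SYSTEM32_RUN = {"ctfmon.exe", "rundll32.exe"}

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
GUID_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\}")


def parse_hjt(text):
    """Return the O2 (BHO) and O4 (Run key) entries of an HJT log as dicts."""
    entries = []
    for line in text.splitlines():
        m = O2_RE.match(line)
        if m:
            entries.append({
                "kind": "O2", "name": m["name"], "clsid": m["clsid"].upper(),
                "path": m["path"], "file_missing": m["missing"] is not None,
            })
            continue
        m = O4_RE.match(line)
        if m:
            # First token ending in .exe, with optional surrounding quotes.
            exe = re.match(r'"?(?P<exe>[^"]+?\.exe)"?', m["cmd"], re.I)
            entries.append({
                "kind": "O4", "hive": m["hive"], "name": m["name"],
                "path": exe["exe"] if exe else m["cmd"],
                "clsid": None, "file_missing": False,
            })
    return entries


def flag_entries(entries):
    """Apply two cheap heuristics; return (entry, reason) pairs worth a second look."""
    flagged = []
    for e in entries:
        if e["kind"] == "O2" and e["file_missing"]:
            flagged.append((e, "BHO registered but its DLL is gone (orphaned registration)"))
        elif e["kind"] == "O4":
            base = e["path"].rsplit("\\", 1)[-1].lower()
            if "\\system32\\" in e["path"].lower() and base not in KNOWN_SYSTEM32_RUN:
                flagged.append((e, "Run key launches an unfamiliar executable from system32"))
    return flagged


def mbam_clsids(text):
    """Collect every GUID that MBAM reported as quarantined and deleted."""
    removed = set()
    for line in text.splitlines():
        if "Quarantined and deleted" not in line:
            continue
        m = GUID_RE.search(line)
        if m:
            removed.add(m.group(1).upper())
    return removed


def correlate(flagged, removed_clsids):
    """Label each flagged entry by whether MBAM's log shows its CLSID removed."""
    report = []
    for e, reason in flagged:
        if e["clsid"] in removed_clsids:
            status = "removed by MBAM"
        else:
            status = "not addressed by MBAM log; verify manually"
        report.append((e["name"], reason, status))
    return report


if __name__ == "__main__":
    for name, reason, status in correlate(
        flag_entries(parse_hjt(HJT_SAMPLE)), mbam_clsids(MBAM_SAMPLE)
    ):
        print(f"{name}: {reason} -> {status}")
```

Run against these samples, the orphaned IEHlprObj BHO correlates with the CLSID MBAM quarantined, while the `cybansos` Run entry has no CLSID and does not appear anywhere in the MBAM log (which lists zero files infected), so the script leaves it as an open item rather than claiming it was cleaned. That is the caveat a log helper would raise: an MBAM log that touches only registry keys says nothing about an executable still referenced from a Run key.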


#2 peterparker000

peterparker000
  • Topic Starter

  • Members
  • 5 posts
  • Local time:12:36 AM

Posted 06 February 2010 - 04:02 AM

Thanks again for responding. I fixed my problem by changing to Avast Free antivirus. I think it is a bug in AVG that is causing the problem since all of the problems raised about Cryptor came from AVG Free. It may be giving out a false positive result.

Anyway, Avast seems to have taken care of that issue.

#3 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:05:36 PM

Posted 12 February 2010 - 03:14 PM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
