Win32/Cryptor



visakan
2009-11-04, 04:21
Hi There,

I am new to this forum, I do not know whether this is the correct place to submit this query. Please guide me to the correct place if I am wrong.

I am managing a few computers. I have done a simple folder share on an XP Home machine. I have AVG installed. I recently got Win32/Cryptor, which has damaged all my Word files into .exe.

1. I need to know how to remove this completely
2. How to recover the .doc files back from .exe

Thank you
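
An added check, not part of visakan's post or of the advice given in this thread: if the malware wrapped each document inside an executable rather than encrypting it (an assumption; the thread does not say how the files were changed), the original .doc, which is an OLE2 compound file, may still be intact inside the .exe. It can then be carved out by finding the compound-file signature D0 CF 11 E0 A1 B1 1A E1 and reading the document's real length from its FAT, so that whatever the wrapper appended after it is not included. The function names, the minimal constructed sample document and the fake PE stub are all made up for this demonstration. Read the suspect .exe files as bytes from an offline copy; never execute them.

```python
"""Carve an OLE2 (.doc) document out of a file that was turned into an .exe.

Added example; not from the thread. Assumption: the malware wrapped the original
document in a PE file rather than encrypting it, so the compound-file signature
and its FAT are still present and the document can be cut back out.
"""
import os
import struct
import sys

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ stub whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def ole_extent(data: bytes, off: int):
    """Length in bytes of the compound file at data[off:], computed from its FAT.

    The OLE header carries no total size, so we walk the DIFAT to every FAT
    sector and take the highest sector index that is not FREESECT. Trailing
    free sectors hold no data and are dropped. Returns None on a bad header.
    """
    hdr = data[off:off + 512]
    if len(hdr) < 512 or hdr[:8] != OLE_MAGIC:
        return None
    byte_order, sector_shift = struct.unpack_from("<HH", hdr, 0x1C)
    if byte_order != 0xFFFE or sector_shift not in (9, 12):
        return None
    ssz = 1 << sector_shift                      # 512 or 4096 bytes per sector
    per_sector = ssz // 4                        # uint32 entries per sector
    n_fat = struct.unpack_from("<I", hdr, 0x2C)[0]
    first_difat, n_difat = struct.unpack_from("<II", hdr, 0x44)

    def sector(n):                               # sector 0 starts right after the header sector
        start = off + (n + 1) * ssz
        return data[start:start + ssz]

    # FAT sector numbers: 109 entries in the header, then the DIFAT chain.
    fat_sectors = list(struct.unpack_from("<109I", hdr, 0x4C))
    d = first_difat
    for _ in range(n_difat):
        if d in (ENDOFCHAIN, FREESECT):
            break
        blk = sector(d)
        if len(blk) < ssz:
            return None
        ents = struct.unpack(f"<{per_sector}I", blk)
        fat_sectors.extend(ents[:-1])            # last entry links to the next DIFAT sector
        d = ents[-1]
    fat_sectors = [s for s in fat_sectors if s != FREESECT][:n_fat]

    highest = -1
    for i, fs in enumerate(fat_sectors):
        blk = sector(fs)
        if len(blk) < ssz:
            return None                          # FAT sector beyond end of data: truncated file
        for j, ent in enumerate(struct.unpack(f"<{per_sector}I", blk)):
            if ent != FREESECT:
                highest = max(highest, i * per_sector + j)
    return None if highest < 0 else (highest + 2) * ssz   # header sector + (highest+1) sectors


def carve_ole(data: bytes):
    """Return [(offset, bytes)] for every well-formed compound file embedded in data."""
    found, pos = [], data.find(OLE_MAGIC)
    while pos != -1:
        n = ole_extent(data, pos)
        if n is not None and pos + n <= len(data):
            found.append((pos, data[pos:pos + n]))
            pos = data.find(OLE_MAGIC, pos + n)
        else:
            pos = data.find(OLE_MAGIC, pos + 1)
    return found


def recover_file(src: str, dst_dir: str) -> int:
    """Write each document carved from src into dst_dir; returns how many were recovered."""
    with open(src, "rb") as fh:
        data = fh.read()
    if not is_pe(data):
        return 0
    base = os.path.splitext(os.path.basename(src))[0]
    carved = carve_ole(data)
    for k, (_, blob) in enumerate(carved):
        with open(os.path.join(dst_dir, f"{base}.recovered{k}.doc"), "wb") as out:
            out.write(blob)
    return len(carved)


def build_sample_doc() -> bytes:
    """Constructed minimal OLE2 container: header, one FAT sector, one directory sector."""
    ssz = 512
    hdr = bytearray(ssz)
    hdr[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)   # versions, byte order, sector shifts
    struct.pack_into("<IIII", hdr, 0x28, 0, 1, 1, 0)                # 1 FAT sector, directory at sector 1
    struct.pack_into("<IIIII", hdr, 0x38, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no DIFAT chain
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))    # the FAT lives in sector 0
    fat = struct.pack(f"<{ssz // 4}I", FATSECT, ENDOFCHAIN, *([FREESECT] * (ssz // 4 - 2)))
    return bytes(hdr) + fat + bytes(ssz)                            # directory content is irrelevant here


def build_wrapped_sample(doc: bytes) -> bytes:
    """Constructed stand-in for an infected file: MZ/PE stub, filler, the document, trailing bytes."""
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    stub[0x40:0x44] = b"PE\0\0"
    return bytes(stub) + b"\x90" * 64 + doc + b"\x00" * 37


if __name__ == "__main__":
    # Usage: python carve_doc.py <folder holding the .exe files> <output folder>
    src_dir, out_dir = sys.argv[1], sys.argv[2]
    os.makedirs(out_dir, exist_ok=True)
    for name in os.listdir(src_dir):
        if name.lower().endswith(".exe"):
            n = recover_file(os.path.join(src_dir, name), out_dir)
            print(f"{name}: {n} document(s) carved")
```

If carve_ole returns nothing for a file whose MZ header is valid, the document was not simply appended and this approach does not apply; the only safe route then is a clean backup or the share's shadow copies, if any exist.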

shelf life
2009-11-08, 15:55
hi visakan,

Your log is a few days old. If you still need help you can do this:

Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) and save it to your desktop.
Disable any script-blocking protection. Double-click dds.scr to run the tool. When done, DDS.txt will open.
Save both reports to your desktop.
Copy/paste both logs in your reply.

visakan
2009-11-09, 04:42
Hi shelf life,

Thank you for your reply
As per your instructions, I have attached both text files here for you.


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 13/08/2009 22:07:05
System Uptime: 21/10/2009 13:32:14 (453 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-7222
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Socket 775 | 2800/200mhz
Processor: Intel(R) Pentium(R) D CPU 2.80GHz | Socket 775 | 2800/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 15 GiB total, 12.436 GiB free.
D: is FIXED (NTFS) - 60 GiB total, 56.868 GiB free.
E: is CDROM ()
O: is NetworkDisk (NTFS) - 57 GiB total, 55.908 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_1106&DEV_3344&SUBSYS_72221462&REV_01\4&8CA73A7&0&0008
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_1106&DEV_3344&SUBSYS_72221462&REV_01\4&8CA73A7&0&0008
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_72221462&REV_80\3&13C0B0C5&0&78
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_72221462&REV_80\3&13C0B0C5&0&78
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_47604005&REV_60\3&13C0B0C5&0&8D
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_1106&DEV_3059&SUBSYS_47604005&REV_60\3&13C0B0C5&0&8D
Service:

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

AVG 8.5
DynDNS Updater
Encrypted FTP
Foxit Reader
Microsoft Visual C++ 2005 Redistributable
NetSupport Manager
UltraVNC v1.0.2
Update for Windows XP (KB911164)
WebFldrs XP

==== End Of File ===========================

----------------------------------

DDS (Ver_09-10-26.01) - NTFSx86
Run by Management at 10:29:58.87 on 09/11/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190.16 [GMT 8:00]

AV: AVG Anti-Virus plus Firewall *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\NetSupport\NetSupport Manager\client32.exe
C:\Program Files\DynDNS Updater\DynUpSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\DynDNS Updater\DynTray.exe
C:\Program Files\EFTP\EFTP3Server.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Documents and Settings\Management\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dyndns~1.lnk - c:\program files\dyndns updater\DynTray.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {B8A2A500-6082-4912-A67E-F15515D54433} = 202.188.0.132,202.188.1.5
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-13 12552]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-13 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-13 108552]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-8-13 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-13 297752]
R2 avgfws8;AVG8 Firewall;c:\progra~1\avg\avg8\avgfws8.exe [2009-8-13 1370488]
R2 DynDNS Updater;DynDNS Updater;c:\program files\dyndns updater\DynUpSvc.exe [2008-6-24 65536]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-8-13 29208]
S2 EFTP3Server;EFTP3 Server;c:\program files\eftp\EFTP3ServerService.exe [2009-8-14 612864]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-8-13 29208]

=============== Created Last 30 ================

2009-11-08 17:24:06 523776 ----a-w- C:\dds.scr
2009-10-14 04:00:29 595445 ----a-w- C:\Autoruns.zip
2009-10-14 03:58:55 0 d-----w- C:\AVGTemp
2009-10-14 03:56:45 1282 ----a-w- C:\Scan Results.csv
2009-10-14 03:15:02 353624 ----a-w- C:\avgproci_en.exe

==================== Find3M ====================

2009-10-02 09:21:07 5920 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-10-02 09:21:05 5816 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-10-02 09:21:05 315424 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-10-02 09:21:05 1604 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-08-14 08:33:14 417772 ----a-w- C:\DynUpSetup.exe
2009-08-13 15:58:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-13 15:57:50 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-08-13 14:01:34 21640 ----a-w- c:\windows\system32\emptyregdb.dat

============= FINISH: 10:30:32.84 ===============
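
As an added example (not part of the thread, and not DDS's own analysis), the script below parses the Running Processes, SERVICES / DRIVERS and Created Last 30 sections of a DDS log and flags what a reviewer looks at first: executables under user-writable or drive-root paths, and the remote-access and file-transfer software this host runs (the NetSupport client, the EFTP server, the DynDNS updater). The sample input is an excerpt of the log posted above; the 8.3 short-name expansions and the remote-access name list are assumptions to be extended for your own environment. Note that dds.scr itself gets flagged because it runs from the Desktop; the reviewer is expected to recognise the diagnostic tool.

```python
"""Triage a DDS log: parse the process, service and recently-created-file
sections and flag what a reviewer looks at first.

Added example; not DDS's own logic. SAMPLE_LOG is an excerpt of the log posted
in this thread. SHORT_NAMES and REMOTE_ACCESS are assumptions to extend.
"""
import re
from collections import namedtuple

SAMPLE_LOG = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\NetSupport\NetSupport Manager\client32.exe
C:\Program Files\DynDNS Updater\DynUpSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EFTP\EFTP3Server.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Documents and Settings\Management\Desktop\dds.scr

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-13 12552]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-13 297752]
R2 DynDNS Updater;DynDNS Updater;c:\program files\dyndns updater\DynUpSvc.exe [2008-6-24 65536]
S2 EFTP3Server;EFTP3 Server;c:\program files\eftp\EFTP3ServerService.exe [2009-8-14 612864]

=============== Created Last 30 ================

2009-11-08 17:24:06 523776 ----a-w- C:\dds.scr
2009-10-14 04:00:29 595445 ----a-w- C:\Autoruns.zip
2009-10-14 03:58:55 0 d-----w- C:\AVGTemp
2009-10-14 03:56:45 1282 ----a-w- C:\Scan Results.csv
2009-10-14 03:15:02 353624 ----a-w- C:\avgproci_en.exe
"""

Finding = namedtuple("Finding", "section path reason")

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(.+)$")
EXEC_EXT = (".exe", ".scr", ".dll", ".sys", ".com", ".pif", ".bat", ".cmd")

# Assumed expansions of the 8.3 short names DDS prints (the usual ones on XP).
SHORT_NAMES = {"progra~1": "program files", "docume~1": "documents and settings",
               "alluse~1": "all users", "startm~1": "start menu"}
# Prefixes where any executable deserves a second look (user-writable).
USER_WRITABLE = (r"c:\documents and settings", r"c:\temp", r"c:\windows\temp")
# Binaries that give remote parties a way in; assumption, extend as needed.
REMOTE_ACCESS = {
    "client32.exe": "NetSupport Manager remote-control client",
    "dynupsvc.exe": "DynDNS updater (host is published under a public name)",
    "eftp3server.exe": "EFTP server",
    "eftp3serverservice.exe": "EFTP server service",
}


def split_sections(text):
    """Map lower-cased section title -> non-blank lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def normalize(path):
    """Lower-case and expand short names so rules match however DDS printed the path."""
    p = path.strip().lower()
    for short, full in SHORT_NAMES.items():
        p = p.replace(short, full)
    return p


def classify(path):
    """Return the list of reasons a path is worth a look (empty if none)."""
    p = normalize(path)
    name = p.rsplit("\\", 1)[-1]
    reasons = []
    if name in REMOTE_ACCESS:
        reasons.append("remote access / file transfer: " + REMOTE_ACCESS[name])
    if p.startswith(USER_WRITABLE) and p.endswith(EXEC_EXT):
        reasons.append("executable under a user-writable profile or temp path")
    if re.match(r"^[a-z]:\\[^\\]+$", p) and p.endswith(EXEC_EXT):
        reasons.append("executable sitting in the root of a drive")
    return reasons


def triage(text):
    """Run the rules over the three sections and return Finding records."""
    secs = split_sections(text)
    out = []
    for line in secs.get("running processes", []):
        path = line.split(" -", 1)[0]          # DDS appends arguments for some entries
        out += [Finding("running processes", path, r) for r in classify(path)]
    for line in secs.get("services / drivers", []):
        m = SERVICE_RE.match(line)
        if m:
            state, name, _display, path, _meta = m.groups()
            out += [Finding("services / drivers", path, f"{r} [{name}, {state}]")
                    for r in classify(path)]
    for line in secs.get("created last 30", []):
        m = CREATED_RE.match(line)
        if m:
            out += [Finding("created last 30", m.group(1), r) for r in classify(m.group(1))]
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:20} {f.path}\n{'':20}   -> {f.reason}")
```

On the excerpt this produces eight findings, none of which is the infection AVG reported; what they do show is that the box exposes VNC, NetSupport and FTP services and publishes its address through DynDNS, so once it is clean the share and those services need credentials and firewall rules reviewed as much as the malware needs removing.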

shelf life
2009-11-10, 01:01
OK, thanks for the info. The log looks OK. Running one of these below and Malwarebytes should provide another opinion about the file AVG is flagging:

ESET online scanner:

http://www.eset.com/onlinescan/

* Uses Internet Explorer only.
* Check "YES" to accept the terms.
* Click the Start button.
* Allow the ActiveX component to install.
* Click the Start button; the scanner will update.
* Check both "Remove found threats" and "Scan unwanted applications".
* Click Scan.
* When done, you can find the scan log at C:\Program Files\EsetOnlineScanner\log.txt
* Please copy/paste that log in your next reply.

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Doubleclick the drweb-cureit icon to start the program.
* press start
* Allow the program to run the initial express scan
* This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
* Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
* Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
* During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
Note:(If the file cannot be cured, Dr.Web will automatically delete the file)
* Once the scan is complete, on the menu bar, click file and choose report list.
* Save the report to your desktop. The report will be called DrWeb.csv
* Note: this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
* Close Dr.Web Cureit.
* Please post the Dr.Web.txt report in your next reply

I also suggest malware-removal software which you can keep, update and use as an on-demand scanner. It's called Malwarebytes:

Please download Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
NOTE: The free version must be updated manually.