Win32/Cryptor


Win32/Cryptor

Post by mainad on 28th March 2009, 8:05 pm

I have an old Dell PowerEdge 400SC desktop, BIOS Rev. A10, that is infected (advanced stages) with Win32/Cryptor. My son installs stuff like Gunbound (ijji) and other highly suspicious software (we're working on that...).
AVG detects the "virus/trojan" even in AVG executables. Running processes seem to be hijacked and freeze to the point where the system has to be cold booted. Cannot get it into safe mode; it either blue screens or reboots. A "Last known good" was the only way to get it to boot into the Windows XP shell, but that doesn't last long until the above happens. The System Restore app is not functioning.
MBAM does not install (shows in the processes list as running, but no UI appears).
AVG will run in command-line mode and detect Cryptor until it eats itself.
I have no bootable XP disk. I have disconnected the machine from the network and am communicating with it via USB stick. My data is backed up to an external USB hard drive array that I believe is clean.
Can you puleeze help me?

[You must be registered and logged in to see this link.]


Last edited by mainad on 29th March 2009, 12:33 am; edited 1 time in total


Re: Win32/Cryptor

Post by Belahzur on 28th March 2009, 8:20 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O1 - Hosts: 74.125.19.147 hechoenperu.net
    O1 - Hosts: 74.125.19.147 [You must be registered and logged in to see this link.]
    O1 - Hosts: 74.125.19.147 [You must be registered and logged in to see this link.]
    O1 - Hosts: 74.125.19.147 [You must be registered and logged in to see this link.]
    O1 - Hosts: 74.125.19.147 portablessa.com
    O1 - Hosts: 74.125.19.147 [You must be registered and logged in to see this link.]
    O1 - Hosts: 74.125.19.147 [You must be registered and logged in to see this link.]
    O1 - Hosts: 74.125.19.147 [You must be registered and logged in to see this link.]
    O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll (file missing)
    O8 - Extra context menu item: &Search - ?p=ZNxmk762MSUS


  • Press "Fix Checked"
  • Close Hijack This.

1. Please download The Avenger by Swandog46 to your Desktop
Link: [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.].

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C)


Files to delete:
C:\WINDOWS\system32\sdra64.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


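A quick triage of the HijackThis lines quoted in the reply above, added here as an example; it is not part of the original post and not HijackThis code. It parses the F2 Userinit line, the O1 hosts entries and the O2 BHO entries and flags what a responder would act on: the extra loader appended to Userinit (sdra64.exe), a hosts entry that overrides a Microsoft domain, several unrelated names pointed at one address, and BHO registrations whose DLL is gone. The sample lines are copied from the reply (entries the forum masked are left out); the clean Userinit value and the list of protected domains are this example's own assumptions.

```python
"""Triage of HijackThis log lines (added example; not HijackThis code)."""
import re
from collections import defaultdict

# Assumption: the only legitimate Userinit value on a stock Windows XP install.
# Anything appended after the trailing comma is executed at every logon.
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

# Assumption: a hosts entry for one of these domains is a hijack, since no
# legitimate software needs a hosts-file override to reach them.
PROTECTED_DOMAINS = ("microsoft.com", "windowsupdate.com", "avg.com")

# Constructed sample: lines copied from the HijackThis output quoted above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O1 - Hosts: 74.125.19.147 hechoenperu.net
O1 - Hosts: 74.125.19.147 portablessa.com
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll (file missing)
""".strip()

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


def _is_protected(host):
    return any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS)


def triage(log_text):
    """Return a list of (finding, detail) tuples for the suspicious lines."""
    findings = []
    hosts_by_ip = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = USERINIT_RE.match(line)
        if m:
            value = m.group(1).strip()
            if value.lower() != CLEAN_USERINIT.lower():
                # Everything other than the stock userinit.exe is an injected loader.
                extra = [p for p in value.split(",")
                         if p and p.lower() != CLEAN_USERINIT.rstrip(",").lower()]
                findings.append(("userinit_hijack", extra))
            continue
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.group(1), m.group(2).lower()
            hosts_by_ip[ip].append(host)
            if _is_protected(host):
                findings.append(("hosts_override_protected", (ip, host)))
            continue
        m = BHO_RE.match(line)
        if m:
            _name, clsid, path = m.groups()
            # A BHO registration whose DLL is gone is either AV collateral or a
            # half-removed infection; either way it should be fixed.
            if path.endswith(("(no file)", "(file missing)")):
                findings.append(("bho_orphan", clsid))
            continue
    # Many unrelated names resolving to one address is the classic redirect pattern.
    for ip, hosts in hosts_by_ip.items():
        if len(hosts) >= 2:
            findings.append(("hosts_redirect_cluster", (ip, sorted(hosts))))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(kind, detail)
```

The Userinit check is the one that matters most on this machine: Winlogon runs every comma-separated entry in that value at logon, which is why sdra64.exe came back on each boot until the file itself was deleted.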

Re: Win32/Cryptor

Post by mainad on 28th March 2009, 8:57 pm

Wow. Thanks for the prompt reply! Here's where I am:

Ran HijackThis.
Ran Avenger.
After reboot, it runs CHKDSK on startup.
Aborts and reboots about halfway through (45%), runs chkdsk again...
Safe mode boot aborts after loading drivers (as before). Reboots.
Checkdisk. Aborts... reboots.
"Last known good" (aka "last known fubared") gets it to "loading personal settings". Freezes. Hard reboot.
Normal boot.
no avenger.txt.
Looks like HijackThis changes have been applied.

Shall I try avenger mods again?


Re: Win32/Cryptor

Post by Belahzur on 28th March 2009, 9:00 pm

See if you can get MBAM to load up first. If it loads up fine, then the Avenger's actions still happened.

If not, you'll need to use the avenger again.

Let me know which option you had to go for.



Re: Win32/Cryptor

Post by mainad on 28th March 2009, 9:15 pm

Mbam setup did not run.
Avenger said something was queued up on reboot. (sdra64 still there)
Rebooted.
sdra64 gone. Mbam installer still doesn't run.


Re: Win32/Cryptor

Post by Belahzur on 28th March 2009, 9:22 pm

Was there an avenger log this time?



Re: Win32/Cryptor

Post by mainad on 28th March 2009, 9:41 pm

No avenger.txt

Ran AVG commandline again and it gives me (same as before)
[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Re: Win32/Cryptor

Post by Belahzur on 28th March 2009, 9:47 pm

Hmm.
Thanks for the logs, we'll give Combofix a try.


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • We also have to rename Combofix before using it because the rootkit will block it from running.

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:





    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.



Re: Win32/Cryptor

Post by mainad on 28th March 2009, 10:23 pm

Ran combofix. Froze while (or after) installing the Recovery Console.
(seems to have a 5-minute time-bomb from system start)
Hard reboot.
Ran combofix. Recovery C. must have finished installing before, as it moved straight into the scan.
Found about a dozen infections (sdra64, and UAC.. derivatives), and rebooted normally. Combofix continued to run, and is still running (stage 50).

Will send update when it's done.


Re: Win32/Cryptor

Post by Belahzur on 28th March 2009, 10:27 pm

Hello.
As soon as that UACd.sys rootkit driver is killed, Combofix will run with no problems as the rootkit will have been disabled/deleted.



Re: Win32/Cryptor

Post by mainad on 28th March 2009, 10:54 pm

Ok. Combofix finished.
Reboot. Chkdsk ran, this time successfully, fixed two files.
Combofix finished after reboot.
Log file here: [You must be registered and logged in to see this link.]

I will examine file and system now, and try to run mbam again.


Re: Win32/Cryptor

Post by Belahzur on 28th March 2009, 11:03 pm

Don't run MBAM yet, we aren't done with Combofix.

Hello.

I see you have Viewpoint Manager; this is considered foistware rather than malware since it is installed without the user's approval but doesn't spy or do anything "bad". See [You must be registered and logged in to see this link.] and [You must be registered and logged in to see this link.] for more info.

I suggest you remove the program now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
FAELZZZ
GR207
iCheat1

File::
C:\cleanup.bat
C:\cleanup.exe
C:\zip.exe
c:\windows\system32\drivers\otmgo.sys
c:\windows\Tasks\RegistrySmart Scheduled Scan.job
c:\windows\Tasks\RegistrySmart Scheduled Scan.job

Folder::
c:\program files\Viewpoint
c:\documents and settings\Calviin\Application Data\Viewpoint
c:\documents and settings\Calviin\Application Data\LimeWire

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViewMgr"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.


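A small parser and sanity check for the CFScript format used in the reply above, added here as an example; it is not ComboFix's own code. It splits the script into its `Section::` blocks, collapses the duplicated File:: entry in the script quoted above, and flags the things a reviewer would want to catch before handing a script to ComboFix: relative paths, an entry that would delete a whole system directory, a Driver:: entry that is a path rather than a service name, and malformed Registry:: lines (the `"name"=-` form is .reg syntax for deleting that value). The sample script is a constructed copy of the one in the reply; the list of directories it refuses to delete is this example's own assumption.

```python
"""Parse and sanity-check a ComboFix CFScript (added example; not ComboFix code)."""
import re

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
REG_KEY_RE = re.compile(r"^\[(HK[A-Z_]+\\.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Assumption: a script naming one of these as a File:: or Folder:: target is a
# mistake and must not run.
NEVER_DELETE = {r"c:\windows", r"c:\windows\system32", r"c:\program files",
                r"c:\documents and settings"}

# Constructed sample: the CFScript posted above, including its duplicated
# RegistrySmart entry, which the parser collapses.
SAMPLE_CFSCRIPT = r"""
KILLALL::

Driver::
FAELZZZ
GR207
iCheat1

File::
C:\cleanup.bat
C:\cleanup.exe
C:\zip.exe
c:\windows\system32\drivers\otmgo.sys
c:\windows\Tasks\RegistrySmart Scheduled Scan.job
c:\windows\Tasks\RegistrySmart Scheduled Scan.job

Folder::
c:\program files\Viewpoint
c:\documents and settings\Calviin\Application Data\Viewpoint
c:\documents and settings\Calviin\Application Data\LimeWire

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViewMgr"=-
"""


def parse_cfscript(text):
    """Return ({section: [entries]}, warnings); order is kept, duplicates dropped."""
    sections, warnings, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            warnings.append(f"line {lineno}: entry before any section header: {line}")
            continue
        if line in sections[current]:
            warnings.append(f"line {lineno}: duplicate {current}:: entry: {line}")
            continue
        sections[current].append(line)
    return sections, warnings


def check_cfscript(sections):
    """Return {'problems': [...], 'registry_deletes': [(key, value_name), ...]}."""
    problems, deletes = [], []
    for path in sections.get("File", []) + sections.get("Folder", []):
        if not ABS_PATH_RE.match(path):
            problems.append(f"not an absolute path: {path}")
        elif path.lower().rstrip("\\") in NEVER_DELETE:
            problems.append(f"would delete a system directory: {path}")
    for name in sections.get("Driver", []):
        # Driver:: takes service names; a path here means the sections were mixed up.
        if "\\" in name or name.lower().endswith(".sys"):
            problems.append(f"Driver:: entry is a path, not a service name: {name}")
    key = None
    for entry in sections.get("Registry", []):
        km = REG_KEY_RE.match(entry)
        if km:
            key = km.group(1)
            continue
        vm = REG_VALUE_RE.match(entry)
        if vm is None or key is None:
            problems.append(f"malformed Registry:: entry: {entry}")
        elif vm.group(2) == "-":          # "name"=- deletes that value (.reg syntax)
            deletes.append((key, vm.group(1)))
    return {"problems": problems, "registry_deletes": deletes}


if __name__ == "__main__":
    secs, warns = parse_cfscript(SAMPLE_CFSCRIPT)
    print(warns)
    print(check_cfscript(secs))
```

Running the sample through it reports the duplicate File:: line as a warning, no problems, and one registry deletion (the ViewMgr Run value), which matches what the script was written to do.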

Re: Win32/Cryptor

Post by mainad on 28th March 2009, 11:27 pm

Cool. Done.
[You must be registered and logged in to see this link.]


Re: Win32/Cryptor

Post by mainad on 28th March 2009, 11:43 pm

Also done running mbam- no issues found.
[You must be registered and logged in to see this link.]


Re: Win32/Cryptor

Post by Belahzur on 29th March 2009, 1:04 am

Hello.
Some of the drivers running are game cheat engines as far as I can tell. Be careful using game cracks/keygens/game modifiers, they will no doubt get you infected.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.



Re: Win32/Cryptor

Post by mainad on 29th March 2009, 2:34 pm

Some sound advice there, Belahzur! This one proved that it can go downhill quickly - between two virus scan runs....

To finalize, I ran the AVG full scan, removed some adware, emptied all IE temp files, uninstalled some crap, and it looks that the machine is clean and functioning.

I will go over to the survey promptly (I saw a donation link too). Thank you Belahzur, for your amazingly prompt and accurate responses. You guys are providing an incredibly valuable service, and -if I may say- in a really pleasant and courteous manner too. A great experience. THANK YOU!!

I will be removing the log files in a couple of days for privacy.


Re: Win32/Cryptor

Post by Belahzur on 29th March 2009, 2:40 pm

Glad I could help.

