Win32/Cryptor Virus Is There Any Hope ?

Ah.
Allow Combofix to run then, even if it's active, because it's in safe mode and won't interfere.

again thank u for your help and i do pledge allegance in the fight against these monstrosities through this experience not only do i hope to gain knowledge on getting back control of my laptop but i also would like to help others fight against this war on terror in the form of viruses!!!!
so they will not have to suffer the despair i have......
because this is utterly poposturouse

ok running combo fix now

ok combo fix message popped up and says
Rootkit!!
ComboFix has detected the presence of rootkit activity and needs to reboot the machine.
Kindly note down on paper, the name of each file we may need it later
C:\Windows\system32\drivers\UACnrryvpcimctxiwqpj.sys
C:\Windows\system32\UACtloexwmvapmdxehpm.dll
C:\Windows\system32\UACqemqpysdqcfcpowpu.dll
C:\Windows\system32\UACifiveebsnnwtbupqb.dat
C:\Windows\system32\UACgpmotwvpqyqeauptj.dll
C:\Windows\system32\UACnbofqwxarxnjrsxea.dll
C:\Windows\system32\UACxxwvvgtjkrlytoonp.log
and it has a tab OK
now should i go ahead and press ok and after which i do so will it automaticaly reboot in safe mode or do i have to press F8 and do it manually so it will go to safe mode

waiting for instruction

Hello.
I already know there would be a rootkit, so hit ok and it continue.

ok but when it reboots should i pressF8 or would it reboot in safe mode automaticaly ?

Press F8.

ok the system has rebooted and i have pressed F8 for it to run in safe mode again ready for the next step

It should of continued after reboot, if it's finished, please post the log.

it didnt continue its just showing the desktrop and its in safe mode

Hmm. Reboot normally and see if you can get into normal mode this time.

ok rebooting normally now

still booting

ok i still have the black screen in normal mode with the mouse pointer as the only thing showing

ok it has been 3 hours in normal mode and there is still just a black screen with just the mouse pointer should i shut down and restart in safe mode again ?

ok in safe mode again
waiting for instructions
this is utterly rediculouse

i think i am at the point where i have take the virus out manually

Okay, lets use something else.

Download the GMER rootkit scan from here: GMER

1. Unzip it and start GMER.
   
2. Click the >>> tab and then click the Scan button.
   
3. Once done, click the Copy button.
   
4. This will copy the results to your clipboard.
   
5. Paste the results in your next reply.
   

Note:
If you're having problems with running GMER.exe, try it in safe mode. This tools works in safe mode.
You can also try renaming it since some malware blocks GMER.

The log maybe quite long, so please upload the log to rapidshare.com

Please read all of the posts before making suggestions
my laptop is only running in safe mode so i cannot download any thing to it .
I am corresponding on My Pc desktop which is how im getting online my laptop wont get online , I was told in order to run hijack this and paste the scan no, one hes even referd to that and i had to diable my resident shield in order to do the hijackthis thing at which point the virus got aggressive so please read all of the posts b4 u make suggestions due to the fact i dnt want to make it worse than it already is .......

There's a rootkit on this machine, HJT won't do anything for that, not powerful enough.
That's why I wanted to use GMER, it can find the rootkit, then we can kill it.

Use a USB stick to transfer tools across from if needed.

ok so download gmer on my pc ..
then transfer via gig stick to laptop
question how do i get the laptop to read the gig stick in safe mode because normal mode doesnt work ???
Do i put the gig stick in first before booting up to safe mode ??
or how does that work
thanks
belahzur

Once you boot up, plug the USB stick in and run the above instructions.

OK running GMER scan now , my guess is that i will have to save the results to the gig stick and upload them to my pc desktop and put them on here correct ?

yes that is correct.

ok cool its still scanning
will post the results as soon as its done

deleted

Last edited by elohem78 on 14th July 2009, 4:13 am; edited 2 times in total

1. Download Link: Click here to download file
http://rapidshare.com/files/255580827/scan_results.log.html
MD5: 194435BC90E999B73EE3BA87E9591BCB

sorry about that started to copy and paste on here then i saw the rapid share thing so i put it on there so u can download and see the results
thank you and waiting for the next step

am i going to use this same program to kill the virus ???
the results are up
i feel assured
and the results from gmer is still left on the laptop waiting
for the next step in the removal process
score
cryptor 2
us 2

anyone there?
wanted to know if anyone read the report of the log from gmer that i posted
my laptop is still at the finnished scan screen of gmer ready to move froward to the next step dont want to touch anything because im not familiar with this program......
what should i do now?
thank you all for your help

Hello.
Sorry for the delay, your post got pushed back.

Lets see if we can kill this rootkit now.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
UACd.sys

Files to delete:
C:\Windows\system32\drivers\UACnrryvpcimctxiwqpj.sys

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
HKLM\SYSTEM\ControlSet002\Services\UACd.sys
HKLM\SYSTEM\ControlSet003\Services\UACd.sys
HKLM\SYSTEM\ControlSet004\Services\UACd.sys
HKLM\SYSTEM\ControlSet005\Services\UACd.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

4. Please copy/paste the content of c:\avenger.txt into your reply.

the scan has shown 2 rootkits

Please post the avenger.txt.

ok do i follow the same procedure with using it on my laptop as i did with gmer by downloading to desktop and putting on gig stick then running it in safe mode on laptop ?

Yes that is correct.

ok doing it now ... give me a few mins

ok sorry got all the way to the part where avenger is rebooting the system should i F8 to make it go back into safe mode due to normal mode not working ? and will this mess with the avengers reboot process if i do this ?

ok normal mode is up and running and i see in the avenger notepad the logfile hooorray havent seen normal mode in about a week
im posting the avenger text logfile now

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.

Error: could not delete file "C:\Windows\system32\drivers\UACnrryvpcimctxiwqpj.sys"
Deletion of file "C:\Windows\system32\drivers\UACnrryvpcimctxiwqpj.sys" failed!
Status: 0xc0000156


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet002\Services\UACd.sys" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet003\Services\UACd.sys" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet004\Services\UACd.sys" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet005\Services\UACd.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

I have also noticed the laptop is saying there is no sound device there is this normal?, and will my built in web cam and mic along with the sound work again i havent done anything yet but my laptop is running in normal mode
score cryptor 2
Us 3

ok ready for the next step .....

Alright we should be able to run MBAM now:

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

ok i have downloaded the malwarebytes but the program is not responding when i run set up .........

Rename it to winlogon.exe and see if it runs.

ok perfect running now after renaming it , will post results soon as done

ok it set up and installed and i have the desktop icon but when i go to run it , it says a program needs my permission to continue i push continue and nothing happens ... now what should i do ? rename the desktop icon also ?

and should i also keep avg's resident shield disabled or should i enable ?

Either way it won't effect the scan.

ok malwarebytes has updated and is running the scan i will post the results when done

Malwarebytes' Anti-Malware 1.39
Database version: 2432
Windows 6.0.6001 Service Pack 1

7/14/2009 7:43:08 PM
mbam-log-2009-07-14 (19-42-52).txt

Scan type: Quick Scan
Objects scanned: 79572
Time elapsed: 7 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.Shopping.Report) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Adware.Ascentive) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Adware.Ascentive) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Adware.Ascentive) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Adware.Ascentive) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\c:\Windows\System32\SysRestore.dll (Adware.Ascentive) -> No action taken.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\SysRestore.dll (Adware.Ascentive) -> No action taken.
c:\Windows\System32\UACgpmotwvpqyqeauptj.dll (Trojan.TDSS) -> No action taken.
c:\Windows\System32\UACnbofqwxarxnjrsxea.dll (Trojan.TDSS) -> No action taken.
c:\Windows\System32\UACqemqpysdqcfcpowpu.dll (Trojan.TDSS) -> No action taken.
c:\Windows\System32\UACtloexwmvapmdxehpm.dll (Trojan.TDSS) -> No action taken.
c:\Windows\System32\drivers\UACnrryvpcimctxiwqpj.sys (Trojan.TDSS) -> No action taken.
c:\Users\Kyle\Desktop\avenger.exe (Trojan.Agent) -> No action taken.
C:\Windows\System32\uacinit.dll (Trojan.Agent) -> No action taken.

ok I have posted the results and the malwarebytes results screen is still up ready to proceed to the next step there are about 20 things cheaked off on the remove selected list .... waiting for instructions ....and the next step of what to do ?