WiredWX Christian Hobby Weather Tools
GMER log 2 of 2
Reg HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@start 1
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@type 1
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main@aid 10099
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main@sid 0
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekrlog.dat \systemroot\system32\geyekrvpxuxcve.dat
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd\modules@geyekr.dat \systemroot\system32\geyekreetmbfnm.dat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION

---- Files - GMER 1.0.15 ----

File C:\Users\Mark & Adriana\AppData\Local\Temp\geyekr000 0 bytes
File C:\Windows\System32\drivers\geyekrsbmxtfyx.sys 66048 bytes
File C:\Windows\Temp\geyekreqewgtxxti.tmp 18432 bytes
File C:\Windows\Temp\geyekrgrekyqlxqw.tmp 18432 bytes
File C:\Windows\Temp\geyekrnxifftxxsv.tmp 18432 bytes

---- EOF - GMER 1.0.15 ----

Re: Win32/Cryptor
Hmm, this again. ¬.¬

We have to put a stop to the main driver file before we can delete it. Trust me, we tried deleting it outright with one of our most powerful tools on another machine, and it doesn't work.

Go to Start and in the little search box, type in "Run", now when the Run command appears, right click, select "Run as administrator".

Now when the run box opens, copy/paste in the following:

notepad "C:\Windows\System32\drivers\geyekrsbmxtfyx.sys"

This opens the rootkit's driver file in Notepad, and it just appears as lots of funny characters you can't understand; this is normal. Smile...
Highlight everything inside it (Ctrl+A) and press Backspace so it removes everything and leaves the file blank.

Now go to File > select "Save" so it saves it blank.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to disable:
geyekrfrvqidfd

Drivers to delete:
geyekrfrvqidfd

Files to delete:
C:\Users\Mark & Adriana\AppData\Local\Temp\geyekr000
C:\Windows\System32\drivers\geyekrsbmxtfyx.sys
C:\Windows\Temp\geyekreqewgtxxti.tmp
C:\Windows\Temp\geyekrgrekyqlxqw.tmp
C:\Windows\Temp\geyekrnxifftxxsv.tmp

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd
HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Avenger Log
Hello,

File "C:\Windows\System32\drivers\geyekrsbmxtfyx.sys" could not be found in Safe Mode, but the steps ran successfully in normal mode.

After Avenger ran, I became a little worried as Vista rebooted twice (the first time saying it couldn't boot due to a group policy error). On the second reboot the logfile appeared on the desktop.

I should add that the nasty dialogue box - bad image has now disappeared. Looks like we are close to a solution...

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

script file opened successfully.
script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "geyekrfrvqidfd" found!
ImagePath: \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Driver disabled successfully.

Rootkit scan completed.

Driver "geyekrfrvqidfd" disabled successfully.
Driver "geyekrfrvqidfd" deleted successfully.
File "C:\Users\Mark & Adriana\AppData\Local\Temp\geyekr000" deleted successfully.
File "C:\Windows\System32\drivers\geyekrsbmxtfyx.sys" deleted successfully.
File "C:\Windows\Temp\geyekreqewgtxxti.tmp" deleted successfully.
File "C:\Windows\Temp\geyekrgrekyqlxqw.tmp" deleted successfully.
File "C:\Windows\Temp\geyekrnxifftxxsv.tmp" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet005\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet006\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet008\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
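To show how the registry inventory in the "GMER log 2 of 2" post lines up with the Avenger results above, here is an added Python example; it is not GMER's, Avenger's or the forum's own code. It parses constructed excerpts of both logs (lines copied from this thread), maps the NT-style \systemroot prefix onto C:\Windows so the two tools' paths compare, and reports for each artifact GMER listed whether the script confirmed deletion, failed with which NTSTATUS, or never touched it. Module files that GMER tied to the service but the script never removed come out as leftovers to check by hand. The two log line formats are assumed from the lines posted here.

```python
"""Reconcile a GMER rootkit inventory with an Avenger removal log (added example)."""
import re
from collections import defaultdict

# Constructed excerpt of the GMER 1.0.15 log posted in this thread.
GMER_LOG = r"""
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd@group file system
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\main\injector@* geyekrwsp.dll
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrrk.sys \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrcmd.dll \systemroot\system32\geyekroswbvuto.dll
Reg HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd\modules@geyekrwsp.dll \systemroot\system32\geyekrwiigvcwd.dll
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd@imagepath \systemroot\system32\drivers\geyekrsbmxtfyx.sys
File C:\Users\Mark & Adriana\AppData\Local\Temp\geyekr000 0 bytes
File C:\Windows\System32\drivers\geyekrsbmxtfyx.sys 66048 bytes
File C:\Windows\Temp\geyekreqewgtxxti.tmp 18432 bytes
"""

# Constructed excerpt of the Avenger 2.0 log posted in this thread.
AVENGER_LOG = r"""
Hidden driver "geyekrfrvqidfd" found!
ImagePath: \systemroot\system32\drivers\geyekrsbmxtfyx.sys
Driver "geyekrfrvqidfd" deleted successfully.
File "C:\Users\Mark & Adriana\AppData\Local\Temp\geyekr000" deleted successfully.
File "C:\Windows\System32\drivers\geyekrsbmxtfyx.sys" deleted successfully.
File "C:\Windows\Temp\geyekreqewgtxxti.tmp" deleted successfully.
Error: registry key "HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd" not found!
Deletion of registry key "HKLM\SYSTEM\ControlSet007\Services\geyekrfrvqidfd" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
Registry key "HKLM\SYSTEM\ControlSet009\Services\geyekrfrvqidfd" deleted successfully.
"""

# Line shapes assumed from the posted logs: "Reg <key>[@<value>] [<data>]" and "File <path> <n> bytes".
REG_RE = re.compile(r"^Reg (?P<key>[^@ ]+)(?:@(?P<value>\S+))?(?: (?P<data>.*))?$")
FILE_RE = re.compile(r"^File (?P<path>.+) (?P<size>\d+) bytes$")
SVC_RE = re.compile(r"^HKLM\\SYSTEM\\(?P<cs>ControlSet\d{3}|CurrentControlSet)\\Services\\(?P<svc>[^\\]+)(?:\\(?P<sub>.+))?$", re.I)
AV_FOUND = re.compile(r'^Hidden driver "(?P<name>[^"]+)" found!$')
AV_OK = re.compile(r'^(?P<kind>Driver|File|Registry key) "(?P<obj>[^"]+)" deleted successfully\.$')
AV_FAIL = re.compile(r'^Deletion of (?P<kind>registry key|file|driver) "(?P<obj>[^"]+)" failed!$')
AV_STATUS = re.compile(r"^Status: (?P<code>0x[0-9a-fA-F]+) \((?P<name>\w+)\)$")


def norm(path):
    r"""Lower-case a path and map the NT-style \systemroot prefix onto c:\windows."""
    p = path.lower()
    return r"c:\windows" + p[len(r"\systemroot"):] if p.startswith(r"\systemroot") else p


def parse_gmer(text):
    """Return (services, files): persistence data per hidden service, and the hidden files GMER listed."""
    services = defaultdict(lambda: {"control_sets": set(), "imagepath": None, "modules": {}})
    files = {}
    for line in text.strip().splitlines():
        if (m := REG_RE.match(line)):
            s = SVC_RE.match(m["key"])
            if not s:
                continue  # not a service key; outside this inventory
            entry = services[s["svc"].lower()]
            entry["control_sets"].add(s["cs"])
            value, data, sub = m["value"], m["data"], s["sub"]
            if sub is None and value and value.lower() == "imagepath":
                entry["imagepath"] = norm(data)
            elif sub and sub.lower() == "modules" and value:
                entry["modules"][value.lower()] = norm(data)  # module name -> on-disk path
        elif (f := FILE_RE.match(line)):
            files[norm(f["path"])] = int(f["size"])
    return dict(services), files


def parse_avenger(text):
    """Return hidden drivers found, successful deletions by kind, and failures with their NTSTATUS."""
    report = {"hidden_drivers": [], "deleted": defaultdict(set), "failed": {}}
    last_failed = None  # a Status line follows the failure it explains
    for line in text.strip().splitlines():
        if (m := AV_FOUND.match(line)):
            report["hidden_drivers"].append(m["name"].lower())
        elif (m := AV_OK.match(line)):
            report["deleted"][m["kind"].lower()].add(norm(m["obj"]))
        elif (m := AV_FAIL.match(line)):
            last_failed = norm(m["obj"])
            report["failed"][last_failed] = "unknown status"
        elif (m := AV_STATUS.match(line)) and last_failed:
            report["failed"][last_failed] = f"{m['code']} {m['name']}"
            last_failed = None
    return report


def reconcile(services, files, avenger):
    """Mark each GMER artifact as deleted, failed (with status) or unconfirmed, and list untouched modules."""
    out = {"drivers": {}, "files": {}, "keys": {}, "leftovers": set()}
    deleted_files = avenger["deleted"]["file"]
    for path in files:
        out["files"][path] = "deleted" if path in deleted_files else "unconfirmed"
    for svc, entry in services.items():
        out["drivers"][svc] = "deleted" if svc in avenger["deleted"]["driver"] else "unconfirmed"
        for cs in sorted(entry["control_sets"]):
            key = f"hklm\\system\\{cs}\\services\\{svc}".lower()
            if key in avenger["deleted"]["registry key"]:
                out["keys"][key] = "deleted"
            elif key in avenger["failed"]:
                out["keys"][key] = "failed: " + avenger["failed"][key]
            else:
                out["keys"][key] = "unconfirmed"
        # Module files GMER tied to the service that the script never deleted: check these by hand.
        out["leftovers"].update(p for p in entry["modules"].values() if p not in deleted_files)
    return out


if __name__ == "__main__":
    svcs, fls = parse_gmer(GMER_LOG)
    for section, rows in reconcile(svcs, fls, parse_avenger(AVENGER_LOG)).items():
        print(section)
        for row in (sorted(rows.items()) if isinstance(rows, dict) else sorted(rows)):
            print("  ", row)
```

Run as-is it prints the reconciliation for the excerpt; with the full logs pasted into the two strings it gives the same view for the whole case. The "unconfirmed" and "leftovers" sections are the ones worth reading: a registry key the script reported as STATUS_OBJECT_NAME_NOT_FOUND was simply absent in that control set, while a module path that never appears in the Avenger log is still on disk unless something else removed it.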

Re: Win32/Cryptor
Hello.
Run MBAM now, post the log when done.


MBAM log
Malwarebytes' Anti-Malware 1.40
Database version: 2594
Windows 6.0.6002 Service Pack 2

10/08/2009 16:04:50
mbam-log-2009-08-10 (16-04-50).txt

Scan type: Quick Scan
Objects scanned: 81572
Time elapsed: 9 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Win32/Cryptor
How is the machine running now?


Avast A/V finds rootkit
Hi there,

Computer runs fine & faster than previously.

In addition to MBAM I thought a quick scan with Avast would be a good idea. Avast found the following file, C:\Windows\System32\geyekroswbvuto.dll, with the malware name Win32-Alureon-CE [Rtk]. Could it be a false positive?

mday01376

Last edited by mday01376 on 11th August 2009, 2:24 am; edited 1 time in total (Reason for editing : Filename entered in incorrect place on reply.)

Re: Win32/Cryptor
No, probably a leftover file.
Combofix wasn't getting the rootkit, so we had to use GMER to find it, and if GMER doesn't list EVERY file that comes from the rootkit, then I can't kill it if I can't see it.

Just delete it manually.


Issue solved
Hi there,

I felt that I owed an update on the Win32/Cryptor situation. I have now run full scans of MBAM, Super Anti-Spyware, Ad-Aware & Avast & am pleased to advise that after manually deleting leftover files, my machine now appears clean & more importantly is running as good as new.

Many thanks to all at Geek Police - donation to follow.

mday01376

Re: Win32/Cryptor
Not a problem! Smile...

Click Start > Run, copy/paste the following text into the Run box and click OK:

ComboFix /u


This will also reset your restore points.

