GeekPolice

Win32/Cryptor

I have an old Dell PowerEdge 400SC Desktop, BIOS Rev. A10 that is infected (advanced stages) with Win32/Crypto. My son installs stuff like Gunbound (ijji), and other highly suspicious software (we're working on that...).
AVG detects the "virus/trojan" even in avg executables. Running processes seem to be hijacked and freeze to the point where the system has to be cold booted. Cannot get it into safe mode, either blue screens or reboots. A "Last known good" was the only way to get it to boot into the Windows XP shell, but that doesn't last long until the above happens. The System Restore app is not functioning.
MBAM does not install (shows in the processes list as running, but no UI appears).
AVG will run in command line mode and detect crypto until it eats itself.
I have no bootable XP disk. I have disconnected the machine from the network and am communicating with it via USB stick. My data is backed up to an external USB hard drive array that I believe is clean.
Can you puleeze help me?

Hijackthis log

Last edited by mainad on 29th March 2009, 12:33 am; edited 1 time in total

Re: Win32/Cryptor

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
    O1 - Hosts: 74.125.19.147 hechoenperu.net
    O1 - Hosts: 74.125.19.147 www.hechoenperu.net
    O1 - Hosts: 74.125.19.147 http://hechoenperu.net
    O1 - Hosts: 74.125.19.147 http://www.hechoenperu.net/index.php
    O1 - Hosts: 74.125.19.147 portablessa.com
    O1 - Hosts: 74.125.19.147 www.portablessa.com
    O1 - Hosts: 74.125.19.147 http://portablessa.com
    O1 - Hosts: 74.125.19.147 http://www.portablessa.com
    O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll (file missing)
    O8 - Extra context menu item: &Search - ?p=ZNxmk762MSUS


  • Press "Fix Checked"
  • Close Hijack This.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WINDOWS\system32\sdra64.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.
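A defender-side triage script for the kind of HijackThis entries quoted in this post, added here as an example (it is not HijackThis, The Avenger, or anything the helper posted): it flags the three patterns the fix list targets, namely extra programs appended to the UserInit value, hosts-file entries that redirect a name to a remote address, and BHO entries whose DLL is missing. The sample log is constructed from the entries above plus one benign O4 line that must not be flagged.

```python
import re

# Constructed sample: HijackThis entries quoted above plus one benign O4 entry (also constructed).
SAMPLE_HJT_LOG = """\
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,SearchAssistant = about:blank
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\sdra64.exe,
O1 - Hosts: 74.125.19.147 hechoenperu.net
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\\WINDOWS\\system32\\iehelper.dll (file missing)
O4 - HKLM\\..\\Run: [ConstructedBenign] C:\\Program Files\\Example\\tray.exe
"""

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
BHO_RE = re.compile(r"^O2 - BHO: .* - (\{[0-9A-Fa-f-]+\}) - (.*)$")

def userinit_extras(value):
    """UserInit entries other than system32\\userinit.exe; each one runs at every logon."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\system32\\userinit.exe")]

def hosts_redirect(ip):
    """A hosts entry redirects traffic unless it maps the name to loopback or the null address."""
    return ip not in ("127.0.0.1", "0.0.0.0", "::1")

def bho_orphaned(path_part):
    """HijackThis marks BHOs whose DLL is gone as '(no file)' or '(file missing)'."""
    rest = path_part.strip()
    return rest == "(no file)" or rest.endswith("(file missing)")

def triage(log_text):
    """Return (rule, detail) pairs for every suspicious entry in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        if m := USERINIT_RE.match(line):
            findings += [("userinit-hijack", e) for e in userinit_extras(m.group(1))]
        elif m := HOSTS_RE.match(line):
            ip, host = m.groups()
            if hosts_redirect(ip):
                findings.append(("hosts-redirect", f"{host} -> {ip}"))
        elif m := BHO_RE.match(line):
            clsid, rest = m.groups()
            if bho_orphaned(rest):
                findings.append(("orphaned-bho", clsid))
    return findings

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_HJT_LOG):
        print(f"{rule:16} {detail}")
```

On the sample the script reports the appended sdra64.exe, both hosts redirects and both orphaned BHOs, and stays silent on the R1 and O4 lines.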

Re: Win32/Cryptor

Wow. Thanks for the prompt reply! Here's where I am:

Ran HijackThis.
Ran Avenger.
After reboot, it runs CHKDSK on startup.
Aborts and reboots about halfway through (45%), runs chkdsk again...
Safe mode boot aborts after loading drivers (as before). Reboots.
Checkdisk. Aborts... reboots.
"Last known good" (aka "last known fubared") gets it to "loading personal settings". Freezes. Hard reboot.
Normal boot.
no avenger.txt.
Looks like HijackThis changes have been applied.

Shall I try avenger mods again?

Re: Win32/Cryptor

See if you can get MBAM to load up first. If it loads up fine, then the Avenger's actions still happened.

If not, you'll need to use the avenger again.

Let me know which option you had to go for.

Re: Win32/Cryptor

Mbam setup did not run.
Avenger said something was queued up on reboot. (sdra64 still there)
Rebooted.
sdra64 gone. Mbam installer still doesn't run.

Re: Win32/Cryptor

Was there an avenger log this time?

Re: Win32/Cryptor

No avenger.txt

Ran AVG command line again and it gives me (same as before)
AVG log

New HJT Log

Re: Win32/Cryptor

Hmm.
Thanks for the logs, we'll give Combofix a try.


  • Download combofix from here
    Link 1
    Link 2
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV. (AVG8)
  • We also have to rename Combofix before using it because the rootkit will block it from running.

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    [screenshot: CF_download_FF]

    [screenshot: CF_download_rename]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: Rcauto10]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

    [screenshot: Whatne10]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Win32/Cryptor

Ran combofix. Froze while (or after) installing the Recovery Console.
(seems to have a 5-minute time-bomb from system start)
Hard reboot.
Ran combofix. Recovery C. must have finished installing before, as it moved straight into the scan.
Found about a dozen infections (sdra64, and UAC.. derivatives), and rebooted normally. Combofix continued to run, and is still running (stage 50).

Will send update when it's done. Smile...

Re: Win32/Cryptor

Hello.
As soon as that UACd.sys rootkit driver is killed, Combofix will run with no problems, as the rootkit will have been disabled/deleted.

Re: Win32/Cryptor

Ok. Combofix finished.
Reboot. Chkdsk ran, this time successfully, fixed two files.
Combofix finished after reboot.
Log file here: Combofix.txt

I will examine file and system now, and try to run mbam again.

Re: Win32/Cryptor

Don't run MBAM yet, we aren't done with Combofix.

Hello.

I see you have Viewpoint Manager. This is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". See here and here for more info.

I suggest you remove the program now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
FAELZZZ
GR207
iCheat1

File::
C:\cleanup.bat
C:\cleanup.exe
C:\zip.exe
c:\windows\system32\drivers\otmgo.sys
c:\windows\Tasks\RegistrySmart Scheduled Scan.job
c:\windows\Tasks\RegistrySmart Scheduled Scan.job

Folder::
c:\program files\Viewpoint
c:\documents and settings\Calviin\Application Data\Viewpoint
c:\documents and settings\Calviin\Application Data\LimeWire

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ViewMgr"=-


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[screenshot: Sfxdaw]

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.

Re: Win32/Cryptor

Cool. Done.
ComboFix Logfile

Re: Win32/Cryptor

Also done running mbam- no issues found.
Mbam Logfile

Re: Win32/Cryptor

Hello.
Some of the drivers running are game cheat engines as far as I can tell. Be careful using game cracks/keygens/game modifiers; they will no doubt get you infected.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

[screenshot: CF_Cleanup]

This will also reset your restore points.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio or Outpost.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck. Big Grin

Re: Win32/Cryptor

Some sound advice there, Balahzur! This one proved that it can go downhill quickly - between two virus scan runs....

To finalize, I ran the AVG full scan, removed some adware, emptied all IE temp files, uninstalled some crap, and it looks like the machine is clean and functioning.

I will go over to the survey promptly (I saw a donation link too). Thank you Balahzur, for your amazingly prompt and accurate responses. You guys are providing an incredibly valuable service, and, if I may say, in a really pleasant and courteous manner too. A great experience. THANK YOU!!

I will be removing the log files in a couple of days for privacy.

Re: Win32/Cryptor

Glad I could help. Smile...
