help with win32 cryptor & generic 13 -- log review

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tdogny, Jun 5, 2009.

  1. tdogny

    tdogny Private E-2

    I am running XP Pro. I first started getting popups saying things like "you're computer is infected, click to clean" and was not able to run tools like Spybot. AVG found win32 cryptor and generic 13 but was not able to fully clean those up.

    I have made it through most of the standard cleaning procedure, but I have not been able to get ComboFix to run. It would run in SafeMode, but I was not sure how to disable AVG within safe mode. However, I did successfully run SAS, Malwarebytes and MGtools (which found and removed various things).

    Still though, after a reboot I find sometimes Windows hangs just before one would see the login screen. The fix for this seems to be rebooting into safe mode, then restarting normally. I am not getting the popups anymore though.

    Also, shortly after booting up I hear a "click-click" like a program is launching, but I have no idea what (suspicious).

    Logs attached.

    Thanks in advance.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

It appears as though the scans took care of the malware, but we can clean up a few things. You also have TeaTimer running and I suspect that having that running, as well as not disabling your AV software, could have stopped Combo from running. So let's do this:

    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!
    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


Now run CCleaner and then check that this folder is emptied:
    C:\Documents and Settings\name removed by request\Local Settings\Temp\

    Now see if you can run Combo.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
     
    Last edited by a moderator: Sep 2, 2009
  3. tdogny

    tdogny Private E-2

Thanks for your reply. Before I read it I actually managed to get Combofix to run. I ran Malwarebytes and Superantispyware repeatedly (had to rename .exe's to run them) until I got down to MB only complaining about "C:\Windows\system32\uacinit.dll" needing to be deleted on reboot. Well, it would never succeed in that. At this point I gave Combofix a try -- it did run and succeeded in deleting the malicious UAC files it found.

    I aimed to follow your instructions, but after running MGTools\analyse.exe I did not see the O2 - BHO lines you mentioned.

    Things appear to be OK now, and the scanning tools don't seem to be complaining about anything. However, I've seen reference to uacinit.dll being part of a rootkit install -- any truth to that? If I've been rootkit'ed, would it be advisable to nuke the hard drive and reinstall Windows?

    I'm attaching my latest MGTools and Combofix logs.

    Thanks for your assistance.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

We are making progress... Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
* Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected):
    Code:
    KILLALL::
    
    Driver::
    jpla
    pllxsI
    
    File::
    c:\windows\system32\drivers\qziv.sys
    c:\windows\system32\drivers\vbfppee.sys
    C:\WINDOWS\system32\tmp.txt
    C:\WINDOWS\system32\uactmp.db    
    C:\Documents and Settings\name removed on request\Local Settings\temp\um.um
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
    Last edited by a moderator: Sep 2, 2009
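As an added example (not part of the thread and not ComboFix's own code), here is a small Python audit that parses a CFScript in the format shown in the post above and summarises what it would touch: processes killed, driver services and .sys files removed, other files deleted, and the BHO CLSIDs whose registry keys are deleted. Reviewing that summary before dragging the script onto ComboFix.exe is a reasonable check; the section names and the "[-KEY]" delete syntax are taken from the script above, and the sample input is a constructed copy of it.

```python
import re
from pathlib import PureWindowsPath

# Constructed copy of the CFScript from the post above, used as sample input.
SAMPLE_CFSCRIPT = r"""KILLALL::

Driver::
jpla
pllxsI

File::
c:\windows\system32\drivers\qziv.sys
c:\windows\system32\drivers\vbfppee.sys
C:\WINDOWS\system32\tmp.txt
C:\WINDOWS\system32\uactmp.db
C:\Documents and Settings\name removed on request\Local Settings\temp\um.um

Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
# "[-KEY]" in a Registry:: section is .reg syntax for deleting the whole key.
DELETE_KEY_RE = re.compile(r"^\[-(.+)\]$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

def parse_cfscript(text):
    """Group the script's lines under their 'Name::' headers, skipping blanks."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])   # flag-only sections (KILLALL::) stay empty
        elif current is None:
            raise ValueError("entry before any section header: %r" % line)
        else:
            sections[current].append(line)
    return sections

def audit_cfscript(text):
    """Summarise what the script would touch, for review before it is run."""
    s = parse_cfscript(text)
    files = s.get("File", [])
    deleted = [m.group(1) for m in map(DELETE_KEY_RE.match, s.get("Registry", [])) if m]
    return {
        "kills_processes": "KILLALL" in s,
        "driver_services": s.get("Driver", []),
        "driver_files": [f for f in files if PureWindowsPath(f).suffix.lower() == ".sys"],
        "other_files": [f for f in files if PureWindowsPath(f).suffix.lower() != ".sys"],
        "bho_clsids_removed": [GUID_RE.search(k).group(0) for k in deleted
                               if "Browser Helper Objects" in k and GUID_RE.search(k)],
        "registry_keys_deleted": len(deleted),
    }
```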
  5. tdogny

    tdogny Private E-2

    I followed your instructions and am attaching the resulting logs.

    Things have been mostly OK since my last post, but I've had some incidents of weird Windows hiccups -- like all of a sudden folders displaying nothing in them or losing the ability to right-click. Rebooting has alleviated these things.

    Nothing unusual since the latest Combofix run though.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Your logs are clean. Any other issues should be addressed in the software section. :)

    If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
  • Click START then RUN and enter the below into the run box and then click OK. Note: the quotes are required.
  • "%userprofile%\Desktop\combofix" /u
    • Note: the space between the combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

8. After doing the above, you should work through the below link:

     
