Win32/Cryptor Virus

Welcome to Major Geeks!

Please follow the instructions in the READ & RUN ME FIRST link given futher down and attach the requested logs when you finish these instructions.

• If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First. If TDSSserv is not found, just continue on with the READ & RUN ME.
  
  • TDSSserv Non-Plug & Play Driver Disable

READ & RUN ME FIRST. Malware Removal Guide

• If something does not run, write down the info to explain to us later but keep on going.
• Do not assume that because one step does not work that they all will not.

• After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!

Helpful Notes:

1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
   
   
   • Starting your computer in Safe mode
2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
   
   • Don't Bump! It Only Hurts You!!!

Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
​

 

I need the newfiles.txt, runkeys.txt and hijackthis log.

 

They are within the C:\MGLogs.zip. Try copying the zip to a cd and then attach it.

 

Download Dr.WebCureit to your pen drive and then copy to the computer. Then:
move Dr.Web CureIt to your desktop.

• Doubleclick the cureit-beta.exe file and allow to run
• If it prompts you about getting any updates, get the update and then rerun the cureit-beta.exe installation.
• When it finishes you will have a green window with a Start and and Update selection. Click Start
• the Express Scan of your PC window will come up. Click OK to scan main memory to detect infected process in memory.
• If anything is found in memory, click the yes button when it asks you if you want to cure it. This is only a short scan.
• You may see a popup window to Buy or get a discount on the program. Just click the X at the top right to close this popup. The scan will continue.
• Once the short scan is completed, click the Custom Scan radio button. Then Select each of your hard disk drives (that is if you have more than one). A red dot shows which drives have been chosen.
• Click the green arrow at the right under the Dr.Web logo, and the scan will start.
• Click 'Yes to all' if it finds any problems and asks if you want to cure or move the file.
• When the scan has finished, look if you can click next icon next to the files found:
  http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
• If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
  http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
• This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
• After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
• Save the report to your desktop. The report will be called DrWeb.csv
• Close Dr.Web Cureit.
• Reboot your computer!! This is necessary because there could be files in use that will be moved or deleted during reboot.
• After reboot, rename the DrWeb.csv file to DrWeb.txt so that it can be uploaded here and then attach the log from Dr.Web to your next reply

 

Now see if you can run the scans and get me the logs.

 

Run DrWeb again... and then see if you can run SAS and MBAM

 

Again...copy each individual log from NGLogs.zip :
Newfiles
RunKeys
HJT

 

MGtools.exe was not downloaded and run from the correct location!

As stated in the Using MGtools instructions, the file must be saved to the root folder of the drive where Windows is installed. This was not done as can be seen from the attached filelog.txt file. Once MGtools.exe is saved to the C:\ folder as necessary, it will run properly and produce the needed C:\MGlogs.zip file.

 

Are you saying that you don't know how to copy a file from one location to another using Windows Explorer???????

 

With Window Explorer open and the MGtools.exe file selected, can you right click it and drag it to your Desktop?

 

It has to be run from the C drive since that is where Windows is installed or it will not work properly. You cannot use a shortcut to it.

Click Start, Run and enter cmd and click OK. Does a command prompt window open?

 

Okay then assuming your pen drive is inserted, and that it is drive F, and you have the MGtools.exe file in the root folder of the pen drive, see if the below commands can be run from in the command prompt window.

copy F:\MGtools.exe
MGtools.exe

The first command should copy the file from the pen drive to the folder you are currently in which is your C:\Documents and Settings\UserAccountName folder. The second command should attempt to run MGtools. Does the above work.

 

No! Attach the single log which is C:\MGlogs.zip now as it should contain all of the logs assuming everything ran properly. Then TimW will be able to continue with you tomorrow when he checks back in.

 

Not even from the command prompt like we used to copy MGtools.exe from the pen drive.

Let me take a quick look at your logs to see if I can get any idea from just the MGtools logs as to what is going on.

By the way if you rename the Malwarebytes installer program to something like, mb.exe can you copy it to your C drive (from the command prompt windows) and can you run it like we did with MGtools.exe?

 

Okay based on your logs, you are in big trouble. All of your critical Windows Services have been disabled. Had you been tinkering around trying to do any performance improvements and were you disabling any services? It is important that we know what you may have been doing on this PC. The malware that was reported by Dr.Web is not known to cause problems like this. The other possibility would be that malware has corrupted or deleted necessary Windows system files and I do not see any obvious signs of this other than the services that are not running.

This is the reason why you are having problems doing anything like copying files, installing programs, why you have no internet access, .....etc. Without the services running, almost everything will not work properly. Even trying to do a System Restore would probably not work since it would not be able to run. You could be looking at a repair install or possibly a reinstall. BUT let's see if you can do the below.

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://internetsearchservice.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://internetsearchservice.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.incredimail.com/page.asp?
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivguardian.com
O1 - Hosts: 94.232.248.66 www.antivguardian.com
O2 - BHO: BHO - {BBD4551A-9B23-41cd-9BCD-818AA2DA7B63} - C:\WINDOWS\system32\iehelper.dll (file missing)
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - HKCU\..\Run: [wblogon] C:\WINDOWS\system32\ubpr01.exe
O4 - HKCU\..\Run: [McAfee Update] C:\DOCUME~1\JB8E6~1.STO\LOCALS~1\Temp\mcupdate_1242118630.exe /insfin C:\DOCUME~1\JB8E6~1.STO\LOCALS~1\Temp\mcupdate_1242118630.ini /syncfin
O4 - HKUS\S-1-5-21-842925246-329068152-839522115-1003\..\Run: [system tool] C:\WINDOWS\sysguard.exe (User '?')
O4 - HKUS\S-1-5-21-842925246-329068152-839522115-1003\..\Run: [wblogon] C:\WINDOWS\system32\ubpr01.exe (User '?')
O4 - HKUS\S-1-5-21-842925246-329068152-839522115-1003\..\Run: [McAfee Update] C:\DOCUME~1\JB8E6~1.STO\LOCALS~1\Temp\mcupdate_1242118630.exe /insfin C:\DOCUME~1\JB8E6~1.STO\LOCALS~1\Temp\mcupdate_1242118630.ini /syncfin (User '?')
O22 - SharedTaskScheduler: incorrectnesses - {201a14d7-b5b4-422c-816f-5f2a1e92e0e7} - C:\WINDOWS\system32\xevhbpw.dll (file missing)

After clicking Fix, exit HJT.

Then reboot your PC into safe mode and see if you can find and delete an of the below files
C:\WINDOWS\sysguard.exe
C:\WINDOWS\system32\ubpr01.exe

Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\J.Stonnell\Local Settings\Temp\

Now reboot into normal mode.

Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


Then attach the below log:

• C:\MGlogs.zip

If you still cannot get the C:\MGlogs.zip file, then copy the below new files to your pen drive and attach them here:

• C:\MGtools\hijackthis.log
• C:\MGtools\newfiles.txt
  [*]C:\MGtools\runkeys.txt
  

Make sure you tell me how things are working now!

 

Were you able to run analyse.exe as requested? None of the items I asked you to fix were actually fixed. Did you have problem doing this step?

 

You have both xp home and xp pro on you computer. Are you able to boot into the other version?

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now download to your thumb drive and transfer overThe Avenger by Swandog469, and save it to your Desktop.

* Extract+ avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* -Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now look at you HJT log and then go to start / run / type "services.msc" without quotes and check all those service in the hjt log and see if you can set them to auto.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\Avenger.txt
* C:\MGlogs.zip --> or the individual logs.

 

Let me repeat myself and Chaslang:

Can you boot into the other partition/OS?
Did you have a problem with HJT as nothing was fixed ( as well as the reg. patch I gave you)?

You will probably need to start moving your personal data and files only off this system and prepare to totally wipe that partition and re-install that OS.

 

The reg patch was what you saved in notepad as fixMe.reg and you should have gotten a success notice when you ran it. At this point, I suggest that you start removing your data and personal files ( no exe files!!) from this partition so that you can reinstall the OS. You will need to do a complete reformat and clean install.

 

Once you have copied all your data and personal files and saved them to a thumb drive, you will need to do a clean install back to that partition. Once you have done that and are back up and running clean, scan all the files you copy back to the system before put them on and then we can copy the hal.dll to the other system files in the other OS.

 

This is something you need to address in the software forum. Be sure to mention that you have home on one partition and pro on the other and that you are needing to reinstall the home version.