Trojan Horse Crypt is at it

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Coniver, Jan 24, 2012.

  1. Coniver

    Coniver Private E-2

    Hello!

    I am very grateful for MajorGeeks and your assistance. I appreciate your help and would like to thank you in advance.

    OS: Windows XP Pro 2002 SP3

    Problems:

    1. AVG scan detected Trojan Horse "Crypt.ANVH" found in netbt.sys and a white-listed object on January 21, 2012. AVG cannot remove it. I am not aware of any unusual activity associated with this incident.
    2. Cannot connect to the internet or enable the network connection; it only shows IP address: 0.0.0.0, subnet mask: 0.0.0.0 (assigned by DHCP); when trying to repair, I receive an error message that it could not repair because of a problem "renewing IP address". This initial problem has now been remedied after the malware cleaning procedure.

    There are three messages containing all the logs for the explanation of this problem.
    I followed all steps with the cable connected to the back of the computer and the modem, though without internet connection.

    Step 1

    Completed all 5 steps of the "Fixing Google Redirection/hijacking and other redirection problems". Logs of GooredFix, TDSSkiller and MBRCheck are attached.

    The "Proxy Server - Changing Settings" did not remedy the failing internet connection.

    Step 2

    My only antivirus program is AVGfree last updated 1-21-12.
    My only firewall is ZoneAlarm Firewall free.
    For anti-malware I use Malwarebytes.

    Step 3

    Updating Java: Removed two older Java versions. Installed newest Java 7.2 (needed to force shut down to reboot). Disabled java update scheduler.

    Deleted AVG quarantined items. Could not find ZoneAlarm Firewall quarantine. Emptied recycle bin.

    Step 4

    I have Windows XP Pro SP3 32-bit.
    Enabled viewing of hidden files/folders.
    Set MSconfig to normal startup.
    Installed HJT (needed to again force shut down to reboot; Windows Defender error message at reboot "Application failed to initialize: 0x80070006. The handle is invalid").

    Step 5

    Removed the software "Search Toolbar".

    Step 6

    Installed Defogger. When disabling programs with Defogger, AVG Resident Shield alerted of Trojan Horse Crypt.ANVH "detected on open" in c:\WINDOWS\system32\drivers\netbt.sys.
    Now was able to restart computer through start menu as usual.

    Step 7

    Installed SUPERAntiSpyware (no updates because no internet). Scanned and attached the first log.
    Later realized that I can install SAS database definition updates directly from superantispyware.com using a flash drive, currently version 5.0.1142 with Database version 8159. Scanned again with the updated version and threats were removed. Attached the second log as well. (AVG alerted again about "Trojan horse Crypt.ANVH" in c:\WINDOWS\system32\drivers\netbt.sys. Also after reboot I could not open SAS because ZoneAlarm was stuck in "UI initializing"; the next day it was not stuck anymore.)

    Already had Malwarebytes Anti-Malware installed and previously used on computer (mbam version 1.60.0.1800 with database version v2012.01.19.01). Scanned, disinfected and attached log.

    Copied the Combofix installer to the desktop. Ran the AVG Removal Tool. Ran Combofix. When prompted for the "Microsoft Windows Recovery Console" I clicked "No" since I didn't have an active internet connection. Then a screen appeared with the message: "ComboFix - Zero Access: You are infected with RootkitZeroAccess. It has inserted itself into the tcp/ip stack. This is a particularly difficult infection." Then the Autoscan resumed through the various stages of the ComboFix scan. Log is attached. Then installed the Windows Recovery Console with the XP CD. Then I realized ComboFix had fixed the failing internet connection. I now have a connection again!

    I re-read the instructions and realized that by mistake I had already copied the RootRepeal.rar file to the desktop before running the other malware cleaning procedures. But I had not installed it yet. Installed it and ran it. Attached log.

    Copied the MGtools installer into the C:\ folder. Ran it and attached the zipped log.


    This message contains following logs:
    AVG scan log
    GooredFix log
    TDSSKiller log
    MBRCheck log
     


  2. Coniver

    Coniver Private E-2

    Continuation of problem "Trojan horse Crypt.ANVH"
    Message #2

    Containing logs of:
    First SAS Scan log
    Second SAS scan log
    MBAM log
    ComboFix log
     


  3. Coniver

    Coniver Private E-2

    Continuation of problem "Trojan horse Crypt.ANVH"
    Message #3

    Containing logs of:
    RootRepeal log
    MGTools log
     


  4. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, Coniver!

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    FireFox::
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\htarn16q.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2645238&SearchSource=3&q={searchTerms}
    File::
    C:\Documents and Settings\Administrator\Local Settings\Application Data\6i63vt0p47v304
    C:\Documents and Settings\Administrator\Local Settings\Application Data\ihp5yq0lclxrr37p00njb83
    C:\Documents and Settings\Administrator\Local Settings\Application Data\uvgdhb2f0onf8ajc8mso2l078m0f
    C:\Documents and Settings\All Users\Application Data\6i63vt0p47v304
    C:\Documents and Settings\All Users\Application Data\uvgdhb2f0onf8ajc8mso2l078m0f
    C:\Documents and Settings\Administrator\Templates\6i63vt0p47v304
    C:\Documents and Settings\Administrator\Templates\uvgdhb2f0onf8ajc8mso2l078m0f
    Folder::
    c:\windows\$NtUninstallKB62280$
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Conduit
    C:\$AVG
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{1E73965B-8B48-48be-9C8D-68B920ABC1C4}"=-
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    http://softvisia.com/users/Night_Raven/Security/cfsdnd2.gif
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how your PC is running after completing these steps.
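The two things the fix above acts on are a patched kernel driver (the netbt.sys that AVG kept flagging) and Browser Helper Object registrations (the two CLSIDs under the Registry:: section). The script below is an added example of how to check for both yourself; it is my PowerShell, not thisisu's or MajorGeeks' tooling, and not something ComboFix runs. It assumes Windows XP with PowerShell 2.0 installed (KB968930), the default %SystemRoot% layout, and that Windows File Protection's copy of each driver is still in system32\dllcache. Authenticode checks are of little use here because XP's inbox drivers are catalog-signed rather than embedded-signed, so the script compares file hashes against the protected copy instead.

```powershell
# Added example, not part of the thread: compare every driver in system32\drivers
# with the Windows File Protection copy in system32\dllcache, then list installed
# Browser Helper Objects together with the DLL each one loads.
# Assumptions: Windows XP/2003, PowerShell 2.0 (KB968930), default paths, run as
# Administrator. dllcache is a hidden folder; Get-ChildItem is not used on it here.

$sysRoot  = $env:SystemRoot
$drivers  = Join-Path $sysRoot 'system32\drivers'
$dllcache = Join-Path $sysRoot 'system32\dllcache'

function Get-Sha1Hex([string]$path) {
    # PowerShell 2.0 has no Get-FileHash, so hash with the .NET class directly.
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $fs = [System.IO.File]::OpenRead($path)
    try { $bytes = $sha1.ComputeHash($fs) } finally { $fs.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# 1. Hash comparison. A driver that was patched in place will differ from the
#    protected copy unless the infection also replaced that copy. A mismatch is a
#    lead, not proof: a hotfix that updated only one of the two files looks the same,
#    so check the file version and date of any hit before treating it as infected.
$mismatches = @()
Get-ChildItem -Path $drivers -Filter '*.sys' | ForEach-Object {
    $cached = Join-Path $dllcache $_.Name
    if (Test-Path $cached) {
        $live = Get-Sha1Hex $_.FullName
        $ref  = Get-Sha1Hex $cached
        if ($live -ne $ref) {
            $mismatches += New-Object PSObject -Property @{
                Driver    = $_.Name
                LiveSize  = $_.Length
                CacheSize = (Get-Item $cached).Length
                LiveSha1  = $live
                CacheSha1 = $ref
            }
        }
    }
}
"Drivers that differ from their dllcache copy: $($mismatches.Count)"
$mismatches | Sort-Object Driver | Format-Table Driver, LiveSize, CacheSize, LiveSha1 -AutoSize

# 2. BHO inventory. The CLSIDs in the CFScript's Registry:: section are entries
#    under this key; resolving each to its COM server DLL shows what is being removed.
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        $name = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" `
                 -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                 -ErrorAction SilentlyContinue).'(default)'
        New-Object PSObject -Property @{ CLSID = $clsid; Name = $name; Dll = $dll }
    } | Format-Table CLSID, Name, Dll -AutoSize
} else {
    "No Browser Helper Objects key present."
}
```

Run it before and after a ComboFix pass: a BHO whose DLL path no longer exists, or a driver whose live size differs from the cached copy by a few kilobytes, is exactly the kind of finding that justifies the File::/Folder::/Registry:: lines in a CFScript.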
     
  5. Coniver

    Coniver Private E-2

    Hello thisisu!

    Thank-you for your help! I appreciate the clear and easy to follow instructions.

    1. I ran "Disable/Remove Windows Messenger"

    2. New ComboFix log attached.

    3. MGlogs.zip also attached.

    So far so good. The internet connection has enabled and seems to work just fine.
    Sometimes ZoneAlarm does not open (e.g. when I would like to disable it). The ZoneAlarm icon in the tray shows the message "Protection is up. UI is initializing" and seems to hang there. Most of the time when I reboot the computer it will get 'unstuck'. However, after the last scan it works fine.
    I have not used the internet much after the last scan (since I don't have any protection up yet) to check out if I am still redirected to odd sites, but so far this has not happened anymore.

    Thank-you!
     

    Attached Files:

  6. thisisu

    thisisu Malware Consultant

    You're welcome.

    Just one remaining task to do:

    Open Notepad and copy everything in the code box below into it.
    Code:
    REGEDIT4
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{FA9D12CD-3734-4EE3-BA58-32959B1586DD}]
    • File -> Save As -> Save as type: "All Files" -> File Name: fixme.reg > Save.
    Now merge this into the registry by double-clicking it.
    Let me know if the merge was successful or not.

    If it was successful, you can proceed with these final cleanup instructions as the rest of your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Take care and be safe! :)
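The fixme.reg above uses REGEDIT4's deletion syntax: a key name written as [-HKEY_...] removes that key and everything under it when the file is merged (the "name"=- form in the earlier CFScript deletes a single value the same way). Before merging a file like that it is worth seeing what the three GUIDs actually point to. The script below is an added example of mine, not something thisisu or MajorGeeks distributes; it lists the current user's Internet Explorer search scopes, marks the ones fixme.reg would delete, and shows the equivalent deletion done from PowerShell. It assumes PowerShell 2.0 on XP with IE7 or IE8 (which store DisplayName and URL values under each scope) and uses the GUIDs from the .reg above.

```powershell
# Added example, not from the thread: inspect IE search scopes before merging a .reg
# that deletes them, and perform the same deletion from PowerShell.
# Assumptions: PowerShell 2.0 (KB968930) on Windows XP, IE7/IE8 scope layout.
# The three GUIDs are the ones fixme.reg removes.

$scopesKey = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
$toRemove  = @(
    '{95B7759C-8C7F-4BF1-B163-73684A933233}',
    '{afdbddaa-5d3f-42ee-b79c-185a7020515b}',
    '{FA9D12CD-3734-4EE3-BA58-32959B1586DD}'
)

if (-not (Test-Path $scopesKey)) { "No SearchScopes key for this user."; return }

# 1. What is registered now, and which scope IE uses by default.
#    -contains is case-insensitive, so mixed-case GUIDs still match.
$defaultScope = (Get-ItemProperty $scopesKey -ErrorAction SilentlyContinue).DefaultScope
"Default scope: $defaultScope"
Get-ChildItem $scopesKey | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    New-Object PSObject -Property @{
        Flagged = ($toRemove -contains $_.PSChildName)
        Guid    = $_.PSChildName
        Name    = $p.DisplayName
        Url     = $p.URL
    }
} | Format-Table Flagged, Guid, Name, Url -AutoSize

# 2. Same effect as the [-HKEY_CURRENT_USER\...] lines in REGEDIT4: delete the whole
#    key, subkeys included. -WhatIf only reports; drop it once the listing looks right.
foreach ($g in $toRemove) {
    $k = Join-Path $scopesKey $g
    if (Test-Path $k) {
        Remove-Item -Path $k -Recurse -WhatIf
    } else {
        "Not present: $g"
    }
}

# 3. Deleting the scope IE currently defaults to leaves DefaultScope dangling;
#    IE falls back to another provider, but say so rather than leave it silent.
if ($toRemove -contains $defaultScope) {
    "DefaultScope $defaultScope is among the removed scopes; pick a new default in IE's Manage Add-ons."
}
```

The listing is the part that matters: a scope whose URL points at a search redirector you never installed is the reason the key is being removed, and seeing it before the merge is cheaper than wondering afterwards what the .reg file did.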
     
  7. Coniver

    Coniver Private E-2

    Hello!

    The code box merged into the registry fine.

    I followed the "last steps" and the instructions in "How to protect yourself from malware".

    Now I realize that the Windows Defender error message still appears every time I reboot:

    Windows Defender
    Application failed to initialize: 0x80070006. The handle is invalid.

    I am actually not interested in keeping Windows Defender active; instead I might choose another real-time anti-spyware tool from your list. But I cannot disable Windows Defender because it does not open either. I hope this is not a serious problem.

    Any advice?
     
  8. thisisu

    thisisu Malware Consultant

    Hi,

    It would probably be easiest to try to completely reinstall it by going here: Windows® Defender
    Click the download button and begin installation. Then just follow the prompts.
    Then if you don't want to use it, you can disable it through the GUI.
    Tools -> Options -> uncheck "Use Windows Defender" at the very bottom.
    Then click the Save button.

    Hope this helps
     
  9. Coniver

    Coniver Private E-2

    Hi thisisu!

    Everything works just fine. No problems have appeared anymore. Thank you so much for your help and patient assistance.

    Grateful,
    Coniver
     
  10. thisisu

    thisisu Malware Consultant

    No problem. Take care!
     
