Struggling to get rid of Crypt Trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by kevinkhrg, Mar 28, 2010.

  1. kevinkhrg

    kevinkhrg Private E-2

    Hi,

    I had not used my laptop for months and had not had any virus problems with it before – it is running XP with SP2, 32 bit, using AVG Free and Windows Firewall, and I do not surf the web much. When I started it again March 21, I first tried to update my AVG which was a long download and unusually slow, and after that AVG started finding trojans it labelled Crypt.QNA, Crypt.QNC, Crypt.QMY etc., and Sheur3.LEF. It killed these but the Crypt trojans (not sure if this is Xpack.gen or other variants) kept recreating themselves every time I would restart or connect to Internet. I also noticed a process called ‘tmp6295’ or some number like that in the processes list. These then completely disabled my AVG and did some other things – if I try to boot in Safe mode the computer crashes with a blue screen; if I set Windows Explorer to show system files it immediately sets it back to not show them; when online it starts trying to phone my Skype contacts etc. Since then I have stayed offline while trying to fix it because it’s when online that the thing seems to get hyperactive.

    I looked for answers online using another computer and downloaded SDFix from another forum, but it didn’t work because it only runs in Safe Mode and I am blocked from Safe Mode.

    I found the Read and Run Me file on Major Geeks and tried following the instructions to the letter – none of the suspicious entries in your list were in Add and Remove programs, but SuperAntiSpyware found 2 infected files and 1 registry entry (see attached log file).

    Though I followed the instructions, every time I tried to run Malwarebytes Anti-Malware the initial 2 or 3 screens would come up (Choose Language, sometimes I got as far as Accept User Agreement) but every time after about 5 seconds my computer crashed with a blue screen. I tried running it under several different filenames from different locations, even downloading it a second time from another source server in case the file was corrupted, but always the same result.

    Then I tried the Combofix instructions. I manually downloaded and installed Windows Recovery Console as instructed. Then when I run Combofix, it shows a Combofix green progress bar for 2-3 seconds, then nothing at all no matter how long I wait, and the hard drive is not being accessed. The same with Root Repeal – I run it, an initial screen comes up for a second and then vanishes, nothing more – though it leaves behind an ‘install.dat’ file which I’m afraid to touch. I ran MGTools which didn’t show any feedback but did seem to generate a log (see attached).

    I’d be very grateful for any help on what to do, because this is my only computer but I’ve just about given up hope that this beast can be killed, it seems to anticipate my every move and block it. Even at this moment it's messing up my access to this site. My apologies if the full answer is already on another thread, please just point me to it.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    MGTools did not run to completion. So let's do this first:

    Download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip
     
  3. kevinkhrg

    kevinkhrg Private E-2

    Thanks very much for the information.

I put avenger.exe on my desktop and ran it, but I usually get to the first screen before the Trojan kills it – the window just closes, which also happened before with ComboFix and RootRepeal (with Malwarebytes it crashes the system with a blue screen STOP error). So I ran CCleaner and SuperAntiSpyware again, and SuperAntiSpyware found Trojan.dropper/START-WV in the following files:
    C:\Documents and Settings\Kevin-limited\START MENU\PROGRAMS\STARTUP\WMICVRTS.EXE
    C:\WINDOWS\PREFETCH\WMICVRTS.EXE-1FF0CF26.PF

    Then I tried Avenger again with the same failed result, but through trying about 40 times I was finally able to open it, paste the script and execute before the Trojan could close it. Avenger gave a syntax error on the following line:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | MSConfig
    saying it could not accept ‘CURRENT_USER’ but only ‘LOCAL_(something – could never read this before the Trojan closed the window). So with not much to lose at this stage, I removed that 1 line from the script and tried again, finally racing through faster than the Trojan and getting to the reboot stage.

Then ran CCleaner without problem. MGLogs/GetLogs.bat ran for some time, until an acceptance window for HijackThis came up, and then within a split second my system crashed with a blue screen STOP error. I tried a second time with the same result, only this time it crashed slightly earlier, before a ZIP file was made.

    I have attached
    Avenger.txt
    MGLogs.zip which resulted from the first (partial) run of Getlogs.bat
    MG partial logs.zip, which I pieced together from the newly generated text files after the second run of MGLogs crashed.

I hope this gives enough to get further. This thing gets more nasty every time I connect to the internet; it lets me run things like Word but blocks anti-malware programs, and I am already losing hope. Just wondering, if I were to reformat my hard drive and reinstall everything from backups, would this thing die or would it be like the cockroach in a nuclear blast?

    Thanks again.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Making progress now. Let's do this:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    * Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  5. kevinkhrg

    kevinkhrg Private E-2

    Your instructions seem to have worked!

    First, created fixME.reg, ran it and got a message saying it was successfully added to the registry.

    Second, ran avenger again and had the same problem (malware closes it after a few seconds), but after a couple of tries I managed to win the race and get it to execute the script and start the reboot before the malware could intervene.

    Ran Ccleaner without problem, then ran Mgtools/GetLogs.bat which ran smoothly all the way to the finish this time, without the malware stopping it prematurely.

    I’ve attached Avenger.txt and Mglogs.zip, looking at the contents it looks like they were successful.

    Since then I did a quick scan in superantispyware which came up clean, but haven’t tried anything else in order not to mess things up; but haven’t seen any further sign of erratic behaviour. Since connecting to internet to upload this, there hasn't been the crazy behaviour on my screen I saw a few days ago. Will await further instructions…
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Still more to do.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.
    Now:
    Download HostsXpert and then follow the below steps.

    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program


    * Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    Code:
Files to delete:
C:\WINDOWS\noddvm.txt
C:\WINDOWS\temp\scsf.tmp
C:\Documents and Settings\Kevin\Local Settings\Temp\100.dat
C:\Documents and Settings\Kevin\Local Settings\Temp\3801091.bat
C:\Documents and Settings\Kevin\Local Settings\Temp\tmp12981.exe
C:\Documents and Settings\Kevin\Local Settings\Temp\tmp2173 .exe
C:\Documents and Settings\Kevin\Local Settings\Temp\tmp3192.exe
C:\Documents and Settings\Kevin\Local Settings\Temp\tmp643.exe
C:\Documents and Settings\Kevin\Local Settings\Temp\tmp712.exe
C:\Documents and Settings\Kevin\Local Settings\Temp\tmp8291.exe
C:\Documents and Settings\Kevin\Local Settings\Temp\tmp912 .exe
    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
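The "Restore Microsoft's Hosts File" step above exists because malware routinely appends entries to the hosts file that point security vendors' update and download domains at 127.0.0.1 or 0.0.0.0, so the tools stall or cannot update. The following Python audit is an added example for that step; it is not part of the original thread and not HostsXpert's code. The vendor domain list and the sample hosts content are assumptions made for illustration, not data from the poster's machine.

```python
"""Audit a Windows hosts file for entries that block or redirect security vendors.

Added example for the HostsXpert step above; the vendor list and the sample
file are assumptions made for illustration, not data from the thread.
"""
from typing import List, Tuple

# The only mapping Microsoft ships in the XP hosts file; Vista adds "::1 localhost".
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Addresses that make a name unreachable rather than redirecting it elsewhere.
BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

# Domains whose blocking would stop updates or downloads of cleanup tools.
# Assumed list; extend it to whatever tools are actually in use.
SECURITY_DOMAINS = (
    "avg.com", "malwarebytes.org", "superantispyware.com",
    "majorgeeks.com", "microsoft.com", "windowsupdate.com",
)

# Constructed sample of a tampered hosts file (not the poster's real file).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       update.avg.com           # vendor update server blackholed
127.0.0.1       www.malwarebytes.org
0.0.0.0         www.superantispyware.com
192.0.2.10      www.google.com           # redirected to an attacker-chosen host
"""


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, ip, hostname) for every mapping, ignoring comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((lineno, ip, name.lower()))
    return entries


def _is_security_domain(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_hosts(text: str) -> List[Tuple[int, str, str, str]]:
    """Flag every non-default mapping with a short verdict."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        if _is_security_domain(name):
            verdict = ("security vendor blackholed" if ip in BLACKHOLE_IPS
                       else "security vendor redirected")
        else:
            verdict = "blocked" if ip in BLACKHOLE_IPS else "redirected"
        findings.append((lineno, name, ip, verdict))
    return findings


def is_default(text: str) -> bool:
    """True when the file contains nothing beyond Microsoft's default mappings."""
    return not audit_hosts(text)


if __name__ == "__main__":
    for lineno, name, ip, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}: {verdict}")
```

On a live machine the file to read is %SystemRoot%\system32\drivers\etc\hosts; the audit only reports, and restoring the file (what HostsXpert does) is a separate, deliberate step, because legitimate ad-blocking host lists also produce "blocked" verdicts and should not be thrown away unread.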
     
  7. kevinkhrg

    kevinkhrg Private E-2

    Ran through the latest instructions without problem, latest logs are attached. This time Avenger ran without the malware trying to close it down.

    Regarding how things are running now, things appear to be returning to normal and I can go online without things going crazy, though I have avoided doing so except to post logs to this thread. A couple of things still seem out of order even after these latest changes:
    1) If I press F8 during system boot I get the screen asking which operating system I want to boot with, but there is only one choice given: Windows XP Home Version; there is no option given for Safe Mode. When the malware was in control, I had the option of safe mode but choosing it led to immediate blue-screen system crash.
    2) AVG Free 9.0 installation fails with the installation program giving the following error:
    Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key.... Access is denied.

    I’m not sure if this is due to some leftover block on registry access left around by the malware, or whether it is due to some uncleared trash from a previously failed AVG installation which is confusing the installation program. When the malware took control it completely disabled my AVG but left it in place, so I uninstalled it and then re-installed using a clean installation, which worked briefly but was then disabled by the malware again so I uninstalled it and left it off until now. Now I am trying to reinstall using a clean copy but it won’t work.

    I haven't tried running Malwarebytes Antimalware again just to see if it still makes the system crash.

    Thanks very much again and will await the next steps...
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's see if we can get Combo to work.

    Is this a renamed MBAM file: C:\Documents and Settings\Kevin\mhb.exe?
    If not, leave it in the fix. Remove it from the fix if it is and rename it.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    File::
    C:\Documents and Settings\Kevin\mhb.exe
    C:\Documents and Settings\Kevin\secupdat.dat
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now go to start / run / and type:
    sfc /scannow --> have your xp disc handy! Run it twice.

    You should also consider doubling your RAM.

    Now try running MBAM and see if you can get a log. If so, log into the other user account and run both SAS and MBAM on that account. Attach any log that shows malware.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  9. kevinkhrg

    kevinkhrg Private E-2

    Got through all the steps though had to go out of town so it was spread over 2 days.

    Mhb.exe was not mine so I left it in the fix; I had renamed mbam under more obscure names like ‘flower’ and ‘idea’.

    Ran combofix using Cfscript without problem; log is attached. Then ran sfc /scannow twice; both times it ran through slowly until finished, without giving any messages so I guess that means it was clean.

    I ran MBAM and SAS on both user accounts without problem and both came up clean. I’ve attached the MBAM log from the run on the Kevin account.

    Mglogs is also attached.

    At present no more sign of erratic behaviour, though I haven’t tried installing AVG again (as mentioned in the previous post, this fails with an error saying access is denied to the registry).

    Thanks! Will await further instructions...
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    One last time:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    bykrxlru
    
    File::
    c:\windows\System32\Drivers\bykrxlru.sys
    
    Registry::
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    "PendingFileRenameOperations"=""
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If you are not having any other malware problems, it is time to do our final steps:
1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
• Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
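The Registry:: section of the ComboFix script above blanks PendingFileRenameOperations under Session Manager. That REG_MULTI_SZ value is a list of (source, target) path pairs that the Session Manager executes at the next boot, before any user-mode scanner is running; an empty target means "delete source". Malware uses it to drop a driver back into place or to delete a cleanup tool on reboot, which is why a script that removes a driver also clears the value. The following Python decoder is an added example for that step; it is not ComboFix code and not from the original thread. The protected-path list and the sample value (hypothetical file names) are assumptions made for illustration.

```python
"""Decode and triage the PendingFileRenameOperations value.

Added example for the ComboFix script above, which clears this value; it is
not ComboFix code. The protected-path list and the sample value are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"   # Session Manager stores NT-style paths

# Directory fragments of cleanup tools whose scheduled deletion is suspicious (assumed list).
PROTECTED_DIR_FRAGMENTS = (
    "\\malwarebytes", "\\superantispyware", "\\avg\\",
    "\\mgtools", "\\combofix", "\\hijackthis",
)


@dataclass
class PendingOp:
    source: str
    target: Optional[str]   # None means "delete source at boot"

    @property
    def is_delete(self) -> bool:
        return self.target is None


def encode_multi_sz(strings: List[str]) -> bytes:
    """REG_MULTI_SZ layout: UTF-16LE, each string NUL-terminated, list NUL-terminated."""
    return ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")


def decode_multi_sz(raw: bytes) -> List[str]:
    """Inverse of encode_multi_sz. A trailing empty string (a final delete
    operation) is indistinguishable from the list terminator here, which is
    why parse_pending treats an odd trailing source as a delete."""
    parts = raw.decode("utf-16-le").split("\x00")
    while parts and parts[-1] == "":
        parts.pop()
    return parts


def _strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending(strings: List[str]) -> List[PendingOp]:
    """Pair up (source, target) entries; an empty or missing target is a delete."""
    ops = []
    for i in range(0, len(strings), 2):
        src = _strip_nt_prefix(strings[i])
        dst = _strip_nt_prefix(strings[i + 1]) if i + 1 < len(strings) else ""
        ops.append(PendingOp(src, dst or None))
    return ops


def classify(op: PendingOp) -> str:
    """Cheap triage: what will this boot-time operation do to the cleanup effort?"""
    src = op.source.lower()
    if op.is_delete:
        if any(frag in src for frag in PROTECTED_DIR_FRAGMENTS):
            return "deletes security tool at boot"
        if "\\temp\\" in src or src.endswith(".tmp"):
            return "temp-file cleanup"
        return "delete, review"
    dst = op.target.lower()
    if "\\drivers\\" in dst and dst.endswith(".sys"):
        return "drops driver into Drivers at boot"
    return "rename, review"


def audit(raw: bytes) -> List[Tuple[str, Optional[str], str]]:
    """Decode a raw REG_MULTI_SZ blob and return (source, target, verdict) per operation."""
    return [(op.source, op.target, classify(op))
            for op in parse_pending(decode_multi_sz(raw))]


# Constructed sample value (hypothetical names, not from the poster's logs).
SAMPLE_VALUE = encode_multi_sz([
    r"\??\C:\WINDOWS\Temp\tmp1234.tmp", "",
    r"\??\C:\WINDOWS\Temp\~stage.dat", r"\??\C:\WINDOWS\system32\drivers\abcdefgh.sys",
    r"\??\C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe", "",
])

if __name__ == "__main__":
    for source, target, verdict in audit(SAMPLE_VALUE):
        print(f"{source} -> {target or '<delete>'}: {verdict}")
```

On the machine itself, `winreg.QueryValueEx` already returns a REG_MULTI_SZ as a Python list, so the list can go straight into `parse_pending`; `decode_multi_sz` is for values pulled out of an exported hive. The caveat a practitioner should keep in mind when blanking the value, as the script above does, is that it also discards legitimate pending operations, for example an installer's rename-on-reboot, so read it first and re-run the installer afterwards if one was waiting.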
     
  11. kevinkhrg

    kevinkhrg Private E-2

    Things were looking good but now I think the beast is regenerating itself.

    I ran Combofix as instructed without problem – though when it was rebooting the system, a Windows error temporarily popped up saying ‘Catchme.cfxxe – DLL initialization failed; The application failed to initialize because the window station is shutting down’. The Combofix log is attached.

    After that I ran SAS and Malwarebytes on both user accounts – the quick scans came up clean, but when I did full scans Malwarebytes found and removed 5 infected files: see attached log.

    After that I successfully re-installed AVG Free 9.0 antivirus, and updated it. After that I used it to scan the whole computer, and it found Trojans Generic17.RHD, Generic17.OZP, Generic17.HKX, Agent2.APFV, Crypt.QNC, and Crypt.QMY in folder C/System Volume Information . See attached AVG log.

    I then ran another quick scan with SAS and with Malwarebytes, and both came up clean. So I ran the Mgtools/getlogs.bat (see attached log).

    It seems as though I might have been reinfected when I did the AVG update – which was what I was doing when I got this thing the first time too.

    Not sure what to do next. I haven't done any of the cleanup instructions in your post which followed the combofix run, because I wanted to make sure I'm clean first and it looks like maybe I'm not yet.
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The only things being reported are items in your system restore folders. We will remove them when you do the final clean up and toggle system restore.

    Please use add/remove programs to uninstall:
    Java 2 Runtime Environment, SE v1.4.2_05

    Reboot and download and install:
    Java Runtime 6

    If you are not having any other malware problems, it is time to do our final steps:
1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
• Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  13. kevinkhrg

    kevinkhrg Private E-2

    Followed your instructions and after that all scans came up clean. Since then I've updated Windows and IE and beefed up my system security in various ways using the advice in the Protecting Yourself document, and now everything seems to be working well (though the Windows updates seem to have blocked out my non-Microsoft-approved modem, but that's not too major).

    Anyway, thanks very very much for your help. I had just about given up hope but you have saved my computer, and saved me having to discard it and buy a new one. I looked for a Donate button on the Majorgeeks web site but can't find one. You guys are doing great work and providing a fantastic service.

    All the best,
    Kevin
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are quite welcome. Safe surfing. :)
     
