
Win32/Cryptor & Rootkit.Pakes & Backdoor Generic rebooting computer


10 replies to this topic

#1 Nikoteen

Posted 17 August 2009 - 01:00 AM

Hi all, I'm in need of some help please, and any is appreciated. Thank you in advance :thumbsup:

I'm running my laptop on Windows XP with AVG in place, but for the last day or so AVG has been detecting Win32/Cryptor and other viruses. The laptop starts up fine, but after a few minutes of use it detects these, then AVG and any other programs/screens that are open automatically close and Windows reboots itself.

It runs fine in safe mode, so I've run an MBAM quick-scan and a RootRepeal report on it in safe mode. After the MBAM scan the laptop needed to reboot to finish clearing the viruses, but after it rebooted into normal Windows (not safe mode) the same thing happened with AVG detecting the viruses. After this I went back into safe mode and ran the RootRepeal report.

Thanks for any help, here are the logs:

MBAM Quick Scan log

Malwarebytes' Anti-Malware 1.40
Database version: 2630
Windows 5.1.2600 Service Pack 3 (Safe Mode)

17/08/2009 1:41:29 AM
mbam-log-2009-08-17 (01-41-29).txt

Scan type: Quick Scan
Objects scanned: 92097
Time elapsed: 9 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0X6BKPI7\Install[1].exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4PANWHMV\Install[1].exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W9QVGTUZ\Install[1].exe (Rogue.PC_Antispyware2010) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

RootRepeal Report

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/17 02:00
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF716A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BBC000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF674E000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 173 Function Name: NtQuerySystemInformation
Status: Hooked by "C:\WINDOWS\System32\Drivers\Beep.SYS" at address 0xf77801a0

==EOF==


Any help is appreciated. Thank you!
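Added example (not code from the thread or from Malwarebytes): a small parser for the Malwarebytes log format posted above, which turns each "target (family) -> action" record into a structured entry and pulls out the Run-key autostart values the infection used. The sample log is constructed, and the parser assumes a record ends with a period and that forum line wraps fall on spaces.

```python
import re
from collections import namedtuple

# Constructed sample in the Malwarebytes log format from the posts above,
# including records the forum wrapped across several lines.
SAMPLE_LOG = r"""Registry Values Infected: 2

Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax
(Trojan.Downloader) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and
deleted successfully.
C:\Documents and
Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
(Trace.Pandex) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
"""

Detection = namedtuple("Detection", "section target family action")
# One record: "<target> (<family>) -> <action>."
ENTRY_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)\.$")

def parse_mbam_log(text):
    # A record ends with a period; wrapped continuation lines are rejoined
    # with a single space (assumes the forum wrapped them at spaces).
    section, buffer, detections = None, "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if line.endswith(" Infected:"):  # itemised section header
            section, buffer = line[:-len(" Infected:")], ""
            continue
        if section is None:  # summary block before the first section
            continue
        buffer = f"{buffer} {line}" if buffer else line
        if not buffer.endswith("."):
            continue  # wrapped record, wait for the rest
        m = ENTRY_RE.match(buffer)
        if m:
            detections.append(Detection(section, *m.groups()))
        buffer = ""
    return detections

def run_key_persistence(detections):
    # Autostart entries the malware used: Run values in the registry section.
    return [d.target for d in detections if d.section == "Registry Values" and "\\CurrentVersion\\Run\\" in d.target]
```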

#2 Budapest

Posted 17 August 2009 - 01:12 AM

Run another MBAM scan and post the new log (in Safe Mode if you have to).

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Nikoteen

Nikoteen
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 17 August 2009 - 03:52 AM

I did an MBAM quick scan in safe mode.

Malwarebytes' Anti-Malware 1.40
Database version: 2630
Windows 5.1.2600 Service Pack 3 (Safe Mode)

17/08/2009 6:38:49 PM
mbam-log-2009-08-17 (18-38-49).txt

Scan type: Quick Scan
Objects scanned: 92112
Time elapsed: 10 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\braviax.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN2.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

After it rebooted into normal Windows, AVG detected the viruses again (in C:\WINDOWS\system32\braviax.exe, C:\WINDOWS\system32\dllcache\figaro.sys, C:\WINDOWS\system32\drivers\ntfs.sys).

#4 Budapest

Posted 17 August 2009 - 04:07 AM

Run another RootRepeal scan but this time do the Files scan.

#5 gwrinkles

Posted 17 August 2009 - 04:26 AM

Hi,
I had this problem too and after messing around with Combofix, Malwarebytes and other such software, I was getting nowhere. Yesterday morning, I just deleted my C:\WINDOWS\system32\drivers\ntfs.sys file and rebooted. This actually resulted in my old ntfs.sys file being restored. The infected ntfs.sys file was the root of all the problems. The only problem I had then was the braviax.exe one which I was able to remove by running Spybot at startup when I rebooted. Machine is clean now. Hope this helps.

#6 Nikoteen

Posted 17 August 2009 - 04:41 AM

I ran the RootRepeal scan in safe mode; here is the log (I think it found one file).


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/17 19:33
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Hidden/Locked Files
-------------------
Path: c:\windows\ntbtlog.txt
Status: Size mismatch (API: 1786888, Raw: 1786830)

#7 Budapest

Posted 17 August 2009 - 05:45 AM

Nothing much there in the RootRepeal log. Try scanning with SUPERAntiSpyware.

#8 Nikoteen

Posted 17 August 2009 - 05:58 AM

Thanks Budapest and gwrinkles. I think I've pinpointed it down to the C:\WINDOWS\system32\drivers\ntfs.sys file as well, because I've run an AVG scan on my C:\WINDOWS folder before AVG made any detections itself, and the results of the scan were that there were infections in:

  • C:\WINDOWS\system32\drivers\ntfs.sys
  • C:\WINDOWS\system32\dllcache\figaro.sys
  • C:\WINDOWS\system32\braviax.exe

The braviax and figaro infections were moved to the virus vault by AVG and then I emptied the vault. But the C:\WINDOWS\system32\drivers\ntfs.sys file is "white-listed" and can't be removed. gwrinkles, I'm feeling like I should just do what you did and delete that and then reboot. I'm a total noob at these computers though - if I do that, will I lose any data that's on my CPU?

Thanks again

#9 gwrinkles

Posted 17 August 2009 - 11:02 AM

Hi Nikoteen,
I am not an expert, but I don't think it is normally a good idea to delete ntfs.sys, because mine got deleted before and I had to get a Windows XP recovery CD to reinstall it. I deleted the corrupted ntfs.sys out of frustration because I figured that that file was generating all the viruses and messages, and I preferred having to do a system recovery rather than have viruses being downloaded onto my machine, because other viruses were appearing on my machine as well as the ones you have mentioned. I have to admit I was surprised when I was able to boot up after deleting ntfs.sys. I got this virus last Friday and I think a few other people got it too, but I haven't really seen any solutions apart from my one. The worst case scenario is that if the system doesn't replace ntfs.sys with the original version of the file, you may have to get a recovery CD to put it back on your machine. As I said, it happened to me before, but in the end I lost none of the files I had on my computer.

#10 Budapest

Posted 17 August 2009 - 05:03 PM

If you have a Windows XP CD you can replace the ntfs.sys file by following these instructions:

http://www.computerhope.com/issues/ch000876.htm

Then you should immediately boot into Safe Mode and scan with SUPERAntiSpyware.

#11 Nikoteen

Posted 18 August 2009 - 03:35 AM

Thanks for all of the help in here. I think my virus problem has been solved by running ComboFix - in its first scan it detected the corrupted ntfs.sys file and disinfected it:

  • Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected
  • Restored copy from - c:\windows\ServicePackFiles\i386\ntfs.sys

I've been using this laptop all of today and all of last night now and there haven't been any detected viruses. I've scanned c:\windows\system32\ with AVG as well, which has given the all-clear.

If anyone is experiencing the same problem, first narrow the virus down to the c:\windows\system32\drivers\ntfs.sys file by running AVG (or I guess any other similar program) which detects and heals the other infected files. Then run ComboFix to fix the c:\windows\system32\drivers\ntfs.sys file. Otherwise, just run ComboFix to fix the c:\windows\system32\drivers\ntfs.sys file and then if any viruses are left over use a general anti-virus program like AVG to heal those remaining infected files.

Fingers crossed this has solved this virus problem for good. Thanks again for the help Budapest and gwrinkles, it's much appreciated :thumbsup:
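Added example (not code from the thread or from ComboFix): the comparison the ComboFix lines above imply, hashing the live ntfs.sys against the clean copies Windows XP keeps (ServicePackFiles\i386 and dllcache) and restoring from one of them while keeping the suspect file for analysis. The XP paths are assumed defaults, and demo() builds constructed stand-in files in a temporary directory so the check runs anywhere offline.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumed Windows XP default paths (not quoted from any tool on the page):
# the live driver and the clean copies ComboFix restored from in the post above.
LIVE_DRIVER = Path(r"C:\WINDOWS\system32\drivers\ntfs.sys")
REFERENCE_COPIES = [Path(r"C:\WINDOWS\ServicePackFiles\i386\ntfs.sys"),
                    Path(r"C:\WINDOWS\system32\dllcache\ntfs.sys")]

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def check_driver(live=LIVE_DRIVER, references=REFERENCE_COPIES):
    # Verdict is "match", "mismatch" or "no-reference". A mismatch alone is
    # not proof of infection (a hotfix can update a driver), but for a file
    # AV already flags it confirms the live copy differs from the clean one.
    live_hash = sha256_of(live)
    ref_hashes = {str(r): sha256_of(r) for r in references if Path(r).exists()}
    if not ref_hashes:
        return "no-reference", live_hash, ref_hashes
    if all(h == live_hash for h in ref_hashes.values()):
        return "match", live_hash, ref_hashes
    return "mismatch", live_hash, ref_hashes

def restore_from_reference(live, references):
    # Copy the first existing reference over the live driver, keeping a
    # .bak of the suspect file for later analysis. Returns the copy used.
    for ref in references:
        if Path(ref).exists():
            shutil.copy2(live, str(live) + ".bak")
            shutil.copy2(ref, live)
            return ref
    return None

def demo():
    # Constructed stand-in files in a temp dir so the check runs offline:
    # a clean reference copy and a live copy with one byte patched in.
    root = Path(tempfile.mkdtemp())
    ref = root / "ServicePackFiles" / "i386" / "ntfs.sys"
    live = root / "drivers" / "ntfs.sys"
    for p in (ref, live):
        p.parent.mkdir(parents=True)
    ref.write_bytes(b"MZ" + bytes(64))
    live.write_bytes(b"MZ" + bytes(63) + b"\x90")
    before = check_driver(live, [ref])[0]
    restore_from_reference(live, [ref])
    after = check_driver(live, [ref])[0]
    return before, after
```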



