Avast WEBforum

Other => Viruses and worms => Topic started by: Brickstin on May 26, 2012, 09:53:17 AM

Title: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on May 26, 2012, 09:53:17 AM

It all started with this stuff... *

 Started on Sunday, May 13, 2012 8:31:51 PM
* VPS: 120507-1, 05/07/2012
*

\\tsclient\a\a.dll [L] Win32:Agent-AOKE [Trj] (0)
\\tsclient\a\a.dll [L] Win32:Agent-AOKE [Trj] (0)
While moving file to chest, error occurred: The network name cannot be found

________________________________________________________________________
I found this Win32:Crypt-MIZ[Trj] in the file z:\imbtools\drivers\PZ2Z25US\HDDDriverInfo.exe

It even migrated into the system restore data.

-----------------
I tried to scan for this network.. I did some research.. It was some kind of infection.. That I thought I might have gotten on one of the profiles of XP Pro SP2.

Then this happened.

C:\3210208955144ed7387c7d\5A5CE835-DCD2-430A-BA82-D40734EF0F24mpasdlta.vdm.new.temp [L] INF:AutoRun-AA [Wrm] (0)


When I researched this.. I tried to find traces and evidence of the payload of this other worm too.. I didn't really notice anything odd with the registry at first.. I've still been trying to crack this..

I just know that my registry was altered by a worm somehow..

But.. this worm is starting to create startups in the root directory of my main drives.. . It didn't create any autorun.inf files... So.. I'm a little lost as to how and when I first got infected.. and the client server.. unauthorized connections are confusing me.. I can't seem to find out where this all happened.. But I'm listing this stuff from start to finish.


Even after avast disinfects the files and chests them... they still reappear..

C:\ibmtools\drivers\PZ2Z25US\HDDDriveInfo.exe [L] Win32:Crypt-MIZ [Trj] (0)
C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP444\A0152943.exe [L] Win32:Crypt-MIZ [Trj] (0)


C:\System Volume Information\_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP444\A0152943.exe [L] Win32:Crypt-MIZ [Trj] (0)

Started on Thursday, May 24, 2012 9:45:00 PM
* VPS: 120521-0, 05/21/2012
*

H:\87e9d5575327307baa0050680c3e6216\427C33D4-7CD2-424F-A5F8-743B789D63E3mpasdlta.vdm.old.temp [L] INF:AutoRun-AA [Wrm] (0)

It seems to only migrate to drives with a paging file on the drives I have set up.

It hasn't done anything to my Main Storage Drive.

The paging File is on Z: (aka C because I used a backup drive with my OS on it and put it into the system and I am booting up with that drive so it doesn't boot the Paging files in the other drives or the infected OS).


so Z: will be the infected C: Drive that I am scanning with my back up OS.


There is also another paging file on Drive H: (which is the performance drive for the main focus of paging. )

The worm seems to only try to infect other drives that have a paging system..

I didn't notice it trying to infect removable media yet.

The back up OS has AutoRun Autoplay disabled (aka Shell disabled via Msconfig) as a safety protocol.


I did a full scan with an updated AV database on Z: and H:
Only thing infected on H: was the pagefile.sys. It's been deleted.


Can't detect the trojan in my Z: drive though, I don't know why, but just in case I'm deleting it too to refresh the pagefile.sys on Z:

Malwarebytes only detects the following

Z:\Program Files\Avanquest\SystemSuite\helpfiles.exe
Z:\Program Files\Avanquest\SystemSuite\fcs.exe

Those were never infected before.. Avanquest has never given me trouble till now... So that confused me there..

All I know is around May 8th is when I noticed my backup account profile in WXP SP2 on infected Z: was acting up.. Programs would execute when the Windows Logon screen for fast user switching was on... aka PC Locked or something when I'm logged onto my Admin account Brickstin..

Somehow Backup was being logged into remotely.. so I killed Remote Desktop etc. and the likes. There was no password on Backup at first so I tried putting a pass called Backup.

It was still being logged into..

So I killed the account and deleted the files associated with that profile.

And also disabled the guest account..

Can anyone shed some light?

I'm still scanning as I type this.

Thanks in advance,
Sincerely,
Erick
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Pondus on May 26, 2012, 10:01:04 AM
You can upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners to see if others detect the same file.
Alternatives: http://virusscan.jotti.org/en / http://www.metascan-online.com/ / http://virscan.org/




Follow this guide and attach (not copy and paste) logs from Malwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0


When done, a malware removal specialist will check your logs...... it may be several hours before he arrives

 
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on May 26, 2012, 10:37:28 AM
You can upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners to see if others detect the same file.
Alternatives: http://virusscan.jotti.org/en / http://www.metascan-online.com/ / http://virscan.org/




Follow this guide and attach (not copy and paste) logs from Malwarebytes / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0


When done, a malware removal specialist will check your logs...... it may be several hours before he arrives

Uploaded both suspicious files to virustotal.com: both fcs.exe and Helpfiles.exe were all green out of 40.

So they're clean : Malwarebytes suspected false positives?


Note to Tech: on the Malwarebytes report uploads: there is an extra because I did a scan while inside the infected Z OS. I had first scanned on first notice of the infection when I was on my original drive.

So the second file is named Z: location.. The first one in C: is my backup drive OS, which I just did another scan with right now, only detecting other things in Drive Z:

Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on May 26, 2012, 10:58:41 AM
I forgot to upload these files.

Looks like it started in the guest account.. One of my roommates.. decided to hop on it.. and I remembered. I caught him using a few bad sites, (. OH Dear Goodness.. infection location.. URL hazard)

 :(

Ugh and he kept saying he didn't get my PC infected... psh ya right  ;¬_¬


1:59 PM 5/26/2012   Update: Still scanning.. been deleting the Win32:Crypt-MIZ[Trj] out of Restore points in Z:  . .. . ..  I don't know if this will fully disinfect it though.. I am using the other tools in the help area. They're good tools.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: true indian on May 26, 2012, 11:41:52 AM
You didn't attach the aswMBR log yet..please do that  ;D
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on May 26, 2012, 02:19:12 PM
Hi,

Like true indian said please run aswMBR and attach that log...

and do the following...

Download CKScanner by askey127 from Here (http://downloads.malwareremoval.com/CKScanner.exe) & save it to your Desktop. ----------
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on May 26, 2012, 08:47:46 PM
Hi,

Like true indian said please run aswMBR and attach that log...

and do the following...

Download CKScanner by askey127 from Here (http://downloads.malwareremoval.com/CKScanner.exe) & save it to your Desktop.
  • Right-click and Run as Administrator CKScanner.exe then click Search For Files
  • When the cursor hourglass disappears, click Save List To File
  • A message box will verify the file saved
  • Double-click the CKFiles.txt icon on your desktop then attach the contents in your next reply
----------


OP my bad lol .

It was late that night.. Sorry. Been up for two days trying to deal with this and pulled an all-nighter the night before.  ???

Also.. I wanted to ask you guys something:

After Avast finished scanning the Z: drive (infected OS drive) Z:\Windows\Memory.dmp file has the infection Win32:Taterf-F [Wrm]
I have Windows Debug console installed with symbols.  If I used WinDBG to read the infected DUMP file.. would it spread infection into my backup OS? via the WinDBG.exe?

I'm just asking because I want to know if the techs can use information of what's in memory, maybe they can trace stuff?

Or reading the DMP file is useless? If risking infection then pointless i'm sure.  :P
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on May 26, 2012, 10:14:03 PM
Hi,

Quote
Or reading the DMP file is useless? If risking infection then pointless i'm sure.
We don't need to worry about that right now.  :)
---------------

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
----------
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on May 26, 2012, 10:46:52 PM
Hi,

Quote
Or reading the DMP file is useless? If risking infection then pointless i'm sure.
We don't need to worry about that right now.  :)
---------------

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  • click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Attach the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
----------

ok here's the log.. thing is some of these scanning programs that I used in the instructions for scanning for help with: is that it doesn't have options to select the root drive I need scanned.. I'm wondering if I should also do an entire different scan with each linked provided program while using the OS on my Z: drive instead.. Some of these programs only scan C: and I didn't see any options to change it to Z.

so if I boot into Z it will be zoned as C: in the OS. I think I might do that, I'm cleaning what I can outside of the OS with Malwarebytes and Avast etc. and the provided ones you linked me.

:)  ?


Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on May 26, 2012, 10:51:14 PM
Hi,

We need to be sure to run the tools that we are using on the infected OS.  If you need to transfer the files to the infected machine via CD/USB drive that is fine, but a lot of these programs that we use will have automated features that we will need to utilize.  :)

I hope that I understood what you were saying. 
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on May 26, 2012, 11:04:36 PM
Hi,

We need to be sure to run the tools that we are using on the infected OS.  If you need to transfer the files to the infected machine via CD/USB drive that is fine, but a lot of these programs that we use will have automated features that we will need to utilize.  :)

I hope that I understood what you were saying.

ok I have to head out and do an errand real fast. (Work)

When I get back I am going to reboot into the infected Operating System and Use all of the tools again in order from start to finish. Then if need be I can repost the logs. It is missing the Z: on some of these scanners.

Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on May 26, 2012, 11:18:39 PM
Hi,

No don't run everything...just run a scan with aswMBR and OTL then we can go from there.  :)
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on May 27, 2012, 02:35:27 AM
Hi,

No don't run everything...just run a scan with aswMBR and OTL then we can go from there.  :)

I'm back from downtown: oh ok so just aswMBR and OTL inside the infected OS drive? ok, restarting now and doing the scan.

Check the logs. I uploaded them in a different post below mine.
Title: Re: Win32:Crypt-MIZ[Trj] (uploaded)
Post by: Brickstin on May 27, 2012, 10:30:59 AM
ok here's the new aswMBR LOG and the OTL Log.txt files

It was run on the infected OS; I swapped out the backup drive and put back my original OS drive in boot-up order.


Sorry I took so long... x.x
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on May 28, 2012, 12:51:59 AM
Hi,

Please download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on May 28, 2012, 04:26:07 AM
Hi,

Please download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. 
  • Please post the contents of that file.

ok do I press Yes? Because it found something unusual in the master boot records on three drives.


Update:
Never mind, I misread what you said. Here is the log file.

Also the MBR on the Seagate model that's a 300GB drive.. That's the only one that is completely unknown to me. I used a program called Bootice.exe

I checked my infected C Drive and the master boot record is IBM F11

The 80 WD800JB EIDE is a Windows NT 5.x Default MBR

the G: drive is my storage drive; its MBR is fully unknown to me.. .

The attached log is there.

Just a note.. I had to re-upload the attachment because I uploaded a scan when I was scanning another drive I had attached with a USB device. I removed that and did another scan with the program. So if you already read the first txt file disregard that one and use the new updated one I just re-uploaded.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on May 28, 2012, 04:39:00 AM
Quote
if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
:)
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on May 28, 2012, 04:44:52 AM
Quote
if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
:)

LOL sorry Jeff I was uploading the stuff and changing my original post. I got it now thank you for the help. The correct attachment is on my previous post before yours.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on May 28, 2012, 04:45:07 AM
Hi,

Please read through these instructions to familiarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(http://img.photobucket.com/albums/v706/ried7/RC2-1.png)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
----------
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on May 28, 2012, 07:55:17 AM
Ok got the scan done.. took nearly a hour but it's done Check attachment.

Thank you in advance.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on May 28, 2012, 03:24:15 PM
Hi,

Any particular reason that you have not updated Windows XP to Service Pack 3? 

Code:
ClearJavaCache::

DDS::
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: alacritysim.com\www
Trusted Zone: neonwolfgames.com\www

Firefox::
FF - ProfilePath - c:\documents and settings\Brickstin\Application Data\Mozilla\Firefox\Profiles\vkcm1hux.default\
FF - prefs.js: network.proxy.ftp - 212.182.64.86
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 212.182.64.86
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 212.182.64.86
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -

RegLock::
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *5*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *6*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *7*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *?*]

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"=-
"3540:UDP"=-
"3389:TCP"=-
"2232:TCP"=-
"5000:UDP"=-
"1723:TCP"=-
"1701:UDP"=-
"500:UDP"=-
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
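As an added example (not from the thread or from ComboFix), here is a small Python checker for the two artefacts the CFScript above tells ComboFix to clear: Firefox proxy preferences pointing at an external host, and Windows Firewall exceptions opened to any source on remote-access ports. The prefs.js text and the .reg export are constructed samples built from the values quoted in the post, and the value layout port:proto:scope:Enabled:name for the GloballyOpenPorts list is assumed to be the XP SP2 format.

```python
"""Hunt for the two artefacts the CFScript above clears: Firefox proxy prefs
pointing at an external host, and XP firewall exceptions on remote-access ports.
Added example (not from the thread or any tool it names); inputs are constructed."""
import ipaddress
import re

# Constructed prefs.js text, using the proxy values quoted in the thread.
SAMPLE_PREFS_JS = '''\
user_pref("network.proxy.ftp", "212.182.64.86");
user_pref("network.proxy.ftp_port", 3128);
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.socks", "212.182.64.86");
user_pref("network.proxy.socks_port", 3128);
user_pref("network.proxy.ssl", "212.182.64.86");
user_pref("network.proxy.ssl_port", 3128);
user_pref("network.proxy.type", 0);
'''

# Constructed .reg export of the key named in the CFScript; the value layout
# port:proto:scope:Enabled:name is assumed to be the XP SP2 format.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"3587:TCP"="3587:TCP:*:Enabled:Windows Peer-to-Peer Grouping"
"3389:TCP"="3389:TCP:*:Enabled:Remote Desktop"
"1723:TCP"="1723:TCP:*:Enabled:VPN"
"500:UDP"="500:UDP:*:Enabled:IPsec IKE"
"137:UDP"="137:UDP:LocalSubNet:Enabled:NetBIOS Name Service"
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
PROXY_HOST_PREFS = ("network.proxy.http", "network.proxy.ssl",
                    "network.proxy.ftp", "network.proxy.socks")
REG_VALUE_RE = re.compile(r'^"(\d+):(TCP|UDP)"="(.*)"$')
# Ports whose exceptions the CFScript removes, with the service each carries.
REMOTE_ACCESS_PORTS = {(3389, "TCP"): "RDP", (1723, "TCP"): "PPTP VPN",
                       (1701, "UDP"): "L2TP", (500, "UDP"): "IKE (IPsec)"}


def parse_prefs(text):
    """Map pref name -> value for every user_pref() line (strings unquoted, ints cast)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs


def proxy_findings(prefs):
    """List proxy hosts that are not loopback, plus whether Firefox is using them.
    network.proxy.type 0 means 'no proxy' (a stale host is inert but worth clearing);
    type 1 means the manual proxy settings are live."""
    hosts = []
    for name in PROXY_HOST_PREFS:
        host = prefs.get(name)
        if not host:
            continue
        try:
            local = ipaddress.ip_address(host).is_loopback
        except ValueError:
            local = host.lower() == "localhost"
        if not local:
            hosts.append((name, host, prefs.get(name + "_port")))
    return {"active": prefs.get("network.proxy.type") == 1, "hosts": hosts}


def parse_open_ports(reg_text):
    """Return (port, proto, scope, enabled, name) tuples from the GloballyOpenPorts List key."""
    entries, in_key = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower().endswith(r"\globallyopenports\list]")
            continue
        m = REG_VALUE_RE.match(line) if in_key else None
        if not m:
            continue
        fields = m.group(3).split(":")
        scope = fields[2] if len(fields) > 2 else "*"
        enabled = len(fields) > 3 and fields[3] == "Enabled"
        name = fields[4] if len(fields) > 4 else ""
        entries.append((int(m.group(1)), m.group(2), scope, enabled, name))
    return entries


def remote_access_exceptions(entries):
    """Enabled exceptions open to any source (*) on a remote-access port."""
    return [(port, proto, REMOTE_ACCESS_PORTS[(port, proto)])
            for port, proto, scope, enabled, _ in entries
            if enabled and scope == "*" and (port, proto) in REMOTE_ACCESS_PORTS]
```

On the sample input the proxy hosts are reported as present but inactive (type 0), and the 3389/TCP, 1723/TCP and 500/UDP exceptions are flagged; the 3587/TCP and subnet-scoped 137/UDP entries are not.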
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on May 29, 2012, 02:10:45 AM
Hi,

Any particular reason that you have not updated Windows XP to Service Pack 3? 

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
ClearJavaCache::

DDS::
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: alacritysim.com\www
Trusted Zone: neonwolfgames.com\www

Firefox::
FF - ProfilePath - c:\documents and settings\Brickstin\Application Data\Mozilla\Firefox\Profiles\vkcm1hux.default\
FF - prefs.js: network.proxy.ftp - 212.182.64.86
FF - prefs.js: network.proxy.ftp_port - 3128
FF - prefs.js: network.proxy.http_port - 3128
FF - prefs.js: network.proxy.socks - 212.182.64.86
FF - prefs.js: network.proxy.socks_port - 3128
FF - prefs.js: network.proxy.ssl - 212.182.64.86
FF - prefs.js: network.proxy.ssl_port - 3128
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.proxy.type - 0
FF - user.js: network.proxy.http -
user_pref(network.proxy.http_port,);
FF - user.js: network.proxy.no_proxies_on -

RegLock::
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *5*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *6*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *7*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *?*]

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"=-
"3540:UDP"=-
"3389:TCP"=-
"2232:TCP"=-
"5000:UDP"=-
"1723:TCP"=-
"1701:UDP"=-
"500:UDP"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    (http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif)

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

I never upped to SP3 because some of my programs became unstable. Not to mention the OS seemed to run a little harder... I don't know why.. so instead of going SP3 I just get all the other updates. Because SP3 is basically a newer version of explorer.exe and other system files but the updates cover most of them.. Just missing some parts of other security features in SP3 are made up with my avast. I could try SP3 again.. To see how it would work again but I can't quite entirely remember how it worked with my current configuration.

Here is the attached new log from Combofix with the custom script dragged into the executable.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on May 29, 2012, 03:51:22 AM
Hi,

We definitely need to update, but we will do that after we get your system more stable.  It is very important to keep your Windows operating system up to date...if not, the older software is just waiting to be infected along with the rest of your system.
-----------
Code:
RegNull::
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{424E7FAC-A75D-EA1D-2D56-21BF79D08CF9}*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F6251AEA-5583-E39F-6B40-DFB43F427BD4}*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *5*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *6*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *7*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *?*]
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on May 29, 2012, 06:00:00 AM
Hi,

We definitely need to update, but we will do that after we get your system more stable.  It is very important to keep your Windows operating system up to date...if not, the older software is just waiting to be infected along with the rest of your system.
-----------
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
RegNull::
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{424E7FAC-A75D-EA1D-2D56-21BF79D08CF9}*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F6251AEA-5583-E39F-6B40-DFB43F427BD4}*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *5*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *6*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *7*]
[HKEY_USERS\S-1-5-21-3970982898-453622554-3694266668-1006\ *?*]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    (http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif)

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------


ok Got it  :)
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on May 29, 2012, 02:18:35 PM
Hi,

P2P - I see you have P2P software Limewire and uTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections and possibly Identity Theft. It likely contributed to your current situation.  This page (http://malwareremoval.com/p2pindex.php) will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.
----------

Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

Please run a free online scan with the ESET Online Scanner (http://www.eset.com/onlinescan/)
Note: You will need to use Internet Explorer for this scan
In your next reply please attach the logs made by Malwarebytes and ESET online scanner.  :)
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on May 31, 2012, 12:21:53 AM
Hi,

P2P - I see you have P2P software Limewire and uTorrent installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections and possibly Identity Theft. It likely contributed to your current situation.  This page (http://malwareremoval.com/p2pindex.php) will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.
----------

Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

Please run a free online scan with the ESET Online Scanner (http://www.eset.com/onlinescan/)
Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

In your next reply please attach the logs made by Malwarebytes and ESET online scanner.  :)

I realize the majority of the dangers of P2P software and despite that I use legit uTorrent software, I do everything with the knowledge I have to ensure I don't get wares from such P2P software.. I have only once downloaded something with uTorrent that was a fake and my Avast detected it and aborted the connection. I'm thankful enough to antivirus software such as Avast.

But Limewire.. was another P2P that I uninstalled a year ago.. There is no program file information on it on this drive.. I checked my remove programs and files list.. in Windows.. and I don't see an uninstall shield for Limewire... I don't understand why it's still present somehow on my PC.. perhaps the uninstaller didn't remove keys from the registry hives?.. Is there any way to get rid of the rest of Limewire? ..

One thing that really shocks me is that.. there is some legit software from Avanquest.. that is being found bad on the ESET scanner... Which really has me nervous now.. I paid a lot of money for that software.. and it's bad?

Take a look at the scanner.. And also the Malwarebytes scanner picked up a PUM mod for my Start Menu log off... Why would it be doing that? No matter how many times I remove it.. it comes back.. and I noticed when I select to get rid of the malware my Log off button in the Start Menu vanishes.. so I have to config the menu bar to bring it back.. Then when I scan again.. Malwarebytes detects the same PUM again.. Is this a false positive? or is there something in the registry that is maliciously coded by an unknown infection that not even Avast can detect? It just started happening after a Malwarebytes update just five months ago..



P.S.: I traced the origin of the infection that got onto my computer.. it was via Firefox due to the fact that each separate profile on Windows XP... has its own cache and profile set up in Firefox for each Windows logon user.. In the Documents and Settings folder under Guest.. there was an infection detected originally in the cache and temp files that came from Firefox.. That was neutralized via Avast and Malwarebytes scans.
I also know 100% it was due to the guest account because it was the first detection that Avast found when a guest came to my computer to use it. It wasn't on my account or any other account in Windows XP.


Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on May 31, 2012, 02:38:02 AM
Hi,

Rerun Malwarebytes and remove that entry and attach the new log.  :)
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on June 01, 2012, 12:23:28 AM
Hi,

Rerun Malwarebytes and remove that entry and attach the new log.  :)

ok.. I have noticed.. that right after I did that ESET Scanner online.. scan.. my PC has been getting really slow now. I don't know why..

Another thing.. During startup I see the select operating system configurations start up in the Boot.ini ... Now I have a selection for Windows XP Professional and then " C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons"   ,,,, then another for do not select this" /debug . .. .

When this process fix is done.. Will the Debug selection disappear and be uninstalled from my computer?



Removed the logoff PUM and all is clear now.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on June 01, 2012, 03:22:00 AM
Hi,

So when is your system getting slow again?  Is it just when working with programs on your system or while on the internet?  Let me know exactly what you are experiencing.

The entries that you see on startup are normal since we added the Recovery Console.  :)
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on June 01, 2012, 04:28:33 AM
Hi,

So when is your system getting slow again?  Is it just when working with programs on your system or while on the internet?  Let me know exactly what you are experiencing.

The entries that you see on start up are normal since we added the Recovery Console.  :)

It just got slow for about 39 mins.. It's ok now.. I think. It doesn't seem really slow anymore.. Anyways that was the final log.. Is there anything else that needs to be done? and that Debug... there's two.. there's the Recovery Console.. and then there's a different one called "UnsupportedDebug="do not select this" /debug"    It's a different selection.

What is the next step after this? Awaiting instructions.

Thanks in advance.

It was both.. Not the internet connection itself: the internet speeds are fine.. It's Firefox.. and among other programs too, even Windows explorer.exe. And when I'm working with other programs too.. It did it earlier today... In the morning.. But now it's not doing it: I haven't noticed any lag in the actual operating system now..

Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on June 01, 2012, 03:02:35 PM
Hi,

Quote
But now it's not doing it: i haven't noticed any lag in the actual operating system now..
Ok that is good.  There are many reasons why a system may become slow that are not malware related. 

Let's get some updates and let your system settle back in. 

You have an older version of Adobe Reader.  You can download the current version HERE (http://www.adobe.com/products/acrobat/readstep2.html)

You may want to consider   Foxit Reader (http://www.foxitsoftware.com/downloads/index.php) instead. It may be a bit lighter on resources.

Visit their support forum
Foxit Forum (http://www.foxitsoftware.com/bbs/forumdisplay.php?f=3)

In either case you should uninstall Adobe Reader 6.0 first. Be sure to move any PDF documents to another folder first though.
----------

Quote
there's a different one called "UnsupportedDebug="do not select this" /debug"
We can remove that as well later, but it is there as a result of running ComboFix.  :)

Let me know when you get that finished.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on June 03, 2012, 06:37:09 AM
Well I updated Reader.. Sorry I'm slow in response.. I've been very busy the past couple of days.. x.x

I'm going to do windows updates.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on June 03, 2012, 02:10:56 PM
No problem...there is no time frame to respond with.  :)
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on June 05, 2012, 02:03:52 PM
Well all updates have been done..  Only thing I didn't choose to do was put SP3 into XP. I don't know if I should do that or not.. Might be kinda risky considering I've been having a different problem with my computer.. RAM, HD or HD Cables are faulty. Been replacing parts and doing testing.

As far as the OS concerned is there anything else that needs to be done?

Again sorry for the late reply.

my sincere thanks to all of you for your support in this matter.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on June 05, 2012, 04:23:24 PM
Hi,

Quote
As far as the OS concerned is there anything else that needs to be done?
I am not seeing anything malware related in the logs you are providing.  The only thing that I would highly recommend is that you upgrade to Windows XP SP3 as soon as you can. 

Quote
Quote
there's a different one called "UnsupportedDebug="do not select this" /debug"
There is not anything wrong with this. 

How is your system behaving? 
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on June 07, 2012, 07:28:27 PM
Something seriously just happened with my system!!!!

It's saying one of my hard drives messed up via the Windows debugging report to Microsoft.

Windows was temporarily unable to read your hard disk drive. We don't know the exact cause of the problem. In most cases, this type of condition is momentary and doesn't indicate a serious problem, but sometimes it means that a hard disk is failing.



I know this is a viral malware forum... do you know any forums that can help diagnose which drive of mine is failing? I have three total hard drives on this system and I don't know which one it is.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on June 07, 2012, 08:43:41 PM
Hi,

You can check the drives and see which one is failing using HDTune. 

Please download HD Tune (http://www.hdtune.com/download.html) (the free version not the trial), run an error scan on your primary hard drive (full not quick) and report back if any blocks aren't green. It tests your hard drive for bad sectors.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on June 12, 2012, 08:06:05 PM
Primary Hard drive is all Green.

Sorry for the late reply.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on June 13, 2012, 01:48:51 PM
No problem with any delay.  :)  Are you still having the problem or was it momentary like the warning stated?
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on June 14, 2012, 10:47:19 AM
No it is actually becoming more chronic.. Thing is.. I don't know how to identify the hardware codes to figure out which hard drive it is.. I only know it's something as a hexadecimal type that may ID the drives... that or has values of 0, 1, 2.... being I have three drives.. I don't know if that will say anything in the recent Debug Files I have from all the crash dumps.. So far I have had 14 total crashes related to hard drive issues..

Thing is.. if I knew which drive it was.. I could fix the problem.. see.. there's no failed sectors in any of the three drives.. they are all green across the board.. and so I think it might be due to a bad power cable or a bad data cable to one of the three drives.. but if I don't know which one is having issues: then I would be having to replace ALL cables which would put extra money out of my pocket..




As far as the virus and malware is concerned.. you all have helped me a great deal and I appreciate it.. There are these other forums with savvy techs that might be able to help me with the hardware issues.. Do you know any good ones?..

Again thank you again so much for your assistance; you guys are amazing and gracefully helpful.

             Sincerely,
                                        Erick J. Vasquez
                                                                   PC ER Services, Inc
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on June 14, 2012, 01:42:23 PM
Hi,

With help for your hardware issues I would visit Geeks to Go which you can find here >> http://www.geekstogo.com/forum/  You will need to register first but it is free to do so.  The techs there are exceptional and you will be in good hands.  :)
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on June 27, 2012, 08:25:31 AM
I am seriously having another issue now... For some reason.. every single DRIVE that is on my system is set to read only :

All folders and sub folders have greyed out read only attributes within the properties of each object.
 

When I uncheck to make all files within sub folder and folders including files is done: I click apply and ok then re open and check the properties.

It is still greyed out and now because of this I am having saving issues with programs that I run on a daily basis.

This is a serious situation that has stopped me on filing things and doing my work.

What is even more weird is that every single Hard drive is set to sharing and I cannot change the permissions for each sharing details of each drive in the properties box of those drive objects.


I have also checked the permissions in security tab for the properties.. My permissions have been revoked..

what could have possibly happened?



UPDATE:


I have found something else disturbing.. EVERY computer in the entire network in our household is completely affected by this strange OS behavior too.. Everything is set to read only on every single computer's Hard drives and USB Drives.. External media (excluding CD Roms & DVDs) because those are considered a read only media.

What in the world is going on? Please someone help me:

I am in deep dire needs!  :-\
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on June 27, 2012, 04:32:30 PM
Hi,

Sorry to hear of your problems.  Did you ever go to Geeks to Go and start a topic there for your hardware problems previously?  Since this seems to be affecting all systems on your network I would temporarily disconnect all computers not needed until we get this resolved. 

Let's get a fresh look and see what is happening to try and rule out malware.

Please run new scans with OTL and aswMBR and then attach the logs to your next reply.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on June 28, 2012, 04:10:32 AM
Scan results

I also included a HijackThis log scan for more info.



Sorry no I never had time.. I was very busy for the past couple of weeks and I still am.. x.x going through personal issues that I have to focus on.. one of them being work. I thought the HD issue could wait since it wasn't that severe yet and as my data is constantly backed up anyhow in case of a sudden permanent crash.

Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on June 28, 2012, 01:43:58 PM
Hi,

I have to say that if you have a complete backup of your system and you are using this for work, you may even be better served by just starting over with a fresh install of your operating system.  It would only really take a few hours to do and be more beneficial to both you and any customers that you have in both time and security of information.    If you would like to continue though, please do the following...

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
----------
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on July 14, 2012, 01:14:09 AM
I'm sorry I had to leave for a week out of town to deal with an emergency.. x.x I am back now.. I am going to start the tests.. Sorry for the trouble.

 Sincerely,
                  Erick
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on July 14, 2012, 02:35:26 AM
No trouble at all.  :) 
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on July 21, 2012, 06:03:23 AM
I'm sorry for being so slow in replies: and I thank you for your patience, you are wonderful to work with.

So I wanted to take the time to thank you and give you my great appreciation for your assistance in my distraught situation with my computer.

I have done the TDSSKiller scan and it found no threats with the Detect option you told me to include..

The log is included in the following attachment.

I may want to inform you though that for some reason today Firefox crashed out of the blue and the following file spooldr.sys was the cause for my issue,

I ran a Microsoft Safety Scanner and it found 17 infections so far....

Here is an example of the error with Windows Debugging tools:


DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is
caused by drivers that have corrupted the system pool.  Run the driver
verifier against any new (or suspect) drivers, and if that doesn't turn up
the culprit, then use gflags to enable special pool.
Arguments:
Arg1: ffe7006d, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 8054a0ba, address which referenced memory

FAULTING_IP:
nt!ExDeferredFreePool+b4
8054a0ba 8b10            mov     edx,dword ptr [eax]

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  firefox.exe

TRAP_FRAME:  aebb57d8 -- (.trap 0xffffffffaebb57d8)
ErrCode = 00000000
eax=0000000f ebx=0000000e ecx=dd851c00 edx=00000000 esi=8a5b8020 edi=00000000
eip=80569209 esp=aebb584c ebp=aebb5898 iopl=0         nv up ei ng nz ac po cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010293
nt!CcMapData+0xef:
Page a61d9 not present in the dump file. Type ".hh dbgerr004" for details
80569209 8a0c0a          mov     cl,byte ptr [edx+ecx]      ds:0023:dd851c00=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from 8054a0ba to 805444e8
SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  nt!ExDeferredFreePool+b4

FOLLOWUP_NAME:  Pool_corruption

IMAGE_NAME:  Pool_Corruption

DEBUG_FLR_IMAGE_TIMESTAMP:  0

MODULE_NAME: Pool_Corruption

FAILURE_BUCKET_ID:  0xC5_2_VRF_nt!ExDeferredFreePool+b4

BUCKET_ID:  0xC5_2_VRF_nt!ExDeferredFreePool+b4





OH my God... Look what happened.. I did an Avast scan again.. and I am INFECTED AGAIN?! I could have sworn to God we got rid of these.. what is going on?

C:\WINDOWS\Memory.dmp
Win32:FakeAlert-NO [Trj]
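The bugcheck text above is the part of a WinDbg "!analyze -v" report that actually matters, and it is worth reading mechanically before reacting to the PROCESS_NAME line: firefox.exe was merely the process running when the kernel tripped over a corrupted pool block, and IMAGE_NAME = Pool_Corruption means WinDbg could not attribute that block to any driver. The following parser is an added example written for this thread, not code from the original post, from WinDbg or from Microsoft. SAMPLE_REPORT is the report quoted above, trimmed to the lines the parser uses; the field labels (Arg1..Arg4, FAULTING_IP, PROCESS_NAME, IMAGE_NAME, FAILURE_BUCKET_ID) are WinDbg's own, while the triage categories and the one-line summary format are this example's convention.

```python
"""Pull the key fields out of a WinDbg "!analyze -v" bugcheck report.

Added example for this thread; not code from the original post, from WinDbg
or from Microsoft. SAMPLE_REPORT is the report quoted in the thread, trimmed
to the lines the parser uses.
"""
import re

SAMPLE_REPORT = """\
DRIVER_CORRUPTED_EXPOOL (c5)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.
Arguments:
Arg1: ffe7006d, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000000, value 0 = read operation, 1 = write operation
Arg4: 8054a0ba, address which referenced memory

FAULTING_IP:
nt!ExDeferredFreePool+b4
8054a0ba 8b10            mov     edx,dword ptr [eax]

DEFAULT_BUCKET_ID:  DRIVER_FAULT

PROCESS_NAME:  firefox.exe

IMAGE_NAME:  Pool_Corruption

MODULE_NAME: Pool_Corruption

FAILURE_BUCKET_ID:  0xC5_2_VRF_nt!ExDeferredFreePool+b4
"""

# "NAME (hexcode)" header line that opens every !analyze report.
_HEADER = re.compile(r"^([A-Z_0-9]+) \(([0-9a-fA-F]+)\)[ \t]*$", re.M)
# "ArgN: value, description" lines; only the hex value is kept.
_ARG = re.compile(r"^Arg([1-4]): ([0-9a-fA-F]+)", re.M)
# "UPPER_CASE_LABEL:  value" lines (PROCESS_NAME, IMAGE_NAME, ...).
_FIELD = re.compile(r"^([A-Z_]+):[ \t]+(\S.*?)[ \t]*$", re.M)
# FAULTING_IP is followed by the symbol on its own line, then the disassembly.
_FAULTING = re.compile(r"^FAULTING_IP:[ \t]*\n(\S+)", re.M)
# Bugchecks whose four arguments are (address, IRQL, 0=read/1=write, faulting address).
_IRQL_STYLE = {0x0A, 0xC5, 0xD1}


def parse_analyze(text):
    """Return the bugcheck name/code, the four arguments and the UPPER_CASE
    fields of one !analyze -v report as a dict."""
    m = _HEADER.search(text)
    if not m:
        raise ValueError("no bugcheck header line found")
    info = {"bugcheck_name": m.group(1), "bugcheck_code": int(m.group(2), 16)}
    info["args"] = [int(v, 16) for _, v in sorted(_ARG.findall(text))]
    for key, value in _FIELD.findall(text):
        info[key.lower()] = value
    fault = _FAULTING.search(text)
    info["faulting_symbol"] = fault.group(1) if fault else None
    return info


def triage(info):
    """What the report actually blames.

    'pool_corruption': the faulting code is the kernel's own pool free routine
    and WinDbg could not name the driver that wrote past its allocation; the
    next step is Driver Verifier / special pool on suspect drivers, not the
    process in PROCESS_NAME. Otherwise the named image is the suspect.
    """
    image = info.get("image_name", "")
    if image.lower() == "pool_corruption":
        return "pool_corruption"
    return "driver:" + image if image else "unknown"


def summary_line(info):
    """One-line description suitable for a ticket or a forum post."""
    a = info["args"]
    head = "%s (0x%X) in %s" % (info["bugcheck_name"], info["bugcheck_code"],
                                info.get("process_name", "?"))
    if info["bugcheck_code"] in _IRQL_STYLE and len(a) == 4:
        op = "write" if a[2] == 1 else "read"
        return "%s: %s of 0x%08x at IRQL %d from %s" % (
            head, op, a[0], a[1], info["faulting_symbol"])
    return "%s: %s" % (head, info.get("failure_bucket_id", "no bucket"))


if __name__ == "__main__":
    parsed = parse_analyze(SAMPLE_REPORT)
    print(summary_line(parsed))
    print("verdict:", triage(parsed))
```

Run on the report above it prints the read of 0xffe7006d at IRQL 2 from nt!ExDeferredFreePool+b4 and the verdict pool_corruption; the same parser works on any other !analyze -v dump pasted in, which is the point of parsing the labels rather than eyeballing them.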
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on July 23, 2012, 01:08:13 AM
Hi,

Sorry for any delay...my own system was having some technical difficulties.   :-\

Could you post the results of that Microsoft Safety Scanner so I can look at that also?  Thanks.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)


**If you are using a 64bit system please use either of the following links for your download instead:
Link 1 (http://jpshortstuff.247fixes.com/SystemLook_x64.exe)
Link 2 (http://images.malwareremoval.com/jpshortstuff/SystemLook_x64.exe)

Code:
:file
C:\WINDOWS\Memory.dmp
Note: The log can also be found on your Desktop entitled SystemLook.txt
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on July 24, 2012, 03:46:11 AM
Unfortunately I cannot post logs for Microsoft Safety Scanner.. I don't even know if that program posts logs or not.. I can't remember.. where it would store it.. do you know where it is stored? It had about 17 infections and I already removed and cleaned them out.. had something to do with an old program I used to use.. which is an Avanquest portable software program.

I deleted that however and no longer use it.

But despite being 17 infections when I went to selection area in that program it only showed one. which made no sense.. I also used superantispyware scanner and found infections. I have deleted them as well... here is the logs for that..

See attachments.. As far as running SystemLook.. the Avast program deleted the MEMORY.DMP file.. so I cannot use that custom script that you specified.. x.x


And I don't know what I can do to re enact a BSOD so it can make a dump file again..

I am going to try and do a few things to see if I can make a BSOD.

so Ill just keep going what im doing and see if it happens again..

Any other suggestions? I tried get it back for NTFS to see if the file was still there.. It's already been over written with paging file data and other data  that traffics through my OS drive.. so yeah.. its pretty much scrapped..

P.S.. what is wrong with your computer?



WHAT IN THE WORLD?.. I'm somehow infected again.. I don't understand how I keep getting re infected.....


7/24/2012 12:27:20 AM   Brickstin   272   Sign of "Win32:WinPump-D [Adw]" has been found in "G:\C eMachines\Download\Games\FH\FHPatchV1.03toV1.05.exe.exe" file. 


7/24/2012 1:05:09 AM   Brickstin   6272   Sign of "Win32:FakeAlert-CSB [Trj]" has been found in "G:\C eMachines\Documents and Settings\default\My Documents\IO\CCast.nrg" file. 

That file was completely fine.. now my EXE files are starting to get infected!

how the heck? I have found so many in so many different versions of this program

Win32:SwizDrop-BE [Trj] in each file

4.23.0.276_MsgPlusLive-423.exe

4.50.0.312_MsgPlusLive-450.exe
4.60.0.326_MsgPlusLive-460.exe

4.81.358.0_MsgPlusLive-481.exe
4.82.368_MsgPlusLive.exe

Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on July 24, 2012, 01:58:53 PM
Hi,

Oh my system is back in working order.  I was having problems downloading attachments and found a corrupted file.  I was able to fix it up.  :)
----------

Let's get another online scan.

Please run a free online scan with the ESET Online Scanner (http://www.eset.com/onlinescan/)
Note: You will need to use Internet Explorer for this scan.  **Note** If no threats are found there will not be a log created.
----------
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on July 27, 2012, 06:09:44 AM
F.Y.I: This scanner took.. 18 hours.. to scan... Jesus.. It scanned every single drive I had.. x.x

33 infections found...

0 cleaned..

manually delete? or different scanner must be used?

C:\Program Files\Avanquest\SystemSuite\W32Int13.dll   a variant of Win32/Kryptik.FNT trojan

C:\Program Files\Common Files\Wise Installation Wizard\WIS6A615007721D4063B226EA41EB6604B9_8_0_1_1.MSI   a variant of Win32/Kryptik.FNT trojan

G:\C eMachines\Documents and Settings\default\My Documents\My Received Files\Tune Up Utilities 2007.rar   multiple threats

G:\C eMachines\Download\Games\CheatEngine561.exe   multiple threats

G:\C eMachines\Download\Games\AoE\aoe_no_fog_trainer.exe   a variant of Win32/GameHack.AD application

G:\C eMachines\Download\Games\AoE\popchange.exe   Win32/Keylogger.HotKeysHook.A virus

G:\C eMachines\Download\Games\AoE\swiftpc.zip   Win32/Keylogger.HotKeysHook.A virus

G:\C eMachines\Download\Games\Furcadia\DeSmuMeProxy.zip   a variant of Win32/Injector.FOC trojan

G:\C eMachines\Download\Games\Furcadia\Other Furc stuff\Decryption\setup_spamduh_extension.exe   probably a variant of Win32/Agent.LJZWTSD trojan

G:\C eMachines\Download\Games\Tribes Updaters\xfire_installer_43094.exe   Win32/OpenCandy application

G:\C eMachines\Download\Messengers\AIM\AIM_5.9.3702.0.exe   Win32/Adware.WBug.A application

G:\C eMachines\Download\Messengers\Win MSN MSGR\MPL\MPL4\4.83.376_MsgPlusLive-483.exe   a variant of Win32/Adware.CiDHelp application

G:\C eMachines\Download\Messengers\Win MSN MSGR\MPL\MPL4\4.83.380_MsgPlusLive.exe   a variant of Win32/Adware.CiDHelp application

G:\C eMachines\Download\Music Programs\WA\winamp5.581_full_emusic-7plus_en-us.exe   Win32/OpenCandy application

G:\C eMachines\Download\Music Programs\WA\winamp5.601_full_emusic-7plus_en-us.exe   Win32/OpenCandy application

G:\C eMachines\Download\Music Programs\WA\winamp5.62.3_full_emusic-7plus_en-us.exe   Win32/OpenCandy application

G:\C eMachines\Download\Music Programs\WA\winamp5.622_full_emusic-7plus_all.exe   Win32/OpenCandy application

G:\C eMachines\Download\Programs\Art Programs\Adobe\Adobe Photoshop Elements 8.0 Multilingual [h33t] [pmsyb]\cr-pes80.iso   a variant of Win32/Keygen.BH application

G:\C eMachines\Download\Programs\Compressors\7zip_installer_1650.exe   a variant of Win32/InstallIQ application

G:\C eMachines\Download\Uni PC Tools\Viral ATK.rar   multiple threats

G:\C eMachines\Download\Uni PC Tools\Fix PC\2SDFix.exe    Win32/PrcView application

G:\C eMachines\Download\Uni PC Tools\Fix PC\3FindAWF.exe    Win32/PrcView application

G:\C eMachines\Download\Uni PC Tools\Fix PC\Fix PC.zip    Win32/PrcView application

G:\C eMachines\Download\Uni PC Tools\Fix PC\Blocking\Hide Your IP Address v1.0.rar   Win32/HackTool.Patcher.A application

G:\C eMachines\Download\Uni PC Tools\Fix PC\Data Recover\HDDat Recover\Mac\dmge-latest.exe   Win32/OpenCandy application

G:\C eMachines\Download\Uni PC Tools\Fix PC\Data Recover\HDDat Recover\Mac\HFSExplorer\SoftonicDownloader_for_hfsexplorer.exe   a variant of Win32/SoftonicDownloader.D application

G:\C eMachines\Download\Uni PC Tools\Fix PC\Data Recover\HDDat Recover\Mac\MacDrive\MacDrive-v8.0.5.31-Keygen.included.zip   a variant of Win32/Keygen.CX application

G:\C eMachines\Download\Uni PC Tools\Fix PC\Fix OS\PerfectUninstaller_Setup.exe   a variant of Win32/PerfectUninstaller application

G:\C eMachines\Download\Video Programs\VeohWebPlayerSetup_eng.exe   multiple threats

G:\C eMachines\Program Files\Hiwire\HWUpdateMove.exe   Win32/Adware.HiWire application

G:\GreenDisk\Transfer\Mel's Stuff\vitamin string atreyu [dvd rip].mp3   a variant of WMA/TrojanDownloader.GetCodec.gen trojan

G:\GreenDisk\Transfer\Mel's Stuff\vitamin string atreyu.mp3   a variant of WMA/TrojanDownloader.GetCodec.gen trojan

H:\EIDE 80GB\Games\fff-ea175.exe   probably a variant of Win32/Agent.GAFQWEO trojan
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: mchain on July 27, 2012, 10:00:36 AM
Hi Brickstin,

Hold off on deleting or cleaning.  ESET is used to find some files other scanners miss, but some are false positive, so.... do nothing at the moment.  Jeffce will know exactly what to check and look for, so...

Quarantine or delete? 

If you quarantine a file in the virus chest, it can do no harm from that location as it is in a protected area isolated from the rest of the operating system.  If, say, later, this file is found to be clean, then the option to restore it is still available.  Quarantine or delete?  I quarantine wherever possible.  If it is a necessary system file, I choose ignore, not quarantine, otherwise system may become unbootable. 
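The 33-line ESET list two posts up and the "hold off, some are false positives" advice above are the kind of thing worth sorting before touching anything: ESET's wording already separates real infections ("trojan", "virus", "multiple threats") from material it merely calls an "application" (adware bundlers, keygens, hacktools), and the path tells you whether the file is installed on the live C: drive or sitting dormant inside an archive in a Download folder. The script below is an added example written for this thread, not code from the original post or from ESET. SAMPLE_ESET_LOG is a subset of the lines posted above in the same "path, run of spaces, detection" layout; the kind/confidence/priority labels are this example's own convention, not ESET's.

```python
"""Triage an ESET Online Scanner result list before deleting anything.

Added example for this thread; not code from the original post or from ESET.
SAMPLE_ESET_LOG is a subset of the lines posted in the thread.
"""
import re
from collections import Counter

SAMPLE_ESET_LOG = r"""
C:\Program Files\Avanquest\SystemSuite\W32Int13.dll   a variant of Win32/Kryptik.FNT trojan
G:\C eMachines\Documents and Settings\default\My Documents\My Received Files\Tune Up Utilities 2007.rar   multiple threats
G:\C eMachines\Download\Games\AoE\popchange.exe   Win32/Keylogger.HotKeysHook.A virus
G:\C eMachines\Download\Games\Furcadia\Other Furc stuff\Decryption\setup_spamduh_extension.exe   probably a variant of Win32/Agent.LJZWTSD trojan
G:\C eMachines\Download\Games\Tribes Updaters\xfire_installer_43094.exe   Win32/OpenCandy application
G:\C eMachines\Download\Programs\Art Programs\Adobe\Adobe Photoshop Elements 8.0 Multilingual [h33t] [pmsyb]\cr-pes80.iso   a variant of Win32/Keygen.BH application
G:\C eMachines\Download\Uni PC Tools\Fix PC\Blocking\Hide Your IP Address v1.0.rar   Win32/HackTool.Patcher.A application
H:\EIDE 80GB\Games\fff-ea175.exe   probably a variant of Win32/Agent.GAFQWEO trojan
"""

# A result line is the path, a run of two or more spaces, then the detection.
_LINE = re.compile(r"^(?P<path>\S.*?\S)[ \t]{2,}(?P<detection>\S.*?)[ \t]*$")
# Containers whose contents cannot run until someone extracts them.
_ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".nrg")


def parse_line(line):
    m = _LINE.match(line.rstrip())
    return (m.group("path"), m.group("detection")) if m else None


def classify(detection):
    """Map ESET's wording to (kind, confidence).

    kind: 'malware' for trojan/virus/worm/'multiple threats'; 'pua' for
    anything ESET calls an 'application' (bundlers, keygens, hacktools);
    'other' for anything else.
    confidence: 'heuristic' for "probably a variant of", 'generic' for
    "a variant of", 'named' for an exact signature name.
    """
    d = detection.lower()
    if d.endswith(" application"):
        kind = "pua"
    elif d.endswith((" trojan", " virus", " worm")) or d == "multiple threats":
        kind = "malware"
    else:
        kind = "other"
    if d.startswith("probably a variant of"):
        confidence = "heuristic"
    elif d.startswith("a variant of"):
        confidence = "generic"
    else:
        confidence = "named"
    return kind, confidence


def priority(path, kind):
    """1 = malware installed on the system drive (can be running right now),
    2 = malware on a data drive or dormant in an archive/download folder,
    3 = PUA and anything else."""
    p = path.lower()
    on_system = p.startswith("c:\\")
    dormant = p.endswith(_ARCHIVE_EXT) or "\\download\\" in p
    if kind == "malware" and on_system and not dormant:
        return 1
    if kind == "malware":
        return 2
    return 3


def triage(text):
    """Parse a whole result list; return findings sorted by priority then path."""
    findings = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        path, detection = parsed
        kind, confidence = classify(detection)
        findings.append({"path": path, "detection": detection, "kind": kind,
                         "confidence": confidence,
                         "priority": priority(path, kind)})
    findings.sort(key=lambda f: (f["priority"], f["path"].lower()))
    return findings


def summary(findings):
    """Counts per kind, e.g. {'malware': 5, 'pua': 3}."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_ESET_LOG):
        print("P%d %-8s %-9s %s" % (f["priority"], f["kind"], f["confidence"], f["path"]))
    print(summary(triage(SAMPLE_ESET_LOG)))
```

On the sample the only priority-1 item is W32Int13.dll under C:\Program Files, which is exactly the file to quarantine (not delete) first and look at more closely; everything in the G:\ download tree can wait for a second opinion, and the heuristic "probably a variant of" hits are the ones most likely to be the false positives mchain mentions.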
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on July 27, 2012, 01:09:45 PM
I had a strange crash.. it said something like ... 0X0000007E (0XC00000CS

I was doing a system restore because now I'm having another issue.. For some reason every minute.. the mouse icon turns into a mouse with an hour glass.. for a total of 4-6 seconds.. I noticed it was lagging on my Seagate LP 1.5 TB drive... It only did it when I had that connected.. so I decided to disconnect it.. (It was inside an external enclosure).. my PC stopped doing this lag thing for a day.. then yesterday around 7pm.. it started to do it again.. regardless of whether I had the external plugged in or not.. Mind you this is an internal SATA drive that is just being used in an external enclosure...

 I don't know whats going on.. But other then that.. I came back upstairs.. and my PC was BSOD'ed ..

I also noticed that in the System event log I am getting multiple counts of error IDs:

The driver detected a controller error on \Device\Harddisk2\D.

I was able to figure out that hard disk in the Disk Management tool is my C drive.. which is the one I have infections on. I don't know if they are related to the issue of the viruses or if it's due to the fact that I am having problems with a cable.. or possibly a bad connection to the C: drive...

Here are a time frame of the following errors:


7/22/2012 10:25:30 PM
EVENT ID : 11
The driver detected a controller error on \Device\Harddisk2\D.
This ID event happened 17 times in one day.. from a period of the time listed above to the end time of 10:29 PM





I also got multiple A parity error was detected on \Device\Ide\IdePort3. errors..

Event ID : 5


I don't know which one is Port 3.. but.. I don't know if it's related to the SATA area where my C: drive is located or if it's related to one of the CD ROM drives I have.. Quite frankly, the source of that event ID said ATAPI.. which is a CD/DVD ROM RW drive driver.

I am going to replace both ribbon cables and see if that does anything for that ATAPI part..

as far as the other disk events... heres something else:

Event ID51
An error was detected on device \Device\Harddisk2\D during a paging operation.

This happened that same day.. multiple times from 10:26:28 PM ... . to 10:30:53 PM  . .. 


There have been times where my hard drive has frozen.. the C drive.. And the PC has locked up before because of this.. After replacing the SATA cable.. I haven't noticed anything odd going on with it.. But just yesterday.. again as I have mentioned.. now my system lags every minute for 4-6 seconds at a time..

This is seriously scaring me.. I am going to switch the Sata power connector out on the C: to the optional 4 PIN molex power connector to see if that does anything also..


If this doesn't work.. I am scared that my motherboard might be failing on the south bridge...



I just really hope to God that this is only mainly happening because of virus malware issues.. :/
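The event IDs listed in that post (Disk 11 controller error and Disk 51 paging error on \Device\Harddisk2, atapi 5 parity error on IdePort3) are the usual way to pin a flaky disk, cable or port down, and the useful signal is not any single event but the burst: seventeen ID 11 events in four minutes on one device, with nothing on the other disks. The script below is an added example written for this thread, not code from the original post or from Microsoft. SAMPLE_SYSTEM_LOG is constructed: the event IDs, sources and message texts are the ones reported above, the timestamps are invented to fall inside the 10:25 to 10:30 PM window the post describes, and the tab-separated "date, source, id, message" layout is an assumption about how the System log was exported to text.

```python
"""Find which physical disk a burst of Windows System-log disk errors points at.

Added example for this thread; not code from the original post or from
Microsoft. SAMPLE_SYSTEM_LOG is constructed from the event IDs and messages
reported in the thread, with invented timestamps and a tab-separated layout.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_SYSTEM_LOG = (
    "7/22/2012 10:25:30 PM\tDisk\t11\tThe driver detected a controller error on \\Device\\Harddisk2\\D.\n"
    "7/22/2012 10:25:41 PM\tDisk\t11\tThe driver detected a controller error on \\Device\\Harddisk2\\D.\n"
    "7/22/2012 10:26:28 PM\tDisk\t51\tAn error was detected on device \\Device\\Harddisk2\\D during a paging operation.\n"
    "7/22/2012 10:27:02 PM\tDisk\t11\tThe driver detected a controller error on \\Device\\Harddisk2\\D.\n"
    "7/22/2012 10:28:15 PM\tDisk\t11\tThe driver detected a controller error on \\Device\\Harddisk2\\D.\n"
    "7/22/2012 10:30:53 PM\tDisk\t51\tAn error was detected on device \\Device\\Harddisk2\\D during a paging operation.\n"
    "7/22/2012 11:10:00 PM\tatapi\t5\tA parity error was detected on \\Device\\Ide\\IdePort3.\n"
    "7/23/2012 9:00:00 AM\tDisk\t11\tThe driver detected a controller error on \\Device\\Harddisk0\\D.\n"
)

_LINE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\t"
    r"(?P<source>[^\t]+)\t(?P<eid>\d+)\t(?P<msg>.*)$")
# NT device path named in the message, e.g. \Device\Harddisk2\D or \Device\Ide\IdePort3
_DEVICE = re.compile(r"\\Device\\[^\s.]+")


def parse_event(line):
    """One exported line -> dict, or None for lines that are not events."""
    m = _LINE.match(line)
    if not m:
        return None
    dev = _DEVICE.search(m.group("msg"))
    return {
        "time": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
        "source": m.group("source"),
        "event_id": int(m.group("eid")),
        "device": dev.group(0) if dev else None,
        "message": m.group("msg"),
    }


def parse_log(text):
    return [e for e in (parse_event(l) for l in text.splitlines()) if e]


def count_by_device(events):
    """How many times each (device, event id) pair appears."""
    return Counter((e["device"], e["event_id"]) for e in events if e["device"])


def bursts(events, window=timedelta(minutes=5), min_count=3):
    """Devices with at least min_count events inside one sliding window.

    Returns {device: (count, first_time, last_time)} for the densest window
    per device. A burst on one \\Device\\HarddiskN with nothing on the other
    disks points at that disk, its cable or its port rather than at the
    controller or the OS as a whole.
    """
    by_dev = defaultdict(list)
    for e in events:
        if e["device"]:
            by_dev[e["device"]].append(e["time"])
    found = {}
    for dev, times in by_dev.items():
        times.sort()
        best = (0, None, None)
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            n = end - start + 1
            if n > best[0]:
                best = (n, times[start], t)
        if best[0] >= min_count:
            found[dev] = best
    return found


if __name__ == "__main__":
    evs = parse_log(SAMPLE_SYSTEM_LOG)
    for (dev, eid), n in sorted(count_by_device(evs).items()):
        print("%-28s event %-3d x%d" % (dev, eid, n))
    for dev, (n, first, last) in bursts(evs).items():
        print("burst: %d events on %s between %s and %s" % (n, dev, first, last))
```

The N in \Device\HarddiskN is the same number Disk Management shows as "Disk N", which is how the post above matched Harddisk2 to the C: drive; the ID 5 parity error names an IDE port, not a disk, so it stays a separate line in the count and, being a single event, never shows up as a burst.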
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on July 27, 2012, 01:46:12 PM
Hi,

I feel like the issues you are having are not necessarily malware related.

However....

Quote
I was doing a system restore because now im having another issue..
When you are doing a system restore without being asked you are releasing the malware that may still be on that restore point and I have no real way of knowing what is going on with the system.  In essence, even though you have the best intentions I am sure, we have taken several steps backwards in removing the malware from your system.  Please do not do anything without being asked.  Thanks.

Please download DDS from either of these links

LINK 1 (http://download.bleepingcomputer.com/sUBs/dds.com)
LINK 2 (http://download.bleepingcomputer.com/sUBs/dds.scr)

and save it to your desktop.
---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt

Attach.txt
----------


Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on July 28, 2012, 11:49:49 AM
my Apologies: on the system restore,  I will wait for further instruction.

Thank you all for taking the time to assist me in this dire situation I am grateful.

Sorry this is painfully taking so long LOL.

Attachments are below this post.


Just letting you know.. now double clicking on desktop items no longer functions. Also my quick start bar is gone now too... I know I must be still infected because some type of malware or script is hiding and disabling certain functions within my operating system..

Also.. I am no longer able to double click and look at event log properties for each object anymore..

Internet Explorer no longer functions anymore either.

I have had accounts like msnlive and Yahoo suddenly get hacked.. I have had to change their passwords; thank God I have backup options to retrieve resets and different email forwards...

I think there is a keylogger inside my PC as well.. Otherwise how would my passwords suddenly become inaccessible?... In total 4 accounts were hacked.

Things are really starting to degrade.. x.x

I am just letting you know the symptoms of what is happening to my system. To be on the safe side I am asking if I could detach my storage drives to prevent / prevent further infection in those drives.  I can simply scan those outside with another operating system on a different drive.

Considering all the tools you guys have been giving me to repair my PC, I have found valuable information and tools to do the some of the same procedures to clean/delete infected files.

There is software on those storage drives that are literally irreplaceable.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on July 28, 2012, 11:51:29 AM
Thanks for the advice friend! :)
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on July 29, 2012, 06:40:53 PM
Hi,

Sorry for any delays. 

Quote
There is software on those storage drives that are literally irreplaceable.
I would back those up someplace else just to be on the safe side until we get this resolved.
----------

Please delete the current version of Combofix.exe from your desktop and download a new version from here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.

Disable your AntiVirus and AntiSpyware applications.

Right-click and Run as Administrator on the Combofix.exe and follow the prompts on your display. When finished, it will create a C:\Combofix.txt. Please post this log for further review.
---------
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on August 02, 2012, 06:23:12 PM
Sorry for the delays my self...

http://pastebin.com/irTTdXKp (http://pastebin.com/irTTdXKp)  <---- That goes to my pastebin profile, combofix log is there. I couldn't post here because of a 1k limit and a upload limit .
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on August 08, 2012, 06:37:49 PM
Well those people at Geekstogo.com didn't bother to help me at all.. They all just ignored me and replied to like 27 different forums instead of mine.


I don't know any other places to find any information on getting a diagnosis or hints on what could be wrong with my motherboard or hard drives.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on August 09, 2012, 10:32:01 PM
Hi,

(http://img.photobucket.com/albums/v706/ried7/CFScriptB-4.gif)

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on August 15, 2012, 02:37:20 PM
I am unable to continue the cleaning procedure until further notice: the motherboard finally took a dive; screwed up all my hard drives with errors.

I've been getting assistance at that website you linked me to: if you wish to follow up please go there as now I am having to fix the hardware issue before I can continue fixing the OS internally with the virus issue.
http://www.geekstogo.com/forum/topic/320611-possible-motherboard-failure/page__gopid__2191893#entry2191893 (http://www.geekstogo.com/forum/topic/320611-possible-motherboard-failure/page__gopid__2191893#entry2191893)

I am building a second unit that is pre built already, a gaming rig but it has no OS and I have to install the needed tools all over again.

There are two ways we can go with this; that ComboFix script is probably scripted to be used inside the infected OS, correct? If that is the case it is set to config to scan the C: drive... considering that the mainboard on that OS no longer works, I am having to use another PC; whatever drive letter the infected OS HD is set to, can it just be re-scripted to scan that drive alone?

Or is the OS (the infected OS drive) needed to be running to do this script scan properly?
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on August 16, 2012, 06:07:43 PM
It would probably be in your best interest to get your system back up and running and then drop the infected hard drive into the new system so that we can continue with the cleaning.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on September 09, 2012, 10:09:42 AM
It would probably be in your best interest to get your system back up and running and then drop the infected hard drive into the new system so that we can continue with the cleaning.

Again I must apologise for not replying sooner or getting back to you; I have been very busy lately with work and also personal stuff.

I got my system back up and running with a new OS copy and everything else.

The infected drive, however, I just decided to format.

The other files I had backed up, and I still have other data that can still be scanned:

So the infected hard drive with the infected OS is no longer available.

But I am awaiting further instruction to check the other files in case there are still any remaining infections left.

Sincerely,
Erick @ PC ER Services.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: jeffce on September 10, 2012, 03:27:57 AM
Hi,

Good to see you back.  :)

You say that you formatted the hard drive and put a new operating system on it?  That drive should be good to go then.  :)

As for the other files that you had backed up, where are you keeping them?  On an external hard drive or thumb drive?  If that is the case you would be ok to run Malwarebytes and a normal antivirus scan on those to be sure there is nothing lurking on them.  Nothing that I recall malware-wise was something that would jump from system to system.  Let me know how those go when you get them finished up.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on September 20, 2012, 08:59:18 PM
So I found one of my programs is infected... C:\Program Files\IObit\IObit SmartDefrag\SDInit.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Why didn't Malwarebytes, SUPERAntiSpyware Free Edition, and Avast detect the infected IObit installer? This is very odd.. considering that it was only detected after decompression.. I don't know if this file is a false positive or not but.. the IObit software I have is a defragmentation program.

I have done a full scan and haven't found anything yet so far.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: mchain on September 20, 2012, 10:51:39 PM
What program quarantined iObit?  Just wondering.
Title: Re: Win32:Crypt-MIZ[Trj]
Post by: Brickstin on September 22, 2012, 12:44:41 AM
What program quarantined iObit?  Just wondering.

Malwarebytes detected it:

C:\Program Files\IObit\IObit SmartDefrag\SDInit.exe (Trojan.Agent) -> Quarantined and deleted successfully.