Author Topic: Relentless Win32:AuCrypt [Cryp]  (Read 36202 times)


Quackamolian

  • Guest
Relentless Win32:AuCrypt [Cryp]
« on: March 17, 2008, 06:14:10 PM »
I know it's from the [Cryp] side and all, but this thing is becoming a major pain. I've tried every action in avast on it and it's still here + now it's spread to my external HD. Does anybody have any advice for getting rid of it? So far what I've found is that it places a file (C:\i8.com) and then locks me out of directly accessing my C:\ drive (though I can access it by going to, for example, C:\program files\world of warcraft\ and then pressing the 'up one level' button).

Any help would be greatly appreciated.

(PS: I know it's not really from the [Cryp] side, lulz  ;D)

psw

  • Guest
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #1 on: March 17, 2008, 07:26:50 PM »
There is a kind of solution preventing autorun.inf spreading, but in your case the main problem is that this solution is for a healthy PC only. It prevents autorun and restores some Explorer registry keys.
This registry modification doesn't cure any active malware, probably amvo in your case.

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoDriveAutoRun"=dword:000000ff
"NoFolderOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Trick with @SYS:DoesNotExist was taken from http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html
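
Added example (not part of psw's post and not Avast's code): a Python check that parses a .reg export and reports which drive types and drive letters the two AutoRun masks cover, and whether the Autorun.inf IniFileMapping redirect is present. The sample text is constructed from the values quoted in the post; the function names are hypothetical.

```python
# Added example: audit a .reg export for the autorun hardening in the post above.
# SAMPLE_REG is constructed from the values quoted in that post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoDriveAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
'''

# NoDriveTypeAutoRun: one bit per drive type (a set bit disables AutoRun for it).
DRIVE_TYPE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
                   0x10: "network", 0x20: "cdrom", 0x40: "ramdisk"}


def parse_reg(text):
    """Parse .reg text into {key path: {value name: int | str}}, all names lowercased."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = name.strip('"').lower()          # "@" is the key's default value
            if data.lower().startswith("dword:"):
                current[name] = int(data[6:], 16)
            else:
                current[name] = data.strip('"')
    return keys


def audit_autorun(text):
    """Report mask coverage; a value absent from the export is treated as 0 (not set)."""
    keys = parse_reg(text)
    find = lambda suffix: next((v for k, v in keys.items() if k.endswith(suffix)), {})
    explorer = find(r"\policies\explorer")
    mapping = find(r"\inifilemapping\autorun.inf")
    type_mask = explorer.get("nodrivetypeautorun", 0)
    letter_mask = explorer.get("nodriveautorun", 0)   # bit 0 = A:, bit 25 = Z:
    return {
        "types_still_autorun": [n for b, n in DRIVE_TYPE_BITS.items() if not type_mask & b],
        "letters_blocked": "".join(chr(65 + i) for i in range(26) if (letter_mask >> i) & 1),
        "autorun_inf_ignored": str(mapping.get("@", "")).upper().startswith("@SYS:"),
    }


if __name__ == "__main__":
    print(audit_autorun(SAMPLE_REG))
```

For the posted values the result shows no drive type left with AutoRun enabled, drive letters A through H covered by NoDriveAutoRun, and the Autorun.inf redirect present.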

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #2 on: March 17, 2008, 07:33:21 PM »
Hi Quackamolian

Please download FindAWF to your Desktop from: http://noahdfear.geekstogo.com/FindAWF.exe
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.
Please post the result of this scan before proceeding.

Download CureIt from here: ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
and do a full scan.
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #3 on: March 17, 2008, 07:38:24 PM »
Maybe, after the suggestion of Polonus, you could try the general cleaning procedure:

1. Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on.
4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
5. Test your machine with anti-rootkit applications. I suggest Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

edek004

  • Guest
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #4 on: March 17, 2008, 08:34:15 PM »
Same problem.
Log from FindAWF is empty.

Fast scan in Dr.Web found nothing
« Last Edit: March 17, 2008, 08:40:01 PM by edek004 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #5 on: March 17, 2008, 08:55:51 PM »
Howdy edek004,

If you have amvo.exe on your comp, consider this:
http://www.prevx.com/filenames/1360796256778365074-X1/AMVO.EXE.html

polonus

edek004

  • Guest
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #6 on: March 17, 2008, 09:23:05 PM »
Wait for a while. Dr.Web is working on a full scan and found lots of infected files.
10 % left

P.S. Greetings, fellow countryman?!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #7 on: March 17, 2008, 09:44:26 PM »
Hello, hello.
Please report what DrWeb found,

polonus

Ania007

  • Guest
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #8 on: March 17, 2008, 09:50:16 PM »
Wait for a while. Dr.Web is working on a full scan and found lots of infected files.
10 % left

P.S. Greetings, fellow countryman?!

Hello edek004,

We have the same problem. If you find the solution, please let us know.

P.S. I'm glad I'm not the only one having a problem with AuCrypt. There is almost no information on the internet. A new piece of nastiness, I caught it today.
Well, well. A Polish community circle has gathered here on the forum....

edek004

  • Guest
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #9 on: March 17, 2008, 09:54:09 PM »
Dr.Web rulez! Log in attachment. Same problem was on all partitions.

The program coped with it; I just still have to solve the problem with getting into the drives. I have the same trouble with three computers on the home network  ???

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #10 on: March 17, 2008, 10:16:18 PM »
Hi edek004,

Well, I continue in English as we are an English speaking forum here. DrWeb has three scan modules: Quick Scan, Full Scan and then comes the Third Scan Mode (I do not know what that is called in the Polish version of DrWeb's CureIt), choose that one and then do the specific disk scans. In the meantime we will have a look at the log and set out a strategy to tackle this malware. Don't worry, everything will be fine!

Damian

michals

  • Guest
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #11 on: March 17, 2008, 10:29:55 PM »
Hello guys.

I'm writing just to tell that I have the same problem (probably caught today and I have no idea where from :/). So I will be also very grateful for any idea how we could fix it !
What I noticed is that although I can't enter my drives from 'My Computer' , there is no problem to do this using Total Commander.

Greetings to people from Poland - I hope we will solve this problem.

michał

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #12 on: March 17, 2008, 10:54:22 PM »
Hi,

Consider this cleansing routine:
http://www.geekstogo.com/forum/amvo-exe-Win32-nsanti-help1-exe-malware-Please-help-t183392.html

Download this program, Flash Drive Disinfector by sUBs from

http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe

Plug in your usb hd, pen drive etc.

Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well (D: and external Disk)
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Then we have to perform an extra scan with DSS, to be downloaded here:
http://www.techsupportforum.com/sectools/Deckard/dss.exe

The first thing I want you to do is download Deckard's System Scanner.

   1. Close all applications and windows.
   2. Double-click on dss.exe to run it, and follow the prompts.
   3. When the scan is complete, a text file will open - Main.txt
   4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your thread in the HijackThis Log Help Forum.
   5. A folder, C:\Deckard, will also open. In it will be another text file, Extra.txt.
   6. Attach Extra.txt to your post.

Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

What Deckard's System Scanner will do:

    * create a new System Restore point in Windows XP and Vista.
    * clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    * check some important areas of your system and produce a report for your analyst to review. Deckard's System Scanner automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

When you get the two notepad documents, attach them to your next reply Main.txt & Extra.txt,
After you have run both flashdrive disinfector and DSS, also attach a fresh HJT log.txt,

Regards,

polonus

edek004

  • Guest
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #13 on: March 17, 2008, 11:30:43 PM »
I think Dr.Web is enough. After that scan & fix I used MKS online and Avast. Nothing more was found.
Any USB device was connected last two days.
I will see tomorrow - infected computers are in my neighbour's house. Now I'm going to my house to enjoy Tyskie  ;D

I just still don't know how to fix the problem with opening disks.

P.S. In attachment is log from other computer.
« Last Edit: March 17, 2008, 11:44:45 PM by edek004 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #14 on: March 18, 2008, 12:19:51 AM »
Hi, edek004,

"A small beer, then a little square of chocolate." I asked around for a solution for you to be able to enter your drives; I'll post it when it gets to me. And for later: "cockroaches under the pillows", see you tomorrow,

polonus

