Author Topic: Relentless Win32:AuCrypt [Cryp]  (Read 36183 times)

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #15 on: March 18, 2008, 09:58:04 AM »
Win32:AuCrypt [Cryp] is a generic detection of AutoRun / OnLineGames... you can apply the same disinfection procedures here... and we are working on the detections for more inf files to stop the reinfection after deleting the files found with this gen detection...

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #16 on: March 18, 2008, 07:24:05 PM »
Hi edek004,

Turn autoruns off on all drives except cd/dvd using:
http://download.sysinternals.com/Files/Autoruns.zip

Download "Clean Autoruns" from here:

http://forums.techguy.org/attachments/103397d1176780296/clean-autoruns.zip

Save and extract its contents to the desktop. It is a folder containing a batch file, Clean autoruns.bat, written by Mosaic1. Once extracted, open the folder and double-click Clean autoruns.bat to run the fix.
If any autoruns are found, the fix will move them to a backup folder.
If any autoruns are found on the root of your drives, it will kill explorer so that the registry entries in the MountPoint(s) key are fixed.
It will produce two files, Part1.txt and Part2.txt, that will show the state before and after the cleaning.

Please post those

polonus
« Last Edit: March 18, 2008, 07:30:18 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

zekiyagli

  • Guest
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #17 on: March 18, 2008, 08:59:24 PM »

Hello Polonus,

I have a very similar problem to the one of Quackamolian.
So I tried the same prescription.
You asked to post the result of awf scan.
Here it is:

Find AWF report by noahdfear ©2006
               Version 1.40



  bak folders found
  ~~~~~~~~~~~



  Duplicate files of bak directory contents
  ~~~~~~~~~~~~~~~~~~~~~~~



  end of report

Should I proceed with the next step now?

Rgds

Zeki

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #18 on: March 18, 2008, 09:15:53 PM »
Yep,

Turn autoruns off on all drives except cd/dvd using:
http://download.sysinternals.com/Files/Autoruns.zip

Download "Clean Autoruns" from here:

http://forums.techguy.org/attachments/103397d1176780296/clean-autoruns.zip

Save and extract its contents to the desktop. It is a folder containing a batch file, Clean autoruns.bat, written by Mosaic1. Once extracted, open the folder and double-click Clean autoruns.bat to run the fix.
If any autoruns are found, the fix will move them to a backup folder.
If any autoruns are found on the root of your drives, it will kill explorer so that the registry entries in the MountPoint(s) key are fixed.
It will produce two files, Part1.txt and Part2.txt, that will show the state before and after the cleaning.

Please post those

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #19 on: March 18, 2008, 09:35:03 PM »
Hi zekiyagli,

An additional step you could take:
Download: Clear the Cache (freeware)
http://www.ccleaner.com/
Once installed, run CCleaner and click the Windows [tab]
Select the following options:

see picture

zekiyagli

  • Guest
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #20 on: March 18, 2008, 10:12:51 PM »

Hello Polonus,

My problem is apparently solved now.

Thank you very much.

Zeki

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #21 on: March 18, 2008, 10:15:16 PM »
Hi Zekiyagli,

So far so good, I am happy when you are. Thanks for reporting,

polonus

zekiyagli

  • Guest
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #22 on: March 19, 2008, 07:44:02 PM »

Hello Polonus & others,

I was happy yesterday because after an AWF+CClean, I did apparently remove the virus.
But alas, after having shut my PC and reopened it some time later the same virus reappeared.

This time AWF+CClean was not successful.

Can anybody suggest something to progress?

Thanks in advance.

Zeki

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #23 on: March 19, 2008, 07:55:49 PM »
Hi zeki,

Did you do autoruns and clean autoruns? Do also a full scan with DrWebCureIt from here:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
Please attach the log file to your next posting,

polonus

zekiyagli

  • Guest
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #24 on: March 19, 2008, 09:25:04 PM »

Hi Polonus,

Autoruns hangs half way down.
Clean autorun has nothing to clean yet.

I will CureIt and retry Autoruns.
I will post the result

Rgds

Zeki

zekiyagli

  • Guest
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #25 on: March 19, 2008, 11:46:37 PM »
Hello Polonus,

My CureIt full scan is still ongoing.

Several malicious objects are found. Some are deleted and some moved to quarantine.

What do you suggest me to do with the ones in the quarantine? Delete? Just leave them there?

Regards

Zeki

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #26 on: March 20, 2008, 12:37:51 AM »
    Hi zekiyagli,

    I think it is best to remove them to avoid reinfestation, do this at the end of the full scan, but first attach the log file of all that CureIt finds. If that would not be sufficient, we have some other measures up our sleeves.
    Please download ComboFix from
Here or Here to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you. 
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

pcnaive

  • Guest
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #27 on: March 25, 2008, 02:25:33 PM »
Hi....also seem to have the Win32:AuCrypt[Cryp] virus and read all the instructions. However, this is my first virus (avast has protected me so well until now) and I am not sure I follow all the instructions....also the last one with all the colored warnings is a bit scary. Would it be at all possible to summarize what I should do (and write it like you are talking to a very young and rather stupid child, cause that is about my level)?

Also, could I just back stuff up on my external HD, reformat my C drive, reinstall avast, scan the HD and get rid of it that way?

Thanks in advance

Confused and overwhelmed

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #28 on: March 25, 2008, 04:53:17 PM »
Hi pcnaive,

1) Delete the Autorun.inf file of your C: drive, for it :
Open the command prompt, and type :
cd \
attrib -s -h -r autorun.inf
del autorun.inf

Now download DrWeb's CureIt from here: ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
and do a full scan,

polonus
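
A read-only check of what the steps in this thread act on (autorun.inf in drive roots, the "autoruns off" setting, and the MountPoint(s) registry entries), as an added example that is not from any poster here or from the tools they link. It assumes the `NoDriveTypeAutoRun` policy value and the per-user `MountPoints2` key are what those steps refer to; `Get-AutorunLaunchEntry` is a hypothetical helper name.

```powershell
# Added example: read-only audit; it changes nothing on disk or in the registry.
# Get-AutorunLaunchEntry is a hypothetical helper name, not from any tool in the thread.
$launchKey = '^\s*(open|shellexecute|shell\\[^=]+\\command)\s*=\s*(.+)$'

function Get-AutorunLaunchEntry {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Only the keys that name a program to start are of interest here.
        if ($line -match $launchKey) {
            [pscustomobject]@{ Key = $Matches[1].ToLower(); Command = $Matches[2].Trim() }
        }
    }
}

# 1) autorun.inf in the root of every mounted drive. -Force is required because
#    the file is normally hidden + system (hence the attrib -s -h -r step above).
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    Get-ChildItem -LiteralPath $drive.Root -Filter 'autorun.inf' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            '{0}  attributes={1}  modified={2}' -f $_.FullName, $_.Attributes, $_.LastWriteTime
            Get-AutorunLaunchEntry (Get-Content -LiteralPath $_.FullName -Force) |
                ForEach-Object { '    {0} = {1}' -f $_.Key, $_.Command }
        }
}

# 2) AutoRun policy (assumed to be the setting meant by "turn autoruns off").
#    A set bit disables AutoRun for that drive type; 0xDF is everything except CD/DVD.
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policy = (Get-ItemProperty -Path $policyPath -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -eq $policy) {
    'NoDriveTypeAutoRun: not set (Windows default applies)'
} else {
    $types = [ordered]@{ Removable = 0x04; Fixed = 0x08; Network = 0x10; CDROM = 0x20; RAMDisk = 0x40 }
    foreach ($t in $types.GetEnumerator()) {
        'AutoRun on {0,-9}: {1}' -f $t.Key, $(if ($policy -band $t.Value) { 'disabled' } else { 'enabled' })
    }
}

# 3) Cached AutoRun verbs per volume (assumed to be the "MountPoint(s) key").
#    A Shell subkey here can survive deletion of the autorun.inf it came from.
$mountPoints = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
Get-ChildItem -Path $mountPoints -ErrorAction SilentlyContinue |
    Where-Object { $_.GetSubKeyNames() -contains 'Shell' } |
    ForEach-Object { 'Cached AutoRun verbs under: {0}' -f $_.PSChildName }
```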

pcnaive

  • Guest
Re: Relentless Win32:AuCrypt [Cryp]
« Reply #29 on: March 27, 2008, 01:38:06 PM »
THANK YOU!!!!!!!!!!!!!!!!!!!

I think I am cured...but please tell me if you agree. I can now click on my c drive and it opens fine...however I can't view my hidden files and folders

I did what you told me (command prompt and cureit scan) and then shut down my computer, ran a boot scan with avast and here are the results:

3/27/2008 16:25
Scan of all local drives
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP581\A0084381.exe\InstMsia.exe\msi.dll Error 42127 {CAB archive is corrupted.}
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP581\A0084381.exe\InstMsia.exe Error 42127 {CAB archive is corrupted.}

Number of searched folders: 11101
Number of tested files: 468707
Number of infected files: 0

It is worth noting that Cureit found a virus in almost the same location (it was in C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP586 and the file name was A0085096.inf) Cureit identified it as a virus called Win32.HLLW.Autorunner.1491.dll. Cureit deleted the file.

IS THIS BAD...SHOULD I BE WORRIED (because of the corrupted files and fact that I can't see my hidden files) OR AM I VIRUS FREE AND SAFE TO MIX WITH THE REST OF THE PC WORLD?

Please advise me....

Thanks again for all the help you've already given.