Win32:Crypt-MIZ[Trj]

It all started with this stuff…

Started on Sunday, May 13, 2012 8:31:51 PM

  • VPS: 120507-1, 05/07/2012

\tsclient\a\a.dll [L] Win32:Agent-AOKE [Trj] (0)
\tsclient\a\a.dll [L] Win32:Agent-AOKE [Trj] (0)
While moving file to chest, error occurred: The network name cannot be found


I found this Win32:Crypt-MIZ[Trj] in the file z:\imbtools\drivers\PZ2Z25US\HDDDriverInfo.exe

It even migrated into the system restore data.


I tried to scan for this network… I did some research… It was some kind of infection… that I thought I might have gotten on one of the profiles of XP Pro SP2.

Then this happened.

C:\3210208955144ed7387c7d\5A5CE835-DCD2-430A-BA82-D40734EF0F24mpasdlta.vdm.new.temp [L] INF:AutoRun-AA [Wrm] (0)

When I researched this… I tried to find traces and evidence of the payload of this other worm too… I didn’t really notice anything odd with the registry at first… I’ve still been trying to crack this…

I just know that my registry was altered by a worm somehow…

But… this worm is starting to create startups in the root directory of my main drives… It didn’t create any autorun.inf files… So… I’m a little lost as to how and when I first got infected… and the client server… unauthorized connections are confusing me… I can’t seem to find out where this all happened… But I’m listing this stuff from start to finish.

Even after Avast disinfects the files and chests them… they still reappear…

C:\ibmtools\drivers\PZ2Z25US\HDDDriveInfo.exe [L] Win32:Crypt-MIZ [Trj] (0)
C:\System Volume Information_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP444\A0152943.exe [L] Win32:Crypt-MIZ [Trj] (0)

C:\System Volume Information_restore{81D97640-A600-45A6-B0D3-BD06AB5A81A7}\RP444\A0152943.exe [L] Win32:Crypt-MIZ [Trj] (0)

Started on Thursday, May 24, 2012 9:45:00 PM

  • VPS: 120521-0, 05/21/2012

H:\87e9d5575327307baa0050680c3e6216\427C33D4-7CD2-424F-A5F8-743B789D63E3mpasdlta.vdm.old.temp [L] INF:AutoRun-AA [Wrm] (0)

It seems to only migrate to drives with a paging file on the drives I have set up.

It hasn’t done anything to my Main Storage Drive.

The paging file is on Z: (aka C:, because I used a backup drive with my OS on it, put it into the system, and am booting from that drive, so it doesn’t boot the paging files on the other drives or the infected OS).

So Z: will be the infected C: drive that I am scanning with my backup OS.

There is also another paging file on drive H: (which is the performance drive, the main focus of paging).

The worm seems to only try to infect other drives that have a paging system…

I didn’t notice it trying to infect removable media yet.

The backup OS has AutoRun/Autoplay disabled (aka Shell disabled via Msconfig) as a safety protocol.


I did a full scan with an updated AV database on Z: and H:.
The only thing infected on H: was pagefile.sys. It’s been deleted.

It can’t detect the trojan on my Z: drive though; I don’t know why, but just in case I’m deleting it too, to refresh the pagefile.sys on Z:.

Malwarebytes only detects the following:

Z:\Program Files\Avanquest\SystemSuite\helpfiles.exe
Z:\Program Files\Avanquest\SystemSuite\fcs.exe

Those were never infected before… Avanquest has never given me trouble till now… So that confused me there…

All I know is that around May 8th is when I noticed my backup account profile in WXP SP2 on the infected Z: was acting up… Programs would execute when the Windows logon screen for fast user switching was on… aka PC locked or something, when I’m logged onto my admin account Brickstin…

Somehow Backup was being logged into remotely… so I killed Remote Desktop etc. and the like. There was no password on Backup at first, so I tried setting a password, “Backup”.

It was still being logged into…

So I killed the account and removed the files associated with that profile.

And also disabled the guest account…

Can anyone shed some light?

I’m still scanning as I type this.

Thanks in advance,
Sincerely,
Erick

You can upload suspicious file(s) to www.virustotal.com and test with 40+ malware scanners to see if others detect the same file.
Alternatives: http://virusscan.jotti.org/en / http://www.metascan-online.com/ / http://virscan.org/

Follow this guide and attach (not copy and paste) logs from Malwarebytes / OTL / aswMBR:
http://forum.avast.com/index.php?topic=53253.0

When done, a malware removal specialist will check your logs… it may be several hours before he arrives.

Uploaded both suspicious files to virustotal.com: both fcs.exe and Helpfiles.exe were all green out of 40.

So they’re clean: Malwarebytes suspected false positives?

Note to tech: on the Malwarebytes report uploads, there is an extra one because I did a scan while inside the infected Z: OS. I had first scanned on first notice of the infection when I was on my original drive.

So the second file is named with the Z: location… The first one, in C:, is my backup drive OS, which I just scanned again right now, only detecting other things in drive Z:.

I forgot to upload these files.

Looks like it started in the guest account… One of my roommates… decided to hop on it… and I remembered. I caught him using a few bad sites (Oh dear goodness… infection location… URL hazard).

:frowning:

Ugh and he kept saying he didn’t get my PC infected… psh ya right ;¬_¬

1:59 PM 5/26/2012 Update: Still scanning… been deleting the Win32:Crypt-MIZ[Trj] out of restore points in Z:… I don’t know if this will fully disinfect it though… I am using the other tools in the help area. They’re good tools.

You didn’t attach the aswMBR log yet… please do that ;D

Hi,

Like true indian said, please run aswMBR and attach that log…

and do the following…

Download CKScanner by askey127 from Here & save it to your Desktop.
  • Right-click CKScanner.exe and Run as Administrator, then click Search For Files
  • When the hourglass cursor disappears, click Save List To File
  • A message box will verify the file saved
  • Double-click the CKFiles.txt icon on your desktop, then attach the contents in your next reply


OP: my bad lol.

It was late that night… Sorry. Been up for two days trying to deal with this and pulled an all nighter the night before. ???

Also… I wanted to ask you guys something:

After Avast finished scanning the Z: drive (infected OS drive), the Z:\Windows\Memory.dmp file has the infection Win32:Taterf-F [Wrm].
I have the Windows debug console installed with symbols. If I used WinDBG to read the infected dump file… would it spread the infection into my backup OS via WinDBG.exe?

I’m just asking because I want to know if the techs can use information on what’s in memory; maybe they can trace stuff?

Or is reading the DMP file useless? If it risks infection then it’s pointless, I’m sure. :stuck_out_tongue:

Hi,

Or reading the DMP file is useless? If risking infection then pointless i'm sure.
We don't need to worry about that right now. :)

Please download TDSSKiller.zip

  • Extract it to your desktop
  • Double-click TDSSKiller.exe
  • When the window opens, click on Change Parameters
  • Under “Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  • Click OK
  • Press Start Scan
  • Only if malicious objects are found, ensure Cure is selected
  • Then click Continue > Reboot now
  • Attach the log in your next reply
  • A copy of the log will be saved automatically to the root of the drive (typically C:)


OK, here’s the log… The thing is, some of the scanning programs from the instructions don’t have options to select the root drive I need scanned… I’m wondering if I should also do an entirely different scan with each linked program while using the OS on my Z: drive instead… Some of these programs only scan C: and I didn’t see any options to change it to Z:.

So if I boot into Z: it will be zoned as C: in the OS. I think I might do that; I’m cleaning what I can outside of the OS with Malwarebytes and Avast etc. and the ones you linked me.

:slight_smile: ?

Hi,

We need to be sure to run the tools that we are using on the infected OS. If you need to transfer the files to the infected machine via CD/USB drive that is fine, but a lot of these programs that we use will have automated features that we will need to utilize. :slight_smile:

I hope that I understood what you were saying.

OK, I have to head out and do an errand real fast (work).

When I get back I am going to reboot into the infected operating system and use all of the tools again in order from start to finish. Then if need be I can repost the logs. The Z: is missing on some of these scanners.

Hi,

No don’t run everything…just run a scan with aswMBR and OTL then we can go from there. :slight_smile:

I’m back from downtown: oh OK, so just ASW and OTL inside the infected OS drive? OK, restarting now and doing the scan.

Check the logs. I uploaded them in a different post below mine.

OK, here’s the new aswMBR log and the OTL Log.txt files.

It was run on the infected OS. I swapped out the backup drive and put my original OS drive back in the boot order.

Sorry I took so long… x.x

Hi,

Please download MBRCheck.exe to your desktop.

  • Be sure to disable your security programs
  • Double-click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window will open on your desktop
  • If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
  • If nothing unusual is found, just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
  • Please post the contents of that file.
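As an added illustration of what an MBR check like the one requested above does underneath (this is example code, not part of the thread and not MBRCheck's or Bootice's own code), the Python script below parses a 512-byte master boot record: it splits out the bootcode region, hashes it so it can be compared against a baseline recorded when the disk was known clean, decodes the partition table, and verifies the 0x55AA signature. The sample sector is constructed inline; its disk signature and partition values are placeholders, not values from any drive mentioned in the thread.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440          # bytes 0..439 hold the executable bootcode
PART_TABLE_OFF = 446        # four 16-byte partition entries start here
SIGNATURE = b"\x55\xAA"     # last two bytes of a valid MBR

# Partition type IDs that commonly appear on Windows-era disks.
PARTITION_TYPES = {
    0x00: "empty",
    0x05: "extended",
    0x07: "NTFS/HPFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
    0x83: "Linux",
}


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR used as sample input (not a real disk image)."""
    bootcode = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOTCODE_LEN - 4)
    disk_signature = struct.pack("<I", 0xDEADBEEF)   # placeholder disk signature
    reserved = b"\x00\x00"
    # One active (0x80) NTFS (0x07) partition starting at LBA 63; the CHS
    # fields and the sector count are placeholders.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 63, 586067712)
    table = entry + b"\x00" * 16 * 3
    return bootcode + disk_signature + reserved + table + SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Decode one MBR sector into its bootcode hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    bootcode = sector[:BOOTCODE_LEN]
    (disk_signature,) = struct.unpack_from("<I", sector, BOOTCODE_LEN)
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = \
            struct.unpack_from("<B3sB3sII", sector, off)
        if ptype == 0x00:
            continue  # unused table slot
        partitions.append({
            "index": i,
            "bootable": bool(status & 0x80),
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "bootcode_sha256": hashlib.sha256(bootcode).hexdigest(),
        "disk_signature": disk_signature,
        "valid_signature": sector[-2:] == SIGNATURE,
        "partitions": partitions,
    }


def bootcode_matches_baseline(sector: bytes, baseline_sha256: str) -> bool:
    """True when the bootcode region hashes to the value recorded on a known-clean disk.

    A mismatch is exactly the "unknown bootcode" condition a tool such as
    MBRCheck reports; the partition table is deliberately excluded so that
    legitimate repartitioning does not trigger a false alarm."""
    return parse_mbr(sector)["bootcode_sha256"] == baseline_sha256


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["bootcode_sha256"]   # recorded while known clean
    # Constructed "later" reading with one bootcode byte altered.
    altered = bytearray(clean)
    altered[0x10] ^= 0xFF
    for label, sec in (("clean", clean), ("altered", bytes(altered))):
        info = parse_mbr(sec)
        print(label, "signature ok:", info["valid_signature"],
              "bootcode matches baseline:", bootcode_matches_baseline(sec, baseline))
        for p in info["partitions"]:
            print("   partition", p["index"], p["type_name"], "LBA", p["lba_start"],
                  "bootable" if p["bootable"] else "")
```

Reading the first sector of a physical disk requires administrator rights and a raw device handle; the parsing and baseline comparison above are the same regardless of how the 512 bytes were obtained.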

OK, do I press Yes? Because it found something unusual in the master boot records on three drives.

Update:
Never mind, I misread what you said. Here is the log file.

Also, the MBR on the Seagate model, that’s a 300GB drive… That’s the only one that is completely unknown to me. I used a program called Bootice.exe.

I checked my infected C: drive and the master boot record is IBM F11.

The 80 WD800JB EIDE is a Windows NT 5.x default MBR.

The G: drive is my storage drive; its MBR is fully unknown to me…

The attached log is there.

Just a note… I had to re-upload the attachment because I uploaded a scan taken while I was scanning another drive I had attached with a USB device. I removed that and did another scan with the program. So if you already read the first txt file, disregard that one and use the new updated one I just re-uploaded.

If an unknown bootcode is found you will have further options available to you; at this time press N, then press Enter twice.
:)

LOL sorry Jeff I was uploading the stuff and changing my original post. I got it now thank you for the help. The correct attachment is on my previous post before yours.

Hi,

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT!!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs

  • Double-click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making IE the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

OK, got the scan done… took nearly an hour but it’s done. Check the attachment.

Thank you in advance.