Crypt_s.CCD

[ex]

Anyone had any experience dealing with this Trojan?  This thing is all over another computer in my house, and AVG detects it, but can't remove it (says file is locked or something equally dumb).  Any advice on how to get rid of this?

[quadz]

This page has some stats about Crypt_s, though no specific removal instructions:

http://www.avgthreatlabs.com/virus-and-malware-information/info/crypt_s/

In the "Top Domains Affected" section, it suggests you might have gotten it from pornadultbukkakedickcumshot.de 

An article last year provided details on how to remove a particularly nasty rootkit on Windows. I saved it because some of the software and procedures it lists may be helpful for removing other malware as well. Hopefully Crypt_s isn't quite this tough:

The payload: a software nastie called Sirefef. This itself is actually irrelevant; even Microsoft Security Essentials can find and kill most variants. The purpose of Sirefef is to serve as the staging component for the coup de grace: the highly sophisticated Zeroaccess rootkit (Sirefef downloaded some other friends too, but once the rootkit is dealt with, they are easily dispatched.)

Zeroaccess is a nightmare. It creates a hidden partition to run components from, deletes the BITS and Windows Update services, infects system restore and then removes the system restore interface from Windows. It locks you out of various sections of your file system it has decided to secrete backup copies of itself into. (C:\Windows\Temp, C:\Windows\System32\Config\Systemprofile and so forth.)

Zeroaccess knows all the standard tricks; it hides itself from Trend Micro's virus scanner Housecall, kills industrial-strength bleach Combofix (attempting to run this tool will freeze the system), resists cleaning by SurfRight's Hitman Pro, Symantec's resident AV and so forth. If you delete the hidden partition after booting from a Linux Live CD, chances are you didn't get every last remnant of the thing and it will be back in due time. It also prevents remote support app Teamviewer from starting properly with Windows.

If any residue of the rootkit lingers, or if Sirefef and/or its downloaded friends remain, they will all download and reinstall one another and we get to play whack-a-malware one more time. Bonus points were awarded for exploiting known Windows 7 vulnerabilities to infect every other machine on the network; that was a nice touch that really made my Friday.

Cleaning up this one Trojan-horse town:

So what's the solution? It turns out that some combination therapy kills the Zeroaccess variant in question. The solution I have settled upon is this:


- Disconnect every Windows system from the network; if one is infected, they are all infected. (I have absolutely no idea what they used to get through the firewalls on client PCs, but it was effective.) You need to clean all systems one at a time on a quarantine basis. If you have a way to automate the rest of this list for enterprise deployment, please let me know.
- Create a new local user with admin privileges, reboot and log on as that user. (You need as clean a profile as possible.)
- Download and run Symantec's Zeroaccess removal tool. It will ask you to reboot; do so. A widget will pop up when you next log in that says the rootkit was not found. This is a lie. The removal tool got rid of it, and you have already been reinfected. Fortunately, it can't do anything until the next reboot.
- Run Trend Micro's Housecall; kill all the things. Do not reboot.

- Repair the background intelligent transfer service (BITS).

- Repair the Windows automatic updates service. (If you get the popup for the "Microsoft Fixit" tool, use it. It will fix your broken Windows update service.)
- Install Windows updates. Do not reboot.

- Run Microsoft Security Essentials; kill all the things. Do not reboot. At this point, you should have killed all of Zeroaccess's little friends.

- Re-run the Symantec Zeroaccess removal tool. It should kill the newly reinfected (but still dormant) variant of Zeroaccess.
- Reboot. When the system comes back up, make sure you log in as the "new" local administrative account you created.

- Run Combofix. If it doesn't lock up your system, you're good!
- Reboot back into your regular account, and delete the local account you created for this process. You win.

If you are infected with Zeroaccess, exercise extreme caution. Someone is actively versioning this rootkit. I detected at least three different variants on one network alone. More to the point, the little friends that serve as satellite malware are also seeing some rapid evolution; what worked for me today may not work a week from now.

One step from the above that might be prudent is: "Create a new local user with admin privileges, reboot and log on as that user."

Then you might try running Combofix or some of the other tools described above...

[cr33pz]

If you still have this problem, don't forget to run whatever malware/ virus scanner in safe mode, after its updated. If you run more then 2 diff types of scanning software, be sure to uninstall others before installin new ones.

[|iR|Focalor]

Zeroaccess is a nightmare.

Oh wow. That sucks. I think at one point I might've had one of the variations of 0access either on THIS machine or the old WinXP one. I'm sure you remember me talking about the fucking MYRIADS of problems I constantly had with that old junker. Seems like whatever the hell was infecting it was working exactly like that, but I never was able to nail down what it was specifically to ever call it by any name. At first I thought it was just a plain old virus that could be killed with plain old antivirus software. The AV would find parts of it and quarantine it and then tell me to to reboot. Upon rebooting, one of the same components would pop back up with a completely different completely random named file. So when that proved to be an exercise of uselessness, I tried formating the disk and reinstalling WinXP. That seemed to work for about a day and a half each time, but after that, it'd go back to running slow and retarded again. So then I finally had to delete all the partitions and format the entire disk from edge to edge. That finally killed it, or at least disabled it from functioning. Problem with having to format and delete partitions and shit though... my mobo was shot and had failing parts all over it from when a previous PSU went bad and fried the RAM and old HDD along with it. So whenever something was transfering large amounts of data from the CD drives to anywhere else, it would often reboot... so in the middle of trying to format and reinstall windows, it would reboot 100 times, making me have to REPEATEDLY try try try try trysomemore try try try before it would finally get from 1 to 100% without rebooting in the middle of it. SUPER fucking annoying. Many cuss words were said, some in languages not native to this fucking planet.

Anyway. Dunno if it was 0access on that old machine or not, but it might've been. I'm pretty sure I had a 0access variant on THIS machine though. I seem to remember AVG specifically finding some small thing and calling it that. I seem to remember having to scan a handful of times before AVG finally cut it out. Maybe I booted in safe mood to get it gone, I don't really remember. But since then, I haven't had any problems that I know of really. PC seems to be running A-OK. I have one game in particular, 18 Wheels of Steel - Extreme Trucker that seems to run a bit sluggish now when it didn't at all when I first installed it. Then again, it's torrented. I have a few other games like Saints Row 3 and GTA4 that run kinda sluggish, but I got them AFTER I removed the 0access shit. Doesn't seem likely that it's a virus or a rootkit causing slow graphics performance. Nothing else runs slower than it used to. Seems pretty stupid and/or impossible to make a virus or rootkit that only effects video memory. I've updated video drivers, so maybe updating drivers has messed up a config for that game or something.

Anyway, from what I read up on 0access at the time, it gives the author of the specific form of the rootkit the ability to remotely access your data, steal credit card info, banking data, personal ID shit, pictures, anything at all that's there to be had. It also said that you can "appear" to have gotten rid of it but still have it, and as a precaution you shouldn't discontinue using that machine to transfer sensitive personal data that a thief might be interested in. So who knows. Maybe I still fucking have it. But I'm no dummy. No credit card numbers get shot through this box.

[|iR|Focalor]

If you still have this problem, don't forget to run whatever malware/ virus scanner in safe mode, after its updated. If you run more then 2 diff types of scanning software, be sure to uninstall others before installin new ones.

Some rootkits seem to be "smarter" than others. The authors realize that people will boot in safe mode and then run the AV to dig it out before it can start up. Problem with some rootkits though is that they don't always operate by way of a process within the main partition. Some can actually reside in the BIOS. Or elsewhere.

Anyway, sounds like the problem ex is having really isn't all that serious. Once the infected process starts, it can change shit in the registry to prevent you from being able to delete it. Booting in safe mode and preventing unnecessary (and possibly infected) processes from running BEFORE running an AV scan so that it can grab it all before it can replicate itself... might work. If not, then you might wanna look at booting in safe mode and then running some registry fix before scanning.

[ex]

The main problem I'm noticing is that it doesn't want to be deleted in the normal way.  It is putting itself in the C:\$Recycle_Bin\ dir or whatever and says it's a locked file so it can't be deleted.  Also, it's spawning new copies of itself at will with different extensions and totally different names of files as well.  Crypt_c.CCD was only the first, the latest was saying something like .JSA or .JSRA...something like that.  I downloaded Avast and it deleted the originating files (I think), but I'm not sure if it got all of it.  I'll have to work on it more tomorrow.

BTW, I think this was received via e-mail, since that computer is used for work ONLY and never goes onto any questionable sites, period...so even if that wasn't a joke, quadz, the porn thing is out.  :p  Also, quadz, the link you posted is the exact first link I went to when researching this issue.  The incidence graph shows a spike July 26'th...that's the day the computer started slowing down and not loading things online, and by the 27'th, it wasn't loading hardly anything.  For some reason the common infection from this hit a high point on Friday.  Strange.

I was actually hoping some of the coding experts or IT employees that are on here could help out with this as well.  I think, all jokes aside, Vae actually does know quite a bit about this, and would like to know if he knows anything.  Also Elysium or any others who know how to deal with this kinda shit.

Also, ty Alpha, I'll try both of those tomorrow and see if anything still comes up (probably will).



BTW, just as a friendly reminder to some of our more immature residents of Tastyspleen:  This is a help thread.  This is not for trolling.  Do that elsewhere.  Any more such posts will be deleted on sight.  Thank you.  :>

[ex]

Also, from the link quadz posted:

Diamondo25
• 7 months ago

We recently got an email from "Incoming.Fax@{INSERT YOUR DOMAIN HERE}" with a ZIP that contained this application/virus that used the Adobe Reader icon. Avast didn't detect it directly (only after a Sandbox scan) and after a Jotti scan http: //virusscan. jotti. org/nl/scanresult/d811206e618caacb7fc46c389ab61b400765c8c7 I noticed that only 2 virusscanners identifies it.

I also noticed, while looking at the ASM code, that it has some FTP and Mutex imports, which is quite scary.

This last part is really bothering me, since there are work-related things on that computer.  Any more help would be appreciated.

[|iR|Focalor]

If it's reappearing after a full virus and rootkit scan, then I'd recommend immediately backing up all important work files that you want to keep... that is IF it's working well enough to allow you to do that. Any exe's I'd stay away from backing up unless you absolutely HAVE to. Often shit will attach itself to every single exe file and reinstall itself when you run them. If it's shit that just refuses to die no matter what you try, then you always have the option of going Nagasaki on it's ass with a full format and clean install of Windows. It's a time consuming pain in the ass to start from scratch, but it beats ripping your hair out for days on end trying to figure out how to fix shit that refuses to cooperate. If you have to take that route, don't forget to delete all the partitions in the process too. You'll have designate sizes for new one/s once you do, but it's really simple.

[VaeVictis]

just boot a linux boot disk (centos, debian, fedora, ubuntu, doesn't matter which)

not sure if ntfs volumes store the same stats, but you can hop in and use something like

find / -mtime -2

that will find all files created in past couple of days... obviously don't want to delete EVERYTHING but going through with rm on a command line doesn't move things to a recycle bin GONE FOREVER

if you wanted to just auto delete everything newer than 2 days (not suggested, but hey, why not)

find /path/to/mounted/drive/ -mtime -2 -exec rm {} \;

that should do the trick... if you have a command line AV in linux, as some do exist like the linux version of avg or clamav, you could probably use the -exec function to scan each individual file

having a linux boot disk hanging around, even if it is just for virus removal, is one of the BEST things to help with cleaning computers... i always just find out what the problem is inside of windows (mostly safe mode), and reboot into my debian partition for clean up works like a charm

[bluemeanies]

Nuke it from orbit...it's the only way to be sure...

[Whirlingdervish]

best bet is usually to make that new user with admin access, log only into that.

use something like ccleaner or msconfig to set up a very clean startup list in case its executing from there.

if it lets you do it, rename all of the old user account folders manually adding a digit to the end of them so you could recover with ease later:

example: C:\Documents and Settings\user
becomes C:\Documents and Settings\user2

any stuff in the registry that the virus added will now not be accessing a good path to whatever file it's using if it stored it in the many user temp folders. (very common spot to stash it)

You can usually sort by date modified in the other folders to spot the file names of the virus in question. (windows\system32 and others)

write down every suspect file name from the period right around infection. the more accurate the time/date the more effective this is.
If you had a virus scanner "find" it but not be able to delete it, write down those files/paths too.

use a linux boot disk, or a windows recovery disc/recovery console or anything you are comfy using to get to some sort of command line outside of the OS from which you can navigate in and either rename or delete the files you wrote down earlier.

I like renaming as it makes it easy to unbreak stuff.

once you've scrubbed it like that, try a restart with the new admin user only.

do full scans with any AV to see if they pick up new stuff. rinse and repeat a few times until nothing comes up.

after you're relatively sure of it's cleanliness, you should wait a week or so in case the AV wasn't picking it up because it's some 0 day shit, then migrate the old user content off the box. (scanning it again before you do)

It's not as easy as starting with a new bare drive, but I've had to do this many times to recover business docs and such on work comps.