
Virus/Malware: Virus/Rootkits Thread, Work In Progress

saintangelius
post Dec 26 2008, 02:55 AM

Joined: Oct 2005
From: KL


Greetings and Happy Holidays!

I come bearing a not so delightful little 'gift'.

At the end of last week I noticed something strange with my desktop and my laptop. A series of scans showed me that I have been infected by a virus called Trojan Horse Crypt.AYG. I tried every means possible. I even took my lappy over to my IT guy in the office and the two of us couldn't crack it at all. Here is a summary of what I've done so far.

1. Unplugged the desktop from the internet to stop further infestation. Since the lappy was newer and had less important stuff on it, I kinda used it to search around the net for solutions, but to no avail.

2. I took the comps off the router and went direct dial, but the internet would cut itself off every 20 minutes because the dialer would have hung.
Noted an extra svchost.exe process running with massive mem usage. java.exe also takes more mem than usual. The only way to get back online was to restart the comp. It seems that if I'm on the LAN there are no problems with the connection, but when I do direct dial it happens. At times FF3 would even auto-shutdown.

3. AVG 8 picks up the virus, says it healed it/dumped it in the vault, but then it pops up all over again. I have tried...
a) cleaning the vaults
b) manually deleting the folders/files and emptying the recycle bin each time. They come out in these:

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5

C:\Documents and Settings\LocalService\Network Settings\Temporary Internet Files\Content.IE5

The folders inside them have random 8-character alphanumeric names (e.g. TwEot5FY), and the files in them are jpegs named with 4 letters and a number in brackets (e.g. rspw[1].jpg).

After healing/vaulting, a popup appears 10 minutes later with the same infection but a slightly different file name.


4. Tried the following without much luck:
a) AVG 8
b) HijackThis (nothing unusual showed up)
c) System Restore (no difference)
d) Panda online scan (wants me to pay to disinfect)
e) Spybot Search & Destroy with TeaTimer (couldn't find it)
f) Geekz Virus Remover (couldn't even run the program for some strange reason; it says it's a runtime error)
g) a number of other BIOS- and Windows-based ones my IT guy just has on his super secret weapon CD virus annihilator! (couldn't find it; it hides too well)

5. In my frustration I deleted all the contents of the C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5 folder above (specifically the desktop.ini and index.dat), and it seems to have stopped popping up on AVG now whenever I run a scan.

I'm not sure if what I did was right or wrong. I feel like I've just kinda put a lid on it but haven't cleared it out entirely. Please correct me if I'm wrong. My main desktop is still in suspended animation; I fear turning it on. Because it has less RAM and processing power than my lappy, explorer.exe hangs every time the dialer dies.

This is a pretty obscure version of the Crypt virus. I haven't been able to find one similar to it on Google or Trend Micro. Can it possibly be a dialer virus? I'm at my wits' end trying to understand this one.
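The symptom in step 2 (an extra svchost.exe with a large memory footprint) and the cache folders in step 3 are the two things worth looking at systematically before deleting anything else. The script below is an added triage example, not part of the original post and not any vendor's tool. It assumes an XP/2003-era profile layout (C:\Documents and Settings\...), PowerShell 2.0 cmdlets (Get-WmiObject, Get-AuthenticodeSignature), an elevated prompt so the LocalService/NetworkService processes are visible, and a 100 MB working-set threshold chosen only for illustration; the function names are mine.

```powershell
# Added triage script; not from the original post or any product's own code.
# Assumptions: Windows XP/2003-era profile paths, PowerShell 2.0 cmdlets
# (Get-WmiObject, Get-AuthenticodeSignature), and an elevated prompt so that
# processes owned by LocalService/NetworkService can be inspected.

$system32 = (Join-Path $env:SystemRoot 'system32').ToLower()

# --- 1. Triage every svchost.exe instance -----------------------------------
# A genuine svchost.exe lives in %SystemRoot%\system32, is started by
# services.exe and carries a Microsoft signature. An instance that fails any
# of those checks, or has an unusually large working set, deserves a closer look.
function Get-SvchostTriage {
    $results = @()
    foreach ($p in Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'") {
        $flags  = @()
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
        if ($parent -eq $null)                   { $flags += 'parent-gone' }
        elseif ($parent.Name -ne 'services.exe') { $flags += "parent=$($parent.Name)" }

        $path = $p.ExecutablePath
        if (-not $path) {
            $flags += 'no-path'                   # access denied or deliberately hidden
        } else {
            if ((Split-Path $path -Parent).ToLower() -ne $system32) { $flags += 'outside-system32' }
            # Caveat: on older Windows the system binaries are catalog-signed, so
            # this can report NotSigned for a genuine file; treat it as a hint only.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') { $flags += "sig=$($sig.Status)" }
        }

        $wsMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
        if ($wsMB -gt 100) { $flags += 'large-working-set' }   # 100 MB threshold is an assumption

        $results += New-Object PSObject -Property @{
            PID     = $p.ProcessId
            Parent  = $p.ParentProcessId
            Path    = $path
            WS_MB   = $wsMB
            CmdLine = $p.CommandLine
            Flags   = ($flags -join ',')
        }
    }
    $results
}

# --- 2. List what is sitting in the service accounts' IE caches --------------
# These are the two Content.IE5 folders the post names. Randomly named
# subfolders are normal for Content.IE5; the files, their sizes and their
# timestamps are what tell you whether something keeps being re-dropped.
function Get-ServiceCacheFiles {
    $profiles = Join-Path $env:SystemDrive 'Documents and Settings'
    $caches = @(
        (Join-Path $profiles 'LocalService\Local Settings\Temporary Internet Files\Content.IE5'),
        (Join-Path $profiles 'NetworkService\Local Settings\Temporary Internet Files\Content.IE5')
    )
    foreach ($dir in $caches) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Select-Object FullName, Length, LastWriteTime
    }
}

Get-SvchostTriage | Sort-Object WS_MB -Descending |
    Format-Table PID, Parent, WS_MB, Flags, Path -AutoSize
Get-ServiceCacheFiles | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

A large working set on its own is not evidence of infection: one svchost.exe normally hosts many services (Windows Update and the networking group are frequent offenders), and `tasklist /svc` will show which services each instance hosts. The flags that matter are a path outside system32, a parent other than services.exe, or a signature failure on a file that does live in system32; those point at a dropped binary rather than a busy service host. For the caches, the index.dat the poster deleted is IE's cache index, so deleting it removes the bookkeeping but not whatever wrote the files, which is why listing by timestamp after each AVG alert is more informative than clearing the folder.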
