BleepingComputer.com: Trojan horse Crypt.ANVH, msgsvc.dll


Trojan horse Crypt.ANVH, msgsvc.dll

#16 m0le (Malware Response Instructor)

Posted 10 February 2012 - 09:04 PM

Okay, just to check if there is an alternative to the file that Combofix is using.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    msgsvc.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Next run Combofix again to see if the file stays replaced. Post the log.
If I have helped you fix your PC then please donate. Thanks

m0le is a proud member of UNITE (Unified Network of Instructors and Trusted Eliminators)

#17 Corryn (Member)

Posted 10 February 2012 - 11:04 PM

Here are the logs. Also, when I was running the fix on OTL a few posts back, the process finished immediately after I clicked Run Fix. Was that supposed to happen?

SystemLook 30.07.11 by jpshortstuff
Log created at 22:54 on 10/02/2012 by Owner
Administrator - Elevation successful

========== filefind ==========

Searching for "msgsvc.dll"
C:\WINDOWS\ERDNT\cache\msgsvc.dll --a---- 33792 bytes [17:36 09/04/2011] [09:00 23/08/2001] 986B1FF5814366D71E0AC5755C88F2D3
C:\WINDOWS\system32\msgsvc.dll --a---- 33792 bytes [09:00 23/08/2001] [09:00 23/08/2001] 986B1FF5814366D71E0AC5755C88F2D3

-= EOF =-

Attached File(s)
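A defender-side check for the SystemLook log above, added here as an example and not code from the thread or from SystemLook: it parses the ":filefind" output and reports whether the copies found share one hash and whether any copy matches a known-good hash (KNOWN_GOOD is a placeholder to be filled from trusted install media). When system32 and the ERDNT\cache backup carry the same hash and neither matches a known-good one, the backup cannot serve as the replacement source.

```python
import re
from collections import defaultdict
# Constructed sample: the SystemLook ":filefind" result lines from the post above.
SAMPLE_LOG = """\
Searching for "msgsvc.dll"
C:\\WINDOWS\\ERDNT\\cache\\msgsvc.dll --a---- 33792 bytes [17:36 09/04/2011] [09:00 23/08/2001] 986B1FF5814366D71E0AC5755C88F2D3
C:\\WINDOWS\\system32\\msgsvc.dll --a---- 33792 bytes [09:00 23/08/2001] [09:00 23/08/2001] 986B1FF5814366D71E0AC5755C88F2D3
"""
# Placeholder: MD5 of a clean msgsvc.dll taken from trusted install media.
KNOWN_GOOD = {"msgsvc.dll": {"PLACEHOLDER_MD5_OF_CLEAN_COPY"}}
# One result line: path, attribute flags, size, [modified] [created], MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+?) (?P<attrs>[-a-z]+) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')

def parse_filefind(text):
    """Map each searched filename to the list of copies SystemLook found."""
    results = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = LINE_RE.match(line)
        if m and current:
            rec = m.groupdict()
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            results[current].append(rec)
    return dict(results)

def assess(results, known_good):
    """Do the copies agree, and does any copy match a known-good hash?"""
    report = {}
    for name, recs in results.items():
        good = {h.upper() for h in known_good.get(name, set())}
        clean = [r["path"] for r in recs if r["md5"] in good]
        report[name] = {
            "copies": len(recs),
            "all_identical": len({r["md5"] for r in recs}) == 1,
            "clean_copies": clean,
            # Only a backup whose hash is known-good can be used to restore.
            "usable_backup": any("ERDNT" in p.upper() for p in clean),
        }
    return report
```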



#18 m0le (Malware Response Instructor)

Posted 11 February 2012 - 07:08 AM

Both copies must be infected. Have you got the XP disc or another XP machine where you could export the msgsvc.dll file from?

#19 Corryn (Member)

Posted 11 February 2012 - 08:24 AM

Yes, I have both.

#20 m0le (Malware Response Instructor)

Posted 11 February 2012 - 06:12 PM

Find the msgsvc.dll file on the disk and replace the infected one. Instructions are here

Then rerun Combofix one more time and post the log.

#21 Corryn (Member)

Posted 11 February 2012 - 10:07 PM

I tried following the included instructions and could find no "Other Devices" section in the Device Manager. I tried doing several searches in the Windows XP (with SP3) CD, and did find an archive recognized by WinRAR called DRIVER.CAB, but I could not find msgsvc.dll in that archive. It did not find the file anywhere else. The only instructions relating to the Windows CD involve finding the driver in question in Device Manager and opting to install from a specific location (the CD, of course), but I cannot find anything in Device Manager that would search the disk for the driver I need. If it's fine to simply copy the .dll from another computer and replace it here, I could also do that.

Also, when I opened Control Panel, I noticed a blank file (no title and just a generic file icon) at the top left. Clicking it highlights the icon, and right clicking brings up options to cut, create shortcut or delete it. Not sure what it is, and the rest of the control panel is fine.

#22 m0le (Malware Response Instructor)

Posted 11 February 2012 - 10:15 PM

Okay, see if you can copy the driver over and replace it.

Once that's been done, rerun Combofix and post the log.

#23 Corryn (Member)

Posted 11 February 2012 - 10:54 PM

I copied the file from another PC to a flash drive and replaced both the file in system32 and ERDNT/cache. Combofix appears to report the same replacement notice.

Might it be possible to do the same thing I did with netbt.sys and use Malwarebytes's FileASSASSIN to delete msgsvc.dll? If it isn't essential, I could always replace it with the copy from my flash drive afterward.

Attached File(s)



#24 m0le (Malware Response Instructor)

Posted 12 February 2012 - 08:20 PM

I think we may need to replace this in the recovery environment. The file is a system driver so deleting it is only half the solution.
We'll start with the copy already on the system but we may use the one you transferred in if this fails.

First we need to copy a clean file to replace the infected one.

Please do this:
  • Click on the Start button, then click on Run...
  • In the empty "Open:" box provided, type cmd and press Enter. This will launch a Command Prompt window (looks like DOS).
  • Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).

    copy C:\WINDOWS\ERDNT\cache\msgsvc.dll C:\ /y

  • In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
  • Press Enter. When successful, you should get this message within the Command Prompt: "1 file(s) copied"
  • Exit the Command Prompt window.

Now we need to boot into the Recovery Environment:

Reboot your computer. Combofix should have installed the recovery console so this should already be available.

Follow the instructions here to start it

Next

Type cd system32\drivers and press Enter.
Type ren msgsvc.dll msgsvc.vir and press Enter.
Then type copy C:\msgsvc.dll msgsvc.dll and press Enter.
Now type exit and press Enter to reboot your computer into normal mode.


Then run Combofix and let's see if that deals with it.

#25 Corryn (Member)

Posted 12 February 2012 - 11:11 PM

Aside from msgsvc.dll being in system32 instead of the drivers folder, I did everything and ran Combofix after. The scan is attached.

Attached File(s)



#26 m0le (Malware Response Instructor)

Posted 13 February 2012 - 12:24 PM

Is AVG being disabled before you run Combofix?

#27 Corryn (Member)

Posted 13 February 2012 - 02:48 PM

Yes, to the point that Combofix doesn't complain before starting. However, once Combofix starts AVG raises an alert which I have to allow before it will start. I could probably stop that by also deactivating identity protection along with the active defense, because that's what the alert is for.



#28 m0le (Malware Response Instructor)

Posted 13 February 2012 - 05:15 PM

Can you do this? I think AVG is interfering with Combofix.

#29 Corryn (Member)

Posted 14 February 2012 - 06:03 PM

I deactivated both the general protection and ID protection. Combofix ran without any warnings from AVG.

Attached File(s)



#30 m0le (Malware Response Instructor)

Posted 14 February 2012 - 06:51 PM

Please run ESET and see if it finds the infected driver. It won't be able to cure it though.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Copy and paste the resulting log in your next reply

If no log is generated that means nothing was found. Please let me know if this happens.
