
Trojan Horse; Cryptne.dll I Cannot Remove This


13 replies to this topic

#1 Charlie929

Charlie929

  • Members
  • 74 posts
  • OFFLINE
  •  
  • Local time:12:26 PM

Posted 14 December 2007 - 06:30 PM

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan Horse
File: C:\WINDOWS\system32\cryptne.dll
Location: C:\WINDOWS\system32
Computer: COMPUTER
User: Default
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Saturday, December 15, 2007 6:18:01 PM

I've run a virus scan both in Safe mode and ....not so safe mode. The program finds it but cannot remove or quarantine or do anything with this. I've searched the "Regedit" to find it in there to remove it (as per the removal instructions) but fear I may do more damage than anything.
Can anyone out there help with this?
C.

Edited by rigel, 14 December 2007 - 09:13 PM.
Mod Edit - Moved to a more appropriate forum



#2 Charlie929

Charlie929
  • Topic Starter


Posted 14 December 2007 - 08:04 PM

Ok, this is a trojan virus, that much I think I'm pretty sure of... well... maybe not. Anyway, every time I open something up, I get the message from the virus protection that I posted above. I've tried everything I can think of to clean this but nothing works. Yet, that is. :thumbsup: Somebody pleeeease!!! If I could figure this out, I wouldn't sell pumps for a living!

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,608 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:26 AM

Posted 15 December 2007 - 06:37 AM

PREVX identifies that file as TROJAN.AGENT.GEN. I'd like to see what any of the other anti-virus vendors are showing about it.

Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, click the "browse" button and locate the following file:
C:\WINDOWS\System32\mbssm32.exe <- this file
Click "Open", then click the "Submit" button.
Please copy the results and paste them in your next reply.

Download FileASSASSIN.zip and save to your desktop (this tool is compatible with Win 2000/NT/XP/Vista only).
  • Create a new folder on your C:\ drive called FileASSASSIN and extract (unzip) the file to that folder. (Click here for information on how to do this if not sure. Win 9x/2000 users click here.)
  • Open the folder and double-click on FileASSASSIN.exe.
  • Select the following file(s) to delete by dragging it onto the text area or select it using the (...) browse button.
    • cryptne.dll <-- C:\Windows\system32\ folder
  • Select a removal method. Start with "Attempt FileASSASSIN's method of file removal."
  • Click delete and the removal process will begin.
  • If that did not work, start the program again, select the file(s) the same way as before and this time check "Use delete on reboot function from windows."
Note: If you cannot find the file(s), you may have to Reconfigure Windows XP to show hidden files, folders. (We are doing this so we can look for and delete hidden files if necessary but don't delete anything other than what I ask you to delete. After your system is clean, follow the same procedure to hide these files and folders again to protect them from accidental deletion).
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 Charlie929


Posted 15 December 2007 - 11:44 AM

The file you listed does not exist on my computer??

#5 Charlie929


Posted 15 December 2007 - 11:57 AM

"C:\windows\system32\cryptne.dll " The program (file assassin) could not delete the file....

#6 quietman7


Posted 15 December 2007 - 02:06 PM

Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, click the "browse" button and locate the following file:
C:\WINDOWS\System32\cryptne.dll <- this file
Click "Open", then click the "Submit" button.
Please copy the results and paste them in your next reply.

Please download OTMoveIt by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt.exe to launch the program.
  • Copy the file(s)/folder(s) paths listed below - highlight everything in red and press CTRL+C or right-click and choose Copy.

C:\WINDOWS\system32\cryptne.dll

  • Then in OTMoveIt, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results for each line will be displayed in the right-hand pane.
  • Highlight everything in the Results window, press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Click Exit when done.
  • A log of the results is automatically created and saved to C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log <- the date/time the tool was run.
  • Please copy/paste the contents of that log in your next reply.
-- Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process.
If asked to reboot, choose Yes.


Caution: Be careful of what you copy and paste with this tool. OTMoveIt is a powerful program, designed to move highly persistent files and folders. Not following the directions as instructed or using incorrectly could lead to disastrous problems with your operating system.



#7 Charlie929


Posted 15 December 2007 - 06:04 PM

This is the message I get from trying to upload the file for scanning. I ran spybot S&D but there was nothing there but "Bearshare" and a Microsoft alert about the firewall being off (which I turned off to try and upload the file). I'll run Spyware Doctor and see if that turns up anything.

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

#8 Charlie929


Posted 15 December 2007 - 06:49 PM

Results from OTmoveit program

LoadLibrary failed for C:\WINDOWS\system32\cryptne.dll
C:\WINDOWS\system32\cryptne.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\cryptne.dll scheduled to be moved on reboot.

Created on 12/16/2007 18:49:41

#9 Charlie929


Posted 15 December 2007 - 07:00 PM

After reboot, the trojan message is still there:

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan Horse
File: C:\WINDOWS\system32\cryptne.dll
Location: C:\WINDOWS\system32
Computer: COMPUTER
User: Default
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Sunday, December 16, 2007 7:01:50 PM

#10 quietman7


Posted 15 December 2007 - 11:24 PM

Download Killbox and save to your Desktop.
alternate download site 1
alternate download site 2
  • Double-click on Killbox.exe to start.
  • Select "Delete on Reboot" option and check the box "Unregister dll Before Deleting" (if available).
  • Highlight all the entries in the quote box below, right-click and copy them.

    C:\Windows\system32\cryptne.dll

  • Then in Killbox, go to the File menu, choose "Paste from Clipboard".
  • Click the "Single Files" button.
  • Click the Red & White "Delete File" button (red circle with a white 'X') to delete the file(s).
  • Click "Yes" at the Delete on Reboot confirmation message prompt that will appear.
  • A second message will ask to Reboot now? You will need to click "Yes" to allow the reboot.
  • If your computer does not restart automatically then please restart it manually. If you get the error message "PendingFileRenameOperations Registry Data has been Removed by External Process!" then just restart manually.
  • Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files.
  • After rebooting, open up Killbox again, click File -> Logs -> Actions History Log or go to Start > Run and type:
    notepad %systemdrive%\!Killbox\Logs\kb.log
  • Copy and paste the contents of kb.log and post it in your next reply.
If that does not work, repeat the above but this time select "Replace on Reboot" and Use Dummy, then follow the rest of the instructions.

#11 Charlie929


Posted 16 December 2007 - 04:43 PM

Log info as per request. Message is still there.

Pocket Killbox version 2.0.0.648
Running on Windows XP as Default(Administrator)
was started @ Monday, December 17, 2007, 4:32 PM

# 1 [Delete on Reboot]
Path = C:\Windows\system32\cryptne.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 4:38:36 PM
# 2 [Delete on Reboot]
Path = C:\Windows\system32\cryptne.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 4:39:01 PM
Killbox Closed(Exit) @ 4:39:02 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Default(Administrator)
was started @ Monday, December 17, 2007, 4:43 PM

#12 Charlie929


Posted 16 December 2007 - 04:50 PM

Ran Killbox both ways as per instructions. Log attached. Still have the message.....

Pocket Killbox version 2.0.0.648
Running on Windows XP as Default(Administrator)
was started @ Monday, December 17, 2007, 4:32 PM

# 1 [Delete on Reboot]
Path = C:\Windows\system32\cryptne.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 4:38:36 PM
# 2 [Delete on Reboot]
Path = C:\Windows\system32\cryptne.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 4:39:01 PM
Killbox Closed(Exit) @ 4:39:02 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Default(Administrator)
was started @ Monday, December 17, 2007, 4:43 PM

# 1 [Replace on Delete]
Path = C:\Windows\system32\cryptne.dll
*Replaced with C:\Documents and Settings\Default\Local Settings\Temp\kbdummy.0

I Rebooted @ 4:47:27 PM
Killbox Closed(Exit) @ 4:47:30 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Default(Administrator)
was started @ Monday, December 17, 2007, 4:51 PM
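
The Killbox logs above report that the PendingFileRenameOperations registry data was removed before the reboot. As an added example (not part of the thread and not code from Killbox), the Python below decodes that value's REG_MULTI_SZ data and checks whether a delete request for the file is still queued. It assumes the value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager has been exported as raw UTF-16LE bytes; the sample byte strings and the C:\Temp paths are constructed.

```python
# Added example: decode PendingFileRenameOperations (REG_MULTI_SZ) data.
NT_PREFIX = "\\??\\"  # NT object-manager prefix stored in front of each path

def decode_multi_sz(raw):
    """Split raw REG_MULTI_SZ bytes (UTF-16LE, NUL-separated) into strings."""
    return raw.decode("utf-16-le").split("\x00")

def _nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path

def parse_pending(strings):
    """Pair the strings as (source, target); an empty target means delete."""
    entries = []
    for i in range(0, len(strings) - 1, 2):
        src, dst = strings[i], strings[i + 1]
        if not src:  # trailing terminator or padding, not a real entry
            continue
        if not dst:
            action = "delete"
        elif dst.startswith("!"):  # '!' marks "replace an existing target"
            action = "replace"
        else:
            action = "rename"
        entries.append({"action": action, "source": _nt(src),
                        "target": _nt(dst.lstrip("!")) or None})
    return entries

def is_queued(entries, path, action="delete"):
    """True if `path` (case-insensitive) is queued for `action`."""
    return any(e["action"] == action and e["source"].lower() == path.lower()
               for e in entries)

def _multi_sz(*strings):
    """Build constructed test data in the on-disk layout."""
    return ("\x00".join(strings) + "\x00\x00").encode("utf-16-le")

TARGET = r"C:\Windows\system32\cryptne.dll"  # path from the thread
# Constructed samples: queue right after scheduling, and after being wiped.
SAMPLE_QUEUED = _multi_sz(NT_PREFIX + TARGET, "",
                          NT_PREFIX + r"C:\Temp\new.dll",
                          "!" + NT_PREFIX + r"C:\Temp\old.dll")
SAMPLE_WIPED = b""

if __name__ == "__main__":
    for name, raw in (("queued", SAMPLE_QUEUED), ("wiped", SAMPLE_WIPED)):
        entries = parse_pending(decode_multi_sz(raw))
        print(name, entries, "delete pending:", is_queued(entries, TARGET))
```

An empty queue immediately after a tool reports scheduling the delete matches the "Removed by External Process" lines in the log: the request is gone before the reboot, so the file survives it.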

#13 quietman7


Posted 17 December 2007 - 08:56 AM

Killbox is not working but there are other specialized tools which will. Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#14 oudine2

oudine2

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:11:26 AM

Posted 20 March 2009 - 12:53 AM

I was googling for the same answer as the one who started this topic. Finally I found the solution by booting my PC with Ubuntu. So if someone has the same problem, try downloading Ubuntu (or I think any other Linux OS) and by just running it without installing it you can kill that file :thumbsup:

I know this is my first message in the forum, but wanted to post that for anyone who has the same problem.



