
Crypt3.dll / Troj Agent.aeua


  • This topic is locked
11 replies to this topic

#1 jpd9930

jpd9930

  • Members
  • 221 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:10 AM

Posted 20 December 2007 - 01:06 AM

Hi everyone,

I have a problem with a non-deleteable, non quarantinable file.

I run PC-cillin as well as Ad-Aware, Spybot, HijackThis, and SUPERAntiSpyware on XP Pro. PC-cillin identifies CRYPT3.dll as an infected file with troj agent.aeua. PCC can't quarantine this and I can't delete it. The file is located in C:\windows\system32. Sister files crypt3.2/.3/.4.dll have all been saved to disk, then the originals deleted (also located in sys32). I can not delete crypt3.dll as it is in use; even HijackThis can't delete this from its BHO entry. I have tried entering safe mode to delete it but PCC won't work, SUPERAntiSpyware doesn't recognize it, and it's still in use. PCC detects it but their site doesn't have any reference in their library...

The PCC warning comes up every time I open IE and randomly on page changes. Unknown if this affects Firefox.

I don't see any odd programs running in Task Manager.

I guess my basic questions are: should I delete crypt3.dll? How can I if I should? Or can I delete troj agent.aeua without touching crypt3.dll?

Edited by jpd9930, 20 December 2007 - 01:08 AM.


#2 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,714 posts
  • OFFLINE
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:08:10 AM

Posted 20 December 2007 - 03:08 AM

Hi jpd9930 and welcome to BleepingComputer.

Try downloading Asquared and run it in safe mode. I've had good results with this utility finding trojans.

Edited by dc3, 20 December 2007 - 03:10 AM.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.


#3 jpd9930

jpd9930
  • Topic Starter

  • Members
  • 221 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:10 AM

Posted 21 December 2007 - 12:29 AM

I tried Asquared's security and HijackThis... neither found the virus (trojan), thus I am unable to delete it. It did find a few other things I don't want though. Thanks for the tip dc3.

What I need is how to delete crypt3.dll, or anything for that matter, when even in safe mode it won't delete.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:10 AM

Posted 21 December 2007 - 04:51 PM

Please download and install SUPERAntiSpyware Free Home version.
Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from HERE and unzip into the program's folder.)
Under the "Configuration and Preferences", click the Preferences... button.
Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

Click the "Close" button to leave the control center screen and exit the program.
Do not run a scan just yet.

Reboot your computer in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure everything has a checkmark next to it and click "Next".
A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#5 jpd9930

jpd9930
  • Topic Starter

  • Members
  • 221 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:10 AM

Posted 22 December 2007 - 07:01 PM

Hehehe, on page 3 now... anyway

I tried Trend Micro for a solution.

They sent me Unlocker 1.8.5. It didn't work: "No Locking Handles Found." "The Object could not be deleted." It would not delete on reboot either.

I tried to zip it (WinZip and WinRAR) but I don't have "Permission".
I tried to open it with various text editors but I don't have "permission".

I was unable to attach the file to my email to Trend Micro as well.

Is there a program I can get to force permission?

Thanks again!!!!!!

PS boopme, you were posting as I was... I've already used SUPERAntiSpyware but I will try it again with the settings you listed above... thanks

Edited by jpd9930, 22 December 2007 - 07:04 PM.


#6 jpd9930

jpd9930
  • Topic Starter

  • Members
  • 221 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:10 AM

Posted 22 December 2007 - 08:05 PM

The Vundo keeps coming back.


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/22/2007 at 07:42 PM

Application Version : 3.9.1008

Core Rules Database Version : 3363
Trace Rules Database Version: 1362

Scan type : Complete Scan
Total Scan Time : 00:28:16

Memory items scanned : 186
Memory threats detected : 0
Registry items scanned : 6612
Registry threats detected : 4
File items scanned : 35634
File threats detected : 48

Adware.Vundo-Variant/B
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2F29F4B6-5434-44A5-A379-8DBEA4B179C2}
HKCR\CLSID\{2F29F4B6-5434-44A5-A379-8DBEA4B179C2}
HKCR\CLSID\{2F29F4B6-5434-44A5-A379-8DBEA4B179C2}\InprocServer32
HKCR\CLSID\{2F29F4B6-5434-44A5-A379-8DBEA4B179C2}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\CRYPT3.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Jon\Cookies\jon@statse.webtrendslive[2].txt
C:\Documents and Settings\Jon\Cookies\jon@www.burstnet[1].txt
C:\Documents and Settings\Jon\Cookies\jon@richmedia.yahoo[2].txt
C:\Documents and Settings\Jon\Cookies\jon@atdmt[2].txt
C:\Documents and Settings\Jon\Cookies\jon@cbcnewmedia.112.2o7[1].txt
C:\Documents and Settings\Jon\Cookies\jon@adopt.specificclick[1].txt
C:\Documents and Settings\Jon\Cookies\jon@doubleclick[1].txt
C:\Documents and Settings\Jon\Cookies\jon@tribalfusion[1].txt
C:\Documents and Settings\Jon\Cookies\jon@tacoda[1].txt
C:\Documents and Settings\Jon\Cookies\jon@ad.yieldmanager[1].txt
C:\Documents and Settings\Jon\Cookies\jon@mediaplex[2].txt
C:\Documents and Settings\Jon\Cookies\jon@ads.revsci[1].txt
C:\Documents and Settings\Jon\Cookies\jon@xiti[1].txt
C:\Documents and Settings\Jon\Cookies\jon@specificclick[2].txt
C:\Documents and Settings\Jon\Cookies\jon@questionmarket[2].txt
C:\Documents and Settings\Jon\Cookies\jon@casalemedia[2].txt
C:\Documents and Settings\Jon\Cookies\jon@buycom.122.2o7[1].txt
C:\Documents and Settings\Jon\Cookies\jon@adinterax[1].txt
C:\Documents and Settings\Jon\Cookies\jon@bluestreak[1].txt
C:\Documents and Settings\Jon\Cookies\jon@media.adrevolver[3].txt
C:\Documents and Settings\Jon\Cookies\jon@www.burstbeacon[1].txt
C:\Documents and Settings\Jon\Cookies\jon@2o7[2].txt
C:\Documents and Settings\Jon\Cookies\jon@adrevolver[1].txt
C:\Documents and Settings\Jon\Cookies\jon@eb.adbureau[2].txt
C:\Documents and Settings\Jon\Cookies\jon@edge.ru4[1].txt
C:\Documents and Settings\Jon\Cookies\jon@traffic.buyservices[1].txt
C:\Documents and Settings\Jon\Cookies\jon@ads.as4x.tmcs[1].txt
C:\Documents and Settings\Jon\Cookies\jon@counter.surfcounters[1].txt
C:\Documents and Settings\Jon\Cookies\jon@ads.bridgetrack[1].txt
C:\Documents and Settings\Jon\Cookies\jon@realmedia[2].txt
C:\Documents and Settings\Jon\Cookies\jon@pro-market[2].txt
C:\Documents and Settings\Jon\Cookies\jon@media.adrevolver[2].txt
C:\Documents and Settings\Jon\Cookies\jon@zedo[2].txt
C:\Documents and Settings\Jon\Cookies\jon@anad.tacoda[1].txt
C:\Documents and Settings\Jon\Cookies\jon@partner2profit[1].txt
C:\Documents and Settings\Jon\Cookies\jon@interclick[2].txt
C:\Documents and Settings\Jon\Cookies\jon@revsci[1].txt
C:\Documents and Settings\Jon\Cookies\jon@burstnet[2].txt
C:\Documents and Settings\Jon\Cookies\jon@adopt.euroclick[2].txt
C:\Documents and Settings\Jon\Cookies\jon@advertising[1].txt
C:\Documents and Settings\Jon\Cookies\jon@serving-sys[2].txt
C:\Documents and Settings\Jon\Cookies\jon@trafficmp[1].txt
C:\Documents and Settings\Jon\Cookies\jon@eas.apm.emediate[1].txt
C:\Documents and Settings\Jon\Cookies\jon@fastclick[2].txt
C:\Documents and Settings\Jon\Cookies\jon@ads.pointroll[2].txt
C:\Documents and Settings\Jon\Cookies\jon@bs.serving-sys[1].txt
C:\Documents and Settings\Jon\Cookies\jon@server.iad.liveperson[1].txt



Here is HijackThis after the virus scan:

Logfile of HijackThis v1.99.1
Scan saved at 8:02:48 PM, on 12/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
f:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
J:\TRENDM~3\PcCtlCom.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
J:\TRENDM~3\Tmntsrv.exe
J:\TRENDM~3\TmPfw.exe
J:\TRENDM~3\tmproxy.exe
F:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\bin\ktchnsnk.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
J:\trend micro\pccguide.exe
D:\Utopia\Angel\Angel.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
J:\TRENDM~3\PcScnSrv.exe
C:\WINDOWS\System32\svchost.exe
F:\WINZIP\winzip32.exe
C:\Documents and Settings\Jon\Local Settings\Temp\wz437f\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F29F4B6-5434-44A5-A379-8DBEA4B179C2} - C:\WINDOWS\system32\crypt3.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [HP OfficeJet Series 500] "f:\Program Files\Hewlett-Packard\HP OfficeJet Series 500\bin\ktchnsnk.exe" -reg "Software\Hewlett-Packard\OfficeJet Series 500\Install"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [pccguide.exe] "J:\trend micro\pccguide.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Utopia Angel] "D:\Utopia\Angel\Angel.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Timex Data Link USB Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1189200242343
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1189200229171
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C09C8CD-35C7-4B74-90A5-D0F64F4992CF}: NameServer = 4.2.2.2,4.2.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{3C09C8CD-35C7-4B74-90A5-D0F64F4992CF}: NameServer = 4.2.2.2,4.2.2.1
O17 - HKLM\System\CS3\Services\Tcpip\..\{3C09C8CD-35C7-4B74-90A5-D0F64F4992CF}: NameServer = 4.2.2.2,4.2.2.1
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjrs32 - winjrs32.dll (file missing)
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - f:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - J:\TRENDM~3\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - J:\TRENDM~3\PcScnSrv.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - (no file)
O23 - Service: RoxUpnpRenderer - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - J:\TRENDM~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - J:\TRENDM~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - J:\TRENDM~3\tmproxy.exe

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,489 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:10 AM

Posted 22 December 2007 - 08:30 PM

Ok, we're going to try this before we go to the HJT log, as that needs to be done in the HJT forum.
Run this Vundo fix FIRST; if it still persists, run the Virtumundo Begone fix in the Tutorial
How To Remove Vundo/Winfixer Infection

Now Download Attribune's ATF Cleaner save to desktop.

Now reboot into Safe Mode: How to start Windows in Safe Mode
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox browser click Firefox at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser click Opera at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

#8 jpd9930

jpd9930
  • Topic Starter

  • Members
  • 221 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:10 AM

Posted 22 December 2007 - 09:49 PM

Sorry about the HJT post... I didn't see the requirements until after I posted...

VundoFix found 1 file unrelated to this problem. It has been deleted.

[12/22/2007, 20:48:25] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Jon\Desktop\VirtumundoBeGone.exe" )
[12/22/2007, 20:48:31] - Detected System Information:
[12/22/2007, 20:48:31] - Windows Version: 5.1.2600, Service Pack 2
[12/22/2007, 20:48:31] - Current Username: Jon (Admin)
[12/22/2007, 20:48:31] - Windows is in NORMAL mode.
[12/22/2007, 20:48:31] - Searching for Browser Helper Objects:
[12/22/2007, 20:48:31] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[12/22/2007, 20:48:31] - BHO 2: {2F29F4B6-5434-44A5-A379-8DBEA4B179C2} ()
[12/22/2007, 20:48:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/22/2007, 20:48:31] - Checking for HKLM\...\Winlogon\Notify\crypt3
[12/22/2007, 20:48:31] - Key not found: HKLM\...\Winlogon\Notify\crypt3, continuing.
[12/22/2007, 20:48:31] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[12/22/2007, 20:48:31] - Finished Searching Browser Helper Objects
[12/22/2007, 20:48:31] - Finishing up...
[12/22/2007, 20:48:31] - Nothing found! Exiting...

[12/22/2007, 21:02:08] - VirtumundoBeGone v1.5 ( "D:\Downloads\VirtumundoBeGone.exe" )
[12/22/2007, 21:02:10] - Detected System Information:
[12/22/2007, 21:02:10] - Windows Version: 5.1.2600, Service Pack 2
[12/22/2007, 21:02:10] - Current Username: Jon (Admin)
[12/22/2007, 21:02:10] - Windows is in NORMAL mode.
[12/22/2007, 21:02:10] - Searching for Browser Helper Objects:
[12/22/2007, 21:02:10] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[12/22/2007, 21:02:10] - BHO 2: {2F29F4B6-5434-44A5-A379-8DBEA4B179C2} ()
[12/22/2007, 21:02:10] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/22/2007, 21:02:10] - Checking for HKLM\...\Winlogon\Notify\crypt3
[12/22/2007, 21:02:10] - Key not found: HKLM\...\Winlogon\Notify\crypt3, continuing.
[12/22/2007, 21:02:10] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[12/22/2007, 21:02:10] - Finished Searching Browser Helper Objects
[12/22/2007, 21:02:10] - Finishing up...
[12/22/2007, 21:02:10] - Nothing found! Exiting...

[12/22/2007, 21:40:05] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Jon\Desktop\VirtumundoBeGone.exe" )
[12/22/2007, 21:40:07] - Detected System Information:
[12/22/2007, 21:40:07] - Windows Version: 5.1.2600, Service Pack 2
[12/22/2007, 21:40:07] - Current Username: Jon (Admin)
[12/22/2007, 21:40:07] - Windows is in SAFE mode.
[12/22/2007, 21:40:07] - Searching for Browser Helper Objects:
[12/22/2007, 21:40:07] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[12/22/2007, 21:40:07] - BHO 2: {2F29F4B6-5434-44A5-A379-8DBEA4B179C2} ()
[12/22/2007, 21:40:07] - WARNING: BHO has no default name. Checking for Winlogon reference.
[12/22/2007, 21:40:07] - Checking for HKLM\...\Winlogon\Notify\crypt3
[12/22/2007, 21:40:07] - Key not found: HKLM\...\Winlogon\Notify\crypt3, continuing.
[12/22/2007, 21:40:07] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[12/22/2007, 21:40:07] - Finished Searching Browser Helper Objects
[12/22/2007, 21:40:07] - Finishing up...
[12/22/2007, 21:40:07] - Nothing found! Exiting...


Look2Me:

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 12/22/2007 8:49:01 PM


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded



ATF Cleaner run also.

#9 jpd9930

jpd9930
  • Topic Starter

  • Members
  • 221 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:10 AM

Posted 23 December 2007 - 04:47 PM

How about if I delete this:

"Checking for HKLM\...\Winlogon\Notify\crypt3
Key not found: HKLM\...\Winlogon\Notify\crypt3, continuing."


Why can't I do anything the easy way?

Edited by jpd9930, 23 December 2007 - 04:50 PM.


#10 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,734 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:10 AM

Posted 23 December 2007 - 11:34 PM

This file can be difficult to remove because it is protected by a driver which loads much earlier than actions taken to delete it. Further, the infection is often accompanied by other .dll files which need to be identified and removed. Successful removal also requires identification of the CLSID (unique id number) associated with the BHO and use of specialized fix tools.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) - You are using an outdated version

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
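The point quietman7 makes above, that removal hinges on tying the BHO's CLSID to its DLL and registry keys, can be automated for triage. The script below is an added example, not code from the thread or from any of the tools named in it: it parses the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis log, flags a BHO with no registered name and a Notify entry whose DLL is missing, lists the three registry keys that register a BHO under a CLSID, and cross-references those keys against a SUPERAntiSpyware log. The sample log lines are constructed from the entries quoted in this thread; the "(no name)" heuristic is an assumption for triage, not proof of infection.

```python
"""Added triage example (not from the thread): correlate a HijackThis log with
a SUPERAntiSpyware log by BHO CLSID."""
import re
from collections import defaultdict

# Constructed sample lines, modelled on the logs posted in this thread.
HJT_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {2F29F4B6-5434-44A5-A379-8DBEA4B179C2} - C:\\WINDOWS\\system32\\crypt3.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_06\\bin\\ssv.dll
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O20 - Winlogon Notify: winjrs32 - winjrs32.dll (file missing)
"""

SAS_LOG = """\
Adware.Vundo-Variant/B
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{2F29F4B6-5434-44A5-A379-8DBEA4B179C2}
HKCR\\CLSID\\{2F29F4B6-5434-44A5-A379-8DBEA4B179C2}
HKCR\\CLSID\\{2F29F4B6-5434-44A5-A379-8DBEA4B179C2}\\InprocServer32
HKCR\\CLSID\\{2F29F4B6-5434-44A5-A379-8DBEA4B179C2}\\InprocServer32#ThreadingModel
C:\\WINDOWS\\SYSTEM32\\CRYPT3.DLL

Adware.Tracking Cookie
C:\\Documents and Settings\\Jon\\Cookies\\jon@doubleclick[1].txt
"""

# HijackThis line shapes: "O2 - BHO: <name> - {CLSID} - <path>" and
# "O20 - Winlogon Notify: <name> - <path>".
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")


def parse_hjt(log):
    """Return (bhos, notify): dicts parsed from O2 and O20 lines."""
    bhos, notify = [], []
    for line in log.splitlines():
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O20_RE.match(line)
        if m:
            notify.append(m.groupdict())
    return bhos, notify


def flag_bhos(bhos):
    """Triage heuristic (assumption): a BHO with no registered name deserves a look.
    Legitimate vendors register a display name; the thread's Vundo entry did not."""
    return [b for b in bhos if b["name"] == "(no name)"]


def flag_notify(notify):
    """Winlogon Notify entries whose DLL is gone are leftovers of a removed package."""
    return [n for n in notify if n["path"].endswith("(file missing)")]


def registry_keys_for(clsid):
    """The registry locations that register a BHO with Internet Explorer under a
    CLSID (the same keys SUPERAntiSpyware listed in the thread's scan log)."""
    return [
        rf"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{clsid}",
        rf"HKCR\CLSID\{clsid}",
        rf"HKCR\CLSID\{clsid}\InprocServer32",
    ]


def parse_sas(log):
    """Group SUPERAntiSpyware findings by detection name; a blank line ends a group."""
    findings, current = defaultdict(list), None
    for line in log.splitlines():
        if not line.strip():
            current = None
        elif current is None:
            current = line.strip()
        else:
            findings[current].append(line.strip())
    return findings


def correlate(hjt_log, sas_log):
    """For each flagged BHO, name the SAS detections that mention its CLSID or DLL path."""
    bhos, _ = parse_hjt(hjt_log)
    findings = parse_sas(sas_log)
    result = {}
    for b in flag_bhos(bhos):
        hits = [name for name, items in findings.items()
                if any(b["clsid"] in i or b["path"].lower() == i.lower() for i in items)]
        result[b["clsid"]] = {"path": b["path"], "detections": hits}
    return result


if __name__ == "__main__":
    for clsid, info in correlate(HJT_LOG, SAS_LOG).items():
        print(clsid, info["path"], info["detections"])
        for key in registry_keys_for(clsid):
            print("  check:", key)
```

Run stand-alone it prints the nameless BHO, its DLL, the detection that mentions it, and the keys to inspect; replace the constructed strings with the contents of real log files to use it on another case.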

#11 jpd9930

jpd9930
  • Topic Starter

  • Members
  • 221 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:10 AM

Posted 26 December 2007 - 04:15 PM

HJT log reference:

http://www.bleepingcomputer.com/forums/t/122259/crypt3dlltroj-agentaeua/

#12 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,734 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:10 AM

Posted 26 December 2007 - 04:26 PM

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic until you are cleared by the HJT Team. If you still need assistance after your log has been reviewed and you have been cleared, please PM me or another moderator and we will re-open this topic.

Thanks for your cooperation and good luck with your log.