
Infection With Cryptex.dll


This topic is locked. 4 replies to this topic.

#1 stug

  • Members
  • 2 posts

Posted 24 March 2008 - 10:42 AM

Hi, I have a really persistent infection with Trojan Horse Pakes. AVG has found it but it doesn't seem to make any difference when it moves it to the vault. File location is C:\windows\system32\cryptex.dll. Can't be removed by deleting in Explorer. I'm running XP. Whenever I start any program AVG picks up on the trojan and asks what to do with it. Have run Spybot. Here is the HijackThis log, would be very grateful for any help. Stuart

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:51 PM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\GIRSOF~1\avgamsvr.exe
C:\PROGRA~1\GIRSOF~1\avgupsvc.exe
C:\PROGRA~1\GIRSOF~1\avgemc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\GIRSOF~1\avgcc.exe
C:\heap41a\svchost.exe
C:\heap41a\svchost.exe
C:\XP Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\GIRSOF~1\avgwb.dat
C:\PROGRA~1\GIRSOF~1\avgvv.exe
C:\XP Program Files\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ekit.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\XP Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\XPPROG~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CAD849EC-8FF2-46D7-84DA-38D09E9EA9B4} - C:\WINDOWS\system32\cryptex.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GIRSOF~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\XP Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [status] present
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\GIRSOF~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\GIRSOF~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\GIRSOF~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\GIRSOF~1\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\XP Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\XPPROG~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\XPPROG~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C105685-B319-4D82-ABAD-A7439CC93068}: NameServer = 218.248.240.208 218.248.240.135
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\GIRSOF~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\GIRSOF~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\GIRSOF~1\avgemc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegService - Xircom - C:\XIRCOM\Update\RegService.exe

--
End of file - 3923 bytes
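The log above is read by eye by the helpers in this thread; as an added example (not part of the original post or of HijackThis itself), the script below applies three of the checks they apply when they spot an entry like C:\heap41a\svchost.exe: a core Windows binary name running from outside System32, a browser helper object with no name, and an autostart entry under the seldom-used Policies\Explorer\Run key. The sample log is a constructed excerpt in HijackThis v2 format modelled on the entries above; the rule names are this example's own.

```python
import re
from collections import namedtuple

# Constructed sample in the format of a HijackThis v2 log, modelled on the
# entries in the thread above (the real log is much longer).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\heap41a\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\XP Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CAD849EC-8FF2-46D7-84DA-38D09E9EA9B4} - C:\WINDOWS\system32\cryptex.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Policies\Explorer\Run: [winlogon] C:\heap41a\svchost.exe C:\heap41a\std.txt
"""

# Core Windows XP binaries that only ever run from the system directory;
# a same-named file anywhere else is masquerading.
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "services.exe", "smss.exe"}
SYSTEM_DIR = re.compile(r"^[A-Z]:\\WINDOWS\\SYSTEM32\\[^\\]+$", re.IGNORECASE)

Finding = namedtuple("Finding", "rule line")

def triage(log_text):
    """Return the log lines a malware-removal helper would ask about."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process list
            in_processes = False
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            name = line.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_NAMES and not SYSTEM_DIR.match(line):
                findings.append(Finding("system-binary-name-outside-system32", line))
            continue
        # A BHO with no name pointing at an unfamiliar DLL is worth a VirusTotal look.
        if line.startswith("O2 - BHO: (no name)"):
            findings.append(Finding("unnamed-bho", line))
        # Policies\Explorer\Run is a rarely used autostart key that malware favours.
        elif line.startswith("O4 - ") and "\\Policies\\Explorer\\Run:" in line:
            findings.append(Finding("policies-explorer-run", line))
    return findings
```

Running `triage(SAMPLE_LOG)` returns the three lines a helper would query, in log order; the same function can be fed a full saved HijackThis log.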


#2 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 24 March 2008 - 06:10 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.

Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

========================================================

#3 stug

  • Topic Starter
  • Members
  • 2 posts

Posted 02 April 2008 - 01:30 PM

Hi, first of all sorry for the delay in posting, not due to my lack of interest in your help, I just wasn't expecting such a quick response. Have run ComboFix, got a few MS-DOS subsystem errors while running. Managed to use the ignore option most of the time, then had to use terminate after it had rebooted, but it seemed to carry on running anyway. On first try when starting programs AVG no longer jumps in with virus found, so fingers crossed. Here is the log:

ComboFix 08-04-01.2 - Stuart 2008-04-02 23:26:47.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.282 [GMT 5.5:30]
Running from: C:\Documents and Settings\Stuart.STUART-21DF0F58\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cryptex.dll
C:\WINDOWS\system32\drivers\mylwocwx.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RUMNUGIU
-------\Service_rumnugiu


((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-03-26 23:31 . 2008-03-26 23:31 <DIR> d-------- C:\Documents and Settings\Stuart.STUART-21DF0F58\Application Data\skypePM
2008-03-26 23:31 . 2008-03-26 23:31 32 --a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\ezsid.dat
2008-03-26 23:29 . 2008-03-26 23:49 <DIR> d-------- C:\Documents and Settings\Stuart.STUART-21DF0F58\Application Data\Skype
2008-03-26 23:28 . 2008-03-26 23:28 <DIR> d-------- C:\Program Files\Skype
2008-03-26 23:28 . 2008-03-26 23:28 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-03-26 23:27 . 2008-03-26 23:28 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Skype
2008-03-24 14:34 . 2008-03-24 16:42 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 15:07 --------- d-----w C:\Program Files\girsoftavg
2008-03-24 05:20 --------- d-----w C:\Documents and Settings\Stuart.STUART-21DF0F58\Application Data\AVG7
2008-03-08 14:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-02-13 18:45 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7
2008-02-13 14:29 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-13 14:28 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft
2004-03-12 22:24 271 --sh--w C:\Program Files\DESKTOP.INI
2004-03-12 22:24 21,952 ---ha-w C:\Program Files\FOLDER.HTT
2003-08-03 14:23 707 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CAD849EC-8FF2-46D7-84DA-38D09E9EA9B4}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\XP Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
"AVG7_CC"="C:\PROGRA~1\GIRSOF~1\avgcc.exe" [2008-02-14 00:20 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\GIRSOF~1\avgw.exe" [2008-02-14 00:21 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"status"= present
"winlogon"= C:\heap41a\svchost.exe C:\heap41a\std.txt

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\XP Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\girsoftavg\\avginet.exe"=
"C:\\Program Files\\girsoftavg\\avgamsvr.exe"=
"C:\\Program Files\\girsoftavg\\avgcc.exe"=
"C:\\Program Files\\girsoftavg\\avgemc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 maestro;ESS Maestro 3 Audio Driver (WDM);C:\WINDOWS\system32\drivers\es198x.sys [2001-08-17 17:49]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;C:\WINDOWS\system32\Drivers\ousbehci.sys [2005-06-15 10:01]
S3 cem56;Xircom CreditCard 10/100 + Modem 56 Network;C:\WINDOWS\system32\DRIVERS\CEM56n5.sys [2001-08-17 12:13]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2005-06-15 10:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7be58060-edc4-11dc-9c5e-88b31ef9e987}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f373a80-4904-11d8-98da-00038a000015}]
\Shell\Auto\command - F:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{945a9d50-7213-11d8-98f8-000103fbd97b}]
\Shell\Auto\command - G:\MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdeff9d4-79be-11dc-ad99-000103fbd97b}]
\Shell\Auto\command - MicrosoftPowerPoint.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MicrosoftPowerPoint.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 17:30:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 23:40:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\GIRSOF~1\avgamsvr.exe
C:\PROGRA~1\GIRSOF~1\avgupsvc.exe
C:\PROGRA~1\GIRSOF~1\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\heap41a\svchost.exe
C:\heap41a\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-02 23:44:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-02 18:14:29
Pre-Run: 3,765,221,376 bytes free
Post-Run: 4,040,281,088 bytes free

#4 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 02 April 2008 - 07:13 PM

I'm suspicious of a file that shows up in your log.
Please go to http://www.virustotal.com/ and submit this file to be scanned.

C:\heap41a\svchost.exe

Be patient while it gets scanned. When it's all done copy the text and post it back here in your next reply.

#5 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 20 April 2008 - 09:00 AM

As there has been no response, this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.