
trojan.CRYPTREDOL.GEN.5 infection


3 replies to this topic

#1 sondunn1128

Posted 14 October 2009 - 12:01 AM

Hello,

My brother is running Windows XP MCE and just reverted back to SP2 to help diagnose a wireless issue after SP3 was installed. Reverting back placed an icon called Security Tool on the Desktop and the rogue antivirus software telling him he had umpteen infections.

I'm not here to flex muscle or look cool, but I'll give background: I am a SysAdmin veteran with much experience diagnosing PCs and rendering a fix. I've been networking in Microsoft environments for a very long time. I am 100% computer literate and will do whatever you need me to do. However, upon reading your site, it seems that I may not have proper malware knowledge under my belt to deal with such an infection (or use some of the tools as I thought I did) (after all the failed attempts to fix this). Here's what I have done:

--I ran Hijackthis: removed the rogue entries, rebooted, still there
--I tried to run MalwareBytes but the OS reports the file missing. Went online to download a new version. Installed it with Error Code 2, Cannot find MBAM.EXE
--I tried uninstalling it and re-installing it several times, after each uninstall trying a different method (renaming the installer, installing to a different location, removing old registry entries, installing under safe mode, installing under the local admin account). No luck.
--I used ATF Cleaner to remove all selected items, uninstalled Mozilla, cleaned the IE temps and cache from within IE, went to any temp folder I could think of and deleted everything there (wasn't much there but the stagnant IE folders inside Temporary Internet Files), then used Combofix (I know, yell at me now). I have used Combofix and fixed many a PC that was hellish. I have no issue using a repair install or re-installing Windows if I must; however, I have never had that issue before (and not now either).
--Combofix killed the rogue software, but MBAM still would not install. Obviously, the PC is still infected with something.
--I tried running more tools: GMER (deleted things I knew were safe; 99% of it was in the recycle bin), PEPERFIX (old school infection thought to be in here b/c of the ambiguous names in Hijackthis), SMITREM, VUNDOFIX... no luck re-installing MBAM
--Then I tried to use an alternative antimalware (I know, make fun of me), the new Adaware. It found 2 registry keys and an "unknown" in Unknown location. I knew this was the issue. After removing this, I had 2 new ambiguous file names in Hijackthis... it's weakening.
--I then downloaded my favorite antivirus, F-Secure (I have used this for years to clean infected PCs back in 03-06 where people had Norton or McAfee and they would either find or not find something, but couldn't remove whatever it found; installing F-Secure always seemed to be good enough to get the job done). Anyway, F-Secure found TROJAN.CRYPTREDOL.GEN.5. All defs up to date. I deleted the infection and then more popups seemed to come out and tried to phish when testing webpages requiring a login. This was NOT a symptom before the F-Secure find and delete. MalwareBytes will still not install. I would guess this is weakening or angering the infection... but it is definitely doing something.


I'm glad to finally be a member of Bleepingcomputer (the Combofix capital). Any help would be appreciated.


#2 Computer Pro

Posted 14 October 2009 - 02:42 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right hand corner by your first post, click the Options button and then click Track this topic. Then bullet the Immediate Notification bubble. Then press Submit.


Please download the free version of Dr. Web and save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr. Web Cureit as follows:
Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
The Express scan will automatically begin.
(This is a short scan of files currently running in memory, boot sectors, and targeted folders).
If prompted to download the Full version Free Trial, ignore and click the X to close the window.
If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
When complete, click Select All, then choose Cure > Move incurable.
(This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
Now put a check next to Complete scan to scan all local disks and removable media.
In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
In the top menu, click file and choose save report list.
Save the DrWeb.csv report to your desktop.
Exit Dr.Web Cureit when done.
Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)
Computer Pro

#3 sondunn1128
(Topic Starter)

Posted 15 October 2009 - 11:05 PM

Seems like DrWeb only found some tools I used to help fix the PC... I downloaded these tools from Atribune and other trusted sites... Here's some new information.
On the reboot after the Dr.Web CureIT scan, F-Secure automatically found another infection. Application popup: F-Secure Anti-Virus : Malicious code found in file C:\WINDOWS\system32\zevilezi.dll.
Infection: Trojan:W32/Vundo.SO
Looks like a Vundo infection. Powerful enough to shut down explorer, and F-Secure doesn't even ask what I want to do with it (never seen F-Secure weak like that before). Just information. I rebooted...

Upon the reboot it found the infection right away and disinfected it then wanted me to reboot. I am not going to reboot. I'm going to shut down after this post and let you have me perform another analysis method. Thanks for your help. Here's the scan report from DrWeb CureIT

smitRem.exe\smitRem/Process.exe;C:\Documents and Settings\Administrator\Desktop\smitRem.exe;Tool.Prockill;;
smitRem.exe\smitRem/pv.exe;C:\Documents and Settings\Administrator\Desktop\smitRem.exe;Program.PrcView.3741;;
smitRem.exe;C:\Documents and Settings\Administrator\Desktop;Archive contains infected objects;Moved.;
Process.exe;C:\Documents and Settings\Administrator\Desktop\smit\smitRem;Tool.Prockill;Incurable.Moved.;
pv.exe;C:\Documents and Settings\Administrator\Desktop\smit\smitRem;Program.PrcView.3741;Incurable.Moved.;
VirtumundoBeGone.exe\data005;C:\Documents and Settings\Dustin Demirci\Desktop\VirtumundoBeGone.exe;Tool.Prockill;;
VirtumundoBeGone.exe;C:\Documents and Settings\Dustin Demirci\Desktop;Archive contains infected objects;Moved.;

I'll also save you the post and give you a hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:58:36 PM, on 10/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program Files\F-Secure\Common\FSHDLL32.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
C:\Program Files\F-Secure\Anti-Virus\fssm32.exe
C:\Program Files\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\taskkill.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Dustin Demirci\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {a3d07d0e-1c28-4975-9b70-e5c0bbbeefd2} - dawuyoha.dll (file missing)
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TDispVol] TDispVol.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [gikuregita] Rundll32.exe "sumovena.dll",s
O4 - HKLM\..\Run: [40217822] C:\Documents and Settings\All Users\Application Data\40217822\40217822.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O21 - SSODL: nuzovaliv - {a1a5874c-7bbc-4098-93d6-27d6e1ba7190} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {a1a5874c-7bbc-4098-93d6-27d6e1ba7190} - (no file)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\F-Secure\ORSP Client\fsorsp.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 4632 bytes

Taskkill popped up on its own while logged onto this website. Perhaps infected?

Also, obviously the following are not good:
O2 - BHO: (no name) - {a3d07d0e-1c28-4975-9b70-e5c0bbbeefd2} - dawuyoha.dll (file missing)
O4 - HKLM\..\Run: [40217822] C:\Documents and Settings\All Users\Application Data\40217822\40217822.exe <-- cryptredol infection
O21 - SSODL: nuzovaliv - {a1a5874c-7bbc-4098-93d6-27d6e1ba7190} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {a1a5874c-7bbc-4098-93d6-27d6e1ba7190} - (no file) <-- deleted this from task scheduler (after scan)


Here is a tasklist /svc output for you as well


Image Name PID Services
========================= ====== =============================================
System Idle Process 0 N/A
System 4 N/A
smss.exe 684 N/A
csrss.exe 740 N/A
winlogon.exe 768 N/A
services.exe 812 Eventlog, PlugPlay
lsass.exe 824 PolicyAgent, ProtectedStorage, SamSs
svchost.exe 1012 DcomLaunch, TermService
svchost.exe 1116 RpcSs
svchost.exe 1280 AudioSrv, BITS, CryptSvc, Dhcp, dmserver,
ERSvc, EventSystem,
FastUserSwitchingCompatibility, helpsvc,
lanmanserver, lanmanworkstation, Netman,
Nla, seclogon, SENS, SharedAccess,
ShellHWDetection, srservice, Themes, TrkWks,
W32Time, winmgmt, wscsvc
EvtEng.exe 1348 EvtEng
S24EvMon.exe 1396 S24EventMonitor
svchost.exe 1560 Dnscache
svchost.exe 1648 LmHosts
LEXBCES.EXE 292 LexBceS
LEXPPS.EXE 332 N/A
spoolsv.exe 336 Spooler
svchost.exe 1208 WebClient
CFSvcs.exe 1360 CFSvcs
fsgk32st.exe 1732 F-Secure Gatekeeper Handler Starter
FSMA32.EXE 1752 FSMA
fsgk32.exe 1764 N/A
FSHDLL32.EXE 1928 N/A
RegSrvc.exe 2024 RegSrvc
svchost.exe 192 SSDPSRV
svchost.exe 264 stisvc
TAPPSRV.exe 628 TAPPSRV
fsdfwd.exe 3228 FSDFWD
fsorsp.exe 3388 FSORSPClient
fssm32.exe 3460 N/A
alg.exe 3480 ALG
fsav32.exe 3680 N/A
explorer.exe 1084 N/A
FSM32.EXE 1828 N/A
firefox.exe 1380 N/A
mmc.exe 2300 N/A
cmd.exe 1140 N/A
taskkill.exe 1200 N/A
mmc.exe 1864 N/A
notepad.exe 2392 N/A
HiJackThis.exe 4016 N/A
notepad.exe 2184 N/A
cmd.exe 3760 N/A
tasklist.exe 2008 N/A
wmiprvse.exe 3504 N/A


Look forward to hearing from you
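An added example, not code from this thread or from HijackThis: a small Python triage pass that flags the same kinds of entries the poster singled out in the log above (load points whose file is gone, a Run key handing rundll32 a bare DLL name, an all-digit executable under All Users\Application Data, and one CLSID registered under two load points). The sample input is constructed from lines in the posted log plus one known-good F-Secure service line as a control; the rules are simple heuristics, assumed here for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: entries copied from the HijackThis log posted above,
# plus one known-good F-Secure service line (O23) as a control.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {a3d07d0e-1c28-4975-9b70-e5c0bbbeefd2} - dawuyoha.dll (file missing)
O4 - HKLM\\..\\Run: [SynTPEnh] C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe
O4 - HKLM\\..\\Run: [gikuregita] Rundll32.exe "sumovena.dll",s
O4 - HKLM\\..\\Run: [40217822] C:\\Documents and Settings\\All Users\\Application Data\\40217822\\40217822.exe
O21 - SSODL: nuzovaliv - {a1a5874c-7bbc-4098-93d6-27d6e1ba7190} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {a1a5874c-7bbc-4098-93d6-27d6e1ba7190} - (no file)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\\Program Files\\F-Secure\\Anti-Virus\\fsgk32st.exe
"""

CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
RUN_RE = re.compile(r"^O4 - .*\\Run: \[([^\]]+)\]\s+(.*)$")
RUNDLL_BARE_RE = re.compile(r'^rundll32(\.exe)?\s+"?([^\\/"]+\.dll)"?', re.I)

def triage_hijackthis(log_text):
    """Return (entry_type, detail, reason) tuples for lines worth a second look."""
    findings = []
    clsid_uses = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = line.split(" - ", 1)[0]
        # Rule 1: a load point (BHO, SSODL, SharedTaskScheduler) whose target file is gone.
        if "(file missing)" in line or "(no file)" in line:
            findings.append((entry, line, "load point references a file that no longer exists"))
        # Collect CLSIDs so the same GUID under several load points can be reported.
        for clsid in CLSID_RE.findall(line):
            clsid_uses[clsid.lower()].append(entry)
        m = RUN_RE.match(line)
        if not m:
            continue
        name, command = m.groups()
        # Rule 2: Run key that hands rundll32 a DLL by bare name (resolved via the search path).
        if RUNDLL_BARE_RE.match(command):
            findings.append((entry, name, "rundll32 loads a DLL by bare name, not a full path"))
        # Rule 3: all-digit executable living under the shared Application Data folder.
        exe = command.strip('"').rsplit("\\", 1)[-1]
        if "Application Data" in command and re.fullmatch(r"\d+\.exe", exe, re.I):
            findings.append((entry, name, "numeric-named executable in All Users\\Application Data"))
    # Rule 4: one CLSID registered under more than one load point.
    for clsid, entries in clsid_uses.items():
        if len(set(entries)) > 1:
            findings.append(("+".join(sorted(set(entries))), clsid, "same CLSID under multiple load points"))
    return findings
```

Run against the sample, the control lines (SynTPEnh, FSGKHS) produce nothing and the six flagged items match the four lines the poster called out.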

#4 Computer Pro

Posted 16 October 2009 - 07:47 PM

You're very welcome for the help. It looks like we may be dealing with a rootkit here:

Please install RootRepeal

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K
Unzip that to your Desktop and then click RootRepeal.exe to open the scanner.

* Open the folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
* Click on the FILES tab, then click the Scan button.
* In the Select Drives dialog, Please select drives to scan: select all drives showing, then click OK.
* When the scan has completed, a list of files will be generated in the RootRepeal window.
* Click on the Save Report button and save it as rootrepeal.txt to your desktop or the same location where you ran the tool from.
* Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
* Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High.


Note 2: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "Safe Mode".
Computer Pro
