
crut.i trojan


  • This topic is locked
17 replies to this topic

#1 sean2009

sean2009

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Plymouth,UK
  • Local time:09:22 AM

Posted 17 November 2009 - 02:56 PM

I have previously posted another topic on "am I infected" stating that every program I use to defend against and search for spyware, malware, viruses etc. is halted whenever I try to start it, and then I am mostly told I do not have the required permission to access it, if anything at all!
The only scan log of such I have is from Win32kDiag.exe, which I will post here. I was told to download RootRepeal and DDS; I have tried to run both of these, but as stated in my previous post it seems that the problem can just stop everything I try, including the above mentioned. The only program which got anywhere near to helping was CounterSpy, which found 4 or 5 problems, one of which was called crut.i or something similar. However, when the scan had finished I selected repair and it went to 51% then crashed, and I could no longer use the said program. The same goes for Spybot Search and Destroy, Malwarebytes Anti-Malware, and Advanced System Care Pro. I have already tried the rkill program I read about in a very similar post, including installing anti-malware after running the 4 given versions of rkill; however, nothing seems to work.
I'm running Win XP Pro with Service Pack 3 and AVG 8.5, which although it is in the taskbar will not scan but will update. If there is anything else I can tell you I would be more than happy to.
Any help would be greatly appreciated.

Attached File: scanlog.txt (7.86KB)



#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:11:22 AM

Posted 25 November 2009 - 07:31 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon. Check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 sean2009

sean2009
  • Topic Starter


Posted 26 November 2009 - 08:20 AM

Hi myrti,
The computer I have is old and not very fast, but I do have Windows XP Pro installed, Service Pack 3 I believe, running AVG 8.5. I noticed about two weeks ago that it was becoming slower in response times, so I tried to do a full virus scan with AVG and was unable to do anything with it whatsoever; the only thing it would do was update the database. I then decided to run Spybot Search and Destroy as I had not done it for a while. Once I started it, it ran briefly then completely disappeared from the desktop. I once again tried to run it and was told I did not have the required permission to run this app. I then tried another program called "Advance System Care Pro" which did exactly the same thing. I searched "not having required permission" and eventually found a similar problem to mine which suggested running a program called CounterSpy, which I did download and try. Once the scan had run it said it had found 5 problems, some of which I could "explain away", but only one which had a high threat was called crut.i. I then selected immunize and initially it did start to, but upon reaching 51% again it just totally disappeared from my screen and I was unable to run it again due to the above mentioned.
I then found bleeping.com and saw a similar problem again and downloaded the app Win32kDiag, which did complete a log file which I posted in my topic. It seems that every bit of virus/malware searching or removal software I try gets disabled shortly after running, but other than knowing something was wrong the computer looks like there is nothing wrong. AVG is still in the taskbar, looks good but will not do anything. I have also downloaded Malwarebytes, which also stopped working. All of these programs are now on my desktop just as DOS boxes.
A program called DDS again attempted to run but would not finish; with this one, ever since doing that, it has started to pop up of its own accord every few hours and run to the same point it did when I first installed it, then just disappear again.
However, with the ComboFix you asked me to download there were no problems at all and it seemed to work fine, downloading Windows Recovery and deleting various files, of which I have uploaded the log.
I appreciate your help so far, and if there is anything else you require I would be more than happy to help.
regards
Sean

Attached Files



#4 myrti

myrti


Posted 26 November 2009 - 09:00 PM

Hi,

ComboFix should have disabled that infection and allow us to run other tools as well now. :(

Please run win32kdiag.exe again, with the following command to fix some malware related changes.
Please make sure that a copy of win32kdiag.exe is located on your desktop.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK:

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

We need to scan the system with this special tool.
  • Please download Junction.zip and save it.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Go to Start => Run... => Copy and paste the following command in the run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.
Please post back with the logs from these two programs in your next reply.

We should be able to unlock all locked files and run other removal software after that.
regards myrti



#5 sean2009

sean2009
  • Topic Starter


Posted 27 November 2009 - 12:41 PM

Hi myrti,
Please find enclosed the required log files; all ran without any problems.
regards
Sean

Attached Files



#6 myrti

myrti


Posted 28 November 2009 - 09:46 AM

Hi,

Please run the following tool:
We need to reset the permissions altered by the malware on some files.
  • Download this tool and save it to the desktop: http://download.bleepingcomputer.com/sUBs/...xes/Inherit.exe
  • Go to Start => Run => Copy and paste the first line of the following lines in the run box and click OK:

    "%userprofile%\desktop\inherit" "c:\Documents and Settings\All Users\Documents\Kaspersky Internet Security 2010\avp.exe"
    "%userprofile%\desktop\inherit" "c:\Documents and Settings\Sean\Desktop\HijackThis.exe"
    "%userprofile%\desktop\inherit" "c:\Documents and Settings\Sean\Desktop\RootRepeal.exe"
    "%userprofile%\desktop\inherit" "c:\Documents and Settings\Sean\Desktop\roobuster\RootkitBuster.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\AVG\AVG8\avgcsrvx.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\AVG\AVG8\avgscanx.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\DrDepth\Spybot - Search & Destroy\SpybotSD.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe"
    "%userprofile%\desktop\inherit" "c:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE"
    "%userprofile%\desktop\inherit" "c:\Program Files\Trend Micro\HijackThis\HijackThis.exe"

  • If you get a security warning select Run.
  • You will get a "Finish" popup. Click OK.
  • Do the same for the rest of the lines until you have run all the above commands one by one.
Afterwards please provide a log from OTL:
We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
regards myrti


Follow BleepingComputer on: Facebook | Twitter | Google+
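
What the permission reset in the post above is meant to undo can be inspected without changing anything. The PowerShell below is an added example, not part of the original post and not the code of Inherit.exe; the function name Get-ToolAclReport is hypothetical, the paths are copied from the command list above, and it assumes the tampering shows up as blocked ACL inheritance, explicit Deny entries, a reparse point or an unreadable ACL, which the thread itself does not spell out.

```powershell
# Added example: read-only audit; it reads attributes and ACLs and changes nothing.
# Paths are copied from the command list in the post above.
$targets = @(
    'C:\Program Files\AVG\AVG8\avgcsrvx.exe',
    'C:\Program Files\AVG\AVG8\avgscanx.exe',
    'C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe',
    "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe",
    'C:\Program Files\Sunbelt Software\CounterSpy\SBAMSvc.exe',
    'C:\Program Files\Trend Micro\HijackThis\HijackThis.exe'
)

# Hypothetical helper name. Emits one report object per path.
function Get-ToolAclReport {
    param([Parameter(Mandatory = $true)][string[]]$Path)

    foreach ($p in $Path) {
        $r = New-Object PSObject -Property @{
            Path = $p; Exists = $false; ReparsePoint = $false
            InheritanceBlocked = $false; DenyEntries = ''; ReadError = ''
        }
        if (Test-Path -LiteralPath $p) {
            $r.Exists = $true
            try {
                # junction.exe lists reparse points; this checks the attribute on the file itself.
                $item = Get-Item -LiteralPath $p -Force -ErrorAction Stop
                $flag = [int][IO.FileAttributes]::ReparsePoint
                $r.ReparsePoint = (([int]$item.Attributes -band $flag) -ne 0)

                $acl = Get-Acl -Path $p -ErrorAction Stop
                # True when the ACL no longer inherits from the parent folder.
                $r.InheritanceBlocked = $acl.AreAccessRulesProtected
                # Explicit Deny entries override any Allow entry for the same account.
                $deny = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })
                $r.DenyEntries = ($deny | ForEach-Object {
                    '{0}: {1}' -f $_.IdentityReference, $_.FileSystemRights
                }) -join '; '
            }
            catch {
                # Being unable to read the attributes or the ACL is itself a finding.
                $r.ReadError = $_.Exception.Message
            }
        }
        $r | Select-Object Path, Exists, ReparsePoint, InheritanceBlocked, DenyEntries, ReadError
    }
}

# Show only the files that match one of the assumed tampering signs.
Get-ToolAclReport -Path $targets |
    Where-Object {
        $_.Exists -and ($_.ReparsePoint -or $_.InheritanceBlocked -or $_.DenyEntries -or $_.ReadError)
    } |
    Format-List
```

Files under Program Files normally inherit their ACL from the containing folder, so a scanner executable reported with InheritanceBlocked, a Deny entry or a ReadError is one to compare against a known-good installation before and after the reset.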


#7 sean2009

sean2009
  • Topic Starter


Posted 28 November 2009 - 12:33 PM

Hi myrti,
Have done all the permission resets without any problems, but with the OTL thing, it scans a little then for some reason stops. It stops whilst scanning
HKEY_USERS\S-1-5-21-1482476501-1580436667-1417001333-1003\INTERNET EXPLORER SETTINGS...
I have tried it a few times, also without the "Scan All Users" setting enabled, but it is the same; there are no logs to upload as none are generated!
However, AVG popped up saying it had found tracking cookies. I am tempted to try a full scan but won't until you respond, as I don't want to interfere with your help.
regards
Sean

#8 myrti

myrti


Posted 29 November 2009 - 08:12 PM

Hi,

Sorry, I somehow missed your answer.

Are you running Kaspersky as well as AVG? Or are the Kaspersky files only leftovers?

You can run a scan with AVG, but I would like to see the log at the end if possible.

Did you download a fresh copy of OTL to run the scan? If not please try to do that.

If OTL still won't run please provide a log from DDS instead:
Please run a scan with DDS:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
    DDS.scr
    DDS.pif
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.


Information on A/V control HERE

regards myrti



#9 sean2009

sean2009
  • Topic Starter


Posted 30 November 2009 - 06:58 AM

Hi myrti,
Regarding Kaspersky, I had a 1 year trial which ended. As far as I was aware I had removed it and started using AVG instead; it's only since doing these scans I have noticed some files still around. I have tried reinstalling OTL but the same happens as before, so I have included the DDS log files which you asked for. I have not run a full virus scan; that is in progress with AVG, but I have to go to sea very shortly (I am a fisherman), but will include it when I return if required.
regards
Sean

Attached Files



#10 myrti

myrti


Posted 01 December 2009 - 08:45 AM

Hi,

No problem, I'll keep the topic open for you. :(

The log is looking good, how is your PC doing?

Once you return please try the following steps to remove Kaspersky:

You should be able to remove Kaspersky Anti-Virus via Start > Control Panel > Add or Remove Programs,
If you need instructions on how to do so, please consult: How To Remove An Installed Program From Your Computer

The following removal utility can be used to uninstall the program if the uninstall via Add/remove does not work:
  • Download the archive Kavremover
  • Unpack kavremover10.exe from the archive
  • Run the file kavremover10.exe
  • Enter the code from the picture
  • Click remove
  • Wait until the program confirms the removal and click ok
  • Restart your computer
For illustrated instructions please refer to here: Kaspersky-FAQ

Afterwards please run an online scan with Eset:
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Please post back the results from Eset and a new log from DDS in your next reply.

regards myrti



#11 sean2009

sean2009
  • Topic Starter


Posted 06 December 2009 - 08:38 PM

Hi myrti,
Sorry about the delay in responding, due to work commitments. However, in answer to your question regarding my PC: yeah, it's good, a hell of a lot better. All the programs that had stopped working and turned into just DOS boxes have returned and now function correctly. With regard to the Kaspersky removal thing you posted, I did download it, but unfortunately there was no picture to enter as such into the program, so I could not complete that bit. I have however, as far as I am aware, managed to remove all traces of Kaspersky either manually or with ESET. I have included the scan logs from both ESET and DDS again; looking through them just now, I notice Kaspersky is still in parts installed.
Using the add/remove program told me certain files could not be found, so the option to remove was not there, so I deleted these manually; however, Kaspersky is still listed in the add/remove menu. Other than that, as I said earlier, everything seems to be working again, thanks to your help, fine.
I appreciate your help, time and patience in helping me rectify this problem. Thank you very much.
Regards
Sean

Attached Files



#12 myrti

myrti


Posted 11 December 2009 - 10:03 AM

Hi,

I'm terribly sorry for the delay. :( I had unexpected family issues to deal with, which left me without internet access for most of the week, but I'm back in the internet connected world now and I hope there won't be any more delays.

If you can not uninstall the program through add/remove maybe try revo-uninstaller: revo uninstaller

Please also remove all the outdated Java versions:
Java 2 Runtime Environment Standard Edition v1.3.1_02
Java™ SE Runtime Environment 6

You have already installed the latest version: Version 6 Update 17.

Let me know if this works out for you. If you can't remove Kaspersky with Revo I will provide you a regfix to remove Kaspersky from the Add/Remove entries.

Sorry once more,
regards myrti



#13 myrti

myrti


Posted 21 December 2009 - 08:37 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti



#14 myrti

myrti


Posted 21 December 2009 - 06:59 PM

Hi,

Topic reopened. Did Revo solve your problems? Have you uninstalled the outdated Java versions?

regards myrti



#15 sean2009

sean2009
  • Topic Starter


Posted 22 December 2009 - 07:07 AM

Hi myrti,
Yes, Revo uninstalled everything to do with Kaspersky and I have uninstalled all outdated Java programs with it also. Handy little program that, by the way :(
Thanks for that, just having it clean up other stuff now.
Regards
Sean



