Guest Bob Havens Posted October 30, 2008

I am using Windows XP Home with all the latest updates and SP3. Trend Micro PC Cillin is my AV program. I also have Spybot Search and Destroy and AdAware.

Several days ago when I was web surfing my AV program detected Cryp_Xed-3. I think the virus may have executed since the computer shut down by itself. Since then I have been having trouble opening IE (Version 6). I have run the full AV program, Spybot and Adaware and nothing helps. Sometimes I can get on IE but most of the time I can't. I get an error report window. As near as I can tell the problem is confined to IE. Other programs seem to work OK. I was able to copy the file name from the error report but was unable to copy the remaining information. Here are several file names from the error report, PC Cillin log file and Hijack This log.

I would like some help in getting IE working again.

Thank you,
Bob

BAD FILE PER ERROR REPORT
C:\DOCUME~1\bob\LOCALS~1\Temp\204e_appcompat.txt
C:\DOCUME~1\bob\LOCALS~1\Temp\8642_appcompat.txt
C:\DOCUME~1\bob\LOCALS~1\Temp\10c6_appcompat.txt
C:\DOCUME~1\bob\LOCALS~1\Temp\9842_appcompat.txt
C:\DOCUME~1\bob\LOCALS~1\Temp\2e06_appcompat.txt
C:\DOCUME~1\bob\LOCALS~1\Temp\30d3_appcompat.txt
C:\DOCUME~1\bob\LOCALS~1\Temp\76c4_appcompat.txt
C:\DOCUME~1\bob\LOCALS~1\Temp\37f3_appcompat.txt

Here is the PC Cillin virus log:

TREND MICRO PCCILLIN LOG FILE
"Virus Scan","2008/10/26","BOB-A2BCEN3PAYN"
"Time","Event","Source Type","Virus Name","File Name","First Action","Second Action"
"21:19","Real-time Protection","File","Cryp_Xed-3","C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\YZ0FC9YQ\index[1]","",""
"21:19","Real-time Protection","File","Cryp_Xed-3","C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\YZ0FC9YQ\index[1]","",""
"21:19","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\AtKB.exe","",""
"21:20","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\92.tmp","",""
"21:20","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\AtKB.exe","",""
"21:20","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\AtKB.exe","",""
"21:20","Real-time Protection","File","Cryp_Xed-3","C:\WINDOWS\TEMP\97.tmp","",""
"21:20","Real-time Protection","File","Cryp_Xed-3","C:\WINDOWS\TEMP\98.tmp","",""

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:26 PM, on 10/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\bob\My Documents\OLD FILES\Computer RH\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: ReadingBar - {5420be57-2ed4-4f4f-9eb9-381cec2290e7} - C:\Program Files\ReadBar\ReadBar.dll
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TextAloud\TAForIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://maps.live.com
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://72.32.179.44/filter/cameraviewer/isetup.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/p...obat/nos/gp.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: APC UPS Service - Unknown owner - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe (file missing)
O23 - Service: getPlus
Guest 1PW Posted October 30, 2008

On 10/30/2008 11:15 AM, Bob Havens sent:

> I am using Windows XP Home with all the latest updates and SP3. Trend
> Micro PC Cillin is my AV program. I also have Spybot Search and Destroy
> and AdAware.
>
> Several days ago when I was web surfing my AV program detected
> Cryp_Xed-3. I think the virus may have executed since the computer shut
> down by itself. Since then I have been having trouble opening IE
> (Version 6). I have run the full AV program, Spybot and Adaware and
> nothing helps. Sometimes I can get on IE but most of the time I can't.
> I get an error report window. As near as I can tell the problem is
> confined to IE. Other programs seem to work OK. I was able to copy the
> file name from the error report but was unable to copy the remaining
> information. Here are several file names from the error report, PC
> Cillin log file and Hijack This log.
>
> I would like some help in getting IE working again.
>
> Thank you,
> Bob

Snip, snip...

> --
> End of file - 6186 bytes

Hello Bob:

Within the last few days, David H. Lipman has posted many site URLs that will automatically decipher your HJT output. Please give that a try and then let us know how you are doing from that point.

Best wishes.

--
1PW
@?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
Guest David H. Lipman Posted October 30, 2008

From: "Bob Havens" <bhavens@flash-removetoreply-.net>

| I am using Windows XP Home with all the latest updates and SP3. Trend Micro
| PC Cillin is my AV program. I also have Spybot Search and Destroy and
| AdAware.
| Several days ago when I was web surfing my AV program detected Cryp_Xed-3.
| I think the virus may have executed since the computer shut down by itself.
| Since then I have been having trouble opening IE (Version 6). I have run
| the full AV program, Spybot and Adaware and nothing helps. Sometimes I can
| get on IE but most of the time I can't. I get an error report window. As
| near as I can tell the problem is confined to IE. Other programs seem to
| work OK. I was able to copy the file name from the error report but was
| unable to copy the remaining information. Here are several file names from
| the error report, PC Cillin log file and Hijack This log.
| I would like some help in getting IE working again.
| Thank you,
| Bob
| BAD FILE PER ERROR REPORT
| C:\DOCUME~1\bob\LOCALS~1\Temp\204e_appcompat.txt
| C:\DOCUME~1\bob\LOCALS~1\Temp\8642_appcompat.txt
| C:\DOCUME~1\bob\LOCALS~1\Temp\10c6_appcompat.txt
| C:\DOCUME~1\bob\LOCALS~1\Temp\9842_appcompat.txt
| C:\DOCUME~1\bob\LOCALS~1\Temp\2e06_appcompat.txt
| C:\DOCUME~1\bob\LOCALS~1\Temp\30d3_appcompat.txt
| C:\DOCUME~1\bob\LOCALS~1\Temp\76c4_appcompat.txt
| C:\DOCUME~1\bob\LOCALS~1\Temp\37f3_appcompat.txt
| Here is the PC Cillin virus log:
| TREND MICRO PCCILLIN LOG FILE
| "Virus Scan","2008/10/26","BOB-A2BCEN3PAYN"
| "Time","Event","Source Type","Virus Name","File Name","First Action","Second Action"
| "21:19","Real-time Protection","File","Cryp_Xed-3","C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\YZ0FC9YQ\index[1]","",""
| "21:19","Real-time Protection","File","Cryp_Xed-3","C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\YZ0FC9YQ\index[1]","",""
| "21:19","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\AtKB.exe","",""
| "21:20","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\92.tmp","",""
| "21:20","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\AtKB.exe","",""
| "21:20","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\AtKB.exe","",""
| "21:20","Real-time Protection","File","Cryp_Xed-3","C:\WINDOWS\TEMP\97.tmp","",""
| "21:20","Real-time Protection","File","Cryp_Xed-3","C:\WINDOWS\TEMP\98.tmp","",""

It is most likely a faux conclusion that what Trend PCCillin detected was a "virus". The "Cryp_Xed-3" is related to trojans, not a virus.

Looking at the log Trend made, it looked like it successfully stopped a web based exploitation attempt, which is a good thing. However, when I search the Trend Micro library I came up with...

http://www.trendmicro.com/vinfo/virusencyc...e=TROJ_AGENT.RH
http://www.trendmicro.com/vinfo/virusencyc...ROJ_DLOADER.VHS

The first URL concerns me because it shows the TROJ_AGENT.RH is synonymous to "TR/Drop.Srizbi.D (Avira)". The Srizbi Trojan is a nasty RootKit. Although it appears that Trend Micro stopped the process, we want to be sure.

Please download and run Gmer, which is an anti RootKit utility that detects Srizbi.
http://www.gmer.net/files.php

Posting HJT logs in the Microsoft News Groups, and in Usenet in general, is not allowed. If you had asked before posting the HJT logs, you would have been told this. There are "expert" forums set up specifically to handle one-on-one assistance that starts with the posting of HJT logs.

Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log.

It is suggested that you post your GMer log with your HJT logs and the information you have collected and I provided you about what Trend Micro detected.

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Rem...o_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
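The two logs in this thread are the raw material for the triage the replies describe: the PC-cillin CSV export shows where the detections landed (the browser cache page that delivered the exploit versus files written to a Temp directory), and the HijackThis log lists the IE add-ons, download-prefetch (DPF) ActiveX controls, trusted-zone entries and services that the "HJT analyzer" sites mentioned above would look at. The script below is an added example by the editor, not code from the thread, from Trend Micro or from HijackThis. The sample lines are copied from Bob's post (duplicate PC-cillin rows dropped, one wrapped path rejoined), and the flagging rules are the editor's own triage heuristics, not either vendor's classification: an O2 BHO with "(no file)" or an O23 service with "(file missing)" is an orphan registration, an O15 entry widens IE's trusted zone, and an O16 DPF control that is fetched from a bare IP address or has no download URL at all deserves a second look.

```python
"""Triage the PC-cillin CSV export and HijackThis lines posted in this thread.

Editor's example. The flagging rules below are the editor's own heuristics,
not Trend Micro's or HijackThis's classification of these entries.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample: PC-cillin log lines from the post, duplicate rows dropped.
PCCILLIN_LOG = r'''"Virus Scan","2008/10/26","BOB-A2BCEN3PAYN"
"Time","Event","Source Type","Virus Name","File Name","First Action","Second Action"
"21:19","Real-time Protection","File","Cryp_Xed-3","C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\YZ0FC9YQ\index[1]","",""
"21:19","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\AtKB.exe","",""
"21:20","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\92.tmp","",""
"21:20","Real-time Protection","File","Cryp_Xed-3","C:\WINDOWS\TEMP\97.tmp","",""
"21:20","Real-time Protection","File","Cryp_Xed-3","C:\WINDOWS\TEMP\98.tmp","",""
'''

# Constructed sample: a handful of HijackThis lines from the same post.
HJT_LOG = r'''O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O15 - Trusted Zone: http://maps.live.com
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://72.32.179.44/filter/cameraviewer/isetup.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -
O23 - Service: APC UPS Service - Unknown owner - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe (file missing)
'''


def parse_pccillin(text):
    """Parse the CSV export: line 1 is the scan banner, line 2 the column headers."""
    lines = text.splitlines()
    return list(csv.DictReader(io.StringIO("\n".join(lines[1:]))))


def triage_pccillin(text):
    """Split detections into browser-cache hits (the page that delivered the
    attempt) and files that reached a Temp directory (payload on disk)."""
    events = parse_pccillin(text)
    cache_hits, dropped = [], []
    for e in events:
        path = e["File Name"]
        low = path.lower()
        if "\\temporary internet files\\" in low:
            cache_hits.append(path)
        elif "\\temp\\" in low and low.endswith((".exe", ".tmp", ".dll")):
            dropped.append(path)
    return {
        "detections": len(events),
        "names": dict(Counter(e["Virus Name"] for e in events)),
        "browser_cache_hits": cache_hits,
        "dropped_files": dropped,
        # Both action columns are empty for every row in the posted export,
        # i.e. the log records no cleanup action for any of these hits.
        "no_action_logged": sum(
            1 for e in events if not e["First Action"] and not e["Second Action"]
        ),
    }


HJT_LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
IPV4_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[:/]|$)")


def triage_hjt(text):
    """Return (section, reason, line) for HJT entries worth a second look."""
    findings = []
    for raw in text.splitlines():
        m = HJT_LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O2" and body.endswith("(no file)"):
            findings.append((section, "orphan BHO registration (CLSID with no DLL)", raw))
        elif section == "O15":
            findings.append((section, "site added to IE Trusted Zone", raw))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1].strip()
            if not url.startswith("http"):
                findings.append((section, "DPF control with no download URL", raw))
            elif IPV4_URL_RE.match(url):
                findings.append((section, "ActiveX control fetched from a bare IP address", raw))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append((section, "service points at a missing binary", raw))
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(triage_pccillin(PCCILLIN_LOG), indent=2))
    for section, reason, line in triage_hjt(HJT_LOG):
        print(f"[{section}] {reason}: {line}")
```

On the posted data the PC-cillin summary shows one cache hit and four Temp-directory files, all under the single packer name Cryp_Xed-3 and none with an action recorded, which is the reason the reply above asks for a second opinion from an anti-rootkit tool rather than treating the real-time block as the end of the story. The HJT pass flags the orphan BHO, the trusted-zone entry, both odd DPF controls and the missing-binary service while leaving the Java SSVHelper line alone.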