I have a virus Cryp_Xed-3

Thread starter: Bob Havens (Guest)
I am using Windows XP Home with all the latest updates and SP3. Trend Micro
PC Cillin is my AV program. I also have Spybot Search and Destroy and
AdAware.

Several days ago when I was web surfing my AV program detected Cryp_Xed-3.
I think the virus may have executed since the computer shut down by itself.
Since then I have been having trouble opening IE (Version 6). I have run
the full AV program, Spybot and Adaware and nothing helps. Sometimes I can
get on IE but most of the time I can't. I get an error report window. As
near as I can tell the problem is confined to IE. Other programs seem to
work OK. I was able to copy the file name from the error report but was
unable to copy the remaining information. Here are several file names from
the error report, PC Cillin log file and Hijack This log.

I would like some help in getting IE working again.

Thank you,
Bob

BAD FILE PER ERROR REPORT
C:\DOCUME~1\bob\LOCALS~1\Temp\204e_appcompat.txt
C:\DOCUME~1\bob\LOCALS~1\Temp\8642_appcompat.txt
C:\DOCUME~1\bob\LOCALS~1\Temp\10c6_appcompat.txt
C:\DOCUME~1\bob\LOCALS~1\Temp\9842_appcompat.txt
C:\DOCUME~1\bob\LOCALS~1\Temp\2e06_appcompat.txt
C:\DOCUME~1\bob\LOCALS~1\Temp\30d3_appcompat.txt
C:\DOCUME~1\bob\LOCALS~1\Temp\76c4_appcompat.txt
C:\DOCUME~1\bob\LOCALS~1\Temp\37f3_appcompat.txt

Here is the PC Cillin virus log:

TREND MICRO PCCILLIN LOG FILE
"Virus Scan","2008/10/26","BOB-A2BCEN3PAYN"
"Time","Event","Source Type","Virus Name","File Name","First Action","Second Action"
"21:19","Real-time Protection","File","Cryp_Xed-3","C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\YZ0FC9YQ\index[1]","",""
"21:19","Real-time Protection","File","Cryp_Xed-3","C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\YZ0FC9YQ\index[1]","",""
"21:19","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\AtKB.exe","",""
"21:20","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\92.tmp","",""
"21:20","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\AtKB.exe","",""
"21:20","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\AtKB.exe","",""
"21:20","Real-time Protection","File","Cryp_Xed-3","C:\WINDOWS\TEMP\97.tmp","",""
"21:20","Real-time Protection","File","Cryp_Xed-3","C:\WINDOWS\TEMP\98.tmp","",""


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:07:26 PM, on 10/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\bob\My Documents\OLD FILES\Computer RH\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: ReadingBar - {5420be57-2ed4-4f4f-9eb9-381cec2290e7} - C:\Program Files\ReadBar\ReadBar.dll
O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TextAloud\TAForIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://maps.live.com
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} (LiveUpdate Crescendo) -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://72.32.179.44/filter/cameraviewer/isetup.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} -
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: APC UPS Service - Unknown owner - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe (file missing)
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 6186 bytes
 
Re: I have a virus Cryp_Xed-3

On 10/30/2008 11:15 AM, Bob Havens sent:
> I am using Windows XP Home with all the latest updates and SP3. Trend
> Micro PC Cillin is my AV program. I also have Spybot Search and Destroy
> and AdAware.
>
> Several days ago when I was web surfing my AV program detected
> Cryp_Xed-3. I think the virus may have executed since the computer shut
> down by itself. Since then I have been having trouble opening IE
> (Version 6). I have run the full AV program, Spybot and Adaware and
> nothing helps. Sometimes I can get on IE but most of the time I can't.
> I get an error report window. As near as I can tell the problem is
> confined to IE. Other programs seem to work OK. I was able to copy the
> file name from the error report but was unable to copy the remaining
> information. Here are several file names from the error report, PC
> Cillin log file and Hijack This log.
>
> I would like some help in getting IE working again.
>
> Thank you,
> Bob


Snip, snip...

> --
> End of file - 6186 bytes
>


Hello Bob:

Within the last few days, David H. Lipman has posted many site URLs that
will automatically decipher your HJT output. Please give that a try and
then let us know how you are doing from that point.

Best wishes.

--
1PW

 
Re: I have a virus Cryp_Xed-3

From: "Bob Havens" <bhavens@flash-removetoreply-.net>

| I am using Windows XP Home with all the latest updates and SP3. Trend Micro
| PC Cillin is my AV program. I also have Spybot Search and Destroy and
| AdAware.

| Several days ago when I was web surfing my AV program detected Cryp_Xed-3.
| I think the virus may have executed since the computer shut down by itself.
| Since then I have been having trouble opening IE (Version 6). I have run
| the full AV program, Spybot and Adaware and nothing helps. Sometimes I can
| get on IE but most of the time I can't. I get an error report window. As
| near as I can tell the problem is confined to IE. Other programs seem to
| work OK. I was able to copy the file name from the error report but was
| unable to copy the remaining information. Here are several file names from
| the error report, PC Cillin log file and Hijack This log.

| I would like some help in getting IE working again.

| Thank you,
| Bob

| BAD FILE PER ERROR REPORT
| C:\DOCUME~1\bob\LOCALS~1\Temp\204e_appcompat.txt
| C:\DOCUME~1\bob\LOCALS~1\Temp\8642_appcompat.txt
| C:\DOCUME~1\bob\LOCALS~1\Temp\10c6_appcompat.txt
| C:\DOCUME~1\bob\LOCALS~1\Temp\9842_appcompat.txt
| C:\DOCUME~1\bob\LOCALS~1\Temp\2e06_appcompat.txt
| C:\DOCUME~1\bob\LOCALS~1\Temp\30d3_appcompat.txt
| C:\DOCUME~1\bob\LOCALS~1\Temp\76c4_appcompat.txt
| C:\DOCUME~1\bob\LOCALS~1\Temp\37f3_appcompat.txt

| Here is the PC Cillin virus log:

| TREND MICRO PCCILLIN LOG FILE
| "Virus Scan","2008/10/26","BOB-A2BCEN3PAYN"
| "Time","Event","Source Type","Virus Name","File Name","First Action","Second Action"
| "21:19","Real-time Protection","File","Cryp_Xed-3","C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\YZ0FC9YQ\index[1]","",""
| "21:19","Real-time Protection","File","Cryp_Xed-3","C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\YZ0FC9YQ\index[1]","",""
| "21:19","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\AtKB.exe","",""
| "21:20","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\92.tmp","",""
| "21:20","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\AtKB.exe","",""
| "21:20","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\AtKB.exe","",""
| "21:20","Real-time Protection","File","Cryp_Xed-3","C:\WINDOWS\TEMP\97.tmp","",""
| "21:20","Real-time Protection","File","Cryp_Xed-3","C:\WINDOWS\TEMP\98.tmp","",""


It is most likely a faux conclusion that what Trend PCCillin detected was a "virus". The
"Cryp_Xed-3" is related to trojans, not a virus.

Looking at the log Trend made, it looks like it successfully stopped a web-based exploitation
attempt, which is a *good* thing.

However when I search the Trend Micro library I came up with...
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.RH
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADER.VHS

The first URL concerns me because it shows that TROJ_AGENT.RH is synonymous with
"TR/Drop.Srizbi.D (Avira)".

The Srizbi Trojan is a *nasty* RootKit. Although it appears that Trend Micro stopped the
process we want to be sure.

Please download and run Gmer which is an anti RootKit utility that detects Srizbi.
http://www.gmer.net/files.php

Posting HJT logs in the Microsoft News Groups, and in Usenet in general, is not allowed.
If you had asked before posting the HJT logs, you would have been told this. There are
"expert" forums set up specifically to handle one-on-one assistance that starts with the
posting of HJT logs.


Forums where you can get expert advice for HiJack This! (HJT) Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log. It is suggested
that you post your GMer log with your HJT logs, along with the information you have collected
and the information I provided about what Trend Micro detected.

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
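As an added illustration that is not part of any post in this thread: a small parser for the PC-cillin CSV log format quoted above, fed a constructed copy of four of Bob's log rows. It separates browser-cache hits from files dropped into Temp, picks out the dropped executable, and counts rows whose action columns are empty, which is exactly why the log on its own cannot confirm that the file was stopped.

```python
import csv
import io
from collections import Counter

# Constructed sample: four rows taken from the PC-cillin log posted in the
# thread, with the e-mail line wrapping removed so each record is one line.
PCCILLIN_LOG = r'''"Virus Scan","2008/10/26","BOB-A2BCEN3PAYN"
"Time","Event","Source Type","Virus Name","File Name","First Action","Second Action"
"21:19","Real-time Protection","File","Cryp_Xed-3","C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\YZ0FC9YQ\index[1]","",""
"21:19","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\AtKB.exe","",""
"21:20","Real-time Protection","File","Cryp_Xed-3","C:\DOCUME~1\bob\LOCALS~1\Temp\92.tmp","",""
"21:20","Real-time Protection","File","Cryp_Xed-3","C:\WINDOWS\TEMP\97.tmp" ,"",""
'''


def parse_pccillin_log(text):
    """Split the log into its scan header and one dict per detection row."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    scan_name, scan_date, host = (c.strip() for c in rows[0])
    columns = [c.strip() for c in rows[1]]
    events = []
    for row in rows[2:]:
        if len(row) != len(columns):  # tolerate a truncated or wrapped line
            continue
        # strip() absorbs the stray space PC-cillin left before a delimiter
        events.append({k: v.strip() for k, v in zip(columns, row)})
    return {"scan": scan_name, "date": scan_date, "host": host}, events


def classify_path(path):
    """Where the detected file sat tells you how it arrived on the box."""
    p = path.lower()
    if "temporary internet files" in p:
        return "browser cache (web-delivered content)"
    if "\\temp\\" in p:
        return "temp directory (dropped file)"
    return "other"


def summarize(events):
    """Aggregate what a responder wants before declaring the box clean."""
    by_location = Counter(classify_path(e["File Name"]) for e in events)
    return {
        "detections": len(events),
        "names": sorted({e["Virus Name"] for e in events}),
        "by_location": dict(by_location),
        # a dropped .exe in Temp is the payload, not just cached HTML
        "executables": sorted({e["File Name"] for e in events
                               if e["File Name"].lower().endswith(".exe")}),
        # empty action columns: the log does not say what became of the file
        "no_recorded_action": sum(1 for e in events if not e["First Action"]),
    }
```

Run `summarize(parse_pccillin_log(PCCILLIN_LOG)[1])` to see the breakdown; on real logs the interesting rows are the dropped executables and any row with no recorded action.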
 