Assistance Required in Removing Trojan Crypt EML

By TheSmartDog
Jun 2, 2009
Topic Status:
Not open for further replies.
  1. Hello.

    Well, I followed the 8 steps protocol, as best I could, but there were a few snags. SuperAnti I already had, but it no longer works as of the appearance of this Trojan. At startup Windows informs me that the program has stopped responding and eventually prompts me to close the program. Any attempts to repair or restart the program result in the Blue Screen. HijackThis also fails to install, as does Malwarebytes. (Yes, I followed the links given.) Therefore, I'm suffering from a rather pitiful lack of logs to report my situation. My sincerest apologies.

    My Java Runtime environment also reported itself as being the most up to date version available.

    The actual problem goes something like this: Upon startup everything appears normal; however, SuperAnti fails to start properly and ends up closing. For this reason, I suspected something was awry with my computer. Upon opening a browser window, AVG informed me of a "multiple threat detection" in file(s) C:\Windows\System32\gxvxcispxdiftgekofnlhgxgojqfirncwuems.dll. It classifies the infection as "Trojan Horse Crypt.EML". The file is also conspicuously absent from its supposed location, but perhaps it is hidden..? Furthermore, AVG reports that the files are either moved to the virus vault or deleted, but when the computer is rebooted and a browser opened, the same alert appears. AVG is the only service to detect this infection; Avira does not detect anything. However, when I use the scan system 'Luke Filewalker' it always freezes when it begins to scan C:\Windows\System32\Config or something akin to that.

    I've been googling "Trojan Horse Crypt EML" and variations of that, but my search queries have returned very little. There appears to be very little information concerning this infection; that, or perhaps my searches were poorly conducted. Avira's database apparently contained no information regarding the infection, and searching AVG's databases produced equally fruitless results. So far, this appears to be the most reliable locale to field any inquiries. Hopefully a little help can be spared..? =)
  2. touch

    touch Newcomer, in training Posts: 978

    Hello TheSmartDog

    The not-easy-to-pronounce file -> gxvxcispxdiftgekofnlhgxgojqfirncwuems.dll looks like a rootkit, and it is probably why you can't install Malwarebytes or HijackThis, as it's blocking them.

    I'll therefore suggest you try ComboFix ->

    Please download ComboFix here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

    Now, please make sure no other programs are running, close all other windows.

    Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
    Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
    It may take a while to complete scanning and this is normal.

    You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning. Do not worry, this is normal and it will be restored after scanning has completed.

    ComboFix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post.
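    As an added illustration of touch's point about the random-looking DLL name (this is not code from the thread or from any of the tools mentioned): a small Python heuristic that flags long, consonant-heavy, high-entropy DLL names in a directory listing, using the name reported above as a constructed sample next to ordinary system DLLs. The thresholds are assumptions, and a hit is only a reason to investigate a file, not proof of infection.

```python
import math
import os
from collections import Counter

# Constructed sample listing: the name AVG reported in this thread,
# alongside ordinary Windows system DLL names for comparison.
SAMPLE_NAMES = [
    "gxvxcispxdiftgekofnlhgxgojqfirncwuems.dll",
    "kernel32.dll",
    "ntdll.dll",
    "advapi32.dll",
    "comctl32.dll",
]

VOWELS = set("aeiouy")


def shannon_entropy(s: str) -> float:
    """Bits per character of a string (closer to random = higher)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(s: str) -> float:
    """Share of letters that are vowels; generated names tend to be low."""
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in VOWELS for ch in letters) / len(letters)


def looks_randomized(filename: str, min_len: int = 16,
                     max_vowel_ratio: float = 0.3,
                     min_entropy: float = 3.5) -> bool:
    """Heuristic (assumed thresholds): long, purely alphabetic stem,
    consonant-heavy and high-entropy, as typical of generated names."""
    stem = os.path.splitext(filename)[0].lower()
    if len(stem) < min_len or not stem.isalpha():
        return False
    return (vowel_ratio(stem) <= max_vowel_ratio
            and shannon_entropy(stem) >= min_entropy)


def flag_names(names):
    """Return the subset of names worth a closer look."""
    return [n for n in names if looks_randomized(n)]


if __name__ == "__main__":
    for name in flag_names(SAMPLE_NAMES):
        print("suspicious name:", name)
```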
  3. ADRideau

    ADRideau Newcomer, in training

    I need assistance with the same exact issue. And SmartDog is right, there was hardly any info regarding this variant on the Net.

    I'll be sure to follow-up here when something effective comes up.

    -AD
  4. ADRideau

    ADRideau Newcomer, in training

    *resolved*

    Thanks Touch! ComboFix was the answer after all. Followed everything down and it worked! That was a disgusting lil bug.

    :)
  5. TheSmartDog

    TheSmartDog Newcomer, in training Topic Starter

    Alrighty, mine worked out too, with a couple of snags along the way, but all's well that ends well. Thanks a million, touch. At the very least, now there's a resource available to others with this problem and a solution in conjunction with it. Thanks again!

    =P Glad you managed to find your way to touch's solution as well, ADRideau. Hopefully anyone unfortunate enough to have that rootkit find its way onto their computer will be able to locate this solution too.

    As requested, the log file that ComboFix produced is attached. Hopefully there's nothing more I should be worrying about. Again, many thanks for this simple solution, wish you all the best, good samaritan. =)


  6. touch

    touch Newcomer, in training Posts: 978

  7. spin57

    spin57 Newcomer, in training

    Virus from Hell

    Many thanks for your advice on this virus. I had almost given up, but after reading your info, I tried it and it's gone finally. Once again, thank you.

    Cheers
  8. TheSmartDog

    TheSmartDog Newcomer, in training Topic Starter

    Okay, deleted that folder.

    Ran the Antivirus/AntiSpyware programs listed in the '8 Steps' guide.
    They found a few odds and ends apparently still lurking about my system.
    Attached are the log files from Malwarebytes, SUPERAntiSpyware, and Hijackthis.

    Thanks again for all the help!
  9. touch

    touch Newcomer, in training Posts: 978

    Run Malwarebytes, and have it fix what it finds.

    You have 3 antivirus programs running (AVG8, Avira and Norton); it is a waste of resources, and they will conflict.

    Have you paid for Norton/Symantec?
  10. TheSmartDog

    TheSmartDog Newcomer, in training Topic Starter

    I fixed the issues it detected when it finished the scan.

    Er...well, I have AVG8 and only installed Avira in an attempt to remove that nasty rootkit I previously had. Formerly, I was relying solely on AVG for real time protection. Norton is not functional, or at least I'm not aware of it running. It doesn't appear as a running program on my taskbar. I tried uninstalling it, but some error was given about the file not being located.

    No, I haven't paid for Norton/Symantec. It was bundled as a free sixty day trial with the purchase of the computer, but has long since expired.
  11. touch

    touch Newcomer, in training Posts: 978

    Ok. Then I suggest we remove Norton and AVG8.

    AVG8, because of this:
    "AVG Free does not contain Anti-Rootkit protection so rootkits may be hidden in your system." It was a rootkit that was the issue here ;)

    Uninstall your AVG Antivirus
    Run the AVGRemove Tool

    Reboot.

    Download the Norton Removal Tool (SymNRT) to your Desktop.
    Norton Removal Tool
    Once downloaded please close ALL open browsers, also save any work because this may require a restart.

    Go to your desktop and double click on the removal tool and then click Setup.
    Once open Click Next
    Accept the license agreement and click Next
    Type in the letters/numbers that you see into the text box then click Next.
    Then click Next and the tool will start running.
    Once finished restart the PC and run the tool again to ensure everything has been removed.
    Delete the Norton Removal Tool from your Desktop.
    Restart.

    Attach a new HijackThis log, and tell us how things are running now.
  12. TheSmartDog

    TheSmartDog Newcomer, in training Topic Starter

    Not to contradict a seasoned professional like yourself, but when I had that rootkit, it was AVG that detected the presence of an infection when I opened a browser. Avira reported nothing...

    I can remove Norton though. That's certainly alright, since I don't use it whatsoever.
  13. kritius

    kritius TechSpot Guru Posts: 2,087

    More than one antivirus program will cause conflicts and let things slip through.

    Decide which one you want to keep and ditch the other 2.

  14. spin57

    spin57 Newcomer, in training

    Well, all has been good for a while, but it seems it is back. AVG didn't pick it, Malwarebytes hasn't found it, so I'll have to run this proggy again and see what it finds!
    It only seems to be when we look at Hotmail emails etc??
    It comes up with APPCRASH as the reason for Internet Explorer shutting down??
  15. ADRideau

    ADRideau Newcomer, in training

    wow,.. are you serious?

    I haven't had any problems since. Let us know how you made out after applying the Combofix and removing your system restore points.
  16. spin57

    spin57 Newcomer, in training

    Well, I re-downloaded ComboFix and ran it again.
    It found some bug again and removed it.....gggrrrrrrr
    Must have been in an attachment and got through.
    I need to get NOD32, methinks.

    All good again so far, fingers crossed...:)
  17. russellme

    russellme Newcomer, in training

    I followed the directions given on this website to remove the Trojan Horse Crypt.EML virus from my computer as well.

    Anyways, ComboFix ran fine and generated a log report.

    However, now all my programs won't work and instead say "Illegal operation attempted on a registry key that has been marked for deletion" when I try to run them.

    Can somebody please help me fix this?

    I have attached the ComboFix log if that helps.

    Thanks-