TechSpot

Cannot find out how to get rid of win32/crypt.exe virus

By jimflint1
Oct 8, 2006
Topic Status:
Not open for further replies.
  1. I've tried all the trojan etc. fixes suggested by Howard for generalized fixes, but I can't figure out how to get rid of this virus. Apparently it changes names every time you shut off the comp, so should I leave my comp on until it's solved or what? Do you have any ideas for ridding myself of this pest?

    Thanks,

    Shane
  2. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Go and read the Trojan Pakes and other nasties preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

    Regards Howard :)

    This thread is for the use of jimflint1 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  3. tomrca

    tomrca Newcomer, in training Posts: 1,051

    Until Howard gets back to you, as I am sure he will, look here
    for info on its alias and variations
  4. jimflint1

    jimflint1 TechSpot Enthusiast Topic Starter Posts: 235

    Hi Howard. Here are my hijackthis log and AVG antispyware log. I actually have done this twice (your outlined procedure). I did it the second time because I wasn't sure I'd done everything exactly right, so the AVG log doesn't show anything--or maybe it's not supposed to. Anyway, here they are:
  5. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Your HJT log is clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

  6. jimflint1

    jimflint1 TechSpot Enthusiast Topic Starter Posts: 235

    Thanks, Howard. I will let you know if anything else rears its ugly head! :)
  7. jimflint1

    jimflint1 TechSpot Enthusiast Topic Starter Posts: 235

    Howard, I just ran the AVG Virus Scan again and it's still showing the Win32/Crypt.exe virus.
  8. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Download and run this tool HERE.

    Please let me know the results.

    If AVG still finds the virus, please let me know the full filepath to it.

    Regards Howard :)

  9. jimflint1

    jimflint1 TechSpot Enthusiast Topic Starter Posts: 235

    The tools turned up nothing, but AVG still did. I found the full path to the file containing the virus. Here it is: C:\Documents and Settings\Shane.EHANMIGDAINE\Application Data\IDM\DwnlData\Shane\TRUE_89
  10. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Ok, download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted.

    Once your system has rebooted, turn system restore back on and rehide your protected OS files.

    Let me know the results and post a fresh HJT log.

    Regards Howard :)

  11. jimflint1

    jimflint1 TechSpot Enthusiast Topic Starter Posts: 235

    Howard, you are a saint! The file appears now to be gone. I appreciate your time and advice very much. Here's my hijackthis log below.

    Best wishes,

    Shane
     
  12. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Your HJT log is clean.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

  13. jimflint1

    jimflint1 TechSpot Enthusiast Topic Starter Posts: 235

    Yikes, Howard, I think I still have it. I ran another virus scan just a few minutes ago and the same virus turned up again, with another path. The former path was c:\documentsandsettings\shane.ehanmigdaine\applicationdata\IDM\downldata\Shane\TRUE_89

    Now the virus is back again with this path name: C:\!killbox\true_89\TRUE

    Or, does this mean it's quarantined in killbox?
  14. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    That's the killbox backup of the file you deleted. Just delete the killbox backups file.

    Regards Howard :)

  15. jimflint1

    jimflint1 TechSpot Enthusiast Topic Starter Posts: 235

    okay, thanks!

    Shane
  16. jimflint1

    jimflint1 TechSpot Enthusiast Topic Starter Posts: 235

    More and more pop-ups

    I'm getting flooded with pop-ups these days and I don't enjoy having to click on them to get rid of them. Any good ways to block them?
  17. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Post a HJT log as an attachment and I'll take a look.

    Regards Howard :)

  18. jimflint1

    jimflint1 TechSpot Enthusiast Topic Starter Posts: 235

    Here's the log.
  19. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    I have merged your new thread into this one.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

    Open your task manager by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    QFSCHD110.EXE

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.usefulware.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.usefulware.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.usefulware.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com

    O4 - HKLM\..\Run: [QuickFinder Scheduler] "F:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"

    Click on the fix checked button.

    Close HJT.

    Reboot your system and post a fresh HJT log. Let me know if you're still having problems.

    Regards Howard :)

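
    The R0/R1 and O4 lines quoted in the post above follow a regular layout (entry code, registry hive and key, value name, data), so a log can be triaged mechanically. The sketch below is an added example, not part of the thread and not HijackThis's own code; the allowlist, the function names and the one "Start Page" sample line are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Sample input: entries quoted in the post above, plus one constructed benign line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.usefulware.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.org/
O4 - HKLM\..\Run: [QuickFinder Scheduler] "F:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
"""

# Assumption: hosts the analyst accepts as browser search/start pages.
ALLOWED_HOSTS = {"www.example.org"}

# "R1 - HIVE\key path,value name = data"
R_LINE = re.compile(r"^(R[0-3]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
# 'O4 - HIVE\..\Run: [entry name] "command"'
O4_LINE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] "?(.+?)"?$')

def parse_line(line):
    """Return a dict for a registry-backed R0-R3 or O4 entry, else None."""
    line = line.strip()
    m = R_LINE.match(line)
    if m:
        code, hive, key, value, data = m.groups()
        return {"code": code, "hive": hive, "key": key, "value": value, "data": data}
    m = O4_LINE.match(line)
    if m:
        hive, key, name, command = m.groups()
        return {"code": "O4", "hive": hive, "key": key, "value": name, "data": command}
    return None

def review(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Collect browser settings pointing at unlisted hosts, and autostart commands."""
    redirects, autostarts = [], []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        if entry["code"] == "O4":
            autostarts.append((entry["value"], entry["data"]))
            continue
        host = urlparse(entry["data"]).hostname
        if host and host not in allowed_hosts:
            redirects.append((entry["hive"], entry["value"], entry["data"]))
    return redirects, autostarts

if __name__ == "__main__":
    for item in sum(review(SAMPLE_LOG), []):
        print(item)
```

    Autostart entries are only listed, not judged: whether a given Run command belongs on the machine is still the analyst's call.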
  20. jimflint1

    jimflint1 TechSpot Enthusiast Topic Starter Posts: 235

    Okay, here's the newest logfile:
  21. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Your HJT log is clean.

    Regards Howard :)


