TechSpot

Need Help With Trojan.crypt.e

By Jazzy
Jun 16, 2006
  1. I really need help with this problem I'm having. I can't get rid of this Trojan.Crypt.E and Backdoor.Rbot.Gen. I've booted Windows XP in safe mode and run Spyware Doctor. PLEASE HELP ME!
     


  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    You are hijacked with the New.net infection. Do the following.

    Click Start/Control Panel/Add/Remove Programs and uninstall: New.net Application or New.net Domains
    If neither is listed, download and run this: www.new.net/support/uninstall6_38.exe

    Please post a fresh HJT log.

    Regards Howard :wave: :wave:
     
  3. tomrca

    tomrca TS Rookie Posts: 1,000

    Sorry to break in Howard, but I was looking at the HJT log and I have noticed that there's no evidence of an AV programme etc.
    Probably wrong, but hey! Won't be the last time.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You're quite right mate.

    Once Jazzy's system is clean I was going to suggest he get some antivirus/firewall protection lol.

    Regards Howard :)
     
  5. Jazzy

    Jazzy TS Rookie Topic Starter

    AWESOME. :cool: I'm praying that I am cured. I did as you instructed and I am attaching my HJT log. I might be celebrating too early but hopefully this is it. I will look around for a firewall though. Will I still get pop ups? Because unfortunately I just got one.

    Btw, Jazzy is a lady. :)
     
  6. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15

    trojan.crypt.e AKA Downloader-EA (McAfee), W32.Spybot.Worm (Symantec), Win32.HLLW.MyBot (Doctor Web), Troj/Pyfls-A (Sophos), TROJ_DLOADER.JB (Trend Micro), TR/Crypt.E (H+BEDV), Trojan.Crypt.E (SOFTWIN), Trj/Downloader.CZU (Panda), Win32/Crypt.E (Eset)

    removal:

    http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

    Also stop using peer-to-peer software like Kazaa. This is an open invitation to garbage like this.
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programmes in your Control Panel and uninstall anything to do with the following (if there).

    outlook
    Warez P2P Client

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the Processes tab and end the process for the following (if there).

    outlook.exe
    ?srss.exe
    NDNUNI~2.EXE
    warez.exe


    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to each one (if there).

    R3 - URLSearchHook: (no name) - _{32EA1CE4-8083-48AA-BD8F-2DC97A1CDB7E} - (no file)

    O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll (file missing)

    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto

    O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h

    O4 - HKCU\..\Run: [Ejue] C:\WINDOWS\a?sembly\?srss.exe

    O15 - Trusted Zone: *.musicmatch.com
    O15 - Trusted Zone: *.musicmatch.com (HKLM)

    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1444/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab

    O17 - HKLM\System\CCS\Services\Tcpip\..\{BE651D6B-8D6A-474E-BB24-2E4EA9B17FC7}: NameServer = 209.244.0.3 209.244.0.4
    (Only fix this if it doesn't belong to your ISP.)

    O20 - Winlogon Notify: awvtt - C:\WINDOWS\system32\awvtt.dll (file missing)

    O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\MAW3PRT.DLL (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\WINDOWS\a?sembly\?srss.exe
    C:\Program Files\Warez P2P Client\warez.exe
    C:\Program Files\outlook\outlook.exe
    C:\WINDOWS\NDNUNI~2.EXE

    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log.


    Regards Howard :)
     
  8. tomrca

    tomrca TS Rookie Posts: 1,000

    Hi Jazzy, I can't see any antivirus programme. There are many free antivirus programs such as AVG, www.grisoft.com. Do you know how to activate your Windows firewall? If you don't have a firewall you can get a free one too from ZoneAlarm, www.zonealarm.com
     
  9. Jazzy

    Jazzy TS Rookie Topic Starter

    There is an application in my Windows file that says dfndr and I cannot delete it unless I am in safe mode. I have deleted this thing before but apparently it's back. Also some of the things that you told me to check in HJT won't show up in safe mode, such as the
    O4 - HKCU\..\Run: [warez] "C:\Program Files\Warez P2P Client\warez.exe" -h
    O4 - HKCU\..\Run: [Ejue] C:\Windows\a?sembly\?srss.exe
    O15 - Trusted Zone: *.musicmatch.com

    Also I think this has something to do with the dfndr thing.

    O4 - HKLM\..\Run: [newname] C:\\nwnm.exe
    O4 - HKLM\..\Run: [defender] C:\\dfndr.exe
     
  10. tomrca

    tomrca TS Rookie Posts: 1,000

    Jazzy, it seems that you do not have any antivirus programme on your PC. Visit Grisoft; they have an antivirus free for home use called AVG. www.grisoft.com/doc/1
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Download and install the following two programmes.

    AVG Free and ZoneAlarm Free from HERE and HERE.

    Install Zonealarm, followed by AVG. Reboot your computer and run the AVG updates.

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Run a full system scan with AVG and delete whatever it finds.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the Processes tab and end the process for the following (if there).

    dfndr.exe
    ?srss.exe
    nwnm.exe

    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to each one (if there).

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=

    R3 - URLSearchHook: (no name) - _{32EA1CE4-8083-48AA-BD8F-2DC97A1CDB7E} - (no file)

    O4 - HKLM\..\Run: [newname] C:\\nwnm.exe

    O4 - HKLM\..\Run: [defender] C:\\dfndr.exe

    O4 - HKCU\..\Run: [Ejue] C:\WINDOWS\a?sembly\?srss.exe

    O15 - Trusted Zone: *.musicmatch.com

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\WINDOWS\a?sembly\?srss.exe
    C:\\dfndr.exe
    C:\\nwnm.exe

    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log.


    Regards Howard :)
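Howard's two removal posts above (replies 7 and 11) work by reading the HJT log and singling out entries whose target file is reported missing, whose path contains `?` placeholders for characters HJT cannot display (the `a?sembly\?srss.exe` lookalike), or which launch an executable straight from the drive root (`C:\\dfndr.exe`, `C:\\nwnm.exe`). The script below is an added example, not part of the thread and not code from HijackThis or TechSpot: it parses HJT-style lines and applies those same heuristics so a reader can see which lines would be flagged and why. The sample log is constructed from the entries quoted in the thread, and the section labels, flag wording and rules are this example's own assumptions rather than anything HJT itself outputs.

```python
"""Triage HijackThis-style log lines with the heuristics used in the thread.

Added example: not from the thread, HijackThis or TechSpot. The section
descriptions and the flag rules below are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Section prefixes that appear in the thread and what they cover (assumed labels).
SECTION_NAMES = {
    "R1": "IE registry value (proxy / start page)",
    "R3": "URLSearchHook",
    "O3": "IE toolbar",
    "O4": "autorun (Run key or Startup folder)",
    "O15": "IE Trusted Zone entry",
    "O16": "downloaded ActiveX control (DPF)",
    "O17": "TCP/IP NameServer setting",
    "O20": "Winlogon Notify DLL",
}

LINE_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
# Windows path ending in an executable/library extension; tolerates spaces
# such as "C:\Program Files\..." because it stops at the extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cab)", re.I)
# Executable sitting directly in the drive root, e.g. C:\\dfndr.exe
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\\\?[^\\]+\.exe$", re.I)


@dataclass
class Entry:
    section: str
    text: str
    flags: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for an HJT line, or None for blank/non-HJT text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(section=m.group(1), text=m.group(2))


def extract_path(text):
    """First Windows file path in the line, or None."""
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def triage(entry):
    """Attach the thread's triage heuristics as flags; returns the entry."""
    t = entry.text
    if "(file missing)" in t or "(no file)" in t:
        entry.flags.append("orphaned: referenced file does not exist")
    path = extract_path(t)
    if path:
        # HJT prints characters it cannot display as '?', which is how the
        # a?sembly\?srss.exe lookalike shows up in the thread.
        if "?" in path:
            entry.flags.append("non-printable or lookalike character in path")
        if ROOT_EXE_RE.match(path):
            entry.flags.append("executable in drive root")
    if entry.section == "O15":
        entry.flags.append("Trusted Zone lowers IE security for this domain")
    if entry.section == "R1" and t.rstrip().endswith("="):
        entry.flags.append("empty proxy setting left behind")
    if entry.section == "O17":
        entry.flags.append("verify NameServer belongs to your ISP before fixing")
    return entry


def triage_log(log_text):
    """Parse every HJT line in log_text and return the triaged entries in order."""
    entries = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            entries.append(triage(e))
    return entries


def flagged(entries):
    """Only the entries that picked up at least one flag."""
    return [e for e in entries if e.flags]


# Constructed sample: the entries quoted in Howard's two removal posts.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
R3 - URLSearchHook: (no name) - _{32EA1CE4-8083-48AA-BD8F-2DC97A1CDB7E} - (no file)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll (file missing)
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [defender] C:\\dfndr.exe
O4 - HKCU\..\Run: [Ejue] C:\WINDOWS\a?sembly\?srss.exe
O15 - Trusted Zone: *.musicmatch.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE651D6B-8D6A-474E-BB24-2E4EA9B17FC7}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: awvtt - C:\WINDOWS\system32\awvtt.dll (file missing)
"""

if __name__ == "__main__":
    for e in flagged(triage_log(SAMPLE_LOG)):
        print(f"{e.section:<4}{SECTION_NAMES.get(e.section, '?'):<40} {e.text}")
        for f in e.flags:
            print(f"      -> {f}")
```

Running the script lists eight of the nine sample lines with a reason for each; the `outlook.exe` autorun is the one entry no heuristic catches, which is the point where a human reviewer (as Howard did) still has to recognise that a legitimate-sounding name in its own Program Files folder is not the real Outlook. The O17 NameServer line is flagged only for verification, matching the thread's caveat that it should be fixed solely when the addresses are not the ISP's.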
     
  12. Jazzy

    Jazzy TS Rookie Topic Starter

    ok new HJT log posted. I am praying for good news.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I'm pleased to say, your HJT log is clean.

    Regards Howard :)
     