Any advise how to get rid of Win32:JunkPoly [Cryp] virus?

Recently my Avast antivirus started to detecting a virus called Win32:JunkPoly [Cryp]

The infected files are C:/gm.exe and C:/rklm.exe i always select delete but it keeps comming back.

So, any suggestions how to get rid of this virus ?

It’s safer send to Chest than direct deleting files…
I suggest:

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on.
  4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.
  5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

I got the same virus in my PC
If you know of a free antivirus / antirootkit / antispyware that has proved to work to remove it please post it here

I’ve tried several programs so far:

avast 4.8 (avast detects and delete it but it appears again after reboot)
spybot search and destroy
sophos anti rootkit
pctools spyware doctor
XoftSpySE Anti-Spyware.
Avast antirootkit

it would be useful to run a HiJackThis scan and post the results here…

If you think it helps . . . here you are

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:23:09, on 11/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\scvhost.exe
C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Aplicaciones descargadas\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Archivos de programa\eread7.0\IEeREAD.dll (file missing)
O4 - HKLM..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SERVICIO LOCAL’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Servicio de red’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: Acceso directo a del.bat.lnk = C:\Documents and Settings\Manuel\Escritorio\del.bat
O4 - Startup: Acceso directo a prueba.bat.lnk = C:\Temp\prueba.bat
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Windows Action Script - Unknown owner - C:\WINDOWS\system32\scvhost.exe


End of file - 4008 bytes

do you know what these items standing for?

O4 - Startup: Acceso directo a del.bat.lnk = C:\Documents and Settings\Manuel\Escritorio\del.bat
O4 - Startup: Acceso directo a prueba.bat.lnk = C:\Temp\prueba.bat

are they made by you?

yeah, 2 bat files made by me, nothing to worry about

C:\WINDOWS\system32\scvhost.exe

http://www.bleepingcomputer.com/startups/SCVHOST.exe-16634.html

Please disable ‘Hide protected operating system files’ and enable ‘View Hidden Files and Folders’, and upload the above files to VirusTotal for analysis. Post the results here.

Shit! I had suspected from this file, but it seemed to be part of windows, so I let it alone. It’s the first time I’ve been told the file to have something wrong in it, and I’m not sure if it’s the mentioned junkpoly or another one. What I’m supposed to do now? There’s another thread where it says that this same file triggered a false positive

Análisis del archivo scvhost.exe recibido el 12.06.2008 14:08:07 (CET)Motor antivirus Versión Última actualización Resultado
AhnLab-V3 2008.6.11.0 2008.06.12 -
AntiVir 7.8.0.55 2008.06.12 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.06.12 W32/Backdoor2.AMYW
Avast 4.8.1195.0 2008.06.12 -
AVG 7.5.0.516 2008.06.12 BackDoor.Generic9.ATVW
BitDefender 7.2 2008.06.12 -
CAT-QuickHeal 9.50 2008.06.11 Backdoor.DsBot.ox
ClamAV 0.92.1 2008.06.12 -
DrWeb 4.44.0.09170 2008.06.12 Trojan.Packed.470
eSafe 7.0.15.0 2008.06.11 Win32.DsBot.ox
eTrust-Vet 31.6.5868 2008.06.12 -
Ewido 4.0 2008.06.12 Backdoor.DsBot.ox
F-Prot 4.4.4.56 2008.06.12 W32/Backdoor2.AMYW
F-Secure 6.70.13260.0 2008.06.12 Backdoor.Win32.DsBot.ox
Fortinet 3.14.0.0 2008.06.12 -
GData 2.0.7306.1023 2008.06.12 Backdoor.Win32.DsBot.ox
Ikarus T3.1.1.26.0 2008.06.12 Backdoor.Win32.DsBot.ox
Kaspersky 7.0.0.125 2008.06.12 Backdoor.Win32.DsBot.ox
McAfee 5315 2008.06.11 Generic BackDoor
Microsoft 1.3604 2008.06.12 VirTool:Win32/Obfuscator.AT
NOD32v2 3180 2008.06.12 -
Norman 5.80.02 2008.06.12 -
Panda 9.0.0.4 2008.06.11 Suspicious file
Prevx1 V2 2008.06.12 Cloaked Malware
Rising 20.48.32.00 2008.06.12 -
Sophos 4.30.0 2008.06.12 Mal/Generic-A
Sunbelt 3.0.1145.1 2008.06.05 -
Symantec 10 2008.06.12 -
TheHacker 6.2.92.344 2008.06.12 Backdoor/DsBot.ox
VBA32 3.12.6.7 2008.06.12 Net-Worm.Win32.Kolabc.yi
VirusBuster 4.3.26:9 2008.06.11 -
Webwasher-Gateway 6.6.2 2008.06.12 Trojan.Crypt.XPACK.Gen

Información adicional
Tamano archivo: 48971 bytes
MD5…: d34b6c3f35a4782cef35c52f40508f63
SHA1…: 405b33c412d8b454f8fa2cbc7d6b817a419f6df2
SHA256: 0e905b12ae2ede50f2b408bf8000bcfd7d9ff5bb9a50cf5537635076dd3f8f65
SHA512: 917d6ba80242734ff1ff6d5e4d7986c1331199080574ad258d5bab4782ff8950
7a7d4e2a8c23211d7fb340842045a2d6e17e2fdd75d72da51611dad136bae240
PEiD…: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x472000
timedatestamp…: 0x482efcfc (Sat May 17 15:42:52 2008)
machinetype…: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.pepsi 0x1000 0x70000 0xb414 7.48 8dfe6fd369aedc7680bb04be58859ad4
n_coded 0x71000 0x1000 0x600 5.75 cd20334f7b52ef9ec15900b71a2d50e8
.asd___ 0x72000 0x1000 0x14b 5.03 4813d451cecfe7d025e3b05cdee36014

( 1 imports )
> kernel32.dll: ExitProcess, GetModuleHandleA, GetProcAddress, LoadLibraryA, RtlZeroMemory, VirtualAlloc, VirtualFree, VirtualProtect

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=38B703664B9F3241BF79007C98E9D3007B8F30F6
packers (Kaspersky): NCode

It’s running as a service.

Click “Start” > “Run” and type “Services.msc” (without quotes) then hit “Ok”.

Click the “Extended” tab.

Scroll down and find the service called Windows Action Script - Unknown owner - C:\WINDOWS\system32\scvhost.exe
Click once on the service to highlight it.

Click “Stop”.

Right-click on the service.

Click on “Properties”.

Select the “General” tab.

Click the Arrow-down tab on the right-hand side on the “Start-up Type” box.

From the drop-down menu, click on “Disabled”.

Click “Apply”, then “OK”.

Now you will want to delete the service:

Open HijackThis.

Click on the “Open Misc. tools section” button.

Click on the “Delete an NT service” button.

Type “Windows Action Script” in the space provided and click OK.

The program will ask you to reboot. Accept.

Run HijackThis! again, tick the following entry, close all other windows and click ‘fix’:

O23 - Service: Windows Action Script - Unknown owner - C:\WINDOWS\system32\scvhost.exe

Reboot into Safe Mode and delete the following file:

C:\WINDOWS\system32\scvhost.exe

That should fix it.

Thanks, with just the first steps the virus doesn’t seem to resist the cleaning anymore. I badly need my computer at this time, I will go further and delete service and file in some time when I finish my work and I can risk to mess a bit my PC

Ok. I was away for 5 days but finally i got back… so here is mine HijackThis file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:59, on 2008-06-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
E:\Razer\DeathAdder\razerhid.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\scvhost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Razer\DeathAdder\razerofa.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.lt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [VTTimer] VTTimer.exe
O4 - HKLM..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [GrooveMonitor] “C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”
O4 - HKLM..\Run: [DeathAdder] E:\Razer\DeathAdder\razerhid.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [Google Desktop Search] “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM..\Run: [NvGraphicsInterface] C:\winhost.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [BitTorrent DNA] “C:\Program Files\DNA\btdna.exe”
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://www.gamescampus.com/luncher/GamesCampus.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - E:\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - E:\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Windows Action Script - Unknown owner - C:\WINDOWS\system32\scvhost.exe


End of file - 7274 bytes

it’s the same scvhost problem (the valid file is svchost)… you should fix the related service entry and reboot your computer…

How to run in Safe mode? and other thing, C:/backup.exe and C:/winhost.exe started to apearing and auto-running themself…

C:/backup.exe
C:\winhost.exe

Please disable ‘Hide protected operating system files’ and enable ‘View Hidden Files and Folders’, and upload the above files to VirusTotal for analysis. Post the results here.

backup.exe file analysis


MD5: d34b6c3f35a4782cef35c52f40508f63
First received: 06.06.2008 08:28:16 (CET)
Date: 06.13.2008 16:18:59 (CET) [>2D]
Results: 21/32
Permalink: analisis/30451b127fd52dc1388e17a549425497

winhost.exe file analysis


Antivirus Version Last Update Result
AhnLab-V3 2008.6.13.1 2008.06.15 -
AntiVir 7.8.0.55 2008.06.15 -
Authentium 5.1.0.4 2008.06.15 -
Avast 4.8.1195.0 2008.06.15 -
AVG 7.5.0.516 2008.06.14 -
BitDefender 7.2 2008.06.15 -
CAT-QuickHeal 9.50 2008.06.14 -
ClamAV 0.92.1 2008.06.15 -
DrWeb 4.44.0.09170 2008.06.15 -
eSafe 7.0.15.0 2008.06.15 -
eTrust-Vet 31.6.5873 2008.06.14 -
Ewido 4.0 2008.06.15 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.15 -
Fortinet 3.14.0.0 2008.06.15 -
GData 2.0.7306.1023 2008.06.15 -
Ikarus T3.1.1.26.0 2008.06.15 -
Kaspersky 7.0.0.125 2008.06.15 -
McAfee 5317 2008.06.13 -
Microsoft 1.3604 2008.06.15 -
NOD32v2 3187 2008.06.15 -
Norman 5.80.02 2008.06.13 -
Panda 9.0.0.4 2008.06.15 -
Prevx1 V2 2008.06.15 -
Rising 20.48.62.00 2008.06.15 -
Sophos 4.30.0 2008.06.15 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.15 -
TheHacker 6.2.92.350 2008.06.14 -
VBA32 3.12.6.7 2008.06.14 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.15 -
Additional information
File size: 472 bytes
MD5…: ca25c3c9a978ccf2762434dcd8d731c0
SHA1…: d310b075d45ad2db7e227f97f8207fc65ebf0501
SHA256: f607b6d741e3f3979c92066f9733fad24172e7a7145893a2ee5b16f49732fefb
SHA512: df1d030886444a596359060e3777697e32f8558b590303f0d88a183b0f280059
13cbe1b1a5500b3ab19197a6e6d127ce6b8d8dcba125731b63e5824b3728d79a
PEiD…: -
PEInfo: -

Here you go.

Some new virus have infected another file…
Virus name : Win32:Mirar-B [Adw]
File location : C:\DOCUME~1\user\LOCALS~1\Temp\Mirar_V56_VC_Setup_876956.exe
i moved it to chest.

There only seem to be results for one file. ???

winhost.exe file analysis


Antivirus Version Last Update Result
AhnLab-V3 2008.6.13.1 2008.06.15 -
AntiVir 7.8.0.55 2008.06.15 -
Authentium 5.1.0.4 2008.06.15 -
Avast 4.8.1195.0 2008.06.15 -
AVG 7.5.0.516 2008.06.14 -
BitDefender 7.2 2008.06.15 -
CAT-QuickHeal 9.50 2008.06.14 -
ClamAV 0.92.1 2008.06.15 -
DrWeb 4.44.0.09170 2008.06.15 -
eSafe 7.0.15.0 2008.06.15 -
eTrust-Vet 31.6.5873 2008.06.14 -
Ewido 4.0 2008.06.15 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.15 -
Fortinet 3.14.0.0 2008.06.15 -
GData 2.0.7306.1023 2008.06.15 -
Ikarus T3.1.1.26.0 2008.06.15 -
Kaspersky 7.0.0.125 2008.06.15 -
McAfee 5317 2008.06.13 -
Microsoft 1.3604 2008.06.15 -
NOD32v2 3187 2008.06.15 -
Norman 5.80.02 2008.06.13 -
Panda 9.0.0.4 2008.06.15 -
Prevx1 V2 2008.06.15 -
Rising 20.48.62.00 2008.06.15 -
Sophos 4.30.0 2008.06.15 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.15 -
TheHacker 6.2.92.350 2008.06.14 -
VBA32 3.12.6.7 2008.06.14 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.15 -
Additional information
File size: 472 bytes
MD5…: ca25c3c9a978ccf2762434dcd8d731c0
SHA1…: d310b075d45ad2db7e227f97f8207fc65ebf0501
SHA256: f607b6d741e3f3979c92066f9733fad24172e7a7145893a2ee5b16f49732fefb
SHA512: df1d030886444a596359060e3777697e32f8558b590303f0d88a183b0f280059
13cbe1b1a5500b3ab19197a6e6d127ce6b8d8dcba125731b63e5824b3728d79a
PEiD…: -
PEInfo: -

backup.exe file analysis


Antivirus Version Last Update Result
AhnLab-V3 2008.6.13.1 2008.06.15 -
AntiVir 7.8.0.55 2008.06.15 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.06.15 W32/Heuristic-210!Eldorado
Avast 4.8.1195.0 2008.06.15 -
AVG 7.5.0.516 2008.06.15 SHeur.BOZS
BitDefender 7.2 2008.06.15 Packer.Krunchy.A
CAT-QuickHeal 9.50 2008.06.14 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.06.15 PUA.Packed.Krunchy
DrWeb 4.44.0.09170 2008.06.15 Trojan.Packed.162
eSafe 7.0.15.0 2008.06.15 -
eTrust-Vet 31.6.5873 2008.06.14 -
Ewido 4.0 2008.06.15 -
F-Prot 4.4.4.56 2008.06.12 W32/Heuristic-210!Eldorado
F-Secure 6.70.13260.0 2008.06.15 Trojan-Proxy.Win32.Agent.aon
Fortinet 3.14.0.0 2008.06.15 -
GData 2.0.7306.1023 2008.06.15 Trojan-Proxy.Win32.Agent.aon
Ikarus T3.1.1.26.0 2008.06.15 Packer.Krunchy.A
McAfee 5317 2008.06.13 -
Microsoft 1.3604 2008.06.15 -
NOD32v2 3188 2008.06.15 -
Norman 5.80.02 2008.06.13 W32/Smalltroj.EUPX
Panda 9.0.0.4 2008.06.15 Suspicious file
Prevx1 V2 2008.06.15 Malicious Software
Rising 20.48.62.00 2008.06.15 -
Sophos 4.30.0 2008.06.15 Mal/EncPk-BP
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.15 -
TheHacker 6.2.92.350 2008.06.14 -
VBA32 3.12.6.7 2008.06.14 Trojan-Downloader.Win32.Delf.czz
VirusBuster 4.3.26:9 2008.06.12 Packed/FRBR
Webwasher-Gateway 6.6.2 2008.06.15 Trojan.Crypt.XPACK.Gen
Additional information
File size: 32256 bytes
MD5…: 12b191f592fcc5af78ca244fe60331f8
SHA1…: c14d3b295437a3f5b6c7862bee5d1fce172050c4
SHA256: 6bc6d4c5e1cf771b9e2845b0821628fd4084e8e009b1a2f4465c80964db6a537
SHA512: 5bd5019f405014ddec5a640decd99c16070b14acbcd24bdc16b9f32aeb5f6696
fba74c2e206b2080f9540e98918a70ff5a813cbe2e4159351dc37280bf5d60d9
PEiD…: kkrunchy → Ryd
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3e7bd5
timedatestamp…: 0x472db526 (Sun Nov 04 12:03:50 2007)
machinetype…: 0x14c (I386)

( 1 sections )
name viradd virsiz rawdsiz ntrpy md5
kkrunchy 0x1000 0x39bdb 0x6e00 7.99 e7241db9b20b13a1ca442378732fd8cc

( 1 imports )

KERNEL32.DLL: LoadLibraryA, GetProcAddress

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=65139B7700ABEEEA7EAE002544FDD000BCC4CB9F
packers (F-Prot): Malware_Prot.J
packers (Authentium): Malware_Prot.J


sorry for that misunderstanding ^^