system
1
Hi All,
I just received a popup from Avast Free Version 6.0.1367, Virus Definitions 111212-0.
The message is as follows:
Infection Details
URL: hxxp://68.169.92.55/click.php?c (URL modified to prevent an active link)
Process: file://c:\Documents and Settings\mainuser\LocalSettings\Application Data\usrPathmon\usrcrtTime.dll
Infection: url:Mal
The folder usrPathmon was created last night, and the file usrcrtTime.dll is still there.
I used a couple of online scanners on this .dll file, and received this:
NOD32 6704 2011.12.12 probably a variant of Win32/Sefnit.CD
AntiVir 7.11.19.67 2011.12.12 TR/Crypt.XPACK.Gen5
eset 2011-12-12 Win32/Sefnit.CD
Antivir:
Virus: TR/Crypt.XPACK.Gen5
Date discovered: 25/01/2007
Type: Trojan
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low
Static file: No
Engine version: 7.03.00.32
Special detection TR/Crypt.XPACK.Gen5
I don’t know what to do next!
I thought that Avast would have moved or deleted the usrcrtTime.dll file, but it’s still there.
I didn’t (knowingly) create the file or the folder it’s in.
Please let me know what I should do about this file, and what other steps, scans, etc. I should do.
Thanks!
DavidR
2
First - Please ‘modify’ your post change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
You could also check the usrcrtTime.dll file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page.
If not detected by avast! (which it doesn't appear to be), all that it is registering is that this file tried to make the connection to the site with click.php.
- Send the usrcrtTime.dll sample to avast as a possible Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update. Note: manually adding to the chest doesn’t remove them from the original location, so they still have to be dealt with in that location.
Or
Send the sample to virus (at) avast (dot) com zipped and password protected with the password in email body, a link to this topic might help and false positive/undetected malware in the subject.
MalwareBytes Anti-Malware (MBAM), On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later. Download, Install, Update, Run and post the contents of the log.
Pondus
3
DavidR
4
Whilst that may be the case now, that doesn't mean it couldn't in the future. So when a site is down I generally don't care, as the important thing is dealing with the attempted connection to what was considered a malicious site.
The ISPrime thing has been around for some considerable time, so I rather think it isn’t gone forever. It just says that it is temporarily unavailable.
It may be that we need to give essexboy a run at this one also.
system
5
Hi David,
Thanks for your response.
First - Please 'modify' your post, change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
Done!
You could also check the usrcrtTime.dll file at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here, post the URL in the Address bar of the VT results page.
Done!
Here’s the link:
http://www.virustotal.com/file-scan/report.html?id=182a145511e6e30cb03ff357396de4fca617806e416a34838688384af6863b3f-1323711187
If not detected by avast! (which it doesn't appear to be), all that it is registering is that this file tried to make the connection to the site with click.php.
This file is not being detected by Avast! It did block access to the webserver, though.
- Send the usrcrtTime.dll sample to avast as a possible Undetected Malware:
Open the chest...
Done!
Note: manually adding to the chest doesn't remove them from the original location, so they still have to be dealt with in that location.
I had already renamed the file, so it's still sitting where I found it, but not doing anything. Good that you told me, though. I'd assumed "adding to chest" was more like "moving to chest."
I keep getting popup messages saying that the .dll can’t be found, so there is some process running that’s trying to access it. Any idea on how to find it?
MalwareBytes Anti-Malware (MBAM)...
I’ve actually been running MBAM since I found this virus today. It’s been running for over two hours, and so far has reported two objects infected.
Thanks for your help!
I await more advice on what to look for now that this virus has been found.
Pondus
6
I've actually been running MBAM since I found this virus today. It's been running for over two hours, and so far has reported two objects infected.
It is not necessary to run a full scan.
polonus
7
Also consider this -
There is a redirect -http://click.ph redirects to .> -https://bitly.com/
with the following suspicious code:
-www.youtube.com/ suspicious
[suspicious:2] (ipaddr:74.125.226.106) (iframe) -www.youtube.com/
status: (referer=bitly.com/s/v380/js/compressed.js)saved 125292 bytes 3620e2a2ad87980f1d915f1d4cacacd5bf9cbea4
info: [script] -s.ytimg.com/yt/jsbin/www-core-vflDiOJwz.js
info: [script] -s.ytimg.com/yt/jsbin/www-guide-vflFbQPew.js
info: [img] -s.ytimg.com/yt/img/pixel-vfl3z5WfW.gif
info: [iframe] -ad-g.doubleclick.net/adi/com.ythome/default;sz=970x250,960x250;tile=1;dcopt=ist;klg=en;kt=K;kga=-1;kgg=-1;kcr=us;dedup=1;kmyd=1;kbsg=HPUS111212;ord=4167667384826780?
info: [img] -i4.ytimg.com/vi/__/default.jpg
info: [decodingLevel=0] found JavaScript
suspicious
polonus
DavidR
8
@ polonus
But fortunately, since avast blocks access to the click.php page, the redirect is also redundant. Which is why I generally don't go investigating further levels.
@ alleyandy
Yes a MBAM Quick scan is generally good enough as a first look as Pondus mentions.
The message that it can't find the .dll is probably a registry entry trying to register/run the dll, which I was hopeful that MBAM would find suspect and remove.
I don’t know if the Full scan should take this long anyway. You could make a note of what it has found so far and stop it and run a Quick scan.
Given your first post and the VT results, it is effectively only two detections, as Nod32 and ESet are one and the same scanning engine. Both of these however are using either generic or heuristic detections, but given what the file is actually trying to do (connect to a malicious site) it is at the least highly suspect.
polonus
9
Well in this case avast blocking saved the user from a lot of misery.
polonus
system
10
Hi All,
My MBAM full scan just ended! Not bad for just under six hours…
I ran the full scan because I had run the quick scan a few days ago, and found no problem. I just wanted to be sure I got whatever caused the problem today.
Here’s a copy of the MBAM results, edited to remove unimportant info.
Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 8357
Windows 5.1.2600 Service Pack 3
Scan type: Full scan (C:\|)
Objects scanned: 698361
Time elapsed: 5 hour(s), 55 minute(s), 46 second(s)
Registry Values Infected: 1
Files Infected: 6
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\usrcrtTime (Trojan.Agent) -> Value: usrcrtTime -> Quarantined and deleted successfully.
Files Infected:
c:\documents (Trojan.Agent) -> Quarantined and deleted successfully
c:\documents and settings\mike\local settings\Temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\fsquirt.exe (Trojan.Dropper.BCM) -> Quarantined and deleted successfully.
c:\WINDOWS\servicepackfiles\i386\fsquirt.exe (Trojan.Dropper.BCM) -> Quarantined and deleted successfully.
c:\downloads\miopocket 3.0 release 59\mfcce300.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\downloads\miopocket 3.0 release 59\MFCCE400.DLL (Malware.Packer.Gen) -> Quarantined and deleted successfully.
I’m not sure what the first File Infected is referring to, since there’s no file name.
The second one, ms0cfg32.exe, may be a legitimate find.
The third and fourth, fsquirt, may be a false positive, since I’m reading that it’s just started popping up in scans lately.
The last two, part of a download of utilities for a GPS (miopocket), may or may not be legit. Those files are actually meant to run on Windows CE, so I'm wondering if standard Windows malware scanners would report a false positive, or if it is a legitimate find.
MBAM did find the registry entry for the program that was trying to phone home, so the original problem (when Avast! found a problem with usrcrtTime.dll) should be resolved at this point.
I welcome any further comments on this little escapade, but it seems that it is now under control.
Thanks to all who helped!
DavidR
11
Not a lot can be said about the first.
The second, I rather doubt it is a legit file, given it is an exe file in a Temp folder and a search on the file name returns many hits indicating that it is at the least highly suspect. Check at VirusTotal, see #### below.
I think 3&4 may well be FP detections if you have had these on the system for some time (file properties) fsquirt info
The last two: if you A) don't have a WinCE enabled phone or B) have no recollection of installing this software, then upload to VT for checking (#### below).
Good that it removed the orphan registry entry, that should stop the error message, but you should delete the renamed file also. First ensure that you still have the copy in the avast virus chest and periodically scan it to see when avast adds it to the virus signatures.
Upload any suspect/doubtful file/s to VirusTotal:
To do that you would have to temporarily restore the file from the MBAM Quarantine.
If found to be infected, add those to the avast chest and send a copy to avast virus labs again.
Run MBAM again and allow them to be quarantined again.
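An added Python example (not from any poster in this thread) that parses the MBAM detection sections posted in reply 10 and applies the triage DavidR describes in reply 11: Run-key entries and executables in a Temp folder are treated as real, Windows files are flagged for re-checking, and entries with no file name are marked unknown. The priority strings, the path rules and the trimmed sample log are my own assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Sample constructed from the MBAM 1.51 log posted above, trimmed to the detection sections.
SAMPLE_LOG = """\
Files Infected: 6

Registry Values Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\usrcrtTime (Trojan.Agent) -> Value: usrcrtTime -> Quarantined and deleted successfully.

Files Infected:
c:\\documents (Trojan.Agent) -> Quarantined and deleted successfully
c:\\documents and settings\\mike\\local settings\\Temp\\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.
c:\\WINDOWS\\system32\\fsquirt.exe (Trojan.Dropper.BCM) -> Quarantined and deleted successfully.
c:\\downloads\\miopocket 3.0 release 59\\mfcce300.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
"""

# "<item> (<family>) -> <action>" with an optional trailing period
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

@dataclass
class Finding:
    kind: str      # "registry" or "file", from the section header
    item: str      # registry key or file path as MBAM printed it
    family: str    # detection name, e.g. Trojan.Agent
    action: str    # what MBAM did with it

def parse_mbam(text: str) -> list[Finding]:
    """Walk the log, tracking which 'Infected:' section we are in (summary counts are skipped)."""
    section, findings = None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("Infected:"):
            section = "registry" if line.startswith("Registry") else "file"
            continue
        m = ENTRY.match(line)
        if m and section:
            findings.append(Finding(section, m["item"], m["family"], m["action"]))
    return findings

def triage(f: Finding) -> str:
    """Assumed priorities: autostart keys and Temp executables are real; OS files get re-checked."""
    p = f.item.lower()
    if f.kind == "registry":
        return "high: autostart entry, confirm the referenced file is gone" if "\\run\\" in p else "review"
    if "." not in p.rsplit("\\", 1)[-1]:
        return "unknown: no file name recorded"
    if "\\temp\\" in p and p.endswith(".exe"):
        return "high: executable launched from a Temp folder"
    if p.startswith("c:\\windows\\"):
        return "verify: Windows file, check its timestamp and re-scan at VirusTotal before trusting"
    return "review: upload to VirusTotal if origin is unknown"

def triage_log(text: str) -> dict[str, str]:
    return {f.item: triage(f) for f in parse_mbam(text)}
```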