Win32:Wali [Cryp]

Hi,

I am having an apparent issue with this particular malware “Win32:Wali [Cryp]”. Avast is displaying this warning multiple times a day, please see attachment. I have both deleted it and moved it to the chest. I ran a full scan and no viruses were detected. I see the “2.exe” file in system32 when I get the warning but it disappears as it’s supposed to after deleting or moving it.

I searched on the web but have not found any of the files or registry entries stated in any posts on my PC.

This is the home version running on Vista 64-bit.

Thanks for any help you can offer.

kotb

If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall?

If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).

Disable System Restore and re-scan.

Did you solve this? I have the same problem and I have done everything I can come up with, but it will still come back.

I still have not resolved this issue. I installed both suggested A/V programs and disabled System Restore. With the Avast Virus Warning displayed on the screen, I have run both A/V programs and neither one finds a problem with “2.exe” sitting in the system32 folder or finds anything that would generate/create the “2.exe” file. All SuperAV found was some cookies and deleted them. It didn’t prevent it from happening again.

It was suggested to me that I run a boot-time scan but that is not available to me in Avast with my 64-bit OS.

I think this evening I will research a better A/V solution for my environment and just buy it and hope for the best.

Fortunately, while this message displays x times/day there are no other symptoms that I can see. I will post anything of value when I come across it.

kotb

Try using PC Tools Firewall Plus so you can actually see what’s going on with your computer.

Download: http://www.pctools.com/mirror/fwinstall.exe

By the way, what does [Cryp] mean? I’ve never heard a term like that in security before.

http://tinyurl.com/Win32AWailCryp

First I would like to thank all who have offered help, DavidR, Calcu007 and Donovansrb10. I truly appreciate your assistance. Unfortunately this malware seems to have the upper hand. Just a note: the PC Tools product did not install, it is not compatible with the 64-bit OS environment.

I am determined to resolve this without wiping the hard drive and starting over, and I will post any findings.

Thanks to all,

kotb

Good!

That’s the spirit, bro!^^

Just don’t give up and don’t ever, ever lose hope^^

Umm, you could try Avira Free AntiVir^^ (http://www.free-av.com/)

Download, install and update^^ Then do a FULL SYSTEM SCAN^^ That might help^^

Good luck and God bless^^

-AnimeLover^^

Hello kotb, you could try the Avira Rescue CD; it is Vista 64 compatible. This is an excellent tool that will scan your PC without booting Windows.
Also try and post a HJT log. I believe it is also compatible, but not 100% sure.

http://forum.avira.com/wbb/index.php?page=Thread&postID=730130#post730130

http://filehippo.com/download_hijackthis/

The [Cryp] at the end means the malware is crypted.

I see…

This is probably a network-distributed virus which the company I work for recently had a big problem with. Check the other PCs on your network. 1.exe will be Microsoft’s PsExec and 2.exe will be the thing which actually spreads it to other PCs.

Also check for a psexesvc.exe process and kill it & delete the file in the Windows folder.

Run to %appdata%, kill the process running in the background, then delete the .exe in %appdata%. You will also need to check the same folder on any other user profiles on the PC, as well as their Start Menu’s Startup folder for any unknown .exes. Make sure that you can see hidden files.

As for preventing it reoccurring, clean your other PCs or speak with your IT staff as other PCs will be infected.

Note that this is a password-stealing trojan with an emphasis on online banking.

For a workaround, try creating the 1.exe and 1.exe in your %temp% folder and set them as read-only and hidden. Also create uninstall.exe (maybe notepad?) in your Start Menu’s Startup folder and perhaps also the various filenames in your %appdata% folder so that the virus can’t create its own files there:

logon.exe lsas.exe update.exe 1.exe 2.exe lsas.exe taskmon.exe dumpreport.exe svchosts.exe rundll.exe upnpsvc.exe EVENT.exe helper.exe service.exe msiexeca.exe uninstall.exe sound.exe

The AV makers have been dead slow in updating their signatures to find the files related to this.

To aid in your research on alternative AV scanners, here is the virustotal.com analysis of the file soon after all the infections started - the winners were a-squared, CAT-QuickHeal, McAfee-GW-Edition and Microsoft (!!!)

http://www.virustotal.com/analisis/e2f98e9d863914ab68aa193469f4f57fb3724e5ffec7d4630ec58005c1cb8c97-1243861321

I’ve been using this script to clean PCs. It won’t work properly on Windows 2000 (it doesn’t have taskkill.exe) and will need admin rights to clean other profiles:


@echo off
setlocal

rem Target machine to clean; admin rights on it are needed for the \\host\c$ share.
echo Computer name:
set /p comp=

rem include ie (also terminates Internet Explorer); lsas.exe listed once
taskkill /s %comp% /f /im logon.exe /im lsas.exe /im psexesvc.exe /im update.exe /im 1.exe /im 2.exe /im taskmon.exe /im dumpreport.exe /im svchosts.exe /im rundll.exe /im upnpsvc.exe /im EVENT.exe /im helper.exe /im service.exe /im msiexeca.exe /im uninstall.exe /im sound.exe /im iexplore.exe

rem exclude ie (same list without iexplore.exe; swap the rem between the two lines to use it)
rem taskkill /s %comp% /f /im logon.exe /im lsas.exe /im psexesvc.exe /im update.exe /im 1.exe /im 2.exe /im taskmon.exe /im dumpreport.exe /im svchosts.exe /im rundll.exe /im upnpsvc.exe /im EVENT.exe /im helper.exe /im service.exe /im msiexeca.exe /im uninstall.exe /im sound.exe

rem PsExec service binary dropped in the Windows folder (\winnt on Windows 2000 installs)
del "\\%comp%\c$\windows\psexesvc.exe"
del "\\%comp%\c$\winnt\psexesvc.exe"

rem Walk every profile folder. "delims=" keeps profile names containing spaces intact;
rem without it the loop splits on whitespace and breaks on names like "John Doe".
for /f "delims=" %%f in ('dir /b /AD "\\%comp%\c$\Documents and settings\"') do (
    del "\\%comp%\c$\documents and settings\%%f\Start Menu\Programs\Startup\uninstall.exe"
    del "\\%comp%\c$\documents and settings\%%f\local settings\temp\1.exe"
    del "\\%comp%\c$\documents and settings\%%f\local settings\temp\2.exe"
    rem /p prompts before each file so legitimate .exe files in Application Data are not removed blindly
    del /p "\\%comp%\c$\documents and settings\%%f\application data\*.exe"
)

pause
endlocal
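A report-only check for the locations and filenames this post lists, added here as a Python example (not the poster's batch script and not part of the thread): it walks each profile folder and reports, without deleting anything, any listed filename in Application Data or Local Settings\Temp, any .exe in the Startup folder, and psexesvc.exe in the Windows folder. The profile root and Windows folder are assumed inputs; the sample tree the block builds is constructed for the demonstration only.

```python
import tempfile
from pathlib import Path
# Filenames the post above lists as dropped by this malware.
SUSPECT_NAMES = {
    "logon.exe", "lsas.exe", "update.exe", "1.exe", "2.exe", "taskmon.exe",
    "dumpreport.exe", "svchosts.exe", "rundll.exe", "upnpsvc.exe", "event.exe",
    "helper.exe", "service.exe", "msiexeca.exe", "uninstall.exe", "sound.exe",
}
# Locations inside each profile that the post says to inspect.
PROFILE_SUBDIRS = [Path("Application Data"), Path("Local Settings") / "Temp",
                   Path("Start Menu") / "Programs" / "Startup"]

def scan_profiles(profiles_root, windows_dir=None):
    """Report, never delete, suspect files per profile (plus psexesvc.exe in windows_dir)."""
    hits = []
    root = Path(profiles_root)
    if not root.is_dir():
        return hits
    for profile in (p for p in root.iterdir() if p.is_dir()):  # names with spaces are fine here,
        for sub in PROFILE_SUBDIRS:                             # unlike an unquoted 'for /f' in batch
            folder = profile / sub
            if not folder.is_dir():
                continue
            for entry in folder.iterdir():
                name = entry.name.lower()
                # Any .exe in Startup is unexpected; elsewhere match the known list.
                if entry.is_file() and (name in SUSPECT_NAMES or
                                        (sub.name == "Startup" and name.endswith(".exe"))):
                    hits.append(str(entry))
    if windows_dir and (Path(windows_dir) / "psexesvc.exe").is_file():
        hits.append(str(Path(windows_dir) / "psexesvc.exe"))
    return sorted(hits)

def build_constructed_sample():
    """Constructed sample tree in a temp dir (not a real infection); returns (profiles_root, windows_dir)."""
    base = Path(tempfile.mkdtemp())
    root = base / "Documents and Settings"
    planted = [root / "John Doe" / "Application Data" / "svchosts.exe",
               root / "John Doe" / "Application Data" / "readme.txt",   # benign, must not match
               root / "John Doe" / "Start Menu" / "Programs" / "Startup" / "odd.exe",
               root / "Admin" / "Local Settings" / "Temp" / "2.exe",
               base / "Windows" / "psexesvc.exe"]
    for p in planted:
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ placeholder")
    return root, base / "Windows"

if __name__ == "__main__":
    for hit in scan_profiles(*build_constructed_sample()):
        print(hit)
```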