Author Topic: Any advice how to get rid of Win32:JunkPoly [Cryp] virus?  (Read 40179 times)


goldbe

  • Guest
Re: Any advice how to get rid of Win32:JunkPoly [Cryp] virus?
« Reply #15 on: June 15, 2008, 09:46:11 PM »
backup.exe  file analysis

------------------------------------------------------
MD5: d34b6c3f35a4782cef35c52f40508f63
First received: 06.06.2008 08:28:16 (CET)
Date: 06.13.2008 16:18:59 (CET) [>2D]
Results: 21/32
Permalink: analisis/30451b127fd52dc1388e17a549425497
-------------------------------------------------------

winhost.exe   file analysis

-------------------------------------------------------
Antivirus Version Last Update Result
AhnLab-V3 2008.6.13.1 2008.06.15 -
AntiVir 7.8.0.55 2008.06.15 -
Authentium 5.1.0.4 2008.06.15 -
Avast 4.8.1195.0 2008.06.15 -
AVG 7.5.0.516 2008.06.14 -
BitDefender 7.2 2008.06.15 -
CAT-QuickHeal 9.50 2008.06.14 -
ClamAV 0.92.1 2008.06.15 -
DrWeb 4.44.0.09170 2008.06.15 -
eSafe 7.0.15.0 2008.06.15 -
eTrust-Vet 31.6.5873 2008.06.14 -
Ewido 4.0 2008.06.15 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.15 -
Fortinet 3.14.0.0 2008.06.15 -
GData 2.0.7306.1023 2008.06.15 -
Ikarus T3.1.1.26.0 2008.06.15 -
Kaspersky 7.0.0.125 2008.06.15 -
McAfee 5317 2008.06.13 -
Microsoft 1.3604 2008.06.15 -
NOD32v2 3187 2008.06.15 -
Norman 5.80.02 2008.06.13 -
Panda 9.0.0.4 2008.06.15 -
Prevx1 V2 2008.06.15 -
Rising 20.48.62.00 2008.06.15 -
Sophos 4.30.0 2008.06.15 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.15 -
TheHacker 6.2.92.350 2008.06.14 -
VBA32 3.12.6.7 2008.06.14 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.15 -
Additional information
File size: 472 bytes
MD5...: ca25c3c9a978ccf2762434dcd8d731c0
SHA1..: d310b075d45ad2db7e227f97f8207fc65ebf0501
SHA256: f607b6d741e3f3979c92066f9733fad24172e7a7145893a2ee5b16f49732fefb
SHA512: df1d030886444a596359060e3777697e32f8558b590303f0d88a183b0f280059
13cbe1b1a5500b3ab19197a6e6d127ce6b8d8dcba125731b63e5824b3728d79a
PEiD..: -
PEInfo: -
-------------------------------------------------------

Here you go.

goldbe

  • Guest
Re: Any advice how to get rid of Win32:JunkPoly [Cryp] virus?
« Reply #16 on: June 15, 2008, 10:18:41 PM »
Some new virus has infected another file...
Virus name : Win32:Mirar-B [Adw] 
File location : C:\DOCUME~1\user\LOCALS~1\Temp\Mirar_V56_VC_Setup_876956.exe   
I moved it to the chest.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Any advice how to get rid of Win32:JunkPoly [Cryp] virus?
« Reply #17 on: June 15, 2008, 11:02:55 PM »
There only seem to be results for one file.  ???
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

goldbe

  • Guest
Re: Any advice how to get rid of Win32:JunkPoly [Cryp] virus?
« Reply #18 on: June 15, 2008, 11:45:47 PM »
winhost.exe   file analysis

-------------------------------------------------------
Antivirus Version Last Update Result
AhnLab-V3 2008.6.13.1 2008.06.15 -
AntiVir 7.8.0.55 2008.06.15 -
Authentium 5.1.0.4 2008.06.15 -
Avast 4.8.1195.0 2008.06.15 -
AVG 7.5.0.516 2008.06.14 -
BitDefender 7.2 2008.06.15 -
CAT-QuickHeal 9.50 2008.06.14 -
ClamAV 0.92.1 2008.06.15 -
DrWeb 4.44.0.09170 2008.06.15 -
eSafe 7.0.15.0 2008.06.15 -
eTrust-Vet 31.6.5873 2008.06.14 -
Ewido 4.0 2008.06.15 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.15 -
Fortinet 3.14.0.0 2008.06.15 -
GData 2.0.7306.1023 2008.06.15 -
Ikarus T3.1.1.26.0 2008.06.15 -
Kaspersky 7.0.0.125 2008.06.15 -
McAfee 5317 2008.06.13 -
Microsoft 1.3604 2008.06.15 -
NOD32v2 3187 2008.06.15 -
Norman 5.80.02 2008.06.13 -
Panda 9.0.0.4 2008.06.15 -
Prevx1 V2 2008.06.15 -
Rising 20.48.62.00 2008.06.15 -
Sophos 4.30.0 2008.06.15 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.15 -
TheHacker 6.2.92.350 2008.06.14 -
VBA32 3.12.6.7 2008.06.14 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.15 -
Additional information
File size: 472 bytes
MD5...: ca25c3c9a978ccf2762434dcd8d731c0
SHA1..: d310b075d45ad2db7e227f97f8207fc65ebf0501
SHA256: f607b6d741e3f3979c92066f9733fad24172e7a7145893a2ee5b16f49732fefb
SHA512: df1d030886444a596359060e3777697e32f8558b590303f0d88a183b0f280059
13cbe1b1a5500b3ab19197a6e6d127ce6b8d8dcba125731b63e5824b3728d79a
PEiD..: -
PEInfo: -
-------------------------------------------------------

goldbe

  • Guest
Re: Any advice how to get rid of Win32:JunkPoly [Cryp] virus?
« Reply #19 on: June 15, 2008, 11:53:30 PM »
backup.exe  file analysis

--------------------------------------------------
Antivirus Version Last Update Result
AhnLab-V3 2008.6.13.1 2008.06.15 -
AntiVir 7.8.0.55 2008.06.15 TR/Crypt.XPACK.Gen
Authentium 5.1.0.4 2008.06.15 W32/Heuristic-210!Eldorado
Avast 4.8.1195.0 2008.06.15 -
AVG 7.5.0.516 2008.06.15 SHeur.BOZS
BitDefender 7.2 2008.06.15 Packer.Krunchy.A
CAT-QuickHeal 9.50 2008.06.14 (Suspicious) - DNAScan
ClamAV 0.92.1 2008.06.15 PUA.Packed.Krunchy
DrWeb 4.44.0.09170 2008.06.15 Trojan.Packed.162
eSafe 7.0.15.0 2008.06.15 -
eTrust-Vet 31.6.5873 2008.06.14 -
Ewido 4.0 2008.06.15 -
F-Prot 4.4.4.56 2008.06.12 W32/Heuristic-210!Eldorado
F-Secure 6.70.13260.0 2008.06.15 Trojan-Proxy.Win32.Agent.aon
Fortinet 3.14.0.0 2008.06.15 -
GData 2.0.7306.1023 2008.06.15 Trojan-Proxy.Win32.Agent.aon
Ikarus T3.1.1.26.0 2008.06.15 Packer.Krunchy.A
McAfee 5317 2008.06.13 -
Microsoft 1.3604 2008.06.15 -
NOD32v2 3188 2008.06.15 -
Norman 5.80.02 2008.06.13 W32/Smalltroj.EUPX
Panda 9.0.0.4 2008.06.15 Suspicious file
Prevx1 V2 2008.06.15 Malicious Software
Rising 20.48.62.00 2008.06.15 -
Sophos 4.30.0 2008.06.15 Mal/EncPk-BP
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.15 -
TheHacker 6.2.92.350 2008.06.14 -
VBA32 3.12.6.7 2008.06.14 Trojan-Downloader.Win32.Delf.czz
VirusBuster 4.3.26:9 2008.06.12 Packed/FRBR
Webwasher-Gateway 6.6.2 2008.06.15 Trojan.Crypt.XPACK.Gen
Additional information
File size: 32256 bytes
MD5...: 12b191f592fcc5af78ca244fe60331f8
SHA1..: c14d3b295437a3f5b6c7862bee5d1fce172050c4
SHA256: 6bc6d4c5e1cf771b9e2845b0821628fd4084e8e009b1a2f4465c80964db6a537
SHA512: 5bd5019f405014ddec5a640decd99c16070b14acbcd24bdc16b9f32aeb5f6696
fba74c2e206b2080f9540e98918a70ff5a813cbe2e4159351dc37280bf5d60d9
PEiD..: kkrunchy -> Ryd
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3e7bd5
timedatestamp.....: 0x472db526 (Sun Nov 04 12:03:50 2007)
machinetype.......: 0x14c (I386)

( 1 sections )
name viradd virsiz rawdsiz ntrpy md5
kkrunchy 0x1000 0x39bdb 0x6e00 7.99 e7241db9b20b13a1ca442378732fd8cc

( 1 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress

( 0 exports )
 
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=65139B7700ABEEEA7EAE002544FDD000BCC4CB9F
packers (F-Prot): Malware_Prot.J
packers (Authentium): Malware_Prot.J

-----------------------------------------------------------------------

Sorry for that misunderstanding ^^

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Any advice how to get rid of Win32:JunkPoly [Cryp] virus?
« Reply #20 on: June 16, 2008, 08:32:20 AM »
Well, backup.exe is malware, but I can't see where it's starting from in HijackThis!

Follow the advice here to deal with scvhost.exe. (Don't confuse the spelling with the legitimate file!)

http://forum.avast.com/index.php?topic=36236.msg304354#msg304354

A full scan with DrWeb CureIT! should take care of backup.exe.

goldbe

  • Guest
Re: Any advice how to get rid of Win32:JunkPoly [Cryp] virus?
« Reply #21 on: June 16, 2008, 09:50:56 PM »
Thanks! I finally got rid of that virus... and Dr.Web found a virus in the scvhost.exe file and deleted it.

dr. jAcKaSS

  • Guest
Re: Any advice how to get rid of Win32:JunkPoly [Cryp] virus?
« Reply #22 on: March 18, 2009, 10:11:16 PM »
I've also got this nice virus and, with the help of avast, deleted many system exe files, and still a lot of other exe files are infected.

I would like to know if it is possible to clean infected exe files or not? Because if not, then I have to format the disk and reinstall everything anyway.
I would also like to know which files this virus affects? Only exe files or also some other files? I would like to know because I have to make a backup of some data and I don't want to transfer the virus to another computer.

Can I somehow get rid of the virus from Linux and then repair Windows (because at the moment I can log in, but half of the things are not working, not even avast resident protection - because of an RPC error or something...)?

I tried Dr.Web LiveCD, but it is so slow... and after all night it froze! =S
« Last Edit: March 18, 2009, 10:20:49 PM by dr. jAcKaSS »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Any advice how to get rid of Win32:JunkPoly [Cryp] virus?
« Reply #23 on: March 19, 2009, 12:24:21 AM »
Not all exe files can be cleaned from every infection.
If you cannot block file infectors at the very beginning, it's easier to format and reinstall.
If you can boot Linux you can mount the partition and backup your documents and data.
The best things in life are free.

dr. jAcKaSS

  • Guest
Re: Any advice how to get rid of Win32:JunkPoly [Cryp] virus?
« Reply #24 on: March 20, 2009, 07:29:35 PM »
Yes, I think I'm going to do that.

I can boot Linux from a Live CD and transfer files, but I don't know how to check if they are infected. Because Ubuntu doesn't have Java, Flash... preinstalled, it is a bit impossible to scan with a web scanner.

Where can I find some info which files can be infected with junkPoly?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Any advice how to get rid of Win32:JunkPoly [Cryp] virus?
« Reply #25 on: March 20, 2009, 08:24:43 PM »
Save to a USB disk, scan them at another computer that does NOT autoexecute (autorun) anything from the disk.
As far as I know, it only infects .com and .exe files.

JunkPolyKiller

  • Guest
Re: Any advice how to get rid of Win32:JunkPoly [Cryp] virus?
« Reply #26 on: September 13, 2009, 12:30:50 PM »
How I got rid of Junkpoly Win32:JunkPoly [Cryp].

I backed up all my important documents onto a USB stick.

But DO NOT back up any .exe files as they are likely to be infected. As soon as you run these, junkpoly will come straight back.

Full format of the hard drive.

Copy files back onto PC after fresh install.
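The last three posts describe one procedure: boot Linux, copy documents but no executables to a USB disk, and scan them on a clean machine with autorun off. The script below is an added example for this thread (not code from any of the posters or from Avast) that does the triage step of that procedure, and it also reuses two details from the backup.exe report in Reply #19: the SHA-256 values posted there serve as the known-bad list, and the 7.99 bits/byte entropy of the single kkrunchy section is the reason the script reports the entropy of every PE image it refuses. Assumptions, all labelled in the code: the Windows partition is mounted at a hypothetical path `BACKUP_ROOT`, the sample tree built by `build_sample_tree` is constructed data and not real malware, and the hash list contains only the two values from the thread. Two caveats the thread itself implies: a file infector rewrites the executables it touches, so their hashes will never match the dropped samples, which is why every file whose bytes are a PE image is refused whatever its extension; and .com files carry no header to recognise, so they can only be refused by extension. Hash matching therefore only catches the exact dropped components (backup.exe, winhost.exe); it does not replace scanning the copied documents on a clean machine as Lisandro advises.

```python
"""Triage a backup before it leaves an infected Windows machine.

Added example for this thread, not code from the forum posters or from Avast.
Assumptions: the Windows partition is mounted read-only at BACKUP_ROOT
(hypothetical path), and the only known-bad hashes are the two SHA-256 values
posted in the thread for backup.exe and winhost.exe.
"""
import hashlib
import math
import os
import struct
import tempfile
from collections import Counter
from pathlib import Path

BACKUP_ROOT = Path("/mnt/windows/Documents and Settings")  # hypothetical mount point

# SHA-256 values copied from the VirusTotal reports quoted in the thread.
KNOWN_BAD_SHA256 = {
    "6bc6d4c5e1cf771b9e2845b0821628fd4084e8e009b1a2f4465c80964db6a537": "backup.exe",
    "f607b6d741e3f3979c92066f9733fad24172e7a7145893a2ee5b16f49732fefb": "winhost.exe",
}

# A file infector rewrites the executables it touches, so their hashes never match
# the dropped samples: every PE image is refused on sight, whatever its extension.
# .com files have no header to sniff, so they are refused by extension.
SKIP_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".dll"}
PACKED_ENTROPY = 7.0  # the thread's kkrunchy section reports 7.99 bits/byte


def is_pe(data):
    """True when the bytes carry an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def shannon_entropy(data):
    """Bits per byte in 0.0..8.0; packed or encrypted code sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path):
    """Decide copy / skip / quarantine for one file and record why."""
    data = path.read_bytes()
    sha256 = hashlib.sha256(data).hexdigest()
    entropy = round(shannon_entropy(data), 2)
    verdict, reason = "copy", "not an executable"
    if sha256 in KNOWN_BAD_SHA256:
        verdict, reason = "quarantine", "SHA-256 matches %s from the thread" % KNOWN_BAD_SHA256[sha256]
    elif is_pe(data):
        packed = ", entropy %.2f suggests a packer" % entropy if entropy >= PACKED_ENTROPY else ""
        verdict, reason = "skip", "PE executable regardless of extension" + packed
    elif path.suffix.lower() in SKIP_EXTENSIONS:
        verdict, reason = "skip", "executable extension " + path.suffix.lower()
    return {"path": str(path), "sha256": sha256, "entropy": entropy,
            "verdict": verdict, "reason": reason}


def triage(root):
    """Walk root and classify every regular file; returns a list sorted by path."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            results.append(classify(Path(dirpath) / name))
    return sorted(results, key=lambda r: r["path"])


def build_sample_tree(root):
    """Constructed sample data, not real malware: a text document, a PE image hiding
    behind an image extension, and a DOS .com stub."""
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "thesis.txt").write_text("Chapter 1. Plain text survives the trip.\n")
    # Minimal MZ/PE header followed by uniformly distributed bytes, as a packed section looks.
    fake_pe = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"
               + bytes(range(256)) * 8)
    (root / "docs" / "holiday.jpg").write_bytes(fake_pe)
    (root / "tool.com").write_bytes(b"\xb4\x09\xcd\x21\xc3")  # mov ah,9 / int 21h / ret


def demo():
    """Run the triage over a fresh constructed tree; returns results keyed by file name."""
    root = Path(tempfile.mkdtemp(prefix="triage-"))
    build_sample_tree(root)
    return {os.path.basename(r["path"]): r for r in triage(root)}


if __name__ == "__main__":
    root = BACKUP_ROOT if BACKUP_ROOT.exists() else None
    for r in (triage(root) if root else demo().values()):
        print("%-10s %-5s %s  %s" % (r["verdict"], r["entropy"], r["path"], r["reason"]))
```

Run it from the Live CD with the Windows partition mounted read-only; when the hypothetical mount point does not exist it falls back to the constructed sample tree, where `holiday.jpg` is refused because its bytes are a PE image and `tool.com` because of its extension, while `thesis.txt` is marked for copying. Copy only the files the script marks "copy", and still scan the USB disk on a clean machine with autorun disabled before opening anything.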