
Help the broken Tosh!?!? :-) Trojan.Packed.Execryptor on Windows XP SP3?


kdfmgr is not malware. It's part of your Trend Micro Internet Security.

OMG so he has no idea what he is on about then?

Doesn't look like it.

Who told you that?

This tech on Trend's live help.

Use the VirusTotal.com - Multi engine on-line virus scanner
(If more than one file needs to be scanned they must be done separately and logs posted for each one)

  • Copy the file path in the below Code box:
    Code: C:\Windows\System32\kdfmgr.exe
  • At the upload site, click once inside the window next to Browse.
  • Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
  • Next click Send File
    • Your file will possibly be entered into a queue which normally takes less than a minute to clear.
  • This will perform a scan across multiple different virus scanning engines.
  • Important: Wait for all of the scanning engines to complete.
  • Copy and then Paste the link to the results in the next reply.
Interesting!!

File has already been analysed:
MD5: dfc27f9e103c5203538cc7741251949b
First received: 11.15.2007 18:03:28 (CET)
Date: 08.21.2008 17:32:00 (CET) [>9D]
Results: 5/36
Permalink: analisis/dc033d3dec7f506d6e70b3c251d8d2c2
Antivirus Version Last Update Result
AhnLab-V3 2008.8.29.0 2008.08.29 -
AntiVir 7.8.1.23 2008.08.30 -
Authentium 5.1.0.4 2008.08.30 -
Avast 4.8.1195.0 2008.08.30 -
AVG 8.0.0.161 2008.08.30 -
BitDefender 7.2 2008.08.30 -
CAT-QuickHeal 9.50 2008.08.29 (Suspicious) - DNAScan
ClamAV 0.93.1 2008.08.30 -
DrWeb 4.44.0.09170 2008.08.30 -
eSafe 7.0.17.0 2008.08.28 Suspicious File
eTrust-Vet 31.6.6057 2008.08.29 -
Ewido 4.0 2008.08.30 -
F-Prot 4.4.4.56 2008.08.29 -
F-Secure 7.60.13501.0 2008.08.30 Suspicious:W32/Malware!Gemini
Fortinet 3.14.0.0 2008.08.30 -
GData 19 2008.08.30 -
Ikarus T3.1.1.34.0 2008.08.30 -
K7AntiVirus 7.10.433 2008.08.30 -
Kaspersky 7.0.0.125 2008.08.30 -
MCAFEE 5373 2008.08.29 -
Microsoft 1.3807 2008.08.25 -
NOD32v2 3401 2008.08.30 -
Norman 5.80.02 2008.08.29 -
Panda 9.0.0.4 2008.08.30 -
PCTools 4.4.2.0 2008.08.30 -
Prevx1 V2 2008.08.30 -
Rising 20.59.51.00 2008.08.30 -
Sophos 4.33.0 2008.08.30 Sus/ComPack
Sunbelt 3.1.1592.1 2008.08.30 -
Symantec 10 2008.08.30 -
TheHacker 6.3.0.6.068 2008.08.30 -
TrendMicro 8.700.0.1004 2008.08.29 -
VBA32 3.12.8.4 2008.08.30 -
ViRobot 2008.8.30.1357 2008.08.30 -
VirusBuster 4.5.11.0 2008.08.30 -
Webwasher-Gateway 6.6.2 2008.08.30 Virus.Win32.FileInfector.gen (suspicious)
Additional information
File size: 722472 BYTES
MD5...: dfc27f9e103c5203538cc7741251949b
SHA1..: d6e03094b38e0643f02a58bdda391a0b7b6f70a9
SHA256: 3915f3c01a941306a65cf6280a0cb7363dcd69d9e7a954a3d74a37e871c3b46e
SHA512: 19bc1c09075ff8948f4223c71bd574de8912a4ffdffa71abc33f136547e89454cb61c4139c24fee9fe46e7ddd9bb5601c3c0e346396747980a658210e48e7296
PEiD..: UPX v1.03 - v1.04
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x49e573
timedatestamp.....: 0x46df868c (Thu Sep 06 04:48:12 2007)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x19000 0x19000 6.71 528b410618f8507d929805b1051f1a6f
.rdata 0x1a000 0x5000 0x5000 4.96 276806fd758f7dd1b20540bc5185d149
.data 0x1f000 0x6000 0x3000 4.23 3cda64e68fdebf5af68177249a223466
.rsrc 0x25000 0x69000 0x69000 5.76 e1c8154f2bbe78b1ec042e5b783eaf86
13c2q.c. 0x8e000 0x3000 0x3000 4.60 9ef52caf3b18b14a916a1b735df7160e
8o42fxd9 0x91000 0x21000 0x20ba2 6.67 a48c6accf5ee4afb376a07acc039bc4d
0si31ee8 0xb2000 0x1000 0x1000 7.96 8c479de81d17284f4a4ffd9302de8849


ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=dfc27f9e103c5203538cc7741251949b
packers (Kaspersky): PE_Patch
packers (F-Prot): EXECryptor
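As an added example (not code from the thread or from VirusTotal), a small Python script that parses a result table in the text layout pasted above and separates heuristic or packer-style verdicts from named detections, which is the distinction the "5/36" score hides. The embedded excerpt is taken from the posted report (five flagging engines plus a few clean rows out of the 36); the list of heuristic markers is my own assumption.

```python
"""Triage a pasted VirusTotal-style result table (2008 text layout).

Each row is 'Engine Version LastUpdate Result'.  Result is '-' for clean
or free text for a detection.  Verdicts that are generic or heuristic
(e.g. 'Suspicious', '.gen', packer tags) are reported separately from
named signatures so a score built from packer heuristics reads as such.
"""
import re
from collections import namedtuple

Row = namedtuple("Row", "engine version updated result")

# Excerpt of the report above: the five flagging engines and a few clean rows.
SAMPLE = """\
Antivirus Version Last Update Result
AhnLab-V3 2008.8.29.0 2008.08.29 -
CAT-QuickHeal 9.50 2008.08.29 (Suspicious) - DNAScan
eSafe 7.0.17.0 2008.08.28 Suspicious File
F-Secure 7.60.13501.0 2008.08.30 Suspicious:W32/Malware!Gemini
Kaspersky 7.0.0.125 2008.08.30 -
Prevx1 V2 2008.08.30 -
Sophos 4.33.0 2008.08.30 Sus/ComPack
TrendMicro 8.700.0.1004 2008.08.29 -
Webwasher-Gateway 6.6.2 2008.08.30 Virus.Win32.FileInfector.gen (suspicious)
"""

# Assumed markers of a heuristic/generic verdict rather than a named family.
HEURISTIC = re.compile(r"suspicious|\bsus/|\.gen\b|gemini|dnascan|compack|heur|pack", re.I)
DATE = re.compile(r"\d{4}\.\d{2}\.\d{2}")

def parse_rows(text):
    """Return one Row per engine line; header and junk lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)  # result may contain spaces: split into 4 fields
        if len(parts) == 4 and DATE.fullmatch(parts[2]):
            rows.append(Row(*parts))
    return rows

def triage(text):
    """Count engines and hits, and split hits into heuristic vs named verdicts."""
    rows = parse_rows(text)
    hits = [r for r in rows if r.result != "-"]
    heuristic = [r for r in hits if HEURISTIC.search(r.result)]
    named = [r for r in hits if r not in heuristic]
    return {"engines": len(rows), "hits": len(hits),
            "heuristic": [r.engine for r in heuristic],
            "named": [r.engine for r in named]}

def vendor_verdict(text, engine):
    """Result string for one engine, e.g. the vendor that ships the file."""
    return next((r.result for r in parse_rows(text) if r.engine == engine), None)

if __name__ == "__main__":
    print(triage(SAMPLE), "TrendMicro:", vendor_verdict(SAMPLE, "TrendMicro"))
```

On the excerpt every hit is heuristic and the file's own vendor reports clean, which is the reading the reply below gives.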
Quote:
TrendMicro 8.700.0.1004 2008.08.29 -

Not a malicious file.

Hey Kevin
I'm done with my poor Tosh performing like this hey and have no patience left to try and work out what is wrong with it.
Been reading online (even others you guys are helping) and there sounds like quite a number of ppl experiencing similar probs to what I am; no one appears to know WHAT the issue is or how to resolve it - unless you are an IT Guru.
If someone had told me 3 wks ago to do this 20 step process that is around the place and that would fix it, I would have given it a shot, but since downloading a thousand different antivirus programs, installing/uninstalling, restarting, having run check disc on startup 3 TIMES, and attempting to restore 6 times that all failed, I'm over it.
Can I just reinstall Windows? Will that fix this? You think it will work?
Cheers
M
You might consider a reinstall. That is usually the only guaranteed way to get things back to normal. It might be a Hard Drive issue or something like that.

You can look through and try any of the suggestions found here > Slow Computer? It May Not Be Malware

