HEUR-DBLEXT/Crypted virus creates bogus svchost.exe in temp directory

  • Thread starter Thread starter franklinhu
  • Start date Start date
F

franklinhu

I encountered a virus which caused a browser window to quickly flash up
and go away. I couldn't see what it was doing. I downloaded the latest
AntiVir program and it found several infected files with trojan horse
TR/LowZones.AH.3, TR/Proxy.Small.DU.12, TR/Dldr.Agent.AP. After
removing all infected files and rebooting, AntiVir would still pop up
with a virus warning of HEUR-DBLEXT/Crypted and pointing at a file
named rd(1).htm. If I allowed it to execute, it would reinstall the
virus. Rescanning did not remove or detect the virus file. Finally, I
looked in the same temp directory as the rd(1).htm file and noticed a
bunch of new files that came from the date when my computer was
infected. There were numereous .exe programs which had numbers for
names like 34542343.exe and I saw some of these execute when my
computer was infected. I removed all of these files except for
svchost.exe which couldn't be removed because it was in use. I was able
to rename the file and then restart in safe mode. I then completely
removed the file and restarted. This seems to have cured the problem.
Anyone else seen this virus? There isn't much on it on the internet.
Even the AntiVir web site didn't have anything about the
HEUR-DBLEXT/Crypted detection.
 
From: <[email protected]>

| I encountered a virus which caused a browser window to quickly flash up
| and go away. I couldn't see what it was doing. I downloaded the latest
| AntiVir program and it found several infected files with trojan horse
| TR/LowZones.AH.3, TR/Proxy.Small.DU.12, TR/Dldr.Agent.AP. After
| removing all infected files and rebooting, AntiVir would still pop up
| with a virus warning of HEUR-DBLEXT/Crypted and pointing at a file
| named rd(1).htm. If I allowed it to execute, it would reinstall the
| virus. Rescanning did not remove or detect the virus file. Finally, I
| looked in the same temp directory as the rd(1).htm file and noticed a
| bunch of new files that came from the date when my computer was
| infected. There were numereous .exe programs which had numbers for
| names like 34542343.exe and I saw some of these execute when my
| computer was infected. I removed all of these files except for
| svchost.exe which couldn't be removed because it was in use. I was able
| to rename the file and then restart in safe mode. I then completely
| removed the file and restarted. This seems to have cured the problem.
| Anyone else seen this virus? There isn't much on it on the internet.
| Even the AntiVir web site didn't have anything about the
| HEUR-DBLEXT/Crypted detection.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
| with a virus warning of HEUR-DBLEXT/Crypted

I saw a machine with that last week. Easy to clean, as I
recall. Soemthing like: remove registry entries for file
AntiVir flagged, then scan in Safe Mode, done.
 
Back
Top