
HTML/Crypted.Gen Virus:

Discussion in 'Windows XP' started by Navyguy, Apr 14, 2010.

  1. Navyguy

    Navyguy Flightless Bird

    I have a Dell Dimension 8200 with Windows Firewall, Avira antivirus,
    Spybot and Hive Cleanup and all the programs work well together and
    are up to date. However, my computer recently became infected with a
    HTML/Crypted.Gen virus.

    http://www.avira.com/en/threats/section/fulldetails/id_vir/3666/html_crypted.gen.html

    I ran Avira and Spybot and thought that it had corrected the problem
    but today when I logged on I had the same virus alert. I would
    appreciate any thoughts/suggestions on how to remove this virus from
    my computer.


    Thanks,

    Robert
     
  2. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    Always state your full Windows version (e.g., WinXP SP3; WinXP 64-bit SP2;
    Vista SP1; Vista 64-bit SP2; Win7; Win7 64-bit) when posting in a forum or
    newsgroup. Please do so in your next reply.

    Has a(another) Norton or McAfee application ever been installed on the
    computer (e.g., a free-trial version that came preinstalled when you bought
    it)?
    --
    ~Robear Dyer (PA Bear)
    MS MVP-IE, Mail, Security, Windows Client - since 2002


    Navyguy wrote:
    > I have a Dell Dimension 8200 with Windows Firewall, Avira antivirus,
    > Spybot and Hive Cleanup and all the programs work well together and
    > are up to date. However, my computer recently became infected with a
    > HTML/Crypted.Gen virus.
    >
    > http://www.avira.com/en/threats/section/fulldetails/id_vir/3666/html_crypted.gen.html
    >
    > I ran Avira and Spybot and thought that it had corrected the problem
    > but today when I logged on I had the same virus alert. I would
    > appreciate any thoughts/suggestions on how to remove this virus from
    > my computer.
     
  3. Daave

    Daave Flightless Bird

    Navyguy wrote:
    > I have a Dell Dimension 8200 with Windows Firewall, Avira antivirus,
    > Spybot and Hive Cleanup and all the programs work well together and
    > are up to date. However, my computer recently became infected with a
    > HTML/Crypted.Gen virus.
    >
    > http://www.avira.com/en/threats/section/fulldetails/id_vir/3666/html_crypted.gen.html
    >
    > I ran Avira and Spybot and thought that it had corrected the problem
    > but today when I logged on I had the same virus alert. I would
    > appreciate any thoughts/suggestions on how to remove this virus from
    > my computer.


    Sometimes, AV programs (Avira AntiVir included) detect false positives.

    What is the name of the file(s) associated with this particular type of
    malware (note that it is not a virus)? Can you upload it/them to these
    two sites?:

    http://www.virustotal.com/

    http://virusscan.jotti.org/en
     
  4. Navyguy

    Navyguy Flightless Bird

    On Apr 14, 4:43 pm, Navyguy <maginee...@yahoo.com> wrote:
    > I have a Dell Dimension 8200 XP SP3 with Windows Firewall, Avira antivirus,
    > Spybot and Hive Cleanup and all the programs work well together and
    > are up to date. However, my computer recently became infected with a
    > HTML/Crypted.Gen virus.
    >
    > http://www.avira.com/en/threats/section/fulldetails/id_vir/3666/html_...
    >
    > I ran Avira and Spybot and thought that it had corrected the problem
    > but today when I logged on I had the same virus alert. I would
    > appreciate any thoughts/suggestions on how to remove this virus from
    > my computer.
    >
    > Thanks,
    >
    > Robert
     
  5. David H. Lipman

    David H. Lipman Flightless Bird

    From: "Navyguy" <magineer02@yahoo.com>

    | I have a Dell Dimension 8200 with Windows Firewall, Avira antivirus,
    | Spybot and Hive Cleanup and all the programs work well together and
    | are up to date. However, my computer recently became infected with a
    | HTML/Crypted.Gen virus.

    | http://www.avira.com/en/threats/section/fulldetails/id_vir/3666/html_crypted.gen.html

    | I ran Avira and Spybot and thought that it had corrected the problem
    | but today when I logged on I had the same virus alert. I would
    | appreciate any thoughts/suggestions on how to remove this virus from
    | my computer.

    It is not a virus and you can't get infected by it. However if the script it represents
    is successfully executed it may lead to the installation of some other malware.

    What this is is a generic detection for a cryptic HTML script.

    If you got alerted on it then Avira AntiVir did its job and blocked the malicious code in
    the HTML script.

    Perform a full scan of your system using AntiVir to make sure the script is not in a
    cache somewhere.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
     
  6. Navyguy

    Navyguy Flightless Bird

    On Apr 14, 7:38 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:
    > From: "Navyguy" <maginee...@yahoo.com>
    >
    > | I have a Dell Dimension 8200 with Windows Firewall, Avira antivirus,
    > | Spybot and Hive Cleanup and all the programs work well together and
    > | are up to date. However, my computer recently became infected with a
    > | HTML/Crypted.Gen virus.
    >
    > |http://www.avira.com/en/threats/section/fulldetails/id_vir/3666/html_...
    >
    > | I ran Avira and Spybot and thought that it had corrected the problem
    > | but today when I logged on I had the same virus alert. I would
    > | appreciate any thoughts/suggestions on how to remove this virus from
    > | my computer.
    >
    > It is not a virus and you can't get infected by it.  However if the script it represents
    > is successfully executed it may lead to the installation of some other malware.
    >
    > What this is is a generic detection for a cryptic HTML script.
    >
    > If you got alerted on it then Avira AntiVir did its job and blocked the malicious code in
    > the HTML script.
    >
    > Perform a full scan of your system using AntiVir to make sure the script is not in a
    > cache somewhere.
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


    I've already run Avira and Spybot and thought it had corrected the
    problem but I guess it didn't since I got the same message again today
    with the same virus.

    This is the infected file: Documents and Settings\user name\Local
    Settings Temp\tempinternet files\Content IE5\MOMXYOEG\asrefinc
    101.jsw

    I tried looking for this file in the system but I can't seem to find
    it under Documents and Settings.

    Thanks,
    Robert
     
  7. David H. Lipman

    David H. Lipman Flightless Bird

    From: "Navyguy" <magineer02@yahoo.com>



    | I've already run Avira and Spybot and thought it had corrected the
    | problem but I guess it didn't since I got the same message again today
    | with the same virus.

    | This is the infected file: Documents and Settings\user name\Local
    | Settings Temp\tempinternet files\Content IE5\MOMXYOEG\asrefinc
    | 101.jsw

    | I tried looking for this file in the system but I can't seem to find
    | it under Documents and Settings.

    Again -- It is NOT a virus !

    That is your IE Temp Internet Files cache or TIF.

    Go to IE --> Tools --> Internet Options
    Delete all files in the cache and set the cache to be no larger than 50MB.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
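
The replies above describe HTML/Crypted.Gen as a generic detection for an obfuscated HTML script that can sit in each account's Temporary Internet Files cache. As an added illustration (not part of the original thread and not Avira's detection logic), the sketch below walks a cache tree and flags files showing common obfuscation indicators; the patterns, thresholds, directory names and sample files are all assumptions constructed for the example.

```python
import os
import re
import tempfile

# Assumed heuristics for illustration; not any antivirus vendor's signature.
DECODE_EXEC = re.compile(
    r"(eval|document\.write)\s*\(\s*"
    r"(unescape|decodeURIComponent|String\.fromCharCode)\s*\(", re.I)
ESCAPE_RUN = re.compile(
    r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|%u[0-9a-f]{4}){40,}", re.I)
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def classify(text):
    """Return the obfuscation indicators found in one cached file."""
    reasons = set()
    # In HTML look inside <script> bodies; a bare script file is read whole.
    for body in SCRIPT_BODY.findall(text) or [text]:
        if DECODE_EXEC.search(body):
            reasons.add("decode-then-execute call")
        if ESCAPE_RUN.search(body):
            reasons.add("long run of escaped characters")
        longest = max(body.splitlines() or [""], key=len)
        if len(longest) > 500 and longest.count(" ") / len(longest) < 0.02:
            reasons.add("very long line with almost no whitespace")
    return sorted(reasons)


def scan_cache(root, max_bytes=2_000_000):
    """Walk a cache tree and map each flagged file to its indicators."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="latin-1") as fh:
                    text = fh.read()
            except OSError:
                continue  # skip files the browser holds open or has removed
            reasons = classify(text)
            if reasons:
                flagged[os.path.relpath(path, root)] = reasons
    return flagged


def demo():
    """Build two constructed per-account caches and scan both."""
    # Constructed sample: the escaped text decodes to a harmless comment.
    note = b"/* constructed, harmless sample text */" * 2
    payload = "".join("%%%02x" % b for b in note)
    suspicious = ("<html><script>document.write(unescape('%s'));"
                  "</script></html>" % payload)
    benign = "<html><script>document.title = 'ok';</script></html>"
    with tempfile.TemporaryDirectory() as root:
        for account in ("User", "Administrator"):
            cache = os.path.join(root, account, "Content.IE5", "SAMPLE01")
            os.makedirs(cache)
            with open(os.path.join(cache, "page.htm"), "w") as fh:
                fh.write(benign)
            if account == "Administrator":
                with open(os.path.join(cache, "frame.htm"), "w") as fh:
                    fh.write(suspicious)
        return scan_cache(root)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", ", ".join(reasons))
```

A hit from a heuristic like this only says a cached file looks obfuscated, which is why the same alert can recur for as long as the file remains in a profile's cache.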
     
  8. Navyguy

    Navyguy Flightless Bird

    On Apr 15, 3:11 am, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:
    > From: "Navyguy" <maginee...@yahoo.com>
    >
    > | I've already run Avira and Spybot and thought it had corrected the
    > | problem but I guess it didn't since I got the same message again today
    > | with the same virus.
    >
    > | This is the infected file: Documents and Settings\user name\Local
    > | Settings Temp\tempinternet files\Content IE5\MOMXYOEG\asrefinc
    > | 101.jsw
    >
    > | I tried looking for this file in the system but I can't seem to find
    > | it under Documents and Settings.
    >
    > Again -- It is NOT a virus !
    >
    > That is your IE Temp Internet Files cache or TIF.
    >
    > Go to IE --> Tools --> Internet Options
    > Delete all files in the cache and set the cache to be no larger than 50MB..
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


    Hello Dave,
    Although the file in question isn't a virus it managed to 'infect' my
    administrator's account's Internet temporary files as well as my User
    account. I was under the impression that when using a User
    account(which is what I use to surf the Internet) that the
    Administrator account (Internet temporary files) are separate?

    In any case I deleted all the files in both accounts in the Internet
    temporary files folder. However with regards to the User account there
    were (8) files it wouldn't let me delete ending with:

    Cookie: Username @ c.msn
    Cookie: Username @ bing
    Cookie: Username @ Windows Marketing Plan
    Cookie: Username @ c.Live
    Cookie: Username @ atdmt
    Cookie: Username @ MSN
    Cookie: Username @ aplshuffle

    Yet after I deleted all the files I went back to check and each time I
    look there's more files to delete. Maybe I didn't get them all but
    when I was doing this there were no other files that I saw to delete?


    Lastly, the good news is that so far the annoying and apprehensive
    alert for the last two days hasn't popped up. Hopefully this has
    corrected the problem.



    Thanks,

    Robert
     
  9. Navyguy

    Navyguy Flightless Bird

    On Apr 15, 3:11 am, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:
    > From: "Navyguy" <maginee...@yahoo.com>
    >
    > | I've already run Avira and Spybot and thought it had corrected the
    > | problem but I guess it didn't since I got the same message again today
    > | with the same virus.
    >
    > | This is the infected file: Documents and Settings\user name\Local
    > | Settings Temp\tempinternet files\Content IE5\MOMXYOEG\asrefinc
    > | 101.jsw
    >
    > | I tried looking for this file in the system but I can't seem to find
    > | it under Documents and Settings.
    >
    > Again -- It is NOT a virus !
    >
    > That is your IE Temp Internet Files cache or TIF.
    >
    > Go to IE --> Tools --> Internet Options
    > Delete all files in the cache and set the cache to be no larger than 50MB..
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


    Hi Dave,

    Ok the User account seems to be alright but my Administrator account
    is infected with this non-virus. I have deleted all the Temporary
    Internet files and changed the disk space used to 50 yet every time I
    restart the computer and login as the Administrator the same infected
    file pops up. I only use the Administrator account to update my
    computer so I'm baffled how my Administrator account became corrupted?

    I'd appreciate any help or advice to remove this.

    Thanks,
    Robert
     
  10. David H. Lipman

    David H. Lipman Flightless Bird

    From: "Navyguy" <magineer02@yahoo.com>

    | Hi Dave,

    | Ok the User account seems to be alright but my Administrator account
    | is infected with this non-virus. I have deleted all the Temporary
    | Internet files and changed the disk space used to 50 yet every time I
    | restart the computer and login as the Administrator the same infected
    | file pops up. I only use the Administrator account to update my
    | computer so I'm baffled how my Administrator account became corrupted?

    | I'd appreciate any help or advice to remove this.

    | Thanks,
    | Robert




    Download and execute HiJack This! (HJT)
    http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

    Then post the contents of the HJT log in your post with a full explanation of your problem
    and what you have done to date in one of the below expert forums...

    { Please - Do NOT post the HJT Log here ! }

    Forums where you can get expert advice for HiJack This! (HJT) Logs.

    NOTE: Registration is REQUIRED in any of the below before posting a log

    Suggested primary:
    http://www.thespykiller.co.uk/index.php?board=3.0

    Suggested secondary:
    http://www.bleepingcomputer.com/forums/forum22.html
    http://www.malwarebytes.org/forums/index.php?showforum=7

    Suggested tertiary:
    http://www.dslreports.com/forum/cleanup
    http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
    http://www.atribune.org/forums/index.php?showforum=9
    http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
    http://gladiator-antivirus.com/forum/index.php?showforum=170
    http://forum.networktechs.com/forumdisplay.php?f=130
    http://forums.maddoktor2.com/index.php?showforum=17
    http://www.spywarewarrior.com/viewforum.php?f=5
    http://forums.spywareinfo.com/index.php?showforum=18
    http://forums.techguy.org/f54-s.html
    http://forums.tomcoyote.org/index.php?showforum=27
    http://forums.subratam.org/index.php?showforum=7
    http://www.5starsupport.com/ipboard/index.php?showforum=18
    http://aumha.net/viewforum.php?f=30
    http://makephpbb.com/phpbb/viewforum.php?f=2
    http://forums.techguy.org/54-security/
    http://forums.security-central.us/forumdisplay.php?f=13

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
     
  11. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    cf.
    http://groups.google.com/group/microsoft.public.windowsxp.general/msg/f2e8ff1b44b6d9a9
    --
    ~PA Bear

    Navyguy wrote:
    > On Apr 14, 7:38 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    > wrote:
    >> From: "Navyguy" <maginee...@yahoo.com>
    >>
    >>> I have a Dell Dimension 8200 with Windows Firewall, Avira antivirus,
    >>> Spybot and Hive Cleanup and all the programs work well together and
    >>> are up to date. However, my computer recently became infected with a
    >>> HTML/Crypted.Gen virus.

    >>
    >>> http://www.avira.com/en/threats/section/fulldetails/id_vir/3666/html_...

    >>
    >>> I ran Avira and Spybot and thought that it had corrected the problem
    >>> but today when I logged on I had the same virus alert. I would
    >>> appreciate any thoughts/suggestions on how to remove this virus from
    >>> my computer.

    >>
    >> It is not a virus and you can't get infected by it. However if the script
    >> it represents is successfully executed it may lead to the installation
    >> of
    >> some other malware.
    >>
    >> What this is is a generic detection for a cryptic HTML script.
    >>
    >> If you got alerted on it then Avira AntiVir did its job and blocked the
    >> malicious code in the HTML script.
    >>
    >> Perform a full scan of your system using AntiVir to make sure the script
    >> is not in a cache somewhere.
    >>
    >> --
    >> Dave
    >> http://www.claymania.com/removal-trojan-adware.html
    >> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

    >
    > I've already run Avira and Spybot and thought it had corrected the
    > problem but I guess it didn't since I got the same message again today
    > with the same virus.
    >
    > This is the infected file: Documents and Settings\user name\Local
    > Settings Temp\tempinternet files\Content IE5\MOMXYOEG\asrefinc
    > 101.jsw
    >
    > I tried looking for this file in the system but I can't seem to find
    > it under Documents and Settings.
    >
    > Thanks,
    > Robert
     
  12. Navyguy

    Navyguy Flightless Bird

    On Apr 16, 3:21 am, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:
    > From: "Navyguy" <maginee...@yahoo.com>
    >
    > | Hi Dave,
    >
    > | Ok the User account seems to be alright but my Administrator account
    > | is infected with this non-virus. I have deleted all the Temporary
    > | Internet files and changed the disk space used to 50 yet every time I
    > | restart the computer and login as the Administrator the same infected
    > | file pops up. I only use the Administrator account to update my
    > | computer so I'm baffled how my Administrator account became corrupted?
    >
    > | I'd appreciate any help or advice to remove this.
    >
    > | Thanks,
    > | Robert
    >
    > Download and execute HiJack This! (HJT)
    > http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe
    >
    > Then post the contents of the HJT log in your post with a full explanation of your problem
    > and what you have done to date in one of the below expert forums...
    >
    > { Please - Do NOT post the HJT Log here ! }
    >
    > Forums where you can get expert advice for HiJack This! (HJT) Logs.
    >
    > NOTE: Registration is REQUIRED in any of the below before posting a log
    >
    > Suggested primary:
    > http://www.thespykiller.co.uk/index.php?board=3.0
    >
    > Suggested secondary:http://www.bleepingcomputer.com/for...malwarebytes.org/forums/index.php?showforum=7
    >
    > Suggested tertiary:http://www.dslreports.com/forum/cle...ums.security-central.us/forumdisplay.php?f=13
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



    I've been sick the last day or so so I haven't been able to respond.
    Firstly, both my User Account and my Administrator account are
    infected. I've done what you suggested and it keeps coming back. If
    this isn't a virus it sure is acting like one.

    I've tried using Hijack before and I never received a response from
    anyone.

    Robert
     
  13. Navyguy

    Navyguy Flightless Bird

    On Apr 16, 12:03 pm, "PA Bear [MS MVP]" <PABear...@gmail.com> wrote:
    > cf.http://groups.google.com/group/microsoft.public.windowsxp.general/msg....
    > --
    > ~PA Bear
    >
    >
    >
    > Navyguy wrote:
    > > On Apr 14, 7:38 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    > > wrote:
    > >> From: "Navyguy" <maginee...@yahoo.com>

    >
    > >>> I have a Dell Dimension 8200 with Windows Firewall, Avira antivirus,
    > >>> Spybot and Hive Cleanup and all the programs work well together and
    > >>> are up to date. However, my computer recently became infected with a
    > >>> HTML/Crypted.Gen virus.

    >
    > >>>http://www.avira.com/en/threats/section/fulldetails/id_vir/3666/html_....

    >
    > >>> I ran Avira and Spybot and thought that it had corrected the problem
    > >>> but today when I logged on I had the same virus alert. I would
    > >>> appreciate any thoughts/suggestions on how to remove this virus from
    > >>> my computer.

    >
    > >> It is not a virus and you can't get infected by it. However if the script
    > >> it represents is successfully executed it may lead to the installation
    > >> of
    > >> some other malware.

    >
    > >> What this is is a generic detection for a cryptic HTML script.

    >
    > >> If you got alerted on it then Avira AntiVir did its job and blocked the
    > >> malicious code in the HTML script.

    >
    > >> Perform a full scan of your system using AntiVir to make sure the script
    > >> is not in a cache somewhere.

    >
    > >> --
    > >> Dave
    > >> http://www.claymania.com/removal-trojan-adware.html
    > >> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

    >
    > > I've already run Avira and Spybot and thought it had corrected the
    > > problem but I guess it didn't since I got the same message again today
    > > with the same virus.

    >
    > > This is the infected file: Documents and Settings\user name\Local
    > > Settings Temp\tempinternet files\Content IE5\MOMXYOEG\asrefinc
    > > 101.jsw

    >
    > > I tried looking for this file in the system but I can't seem to find
    > > it under Documents and Settings.

    >
    > > Thanks,
    > > Robert


    If you look, I've posted that I'm using XP, SP3 on my second message.

    Robert
     
  14. David H. Lipman

    David H. Lipman Flightless Bird

    From: "Navyguy" <magineer02@yahoo.com>



    | I've been sick the last day or so so I haven't been able to respond.
    | Firstly, both my User Account and my Administrator account are
    | infected. I've done what you suggested and it keeps coming back. If
    | this isn't a virus it sure is acting like one.

    | I've tried using Hijack before and I never received a response from
    | anyone.


    Robert:

    If you post to the SpyKiller...
    http://www.thespykiller.co.uk/index.php?board=3.0

    And give me the URL, I will make sure you get immediate attention.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
     
  15. Navyguy

    Navyguy Flightless Bird

    On Apr 17, 11:58 am, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:
    > From: "Navyguy" <maginee...@yahoo.com>
    >
    > | I've been sick the last day or so so I haven't been able to respond.
    > | Firstly, both my User Account and my Administrator account are
    > | infected. I've done what you suggested and it keeps coming back. If
    > | this isn't a virus it sure is acting like one.
    >
    > | I've tried using Hijack before and I never received a response from
    > | anyone.
    >
    > Robert:
    >
    > If you post to the SpyKiller...
    > http://www.thespykiller.co.uk/index.php?board=3.0
    >
    > And give me the URL, I will make sure you get immediate attention.
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



    Hi Dave,
    Here's the URL, I appreciate your helping me.

    http://thespykiller.co.uk/index.php/topic,9212.new.html

    Thanks,
    Robert
     
  16. David H. Lipman

    David H. Lipman Flightless Bird

  17. Navyguy

    Navyguy Flightless Bird

    On Apr 17, 2:15 pm, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
    wrote:
    > From: "Navyguy" <maginee...@yahoo.com>
    >
    > | Hi Dave,
    > | Here's the URL, I appreciate your helping me.
    >
    > |http://thespykiller.co.uk/index.php/topic,9212.new.html
    >
    > I see that MS MVP Derek Knight has already responded.
    >
    > *You are in good hands!*
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


    Hello Dave,
    I decided to delete my Internet temp files again both on the User
    account and Administrative account then ran the program from the link
    Derek gave on both accounts. It appears that both accounts are now
    clean and hopefully I won't see it again.

    I want to thank both you and Derek for helping me through this.

    Robert
     
  18. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    David H. Lipman wrote:
    > From: "Navyguy" <magineer02@yahoo.com>
    >
    >> Hi Dave,
    >> Here's the URL, I appreciate your helping me.

    >
    >> http://thespykiller.co.uk/index.php/topic,9212.new.html

    >
    > I see that MS MVP Derek Knight has already responded.
    >
    > *You are in good hands!*


    +1
     
  19. PA Bear [MS MVP]

    PA Bear [MS MVP] Flightless Bird

    Navyguy wrote:
    <snippage>
    >>> http://thespykiller.co.uk/index.php/topic,9212.new.html

    >>

    > I decided to delete my Internet temp files again both on the User
    > account and Administrative account then ran the program from the link
    > Derek gave on both accounts. It appears that both accounts are now
    > clean and hopefully I won't see it again.
    >
    > I want to thank both you and Derek for helping me through this.


    Please don't leave Derek hanging, Robert: Reply to your forum thread ASAP.
    Thanks.
     
