A problem with a process CRCAB.exe



Graham T
07-09-2005, 10:50 PM
Can anyone shed light on the CRCAB.exe process - what is it and how do I get
rid of it (I suspect it's a trojan)

When I google a search the result is "do you mean crack.exe" so the web
doesn't know about it!

Very puzzling
GT
--
Selling Nothing
Buying Nothing
Doing Nothing

David H. Lipman
07-09-2005, 10:50 PM
From: "Graham T" <GrahamT@discussions.microsoft.com>

| Can anyone shed light on the CRCAB.exe process - what is it and how do I get
| rid of it (I suspect it's a trojan)
|
| When I google a search the result is "do you mean crack.exe" so the web
| doesn't know about it!
|
| Very puzzling
| GT
| --
| Selling Nothing
| Buying Nothing
| Doing Nothing

Please submit CRCAB.exe to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against several different AV vendors' scanners.

Another way to submit is to send the suspect file to the following email address
scan<at>virustotal.com
{ replace <at> with @ } with only the word SCAN as the subject.

Please post back the EXACT results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Graham T
07-09-2005, 10:50 PM
David

Results as returned from http://www.virustotal.com/flash/index_en.html

This is a report processed by VirusTotal on 07/06/2005 at 21:16:53 (CET)
after scanning the file "crcab.exe" file.

Antivirus    Version         Update      Result
AntiVir      6.31.0.7        07.06.2005  no virus found
AVG          718             07.04.2005  no virus found
Avira        6.31.0.7        07.06.2005  no virus found
BitDefender  7.0             07.06.2005  Trojan.Vundo.381952.A
ClamAV       devel-20050501  07.06.2005  no virus found
DrWeb        4.32b           07.06.2005  no virus found
eTrust-Iris  7.1.194.0       07.05.2005  Win32/Vundo.381952!Trojan
eTrust-Vet   11.9.1.0        07.06.2005  Win32.Vundo.X
Fortinet     2.36.0.0        07.06.2005  no virus found
Ikarus       2.32            07.06.2005  no virus found
Kaspersky    4.0.2.24        07.06.2005  not-a-virus:AdWare.Virtumonde.f
McAfee       4529            07.06.2005  potentially unwanted program Adware-Virtumundo
NOD32v2      1.1162          07.06.2005  no virus found
Norman       5.70.10         07.05.2005  no virus found
Panda        8.02.00         07.06.2005  no virus found
Sybari       7.5.1314        07.06.2005  Win32/Vundo.381952!Trojan
Symantec     8.0             07.06.2005  no virus found
TheHacker    5.8.2.066       07.05.2005  no virus found
VBA32        3.10.4          07.06.2005  no virus found

Sounds like Win32/Vundo.381952!Trojan entries above are significant

GT

David H. Lipman
07-09-2005, 10:50 PM
From: "Graham T" <GrahamT@discussions.microsoft.com>

The McAfee module in the Multi-AV front end should get it.

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, this PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using up to 3 different Anti Virus Command Line Scanners to remove
viruses and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE and/or FTP.EXE to go
through your FireWall to allow them to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Graham T
07-09-2005, 10:50 PM
I carried out the suggested procedure (took all night) but still had the
CRCAB.exe in the process list (Even in safe mode) so the various removal
tools failed to delete the file. The process in task mgr refuses to die when
terminated (it seems to respawn itself) and proceeds to take up to 90% of the
CPU time.

However, I made a boot disk and ran the Sophos scan from DOS and this deleted
the CRCAB.exe file

When Windows was restarted a message saying that the CRCAB.exe was missing
(so something is still trying to load it - Reg entries?)

Anyway it's gone and the PC is back from the dead

Maybe you need to include a DOS scan instruction in the procedures

Question - Do you need the full .LOG files from the various scans? I'll mail
if necessary

Graham
--
Selling Nothing
Buying Nothing
Doing Nothing



David H. Lipman
07-09-2005, 10:50 PM
From: "Graham T" <GrahamT@discussions.microsoft.com>

| I carried out the suggested procedure (took all night) but still had the
| CRCAB.exe in the process list (Even in safe mode) so the various removal
| tools failed to delete the file. The process in task mgr refuses to die when
| terminated (it seems to respawn itself) and proceeds to take up to 90% of the
| CPU time.
|
| However, I made a boot disk and ran the Sophos scan from DOS and this deleted
| the CRCAB.exe file
|
| When Windows was restarted a message saying that the CRCAB.exe was missing
| (so something is still trying to load it - Reg entries?)
|
| Anyway it's gone and the PC is back from the dead
|
| Maybe you need to include a DOS scan instruction in the procedures
|
| Question - Do you need the full .LOG files from the various scans? I'll mail
| if necessary
|
| Graham
| --
| Selling Nothing
| Buying Nothing
| Doing Nothing
|
| "David H. Lipman" wrote:


I'll be happy to view the respective logs. Just remove ~nospam~ from my posted email
address or from the following email address David_H_Lipman~nospam~@Yahoo.Com

I also will be happy to entertain improving the DOS scanning process or improving the
documentation for DOS scanning from a DOS Boot Floppy or DOS Boot Floppy using NTFS4DOS.

As an additional note...

The utility has a running procedure kill facility. This way if an executable is running and
can't be cleaned, the process can be killed prior to the scan and the cleaning/removing of
the infected file will have a higher success rate.

In your case the process would have been...


In the folder C:\AV-CLS you will find the file; killproc.txt [ C:\AV-CLS\killproc.txt ]

You would open it in your text editor (double click on the killproc.txt file) and you
would append to the list crcab.exe and then save the file.

It would then have the following contents...

iexplore.exe
firefox.exe
crcab.exe

This is documented in the PDF Help File. Maybe the explanation of when to use this facility
can be improved.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
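
The "CRCAB.exe was missing" message at startup reported in the thread is the usual sign of an autostart entry left behind after the file itself was deleted. The following is an added example, not part of the thread or of the Multi_AV utility: a PowerShell check that lists Run/RunOnce registry values whose target file can no longer be found. The key list and the function names are assumptions; the thread does not say where CRCAB.exe was registered, and other autostart locations are not covered.

```powershell
# Added example: report autostart values whose target file cannot be found.
# ASSUMPTION: only the common Run/RunOnce keys are checked; the thread does not
# say where CRCAB.exe was registered, and other autostart locations exist.
$keys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandTarget {
    # Extract the program path from a Run-key command line.
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }          # quoted path, arguments follow
    if ($c -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') {   # unquoted, path may contain spaces
        return $Matches[1]
    }
    return ($c -split '\s+')[0]                                 # fallback: first token
}

function Test-TargetExists {
    param([string]$Target)
    # Drive-letter or UNC path: check the file directly.
    if ($Target -match '^([A-Za-z]:|\\\\)') {
        return (Test-Path -LiteralPath $Target -PathType Leaf)
    }
    # Bare names such as "crcab.exe" are looked up on PATH.
    return [bool](Get-Command -Name $Target -CommandType Application -ErrorAction SilentlyContinue)
}

$orphans = foreach ($key in $keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $regKey = Get-Item -LiteralPath $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        if ([string]::IsNullOrWhiteSpace($command)) { continue }
        $target = Get-CommandTarget $command
        if (-not (Test-TargetExists $target)) {
            # Value still registered, but its program is gone.
            [pscustomobject]@{ Key = $key; Name = $name; Command = $command; Target = $target }
        }
    }
}

$orphans | Format-Table -AutoSize -Wrap
```

The script only reports; each listed value should be reviewed before it is removed, since a legitimate program on a disconnected drive shows up the same way.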

