
Am I Infected? Can't Get Rid Of File Crack.exe....


7 replies to this topic

#1 Amy_KB

Amy_KB

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:02 AM

Posted 06 November 2007 - 10:22 AM

I've been fighting some trojan horses and a worm, but I can't figure this out. When I scan the computer for viruses, it gets stuck for quite a while in the Windows\Fonts folder, and comes up with a lot of weird names that almost all end in crack or keygen. When I search for crack.exe I get a file that appears to be in this folder, but if I open the folder I can't find it. Also, if I delete it, it comes back. Does anyone know what this is and how to get rid of it? I have searched the forums here and searched Google and can't seem to find it. Thanks.



#2 jgweed

jgweed

  • Members
  • 28,473 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:04:02 AM

Posted 06 November 2007 - 10:48 AM

Are you able to use your AV to quarantine these files it identifies? Try running your AV in "safe mode" where there is less chance of the files being "protected."
Regards,
John
Whereof one cannot speak, thereof one should be silent.

#3 Amy_KB

Amy_KB
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:02 AM

Posted 06 November 2007 - 10:58 AM

John,

I'm using McAfee, and it doesn't identify them at all. I've also run House Call and it didn't identify it. But something's not right about it. I just see the names all come up as the scan is running and know they shouldn't be there.

Amy

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,897 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:02 AM

Posted 06 November 2007 - 12:14 PM

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download Sysclean Package & save it to your desktop.
  • Create a new folder on drive "C:\" and rename it Sysclean - (C:\Sysclean).
  • Place the sysclean.com inside that folder.
  • Then download the latest Virus Pattern Files - (Pattern files are usually named lptxxx.zip, where xxx is the pattern file number)
  • Extract (unzip) the lptxxx.zip pattern file into the Sysclean folder where you put sysclean.com. (Click here for information on how to extract a file if you're not sure how to do this.) DO NOT scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: Some anti-virus programs such as Avast will alert you to a virus attack when running sysclean so it's best to disable them before going to the next step.

Scan with Sysclean as follows:
  • Open the Sysclean folder and double-click on sysclean.com to start the scanning process.
  • Put a check mark on the "Automatically clean or delete infected files" option by clicking in the checkbox.
  • Click the Advanced >> button.
  • The scan options appear. Select the "Scan all local fixed drives".
  • Click the "Scan button" on the Trend Micro System Cleaner console.
  • It will take some time to complete. Be patient and let it clean whatever it finds.
  • Another MS-DOS window appears containing the log file (sysclean.log) generated in the same folder where the scan is completed - C:\Sysclean.
  • To view the log, click the "View button" on the Trend Micro System Cleaner console. The Trend Micro Sysclean Package - Log window appears.
    • The Files Detected section shows the viruses that were detected by System Cleaner.
    • The Files Clean section shows the viruses that were cleaned.
    • The Clean Fail section shows the viruses that were not cleaned.
  • Exit when done, reboot normally and re-enable your anti-virus program.
Instructions with screenshots are here if you need them.

When using Sysclean it's best to use the Administrator's account or an account with Administrative rights, otherwise you will not have access rights to scan some locations. You can also Use the "Run As" Command to Start a Program as an Administrator. Even when doing that, the scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system.

Then perform at least one of these online Virus scans:
(The following require Internet Explorer to work. Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.)
BitDefender Online Scanner <- Add a check by "Autoclean".
ESET Nod32 Online Scanner <- Vista compatible but Internet Explorer must be Run as Administrator.
F-Secure Online Scanner <- Be sure to follow the directions on the F-Secure page for proper Installation. (also checks for rootkits).
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 Amy_KB

Amy_KB
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:02 AM

Posted 06 November 2007 - 11:33 PM

I'm working on following your post...I only get a couple of hours in the evening to work on it and with those extra files it's taking forever to scan. I'll let you know the results when I'm done.

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,897 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:02 AM

Posted 07 November 2007 - 08:52 AM

I understand so that's not a problem.

#7 Amy_KB

Amy_KB
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:05:02 AM

Posted 07 November 2007 - 10:32 AM

All right, got it all done. I ran the ATF cleaner, and the SysClean. SysClean came up with nothing. I then ran the F-Secure Online Scanner and it detected some Malware and cleaned it. But then I searched and I'm still coming up with this crack.exe file, and it says the location is C:\Windows\Fonts\a.zip. Tried to delete it again but nothing happens. I also watched the SysClean, and it brought up all of those weird file names also. A lot of them are movie titles, some are x-rated titles, and they end in keygen or crack. Any ideas?
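
Added example, not part of any post in this thread: post #7 reports crack.exe at the location C:\Windows\Fonts\a.zip, that is, as a member of an archive sitting in the Fonts folder. This Python sketch lists every non-font file in a folder and the executable members of any zip archive found there; the extension lists, the function names and the sample files are assumptions constructed for the demo.

```python
import os
import tempfile
import zipfile

# Assumed allow-list of what normally lives in a fonts folder (plus desktop.ini).
FONT_EXTS = {".ttf", ".ttc", ".otf", ".fon", ".fnt", ".pfm", ".pfb", ".ini"}
# Assumed list of directly runnable file types worth flagging inside archives.
EXEC_EXTS = {".exe", ".com", ".scr", ".bat", ".pif"}


def audit_font_dir(folder):
    """Return (non_font_files, executable_zip_members) found in `folder`.

    os.scandir reads the raw directory entries, hidden and system files
    included, so the result does not depend on any shell view of the folder.
    """
    non_fonts, zip_hits = [], []
    for entry in sorted(os.scandir(folder), key=lambda e: e.name.lower()):
        if not entry.is_file():
            continue
        ext = os.path.splitext(entry.name)[1].lower()
        if ext not in FONT_EXTS:
            non_fonts.append(entry.name)
        # Check content, not extension: a renamed archive is still detected.
        if zipfile.is_zipfile(entry.path):
            with zipfile.ZipFile(entry.path) as zf:
                for member in zf.namelist():
                    if os.path.splitext(member)[1].lower() in EXEC_EXTS:
                        zip_hits.append((entry.name, member))
    return non_fonts, zip_hits


def build_sample(folder):
    """Constructed sample: a font placeholder plus a.zip holding crack.exe."""
    with open(os.path.join(folder, "arial.ttf"), "wb") as fh:
        fh.write(b"placeholder, not a real font")
    with zipfile.ZipFile(os.path.join(folder, "a.zip"), "w") as zf:
        zf.writestr("crack.exe", b"placeholder bytes, not a program")
        zf.writestr("readme.txt", b"constructed sample")
    return folder


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return audit_font_dir(build_sample(tmp))


if __name__ == "__main__":
    # On the affected machine, point it at the real folder instead:
    #   audit_font_dir(r"C:\Windows\Fonts")
    print(demo())
```

The resulting list of archive names and member names is the kind of detail post #8 asks for (specific file names and where they are located).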

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,897 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:02 AM

Posted 07 November 2007 - 11:09 AM

Without knowing the specific names of those other files it's difficult to identify exactly what they are. I would also need to know where they are located at. Are the names like the files listed here or here?

As you can see from those examples, there may be numerous such files on your system. At this point, I think it would be best to post a hijackthis log so other tools can be used to investigate, find and remove these files.

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.)

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.