
TR/Crypt.XPACK.Gen


This topic is locked
3 replies to this topic

#1 rhartmannn

  • Members
  • 1 posts

Posted 11 December 2009 - 06:40 PM

AntiVir Guard pops up very often with the message:
- Window title: AntiVir Guard: Watch out: Find!
- Subtitle: A virus or unwanted program was detected on your computer! - What should be done with the files?
- The document under c:\documents..settings\...\a.exe
- Is the Trojan Horse TR/Crypt.XPACK.Gen
- I am presented with the following options: Quarantine, Delete, Rename, Deny Access, Ignore, and the tick box for 'Memorize action for this file (dangerous)'
But although I have tried all the options, the very frequent popups (sometimes almost every second for a while) remain.

DDS (Ver_09-12-01.01) - NTFSx86
Run by Andrea Schoch at 23:42:43.93 on 11.12.2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.49.1031.18.2046.900 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Gemeinsame Dateien\InstallShield\UpdateService\issch.exe
C:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Programme\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Programme\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Programme\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Programme\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedhlp.exe
C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe
C:\Programme\Gemeinsame Dateien\Nokia\MPlatform\NokiaMServer.exe
C:\PROGRA~1\Bluewin\BLUEWI~1\BLUEWI~2.EXE
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
C:\Programme\Avira\AntiVir Desktop\avgnt.exe
C:\Programme\iTunes\iTunesHelper.exe
C:\Programme\Java\jdk1.6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programme\Skype\Phone\Skype.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Programme\Windows Desktop Search\WindowsSearch.exe
C:\Programme\Winzip\WZQKPICK.EXE
C:\Programme\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Programme\Gemeinsame Dateien\Acronis\Schedule2\schedul2.exe
C:\Programme\Avira\AntiVir Desktop\avguard.exe
C:\Programme\Gemeinsame Dateien\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\Programme\Java\jdk1.6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programme\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programme\Skype\Plugin Manager\skypePM.exe
C:\Programme\Gemeinsame Dateien\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Programme\ATI Technologies\ATI.ACE\cli.exe
C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programme\Mozilla Firefox\firefox.exe
C:\Programme\Gemeinsame Dateien\ParetoLogic\PLAS\plasservice.exe
C:\Programme\ParetoLogic\Anti-Virus PLUS\Pareto_AV.exe
C:\DOKUME~1\ANDREA~1\LOKALE~1\Temp\b.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\temp\Software von bleepingcomputer\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.bluewin.ch
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.ch/ig/dell?hl=de&client=dell-row&channel=ch&ibd=5070929
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\programme\gemeinsame dateien\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\programme\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programme\real\realplayer\rpbrowserrecordplugin.dll
BHO: Altavista Toolbar: {4e7bd74f-2b8d-469e-92ea-ec65a294ae31} - c:\programme\altavista\altavista.dll
BHO: XML Class: {500bca15-57a7-4eaf-8143-8c619470b13d} - c:\windows\system32\msxml71.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\programme\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\programme\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\programme\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\programme\java\jdk1.6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\programme\java\jdk1.6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Altavista Toolbar: {4e7bd74f-2b8d-469e-92ea-ec65a294ae31} - c:\programme\altavista\altavista.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\programme\google\google toolbar\GoogleToolbar_32.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\programme\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DellSupportCenter] "c:\programme\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [MailBlocker] c:\dokume~1\andrea~1\lokale~1\temp\b.exe
uRun: [Skype] "c:\programme\skype\\phone\Skype.exe" /nosplash /minimized
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ATICCC] "c:\programme\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [ISUSPM Startup] c:\progra~1\gemein~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\programme\gemeinsame dateien\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\programme\gemeinsame dateien\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\programme\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\programme\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [TrueImageMonitor.exe] c:\programme\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\programme\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\programme\gemeinsame dateien\acronis\schedule2\schedhlp.exe"
mRun: [TkBellExe] "c:\programme\gemeinsame dateien\real\update_ob\realsched.exe" -osboot
mRun: [DellSupportCenter] "c:\programme\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [NokiaMServer] c:\programme\gemeinsame dateien\nokia\mplatform\NokiaMServer /watchfiles
mRun: [Bluewin Sync ToolTray] c:\progra~1\bluewin\bluewi~1\BLUEWI~2.EXE
mRun: [AppleSyncNotifier] c:\programme\gemeinsame dateien\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\programme\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avgnt] "c:\programme\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\programme\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\programme\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\programme\java\jdk1.6\bin\jusched.exe"
mRun: [ParetoLogic Anti-Virus PLUS] "c:\programme\paretologic\anti-virus plus\Pareto_AV.lnk" -NM -hidesplash
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\hppsc2~1.lnk - c:\programme\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\hpoddt~1.lnk - c:\programme\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\nokian~1.lnk - c:\programme\nokia\nnpcs\RunLauncher.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\window~1.lnk - c:\programme\windows desktop search\WindowsSearch.exe
StartupFolder: c:\dokume~1\alluse~1\startm~1\progra~1\autost~1\winzip~1.lnk - c:\programme\winzip\WZQKPICK.EXE
IE: AltaVista Search - file://c:\dokumente und einstellungen\andrea schoch\anwendungsdaten\altavista\SelectedContextSearch_AltaVista Search.htm
IE: Google Sidewiki... - c:\programme\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: Nach Microsoft &Excel exportieren - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Translate - file://c:\dokumente und einstellungen\andrea schoch\anwendungsdaten\altavista\SelectedContextTranslation.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\programme\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\programme\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\programme\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: c:\windows\system32\INetHTTPFilter.dll
Trusted Zone: barium.se\live
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\gemein~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\programme\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\dokume~1\andrea~1\anwend~1\mozilla\firefox\profiles\8dhfa3wn.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\programme\nokia\nokia pc suite 7\bkmrksync\components\BkMrkExt.dll
FF - plugin: c:\programme\java\jdk\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\programme\java\jdk1.6\bin\new_plugin\npdeploytk.dll
FF - plugin: c:\programme\java\jdk1.6\bin\new_plugin\npjp2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\programme\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\programme\avira\antivir desktop\avgio.sys [2009-8-30 11608]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2009-12-11 186128]
R2 AntiVirSchedulerService;Avira AntiVir Planer;c:\programme\avira\antivir desktop\sched.exe [2009-8-30 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\programme\avira\antivir desktop\avguard.exe [2009-8-30 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-8-30 56816]
R2 ZeppelinService;plasservice;c:\programme\gemeinsame dateien\paretologic\plas\plasservice.exe [2009-2-18 587216]
S0 kl1;kl1;c:\windows\system32\drivers\kl1.sys --> c:\windows\system32\drivers\kl1.sys [?]

=============== Created Last 30 ================

2009-12-11 22:39:24 0 d-----w- c:\temp\Software von bleepingcomputer
2009-12-11 20:16:16 5890336 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-12-11 20:16:16 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-12-11 20:16:16 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-12-11 20:16:16 1824 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-12-11 20:16:08 3372 ----a-w- C:\rollback.ini
2009-12-11 20:05:32 0 d-----w- c:\programme\ParetoLogic
2009-12-11 20:05:32 0 d-----w- c:\programme\gemeinsame dateien\ParetoLogic
2009-12-11 20:05:32 0 d-----w- c:\dokume~1\alluse~1\anwend~1\ParetoLogic Anti-Virus PLUS
2009-12-11 20:05:31 0 d-----w- c:\dokume~1\alluse~1\anwend~1\ParetoLogic
2009-12-11 20:04:00 0 d-----w- c:\temp\TRCrypt.XPACK.Gen loswerden
2009-11-21 22:05:00 0 ----a-w- c:\dokumente und einstellungen\andrea schoch\ftype
2009-11-21 21:44:44 0 d-----w- c:\programme\Sun
2009-11-21 21:44:36 73728 ----a-w- c:\windows\system32\javacpl.cpl
2009-11-21 17:27:06 0 d-----w- c:\dokumente und einstellungen\andrea schoch\.SunDownloadManager
2009-11-21 17:01:42 0 d-----w- C:\jwork
2009-11-13 22:11:07 0 d-----w- c:\dokume~1\alluse~1\anwend~1\IsolatedStorage

==================== Find3M ====================

2009-12-07 20:38:56 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-11-21 21:44:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-11-12 22:47:56 96220 ----a-w- c:\windows\system32\perfc007.dat
2009-11-12 22:47:56 488988 ----a-w- c:\windows\system32\perfh007.dat
2008-12-22 17:49:30 32768 --sha-w- c:\windows\system32\config\systemprofile\lokale einstellungen\verlauf\history.ie5\mshist012008122220081223\index.dat

============= FINISH: 23:43:19.40 ===============
***
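The log above already contains the two entries a helper would look at first: an executable running from the user's Temp folder (b.exe) and a uRun autorun (MailBlocker) that starts it. As an added example that is not part of this thread, here is a small Python triage script that walks a DDS-style log and flags running processes and autorun entries whose image lives in a per-user temp directory; the sample lines are constructed from entries visible in the log, and the list of temp-path markers is an assumption.

```python
# Triage a DDS-style log: flag processes and autoruns started from a per-user
# temp directory (the log above uses German XP 8.3 paths such as lokale~1\temp).
# Added example, not from the thread; the temp-path markers are an assumption.
import re

TEMP_RE = re.compile(
    r"\\lokale~1\\temp\\|\\lokale einstellungen\\temp\\"
    r"|\\local settings\\temp\\|\\appdata\\local\\temp\\",
    re.IGNORECASE,
)
# Autorun lines look like:  uRun: [Name] "c:\path\file.exe" /args
AUTORUN_RE = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.IGNORECASE)
SECTION_RE = re.compile(r"^=+\s*(?P<title>.*?)\s*=+$")


def image_path(cmd):
    """Executable path from an autorun command line: a quoted path ends at the
    closing quote, an unquoted one at the first ' /' or ' -' switch."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return re.split(r"\s+[/-]", cmd, maxsplit=1)[0].strip()


def triage(log_text):
    """Return (section, label, path) for each running process or autorun entry
    whose image sits in a temp directory."""
    findings, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("title")
            continue
        if section == "Running Processes":
            if TEMP_RE.search(line):
                findings.append((section, "process", line))
            continue
        run = AUTORUN_RE.match(line)
        if run:
            path = image_path(run.group("cmd"))
            if TEMP_RE.search(path):
                findings.append((section, run.group("name"), path))
    return findings


# Constructed sample built from entries visible in the log above.
SAMPLE_LOG = r"""============== Running Processes ===============
C:\WINDOWS\system32\spoolsv.exe
C:\DOKUME~1\ANDREA~1\LOKALE~1\Temp\b.exe
============== Pseudo HJT Report ===============
uRun: [swg] "c:\programme\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MailBlocker] c:\dokume~1\andrea~1\lokale~1\temp\b.exe
mRun: [avgnt] "c:\programme\avira\antivir desktop\avgnt.exe" /min
"""
```

Running `triage(SAMPLE_LOG)` returns the two temp-directory entries and nothing else; legitimate autoruns under c:\programme are left alone.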


#2 Farbar

    Just Curious

  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 12 December 2009 - 08:02 AM

Hi rhartmannn,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.
  • Please tell me if you have previously installed a Kaspersky product on your computer.

  • Please download Malwarebytes' Anti-Malware from one of these locations:
    malwarebytes.org
    majorgeeks.com
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the MBAM log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



#3 Farbar

    Just Curious

  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 16 December 2009 - 05:02 PM

Are you still there?

#4 Farbar

    Just Curious

  • Security Developer
  • 21,689 posts
  • Gender:Male
  • Location:The Netherlands

Posted 17 December 2009 - 07:59 AM

This thread will now be closed due to inactivity.

If you should have the same or a new issue, please start a new topic.
