Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TR/Crypt.XPACK.Gen 3 Trojan


  • This topic is locked This topic is locked
2 replies to this topic

#1 signalite

signalite

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:12:22 PM

Posted 02 June 2011 - 11:46 AM

I have had this virus problem for approximately 4 months. Maybe I am wrong and this is another virus but the name and behaviour is similar. It generates hundreds of virus files. I have tried to remove it with my Avira Antivirus and Malwarebytes but no luck so far. There are even several weeks when virus is being silent and Avira finds nothing but then again something triggers it and I am back to where I started with 1000 of viruses found by Avira (I am scanning my comp on daily basis). I made a backup copy of my pictures to DVD. Is there a possibility that this DVD also will be infected?

.
DDS (Ver_2011-06-02.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by Signe at 19:12:00 on 2011-06-02
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonSvc.exe
C:\Program Files\Highresolution Enterprises\X-Mouse Button Control\XMouseButtonControl.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Tildes Birojs 2008\MDICTION.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Signe\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Tildes Birojs: {1e6700f0-0f85-40fd-8022-7eb60ab46f10} - c:\program files\tildes birojs 2008\IEjosla.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GR469A~1.DLL
TB: Tildes Birojs: {1e6700f0-0f85-40fd-8022-7eb60ab46f10} - c:\program files\tildes birojs 2008\IEjosla.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No File
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [DriverFinder] c:\program files\driverfinder\DriverFinder.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [hpvdnzcpc] qhwngbnjfpbcnhjarg.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Pianists] "c:\program files\tildes birojs 2008\Pianists.exe" /START
mRun: [mdiction] "c:\program files\tildes birojs 2008\mdiction.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Tulkot ar Tildes Datorvārdnīcu - c:\program files\tildes birojs 2008\TDVLauncher.DLL /201
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: T&ulkot ar Tildes Tulkotāju - c:\program files\tildes birojs 2008\LaunchMTS.htm
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 80.232.230.241 195.122.12.242
TCP: Interfaces\{3874A016-AD5C-425C-943D-28473B05B8E9} : DhcpNameServer = 80.232.230.241 195.122.12.242
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GRA32A~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GR469A~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\signe\appdata\roaming\mozilla\firefox\profiles\ft15nywv.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\nos\bin\np_gp.dll
.
============= SERVICES / DRIVERS ===============
.
R? b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? WatAdminSvc;Windows Activation Technologies Service
S? acedrv11;acedrv11
S? AMD External Events Utility;AMD External Events Utility
S? amdkmdag;amdkmdag
S? amdkmdap;amdkmdap
S? AntiVirSchedulerService;Avira AntiVir Scheduler
S? AntiVirService;Avira AntiVir Guard
S? avgntflt;avgntflt
S? RTL8167;Realtek 8167 NT Driver
S? XMouseButton Launcher;XMouseButton Launcher
.
=============== Created Last 30 ================
.
2011-06-02 15:45:22 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-25 14:31:13 26496 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-05-24 08:06:01 -------- d-----w- c:\users\signe\appdata\local\The Witcher
2011-05-23 15:13:24 -------- d-----w- c:\programdata\SpinTop Games
2011-05-22 15:49:08 -------- d-----w- c:\users\signe\appdata\local\The Witcher 2
2011-05-21 15:45:12 -------- d-----w- c:\users\signe\appdata\roaming\DisneyInteractiveStudios
2011-05-20 13:06:59 -------- d-----w- c:\programdata\Solidshield
2011-05-19 05:07:12 123904 ----a-w- c:\windows\system32\poqexec.exe
2011-05-14 06:14:32 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-12 14:48:58 -------- d-----w- c:\programdata\Skype Extras
2011-05-11 14:24:16 43008 ----a-w- c:\windows\system32\drivers\usbehci.sys
2011-05-11 14:24:16 284160 ----a-w- c:\windows\system32\drivers\usbport.sys
2011-05-11 14:24:15 75776 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-05-11 14:24:15 5888 ----a-w- c:\windows\system32\drivers\usbd.sys
2011-05-11 14:24:15 258560 ----a-w- c:\windows\system32\drivers\usbhub.sys
2011-05-11 14:24:15 24064 ----a-w- c:\windows\system32\drivers\usbuhci.sys
2011-05-11 14:24:15 20480 ----a-w- c:\windows\system32\drivers\usbohci.sys
2011-05-11 14:24:13 3957632 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-05-11 14:24:13 3901824 ----a-w- c:\windows\system32\ntoskrnl.exe
.
==================== Find3M ====================
.
2011-03-31 08:18:18 23376 ----a-w- c:\windows\system32\dopdfmn7.dll
2011-03-31 08:18:16 20304 ----a-w- c:\windows\system32\dopdfmi7.dll
2011-03-12 11:31:58 442880 ----a-w- c:\windows\system32\XpsPrint.dll
2011-03-11 05:44:09 146304 ----a-w- c:\windows\system32\drivers\storport.sys
2011-03-11 05:44:01 143744 ----a-w- c:\windows\system32\drivers\nvstor.sys
2011-03-11 05:44:01 1210240 ----a-w- c:\windows\system32\drivers\ntfs.sys
2011-03-11 05:44:01 117120 ----a-w- c:\windows\system32\drivers\nvraid.sys
2011-03-11 05:43:55 332160 ----a-w- c:\windows\system32\drivers\iaStorV.sys
2011-03-11 05:43:46 80256 ----a-w- c:\windows\system32\drivers\amdsata.sys
2011-03-11 05:43:46 22400 ----a-w- c:\windows\system32\drivers\amdxata.sys
2011-03-11 05:40:24 1164288 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-11 05:40:24 1137664 ----a-w- c:\windows\system32\mfc42.dll
2011-03-11 05:39:35 1686016 ----a-w- c:\windows\system32\esent.dll
2011-03-11 05:37:34 74240 ----a-w- c:\windows\system32\fsutil.exe
2011-03-08 05:38:13 740864 ----a-w- c:\windows\system32\inetcomm.dll
.
============= FINISH: 19:12:10.55 ===============

I gess I am too impatient so I posted a similar thread on Avira official forum. I know this violates your rules but I don't know how to remove this post. I just hope that I can get my help sooner. Please be merciful :cold:

EDIT: Please be patient. There are over 300 unanswered topics in this forum at present and the current average wait time to receive help is 10 days. ~Budapest

Attached Files


Edited by Budapest, 06 June 2011 - 05:03 PM.


BC AdBot (Login to Remove)

 


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:10:22 AM

Posted 11 June 2011 - 07:35 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London, UK
  • Local time:10:22 AM

Posted 15 June 2011 - 06:01 PM

Due to the lack of feedback, this topic is now closed.In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
Posted Image
m0le is a proud member of UNITE




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users