Trojan Infection (Crypt.XPACK / Downloader.Gen)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Matt.A, Apr 10, 2009.

  1. Matt.A

    Matt.A Private E-2

    OK, so late last week (Thursday/Friday) I remember that Norton detected a HACKER.ROOTKIT (I think). I came back to the computer on the Monday and ran an Avira scan. It came up with loads of stuff in Local Settings > Temp and I deleted the contents of the folder. Ran a few more scans and I remember reading TR/Crypt.XPACK.Gen and TR/Downloader.Gen and thought I'd got it and all was well. However, Norton still continues to detect INFOSTEALER (and removes it before it comes right back in a "Detects" .... wait a bit .... "Removes" then "Detects" straight after).
    Computer has also been REALLY slow sometimes.
    Anyway, I was directed here and followed the Read and Run stuff and the XP cleaning thread, but my Avira just detected something in "Documents and Settings > Application Data > Symantec ..." (didn't write it down, sorry).
    Thanks for reading.
    Oh, and I read the threads regarding Crypt.XPACK's but didn't really follow them, sorry.
     
  2. Matt.A

    Matt.A Private E-2

    Log files from Read/Run

    Also, I noticed whilst frantically looking through my C: directory a few files named wgkiy (one was a .exe I think) before I unchecked the "hide important system files" thingy. Couldn't find it anywhere online (as in couldn't find any info on it) and my computer-literate friend hadn't heard of it. Could find it if it seems important. I think the description thingy under the file was in French.
    Any ideas?
     


  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi and welcome. We are currently reviewing your logs and will get back to you with a set of instructions as soon as possible. Thanks for your patience during this time.

    Kes
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    One of your problems right now is the fact that you are running more than one anti-virus. In fact you are running 3.

    • Norton AntiVirus
    • Norton Internet Security
    • avast! Antivirus
    • Avira AntiVir Personal - Free Antivirus

    You need to now decide which of the three you wish to keep hold of and uninstall the remaining two before we continue with the fix.

    If you opt to get rid of Norton:

    Please give the Norton Removal Tool (SymNRT) a run > reboot your machine and then run it again for good measure.


    FYI:


    You must only have one installed as they will be fighting for control over system files and you are reducing the effectiveness of each of them by doing this. It also can cause malware to go by unnoticed and it slows a PC down tremendously.

    Also:

    Ad-Aware SE Personal <-- old and ineffective, better to update to the current version or better still, uninstall it and use SAS and MBAM instead.

    Please disable all anti-virus and anti-spyware programs while we do the following, we need to tidy up a little (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    After clicking Fix exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.

    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it
    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    amd64si
    ati64si
    port135sik
    securentm
    
    File::
    C:\DOCUME~1\Robert\LOCALS~1\Temp\Google Toolbar\gtb8.tmp.exe
    c:\windows\Plojesebebebagu.bin
    c:\windows\Bnoweqayofika.dat
    c:\windows\system32\drivers\amd64si.sys
    c:\windows\system32\drivers\ati64si.sys
    c:\windows\system32\drivers\port135sik.sys
    c:\windows\system32\drivers\securentm.sys
    
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00 
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll" 
    
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe


    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combofix

    Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now.
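
Added example for readers of this thread (my own code, not ComboFix's and not from the post above). The Registry:: part of the CFScript does two things besides dropping the BHO keys: it resets "Notification Packages" under the Lsa key, which lists the DLLs LSA loads and calls on every password change (the password-filter interface), and it resets "SecurityProviders", the list of Security Support Provider DLLs loaded into lsass.exe. Both are well-known places for password stealers to persist, which is why the script puts the defaults back. The code below parses a CFScript into its sections, decodes the hex(7) (REG_MULTI_SZ) value in both the one-byte-per-character form ComboFix writes and the UTF-16LE form a regedit .reg export uses, and reports anything in those two values that is not in the baseline. The baselines are the XP-era workstation defaults the script itself writes (a domain controller lists more notification packages, so adjust them for the machine at hand). The second sample, with the names "evilpf" and "evilssp.dll", is constructed and hypothetical; it is only there to show what the audit flags.

```python
"""Parse a ComboFix CFScript and audit the two Lsa values it resets.

Added example for this thread, not ComboFix's own code.  Baselines are the
XP workstation defaults written by the script in the post; domain
controllers list extra notification packages, so adjust before use.
"""
import re
from typing import Dict, List, Optional

BASELINE_NOTIFICATION_PACKAGES = {"scecli"}
BASELINE_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll",
                               "digest.dll", "msnsspc.dll"}

# Registry paths are case-insensitive, so key paths are stored lower-cased.
LSA_KEY = r"hkey_local_machine\system\currentcontrolset\control\lsa"
SP_KEY = r"hkey_local_machine\system\currentcontrolset\control\securityproviders"

_SECTION_RE = re.compile(r"^([A-Za-z]+)::$")          # KILLALL::, Driver::, ...
_KEY_RE = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")       # [-HKEY...] means delete
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<body>.+?)$')


def decode_multi_sz(hex_bytes: str) -> List[str]:
    """Decode a hex(7): byte list (REG_MULTI_SZ) into its strings.

    ComboFix writes one byte per character ("73,63,...,00,00"); a regedit
    .reg export dumps UTF-16LE, where every odd byte of ASCII text is 00.
    The odd bytes decide which encoding applies (a heuristic, but it holds
    for the ASCII DLL names these values contain).
    """
    tokens = hex_bytes.replace("\\", "").replace("\n", "").split(",")
    data = bytes(int(t.strip(), 16) for t in tokens if t.strip())
    if data and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        text = data.decode("utf-16-le")
    else:
        text = data.decode("latin-1")
    return [s for s in text.split("\x00") if s]


def parse_cfscript(script: str) -> Dict[str, List[str]]:
    """Split a CFScript into sections: {"Driver": [...], "File": [...], ...}."""
    sections: Dict[str, List[str]] = {}
    current: Optional[List[str]] = None
    for raw in script.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif line and current is not None:
            current.append(line)
    return sections


def parse_registry_section(lines: List[str]) -> Dict[str, Optional[Dict[str, object]]]:
    """Return {key_path: {value_name: value}}; a "[-HKEY...]" key maps to
    None (whole key deleted).  hex(7) values become lists of strings."""
    keys: Dict[str, Optional[Dict[str, object]]] = {}
    current: Optional[Dict[str, object]] = None
    for line in lines:
        m = _KEY_RE.match(line)
        if m:
            delete, path = m.group(1), m.group(2).lower()
            if delete:
                keys[path] = None
                current = None
            else:
                current = keys.setdefault(path, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, body = m.group("name"), m.group("body")
            if body.startswith("hex(7):"):
                current[name] = decode_multi_sz(body[len("hex(7):"):])
            elif len(body) >= 2 and body[0] == body[-1] == '"':
                current[name] = body[1:-1]
            else:
                current[name] = body
    return keys


def audit_lsa(keys: Dict[str, Optional[Dict[str, object]]]) -> List[str]:
    """List entries of the two Lsa values that are not in the baseline."""
    findings: List[str] = []
    packages = (keys.get(LSA_KEY) or {}).get("Notification Packages", [])
    if isinstance(packages, str):
        packages = [packages]
    for dll in packages:
        if str(dll).lower() not in BASELINE_NOTIFICATION_PACKAGES:
            findings.append(f"unexpected LSA notification package: {dll}")
    providers = str((keys.get(SP_KEY) or {}).get("SecurityProviders", ""))
    for dll in (p.strip() for p in providers.split(",")):
        if dll and dll.lower() not in BASELINE_SECURITY_PROVIDERS:
            findings.append(f"unexpected security provider DLL: {dll}")
    return findings


def audit_script(script: str) -> List[str]:
    """Convenience wrapper: CFScript text in, findings out."""
    return audit_lsa(parse_registry_section(parse_cfscript(script).get("Registry", [])))


# The Registry:: section of the script posted in this thread (clean baseline).
CLEAN_SCRIPT = r"""
Registry::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
"""

# Constructed, hypothetical .reg-style export ("evilpf", "evilssp.dll" are
# made-up names, not from the thread) showing what a tampered box looks like.
TAMPERED_EXPORT = r"""
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,65,00,76,00,69,00,6c,00,70,00,66,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, evilssp.dll"
"""

if __name__ == "__main__":
    print("clean   :", audit_script(CLEAN_SCRIPT))
    print("tampered:", audit_script(TAMPERED_EXPORT))
```

On a live machine the same audit applies to a `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa` dump: feed the export's lines to parse_registry_section and compare against the baseline for that role of machine. An unexpected DLL in either value is worth pulling for analysis before the key is simply reset, since resetting the value removes the hook but not the file.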
     
  5. Matt.A

    Matt.A Private E-2

    Sorry for (potentially) wasting your time, but seeing as I've just received this computer off a roommate, would factory resetting it be safe virus-wise? Just as it's crowded with old programs anyway and there's nothing that I really will use on it.
    Thanks again for replying, if you advise, I'll follow the above instructions.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes. You could do this and start clean over. You could follow my above instructions if you wish and also set about removing un-needed programs and doing an all-over spring clean, but the choice is yours :) I'll be waiting here if you decide to take my steps.
     
  7. Matt.A

    Matt.A Private E-2

    Cool. This is really not virus-related so I don't expect you to know, but can you order the recovery CDs from Dell for the UK online? I can only find a US page for it.

    Thanks again for the great work (not just in this thread)
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there :)

    Make a post in the software forum regarding this. The guys and gals in there will set you straight regarding the recovery CDs.

    You're more than welcome for the help, it was our pleasure.
     
