Help with Trojan Removal (Crypt XPACK)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jorianon, Dec 17, 2008.

  1. jorianon

    jorianon Private E-2

    A few days ago my antivirus (Avira) picked up the xpack trojan. I quarantined it but it seems to come back with every restart.

    I have run all the steps in the cleaning guide and attached the logs. The only step that I had trouble with was removing old software. For some reason, Norton Internet Security shows up five times (!!!) in the remove software window, but none of them give me the option to uninstall when selected. Similarly, Java Update 3 is installed but will not let me remove it.

    Please note that these logs are now several days old because right before I could post them I lost internet. Currently I can only access the internet when I am logged into safe mode. I don't know if this is related to the virus or something I did myself accidentally while running the scans. I spent an hour with my ISP tech support today, but since I can connect in safe mode they say it's not their problem. Any advice on how to fix this would also be appreciated.

    Any guidance much appreciated!
     


  2. jorianon

    jorianon Private E-2

    And here are the final two logs.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please run the below, then reboot (do not skip the reboot). After the reboot, run it one more time.

    Norton Removal Tool (SymNRT)


    I don't see it in your logs. Just see if you can use the Tools in CCleaner to delete it.

    What are the below folders for, which were created on 12/09/2008?
    Code:
    2008-12-09 10:33 . 2008-12-09 10:36 <DIR> d-------- c:\users\All Users\NOS
    2008-12-09 10:33 . 2008-12-09 10:36 <DIR> d-------- c:\programdata\NOS
    2008-12-09 10:33 . 2008-12-09 10:33 <DIR> d-------- c:\program files\NOS
    Since your logs are basically clean, your connection issues may not be due to malware. Perhaps it is just due to Norton.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
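    The HijackThis step above boils down to two questions: which autostart entries exist (the O4 Run-key lines) and which Browser Helper Objects are registered but point at nothing (the O2 "(no file)" line). The following PowerShell script is an added example for this editorial pass; it is not from the thread, from HijackThis, or from MajorGeeks. It walks the same registry locations HJT reports as O2 and O4, resolves each entry to a file, and lists the orphans whose target is missing. It assumes Windows PowerShell 5.1 or later, run from an elevated prompt so HKLM is readable; the helper names are my own.

```powershell
# Added example: enumerate HijackThis-style O4 (Run keys) and O2 (BHO) entries
# and flag the ones whose target file no longer exists, which is what HJT
# prints as "(no file)". Assumes Windows PowerShell 5.1+, run elevated.

# Registry-provider properties that Get-ItemProperty attaches to every result.
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-CommandPath {
    # Extract the executable from a Run-key command line such as
    #   "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    # Handles quoted paths and unquoted paths ending in .exe.
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { return $c.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($c, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($c -split '\s+')[0]
}

function Get-RunEntries {
    # O4 equivalents: per-machine and per-user Run / RunOnce keys.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($p in $props.PSObject.Properties) {
            if ($psNoise -contains $p.Name) { continue }
            $exe = Get-CommandPath $p.Value
            $target = if ($exe) { [Environment]::ExpandEnvironmentVariables($exe) } else { $null }
            [pscustomobject]@{
                Type    = 'O4'
                Key     = $k
                Name    = $p.Name
                Command = $p.Value
                Target  = $target
                Exists  = [bool]($target -and (Test-Path -LiteralPath $target))
            }
        }
    }
}

function Get-BhoEntries {
    # O2 equivalents: each BHO is a CLSID subkey here; the DLL path is the
    # default value of HKCR\CLSID\{guid}\InprocServer32 (HKCR is the merge of
    # HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes, so check both).
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    foreach ($sub in Get-ChildItem -Path $bhoKey) {
        $clsid = $sub.PSChildName
        $dll = $null
        foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes') {
            $ip = Join-Path $root "CLSID\$clsid\InprocServer32"
            if (Test-Path $ip) {
                $dll = (Get-ItemProperty -Path $ip).'(default)'
                if ($dll) { break }
            }
        }
        $target = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
        [pscustomobject]@{
            Type    = 'O2'
            Key     = $sub.Name
            Name    = $clsid
            Command = $dll
            Target  = $target
            Exists  = [bool]($target -and (Test-Path -LiteralPath $target))
        }
    }
}

$entries = @(Get-RunEntries) + @(Get-BhoEntries)
$entries | Sort-Object Type, Name | Format-Table Type, Name, Target, Exists -AutoSize

# Orphans (registered, but the file is gone) are safe to delete. Entries that
# do resolve still need a human decision: realsched.exe and QTTask.exe in the
# post above are legitimate updaters, just unnecessary at boot.
$entries | Where-Object { -not $_.Exists } |
    ForEach-Object { "ORPHAN [$($_.Type)] $($_.Key) :: $($_.Name) -> $($_.Command)" }
```

The script only reports; deleting a Run value (`Remove-ItemProperty`) or a BHO CLSID subkey (`Remove-Item`) is deliberately left to the operator, which matches the thread's practice of having the helper pick the lines before anything is fixed. Note that a BHO with a valid InprocServer32 path is not automatically benign; the "(no file)" check catches only the orphaned case.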
  4. jorianon

    jorianon Private E-2

    I have run all of these scans and attached the new logs below.

    CCleaner seems to have done the trick. I also used it to remove a few other unneeded programs that I could not in the Control Panel (such as Google Toolbar for IE).

    This is a download manager, apparently installed when I upgraded Acrobat on that day. A little research shows it to be legit but unnecessary, so I have removed it.

    After running the Norton removal tool and restarting, it popped up a webpage explaining how to reinstall any needed programs. It took me a minute to realize that the file was not on my machine, but on the web. I couldn't tell you why but internet has been working fine ever since, and this makes me very, very happy.



    • Just before it finished, this popped up an error message:
      Find String (GQREP) Utility has stopped working
      A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available.

      However, after I closed that dialog window, combofix seems to have finished successfully and provided a log.

      I have noticed nothing out of the ordinary so far since running the scans, and I'm hoping these logs indicate a clean computer. Thank you so much for your assistance!
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes this is why I said to uninstall it.

    Your MGlogs.zip file was not updated properly. Something stopped it from running completely. Are you sure you let it run all the way through? Do you still have UAC disabled? It must be disabled, and you have to reboot after disabling it. Did you right click and select Run As Administrator on the GetLogs.bat file? Did you get any error messages?

    Please delete the current c:\MGlogs.zip file and right click on the C:\MGtools\GetLogs.bat file and select Run As Administrator and let it finish running before you close the command prompt window. Then attach the new log. I want to make sure that all of the Symantec items were properly removed.
     
    Last edited: Dec 22, 2008
