Can't remove crypt.xpack.gen and patched.BU.6

Welcome to Major Geeks!

Please hangon while I look thru your logs. You should not just be randomly running things without guidance. Tools have very specific uses.

You first need to download and use the current version of MGtools. You are way out of date. Then attach a new log. Make sure you Save it to your PC. DO NOT attempt to Run or Open it from the download link.

 

I decided to continue with the logs you posted for now.

You need to uninstall NetMeter 1.1.3 now. See this: http://www.bleepingcomputer.com/startups/NetMeter.exe-3644.html


You need to move the below files into a proper folder for the application or delete the below. The do not belong in the root C:
\Program Files folder.

Code:

2007-03-12 23:17 882,264 ----a-w C:\Program Files\HyCam2.exe
2007-03-12 23:17 87,656 ----a-w C:\Program Files\UnHyCam2.exe
2007-02-23 01:54 69,632 ----a-w C:\Program Files\CamRes2.dll
2007-02-23 01:54 57,344 ----a-w C:\Program Files\MClick2.dll
2007-02-23 01:54 5,272 ----a-w C:\Program Files\HyCam2.tlb
2006-12-14 03:13 113,628 ----a-w C:\Program Files\HyCam2.chm
2006-12-14 00:18 3,274 ----a-w C:\Program Files\agreement.txt
2004-05-05 02:57 2,018 ----a-w C:\Program Files\readme.txt
2004-04-16 04:07 675 ----a-w C:\Program Files\HyCam2.cnt
1999-06-24 01:49 587 ----a-w C:\Program Files\8-44100d.wav
1999-06-24 01:49 421 ----a-w C:\Program Files\8-44100u.wav
1999-06-24 01:47 317 ----a-w C:\Program Files\8-22050d.wav
1999-06-24 01:47 225 ----a-w C:\Program Files\8-22050u.wav
1999-06-24 01:46 183 ----a-w C:\Program Files\8-11025d.wav
1999-06-24 01:46 135 ----a-w C:\Program Files\8-11025u.wav
1999-06-24 01:44 127 ----a-w C:\Program Files\8-8000u.wav
1999-06-24 01:43 151 ----a-w C:\Program Files\8-8000d.wav
1999-06-24 01:41 220 ----a-w C:\Program Files\16-8000u.wav
1999-06-24 01:40 260 ----a-w C:\Program Files\16-8000d.wav
1999-06-24 01:38 956 ----a-w C:\Program Files\16-44100u.wav
1999-06-24 01:37 1,186 ----a-w C:\Program Files\16-44100d.wav
1999-06-24 01:34 652 ----a-w C:\Program Files\16-22050d.wav
1999-06-24 01:34 442 ----a-w C:\Program Files\16-22050u.wav
1999-06-24 00:54 340 ----a-w C:\Program Files\16-11025d.wav
1999-06-24 00:50 326 ----a-w C:\Program Files\16-11025u.wav

Did you knowingly install the below Pando Toolbar stuff. This application is not recommended since it is considered adware.

Did you knowingly install Crawler Toolbar with Web Security Guard? This is normally seen with Spyware Terminator but you do not have Spyware Terminator installed. Did you uninstall it but decide to keep Crawler Toolbar?



The below show that you are having frequent crashes. You may want to post about this in the Software Forum. Include information on an error messages you may be seeing.

Code:

"C:\WINDOWS\"
dump3393.tmp  18 Jun 2008       94208  "DUMP3393.tmp"
dump34bc.tmp  14 Jun 2008       94208  "DUMP34bc.tmp"
dump3875.tmp  14 Jun 2008       94208  "DUMP3875.tmp"
dump38c3.tmp  12 Jun 2008       94208  "DUMP38c3.tmp"
dump3901.tmp  12 Jun 2008       94208  "DUMP3901.tmp"
dump3a59.tmp  17 Jun 2008       94208  "DUMP3a59.tmp"
dump3ad6.tmp  18 Jun 2008       94208  "DUMP3ad6.tmp"
dump3c1e.tmp  20 Jun 2008       94208  "DUMP3c1e.tmp"
dump3d09.tmp  13 Jun 2008       94208  "DUMP3d09.tmp"
dump48a1.tmp  19 Jun 2008       94208  "DUMP48a1.tmp"
dump5ec9.tmp  10 Jun 2008       94208  "DUMP5ec9.tmp"

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right
click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following
lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading
in right now:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

After clicking Fix, exit HJT.



Now we need to use ComboFix.

• Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
  • If it is not on your Desktop, the below will not work.
• Open Notepad and copy/paste the text in the below quote box into it:

• Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
• At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
• You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
• Now use your mouse to drag CFscript.txt on top of ComboFix.exe
• Follow the prompts.
• When it finishes, a log will be produced named c:\combofix.txt
• I will ask for this log below

Note:

Do not mouseclick combofix's window while it is running. That may cause it to stall.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all
files" Once you have saved it double click it and allow it to merge with the registry.

Make sure that you tell me if you receive a success message about adding the above
to the registry. If you do not get a success message, it definitely did not work.

Now run Ccleaner!

Now download and SAVE the current version of MGtools.exe to your C:\ folder. Get it here: MGtools.exe Then run it by double clicking on it.



Then attach the below logs:

• C:\ComboFix.txt
• C:\MGlogs.zip

Make sure you tell me how things are working now!

 

Sounds to me like your download manager is causing problems.

Show me a log or a snapshot then. This sounds like a false positive if it is occurring when SAS is running.

It was really optional. It is not malware but some people just don't like excessive tool bars.

If you know you have bad RAM, you should address that issue first.

You did not uninstall NetMeter. Did you read the link I gave you?

You said you uninstalled Pando but I still see it in your logs. Did you uninstall after getting the logs rather than at the point I asked the question about it?

Other than NetMeter, your logs are clean.

 

But perhaps as I stated, you did not uninstall them before getting the new logs. They were still installed in your last logs.

Is there a good alternative to Netmeter that you know of? [/quote] Why do you even need it? Whatever you install, don't run it all the time at startup. Only run it when you really need it.

You are better off asking this in the Software Forum but take a look at the below:

Netstat Live

Okay but I can say that no one else is having problems downloading MGtools but you. And since you keep mentioning Download Manager and attachment.php sounds to me like it is related. The only time that others have an issue downloading MGtools is when you do not put a check in the Remember Me box while logging into MGs. So if you checked that button, either you have an issue with which browser you are using or an addon to the browser. It really does not matter at this point since you managed to get the proper tools.

Thunderstorm season. Yes there is a significant time difference but I'm often on until 2 or 3 AM my time which is 4 to 5 PM for you I believe.

Can you put copies of these two DLL files that are being detected ( C:\WINDOWS\system32\dmserver.dll and C:\WINDOWS\system32\gdimnt.dll ) into a ZIP file and attach the ZIP file here? dmserver.dll is a valid Microsoft file called Logical Disk Manager service and I want to see if you have a valid copy. Since the detection mentions Patched.BU.6 maybe something has patched the file.

 

That's it! Malware never sleeps nor does it take a vacation. We have to stay awake 24-7-365 just to keep up. :-D:-D

 

This is what should happen. When you check the Remember Me box a cookie is saved with your login information and you no longer have to login manually. It is automatic. If you delete cookies, you would then have the same problem again.

Size does not matter. It's what is in the file.

That may be the next step but it may not be necessary. It could be that the other file is the root of the problem.

I'll check these files out and get back to you.

 

Okay these files do appear to be infected and even though the dmserver.dll file is the same size as the valid Microsoft file and it even shows information stating it is a Microsoft DLL, it is not the valid file. It has been changed.

Please download this View attachment findfile.zip to your C:\MGtools folder. Then extract the findfile.bat file from the ZIP into that same folder. Now run the findfile.bat file by double clicking on it. It will search your hard disk for other copies of the dmserver.dll file and will create a log file named C:\flist.txt

Attach the c:\flist.txt file to your next message.

Then go to the C:\WINDOWS\system32\gdimnt.dll file and right click on it and select rename. Rename it to gdimnt.dll.bad Tell me if you are able to rename this file.

 

Reboot into safe mode and rename the C:\WINDOWS\system32\dmserver.dll file to dmsever.dll.bad. A new dmserver.dll file will probably show up soon afterwards. This is normal since the system will try to restore it from the copy here C:\WINDOWS\system32\dllcache\dmserver.dll

We are trying to see if this copy is also infected.

Double check to make sure that no new copies of gdimnt.dll showed up. Let me know if it did.


Then reboot normally. Does AntiVir still have detections? If it only finds the files we renamed with .bad then it is okay since we will soon delete them if AntiVir does not.

 

:-D I need to go home and get some dinner.

 

No! Too many people were always bothering me when they see me online so I hide it.

Does this file still exist? C:\WINDOWS\system32\dllcache\dmserver.dll

If yes, copy it from there to C:\WINDOWS\system32\dmserver.dll

 

Pando is not known to be malware or a problem. And just because AntiVir detects a "potential" problem, it does not mean it is a problem. The behavior of a program can sometimes trigger a red flag to an antivirus, antispyware, or firewall program but is does not always mean it is a problem. Any P2P program will typically cause red flags. All that being said, if you don't need Pando, uninstall it.

 

Only for your side of the world.

 

Sounds like we are finished.

If you are not having any other malware problems, it is time to do our final steps:

1. You can uninstall SUPERAntiSpyware now.
2. We recommed you keep Malwarebytes Anti-Malware as a scanner. It uses no resources except a little disk space until you run a scan.
4. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop & renamed it like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\cf" /u
     • Notes: The space between the cf" and the /u, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
   • Delete the C:\cf folder from combofix.
5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
6. Go to add/remove programs and uninstall HijackThis.
7. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
8. If you are running Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
   • How to Protect yourself from malware!

 

You're welcome.

No! It is not a Windows system file.