Infected with TR/Crypt.XPACK.Gen

Discussion in 'Malware Help (A Specialist Will Reply)' started by simpsycho, Mar 18, 2009.

  1. simpsycho

    simpsycho Private E-2

    I've got a computer that seems to be infected with tr/crypt.xpack.gen, or at least that's what Avira is telling me. It tells me that I need to restart the computer to get rid of it, but it just keeps telling me the same thing every time I restart the computer.

    I have already read the Malware Removal Guide but MGTools.exe is the only thing on the list that I can get to run. SUPERAntiSpyware installed, but every time I try to run the program, it says that it has encountered a problem and needs to close. Malwarebytes Anti-Malware installed, but when I click it, nothing happens. Nothing happens when I try to run the ComboFix installer either. I've attached the log from MGTools, hopefully it will be of some help.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!


    First you must disable Spybot's Teatimer as requested in the READ & RUN ME. See this: How to disable Spybot's TeaTimer

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) SE Runtime Environment 6 Update 1
    Java(TM) 6 Update 2
    My Web Search (Cursor Mania)
    rradio
    Viewpoint Manager (Remove Only) <-- should have been uninstalled in step 1 of the READ ME
    Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
    O1 - Hosts: 216.34.131.135 www.porn.com porn.com
    O1 - Hosts: 207.17.52.115 www.sex.com sex.com
    O1 - Hosts: 207.17.52.115 www.porno.com porno.com
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
    O2 - BHO: DeskalertsBHO - {9DD77D09-901B-4af0-8F89-812950DB6FF2} - C:\Program Files\DeskAlerts\deskbar.dll (file missing)
    O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll (file missing)
    O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
    O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
    O4 - HKLM\..\Run: [rradio] c:\program files\common files\system\k768zcv.exe
    O4 - HKLM\..\Run: [SeekmoToolbar] C:\Program Files\SeekmoToolbar\Bin\4.8.4.0\${HOOKOE_FILE}
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O20 - Winlogon Notify: __c00651F1 - C:\WINDOWS\system32\__c00651F1.dat (file missing)

    After clicking Fix, exit HJT.

    Please run the below then reboot. After reboot run it one more time.

    Norton Removal Tool (SymNRT)

    Now delete the below file and folders if found
    c:\program files\common files\system\k768zcv.exe
    C:\Program Files\DeskAlerts
    C:\Program Files\MyWebSearch
    C:\Program Files\SeekmoToolbar

    Now run Ccleaner!
    Now attempt to run SUPERAntiSpyware, Malwarebytes, and ComboFix per the READ & RUN ME instructions.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the logs from SUPERAntiSpyware and Malwarebytes
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
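Added example (not part of either post, and not code from HijackThis or MGTools): a small Python triage script that applies the same reading chaslang did by hand on the log above. It parses HijackThis-style lines and flags the four patterns that drove the fix list: entries whose referenced file is gone, O1 hosts lines that redirect a name to a routable address rather than to a sinkhole, O4 autostarts with an unexpanded installer placeholder or a random-looking file name, and an O20 Winlogon Notify entry that points at something other than a DLL. The sample lines are modelled on the log quoted in the thread, with one constructed benign hosts entry added; the rule set and the random-name heuristic are this example's own assumptions, not anything the tools implement.

```python
"""Added example: rule-based triage of a HijackThis-style log.
Not part of the thread or of HijackThis/MGTools; the rules and the
random-name heuristic are this example's own assumptions."""
import re
from dataclasses import dataclass
from typing import List

# Sample lines modelled on the log quoted in the thread, plus one constructed
# benign O1 entry (0.0.0.0 ads.example.com): a hosts line that points at a
# sinkhole address is blocklisting, not hijacking, and must not be flagged.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O1 - Hosts: 216.34.131.135 www.porn.com porn.com
O1 - Hosts: 0.0.0.0 ads.example.com
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll (file missing)
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O4 - HKLM\..\Run: [rradio] c:\program files\common files\system\k768zcv.exe
O4 - HKLM\..\Run: [SeekmoToolbar] C:\Program Files\SeekmoToolbar\Bin\4.8.4.0\${HOOKOE_FILE}
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O20 - Winlogon Notify: __c00651F1 - C:\WINDOWS\system32\__c00651F1.dat (file missing)
"""

# Addresses a hosts line may legitimately point at (blocklist / sinkhole style).
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<names>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify:\s+(?P<name>\S+)\s+-\s+(?P<path>.+?)(?:\s+\(file missing\))?$")
# First executable-looking path component in a command line (HJT prints
# paths unquoted, so we cannot split on whitespace).
EXE_RE = re.compile(r"([^\\/]+?)\.(?:exe|dll|scr|com|bat|cmd|vbs|pif)\b", re.IGNORECASE)


@dataclass
class Finding:
    code: str    # HijackThis section, e.g. "O4"
    reason: str  # why the entry was flagged
    line: str    # the log line itself


def _random_looking(stem: str) -> bool:
    """Heuristic (an assumption of this example): a short name that mixes
    digits and letters and has no vowels, e.g. k768zcv or __c00651F1.
    A triage hint only; legitimate driver/service names can trip it."""
    s = stem.strip("_")
    return (len(s) <= 10
            and any(c.isdigit() for c in s)
            and any(c.isalpha() for c in s)
            and not any(c in "aeiouAEIOU" for c in s))


def analyse(log_text: str) -> List[Finding]:
    """Return one Finding per rule hit; a line can yield more than one."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        # Orphaned entries: registry still references a file that is gone.
        if "(file missing)" in body or "(no file)" in body:
            findings.append(Finding(code, "orphaned entry: referenced file is gone", line))
        if code == "O1":
            h = HOSTS_RE.match(body)
            if h and h.group("ip") not in SINKHOLE_IPS:
                findings.append(Finding(code, f"hosts redirect: {h.group('names')} -> {h.group('ip')}", line))
        elif code == "O4":
            r = RUN_RE.match(body)
            if r:
                cmd, name = r.group("cmd"), r.group("name")
                if "${" in cmd:  # installer template variable never expanded
                    findings.append(Finding(code, f"autostart '{name}': unexpanded placeholder in path", line))
                e = EXE_RE.search(cmd)
                if e and _random_looking(e.group(1)):
                    findings.append(Finding(code, f"autostart '{name}': random-looking file name {e.group(0)}", line))
        elif code == "O20":
            n = NOTIFY_RE.match(body)
            # Winlogon loads notify packages as DLLs; a .dat target is a disguise.
            if n and not n.group("path").lower().endswith(".dll"):
                findings.append(Finding(code, f"Winlogon Notify '{n.group('name')}' points at non-DLL {n.group('path')}", line))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Run it as-is to see the flagged lines, or feed it a real log with `analyse(open(path).read())`. The rules are deliberately narrow: an orphaned entry is harmless in itself but shows a sloppy uninstall or a loader whose payload has already been removed, and a hosts redirect to a routable address is the only O1 form worth treating as a hijack. Anything the script flags still needs the human check chaslang describes (close the browsers, fix in HijackThis, delete the files, rescan).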
     
