Possible TR/Crypt.XPACK.Gen infection.

Discussion in 'Malware Help (A Specialist Will Reply)' started by chr0me, Feb 11, 2010.

  1. chr0me

    chr0me Private E-2

    Hi,

    Avira found TR/Crypt.XPACK.Gen on my system and I deleted it. I'm not sure the virus is 100% gone, though, so I would really appreciate your help in checking if it renamed itself and is still lurking on my system. I hope I'm not being too paranoid :)

    All the logs are attached.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Without knowing the exact path to the file in question, I can't say. Have you updated Avira recently? You need to tell me the path as the name Avira gave it is useless.
     
  3. chr0me

    chr0me Private E-2

    I've had Avira update automatically at the time of its detecting the virus and ever since, too.

Here's the direct path to the file in question: 'C:\Users\Road Runner\AppData\Local\Temp\BIT7D64.tmp'

    Thank you very much for your help!
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

Download The Avenger by Swandog46, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
* Do not change any check box options!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run CCleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  5. chr0me

    chr0me Private E-2

I followed your instructions - ran Avenger, executed the code, rebooted the computer - however, Avenger did not produce a pop up window on startup, or a log file in the C:\ drive. I had disabled all anti-spyware and antivirus software prior to that, including fully uninstalling Avira, but in both attempts to run Avenger, there didn't seem to be any effect on start up.

    I did run CCleaner and MGTools afterwards, and am attaching MGlogs.zip to the message.

    Should I run Avenger with UAC turned off?

    Thank you again for your help and assistance!
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    UAC should have been turned off with the running of the MGTools. However, check to see if it is in fact off. Then use windows explorer to see if you can find that file we tried to remove.

    Let's try this again:

    Again, please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):
    * Run avenger.exe by double-clicking on it.
* Do not change any check box options!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Now run CCleaner to clean out only temp files and nothing else!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip
     
  7. chr0me

    chr0me Private E-2

    I disabled the UAC using DisableUAC.reg from the MGtools folder, then restarted the computer and ran the script in Avenger. Nothing showed up after rebooting though - there was no pop up, no log file created, and the files specified in the quote were still present in their directories. I tried running Avenger in Safe mode, with the same result. According to Swandog46's site, the program is only compatible with 32-bit Vista, XP, and 2000, and there isn't a 64-bit version - since I am running a 64-bit Windows 7 system, could that be the cause?

    Either way, I am attaching the latest MGlog. Should I attempt to manually delete any of the files you specify in your last post?

    Thank you for your continued support and help!
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sigh, yes a 64 bit system does make a difference and I should have noticed that.

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
* then click on the All Files button (or on the folders option)
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\Windows\System32\drivers\yruyrcc.sys
    C:\Windows\System32\drivers\deev.sys
    C:\Windows\System32\drivers\hkavsdq.sys
    C:\Windows\System32\drivers\kklsal.sys
    C:\Windows\SysWOW64\drivers\deev.sys
    C:\Windows\SysWOW64\drivers\hkavsdq.sys
    C:\Windows\SysWOW64\drivers\kklsal.sys
    C:\Windows\SysWOW64\drivers\yruyrcc.sys
    C:\Users\Road Runner\Local Settings\TEMP\lil85A7.tmp
    C:\Users\Road Runner\Local Settings\TEMP\lil85A8.tmp
    C:\Users\Road Runner\Local Settings\TEMP\lil85C8.tmp
    C:\Users\Road Runner\Local Settings\TEMP\lil85C9.tmp
    C:\Users\Road Runner\Local Settings\TEMP\lil85CA.tmp
    C:\Users\Road Runner\Local Settings\TEMP\lil85CB.tmp
    C:\Users\Road Runner\Local Settings\TEMP\lil85CC.tmp
    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  9. chr0me

    chr0me Private E-2

    Everything ran smoothly this time around, and the PendingFileRenameOperations prompt did not appear. I'm attaching the MGtools log. Thank you so much for helping me :)
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try it again.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:

    * Delete on Reboot
* then click on the All Files button (or on the folders option)
    * Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\Windows\System32\drivers\dbsf.sys
    C:\Windows\System32\drivers\deev.sys
    C:\Windows\System32\drivers\hkavsdq.sys
    C:\Windows\System32\drivers\jvdpb.sys
    C:\Windows\System32\drivers\kklsal.sys
    C:\Windows\System32\drivers\maomq.sys
    C:\Windows\System32\drivers\qqld.sys
    C:\Windows\System32\drivers\rkmkbcnh.sys
    C:\Windows\SysWOW64\drivers\dbsf.sys
    C:\Windows\SysWOW64\drivers\deev.sys
    C:\Windows\SysWOW64\drivers\hkavsdq.sys
    C:\Windows\SysWOW64\drivers\jvdpb.sys
    C:\Windows\SysWOW64\drivers\kklsal.sys
    C:\Windows\SysWOW64\drivers\maomq.sys
    C:\Windows\SysWOW64\drivers\qqld.sys
    C:\Windows\SysWOW64\drivers\rkmkbcnh.sys
    C:\Program Files (x86)\atvxe.txt
    C:\Program Files (x86)\bubdx.txt
    C:\Program Files (x86)\zhgc.txt
    C:\jdfk.txt
    C:\mjxi.txt
    C:\Windows\aazky.txt
    C:\Windows\zfrldxj.txt
    C:\Windows\system32\jmezw.txt
    C:\Windows\SysWOW64\jmezw.txt
    * Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    * Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.

    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip
     
  11. chr0me

    chr0me Private E-2

    I did get a PendingFileRenameOperations prompt this time around and had to restart the PC manually.

    Also, while running MGtools, I got an error message saying that SteelWerX WhoAmI stopped working and had to click OK there.

    The logs are attached.

    I really appreciate your help with this. You're literally preventing me from freaking out like crazy over this. Thank you, TimW
     

    Attached Files:

  12. chr0me

    chr0me Private E-2

    I'm posting again because I realized I hadn't disabled the UAC when I ran the scans earlier today. I disabled it now and I ran Killbox and MGtools again; the new log is attached below. There was no prompt this time around.

    The only other thing is, I checked for the files Killbox is supposed to delete and they are still there. I'm really not sure what to do about that.

    Thank you for the help again and sorry for posting twice.
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.




    Code:
:Files
C:\Windows\System32\drivers\dbsf.sys
C:\Windows\System32\drivers\deev.sys
C:\Windows\System32\drivers\hkavsdq.sys
C:\Windows\System32\drivers\jvdpb.sys
C:\Windows\System32\drivers\kklsal.sys
C:\Windows\System32\drivers\maomq.sys
C:\Windows\System32\drivers\qqld.sys
C:\Windows\System32\drivers\rkmkbcnh.sys
C:\Windows\SysWOW64\drivers\dbsf.sys
C:\Windows\SysWOW64\drivers\deev.sys
C:\Windows\SysWOW64\drivers\hkavsdq.sys
C:\Windows\SysWOW64\drivers\jvdpb.sys
C:\Windows\SysWOW64\drivers\kklsal.sys
C:\Windows\SysWOW64\drivers\maomq.sys
C:\Windows\SysWOW64\drivers\qqld.sys
C:\Windows\SysWOW64\drivers\rkmkbcnh.sys
C:\Program Files (x86)\atvxe.txt
C:\Program Files (x86)\bubdx.txt
C:\Program Files (x86)\zhgc.txt
C:\jdfk.txt
C:\mjxi.txt
C:\Windows\aazky.txt
C:\Windows\zfrldxj.txt
C:\Windows\system32\jmezw.txt
C:\Windows\SysWOW64\jmezw.txt
:Commands
[emptytemp]
[Reboot]

    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.


    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach that document back here in your next post.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * OTM log
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
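The Killbox and OTM steps above both rely on the same Windows mechanism: a file that cannot be deleted while the system is running is queued for deletion by the Session Manager at the next boot, through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which is also what fills the PendingFileRenameOperations value that the thread mentions. The script below is an added example for this page, not code from the original posts or from Pocket Killbox or OTM. It reports what is actually on disk for the paths TimW listed (size, SHA-256, Authenticode status, and any driver service whose ImagePath points at the file), refuses to run as a 32-bit process on 64-bit Windows (the file-system redirection that defeated Avenger earlier in the thread), and only then queues the files for deletion at reboot. It assumes an elevated 64-bit Windows PowerShell 4.0 or later; the candidate list is a subset of the paths from the thread, and the function names are the example's own.

```powershell
# Added example (not from the original thread, Killbox or OTM).
# Assumes an elevated 64-bit Windows PowerShell 4.0+ (Get-FileHash needs 4.0).
$Candidates = @(
    'C:\Windows\System32\drivers\dbsf.sys'
    'C:\Windows\System32\drivers\jvdpb.sys'
    'C:\Windows\System32\drivers\maomq.sys'
    'C:\Windows\System32\drivers\qqld.sys'
    'C:\Windows\System32\drivers\rkmkbcnh.sys'
    'C:\Windows\SysWOW64\drivers\dbsf.sys'
    'C:\Program Files (x86)\atvxe.txt'
    'C:\Windows\system32\jmezw.txt'
)

# A 32-bit process on 64-bit Windows has System32 silently redirected to
# SysWOW64, so a 32-bit cleanup tool never sees the real System32\drivers.
# That is why the 32-bit Avenger did nothing on this 64-bit Windows 7 box.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    throw 'Running under WOW64: start the 64-bit PowerShell (or use C:\Windows\Sysnative).'
}

# P/Invoke for the same API Killbox/OTM use for "Delete on Reboot".
Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string existing, string replacement, int flags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Get-ServiceRefs {
    # Names of service/driver entries whose ImagePath ends in this file name.
    # A .sys that is still registered here will be loaded again at boot.
    param([string]$FileName)
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
            if ($img -and ($img.TrimEnd('"') -like "*\$FileName")) { $_.PSChildName }
        }
}

function Get-CandidateReport {
    # One row per candidate that actually exists (Killbox likewise only lists
    # the files it can find). Review this before deleting anything.
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        [pscustomobject]@{
            Path      = $p
            Size      = (Get-Item -LiteralPath $p -Force).Length
            Sha256    = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            Signature = (Get-AuthenticodeSignature -LiteralPath $p).Status
            Services  = (Get-ServiceRefs -FileName (Split-Path -Leaf $p)) -join ','
        }
    }
}

function Request-DeleteOnReboot {
    # Queue each existing path for deletion at next boot. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        if ($PSCmdlet.ShouldProcess($p, 'Delete at next reboot')) {
            if (-not [Win32.NativeMethods]::MoveFileEx($p, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
                $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
                Write-Warning "MoveFileEx failed for $p (Win32 error $code); are you elevated?"
            }
        }
    }
}

function Get-PendingRenames {
    # The queue Windows will process at boot: pairs of (source, target);
    # an empty target means "delete". This is what the Killbox prompt refers to.
    (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').PendingFileRenameOperations
}

# Review first, queue second, and verify after the reboot by re-running the report.
Get-CandidateReport -Paths $Candidates | Format-Table -AutoSize
Request-DeleteOnReboot -Paths $Candidates -WhatIf   # drop -WhatIf once the report has been reviewed
Get-PendingRenames
```

If the Services column names an entry for a .sys file, deleting the file alone leaves a dangling driver registration that will fail (and log an error) at every boot; remove the service entry as well (for example with `sc.exe delete <name>`) after confirming it is not a legitimate driver. Re-running Get-CandidateReport after the reboot is the same check chr0me did by hand in post 12, and a path that still appears usually means the process was not elevated, or a 32-bit shell was looking at the wrong System32.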
  14. chr0me

    chr0me Private E-2

    I'm attaching the logs. OTM appears to have deleted the files, but I don't know enough to be sure :)

    I haven't been able to figure out if I had anything malicious running on my computer these past days, would you say those were residual files from a killed virus or an active infection?

    Thanks again for your time and patience on this!
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. I can not say whether the files were leftovers from an infection or active. But at least we know they are finally removed.

    If you are not having any other malware problems, it is time to do our final steps:
1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
  • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
  • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
