R/Crypt.XPACK.Gen trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by felicekindness, May 27, 2008.

  1. felicekindness

    felicekindness Private E-2

    Hello to you all and especially the administrators,
    My antivir software has been reporting TR/Crypt.XPACK.Gen trojan.
    The file that is responsible for carrying the trojan is ssqfpgdc.dll under the system32 folder.
    Unfortunately, I followed all the procedure that was under the Windows XP cleaning procedure but nothing happened.
    The system initially seemed to have been cleaned but after reboot the trojan is still there.
    So here are the log files extracted from the various malware removal programs.
    thanks for any response.
    A.A
     

    Attached Files:

  2. felicekindness

    felicekindness Private E-2

    Here is another log file from combofix
     

    Attached Files:

  3. abri

    abri MajorGeek

    Hi felicekindness,
    Welcome to Major Geeks!

    Thank you for your kind name.

    Were you able to run MalwareBytes and if so, did it find anything?

    abri
     
  4. abri

    abri MajorGeek

    Hi felicekindness,

    Could you tell me what the following folders or files are? I can't read them and even if the characters were correct, I might still not know what they are:

    C:\Documents and Settings\All Users\„§ *ᤜ ˜ œ¨š˜©å˜ª"
    C:\Documents and Settings\Administrator\’˜ âšš¨˜*á £¦¬
    C:\Documents and Settings\LocalService\’˜ âšš¨˜*á £¦¬


    And now, please do the following:


    1) Go to add/remove programs and uninstall the below:

    MistikotitaTuIpologisti 1.1.48.0
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment Standard Edition v1.3.1
    Java 2 Runtime Environment Standard Edition v1.3.1_04
    Java 2 Runtime Environment, SE v1.4.2_04


    2) Reboot after uninstalling the above.

    3) Install the current version of Sun Java from: Sun Java Runtime Environment

    4) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    R3 - URLSearchHook: (no name) - {03e037d3-f080-4c0b-bdb5-a70c693ae36d} - (no file)
    O2 - BHO: (no name) - {DEBABA16-02E3-4654-A139-C841253CAB44} - C:\WINDOWS\system32\iifETkKd.dll (file missing)
    O4 - HKLM\..\Run: [MistikotitaTuIpologisti] C:\Program Files\MistikotitaTuIpologisti\GDC.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (file missing) (HKCU)

    After you click fix, just close hijackthis.

    6) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):


    Code:
    KILLALL::
    
    DRIVER::
    _111881690A7D
    
    FILE::
    C:\WINDOWS\system32\iifETkKd.dll
    C:\WINDOWS\BMe3529040.txt
    C:\WINDOWS\system32\_111881690A7D.sys
    
    FOLDER::
    C:\Documents and Settings\All Users\Application Data\MistikotitaTuIpologisti
    C:\Program Files\MistikotitaTuIpologisti
    C:\Program Files\Common Files\MistikotitaTuIpologisti
    C:\Program Files\E9App2008
    
    REGISTRY::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEBABA16-02E3-4654-A139-C841253CAB44}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MistikotitaTuIpologisti"=-
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    7) Now run CCleaner at the default setting with the Windows tab as the top one.

    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Avenger or Combofix log.


    Let me know how things are running now.

    abri
     
  5. felicekindness

    felicekindness Private E-2

    I attach the mbam log... I had forgotten it.
    The funny characters are files in Greek; I'll check them and see what they are about.
    Thanks for the immediate response
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi felicekindness,
    Were you able to go through the instructions in post 4?
    abri
     
  7. felicekindness

    felicekindness Private E-2

    Hi abri,
    I followed the instructions all right.
    Up to now there is no message coming from my antivir software.
    Thank you very much. This site was the first to provide me with useful info apart from formatting my fixed drives.
    Thanks again,
    AA
     
  8. abri

    abri MajorGeek

    Hi felicekindness,

    I'm glad things have been working better. Since we did have you remove malware entries it would be a good idea for you to go ahead with the last step in post 4 and attach the logs. I will be gone, so it will be several days before I can look at them. I suggest running that one scan on Monday or Tuesday and attaching the fresh MGlogs.zip along with the combofix log that was produced when you did the instructions in post 4. Please don't run combofix again unless I request it, as this will cover up the information from the log I need.

    If you do this early next week, this will enable me to make sure your computer is clean and then post the final cleanup instructions to you to get all of our tools and logs back out of your computer and have you set a clean restore point. Until I have a chance to make sure all the files got deleted, it's too early to tell you your computer is clean.

    Thanks.
    abri
     
  9. felicekindness

    felicekindness Private E-2

    I did everything just as you suggested... at least that's what I have in mind. I do not have any message from my software again up to now.
    Here are the logs... thanks again.
     

    Attached Files:

  10. abri

    abri MajorGeek

    Hi felicekindness,

    Okay, now a little bit of easy light reading LOL. Part of the instructions you did worked but the instructions I gave you for Combofix did not work, and it is very important for your computer that this works.

    Before I give you the instructions, I would like to explain what we are doing, because if you know what we're doing, the instructions will make more sense and you will find they are quite easy.

    You will see that the items in the code box below are bad and need to be removed from your computer. Just for your information, if you look at the following website, you can see that all of the entries related to MistikotitaTuIpologisti belong to a rogue antispyware program which got onto your computer. Rogue means that it creates false information like popups and other symptoms to tell you that your computer is infected to try to force you to buy their product to get rid of the symptoms. You can read about it here:

    http://www.bleepingcomputer.com/startups/MistikotitaTuIpologisti-21958.html

    Now, please read the following explanation carefully. It is only to give you some information about what we are trying to do.

    To begin with, you must have combofix.exe located on your desktop. I cannot find it in your logs, so I think it is not there. It will appear on your desktop as a red disk with a white X in the middle and if you renamed it as per the instructions it will be called cf.exe rather than combofix.exe. For now it doesn't matter whether it is named cf.exe or combofix.exe. You don't have to rename it.

    If you uninstalled it, please go to Using Combofix and reinstall it. Make sure it downloads to your desktop. If your browser takes it to a different location, you need to set the downloads setting in your browser (Internet Explorer or Firefox) to allow you to decide where things will be downloaded to, rather than things being downloaded to a default place like a downloads folder. You have to be the one to decide where it will download to. If it installs to Program Files and you put a link to the desktop, this is not correct. It needs to install onto the desktop.

    After you've installed Combofix (you do not have to change the name this time) then we will do the next step which is to create a Notepad file using the contents of the code box in this post. In the code box there's a lot of text which includes file names like C:\WINDOWS\BMe3529040.txt and commands like KILLALL::

    What I am going to have you do is to copy all of the contents of the code box and paste them into an empty Notepad window. To use Notepad go to Start / All Programs / Accessories / Notepad. Then copy all of the contents of the code box below and paste everything into the empty Notepad window. Then go to the top of Notepad and click on file and then on save. When you save it, you have to give it a certain name, and that name will be CFScript.txt. The location you have to save it to is the desktop which is where you need to have Combofix.exe. What matters is that the file you are creating called CFScript.txt and combofix.exe (or cf.exe) are in the same location. Otherwise the instructions won't work.

    Once you have combofix.exe on your desktop with the red disk and the white X and you also have the file on your desktop called CFScript.txt, I will ask you to point your mouse at the CFScript.txt icon and without letting go of the mouse button, pull that text on top of the red and white combofix.exe icon. This will cause combofix to run, but it will run in a different way than if you just double click on it. When combofix runs, it will look at the code you are giving it and it will act according to the instructions in the code.

    Okay, so now that you know what we are trying to do, I will give you the brief instructions again with the code box that you will be copying and pasting:


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    DRIVER::
    _111881690A7D
    
    FILE::
    C:\WINDOWS\system32\iifETkKd.dll
    C:\WINDOWS\BMe3529040.txt
    C:\WINDOWS\system32\_111881690A7D.sys
    C:\Program Files\MistikotitaTuIpologisti\GDC.exe
    
    DIRLOOK::
    C:\Program Files\E9App2008
    
    FOLDER::
    C:\Documents and Settings\All Users\Application Data\MistikotitaTuIpologisti
    C:\Program Files\MistikotitaTuIpologisti
    C:\Program Files\Common Files\MistikotitaTuIpologisti
    C:\Program Files\E9App2008
    
    REGISTRY::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEBABA16-02E3-4654-A139-C841253CAB44}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MistikotitaTuIpologisti"=-
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run CCleaner at the default setting with the Windows tab as the top one.

    Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the Combofix log.


    Let me know how things are running now.

    abri
     
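The CFScript in posts 4 and 10 is a small plain-text format: a `NAME::` header followed by entries, and a `.reg`-style REGISTRY section where `[-HKEY_...]` deletes a key and `"Name"=-` deletes a value under the last selected key. Post 12 shows the usual failure mode, ComboFix running a plain scan because the script never reached it. The following Python is an added example, not ComboFix's own code or anything from the thread: it parses such a script, lints it for the mistakes a helper would want to catch before it is dragged onto the executable, and checks that the real ComboFix.exe (not a shortcut) sits in the same folder. The set of section headers is taken from the script on this page; the entry grammar, the warning texts and the helper `combofix_next_to_script` are this example's own assumptions.

```python
import re

# Section headers seen in the CFScript posted in this thread (assumption: treat
# anything else as unknown rather than guessing what ComboFix accepts).
KNOWN_SECTIONS = {"KILLALL", "DRIVER", "FILE", "FOLDER", "DIRLOOK", "REGISTRY"}
SECTION_RE = re.compile(r"^([A-Z]+)::$")
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# .reg-style lines: "[-HKEY_...\Key]" deletes a key, "[HKEY_...\Key]" selects it,
# and '"Name"=-' under a selected key deletes that value.
REG_KEY_RE = re.compile(
    r"^\[(-?)(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_CLASSES_ROOT|HKEY_USERS)\\(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(-|"[^"]*")$')


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}, preserving header order.
    Raises ValueError for an unknown header or an entry before any header."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            if current not in KNOWN_SECTIONS:
                raise ValueError(f"unknown section header: {line}")
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line}")
        sections[current].append(line)
    return sections


def lint_cfscript(sections):
    """Return a list of warnings; an empty list means the script is well-formed."""
    warnings = []
    for entry in sections.get("KILLALL", []):
        warnings.append(f"KILLALL:: takes no entries, found: {entry}")
    for entry in sections.get("DRIVER", []):
        # DRIVER:: names a service (as in the thread), not the .sys file path.
        if "\\" in entry or entry.lower().endswith(".sys"):
            warnings.append(f"DRIVER:: expects a service name, not a path: {entry}")
    for name in ("FILE", "FOLDER", "DIRLOOK"):
        for entry in sections.get(name, []):
            if not WIN_PATH_RE.match(entry):
                warnings.append(f"{name}:: entry is not an absolute Windows path: {entry}")
    current_key = None
    for entry in sections.get("REGISTRY", []):
        if REG_KEY_RE.match(entry):
            current_key = entry
        elif REG_VALUE_RE.match(entry):
            if current_key is None:
                warnings.append(f"REGISTRY:: value without a preceding key: {entry}")
            elif current_key.startswith("[-"):
                warnings.append(f"REGISTRY:: value listed under a key already deleted: {entry}")
        else:
            warnings.append(f"REGISTRY:: unrecognised line: {entry}")
    return warnings


def combofix_next_to_script(folder_entries, exe_names=("ComboFix.exe", "cf.exe")):
    """True when the executable itself (not a .lnk shortcut) shares the script's folder.
    Pass the file names of the folder holding CFScript.txt, e.g. os.listdir(desktop).
    Hypothetical helper written for this example."""
    names = {n.lower() for n in folder_entries}
    return any(exe.lower() in names for exe in exe_names)


# Sample input: the script from post 10 of this thread, embedded verbatim.
SAMPLE_SCRIPT = r"""
KILLALL::

DRIVER::
_111881690A7D

FILE::
C:\WINDOWS\system32\iifETkKd.dll
C:\WINDOWS\BMe3529040.txt
C:\WINDOWS\system32\_111881690A7D.sys
C:\Program Files\MistikotitaTuIpologisti\GDC.exe

DIRLOOK::
C:\Program Files\E9App2008

FOLDER::
C:\Documents and Settings\All Users\Application Data\MistikotitaTuIpologisti
C:\Program Files\MistikotitaTuIpologisti
C:\Program Files\Common Files\MistikotitaTuIpologisti
C:\Program Files\E9App2008

REGISTRY::
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DEBABA16-02E3-4654-A139-C841253CAB44}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MistikotitaTuIpologisti"=-
"""

if __name__ == "__main__":
    secs = parse_cfscript(SAMPLE_SCRIPT)
    for name, entries in secs.items():
        print(f"{name}:: {len(entries)} entries")
    for w in lint_cfscript(secs):
        print("WARNING:", w)
    # A desktop holding only a shortcut would fail this check, which matches
    # post 10's point that a link to Program Files is not good enough.
    print("cf.exe beside script:", combofix_next_to_script(["CFScript.txt", "cf.exe"]))
```

Run it as-is to lint the thread's script (it should produce no warnings); to lint a different script, read the file and pass its text to `parse_cfscript`. A lint pass like this catches the malformed cases (a bare file name under `FILE::`, a value line with no key, a stray entry under `KILLALL::`), but it cannot tell you whether a path belongs to malware; that judgement still comes from the logs.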
  11. felicekindness

    felicekindness Private E-2

    I have done all the reading and here are the logs. Waiting for further info...
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi felicekindness,
    I need to understand what you are doing, because combofix is simply running a scan. It's not taking the instructions you are giving it and deleting the files you are asking it to delete. Please describe to me what you are doing.
    Thanks.
    abri
     
