TR/Crypt.ZPACK.Gen

Discussion in 'Malware Help (A Specialist Will Reply)' started by tommyv, Dec 25, 2010.

  1. tommyv

    tommyv Private E-2

    Hello!

    I was browsing a website today on my netbook (Windows XP SP3) and my anti-virus software (Avira) generated a pop-up saying it found an infection TR/Crypt.ZPACK.Gen. This was followed by changes to my desktop:

    There is a "window" (more like an image embedded on top of my desktop) stating that my system is infected and that I need spyware removal tools and my wallpaper has been removed. The Avira messages do not stop and detect the same infection in a few different files (the messages refer to the same few files; a few are .dll and a few are another file type that I cannot recall).
    There was also a new "AntiMalware Doctor" shortcut on the desktop and a new "Antivirus 2010" in Add/Remove Programs (which was not in the Malware Removal List but I did unsuccessfully try to remove it using instructions at another website, the problem being that Malwarebytes' Anti-Malware quits, which was also encountered during the Read & Run Me procedure as described below). My browser has also been hijacked.

    I went through the Read & Run Me but was only able to run RootRepeal and MGtools successfully. The other tools could not complete scans:

    SuperAntiSpyware had to be run from Alternate Start, and quits when scan reaches ~5000 items into Registry Scan. There are no log files. Prior to closing, it detects the following:
    Threat Description                        Detected Items
    Trojan.Dropper/SVCHost-Fake               2
    Trojan.Agent/Gen-SSHNas(FakeAlert)        2
    Trojan.Agent/Gen-FakeDrop                 2
    Trojan.Agent/Gen-FakeAlert                2
    Trojan.Agent/FrauderX                     4
    Trojan.Agent/Gen-FakeSoft                 2

    Malwarebytes' Anti-Malware quits 4 seconds into the Quick Scan while "Enumerating registry objects prior to scan." There are no log files. Attempting to re-open mbam.exe results in the message saying "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." I used "cacls" from the command prompt to reset the permissions and was able to open it, but re-scanning again causes the same quitting and loss of permissions.

    Upon opening Combofix, the "Combofix loading" progress bar fills and then nothing further occurs (the application quits). There is no log file.

    I tried to go through the sequence again after using RKill but there was no change in the functioning of SuperAntiSpyware, MBAM and Combofix.


    I would love some help.
    Thanks!
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach the logs that you were able to get.
     
  3. tommyv

    tommyv Private E-2

    Hi TimW

    I've attached the logs. I know that I uploaded them last time but they didn't show up for some reason.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you not get a prompt to run HJT? It is not in your logs. We will address that in a minute.

    Please use add/remove programs to uninstall:
    Antivirus 2010

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run Ccleaner to clean out only temp files and nothing else!

    Now see if you can run the other scans ( SAS, MBAM, ComboFix).

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). ( Make the agreement to run HJT when it pops up. )

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
    Last edited: Dec 25, 2010
  5. tommyv

    tommyv Private E-2

    I believe HJT did run, I received the license agreement and clicked on "I Accept."
    I did receive a success message after merging fixME.reg

    After Avenger and reboot, my desktop appears to be restored, but I received two messages:
    1) Error loading C:\WINDOWS\hap3dhs.dll The specified module could not be found.
    2) Error loading C:\WINDOWS\ocazaqawicozi.dll The specified module could not be found.

    and my antivirus detects TR/Sirefef.F in shsvcs.dll.

    After disabling my antivirus software:
    SAS still quit once reaching ~5000 entries into the registry scan, but fewer total threats were detected (14 previously, 4 this time)
    MBAM still quits while "Enumerating registry objects prior to scan," with the same subsequent loss of permissions.
    ComboFix still quits after the desktop refreshes and the loading bar fills.

    MGtools ran, but there was no agreement this time (there was an agreement the previous time that I ran it).
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's do it again.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now go to C:\MGTools\analyse.exe and double click it. This should produce the HJT log.

    See if you can now run SAS, MBAM, and Combo.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip
     
    Last edited: Dec 25, 2010
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As stated in the instructions, you must click on Accept twice to get it to actually accept. It appears that you did not do this since HijackThis is not registered in Add/Remove Programs yet.
     
  8. tommyv

    tommyv Private E-2

    I pasted the quoted text into Avenger and after clicking Execute, an error message came up:

    "Error: Invalid registry syntax in command:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run|Htoxuyasezaxijoy
    Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
    Skipping line. (Registry value deletion mode)"

    After reconfirming that I wish to execute the script, another error message:

    "Error: Invalid syntax in command:
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run Eyobekawepazuc
    Skipping line. (Registry value deletion mode)"

    After a restart, the same missing dll errors come up but my antivirus did not detect the malware as it did previously.

    Double-clicking analyse.exe caused an insufficient permissions error. I reset permissions using cacls in the command prompt. Running analyse.exe again, the program window opened and I clicked "scan and save a log file".

    SAS again quits while scanning the registry. Only 2 threats are detected this time (4 previously).
    MBAM quits a few seconds into the scan.
    Combofix still quits after loading.


    With respect to chaslang's comment, I clicked I Accept once and then the window disappeared.
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download OTM by Old Timer and save it to your Desktop.




    Code:
    :Processes
    explorer.exe
    
    :Files
    C:\WINDOWS\hap3dhs.dll
    C:\WINDOWS\ocazaqawicozi.dll
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Htoxuyasezaxijoy"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "Eyobekawepazuc"=-
    
    :Commands
    [purity]
    [ResetHosts]
    [createrestorepoint]
    [emptytemp]
    [start explorer]
    [Reboot]

    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large Move It button (shown as an image in the original post).
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.


    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.
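    As an added illustration (not part of the thread, and not OTM's or Avenger's own code): a small Python parser for the OTM-style script posted above, which also lists the registry deletions a tool restricted to HKEY_LOCAL_MACHINE (the limit Avenger reported in post 8) would skip. The section and line syntax it assumes is taken only from the script as posted.

```python
import re

# Constructed sample: the OTM script from the thread above, reproduced as a
# Python string (assumed format: ':Section' headers, '[KEY]' lines and
# '"name"=-' deletion lines, as used in the posted script).
OTM_SCRIPT = """:Processes
explorer.exe
:Files
C:\\WINDOWS\\hap3dhs.dll
C:\\WINDOWS\\ocazaqawicozi.dll
:Reg
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"Htoxuyasezaxijoy"=-

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentVersion\\Run]
"Eyobekawepazuc"=-
:Commands
[purity]
[emptytemp]
[Reboot]
"""

def parse_otm_script(text):
    """Split an OTM-style script into processes, files, registry deletions and commands."""
    plan = {"processes": [], "files": [], "reg": [], "commands": []}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):          # ':Processes', ':Files', ':Reg', ':Commands'
            section, key = line[1:].lower(), None
        elif section in ("processes", "files"):
            plan[section].append(line)
        elif section == "reg":
            if line.startswith("[") and line.endswith("]"):
                key = line[1:-1]          # registry key the following lines apply to
            else:
                m = re.match(r'^"([^"]+)"=(.*)$', line)
                if m and key:             # '"name"=-' means delete the value
                    action = "delete" if m.group(2) == "-" else "set"
                    plan["reg"].append((key, m.group(1), action))
        elif section == "commands":
            plan["commands"].append(line.strip("[]").lower())
    return plan

def outside_hklm(plan):
    """Registry entries a tool limited to HKEY_LOCAL_MACHINE (as Avenger reported) would skip."""
    return [(k, v) for k, v, _ in plan["reg"] if not k.upper().startswith("HKEY_LOCAL_MACHINE")]
```

Reviewing a removal script this way before running it shows exactly which autorun values and files it will touch, and which entries need a different tool.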
     
  10. tommyv

    tommyv Private E-2

    I right-clicked otm.exe and there was no "Run as administrator," only "Run as." I suppose this is because my account is an administrator account (I'll have to change this for the future!). I ran it by clicking "Open".

    After clicking Move It, the program quit and running it again causes an insufficient permissions warning.

    Thanks for your help, I really appreciate it.
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  12. tommyv

    tommyv Private E-2

    There was a success message after merging fixME.reg

    After rebooting, there were no missing dll messages.
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We may have finally gotten a hand on it. Can you run the other scans yet?
     
  14. tommyv

    tommyv Private E-2

    Hey Tim

    SAS, MBAM and ComboFix scans cannot be done, and SAS still detects 2 threats prior to quitting.
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What is it finding?
     
  16. tommyv

    tommyv Private E-2

    SAS is finding:

    Trojan.Dropper/SVCHost-Fake
    with Detected Items: 2
    One is under Memory Items and one is under File Items (0 under Registry Items)
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I need more specific info, but let's try this:

    Copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.
     
  18. tommyv

    tommyv Private E-2

    The merge was successful.
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I really wish we could get Combo to run. However, let's have you do an online scan:
    eSet Online Scan.

    I am about to log off for the evening, so I will check the log tomorrow. I don't want to give you the final fix until we are sure all traces are gone.

    Hope you are having a happy holiday!! ;)
     
  20. tommyv

    tommyv Private E-2

    I will not let this ruin my holiday mood :)

    See you tomorrow Tim!
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    LOL....you shouldn't let it ruin anything, esp. not your holiday mood!! ;)

    You are virtually clean, we just need to make sure. I am confident we will have you in good order very soon. Have a good night and see you tomorrow!
     
  22. tommyv

    tommyv Private E-2

    I was impulsive this morning and did a reformat and reinstall. I attached the eSET log in case you were curious!
     

    Attached Files:

  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Since you did a reformat and clean install, it would have wiped any remaining malware from your system.

    I hope all is working well now. :)
     
