Alvira quarantined TR/Crypt.XPACK.Gen2 help

View previous topic View next topic Go down

Alvira quarantined TR/Crypt.XPACK.Gen2 help

Post by Vendetta on 1st January 2011, 3:28 am

First, the computer I am on is a Windows XP Professional Version 2002 service pack 3

I realized my husband did not have any virus program on the computer he is currently using. After installing the free version of avira antivirus and running a full scan, it quarantined three files:
Alvira Report:
Beginning disinfection:
C:\Documents and Settings\george\My Documents\Downloads\movie.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4704d171.qua'.
C:\Documents and Settings\george\My Documents\Downloads\movie(3).exe
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '5f93fed7.qua'.
C:\Documents and Settings\george\My Documents\Downloads\movie(2).exe
[DETECTION] Is the TR/Crypt.XPACK.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '0dcca43f.qua'.

I downloaded the OTL link posted by Belhazur in another post and ran it:

OTL logfile created on: 12/31/2010 8:23:17 PM - Run 1
OTL by OldTimer - Version 3.2.18.2 Folder = C:\Documents and Settings\george\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 62.94 Gb Free Space | 84.46% Space Free | Partition Type: NTFS

Computer Name: GEORGE-TABLET | User Name: george | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2010/12/31 20:07:53 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\george\Desktop\OTL(2).exe
PRC - [2010/12/13 08:40:07 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/12/13 08:39:54 | 000,281,768 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/12/13 08:39:54 | 000,267,944 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/01/14 21:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/01/12 09:54:02 | 000,669,520 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Epson Software\Event Manager\EEventManager.exe
PRC - [2008/11/19 23:00:00 | 000,199,680 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIFIA.EXE
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/03/18 16:27:12 | 000,013,312 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\agrsmsvc.exe
PRC - [2007/07/24 08:22:02 | 000,185,624 | ---- | M] (Infineon Technologies AG) -- C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
PRC - [2007/07/24 08:21:48 | 000,140,568 | ---- | M] (Infineon Technologies AG) -- C:\WINDOWS\system32\IfxPsdSv.exe
PRC - [2007/02/07 01:30:00 | 000,065,536 | R--- | M] (Cognizance Corporation) -- C:\Program Files\Hewlett-Packard\IAM\Bin\asghost.exe
PRC - [2007/01/09 15:52:32 | 000,145,184 | ---- | M] (Hewlett-Packard Development Company, L.P.) -- C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
PRC - [2007/01/05 22:36:48 | 000,872,448 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe
PRC - [2006/12/19 18:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe
PRC - [2006/05/02 16:28:48 | 000,135,168 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient Mini\accoca.exe
PRC - [2006/04/20 18:39:24 | 000,176,128 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient Mini\accrdsub.exe
PRC - [2006/04/12 16:43:38 | 000,081,920 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient Mini\acachsrv.exe
PRC - [2006/04/10 17:56:36 | 000,081,920 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient Mini\acevents.exe
PRC - [2006/01/16 22:01:46 | 000,053,248 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\accelerometerST.exe
PRC - [2005/10/12 12:30:42 | 000,139,264 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2005/10/12 12:30:24 | 000,086,140 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe


========== Modules (SafeList) ==========

MOD - [2010/12/31 20:07:53 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\george\Desktop\OTL(2).exe
MOD - [2010/08/23 10:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2007/02/26 03:49:00 | 000,070,144 | R--- | M] (Bioscrypt Inc.) -- C:\WINDOWS\system32\APSHook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- C:\WINDOWS\System32\hidserv.dll -- (HidServ)
SRV - [2010/12/13 08:40:07 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2010/12/13 08:39:54 | 000,267,944 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/10/16 00:40:40 | 000,037,664 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/02/19 20:34:49 | 000,155,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\imapihp.exe -- (ImapiService)
SRV - [2008/03/18 16:27:12 | 000,013,312 | ---- | M] (Agere Systems) [Auto | Running] -- C:\WINDOWS\system32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2007/07/24 08:21:48 | 000,140,568 | ---- | M] (Infineon Technologies AG) [Auto | Running] -- C:\WINDOWS\system32\IfxPsdSv.exe -- (PersonalSecureDriveService)
SRV - [2007/06/08 09:06:42 | 000,172,131 | R--- | M] (Hewlett-Packard Ltd) [On_Demand | Stopped] -- C:\WINDOWS\system32\flcdlock.exe -- (FLCDLOCK)
SRV - [2007/02/07 01:30:00 | 000,074,240 | R--- | M] (Cognizance Corporation) [Auto | Running] -- C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll -- (ASBroker)
SRV - [2006/12/19 18:23:20 | 000,094,208 | ---- | M] (SEIKO EPSON CORPORATION) [Auto | Running] -- C:\Program Files\Common Files\EPSON\EBAPI\eEBSvc.exe -- (EpsonBidirectionalService)
SRV - [2006/06/22 05:14:00 | 000,131,584 | R--- | M] (Cognizance Corporation) [Auto | Running] -- C:\Program Files\Hewlett-Packard\IAM\Bin\ASChnl.dll -- (ASChannel)
SRV - [2006/05/02 16:28:48 | 000,135,168 | ---- | M] (ActivIdentity) [Auto | Running] -- C:\Program Files\ActivIdentity\ActivClient Mini\accoca.exe -- (accoca)
SRV - [2006/04/12 16:43:38 | 000,081,920 | ---- | M] (ActivIdentity) [Auto | Running] -- C:\Program Files\ActivIdentity\ActivClient Mini\acachsrv.exe -- (acachsrv)
SRV - [2005/10/12 12:30:24 | 000,086,140 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe -- (IAANTMon) Intel(R)


========== Driver Services (SafeList) ==========

DRV - [2010/12/13 08:40:21 | 000,135,096 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/12/13 08:40:21 | 000,061,960 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2010/06/17 14:27:22 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/06/17 14:27:12 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/04/28 15:22:10 | 000,009,344 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2008/04/13 10:36:05 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/03/13 03:25:36 | 002,530,176 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel(R)
DRV - [2008/02/15 14:12:06 | 005,854,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)
DRV - [2008/01/18 10:49:24 | 000,220,640 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2007/12/14 09:21:56 | 000,290,816 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
DRV - [2007/10/01 18:27:40 | 000,281,600 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ADIHdAud.sys -- (ADIHdAudAddService)
DRV - [2007/08/28 15:47:36 | 000,146,560 | ---- | M] (AuthenTec, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\atswpdrv.sys -- (ATSWPDRV) AuthenTec TruePrint USB Driver (SwipeSensor)
DRV - [2007/07/24 08:21:52 | 000,038,816 | ---- | M] (Infineon Technologies AG) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\psd.sys -- (PersonalSecureDrive)
DRV - [2007/07/24 08:21:46 | 000,041,216 | ---- | M] (Infineon Technologies AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ifxtpm.sys -- (IFXTPM)
DRV - [2007/06/18 17:12:04 | 000,016,768 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2007/06/08 08:49:46 | 000,030,008 | R--- | M] (Hewlett-Packard Development Company L.P.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DAMDrv.sys -- (DAMDrv)
DRV - [2007/05/09 13:27:00 | 000,097,280 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\gtipci21.sys -- (GTIPCI21)
DRV - [2007/01/22 14:09:38 | 000,034,736 | ---- | M] (Wacom Technology) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wisdpen.sys -- (wisdpen)
DRV - [2006/08/28 14:40:48 | 001,160,320 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/01/10 01:00:04 | 000,022,016 | ---- | M] (Hewlett-Packard Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Accelerometer.sys -- (Accelerometer)
DRV - [2006/01/10 01:00:04 | 000,017,920 | ---- | M] (Hewlett-Packard Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\hpdskflt.sys -- (hpdskflt)
DRV - [2005/10/26 10:01:02 | 000,142,720 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2005/10/12 12:07:12 | 000,874,240 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\iaStor.sys -- (iaStor)
DRV - [2001/08/17 06:10:28 | 000,035,913 | ---- | M] (SMC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smcirda.sys -- (SMCIRDA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = ;*.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Google"
FF - prefs.js..browser.startup.homepage: "http://www.google.com/"
FF - prefs.js..keyword.URL: "http://www.google.com/search?sourceid=navclient&hl=en&q="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/12/12 21:43:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.13\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/12/12 21:43:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/11/18 20:25:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.0.1\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2010/02/19 20:20:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\george\Application Data\Mozilla\Extensions
[2010/02/19 20:20:52 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\george\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2010/12/31 08:36:56 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\george\Application Data\Mozilla\Firefox\Profiles\3v5pqqne.default\extensions
[2010/12/23 20:46:56 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\george\Application Data\Mozilla\Firefox\Profiles\3v5pqqne.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/02/19 19:43:20 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: ([2006/02/28 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Credential Manager for HP ProtectTools) - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll (Bioscrypt Inc.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AccelerometerSysTrayApplet] C:\WINDOWS\system32\accelerometerST.exe (Hewlett-Packard Corporation)
O4 - HKLM..\Run: [accrdsub] C:\Program Files\ActivIdentity\ActivClient Mini\accrdsub.exe (ActivIdentity)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CognizanceTS] C:\Program Files\Hewlett-Packard\IAM\Bin\ASTSVCC.dll (Cognizance Corporation)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\Cpqset.exe ()
O4 - HKLM..\Run: [EEventManager] C:\Program Files\Epson Software\Event Manager\EEventManager.exe (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
O4 - HKLM..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE (Hewlett-Packard Development Company, L.P.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKCU..\Run: [Epson Stylus NX510(Network)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIFIA.EXE (SEIKO EPSON CORPORATION)
O4 - Startup: C:\Documents and Settings\george\Start Menu\Programs\Startup\Epson all-in-one Registration.lnk = D:\Common\EpsonReg\EpsonReg.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.1
O20 - AppInit_DLLs: (APSHook.dll) - C:\WINDOWS\System32\APSHook.dll (Bioscrypt Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\ackpbsc: DllName - C:\Program Files\ActivIdentity\ActivClient Mini\ackpbsc.dll - C:\Program Files\ActivIdentity\ActivClient Mini\ackpbsc.dll (ActivIdentity)
O20 - Winlogon\Notify\acunlock: DllName - C:\Program Files\ActivIdentity\ActivClient Mini\acunlock.dll - C:\Program Files\ActivIdentity\ActivClient Mini\acunlock.dll (ActivIdentity)
O20 - Winlogon\Notify\DeviceNP: DllName - DeviceNP.dll - C:\WINDOWS\System32\DeviceNP.dll (Hewlett-Packard Limited)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O20 - Winlogon\Notify\OneCard: DllName - C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll - C:\Program Files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll (Cognizance Corporation)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/02/19 19:29:13 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/12/31 20:07:52 | 000,602,624 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\george\Desktop\OTL(2).exe
[2010/12/31 17:56:17 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/12/31 17:47:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\george\Application Data\Avira
[2010/12/31 17:46:51 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/12/31 17:46:50 | 000,135,096 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/12/31 17:46:50 | 000,061,960 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/12/31 17:46:50 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/12/31 17:46:50 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/12/31 17:46:49 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/12/31 17:46:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/12/23 20:46:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\george\Local Settings\Application Data\Google
[2010/12/23 20:46:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2010/12/15 08:36:48 | 000,040,960 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ndproxy.sys
[2010/12/15 08:36:32 | 000,045,568 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wab.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/12/31 20:07:53 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\george\Desktop\OTL(2).exe
[2010/12/31 18:47:31 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/12/31 18:47:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/12/31 18:47:10 | 2138,492,928 | -HS- | M] () -- C:\hiberfil.sys
[2010/12/31 17:47:00 | 000,001,707 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/12/16 19:31:13 | 000,312,172 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/12/16 19:31:13 | 000,040,394 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/12/16 19:08:51 | 000,110,992 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/12/16 18:12:11 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/12/13 08:40:21 | 000,135,096 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/12/13 08:40:21 | 000,061,960 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/12/31 17:47:00 | 000,001,707 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avira AntiVir Control Center.lnk
[2010/11/20 22:10:48 | 000,000,000 | ---- | C] () -- C:\WINDOWS\EEventManager.INI
[2010/11/19 11:58:23 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2010/11/19 11:51:28 | 000,000,079 | ---- | C] () -- C:\WINDOWS\EPNX510.ini
[2010/10/27 13:15:32 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2010/02/19 20:46:25 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\george\Local Settings\Application Data\QSwitch.txt
[2010/02/19 20:46:25 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\george\Local Settings\Application Data\DSwitch.txt
[2010/02/19 20:46:25 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\george\Local Settings\Application Data\AtStart.txt
[2010/02/19 20:30:41 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\std201mt.dll
[2010/02/19 20:24:00 | 000,000,057 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2010/02/19 19:42:50 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4926.dll
[2010/02/19 09:23:17 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2007/06/08 09:05:38 | 000,274,432 | ---- | C] () -- C:\WINDOWS\System32\flcdlmsg.dll
[2007/01/31 16:02:14 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[1998/05/07 02:10:00 | 000,069,632 | R--- | C] () -- C:\WINDOWS\System32\ODMA32.dll

< End of report >

OTL Extras logfile created on: 12/31/2010 8:23:17 PM - Run 1
OTL by OldTimer - Version 3.2.18.2 Folder = C:\Documents and Settings\george\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 73.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 62.94 Gb Free Space | 84.46% Space Free | Partition Type: NTFS

Computer Name: GEORGE-TABLET | User Name: george | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]

[HKEY_CURRENT_USER\SOFTWARE\Classes\]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Epson Software\Event Manager\EEventManager.exe" = C:\Program Files\Epson Software\Event Manager\EEventManager.exe:*:Enabled:EEventManager.exe -- (SEIKO EPSON CORPORATION)
"C:\Program Files\EpsonNet\EpsonNet Setup\tool09\ENEasyApp.exe" = C:\Program Files\EpsonNet\EpsonNet Setup\tool09\ENEasyApp.exe:*:Enabled:EpsonNet Setup -- (SEIKO EPSON CORPORATION)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0515803B-5068-4599-8666-963E143C7381}" = HP Smart Card Security for ProtectTools 5.00 D4
"{075473F5-846A-448B-BCB3-104AA1760205}" = Sonic Data Module
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{2A981294-F14C-4F0F-9627-D793270922F8}" = Bonjour
"{2DB165DC-DDB4-403F-B985-19F3EC7D0357}" = HP ProtectTools Security Manager
"{308B6AEA-DE50-4666-996D-0FA461719D6B}" = Apple Mobile Device Support
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 H2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3E31400D-274E-4647-916C-2CACC3741799}" = EpsonNet Print
"{48F22622-1CC2-4A83-9C1E-644DD96F832D}" = Epson Event Manager
"{55B52830-024A-443E-AF61-61E1E71AFA1B}" = Device Access Manager for HP ProtectTools
"{75ECB75A-522C-4312-8DE7-597CDA9D96A3}" = HP Mobile Data Protection System
"{767B964C-D9B4-422D-802B-F7ACBE2D310A}" = TIPCI
"{7B73C666-BEFF-4F97-997A-9F995A4C0879}" = Embedded Security for HP ProtectTools
"{7F362F06-A9A3-440F-8B19-6A01A72723C4}" = AuthenTec Fingerprint Sensor Minimum Install
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel Matrix Storage Manager
"{97CDE011-0EE1-424F-A60F-6BBADC337C17}" = ActivClient Mini
"{A5CE7175-080D-49AC-B5A3-E7E3502428F5}" = HP Wireless Assistant
"{AE052EF7-2640-48D7-8915-69B810D975CB}" = HP BIOS Configuration for ProtectTools 2.00 D1
"{B7F54262-AB66-44B3-88BF-9FC69941B643}" = Broadcom NetXtreme Ethernet Controller
"{BE41F3D2-FC73-4C3E-A2C2-5D2B08A5B2D0}" = Credential Manager for HP ProtectTools
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{C97DE62E-31E2-4146-AD23-4C6B0C028BCE}" = HP Java Card Security for ProtectTools 1.00 B4
"{E7004147-2CCA-431C-AA05-2AB166B9785D}" = QuickTime
"{EE6097DD-05F4-4178-9719-D3170BF098E8}" = Apple Application Support
"{FAE36873-1941-4076-A9A5-48812B5EA0B7}" = iTunes
"{FFFAE01B-466F-4C07-9821-A94FD753BDDA}" = EpsonNet Setup
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Agere Systems Soft Modem" = Agere Systems HDA Modem
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"EPSON NX510 Series" = EPSON NX510 Series Printer Uninstall
"EPSON Scanner" = EPSON Scan
"HDMI" = Intel(R) Graphics Media Accelerator Driver
"ie8" = Windows Internet Explorer 8
"InstallShield_{767B964C-D9B4-422D-802B-F7ACBE2D310A}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"Mozilla Firefox (3.6.13)" = Mozilla Firefox (3.6.13)
"Mozilla Thunderbird (3.0.1)" = Mozilla Thunderbird (3.0.1)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"WacomPenabled" = Wacom Pen Driver 2.7
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 12/31/2010 10:54:18 AM | Computer Name = GEORGE-TABLET | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 4546

Error - 12/31/2010 10:54:18 AM | Computer Name = GEORGE-TABLET | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 4546

Error - 12/31/2010 10:54:20 AM | Computer Name = GEORGE-TABLET | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 12/31/2010 4:36:42 PM | Computer Name = GEORGE-TABLET | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 6515

Error - 12/31/2010 4:36:42 PM | Computer Name = GEORGE-TABLET | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 6515

Error - 12/31/2010 5:05:18 PM | Computer Name = GEORGE-TABLET | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: Continuously busy for more than a second

Error - 12/31/2010 5:05:18 PM | Computer Name = GEORGE-TABLET | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledEvent 8985

Error - 12/31/2010 5:05:18 PM | Computer Name = GEORGE-TABLET | Source = Bonjour Service | ID = 100
Description = Task Scheduling Error: m->NextScheduledSPRetry 8985

Error - 12/31/2010 7:47:41 PM | Computer Name = GEORGE-TABLET | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This operation returned because the timeout period expired.

Error - 12/31/2010 8:48:04 PM | Computer Name = GEORGE-TABLET | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from:
with error: This operation returned because the timeout period expired.

[ Credential Manager Events ]
Error - 3/14/2010 7:37:44 PM | Computer Name = GEORGE-TABLET | Source = AuthWiz | ID = 100796068
Description = The submitted credentials were rejected. User: george@GEORGE-TABLET
Credentials:
Password Error: (0xC516020B) The system could not log you on. Verify your user
name and domain are correct and then type your password again. Letters in passwords
must be typed using the correct case. Verify that Caps Lock is off.

Error - 10/27/2010 3:21:20 PM | Computer Name = GEORGE-TABLET | Source = AuthWiz | ID = 100796068
Description = The submitted credentials were rejected. User: george@GEORGE-TABLET
Credentials:
Password Error: (0xC516020B) The system could not log you on. Verify your user
name and domain are correct and then type your password again. Letters in passwords
must be typed using the correct case. Verify that Caps Lock is off.

Error - 10/27/2010 3:22:43 PM | Computer Name = GEORGE-TABLET | Source = AuthWiz | ID = 100796068
Description = The submitted credentials were rejected. User: george@GEORGE-TABLET
Credentials:
Password Error: (0xC516020B) The system could not log you on. Verify your user
name and domain are correct and then type your password again. Letters in passwords
must be typed using the correct case. Verify that Caps Lock is off.

[ System Events ]
Error - 11/18/2010 10:48:23 PM | Computer Name = GEORGE-TABLET | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 11/18/2010 10:48:36 PM | Computer Name = GEORGE-TABLET | Source = Cdrom | ID = 262151
Description = The device, \Device\CdRom0, has a bad block.

Error - 11/18/2010 10:49:10 PM | Computer Name = GEORGE-TABLET | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 11/18/2010 10:49:10 PM | Computer Name = GEORGE-TABLET | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 11/18/2010 10:49:10 PM | Computer Name = GEORGE-TABLET | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 11/18/2010 10:49:10 PM | Computer Name = GEORGE-TABLET | Source = Cdrom | ID = 262155
Description = The driver detected a controller error on \Device\CdRom0.

Error - 11/20/2010 1:32:37 AM | Computer Name = GEORGE-TABLET | Source = Dhcp | ID = 1002
Description = The IP address lease 10.0.0.3 for the Network Card with network address
001CBF07E5F9 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a
DHCPNACK message).

Error - 11/21/2010 4:05:12 PM | Computer Name = GEORGE-TABLET | Source = Print | ID = 54
Description = Document Document was corrupted and has been deleted. The associated
driver is: EPSON NX510 Series.

Error - 12/13/2010 8:24:37 AM | Computer Name = GEORGE-TABLET | Source = Dhcp | ID = 1002
Description = The IP address lease 10.0.0.8 for the Network Card with network address
001CBF07E5F9 has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a
DHCPNACK message).

Error - 12/13/2010 8:24:40 AM | Computer Name = GEORGE-TABLET | Source = Dhcp | ID = 1001
Description = Your computer was not assigned an address from the network (by the
DHCP Server) for the Network Card with network address 001CBF07E5F9. The following
error occurred: %%1223. Your computer will continue to try and obtain an address
on its own from the network address (DHCP) server.


< End of report >

Please help with removal.

EDIT; I am sure everyone is partying, so I will check back in 12 plus hours. Hopefully the man won't cause any more trouble to his computer in the meantime, lol.

Vendetta
Novice
Novice

Posts Posts : 24
Joined Joined : 2010-04-19
Gender Gender : Female
OS OS : Windows Vista Home Premium
Points Points : 24431
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Alvira quarantined TR/Crypt.XPACK.Gen2 help

Post by Sneakyone on 1st January 2011, 11:53 pm

Hi,

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = ;*.local
    O4 - HKLM..\Run: [] File not found
    O4 - Startup: C:\Documents and Settings\george\Start Menu\Programs\Startup\Epson all-in-one Registration.lnk = D:\Common\EpsonReg\EpsonReg.exe File not found



    :commands
    [emptytemp]
    [resethosts]


  • Return to OTL.exe, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

=================

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


I'm livin' life in the fast lane.

Sneakyone
Master
Master

Posts Posts : 2707
Joined Joined : 2010-01-10
Gender Gender : Male
OS OS : Windows 7 Ultimate 64-bit
Protection Protection : Avast, Comodo Firewall, and Malwarebytes' Anti-Malware
Points Points : 56114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Alvira quarantined TR/Crypt.XPACK.Gen2 help

Post by Vendetta on 5th January 2011, 4:25 am

After the custom scan step it required rebooting. This is the notepad that came up upon reboot:
All processes killed
========== OTL ==========
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ deleted successfully.
C:\Documents and Settings\george\Start Menu\Programs\Startup\Epson all-in-one Registration.lnk moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: george
->Temp folder emptied: 20574509 bytes
->Temporary Internet Files folder emptied: 127379093 bytes
->FireFox cache emptied: 99848764 bytes
->Flash cache emptied: 25820 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 571731 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2176856 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 48918 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 360110 bytes

Total Files Cleaned = 239.00 mb

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.18.2 log created on 01042011_221257

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Now onto the next step.
PS, since Belhazur calls you a log hog, you could always try a RickRoll on him. He definitely needs that, (says one of his former Rickroll victims).

Vendetta
Novice
Novice

Posts Posts : 24
Joined Joined : 2010-04-19
Gender Gender : Female
OS OS : Windows Vista Home Premium
Points Points : 24431
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Alvira quarantined TR/Crypt.XPACK.Gen2 help

Post by Vendetta on 5th January 2011, 5:52 am

ComboFix 11-01-04.04 - george 01/04/2011 23:43:21.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1632 [GMT -6:00]
Running from: c:\documents and settings\george\desktop\commy.exe
Command switches used :: /stepdel
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\arp.exe
c:\windows\system32\SCardSvr.exe

.
((((((((((((((((((((((((( Files Created from 2010-12-05 to 2011-01-05 )))))))))))))))))))))))))))))))
.

2011-01-05 04:12 . 2011-01-05 04:12 -------- d-----w- C:\_OTL
2011-01-03 20:31 . 2008-04-13 18:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-01-03 20:31 . 2008-04-13 18:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2010-12-31 23:56 . 2010-12-31 23:56 -------- d-----w- c:\windows\system32\NtmsData
2010-12-31 23:46 . 2010-12-13 14:40 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-12-31 23:46 . 2010-12-13 14:40 135096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-12-31 23:46 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-12-31 23:46 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-12-31 23:46 . 2010-12-31 23:46 -------- d-----w- c:\program files\Avira
2010-12-31 23:46 . 2010-12-31 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-12-15 14:36 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 14:36 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2010-02-20 01:27 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2006-02-28 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2006-02-28 12:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-07 18:23 . 2010-10-07 18:23 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 18:23 . 2010-10-07 18:23 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 18:23 . 2010-10-07 18:23 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 18:23 . 2010-10-07 18:23 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-02-28 12:00 . 2008-04-14 00:12 95744 c:\windows\system32\dllcache\scardsvr.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
2006-04-27 21:43 98304 ----a-w- c:\program files\ActivIdentity\ActivClient Mini\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
2006-04-14 21:55 94208 ----a-w- c:\program files\ActivIdentity\ActivClient Mini\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-06-08 15:04 49152 ----a-r- c:\windows\system32\DeviceNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2007-02-07 07:30 74240 ----a-r- c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\APSHook.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Epson Software\\Event Manager\\EEventManager.exe"=
"c:\\Program Files\\EpsonNet\\EpsonNet Setup\\tool09\\ENEasyApp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [7/24/2007 8:21 AM 38816]
R2 acachsrv;ActivClient Authentication Service;c:\program files\ActivIdentity\ActivClient Mini\acachsrv.exe [4/12/2006 4:43 PM 81920]
R2 accoca;ActivClient Middleware Service;c:\program files\ActivIdentity\ActivClient Mini\accoca.exe [5/2/2006 4:28 PM 135168]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/31/2010 5:46 PM 135336]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [2/28/2006 6:00 AM 14336]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [2/28/2006 6:00 AM 14336]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2/28/2006 5:05 PM 97280]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [10/21/2005 11:19 AM 41216]
R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [1/22/2007 2:09 PM 34736]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2/19/2010 8:00 PM 193840]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2/19/2010 8:34 PM 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [6/8/2007 9:06 AM 172131]
S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [2/19/2010 9:24 AM 14208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASBroker ASChannel
.
Contents of the 'Scheduled Tasks' folder

2010-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\george\Application Data\Mozilla\Firefox\Profiles\3v5pqqne.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2011-01-04 23:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\program files\ActivIdentity\ActivClient Mini\ackpbsc.dll
c:\windows\system32\ACLIBEAY.dll
c:\windows\system32\aclog.dll
c:\windows\system32\acevtsub.dll
c:\windows\system32\asphat32.dll
c:\windows\system32\acauth.dll
c:\windows\system32\acerrmes.dll
c:\windows\system32\aspcom.dll
c:\program files\ActivIdentity\ActivClient Mini\Resources\acerrmrc.dll
c:\program files\ActivIdentity\ActivClient Mini\Resources\asphatrc.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
c:\program files\ActivIdentity\ActivClient Mini\acunlock.dll
c:\windows\system32\aipingui.dll
c:\program files\ActivIdentity\ActivClient Mini\Resources\acunlockrc.dll
c:\windows\system32\DeviceNP.dll
c:\program files\Hewlett-Packard\IAM\Bin\TrayIcon.dll
c:\program files\Hewlett-Packard\IAM\bin\HPBrand.dll
c:\program files\Hewlett-Packard\IAM\Bin\ASChnl.dll
.
Completion time: 2011-01-04 23:46:10
ComboFix-quarantined-files.txt 2011-01-05 05:46
ComboFix2.txt 2011-01-05 05:21

Pre-Run: 67,615,744,000 bytes free
Post-Run: 67,605,135,360 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - DAC1777880E236E81D639946A4A14BA4

Vendetta
Novice
Novice

Posts Posts : 24
Joined Joined : 2010-04-19
Gender Gender : Female
OS OS : Windows Vista Home Premium
Points Points : 24431
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Alvira quarantined TR/Crypt.XPACK.Gen2 help

Post by Belahzur on 6th January 2011, 9:28 am

PS, since Belhazur calls you a log hog, you could always try a RickRoll on him. He definitely needs that, (says one of his former Rickroll victims).

Haha, stick with Sneakyone hun and he'll have you cleaned up and ship shape in no time. Smile


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Posts Posts : 34918
Joined Joined : 2008-08-03
Gender Gender : Male
OS OS : 7 Home Premium x64
Points Points : 245101
# Likes # Likes : 1

View user profile

Back to top Go down

Re: Alvira quarantined TR/Crypt.XPACK.Gen2 help

Post by Vendetta on 6th January 2011, 1:09 pm

Oh, I am not worried. With a name like that, no malware would be clever enough to*sneak* past him. I am just glad to know that GeekPolice exists and that all of you are willing to put in your own valuable time, free of charge, to help anyone who needs it.

Guess I am getting a little off topic here, but it seems like the guys you *pay* automatically want to just wipe out your computer, data and all. It makes you very cynical after a while. Now, if you guys said I had to wipe the computer, I would be fine with that, because for GeekPolice that is a last resort.

Vendetta
Novice
Novice

Posts Posts : 24
Joined Joined : 2010-04-19
Gender Gender : Female
OS OS : Windows Vista Home Premium
Points Points : 24431
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Alvira quarantined TR/Crypt.XPACK.Gen2 help

Post by Sneakyone on 7th January 2011, 1:16 am

Hi,

Please download Malwarebytes Anti-Malware from [You must be registered and logged in to see this link.].


Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

==================

Please run a free online scan with the [You must be registered and logged in to see this link.]
Note: You will need to use Internet Explorer for this scan

  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


I'm livin' life in the fast lane.

Sneakyone
Master
Master

Posts Posts : 2707
Joined Joined : 2010-01-10
Gender Gender : Male
OS OS : Windows 7 Ultimate 64-bit
Protection Protection : Avast, Comodo Firewall, and Malwarebytes' Anti-Malware
Points Points : 56114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Alvira quarantined TR/Crypt.XPACK.Gen2 help

Post by Vendetta on 8th January 2011, 2:02 am

Mbam did require an updqte. I performed both the quick and regular scan, neither of which showed any problems:

quickscan log:
Malwarebytes' Anti-Malware 1.50.1.1100
[You must be registered and logged in to see this link.]

Database version: 5481

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/7/2011 6:20:20 PM
mbam-log-2011-01-07 (18-20-20).txt

Scan type: Quick scan
Objects scanned: 128224
Time elapsed: 2 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Regular scan logs:
Malwarebytes' Anti-Malware 1.50.1.1100
[You must be registered and logged in to see this link.]

Database version: 5481

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/7/2011 6:42:26 PM
mbam-log-2011-01-07 (18-42-26).txt

Scan type: Full scan (C:\|)
Objects scanned: 160220
Time elapsed: 18 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Onto the next step.

Vendetta
Novice
Novice

Posts Posts : 24
Joined Joined : 2010-04-19
Gender Gender : Female
OS OS : Windows Vista Home Premium
Points Points : 24431
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Alvira quarantined TR/Crypt.XPACK.Gen2 help

Post by Sneakyone on 8th January 2011, 6:00 am

Hi,

Do you also have the ESET log?


I'm livin' life in the fast lane.

Sneakyone
Master
Master

Posts Posts : 2707
Joined Joined : 2010-01-10
Gender Gender : Male
OS OS : Windows 7 Ultimate 64-bit
Protection Protection : Avast, Comodo Firewall, and Malwarebytes' Anti-Malware
Points Points : 56114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Alvira quarantined TR/Crypt.XPACK.Gen2 help

Post by Vendetta on 8th January 2011, 6:18 am

No, it appears my husband is not the administrator of his own computer. Not sure how he swung that one. so I got an error and it would not run. Not sure what to do about the admin thing, since we tried all his favorite pws, and none of them worked.

Vendetta
Novice
Novice

Posts Posts : 24
Joined Joined : 2010-04-19
Gender Gender : Female
OS OS : Windows Vista Home Premium
Points Points : 24431
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Alvira quarantined TR/Crypt.XPACK.Gen2 help

Post by Sneakyone on 9th January 2011, 7:59 am

Hi,


Download [You must be registered and logged in to see this link.] to your Desktop.

  • You then need to extract the bootkit_remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: [You must be registered and logged in to see this link.]
  • After extracing bootkit_remover.exe to your Desktop, double-click on bootkit_remover.exe to run the program (Vista/7 users,right click on bootkit_remover.exe and click Run As Administrator.
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL C
  • Open a Notepad and press CTRL V
  • Post the output back here.


I'm livin' life in the fast lane.

Sneakyone
Master
Master

Posts Posts : 2707
Joined Joined : 2010-01-10
Gender Gender : Male
OS OS : Windows 7 Ultimate 64-bit
Protection Protection : Avast, Comodo Firewall, and Malwarebytes' Anti-Malware
Points Points : 56114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Alvira quarantined TR/Crypt.XPACK.Gen2 help

Post by Vendetta on 10th January 2011, 1:00 am

Bootkit Remover
(c) 2009 eSage Lab
[You must be registered and logged in to see this link.]

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...

Vendetta
Novice
Novice

Posts Posts : 24
Joined Joined : 2010-04-19
Gender Gender : Female
OS OS : Windows Vista Home Premium
Points Points : 24431
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Alvira quarantined TR/Crypt.XPACK.Gen2 help

Post by Sneakyone on 10th January 2011, 4:18 pm

Hi,

How is your computer running now?


I'm livin' life in the fast lane.

Sneakyone
Master
Master

Posts Posts : 2707
Joined Joined : 2010-01-10
Gender Gender : Male
OS OS : Windows 7 Ultimate 64-bit
Protection Protection : Avast, Comodo Firewall, and Malwarebytes' Anti-Malware
Points Points : 56114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Alvira quarantined TR/Crypt.XPACK.Gen2 help

Post by Vendetta on 11th January 2011, 7:29 pm

I think things are fine. Had to manually update alvira to get it to run again (probably a windows firewall or one of the scanner programs we did, happens with alvira sometimes). Ran the full scan, which previously had found and renamed those trojan download files). no warnings or problems. By the way, can I delete those renamed files? And should I leave all these other programs we used on my husband's computer?

Edit; Well, as far as malware goes anyway, things look good. Hey, I realized today that this computer used to be part of a network at my husband's office, hence the reason he had no virus software and I could not guess the pw. Should you want me to get the pw, I am likely to be able to get it from my husband's partner. just let me know.


Last edited by Vendetta on 12th January 2011, 12:48 am; edited 1 time in total (Reason for editing : additional info that could be of assistance)

Vendetta
Novice
Novice

Posts Posts : 24
Joined Joined : 2010-04-19
Gender Gender : Female
OS OS : Windows Vista Home Premium
Points Points : 24431
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Alvira quarantined TR/Crypt.XPACK.Gen2 help

Post by Sneakyone on 12th January 2011, 5:21 am

Hi,

Your computer is now clean. Now, time to remove the tools used, and update your computer to prevent vulnerability.

Updating System Restore

Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE.


You now have a clean restore point.

To get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do a calculation of temporary/old files, and then display a dialogue box.
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button click this
  • Accept the Warning and select OK again, the program will close and you are done.


========

Removing the tools

Now, to remove all of the tools we used and the files and folders they created, please do the following:

Download [You must be registered and logged in to see this link.] by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


============

Service Pack upgrade

Please consider upgrading to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

More info about SP3: [You must be registered and logged in to see this link.]

============

Update Programs

Please download the newest version of Adobe Acrobat Reader from [You must be registered and logged in to see this link.]

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.



Please download the newest version of Java from [You must be registered and logged in to see this link.].

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

===============

Staying Protected

If you don't have a Anti-Virus I recommend to download these free Anti-Virus programs:
1. [You must be registered and logged in to see this link.]
2. [You must be registered and logged in to see this link.]
3. [You must be registered and logged in to see this link.]

If you don't have a good firewall I recommend these free firewalls:
1. [You must be registered and logged in to see this link.]
2. [You must be registered and logged in to see this link.]

I recommend using [You must be registered and logged in to see this link.] for a anti-malware program.

If you don't have a anti-spyware I recommend to download these free programs to help keep you spyware free:
1. [You must be registered and logged in to see this link.]
2. [You must be registered and logged in to see this link.]

Please don't download more than one Anti-virus, firewall, or anti-spyware because they will conflict with each other making your computer slow, data loss, and false results so please just don't do it.

================

Here are some prevention tips:

1. Torrents are a conduit of malware; this is why we highly recommend not using them as chances are extremely high that you will be infected from them.

2. Cracks/warez/keygens are another conduit of malware and are illegal so don't use them.

3. Disable auto-run to prevent auto-run worms from infecting your machine through USB drives.[You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.]

4. Always make sure you have the latest [You must be registered and logged in to see this link.].

5. Use a Site Advisor so you don't go to sites that will infect you. [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.]

6. Also there are many holes and flaws in Internet Explorer I recommend using [You must be registered and logged in to see this link.] or [You must be registered and logged in to see this link.] to keep you more safe.

7. Always keep your [You must be registered and logged in to see this link.] and Adobe Reader updated and all older versions removed to keep clear from exploits.

8. Don't fall for Scareware. What is Scareware? A rogue anti-virus on your system that will scare you into buying their fake software due to false detections.

9. Be sure to always have a firewall and anti-virus installed at all times.


I'm livin' life in the fast lane.

Sneakyone
Master
Master

Posts Posts : 2707
Joined Joined : 2010-01-10
Gender Gender : Male
OS OS : Windows 7 Ultimate 64-bit
Protection Protection : Avast, Comodo Firewall, and Malwarebytes' Anti-Malware
Points Points : 56114
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Alvira quarantined TR/Crypt.XPACK.Gen2 help

Post by Vendetta on 12th January 2011, 8:25 pm

That was helpful. Currently using Avira, spybot, and the windows firewall.

Question: I am currently using the windows firewall that came with vista. Do you prefer those you suggested to that? Also, I tried to figure out the whole auto-run thing, but while I now understand why it can be bad, I can't figure out whether mine is already disabled or not. I am afraid that is too complicated for me. Any suggestions on that?

Meanwhile, thank you for all the help. There will definitely be a small contribution to GP's costs.

Vendetta
Novice
Novice

Posts Posts : 24
Joined Joined : 2010-04-19
Gender Gender : Female
OS OS : Windows Vista Home Premium
Points Points : 24431
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Alvira quarantined TR/Crypt.XPACK.Gen2 help

Post by Sneakyone on 12th January 2011, 10:41 pm

You're welcome glad to help. Smile

Windows Firewall should be fine and if your external drives don't start as soon as you plug it in auto-run is off.


I'm livin' life in the fast lane.

Sneakyone
Master
Master

Posts Posts : 2707
Joined Joined : 2010-01-10
Gender Gender : Male
OS OS : Windows 7 Ultimate 64-bit
Protection Protection : Avast, Comodo Firewall, and Malwarebytes' Anti-Malware
Points Points : 56114
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top


 
Permissions in this forum:
You cannot reply to topics in this forum