
Author Topic: persistent TR/Crypt.Xpack.gen  (Read 34600 times)


an8el

    Topic Starter

    Beginner
  • Humblistic
  • Thanked: 3
  • Experience: Familiar
  • OS: Windows 10
Re: persistent TR/Crypt.Xpack.gen
« Reply #15 on: June 22, 2010, 08:20:06 PM »
Didn't want to go further in case the Rootkit Unhooker was going to be affected by not uninstalling the previous scanning prog. Thanks for the reassurance that it's just house-cleaning to be uninstalled later.

OK, had to download 7-Zip. Extracted it to a folder as directed, randomly renamed it letusbeunhooked in the SysWOW64 progs...

After installing, Rootkit Unhooker did not start automatically.
Found the folder in the Start > Programs list, clicked on it... got an error message:

Error loading driver, NTSTATUS code: 0xC000036B
¤ø„¸¸„ø¤º°Aloha,
¸„ø¤º°¨¨°º¤ø„¸from
¸„ø¤º° Frani ``°º¤ø„¸
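The NTSTATUS value in the post above can be read without guessing. What follows is an added example written for this page, not part of the thread or of Rootkit Unhooker: it splits a status value into the fields Microsoft documents for NTSTATUS (severity in the top two bits, a customer bit, a 12-bit facility and a 16-bit code) and looks the result up in a short table of constants taken from ntstatus.h. 0xC000036B decodes to severity ERROR, facility 0, code 0x36B, which ntstatus.h names STATUS_DRIVER_BLOCKED_CRITICAL: the kernel refused to load the tool's driver, rather than the driver loading and then failing. A tool whose driver was built for 32-bit XP or Vista is not going to load on an x64 Windows 7 kernel, which is what the later replies establish. The lookup table is deliberately short and is the example's own selection; any value not in it should be looked up in ntstatus.h.

```python
# Added example (not from the thread): decode an NTSTATUS value such as the
# 0xC000036B reported above into the fields of the NTSTATUS layout:
# bits 31-30 severity, bit 29 customer, bit 28 reserved,
# bits 27-16 facility, bits 15-0 code.

SEVERITY_NAMES = {
    0: "STATUS_SEVERITY_SUCCESS",
    1: "STATUS_SEVERITY_INFORMATIONAL",
    2: "STATUS_SEVERITY_WARNING",
    3: "STATUS_SEVERITY_ERROR",
}

# A few facility-0 constants from ntstatus.h that show up when a security
# tool's kernel driver fails to load. Not an exhaustive table (assumption:
# anything missing is looked up by hand).
KNOWN_STATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000007B: "STATUS_INVALID_IMAGE_FORMAT",
    0xC000010E: "STATUS_IMAGE_ALREADY_LOADED",
    0xC000036B: "STATUS_DRIVER_BLOCKED_CRITICAL",
    0xC000036C: "STATUS_DRIVER_BLOCKED",
    0xC0000428: "STATUS_INVALID_IMAGE_HASH",
}

# Codes meaning the kernel refused the image on policy grounds (blocklist or
# code signing), as opposed to the file being missing or the wrong format.
POLICY_BLOCKS = {0xC000036B, 0xC000036C, 0xC0000428}


def decode_ntstatus(value):
    """Split an NTSTATUS (int, or a '0x...' string) into its named fields."""
    status = int(value, 16) if isinstance(value, str) else int(value)
    status &= 0xFFFFFFFF  # tolerate values printed from a signed 32-bit long
    return {
        "value": status,
        "severity": SEVERITY_NAMES[(status >> 30) & 0x3],
        "customer": bool((status >> 29) & 0x1),  # set for vendor-defined codes
        "facility": (status >> 16) & 0x0FFF,     # 0 = generic kernel facility
        "code": status & 0xFFFF,
        "name": KNOWN_STATUS.get(status),
        "policy_block": status in POLICY_BLOCKS,
    }


def describe(value):
    """One-line summary suitable for a triage note."""
    d = decode_ntstatus(value)
    name = d["name"] or "unknown (look up in ntstatus.h)"
    return "0x%08X: %s, facility %d, code 0x%04X, %s" % (
        d["value"], d["severity"], d["facility"], d["code"], name)


if __name__ == "__main__":
    print(describe("0xC000036B"))
```

The useful distinction for a helper reading such a thread is the last field: a policy block means the operating system declined the driver, so retrying the same binary from Safe Mode will give the same result, whereas STATUS_OBJECT_NAME_NOT_FOUND or STATUS_INVALID_IMAGE_FORMAT points at a broken install or a 32-bit driver on a 64-bit kernel.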

Crush

  • Malware Removal Specialist


  • Beginner

    Thanked: 8
Re: persistent TR/Crypt.Xpack.gen
« Reply #16 on: June 22, 2010, 11:04:13 PM »
Hi,

Have you disabled CD Emulation with DeFogger?
"I am in fact, quite cool. My graphing calculator confirms this"

an8el
Re: persistent TR/Crypt.Xpack.gen
« Reply #17 on: June 22, 2010, 11:19:34 PM »
I ran DeFogger but it did not urge me to restart because it said there was no CD emulation to suspend. I restarted anyway.

I have a couple of ideas (that I won't try unless prompted to do so, because that's what I agreed to).

1. I have not yet re-tried the download and install of either rootkit scanner from Safe Mode.

2. What if I download a current version of Linux to find out if the build includes ClamAV? (It is a virus scanner for Windows files that runs on Linux systems.) Without installing Linux right now, most Linux install CDs are also a bootable "live CD" ISO disc. If the ClamAV program was part of the live CD, it could be an effective scanner for the C:\ drive because it wouldn't activate the trojan's defenses. The thugs who built this scanner probably didn't provide a defense against another OS.

Not sure if the program ClamAV is part of the newest build of Linux Ubuntu (Lucid Lynx, Long Term Support), but I believe an update was or is in beta to be released, which may be good enough for our purposes right now even though it probably has a few bugs on the final install. Not sure either if ClamAV would be thorough enough to clean up the trojan entirely. But probably the people who designed the virus didn't imagine another OS could have access to the machine.

I am vastly appreciating the help and attention I'm getting - this is a teaser problem that I could never solve on my own!

Crush
Re: persistent TR/Crypt.Xpack.gen
« Reply #18 on: June 23, 2010, 11:27:09 AM »
Hi an8el,

Before we try anything drastic like using a bootable CD, let's see if we can troubleshoot your RKUnhooker issue. Are you using a 64-bit OS?

an8el
Re: persistent TR/Crypt.Xpack.gen
« Reply #19 on: June 24, 2010, 02:44:07 AM »
Sorry I couldn't reply sooner - for some reason this site was unavailable for me until now.

Yes I am - 64-bit with Win7, Home edition - without the emulation for XP.
It was pre-installed when I bought the machine new. Don't have the install CDs because I was financially challenged when I bought the thing.

Crush
Re: persistent TR/Crypt.Xpack.gen
« Reply #20 on: June 24, 2010, 01:04:58 PM »
Ah. That's the issue then, RootRepeal doesn't work on 64-bit machines. Not many tools do.

Please download SpiderKill and save it to your Desktop.
• Right-click on SpiderKill.zip and click Extract All. Follow the prompts and read carefully, to save it to your Desktop.
• Double-click on the SpiderKill folder, and then double-click on SpiderKill.bat and follow all the prompts in the program.
• Within a minute, it will save its log titled SpiderKill.txt. Please post that in your next reply. You may have to use two or three posts to be able to fit the information in.

an8el
Re: persistent TR/Crypt.Xpack.gen
« Reply #21 on: June 24, 2010, 04:17:45 PM »
OK it worked - was worrying that the trojan wouldn't let a DOS window come up, but it happened fine, allowing me to pause at each stage and continue. All of the results fit into one post.

        SpiderKill by DragonMaster Jay
         Microsoft Windows [Version 6.1.7600]
         
        ********************Drivers list********************
         
         
         Volume in drive C is Acer
         Volume Serial Number is 1429-B159

         Directory of C:\Windows\System32\Drivers

        06/07/2010  12:43 PM    <DIR>          .
        06/07/2010  12:43 PM    <DIR>          ..
        07/13/2009  02:06 PM            68,096 1394bus.sys
        07/13/2009  02:07 PM           227,840 1394ohci.sys
        07/13/2009  03:52 PM           334,416 acpi.sys
        07/13/2009  01:27 PM            12,288 acpipmi.sys
        07/13/2009  03:52 PM           491,088 adp94xx.sys
        07/13/2009  03:52 PM           339,536 adpahci.sys
        07/13/2009  03:52 PM           182,864 adpu320.sys
        07/13/2009  01:21 PM           500,224 afd.sys
        07/13/2009  02:10 PM            60,416 agilevpn.sys
        07/13/2009  03:52 PM            61,008 AGP440.sys
        07/13/2009  03:52 PM            15,440 aliide.sys
        07/13/2009  03:52 PM            15,440 amdide.sys
        07/13/2009  01:19 PM            64,512 amdk8.sys
        07/13/2009  01:19 PM            60,928 amdppm.sys
        07/13/2009  03:52 PM           106,576 amdsata.sys
        07/13/2009  03:52 PM           194,128 amdsbs.sys
        07/13/2009  03:52 PM            28,752 amdxata.sys
        07/13/2009  01:52 PM            61,440 appid.sys
        07/13/2009  03:52 PM            87,632 arc.sys
        07/13/2009  03:52 PM            97,856 arcsas.sys
        07/13/2009  02:10 PM            23,040 asyncmac.sys
        07/13/2009  03:52 PM            24,128 atapi.sys
        07/13/2009  03:52 PM           155,728 ataport.sys
        10/05/2009  02:34 PM         1,542,656 athrx.sys
        07/29/2009  01:06 AM            53,248 ati2erec.dll
        07/29/2009  12:11 PM         6,038,016 atikmdag.sys
        05/04/2009  03:30 AM            16,440 AtiPcie.sys
        06/10/2009  10:36 AM           655,825 ativcaxx.cpa
        06/10/2009  10:36 AM               929 ativcaxx.vp
        06/10/2009  10:36 AM             2,096 ativdkxx.vp
        06/10/2009  10:36 AM             2,096 ativokxx.vp
        06/10/2009  10:36 AM             2,096 ativpkxx.vp
        06/10/2009  10:36 AM            19,392 ativvpxx.vp
        02/16/2010  02:24 PM            81,072 avgntflt.sys
        03/02/2010  01:35 PM           116,568 avipbb.sys
        06/10/2009  10:34 AM           270,848 b57nd60a.sys
        07/13/2009  03:52 PM            28,240 battc.sys
        07/13/2009  02:00 PM             6,656 beep.sys
        07/13/2009  01:35 PM            45,056 blbdrive.sys
        07/13/2009  01:23 PM            90,624 bowser.sys
        06/10/2009  10:41 AM            18,432 BrFiltLo.sys
        06/10/2009  10:41 AM             8,704 BrFiltUp.sys
        07/13/2009  03:01 PM            95,232 bridge.sys
        07/13/2009  03:18 PM           281,088 BrSerIb.sys
        07/13/2009  03:19 PM           286,720 BrSerId.sys
        06/10/2009  10:41 AM            47,104 BrSerWdm.sys
        06/10/2009  10:41 AM            14,976 BrUsbMdm.sys
        06/10/2009  10:41 AM            14,720 BrUsbSer.sys
        06/10/2009  10:41 AM            15,360 BrUsbSIb.sys
        07/13/2009  02:06 PM            72,192 bthmodem.sys
        06/10/2009  10:34 AM           468,480 bxvbda.sys
        07/13/2009  01:19 PM            92,160 cdfs.sys
        07/13/2009  01:19 PM           147,456 cdrom.sys
        07/13/2009  02:06 PM            45,568 circlass.sys
        07/13/2009  03:52 PM           178,752 Classpnp.sys
        07/13/2009  01:31 PM            17,664 CmBatt.sys
        07/13/2009  03:52 PM            17,488 cmdide.sys
        07/13/2009  03:43 PM           460,504 cng.sys
        07/13/2009  03:52 PM            21,584 compbatt.sys
        07/13/2009  02:00 PM            38,912 CompositeBus.sys
        07/13/2009  03:47 PM            39,504 crashdmp.sys
        07/13/2009  03:47 PM            24,144 crcdisk.sys
        11/04/2009  02:58 AM            22,528 dc3d.sys
        07/13/2009  01:23 PM           102,400 dfsc.sys
        07/13/2009  01:37 PM            40,448 discache.sys
        07/13/2009  03:47 PM            73,280 disk.sys
        07/13/2009  03:47 PM            27,216 Diskdump.sys
        07/13/2009  03:01 PM           116,224 drmk.sys
        07/13/2009  02:06 PM             5,632 drmkaud.sys
        07/13/2009  03:47 PM            28,736 Dumpata.sys
        07/13/2009  03:43 PM            55,128 dumpfve.sys
        07/13/2009  01:38 PM            16,896 dxapi.sys
        07/13/2009  01:38 PM            98,816 dxg.sys
        10/01/2009  06:32 PM           982,600 dxgkrnl.sys
        07/13/2009  01:38 PM           258,048 dxgmms1.sys
        07/13/2009  03:47 PM           530,496 elxstor.sys
        07/13/2009  07:37 PM    <DIR>          en-US
        07/13/2009  01:31 PM             9,728 errdev.sys
        07/13/2009  05:20 PM    <DIR>          etc
        06/10/2009  10:34 AM         3,286,016 evbda.sys
        07/13/2009  01:23 PM           195,072 exfat.sys
        07/13/2009  01:23 PM           204,800 fastfat.sys
        07/13/2009  02:00 PM            29,696 fdc.sys
        07/13/2009  03:47 PM            70,224 fileinfo.sys
        07/13/2009  01:25 PM            34,304 filetrace.sys
        07/13/2009  02:00 PM            24,576 flpydisk.sys
        07/13/2009  03:47 PM           290,368 fltMgr.sys
        07/13/2009  03:47 PM            55,376 fsdepends.sys
        07/13/2009  03:47 PM            23,104 fs_rec.sys
        07/13/2009  03:43 PM           223,448 fvevol.sys
        07/13/2009  03:47 PM           288,336 FWPKCLNT.SYS
        07/13/2009  03:47 PM            65,088 GAGP30KX.SYS
        06/10/2009  10:30 AM         3,440,660 gm.dls
        06/10/2009  10:30 AM               646 gmreadme.txt
        06/10/2009  10:31 AM            31,232 hcw85cir.sys
        07/13/2009  02:06 PM           122,368 hdaudbus.sys
        07/13/2009  02:07 PM           350,208 HdAudio.sys
        07/13/2009  01:31 PM            26,624 hidbatt.sys
        07/13/2009  02:06 PM           100,864 hidbth.sys
        07/13/2009  02:06 PM            76,288 hidclass.sys
        07/13/2009  02:06 PM            46,592 hidir.sys
        07/13/2009  02:06 PM            32,896 hidparse.sys
        07/13/2009  02:06 PM            30,208 hidusb.sys
        07/13/2009  03:47 PM            77,888 HpSAMD.sys
        07/13/2009  01:22 PM           751,616 http.sys
        07/13/2009  03:48 PM            14,416 hwpolicy.sys
        07/13/2009  01:19 PM           105,472 i8042prt.sys
        07/13/2009  03:48 PM           410,688 iaStorV.sys
        07/13/2009  03:48 PM            44,112 iirsp.sys
        07/13/2009  03:48 PM            16,960 intelide.sys
        07/13/2009  01:19 PM            62,464 intelppm.sys
        07/13/2009  02:10 PM            82,944 ipfltdrv.sys
        07/13/2009  01:47 PM            78,848 IPMIDrv.sys
        07/13/2009  02:10 PM           116,224 ipnat.sys
        07/13/2009  02:09 PM           120,320 irda.sys
        07/13/2009  02:08 PM            17,920 irenum.sys
        07/13/2009  03:48 PM            20,544 isapnp.sys
        07/13/2009  03:48 PM            50,768 kbdclass.sys
        07/13/2009  02:00 PM            33,280 kbdhid.sys
        07/13/2009  02:00 PM           243,200 ks.sys
        07/13/2009  03:48 PM            95,312 ksecdd.sys
        12/11/2009  12:29 AM           153,160 ksecpkg.sys
        07/13/2009  02:00 PM            20,992 ksthunk.sys
        11/13/2009  09:47 AM            67,072 L1C62x64.sys
        07/13/2009  02:08 PM            60,928 lltdio.sys
        07/13/2009  03:48 PM           114,752 lsi_fc.sys
        07/13/2009  03:48 PM           106,560 lsi_sas.sys
        07/13/2009  03:48 PM            65,600 lsi_sas2.sys
        07/13/2009  03:48 PM           115,776 lsi_scsi.sys
        07/13/2009  01:26 PM           113,152 luafv.sys
        04/29/2010  03:39 PM            24,664 mbam.sys
        07/13/2009  02:01 PM            22,016 mcd.sys
        07/13/2009  03:48 PM            35,392 megasas.sys
        07/13/2009  03:48 PM           284,736 MegaSR.sys
        07/13/2009  02:10 PM            40,448 modem.sys
        07/13/2009  01:38 PM            30,208 monitor.sys
        07/13/2009  03:48 PM            49,216 mouclass.sys
        07/13/2009  02:00 PM            31,232 mouhid.sys
        07/13/2009  03:48 PM            94,784 mountmgr.sys
        07/13/2009  03:48 PM           155,216 mpio.sys
        07/13/2009  02:08 PM            77,312 mpsdrv.sys
        07/13/2009  01:23 PM           140,800 mrxdav.sys
        02/26/2010  09:52 PM           157,696 mrxsmb.sys
        02/26/2010  09:52 PM           286,720 mrxsmb10.sys
        02/26/2010  09:52 PM           125,952 mrxsmb20.sys
        07/13/2009  03:48 PM            30,272 msahci.sys
        07/13/2009  03:48 PM           140,352 msdsm.sys
        07/13/2009  01:19 PM            26,112 msfs.sys
        06/10/2009  10:45 AM                 3 MsftWdf_Kernel_01009_Inbox_Critical.Wdf
        07/13/2009  02:06 PM             8,192 mshidkmdf.sys
        07/13/2009  03:48 PM            15,424 msisadrv.sys
        07/13/2009  03:48 PM           224,832 msiscsi.sys
        07/13/2009  02:00 PM            11,136 mskssrv.sys
        07/13/2009  02:00 PM             7,168 mspclock.sys
        07/13/2009  02:00 PM             6,784 mspqm.sys
        07/13/2009  03:48 PM           367,168 msrpc.sys
        07/13/2009  03:48 PM            32,320 mssmbios.sys
        07/13/2009  02:00 PM             8,064 mstee.sys
        07/13/2009  02:02 PM            15,360 MTConfig.sys
        07/13/2009  03:48 PM            60,496 mup.sys
        06/02/2009  01:15 AM            22,576 mwlPSDFilter.sys
        06/02/2009  01:15 AM            20,016 mwlPSDNserv.sys
        06/02/2009  01:15 AM            60,464 mwlPSDVDisk.sys
        07/13/2009  03:48 PM           947,776 ndis.sys
        07/13/2009  02:08 PM            35,328 ndiscap.sys
        07/13/2009  02:10 PM            24,064 ndistapi.sys
        07/13/2009  02:09 PM            56,320 ndisuio.sys
        07/13/2009  02:10 PM           164,352 ndiswan.sys
        07/13/2009  02:10 PM            57,856 ndproxy.sys
        07/13/2009  02:09 PM            44,544 netbios.sys
        07/13/2009  01:21 PM           259,072 netbt.sys
        07/13/2009  03:48 PM           374,864 netio.sys
        07/13/2009  03:48 PM            51,264 nfrd960.sys
        07/13/2009  01:19 PM            44,032 npfs.sys
        07/13/2009  01:21 PM            24,576 nsiproxy.sys
        07/13/2009  03:48 PM         1,659,984 ntfs.sys
        05/04/2009  10:46 PM            18,432 NTIDrvr.sys
        05/08/2009  11:14 PM            15,752 nuidfltr.sys
        07/13/2009  01:19 PM             6,144 null.sys
        07/13/2009  03:48 PM           149,056 nvraid.sys
        07/13/2009  03:45 PM           167,488 nvstor.sys
        07/13/2009  03:48 PM           122,960 NV_AGP.SYS
        07/13/2009  02:07 PM           318,976 nwifi.sys
        07/13/2009  02:06 PM            72,832 ohci1394.sys
        07/13/2009  02:09 PM           131,584 pacer.sys
        07/13/2009  02:00 PM            97,280 parport.sys
        07/13/2009  03:45 PM            75,840 partmgr.sys
        07/13/2009  03:45 PM           183,872 pci.sys
        07/13/2009  03:45 PM            12,352 pciide.sys
        07/13/2009  03:45 PM            48,720 pciidex.sys
        07/13/2009  03:45 PM           220,752 pcmcia.sys
        07/13/2009  03:45 PM            50,768 pcw.sys
        07/13/2009  03:01 PM           651,264 PEAuth.sys
        07/13/2009  02:06 PM           230,400 portcls.sys
        07/13/2009  01:19 PM            60,416 processr.sys
        07/13/2009  03:45 PM         1,524,816 ql2300.sys
        07/13/2009  03:45 PM           128,592 ql40xx.sys
        07/13/2009  02:09 PM            46,592 qwavedrv.sys
        07/13/2009  02:10 PM            14,848 rasacd.sys
        07/13/2009  02:10 PM           130,048 rasl2tp.sys
        07/13/2009  02:10 PM            92,672 raspppoe.sys
        07/13/2009  02:10 PM           111,616 raspptp.sys
        07/13/2009  02:10 PM            83,968 rassstp.sys
        07/13/2009  01:24 PM           309,248 rdbss.sys
        07/13/2009  02:17 PM            24,064 rdpbus.sys
        07/13/2009  02:16 PM             7,680 RDPCDD.sys
        07/13/2009  02:16 PM             7,680 RDPENCDD.sys
        07/13/2009  02:16 PM             8,192 RDPREFMP.sys
        07/13/2009  02:16 PM           204,800 rdpwd.sys
        07/13/2009  03:45 PM           214,096 rdyboost.sys
        07/13/2009  02:09 PM           145,920 rmcast.sys
        07/13/2009  02:09 PM            41,472 RNDISMP.sys
        07/13/2009  02:10 PM            11,264 rootmdm.sys
        07/13/2009  02:08 PM            76,800 rspndr.sys
        07/30/2009  02:02 AM           173,292 RTConvEQ.dat
        06/26/2005  11:29 AM               520 RTEQEX0.dat
        06/26/2005  11:29 AM               520 RTEQEX1.dat
        08/20/2008  07:43 PM               520 RTEQEX2.dat
        07/30/2009  02:02 AM             1,016 RtHdatEx.dat
        07/12/2007  08:11 PM                 8 rtkhdaud.dat
        07/28/2009  03:00 AM         1,966,624 RTKVHD64.sys
        07/13/2009  03:45 PM           104,016 sbp2port.sys
        07/13/2009  01:50 PM            29,696 scfilter.sys
        07/13/2009  03:45 PM           171,600 scsiport.sys
        06/10/2009  10:37 AM            23,040 secdrv.sys
        07/13/2009  02:00 PM            23,552 serenum.sys
        07/13/2009  02:00 PM            94,208 serial.sys
        07/13/2009  02:00 PM            26,624 sermouse.sys
        07/13/2009  02:01 PM            14,336 sffdisk.sys
        07/13/2009  02:01 PM            13,824 sffp_mmc.sys
        07/13/2009  02:01 PM            14,336 sffp_sd.sys
        07/13/2009  02:01 PM            16,896 sfloppy.sys
        07/13/2009  03:45 PM            43,584 sisraid2.sys
        07/13/2009  03:45 PM            80,464 sisraid4.sys
        07/13/2009  02:09 PM            93,184 smb.sys
        07/13/2009  02:00 PM            20,992 smclib.sys
        07/13/2009  03:45 PM            19,008 spldr.sys
        06/10/2009  10:48 AM           426,496 spsys.sys
        12/07/2009  10:32 PM           464,896 srv.sys
        07/13/2009  01:25 PM           407,040 srv2.sys
        12/07/2009  10:32 PM           162,304 srvnet.sys
        07/13/2009  03:45 PM            24,656 stexstor.sys
        07/13/2009  03:45 PM           185,936 storport.sys
        07/13/2009  02:06 PM            68,864 stream.sys
        07/13/2009  03:45 PM            12,496 swenum.sys
        06/18/2009  02:12 AM           272,432 SynTP.sys
        07/13/2009  02:01 PM            29,184 tape.sys
        07/13/2009  03:45 PM         1,898,576 tcpip.sys
        07/13/2009  02:09 PM            44,544 tcpipreg.sys
        07/13/2009  01:21 PM            26,624 tdi.sys
        07/13/2009  02:16 PM            15,872 tdpipe.sys
        07/13/2009  02:16 PM            23,552 tdtcp.sys
        07/13/2009  01:21 PM            99,840 tdx.sys
        07/13/2009  03:45 PM            62,544 termdd.sys
        07/13/2009  02:16 PM            38,400 tssecsrv.sys
        07/13/2009  02:09 PM           125,440 tunnel.sys
        07/13/2009  03:45 PM            64,080 UAGP35.SYS
        05/04/2009  10:46 PM            16,896 UBHelper.sys
        07/13/2009  01:23 PM           327,168 udfs.sys
        07/13/2009  03:45 PM            64,592 ULIAGPKX.SYS
        07/13/2009  02:06 PM            48,640 umbus.sys
        11/12/2009  06:06 PM    <DIR>          UMDF
        07/13/2009  02:06 PM             9,728 umpass.sys
        07/13/2009  02:09 PM            19,968 usb8023.sys
        07/13/2009  02:06 PM            32,896 USBCAMD2.sys
        07/13/2009  02:06 PM            98,816 usbccgp.sys
        07/13/2009  02:06 PM           100,352 usbcir.sys
        07/13/2009  02:06 PM             7,936 usbd.sys
        07/13/2009  02:06 PM            51,200 usbehci.sys
        04/03/2009  03:39 AM            34,872 usbfilter.sys
        07/13/2009  02:07 PM           343,040 usbhub.sys
        07/13/2009  02:06 PM            25,600 usbohci.sys
        07/13/2009  02:06 PM           324,608 usbport.sys
        07/13/2009  02:38 PM            25,088 usbprint.sys
        07/13/2009  02:35 PM            31,744 usbrpm.sys
        07/13/2009  02:35 PM            41,984 usbscan.sys
        07/13/2009  02:06 PM            89,600 USBSTOR.SYS
        07/13/2009  02:06 PM            30,720 usbuhci.sys
        07/13/2009  02:07 PM           184,576 usbvideo.sys
        07/13/2009  03:45 PM            36,432 vdrvroot.sys
        07/13/2009  01:38 PM            29,184 vga.sys
        07/13/2009  01:38 PM            29,184 vgapnp.sys
        07/13/2009  03:45 PM           217,680 vhdmp.sys
        07/13/2009  03:45 PM            17,488 viaide.sys
        07/13/2009  01:38 PM           129,024 videoprt.sys
        07/13/2009  03:45 PM            71,760 volmgr.sys
        07/13/2009  03:45 PM           363,584 volmgrx.sys
        07/13/2009  03:45 PM           294,992 volsnap.sys
        07/13/2009  03:45 PM           161,872 vsmraid.sys
        07/13/2009  02:07 PM            24,576 vwifibus.sys
        07/13/2009  02:07 PM            59,904 vwififlt.sys
        07/13/2009  02:07 PM            17,920 vwifimp.sys
        07/13/2009  02:02 PM            27,776 wacompen.sys
        07/13/2009  02:10 PM            88,576 wanarp.sys
        07/13/2009  01:37 PM            42,496 watchdog.sys
        07/13/2009  03:45 PM            21,056 wd.sys
        07/13/2009  03:45 PM           654,928 Wdf01000.sys
        07/13/2009  03:45 PM            42,064 WdfLdr.sys
        07/13/2009  02:09 PM            12,800 wfplwf.sys
        07/13/2009  03:45 PM            22,096 wimmount.sys
        07/13/2009  01:31 PM            14,336 wmiacpi.sys
        07/13/2009  03:45 PM            16,464 wmilib.sys
        07/13/2009  02:10 PM            21,504 ws2ifsl.sys
        07/13/2009  02:05 PM           112,128 WUDFPf.sys
        07/13/2009  02:06 PM           172,544 WUDFRd.sys
                     302 File(s)     53,344,563 bytes

         Directory of C:\Windows\System32\Drivers\en-US

        07/13/2009  07:37 PM    <DIR>          .
        07/13/2009  07:37 PM    <DIR>          ..
        07/13/2009  04:29 PM            11,776 1394ohci.sys.mui
        07/13/2009  04:23 PM             9,216 acpi.sys.mui
        07/13/2009  04:30 PM            14,848 afd.sys.mui
        07/13/2009  04:25 PM             2,560 AGP440.sys.mui
        07/13/2009  04:25 PM             2,048 amdide.sys.mui
        07/13/2009  04:28 PM            14,336 amdk8.sys.mui
        07/13/2009  04:28 PM            14,336 amdppm.sys.mui
        07/13/2009  04:29 PM             3,072 ataport.sys.mui
        07/13/2009  04:29 PM             3,072 atikmdag.sys.mui
        07/13/2009  04:27 PM             7,168 battc.sys.mui
        07/13/2009  04:30 PM            25,600 bfe.dll.mui
        07/13/2009  04:28 PM             2,560 BrParwdm.sys.mui
        07/13/2009  04:25 PM            10,240 BrSerIb.sys.mui
        07/13/2009  04:30 PM            10,240 BrSerId.sys.mui
        07/13/2009  04:30 PM             2,048 bthenum.sys.mui
        07/13/2009  04:27 PM             4,608 bthpan.sys.mui
        07/13/2009  04:27 PM             7,680 bthport.sys.mui
        07/13/2009  04:30 PM             2,560 BTHUSB.SYS.mui
        07/13/2009  04:29 PM             2,048 cdrom.sys.mui
        07/13/2009  04:29 PM             2,048 disk.sys.mui
        07/13/2009  04:28 PM             2,560 Dot4usb.sys.mui
        07/13/2009  04:23 PM             5,120 fltmgr.sys.mui
        07/13/2009  04:30 PM            14,336 fvevol.sys.mui
        07/13/2009  04:29 PM             2,560 GAGP30KX.SYS.mui
        07/13/2009  04:28 PM             4,096 hdaudbus.sys.mui
        07/13/2009  04:30 PM             3,072 HdAudio.sys.mui
        07/13/2009  04:24 PM             3,072 hidbth.sys.mui
        07/13/2009  04:30 PM            32,256 http.sys.mui
        07/13/2009  04:29 PM            10,240 i8042prt.sys.mui
        07/13/2009  04:28 PM            14,336 intelppm.sys.mui
        07/13/2009  04:29 PM             5,632 IPMIDrv.sys.mui
        07/13/2009  04:23 PM             3,584 ipnat.sys.mui
        07/13/2009  04:30 PM             3,584 isapnp.sys.mui
        07/13/2009  04:30 PM             4,096 kbdclass.sys.mui
        07/13/2009  04:24 PM             2,560 kbdhid.sys.mui
        07/13/2009  04:29 PM             6,144 luafv.sys.mui
        07/13/2009  04:28 PM             3,584 modem.sys.mui
        07/13/2009  04:26 PM             4,096 mouclass.sys.mui
        07/13/2009  04:24 PM             2,560 mouhid.sys.mui
        07/13/2009  04:29 PM             2,560 mountmgr.sys.mui
        07/13/2009  04:27 PM            26,624 mpio.sys.mui
        07/13/2009  04:29 PM             5,632 msdsm.sys.mui
        07/13/2009  04:24 PM             3,072 mssmbios.sys.mui
        07/13/2009  04:27 PM             2,560 MTConfig.sys.mui
        07/13/2009  04:29 PM            35,328 ndis.sys.mui
        07/13/2009  04:29 PM             5,632 ndiscap.sys.mui
        07/13/2009  04:23 PM             3,072 ndisuio.sys.mui
        07/13/2009  04:26 PM            59,904 ntfs.sys.mui
        07/13/2009  04:24 PM             2,560 NV_AGP.SYS.mui
        07/13/2009  04:23 PM            13,824 nwifi.sys.mui
        07/13/2009  04:29 PM            11,776 ohci1394.sys.mui
        07/13/2009  04:25 PM            15,360 pacer.sys.mui
        07/13/2009  04:29 PM             3,584 parport.sys.mui
        07/13/2009  04:29 PM             2,560 partmgr.sys.mui
        07/13/2009  04:29 PM             8,192 pci.sys.mui
        07/13/2009  04:28 PM             4,096 pcmcia.sys.mui
        07/13/2009  04:26 PM             2,560 pnpmem.sys.mui
        07/13/2009  04:23 PM             3,584 portcls.sys.mui
        07/13/2009  04:29 PM            14,336 processr.sys.mui
        07/13/2009  04:30 PM             3,584 pscr.sys.mui
        07/13/2009  04:24 PM             2,560 qwavedrv.sys.mui
        07/13/2009  04:25 PM             4,608 rdbss.sys.mui
        07/13/2009  04:28 PM             3,072 RNDISMP.sys.mui
        07/13/2009  04:25 PM             3,072 rndismp6.sys.mui
        07/13/2009  04:28 PM             3,072 rndismpx.sys.mui
        07/13/2009  04:30 PM             2,560 scfilter.sys.mui
        07/13/2009  04:24 PM             3,072 scsiport.sys.mui
        07/13/2009  04:30 PM            10,240 serial.sys.mui
        07/13/2009  04:29 PM             5,120 sermouse.sys.mui
        07/13/2009  04:26 PM             2,560 serscan.sys.mui
        07/13/2009  04:25 PM             2,560 srv.sys.mui
        07/13/2009  04:28 PM            44,032 tcpip.sys.mui
        07/13/2009  04:29 PM             4,096 tpm.sys.mui
        07/13/2009  04:24 PM             7,680 tunnel.sys.mui
        07/13/2009  04:24 PM             2,560 UAGP35.SYS.mui
        07/13/2009  04:23 PM             2,560 ULIAGPKX.SYS.mui
        07/13/2009  04:29 PM             3,072 umbus.sys.mui
        07/13/2009  04:24 PM            11,776 usbhub.sys.mui
        07/13/2009  04:26 PM            24,576 usbport.sys.mui
        07/13/2009  04:24 PM             2,048 usbrpm.sys.mui
        07/13/2009  04:26 PM             3,584 vdrvroot.sys.mui
        07/13/2009  04:29 PM             3,584 vhdmp.sys.mui
        07/13/2009  04:23 PM             2,560 volmgrx.sys.mui
        07/13/2009  04:28 PM            23,552 volsnap.sys.mui
        07/13/2009  04:29 PM             2,048 vwifibus.sys.mui
        07/13/2009  04:27 PM             4,096 wacompen.sys.mui
        07/13/2009  04:26 PM             2,048 wd.sys.mui
        07/13/2009  04:27 PM             2,560 wdf01000.sys.mui
        07/13/2009  04:29 PM             2,048 ws2ifsl.sys.mui
                      89 File(s)        700,928 bytes

         Directory of C:\Windows\System32\Drivers\etc

        07/13/2009  05:20 PM    <DIR>          .
        07/13/2009  05:20 PM    <DIR>          ..
        06/10/2009  11:00 AM               824 hosts
        06/10/2009  11:00 AM             3,683 lmhosts.sam
        06/10/2009  11:00 AM               407 networks
        06/10/2009  11:00 AM             1,358 protocol
        06/10/2009  11:00 AM            17,463 services
                       5 File(s)         23,735 bytes

         Directory of C:\Windows\System32\Drivers\UMDF

        11/12/2009  06:06 PM    <DIR>          .
        11/12/2009  06:06 PM    <DIR>          ..
        07/13/2009  07:37 PM    <DIR>          en-US
        07/13/2009  03:41 PM           299,520 WpdFs.dll
                       1 File(s)        299,520 bytes

         Directory of C:\Windows\System32\Drivers\UMDF\en-US

        07/13/2009  07:37 PM    <DIR>          .
        07/13/2009  07:37 PM    <DIR>          ..
        07/13/2009  04:24 PM             2,560 WpdMtpDr.dll.mui
        07/13/2009  04:26 PM             6,144 WUDFUsbccidDriver.dll.mui
                       2 File(s)          8,704 bytes

             Total Files Listed:
                     399 File(s)     54,377,450 bytes
                      14 Dir(s)  97,384,931,328 bytes free
         
         
        ***********************Hidden Drivers********************
         Volume in drive C is Acer
         Volume Serial Number is 1429-B159

         Directory of C:\Windows\System32\Drivers

        12/11/2009  05:13 PM                 0 Msft_Kernel_NuidFltr_01005.Wdf
        10/10/2009  05:56 AM                 0 Msft_Kernel_SynTP_01009.Wdf
        11/12/2009  06:06 PM                 0 Msft_User_WpdFs_01_09_00.Wdf
                       3 File(s)              0 bytes
                       0 Dir(s)  97,384,939,520 bytes free
         
         
        *********************Processes*******************
         
         
          PROCESS                PID   PRIO     PATH
        GoogleUpdate.exe       2384  Normal   C:\Users\Franis\AppData\Local\Google\Update\GoogleUpdate.exe
        EgisUpdate.exe         2848  Normal   C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe
        ArcadeDeluxeAgent.exe  3324  Normal   C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
        pptd40nt.exe           3348  Normal   C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
        BrMfcWnd.exe           3368  Normal   C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
        PMVService.exe         3388  Normal   C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe
        jusched.exe            3444  Normal   C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
        avgnt.exe              3468  Normal   C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
        brccMCtl.exe           3516  Normal   C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe
        BrMfcmon.exe           3744  Normal   C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe
        firefox.exe            3752  Normal   C:\Program Files (x86)\Mozilla Firefox\firefox.exe
        processes.exe          2460  Normal   C:\Users\Franis\Desktop\SpiderKill\SpiderKill\processes.exe
         
         
        *********************Modules of explorer.exe and svchost.exe*******************
         
         
         
         
        ******************************************
        EOF
        ¤ø„¸¸„ø¤º°Aloha,
        ¸„ø¤º°¨¨°º¤ø„¸from
        ¸„ø¤º° Frani ``°º¤ø„¸
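Added example, not from the thread or from SpiderKill: a process list like the one posted above is the kind of output a malware-removal helper asks for, and the first thing to check in it is where each image lives. A process running from a user-writable location (a profile folder, the Desktop, Temp) deserves a closer look, while one under Program Files or Windows at least sits where a standard user could not have dropped it. The Python below parses rows in the log's layout and applies that heuristic. The sample rows are constructed from the listing on this page, and the trusted-root list is an assumption for illustration, not a vendor allow list.

```python
"""Triage of a process listing in the layout of the SpiderKill log above.

Added example, not from the thread or from any tool it names. SAMPLE_LISTING
is constructed from rows on this page; TRUSTED_ROOTS is an assumption.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample in the log's "PROCESS PID PRIO PATH" layout.
SAMPLE_LISTING = """\
  PROCESS            PID  PRIO     PATH
GoogleUpdate.exe     2384 Normal   C:\\Users\\Franis\\AppData\\Local\\Google\\Update\\GoogleUpdate.exe
jusched.exe          3444 Normal   C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe
avgnt.exe            3468 Normal   C:\\Program Files (x86)\\Avira\\AntiVir Desktop\\avgnt.exe
firefox.exe          3752 Normal   C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe
processes.exe        2460 Normal   C:\\Users\\Franis\\Desktop\\SpiderKill\\SpiderKill\\processes.exe
"""

# Assumed trusted roots: directories a standard user cannot normally write to.
TRUSTED_ROOTS = ("C:\\Windows", "C:\\Program Files", "C:\\Program Files (x86)")

# name, pid, priority, then the path (which may itself contain spaces)
ROW_RE = re.compile(r"^(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<prio>\S+)\s+(?P<path>.+?)\s*$")


def parse_listing(text):
    """Return [(name, pid, path)] for each data row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # the header row has no numeric PID, so it never matches
            rows.append((m.group("name"), int(m.group("pid")), m.group("path")))
    return rows


def is_under(path, root):
    """Case-insensitive check that path lies inside root, compared by path component."""
    p = PureWindowsPath(path.lower()).parts
    r = PureWindowsPath(root.lower()).parts
    return p[:len(r)] == r


def triage(text):
    """Map 'name:pid' to a list of reasons for rows worth a second look.

    Reasons: 'user-writable location' when the image is outside every trusted
    root, 'name/path mismatch' when the listed name differs from the file name
    on disk. Rows with no reasons are omitted.
    """
    findings = {}
    for name, pid, path in parse_listing(text):
        reasons = []
        if not any(is_under(path, root) for root in TRUSTED_ROOTS):
            reasons.append("user-writable location")
        if PureWindowsPath(path).name.lower() != name.lower():
            reasons.append("name/path mismatch")
        if reasons:
            findings[f"{name}:{pid}"] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in triage(SAMPLE_LISTING).items():
        print(f"{key}: {', '.join(reasons)}")
```

A flag is a prompt to verify the file (hash it, check its Authenticode signature), not a verdict: on the sample rows GoogleUpdate.exe is flagged although Google legitimately installs it under AppData, and processes.exe is the scanner the helper asked the poster to run from the Desktop. What the check buys you is a short list to look at instead of a dozen Program Files entries.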

        Crush (Malware Removal Specialist)
          Re: persistent TR/Crypt.Xpack.gen
          « Reply #22 on: June 24, 2010, 11:22:03 PM »
          Hi an8el,

          Sorry for the delay.

          Save these instructions so you can have access to them while in Safe Mode.

          Please click here to download AVP Tool by Kaspersky.
          • Save it to your desktop.
          • Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
          • Double-click the setup file to run it.
          • Click Next to continue.
          • Accept the license agreement and click Next.
          • It will, by default, install to your desktop folder. Click Next.
          • It will then open a box. There will be a tab that says Automatic scan.
          • Under Automatic scan, make sure these are checked:
            • Hidden Startup Objects
            • System Memory
            • Disk Boot Sectors
            • My Computer
            • Any other (removable) drives that you may have
            Leave the rest of the settings at their defaults.
          • Then click on Scan at the top right-hand corner.
          • It will automatically neutralize any objects found.
          • If some objects are left un-neutralized, click the button that says Neutralize all.
          • If it says an object cannot be neutralized, choose the delete option when prompted.
          • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
          • Save it somewhere convenient like your desktop, and post only the detected viruses/malware from the report (they will be at the very top, under Detected) in your next reply.

            Note: This tool will self-uninstall when you close it, so please save the log before closing it.
            "I am in fact, quite cool. My graphing calculator confirms this"

            an8el (Topic Starter)
            Re: persistent TR/Crypt.Xpack.gen
            « Reply #23 on: June 25, 2010, 04:13:53 AM »
            (I'm writing you from my Linux OS on another computer.)
            Crush, please do not ever feel you need to apologize for making me wait until you have the time to help me. I'm grateful for this help any time you have it to spare.

            The scan is running now. Many files are coming up "password protected". These pop up and disappear really fast. Should I be concerned with these?

            I started running the scan after I had inserted my USB drives, before I understood how to include them in the full scan, so I cancelled and restarted it to do the full scan. This did allow me to see the results interface of the first cancelled scan, and it was a little confusing.

            Kaspersky did not offer me a .txt file of results, but perhaps that did not happen because I cancelled the first hiccup scan before I got both my USB drives inserted.

            I guess I will copy and paste the results you requested to another .txt file when the scan finally gets done. (It's been 2 hours so far and it's two-thirds done.)

            The computer got turned off by a power outage (it had been hibernating each time). When I started the computer this time, a "Windows update" downloaded. This was the first time I did not use the wireless internet, so it was plugged into wired internet at startup. I had never seen a "Windows update" downloading at startup before, so it made me very suspicious. Somehow, the Windows updating feature got turned on again by itself, because I'd turned all updates off before we started our work here. I wonder if re-initiating this setting in spite of it being turned off is another "charming feature" of this trojan? It also eliminated Avira entirely, so I figured this was a feature of the trojan re-installing itself.

            (I'm using purely "safe mode" without networking while scanning.)

            This particular trojan is really sneaky and nasty. I am really glad you are helping me with it!!


            ...OK, the scan is done now. I'm a little confused. My screen is a little short, so I may not be seeing all the options because I'm in safe mode with limited resolution. I do not see a button that says "Neutralize all".
            My options are: Security level: recommended; On threat detection: prompt for action... then I can see a button just peeking over the bottom that says "Report" and then "Exit". I'm not going to exit yet.

            My confusion is that if I click on the "On threat detection: prompt for action" link, it will not return to this screen to allow for a report. So I'm going to click that first, I guess.


            « Last Edit: June 25, 2010, 04:54:57 AM by an8el »
            ¤ø„¸¸„ø¤º°Aloha,
            ¸„ø¤º°¨¨°º¤ø„¸from
            ¸„ø¤º° Frani ``°º¤ø„¸

            an8el (Topic Starter)
            Re: persistent TR/Crypt.Xpack.gen
            « Reply #24 on: June 25, 2010, 05:46:37 AM »
            ...OK, the scan is done now. I'm a little confused. My screen is a little short, so I may not be seeing all the options because I'm in safe mode with limited resolution.

            My options are: Security level: recommended; On threat detection: prompt for action... then I can see two buttons just peeking over the bottom that say "Report" and then "Exit".

            A little box popped up that prompted me to close the program - twice - I spotted it twice during the three-hour scan and once after the scan was done, before I had looked at the results. I did not take the invitation. I'm not going to exit yet because I hadn't saved anything - as you warned.

            My confusion is that if I click on the "On threat detection: prompt for action" link, it will not return to this screen to allow for a report. So I'm going to click that "Report" option first.

            That was good; it opened another window in front of the original scan window, which is still there.

            I changed the screen resolution so I can see that there are no further options in the Kaspersky program below where I couldn't see before.

            On the "Report" option, I chose "Important events" and scrolled through them, plugging in my external mouse because the touchpad was difficult to use on a list that was so long. I noticed that there is a little radio button at the head of each report. I used that radio button to look at the three-hour scan that just completed (the other two were the scans I interrupted while I was inserting my USB drives). I didn't see any way to select a "neutralize" button or a "delete" option for any of these files that said "nothing was changed" under the Reason heading.

            Then I chose "Critical events" and there were only the two other scans listed that I interrupted.

            Then when I went back to "Important events", suddenly there was nothing listed. The same in "Critical events" - nothing listed now, when before there were many files.

            So I selected "All events". I did not see a way to save the report and was not offered a means to do this. So I used the Shift key to highlight everything, and Ctrl+C to copy it... opened a .txt file in Notepad and tried to paste - nothing happened. Tried Edit > Paste and nothing happened. Tried to close Notepad to try something else to save the file, but the Notepad window froze on the screen, behind the window of the results of the scan.

            At this point the computer froze - none of the options work... except my mouse works fine! But it doesn't allow me to click on anything; it just races around the screen looking like it is willing to do something, if only it could.

            ;o)

            I'm just going to leave the computer on in the state it's in for right now, with it frozen, until I get your advice (and hope the electricity doesn't go off, but that's usually an unusual thing). The computer's clock is not even updating, the computer is so frozen. Rebooting again in safe mode and doing the scan again seems to be the only option.

            (I'm writing you about these results from my Linux OS on another computer.)

            Before this freeze happened, I did get to scroll through the list and found there were quite a few files under the "Reason" heading that said something similar to "file not changed".

            Hope I'm not putting you off with the blow-by-blow detail here, but I'm hoping somewhere in here is the information you might need next - since I can't give you the report.

            ¤ø„¸¸„ø¤º°Aloha,
            ¸„ø¤º°¨¨°º¤ø„¸from
            ¸„ø¤º° Frani ``°º¤ø„¸

            an8el (Topic Starter)
            Re: persistent TR/Crypt.Xpack.gen
            « Reply #25 on: June 25, 2010, 05:56:44 AM »
            After waiting, the clock started working again, I got the taskbar back, and I am able to select icons on the desktop with the mouse that are not covered up by Kaspersky and Notepad (but they are still frozen). Took out the USB drives and noticed that one of them had stopped working and was hot. I'd had trouble with that particular USB drive before and had backed up most of what was on it on the Linux box before I did this, so I am not concerned.

            Perhaps if I wait long enough, Kaspersky will recover?

            I am going to check whether, if I just let the computer stay on, it will not turn itself off after going into sleep mode for a certain period of time. OK, I was able to change the power setting to "always on".

            .... OK, that's how it is until I hear what you say next, Crush.
            ¤ø„¸¸„ø¤º°Aloha,
            ¸„ø¤º°¨¨°º¤ø„¸from
            ¸„ø¤º° Frani ``°º¤ø„¸

            Crush (Malware Removal Specialist)
              Re: persistent TR/Crypt.Xpack.gen
              « Reply #26 on: June 25, 2010, 11:17:45 AM »
              Hi again :)

              Quote
              The scan is running now. Many files are coming up "password protected". These pop up and disappear really fast. Should I be concerned with these?

              Nah.

              Wow, sounds like you've had some fun! Can you please run the scan again? It's important we get a workable log.

              "I am in fact, quite cool. My graphing calculator confirms this"

              an8el (Topic Starter)
              Re: persistent TR/Crypt.Xpack.gen
              « Reply #27 on: June 25, 2010, 04:26:00 PM »
              Yeah, I've been having some fun. I could be writing an ebook on the fun I've been having!
              Maybe you guys should think about doing that from the info on this site?

              OK, I restarted under Safe Mode. Made sure this list was selected: "Disk boot sectors, Computer, Acer C:\ and rootkit". (This time I skipped including the USB flash drives.)
              Learned that the way to get the report after the scan is done is under the tab "Manual disinfection". I do not have to open up Notepad to get that to happen; that is very good, because Notepad sets off the virus reactions!

              Since you indicated it was appropriate, I also selected the feature "Disinfect, delete file if it can't be disinfected". It was not a default on my particular installation of Kaspersky. I left everything else the way it was by default. Now we'll see what happens in about three hours...
              ¤ø„¸¸„ø¤º°Aloha,
              ¸„ø¤º°¨¨°º¤ø„¸from
              ¸„ø¤º° Frani ``°º¤ø„¸

              Crush (Malware Removal Specialist)
                Re: persistent TR/Crypt.Xpack.gen
                « Reply #28 on: June 25, 2010, 04:32:51 PM »
                Quote
                Yeah, I've been having some fun. I could be writing an ebook on the fun I've been having!
                Maybe you guys should think about doing that from the info on this site?

                We could call it the ComputerHope Computer Fixes Encyclopedia. A compendium of all computer-related knowledge ;D

                Quote
                Since you indicated it was appropriate, I also selected the feature "Disinfect, delete file if it can't be disinfected". It was not a default on my particular installation of Kaspersky. I left everything else the way it was by default. Now we'll see what happens in about three hours...

                Sounds great :). I look forward to it. My fingers are crossed for you.
                "I am in fact, quite cool. My graphing calculator confirms this"

                an8el (Topic Starter)
                Re: persistent TR/Crypt.Xpack.gen
                « Reply #29 on: June 25, 2010, 08:27:25 PM »
                It appears that we should have started Safe Mode with Networking, instead of just purely "Safe Mode" without networking, because in Kaspersky, hitting the button under the tab "Manual disinfection" and then doing "Step one", which says "gathering system information", the program needed to go online to get ...something.

                So I'm going to skip that (because I do not have networking; I'm in purely "Safe Mode") and I'm going to just hit "Open folder", where it says my report is saved to file.
                OK, it's a zip file. Then it says "Send report", and I can't do that because I'm not online. Supposedly I can't get a disinfection script to paste the text into its little box and click "Execute".

                So, I'm just going to copy the zip file to my USB drive - do the "sneaker net" thing - and try to open the report on the Linux box here... We'll see if it works. [crossying fingeys]
                OK, I was able to open the report that it did spit out, in spite of the fact that internet access was not available.
                It appears that 20 files were scanned here and twelve of them are unrecognized processes... but not all 12 are listed here:

                Perhaps it's useful anyway.
                Here's the first section, as requested:

                csrss.exe
                Script: Quarantine, Delete, BC delete, Terminate   320           ??   error getting file info
                Command line:

                csrss.exe
                Script: Quarantine, Delete, BC delete, Terminate   364           ??   error getting file info
                Command line:

                c:\program files (x86)\mozilla firefox\firefox.exe
                Script: Quarantine, Delete, BC delete, Terminate   1768   Firefox   ©Firefox and Mozilla Developers, according to the MPL 1.1/GPL 2.0/LGPL 2.1 licenses, as applicable.   ??   888.96 kb, rsAh,
                created: 11/18/2009 1:09:34 PM,
                modified: 5/5/2010 1:44:39 AM
                Command line:
                "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -requestPending -osint -url "http://avptool.virusinfo.info/en/AVPTool_helpdesk.htm"

                lsass.exe
                Script: Quarantine, Delete, BC delete, Terminate   432           ??   error getting file info
                Command line:

                lsm.exe
                Script: Quarantine, Delete, BC delete, Terminate   440           ??   error getting file info
                Command line:

                SASCore64.exe
                Script: Quarantine, Delete, BC delete, Terminate   924           ??   error getting file info
                Command line:

                services.exe
                Script: Quarantine, Delete, BC delete, Terminate   424           ??   error getting file info
                Command line:

                smss.exe
                Script: Quarantine, Delete, BC delete, Terminate   236           ??   error getting file info
                Command line:

                winlogon.exe
                Script: Quarantine, Delete, BC delete, Terminate   472           ??   error getting file info
                Command line:

                Detected: 20, recognized as trusted: 12


                Finally, here are the selections where I can Quarantine, Delete, BC delete, or Terminate each specific file! But do we know what to do with Kaspersky not being able to go online to get info about each file? Seems doubtful.

                So, because the scan was not started in Safe Mode WITH NETWORKING, I'm going to do it yet again, and I'll post the results here when it's done... now that I know how to work the program.

                Good thing I'm a patient person. See you in about three hours again...

                ¤ø„¸¸„ø¤º°Aloha,
                ¸„ø¤º°¨¨°º¤ø„¸from
                ¸„ø¤º° Frani ``°º¤ø„¸
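Added example, not part of the original post or of the Kaspersky tool: the report section above mixes two quite different kinds of entry. Records ending in "error getting file info" mean the tool could not read the image's metadata; for protected core Windows processes (smss, csrss, winlogon, services, lsass, lsm) that is common, especially in Safe Mode, and it is a read failure, not a detection. A record that does carry metadata and a command line, like the Firefox one, can be checked against the file on disk. The Python below parses the record format shown above into entries and sorts each one into those buckets. The sample report is constructed from entries on this page, and the core-process list is an assumed set used only for the classification.

```python
"""Parse the AVPTool "Manual disinfection" process records shown above.

Added example, not part of the original post or of the Kaspersky tool.
SAMPLE_REPORT is constructed from entries on this page; CORE_WINDOWS is an
assumed list of Windows system processes used only for classification.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "Script: Quarantine, Delete, BC delete, Terminate   <pid>   <detail...>"
SCRIPT_RE = re.compile(r"^Script:.*?Terminate\s+(?P<pid>\d+)\s*(?P<detail>.*)$")
SUMMARY_RE = re.compile(r"Detected:\s*(?P<detected>\d+),\s*recognized as trusted\s+(?P<trusted>\d+)")
CMD_PREFIX = "Command line:"

# Assumed set of core Windows processes whose image metadata a tool often
# cannot read in Safe Mode; membership here is not proof the image is genuine.
CORE_WINDOWS = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                "services.exe", "lsass.exe", "lsm.exe"}

# Constructed sample in the report's layout (entries taken from this page).
SAMPLE_REPORT = """\
csrss.exe
Script: Quarantine, Delete, BC delete, Terminate   320           ??   error getting file info
Command line:
c:\\program files (x86)\\mozilla firefox\\firefox.exe
Script: Quarantine, Delete, BC delete, Terminate   1768   Firefox   ??   888.96 kb, rsAh,
created: 11/18/2009 1:09:34 PM,
modified: 5/5/2010 1:44:39 AM
Command line:
"C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe" -requestPending -osint -url "http://avptool.virusinfo.info/en/AVPTool_helpdesk.htm"
SASCore64.exe
Script: Quarantine, Delete, BC delete, Terminate   924           ??   error getting file info
Command line:
winlogon.exe
Script: Quarantine, Delete, BC delete, Terminate   472           ??   error getting file info

Command line: Detected:20, recognized as trusted 12
"""


@dataclass
class Entry:
    name: str
    pid: int
    detail: str
    command_line: Optional[str]

    @property
    def file_info_missing(self) -> bool:
        return "error getting file info" in self.detail


def _is_entry_start(lines: List[str], i: int) -> bool:
    """An entry starts on a non-empty line that is followed by a Script: line."""
    return (i + 1 < len(lines) and lines[i].strip() != ""
            and lines[i + 1].startswith("Script:"))


def parse_report(text: str) -> Tuple[List[Entry], Optional[Tuple[int, int]]]:
    """Return (entries, (detected, trusted)) parsed from the report text."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    entries: List[Entry] = []
    summary = None
    i = 0
    while i < len(lines):
        if not _is_entry_start(lines, i):
            m = SUMMARY_RE.search(lines[i])
            if m:
                summary = (int(m.group("detected")), int(m.group("trusted")))
            i += 1
            continue
        name = lines[i].strip()
        m = SCRIPT_RE.match(lines[i + 1])
        pid, detail = int(m.group("pid")), m.group("detail").strip()
        i += 2
        while i < len(lines) and not lines[i].startswith(CMD_PREFIX):
            i += 1  # created:/modified: lines carry nothing the decision needs
        command_line = None
        if i < len(lines):
            sm = SUMMARY_RE.search(lines[i][len(CMD_PREFIX):])
            if sm:  # the page's last record has the summary glued to this line
                summary = (int(sm.group("detected")), int(sm.group("trusted")))
            i += 1
            # a command line, when present, is the next non-empty line that is
            # not itself the start of another entry
            if (not sm and i < len(lines) and lines[i].strip()
                    and not _is_entry_start(lines, i)):
                command_line = lines[i].strip()
                i += 1
        entries.append(Entry(name, pid, detail, command_line))
    return entries, summary


def classify(entry: Entry) -> str:
    """Turn one record into the action a reviewer would take on it."""
    if not entry.file_info_missing:
        return "metadata present: verify the image on disk (hash, signature)"
    if entry.name.lower() in CORE_WINDOWS:
        return "core Windows process, file info unreadable: expected, not a detection"
    return "file info unreadable, not a core process: inspect the image on disk"


if __name__ == "__main__":
    found, totals = parse_report(SAMPLE_REPORT)
    for e in found:
        print(f"{e.name} (pid {e.pid}): {classify(e)}")
    print("summary:", totals)
```

On the sample, csrss.exe and winlogon.exe land in the "expected" bucket, the Firefox entry (started by the tool itself, as its -url argument shows) has metadata to verify, and SASCore64.exe falls in the third bucket: it is not a core Windows process, so the unreadable file info says nothing either way and the image should be checked on disk. That name is commonly SUPERAntiSpyware's core service, which fits an earlier scanner left installed on this machine, but the report alone cannot confirm it; the point of the classification is to separate read failures from findings before deciding what to quarantine.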