Bienvenido! - Willkommen! - Welcome!

Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO
Main Log: Tux&Cía.
Advanced Information Log: Tux&Cía.-Información
May the source be with you!

Saturday, November 15, 2008

TR/Crypt.XPACK.Gen or Vundo trojan

Source: Thanks, Bill Castner!
Avira has detected this threat "TR/Crypt.XPACK.Gen"
This detection is a perfectly generic detection based on the packer used by the binary file your antivirus found:
http://www.avira.com/en/threats/s... k.gen.html
Avira is not sure what it is either, but finds it suspicious. It may well be Trojan.Agent or some similar Trojan and not Vundo.
Vundo is a nearly ubiquitous very aggressive adware infection.
It leads to random pop-ups, and often DNS redirection on any search.
http://en.wikipedia.org/wiki/Vundo_trojan

If it is a Vundo infection.
The actual detection report is a heuristic one, stating only that a file exists that was packed by a utility that is often used by malware authors.
Click here to download HJTinstall.exe
  • Save HJTinstall.exe to your desktop.
  • Open Notepad > Click on Format > Uncheck Word wrap, if checked.
  • Double-click on the desktop icon for HJTinstall.exe.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis. It will also create a Desktop icon.
Please go to this Folder:
C:\Program Files\Trend Micro\HijackThis
Rename:
HijackThis.exe
-- To --
Trojan.exe

Run Trojan.exe, System scan only, and submit a new log file back to the Forum. Be sure to include the entire log file result in your reply.
-------
:!: Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.

:!: Special Note for Vista: In all that follows, and subsequent sessions, you need to run these utilities "As Administrator" in most cases. Right click the program executable and choose "Run as Administrator". If you do not do this, some of these utilities will fail to work, or fail to work properly. If you have any problems with any of the utilities you are asked to run, check that you ran the application as an Administrator. Some of these utilities will not give you a UAC prompt, they will simply exit without doing anything at all or showing an error message.
Please download ATF Cleaner HERE by Atribune. It does not require any installation. It is set up to clean Windows 2k, XP & Vista TEMP folders, as well as IE, FireFox and Opera, Temporary Internet Files and Cookies.
  • Double-click ATF-Cleaner.exe to run the program.
    For all browsers:
  • Under Main choose: Select All
  • Click the Empty Selected button.
    Next, if you use Firefox (and some Mozilla-based browsers)
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    Next, if you use the Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
:!: Click Exit on the Main menu to close the program.
Reconfigure Windows Vista to show hidden files:
To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Open the Control Panel menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and exit My Computer.
  • Now your computer is configured to show all hidden files.
Malware Removal Steps
1. Please download MalwareBytes Anti-malware (MBAM) from one of the following links:
http://www.majorgeeks.com/Malwarebytes_ ... d5756.html
http://www.besttechie.net/tools/mbam-setup.exe
  • Once downloaded, close all programs and Windows on your computer (including this one.)
  • Double-click on the icon on your desktop named Download_mbam-setup.exe. This will start the installation of MBAM onto your computer.
  • When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure you leave both the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware checked. Then click on the Finish button.
  • MBAM will now automatically start and you will see a message stating that you should update the program before performing a scan. As MBAM will automatically update itself after the install, you can press the OK button to close that box and you will now be at the main program.
  • On the Scanner tab, make sure the Perform quick scan option is selected and then click on the Scan button to start scanning your computer.
  • MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan.
  • When the scan is finished a message box will appear that it has completed scanning successfully. Click OK. Now click Show Results.
  • :!: Make sure all entries have a Checkmark at their far left. If you do not, the program will have done nothing.
  • Click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the program's quarantine.
  • When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then do a File, Save and then close the Notepad window. Remember where you saved the log file, as we will want to see it later. If MBAM suggests a reboot is necessary, be sure to do so. Otherwise there can be active infectors still on your system that would only be removed finally with the reboot sequence.
2. Download but do not yet run ComboFix©
:!: If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download this file -- to your Desktop -- from either of these two sources:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

  • :!: Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • :!: Disconnect from the Internet.
  • :!: Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • Double Click Combo-fix.exe to start the software.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes Notepad will open with your results log open. Do a File, Exit.
A caution - Do not run Combo-fix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when Combo-Fix appears to be doing nothing, look at your Drive light. If it is flashing, Combo-fix is still at work.
:!: Re-enable your antivirus protection.
3. Run HijackThis again, System scan only, and save the log file.
Please post back to the Forum:
  • Your MBAM log results;
  • The contents of C:\Combofix.txt;
  • Your new HijackThis log.

---------------------------------------------------------
Malwarebytes' Anti-Malware 1.30
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\msliksur (Trojan.DNSChanger)-> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msliksurserv (Rootkit.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Windows\System32\msliksurdns.dll (Rootkit.Agent) -> Delete on reboot.
C:\Windows\System32\drivers\msliksurserv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
---------------------------------
ComboFix 08-10-28.01 - Sabreena 2008-10-28 23:56:21.1 - NTFSx86
---------------------------------
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
C:\Users\Sabreena\AppData\Local\Temp\~DF3477.tmp
---------------------------------
Logfile of Trend Micro HijackThis v2.0.2
===============================
1. Please download the OTMoveIt3 by OldTimer.
With your mouse, highlight and then do a Right-click | Copy of the entire list of file entries in the Code box below:
Code:
:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\ODBC]
[-HKEY_LOCAL_MACHINE\SOFTWARE\msliksur]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\msliksurserv.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\msliksurserv.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msliksurserv]

:files
C:\windows\system32\msliksurcredo.dll
C:\windows\system32\msliksurdns.dll
C:\windows\system32\drivers\msliksurserv.sys
F:\d.com
C:\Users\Sabreena\AppData\Local\Temp\tmp*.tmp /S
C:\Users\Sabreena\AppData\Local\Temp\_*.* /S

:commands
[EmptyTemp]
[start explorer]
  • Click to Run OTMoveIt3 on your Desktop
  • Right click in the "Paste List of Files/Folders to be moved" left panel and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
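The MBAM log quoted earlier and the OTMoveIt3 script above list the same msliksur indicators in two different layouts. As an added example (not code from the post, from Malwarebytes, or from OldTimer), here is a Python script that parses MBAM-style log lines into structured indicators, flags the entries MBAM could only schedule for "Delete on reboot" (the case the post warns about), and renders them in the ":reg" / ":files" / ":commands" layout shown above for a person to review before anything is run. The sample log is a constructed copy of the entries quoted in the post; the regular expressions and the section handling are assumptions about the log format drawn only from those lines.

```python
"""Parse Malwarebytes (MBAM) scan-log lines into structured indicators and
render them as an OTMoveIt3-style removal script for human review.

Added example; not code from the post or from either tool.  The sample log
is a constructed copy of the entries quoted in the post, and the regular
expressions are assumptions about the log layout drawn only from those lines.
"""
import re
from dataclasses import dataclass

# Constructed sample: the MBAM 1.30 entries quoted in the post, plus the
# version banner that the parser must ignore.
SAMPLE_MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.30
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\msliksur (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msliksurserv (Rootkit.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Windows\System32\msliksurdns.dll (Rootkit.Agent) -> Delete on reboot.
C:\Windows\System32\drivers\msliksurserv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
""".strip()

# "<path> (<detection name>) -> <action>."  The path is matched greedily so a
# folder such as "Program Files (x86)" is not mistaken for the detection name.
ENTRY_RE = re.compile(r"^(?P<path>.+) \((?P<family>[^()]+)\) ?-> (?P<action>.+?)\.?$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:$")


@dataclass(frozen=True)
class Indicator:
    kind: str      # "registry" or "file"
    path: str      # registry key or file-system path as MBAM printed it
    family: str    # MBAM's detection name, e.g. Rootkit.Agent
    action: str    # what MBAM reported doing with it
    pending: bool  # True when removal completes only after a reboot


def parse_mbam_log(text):
    """Return one Indicator per detection line, in log order.  Lines outside
    an '... Infected:' section (banner, blank lines) are ignored."""
    indicators, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        entry = ENTRY_RE.match(line)
        if not entry or section is None:
            continue
        kind = "registry" if "Registry" in section else "file"
        action = entry.group("action")
        indicators.append(Indicator(kind, entry.group("path"), entry.group("family"),
                                    action, action.lower().startswith("delete on reboot")))
    return indicators


def pending_reboot(indicators):
    """Paths MBAM could only schedule for deletion at the next boot; the post
    warns that skipping that reboot leaves active infectors in place."""
    return [i.path for i in indicators if i.pending]


def to_otmoveit_script(indicators):
    """Render the indicators in the layout the post's script uses: a ':reg'
    section of '[-KEY]' lines, a ':files' section of paths, then ':commands'.
    The result is for a person to read and check, not to run unreviewed."""
    keys = [i.path for i in indicators if i.kind == "registry"]
    files = [i.path for i in indicators if i.kind == "file"]
    lines = []
    if keys:
        lines += [":reg"] + [f"[-{k}]" for k in keys] + [""]
    if files:
        lines += [":files"] + files + [""]
    lines += [":commands", "[EmptyTemp]", "[start explorer]"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_MBAM_LOG)
    print(f"{len(found)} indicators; reboot still needed for: {pending_reboot(found)}")
    print(to_otmoveit_script(found))
```

The generated script deliberately covers only what the log reports; the SafeBoot entries and the ControlSet001 key in the post's hand-written script came from the helper's own knowledge of where that service registers itself, which is exactly the kind of addition a reviewer makes after reading the parsed output.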


2. Eset NOD32 scanner
Go here to run an online scanner from ESET: http://www.eset.eu/online-scanner
:!: Vista users: You must right click the IE icon on your Desktop and choose "Run as Administrator".
(Note: You must use Internet Explorer for this scan.)
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Checked, and the option "Scan unwanted applications" is also Checked.
  • Click Scan.
  • Wait for the scan to finish.
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Post back to the Forum the contents of this file.
---------------------------------
Open Acrobat if you have the Full Version installed. Click Help and run the Upgrade applet found there. If no update is offered: Use the Preferences, Internet submenu of Acrobat and uncheck to integrate with your Browser. Close Acrobat.
Whether you had the Full Version of Acrobat or not, download and install Adobe Reader 9 and use this as the integrated PDF Reader inside your browser: http://www.adobe.com/products/acrobat/readstep2.html and viewtopic.php?f=48&t=34023&start=0&st=0&sk=t&sd=a
Your Sun Java version is not the most current, Release 1.6.07, please use the Sun Web site to update your version of Java JRE for Windows; instructions can be found here:
viewtopic.php?f=31&t=34354&p=193939#p193939
For updated Java instructions, see:
viewtopic.php?f=26&t=36538&start=0&st=0&sk=t&sd=a

Clean-up & Prevention:
  • For Windows XP (only): Right click "My Computer", Properties, and then click the System Restore tab. Checkmark the box at the top to stop System Restore on all drives. Click the "Apply" button. Agree to the deletion of old Restore Points. Then uncheck the box at the top and again click the "Apply" button. Finally, click the "OK" button. This will create a new Restore Point reflecting your clean system state.
  • Click Start, then click Run.
    Enter into the command box that opens: combofix /u and then click OK.
    :!: If you renamed this file, use the new name in following this instruction rather than "Combofix.exe".
    Please double-click OTMoveIt3.exe to run it again.
    1. Click on the CleanUp! button. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
    2. This step removes the files, folders, and shortcuts created by the tools I had you download and run.
  • Run ATF Cleaner, and checkmark "Empty Recycle Bin", click "Empty Selected" and exit the program. You can delete or keep this utility as you wish.
  • As Malwarebytes' Anti-Malware was installed, use Add or Remove Programs and uninstall it. If you find any other files or folders created during this cleanup operation, please feel free to delete them.
  • Configure your Antivirus software to check for updates daily, at a time in which you are sure the computer will be on.
    If I asked you to Disable something like TeaTimer or another malware blocker, please go ahead and re-enable them if you wish.
  • Download and Install Windows Defender by Microsoft (free):
    http://www.microsoft.com/downloads/deta ... F14E605A0D
  • Add behavioral anti-malware protection. Download and install either
    1. PC Tools' ThreatFire (free)
      http://www.threatfire.com/
    2. Comodo BOClean (free):
      comodo.com/boclean/CBO_download.html
  • Download, install, and keep updated Spyware Blaster (free):
    http://www.javacoolsoftware.com/spywareblaster.html
  • Refer to my first set of instructions above, and reconfigure Hidden Files and Folders to your choosing.
  • Please read:
    Should You Use a Registry Cleaner in Windows XP?

    viewtopic.php?t=28099
  • Finally, spend some time reading about how to keep your computer safe on the Internet:
    bleepingcomputer.com/tutoria ... ial82.html
Best wishes.
Bill Castner

Source
Crypt.XPACK.Gen infection
The computer is infected with a virus that appears to be sending out email spam and is spreading itself via Windows Live Messenger. When I inspected one of the suspect files with my virus scanner (avira), it identified it as "TR/Crypt.XPACK.Gen".
UPDATE
A bit of good news - the latest version of the Windows Malicious Software Removal Tool appears to have detected and removed the virus in question. The virus no longer appears in the list of running processes on startup, it is no longer present in the HijackThis log, and the executable file in System32 "mootouluquy.exe" is gone. There are no longer any popups.

There may still be minor problems. For example, a full scan with the Symantec virus checker only takes about three minutes, which seems to be too short. The virus checker may need to be repaired to restore functionality that the virus damaged.


Source
virus tr/crypt.xpack.gen
Turn off System Restore
Enable viewing hidden files
Find and delete all of the contents of this folder:

C:\Documents and Settings\ISABEL\Datos de programa\Microsoft\CryptnetUrlCache\Content
C:\Documents and Settings\JOSE MANUEL\Datos de programa\Microsoft\CryptnetUrlCache\Content
Delete the contents of the Content folders, not the folders themselves.
If it won't let you, use:
FileASSASSIN
or Killbox
Download and run CCleaner with both of its options: Cleaner, to clean cookies and temporary Internet files, and Registry (don't forget to make a backup).
Run a new scan with Kaspersky online (SCAN MY PC) and paste the report it generates here for us to analyze.
Disable the options from the point and
Don't skip any step
Do the scan with Kaspersky online
---------------------------------
Your computer should now be working normally, although
there are temporary files it apparently did not delete; do one thing:
Go to Start, Run, type %temp% and delete everything you find in there, since those are the Internet temporary files.
To optimize your PC, download:
Advanced WindowsCare v2
Run it to optimize your PC thoroughly, following what its manual tells you.
Well, that is for optimizing your PC.
I also leave you some tricks here so you can optimize Windows:
*Boost the performance of your Windows system
*Tricks to make Windows XP faster
Ăĝuşŧïn
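The first reply above says to empty the two CryptnetUrlCache\Content folders without deleting the folders themselves, and the second says to clear everything under %temp%. As an added example (not code from the post or from any tool it mentions), here is a Python helper that does that for any folder passed to it: it removes the contents, keeps the folder, supports a dry run so the list can be reviewed first, and collects anything the operating system refuses to delete instead of stopping, which is the situation where the reply reaches for FileASSASSIN or Killbox. The post's paths belong to that user's machine, so the demo builds a throwaway folder with constructed sample files.

```python
"""Empty a folder's contents while keeping the folder itself.

Added example; not code from the post or from any tool it names.  The post's
paths belong to one user's machine, so the folder is a parameter and the demo
builds a throwaway folder with constructed sample files.
"""
import os
import shutil
import tempfile


def empty_directory(folder, dry_run=False):
    """Delete every file and subfolder directly inside `folder`, but never
    `folder` itself.  Returns (removed, failed).  With dry_run=True nothing is
    touched and `removed` lists what would go.  Anything the OS refuses to
    delete (locked, in use, access denied) is collected in `failed` rather
    than aborting the run, so the rest of the folder is still cleared."""
    if not os.path.isdir(folder):
        raise NotADirectoryError(folder)
    removed, failed = [], []
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if dry_run:
            removed.append(path)
            continue
        try:
            # A symlink to a directory is removed as a link, not followed.
            if os.path.isdir(path) and not os.path.islink(path):
                shutil.rmtree(path)
            else:
                os.remove(path)
            removed.append(path)
        except OSError:
            failed.append(path)
    return removed, failed


def build_sample_tree():
    """Constructed stand-in for a CryptnetUrlCache\\Content folder: a temp
    directory holding two files and a subfolder with one more file."""
    root = tempfile.mkdtemp(prefix="content_")
    for name in ("a.bin", "b.bin"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    sub = os.path.join(root, "sub")
    os.mkdir(sub)
    with open(os.path.join(sub, "c.bin"), "wb") as fh:
        fh.write(b"\x00")
    return root


def demo():
    """Dry-run first, then really empty the sample folder; report what
    happened and confirm the folder itself survived."""
    root = build_sample_tree()
    planned, _ = empty_directory(root, dry_run=True)
    removed, failed = empty_directory(root)
    result = {
        "planned": len(planned),
        "removed": len(removed),
        "failed": len(failed),
        "folder_kept": os.path.isdir(root),
        "leftover": os.listdir(root),
    }
    os.rmdir(root)  # clean up the demo folder only; a real run keeps it
    return result


if __name__ == "__main__":
    print(demo())
```

Run the dry run first and read the list; entries that end up in `failed` on the real run are the ones still held open by a running process, which is why the reply falls back to a tool that deletes them at the next boot.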
