Sign in to follow this  
Followers 0
francescod

TR/Crypt.Epack.Gen2

5 posts in this topic

hello,

I have recently been infected with TR/Crypt.Epack.Gen2 but my antivirus can not remove it,

i make all this things:

* Download OTL to your desktop.

* Double click on OTL to run it.

* When the window appears, underneath Output at the top change it to Minimal Output.

* Under the Standard Registry box change it to All.

* Under Custom scan's and fixes section paste in the below in bold

netsvcs

%SYSTEMDRIVE%\*.*

%systemroot%\system32\*.dll /lockedfiles

%systemroot%\Tasks\*.job /lockedfiles

%systemroot%\system32\drivers\*.sys /90

%systemroot%\system32\Spool\prtprocs\w32x86\*.dll

* Check the boxes beside LOP Check and Purity Check.

* Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

o When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

o Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Please download Rootkit Unhooker and save it to your desktop.

* Double-click RKUnhookerLE.exe to run it.

* Click the Report tab, then click Scan

* Check Drivers, Stealth Code, Files, and Code Hooks

* Uncheck the rest, then click OK

* When prompted to Select Disks for Scan, make sure C:\ is checked and click OK

* Wait till the scanner has finished then go File > Save Report

* Save the report somewhere you can find it, typically your desktop. Click Close

* Copy the entire contents of the report and paste it in your next reply.

now these are my reports...

PLEASE HELP ME!

what i have to do now?

thank u all

Extras.Txt

OTL.Txt

Report.txt

Share this post


Link to post
Share on other sites

post-32477-1261866970.gif

Please don't attach the scans / logs, use "copy/paste".

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.

Doing so could make your pc inoperatible and could require a full reinstall of your OS, losing all your programs and data.

Vista and Windows 7 users:

1. These tools MUST be run from the executable. (.exe) every time you run them

2. With Admin Rights (Right click, choose "Run as Administrator")

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

XP Users

Double-click My Computer.

Click the Tools menu, and then click Folder Options.

Click the View tab.

Uncheck "Hide file extensions for known file types."

Under the "Hidden files" folder, select "Show hidden files and folders."

Uncheck "Hide protected operating system files."

Click Apply, and then click OK.

Vista Users

To enable the viewing of hidden and protected system files in Windows Vista please follow these steps:

Close all programs so that you are at your desktop.

Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

Click on the Control Panel menu option.

When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:

Double-click on the Folder Options icon.

Click on the View tab.

If you are in the Control Panel Home view do the following:

Click on the Appearance and Personalization link.

Click on Show Hidden Files or Folders.

Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

Remove the checkmark from the checkbox labeled Hide extensions for known file types.

Remove the checkmark from the checkbox labeled Hide protected operating system files.

Please do not delete anything unless instructed to.

Next:

Please download ATF Cleaner by Atribune.

Download - ATF Cleaner

Share this post


Link to post
Share on other sites

hello

thank u for help

this is my report:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Versione database: 5072

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

08/11/2010 12.52.55

mbam-log-2010-11-08 (12-52-55).txt

Tipo di scansione: Scansione veloce

Elementi esaminati: 153375

Tempo trascorso: 10 minuti, 1 secondi

Processi infetti in memoria: 0

Moduli di memoria infetti: 0

Chiavi di registro infette: 3

Valori di registro infetti: 2

Voci infette nei dati di registro: 3

Cartelle infette: 0

File infetti: 4

Processi infetti in memoria:

(Non sono stati rilevati elementi nocivi)

Moduli di memoria infetti:

(Non sono stati rilevati elementi nocivi)

Chiavi di registro infette:

HKEY_CURRENT_USER\SOFTWARE\65MWRMP54G (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\U36VRSFLG6 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Valori di registro infetti:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\65mwrmp54g (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\u36vrsflg6 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Voci infette nei dati di registro:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Cartelle infette:

(Non sono stati rilevati elementi nocivi)

File infetti:

C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\WINDOWS\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\Dtapoa.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\fdanza\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

and now?!

Share this post


Link to post
Share on other sites

Run another MBAM scan, post the results and let me know how it's running.

Share this post


Link to post
Share on other sites

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.