help with removal of packed.win32.krap.f

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: help with removal of packed.win32.krap.f

Post by Bio-Hazard » January 14th, 2009, 9:06 am

tnt77 wrote: I have run Panda anti-root kit and found no infections but running a Panda Activescan 2.0 now - at this point indicates 31 files infected with 25 % of the files scanned. I will probably run Sophos Anti-root after this as well for good measure then - it might be time, I guess, to perhaps give up on my own PC virus repair


Hello!

It worries me that Combofix won't run. Could you post me the results of the Panda active scan? Also what other things have you done?

Combofix will always create a system restore point so we can do a system restore and start again. What would you like to do?
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: help with removal of packed.win32.krap.f

Post by Bio-Hazard » January 16th, 2009, 3:59 am

Hello!

Do you still want to continue?
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: help with removal of packed.win32.krap.f

Post by tnt77 » January 16th, 2009, 11:48 am

Hello - got side tracked. I am still fighting with this one. I ran the Panda anti-Rootkit and had no infection alerts then as indicated the Panda virus scan which advised that I had a number of issues but I was going to have to pay to have them removed. I ran the Sophos anti-rootkit and it identified a number of questionable registry keys but did not allow me to do anything with them (other than see some details). I believe there is a problem between my F-secure and the combo-fix - even when I unload. I had - even when running combo-fix in safe mode had a pop-up advising that Shaw (my service provider - who supplies F-secure) secure firewall was running - even though I tried to shut it off.

I at this point have some computer issues but not sure if they are now virus related or scars from such

cheers
tnt77
Regular Member
 
Posts: 16
Joined: December 29th, 2008, 10:54 pm

Re: help with removal of packed.win32.krap.f

Post by Bio-Hazard » January 16th, 2009, 11:52 am

Hello!

Thank you for your answer. I would like to make sure you are clean. I can always direct you to a tech forum if needed.

This is purely a diagnostic tool; let's see what it comes up with.

OTScanIt2

  • Download OTScanIt2 by Oldtimer to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

      NOTE: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Click the Scan All Users checkbox on the toolbar.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Close Notepad (saving the change if necessary).

NOTE: Use the Add Reply button and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt2 folder and named OTScanIt.txt.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: help with removal of packed.win32.krap.f

Post by tnt77 » January 16th, 2009, 12:09 pm

attached scan

thanks
tnt77
Regular Member
 
Posts: 16
Joined: December 29th, 2008, 10:54 pm

Re: help with removal of packed.win32.krap.f

Post by Bio-Hazard » January 16th, 2009, 12:15 pm

Hello!

It is a big log so it will take me some time to research. I will answer you either today or tomorrow.

Regards,

Bio-Hazard
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: help with removal of packed.win32.krap.f

Post by tnt77 » January 16th, 2009, 12:28 pm

thanks - I appreciate the help. There is a lot of extraneous stuff as well that requires a clean up !


cheers
tnt77
Regular Member
 
Posts: 16
Joined: December 29th, 2008, 10:54 pm

Re: help with removal of packed.win32.krap.f

Post by Bio-Hazard » January 16th, 2009, 2:49 pm

Hello!

Ewido4 is very outdated so I recommend you uninstall it through the Add/Remove panel.


Delete ComboFix and Clean Up
Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)
Please advise if this step is missed for any reason as it performs some important actions.


ATF-Cleaner

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.
  • Click Exit on the Main menu to close the program.


Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.


Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • Kaspersky Log
  • A fresh HijackThis Log (after all the above has been done)
  • A description of how your computer is behaving
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: help with removal of packed.win32.krap.f

Post by tnt77 » January 20th, 2009, 12:06 am

I have uninstalled Ewido, deleted combo fix as per instructions and run ATF cleaner and run Kaspersky Online Scan log below and attached is latest Hijack this log. The computer has been running sporadically i.e. extremely slow - then at normal speed. I tried Malwarebytes scan last night and it took 18.5 hours. I saw nothing in the online scan that wasn't already quarantined and during the scan F-secure targeted one Kaspersky test file as a virus. I have, though, not seen anything related to the above noted previously quarantined 'packed.win32.krap.f' etc.
tnt77
Regular Member
 
Posts: 16
Joined: December 29th, 2008, 10:54 pm

Re: help with removal of packed.win32.krap.f

Post by Bio-Hazard » January 20th, 2009, 5:42 am

Hello!

I don't see anything malicious in your logs. I have noticed that you have Symantec entries in your HijackThis log. Have you used Symantec antivirus program before?

Empty this folder: C:\Documents and Settings\T&A\.housecall6.6\Quarantine

"I tried Malwarebytes scan last night and it took 18.5 hours."


Did Malwarebytes Antimalware scan find anything?


Remove HijackThis entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.

Back Up registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it on to your desktop. HERE
  • Click on the erunt-setup.exe
  • Follow the prompts to install ERUNT
  • Choose language
  • A set up window will pop up. It will ask: Create ERUNT entry in to the Start up folder, answer NO

  • Backup your registry to the default location

Note: To restore your registry (if needed), go to the folder and start ERDNT.exe


OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe to run it.
  • Copy the lines in the codebox below.
Code:
:reg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\Program Files\Kazaa Lite K++\Kazaa.kpp"=-
"C:\Program Files\LimeWire\LimeWire.exe"=-
"C:\Documents and Settings\T&A\Desktop\nancy drew short cuts\BitDownload\BitDownload.exe"=-
:files
C:\Documents and Settings\T&A\Desktop\Kaylee's games\nancy drew short cuts\bigfishgames_p22128766_s1_l1.exe
C:\Combo-Fix
C:\WINDOWS\temp
C:\ComboFix
C:\Program Files\LimeWire
C:\Program Files\Azureus
C:\WINDOWS\system32\CF24175.exe
C:\WINDOWS\system32\CF23029.exe
C:\WINDOWS\system32\CF22085.exe
C:\WINDOWS\system32\CF16448.exe
C:\WINDOWS\system32\CF13676.exe
C:\WINDOWS\system32\CF10714.exe
C:\WINDOWS\system32\CF10280.exe
C:\WINDOWS\system32\CF10149.exe
C:\WINDOWS\system32\CF19462.exe
C:\WINDOWS\system32\CF18568.exe
C:\WINDOWS\gmer.ini
C:\WINDOWS\gmer_uninstall.cmd
C:\WINDOWS\gmer.exe
C:\WINDOWS\gmer.dll
C:\WINDOWS\system32\CF23389.exe
C:\WINDOWS\system32\CF10474.exe
C:\WINDOWS\system32\CF3998.exe
C:\WINDOWS\system32\CF3505.exe
C:\WINDOWS\system32\CF25425.exe
C:\WINDOWS\system32\CF22483.exe
C:\WINDOWS\system32\CF13894.exe
C:\WINDOWS\system32\CF21308.exe
C:\WINDOWS\system32\CF22378.exe
C:\WINDOWS\system32\CF21604.exe
C:\WINDOWS\system32\CF17261.exe
C:\WINDOWS\system32\CF9701.exe
C:\WINDOWS\system32\CF5563.exe
C:\WINDOWS\system32\CF22035.exe
C:\WINDOWS\system32\CF21408.exe
:commands
[EmptyTemp]

  • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • OTMoveIt Log
  • A fresh HijackThis Log (after all the above has been done)
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
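
All four entries listed for fixing in the post above end in "(no file)". As an added example, not part of the original post and not HijackThis's own code, this Python sketch parses HijackThis-style lines and flags entries whose target file is missing, that have no name, or whose identifier is not a well-formed CLSID. The line layout is assumed from the four lines in the post; the fifth sample line is constructed for contrast.

```python
import re

# First four lines copied from the post; the last line is constructed.
SAMPLE = r"""
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
"""

# Assumed layout: "<section> - <kind>: <name> - <identifier> - <target>"
ENTRY = re.compile(
    r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<name>.+?)"
    r" - (?P<ident>\S+) - (?P<target>.+)$"
)
CLSID = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse(line):
    """Split one log line into its fields, or return None if it does not fit."""
    m = ENTRY.match(line.strip())
    return m.groupdict() if m else None


def findings(log):
    """Return (section, identifier, reasons) for every entry worth reviewing."""
    out = []
    for line in log.splitlines():
        entry = parse(line)
        if entry is None:
            continue
        reasons = []
        if entry["target"] == "(no file)":
            reasons.append("no_file")    # registry entry points at nothing on disk
        if entry["name"] == "(no name)":
            reasons.append("no_name")
        if not CLSID.match(entry["ident"]):
            reasons.append("bad_clsid")  # e.g. "SOFTWARE" or a stray leading "_"
        if reasons:
            out.append((entry["section"], entry["ident"], reasons))
    return out


if __name__ == "__main__":
    for section, ident, reasons in findings(SAMPLE):
        print(section, ident, ", ".join(reasons))
```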

Re: help with removal of packed.win32.krap.f

Post by tnt77 » January 20th, 2009, 9:22 pm

Hi - emptied house calls quarantine
I had, when I first got the computer, Norton (Symantec) but when I uninstalled to use FSecure 'pieces' have been left behind including the process NPROTECT.exe - for the recycle bin.
Bizarre occurrence today - when I opened task manager and switched to processes - the top part of the Manager screen disappeared (the top of box which allows choice tabs, shutdown and min/max size). I tried to close task manager from taskbar by right mouse click and close but would not get the menu option - period
Sorry Malware scan showed 0 issues
removed hijack this entries
backed up registry

OT Move log below : I had an "access violation at address 72058B0 read address of address 270508B0" when ran
new Hijack this posted as attachment


========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Program Files\Kazaa Lite K++\Kazaa.kpp deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Program Files\LimeWire\LimeWire.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\\C:\Documents and Settings\T&A\Desktop\nancy drew short cuts\BitDownload\BitDownload.exe deleted successfully.
========== FILES ==========
C:\Documents and Settings\T&A\Desktop\Kaylee's games\nancy drew short cuts\bigfishgames_p22128766_s1_l1.exe moved successfully.
C:\Combo-Fix moved successfully.
C:\WINDOWS\temp\fsaua.tmp moved successfully.
C:\WINDOWS\temp\F-Secure\Anti-Virus moved successfully.
C:\WINDOWS\temp\F-Secure moved successfully.
Folder move failed. C:\WINDOWS\temp scheduled to be moved on reboot.
C:\ComboFix\N_ moved successfully.
C:\ComboFix moved successfully.
C:\Program Files\LimeWire moved successfully.
C:\Program Files\Azureus\plugins\azupdater moved successfully.
C:\Program Files\Azureus\plugins\azplugins moved successfully.
C:\Program Files\Azureus\plugins moved successfully.
C:\Program Files\Azureus moved successfully.
C:\WINDOWS\system32\CF24175.exe moved successfully.
C:\WINDOWS\system32\CF23029.exe moved successfully.
C:\WINDOWS\system32\CF22085.exe moved successfully.
C:\WINDOWS\system32\CF16448.exe moved successfully.
C:\WINDOWS\system32\CF13676.exe moved successfully.
C:\WINDOWS\system32\CF10714.exe moved successfully.
C:\WINDOWS\system32\CF10280.exe moved successfully.
C:\WINDOWS\system32\CF10149.exe moved successfully.
C:\WINDOWS\system32\CF19462.exe moved successfully.
C:\WINDOWS\system32\CF18568.exe moved successfully.
C:\WINDOWS\gmer.ini moved successfully.
C:\WINDOWS\gmer_uninstall.cmd moved successfully.
C:\WINDOWS\gmer.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\gmer.dll
tnt77
Regular Member
 
Posts: 16
Joined: December 29th, 2008, 10:54 pm
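
The results log pasted above ends at gmer.dll, while the script that produced it listed more files after that point. As an added example (not part of the original thread and not OTMoveIt3's own code), this Python sketch reconciles a script's :files list against a pasted results log so that items with no result line stand out. The sample script and log are abridged from the thread, and the log-line patterns are assumed from the lines visible here.

```python
import re

# Abridged from the thread: some :files entries and the matching log lines.
SCRIPT = r"""
:files
C:\ComboFix
C:\WINDOWS\temp
C:\WINDOWS\gmer.exe
C:\WINDOWS\gmer.dll
C:\WINDOWS\system32\CF23389.exe
:commands
[EmptyTemp]
"""
LOG = r"""
========== FILES ==========
C:\WINDOWS\temp\fsaua.tmp moved successfully.
Folder move failed. C:\WINDOWS\temp scheduled to be moved on reboot.
C:\ComboFix\N_ moved successfully.
C:\ComboFix moved successfully.
C:\WINDOWS\gmer.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\gmer.dll
"""
# Line shapes assumed from the log lines visible in the thread.
MOVED = re.compile(r"^(?P<path>.+) moved successfully\.$")
REBOOT = re.compile(r"^Folder move failed\. (?P<path>.+) scheduled to be moved on reboot\.$")


def requested_paths(script):
    """Paths listed under the :files section of the script."""
    paths, section = [], None
    for line in map(str.strip, script.splitlines()):
        if line.startswith(":"):
            section = line.lower()
        elif line and section == ":files":
            paths.append(line)
    return paths


def reconcile(script, log):
    """Classify each requested path by what the log actually says about it."""
    lines = [l.strip() for l in log.splitlines() if l.strip()]
    status = {}
    for line in lines:
        for label, rx in (("pending_reboot", REBOOT), ("moved", MOVED)):
            m = rx.match(line)
            if m:
                status[m["path"].lower()] = label
                break
    report = {"moved": [], "pending_reboot": [], "mentioned_only": [], "absent": []}
    for path in requested_paths(script):
        key = path.lower()
        if key in status:
            report[status[key]].append(path)
        elif any(l.lower().endswith(key) for l in lines):
            report["mentioned_only"].append(path)  # named, but no move result
        else:
            report["absent"].append(path)          # log never reached this item
    return report


if __name__ == "__main__":
    print(reconcile(SCRIPT, LOG))
```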

Re: help with removal of packed.win32.krap.f

Post by Bio-Hazard » January 21st, 2009, 8:29 am

Hello!

Could you please try to run HijackThis again and post a log for me to see.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: help with removal of packed.win32.krap.f

Post by tnt77 » January 21st, 2009, 11:21 am

new log attached - sorry if it was missing on last post - when I tried to post reply (with log attached) the system hung with the 'hour glass' for about 15 minutes then showed that reply had been posted - I didn't double check to see if log went through
tnt77
Regular Member
 
Posts: 16
Joined: December 29th, 2008, 10:54 pm

Re: help with removal of packed.win32.krap.f

Post by Bio-Hazard » January 22nd, 2009, 6:15 pm

Hello!

I don't see any malware in your logs. I am going to remove some unneeded stuff. What are your exact problems?


Delete Bad Services

  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

    Code:
    @echo off
    sc stop NProtectService
    sc stop SNDSrvc
    sc delete NProtectService
    sc delete SNDSrvc
    

  • Make sure there are NO blank lines before @echo off
  • Make sure there IS one blank line at the end of the file.
  • Go to File > Save As
  • Save File name as Fix.bat
  • Change Save as Type to All Files and save the file to your desktop.
  • Close Notepad
  • Double-click Fix.bat on your Desktop

OTMoveIt3

  • Double-click OTMoveIt3.exe to run it.
  • Copy the lines in the codebox below.
Code:
:files
C:\Program Files\Common Files\Symantec Shared
C:\Program Files\Norton AntiVirus
C:\WINDOWS\system32\CF23389.exe
C:\WINDOWS\system32\CF10474.exe
C:\WINDOWS\system32\CF3998.exe
C:\WINDOWS\system32\CF3505.exe
C:\WINDOWS\system32\CF25425.exe
C:\WINDOWS\system32\CF22483.exe
C:\WINDOWS\system32\CF13894.exe
C:\WINDOWS\system32\CF21308.exe
C:\WINDOWS\system32\CF22378.exe
C:\WINDOWS\system32\CF21604.exe
C:\WINDOWS\system32\CF17261.exe
C:\WINDOWS\system32\CF9701.exe
C:\WINDOWS\system32\CF5563.exe
C:\WINDOWS\system32\CF22035.exe
C:\WINDOWS\system32\CF21408.exe

:commands
[EmptyTemp]

  • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • OTMoveIt Log
  • A fresh HijackThis Log (after all the above has been done)
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: help with removal of packed.win32.krap.f

Post by tnt77 » January 23rd, 2009, 1:51 am

no real issues since yesterday's issue with task manager

new logs attached

thanks
tnt77
Regular Member
 
Posts: 16
Joined: December 29th, 2008, 10:54 pm