How should I deal with tr/crypt.nspm.gen?

Discussion in 'malware problems & news' started by coldplay, Mar 30, 2007.

Thread Status:
Not open for further replies.
  1. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    I got infected with "tr/crypt.nspm.gen".
    I deleted it with antivir but it infects my machine again as soon as I restart my PC.
    I deleted it with avg as and it also reinfects my pc after restart.
    And it gets worse: my PC now has 10 different viruses according to antivir, and antivir pops up the infection window constantly, which makes it impossible for me to work.

    I did those things already:
    patch windows
    turn off system restore
    run antivir in safe mode
    run avg as in safe mode
    ------

    Yet tr/crypt.nspm.gen and its variants still keep coming

    Is there any solution to kill this virus/trojan for good? Thank you in advance.

    -----------updates:

    infected files are:

    c:\windows\system32\7607EF85.exe
    c:\windows\system32\499E6CF2.dll

    antivir categorizes them as "TR/Crypt.NSPM.Gen"
    antivir is able to kill these 2 files in safe mode but they show up again whenever I restart the PC in normal windows.
    Also, there is a file in IE temp, "wow0331[1].exe", that gets detected by antivir on every start of windows.
     
    Last edited: Mar 31, 2007
  2. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    TR/Crypt.NSPM.Gen is a generic detection from AVIRA, I can't find any particular disinfection instructions for this malware. By which name does AVG detect this malware?
     
  3. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    avg calls it "onlinegame..." something
    webroot spy sweeper reports nothing
    mcafee stinger reports nothing

    antivir PE has killed some "exes" (wow.exe, wt.exe, etc.) brought to my pc by this virus, but that didn't stop TR/Crypt.NSPM.Gen and its "brothers" from triggering antivir's popup window
     
    Last edited: Mar 30, 2007
  4. btman

    btman Registered Member

    Joined:
    Feb 11, 2006
    Posts:
    576
  5. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You should try disabling System Restore and running CCleaner prior to running the AV/AT/AS in safe mode.
    If this fails, then post a Hijackthis log in a dedicated forum.
     
  6. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    If nothing else, AVG's trojan malware names are only slightly less cryptic and unhelpful than AntiVir's.

    It sounds like your system is infected by an undetected dropper or downloader that is constantly recreating the trojans as you kill them. Reboot in Safe Mode, then run one of the more reputable spyware scanners (AVG Antispy, SUPERAntiSpy).
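
Added example, not part of solcroft's post or of any tool named in this thread: a short triage pass over autostart entries that flags the ones pointing at files like those reported here (eight hex digits plus .exe/.dll in system32), since deleting the files without removing whatever relaunches them explains the reinfection on every reboot. The thread never says which autostart mechanism was used, so the registry entries, value names and `0A1B2C3D.exe` below are constructed assumptions; only the two detected paths come from the thread.

```python
import re
from pathlib import PureWindowsPath

# Names shaped like 7607EF85.exe / 499E6CF2.dll: eight hex digits plus extension.
HEX_NAME = re.compile(r"^[0-9A-F]{8}\.(exe|dll)$", re.IGNORECASE)
# Every drive-rooted .exe/.dll path inside an autostart command line
# (handles quoted paths with spaces and "rundll32 <dll>,<export>").
PATH_IN_CMD = re.compile(r'[A-Za-z]:\\[^"<>|,]*?\.(?:exe|dll)', re.IGNORECASE)

def suspicious_autostarts(entries, detected_paths):
    """Return (location, value_name, path, reasons) for entries worth removing.

    entries: iterable of (location, value_name, command_line)
    detected_paths: file paths the antivirus has already flagged
    """
    detected = {p.lower() for p in detected_paths}
    hits = []
    for location, name, command in entries:
        for raw in PATH_IN_CMD.findall(command):
            path = PureWindowsPath(raw)
            reasons = []
            if str(path).lower() in detected:
                reasons.append("av-detected")
            if path.parent.name.lower() == "system32" and HEX_NAME.match(path.name):
                reasons.append("hex-name-in-system32")
            if reasons:
                hits.append((location, name, str(path), reasons))
    return hits

# Paths reported in the thread.
DETECTED = [r"c:\windows\system32\7607EF85.exe", r"c:\windows\system32\499E6CF2.dll"]

# Constructed autostart entries (hypothetical value names and commands).
RUN = r"\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    ("HKLM" + RUN, "avgnt", r'"C:\Program Files\Avira\AntiVir\avgnt.exe" /min'),
    ("HKLM" + RUN, "updater", r"C:\WINDOWS\system32\7607EF85.exe"),
    ("HKCU" + RUN, "helper", r"rundll32.exe C:\WINDOWS\system32\499E6CF2.dll,Start"),
    ("HKCU" + RUN, "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    # Not yet flagged by the scanner, caught by the naming heuristic alone.
    ("HKCU" + RUN, "svc", r"C:\WINDOWS\system32\0A1B2C3D.exe"),
]

if __name__ == "__main__":
    for hit in suspicious_autostarts(SAMPLE_ENTRIES, DETECTED):
        print(hit)
```

The naming heuristic is only a lead: an entry it flags still needs to be checked (signature, file date, vendor) before the autostart value and the file are removed together.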
     
  7. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
  8. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    SUPERAntiSpyware detected nothing harmful :oops:
     
  9. ASpace

    ASpace Guest

    AVIRA antivirus has an official forum. If you post there you will get direct support from them.
    http://forum.avira.de

    And... give more details there, please. Also write the path of the infection.
     
  10. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    Yeah, I did make a post over there, too :D

    Infections are in C:/.../system32/xxxx.exe and something in the internet temp folder.
     
  11. ASpace

    ASpace Guest

    This means
    C:\Windows\system32\filename

    If you write the full names of all infected files I can write you instructions to manually get rid of them. :thumb:
     
  12. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    Thank you very much. I don't exactly remember the file name and I can't get it right now. I will post the infected file name tomorrow.

    C:\Windows\system32\76EF00GM.exe appears most often and is stubborn. It pops up right after you put it in antivir's quarantine.
     
  13. ASpace

    ASpace Guest

    1. Download The Avenger
    http://swandog46.geekstogo.com/avenger.exe

    The Avenger is a fully scriptable, kernel-level driver designed to remove highly persistent files and registry keys/values protected by entrenched malware. Basically this means that The Avenger is a program to which you give commands to execute (the script) consisting of files to delete, etc., which would otherwise be hard to delete because they were protected or "in use" by malicious software. More about The Avenger: http://swandog46.geekstogo.com/avengernotes.htm

    2. Download this file

    3. Run the program avenger.exe

    4. Choose "Load Script From File"

    5. Browse to find the file/the script I gave you (mkill.txt), press the Glass icon to see the script and when you are ready ...

    6. Press the traffic light icon. Confirm.

    Now your computer will reboot, and The Avenger will run the script file before the malware. After the restart the malware files will be gone. The Avenger will inform you with a log text file you'll see after you reboot.
     
  14. ASpace

    ASpace Guest

    I sent you a PM about another malicious entry
     
  15. C.S.J

    C.S.J Massive Poster

    Joined:
    Oct 16, 2006
    Posts:
    5,029
    Location:
    this forum is biased!
    You could always try drweb's cureit. It's free and doesn't need to be installed. Worth a shot, right?
     
  16. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    just tried, unfortunately, it detected nothing
     
  17. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    infected files are:

    c:\windows\system32\7607EF85.exe
    c:\windows\system32\499E6CF2.dll

    antivir categorizes them as "TR/Crypt.NSPM.Gen"
    antivir is able to kill these 2 files in safe mode but they show up again whenever I restart the PC in normal windows.
    Also, there is a file in IE temp, "wow0331[1].exe", that gets detected by antivir on every start of windows.
     
  18. ASpace

    ASpace Guest

    Run the Avenger part again. I modified the file for you.
    Also do what I suggested in addition.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I have heard a lot of praise for Kaspersky's cleaning ability. AVS based on KAV is free. I am not sure but it might help.
     
  20. coldplay

    coldplay Registered Member

    Joined:
    Nov 12, 2006
    Posts:
    191
    Thank you to all of you. I think my problem is solved and the infections are removed.

    I'd recommend the software I used but I don't want to be taken as a spammer or advertiser. Send me a PM if you'd like to know.

    Admin, if you think this thread has no value for further discussion, please feel free to close it, thank you.
     
    Last edited: Mar 31, 2007
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Should I take it as spam?
     
  22. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I believe you are/were infected with the "OnlineGames" Trojan. This trojan steals passwords for a specific online game (usually Lineage II or World of Warcraft) and sends them to a remote server. There are many variants for this type of trojan, but you can see if the instructions below help you:

    http://www.k7computing.com/virusdetails.asp?virusid=46192
    http://click2clean.e-games.com.my/v3_info_view.asp?seq=6895&key=

    I hope this helps, and if you play Lineage II or World of Warcraft, I think it would be best to inform the authorities that you have been infected with this trojan and your user ID and password may be compromised.

    If you can send me a copy of the infected files, I will try to find out more. :)
     
  23. mrlisten

    mrlisten Registered Member

    Joined:
    Jul 26, 2007
    Posts:
    1
    I got the same problem that you had, and I'm very interested in how you solved it. Sadly PM apparently doesn't work atm, so please could you post how you got rid of TR/crypt.NSPM.gen in here?
     
  24. ASpace

    ASpace Guest

  25. Sixus

    Sixus Registered Member

    Joined:
    Jan 3, 2008
    Posts:
    1
    LF ColdPlay: How should I deal with tr/crypt.nspm.gen?

    I'm looking for ColdPlay, 'cuz I'm also infected with TR/Crypt.nspm.gen and he said to send a private message to know what he did to kill it. But private messages have been disabled. Plz, I really want to kick that trojan out of my PC.
    Help :'(
     