Help !! - TR/Crypt.XPACK.gen

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by scottportraits, Sep 6, 2009.

  1. scottportraits

    scottportraits Private First Class

    Sep 6, 2009

    Hello MG's Malware Techs,

    Ouch !! Got bit by a couple of nasty trojans and they keep repeating themselves. No matter how many times I send them to quarantine, or hunt them down in the C:/Owner/Local Settings/temp file and delete them, they come back. AVIRA said they were 'locked'. I don't know how bad the damage is, or if ComboFix cleaned it up some, but I worry if it is really embedded.
    I use one anti-virus app - AVIRA Free Ed. - and its scan keeps catching them and sending them to quarantine. I use one firewall: Sygate. I might have gotten this from an email (been getting a bunch of porny junk ones, but never opened them); I delete them immediately.
    I also might have gotten it from P2P file sharing - except the 'temp' and 'new completed' files are on a second 'slave' internal hard drive, and are also partitioned off from the rest of the bulky D:/ drive 'slave' library, and far from the main hard drive - so how could they have 'jumped' onto my C:/ drive ??

    The Trojans are:
    TR/Crypt.XPACK.gen

    & TR/Dropper.gen

    Ran Super Anti-Spyware Free Ed. - log is attached.
    Ran MalwareByte's Free Ed. - log is attached.
    Ran ComboFix from desktop, rebooted, etc - log is attached.
    Ran RootRepeal - here is the log attached.
    ......finally......here are the MGLogs, in the zip file attached.

    Also:

    AVIRA Scan LOG - The only one that caught it.

    Funny thing: Avira Anti-Virus was the first and apparently only one that caught the trojans. I don't know where the source is which keeps generating them as soon as I delete them, but it must be hidden in there somewhere. I deleted two suspicious partial 'temp' files from the P2P incoming folder - but the trojan is still buried in the system somewhere causing it to recur. When the AVIRA scan ended it gave me the warning and asked if I want to delete, quarantine, etc.......but it failed to do it. Then pops a window asking if I want to delete the 'locked' file upon reboot. I check YES. Ran ComboFix and then rebooted.....

    Start > Run is set to 'Normal Start-up', so it isn't switching itself to 'Selective Start-up', like it has in the past. Once clean, I will have to purge all past restore points, but will wait until you say the system is clean again before I do that operation.

    Thanks again for any help you can offer. I do much appreciate your site.

    -scottportraits
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not attach these. Please attach them.

    Also not attached.

    The logs you did attach, do not show any malware.
     
  3. scottportraits

    scottportraits Private First Class

    Sep 10, 2009

    I know, your attachment system only allows so many bytes and I was over the limit. Here are those logs:

    Also, when I ran my 'Spyware Terminator, Free Ed.' scan the AVIRA Anti-Virus popped up continuously with these trojans that I named earlier. It keeps putting them in the C:/Documents&Settings/Owner/LocalSettings/temp folder. No matter how many times I delete these goofy numbered files they keep coming back, apparently generated by something hidden somewhere else.
    I had to shut down AVIRA anti-virus just to complete the Spyware Terminator scan. Those Avira pop-ups suggest something is still in the system spawning this trojan.

    Here's 'RootRepeal' and 'MalwareByte's' logs.
    Sorry I failed to include them.

    -scottportraits
     


  4. scottportraits

    scottportraits Private First Class

    Sep 10, 2009 4.45 am est

    Here's a tiny part of the AVIRA log when the Trojan first appeared:

    Avira AntiVir Personal
    Report file date: 2009-09-06 11:40

    Scanning for 1684804 virus strains and unwanted programs.


    Beginning disinfection:
    C:\Documents and Settings\Owner\Local Settings\temp\
    C:\Documents and Settings\Owner\Local Settings\temp\clamav-67903bebf2d715b78fd78f5a87450b87.00000a44.clamtmp
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
    [WARNING] The source file could not be found.
    [NOTE] Attempting to perform action using the ARK library.
    [WARNING] Error in ARK library
    [NOTE] The file is scheduled for deleting after reboot.



    End of the scan: 2009-09-06 14:30
    Used time: 2:45:20 Hour(s)

    The scan has been done completely.

    6936 Scanned directories
    457325 Files were scanned
    1 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 files were deleted
    0 Viruses and unwanted programs were repaired
    0 Files were moved to quarantine
    0 Files were renamed
    31 Files cannot be scanned
    457293 Files not concerned
    8794 Archives were scanned
    78 Warnings
    70 Notes
    53279 Objects were scanned with rootkit scan
    0 Hidden objects were found


    The source file could not be found, and the ARK deal did not delete the hidden source file upon re-boot.

    The whole AVIRA log is too big to fit as an attachment.

    Anything else you need please feel free to ask. I'll do anything !! I also ran A-Squared Free and Kaspersky Free online scan, but none picked it up.... The source file is still in hiding and generating those darn .clamtmp files, which it puts in the C:/Documents&Settings/Owner/LocalSettings/temp folder.

    Tell me what to do next Major Chas:major, and I will obey your orders without question.

    Thanks, man

    - scottportraits
     
  5. scottportraits

    scottportraits Private First Class

    Sep 11, 2009

    I'm still getting this trojan and another one called 'dropper'.....when I run a Spyware Terminator scan. If Avira anti-virus is enabled, the Spyware Terminator scan causes an Avira window to pop, and the trojan is sent to the temp file in C:/Owner.
    I have saved them in the quarantine folder. But they are the symptom, not the cause....I still don't know what is causing them, or where it is. Is it a rootkit ?

    Is there an anti-rootkit or rootkit fixer tool out there I should be running ??

    Thanks Major Chas:major

    -scottportraits

    p.s. - Do I get promoted to corporal after this ?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not having malware problems. You have caused the problem by installing more than one antivirus. You have Avira installed but you installed Spyware Terminator and installed ClamAV with it. Avira is detecting files from Clam. You need to uninstall Clam if Spyware Terminator gives you the option. Otherwise uninstall all of Spyware Terminator.
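    The pattern chaslang describes, one engine (Avira) flagging the working files of another engine (ClamAV, bundled with Spyware Terminator), shows up in the scan report as detections whose paths are temp files with ClamAV's own naming scheme. The following Python script is an added example, not code from Avira, ClamAV, MajorGeeks or this thread: it reads Avira-style report lines and separates detections on ClamAV scan temp files (an AV-on-AV interaction to resolve by removing one engine) from detections that still need investigation. The sample report lines are constructed in the shape of the log quoted earlier in the thread; the second detected path and the assumed general form of the ClamAV temp-file name (32 hex characters, 8 hex characters, `.clamtmp`) are inferred from the single filename on the page.

```python
"""Triage an Avira-style scan report: flag detections that hit another
antivirus engine's temporary scan files rather than a resident threat."""
import re
from dataclasses import dataclass

# Assumed general form of the ClamAV temp-file name, derived from the one
# example in the thread (clamav-<32 hex>.<8 hex>.clamtmp).
CLAMAV_TMP_RE = re.compile(r"^clamav-[0-9a-f]{32}\.[0-9a-f]{8}\.clamtmp$", re.IGNORECASE)
# A Windows path line in the report, e.g. "C:\Documents and Settings\..."
PATH_RE = re.compile(r"^[A-Za-z]:\\")
SIGNATURE_RE = re.compile(r"Is the (\S+)")

# Constructed sample, modelled on the Avira report quoted in the thread.
# The second file path is made up for illustration.
SAMPLE_REPORT = r"""
Beginning disinfection:
C:\Documents and Settings\Owner\Local Settings\temp\
C:\Documents and Settings\Owner\Local Settings\temp\clamav-67903bebf2d715b78fd78f5a87450b87.00000a44.clamtmp
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
C:\Documents and Settings\Owner\Local Settings\temp\constructed-sample.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to quarantine.
"""

OTHER_ENGINE = "other-engine-tempfile"
INVESTIGATE = "needs-investigation"


@dataclass
class Finding:
    path: str
    signature: str
    category: str


def classify(path: str) -> str:
    """A detection on a ClamAV scan temp file is a product conflict, not proof
    of infection; anything else keeps its normal priority."""
    filename = path.rsplit("\\", 1)[-1]
    return OTHER_ENGINE if CLAMAV_TMP_RE.match(filename) else INVESTIGATE


def parse_detections(report_text: str) -> list:
    """Pair each [DETECTION] line with the file path that precedes it.
    Directory lines (ending in a backslash) are not detection targets."""
    findings = []
    last_path = None
    for raw in report_text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            last_path = None if line.endswith("\\") else line
        elif line.startswith("[DETECTION]") and last_path:
            match = SIGNATURE_RE.search(line)
            signature = match.group(1) if match else line
            findings.append(Finding(last_path, signature, classify(last_path)))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per category so the conflict is visible at a glance."""
    counts = {}
    for finding in findings:
        counts[finding.category] = counts.get(finding.category, 0) + 1
    return counts


if __name__ == "__main__":
    results = parse_detections(SAMPLE_REPORT)
    for f in results:
        print(f"{f.category:22} {f.signature:22} {f.path}")
    print(summarize(results))
```

    If every detection falls into the other-engine category, the fix is the one given in the post above (remove the second engine); any detection left in the investigate category is handled as a normal finding.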
     
  7. scottportraits

    scottportraits Private First Class

    Sep 17, 2009 3pm est

    Hi Chaslang:major,

    Uninstalled Spyware Terminator like you suggested, so I will have to rely on SpyBot S&D and SpywareBlaster; they don't provide 'realtime protection' like SpywareTerminator, but I can't have conflicting apps running that interfere with the anti-virus program, AVIRA, can I? :confused

    For the last few days my AVIRA anti-virus manual updates are failing....can't seem to get it to download and install the latest updates. It just freezes up while 'scanning for new updates' and won't proceed.:cry

    I still have ComboFix on the desktop. Aren't we supposed to run a "KILLALL" deal, or something ??:dood

    Lastly, there is a very suspicious file on my second internal 'slave' hard drive, where I put newly completed files from P2P file sharing. It will not delete. It has a long gibberish name....:crap"be21685bd8e8f8550fa22fcb45d68":crap, and, like I said, it will not delete - says it's write protected or in use. Inside it are two folders named "AMD64" and "i386".

    I never put it there, and can't send it to the trash. Isn't there a way to delete it in safe-mode....or is there an app to yank out ones that are 'stuck' like this ?:ban

    So, should I run a ComboFix KILLALL and finish with ComboFix? And how do I delete this crazy-looking file that found a home embedded in my newly finished downloads from eMule ?

    Thanks for all the help, it is much appreciated. Some of my incoming emails are being decoded in some gibberish, they open and read with weird symbols:banghead in the body copy.

    Sincerely yours,

    -scottportraits
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Avira does contain antispyware protection too; however you could still have Spyware Terminator, you just have to make sure you do not install the Clam AntiVirus stuff. Also I suggest not installing the Crawler Toolbar.

    Is it time for you to reapply for the temporary license?


    Killall has nothing to do with cleanup. You need to run final cleanup instructions which we had not gotten to yet. They are below.

    Part of Windows Update.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  9. scottportraits

    scottportraits Private First Class

    Tuesday Sep 22, 2009 3.30pm est

    Hello Chaslang,

    Took all your advice, and my PC is now clean and near-perfect (for a Celeron), anyway.

    I reinstalled Spyware Terminator, but did NOT activate the Clam A/V option, nor the auto update function, nor that awful Crawler toolbar. So, between the three: Spybot (without Teatimer, but with S&D Helper), SpywareBlaster, and 'realtime protection' from Spyware Terminator I am ready to rock and roll.

    Next, as for AVIRA A/V, I went to their support forum Sunday and found others were having the same difficulty. They provided a link to download a manual update file, burn it to a CD-R, and install from the external CD drive. Today, as I got your email, I also got one from AVIRA telling big news of a new 'engine update notification', a new version number, and now AVIRA Free Ed. is updated and will download updates manually without any fuss. Others were having the same trouble, so it had nothing to do with any malware or damage in my rig. No mention of any temporary license renewal, but I have the freeware so I just get a pop-up every time I manually update advising me to buy their whole package.

    Moving right along, we did a 'KILLALL' dealie once before several months ago, but I guess it's not the way to go about it this time, to eliminate the desktop ComboFix icon, or remove the files and logs. Went to Start > Run > "%userprofile%\Desktop\combofix" /u .....and that did the trick; wiped it off the desktop (and elsewhere) - but I had to disable AVIRA anti-virus for the moment we did that operation.

    So that gibberish file I was concerned about (with AMD64 and i386 inside) is a "Windows Update"....I just wonder why it wound up on slave drive 'D' and not on master drive 'C' in the C:/Windows file. Whatever.....ours is not to reason why, ours is just to take it all like a man....and keep on going.....

    Went to C:/MGTools folder and hit the 'clean.bat' file which wiped out all traces of MGTools and the original zip file. Also, it must have deleted HiJackThis, if we were using it, (must have been), because it didn't show up on my add/remove program list after that. It's just not there now.

    Ran CCleaner and deleted all temp files and extraneous registry entries.

    Finally, went to My Computer, right clicked, went to properties, and turned OFF system restore on all drives. Then went to Start > Accessories > Disk Cleanup > and purged all system restore points. Re-booted, turned system restore back on, and created a new restore point, named it 'Post Malware Removal'.

    I guess that's about it. If there's anything I missed let me know. I appreciate this site and its moderators and technicians more than you can ever know. You are all pros and very good teachers, too.

    Best wishes, and many, many thanks,

    -scottportraits
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!

    No, we never did that to remove ComboFix. Killall is a command line option used while running scans with ComboFix. It never had anything to do with uninstalling ComboFix.
     
  11. scottportraits

    scottportraits Private First Class

    My PC seems fine now - she is 'ship-shape'. It's nice having a clean rig that responds well to your commands.
    Thanks again for all the help.

    This topic is now closed.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
