Stuck with TR/Crypt.XPACK.Gen Trojan! Please help me!

Discussion in 'Malware Help (A Specialist Will Reply)' started by OnePiece92, Nov 1, 2008.

  1. OnePiece92

    OnePiece92 Private E-2

    Yesterday, when I was playing Guild Wars, my computer got all slow, and I wondered what was up, so I minimized the window, and noticed Norton Security Scan was running in the background, and that it had found four viruses. So I quickly downloaded Avira AntiVir, and it said that the virus I had was the Crypt.XPACK.Gen Trojan. So, I Googled it, found a solution posted on the MajorGeeks forums and tried it. It didn't work though, so I thought I'd post my own thread. Anyway, first I tried a couple of solutions, then I finished all the steps on that READ ME FIRST thread, and... well, I still have a problem.

    Here are the first three logs required:
     

    Attached Files:

  2. OnePiece92

    OnePiece92 Private E-2

    Stuck with TR/Crypt.XPACK.Gen Trojan! Please help me! (PART 2)

    And here is the last required log:
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please tell me exactly what problems you are having.

    In the meantime, use windows explorer to find and delete:
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\system32\SV
     
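    The check behind this instruction (a svchost.exe sitting in C:\WINDOWS instead of C:\WINDOWS\system32, where the genuine one lives) can be done mechanically across a whole process list. The following is an added example, not code from the thread or from MajorGeeks; it assumes a default C:\WINDOWS system root and runs over a constructed process listing modelled on the paths named in this thread.

```python
import ntpath

# Assumption: default system root, as on the XP-era machine in this thread.
SYSTEM_ROOT = r"C:\WINDOWS"
SYSTEM32 = ntpath.join(SYSTEM_ROOT, "system32")

# Directory where Windows keeps the genuine copy of each binary. A copy of one
# of these names found anywhere else is a classic masquerade (e.g. C:\WINDOWS\svchost.exe).
EXPECTED_DIRS = {
    "svchost.exe": SYSTEM32,
    "lsass.exe": SYSTEM32,
    "services.exe": SYSTEM32,
    "winlogon.exe": SYSTEM32,
    "csrss.exe": SYSTEM32,
    "explorer.exe": SYSTEM_ROOT,
}


def normalize(path: str) -> str:
    """Windows paths are case-insensitive and may contain '..'; normalize before comparing."""
    return ntpath.normpath(path).lower()


def classify(path: str) -> str:
    """Return 'expected', 'masquerade' or 'unknown' for one image path."""
    norm = normalize(path)
    expected = EXPECTED_DIRS.get(ntpath.basename(norm))
    if expected is None:
        return "unknown"          # not a binary we have an allow-list entry for
    return "expected" if ntpath.dirname(norm) == normalize(expected) else "masquerade"


def parse_process_listing(text: str) -> list:
    """Parse constructed 'PID  ImagePath' lines (header line skipped) into (pid, path)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("pid"):
            continue
        pid, path = line.split(None, 1)   # path may itself contain spaces
        rows.append((int(pid), path))
    return rows


def find_masquerades(text: str) -> list:
    """Return (pid, path) for every process whose image path fails the allow-list."""
    return [(pid, p) for pid, p in parse_process_listing(text) if classify(p) == "masquerade"]


# Constructed sample listing; the two flagged paths are the ones reported in this thread.
SAMPLE_LISTING = """PID   ImagePath
  812  C:\\WINDOWS\\system32\\svchost.exe
 1240  C:\\Windows\\System32\\SVCHOST.EXE
 1388  C:\\WINDOWS\\svchost.exe
 1620  C:\\Avenger\\svchost.exe
 2004  C:\\Program Files\\Guild Wars\\Gw.exe
"""

if __name__ == "__main__":
    for pid, path in find_masquerades(SAMPLE_LISTING):
        print(f"suspicious: pid {pid} {path}")
```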
  4. OnePiece92

    OnePiece92 Private E-2

    Well, I notice my computer is a lot slower than usual... And also I'm afraid to access internet banks and such, seeing as it is a trojan...
    Apart from that, my Avira AntiVir pops up every 10 seconds warning me about the virus.

    And I can't think of any other problems at the moment.

    Oh, and I can't delete C:\Windows\svchost.exe for some reason :/
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the "Input script here:"
    part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  6. OnePiece92

    OnePiece92 Private E-2

    Hey again!
    Well, the Avenger didn't seem to work. I did as you instructed, and it deleted the file as it should do. But when I restarted the computer, the first thing that popped up was the Avira AntiVir warning about C:\Windows\svchost.exe
    Well, actually, before that, a warning about C:\Avenger\svchost.exe popped up, if that is of any importance.

    Well, here are the logs though ;)
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished).

    Now re-run Avenger from my previous post.

    Next I would like you to log into each user account on your computer and run both SAS and MBAM on each account. If it finds anything, attach those logs with the user account.
     
  8. OnePiece92

    OnePiece92 Private E-2

    Well, I'll start with the Avenger part. Still didn't work :/ It just came back... again ;)

    And about the SAS and MBAM... They did almost the same... MBAM seemed to have neutralized two malware programs on my computer, but there seems to be one left... And SAS removed tons of tracker cookies on my sister's user account.
    Anyway, I'll start with the SAS logs.
    I'll call them SAS_1 and SAS_2, though I have more than two different SAS logs. I have four user accounts on this computer, but I'll only include the first and the second, since the third and fourth both looked exactly like the second.
    Here they are:
     

    Attached Files:

  9. OnePiece92

    OnePiece92 Private E-2

    For the MBAM-logs, I have chosen three of them, naming them MBAM_1, MBAM_2 and MBAM_3. MBAM_1 was done first and 3 was done last. The third user account had the exact same log as the second (MBAM_2) so I didn't include that log.

    Anyway, here are they:
     

    Attached Files:

  10. OnePiece92

    OnePiece92 Private E-2

    Just thought of something. Is it necessary for me to run SAS and MBAM on the Admin account too? I have never ever used it, apart from when creating my own account and doing the CCleaner thing...
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, it is necessary to run it on the administrator account...but you have to make sure you have it remove all that it finds! The logs you attached indicate that no action was taken.
     
  12. OnePiece92

    OnePiece92 Private E-2

    Okay, I'll do it over when I get back from school today ;) And I'll be sure to do it on the admin account too.

    Btw, I think those logs indicated that I didn't take any action, because I saved the logs before taking action xD Stupid of me, really. Just wasn't sure I'd be able to find the MBAM logs afterwards. On the SAS logs, though... They must have indicated that I at least tried to remove the files, didn't they?
     
  13. OnePiece92

    OnePiece92 Private E-2

    Did the whole process over again... Now there are two sorts of logs. As before, I'll start with the SAS logs. I call them SAS_Admin and SAS_Other for the simple reason that the two looked different (the Other meaning the other user accounts on this comp, of course).

    Here they are!
     

    Attached Files:

  14. OnePiece92

    OnePiece92 Private E-2

    And then there are the MBAM logs. MBAM_Admin & MBAM_Other for the same reason as the SAS logs'.

    Here ya go:
     

    Attached Files:

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The admin logs are clean.....however the "other" is still showing the trojan...so on that account, run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  16. OnePiece92

    OnePiece92 Private E-2

    Hmm.... I suppose you are talking about using the MGtools on the "other accounts"? I didn't really understand at first... Anyway. I'm not going to be able to be at my computer for maybe a week. I might be able to check on it in two days, but not before then. But when I get back, I'll just run the MGtools on all "other" accounts, seeing as there are four. Or do I only need to run it on one account? Because then I could do it right away... Hey, I'll send you the MGtools log for my main account, one of the "other", right away!
    I just love it when I come up with ideas while typing...
     

    Attached Files:

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You gave me two MBAM logs...one on the admin account and the other log is the account I want you to run it on....I will look at the log you attached as soon as I can.
     
  18. OnePiece92

    OnePiece92 Private E-2

    Hey, have you taken a look on the log yet? I'm starting to get kinda worried that you've dissed me here ;)
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ah....you are back...sorry.

    Download Blacklight Beta.

    * Download blbeta.exe and save it to the Desktop.
    * Once saved... double click blbeta.exe to install the program.
    * Click accept agreement and Click scan
    This app too may fire off a warning from antivirus. Let the driver load.
    Wait for it to finish.
    * If it displays any items...don't do anything with them yet. Just hit exit (close)
    * It will drop a log on Desktop that starts with fsbl....big number

    Please post contents of the BlackLight log.
     
  20. OnePiece92

    OnePiece92 Private E-2

    Well, when it was finished, it said "No items found"... But just in case it was referring to something else, here's the log for you ;)
     

    Attached Files:

  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please run the F-Secure Online Scanner

    Note: This Scanner is for Internet Explorer Only!

    • Follow the instructions here for installation.
    • Accept the License Agreement.
    • Once the ActiveX installs, click Full System Scan.
    • Once the download completes, the scan will begin automatically.
    • The scan will take some time to finish, so please be patient.
    • When the scan completes, click the Automatic cleaning (recommended) button.
    • Click the Show Report button and copy & paste the entire report in your next reply.
     
  22. OnePiece92

    OnePiece92 Private E-2

    Well...
    I tried running that scanner... First of all, apparently, I am not authorized to install that ActiveX control... But I can still do it, somehow... But when I run the scanner, it shuts down with an error called "ID: 12". I searched for it on the homepage, and it seems to be an error that says the scanner can't access certain files. Sounds like it has something to do with the not being authorized thing...

    So I Googled for help with the new ActiveX problem, but it seems there's nothing I can do about it. I have restored all internet settings to default, I have made sure Java and ActiveX are both enabled, and I AM an administrator... ;)

    Got any ideas?
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's try this one:

    Go to Bitscan : agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click-on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt), then in the File name box change the name to bdscan and click Save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

    Have you tried again to manually delete:
    C:\Windows\svchost.exe?
     
  24. OnePiece92

    OnePiece92 Private E-2

    Well, that scanner found six files, actually. Files or programs or whatever ;)
    Anyway, here's the log in .txt. Hope it works ;)

    And yes, I have tried to manually delete the svchost.exe. Several times. In Safe Mode, in the first Admin account and with the internet unplugged, in case that'd help somehow. I'm certainly no expert.
     

    Attached Files:

  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Well then...let's try again..:)

    We need to use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:

    KILLALL::

    File::
    C:\WINDOWS\system32\wowformf802_173.dll
    C:\WINDOWS\svchost.exe
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Combo.
     
  26. OnePiece92

    OnePiece92 Private E-2

    Here are the two logs! This feels like a success, since the antivirus hasn't given the usual warning about a bad svchost.exe yet. It always gives me two warnings at startup. Niice.

    But, I'm no expert, you are ;)
    So, here are the logs for ya!

    And even if it isn't clean yet, thanks a lot.
     

    Attached Files:

  27. OnePiece92

    OnePiece92 Private E-2

    Did a full system scan with my Avira AntiVir... Ehm. It found 61 files in total xD
    Although most of them were the same file with different names, I think. I deleted one file, ignored two, and sent the rest to quarantine (Didn't really know what to do, if I ruined anything, I'm really sorry).

    Anyway, I can attach a log for you. Take a look at it if you'd like, but I don't think it'll tell you anything you didn't know yet.
     

    Attached Files:

  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet.....Avira only found what was in quarantined files and in the System Restore files....which can only be removed by toggling System Restore.

     
  29. OnePiece92

    OnePiece92 Private E-2

    AAH! Seems to work great again! Thank you, TimW! Thanks a lot, really! You're the best!
    Could never have done it without your help, I am forever in your debt ;)

    Now that this virus is taken care of, I wish you all the best!
    Thanks again!
    Simon
     
  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome....safe surfing. :)
     