TR/Crypt.XPACK.Gen Trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by wendybrendy, Feb 4, 2009.

  1. wendybrendy

    wendybrendy Private E-2

    I searched the forums on this and found the READ ME steps to possibly take care of this trojan, which would rename itself when my virus program quarantined or deleted the files. But after performing all the steps required in the READ ME (I have the logs for each scan), I just arrived home and there was another virus/malware notification on my screen: C:\System Volume Information\...A0218629.com. This looks like the same thing, but it has just changed its name again. The original ones were all under system files: A0214162.dll, A0214198.exe, A0214254.exe, A0214161.exe, A0214278.dll, A0214358.dll. The main difference here is that the original ones were either .dll or .exe; now this one is .com. Can anyone help with this? I have been working on this for 5 straight days. The notifications are not as frequent as they were, but I want to be done with this before I pull my hair out.
     
    Last edited: Feb 4, 2009
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    First off, no program will remove infected system restore files. They can only be removed by toggling system restore.

    If these are the only files being reported, then you can go ahead and do that. If not, then you need to attach the logs from the Read and Run First and wait until we can get to checking them. :)
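    Added example, not part of the thread or any tool mentioned in it: a small triage script that sorts scanner alert paths into Windows XP restore-point copies (files under System Volume Information\_restore{GUID}\RPnnn\ with generated A0nnnnnn names, which is how the "renamed" hits in the original post arise) and live files, then returns the advice TimW gives above. The sample alerts are constructed from the filenames quoted in the thread; the GUID and RP numbers are invented.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample alerts (detection name, path) modelled on the thread's hits.
# The _restore{GUID} and RPnnn components are invented; the thread elides them.
_RP = r"C:\System Volume Information\_restore{11111111-2222-3333-4444-555555555555}"
SAMPLE_ALERTS: List[Tuple[str, str]] = [
    ("TR/Crypt.XPACK.Gen", _RP + r"\RP212\A0218629.com"),
    ("TR/Crypt.XPACK.Gen", _RP + r"\RP210\A0214162.dll"),
    ("TR/Crypt.XPACK.Gen", _RP + r"\RP210\A0214198.exe"),
]

# On Windows XP, System Restore snapshots a changed file into
# <drive>:\System Volume Information\_restore{GUID}\RPnnn\A<7 digits>.<ext>,
# so one infected file can resurface under several generated names.
RESTORE_COPY_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}"
    r"\\RP(\d+)\\(A\d{7}\.[A-Za-z0-9]+)$",
    re.IGNORECASE,
)


def classify(path: str) -> str:
    """Return 'restore_point_copy' for a snapshot copy, 'live' for anything else."""
    return "restore_point_copy" if RESTORE_COPY_RE.match(path) else "live"


def triage(alerts: List[Tuple[str, str]]) -> Dict[str, object]:
    """Summarise alerts and pick the next step the thread recommends.

    Restore-point copies are not removable by a scanner; they go away only when
    System Restore is disabled (flushing the points) and re-enabled, and that
    should happen only once the live system scans clean.
    """
    kinds = Counter(classify(path) for _, path in alerts)
    live_paths = [path for _, path in alerts if classify(path) == "live"]
    if not live_paths:
        advice = ("all hits are restore-point copies: confirm clean scans, "
                  "then disable and re-enable System Restore")
    else:
        advice = ("live files detected: collect the scanner logs and finish "
                  "cleanup before touching System Restore")
    return {
        "restore_point_copies": kinds["restore_point_copy"],
        "live": kinds["live"],
        "live_paths": live_paths,
        "advice": advice,
    }
```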
     
  3. wendybrendy

    wendybrendy Private E-2

    Thank you very much. Do you think I should run any of the software again? When I was running the last step, MGTools, the first notification message came up. Then I left for work, and when I came back another one had appeared while I was gone. Can you tell me what you mean by toggling system restore? I am not a beginner, but I am not an expert and have not heard that phrase before.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Again, I caution you about toggling system restore unless you are sure you are clean. That means that your AV program and SAS as well as MBAM come up clean.

    To Disable System Restore (see Disable And Enable System Restore).
     
  5. wendybrendy

    wendybrendy Private E-2

    I will run each again and let you know if it comes up clean, or attach the logs if not. I am at my wit's end with this thing. Again, thanks so much.
     
  6. wendybrendy

    wendybrendy Private E-2

    Hey Tim,
    I have re-run SAS, Spybot, Malwarebytes, Combofix and MGTOOLS, and SAS I believe found 2 Rogue Systemguard 2008 entries on my computer. That is the program that mysteriously appeared on my computer before I started receiving all the notifications concerning TR/Crypt.XPACK.Gen. My daughter had been on the computer and I have no clue where she was surfing to get this. I have copied and pasted the SAS log and am attaching the rest to make sure that this is taken care of. I have not received any notifications since I re-ran all the tools, so I hope it is taken care of. Take a look and see what you see and let me know of any advice you might have. Also, I have Adaware as my spyware/malware program and Avira as my antivirus program. Are these sufficient, or do I need to keep the ones that were recommended to fix my computer? Any help would be greatly appreciated. Again, thank you for helping me keep my sanity...
    Brenda

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 02/04/2009 at 09:52 PM

    Application Version : 4.25.1012

    Core Rules Database Version : 3744
    Trace Rules Database Version: 1712

    Scan type : Quick Scan
    Total Scan Time : 00:38:11

    Memory items scanned : 483
    Memory threats detected : 0
    Registry items scanned : 506
    Registry threats detected : 2
    File items scanned : 7675
    File threats detected : 0

    Rogue.SystemGuard2009
    HKLM\Software\System Guard 2009
    HKLM\Software\System Guard 2009\Lic
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    According to your logs, your system is clean. Do read the last link:

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

      • Delete the C:\combofix folder from combofix (if it exists)

    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip file.
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work through the below link:

     
