Trojan Crypt.XPack.Gen Infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by melm, Dec 19, 2009.

  1. melm

    melm Private First Class

    After installing and running Avira, the Trojan Crypt.XPACK was discovered. I attempted to clean with Avira, but it returned after reboot and toggling System Restore. It attempted to hijack Mozilla Firefox, but SpySweeper put a stop to that. A-squared Anti-Malware also halted it and quarantined the file, which showed up in a Comodo Temp file. After deletion and cleaning, and rebooting, and re-scanning, it came back. Did a complete recovery to "out-of-box state". Installed SpySweeper with a disk, then went back to the MG site to reinstall SAS, MBAM, Avira, a-squared Anti-Malware, and Spybot S&D. I downloaded IE8 from Microsoft, and Java from their sites. I did not go anywhere else, or download from another site. The next Avira scan showed this:

    Starting the file scan:

    Begin scan in 'C:\' <SQ004864P05>
    C:\hiberfil.sys
    [WARNING] The file could not be opened!
    [NOTE] This file is a Windows system file.
    [NOTE] This file cannot be opened for scanning.
    C:\pagefile.sys
    [WARNING] The file could not be opened!
    [NOTE] This file is a Windows system file.
    [NOTE] This file cannot be opened for scanning.
    C:\Documents and Settings\Satellite Pro\Local Settings\Temp\is-PVHLG.tmp\askBarSetup.exe
    [DETECTION] Contains recognition pattern of the APPL/AdInstaller.E application
    C:\System Volume Information\_restore{E6281E8D-5BCF-412A-8532-C7FE9ECF653A}\RP5\A0001706.exe
    [0] Archive type: NSIS
    --> ProgramFilesDir/uninst.exe
    [WARNING] No further files can be extracted from this archive. The archive will be closed
    [WARNING] No further files can be extracted from this archive. The archive will be closed
    C:\System Volume Information\_restore{E6281E8D-5BCF-412A-8532-C7FE9ECF653A}\RP6\A0001908.exe
    [0] Archive type: NSIS
    --> [UnknownDir]/NPSWF32_FlashUtil.exe
    [WARNING] No further files can be extracted from this archive. The archive will be closed
    [WARNING] No further files can be extracted from this archive. The archive will be closed
    C:\WINDOWS\system32\SsiEfr.exe
    [WARNING] The file could not be opened!
    C:\WINDOWS\system32\wrLZMA.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [WARNING] The file could not be opened!

    Beginning disinfection:
    C:\Documents and Settings\Satellite Pro\Local Settings\Temp\is-PVHLG.tmp\askBarSetup.exe
    [DETECTION] Contains recognition pattern of the APPL/AdInstaller.E application
    [NOTE] The file was moved to '4b97ee90.qua'!
    C:\WINDOWS\system32\wrLZMA.dll
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
    [WARNING] The source file could not be found.
    [NOTE] Attempting to perform action using the ARK library.
    [NOTE] The file was moved to '4b78ee8f.qua'!


    End of the scan: Saturday, December 19, 2009 10:15
    Used time: 15:34 Minute(s)

    The scan has been done completely.

    I have attached the files from Read & Run Me First.

    Your help is greatly appreciated.

    Melissa
     

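The log in the post above repays more than a glance at the [DETECTION] lines: the same file appears once in the scan pass and again in the disinfection pass, with a different outcome each time, and one of the two hits is a generic packer/crypter pattern rather than a named family. The script below is an added example written for this page, not code from the original poster, from Avira or from MajorGeeks. It parses a constructed, abbreviated copy of the posted log (only the line formats visible above are assumed), pairs each detected path with its quarantine result, and attaches triage flags saying what to check before deleting anything by hand. The flag rules are the editor's own heuristics, not anything Avira emits.

```python
"""Triage an Avira scan log: pair each detection with its disinfection result and
flag verdicts that deserve a second look before anything is deleted by hand."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an abbreviated copy of the Avira log quoted in the post above.
SAMPLE_LOG = r"""
Starting the file scan:
Begin scan in 'C:\' <SQ004864P05>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
C:\Documents and Settings\Satellite Pro\Local Settings\Temp\is-PVHLG.tmp\askBarSetup.exe
[DETECTION] Contains recognition pattern of the APPL/AdInstaller.E application
C:\WINDOWS\system32\wrLZMA.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] The file could not be opened!
Beginning disinfection:
C:\Documents and Settings\Satellite Pro\Local Settings\Temp\is-PVHLG.tmp\askBarSetup.exe
[DETECTION] Contains recognition pattern of the APPL/AdInstaller.E application
[NOTE] The file was moved to '4b97ee90.qua'!
C:\WINDOWS\system32\wrLZMA.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[NOTE] The file was moved to '4b78ee8f.qua'!
"""

# Line shapes taken from the posted log; nothing else about the format is assumed.
SECTION_RE = re.compile(r"^(Starting the file scan|Beginning disinfection):$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DETECT_RE = re.compile(r"^\[DETECTION\] (?:Is the|Contains recognition pattern of the) (\S+)")
QUAR_RE = re.compile(r"^\[NOTE\] The file was moved to '([^']+)'!$")

@dataclass
class Entry:
    section: str
    path: str
    signatures: List[str] = field(default_factory=list)
    unreadable: bool = False
    quarantine_file: Optional[str] = None
    delete_error: Optional[str] = None

def parse_avira_log(text: str) -> List[Entry]:
    """Group the bracketed status lines under the file path that precedes them."""
    entries: List[Entry] = []
    section = ""
    cur: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section, cur = m.group(1), None
        elif PATH_RE.match(line):
            cur = Entry(section=section, path=line)
            entries.append(cur)
        elif cur is None:
            continue                      # header lines such as "Begin scan in ..."
        elif (m := DETECT_RE.match(line)):
            cur.signatures.append(m.group(1))
        elif (m := QUAR_RE.match(line)):
            cur.quarantine_file = m.group(1)
        elif line == "[WARNING] The file could not be opened!":
            cur.unreadable = True
        elif line.startswith("[WARNING] An error has occurred"):
            cur.delete_error = line
    return entries

def triage(entries: List[Entry]) -> List[dict]:
    """One verdict per detected path, merging the scan and disinfection passes.
    The flag rules are the editor's triage heuristics, not anything Avira emits."""
    verdicts: Dict[str, dict] = {}
    for e in entries:
        if not e.signatures:
            continue
        v = verdicts.setdefault(e.path, {"path": e.path, "signature": e.signatures[0],
                                         "quarantine_file": None, "unreadable": False,
                                         "delete_error": None, "flags": []})
        v["unreadable"] = v["unreadable"] or e.unreadable
        v["quarantine_file"] = e.quarantine_file or v["quarantine_file"]
        v["delete_error"] = e.delete_error or v["delete_error"]
    for v in verdicts.values():
        sig, path, flags = v["signature"], v["path"].lower(), v["flags"]
        if sig.startswith("APPL/"):
            flags.append("potentially-unwanted-app")       # adware installer, not a trojan
        if sig.endswith(".Gen") or "/crypt." in sig.lower():
            flags.append("generic-heuristic")              # packer/crypter pattern, no named family
        if v["unreadable"]:
            flags.append("file-locked")                    # in use, or shielded by another product
        if "generic-heuristic" in flags and path.startswith("c:\\windows\\system32\\"):
            flags.append("verify-owner-before-deleting")   # may belong to installed security software
        if v["quarantine_file"] is None:
            flags.append("not-quarantined")
    return sorted(verdicts.values(), key=lambda v: v["path"])

def unscanned_files(entries: List[Entry]) -> List[str]:
    """Files the scan pass could not open and did not flag (hiberfil.sys, pagefile.sys, ...)."""
    return [e.path for e in entries
            if e.section == "Starting the file scan" and e.unreadable and not e.signatures]

if __name__ == "__main__":
    parsed = parse_avira_log(SAMPLE_LOG)
    for v in triage(parsed):
        print(f"{v['signature']}  {v['path']}")
        print(f"    quarantined as {v['quarantine_file']}; flags: {', '.join(v['flags'])}")
    print("not scanned:", ", ".join(unscanned_files(parsed)))
```

Run against the sample, the wrLZMA.dll hit comes out flagged generic-heuristic, file-locked and verify-owner-before-deleting, which is exactly the combination that should send you to check who installed the file (its digital signature or the vendor's own file list) before trusting a generic crypter detection; the askBarSetup.exe hit is classed as a potentially unwanted application rather than a trojan.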

  2. melm

    melm Private First Class

    Here is the MGtools log file.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean. C:\WINDOWS\system32\wrLZMA.dll is just part of SpySweeper.


    To remove any junk in System Volume Information, which is System Restore, you need to toggle System Restore to disabled and then enabled.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. After doing the above, you should work through the below link:
     
  4. melm

    melm Private First Class

    Thank you for your response, and help with this issue.

    I really appreciate your telling me that:

    "C:\WINDOWS\system32\wrLZMA.dll is just part of SpySweeper."

    I was getting paranoid. After the second recovery, I was convinced everything was clean. Then Avira reported the same infection. The same thing happened with my Vista system on my HP laptop. Only the person helping me didn't respond to my last question, involving the SpySweeper file.

    I have read the "How to Protect yourself from malware!" in the past. I have paid for MBAM and run SAS, CCleaner, SpySweeper on a regular basis. Until recently I had Trend Micro Internet Security installed and can still use it, but I was trying out other programs.

    I really would like to know your opinion of Trend Micro and Avira. Which would you prefer that I keep on my system?

    Melissa
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    I would not recommend having the protection from both MBAM and SpySweeper enabled. And note SpySweeper can be a serious resource hog.

    If you are going to use a security suite, you would have to uninstall SpySweeper and also not use the active protection of MBAM, since they can conflict and put too much drain on system resources. Avira would work just fine, and note it also has built-in antivirus protection. You could use Avira and MBAM together. I think they would work well. Spy Sweeper has been removed as one of my favorites for about 3 years now, since they became too resource hungry and just not as effective as they used to be. Also their logs are almost totally useless, and they have never attempted to address this in 4 to 5 years.

    A-squared is another item I would remove since it has a service running full time and it provides no protection and has serious false detection issues.
     
