
Can't Get Rid Of Trojan Tr/crypt.xpack.gen


bellringr


As I sit here in my fourth hour of trying to rid myself of these trojans, I am about to give up.

 

Last night, I suspect that a Flash "upgrade" was not what it said and I ended up with at least three trojans. My Avira caught them and I quarantined all seven things it brought to my attention. I then ran Ad Aware and it noted two registry changes and a bunch of tracking cookies and other less important items. I quarantined them all.

 

I then ran Avira several more times, but there are two .tmp files in my C:\ folder that won't go away. If they get quarantined, they just come back with new names. For example, ARKa and ARKb became ARKc and ARKd.

 

I also ran Spybot and it caught another registry change which turned off my Windows anti virus. I had tried to turn it back on, but it wouldn't.

 

I decided to just go back to a restore point from several days ago, but my computer doesn't seem to want to actually do a restore. I go to System Restore, choose the day and point, click Next, make sure all programs are closed, click the final Next, and....nothing. It literally does nothing. No errors, no churning or running, nada. Tried it in safe mode, same result. <_<

 

So, I can't restore, and I can't seem to get rid of this thing. Can someone please help? I've exhausted all my know-how and haven't seen anything else useful online. :)

 

Thank you!!


Have you gone to Start - Run - msconfig and clicked the Startup tab to see if there's anything running on start up that's reloading the virus? I've had that happen. You'll have to look at each entry to figure out what it is, but most are obvious and you can Google the name of the exe file on the rest.


Sounds like you are compounding your problem by using different programs which are used for different types of problems. You need to concentrate on one issue at a time, fix it and then move on to the next.

 

Start with your Antivirus.

 

I then ran Avira several more times, but there are two .tmp files in my C:\ folder that won't go away. If they get quarantined, they just come back with new names. For example, ARKa and ARKb became ARKc and ARKd.

 

Virus writers use different tricks to hide, reinstall, or prevent themselves from being removed. They run in the background under familiar names. They make a copy of themselves and rename the files with random characters or incremented letters. They start at boot from the Startup folder or from the registry. They replace valid Windows program names to appear valid...

 

Sad to say that sometimes the only option left is to wipe the HD clean and start from the beginning. This is usually the quickest and easiest solution.

 

The steps I take are:

Disconnect the PC from the Internet.

Reboot into safe mode.

I run MSCONFIG and remove all the garbage from STARTUP; only leave checks in things you need.

I run AntiVirus. Don't quarantine them, delete them...why keep them?

Reboot into safe mode and rerun AntiVirus.

Boot into normal Windows and run AntiVirus. If all is clear, move on to the next program and repeat these steps.

 

Research the virus you have; sometimes there are special steps needed to remove them, like editing the registry and manually deleting files.

 

If you are still having problems and tired of fighting it go to my original suggestion and start clean. Backup your data files and mail and whatever settings you need and start over.

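The two posts above (check the msconfig Startup tab for whatever is reloading the virus, and clear the autostart locations before scanning in Safe Mode) describe a manual walk through the usual persistence points. The following script is an added example, not code from the thread, that does the same walk read-only from an elevated PowerShell: it lists the Run/RunOnce keys, the Winlogon Shell and Userinit hooks, the Startup folders, and recently written .tmp files in the C:\ root like the ARKa/ARKb pair the original poster describes. The two-day window and the ProgramData path for the all-users Startup folder (Vista or later) are assumptions; adjust both to the machine in front of you.

```powershell
# Added example, not from the thread: enumerate the autostart locations that
# reloading malware commonly uses, then list recently written .tmp files in
# the C:\ root (the thread's ARKa/ARKb -> ARKc/ARKd pattern). Read-only: it
# changes nothing. Run from an elevated PowerShell, ideally in Safe Mode.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

"== Run / RunOnce entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath etc.
        "{0}`n    {1} = {2}" -f $key, $p.Name, $p.Value
    }
}

# Winlogon hooks: Shell should be 'explorer.exe' and Userinit should end in
# 'userinit.exe,' - anything appended after that comma is an extra loader.
"== Winlogon Shell / Userinit =="
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Get-ItemProperty -Path $winlogon | Select-Object Shell, Userinit | Format-List

# Per-user Startup folder, plus the all-users one (ProgramData path assumes
# Vista or later; on XP look under Documents and Settings\All Users instead).
"== Startup folders =="
$startupDirs = @([Environment]::GetFolderPath('Startup'))
if ($env:ProgramData) {
    $startupDirs += (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
}
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime
}

# Files like the thread's ARKa.tmp/ARKb.tmp that reappear under incremented
# names: .tmp files in the drive root written in the last two days. The
# 2-day window is an assumption; widen it to cover when the infection began.
"== Recent .tmp files in C:\ =="
Get-ChildItem -Path 'C:\' -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   $_.Extension -eq '.tmp' -and
                   $_.LastWriteTime -gt (Get-Date).AddDays(-2) } |
    Select-Object Name, Length, LastWriteTime, CreationTime
```

Anything in the Run keys or Winlogon values that you cannot account for is the thing to look up (and delete, along with the file it points to) before the next AV pass; if the .tmp files keep coming back after that, the loader is somewhere this script does not cover (a service, a scheduled task, a browser helper object) and the research step in the post above is the next move.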

Different AV companies call the same malware by different names, so it's not surprising that when I searched for xpack a lot of the results contained references to Avira, since they're the ones that use that name for it. However, a lot of those results also were complaints that Avira wasn't able to remove the threat. The Wikipedia article about Avira that I looked at mentioned that it rated poorly on threat removal.

 

It looks like Trend Micro calls this malware WORM_BAGLE, i.e. the Bagle Worm.

 

The next to worst thing that can happen with a malware infection is that you may have to wipe the system clean, reinstall Windows, and start from scratch.

 

The worst thing that can happen is if the malware renders the computer unusable before you even get the chance to save your files before you wipe the system clean, reinstall Windows, etc.

 

I think what I'd do in this situation is:

 

1) If you already have backups (such as on CD or DVD) of all your personal (non-system) files on your computer, leave those alone; don't touch them. Even if they're old versions of your files, at least they're uninfected.

 

2) Make a complete new backup set. There's some risk this set will be infected. Can't be avoided. You can scan these files later with your new AV program.

 

3) Buy and run a top-tier antivirus program. Not a free one. Norton, Trend Micro, one of the big ones.

 

There is a common factor to many of the forum posts I see from people battling infections: they were using free AV programs such as AVG or Avira, so I don't think much of free AV programs.

 

Even in the unlikely event that Norton, or whatever you select, proves unable to clean the system because too much damage was done before the AV was installed, the $50 you spend will better protect you in the future.

 

Here is a page at Symantec about one of the Bagle variants (which it calls Beagle):

hxxp://www.symantec.com/security_response/writeup.jsp?docid=2004-071912-1847-99&tabid=2

 

It likely isn't the variant you have, but it gives some idea of the sophistication you are up against and what locations you may need to look to find the bad programs, registry keys, etc. if you continue to try to fix the problem manually.

Edited by SteveW

There is a common factor to many of the forum posts I see from people battling infections: they were using free AV programs such as AVG or Avira, so I don't think much of free AV programs.

 

Sorry, but I'll need to disagree here. AVG has been one of the top-ranked AV programs for some time and is used by a lot of folks for that reason. It's even ranked higher than "the big ones" you mention. So lumping it into a group just because it's free is wrong.


The best advice is ALWAYS SCAN ALL downloads before you install them, and only go to the site that puts out the software, i.e. Adobe, Java, etc. Second, I personally use Avast and Spybot Search and Destroy, ALL FREE. The only paid program I have is Outpost firewall, and that is because good FREE programs are limited for a 64-bit Vista system. And may I add that with what I run I have not had a case of a virus or spyware in so long I cannot even remember when the last one was. Now on a personal note, I would not use Norton if they gave it to me for free and paid ME to use it.

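The post above says to scan every download and take installers only from the vendor's own site, which is exactly the step that the fake Flash "upgrade" in the first post bypassed. Two checks go further than a signature-based scan: is the installer Authenticode-signed by the vendor you expected, and does its hash match the one the vendor publishes? The script below is an added example, not code from the thread; the installer path and the expected hash are placeholders (assumptions) to be replaced with the real download and the value from the vendor's download page. The SHA-256 is computed with the .NET class directly so it also runs on hosts older than PowerShell 4, which is where Get-FileHash first appeared.

```powershell
# Added example, not from the thread: two checks to run on a downloaded
# installer before executing it. The file path and the expected hash are
# placeholders (assumptions); take the real hash from the vendor's download
# page and the file from the vendor's own site, not a pop-up "upgrade" prompt.

param(
    [string]$Installer = 'C:\Users\me\Downloads\install_flash_player.exe',  # placeholder
    [string]$ExpectedSha256 = ''                                            # from vendor page
)

function Get-FileSha256 {
    param([string]$Path)
    # Get-FileHash needs PowerShell 4+; compute the digest directly so this
    # runs on the XP/Vista-era hosts discussed in the thread.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLowerInvariant()
}

if (-not (Test-Path $Installer)) { throw "File not found: $Installer" }

# 1. Authenticode: is the file signed, does the chain verify, and who signed it?
#    A valid signature from an unexpected signer is still a reason not to run it.
$sig = Get-AuthenticodeSignature -FilePath $Installer
"Signature status : {0}" -f $sig.Status
if ($sig.SignerCertificate) {
    "Signer           : {0}" -f $sig.SignerCertificate.Subject
    "Issuer           : {0}" -f $sig.SignerCertificate.Issuer
}
if ($sig.Status -ne 'Valid') {
    Write-Warning 'Unsigned or invalid signature: do not run this installer.'
}

# 2. Hash: does it match what the vendor published?
$actual = Get-FileSha256 -Path $Installer
"SHA-256          : $actual"
if ($ExpectedSha256) {
    if ($actual -eq $ExpectedSha256.ToLowerInvariant()) {
        'Hash matches the vendor-published value.'
    } else {
        Write-Warning 'Hash does NOT match the vendor-published value: do not run this installer.'
    }
}
```

Neither check replaces the AV scan the post recommends; they catch the case the scan misses, a repackaged installer that no signature database knows about yet, because a repackaged binary cannot carry the vendor's valid signature or reproduce the vendor's published hash.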

JTD - I know, it was stupid on my part. I'm usually very careful, but this one got by me. :(

 

Somehow, some way, those reproducing files seem to be gone, and Avira has given me a clean bill of health. I did have a time getting my Security Center to turn back on as the little nasty worm/trojan had deactivated it. Doing a run - services.msc got that back up. Darn thing also wiped all my prior restore points (not that I was able to use them anyway).

 

I ran SpyBot a couple of times, and the only thing it found was that my registry had been changed to turn off the Security Center.

 

I'm currently installing Avast just as a backup check.

 

I always worry that there is something still lurking out there that isn't being caught, and that my passwords will be compromised. :) I guess there's nothing else to do but keep running my anti spy, mal, and adware programs as I have been.

 

Thanks for all of your advice! It's such a benefit to be able to come here and find so many friendly people willing to help. :)

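The original poster got Security Center running again through services.msc after the malware had switched it off, and Spybot reported the registry change that disabled it. The script below is an added example, not code from the thread, that does both halves from an elevated PowerShell: it reads the wscsvc service's state and start mode through WMI (which works on PowerShell versions that predate Get-Service exposing StartType), re-enables and starts it if needed, and then resets the "disable notify" and "override" values under the Security Center key. Those value names are the ones that key carries on XP and Vista; the thread does not say which of them the malware flipped, so treating all of them as candidates is an assumption.

```powershell
# Added example, not from the thread: check whether the Security Center
# service (wscsvc) has been disabled and whether the notification-suppressing
# values under the Security Center key have been set, then put them back.
# Which values the thread's malware changed is not stated; the list below is
# an assumption covering the values that key uses on XP/Vista. Run elevated.

$svc = Get-WmiObject -Class Win32_Service -Filter "Name='wscsvc'"
if ($null -eq $svc) {
    Write-Warning 'Security Center service (wscsvc) is not installed on this system.'
} else {
    "wscsvc: State={0} StartMode={1}" -f $svc.State, $svc.StartMode
    if ($svc.StartMode -eq 'Disabled') {
        Set-Service -Name wscsvc -StartupType Automatic
        'wscsvc start type reset to Automatic'
    }
    if ($svc.State -ne 'Running') {
        Start-Service -Name wscsvc
        'wscsvc started'
    }
}

# Values that hide the "no antivirus / no firewall / no updates" warnings.
$scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$notifyValues = 'AntiVirusDisableNotify', 'FirewallDisableNotify',
                'UpdatesDisableNotify', 'AntiVirusOverride', 'FirewallOverride'
if (Test-Path $scKey) {
    $props = Get-ItemProperty -Path $scKey
    foreach ($name in $notifyValues) {
        $current = $props.$name          # $null when the value is absent
        if ($current -eq 1) {
            "$name was 1 (warnings suppressed); resetting to 0"
            Set-ItemProperty -Path $scKey -Name $name -Value 0 -Type DWord
        }
    }
} else {
    Write-Warning "$scKey not found on this system."
}
```

If the service or any of these values is back to the disabled state after the next reboot, something is still running and re-applying the change, which is the same signal as the reappearing .tmp files: go back to the autostart locations before trusting the clean scan result.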

Sorry but I'll need to disagree here. AVG has been one of the top ranked AV programs for some time and is used by a lot of folks for that reason. Its even ranked higher than "the big ones" you mention. So lumping it into a group just because its free is wrong.

To clarify, and make matters even worse (for me), I was actually lumping Avira in with the free one I had the more serious reservations about: AVG. It was during a few weeks last summer when I ran across the flurry of forum posts. After reading so many reports of infection from AVG users, I'd start reading a new post from someone whose PC got infected, and predict they were using AVG, and they usually were. Yes, there's more than one possibility as the reason for this. If AVG has 80% of the market, you'd assume the volume of complaints would be proportionately high. Problem was, no other AV had so many failures during that period (of the random selection of posts I viewed). However it may rate usually, AVG was falling down during that period, which definitely affected my perception of it. And there always seem to be posts from people using other free AV. But viruses getting past the big-name programs seems, to me at least, based on the forum posts I've seen, to be less common.

 

The only free antimalware program I had good trust in was LavaSoft AdAware, which however wasn't for viruses.

 

The two "big ones" I mentioned were merely the ones I've used and considered good. It bugs me that Trend Micro has basically fallen off the radar of those who test AV and don't bother to test it anymore, though it doesn't seem to bother Trend that much.

 

Something I saw once, maybe from a Trend spokesperson, about AV rankings has stuck with me, which is that AV testers tend to use a zoo of viruses, some of which are ancient, no longer in the wild, and aren't current threats. An AV program can be optimised to rank well against the zoo and yet fail to do well with heuristic methods against more real and emerging current threats. In addition, protecting against thousands of non-real threats can make a program unnecessarily bigger and slower. That discussion no doubt influenced my decision to base my personal "ratings" on the experiences I see real people having with their AV, and I tend to take ratings and rankings with some grains of salt.

 

Someone's AV decision would also be based on the value (real and perceived) of what's on their PC. If someone basically just browses the web, doesn't save anything important, and doesn't mind the risk that occasionally they might lose everything and have to start fresh, AV might be less important to them. As the cost, or time required, for a system restoration goes up, so does the value of good AV protection. It's true I don't trust free ones as much as the paid, but I'm perfectly happy to agree to disagree on that. One thing I like about the paid ones is that those companies tend to have active and respected research departments that work on new methods of detection. In addition to having had good experiences with paid products, I get some satisfaction from supporting that research.

 

One thing that I do consider important, when protection is important at all, is real-time protection. Finding an infection with a manual scan after it's already gotten in doesn't make much sense to me.

 

Good links to resources in this thread, like the MalwareBytes, and the scanforfree link that specifically addresses the TR/Crypt.xpack.gen.


It was during a few weeks last summer when I ran across the flurry of forum posts. After reading so many reports of infection from AVG users, I'd start reading a new post from someone who's PC got infected, and predict they were using AVG, and they usually were.

 

Ok, I understand your reason, but why continue to hate it when it may be all right now? Everyone has a slump or a bad day/period, and it would not be fair to only judge them because of that period. A home-run hitter has these sometimes, and I wouldn't put them on the bench forever because they went 3 weeks without a home run.

 

I remember a couple of years ago McAfee had one of these "problems" where an update to the signature file was corrupt and pushed out to the public, and to fix it you had to manually download the old signature and load it. The problem was that not everyone read this fix or heard about it, and there were lots of complaints and problems...until the next signature file came out a couple of weeks later.

 

This sort of thing happens to a lot of companies, and I don't think you should judge on one misstep. A lot of folks use AVG. I don't, but I wanted to give the other side of the issue.


I stopped using AVG when I scanned a download, it told me it was clean, and it actually wasn't. On top of that, the trojan that was hidden in it was a fairly common one that shouldn't have been hard to find.

 

Studies I read (can't vouch for their accuracy) showed that Avira was better at preventing infection so I switched, and I have been pretty happy with them overall. I really couldn't say whether the pay ones are better in general or not. My old McAfee never did a darn thing for me except waste my money.

 

I ran the malwarebytes and found 12 additional issues - thanks Bruce!

 

I think (knock on wood) that my system is clean now. :)

Edited by bellringr

This sort of thing happens to a lot of companies

True, and some of the missteps have been even more embarrassing than the McAfee one.

 

Any antivirus at all is better than none, which is what a lot of people have.

 

Now on a personal note I would not use Norton if they gave it to me for free and paid ME to use it.

That was the prevailing opinion at my renewal time for Norton in 2006. A couple hundred negative customer reviews at Amazon, some saying things like, "This is worse than a virus" are why I have experience with two paid programs. But I give them credit for gradually redeeming themselves. Either that or the fear has worn off with time.

 

:) That's way off topic. Just felt like mentioning it.

Edited by SteveW

That was the prevailing opinion at my renewal time for Norton in 2006.

 

Well, this is where I agree with you: every box that crosses my desk, I remove Norton if it's there. This is not because of one bad period; I've had several first-hand experiences where one of their programs has trashed a computer. The only program of theirs I use is Ghost.


If someone basically just browses the web, doesn't save anything important, and doesn't mind the risk that occasionally they might lose everything and have to start fresh, AV might be less important to them. As the cost, or time required, for a system restoration goes up, so does the value of good AV protection.

To use that analogy, why run an AV program at all? The biggest problem I see with people and their AV choice is they don't keep it updated. Not updating it is the same as not having it on there at all.

 

 

I ran the malwarebytes and found 12 additional issues - thanks Bruce!

Glad it helped.


The biggest problem I see with people and their AV choice is they don't keep it updated.

 

What I find on most of the PC's I work on is that the owners don't know what they are supposed to do. They buy a PC and it came with an AV pre-installed and they are given nag screens every so often to subscribe or purchase the program. They click the don't ask again button and forget about it.

 

Two years down the road they ask me how they could be infected, they have so-and-so running...Now this is not as bad as it used to be, but it still happens.

 

I usually don't care which AV program they use and don't recommend any specific one. But I do tell folks to get one and if they have one keep it updated. Having one is better than not having one ;)
