
Topic: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response


Tatterdemalion

    Topic Starter


    Intermediate

    TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
    « on: June 11, 2014, 10:28:49 AM »
    Hi

    I am running a Windows XP Professional laptop with Avira Free Antivirus. The real-time protection element of this software has detected 'TR/Crypt.XPACK.Gen [trojan]'.

    It highlighted it initially as a .dll file in my e-mail program. It said it was called "sqlite.dll" and asked if I would like to remove it.

    I said YES.

    It said it had deleted the rogue file.

    I then checked the location of the sqlite file. It was NOT there. What WAS there was a file called "sqlite3" with a "3". I ran the virus checker on that and it said it was O.K. so I assume it is a legitimate file.

    I looked in my Avira log and found THREE events flagged up as DETECTIONS.

    The one for the file that had infiltrated my e-mail program said its response was to "Deny access".

    After that were two events which look to be the same but, worryingly, say the program response is to "Allow access". I will quote --->

    EVENT 2

    11/06/2014 16:41 [Real-Time Protection] Malware found
          Virus or unwanted program 'TR/Crypt.XPACK.Gen2 [trojan]'
          detected in file 'C:\WINDOWS\system32\dwwin.exe.
          Action performed: Allow access

    EVENT 3

    11/06/2014 16:41 [Real-Time Protection] Malware found
          Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
          detected in file 'C:\WINDOWS\system32\dwwin.exe.
          Action performed: Allow access

    Please advise as to whether I need to take action.

    Thanks for your expertise...

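As an added example, not code from the thread or from Avira, the following Python script parses Real-Time Protection events in the shape transcribed above and flags every detection whose recorded action was "Allow access", since those are the files the scanner reported but did not block. The log text is constructed from the posted events; the sqlite.dll path is a placeholder because the post gives no full path.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of the Avira Real-Time Protection events quoted
# in the post; the sqlite.dll path is a placeholder (the post names no full path),
# and the two dwwin.exe events are as transcribed, missing closing quote included.
SAMPLE_LOG = r"""
11/06/2014 16:40 [Real-Time Protection] Malware found
      Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
      detected in file 'F:\PLACEHOLDER\sqlite.dll'.
      Action performed: Deny access

11/06/2014 16:41 [Real-Time Protection] Malware found
      Virus or unwanted program 'TR/Crypt.XPACK.Gen2 [trojan]'
      detected in file 'C:\WINDOWS\system32\dwwin.exe.
      Action performed: Allow access

11/06/2014 16:41 [Real-Time Protection] Malware found
      Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
      detected in file 'C:\WINDOWS\system32\dwwin.exe.
      Action performed: Allow access
"""

HEADER = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}) \[(.+?)\] (.+)$")
NAME = re.compile(r"Virus or unwanted program '(.+?)'")
# Tolerates the transcription's missing closing quote and trailing full stop.
FILE = re.compile(r"detected in file '(.+?)'?\.?$")
ACTION = re.compile(r"Action performed: (.+)$")


@dataclass
class Event:
    timestamp: str
    source: str
    name: str
    path: str
    action: str


def parse_events(text: str) -> List[Event]:
    """Group the indented continuation lines under each dated header line."""
    events: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            current = {"timestamp": header.group(1), "source": header.group(2),
                       "name": "", "path": "", "action": ""}
            events.append(current)
            continue
        if current is None:
            continue  # stray line before the first header
        for key, pattern in (("name", NAME), ("path", FILE), ("action", ACTION)):
            m = pattern.search(line)
            if m:
                current[key] = m.group(1)
                break
    return [Event(**e) for e in events]


def allowed_detections(events: List[Event]) -> List[Event]:
    """Detections the scanner logged but then let through ('Allow access')."""
    return [e for e in events if e.action.lower().startswith("allow")]


def summarize(text: str) -> Dict[str, object]:
    events = parse_events(text)
    allowed = allowed_detections(events)
    return {
        "total": len(events),
        "allowed": [(e.timestamp, e.name, e.path) for e in allowed],
        # Distinct files to verify by other means (hash against a known-good
        # copy, SFC) rather than treating the 'Malware found' line as handled.
        "paths_to_review": sorted({e.path for e in allowed}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A "Deny access" entry means the scanner blocked the file; an "Allow access" entry on a generic (.Gen) detection means the file was reported but left in place, so it needs a separate integrity check rather than being counted as cleaned.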
    SuperDave

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Thanked: 1020
    • Certifications: List
    • Experience: Expert
    • OS: Windows 10
    Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
    « Reply #1 on: June 11, 2014, 03:07:57 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *************************************************************************
    Please download AdwCleaner by Xplode onto your Desktop.

    Before starting AdwCleaner, close all open programs and internet browsers, then double-click on the AdwCleaner icon.

    If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.
    When AdwCleaner opens, click on the Scan button.

    AdwCleaner will now start to search for malicious files that may be installed on your computer.
    To remove the files that were detected in the previous step, please click on the Clean button.

    AdwCleaner will now prompt you to save any open files or data as the program will need to reboot the computer. Please do so and then click on the OK button. AdwCleaner will now delete all detected adware from your computer. When it is done it will display an alert that explains what PUPs (Potentially Unwanted Programs) and Adware are. Please read through this information and then press the OK button. You will now be presented with an alert that states AdwCleaner needs to reboot your computer.
    Please click on the OK button to allow AdwCleaner to reboot your computer. A log will be produced. Please copy and paste this log in your next reply.
    *********************************************
    Please download Malwarebytes Anti-Malware from here.
    Double-click mbam-setup.exe to install the application.
    • It should update automatically if the computer is connected to the internet.
    • Click on Threat Scan and click on Scan Now.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete make sure all the infections have "quarantine" selected in the Action box.
    • Click on "Quarantine All". You may be asked to restart your computer to completely remove the infections.
    • When disinfection is completed you can click on "Copy to Clipboard".
    • Paste the log in your next reply (CTRL+V).
    *************************************************
    Please download Junkware Removal Tool to your desktop.

    Warning! Once the scan is complete JRT will shut down your browser with NO warning.

    Shut down your protection software now to avoid potential conflicts.

    • Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator.

    • The tool will open and start scanning your system.

    • Please be patient as this can take a while to complete depending on your system's specifications.

    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

    • Copy and paste the JRT.txt log into your next message.
    Windows 8 and Windows 10 dual boot with two SSD's

    Tatterdemalion

      Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
      « Reply #2 on: June 11, 2014, 04:05:06 PM »
      Thank you very much for your reply. I have downloaded the three applications that you indicated but - so far - only begun to run the first one - AdwCleaner.

      I ran the scan and nothing was found in Services, Folders, Files, Shortcuts or Internet Explorer.

      Firefox shows two files ending .js

      Chrome has four lines of information in User Data\Default\preferences.

      There aren't any check boxes in the tabs referring to the browsers.

      I have 12 results in Registry. They are all "Keys" and all have their "Key" boxes checked ready for me to agree to "Clean" them.

      As I don't know what any of these items actually ARE, how I acquired them or if it is OK to allow them to be removed, I will attempt to re-present the list (with as few typos as possible (!))

      HKLM\SOFTWARE\Classes\AppID\secman.DLL
      HKLM\SOFTWARE\Classes\S
      HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager
      HKLM\SOFTWARE\Classes\secman.OutlookSecurityManager.1
      HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}
      HKLM\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
      HKLM\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
      HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
      HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
      HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
      HKCU\Software\Myfree Codec
      HKLM\Software\Myfree Codec

      Please let me know if I should agree to "Clean" (I assume this means "Delete") all of these.

      Thanks.

      SuperDave

      Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
      « Reply #3 on: June 11, 2014, 05:35:35 PM »
      Yes, clean and post the other logs.

      Tatterdemalion

        Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
        « Reply #4 on: June 12, 2014, 12:25:36 AM »
        Hi

        Thank you for helping me.

        When I returned to the compromised computer this morning to run the "Clean" process I found the screen had turned black and the machine would not respond. I tried connecting a mouse to see if that would wake it up but the USB peripheral was not detected. I tried pressing FN & F4 key combinations to activate the screen with no success. I tried lowering the laptop lid in the hope of resting the PC in order to revive it by raising it afterwards. I tried disconnecting wired internet by physically removing the ethernet cable.

        None of these procedures helped so I switched the computer off.

        My first re-boot did not load in the trackpad control. This often happens on this computer which is a Lenovo ThinkPad T61. I re-booted a second time and the trackpad cursor control worked as it should.

        Loading personal settings took a long time and I think my external F drive was looked at a lot. That is where the FIRST of the virus instances was said to be. The one that was CLEARLY reported to me and that I was prompted to delete. I only knew about the two other occurrences by looking at Avira's logs.

        When the Desktop had fully loaded the Program Icons for the three applications you suggested I should download were NEATLY ordered. When I had left the machine, those had been positioned in a higgledy-piggledy manner. I don't know if it is indicative of anything that they had been tidied up.

        I ran the AdwCleaner program's scan again and it returned identical results to those revealed previously. I pressed "Clean" but was immediately met with a cascade of failures all piling up on top of each other. Most of these were boxes asking me if I wanted to send Error Reports. Initially I think these were items from my Task Bar. From the top to the bottom of the first swathe were:

        EEventManager (Don't know what that is)
        Kies (Samsung Mobile Phone Software)
        Secunia PS1 (Program Version Checker/Updater)
        Volume Panel (Creative Labs Soundcard volume control)
        Synaptics TouchPad Enhancement (Touchpad)

        DLL Module Loader (Don't know)
        adwcleaner_3.212

        Next I saw:

        "To help protect your computer, Windows has closed this program CTF Loader Microsoft Corporation
        CTF Loader has encountered a problem and needs to close."

        and

        "DLG.exe has encountered a problem"

        Then further programs were cited sometimes repeatedly.

        CTF Loader
        Canon My Printer
        Microsoft Works Calendar Reminder
        CNSG
        Spotify
        CNSEPDT.EXE
        Microsoft Works Calendar
        Kies Tray Agent

        I think it was at 06:25 that I found I could not close the KiesTray Agent Error report box.

        Previously I had been able to manually shut boxes as I moved down that extensive initial pile. I think SOME were closing on their own which is why I didn't have time to copy down
        the "CNSG" program.

        With the KiesTray Agent Error report box unclosable, I could see there was another Error Report box underneath it and the AdwCleaner program right at the bottom.

        I pressed CTRL-ALT-DEL to access Task Manager. I randomly chose to stop Nitro PDF Reader and then saw

        "Data Execution Prevention - To help protect your computer Windows has closed this program Run a DLL as an App.
        Run a DLL as an App has encountered a problem."

        Looking at a REAL non-computer clock I saw that the time was actually 06:37 and NOT 06:25 and realised my computer must have frozen at that earlier time.

        Trying to move the Windows Task Manager box around the screen resulted in me getting a trail of dozens of instances. They may not actually have been SEPARATE. It might be a graphical trail where the screen is not being updated properly.

        I tried closing my Wacom Pen Tablet driver from the list of active processes because it was something I recognised the name of and I hoped I would be able to get all the boxes from in front of the AdwCleaner program to try to run it again.

        Stopping the tablet driver didn't let me get back to AdwCleaner and I had a screen full of TaskManager boxes and a computer "stuck" at 06:25 so I came here and began typing this message.

        In the time it took me to type this, my screensaver began running on the infected computer. When I touched it my white cursor was visible and moveable but I couldn't get the proper computer image to return. Under the cursor, the screen was just black.

        Eventually I switched the PC off by long pressing the power button.

        Please advise.

        ADDITIONAL INFORMATION:

        Last night - before coming here - I ran a Search for all instances of "dwwin" and got these results -->

        DWWIN C:\I386\DRW 159KB Application 04/08/2004 13:00

        DWWIN.EXE-30875ADC.pf C:\WINDOWS\Prefetch 68k PF File 11/06/2014 16:42

        dwwin C:\WINDOWS\system32 176KB Application 14/04/2008 01:12

        dwwin C:\WINDOWS\ServicePackFiles\i386 176KB Application 14/04/2008 01:12

        The second entry's time stamp corresponds with when Avira detected and alerted me to a problem.

        SuperDave

        Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
        « Reply #5 on: June 12, 2014, 12:44:53 PM »
        Please do this even if you don't have your OS disk and tell me what happens.
        Do you have an XP CD?

        If so, place it in your CD ROM drive and follow the instructions below:
        • Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
        • Let this run undisturbed until the window with the blue progress bar goes away
        SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.
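As an added example (not code from the thread, from Lenovo or from Microsoft), the Python below does by hand what the SFC description above relies on: it hashes the live copy of a system file and compares it with the copies SFC restores from, %Systemroot%\System32\Dllcache and the ServicePackFiles\i386 copy, which is also where the earlier dwwin search found a file with the same size and date as the system32 one. The 2004 copy under C:\I386\DRW is left out on purpose because a pre-service-pack copy legitimately differs. The demo runs on constructed temporary files, not on real Windows binaries.

```python
import hashlib
import os
import tempfile
from typing import Any, Dict, List


def sha256_of(path: str, chunk: int = 1 << 16) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def xp_reference_paths(name: str = "dwwin.exe", systemroot: str = r"C:\WINDOWS") -> List[str]:
    """Where SFC on XP would pull a pristine copy from: Dllcache, and the copy
    the service pack installer leaves under ServicePackFiles. The 2004 copy in
    C:\\I386\\DRW is excluded because it predates the service pack and differs legitimately."""
    return [
        os.path.join(systemroot, "system32", "dllcache", name),
        os.path.join(systemroot, "ServicePackFiles", "i386", name),
    ]


def compare_copies(live_path: str, reference_paths: List[str]) -> Dict[str, Any]:
    """Hash the live file and every reference copy; report matches and mismatches."""
    live = sha256_of(live_path)
    result: Dict[str, Any] = {"live_sha256": live, "matches": [], "mismatches": [], "missing": []}
    for ref in reference_paths:
        if not os.path.isfile(ref):
            result["missing"].append(ref)
        elif sha256_of(ref) == live:
            result["matches"].append(ref)
        else:
            result["mismatches"].append(ref)
    if result["mismatches"]:
        result["verdict"] = "differs from a reference copy: review"
    elif result["matches"]:
        result["verdict"] = "matches reference copies"
    else:
        result["verdict"] = "no reference copy available"
    return result


def demo() -> tuple:
    """Constructed stand-ins for the XP copies; returns the verdict before and
    after the live copy is overwritten with different bytes, plus the count of
    reference paths that did not exist."""
    with tempfile.TemporaryDirectory() as tmp:
        refs = [os.path.join(tmp, "dllcache_dwwin.exe"), os.path.join(tmp, "sp_dwwin.exe")]
        live = os.path.join(tmp, "live_dwwin.exe")
        for p in refs + [live]:
            with open(p, "wb") as fh:
                fh.write(b"MZ" + b"\x90" * 64)  # constructed bytes, not a real PE
        intact = compare_copies(live, refs)["verdict"]
        with open(live, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 64)  # simulate a replaced file
        replaced = compare_copies(live, refs + [os.path.join(tmp, "absent.exe")])
        return intact, replaced["verdict"], len(replaced["missing"])


if __name__ == "__main__":
    print(demo())
    print(xp_reference_paths())
```

Treat a match on the live machine as a first check only: a Dllcache copy can be altered on a compromised system, so a known-good hash taken from clean install media, or a comparison done with the disk mounted from another system, is the stronger evidence.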

          Tatterdemalion

          Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
          « Reply #6 on: June 12, 2014, 01:27:29 PM »
          Hi

          My computer is a Lenovo ThinkPad T61. They are a bit strange in that the operating system is provided on a shielded compartment. I'm not sure if you are meant to access recovery using the BLUE BUTTON. I might then need recovery disks that I generated a couple of years ago and that can only be made ONCE. I do not know where mine are. I can't find an original Windows XP CD. I *do* have something called a "Product Recovery CD-ROM" that came with a Desktop PC. It says it is for the software that was pre-installed on THAT machine. I don't know what will happen if I follow your instructions given that I have a Lenovo that is a bit non-standard and a Recovery disk not a full independent CD.

          Please advise. I'm scared if I put the Evesham Micros CD recovery disk into my Lenovo and let it loose I may find myself in a worse situation.

          ADDITIONAL INFORMATION : I have just found the CD that came with my other Windows XP desktop machine. That too is only a "Recovery CD-ROM".

          SuperDave

          Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
          « Reply #7 on: June 12, 2014, 06:49:38 PM »
          Please run SFC without any disk in the drive. If there are corrupt or missing files, it will ask for the disk.

            Tatterdemalion

            Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
            « Reply #8 on: June 13, 2014, 01:40:23 AM »
            Hi

            I ran SFC and watched the blue progress bar all the way to completion. At 100% the box vanished with no comment or request.

            SuperDave

            Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
            « Reply #9 on: June 13, 2014, 04:10:42 PM »
            Is the computer still acting up?

              Tatterdemalion

              Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
              « Reply #10 on: June 13, 2014, 09:42:21 PM »
              Thank you for your help...

              I haven't tried to run Adwarecleaner again yet or any of the other software that you suggested. Firefox will "get stuck" after a few hours of usage. THAT has been happening for months. I thought it might just be because that browser seems to constantly rack up more and more RAM usage over time. It frequently complains of a plug-in not responding. I use YouTube a lot and wonder if it is to do with adverts being loaded in - especially as so many of the clips now require ads to run before and sometimes at set points during videos now.

              I usually have to shut Firefox with Task Manager and then plugin.exe as well.

              Oh! When I did this last night - I CTRL-ALT-DELed for the Task Manager ONCE but about FIVE instances appeared on the task bar.

              Before I set the Task Manager process list to order by RAM usage, something called EEventManager was at the top.

              SuperDave

              Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
              « Reply #11 on: June 14, 2014, 12:32:29 PM »
              Quote:
              > Firefox will "get stuck" after a few hours of usage. THAT has been happening for months. I thought it might just be because that browser seems to constantly rack up more and more RAM usage over time. It frequently complains of a plug-in not responding. I use YouTube a lot and wonder if it is to do with adverts being loaded in - especially as so many of the clips now require ads to run before and sometimes at set points during videos now.

              You could try resetting FF to its default. If that doesn't do anything, uninstall and re-install it.

              Quote:
              > Before I set the Task Manager process list to order by RAM usage, something called EEventManager was at the top.

              This has something to do with an Epson printer.

                Tatterdemalion

                Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                « Reply #12 on: June 14, 2014, 02:24:13 PM »
                Thank you. I have an Epson scanner so that probably explains the EEventManager. Should I not be trying to run the Adwcleaner program again?

                SuperDave

                Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                « Reply #13 on: June 14, 2014, 05:49:01 PM »
                I use Adblock plus to eliminate those annoying ads especially on YouTube.
                What other pop-ups are you receiving now?

                  Tatterdemalion

                  Re: TR/Crypt.XPACK.Gen [Trojan] and Avira's Response
                  « Reply #14 on: June 15, 2014, 12:15:54 AM »
                  My situation was that I got a real-time virus/trojan detection from Avira. It said it had deleted one file and labelled it with "Deny access".

                  When I looked in Avira's "Events" it showed two further instances of the named Trojan like this -->

                  EVENT 2

                  11/06/2014 16:41 [Real-Time Protection] Malware found
                        Virus or unwanted program 'TR/Crypt.XPACK.Gen2 [trojan]'
                        detected in file 'C:\WINDOWS\system32\dwwin.exe.
                        Action performed: Allow access

                  EVENT 3

                  11/06/2014 16:41 [Real-Time Protection] Malware found
                        Virus or unwanted program 'TR/Crypt.XPACK.Gen [trojan]'
                        detected in file 'C:\WINDOWS\system32\dwwin.exe.
                        Action performed: Allow access

                  I am concerned that they say "*Allow* access".

                  When I Googled the Trojan it looked like it might be a Keylogger disguised as Dr Windows.

                  After the infection I came here for assistance and tried to run the Adwcleaner software that you suggested should be my first action.

                  When that program threw up so many Error screens and didn't appear to run properly, I thought that might be confirmation that my dwwin file had been replaced by a bogus application.

                  I ran the SFC as per your instructions.

                  The blue bar ran its 100% duration but it never asked for any discs and it never gave me any message about what it had or had not found/done. The graphic just went away after its half hour procedure.

                  Should I be running the three software applications you named?

                  Will they now work properly if Windows has replaced dwwin with the legitimate version?

                  Perhaps I should do another search for dwwin.exe and see what the sizes are again.

                  Should it be displayed in lowercase letters if it is genuine?