Jump to content

Trojan crypt XPACK gen7


Go to solution Solved by Maurice Naggar,

Recommended Posts

Hello. I'm new here. I live on GMT+7 area. Just recently I'm becoming more aware of cyber security and have always had suspicion over my seemingly dormant adaware antivirus. So I decided to install Avira and Adguard to better secure my laptop. When I scanned my laptop, Avira detected this trojan.

Also, Avira keeps on detecting "suspicious patterns" and blocking host files from time to time (these host files aren't specified, except the trojan), are these activities is something for me to be alerted? Or is Avira just overreacting like smart screen usually do?

Please help.

I already used MB premium to scan and clean 2 malwares in my system beforehand.

I will upload the Farbar scan results in a few hours, hopefully, after this one's Avira's Luke Firewalker's finished. Idk what's taking it so long.

Link to post
Share on other sites

  • Root Admin

Hello @blackleather7

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you

 

 

Link to post
Share on other sites

Hello Blackleather7.   My name is Maurice.  My name is Maurice. I am filling in for Advancedsetup until he returns.

Thank you for the FRST reports.

The reports show that Windows reports, there are 2 active installed Antivirus programs .....which can lead to deadlocks at the worst time.

They show   Adaware antivirus  plus Avast Antivirus.

To prevent deadlocks, pick one of them to keep.  Uninstall the other one  & then Restart Windows.

Please confirm that for us.

 

NEXT

This should only take something less than 15 minutes.

Now a fresh new scan with Malwarebytes for Windows.

In Malwarebytes for Windows program, we want to do a special scan.
 Click Settings ( gear icon) at the top right of Malwarebytes window. We want to see the SETTINGS window.  Then click the Security tab.  Scroll down and lets be sure the line in SCAN OPTIONs for 

"Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue-color . Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

MB4_scan_tick_ALL.jpg.d04ef98c885b4f44f51bfe735922fba7.jpg

 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

MB4_scan_all_Quarantine.jpg.8639e1dfc2301bc6d60a8cfb3c339241.jpg

 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

Link to post
Share on other sites

Thank you for the FRST reports.

Please do not be using other apps or web browsers during these next procedures. Only use web browser for purpose to get to this forum.

[    1    ]

As a next basic step, Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[    2    ]

We will use FRST64.exe  on Downloads folderr to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  Blackleather7  only / for this machine only.

 

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.  It will rebuild the Winsock.  

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome,  and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

Please save the (attached file named) FIXLIST.txt   to the  C drive user Download  folder   

Fixlist.txt

 


Start the Windows Explorer and then, to the Downloads   folder.


RIGHT click on  FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

  • IF you get a block message from Windows about this tool......

click line More info information on that screen
and click button Run anyway on next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

frst-fix.jpg.f6a25291b39a03d418acc9a3b7136900.jpg

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.    We will do more after this.  Persistence & patience are called for here.

Cheers.

Link to post
Share on other sites

Thank you.

I would suggest a free scan with the ESET Online Scanner.  This will be another check for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.

 

  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from machine &. Let it be.

You should ignore all prompts to get the ESET antivirus software program. ( e.g. their standard program). You do not need to buy or get or install anything else.

  • When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
  • Click The blue Save scan log to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” ( in blue, at bottom).

Press Continue when all done. You should click to off the offer for “periodic scanning”.

Please make sure you attach the log report.

Link to post
Share on other sites

The ESET  found & removed several  potentially unwanted applications.

This is a special tool to check your pc for viruses, trojans & other malware.

Download Sophos Free Virus Removal Tool    and save it to your desktop.

  • If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
  • Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...

 

Double click the icon and select Run

Click Next

Select I accept the terms in this license agreement, then click Next twice

Click Install

Click Finish to launch the program

  • Once the virus database has been updated click Start Scanning

If any threats are found click Details, then View log file... (bottom left hand corner)

 

Attach the results in your reply

  • Close the Notepad document, close the Threat Details screen, then click Start cleanup

Click Exit to close the program

 

If no threats were found please confirm that result....

  • The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.

Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

 

Saved logs are found under this sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs 

Let me know what Sophos reports.

Link to post
Share on other sites

You wre looking in the wrong folder.  It is NOT under "Program Files"  !!!!

It will be under C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

Not real sure if you told me that you were doing a second run with Sophos Virus Removal tool.

BUT.  When the run has completed.  Just insure that the File Explorer was newly started.   That you go ( anew) to sub-folder: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs     

Look for the sub-folder Logs

in that sub-folder look for file named SophosVirusRemovalTool.log

It seems to me that your screen-grab may not be showing all folders.  Click once on the column headed "Name"  & repeat a second time.

Make sure the window is in full screen.   You need to be looking for the LOGS  sub-folder.

.

If you find the log, then fine , attach that file with your reply.

If the scan has completed & you still cant find the log, lets just stop & put this aside.

Edited by Maurice Naggar
Link to post
Share on other sites

I am happy to read that the 2nd run of Spophos found nothing.  Now to uninstall Sophos tool.

1. Press & hold  the Windows key on keyboard & then tap the R key   to open the Run box-windoww.
2. Type 

appwiz.cpl 

and tap Enter.
The Programs and Features window will appear.

Locate "Sophos virus removal" on the list.   Click the line once with your mouse pointer.

Now do a RIGHT-click on it  and then select Uninstall.    and follow thru to have it uninstalled.

When done, close the window for Programs and Features.

.

Next

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

 

Let me know the result of this.    This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

C:\Windows\debug\msert.log

Please attach that log with your reply.

 

Link to post
Share on other sites

Yes the Safety scanner completed the run faster than Sophos. It detected 7 infected files but resolved 2 of them.

This was one week ago I think, I uninstalled Avira the moment I found out that Avira has a bug with its real time scanner (this was addressed in Avira's forum since May but I guess it hasn't been fixed) so I replaced it with Avast antivirus. Before I uninstalled Avira, it detected the crypt xpack gen 7 trojan and has locked suspicious files/activities. This caused me to unable to download files from my browser directly since then.

I hope your weekend goes well too. Thank you.

Link to post
Share on other sites

Hello.  You are reporting that you have switched antivirus apps.  One needs to be aware that switching from one A-V to another requires planning & follow up.  Take a few minutes to do the following.

A.  Get / save / and then run the Avira cleaner tool -   Avira RegistryCleaner: http://www.avira.com/en/downloads#tools

Next:

1. Restart Windows to Safe mode.  If you need a guide then see this link

2. Make sure that your folder options are set as follows.
Click: Start → Control Panel → Folder Options → View → Show Hidden Files and Folders → OK


3. Delete the following folders if they exist:
 C:\Program Files\Avira
 C:\ProgramData\Avira
 C:\Documents and Settings\All Users\Application Data\Avira

When all done, Restart Windows back to normal mode.

Link to post
Share on other sites

Alright. So we had you run a few security scans: MS Safety Scanner, ESET Online scanner, Sophos virus removal tool.

This pc should be in much better state.

I would urge getting a readout report as to update status of some key apps.

Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

 

and save the tool on the desktop.

  • If Windows's  SmartScreen block that with a message-window, then

Click on the MORE INFO spot and over-ride that and allow it to proceed.

This tool is safe.   Smartscreen is overly sensitive.

  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.

You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Link to post
Share on other sites

Thank you.  The following are from that report.

Web Companion v.4.6.1974.3869 [b]Warning! Browser's toolbar.[/b] It can slow down the working of your browser and have violation privacy problems.

Avast Free Antivirus v.21.5.2470 Warning! Download Update

Microsoft 365 Apps for enterprise - en-us v.16.0.14131.20332 Warning! Download Update
How Install Office updates?

Evernote 10.17.6 v.10.17.6 Warning! Download Update
 
WinRAR 5.91 (64-bit) v.5.91.0 Warning! Download Update
 
Zoom v.5.7.1 (543) Warning! Download Update

Telegram Desktop version 2.8.11 v.2.8.11 Warning! Download Update
 
BitTorrent v.7.10.5.46011 Warning! Ad-supported P2P-client.
 
HandBrake 1.3.3 v.1.3.3 Warning! Download Update
 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.