
Thread: TR/Crypt.XPACK.Gen2 & Gen3 Repeated Re-infections

  1. #11
    Junior Member (Join Date: Oct 2010, Posts: 18)

    Probable breakthrough:

    It finally dawned on me to examine the infected file more closely. When I looked at the file properties, the Version tab reported the file to be the application "Enosoft DV Processor"! How weird!

    I have that app installed, but it's certainly not in my startup list! I have a tool that displays the entire startup list including "hidden" startups (I'll attach a screenshot if you wish), but it's just not there. How it keeps ending up as a .tmp file in C:\WINDOWS\Temp and was replicating itself up to 26 times per scan is very bizarre!

    What I'll do now is use Revo Pro to uninstall the Enosoft DV Processor and all traces completely, and see if the infections stop. I'll report back on this.

  2. #12
    Junior Member (Join Date: Oct 2010, Posts: 18)

    Well, I uninstalled the Enosoft DV Processor and rebooted, but the infections remain.

    So I looked around in the C:\Windows\Temp folder and found several other infected files that, when the file properties->Version tab is examined, were also revealed to be application files with .tmp extensions. There are many identical files which are .tmp copies of "Adobe Updater" and the "A43 File Management Utility".

    When I look at the installed app list in Revo Uninstaller Pro and add/remove programs, neither appear by those names (i.e., they don't appear to be installed on that computer, at least according to those names). I've attached a zip file containing a text file showing details about all the Adobe applications installed on that computer.

    Obviously, there is a very real and very dangerous infection! These are definitely not the result of false positives.

    I'm more worried now than ever!

  3. #13
    Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    Disable Antivir for the following operation.


    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Does Antivir still alert after that operation?
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  4. #14
    Junior Member (Join Date: Oct 2010, Posts: 18)

    Those actions made no difference; all the symptoms remain unchanged. Surely you didn't expect things to be that easy in such a complex case. By the way, I already had a task that empties all the temp directories and browser cache and the like every shutdown.

    This is clearly a very sophisticated piece of malware, and it's been quite some time since I've been able to use the infected computer safely. I've noticed that several other malware removal threads seem to show more aggressive actions and more than one step at a time. May I respectfully ask if you would please try to provide more than one step per iteration when possible? Perhaps some of your colleagues might throw in ideas, too?

    I'm an experienced user, so if you want me to do some registry editing or follow other more complex instructions, just ask.

    Thanks!

  5. #15
    Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    I've asked some of my colleagues for their opinions and they also think Antivir may be barking up the wrong tree there. Let's think about a situation where Antivir is flagging some update and quarantines the related file. The update is tried again, causing Antivir to flag the item again.

    Please upload some of those files that Antivir is alerting about to this website. Kindly include a link to this topic in the message.

  6. #16
    Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi,

    I got the file you sent. Seems to be ok. There's a similar topic at Avira forum. I recommend you create a topic and ask there what's causing those alerts.

  7. #17
    Junior Member (Join Date: Oct 2010, Posts: 18)

    Quote Originally Posted by Blade81:
    Hi,

    I've asked some of my colleagues for their opinions and they also think Antivir may be barking up the wrong tree there. Let's think about a situation where Antivir is flagging some update and quarantines the related file. The update is tried again, causing Antivir to flag the item again.
    Thank you very kindly for that. However, I'm afraid I don't follow you. What kind of "update" are you referring to there? An update to some application? Or an anti-malware update?

    Let me explain: Ever since I posted my OP in this thread, the only time I allow any updates at all on the infected computer -- in fact the only time I connect the problem computer to the Internet or any other network -- is to either update malware definitions, download a new malware tool, or upload an infected file to one of the sites you requested. Even then, I only connect just barely long enough to perform that specific task, whereupon I disconnect immediately, either by disconnecting the cable or disabling Internet access with ZoneAlarm Pro (and I don't connect flash drives or floppies or other media, either). I post these messages from a different computer that's not infected.

    Therefore, there is absolutely no chance that any applications are being updated: Not any Adobe products, not the A43 File Management Utility (which is a DOS app that has been out of production for years), and certainly not the Enosoft DV Processor, even though they are the most common files to end up infected and named xxx.tmp in the C:\Windows\Temp directory.

    I understand perfectly well that false positive malware reports are not particularly rare. But I can conceive of no false positive scenario in which a non-networked computer ends up with as many as 25 copies of the exact same application -- either Adobe Updater, A43 File Utility, or Enosoft DV Processor -- renamed xxx.tmp in the Windows Temp directory, infected or otherwise! Why does this happen to no other apps? Why so many exact copies of the same 3 files?

    What possible false positive scenario can logically explain all that? I was a systems programmer for many years, and I certainly can't think of one.

    Recall that the Windows Temp directory is completely erased every boot, and I don't have to do anything -- I launch no application or control panel or anything else -- before Avira reports these bizarre files are infected.

    Recall that VirusTotal ALSO reported these files to be infected, and also recall that Avira has reported four different infections of .tmp files in the same directory (see my OP):

    TR/Crypt.XPACK.Gen2 Trojan
    TR/Crypt.XPACK.Gen3 Trojan
    TR/ATRAPS.Gen Trojan
    TR/Dropper.Gen Trojan

    It seems to me that the most logical explanation is that my computer is infected with some new piece of malware, as opposed to a false positive. They have to be seen first by someone before anti-malware tools can design a tool to detect and counteract them, right?


    Quote Originally Posted by Blade81:
    Please upload some of those files that Antivir is alerting about to this website. Kindly include a link to this topic in the message.
    I have done so, but I strongly feel that is entirely pointless! It clearly is not the infected .tmp files that are the main issue: It is whatever is creating those .tmp files that's the REAL infection!

    Thank you for all your efforts so far!
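The checks this poster did by hand (reading the Version tab of each Temp\*.tmp file, noting which application it claims to be, and counting identical copies) can be gathered in one pass. The following PowerShell is an added example written for this page, not code from any poster in the thread; it assumes Windows PowerShell 5.1 or later and read access to C:\Windows\Temp, and it only collects evidence.

```powershell
# Added triage helper, not from the thread: list *.tmp files in the Windows
# Temp folder, read the version resource (what the Properties > Version tab
# shows), hash each file and collapse identical copies into one row with a
# count. Assumes Windows PowerShell 5.1+; deletes or quarantines nothing.
param(
    [string]$TempDir = (Join-Path $env:SystemRoot 'Temp')   # normally C:\Windows\Temp
)

$rows = Get-ChildItem -Path $TempDir -Filter '*.tmp' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        $ver  = $file.VersionInfo      # empty strings for a plain data .tmp
        # A .tmp that is really an executable starts with the "MZ" PE magic.
        $isPE = $false
        try {
            $magic  = New-Object byte[] 2
            $stream = [System.IO.File]::OpenRead($file.FullName)
            try { $null = $stream.Read($magic, 0, 2) } finally { $stream.Dispose() }
            $isPE = ($magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)
        } catch { }                    # locked or already-deleted file: leave IsPE false
        # Authenticode status separates a vendor's genuine binary from a lookalike that only copied its strings.
        $sig = Get-AuthenticodeSignature -FilePath $file.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Name         = $file.Name
            IsPE         = $isPE
            Product      = $ver.ProductName
            OriginalName = $ver.OriginalFilename
            SigStatus    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer       = $signer
            SHA256       = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        }
    }

# One row per distinct content: "26 copies of Adobe Updater" becomes Copies = 26.
$rows | Group-Object SHA256 | Sort-Object Count -Descending | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Copies       = $_.Count
        IsPE         = $first.IsPE
        Product      = $first.Product
        OriginalName = $first.OriginalName
        SigStatus    = $first.SigStatus
        Signer       = $first.Signer
        SHA256       = $_.Name
        Sample       = ($_.Group | Select-Object -First 3 -ExpandProperty Name) -join ', '
    }
} | Format-Table -AutoSize -Wrap
```

A row whose SigStatus is Valid, whose Signer is the vendor named in Product and whose hash matches that vendor's installed binary supports the false-positive reading Blade81 suggests; an unsigned PE that merely carries a vendor's version strings is the kind of file worth sending to the AV vendor, as was done in this thread.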

  8. #18
    Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Please take a look at the Avira forum topic linked in my previous post.

  9. #19
    Junior Member (Join Date: Oct 2010, Posts: 18)

    Well, first things first: Thank you, Blade81, for your time and assistance. It was very kind of you to donate your time and expertise to helping out some stranger!

    That being said and truly meant, I can't say I'm comfortable with the result. Yes, Avira and many Avira users undeniably assert that these reports were false positives, and as such, the evidence is overwhelmingly against me. There's no way I can prove otherwise.

    But unlike the other Avira users, who say that Avira was the only anti-malware tool to report these infections, I found that three independent tools agreed that at least one of my four different infections was genuine (Avira, VirusTotal, and Vipre-Rescue). Furthermore, I simply cannot wrap my mind around the concept that the creation of as many as about 100 identical copies of three and only three very weird applications named "Temp<xxx>.tmp" is a perfectly normal, everyday occurrence that I should just blithely ignore for peace of mind.

    And now, after my first full day with the quasi-infected computer online, 3 separate times now this computer has hung up and needed to be restarted.

    Yes, that really could all be coincidence. And no, I have no concrete evidence otherwise. As such, it would be unjust of me to ask for more of your time, unless and until I have something concrete, so I will simply wish you well and thank you most sincerely once more.


  10. #20
    Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    You're welcome.

    If this issue still puzzles your mind, I recommend creating a topic at the Avira forum.
