
Trojan.Agent and TR/Crypt.XPACK


13 replies to this topic

#1 Heroic Robb

  • Members
  • 8 posts

Posted 27 August 2012 - 11:43 AM

I happened to run SuperAntiSpyware this morning and found out that it detected Trojan.Agent/Gen-Kryptik. I ran a quick scan of that, then did a full scan with rescue mode enabled. I don't have the log for those scans. I rebooted my computer once and it had trouble, but the second time it didn't.

Later, while looking for help on the internet, I saw others had the same issue with SuperAntiSpyware. I decided to run Avira AntiVir and found one detection.

The question is, do I delete this file (TR/Crypt.XPACK.Gen)? Because I need to get a log and I don't know what to do next.


#2 roelof1967

  • Members
  • 52 posts

Posted 27 August 2012 - 11:45 AM

Hello,

Where did Avira find the infection?
Can I see the Avira log?


Roelof

#3 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 27 August 2012 - 11:46 AM

Let's run other scans to check if the system is infected.


Download

TDSSkiller

Launch it. Click on Change parameters and select TDLFS file system.

Click on "Scan". Please post the log report (the log file should be in your C drive).

Do not change the default options on scan results

Download

aswMBR

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on Save log.

Post the log results here

Download

ESET online scanner

Install it

Click on START; it should download the virus definitions.
When the scan completes, click on LIST of found threats.

Export the list to the desktop and copy the contents of the text file into your reply.

#4 Heroic Robb

  • Topic Starter
  • Members
  • 8 posts

Posted 27 August 2012 - 11:49 AM

> Hello,
>
> Where did Avira find the infection?
> Can I see the Avira log?
>
> Roelof

The address of the infection for TR/Crypt.XPACK.Gen is

C:\Documents and Settings\User\Application Data\SuperAntiSpyware.com\SUPERAntiSpyware\Quarantine\quarantine.db

#5 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 27 August 2012 - 11:52 AM

That's definitely a false positive. There is an issue with the latest update from SUPERAntiSpyware.

Edited by narenxp, 27 August 2012 - 11:52 AM.


#6 roelof1967

  • Members
  • 52 posts

Posted 27 August 2012 - 11:55 AM

Okay, that's not a problem.
SUPERAntiSpyware has put a file in quarantine, so the file is not a problem anymore.
So your system is not infected.

If you want to delete that file, which I do not advise because we don't know if the file is really infected, I can give you advice on how to do that.

Roelof

#7 Heroic Robb

  • Topic Starter
  • Members
  • 8 posts

Posted 27 August 2012 - 11:56 AM

> That's definitely a false positive. There is an issue with the latest update from SUPERAntiSpyware.

Thank you very much, narenxp! Just one thing: what is "C:\Documents and Settings\User\Application Data\SuperAntiSpyware.com\SUPERAntiSpyware\Quarantine\quarantine.db"?

Edit: should I quarantine/repair this file or leave it alone?

Edited by Heroic Robb, 27 August 2012 - 11:59 AM.


#8 roelof1967

  • Members
  • 52 posts

Posted 27 August 2012 - 11:58 AM

Quarantine.db is the place where SUPERAntiSpyware puts the files which it thinks are infected.

#9 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 27 August 2012 - 12:00 PM

The quarantine database contains information about the quarantined files and attachments.

Avira is detecting the SUPERAntiSpyware quarantine database as a Trojan because of a bug in the latest update of SUPERAntiSpyware.

Edited by narenxp, 27 August 2012 - 12:01 PM.


#10 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 27 August 2012 - 12:02 PM

> Edit: should I quarantine/repair this file or leave it alone?

For now, ignore it. If you still get the pop-up, uninstall SUPERAntiSpyware temporarily until an update comes from SAS.

#11 Heroic Robb

  • Topic Starter
  • Members
  • 8 posts

Posted 27 August 2012 - 12:04 PM

Here is the Avira AntiVir log of my scan.



Avira AntiVir Personal
Report file date: Monday, August 27, 2012 10:42

Scanning for 4173099 virus strains and unwanted programs.

Licensee : Avira Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : ESPHASUS

Version information:
BUILD.DAT : 9.0.0.429 21701 Bytes 10/6/2010 10:04:00
AVSCAN.EXE : 9.0.3.10 466689 Bytes 11/19/2009 15:18:16
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 15:18:16
VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 21:50:10
VBASE002.VDF : 7.11.19.170 14374912 Bytes 12/20/2011 18:51:53
VBASE003.VDF : 7.11.21.238 4472832 Bytes 2/1/2012 22:07:52
VBASE004.VDF : 7.11.26.44 4329472 Bytes 3/28/2012 22:15:55
VBASE005.VDF : 7.11.34.116 4034048 Bytes 6/29/2012 14:59:35
VBASE006.VDF : 7.11.34.117 2048 Bytes 6/29/2012 14:59:35
VBASE007.VDF : 7.11.34.118 2048 Bytes 6/29/2012 14:59:35
VBASE008.VDF : 7.11.34.119 2048 Bytes 6/29/2012 14:59:35
VBASE009.VDF : 7.11.34.120 2048 Bytes 6/29/2012 14:59:35
VBASE010.VDF : 7.11.34.121 2048 Bytes 6/29/2012 14:59:35
VBASE011.VDF : 7.11.34.122 2048 Bytes 6/29/2012 14:59:35
VBASE012.VDF : 7.11.34.123 2048 Bytes 6/29/2012 14:59:35
VBASE013.VDF : 7.11.34.124 2048 Bytes 6/29/2012 14:59:35
VBASE014.VDF : 7.11.38.18 2554880 Bytes 7/30/2012 15:22:54
VBASE015.VDF : 7.11.38.70 556032 Bytes 7/31/2012 15:22:56
VBASE016.VDF : 7.11.38.143 171008 Bytes 8/2/2012 15:22:22
VBASE017.VDF : 7.11.38.221 178176 Bytes 8/6/2012 15:41:30
VBASE018.VDF : 7.11.39.37 168448 Bytes 8/8/2012 14:45:15
VBASE019.VDF : 7.11.39.89 131072 Bytes 8/9/2012 15:40:28
VBASE020.VDF : 7.11.39.145 142336 Bytes 8/11/2012 15:41:34
VBASE021.VDF : 7.11.39.207 165888 Bytes 8/14/2012 15:41:49
VBASE022.VDF : 7.11.40.9 156160 Bytes 8/16/2012 15:42:01
VBASE023.VDF : 7.11.40.49 133120 Bytes 8/17/2012 15:42:00
VBASE024.VDF : 7.11.40.95 156160 Bytes 8/20/2012 15:42:05
VBASE025.VDF : 7.11.40.155 181760 Bytes 8/22/2012 16:04:38
VBASE026.VDF : 7.11.40.205 203264 Bytes 8/23/2012 15:43:35
VBASE027.VDF : 7.11.40.206 2048 Bytes 8/23/2012 15:43:35
VBASE028.VDF : 7.11.40.207 2048 Bytes 8/23/2012 15:43:35
VBASE029.VDF : 7.11.40.208 2048 Bytes 8/23/2012 15:43:35
VBASE030.VDF : 7.11.40.209 2048 Bytes 8/23/2012 15:43:37
VBASE031.VDF : 7.11.41.26 185344 Bytes 8/27/2012 15:41:40
Engineversion : 8.2.10.146
AEVDF.DLL : 8.1.2.10 102772 Bytes 7/10/2012 12:44:09
AESCRIPT.DLL : 8.1.4.46 455034 Bytes 8/24/2012 15:45:54
AESCN.DLL : 8.1.8.2 131444 Bytes 1/27/2012 01:02:52
AESBX.DLL : 8.2.5.12 606578 Bytes 6/14/2012 14:40:43
AERDL.DLL : 8.1.9.15 639348 Bytes 9/8/2011 23:25:32
AEPACK.DLL : 8.3.0.32 811382 Bytes 8/24/2012 15:45:46
AEOFFICE.DLL : 8.1.2.42 201083 Bytes 7/19/2012 15:04:23
AEHEUR.DLL : 8.1.4.92 5177718 Bytes 8/24/2012 15:45:20
AEHELP.DLL : 8.1.23.2 258422 Bytes 6/28/2012 13:05:03
AEGEN.DLL : 8.1.5.36 434549 Bytes 8/24/2012 15:43:45
AEEXP.DLL : 8.1.0.80 86389 Bytes 8/24/2012 15:45:55
AEEMU.DLL : 8.1.3.2 393587 Bytes 7/10/2012 12:44:05
AECORE.DLL : 8.1.27.4 201078 Bytes 8/7/2012 15:14:21
AEBB.DLL : 8.1.1.0 53618 Bytes 4/23/2010 19:54:17
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.3.0 44289 Bytes 9/9/2009 00:22:48
AVREP.DLL : 10.0.0.9 174120 Bytes 3/5/2011 00:23:30
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 4/29/2009 13:11:30
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 6/10/2009 00:29:19
RCTEXT.DLL : 9.0.73.0 86785 Bytes 11/19/2009 15:18:15

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: delete
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Optimised scan......................: on
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Monday, August 27, 2012 10:42

Starting search for hidden objects.
'52123' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'hpswp_clipbook.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'taskmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'LSSrvc.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'SASCORE.EXE' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'Amoumain.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '66' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\quarantine.db
[0] Archive type: ZIP
--> data
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

Beginning disinfection:
C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\quarantine.db
[WARNING] The file was ignored!


End of the scan: Monday, August 27, 2012 12:03
Used time: 49:28 Minute(s)

The scan has been done completely.

7613 Scanned directories
459830 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
459827 Files not concerned
4507 Archives were scanned
3 Warnings
2 Notes
52123 Objects were scanned with rootkit scan
0 Hidden objects were found

#12 roelof1967

  • Members
  • 52 posts

Posted 27 August 2012 - 12:08 PM

Like narenxp and I said, this is an error of SUPERAntiSpyware.
So your computer is not infected and you don't have to do anything.

This is a problem where one scanner finds the quarantine of another scanner infected.

Roelof
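As an added triage example (not part of this thread, and not code from Avira, SUPERAntiSpyware or any tool named above), the script below reads Avira-style report lines like the ones posted in #11 and flags every [DETECTION] whose path sits inside another scanner's quarantine store, which is exactly the cross-scanner case diagnosed here. The SUPERAntiSpyware quarantine path comes from the posted log; the generic `\quarantine\` fallback marker, the alternate Avira detection wording, the second constructed detection and all function names are assumptions made for illustration.

```python
"""Triage of Avira-style scan report detections.

Added example, not code from the thread or from Avira/SUPERAntiSpyware.
It parses the [DETECTION] records of a report and marks those whose path
lies inside another product's quarantine store: such a hit is already
contained material, not evidence of a live infection.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Lower-cased path fragments that identify another scanner's quarantine store.
# The SUPERAntiSpyware entry is taken from the log posted in the thread; the
# bare "\quarantine\" fallback is an assumption and is deliberately checked last.
QUARANTINE_MARKERS = (
    "\\superantispyware.com\\superantispyware\\quarantine\\",
    "\\quarantine\\",
)

PATH_RE = re.compile(r"^[A-Za-z]:\\")                         # a scanned file path
ARCHIVE_RE = re.compile(r"^\[\d+\]\s+Archive type:\s+(\S+)")  # "[0] Archive type: ZIP"
MEMBER_RE = re.compile(r"^-->\s*(.+?)\s*$")                   # "--> data"
DETECTION_RE = re.compile(r"^\[DETECTION\]\s+(.+?)\s*$")


@dataclass
class Detection:
    path: str
    signature: str
    archive_type: Optional[str] = None
    members: List[str] = field(default_factory=list)

    @property
    def in_foreign_quarantine(self) -> bool:
        low = self.path.lower()
        return any(marker in low for marker in QUARANTINE_MARKERS)

    @property
    def verdict(self) -> str:
        # A hit inside another scanner's quarantine is contained material;
        # anything else still needs a human look.
        return "quarantined-by-other-scanner" if self.in_foreign_quarantine else "needs-review"


def _signature(text: str) -> str:
    """Pull the malware name out of Avira's detection sentence."""
    m = re.match(r"Is the (\S+)", text)  # wording seen in the posted log
    if m:
        return m.group(1)
    m = re.search(r"(?:pattern|signature) of the (\S+)", text)  # assumed alternate wording
    return m.group(1) if m else text


def triage(report: str) -> List[Detection]:
    """Attach each [DETECTION] to the file path announced before it."""
    detections: List[Detection] = []
    path: Optional[str] = None
    archive: Optional[str] = None
    members: List[str] = []
    for raw in report.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            path, archive, members = line, None, []  # new file: reset archive context
        elif (m := ARCHIVE_RE.match(line)):
            archive = m.group(1)
        elif (m := MEMBER_RE.match(line)):
            members.append(m.group(1))
        elif (m := DETECTION_RE.match(line)) and path:
            detections.append(Detection(path, _signature(m.group(1)), archive, list(members)))
    return detections


def summarize(detections: List[Detection]) -> Dict[str, int]:
    return dict(Counter(d.verdict for d in detections))


# Sample input: the detection lines from the log posted in this thread, plus a
# constructed second detection (not from the thread) at an ordinary user path.
SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\quarantine.db
[0] Archive type: ZIP
--> data
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\Documents and Settings\User\My Documents\invoice.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan

Beginning disinfection:
C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\quarantine.db
[WARNING] The file was ignored!
"""

if __name__ == "__main__":
    found = triage(SAMPLE_REPORT)
    for d in found:
        inside = f" (archive {d.archive_type}, member {'/'.join(d.members)})" if d.archive_type else ""
        print(f"{d.verdict:28} {d.signature:22} {d.path}{inside}")
    print(summarize(found))
```

Run it with `python triage.py`. A "quarantined-by-other-scanner" verdict is the situation in this thread: the fix is an exclusion for the other product's quarantine folder in the on-demand scanner (or not running two products over the same files), not deleting quarantine.db. Anything left as "needs-review" goes through normal triage.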

#13 Heroic Robb

  • Topic Starter
  • Members
  • 8 posts

Posted 27 August 2012 - 12:10 PM

Thanks Guys!

#14 roelof1967

  • Members
  • 52 posts

Posted 27 August 2012 - 12:11 PM

You're welcome.

Roelof



