Saturday, November 21st 2009, 12:54pm UTC+1

Date of registration:
Apr 4th 2008



1

Friday, April 4th 2008, 12:18pm

Trojan-TR/Crypt.XPACK.Gen

Hi

First post.

For the last 3-4 days when file flt1chk4.dll is accessed by Avira it reports that this file is a trojan - TR/Crypt.XPACK.Gen. This file resides in the Windows\System32 folder.

This file has been on my computer for ages and is related to Flight 1 software wrapper which is used when installing Flight1 flight simulator software.

I have placed that file in exception areas of guard and scanner.
Have submitted file for evaluation by Avira approx 2 days ago.

This has to be a false positive also as appears to be the consensus in thread below, titled (Trojan TR/Crypt.XPACK.Gen : False positive ?).

Could Avira advise when they are going to fix this problem as it appears it is something they created around 30 March.

I am using AntiVir Personal Edition Premium version 7.06.00.308 updated as of today.

Your assistance/advice would be appreciated.

Regards

noels7

Radu Gheorghe

Avira GmbH

Date of registration:
May 22nd 2006


Version: AntiVir Personal Unix/Linux


Location: Bucharest



2

Friday, April 4th 2008, 12:59pm

RE: Trojan-TR/Crypt.XPACK.Gen

Hello and welcome,

Since this is a generic detection, this might not be the same problem as in the other thread.

You should receive an answer soon from our Virus Lab with the results. If you don't, please post here the file/incident number or just try again.

Best regards,
Radu
Radu Gheorghe
Avira GmbH

Date of registration:
Apr 4th 2008



3

Friday, April 4th 2008, 3:10pm

Thanks for your reply Radu.

Will await a response from your Virus Lab and see if they can help with a solution.

Regards

noels7

Radu Gheorghe

Avira GmbH

Date of registration:
May 22nd 2006


Version: AntiVir Personal Unix/Linux


Location: Bucharest



4

Friday, April 4th 2008, 3:20pm

You're welcome. Please write here if the problem persists.

Best regards,
Radu
Radu Gheorghe
Avira GmbH

Date of registration:
Apr 4th 2008



5

Saturday, April 5th 2008, 12:23am

RE: Trojan-TR/Crypt.XPACK.Gen

Radu

I have received the following report from Virus Lab.

"Thank you for your email to Avira's virus lab.
Tracking number: INC00135970.

A listing of files alongside their results can be found below:

File ID Filename Size (Byte) Result
3808833 flt1chk4.dll 145 KB MALWARE

Please find a detailed report concerning each individual sample below:

Filename Result
flt1chk4.dll MALWARE

The file 'flt1chk4.dll' has been determined to be 'MALWARE'. Our analysts named the threat TR/Crypt.XPACK.Gen. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. This malware is detected by a special detection routine from the engine module."


While I appreciate that Avira has determined that flt1chk4.dll is malware, AVG Anti-Spyware, Comodo BoClean and AntiVir have for 3+ months considered this file as clean. It is obviously a false positive as nothing has changed on my computer in the last week except Avira must have changed the parameters of its detection engine.

I am not comfortable with having genuine files listed as exemptions as it tends to defeat the purpose.

The problem appears to have started around 30-31 March and several postings below mine (although they are different examples) tend to support the notion that the problem resides within Avira's detection engine.

Is it possible that Avira can correct this problem?

Your assistance would again be appreciated.

Regards

noels7

This post has been edited 1 times, last edit by "noels7" (Apr 5th 2008, 12:28am)


Date of registration:
Feb 18th 2006


Version: AntiVir Personal
AntiVir Personal Unix/Linux
Avira Prem. Security Suite


Operating System: XP SP3, Vista SP1, Kubuntu 9.04 and a heavily modified puppy on a stick!


Location: UK



6

Saturday, April 5th 2008, 12:37am

Hello,

Can you confirm that when you submitted the file, that you used the "Suspected False Positive (Not Malware)" option in the File Type Drop Down Box? This is important in determining the status of a Suspected False Positive.

If you didn't, or are not sure, then please send it again using this option.

Cheers,

Steve

Date of registration:
Apr 4th 2008



7

Saturday, April 5th 2008, 12:44am

Steve

I am positive that I selected the "Suspected False Positive (Not Malware)" option.
Just to be sure I will submit again and confirm result on reply from Avira.

Regards

noels7

This post has been edited 1 times, last edit by "noels7" (Apr 5th 2008, 12:49am)


Radu Gheorghe

Avira GmbH

Date of registration:
May 22nd 2006


Version: AntiVir Personal Unix/Linux


Location: Bucharest



8

Monday, April 7th 2008, 8:34am

Hello noels7,

Please tell us why you think this is not malware. Because you say:

Quoted

While I appreciate that Avira has determined that flt1chk4.dll is malware


From this, I believe this file isn't clean.

Best regards,
Radu
Radu Gheorghe
Avira GmbH

Date of registration:
Apr 4th 2008



9

Monday, April 7th 2008, 11:16am

Radu

Thanks for your reply.

Did you read my post and please don't selectively quote me. Read the whole paragraph.

I am not an expert in determining what is and what is not malware. All I know is that for 3 months Avira said that this file was clean then all of a sudden it becomes malware. The said file has been in existence for some years and on my computer since November 2007 and I would be surprised if I was the only Avira user who had installed Flight1 software.

For example when I re-installed Flight One Software - Ground Environment X USA-Canada on 15 March that file determined that I was the legitimate owner of that software. Avira didn't consider it malware, hence my statement/query that Avira must have changed the parameters/protocols of its detection engine around 30-31 March.

So I presume your solution is to leave the file in the exception areas of Guard and Scanner of Avira indefinitely.

Regards

noels7

Radu Gheorghe

Avira GmbH

Date of registration:
May 22nd 2006


Version: AntiVir Personal Unix/Linux


Location: Bucharest



10

Monday, April 7th 2008, 12:23pm

Hello noels7,

I read your whole post, I just didn't know what you actually think about this file. If it's a false positive or not.

The file is currently being reanalyzed. You should receive an Email if the status changes.

EDIT: Indeed, it is a false positive, and will be fixed with one of the next VDF updates. You should get an Email about this, also.

Best regards,
Radu
Radu Gheorghe
Avira GmbH

This post has been edited 1 times, last edit by "Radu Gheorghe" (Apr 7th 2008, 12:30pm)


Date of registration:
Apr 4th 2008



11

Monday, April 7th 2008, 12:43pm

Radu

Again thanks for your reply.

I shall await the reanalysis results.

I should also apologize as my comments in my previous post were rather strong and probably offensive. My apologies.

As I am typing I have just received :

Dear Sir or Madam,

Thank you for your email to Avira's virus lab.
Tracking number: INC00136083.



A listing of files alongside their results can be found below:
File ID Filename Size (Byte) Result
3808833 flt1chk4.dll 145 KB FALSE POSITIVE

Please find a detailed report concerning each individual sample below:

Filename Result
flt1chk4.dll FALSE POSITIVE
The file 'flt1chk4.dll' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Detection will be removed from our virus definition file (VDF) with one of the next updates.

Problem appears resolved. Will look forward to VDF that cures the problem.

Again thank you for your help and assistance. Appreciated.

Regards

noels7

Radu Gheorghe

Avira GmbH

Date of registration:
May 22nd 2006


Version: AntiVir Personal Unix/Linux


Location: Bucharest



12

Monday, April 7th 2008, 1:26pm

You're welcome, noels7. Please keep us posted if you have any more problems.

I didn't find your previous post offensive at all. It's OK to have different opinions. It's not OK to use offensive language, but it really wasn't the case.

Best regards,
Radu
Radu Gheorghe
Avira GmbH

Date of registration:
Apr 7th 2008


Location: India



13

Monday, April 7th 2008, 4:24pm

TR/Crypt.XPACK.Gen

Even I've been getting the msg regarding TR/Crypt.XPACK.Gen.
But it's showing a file called vtUnnmMG.dll. I don't know to which program it is associated. It resides in the System32 folder in mine too.
It's causing a problem because the detection keeps coming whenever I open any application. Please resolve the problem as soon as possible.

Date of registration:
Feb 18th 2006


Version: AntiVir Personal
AntiVir Personal Unix/Linux
Avira Prem. Security Suite


Operating System: XP SP3, Vista SP1, Kubuntu 9.04 and a heavily modified puppy on a stick!


Location: UK



14

Monday, April 7th 2008, 11:53pm

RE: TR/Crypt.XPACK.Gen

Hello shahzad326744,

Can you please send the file "vtUnnmMG.dll" to Avira here, marked as "Suspected False Positive (Not Malware)" in the file type drop down box.

Cheers,

Steve

Date of registration:
Apr 8th 2008



15

Tuesday, April 8th 2008, 8:21am

RE: TR/Crypt.XPACK.Gen

Hi, I do have the same indicated virus in the flight1 file like noels7. I installed the software the day before yesterday ... I still get the notification by avira that the file is a virus. What is to do now ... ? tnx for your infos

Radu Gheorghe

Avira GmbH

Date of registration:
May 22nd 2006


Version: AntiVir Personal Unix/Linux


Location: Bucharest



16

Tuesday, April 8th 2008, 8:46am

RE: TR/Crypt.XPACK.Gen

Hello and welcome,

Since you get the detection in the same file, then it should be the same false positive. You should keep your AntiVir up to date, and if the FP isn't already fixed, it will be fixed very soon. In the meantime, you can add the file to your exceptions list.

Best regards,
Radu
Radu Gheorghe
Avira GmbH

Date of registration:
Apr 8th 2008



17

Tuesday, April 8th 2008, 8:57am

RE: TR/Crypt.XPACK.Gen

tnx for your answer.

(just for your information: there are two threads on www.simforums.com with this subject:

http://www.simforums.com/forums/forum_po…t%2EXPACK%2EGen

http://www.simforums.com/forums/forum_posts.asp?TID=25894

the second was started by me ... they told me to uninstall the avira software and to turn off defender, and all the security things to pass the installation problems?! I did it and then there was the virus ....)

grts and tnx

Date of registration:
Apr 8th 2008



18

Tuesday, April 8th 2008, 1:35pm

RE: TR/Crypt.XPACK.Gen

the actual avira update solved all the problem ... :-) tnx to all for the support!

Date of registration:
Apr 21st 2008



19

Monday, April 21st 2008, 4:30am

TR/Crypt.XPACK.Gen

This is definitely a trojan!!! The executable is pybqnkpc.exe. Each time you restart your machine, a new dll file is created in the windows\system32 directory. The following are examples:
yayywVpn.dll
ddcAqqqR.dll
tuvSlllb.dll
awtUmlKc.dll
byXRllxw.dll
rqRKBqNG.dll
urqRLbxW.dll
yayaXPii.dll
wvUoNDtT.dll
etc. etc. etc.
The .exe file shows TR/Crypt.XPACK.gen, engine 8.01.00.32 and all of the other files show TR/Vundo.Gen also with an engine ver of 8.01.00.32. The trojan also creates a css4 file in the folder C:\documents and settings\"user"\Temporary Internet Files\Content.IE5\ with a different subdirectory each time. Deleting the .exe, the css file and the other files has not stopped the trojan from re-activating each time the machine is started. HELP!!

Date of registration:
Apr 21st 2008



20

Monday, April 21st 2008, 7:21pm

Help Me 2!!!!!

I THINK I HAVE GOT THE EXACT SAME THING, MY PC WILL NOT RUN VERY WELL AT ALL IN NORMAL MODE SO I KEEP HAVING TO BOOT IN SAFE MODE. I HAVE TRIED THE DISABLING SYSTEM RESTORE N RUNNING SCANS BUT EVERY TIME I REBOOT IN NORMAL MODE THE VIRUS IS FLASHING BACK UP AND NOTHING IS MAKING IT GO AWAY..PLEASE PLEASE HELP AS I AM NOT VERY GOOD WITH COMPUTERS

THE VIRUS INFO ON THE AVIRA SCAN IS SHOWING TR/VUNDO.GEN