CryptExe, Win32.worm.autorun, Win32.bifrose.au

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by thegoldenvision, May 2, 2008.

  1. thegoldenvision

    thegoldenvision Private E-2

    Hi, I'll try to be clear and concise, but I'm not an expert with computers and I may over-explain things, or not mention other obvious things.

    A few days ago I plugged my pendrive into a computer at work and was told by AVG (which they have running there) that the pen contained a 'general trojan' which AVG gave me the option to eliminate, and I did.

    This obviously made me wonder if I had a problem with my own computer. I did a bit of googling about pendrives and trojans and discovered one tell-tale sign is being unable to remove the pen safely through Windows as a program is still writing to it. Anyway, I messed around plugging and unplugging my pen and found that yes, I did have problems safely disconnecting. Also, when I tried to open it (double click) through My Computer, rather than opening the removable disk drive I got a 'choose what program you want to use to open this file' box. Right click and 'open' would open the pen no problem. Took the pen back to work and got the same message from AVG, eliminated the trojan again!

    Now, I have Norton Internet Security (CONFESSION: subscription expired approx 4 months ago, haven't renewed). I ran a full scan - came back with nothing. I also have Spybot and Ad-Aware installed and I updated them and ran full scans.

    Ad-Aware detected Win32.worm.autorun in C:\System Volume Information with a very long filename which began _restore and finished A0049223.exe - Ad-Aware removed this for me.

    Spybot detected win32.bifrose.au, which it also fixed for me.

    NB: Spybot, each time I run a scan, gives two errors during the scan: "there were problems in the include file C:\ProgramFiles\Spybot-search destroy\includes\trojans.sbi see error log for details", and also later in its scan pops up the same message but in relation to Includes\TrojansC.sbi.

    Also I did notice that this bifrose thing actually reappeared two days later when I scanned again, again with Spybot, but I 'fixed' it again, and it has been quite a few days since now and I've done several scans and it hasn't reappeared again.

    And IN THE MEANTIME I have also downloaded AVG myself (as this was the program that detected the problem with the pen at work) and have been scanning with that.

    AVG turned up various things (40 files!!), all of which it sent to the Vault:

    fsgmt.dll (Win32/CryptExe.a)
    fsgmt.dll.tmp (win\system32\secpol.exe.tmp)
    NewServer[1].dll
    NewServer[2].dll
    c6jmqkdv.exe in docs and settings local settings temp
    and a really long list of other files, all with long similar names and all in C:\System\Volume information\_restore etc etc

    I've since realised that the Vault, I think, is to keep files for a few days to see if your system runs ok without them before you eliminate them, but I didn't know this and immediately deleted them all. Oops. It has now been 24 hours and my computer is working ok so far though.

    I scanned immediately again with AVG and it turned up nothing.

    This morning I scanned again with AVG and it turned up 1 threat in C:\System\Volume information\_restore etc etc, also described as CryptExe.
    This one file is currently sitting in the vault

    So my question basically is what should I do?

    By the way, my computer is running normally, not noticeably slower, no pop-ups or anything. The only thing I would mention (no idea if it is connected) is on start-up sometimes it takes a few seconds for the icons to appear on the desktop (but my desktop is currently very full of icons, maybe this is the reason).

    Oh, and one final thing: on shutdown (after shutdown, JUST before the computer turns itself off) I've recently sometimes had messages which are too long and disappear too quickly to note them down, but are about "memory could not be 'read'". But this is going back to before I was aware of the problem with my pen, and to be honest the last few days I haven't had one of those messages.

    Oh, and since the second removal of the trojan from my pen drive I've had the pen in and out of my computer several times and there's now no longer a problem with safely disconnecting it or opening it by double clicking in My Computer.

    Phew, I didn't manage to keep it short, I hope someone can make sense of this.

    Thanks so much for your time if you do.
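The pen-drive symptoms described in the post (a drive that will not "safely remove", and a double-click in My Computer that brings up the "choose the program you want to use to open this file" dialog instead of the folder) are the usual footprint of an autorun worm: it drops an autorun.inf in the root of the removable drive whose open=, shellexecute= or shell\<verb>\command= entries make Explorer launch a copy of the worm when the drive is opened, and the running copy keeps a handle on the drive. Once an AV product deletes that executable but leaves autorun.inf behind, the open verb points at a file that no longer exists, which is what produces the "choose a program" prompt. The Python script below is an added example, not code from the post or from AVG, Spybot or Ad-Aware: it parses a constructed autorun.inf (the contents, the path RECYCLER\sys.exe and every other value in it are assumptions for the example) and reports each entry that would execute something from the drive, ignoring the junk padding lines such files often carry.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample autorun.inf, modelled on what autorun worms of this era
# dropped in the root of a USB stick. The path RECYCLER\sys.exe and all other
# values are assumptions for this example, not artefacts from the post above.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
;junk lines and odd casing are common; they are meant to trip up naive scanners
open=RECYCLER\sys.exe
shell\open=Open(&O)
shell\open\Command=RECYCLER\sys.exe
shell\explore\Command=RECYCLER\sys.exe
shellexecute=RECYCLER\sys.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
label=Removable Disk
"""

# Extensions Windows will run directly, plus the script-host types.
EXEC_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}


@dataclass
class Finding:
    key: str          # the autorun.inf key that would trigger execution
    target: str       # the file Explorer would launch
    executable: bool  # True when the target has an executable extension


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key=value entries of the [autorun] section, keys lower-cased.

    Lines that are not key=value, or that sit outside [autorun], are skipped,
    so the garbage padding many worms insert does not break the parse.
    Later duplicate keys overwrite earlier ones, as the INI rules allow.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        section = re.match(r"^\[(.*)\]$", line)
        if section:
            in_autorun = section.group(1).strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key:
            entries[key] = value.strip()
    return entries


def is_command_key(key: str) -> bool:
    # open= and shellexecute= fire on AutoPlay / double-click;
    # shell\<verb>\command= defines a context-menu verb Explorer will run.
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))


def command_target(value: str) -> str:
    """First token of a command line, minus quotes: '"a b.exe" /x' -> 'a b.exe'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def is_executable(path: str) -> bool:
    lowered = path.lower()
    dot = lowered.rfind(".")
    return dot >= 0 and lowered[dot:] in EXEC_EXTENSIONS


def triage_autorun_inf(text: str) -> List[Finding]:
    """Every entry that would make Explorer launch a file from the drive."""
    findings: List[Finding] = []
    for key, value in parse_autorun_inf(text).items():
        if not is_command_key(key):
            continue
        target = command_target(value)
        findings.append(Finding(key, target, is_executable(target)))
    return findings


if __name__ == "__main__":
    # Usage: read the real file with open(r"E:\autorun.inf").read() instead.
    for f in triage_autorun_inf(SAMPLE_AUTORUN_INF):
        flag = "EXECUTABLE" if f.executable else "non-executable target"
        print(f"{f.key:<24} -> {f.target}  [{flag}]")
```

On a suspect stick, run this against the root autorun.inf, then check whether each reported target actually exists on the drive (hidden and system attributes included); a command entry pointing at a file that is no longer there is exactly the state an AV clean-up leaves behind, and the autorun.inf itself should be removed once the targets are dealt with.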
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member
