Avast can't pick up virus (crypt.exe). What to do?

Hi guys,

I have Avast 4.8 home with the latest iAVS running. I’ve performed a thorough scan of all hard drives & have also done an on-start-up scan. It hasn’t picked up any viruses.

But when I insert an empty CF card into my computer, a file called crypt.exe and an autorun.inf file got copied onto it. I guess that this is a virus trying to spread itself.

I’ve never had a situation that Avast would not be able to identify and clean a virus. What can I do to clean my machine (short of reinstalling my XP SP3)?

Thanks in advance for your help

Luben

Hi luben,

You could check the files in question against virustotal.com, upload there and give us the results.
Consider this info on crypt.exe: http://www.threatexpert.com/files/crypt.exe.html

If you should have an autorun issue, you could use this, Flash Drive Disinfector,
Download Flash_Disinfector.exe by sUBs from > http://www.techsupportforum.com/sectools/sUBs/Flash_Disinfector.exe < and save it to your desktop.

* Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
* The utility may ask you to insert your flash drive and/or other removable drives including 
   your mobile phone. Please do so and allow the utility to clean up those drives as well.
* Wait until it has finished scanning and then exit the program.
* Reboot your computer when done.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don’t delete this folder…it will help protect your drives from future infection.

Also see this link for more information on Flash Disinfector, http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs/

You could also perform an additional scan with stinger.exe: Free worm removal tool; McAfee Avert Stinger: http://vil.nai.com/vil/stinger/ Use the latest online version of it, you can use it alongside your resident avast av-solution,

polonus

Hi there Polonus,

Thanks a lot for your swift and helpful response. I uploaded the file to the Virustotal site you recommended and got this result:

http://www.pbase.com/luben/image/113493913/original.jpg

What should I do next to clean my PC?

Thanks in advance

Luben

You can try sending the file to ALWIL.

I’d love to Donovan, but the Virus report link on the Avast website does not appear to work properly:

http://www.avast.com/%REPORT%

Luben

Try moving the file to the chest then sending it to alwil.

Hi luben,

It still could be a false positive. Also send it here: http://anubis.iseclab.org/?action=home
Report the results here. As crypt.exe can be an FP, I'd like to hear the verdict of the Vienna university scanner,

polonus

Send the sample to virus@avast.com zipped and password protected, with the password in the email body; a link to this topic might help, and put "undetected malware" in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Given that it appears to be associated with autorun.inf, I would say it is highly suspect.

There is also the http://camas.comodo.com/cgi-bin/submit scanner too.

Hi DavidR,

I did a very extensive survey online for crypt.exe and this has led me to believe rather strongly we have a false positive here. If not I am not going to eat my hat, but I will fast for a day at least.
Very curious after the anubis results. What is your view on the matter? Oh, I see you have given that above, well in that case we have a secondary infection of crypt.exe through the auto-run infector,

Damian

Well there are some that may just be using a legit file to encrypt folders, etc. autorun.inf could launch an application, which in turn could use crypt.exe to encrypt folders/partitions, etc. Something along the lines of a ransomware attack (speculation though) ???
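
Added example, not part of the original thread or any poster's code: a small Python check for the two things discussed above, namely which programs an autorun.inf on a drive would launch, and whether the name autorun.inf is already occupied by a folder as Flash_Disinfector leaves it. The function names and the sample autorun.inf content are assumptions constructed for illustration; the real file from the infected CF card was never posted.

```python
import os
import re
import tempfile

# Constructed sample: how an autorun.inf that launches crypt.exe could look.
SAMPLE = r"""[autorun]
open=crypt.exe
shell\open\command=crypt.exe
icon=shell32.dll,4
"""
# Keys in [autorun] that start a program; groups 2/3 capture the program path.
LAUNCH = re.compile(
    r'^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(?:"([^"]+)"|(\S+))', re.I)

def find_entry(folder, name):
    """Case-insensitive lookup, since FAT/NTFS file names ignore case."""
    matches = [e for e in os.listdir(folder) if e.lower() == name.lower()]
    return os.path.join(folder, matches[0]) if matches else None

def launch_commands(text):
    """Return (key, program) pairs from the [autorun] section that start a program."""
    found, in_section = [], False
    for line in text.splitlines():
        if line.strip().startswith("["):
            in_section = line.strip().lower() == "[autorun]"
        elif in_section and (m := LAUNCH.match(line)):
            found.append((m.group(1).lower(), m.group(2) or m.group(3)))
    return found

def inspect_drive(root):
    """Classify a drive root: autorun.inf absent, a blocking folder, or a file."""
    path = find_entry(root, "autorun.inf")
    if path is None or os.path.isdir(path):
        return {"status": "absent" if path is None else "folder", "targets": []}
    with open(path, errors="replace") as fh:
        targets = sorted({prog for _, prog in launch_commands(fh.read())})
    # Programs named by autorun.inf that actually sit in the drive root.
    on_drive = [t for t in targets if find_entry(root, t)]
    return {"status": "file", "targets": targets, "on_drive": on_drive}

def demo():
    # Two throwaway directories stand in for removable-drive roots.
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as cleaned:
        with open(os.path.join(infected, "AUTORUN.INF"), "w") as fh:
            fh.write(SAMPLE)
        open(os.path.join(infected, "crypt.exe"), "wb").close()
        os.mkdir(os.path.join(cleaned, "autorun.inf"))
        return inspect_drive(infected), inspect_drive(cleaned)
```

Calling `inspect_drive()` on a real drive root only reads the directory listing and the text of autorun.inf; any file it lists under `on_drive` is the one to submit for analysis before deleting it.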