I may have found a new virus. It is a kind of rootkit: the file and the Run key do not appear in the Windows API. I did see it with Sysinternals tools, procexp and RootkitRevealer. Then I’ve been able to delete it, but I made a copy of it.
I checked the file with Avast, TrendMicro on-line scanner and Antivir on another computer: the file is not detected as a virus. This is what surprised me.
But it is clearly one, as it opens IE windows displaying ads (mostly porn and casinos).
To send it correctly (so the AV filter doesn’t delete it), you must zip it, apply a password (virus), and send it to virus@avast.com with an explanation or a reference to this thread.
Good luck.
Before sending the file to virus[at]avast[dot]com (like Cloussau said), you may want to upload the file to VirusTotal to see if other AVs detect the file as a virus. If the file is detected, send it to Alwil.
Although if the file is a rootkit, I doubt that it will be added to the VPS, because avast! still cannot detect rootkits.
The VirusTotal server is in “high payload”, so I sent it by mail with a hidden copy to VirusTotal and Avast, the whole thing in a password-protected zip file.
Plus, the binary is in the queue for testing, as I’m curious.
The file is not new. It was seen only by AVG (Win32/CryptExe) and Panda (Adware/NaviPromo) and looks suspicious to CAT-QuickHeal ((Suspicious) - DNAScan).