I know it’s from the [Cryp] side and all, but this thing is becoming a major pain. I’ve tried every action in avast on it and it’s still here + now it’s spread to my external HD. Does anybody have any advice for getting rid of it? So far what I’ve found is that it places a file (C:\i8.com) and then locks me out of directly accessing my C:\ drive (though I can access it by going to, for example, C:\program files\world of warcraft\ and then pressing the ‘up one level’ button).
Any help would be greatly appreciated.
(PS: I know it’s not really from the [Cryp] side, lulz ;D)
There is a kind of solution preventing autorun.inf spreading, but in your case the main problem is that this solution is for a healthy PC only. It prevents autorun and restores some Explorer registry keys.
This registry modification doesn’t cure any active malware, probably avmo in your case.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoDriveAutoRun"=dword:000000ff
"NoFolderOptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
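An added example (not part of the original post and not the poster's code): a small Python audit that parses the Explorer policy and IniFileMapping sections of the .reg text above and reports which AutoRun paths those values cover. The function names are hypothetical; the bit meanings are the documented Windows drive-type flags, and NoDriveAutoRun is read as a per-drive-letter bitmask.

```python
import re

# Bit meanings for NoDriveTypeAutoRun (documented Windows drive-type flags).
DRIVE_TYPES = {0x01: "unknown", 0x02: "no-root-dir", 0x04: "removable",
               0x08: "fixed", 0x10: "network", 0x20: "cdrom",
               0x40: "ramdisk", 0x80: "reserved"}

# Sections of the .reg text from the post above, embedded so this runs offline.
REG_TEXT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"NoDriveAutoRun"=dword:000000ff
"NoFolderOptions"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
'''

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: value}} for dword/string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = "" if name == "@" else name.strip('"').lower()
            m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
            current[name] = int(m.group(1), 16) if m else raw.strip('"')
    return keys

def audit(text):
    """Summarise which AutoRun paths the settings close."""
    keys = parse_reg(text)
    pol = next((v for k, v in keys.items() if k.endswith(r"\policies\explorer")), {})
    ini = next((v for k, v in keys.items() if k.endswith(r"\inifilemapping\autorun.inf")), {})
    type_mask = pol.get("nodrivetypeautorun", 0)
    drive_mask = pol.get("nodriveautorun", 0)
    return {
        "types_blocked": [n for bit, n in DRIVE_TYPES.items() if type_mask & bit],
        # Bit 0 is drive A:, bit 25 is drive Z:.
        "letters_blocked": [chr(65 + i) for i in range(26) if drive_mask >> i & 1],
        "autorun_inf_ignored": str(ini.get("", "")).upper().startswith("@SYS:"),
        "folder_options_visible": pol.get("nofolderoptions", 0) == 0,
    }

if __name__ == "__main__":
    for item, value in audit(REG_TEXT).items():
        print(f"{item}: {value}")
```

On the posted values it reports all eight drive-type bits set, the autorun.inf mapping override present, and NoDriveAutoRun covering drive letters A through H.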
Please download FindAWF to your Desktop from: http://noahdfear.geekstogo.com/FindAWF.exe
Double-click FindAWF.exe to start the tool.
Select “option #1 - Scan for bak folders” by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.
Please post the result of this scan before proceeding.
Maybe, after the suggestion of Polonus, you could try the general cleaning procedure:
Disable System Restore and reenable it after step 3.
Clean your temporary files.
Schedule a boot time scanning with avast with archive scanning turned on.
Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
We have the same problem. If you find the solution, please let us know.
P.S. I’m glad I’m not the only one having a problem with AuCrypt. There is almost no information on the Internet. A new piece of nastiness, I caught it today.
Well, well. A little Polish circle has gathered here on the forum…
Well I continue in English as we are an English speaking forum here. DrWeb has three scan modules: Quick Scan, Full Scan and then comes the Third Scan Mode (I do not know how that is called in the Polish version of DrWeb’s CureIt), choose that one and then do the specific disk scans. In the meantime we will have a look at the log and set out a strategy to tackle this malware. Don’t worry, everything will be fine!
I’m writing just to tell that I have the same problem (probably caught today and I have no idea where from :/). So I will be also very grateful for any idea how we could fix it!
What I noticed is that although I can’t enter my drives from ‘My Computer’, there is no problem to do this using Total Commander.
Greetings to people from Poland - I hope we will solve this problem.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well (D: and external Disk)
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.
The first thing I want you to do is download Deckard’s System Scanner.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, a text file will open - Main.txt
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of Main.txt in your thread in the HijackThis Log Help Forum.
A folder, C:\Deckard, will also open. In it will be another text file, Extra.txt.
Attach Extra.txt to your post.
Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
What Deckard’s System Scanner will do:
* create a new System Restore point in Windows XP and Vista.
* clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
* check some important areas of your system and produce a report for your analyst to review. Deckard's System Scanner automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
When you get the two Notepad documents, Main.txt & Extra.txt, attach them to your next reply.
After you have run both Flash Disinfector and DSS, also attach a fresh HJT log.txt.
I think Dr.Web is enough. After that scan & fix I used MKS online and Avast. Nothing more was found.
Any USB device was connected last two days.
I will see tomorrow - infected computers are in my neighbour’s house. Now I’m going to my house to enjoy Tyskie ;D
I just still don’t know how to fix the problem with opening disks.
“A small beer, then a little piece of chocolate,” I asked around for a solution for you to be able to enter your drives, I’ll post it when it gets to me. And for later: “cockroaches under the pillows”, see you tomorrow,
Win32:AuCrypt [Cryp] is a generic detection of AutoRun / OnLineGames… you can apply the same disinfection procedures here… and we are working on the detections for more inf files to stop the reinfection after deleting the files found with this gen detection…
Save and extract its contents to the desktop. It is a folder containing a Batch file, Clean autoruns.bat, Written by Mosaic1. Once extracted, open the folder and double click on the Clean autoruns.bat to run the fix.
If any autoruns are found, the fix will move them to a backup folder.
If any autoruns are found on the root of your drives, it will kill explorer so that the registry entries in the MountPoint(s) key are fixed.
It will produce two files, Part1.txt and Part2.txt, that will show the state before and after the cleaning.
An additional step you could take:
Download: Clear the Cache (freeware) http://www.ccleaner.com/
Once installed, run CCleaner and click the Windows [tab]
Select the following options: