Win32 Crypt-FOW

Hi, I’m just looking for a little guidance relating to Crypt-FOW [drp]

Avast has recently started detecting .pif and .exe files being created in random subfolders of my D:. The infection being flagged is Crypt-FOW [drp] but I can’t find any info on this infection anywhere.

The files are being created with the same name as their containing folder. I couldn’t find any evil-looking processes. Avast scans aren’t picking up anything other than the pif and exe files which the infection is creating. Malwarebytes Anti-Malware isn’t finding anything.

Apart from the new files no other symptoms have developed, but since the infection is a dropper I anticipate I might have (or soon have) other infections.

I’m running Windows 7 64-bit.

If anyone can help me find out anything more about this infection or better still, how to get rid of it, that’d be great!
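A quick triage check for the symptom described above (executables created with the same name as their containing folder). This is an added example, not code from the thread or from any of the tools mentioned in it; it assumes the scan root and the extensions of interest are passed in, and the `.exe`/`.pif` default simply mirrors what the poster reported.

```python
import hashlib
import os
from pathlib import Path

# Extensions reported in the thread; constructed default, adjust as needed.
SUSPECT_EXTS = {".exe", ".pif"}


def sha256_of(path: Path) -> str:
    """Hash the file so it can be looked up or submitted to an AV vendor."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_folder_named_executables(root, exts=SUSPECT_EXTS):
    """Return sorted [(relative_path, sha256)] for files whose stem equals the
    name of the folder containing them (case-insensitive) and whose extension
    is in exts. The scan root itself is never treated as a parent folder name.
    """
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = Path(dirpath)
        if folder == root:
            continue  # nothing at the top level can be "named after its folder"
        for name in filenames:
            p = folder / name
            if p.suffix.lower() in exts and p.stem.lower() == folder.name.lower():
                hits.append((p.relative_to(root).as_posix(), sha256_of(p)))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, digest in find_folder_named_executables(scan_root):
        print(f"{rel}\t{digest}")
```

Run it against the drive in question (e.g. `D:\`) and compare the listed hashes against a reputable lookup service before deleting anything; a match on this naming pattern is a lead for investigation, not proof of infection.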

Try a scan with HitmanPro http://www.surfright.nl/en/hitmanpro

No luck. Hitman didn’t find anything either.

Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en
DrWeb CureIt http://www.freedrweb.com/cureit/?lng=en
How Do I Use Dr.Web CureIt!? http://www.freedrweb.com/cureit/how_it_works/

Seems to be a worm - 4th thread down (last entry in post), you will find the def.

hxxp://virusinfo.info/showthread.php?t=62626

Avast VPS history

1.12.2009 - 091201-0
Win32:Agent-AIGB [Trj], Win32:Alureon-EN [Rtk], Win32:Banker-GJI [Trj], Win32:Banload-GLR [Trj], Win32:Buzus-AEP [Trj], Win32:Crypt-FOR [Trj], Win32:Crypt-FOS [Trj], Win32:Crypt-FOT [Trj], Win32:Crypt-FOU [Trj], Win32:Crypt-FOV [Trj], Win32:Crypt-FOW [Drp], Win32:Cutwail-AD [Trj], Win32:Delf-MZD [Drp], Win32:FakeAV-WN [Trj], Win32:FakeAV-WO [Trj], Win32:FakeAV-WP [Trj], Win32:FakeAV-WQ [Trj], Win32:FakeAV-WR [Trj], Win32:FakeAV-WS [Trj], Win32:FakeAV-WT [Trj], Win32:FakeAV-WU [Trj], Win32:FakeAV-WV [Trj], Win32:FakeAV-WW [Trj], Win32:FakeAV-WX [Trj], Win32:FakeAV-WY [Trj], Win32:FakeAlert-EU [Trj], Win32:FakeAlert-EV [Trj], Win32:FakeAlert-EW [Trj], Win32:FakeAlert-EX [Trj], Win32:Inject-WO [Trj], Win32:Kates-K [Trj], Win32:KeyLogger-ADQ [PUP], Win32:Magistr-AF [Wrm], Win32:Mebroot [Trj], Win32:Small-NDF [Trj], Win32:Small-NDG [Trj], Win32:Tedroo-C [Trj], Win32:VB-NVY [Trj], Win32:VB-NVZ [Trj], Win32:VB-NWA [Trj], Win32:VB-NWB [Trj], Win32:VB-NWC [Trj], Win32:VB-NWD [Trj], Win32:VB-NWE [Drp], Win32:VB-NWF [Drp], Win32:VB-NWG [Drp], Win32:VB-NWH [Drp], Win32:VB-NWI [Drp], Win32:VB-NWJ [Drp], Win32:VB-NWK [Drp], Win32:VB-NWL [Drp], Win32:VB-NWM [Drp], Win32:VB-NWN [Drp], Win32:VB-NWO [Drp], Win32:Veslorn [Trj], Win32:Xilcter [Trj], Win32:Zbot-MJW [Trj], Win32:Zbot-MJX [Trj], Win32:Zbot-MJY [Trj], Win32:Zbot-MJZ [Trj]

Follow Pondus’ advice, unless he has additional guidance.

Will try this when I get home from work. Thanks for the help guys, I’ll let you know if I make any progress.

DrWeb found a few things - a FakeAlert variant in my Firefox cache, an AdDropper in my hiberfil.sys and a Delf variant in a randomly named folder. All three were successfully deleted. I’ve not had any more random pif and exe files being created in the last 48 hours, so possibly problem solved. Is there anything else I should check to make sure?

For a double check, run Norman also…

I ran Norman on a complete scan and it found a few more things:

pv.exe (Infected with Ircbot.ANFB.dropper)
Deleted file

dseo12.exe (Infected with Suspicious_Gen.DQSU)
Deleted file

JOCommLib.dll (Infected with W32/Horst.gen33)
Deleted file

HTMPrint.exe (Infected with W32/Obfuscated.G2!genr)
Deleted file

keygen.exe (Infected with Sality.AW)
Deleted file

dBpoweramp-Codec-WavPack.exe (Infected with W32/Malware.EJLS)

dseo12.exe is a Windows networking hack so that’s no issue. JOCommLib.dll and HTMPrint.exe are part of the iriver mp3 syncing program and I’ve found a few reports of these being detected, so probably false positives. Pv.exe is the process viewer main exe so I guess false positive again as it does some low-level OS stuff. The keygen I’m not surprised at but never run them anyway.

The strange thing I found was that I did a complete thorough Avast scan afterwards and the only thing it found was the Norman exe which it reported as being infected with W32.Goblin. Is that normal?!

Cheers

The strange thing I found was that I did a complete thorough Avast scan afterwards and the only thing it found was the Norman exe which it reported as being infected with W32.Goblin. Is that normal?!
Well, virus programs have a tendency to not like each other; that is why you should not install more than one. DrWeb CureIt and Norman Malware Cleaner are not installed, so you don’t have to uninstall them. When they have done the job you just drag them over to the recycle bin and empty it. The newest updated version is always on the website for download when you need a cleaning.

Malwarebytes you keep.

Awesome. Thanks guys. I’ll see how things go now. Hopefully all clear!