Win32:Crypt-IDU

Dear Avast User Community,

My father’s computer, a Dell running Windows Vista, seemed to be infected by the Dropper Win32:Crypt-IDU. This was just added to the Avast list / update this morning, and this morning we started experiencing the following:

  1. A warning bubble saying that more hard drive space is needed (“Hard drive space critical” or something like that). When this bubble is clicked, the Avast warning appears saying that it blocked Win32:Crypt-IDU, which is stored in a TEMP folder, and that it is moved to chest. However, this error continues to repeat. We have plenty (110GB) of hard disk space.

  2. All of the files in My Documents have been moved into the Programs folder, so that they are present in the program set from the start menu.

  3. When trying to run a full scan with Avast (against my recommendation), a critical system error message appeared and the entire computer restarted.

I have three questions, and would be grateful if anybody can provide some information.

  1. Can this computer be saved?

  2. How do I save this computer?

  3. Where on earth did this virus come from?

Thanks a bunch.

I woke up to this problem this morning. Windows Defender found this FakeSysdef (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:Win32/FakeSysdef) to be the problem. After cleaning it, everything appears to be running normally. (At least, I’m not getting any more Avast pop-ups and no hard drive space errors.)

Follow this guide from our expert malware remover Essexboy and post the logs here:
http://forum.avast.com/index.php?topic=53253.0

To avoid multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach (OTL.Txt, Extras.Txt and the Malwarebytes scan log)

When you have posted the logs, Essexboy will be notified.

  1. We’ll try. :wink:
  2. If you’re on a 32bit system, run a boot time scan with avast.
    You can also run Free Mbam (update it before running): http://www.malwarebytes.org/mbam.php
    Post your Mbam log here.
  3. Surfing/USB sticks/clicking on bad links/etc…
    asyn

Hi, I’m wondering if there is any more information on this. I have the same problem and Avast keeps sending the pop-up warning. I have run a full scan with Avast in safe mode, having found 6 items, and subsequently sent them to the chest. I signed in and thought it was okay until this message kept popping up ("Dropper Blocked - No further action is required. Moved to chest"). Should I go ahead and also try the boot time scan? I’ve also updated mbam. I’m not sure if that will overload things when I reboot to have the boot time scan and the mbam update.

Or, since Avast is telling me that no further action is required, should I report this as a false positive? I wonder because before the safe mode Avast scan, I had received the critical error/hard drive messages as well, but I am not now.

My best to OnlyHeretoHelpDad and thanks so much in advance for any information.

Welcome to the forum, mazzycooper…!
Run Mbam first and post your log here.
asyn

Thank you so much, Asyn, for the warm welcome and kind advice. After having read about how corrupt USB cables (or is it more the devices attached?) may sometimes be the root of the problem, I disconnected my mp3 player at its cable, as well as my iphone, and rebooted. Once I rebooted, the “Dropper Kicked” alert stopped immediately. It seems, at least for now, that all is running smoothly.

Also, here is the mbam report:

Malwarebytes’ Anti-Malware 1.50
www.malwarebytes.org

Database version: 5264

Windows 6.0.6001 Service Pack 1
Internet Explorer 7.0.6001.18000

12/8/2010 8:30:53 PM
mbam-log-2010-12-08 (20-30-53).txt

Scan type: Full scan (C:|D:|)
Objects scanned: 349191
Time elapsed: 4 hour(s), 53 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 38

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ajyWlxBiFK.exe (Rogue.Agent) → Value: ajyWlxBiFK.exe → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\414202388 (Trojan.SCTool.Gen) → Value: 414202388 → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Users\melissa cooper\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\LCNWVWAX\461-direct[1].exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\O320OCLU\461-direct[1].exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\O320OCLU\461-direct[2].exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\O320OCLU\461-direct[4].exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\windows update.exe (Trojan.Agent) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp59B5.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp5cee.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp60A7.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp60A8.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp666f.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp68e1.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp6A4.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp6da2.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp6e5d.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp6e6d.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmpa591.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp13ed.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp2A1B.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp35bf.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp3d00.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp44DC.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp6FE2.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp70db.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp7628.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp7fc9.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp7ff8.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmp9923.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmpa276.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmpaa90.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmpB20F.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmpB431.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmpD2BB.tmp (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmpe1e5.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmpe262.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmpe35c.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmpecaf.tmp.exe (Trojan.FakeAV) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmpEFF9.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
c:\Users\melissa cooper\AppData\Local\Temp\tmpFC29.tmp (Trojan.FakeAlert) → Quarantined and deleted successfully.
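The log above is typical of a fake-AV infection: every file hit sits in the IE cache or the user's Temp folder, and the two registry hits are `HKCU\...\CurrentVersion\Run` values, which is how the rogue restarted after each reboot. As an added example (not code from the thread or from Malwarebytes), the script below parses lines in the Malwarebytes 1.50 log format, separates the autorun entries from the dropped files, and tallies detections by family and by drop location. The sample log is a constructed excerpt of the one posted above with the username replaced by `someuser`; the section and detection line patterns are assumptions based on that log, and both the ASCII `->` and the `→` that the forum rendering produced are accepted.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the Malwarebytes 1.50 log posted above
# (two registry values and four of the 38 file hits; username replaced).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5264

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ajyWlxBiFK.exe (Rogue.Agent) -> Value: ajyWlxBiFK.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\414202388 (Trojan.SCTool.Gen) -> Value: 414202388 -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Files Infected:
c:\Users\someuser\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\LCNWVWAX\461-direct[1].exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
c:\Users\someuser\AppData\Local\Temp\windows update.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\someuser\AppData\Local\Temp\tmp59B5.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\someuser\AppData\Local\Temp\tmp5cee.tmp.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
"""

# One detection line: "<path> (<family>) -> [Value: <v> ->] <action>."
# (assumed layout, taken from the log above; "->" and "→" both accepted)
DETECTION = re.compile(
    r"^(?P<path>.+?) \((?P<family>[^()]+)\) (?:->|→) "
    r"(?:Value: (?P<value>.+?) (?:->|→) )?(?P<action>.+?)\.?$"
)
# Section headers such as "Files Infected:" or "Registry Values Infected:"
SECTION = re.compile(r"^(?P<name>.+) Infected:$")
# Autorun locations: any value under HKCU/HKLM ...\CurrentVersion\Run or RunOnce
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def parse_mbam_log(text):
    """Return one dict per detection: section, path, family, value, action."""
    findings, section = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        m = DETECTION.match(line)
        if m and section:
            findings.append({"section": section, **m.groupdict()})
    return findings


def classify_location(path):
    """Bucket a file path by where the sample landed on disk."""
    p = path.lower()
    if "\\temporary internet files\\" in p:
        return "ie_cache"   # arrived through the browser
    if "\\appdata\\local\\temp\\" in p:
        return "temp"       # unpacked/dropped by the installer
    return "other"


def summarize(findings):
    """Triage view: persistence entries, family counts, drop locations."""
    persistence = [f for f in findings if RUN_KEY.search(f["path"])]
    by_family = Counter(f["family"] for f in findings)
    by_location = Counter(
        classify_location(f["path"]) for f in findings if f["section"] == "Files"
    )
    return {
        "total": len(findings),
        "persistence": persistence,
        "by_family": by_family,
        "by_location": by_location,
    }


if __name__ == "__main__":
    s = summarize(parse_mbam_log(SAMPLE_LOG))
    print(f"{s['total']} detections, {len(s['persistence'])} autorun entries")
    for f in s["persistence"]:
        print("  persistence:", f["path"], f"({f['family']})")
    print("  families:", dict(s["by_family"]))
    print("  file locations:", dict(s["by_location"]))
```

The persistence list is the part worth reading first after a cleanup: if a later scan shows a new `...\CurrentVersion\Run` value with a random-looking name, the dropper is still active somewhere even when the files under Temp have been removed, which is the situation the repeated "Dropper Blocked" pop-ups in this thread describe.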

  1. You’re welcome…!
  2. Good. :slight_smile:
    asyn