win32:Crypt-LUQ [trj]

My most recent complete system scan with Avast found the following:

c:\System Volume Information\catalog.wci\00000002.ps2
Infection: win32:Crypt-LUQ [trj]
Severity: High
Action: Move to Chest
Result: Error: The process cannot access the file because it is being used by another process (32)
When I choose the Action: Delete, I get the message: Action postponed until the next reboot.
I scheduled a Boot-time Scan but it did not solve the problem.

I am running XP SP3

c:\System Volume Information\catalog.wci\00000002.ps2
since it is located in system restore, just delete your restore points and create new

Object is locked. Filename makes me think of Adware.IETray. Could you also do a full scan with SAS, download here: http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
Also consider info here: http://f.virscan.org/00000002.ps2.html
I informed essexboy, to have a look here,

polonus

Thanks for your suggestion. I deleted my restore points (XP allows the deletion of all but the most recent). Because of this, the trojan continues to exist. I did turn off System Restore (My Computer>Properties>System Restore>Checked “Turn off System Restore on all drives”). I ran Avast on the folder again but the infection was still there.

Also, the infection is not located in any of the “_restore…” files but in the 00000002.ps2 file. Its path: c:\System Volume Information\catalog.wci\00000002.ps2. This may or may not make any difference but the infection persists.

I installed and ran SAS in both Normal and Safe Modes:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/11/2012 at 06:31 PM

Application Version : 5.0.1146

Core Rules Database Version : 8324
Trace Rules Database Version: 6136

Scan type : Custom Scan
Total Scan Time : 00:07:11

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 891
Memory threats detected : 0
Registry items scanned : 36754
Registry threats detected : 0
File items scanned : 3780
File threats detected : 0

I also downloaded and ran Stinger. I updated and ran Malwarebytes. Neither found anything - only Avast found it.

After rebooting into Normal mode I ran Avast on the folder and it continues to find the trojan.

Could this be a false positive? I can’t find any mention of “win32:Crypt-LUQ” anywhere that has any meaning.

Any suggestions will be most appreciated.

Thanks for your help.

System Volume Information is system restore on XP

I did turn off System Restore (My Computer>Properties>System Restore>Checked "Turn off System Restore on all drives"). I ran Avast on the folder again but the infection was still there.
Did you reboot computer before you turned it on again?

if still problems follow this guide
http://forum.avast.com/index.php?topic=53253.0

Monitoring

Just wanted to chime in and say I have the same issue.
It came up this past Saturday in my weekly scan. Same virus, file, and location.

Avast was unable to repair or move to chest.

I have also tried MBAM and TrendMicros-Housecall but they did not find this virus.

Running Windows 7 Pro, 64bit

Hope this helps,
Tate-r

If you have problems create a new topic and follow the guide posted in reply #4

http://www.threatexpert.com/report.aspx?md5=9360edbe3ad23ca85cf782d04dfd101a

From: http://forum.avast.com/index.php?topic=53253.0

I updated Malwarebytes and ran it as instructed. It found nothing.

I then downloaded OTL to my Desktop and ran it exactly as instructed.

I have attached the OTL.txt file.

From: http://forum.avast.com/index.php?topic=53253.0

I downloaded aswMBR.exe (4.5mb not 1.8mb) to my Desktop and ran it exactly as instructed.

Attached is the aswMBR.txt file.

The log looks clean - I will reset the restore points, if you could do a quick Avast scan to see if it is still detected afterwards

Warning: This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:Files
ipconfig /flushdns /c

:Commands
[emptytemp]
[CLEARALLRESTOREPOINTS]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done

I ran OTL as instructed.

Attached is the log file.

I ran Avast on the System Volume Information folder and the trojan is still present.

Based on that then I would think we are looking at a false positive here

As OTL deleted all the old restore points prior to creating the new one

And there was no indication of malware on the last logs

Thank you very much for all your help. Your coaching was of great help to my own knowledge base. It’s good to know that you have my back.

I followed instructions from old topic: Win32:Agent-OLD [Trj] on this forum January 02, 2008. I had same problem
c:\System Volume Information\catalog.wci\00000002.ps2 Infection: win32:Crypt-LUQ [trj]. Use ComboFix and after delete manually 00000002.ps2. Use rootkitbuster trend micro I had some threads found. My computer was very slow for past week and hard disk was working when left alone. Avast detected 00000002.ps2 on 03-10-12 now computer is fast as new.

I had the same issue on two different XP SP3 machines (no trace of the issue on Windows7 machine).
c:\System Volume Information\catalog.wci\0000002.ps2 - Threat: Win32:Crypt-LUQ [trj]

And I did not understand why Avast was not removing the problem until I came across this thread.

While reading this thread, I tried this sequence to remove the problem:

  1. Turn off System Restore (Start – Accessories – System Tools – System Restore – Checked “Turn off System Restore on all drives”)
  2. Configured Avast Boot-time scan to scan folder c:\System Volume Information
  3. Rebooted
  4. Avast Boot-time Scan started
  5. Problem was detected
  6. Problem can now be deleted in the view log
  7. Rescanned to verify (problem gone)
  8. Turned on System Restore again

And neither Malwarebytes nor SuperAntiSpyware detected the issue.

Thanks :slight_smile:

So I tried following this sequence and although that stupid 0000000.ps2 file is there (again) - the boot time scan of c:\system volume information did NOT detect the threat - even though my last full scan of the system or a direct scan of the file shows it as a threat. This makes no sense to me. What is generating this file and why is it so HUGE?

Are you linked to a games console ?