win32:crypto

[gardelvis]

I've recently discovered that I have a WIN32:CRYPTO virus.What do I have to do to remove it ? ( If it´s possible )
My PC has a dual boot system with WIN XP Professional Edition And Windows 98 First Release ( partition C: drive for win xp and partition d: drive for Win98 ). Please I´d be very gratefull to anyone that can help me. Thanks

[raman]

Where does Avast find that Virus(in which file/folder)? Sounds like a false alarm

[gardelvis]

I first detected that my antitrojan tds3 were compresed by aspack. then i downlaoded the databases from alwil and it reported a win32:blaster -C in the swapfile. Then I passed again the avast 4 and it reported Win32:crypto
The fact is that when I'm connected to Internet all the dlls change their crc because of the encrypting-desencrypting algorithm of Crypto. I'm sure that I've got it in my XP system because it duplicates all the dlls. Thanks for your answer but I'm very sad about this. I downloaded the free tool from symantec to remove the win32:blaster-C and it coudn't find anything and this is because of the encryption algorithm that uses the CRypto
Do you know something else about this ?

[pk]

I'm sure that I've got it in my XP system because it duplicates all the dlls.

Duplicate all the dlls ? Crypto virus doesn't duplicate any DLLs, it just encrypts them; You will do the best if you try to find this registry key: SOFTWARE\Microsoft\Cryptography\UserKeys\Prizzy/29A because about two months ago, someone wrote about Crypto false alarm to this forum. If some DLLs files were infected with the virus, it's not possible to clean them.

But as I said: it could be avast's false alarm:
(http://www.avast.com/forum/index.php?board=2;action=display;threadid=924;start=msg4974#msg4974)

[gardelvis]

 After some searching on the Web , My system Win 98 satandard edition crashed and I had to reinstalled it.
After the reinstallation I reinstalled TDS·3 on my pc and avast 4 home edition reports its compressed by ASpack.
I have a dual boot system with WinXP and WIN98. Thanks for your answer but I´m convinced I've got some kind of worm or trojan on my PC. Thanks and Happy New Year

[kareld]

Hi gardelvis,
1) The Aspack is an executable wrapper. That's a program that compresses an executable file and adds a short code to it that uncompresses the executable file (=program) on execution. There is nothing bad on it. Avast just reports when scanning the packed file.
2) The Blaster-C in the swapfile has no meaning. The swapfile is the "virtual memory", the place where the pieces of memory are temporarily moved when physical memory is needed. It's quite probable that the virus found there is a piece of Avast's virus database. Avast normally doesn't scan swapfiles, but on a dual-boot systems it recognizes just the swapfile of the Windows in use, not the swapfile of the inactive Windows copy. Forget the Blaster and don't scan swapfile again (put it to the Avast's scanning exceptions list).
3) If you have a file signed by Avast as infected with the Crypto virus, please send it to us (virus at asw dot cz).

Happy New Year

[Aulin]

Hello,  avast! 4.1 home edition found the following:
Sign of "Win32:Crypto" has been found in "C:\WINNT\MEMORY.DMP" file.  
I'm looking into removing it w/o backups available

[raman]

Simply delete that file! It is a false alarm.