Author Topic: Win32:Crypto & Win32:Blaster-C  (Read 7574 times)

Shazzamara

  • Guest
Win32:Crypto & Win32:Blaster-C
« on: February 10, 2004, 04:25:08 AM »
Could anyone plz tell me how to get rid of Win32:Crypto & Win32:Blaster-C from my PC? I have put the virus and Trojan in the virus chest and have also overwritten the files several times, as they keep reappearing in different directories. The software I have used besides avast is Evidence Eliminator, but nothing seems to help. Are there any fixes, or do I have to reformat my PC? Any information would be appreciated.
Thanks
Shazzamara

whocares

  • Guest
Re:Win32:Crypto & Win32:Blaster-C
« Reply #1 on: February 10, 2004, 08:55:09 AM »
Hi Shazzamara,
please tell us which Win you have, and where exactly the infected files were found (full path and filename, see avast's report/log-file)

Blaster can be removed by avast's cleaner:
http://www.avast.com/i_idt_171.html

but it's important that you apply ALL Windows updates, or it will reappear again over the net


Here's some info/removal instructions on crypto:
http://www.virusbtn.com/resources/vgrep/vgrep.cgi?terms=win32%3ACRYPTO&product=1

sounds a bit tricky, we need to know where it was found/if it's active..
 ;)

whocares

  • Guest
Re:Win32:Crypto & Win32:Blaster-C
« Reply #2 on: February 10, 2004, 09:04:04 AM »
Crypto:

check the file with online scanners from Trend and KAV (see below; pause avast's resident shield first; be sure to re-enable it afterwards..)  -> to confirm infection/rule out false alarm, as crypto is not supposed to be wildly spread.. maybe you're lucky..

and best DON'T reboot the PC, if you have not already done so since avast alerted you to the crypto virus ;)
« Last Edit: February 10, 2004, 09:35:41 AM by whocares »

whocares

  • Guest
Re:Win32:Crypto & Win32:Blaster-C
« Reply #3 on: February 10, 2004, 10:09:39 AM »
"If you have a file signed by Avast as infected with the Crypto virus, please send it to avast  (virus at asw dot cz)."

If you or I had used the board search ...: :P

there sure have been lots of postings, where crypto is a false alarm, but nonetheless, post the filepath and name of the allegedly crypto-infected file
 ;)

Shazzamara

  • Guest
Re:Win32:Crypto & Win32:Blaster-C
« Reply #4 on: February 11, 2004, 07:38:28 AM »
 ;D Thank you Whocares for responding to my posting and I am sorry for my delay in answering because of the time difference from Australia.

My op is Win 98 (yes I know I am definitely behind tech times  :-\ ) Thank you so much for the sites that you posted, I will definitely check them out after this posting.  These are the copies of the file that I have saved, as for the logged files they have all disappeared... maybe Evidence Eliminator deleted them  ???

Virus Description: Win32:Crypto
FileID: 0000000014  Program cannot copy the following file: C:\WINDOWS\TEMP\aswC350.TMP\14.CSP (Original filename: PAGEFILS.CSP )
Move files to temporary folder: C:\WINDOWS\TEMP\asw9245.TMP
FileID: 0000000009  Original file name: C:\WINDOWS\SYSTEM\wsock32.dll  New folder: C:\WINDOWS\TEMP\asw9245.TMP\9.dll

I always kept everything on my system updated and I have also run the Windows updates again and it says all is fine and no updates are needed. I also ran HouseCall several times and on the last time I took your advice on disabling my avast but it comes out clean?

I have also rebooted my PC, and some strange things have happened.  I don't have the avast screen saver enabled but it comes right across my screen when I am working on the PC, and it has a habit of moving to wherever I am typing  :o  Very annoying!!!

Thank you once again for your advice, as I have run out of options to try. I know my operating system very well and usually fix any problems I usually have. But this one leaves me scratching my head..  ::)

Take care  :)
Shazza

whocares

  • Guest
Re:Win32:Crypto & Win32:Blaster-C
« Reply #5 on: February 11, 2004, 11:20:54 AM »
Virus Description: Win32:Crypto
FileID: 0000000014  Program cannot copy the following file: C:\WINDOWS\TEMP\aswC350.TMP\14.CSP (Original filename: PAGEFILS.CSP )
Move files to temporary folder: C:\WINDOWS\TEMP\asw9245.TMP
FileID: 0000000009  Original file name: C:\WINDOWS\SYSTEM\wsock32.dll  New folder: C:\WINDOWS\TEMP\asw9245.TMP\9.dll

Hi Shazza,

let me make an educated guess:
1)
the wsock32.dll is in the chest, but not in the "infected files" part, rather in the "system" or "all chest files" part ?
if so: it is only a backup made by avast
if, however avast detected crypto in it, you should send it in..

2) the PAGEFILS.CSP is where crypto was found ? false alarm (avast finds its own virus signatures in this memory(swap)file) and I suppose it's too large to send it in by Email?

Does a complete thorough scan with avast yield any virus warnings now ?

 ;)

Shazzamara

  • Guest
Re:Win32:Crypto & Win32:Blaster-C
« Reply #6 on: February 12, 2004, 04:35:11 AM »
Hi Whocares,

Thanks again for your reply, and yes your educated guess is correct.

(1) I have wsock32.dll, kernel32.dll and command.com in my (Avast) system files entries. Is this normal? I know what wsock32.dll, kernel32.dll  are but I have no idea what command.com is? Is that related to the normal command???

(2) Yes the PAGEFILS.CSP is where crypto was found and it was too large to send via e-mail.

One of the last scans came up with a corrupted file Jet623.tmp, then my PC rebooted with no warning... I ran a search on my PC and there are many Jet***.temp in my Windows temp folder and I have tried to delete them (also delete on next boot up) and get the error of access denied.

The last full scan (Avast) and also the aswclnr.exe (CleanerPack) that I have done came out clean... so fingers crossed..

Take care
Shazza

igor

  • Avast team
Re:Win32:Crypto & Win32:Blaster-C
« Reply #7 on: February 12, 2004, 09:35:45 AM »
command.com is the same command.com as it always used to be - since the old DOS until Windows ME. I don't know what the "normal command" should be, but I think there is only one command.com in the system. (The fact that it's an EXE file, actually, is another thing; but it was always called .com).

The JetNNN.tmp files are temporary files of Microsoft Jet drivers (utilized by avast! as well). There are usually 2 files in the TEMP folder locked (in use when avast! is running), the rest of them should be possible to delete.
Btw, if there are more and more JetNNN.tmp files in your TEMP folder, you may try to update to the latest MDAC (downloadable from Microsoft) - it may help.

Shazzamara

  • Guest
Re:Win32:Crypto & Win32:Blaster-C
« Reply #8 on: February 13, 2004, 04:11:12 AM »
Thanks Igor, for the information and suggestion as it has been a big help.

I will definitely try the update that you have suggested.

Have a good one  :)