# CryptExe, Win32.worm.autorun, Win32.bifrose.au



## thegoldenvision (May 2, 2008)

Hi, I'll try to be clear and concise, but I'm not an expert with computers and I may over-explain things, or not mention other obvious things.

A few days ago I plugged my pendrive into a computer at work and was told by AVG (which they have running there) that the pen contained a 'general trojan' which AVG gave me the option to eliminate, and I did.

This obviously made me wonder if I had a problem with my own computer. I did a bit of googling about pendrives and trojans and discovered one tell-tale sign is being unable to remove the pen safely through Windows as a program is still writing to it. Anyway I messed around plugging and unplugging my pen and found that yes, I did have problems safely disconnecting. Also when I tried to open it (double click) through My Computer, rather than opening the removable disk drive I got a 'choose what program you want to use to open this file' box. Right click and 'open' would open the pen no problem. Took the pen back to work and got the same message from AVG, eliminated the trojan again!

Now, I have Norton Internet Security (CONFESSION: subscription expired approx 4 months ago, haven't renewed). I ran a full scan - came back with nothing. I also have Spybot and Ad-aware installed and I updated them and ran full scans.

Ad-aware detected Win32.worm.autorun in C:\System Volume Information with a very long filename which began _restore and finished A0049223.exe - Ad-aware removed this for me.

Spybot detected win32.bifrose.au, which it also fixed for me.

NB: Spybot each time I run a scan gives two errors during the scan, "there were problems in the include file C:\ProgramFiles\Spybot-search destroy\includes\trojans.sbi see error log for details", and also later in its scan pops up the same message but in relation to Includes\TrojansC.sbi.

Also I did notice that this bifrose thing actually reappeared two days later when I scanned again, again with Spybot, but I 'fixed' it again, and it has been quite a few days since now and I've done several scans and it hasn't reappeared again.

And IN THE MEANTIME I have also downloaded AVG myself (as this was the program that detected the problem with the pen at work) and have been scanning with that.

AVG turned up various things (40 files!!), all of which it sent to the Vault:

fsgmt.dll (Win32/CryptExe.a)
fsgmt.dll.tmp (win\system32\secpol.exe.tmp)
NewServer[1].dll
NewServer[2].dll
c6jmqkdv.exe in Docs and Settings\Local Settings\Temp
and a really long list of other files all with long similar names and all in C:\System Volume Information\_restore etc etc

I've since realised that the Vault, I think, is to keep files for a few days to see if your system runs OK without them before you eliminate them, but I didn't know this and immediately deleted them all. Oops. It has now been 24 hours and my computer is working OK so far though.

I scanned immediately again with AVG and it turned up nothing.

This morning I scanned again with AVG and it turned up 1 threat in C:\System Volume Information\_restore etc etc, also described as CryptExe.
This one file is currently sitting in the Vault.

So my question basically is what should I do?

By the way my computer is running normally, not noticeably slower or any pop-ups or anything. The only thing I would mention (no idea if it is connected) is on start-up sometimes it takes a few seconds for the icons to appear on the desktop (but my desktop is currently very full of icons, maybe this is the reason).

Oh and one final thing: on shutdown (after shutdown, JUST before the computer turns itself off) recently I've sometimes had messages which are too long and disappear too quickly to note them down, but are about "memory could not be 'read'". This goes back to before I was aware of the problem with my pen, and to be honest the last few days I haven't had one of those messages.

Oh and since the second removal of the trojan from my pen drive I've had the pen in and out of my computer several times and there's now no longer a problem with safely disconnecting it or opening it by double clicking in My Computer.

Phew, I didn't manage to keep it short, I hope someone can make sense of this.

Thanks so much in advance for your time.


----------



## Ried (Jan 11, 2005)

Hello thegoldenvision and welcome to TSF,

Thank you for the detailed explanation, I know that took a lot of time to prepare. :smile:

You have some serious infections on this system that commercial tools do not always remove completely. Even though you no longer have any outward signs, I **highly recommend** you follow the instructions in our sticky topic *IMPORTANT - Read This Before Posting For Malware Removal Help*.

If you have any difficulty with any of the steps, move on to the next one.
Be sure to reach Step 5 and post the requested logs.

To keep all this information together, please post those logs here in this thread. Once you've posted them, I'll then move this thread to the HijackThis Log Help section of the forum and we'll continue there.


----------

