Mike0879
On Friday night, Trend Micro OfficeScan detected several viruses on my machine: it "quarantined" TROJ_VIRANTIX.BF, PAK_Generic.001, TROJ_AGENT.AVUI, and Mal_FakeAV-9. It also detected Cryp_Vundo-24, but that "passed a potential security risk." TROJ_FAKEAVAL.LF, Mal_FakeAV-9 and Cryp_Vundo-24 were still detected several times after the initial incident. Please see the log at the end of this post.

Here are the effects (that I know about):

1.) I was getting a nag to do something with a fake "antivirus or antispyware program." I deleted C:\blyuwrjl.exe (I think) to resolve that issue.
2.) Every time a program is executed, I get the message: "The application or DLL C:/WINDOWS/System32/nizmoyo.dll is not a valid Windows image."
3.) I am unable to scan with Malwarebytes, Spybot, or Ad-Aware. The programs exit after a few seconds.
4.) I am redirected to antispyware sites when I try to use Internet Explorer. (I'm temporarily using Firefox.)
5.) An "Iexplore.exe" process is running even though an IE window is not open. I kill it, but it restarts after a while.

Renaming mbam.exe enabled me to get into Malwarebytes. However, it still exits a few seconds after the scan starts. I tried renaming the program to winlogon.exe, but that did not resolve the issue. Safe mode also did not help. I have been up for almost 24 hours trying to resolve this...

Eventually, I gave up trying to run MB from the infected machine. I slaved the drive in another machine and scanned with Malwarebytes. It quarantined Trojan.Dropper (6 cases) and Rogue.Agent (2 cases). I pasted the log at the end of this post. I put the drive back in the original machine and booted off of it. The machine is apparently still infected. I have all 3 issues listed above, and I am still unable to run an MB scan when I boot off of the drive. I tried to run HijackThis (nothing happens). Renaming the exe did not help.

I would be very grateful if anyone can assist me. I hope I can resolve it instead of formatting.

Trend Micro Log (sorry, this is the format the log file is in):

20090828<;>1929<;>TROJ_VIRANTIX.BF<;>1<;>1<;>0<;>C:\WINDOWS\system32\dllcache\figaro.sys<;>
20090828<;>1929<;>PAK_Generic.001<;>1<;>1<;>0<;>C:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\PV68NP9A\zjjaof[1].htm<;>
20090828<;>1929<;>TROJ_AGENT.AVUI<;>1<;>1<;>0<;>C:\WINDOWS\system32\tajf83ikdmf.dll<;>
20090828<;>1929<;>Cryp_Vundo-24<;>25<;>1<;>0<;>C:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\DGGXX6I7\ekyymmqe[1].htm<;>
20090828<;>1929<;>Cryp_Vundo-24<;>25<;>1<;>0<;>C:\blyuwrjl.exe<;>
20090828<;>1929<;>PAK_Generic.001<;>1<;>1<;>0<;>C:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\2DT5BX43\clzqdervli[1].htm<;>
20090828<;>1929<;>Mal_FakeAV-9<;>81<;>1<;>0<;>C:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\6XN53SIW\Install[1].exe<;>
20090828<;>1929<;>Mal_FakeAV-9<;>10<;>1<;>0<;>C:\WINDOWS\system32\wisdstr.exe<;>
20090828<;>1929<;>Cryp_Vundo-24<;>25<;>1<;>0<;>C:\blyuwrjl.exe<;>
20090828<;>1929<;>Mal_FakeAV-9<;>81<;>1<;>0<;>C:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\2DT5BX43\Install[1].exe<;>
20090828<;>1929<;>Mal_FakeAV-9<;>10<;>1<;>0<;>C:\WINDOWS\system32\wisdstr.exe<;>
20090828<;>1929<;>Cryp_Vundo-24<;>25<;>1<;>0<;>C:\blyuwrjl.exe<;>
20090828<;>1929<;>Cryp_Vundo-24<;>25<;>1<;>0<;>C:\blyuwrjl.exe<;>
20090828<;>1929<;>Cryp_Vundo-24<;>25<;>1<;>0<;>C:\blyuwrjl.exe<;>
20090828<;>1929<;>Mal_FakeAV-9<;>81<;>1<;>0<;>C:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\DGGXX6I7\Install[1].exe<;>
20090828<;>1929<;>Mal_FakeAV-9<;>10<;>1<;>0<;>C:\WINDOWS\system32\wisdstr.exe<;>
20090828<;>2039<;>Cryp_Vundo-24<;>4<;>0<;>0<;>C:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\DGGXX6I7\ekyymmqe[1].HTM<;>
20090828<;>2125<;>TROJ_FAKEAVAL.LF<;>1<;>0<;>0<;>C:\WINDOWS\system32\resdll.DLL<;>
20090828<;>2125<;>Mal_FakeAV-9<;>10<;>0<;>0<;>C:\WINDOWS\system32\wisdstr.EXE<;>
20090828<;>2126<;>Cryp_Vundo-24<;>4<;>0<;>0<;>C:\blyuwrjl.EXE<;>

Malwarebytes Scan (when slaving the drive in another machine):

D:\Documents and Settings\troy_b1\Local Settings\Temp\UAC7a25.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\6XN53SIW\xdqrivm[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\6XN53SIW\zwjkbb[1].txt (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\DGGXX6I7\agqqerbspt[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\emxtqjit.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\fyblb.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\UACtappamdibg.dll (Rogue.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\Temp\UAC8f0d.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
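As an added example (not part of the original post, and not Trend Micro's own tooling), a small Python parser for the `<;>`-separated OfficeScan log lines pasted above: it normalises paths case-insensitively and lists the objects that were detected again after the first scan time, which is the recurrence the poster describes. The meaning of the three numeric columns is not given in the post, so they are kept raw; the sample records are copied from the post and shortened.

```python
from collections import Counter

SEP = "<;>"

# Constructed sample: a handful of records copied from the post, in its layout.
SAMPLE_LOG = """\
20090828<;>1929<;>TROJ_VIRANTIX.BF<;>1<;>1<;>0<;>C:\\WINDOWS\\system32\\dllcache\\figaro.sys<;>
20090828<;>1929<;>Cryp_Vundo-24<;>25<;>1<;>0<;>C:\\blyuwrjl.exe<;>
20090828<;>1929<;>Mal_FakeAV-9<;>10<;>1<;>0<;>C:\\WINDOWS\\system32\\wisdstr.exe<;>
20090828<;>1929<;>Cryp_Vundo-24<;>25<;>1<;>0<;>C:\\blyuwrjl.exe<;>
20090828<;>2125<;>Mal_FakeAV-9<;>10<;>0<;>0<;>C:\\WINDOWS\\system32\\wisdstr.EXE<;>
20090828<;>2126<;>Cryp_Vundo-24<;>4<;>0<;>0<;>C:\\blyuwrjl.EXE<;>
"""


def parse_records(text):
    """Split each non-empty line into a dict: date, time, detection name,
    three undocumented numeric columns (kept raw), and the object path.
    Each line ends with a trailing separator, so the empty last field is dropped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(SEP)
        if fields and fields[-1] == "":
            fields.pop()
        if len(fields) != 7:
            raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
        date, time, name, a, b, c, path = fields
        records.append({"date": date, "time": time, "name": name,
                        "flags": (a, b, c),  # meaning not stated in the post
                        "path": path})
    return records


def recurring_after_first_scan(records):
    """Return {(name, lower-cased path): total count} for every object that
    shows up again at a timestamp later than the earliest one in the log.
    Paths are lower-cased because Windows file names are case-insensitive,
    so blyuwrjl.exe and blyuwrjl.EXE are the same object."""
    first = min((r["date"], r["time"]) for r in records)  # zero-padded, so string order works
    counts = Counter()
    seen_later = set()
    for r in records:
        key = (r["name"], r["path"].lower())
        counts[key] += 1
        if (r["date"], r["time"]) > first:
            seen_later.add(key)
    return {k: counts[k] for k in seen_later}
```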