Cryp_Vundo-24 and others - Can't run mb scan or HJT

On Friday night, Trend Micro OfficeScan detected several viruses on my machine: It "quarantined" TROJ_VIRANTIX.BF, PAK_Generic.001, TROJ_AGENT.AVUI, and Mal_FakeAV-9. It also detected Cryp_Vundo-24, but that "passed a potential security risk."

TROJ_FAKEAVAL.LF, Mal_FakeAV-9 and Cryp_Vundo-24 were still detected several times after the initial incident. Please see the log at the end of this post.

Here are the effects (that I know about):

1.) I was getting a nag to do something with a fake "antivirus or antispyware program." I deleted C:\blyuwrjl.exe (I think) to resolve that issue.

2.) Every time a program is executed, I get the message: "The application or DLL C:/WINDOWS/System32/nizmoyo.dll is not a valid Windows image."

3.) I am unable to scan with Malwarebytes, Spybot, or Ad-aware. The programs exit after a few seconds.

4.) I am redirected to antispyware sites when I try to use Internet Explorer. (I'm temporarily using Firefox.)

5.) An "Iexplore.exe" process is running even though an IE window is not open. I kill it but it restarts after a while.

Renaming mbam.exe enabled me to get into Malwarebytes. However, it still exits a few seconds after the scan starts. I tried renaming the program to winlogon.exe, but that did not resolve the issue. Safe mode also did not help.

I have been up for almost 24 hours trying to resolve this... Eventually, I gave up trying to run mb from the infected machine. I slaved the drive in another machine and scanned it with Malwarebytes. It quarantined Trojan.Dropper (6 cases) and Rogue.Agent (2 cases). I pasted the log at the end of this post.

I put the drive back in the original machine and booted off of it. The machine is apparently still infected. I have all 3 issues listed above and I am still unable to run a mb scan when I boot off of the drive.

I tried to run HijackThis (nothing happens). Renaming the exe did not help. I would be very grateful if anyone can assist me. I hope I can resolve it instead of formatting.

Trend Micro log (sorry, this is the format the log file uses):

20090828<;>1929<;>TROJ_VIRANTIX.BF<;>1<;>1<;>0<;>C:\WINDOWS\system32\dllcache\figaro.sys<;>

20090828<;>1929<;>PAK_Generic.001<;>1<;>1<;>0<;>C:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\PV68NP9A\zjjaof[1].htm<;>

20090828<;>1929<;>TROJ_AGENT.AVUI<;>1<;>1<;>0<;>C:\WINDOWS\system32\tajf83ikdmf.dll<;>

20090828<;>1929<;>Cryp_Vundo-24<;>25<;>1<;>0<;>C:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\DGGXX6I7\ekyymmqe[1].htm<;>

20090828<;>1929<;>Cryp_Vundo-24<;>25<;>1<;>0<;>C:\blyuwrjl.exe<;>

20090828<;>1929<;>PAK_Generic.001<;>1<;>1<;>0<;>C:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\2DT5BX43\clzqdervli[1].htm<;>

20090828<;>1929<;>Mal_FakeAV-9<;>81<;>1<;>0<;>C:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\6XN53SIW\Install[1].exe<;>

20090828<;>1929<;>Mal_FakeAV-9<;>10<;>1<;>0<;>C:\WINDOWS\system32\wisdstr.exe<;>

20090828<;>1929<;>Cryp_Vundo-24<;>25<;>1<;>0<;>C:\blyuwrjl.exe<;>

20090828<;>1929<;>Mal_FakeAV-9<;>81<;>1<;>0<;>C:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\2DT5BX43\Install[1].exe<;>

20090828<;>1929<;>Mal_FakeAV-9<;>10<;>1<;>0<;>C:\WINDOWS\system32\wisdstr.exe<;>

20090828<;>1929<;>Cryp_Vundo-24<;>25<;>1<;>0<;>C:\blyuwrjl.exe<;>

20090828<;>1929<;>Cryp_Vundo-24<;>25<;>1<;>0<;>C:\blyuwrjl.exe<;>

20090828<;>1929<;>Cryp_Vundo-24<;>25<;>1<;>0<;>C:\blyuwrjl.exe<;>

20090828<;>1929<;>Mal_FakeAV-9<;>81<;>1<;>0<;>C:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\DGGXX6I7\Install[1].exe<;>

20090828<;>1929<;>Mal_FakeAV-9<;>10<;>1<;>0<;>C:\WINDOWS\system32\wisdstr.exe<;>

20090828<;>2039<;>Cryp_Vundo-24<;>4<;>0<;>0<;>C:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\DGGXX6I7\ekyymmqe[1].HTM<;>

20090828<;>2125<;>TROJ_FAKEAVAL.LF<;>1<;>0<;>0<;>C:\WINDOWS\system32\resdll.DLL<;>

20090828<;>2125<;>Mal_FakeAV-9<;>10<;>0<;>0<;>C:\WINDOWS\system32\wisdstr.EXE<;>

20090828<;>2126<;>Cryp_Vundo-24<;>4<;>0<;>0<;>C:\blyuwrjl.EXE<;>

Malwarebytes scan (when slaving the drive in another machine):

D:\Documents and Settings\troy_b1\Local Settings\Temp\UAC7a25.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.

D:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\6XN53SIW\xdqrivm[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

D:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\6XN53SIW\zwjkbb[1].txt (Trojan.Dropper) -> Quarantined and deleted successfully.

D:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\DGGXX6I7\agqqerbspt[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

D:\emxtqjit.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

D:\fyblb.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

D:\WINDOWS\system32\UACtappamdibg.dll (Rogue.Agent) -> Quarantined and deleted successfully.

D:\WINDOWS\Temp\UAC8f0d.tmp (Rogue.Agent) -> Quarantined and deleted successfully.
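The Trend Micro log above is worth reading as a timeline rather than a list. The same files at the drive root (blyuwrjl.exe) and in system32 (wisdstr.exe) are reported at 19:29 and again at 21:25 and 21:26, i.e. after the product had already acted on them, and the browser-cache hits are the delivery pages while the drive-root and system32 hits are the resident pieces. The following is an added triage script written for this thread, not code from the original post or from Trend Micro. It parses a constructed excerpt of the pasted log using its `<;>` separator, groups detections by path, and flags files that are hit repeatedly or outside cache/temp locations. The three numeric fields between the detection name and the path are not explained anywhere in the thread, so they are carried as opaque codes and not interpreted.

```python
"""Triage of a Trend Micro OfficeScan-style detection log.

Added example for this thread, not code from the original post or from
Trend Micro. SAMPLE_LOG is a constructed excerpt of the log pasted above;
the `<;>` field separator is taken from that paste. Only the date, time,
detection name and file path are relied on. The three numeric fields
between the name and the path are kept as opaque codes: their meaning is
not confirmed by the thread and is deliberately not interpreted here.
"""
from collections import defaultdict

SEP = "<;>"
# Path fragments (lower-cased match) that mark browser-cache / temp locations.
CACHE_MARKERS = ("\\temporary internet files\\", "\\temp\\")

# Constructed excerpt of the log shown in the post (same layout, fewer lines).
SAMPLE_LOG = r"""
20090828<;>1929<;>TROJ_VIRANTIX.BF<;>1<;>1<;>0<;>C:\WINDOWS\system32\dllcache\figaro.sys<;>
20090828<;>1929<;>TROJ_AGENT.AVUI<;>1<;>1<;>0<;>C:\WINDOWS\system32\tajf83ikdmf.dll<;>
20090828<;>1929<;>Cryp_Vundo-24<;>25<;>1<;>0<;>C:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\DGGXX6I7\ekyymmqe[1].htm<;>
20090828<;>1929<;>Cryp_Vundo-24<;>25<;>1<;>0<;>C:\blyuwrjl.exe<;>
20090828<;>1929<;>Mal_FakeAV-9<;>81<;>1<;>0<;>C:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\6XN53SIW\Install[1].exe<;>
20090828<;>1929<;>Mal_FakeAV-9<;>10<;>1<;>0<;>C:\WINDOWS\system32\wisdstr.exe<;>
20090828<;>1929<;>Cryp_Vundo-24<;>25<;>1<;>0<;>C:\blyuwrjl.exe<;>
20090828<;>1929<;>Mal_FakeAV-9<;>10<;>1<;>0<;>C:\WINDOWS\system32\wisdstr.exe<;>
20090828<;>2039<;>Cryp_Vundo-24<;>4<;>0<;>0<;>C:\Documents and Settings\troy_b1\Local Settings\Temporary Internet Files\Content.IE5\DGGXX6I7\ekyymmqe[1].HTM<;>
20090828<;>2125<;>TROJ_FAKEAVAL.LF<;>1<;>0<;>0<;>C:\WINDOWS\system32\resdll.DLL<;>
20090828<;>2125<;>Mal_FakeAV-9<;>10<;>0<;>0<;>C:\WINDOWS\system32\wisdstr.EXE<;>
20090828<;>2126<;>Cryp_Vundo-24<;>4<;>0<;>0<;>C:\blyuwrjl.EXE<;>
"""


def parse_line(line):
    """Split one `<;>`-delimited record; None for blank or malformed lines."""
    fields = line.strip().split(SEP)
    # A well-formed record has at least date, time, name, 3 codes and a path.
    if len(fields) < 7 or not fields[0].isdigit():
        return None
    return {
        "date": fields[0],
        "time": fields[1],
        "name": fields[2],
        "codes": tuple(fields[3:6]),  # opaque; meaning assumed, not verified
        "path": fields[6],
    }


def parse_log(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def repeat_offenders(records, min_hits=2):
    """Group by case-insensitive path and keep paths hit at least min_hits times.

    Windows paths are case-insensitive, and the log itself shows the same
    file as blyuwrjl.exe and blyuwrjl.EXE, so the grouping must fold case.
    A path seen again at a later time than its first hit is marked as
    reappearing: the product reported it once and it is still there later.
    """
    groups = defaultdict(list)
    for rec in records:
        groups[rec["path"].lower()].append(rec)
    result = {}
    for path, recs in groups.items():
        if len(recs) < min_hits:
            continue
        times = sorted({r["time"] for r in recs})
        result[path] = {
            "hits": len(recs),
            "names": sorted({r["name"] for r in recs}),
            "times": times,
            "codes": sorted({r["codes"] for r in recs}),
            "reappeared_later": len(times) > 1,
        }
    return result


def persistent_paths(records):
    """Paths outside browser-cache / temp directories: the resident pieces."""
    return sorted({
        rec["path"].lower() for rec in records
        if not any(m in rec["path"].lower() for m in CACHE_MARKERS)
    })


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} detections parsed")
    print("\nPaths detected more than once (look for a resident component):")
    ranked = sorted(repeat_offenders(recs).items(), key=lambda kv: -kv[1]["hits"])
    for path, info in ranked:
        flag = "  (re-detected later)" if info["reappeared_later"] else ""
        print(f"  {info['hits']}x {path}{flag}")
        print(f"      names={info['names']} times={info['times']}")
    print("\nDetections outside cache/temp locations:")
    for path in persistent_paths(recs):
        print("  " + path)
```

On the excerpt, blyuwrjl.exe and wisdstr.exe each come back three times with a later re-detection, and the five paths outside the cache are the drive-root executable, three system32 files and the dllcache driver; that is the list to hand to whoever cleans the machine offline, and it lines up with the poster's report that resident code kills the scanners.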


Log file is located at: C:\Documents and Settings\KellyNg\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB922760\KB922760

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB925454\KB925454

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928090\KB928090

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929338\KB929338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931768\KB931768

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB939653\KB939653

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\occache\occache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Profiles\All Users\Adobe\Webbuy\Webbuy

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\AuthCabs\AuthCabs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch1\ch1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch2\ch2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch3\ch3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch4\ch4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch5\ch5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Gtek\instch_gdql_d_cache\instch_gdql_d_cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Identities\{DFF16927-88E6-4EAA-A097-460B7E65289B}\{DFF16927-88E6-4EAA-A097-460B7E65289B}

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Credentials\S-1-5-21-2414957132-1659341692-3346279671-1003\S-1-5-21-2414957132-1659341692-3346279671-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Desktop\14264c69986c\14264c69986c

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\CD Burning\CD Burning

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-1708537768-616249376-725345543-1003\S-1-5-21-1708537768-616249376-725345543-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Credentials\S-1-5-21-2414957132-1659341692-3346279671-1003\S-1-5-21-2414957132-1659341692-3346279671-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\OFFICE\OFFICE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Musicmatch\Jukebox\Cache\Cache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)


Hi, soloist124 :)

Welcome.

Please follow these steps:

Step 1

Open a command prompt. (Start->Run, type CMD and click OK) At the prompt copy and paste the following and press Enter after each line:

Copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll C:\

Exit

Step 2

Click on Start->Run, copy and paste the following command into the "Run" box (including the quotation marks), and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here in your next reply.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Step 3

1. Please download The Avenger by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:
Files to move:
C:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger.
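The helper's three steps encode a repair pattern that is worth spelling out. Win32kDiag reported two things: dozens of directory reparse points whose destination is `\Device\__max++>\^` rather than a normal volume path, and a system file, `eventlog.dll`, that cannot be opened even by a diagnostic tool. For the file, the log lists the clean copies Windows keeps, and the helper picks the one under `ServicePackFiles\i386` (the installed service pack's own file, dated 2008) rather than the `$NtServicePackUninstall$` copy (the pre-service-pack backup from 2004), stages it at the drive root with `copy`, and has The Avenger move it over the locked file during reboot, before whatever holds it open is running. The following is an added example written for this thread, not code from Win32kDiag, The Avenger or any post here. It parses a constructed excerpt of the Win32kDiag output above and generates the same copy command and Avenger script. Two rules in it are this editor's own: a legitimate NTFS junction or volume mount point has a target beginning with `\??\` (for example `\??\C:\...` or `\??\Volume{...}`), so anything else is flagged; and the doubled final directory name (`\KB918899\KB918899`, `\temp\temp`) is reported because every flagged entry in this particular log has it, not because it is a general signature.

```python
r"""Read Win32kDiag output and derive the repair the helper prescribed.

Added example for this thread, not code from Win32kDiag, The Avenger or the
original posts. SAMPLE_DIAG is a constructed excerpt of the log pasted above.
Editor's assumptions: a legitimate NTFS reparse target starts with \??\, so
\Device\__max++>\^ is flagged; and among the clean copies of an inaccessible
file, the one under ServicePackFiles\i386 (the installed service pack's own
file) is preferred over the $NtServicePackUninstall$ pre-service-pack backup,
which is the choice the helper made. The Avenger "Files to move:" directive
and the "source | destination" line format are taken from the helper's post.
"""
import ntpath
import re

# Constructed excerpt of the Win32kDiag log shown above (same line formats).
SAMPLE_DIAG = r"""
WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB918899\KB918899

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\temp\temp

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-04 06:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 20:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)
"""

# "[n] YYYY-MM-DD HH:MM:SS size path (company)" lines listing clean copies.
CANDIDATE_RE = re.compile(
    r"^\[(\d+)\]\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(.+?)\s+\((.*)\)\s*$"
)
MOUNT, DEST, DENIED = "Found mount point : ", "Mount point destination : ", "Cannot access: "


def parse_win32kdiag(text):
    parsed = {"warnings": [], "mount_points": [], "inaccessible": {}}
    pending_mount = None   # reparse-point path waiting for its destination line
    current_target = None  # inaccessible file currently collecting clean copies
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("WARNING:"):
            parsed["warnings"].append(line)
        elif line.startswith(MOUNT):
            pending_mount = line[len(MOUNT):]
        elif line.startswith(DEST) and pending_mount:
            parsed["mount_points"].append({"path": pending_mount, "destination": line[len(DEST):]})
            pending_mount = None
        elif line.startswith(DENIED):
            current_target = line[len(DENIED):]
            parsed["inaccessible"][current_target] = []
        else:
            m = CANDIDATE_RE.match(line)
            if m and current_target:
                parsed["inaccessible"][current_target].append(
                    {"timestamp": m.group(2), "size": int(m.group(3)),
                     "path": m.group(4), "company": m.group(5)})
    return parsed


def suspicious_mount_points(parsed):
    """Reparse points whose target is not a \\??\\-prefixed volume path."""
    out = []
    for mp in parsed["mount_points"]:
        if mp["destination"].startswith("\\??\\"):
            continue
        parts = mp["path"].rstrip("\\").split("\\")
        doubled = len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()
        out.append(dict(mp, doubled_name=doubled))
    return out


def pick_replacement(candidates):
    """Prefer the installed service pack's copy; otherwise the newest one."""
    sp = [c for c in candidates if "\\servicepackfiles\\" in c["path"].lower()]
    return max(sp or candidates, key=lambda c: c["timestamp"])  # ISO timestamps sort as text


def build_repair(parsed, staging_dir="C:\\"):
    """Return (copy commands to stage clean files, Avenger 'Files to move' script)."""
    copy_cmds, moves = [], []
    for target, candidates in parsed["inaccessible"].items():
        if not candidates:
            continue  # no clean copy listed; needs manual attention
        staged = staging_dir + ntpath.basename(target)
        copy_cmds.append(f"copy {pick_replacement(candidates)['path']} {staged}")
        moves.append(f"{staged} | {target}")
    return copy_cmds, ("Files to move:\n" + "\n".join(moves)) if moves else ""


if __name__ == "__main__":
    parsed = parse_win32kdiag(SAMPLE_DIAG)
    print("\n".join(parsed["warnings"]))
    for mp in suspicious_mount_points(parsed):
        note = "  [final directory name doubled]" if mp["doubled_name"] else ""
        print(f"suspicious reparse point: {mp['path']} -> {mp['destination']}{note}")
    copy_cmds, script = build_repair(parsed)
    print("\n".join(copy_cmds))
    print(script)
```

The output for the excerpt is the helper's `copy ... eventlog.dll C:\eventlog.dll` followed by the exact `Files to move:` script from the post. The reparse points are only reported here, not removed: the staged-file swap works because The Avenger runs before the rootkit's components load, and the same ordering is what a cleanup of the `\Device\__max++>\^` entries would need.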
