Cryp tap Virus


22 replies to this topic

#1 Miss S

  • Members
  • 13 posts

Posted 05 March 2008 - 05:07 PM

This is my first post and thanks to my daughter :thumbsup: I am getting to meet you all for the first time. I will warn you I am quite illiterate when it comes to computers :flowers:

I have been having problems with this virus for days now :-( I have run PC-cillin, Ad-Aware, and have used a registry cleaner! I cannot get rid of this Cryp tap virus. Any help would be greatly appreciated. I am about ready to shoot the computer and put it out of its misery :-) It will let me access the system restore, but early on I deleted all of the prior restoration points after receiving an error message telling me to do so. I have it isolated to a single file under System32/mljgh.dll, but it will not let me delete this file nor isolate it in quarantine with either PC-cillin or SpyWare.

I have tried all of the above even in safe mode.


#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 72,214 posts

Posted 06 March 2008 - 12:13 AM

Hello and welcome. Follow these instructions and it should be gone.

Please follow the instructions in our Tutorial
How to Remove WinFixer / Virtumonde

Next download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use the Firefox or Opera browser, click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW scan with SUPER
Open from the desktop icon or the Program Files list.
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post the log and let us know how the PC is running now.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#3 Miss S

  • Topic Starter
  • Members
  • 13 posts

Posted 07 March 2008 - 08:49 AM

After several attempts at following the directions below the virus remains. I am attaching the log that was requested. Thank you for your continued efforts.
And FWIW my daughter is never allowed to touch a PC EVER AGAIN IN HER LIFE!!!!!!!!!.....lol


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/06/2008 at 11:49 PM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 02:10:00

Memory items scanned : 161
Memory threats detected : 1
Registry items scanned : 5096
Registry threats detected : 5
File items scanned : 122065
File threats detected : 12

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\MLJGH.DLL
C:\WINDOWS\SYSTEM32\MLJGH.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{2D81C4A9-1091-498E-839B-6E893893D6C3}
HKCR\CLSID\{2D81C4A9-1091-498E-839B-6E893893D6C3}
HKCR\CLSID\{2D81C4A9-1091-498E-839B-6E893893D6C3}\InprocServer32
HKCR\CLSID\{2D81C4A9-1091-498E-839B-6E893893D6C3}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D81C4A9-1091-498E-839B-6E893893D6C3}

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ADA5B340-21D7-4854-9130-DD90D82BBE80}\RP877\A0084289.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ADA5B340-21D7-4854-9130-DD90D82BBE80}\RP877\A0084290.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ADA5B340-21D7-4854-9130-DD90D82BBE80}\RP877\A0084291.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ADA5B340-21D7-4854-9130-DD90D82BBE80}\RP877\A0084292.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ADA5B340-21D7-4854-9130-DD90D82BBE80}\RP877\A0084293.DLL

Trojan.Unclassified/Out-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ADA5B340-21D7-4854-9130-DD90D82BBE80}\RP877\A0084294.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ADA5B340-21D7-4854-9130-DD90D82BBE80}\RP877\A0084295.DLL

Adware.Mirar/NetNucleus
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ADA5B340-21D7-4854-9130-DD90D82BBE80}\RP877\A0084299.DLL

Trojan.NewDotNet-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{ADA5B340-21D7-4854-9130-DD90D82BBE80}\RP877\A0084300.DLL

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\HGJLM.INI
C:\WINDOWS\SYSTEM32\HGJLM.INI2

#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,593 posts

Posted 07 March 2008 - 09:38 AM

You did not follow all of boopme's instructions which require you to use Vundofix.

Please print out and follow the instructions for using "Vundofix". -- If using Windows Vista be sure to Run As Administrator.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the 'Fix Vundo' button.
  • After running VundoFix, a text file named vundofix.txt will automatically be saved to the root of the system drive, usually at C:\vundofix.txt.
  • Please copy & paste the contents of that text file into your next reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 Miss S

  • Topic Starter
  • Members
  • 13 posts

Posted 07 March 2008 - 02:46 PM

I am running XP and I had run Vundo, I just didn't send the log. Attached is the log; it says nothing found, yet the pop-ups continue and PC-cillin still identifies a folder where the bug is located. I just cannot figure out how to delete the file. (It says the file is in use by another program.)


Scan started at 8:47:04 AM 3/7/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V7.0.1

Scan started at 9:43:02 AM 3/7/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V7.0.1

Scan started at 1:28:45 PM 3/7/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,593 posts

Posted 07 March 2008 - 05:07 PM

What is the specific name of the file and where is it located (full file path) at on your system?

#7 Miss S

  • Topic Starter
  • Members
  • 13 posts

Posted 08 March 2008 - 08:25 AM

Well, now there seem to be 2 files that will not clear. Paths are as follows.

C:\windows\system32\mljgh.dll
C:\windows\system32\sulilqpg.dll

The virus name is cryp_tap-2.

#8 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,593 posts

Posted 08 March 2008 - 10:10 AM

We are going to run Vundofix again, but change the instructions slightly.
  • Double-click VundoFix.exe to run the program.
  • In the center grey window (open space), right-click and select "Add More Files?" from the menu that comes up.
  • An Explorer window will open. Locate (browse to) the files listed below and select "Open".

C:\WINDOWS\system32\mljgh.dll
C:\WINDOWS\system32\sulilqpg.dll

  • If there is more than one file listed, repeat the process until all the files listed are added.
  • If you are unable to find one of the files listed, manually type in the complete path and file name and select "Open"
  • Right-click in the open window and select "Select all" (or manually add check marks) in the boxes preceding the file names.
  • With the boxes all checked select "Fix Vundo" - Do Not Select "Scan for Vundo"
  • You will receive a prompt asking "Are you sure you want to remove these files?", click Yes.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt to reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt in your next reply.


#9 Miss S

  • Topic Starter
  • Members
  • 13 posts

Posted 08 March 2008 - 12:24 PM

I really appreciate all of this help. I will go and try it now and let you know. Thanks again!

#10 Miss S

  • Topic Starter
  • Members
  • 13 posts

Posted 08 March 2008 - 01:08 PM

posting the log after running per previous instructions.

VundoFix V7.0.1

Scan started at 8:40:27 PM 3/6/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V7.0.1

Scan started at 9:27:45 PM 3/6/2008

Listing files found while scanning....


Beginning removal...

VundoFix V7.0.1

Scan started at 8:47:04 AM 3/7/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V7.0.1

Scan started at 9:43:02 AM 3/7/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V7.0.1

Scan started at 1:28:45 PM 3/7/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\mljgh.dll
C:\WINDOWS\SYSTEM32\mljgh.dll Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\sulilqpg.dll
C:\WINDOWS\SYSTEM32\sulilqpg.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\sulilqpg.dll
C:\WINDOWS\SYSTEM32\sulilqpg.dll Has been deleted!

Performing Repairs to the registry.
Done!

#11 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,593 posts

Posted 08 March 2008 - 05:38 PM

How is your computer running now? Any more reports/signs of infection?

#12 Miss S

  • Topic Starter
  • Members
  • 13 posts

Posted 09 March 2008 - 08:34 AM

It is running much faster now :-) I am still getting three error messages though upon start up of the computer. Two of the messages are labeled "RUNDLL" and have a large red "X" in the upper left hand corner. One says "Error loading C:\Windows\System32\sulilqpg.dll". This link is the same one that Super spyware said was a virus and deleted. The other is the exact same message but ends in "dsnvgaqf.dll". The third error message is labeled "RegSvr32" and has a yellow triangle with an exclamation point in the top left hand corner. It reads " Load library ( C:\Documents and Settings\All Users.Windows\Application Data\klqlmtar.dll") failed-The specified module could not be found".

In other weird news I have a file that every time I try to open it, I get the following error message that is labeled "Documents and Settings" and has a red "X" in the corner:

"C:\Documents and Settings\Dakotah is not accessible. Access is denied".

I am using the admin screen and it says the file is empty, but it will not allow me to delete it. All SpyWare, Vundo and PC-cillin say I have no infections. Any ideas?

Thanks,
Miss S

#13 Miss S

  • Topic Starter
  • Members
  • 13 posts

Posted 09 March 2008 - 08:36 AM

P.S. I have searched the computer for any of the links above and according to my search engine they no longer exist.

#14 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,593 posts

Posted 09 March 2008 - 08:46 AM

It's not unusual to receive such an error after using specialized fix tools.

RunDLL32.exe is a legit Windows file that loads .dll files which too can be legit or malware related. The RunDLL "Error loading..."..."specific module could not be found" message usually occurs when the .dll file(s) that was set to run at startup has been deleted and it becomes an orphaned registry entry. Windows is trying to load this file(s) but cannot locate it since the file was removed during an anti-virus or anti-malware scan. However, the associated registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (Click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • Right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.

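A script-level view of what quietman7 describes above, as an added example that is not from this thread, from Autoruns or from any of the tools it names: it walks the classic Run/RunOnce keys and the Browser Helper Object registrations (the same HKLM ... Browser Helper Objects and HKCR\CLSID\{...}\InprocServer32 layout that appears in the SUPERAntiSpyware log earlier in the thread), pulls the file each entry depends on out of its command line, and reports entries whose file no longer exists on disk. Those are the orphaned entries behind the RunDLL "Error loading ..." and RegSvr32 "LoadLibrary ... failed" messages at logon. The three command lines at the end are constructed to show the parser at work and do not come from the thread. The script only reads the registry; it deletes nothing, so the list it produces is the set of candidates to confirm and remove in Autoruns as the post directs. Run it from an elevated Windows PowerShell prompt.

```powershell
# Added example, not code from the BleepingComputer thread or from Autoruns.
# Enumerates common Windows autostart registry locations and flags entries whose
# target file is missing ("orphaned" entries). Read-only: nothing is deleted.
# Run from an elevated Windows PowerShell prompt.

function Get-RunKeyEntries {
    # Each value under these keys is one command line executed at logon.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Location = "$key\$($p.Name)"; Command = [string]$p.Value }
        }
    }
}

function Get-BhoEntries {
    # Browser Helper Objects are registered by CLSID; the DLL path is the
    # default value of HKCR\CLSID\{clsid}\InprocServer32.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -LiteralPath $bhoKey)) { return }
    foreach ($sub in Get-ChildItem -LiteralPath $bhoKey) {
        $clsid  = $sub.PSChildName
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -LiteralPath $inproc) {
            $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
        }
        [pscustomobject]@{ Location = "$bhoKey\$clsid"; Command = [string]$dll }
    }
}

function Get-TargetPath {
    # Pull the file a startup command actually depends on out of its command line.
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $cmd = $Command.Trim()
    # rundll32[.exe] <dll>,<entrypoint>  -> the DLL is what the loader needs
    if ($cmd -match '^"?[^"]*rundll32(?:\.exe)?"?\s+(?<dll>"[^"]+"|[^,\s]+)') {
        return $Matches['dll'].Trim('"')
    }
    # regsvr32[.exe] [/s ...] <dll>
    if ($cmd -match '^"?[^"]*regsvr32(?:\.exe)?"?\s+(?:/\S+\s+)*(?<dll>"[^"]+"|\S+)') {
        return $Matches['dll'].Trim('"')
    }
    if ($cmd -match '^"(?<exe>[^"]+)"') { return $Matches['exe'] }   # quoted program path
    return ($cmd -split '\s+')[0]                                      # unquoted program path
}

function Test-TargetExists {
    param([string]$Path)
    $p = [Environment]::ExpandEnvironmentVariables($Path)
    if ([System.IO.Path]::IsPathRooted($p)) { return (Test-Path -LiteralPath $p) }
    # Bare file names are resolved via System32 or PATH, roughly as the loader does.
    if (Test-Path -LiteralPath (Join-Path $env:SystemRoot "System32\$p")) { return $true }
    return [bool](Get-Command -Name $p -ErrorAction SilentlyContinue)
}

function Find-OrphanedAutostarts {
    # One object per autostart entry; Orphaned is $true when the file is missing.
    $entries = @(Get-RunKeyEntries) + @(Get-BhoEntries)
    foreach ($e in $entries) {
        $target   = Get-TargetPath -Command $e.Command
        $orphaned = if ($target) { -not (Test-TargetExists -Path $target) } else { $true }
        [pscustomobject]@{ Location = $e.Location; Target = $target; Orphaned = $orphaned }
    }
}

# Parser check on constructed command lines (not taken from the thread's logs):
# each should print the DLL or EXE path rather than the host program.
@(
    'C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\System32\example.dll",EntryPoint',
    'regsvr32.exe /s "C:\Documents and Settings\All Users\Application Data\example.dll"',
    '"C:\Program Files\Vendor\agent.exe" /background'
) | ForEach-Object { Get-TargetPath -Command $_ }

# Report only the entries whose file is gone; review these in Autoruns before deleting.
Find-OrphanedAutostarts | Where-Object Orphaned | Format-Table -AutoSize
```

The Run/RunOnce keys and BHO registrations are only two of the many autostart locations Autoruns covers (services, scheduled tasks, Winlogon, shell extensions and so on), so an empty report from this script does not mean Autoruns will show nothing; it is a quick way to line up the file names from the error messages against the registry values that reference them before opening the tool.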

#15 Miss S

  • Topic Starter
  • Members
  • 13 posts

Posted 09 March 2008 - 09:15 AM

Is this also what is causing the "access denied" to the "Dakotah" file?
