
Trendmicro Found Cryp-tap-2 Infections; Can't Remove


6 replies to this topic

#1 Chat Noir

  • Members
  • 5 posts

Posted 15 March 2008 - 07:08 PM

Hello,

My computer has been very slow for 5-6 days and I've received several pop-up ads while using IE. Some ads direct me to random addresses (ebay and fubar usually) and others direct me to download spyware/adware removal (all of which I cancel out of).

My system is Windows XP 2002 SP2, and I have Windows Defender installed, which does not find anything. McAfee has detected the following trojans or unwanted programs: Vundo, Adware-MediaTickets, Generic.dx, Adware-Purity Scan, Downloader-BCF and Downloader.gen.a. All were quarantined or removed. Otherwise it does not find anything during recent scans. I ran Trend Micro's online scan today and it detected 12 infections of CRYP-Tap-2 and 1 infection of Adware_Best-offer. When I try to clean the infections with Trend Micro, it only cleans 4 CRYP-TAP-2 infections and then I get the message that IE needs to close.

I tried system restore to system checkpoint in December and when the computer restarts I get the message that "Restoration Incomplete: No changes have been made."

No new programs were installed or downloaded. My McAfee subscription renewal lapsed for a few weeks but is now renewed.

Any help would be appreciated!

Thanks,
CN



#2 Orange Blossom

    OBleepin Investigator
  • Moderator
  • 37,112 posts
  • Location:Bloomington, IN

Posted 16 March 2008 - 12:41 AM

Hello Chat Noir and welcome to BC :flowers:

Thank you for the excellent description. It will take several steps to disinfect your computer. Let's start with the Vundo infection. Please follow the steps in this guide. If you have any problems or questions as you go through the guide, please post them as a reply to this thread. When you have completed the guide, please post the VundoFix log as a reply. You will find it here: C:\VundoFix.txt

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.



#3 Chat Noir

  • Topic Starter
  • Members
  • 5 posts

Posted 17 March 2008 - 11:19 AM

Hi Orange Blossom,

Thanks for your reply. I downloaded the Vundo fix and followed the steps in the guide. Here is the Vundo fix log:

C:\windows\SYSTEM32\qpqss.ini
C:\windows\SYSTEM32\qpqss.ini2
C:\windows\SYSTEM32\ssqpq.dll

I selected Fix Vundo. My desktop did not go blank as mentioned in the guide, but I was prompted to reboot the computer.

When the computer was restarted, I tried IE and received a C++ runtime error with RealPlayer.exe (sorry, I wrote down the exact wording and location but left it at home). I clicked OK to this error. IE loaded my homepage but I immediately received a pop-up ad.

Should I download the Virtumundo Begone now?

Thank you!
Chat Noir

#4 Orange Blossom

    OBleepin Investigator
  • Moderator
  • 37,112 posts
  • Location:Bloomington, IN

Posted 17 March 2008 - 03:03 PM

Hello Chat Noir,

Here is the Vundo fix log:

C:\windows\SYSTEM32\qpqss.ini
C:\windows\SYSTEM32\qpqss.ini2
C:\windows\SYSTEM32\ssqpq.dll


This is not the entire log. Can you please post the entire log? It should look something like this:


VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 1:47:34 PM 2/16/2008

Listing files found while scanning....

C:\WINDOWS\system32\caqbxmfl.exe
C:\WINDOWS\system32\xkhjwlqy.dll
C:\windows\system32\xkhjwlqy.dllbox

Beginning removal...

Attempting to delete C:\WINDOWS\system32\caqbxmfl.exe
C:\WINDOWS\system32\caqbxmfl.exe Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\xkhjwlqy.dll
C:\WINDOWS\system32\xkhjwlqy.dll Could not be deleted.

Attempting to delete C:\windows\system32\xkhjwlqy.dllbox
C:\windows\system32\xkhjwlqy.dllbox Has been deleted!

Performing Repairs to the registry.
Done!


Orange Blossom :thumbsup:

Edited by Orange Blossom, 17 March 2008 - 03:04 PM.
Add greeting


#5 quietman7

    Bleepin' Janitor
  • Global Moderator
  • 52,090 posts
  • Location:Virginia, USA

Posted 17 March 2008 - 04:44 PM

The VundoBeGone tool has not been updated in a while and may not be safe to use

Although this tool has not been updated, it still is effective against older variants of Vundo and safe to use as an alternative if there is a problem running VundoFix. While there may be ways of stopping the file from running, this will do nothing to clean the infection, and more powerful tools may be needed than we use in this forum. Some applications that were infected may even have to be reinstalled.

Please see the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 Chat Noir

  • Topic Starter
  • Members
  • 5 posts

Posted 18 March 2008 - 08:11 PM

Hi Orange Blossom,

Here is the correct Vundofix log:


VundoFix V7.0.3

Scan started at 7:47:42 AM 3/16/2008

Listing files found while scanning....

C:\windows\SYSTEM32\qpqss.ini
C:\windows\SYSTEM32\qpqss.ini2
C:\windows\SYSTEM32\ssqpq.dll

Beginning removal...

Attempting to delete C:\windows\SYSTEM32\qpqss.ini
C:\windows\SYSTEM32\qpqss.ini Has been deleted!

Attempting to delete C:\windows\SYSTEM32\qpqss.ini2
C:\windows\SYSTEM32\qpqss.ini2 Has been deleted!

Attempting to delete C:\windows\SYSTEM32\ssqpq.dll
C:\windows\SYSTEM32\ssqpq.dll Has been deleted!

Performing Repairs to the registry.
Done!

I guess my next step is posting a HJT log in the appropriate forum (per quietman's suggestion)?

Thank you,
Nicole
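The two VundoFix logs in this thread (the sample Orange Blossom pasted in post #4 and the full log in post #6) share one line format, so they can be read mechanically instead of by eye. The script below is an added example written for this page, not a tool from VundoFix, Trend Micro or BleepingComputer. It pulls the tool version, the Java version, and the found / deleted / could-not-delete paths out of a log, lists any found file the log never reports as deleted, and flags the naming pattern visible in post #6, where the .ini and .ini2 files' base name (qpqss) is the .dll's base name (ssqpq) spelled backwards. The embedded log is constructed from the shape of the two posted logs, with a "Could not be deleted." outcome borrowed from the post #4 sample; the exact line formats are assumed to be the ones shown in those posts.

```python
"""Parse a VundoFix log into a structured summary (added example, not VundoFix code).

Assumption: VundoFix writes exactly the line shapes seen in this thread:
  "VundoFix V<ver>", "Java version is <ver>",
  "Listing files found while scanning....", "Beginning removal...",
  "Attempting to delete <path>", "<path> Has been deleted!",
  "<path> Could not be deleted."
"""
import re
from pathlib import PureWindowsPath

# Constructed sample log: shaped like the post #6 log, with one
# "Could not be deleted." outcome taken from the post #4 sample.
SAMPLE_LOG = """VundoFix V7.0.3

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 7:47:42 AM 3/16/2008

Listing files found while scanning....

C:\\windows\\SYSTEM32\\qpqss.ini
C:\\windows\\SYSTEM32\\qpqss.ini2
C:\\windows\\SYSTEM32\\ssqpq.dll

Beginning removal...

Attempting to delete C:\\windows\\SYSTEM32\\qpqss.ini
C:\\windows\\SYSTEM32\\qpqss.ini Has been deleted!

Attempting to delete C:\\windows\\SYSTEM32\\ssqpq.dll
C:\\windows\\SYSTEM32\\ssqpq.dll Could not be deleted.

Performing Repairs to the registry.
Done!
"""

FOUND_HEADER = "Listing files found while scanning"
REMOVAL_HEADER = "Beginning removal"
DELETED_RE = re.compile(r"^(?P<path>.+?) Has been deleted!$")
FAILED_RE = re.compile(r"^(?P<path>.+?) Could not be deleted\.$")
JAVA_RE = re.compile(r"^Java version is (?P<ver>[\d.]+)$")
WINPATH_RE = re.compile(r"^[A-Za-z]:\\")   # a line that is a Windows path


def parse_vundofix_log(text):
    """Return tool version, Java version and the found/deleted/failed paths."""
    result = {"version": None, "java": None, "found": [], "deleted": [], "failed": []}
    in_found = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("VundoFix V"):
            result["version"] = line[len("VundoFix V"):]
            continue
        m = JAVA_RE.match(line)
        if m:
            result["java"] = m.group("ver")
            continue
        if line.startswith(FOUND_HEADER):
            in_found = True          # paths follow until the removal section
            continue
        if line.startswith(REMOVAL_HEADER):
            in_found = False
            continue
        if in_found and WINPATH_RE.match(line):
            result["found"].append(line)
            continue
        m = DELETED_RE.match(line)
        if m:
            result["deleted"].append(m.group("path"))
            continue
        m = FAILED_RE.match(line)
        if m:
            result["failed"].append(m.group("path"))
    return result


def reversed_name_pairs(paths):
    """Pair each .dll with every .ini/.ini2 whose stem is the .dll stem reversed.

    Post #6 shows ssqpq.dll next to qpqss.ini and qpqss.ini2. File names are
    compared case-insensitively because Windows file names are.
    """
    by_stem = {}
    for p in paths:
        by_stem.setdefault(PureWindowsPath(p).stem.lower(), []).append(p)
    pairs = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() != ".dll":
            continue
        for q in by_stem.get(wp.stem.lower()[::-1], []):
            if PureWindowsPath(q).suffix.lower().startswith(".ini"):
                pairs.append((p, q))
    return pairs


def not_removed(parsed):
    """Found files the log never reports as deleted (failed or never attempted)."""
    deleted = {p.lower() for p in parsed["deleted"]}
    return [p for p in parsed["found"] if p.lower() not in deleted]


if __name__ == "__main__":
    parsed = parse_vundofix_log(SAMPLE_LOG)
    print("VundoFix", parsed["version"], "/ Java", parsed["java"])
    print("found:", len(parsed["found"]), "deleted:", len(parsed["deleted"]),
          "failed:", parsed["failed"])
    for dll, ini in reversed_name_pairs(parsed["found"]):
        print("reversed-name pair:", dll, "<->", ini)
    print("still present after run:", not_removed(parsed))
```

Anything printed under "still present after run" is a file VundoFix found but never reports as deleted, which is the situation quietman7 describes above where stronger tools than this forum uses, and a HijackThis log in the HJT forum, become the next step.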

#7 boopme

    To Insanity and Beyond
  • Global Moderator
  • 73,573 posts
  • Location:NJ USA

Posted 18 March 2008 - 09:36 PM

Your infection will require the tools of the HiJack forum please follow Q7's instructions.

Edited by boopme, 18 March 2008 - 09:37 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
