Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Cryp Tap-2 Infection

  • This topic is locked This topic is locked
5 replies to this topic

#1 IndyBlue


  • Members
  • 4 posts
  • Gender:Male
  • Location:Indianapolis
  • Local time:08:38 AM

Posted 01 April 2008 - 09:14 PM

I'm reciving notifications from my Trend Micro Antivirus that I am infected with Cryp Tap-2

The message from Trend reads as follows:

Real-time Scan
Trend Micro Antivrius had detected a virus or spyware and preformed a scan action (spyware names have the prefix "SPYW_").

Infected file: C:\Windows\system32\pmkhf.dll

Virus name: Cryp Tap-2

User name: Christopher

Scan action result: Unable to clean or quarantine the infected file.

Note: If the Search for and clean Trojans function is enabled and is executed after scanning, you can click Next to view final scan result information.

There is a 1/10 note at the bottom, and all 10 have the exact same message and .dll

The computer is running Vista Ultimate, and I have all windows recommended updates installed.

I have updated and run Trend Micro, which finds nothing. Adaware, which finds some tracking cookies, but nothing large, and AVG antispyware, which finds nothing.

BC AdBot (Login to Remove)


#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,565 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:07:38 AM

Posted 01 April 2008 - 09:34 PM

Hello and welcome. The fix for this is thru the HiJackThis forum and tools.
Please follow the instructions in this BC Tutorial... Preparation Guide For Use Before Posting A Hijackthis Log

As a Vista user, be sure to Run As Administrator. If you cannot perform a step just move on till you create a log.
Post the newly created,full log into this Forum, HijackThis Logs and Malware Removal, NOT in this thread please.

If you have any questions about the process ask those here.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,072 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:38 AM

Posted 02 April 2008 - 10:45 AM

Since you have not posted a hijackthis log, let's try this first.

Please print out and follow the instructions for using "Vundofix". -- If using Windows Vista be sure to Run As Administrator.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the 'Fix Vundo' button.
  • After running VundoFix, a text file named vundofix.txt will automatically be saved to the root of the system drive, usually at C:\vundofix.txt.
  • Please copy & paste the contents of that text file into your next reply.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Acan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 IndyBlue

  • Topic Starter

  • Members
  • 4 posts
  • Gender:Male
  • Location:Indianapolis
  • Local time:08:38 AM

Posted 02 April 2008 - 09:15 PM

Thank you for the suggestions.

Some lockups and work prevented me from posting a HJT log yesterday, but I am running some of the programs suggested and will post logs as soon as possible.


#5 IndyBlue

  • Topic Starter

  • Members
  • 4 posts
  • Gender:Male
  • Location:Indianapolis
  • Local time:08:38 AM

Posted 02 April 2008 - 09:52 PM

VundoFix found nothing, and here is the log from Malwarebytes.


Malwarebytes' Anti-Malware 1.10
Database version: 586

Scan type: Quick Scan
Objects scanned: 295575
Time elapsed: 43 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 15
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\pmkhf.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80c8f6d2-29ef-4962-870e-f44aa6001781} (Trojan.Vundo) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{80c8f6d2-29ef-4962-870e-f44aa6001781} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3feca576-7ad2-4e11-a6ad-6b59d4fb5db9} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM4f931bb0 (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmkhf.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\pmkhf.dll -> No action taken.

Folders Infected:
C:\Program Files\InetGet2 (Trojan.Downloader) -> No action taken.

Files Infected:
C:\Windows\System32\pmkhf.dll (Trojan.Vundo) -> No action taken.
C:\Windows\System32\fhkmp.ini (Trojan.Vundo) -> No action taken.
C:\Windows\System32\fhkmp.ini2 (Trojan.Vundo) -> No action taken.
C:\Users\Christopher\AppData\Local\Temp\sthuqlbe.dll (Trojan.Vundo) -> No action taken.
C:\Users\Christopher\Local Settings\Temporary Internet Files\Content.IE5\6TDCH7SZ\ptch[1] (Trojan.Vundo) -> No action taken.
C:\Users\Christopher\Local Settings\Temporary Internet Files\Content.IE5\96G1EG2H\718f466754402ac597de014577627f96[1].zip (Trojan.Downloader) -> No action taken.
C:\Users\Christopher\Local Settings\Temporary Internet Files\Content.IE5\96G1EG2H\ptch[1] (Trojan.Vundo) -> No action taken.

#6 TMacK


  • Members
  • 4,672 posts
  • Gender:Male
  • Location:B.C. Canada
  • Local time:05:38 AM

Posted 02 April 2008 - 10:18 PM

Hello IndyBlue,

Now that you have an open HJT log posted in the HijackThis Logs and Malware Removal forum, you shouldn't make any changes to your system.
Doing so, could change the results of the posted log, making it difficult to properly clean your system.

At this point, the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

This topic will now be closed.
If you have any questions, feel free to send me a PM.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

aaaaaaaa a~Suzie Wagner

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users