Author Topic: Infected by win32:junkpoly [cryp] (Read 7391 times)

Stony · « **on:** February 12, 2009, 03:58:43 PM »

Lastnight after installin Daemon tools, i noticed i have 5 new icons (shortcuts) on my desktop. i did not open ANY of these knowing it had to be some form of spy/ad-ware, so i just deleted them. INSTANT BSOD!

Upon reboot i noticed the logon screen had changed so i did not type in my password just hit enter to continue. the desktop loaded and within seconds "services.exe failed to load" or was shut down by something, then userinit logon application followed. since, i cannot use certin applications such as mIRC. and cannot access the registry. even user profiles won't launch.

i ran Avast and it came back with 9 instances of "win32:junkpoly [cryp]"

Windows\$NtUninstallKB952069_wm9$\logagent.exe
Windows\TEMP\BN1.tmp
Windows\system32\dllcache\asr_pfu.exe
Windows\system32\dllcache\bootok.exe
Windows\system32\dllcache\cplexe.exe
Windows\system32\dllcache\drwtsn32.exe
Windows\system32\dllcache\EXCH_regtrace.exe
Windows\system32\dllcache\finger.exe
Windows\system32\dllcache\FLTmc.exe

i deleted all of these and they came back, i put them all in the virus chest, and they came back!?!?

after googling myself into a frenzy i went into a java IRC room and a friend pointed me here.

the following is a copy of the hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:14:29 PM, on 2/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\System32\reader_s.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\Stony\reader_s.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Stony\Desktop\Downloads\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\Stony\reader_s.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [vxsdgeaz.exe] C:\WINDOWS\vxsdgeaz.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\Stony\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [vxsdgeaz.exe] C:\WINDOWS\vxsdgeaz.exe (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1234453938265
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4412 bytes

i hope this will help you help me. and hope to hear back soon.

guestolo · « **Reply #1 on:** February 12, 2009, 07:19:02 PM »

Not sure if the news will be good, some legit files on your computer may be infected
But let's please try the following

Temporarily disable Avast protections so it won't interfere with this next scanner
Right click on the Avast icon by the clock and Stop on access protection
Ok the prompt

Download the latest version of [color=\"blue\"]Kaspersky Virus Removal Tool[/color][/b] and save it to your Desktop

Close all other applications and double-click and run the installer.
When AVPTool starts, select all the scanable items except for CD-ROM drives and click the Scan button.
If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button
In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
In the Scan window click the Reports button and select Save to file.
Name the report AVPT.txt, and save it to the Desktop.
Close AVPTool.
You will be prompted if you want to uninstall the program; click Yes.
You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
Post the report you saved in your next reply.

Also, include a fresh Hijackthis log

Stony · « **Reply #2 on:** February 13, 2009, 07:55:12 PM »

Well if at first you don't succeed. i tried this. as i got to the part of saving the .txt to the desktop. explorer.exe was shut down never to be seen again.

I formatted the system and all was well, then i plugged one of my flash drives in to install a program i had stored on it and back comes the junkpoly. so i format the flash drive. take the memory out of the PC, remove the cmos battery, leave it all set for awhile, put it all back together, install, everything goes good, avast is not finding anything, i turn on the external drive and install a program i had on it, POOF junkpoly is back. so it looks like i'll be formatting the external, looseing 80+GBs of music. and a complete 70GB backup of some very important stuff, and trying again. hopefully, this is the final round with this junkpoly. if not i will keep you posted.

The Kaspersky Virus Removal Tool found 768 infected files. if that helps anything.

And here is the latest hijack this file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:16 PM, on 2/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1234569226687
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3503 bytes

Stony · « **Reply #3 on:** February 14, 2009, 10:49:17 PM »

well, good news bad news.

I got rid of the junkpoly. (goodnews)

I had to format everything to do it. (badnews)

i was able to save 1 folder out of everything i had. thanfully i was able to save my itunes music folder.

i thank you for your help!

guestolo · « **Reply #4 on:** February 15, 2009, 12:00:47 AM »

You had a nasty infection, you probably went the best route, I'm really curious where you downloaded Daemon tools at
Not that I want you visiting the site again, but ONLY get it from the developers website would be the safest

Just out of curiousity, besides Avast, what other security software do you have installed on your computer?
Would you mind posting the following to ensure everything is up to date
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents

JunkPolyKiller · « **Reply #5 on:** September 13, 2009, 05:37:14 AM »

How I got rid of Junkpoly Win32:JunkPoly [Cryp].

I backed up all my important documents onto a USB stick.

But DO NOT back up any .exe files as they are likely to be infected. As soon as you run these junkpoly will come straight back.

Full format of the hard drive.

Copy files back onto PC after fresh install.

guestolo · « **Reply #6 on:** September 13, 2009, 10:38:55 AM »

As this is an old topic, I'll lock it

TheTechGuide Forum

News:

Author Topic: Infected by win32:junkpoly [cryp] (Read 7391 times)

Stony

Infected by win32:junkpoly [cryp]

guestolo

Infected by win32:junkpoly [cryp]

Stony

Infected by win32:junkpoly [cryp]

Stony

Infected by win32:junkpoly [cryp]

guestolo

Infected by win32:junkpoly [cryp]

JunkPolyKiller

Infected by win32:junkpoly [cryp]

guestolo

Infected by win32:junkpoly [cryp]