Resolved HJT Threads - Resolved spyware and popup issues.
#1 (permalink)
Registered User
Join Date: Oct 2009
Posts: 6
OS: Windows XP
Can you please check my computer's logs?
Hi! I'm having some problems with my computer. I got infected with the Win32/Heur virus and Trojan Horse Crypt.FQT a couple of days ago. After going through several tips suggested by users who were previously infected by the same malware, I did another scan using my anti-virus and anti-malware to check if there were still any problems. All the results came back negative for the first three days or so. However, my computer's still acting a bit weird, so I suspected that there might still be something wrong. I ran an AV scan, and true enough, the same folders that contained the malware were back again. Earlier today I scanned my computer and manually deleted the files. Now, the infected folders are nowhere to be found again, but there's probably a good chance that they're still out there.
I want to provide a log of the scans that showed the infections found, but I've run so many scans since then that I think the previous ones have been overridden until the only logs left were the ones that didn't detect anything. If it helps, I found the malware in question in C:\Documents and Settings\Tomoe Yukishiro\Local Settings\temp. The folder was named E_N4. I found two other ones in C:\WINDOWS\system32, one named B5E4BA and the other named after a combination of letters and numbers I can no longer remember. I have scanned my computer and tried to remove the infections using AVG, Spybot, SAS, and MBAM, but although they were supposedly able to delete/remove the infections, they just came back after some time. I've run the scans in both normal and safe mode a couple of times, but with the same results. I used Unlocker to manually delete the infected files, but still the same results, although doing it manually seems to be more effective as the infections 'disappear' for a while, as opposed to when I just click on the 'remove infections' button, wherein the infected files would pop up right after I rebooted my computer. I have no access to a Windows install disc as I only purchased my computer second hand from a former acquaintance and I can no longer remember if he gave me one.
By the way, here's the DDS log:

DDS (Ver_09-10-26.01) - NTFSx86
Run by Tomoe Yukishiro at 13:23:46.46 on Fri 11/06/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.759.214 [GMT -8:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Documents and Settings\Tomoe Yukishiro\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uSearch Page =
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yie8
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
mSearchAssistant =
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [C7989A] c:\windows\system32\96992e\C7989A.EXE
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\tomoey~1\startm~1\programs\startup\c7989a.lnk - c:\windows\system32\96992e\C7989A.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Bejeweled%202/Images/stg_drm.ocx
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1225720903125
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1230991486796
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\text twist\images\armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\tomoey~1\applic~1\mozilla\firefox\profiles\08wost1e.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-4 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-12-4 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-10-12 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 74480]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 7408]

=============== Created Last 30 ================

2009-10-24 15:08:37 0 d-----w- c:\program files\Trend Micro
2009-10-24 12:59:08 0 dc-h--w- C:\$AVG8.VAULT$
2009-10-23 20:24:16 0 d-----w- c:\windows\system32\wbem\Repository
2009-10-23 18:50:56 0 dc----w- C:\cmdcons
2009-10-23 06:39:22 0 d-----w- c:\docume~1\tomoey~1\applic~1\Malwarebytes
2009-10-23 06:39:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-22 11:41:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-22 11:41:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-22 11:41:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-22 11:32:02 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-10-22 11:31:54 0 d-----w- c:\program files\SUPERAntiSpyware
2009-10-22 11:31:54 0 d-----w- c:\docume~1\tomoey~1\applic~1\SUPERAntiSpyware.com
2009-10-22 11:31:24 0 d-----w- c:\program files\common files\Wise Installation Wizard
2009-10-22 11 12 0 d-----w- c:\program files\CCleaner
2009-10-20 12:01:02 0 d--h--w- c:\windows\system32\8DD480
2009-10-20 12:01:02 0 d--h--w- c:\windows\system32\6598FC

==================== Find3M ====================

2009-09-11 14:33:52 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 19:34:38 116839 ----a-w- c:\windows\hpqins00.dat
2009-08-31 12:37:32 157399 ----a-w- c:\windows\hpoins28.dat
2009-08-29 08:08:21 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-15 07:09:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2004-06-01 07:03:19 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-02-25 05:40:33 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022420090225\index.dat

============= FINISH: 13:25:01.45 ===============
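As an added illustration (not part of the original thread and not the DDS tool's own code), the following Python script applies one triage heuristic an analyst would use when reading a log like the one above: it flags autostart entries whose executable sits under a path component that is nothing but a short hex string, and recently created directories in system32 with such names, the hidden ones in particular. The sample input is an excerpt taken verbatim from the log posted above; the regexes, the function names and the "6 to 8 hex digits" rule are this example's own assumptions, not guarantees about the DDS output format.

```python
import re

# Excerpt of the DDS log posted in this thread (autostart entries from the
# "Pseudo HJT Report" and directories from "Created Last 30"), used here as
# sample input. The lines were copied from the post; nothing is invented.
DDS_EXCERPT = r"""
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [C7989A] c:\windows\system32\96992e\C7989A.EXE
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\tomoey~1\startm~1\programs\startup\c7989a.lnk - c:\windows\system32\96992e\C7989A.EXE
2009-10-23 20:24:16 0 d-----w- c:\windows\system32\wbem\Repository
2009-10-20 12:01:02 0 d--h--w- c:\windows\system32\8DD480
2009-10-20 12:01:02 0 d--h--w- c:\windows\system32\6598FC
2009-10-22 11:31:54 0 d-----w- c:\program files\SUPERAntiSpyware
"""

# Line shapes assumed for this example (they match the excerpt above).
AUTOSTART_RE = re.compile(r"^(uRun|mRun|dRun|StartupFolder):\s*(?:\[[^\]]*\]\s*)?(.*)$")
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+\d+\s+([a-z-]{8})\s+(.*)$")
EXE_RE = re.compile(r'"?([a-z]:\\[^"]*?\.exe)', re.IGNORECASE)
# Heuristic: 6 to 8 hex digits and nothing else. 96992e, C7989A, 8DD480 and
# 6598FC match; ctfmon, wbem and winampa do not.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,8}$", re.IGNORECASE)


def hex_components(path):
    """Return the path components (directory names or file stems) that are bare hex strings."""
    found = []
    for part in path.replace("/", "\\").split("\\"):
        stem = part.rsplit(".", 1)[0] if "." in part else part
        if HEX_NAME_RE.match(stem):
            found.append(part)
    return found


def autostart_target(rest):
    """Pull the executable out of an autostart value ('x.lnk - target' or '"path" args')."""
    if " - " in rest:
        rest = rest.split(" - ", 1)[1]
    m = EXE_RE.search(rest)
    return m.group(1) if m else rest.strip().strip('"').split(" ")[0]


def triage(log_text):
    """Scan DDS-style lines and return (kind, who/when, path, detail) tuples worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = AUTOSTART_RE.match(line)
        if m:
            target = autostart_target(m.group(2))
            hexparts = hex_components(target)
            if hexparts:
                findings.append(("autostart", m.group(1), target, ", ".join(hexparts)))
            continue
        m = CREATED_RE.match(line)
        if m:
            when, attrs, path = m.groups()
            is_dir, hidden = attrs[0] == "d", "h" in attrs
            name = path.rsplit("\\", 1)[-1]
            in_system32 = "\\system32\\" in path.lower()
            if is_dir and HEX_NAME_RE.match(name) and (hidden or in_system32):
                findings.append(("created", when, path, "hidden" if hidden else "visible"))
    return findings


if __name__ == "__main__":
    for finding in triage(DDS_EXCERPT):
        print(" | ".join(finding))
```

On the excerpt this yields four findings: the mRun entry and the Startup-folder shortcut that both launch C7989A.EXE from the hex-named directory 96992e, and the two hidden hex-named directories created in system32 on the same second. The hex-name rule is only a pointer for an analyst, not a verdict: legitimate installers occasionally use hex or GUID-like directory names, so each hit still needs to be checked against what is known to be installed.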
#2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,593
OS: 2000 Pro; XP Pro; XP Home
Re: Can you please check my computer's logs?
Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.
Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix: http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. You can get help on disabling your protection programs here

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Practice Safe Surfing Because what you don't know, CAN hurt you. Microsoft MVP - Consumer Security 2009
#3 (permalink)
Registered User
Join Date: Oct 2009
Posts: 6
OS: Windows XP
Re: Can you please check my computer's logs?
Thank you for responding to my question. I'm afraid I might encounter a problem with combofix though. I went through similar steps in your malware removal process before and got to the part where I have to download and run combofix. I was able to download it just fine, but it downloaded the microsoft recovery tool with it as well. I guess that might be important in backing up my files, but my problem is the microsoft recovery program asked me to activate my copy of windows by entering the serial key. I purchased this computer second hand from a former acquaintance and although I guess he must've had it before, he didn't mention anything about a serial key. The error message also told me that the serial key associated with my pc has already been used a couple of times in the past, even before I entered any digit. There was a link for activating the copy of windows online so I tried to go to the site to see if there's a way to get a serial key, but my computer just went blank and everything disappeared until all that was left was a blue screen and a prompt asking me to activate my copy, but I can no longer find any option on how to do it (sorry if I must've missed or confused some details for something else; it happened a week or two ago and I can't remember much anymore). All it allows me to do is to log in and log out, which doesn't do much. I found a way to restore my computer back to how it was, but now I'm worried that I might run into the same problem if I tried to run combofix, and I might not be able to use my computer at all this time should it keep me from accessing my pc until I've provided the serial key. I don't mean to sound impudent or something, but is there any other option that I could try, or is it possible to run combofix without downloading the microsoft recovery tool?
Last edited by Marishel; 11-09-2009 at 03:03 AM. |
#4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,593
OS: 2000 Pro; XP Pro; XP Home
Re: Can you please check my computer's logs?
I'm not sure what method you used, but I've run this tool thousands of times and never encountered such a thing. ComboFix downloads and installs the Recovery Console as part of its routine.
However, if this is not a legal version of Windows, my help must stop here.
#5 (permalink)
Registered User
Join Date: Oct 2009
Posts: 6
OS: Windows XP
Re: Can you please check my computer's logs?
I see. As far as I know, the copy is a legal version. My only problem is I'm not sure how to get the serial key and if I can still use it if I did manage to locate it. I'll try it again though and see if I can get through it this time.
I pressed the last known good configuration settings and enabled system restore which I previously disabled while trying to remove the malware.
#6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,593
OS: 2000 Pro; XP Pro; XP Home
Re: Can you please check my computer's logs?
Let me know the current state of the machine.
Contrary to old knowledge still being passed out across the internet, disabling System Restore before performing any malware removal is a bad idea. A potentially "dirty" restore point as a fallback position is better than none at all.
#7 (permalink)
Registered User
Join Date: Oct 2009
Posts: 6
OS: Windows XP
Re: Can you please check my computer's logs?
The same thing happened. It got blocked and I was only able to use the computer in safe mode. I remembered something while tinkering with my computer though. My computer got infected with a virus a couple of months after I bought it (about two years ago) so I brought it to a computer shop to have it fixed. They reformatted my pc and asked me if I had the cd/installer. Since I said no, I guess they just installed an unlicensed copy of windows on my machine.
Sorry to have realized it this late. It must have caused you unnecessary trouble but thanks for taking the time to assist me. I'll try to check the mall for a licensed copy of windows now.
#8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,593
OS: 2000 Pro; XP Pro; XP Home
Re: Can you please check my computer's logs?
Hi -
As you may have been a victim of software piracy, there is a direct number you can call before you head to the mall. It may save you some bucks, it may not. I believe you're in the Philippines? The direct number there is 632 860 8989. If you're in the US, 866 530 6599.