Win32/cryptexe virus always coming back, even after I deleted them

Status
Not open for further replies.
Dear TechSpot,

I have done everything in your preliminary removal thread, except step 3 (because it won't start on my computer for an unknown reason).

My problem is that AVG keeps finding the Win32/cryptexe virus in the file c:\msets.exe, and in some folder in Windows (I forget which, but the file name is helper.exe). Every time I find those files, I delete them, but soon after I connect to the internet, the files come back (the same file, the same folder).

Also, my AVG Anti-Rootkit found nothing. I'll attach the HijackThis, AVG Anti-Spyware, and ComboFix logs below.

Thank you.
 
Hi hydezt, and welcome to TechSpot =)

Why is your Windows not patched to the latest service pack, SP2?

You may wish to copy and paste these instructions into Notepad for easier reference later.

  1. Boot into safe mode under your normal user name. See how HERE
  2. Next turn on "Show all files and folders, including hidden and system". See how HERE

  3. Go to Start > Run, type services.msc and press the Enter key.
    Search for the following services. Double-click each one and click Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

    Process Startup Items

  4. Open Task Manager by holding Ctrl and Alt and pressing Del. Alternatively, use Ctrl + Shift + Esc. Go to the Processes tab and end the following processes, if found:

    svshost.exe

  5. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O2 - BHO: (no name) - {DB35C569-5624-4CFC-8043-E5139F55A073} - (no file)
    O23 - Service: Process Startup Items - Unknown owner - C:\WINDOWS\system32\svshost.exe

    Close HJT.

  6. Open Notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):
    File::
    C:\WINDOWS\system32\drivers\qyiedlwdvxdm.sys
    C:\WINDOWS\system32\drivers\ojqihxlnwsdh.sys
    C:\WINDOWS\system32\drivers\nlweefonjjlp.sys
    C:\msms32.exe
    C:\msets.exe
    C:\FOUND.005
    C:\FOUND.004
    C:\WINDOWS\system32\setup_56244.exe
    C:\WINDOWS\system32\setup_04727.exe
    C:\WINDOWS\system32\svshost.exe
    C:\WINDOWS\system32\i
    C:\WINDOWS\CDEC45ASIA.ini
    C:\FOUND.003
    C:\WINDOWS\system32\TFTP1240
    C:\FOUND.002
    C:\FOUND.001
    C:\WINDOWS\system32\Trendex.dat
    Folder::
    C:\WINDOWS\sdir
  7. Save this as CFScript on the desktop.
  8. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    CFScript.gif

  9. ComboFix will begin to run; just follow the prompts. After the reboot (if it asks to reboot), it will produce a log for you. Post that log (ComboFix.txt) in your next reply.

    Note: Do not click ComboFix's window while it is running. That may cause your system to hang.

  10. Reboot into normal mode and re-hide your protected OS files.
Thereafter, please post a fresh HJT log from normal mode as well as the ComboFix log from above as attachments to this thread. Do not copy and paste the logs.

Also, I'd like you to check the folder C:\SmartAssitant and tell me what its contents are.


Regards,
momok =)

This thread is for the use of hydezt only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
 
Hi momok, thank you for guiding me.

momok said:
Hi hydezt, and welcome to TechSpot =)

Why is your Windows not patched to the latest service pack, SP2?

Actually, I've downloaded SP2 from Microsoft's website, but when I tried to install it, it said that my licence code is not valid. So it won't start patching my Windows XP. Does having SP1 have something to do with my problem?

About Smart Assistant: it's a calendar tool. I uninstalled it and deleted its folder before I read your reply.

By the way, I looked for the folder "C:\Windows\sdir" and it has disappeared! Wow! Thanks a lot, bro. Also, my internet sent & received bytes are no longer mysteriously increasing like they were a couple of hours ago. You guys are doing great work here helping people.
 
Hi,

The problem is that your HijackThis log does not even show SP1. I am not sure why you receive such an error. Are you using genuine Windows? If you are, then you could try contacting your vendor or Microsoft tech support.

Your logs look clean now.

  1. Delete all files in the AVG Anti-Spyware Quarantine folder (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine).

  2. Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

  3. After that, turn System Restore back on.
    This will create a new, safe and clean restore point for your system.

  4. Often, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend that you read this article.
    This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
momok =)

This thread is for the use of hydezt only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
 
New problem: My laptop is running very slowly; adware suspected

Hi there,
Thank you for the last guide, for my desktop computer. I have another issue now. For the last few months my laptop has been running very slowly, especially at startup and shutdown.

I suspected a spyware or adware problem, because it didn't have any protection (just Windows XP's built-in firewall and AVG Antivirus). (EDIT: but now I've installed AVG Anti-Spyware and all of your tools.)

Below I'll attach the logs. Also, AVG Anti-Rootkit didn't find anything.

Thank you very much.
 
Hi,

  1. Have HijackThis fix these entries:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = infojawa
    O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)

    Close HJT.

  2. Open Notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    File::
    C:\WINDOWS\system32\dllrun32.exe
    C:\WINDOWS\system32\7666AFDAFD.sys
    C:\WINDOWS\system32\dllcache32.exe
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71b350e4-a491-11dc-aa6b-000fb0936874}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71b350e6-a491-11dc-aa6b-000fb0936874}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7344e66e-9e49-11dc-aa61-000fb0936874}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7edd5524-3ac2-11db-a73a-000fb0936874}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{930a02f3-60f2-11dc-a9e3-000fb0936874}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5cba8e0-89cc-11dc-aa4b-000fb0936874}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fbe90ea9-f456-11db-a8e5-000fb0936874}]
  3. Save this as CFScript on the desktop.
  4. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    CFScript.gif

  5. ComboFix will begin to run; just follow the prompts. After the reboot (if it asks to reboot), it will produce a log for you. Post that log (ComboFix.txt) in your next reply.

    Note: Do not click ComboFix's window while it is running. That may cause your system to hang.

Thereafter, please post fresh HJT and AVG Anti-Spyware logs and the resulting ComboFix log from the above instructions as attachments to this thread.


Regards,
momok =)

This thread is for the use of hydezt only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
 
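The CFScript blocks in the two sets of instructions above (steps 6 to 9 of the first momok post and steps 2 to 5 of the second) are plain-text directives that ComboFix carries out as written, so a one-character slip in a path removes the wrong file, and the malicious svshost.exe in this thread is itself only one character away from the legitimate svchost.exe. The following is an added example, not code from the thread and not ComboFix's own code: a Python dry-run parser for the File::, Folder:: and Registry:: sections that lists what a script would remove, refuses a script that targets a known system binary, and reports any entry whose file name is one edit away from such a binary so the helper can confirm it is the lookalike and not the original. The sample script is constructed from entries posted above; the PROTECTED list and the reading of a `[-KEY]` line as "delete this key" (mirroring .reg file syntax) are this example's own assumptions.

```python
"""Dry-run checker for ComboFix CFScript text (added example, not ComboFix's own code)."""
import re
from dataclasses import dataclass, field

# Constructed sample, taken from entries posted in the thread above.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\system32\svshost.exe
C:\msets.exe
Folder::
C:\WINDOWS\sdir
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71b350e4-a491-11dc-aa6b-000fb0936874}]
"""

# Assumed list of legitimate Windows binaries that malware names tend to imitate.
# A script entry that matches one of these exactly is refused; an entry whose file
# name is one edit away from one of these is reported as a lookalike.
PROTECTED = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\explorer.exe",
}

SECTION_RE = re.compile(r"^(\w+)::\s*$")
# Assumption: "[-HKEY_...\key]" deletes the key, mirroring .reg file syntax.
REG_DELETE_RE = re.compile(r"^\[-(HKEY_[A-Z_]+\\.+)\]$")


@dataclass
class Plan:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    registry_deletes: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def parse_cfscript(text):
    """Split a CFScript into the actions it requests, without performing any of them."""
    plan = Plan()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "file":
            plan.files.append(line)
        elif section == "folder":
            plan.folders.append(line)
        elif section == "registry":
            rm = REG_DELETE_RE.match(line)
            if rm:
                plan.registry_deletes.append(rm.group(1))
            else:
                plan.warnings.append(f"unrecognised Registry:: directive: {line}")
        else:
            plan.warnings.append(f"line outside a handled section: {line}")
    return plan


def edit_distance(a, b):
    """Levenshtein distance; inputs are short file names, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_plan(plan):
    """Return (blocked, lookalikes): protected paths the script must not touch, and
    entries whose file name is one edit away from a protected binary's name."""
    blocked, lookalikes = [], []
    protected_names = {p.rsplit("\\", 1)[-1] for p in PROTECTED}
    for path in plan.files:
        low = path.lower()
        if low in PROTECTED:
            blocked.append(path)
            continue
        name = low.rsplit("\\", 1)[-1]
        for pname in protected_names:
            if name != pname and edit_distance(name, pname) == 1:
                lookalikes.append((path, pname))
    return blocked, lookalikes


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    blocked, lookalikes = check_plan(plan)
    for f in plan.files:
        print("delete file   ", f)
    for d in plan.folders:
        print("delete folder ", d)
    for k in plan.registry_deletes:
        print("delete regkey ", k)
    for w in plan.warnings:
        print("WARNING       ", w)
    for path, pname in lookalikes:
        print(f"lookalike: {path} is one edit away from {pname}; confirm it is the impostor before running")
    if blocked:
        raise SystemExit(f"refusing: script targets protected binaries {blocked}")
```

Run it on a CFScript before dropping the file onto ComboFix.exe: a lookalike report is what you expect for this thread's svshost.exe, while a blocked entry means the script names the real system binary and must be corrected first. Sections the checker does not handle are reported as warnings rather than silently ignored.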