After using MBAM to get the ThinkPoint virus off, Avast keeps popping up with the said Win32 virus. I've run MBAM 3x and it still pops up. I've attached my logs. Thanks in advance. I know very little about dealing with this stuff.
Your Malwarebytes log says “NO ACTION TAKEN”?
Did you click the REMOVE SELECTED button after the scan to quarantine the infections?
If not, update MBAM, scan again, and when finished click the REMOVE SELECTED button.
Post the new log… is your problem gone?
if you still have problems try running these
download and save to desktop, and run from there
they are not installed so when done you just drag the programs to the recycle bin
Dr.Web CureIt http://www.freedrweb.com/cureit/?lng=en
How Do I Use Dr.Web CureIt!? http://www.freedrweb.com/cureit/how_it_works/?lng=en
Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en
Sorry, I think I just posted the wrong one. Here's the one from this morning. Seems like each time there are more and more viruses popping up. So again no fix yet. I'm getting a lot of iexplorer.exe viruses.
Essexboy has been notified; he usually enters the forum late UK time.
Unfortunately your main OTL log was in Unicode and not ANSI. Could you re-run it and ensure that the coding is correct?
Meanwhile
Go to start > All Programs > Accessories
Right Click Command Prompt and select run as administrator
When the prompt opens type the following bolded text and press enter
sfc /scannow (Note: There is a space between sfc and /scannow)
On completion reboot
I'm so sorry about that. I should've read into what I needed to do more clearly! I'll do that right now and repost.
OK my first go at one of these - I may need to remove one element using a registry fix, but let's see if the latest OTL mod gets it ;D The fix is large so I have attached it at the end as a text file
Run OTL
[*]Download the attached fix.txt to your desktop
[*]Click the Run Fix button at the top
[*]A dialogue box will pop up asking for the location - select the file on your desktop
[*]Click run fix again
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Please read carefully and follow these steps.
[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png
[*]If an infected file is detected, the default action will be Cure, click on Continue.
http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png
[*]If a suspicious file is detected, the default action will be Skip, click on Continue.
http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png
[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.
http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png
[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.
Glad I could provide you with some new stuff ;D. Thank you so much for your help. I'm starting to do all this right now! I'll repost ASAP.
Aye this has a long and complex run key, specifically designed to foil malware cleaners. If OTL fails I will have to rebuild the complete run key to get rid of it ;D
I am off to bed now- will look in in the morning
OK, I tried running that fix.txt and it froze my CPU. Should I run OTL with the fix file again? I attached the log I found from the OTL file! And here's the TDSS log.
The otl1.txt file I attached here is from the rerun of OTL after it froze.
I also sent you a SUPERAntiSpyware log. Sorry if it's overkill.
The freeze was a buffer overrun caused by trying to delete the run key (as designed by the malware makers)
SAS got lots of cookies and the files I had already quarantined ;D
So let's rebuild the run key
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:Reg
[-HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
"DivXUpdate"="C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe"
"DVDAgent"="c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
"HP Health Check Scheduler"="c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe"
"hpsysdrv"="c:\hp\support\hpsysdrv.exe"
"KBD"="C:\Program Files (x86)\Hewlett-Packard\KBD\KbdStub.exe"
"TSMAgent"="c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe"
[-HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SansaDispatch"="C:\Users\Rick\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe"
"SpybotSD TeaTimer"="C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe"
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
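As an added illustration, not part of the original post and not OTL's own code: the sketch below parses the :Reg syntax exactly as it appears in the fix above and lists which values from a pre-fix export of the Run key the rebuild would not write back, so a missed legitimate entry is visible before the key is wiped. The snapshot dictionary and the two Example entries are constructed, and the function names are hypothetical.

```python
import re

KEY_LINE = re.compile(r'^\[(-?)(HK[^\]]+)\]$')
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg_block(script):
    """Parse the :Reg section; return ({key: {name: data}}, [deleted keys])."""
    rebuilt, deleted, current, in_reg = {}, [], None, False
    for line in (raw.strip() for raw in script.splitlines()):
        if line.startswith(":"):          # directive such as :Reg, :Files
            in_reg, current = line.lower() == ":reg", None
        elif not in_reg or not line:
            continue
        elif (m := KEY_LINE.match(line)):
            if m.group(1):                # [-KEY] deletes the whole key
                deleted.append(m.group(2).lower())
                current = None
            else:                         # [KEY] starts the rebuilt value list
                current = rebuilt.setdefault(m.group(2).lower(), {})
        elif (m := VALUE_LINE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return rebuilt, deleted

def dropped_entries(before, rebuilt, deleted):
    """Values present before the fix that the rebuild will not write back."""
    dropped = {}
    for key in deleted:
        kept = {name.lower() for name in rebuilt.get(key, {})}
        gone = {n: d for n, d in before.get(key, {}).items() if n.lower() not in kept}
        if gone:
            dropped[key] = gone
    return dropped

# Constructed sample: two entries from the post's fix, plus a made-up snapshot.
FIX = r'''
:Reg
[-HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
"hpsysdrv"="c:\hp\support\hpsysdrv.exe"
:Files
ipconfig /flushdns /c
'''
RUN = r"hklm\software\microsoft\windows\currentversion\run"
BEFORE = {RUN: {                          # hypothetical pre-fix export
    "avast!": r"C:\Program Files\Alwil Software\Avast4\ashDisp.exe",
    "HPSYSDRV": r"c:\hp\support\hpsysdrv.exe",
    "ExampleVendorTool": r"C:\Program Files\Example\tool.exe",
    "ExampleUnknown": r"C:\Users\Example\AppData\Local\example.dll"}}

if __name__ == "__main__":
    for key, values in dropped_entries(BEFORE, *parse_reg_block(FIX)).items():
        for name, data in values.items():
            print(f"not restored: {key} -> {name} = {data}")
```

Key and value names are compared case-insensitively because the registry treats them that way; every value reported here needs a decision (malicious, or a legitimate startup entry to add back) before the fix is run.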
Here you go good sir!
Now that looks better - what are your current problems ?
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
[2010/11/17 19:37:26 | 000,000,518 | ---- | M] () -- C:\Users\Rick\AppData\Local\uyoveler.dll
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
THEN
Please download Malwarebytes’ Anti-Malware from Here.
Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
All the trojan pop-ups have stopped. The only thing wrong is a message I get from HP Photosmart Essential saying it can't find necessary files. Essexboy, thank you so very much for all of your help. You truly saved my ARSE. Here's the MBAM file I got after the scan.
Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org
Database version: 5157
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975
11/20/2010 2:06:25 PM
mbam-log-2010-11-20 (14-06-25).txt
Scan type: Quick scan
Objects scanned: 150004
Time elapsed: 4 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
What file is it looking for - as the rewrite of your run keys may have missed an extra command that was not visible
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems
Now the best part of the day ----- Your log now appears clean
A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep
We will now confirm that your hidden files are set to that, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.
SPRING CLEAN
To manually create a new Restore Point
[*]Go to Control Panel and select System and Maintenance
[*]Select System
[*]On the left select Advanced System Settings and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create
Now we can purge the infected ones
[*]Go back to the System and Maintenance page
[*]Select Performance Information and Tools
[*]On the left select Open Disk Cleanup
[*]Select Files from all users and accept the warning if you get one
[*]In the drop down box select your main drive i.e. C
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete
You are now done
Download and run Puran Disc Defragmenter
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.
Malwarebytes. Run weekly to keep your system clean
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.
To keep your operating system up to date visit
[*]Microsoft Windows Update
To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe
Again, thank you so much for your help! One question: I'm using the free edition of Avast, any recommendations of what I should buy?
I use the AIS and find it excellent, no problems on windows 7 64bit - there is a good deal on at the moment I believe.