TechSpot

AVG finding virus win32 heur

By kinkie_kitty1
May 29, 2008
Topic Status:
Not open for further replies.
  1. Hi, I can't seem to get rid of this win32 heur virus. AVG 8 keeps detecting a threat, first I couldn't turn on my automatic updates, I ran a combofix, and it fixed that problem. but the problem of the 'threat' is still being detected by AVG. it said it was my uniblue spyeraser, so I uninstalled it, which did nothing. Ran virus detector in safe mode- it did nothing. I need help removing this please!
    Copy of Virus Vault

    Resident Shield detection
    Infection;"Object";"Result";"Detection time";"Object Type";"Process"
    Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP411\A0058563.dll";"Moved to Virus Vault";"5/29/2008, 8:19:57 AM";"file";"C:\WINDOWS\System32\svchost.exe"
    Virus found Win32/Heur;"C:\system volume information\_restore{97b25540-b35d-443e-bb0e-ff34b8745f05}\rp406\a0058310.dll";"Moved to Virus Vault";"5/29/2008, 6:34:03 AM";"file";"C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe"
    Potentially harmful program Fake_AntiSpyware.TS;"C:\DOCUME~1\Karen\LOCALS~1\Temp\7zS10.tmp\SpywareRemover\TCL.dll";"Added to PUP exceptions";"5/29/2008, 6:04:59 AM";"file";"C:\WINDOWS\system32\msiexec.exe"
    Potentially harmful program Fake_AntiSpyware.TS;"C:\DOCUME~1\Karen\LOCALS~1\Temp\7zS5.tmp\SpywareRemover\TCL.dll";"Moved to Virus Vault";"5/29/2008, 6:03:08 AM";"file";"C:\WINDOWS\system32\msiexec.exe"
    Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP406\A0058310.dll";"Infected";"5/29/2008, 5:09:09 AM";"file";"C:\WINDOWS\System32\svchost.exe"
    Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP406\A0058310.dll";"Infected";"5/29/2008, 4:15:44 AM";"file";"C:\WINDOWS\System32\svchost.exe"
    Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP406\A0058310.dll";"Infected";"5/29/2008, 3:55:56 AM";"file";"C:\WINDOWS\System32\svchost.exe"
    Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP404\A0058167.dll";"Moved to Virus Vault";"5/29/2008, 1:58:42 AM";"file";"C:\WINDOWS\System32\svchost.exe"
    Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP404\A0058167.dll";"Infected";"5/28/2008, 9:09:48 PM";"file";"C:\WINDOWS\System32\svchost.exe"
    Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP404\A0058166.dll";"Moved to Virus Vault";"5/28/2008, 8:03:30 PM";"file";"C:\WINDOWS\System32\svchost.exe"
    Virus found Win32/Heur;"C:\WINDOWS\system32\fccbCRHw.dll";"Moved to Virus Vault";"5/28/2008, 5:56:47 PM";"file";"C:\WINDOWS\system32\winlogon.exe"
    Virus found Win32/Heur;"C:\WINDOWS\system32\fccbCRHw.dll";"Moved to Virus Vault";"5/28/2008, 5:56:47 PM";"file";"C:\WINDOWS\Explorer.EXE"
    Virus found Win32/Heur;"C:\WINDOWS\system32\fccbCRHw.dll";"Infected";"5/28/2008, 5:25:16 PM";"file";"C:\WINDOWS\system32\winlogon.exe"
    Virus found Win32/Heur;"C:\WINDOWS\system32\fccbCRHw.dll";"Infected";"5/28/2008, 5:24:46 PM";"file";"C:\WINDOWS\system32\winlogon.exe"
    Virus found Win32/Heur;"C:\WINDOWS\SYSTEM32\RGWHWDFT.DLL";"Infected";"5/28/2008, 5:14:40 PM";"file";""
    Virus found Win32/Heur;"C:\WINDOWS\SYSTEM32\RGWHWDFT.DLL";"Infected";"5/28/2008, 5:14:39 PM";"file";""
    Virus found Win32/Heur;"C:\WINDOWS\system32\yayyAPIX.dll";"Infected";"5/28/2008, 4:56:56 PM";"file";"C:\PROGRA~1\MOZILL~1\FIREFOX.EXE"
    Virus found Win32/Heur;"C:\WINDOWS\SYSTEM32\RGWHWDFT.DLL";"Infected";"5/28/2008, 4:56:24 PM";"file";""
    Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP404\A0058167.dll";"Moved to Virus Vault";"5/28/2008, 11:54:18 PM";"file";"C:\WINDOWS\System32\svchost.exe"
    Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP404\A0058167.dll";"Moved to Virus Vault";"5/28/2008, 10:54:18 PM";"file";"C:\WINDOWS\System32\svchost.exe"
    Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP404\A0058167.dll";"Moved to Virus Vault";"5/28/2008, 10:42:18 PM";"file";"C:\WINDOWS\System32\svchost.exe"
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    AVG is getting ridiculous, it detects a number of the tools that we use as malicious. There are bad entries in the above log, but this is one of the downsides to the new AVG -> from their site

    " An "ActiveX Compatibility" registry key is a result of the "Immunize" function included in some anti-spyware programs (e.g.: "Spybot search & destroy", "Spyware blaster",...)

    The key contains the same registry entries as the actual threats, thus preventing them from working correctly. Some anti-spyware programs use this method to prevent launching of the malware. Unfortunately, these parts are still detected by AVG signatures and that is why AVG marks them as infected.

    To assure protection provided by AVG against these threats, it is not possible to remove such signatures from AVG virus bases.
    Because of this, "Immunize" function included in above mentioned softwares is NOT compatible with AVG products."

    -------------------------------------------------------------

    Can you attach your combofix log here.

    Click reply
    Click the arrow next to the paperclip icon above your reply
    Navigate to C:\Combofix.txt and upload it here
  3. kinkie_kitty1

    kinkie_kitty1 TS Rookie Topic Starter

    Combofix txt.

    Attached Files:

  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    I need a Hijackthis log as well, we are probably going to delete a 020

    Highjackthis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
  5. kinkie_kitty1

    kinkie_kitty1 TS Rookie Topic Starter

    Okay. I also ran another virus scan and it found a vundo virus. AVG says it removed and healed it though, so I guess that is okay?

    Attached Files:

  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    1) Malwarebytes' Anti-Malware
    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Close MBAM till later in safe mode

    -------------------------------------------------------------------------------------
    2)Print out or copy and paste into notepad and save it to your desktop to have while in safe mode

    Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {129FA2A1-408C-4824-83A4-5001581FD01E} - (no file)
    O4 - HKLM\..\Run: [LayoutM] KLayMgr.exe
    O20 - Winlogon Notify: fccbCRHw - fccbCRHw.dll (file missing)

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    FileASSASSIN
    • Launch Malwarebytes' Anti-Malware
    • Select the More Tools Tab
    • Under FileASSASSIN select Run Tool
    • Navigate to C:\WINDOWS\system32\KLayMgr.exe
    • Press Open


    Malwarebytes' Anti-Malware
    • Launch MBAM
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. please attach this log with your reply
      • If you accidently close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


    After that, Reboot, and post a new HijackThis log with MBAM log here in a reply
  7. kinkie_kitty1

    kinkie_kitty1 TS Rookie Topic Starter

    Took a while for the scan to complete but I got the results. And removed 4 infections

    I also now don't have any icons in my system tray- except for time, volume and MSN messenger....used to have a few more than that AVG, Calendar, and have a few more processes running, used to run around 40, now I am up to 47.

    And AVG just detected the threat again.

    Attached Files:

  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    When we uninstall combofix that should go back to normal.

    Just to be safe lets run Vundofix then an online scan to see if I am missing anything.


    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please attach the C:\vundofix.txt and a new HiJackThis log.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    ------------------------------------------------------

    Run Kaspersky Online AV Scanner

    Order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply

    ------------------------------

    Attach both logs for me and we can go from there
  9. kinkie_kitty1

    kinkie_kitty1 TS Rookie Topic Starter

    vundo was not found, still trying to update kaspersky though

    Okay, here are my results

    sorry. almost forgot this one

    Attached Files:

  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    The only signs of it are in your restore points and combofix quarantine.

    The kaspersky also showed Nero 8. Which depending how you got that program could just be a false positive or it could infact be infected. So I will list this as an optional removal. To remove it go to add/remove programs and uninstall Nero 8

    Then Delete the following folders:
    C:\Documents and Settings\Karen\My Documents\Karen\Downloads\Nero 8
    C:\Program Files\Nero 8


    ----------------------------------------

    I will post the clean up instructions for you when I get home from work.
  11. kinkie_kitty1

    kinkie_kitty1 TS Rookie Topic Starter

    K. I thought I saw Nero in there as a virus. Its gone now.
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

    --------------------------------------------------------------------

    OTCleanit! by Oldtimer
    • Download OTCleanIt
    • Click the CleanUp! button.
      • It will go thorugh the list and remove all of the tools it finds and then delete itself (requiring a reboot).

    --------------------------------------------------------------------

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
    1. Set correct settings for files
      • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View

        tab.
      • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
      • If unchecked please check Hide protected operating system files (Recommended)
      • If necessary check "Display content of system folders"
      • If necessary Uncheck Hide file extensions for known file types.
      • Click OK

      clear system restore points

      • This is a good time to clear your existing system restore points and establish a new clean restore point:
        • Go to Start > All Programs > Accessories > System Tools > System Restore
        • Select Create a restore point, and Ok it.
        • Next, go to Start > Run and type in cleanmgr
        • Select the More options tab
        • Choose the option to clean up system restore and OK it.
        This will remove all restore points except the new one you just created.

    2. Make your Internet Explorer more secure - This can be done by following these simple

      instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialize and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    3. Use an AntiVirus Software - It is very important that your computer has an anti-virus

      software running on your machine. This alone can save you a lot of trouble with malware in the future.

      See this link for a listing of some online & their stand-alone antivirus programs:

      Virus, Spyware, and Malware Protection and

      Removal Resources


    4. Update your AntiVirus Software - It is imperitive that you update your Antivirus software

      at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to

      catch any of the new variants that may come out.

    5. Use a Firewall - I can not stress how important it is that you use a Firewall on your

      computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this

      and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your

      risk greatly.

      For a tutorial on Firewalls and a listing of some available ones see the link below:

      Understanding and Using Firewalls



    6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit

      http://www.windowsupdate.com regularly. This will ensure your

      computer has always the latest security updates available installed on your computer. If there are new updates to

      install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

    7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with

      its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus

      protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

      A tutorial on installing & using this product can be found here:

      Using Spybot - Search & Destroy to remove

      Spyware , Malware, and Hijackers


    8. Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with

      program on a regular basis just as you would an antivirus software in conjunction with Spybot.

      A tutorial on installing & using this product can be found here:

      Using Ad-aware to remove Spyware, Malware, &

      Hijackers from Your Computer


    9. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into

      your Internet Explorer settings that will protect you from running and downloading known malicious programs.

      A tutorial on installing & using this product can be found here:

      Using SpywareBlaster to protect your computer

      from Spyware and Malware


    10. Update all these programs regularly - Make sure you update all the programs I have listed

      regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
    Follow this list and your potential for being infected again will reduce dramatically.

    here are some additional utilities that will enhance your safety

    • IE/Spyad <=

      IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair

      attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you

      will still be able to connect to the sites.
    • MVPS Hosts file <= The

      MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents

      your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
    • Google Toolbar <= Get the free

      google toolbar to help stop pop up windows.
    • Winpatrol <= Download and install

      the free version of Winpatrol. a tutorial for this product is located here:

      Using Winpatrol to protect your computer from malicious

      software
  13. kinkie_kitty1

    kinkie_kitty1 TS Rookie Topic Starter

    THANK YOU!!!:wave:
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Your very welcome

    BD
  15. lovekeeshonds

    lovekeeshonds TS Rookie

    Magnificent walk-thru.
    I was able to recover a client's computer, which was in total meltdown. It would not even go into safe mode, nor could I boot from the DVD drive. The computer had win32/heur and Vundo. All better! Thanks to both BD for his clear explanations and to KK1, who explained her problem quite intelligently!
    Keltie
  16. calishark

    calishark TS Rookie

    Please Help

    BD, good day.
    I have tried to follow these instructions but my "hijackthis" log file is different as the specified "O4" file is missing. Can you help? I have attached a copy of my hijackthis log file.
  17. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    I can now be found HERE
  18. dellaptop

    dellaptop TS Rookie

    win32 heur threat

    I am using the latest vga 8 and tried to cure win 32 heur virus but without success and attached a log file of hijack utility if some one can get me a help before I start formatting my laptop which I don't want to do it at this stage...

    Thank you
  19. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    It's crazy this thread got almost as many views as some of the stickies
  20. pascaleledumbo

    pascaleledumbo TS Rookie Posts: 25

    Hi!

    I might have the same problem. Should I just run it like your walkthrough or you would need to see my hijacklog too??

    Thanks a lot..I've been goin crazy with 2 of my laptop infected with this virus...
  21. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Yes each infection can come along with its own set of nasties. So you will most likely have different entries to deal with. Run through this 8 step preliminary removal thread and post your logs in a new thread.

    Regards,

    BD
  22. HughMcB

    HughMcB TS Rookie Posts: 16

    Blind Dragon, like many people my computer seems to have picked up this particular virus (Win32 Heur), I've tried following your 8-steps but so far I cannot get the Malwarebytes' Anti-Malware to open and the SUPERAntiSpyware Free Edition says the application has won't update and prompts to check the firewall but I've looked in there and it's not blocking it. Can you help as I'm very stuck right now? Also can you suggest a good firewall as the links to Comodo Firewall Pro ZoneAlarm Free appear to not be working right now? Thank you very much in advance.
  23. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    Hugh,

    Try holding down the windows key and pressing R -> then type cmd -> press enter (if vista go to start -> all programs -> accessories -> right click on command prompt and run as administrator)

    From the command prompt type ipconfig /flushdns

    type exit and press enter

    ============================

    1. Shut down your computer, and any other computer connected to your router.

    2. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds. Unplug the router. Wait sixty seconds. Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.

    3. Connect again to the router. The turn the router back on. When it stabilizes, reboot your workstation and try to aceess the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.

    ===============================

    If you need my help I can now be found HERE
  24. A1955Harley

    A1955Harley TS Rookie

    I started getting the w32/heur messages a couple days ago. I immediately disconnected my computer from the net connection to be sure it did not start broadcasting information.
    The first message was showing two file both exe file with the w32/heur message. I placed them in the virus vault. I reloaded one of the programs, a short time later another program exe showed the same message. A short time after that I got a message showing two files with the vundo virus. I then shut the machine down fire up one of my other computers and started looking for help. I found some information on the vundo virus and did a check for it. It does not appear that it is on the computer. I am running AVG8.5. I need some good direction on what to do next? I have not started the computer since??? Any help would be appreciated.
  25. A1955Harley

    A1955Harley TS Rookie

    I found a web site claiming the w32/heur is the result of a broken registry???
    They had a piece of software that is supposed to fix the problem. Anyone have any ideas on this?
    Here is the web site
    dllnerd.com/dll-2.php?seed=Win32-Heur&gclid=CP7Bwovav5oCFQIWFQodiWiDsg
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.