TechSpot

AVG finding virus win32 heur

By kinkie_kitty1
May 29, 2008
Topic Status:
Not open for further replies.
  1. Blind Dragon

    Blind Dragon TS Evangelist Posts: 4,048

    That should do it :grinthumb
  2. Susieq07

    Susieq07 TS Rookie

    win32 Heur virus- detected through AVG

    Hello, I feel like I am joining the bandwagon but have similar problems to above. Have loaded HijackThis and attached scan report. Have also downloaded Malwarebytes Anti-Malware but not exactly sure what to do next.
  3. nikoro7

    nikoro7 TS Rookie

    win32/heur!

    hi there, my laptop has been infected with the same damn virus, win32/heur!! AND EVERY DAY avg keeps detecting and removing the threats, only 4 files (the same files every day) and after reboot, i still can find these 4 files again!!! done much but to no avail.. so here is my HJ log (1st one) ....
    please help me!!!
    thx:)

    nik
  4. minglao

    minglao TS Rookie

    infected by win32 heur!

    hello, i can see from the posts that i am in the same situation here too! my pc has been infected with that virus! can somebody please help me??

    thank you very much
  5. Hole9yard

    Hole9yard TS Rookie

    you have to make your own post to get help
  6. Fishman35

    Fishman35 TS Rookie

    I fought this little monster last night. Here is how I beat it.

    I have a friend who called me over for pop-ups and lockups on his Dell Inspiron desktop running Vista Home Premium. I went there with the old standards, HijackThis, CWShredder, MalwareBytes, combofix, vundofix, etc. I thought 30 minutes and I would be out. But this was no script kiddie sissy drop loader, as I would soon find out.

    When I arrived, I saw some of the usual malware suspects, Registry Mechanic, SpyDoctor, etc. I removed them and ran CCleaner to get the simple junk out of the way. Each time IE or FireFox was opened, AVG would find a Win32/Heur with a c:\windows\system32\esqullmbxxxwlmxskyrfxoorreqtpqsqpf.dll as the affected file (this name would vary each time). Doing a search for it in Windows would yield no results with hidden files shown. Running AVG or MalwareBytes in normal mode would hard-lock the system. Running AVG in Safe Mode would not pick anything up, and MalwareBytes detected the same file, but under a different infection name, and would lock up again. So knowing where these two files lived, I went to the Vista RE command prompt, searched for the files in system32, and deleted them. I figured I did not get the loader, so I rebooted and sure enough, the 2 dll files reloaded. I tried to track the file through process tracing, but it was completely stealth.

    This is where it got furry.

    After the 2nd reboot, I received the message at the desktop that “Windows security processor reported a system file mismatch”, reducing Windows functionality to where explorer would not start. I used the “get more information” link for the validation site to restart explorer.exe from the URL line, and left the functionality error up so the system would not reboot. I opened a command prompt and ran the cscript c:\system32\slmgr.vbs /ilc c:\System32\licensing\ppdlic\Security-Licensing-SLC-ppdlic.xrm-ms to force the product key entry to come back at the next reboot. Once rebooted, I entered the Dell provided product key and fixed that problem. Then I pulled out the big guns.
    I ran Rootkit Repeal and Rootkit revealer to track the hidden loader. Rootkit Revealer found no stealth processes, but Rootkit Repeal found the loader under the stealth section. It was hidden in the c:\windows\system32\drivers folder. It had the same esqulbrxxx**** name, but was a .sys file. I went back into RE command prompt, navigated to the directory and got it, along with the 2 dll files it was creating. Rebooted 25 times, ran scans, all clear.

    Basically, the loader and the files it creates can only be seen outside of the Windows environment. Just boot to the Vista DVD, choose repair my computer, click on Command Prompt. Type c: and press <Enter>. Then type cd \windows\system32\drivers and press <Enter>. Now type dir *esqu*.sys and press <Enter>. It will show the loader file by itself. Now type del filename you found and press <Enter>. Now type cd.. and press <Enter>. At the c:\windows\system32 prompt, type dir *esqu*.dll and press <Enter>. Follow the same step above to delete the two dll files you just found that were created by this loader. Reboot and you should be golden.
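    The post above boils down to one defensive idea: the loader and the dlls it drops hide from the running system, but on an offline copy of the volume they stand out because their names are long runs of random letters sharing a common prefix. Below is an added example (my own, not Fishman35's procedure or any AVG tool) that turns that observation into a scripted triage check you would run from a rescue environment against a mounted, read-only copy of Windows\System32. It only lists and groups candidates; it deletes nothing. The file names it creates are sample data built in a temp directory: the one dll name quoted from the thread plus two constructed names in the same style, next to a few well-known benign names, and the length and entropy thresholds are my own assumptions, not something the thread specifies.

```python
"""Offline triage helper for the randomly named .sys/.dll pattern described in the thread.

Added example (not the poster's own tool). Assumes the infected volume is mounted
read-only (rescue DVD or another machine) and that you pass its Windows\\System32
directory. Thresholds and the sample tree are constructed for illustration.
"""
import math
import tempfile
from collections import Counter, defaultdict
from pathlib import Path


def name_entropy(stem: str) -> float:
    """Shannon entropy (bits per character) of a filename stem."""
    if not stem:
        return 0.0
    counts = Counter(stem.lower())
    total = len(stem)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def looks_random(stem: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """Heuristic (assumed thresholds): long, letters-only stems with high entropy
    are unlike vendor-chosen names such as kernel32 or tcpip."""
    return len(stem) >= min_len and stem.isalpha() and name_entropy(stem) >= min_entropy


def find_suspect_files(system32):
    """Return relative POSIX-style paths of *.sys in drivers/ and *.dll in System32
    whose stems look random. Read-only: nothing is modified."""
    system32 = Path(system32)
    candidates = list((system32 / "drivers").glob("*.sys")) + list(system32.glob("*.dll"))
    return sorted(
        p.relative_to(system32).as_posix() for p in candidates if looks_random(p.stem)
    )


def group_by_prefix(relpaths, prefix_len=4):
    """Group suspects whose stems share a leading prefix; in the thread the .sys
    loader and the .dll files it created all started with 'esqu'."""
    groups = defaultdict(list)
    for rel in relpaths:
        groups[Path(rel).stem[:prefix_len].lower()].append(rel)
    return dict(groups)


def build_sample_tree(root):
    """Constructed stand-in for an offline System32 (sample data, not a real system)."""
    root = Path(root)
    drivers = root / "drivers"
    drivers.mkdir(parents=True, exist_ok=True)
    for name in ("kernel32.dll", "user32.dll", "ntdll.dll"):
        (root / name).write_bytes(b"benign placeholder")
    for name in ("ntfs.sys", "tcpip.sys"):
        (drivers / name).write_bytes(b"benign placeholder")
    # First name is quoted from the thread; the other two are constructed in the same style.
    (root / "esqullmbxxxwlmxskyrfxoorreqtpqsqpf.dll").write_bytes(b"sample")
    (root / "esqulzmkpwtbyvhrngxcdfaoj.dll").write_bytes(b"sample")
    (drivers / "esqulbrxaktyvmnwzhdgcjfpoi.sys").write_bytes(b"sample")
    return root


def demo():
    """Build the sample tree, scan it, and return suspects grouped by prefix."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = build_sample_tree(Path(tmp) / "Windows" / "System32")
        return group_by_prefix(find_suspect_files(sys32))


if __name__ == "__main__":
    for prefix, files in demo().items():
        print(prefix, files)
```

Against a real mounted volume you would call `find_suspect_files(r"X:\Windows\System32")` and review the grouped output by hand before touching anything; a driver and several dlls sharing one random prefix is the pairing the post describes, and that is the set to hand to a proper scanner rather than a blanket deletion rule.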
  7. hpum

    hpum TS Rookie

    AVG detected Trojans yesterday and today Viruses or both

    :dead: The day before yesterday and yesterday my AVG 8.5 resident shield kept detecting the Trojan Horse Vundu.JB, then today multiple detections of Virus win32/Heur and Virus win32/Virut.

    I want to do the 8 steps described and recommended for virus removal but I cannot update my AVG 8.5 and the anti-virus itself seems to be not responding and even crashing to desktop.

    Kindly guide me through the steps.

    I'm connected to a domain server.

    Thank you