TechSpot

AVG finds win32/heur virus

By milkcreamsugar
Dec 10, 2009
  1. Hi there. I just got hit with this random virus. It might be the reason why my computer is becoming laggy all of a sudden.

    AVG detected it in this location: C:\System Volume Information\_restore{FE322AB9-9A2C-46E3-8346-A6A45CA114CF}\RP316A0081383.dll

    Any help to remove it would be appreciated. Thank you.


     
  2. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

  3. milkcreamsugar

    milkcreamsugar TS Rookie Topic Starter

    Man, that was lengthy... and only the preliminary... lol

    Let's see how it is now...
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    This one is much quicker ;)

    Combofix:
    • Download Combofix to your desktop.
    • Disable your Antivirus (as Combofix will remove any malware it finds)
    • Double click ComboFix & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here
    Also restart and then provide a fresh HJT Scan log
     
  5. milkcreamsugar

    milkcreamsugar TS Rookie Topic Starter

    :) not as bad as i thought. :D
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    I'm not sure what's going on with Shockwave, but this entry is not normal:

    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/5.0_(Windows;_U;_Windows_NT_5.1;_en-US;_rv:1.9.0.15)_Gecko/2009101601_Firefox/3.0.15" -"http://online.gamesgames.com/gameshell/app/gameshell.aspx?carrier=-1&channel=110445270&code=115050913&device=-1&lc=en&origin=pgame_ol_u&refid=&room=44103aea-582a-402b-bdd9-e353d8655cf1&ui=yWX74kGdpFOjzliwrzvefZdSwUU%3D&un=DA%3DYgjCbPcgRr9EH6OxLNOtbH94pvMdtF+dwR25zozvYJPtlxTbVosGYJjpWuLtWIKaDndLOQ0SksllC4rTYl9jgA%3D%3D%26SD%3DOHaczY+CKzkRs3XckYrmoXesS/RByfVg8eqQ8J0A7z9YJrUDzKODayeDaup6YFlp%26LT%3D1%26CL%3DU%26TO%3D1260188798%26A%3DfVRM5UnkarUBeJycSZ3Yb5KlPK8%3D%26SA%3DfVRM5UnkarUBeJycSZ3Yb5KlPK8%3D&ux=691188431"

    This is the third similar entry in the logs I've seen in 2 days. With a Win32/Heur find by AVG, it might be a good idea to check for Virut:

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    Also scan these,

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe


    I'd like to see that log when finished.
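As an added defender-side example (not code from this thread or from the HijackThis project), the following Python parses an O4 autostart line like the one quoted above into its registry hive and key, executable path and argument URL, and flags the traits that made this entry stand out. The sample lines are constructed from the two entries in the thread, with the long query string shortened.

```python
import re
from urllib.parse import urlparse

# Constructed samples modelled on the two O4 entries quoted in this thread;
# the first one's query string is truncated here for readability.
GAMES_O4 = (r'O4 - HKCU\..\RunOnce: [Shockwave Updater] '
            r'C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150596.exe '
            r'-Update -1150596 '
            r'-"Mozilla/5.0_(Windows;_U;_Windows_NT_5.1;_en-US;_rv:1.9.0.15)_Gecko/2009101601_Firefox/3.0.15" '
            r'-"http://online.gamesgames.com/gameshell/app/gameshell.aspx?carrier=-1&channel=110445270"')
ADOBE_O4 = (r'O4 - HKCU\..\RunOnce: [Shockwave Updater] '
            r'C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150596.exe '
            r'-Update -1150596 '
            r'-"Mozilla/5.0_(Windows;_U;_Windows_NT_5.1;_en-US;_rv:1.9.1.5)_Gecko/20091102_Firefox/3.5.5" '
            r'-"http://www.adobe.com/shockwave/welcome/"')

# HijackThis O4 layout: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# The command line is "<path ending in .exe><arguments>"; first .exe wins.
EXE_RE = re.compile(r'^(?P<exe>.+?\.exe)(?P<rest>.*)$', re.IGNORECASE)
URL_RE = re.compile(r'https?://[^"\s]+')


def parse_o4(line):
    """Parse one HijackThis O4 line into its parts plus triage flags; None if not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group('cmd')
    e = EXE_RE.match(cmd)
    exe = e.group('exe') if e else cmd
    rest = e.group('rest') if e else ''
    urls = URL_RE.findall(rest)
    hosts = [urlparse(u).hostname for u in urls]
    flags = []
    if m.group('key').lower() == 'runonce':
        flags.append('runonce-key')                 # one-shot autostart, used by installers and droppers alike
    if urls:
        flags.append('url-argument')                # the updater is told on its command line where to fetch from
    if re.search(r'\\system32\\[^\\]+\\', exe, re.IGNORECASE):
        flags.append('exe-in-system32-subfolder')   # vendor binary living under system32 instead of Program Files
    if len(cmd) > 300:
        flags.append('long-command-line')           # the entry quoted in the thread is far longer than this
    return {'hive': m.group('hive'), 'key': m.group('key'), 'name': m.group('name'),
            'exe': exe, 'args': rest.strip(), 'url_hosts': hosts, 'flags': flags}


def flagged_o4(lines):
    """Run over a pasted HijackThis log and keep only the O4 entries that raised a flag."""
    out = []
    for line in lines:
        r = parse_o4(line)
        if r and r['flags']:
            out.append(r)
    return out


if __name__ == '__main__':
    for entry in flagged_o4([GAMES_O4, ADOBE_O4, 'O1 - Hosts: 127.0.0.1 localhost']):
        print(entry['hive'], entry['key'], entry['name'], entry['url_hosts'], entry['flags'])
```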
     
  7. milkcreamsugar

    milkcreamsugar TS Rookie Topic Starter

    VirSCAN.org Scanned Report :
    Scanned time : 2009/12/11 14:56:23 (CST)
    Scanner results: Scanners did not find malware!
    File Name : userinit.exe
    File Size : 26112 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : a93aee1928a9d7ce3e16d24ec7380f89
    SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
    Online report : http://virscan.org/report/3317abd7493200231f83844d327081c7.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20091211200223 2009-12-11 4.06 -
    AhnLab V3 2009.12.12.00 2009.12.12 2009-12-12 0.96 -
    AntiVir 8.2.1.108 7.10.1.219 2009-12-11 0.41 -
    Antiy 2.0.18 20091211.3462203 2009-12-11 0.12 -
    Arcavir 2009 200912111220 2009-12-11 0.03 -
    Authentium 5.1.1 200912111758 2009-12-11 1.23 -
    AVAST! 4.7.4 091211-0 2009-12-11 0.01 -
    AVG 8.5.288 270.14.103/2558 2009-12-11 0.31 -
    BitDefender 7.81008.4716284 7.29403 2009-12-12 4.21 -
    CA (VET) 35.1.0 7169 2009-12-10 7.85 -
    ClamAV 0.95.2 10151 2009-12-11 0.01 -
    Comodo 3.13 3208 2009-12-11 0.93 -
    CP Secure 1.3.0.5 2009.12.12 2009-12-12 0.04 -
    Dr.Web 4.44.0.9170 2009.12.11 2009-12-11 7.63 -
    F-Prot 4.4.4.56 20091211 2009-12-11 1.22 -
    F-Secure 7.02.73807 2009.12.11.15 2009-12-11 0.14 -
    Fortinet 11.256- 11.256 2009-12-11 0.20 -
    GData 19.9255/19.619 20091211 2009-12-11 6.02 -
    ViRobot 20091211 2009.12.11 2009-12-11 0.42 -
    Ikarus T3.1.01.74 2009.12.11.74741 2009-12-11 4.19 -
    JiangMin 13.0.900 2009.12.11 2009-12-11 4.29 -
    Kaspersky 5.5.10 2009.12.11 2009-12-11 0.11 -
    KingSoft 2009.2.5.15 2009.12.11.20 2009-12-11 0.54 -
    McAfee 5.3.00 5829 2009-12-11 3.31 -
    Microsoft 1.5302 2009.12.11 2009-12-11 6.32 -
    Norman 6.01.09 6.01.00 2009-12-11 4.01 -
    Panda 9.05.01 2009.12.11 2009-12-11 1.94 -
    Trend Micro 9.000-1003 6.686.04 2009-12-12 0.03 -
    Quick Heal 10.00 2009.12.11 2009-12-11 1.25 -
    Rising 20.0 22.25.04.07 2009-12-11 0.98 -
    Sophos 3.02.0 4.48 2009-12-12 2.77 -
    Sunbelt 3.9.2386.2 5556 2009-12-11 1.98 -
    Symantec 1.3.0.24 20091211.002 2009-12-11 0.05 -
    nProtect 20091210.02 6560411 2009-12-10 3.86 -
    The Hacker 6.5.0.2 v00091 2009-12-11 0.79 -
    VBA32 3.12.12.0 20091210.1626 2009-12-10 2.32 -
    VirusBuster 4.5.11.10 10.116.2/2012053 2009-12-11 2.37 -
     
  8. milkcreamsugar

    milkcreamsugar TS Rookie Topic Starter

    I can't seem to copy the logs into these replies...? Too large?

    However, all the file paths I scanned say there is no malware detected.


    Is there anything else I need to complete? Is the virus gone?
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    No, this does not mean the virus is gone. It was checking for something very specific. Can you give me the rest of the virus log from above for the other processes:
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe

    -------------------------
    Then do this:
    Flash player is known for leaving behind old insecure files. It is better to clean out the entire entry, uninstall, then reinstall:

    • Download the Flash Player Uninstaller and save it to your desktop.
      Choose the Flash Player Uninstaller for your browser: http://www.adobe.com/shockwave/download/alternates/ Don't run yet.

    • Please reopen HijackThis to 'do system scan only'. Check the following processes if found:

      O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/5.0_(Windows;_U;_Windows_NT_5.1;_en-US;_rv:1.9.0.15)_Gecko/2009101601_Firefox/3.0.15" -"http://online.gamesgames.com/gameshell/app/gameshell.aspx?carrier=-1&channel=110445270&code=115050913&device=-1&lc=en&origin=pgame_ol_u&refid=&room=44103aea-582a-402b-bdd9-e353d8655cf1&ui=yWX74kGdpFOjzliwrzvefZdSwUU%3D&un=DA%3DYgjCbPcgRr9EH6OxLNOtbH94pvMdtF+dwR25zozvYJPtlxTbVosGYJjpWuLtWIKaDndLOQ0SksllC4rTYl9jgA%3D%3D%26SD%3DOHaczY+CKzkRs3XckYrmoXesS/RByfVg8eqQ8J0A7z9YJrUDzKODayeDaup6YFlp%26LT%3D1%26CL%3DU%26TO%3D1260188798%26A%3DfVRM5UnkarUBeJycSZ3Yb5KlPK8%3D%26SA%3DfVRM5UnkarUBeJycSZ3Yb5KlPK8%3D&ux=691188431"


    • Close all Windows except HijackThis and click "Fix Checked."

    • Boot into Safe Mode
      [o] Restart your computer and start pressing the F8 key on your keyboard.
      [o] Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    • Double-click the Flash Player Uninstaller setup on the desktop and run the uninstaller program.
    • Reboot your computer to complete the uninstall.

    • Download latest version of Flash Player HERE and save to the desktop.
    • Double click the setup and run to install. Reboot when through.
    • Once the new version is installed, follow the directions to disable the auto-updater.
      [1] Navigate to the Shockwave Welcome page: http://www.adobe.com/shockwave/welcome/
      Note: The context menu can be accessed from any Shockwave movie if the context menu has been enabled by the author, but this URL was provided to simplify the process.
      [2] Windows: Right click the Shockwave movie.
      [3] From the drop down menu choose "Properties".
      [4] Uncheck the box next to "Automatic Update Service" to disable the auto update feature.
    Then run online AV scanner:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Follow with new scan from HijackThis.

    Attach logs for the Eset scanner and new HJT.
     
  10. milkcreamsugar

    milkcreamsugar TS Rookie Topic Starter

    VirSCAN.org Scanned Report :
    Scanned time : 2009/12/12 10:09:56 (CST)
    Scanner results: Scanners did not find malware!
    File Name : svchost.exe
    File Size : 14336 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 27c6d03bcdb8cfeb96b716f3d8be3e18
    SHA1 : 49083ae3725a0488e0a8fbbe1335c745f70c4667
    Online report : http://virscan.org/report/43a521a850ccb8343cedfbc3d5629f30.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20091212050408 2009-12-12 5.58 -
    AhnLab V3 2009.12.13.00 2009.12.13 2009-12-13 2.17 -
    AntiVir 8.2.1.108 7.10.1.219 2009-12-11 0.53 -
    Antiy 2.0.18 20091211.3462203 2009-12-11 0.28 -
    Arcavir 2009 200912112021 2009-12-11 0.03 -
    Authentium 5.1.1 200912112246 2009-12-11 2.22 -
    AVAST! 4.7.4 091212-0 2009-12-12 0.01 -
    AVG 8.5.288 270.14.104/2560 2009-12-12 0.35 -
    BitDefender 7.81008.4720336 7.29417 2009-12-12 4.23 -
    CA (VET) 35.1.0 7170 2009-12-10 36.11 -
    ClamAV 0.95.2 10155 2009-12-12 0.10 -
    Comodo 3.13 3217 2009-12-12 2.19 -
    CP Secure 1.3.0.5 2009.12.12 2009-12-12 0.04 -
    Dr.Web 4.44.0.9170 2009.12.12 2009-12-12 21.80 -
    F-Prot 4.4.4.56 20091211 2009-12-11 3.01 -
    F-Secure 7.02.73807 2009.12.12.02 2009-12-12 0.23 -
    Fortinet 11.259- 11.259 2009-12-12 0.58 -
    GData 19.9267/19.620 20091212 2009-12-12 17.85 -
    ViRobot 20091212 2009.12.12 2009-12-12 4.88 -
    Ikarus T3.1.01.74 2009.12.12.74745 2009-12-12 4.25 -
    JiangMin 13.0.900 2009.12.12 2009-12-12 40.14 -
    Kaspersky 5.5.10 2009.12.12 2009-12-12 0.07 -
    KingSoft 2009.2.5.15 2009.12.12.20 2009-12-12 40.14 -
    McAfee 5.3.00 5829 2009-12-11 3.39 -
    Microsoft 1.5302 2009.12.12 2009-12-12 40.14 -
    Norman 6.01.09 6.01.00 2009-12-12 4.00 -
    Panda 9.05.01 2009.12.12 2009-12-12 40.13 -
    Trend Micro 9.000-1003 6.688.02 2009-12-12 0.03 -
    Quick Heal 10.00 2009.12.12 2009-12-12 40.13 -
    Rising 20.0 22.25.05.04 2009-12-12 40.13 -
    Sophos 3.02.0 4.48 2009-12-12 2.76 -
    Sunbelt 3.9.2386.2 5557 2009-12-11 40.12 -
    Symantec 1.3.0.24 20091211.002 2009-12-11 0.05 -
    nProtect 20091210.02 6563203 2009-12-10 40.13 -
    The Hacker 6.5.0.2 v00011 2009-09-18 40.13 -
    VBA32 3.12.12.0 20091211.2059 2009-12-11 2.56 -
    VirusBuster 4.5.11.10 10.116.3/2014358 2009-12-12 2.58 -
     
  11. milkcreamsugar

    milkcreamsugar TS Rookie Topic Starter

    The logs from virscan.org are being verified by the moderators, but I don't know if they will go through, because I tried sending the log yesterday and it seems the moderator didn't approve it. So it didn't go through.

    Here are the other logs.
     
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Let's remove the Eset entry:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      C:\Program Files\Zylom Games\Nanny Mania 2 Deluxe\Nanny2.exe
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ---------------------------------------

    Flash player is known for leaving behind old insecure files. It is better to clean out the entire entry, uninstall, then reinstall:

    • Download the Flash Player Uninstaller and save it to your desktop.
      Choose the Flash Player Uninstaller for your browser: http://www.adobe.com/shockwave/download/alternates/ Don't run yet.

    • Please reopen HijackThis to 'do system scan only'. Check the following processes if found:

      O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/5.0_(Windows;_U;_Windows_NT_5.1;_en-US;_rv:1.9.1.5)_Gecko/20091102_Firefox/3.5.5" -"http://www.adobe.com/shockwave/welcome/"

    • Close all Windows except HijackThis and click "Fix Checked."
    • Boot into Safe Mode
      [o] Restart your computer and start pressing the F8 key on your keyboard.
      [o] Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    • Double-click the Flash Player Uninstaller setup on the desktop and run the uninstaller program.
    • Reboot your computer to complete the uninstall.
    • Download latest version of Flash Player HERE and save to the desktop.
    • Double click the setup and run to install. Reboot when through.
    • Once the new version is installed, follow the directions to disable the auto-updater.
      [1] Navigate to the Shockwave Welcome page: http://www.adobe.com/shockwave/welcome/
      Note: The context menu can be accessed from any Shockwave movie if the context menu has been enabled by the author, but this URL was provided to simplify the process.
      [2] Windows: Right click the Shockwave movie.
      [3] From the drop down menu choose "Properties".
      [4] Uncheck the box next to "Automatic Update Service" to disable the auto update feature.

    Rescan with HijackThis once more. Advise of any system problems. Leave new log in next reply.
     
  13. milkcreamsugar

    milkcreamsugar TS Rookie Topic Starter

    I totally screwed up at the Flash Player part. I accidentally hit uninstall before making a HijackThis scan. Did not see the

    O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/5.0_(Windows;_U;_Windows_NT_5.1;_en-US;_rv:1.9.1.5)_Gecko/20091102_Firefox/3.5.5" -"http://www.adobe.com/shockwave/welcome/"

    when I did a scan after clicking on the uninstaller. But I continued to proceed with installing the latest player.
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, I am a bit blown away with the logs from OTMoveIt since I only gave one file to remove. I need you to back up:

    Please delete the Combofix log on your desktop. Then rerun Combofix and give me the new Report.

    Then delete the Eset scan log. Update and rescan with the Eset online scanner. Give me the new log.

    How far did you get with the Shockwave Updater? Did you run the uninstaller? Did you go on with the directions that followed to install as follows:
    • Download latest version of Flash Player HERE and save to the desktop.
    • Double click the setup and run to install. Reboot when through.
    • Once the new version is installed, follow the directions to disable the auto-updater.
    • Navigate to the Shockwave Welcome page: http://www.adobe.com/shockwave/welcome/
      Note: The context menu can be accessed from any Shockwave movie if the context menu has been enabled by the author, but this URL was provided to simplify the process.
    • Windows: Right click the Shockwave movie.
    • From the drop down menu choose "Properties".
    • Uncheck the box next to "Automatic Update Service" to disable the auto update feature.
     
  15. milkcreamsugar

    milkcreamsugar TS Rookie Topic Starter

    Yes, I did all the steps for Flash Player. Blown away? Bad thing? Oh no...
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Oh my goodness- I have surely put you through the paces! Not to worry though- it was worth it! You had many temp files cleaned out- that's a good thing.

    The Trojan you had was associated with NannyMania. This is a game download site with an association to Shockwave. If you can live without the site, I suggest you uninstall it in Add/Remove Programs, then delete the Programs folder using Windows Explorer.

    I looked through that large shockwave updater entry you removed and it contained "online games." That could have been the source.

    I have another person in a similar situation- got a Trojan on a game download site, but wanted to keep the site since a family member used it. Just be aware that it can be a source of malware. Looks like you used it to download here:

    2009-12-08 20:21 -------- d-----w- c:\documents and settings\All Users\Application Data\NannyMania

    Are you still having any of the malware associated problems?
     
  17. milkcreamsugar

    milkcreamsugar TS Rookie Topic Starter

    It is okay. Quite lengthy, but as long as my computer is in good terms. Can't rest much if there is something bad lurking in my computer.
    I always uninstall the program after I'm done playing with them. I'll be more careful from now on.

    I don't think I have any other problems. The win32/heur is gone, right? So, so far so good. :D

    THANK YOU SO MUCH~~ :) :) for everything.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    You're welcome! Let's remove the cleaning tools and old restore points:

    Remove all of the tools we used and the files and folders they created

    Uninstall ComboFix.exe And all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.


    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.
    ----------------------------------
    Please follow these simple steps to keep your computer clean and secure:
    1.Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

    System Restore Guide


    2.Stay current on updates:
    • Visit the Microsoft Download Site frequently.
      You should get all updates marked Critical and the current SP updates: Windows 2000> SP4, Windows XP> SP2, SP3, Vista> SP2
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    3.Make Internet Explorer safer. Follow the suggestions HERE
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

    4.Remove Temporary Internet Files regularly: Use

    5.Use an AntiVirus Software (only one)

    6.Use a good, bi-directional firewall (one software firewall)
    • See Understanding and Using Firewalls including links to download a firewall.

    7.Consider these programs for Extra Security
    • Spywareblaster:
    • SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad
    • This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file: This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar: Get the free Google toolbar to help stop pop up windows.

    If I can be of further assistance, please let me know.
     
Topic Status:
Not open for further replies.

