[Closed] Win32/Heur on laptop with no internet connection

[Robn]

Was reading the initial 8 steps and already have questions.

1. It says 'do not make any changes' - but I already did before finding this forum.
History: Computer has been on line before but not for several months. It has AVG on it but obviously not current. I had some photos digitized and when I put the CD in my off line computer (Acer) it got infected.
AVG said it had win32/Heur and it was finding more copies at an accelerating pace. I shut the machine off. A 'friend' said he was sure it was a false positive - as did the photo shop when I took the CD back. The friend took the files back out of the vault. Next time I turned the machine on it was worse than before. So i started researching.

Due to the results of my initial research, I downloaded Avira 2011, and that 2 minute trojan remover (which turned out to be useless since I wasn't using it on line) onto this computer, along with Windows Malware remover ( which I already had on this computer although not the latest version), then moved all three to an empty thumb drive, then took the thumb drive to the Acer.
All the while that Avira was loading, AVG was complaining about infections faster and faster. Avira came up with one report that said 2 problems. Another that said 58. Oh - maybe one was referring to number of viruses and the other infected files? The quarantining wasn't working so I shut it off until I could do more thorough research and luckily found this place which looks like the real mcCoy.

2. "if you are running any Registry editing program". Not sure what this is. I do (I think) have a registry cleaning program but don't know if it is running in the background or not. Is cleaning the same as editing?

3. How should the 8 steps be modified for an offline machine? And does it make a difference if it is all done in one session or the machine is shut off and rebooted or put in standby? It seemed like the virus was making less head way initially but increasing exponentially. So shutting it off seemed to slow down the damage.

It is one AM where I am, so I'm going to bed and will read your answer in a day.
Thanks much for this service, I was getting rather cynical about the lack of personal help and then I find you! My faith in humanity is restored. Robn

 

[Bobbye]

Welcome to TechSpot!

(Image courtesy animationplayhouse.com)

Sometimes, friends mean well but get users in a lot of trouble! A find of Win32/Heur by AVG is frequently a sign of a more serious malware infection. Unfortunately, what you are describing sounds very much like Virut. It sounds like all the infected executable files are doing their thing.

I need you to connect to the internet just long enough to run the following:

• Make sure to use Internet Explorer for this
• Please go to VirSCAN.org free on-line scan service
• Copy and paste each of the following file paths into the "Suspicious files to scan" box on the top of the page, one at a time:
  
  c:\windows\system32\userinit.exe
  
  c:\windows\explorer.exe
  
  c:\window\system32\svchost.exe
  
  
• Click on the Upload button
• If a pop-up appears saying the file has been scanned already, please select the ReScan button.
• Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
• Paste the contents of the Clipboard in your next reply.

Virut is a Polymorphic File Infector that infects ..exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.
It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker

Good explanation here:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html


Change all of your passwords and monitor any online transactions.

Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.

• Backup all your documents and important items only.
• DON'T backup any executable files (,exe .scr .html or .htm)
• DON'T back up compressed files (zip/cab/rar) that may contain .exe or .scr files

But let's check to make sure: If it is Virut, I will recommend the reformat/reinstall immediately so as not to danger the system any further and compromise your information.

 

[Robn]

no to connecting now

Thanks for the welcome and willingness to help.

However, connecting to the internet, even briefly, is not a good idea.

1. Since it has NOT been connected to the internet, the backdoor issue is currently moot and I would rather not expose it and then have to deal with all the password issues, etc. Monitoring is not an option since I will be away from access for several weeks.

I don't want either the risk of picking up more malware or having data stolen.

2. The infected machine is a backup I can do without for now.

3. It is not getting sicker while off.

4. Maybe a cure can be found while it is off?

5. It would take a lot of time and research to figure out how to connect and probably cost money I can't afford. (I'm visiting a foreign country. This machine connects via a modem but the modem won't work on the other one - long story)


So, if I won't connect to the internet, then I gather you recommend a reformat?
Robn

 

[Bobbye]

4. Maybe a cure can be found while it is off?

Dream on! It doesn't happen like that!

So, if I won't connect to the internet, then I gather you recommend a reformat?

Yes, you will have to assume the worse- the damage has been done.

You can try doing a scan with AVG paste the log into your next reply. I may or may not get more information. You won't be able to update, but scan should work

I would still encourage you to change all the passwords.

 

[Robn]

passwords

Unable to deal with this now. It will have to wait a couple of months. But please explain why I should go to the hassle of changing all the passwords when I have not been on line?
Robn

 

[Bobbye]

Because even though you may not be on line, if your system has been comprosed and passwords stolen, someone has access to everything you have a passweord for and they don't need for you to be online.

Since this isn't something you want to do, I'm closing the thread.