Help with removing Win32/Heur virus

By IVZ86
Jun 24, 2009
Topic Status:
Not open for further replies.
  1. Hey hows it going?
    My avg recently have been picking up files after files being affected by the win32/heur. It even says that my notepad.exe is infected, and a whole heap of other system files.

    I am at the moment in the process of doing the 8steps removal thing from the other thread. I will attach the 3 txt files once i have completed all 8 steps.

    I am hoping that i can clear this problem and not have to reformat :(
  2. IVZ86

    IVZ86 Newcomer, in training Topic Starter Posts: 31

    OK i have completed the 8steps and here are the log files

    I havent tried rescannin the computer with AVG etc yet so i dont know if it has cleaned it. My computer now runs different, alot of program are corrupted and would not load, and things are changed. Also when my computer reboots, it doesnt boot up properly. I have to hold down ctrl+shift+esc to get to the task manager and start explorer.exe through the new task so my computer loads to the desktop.

    Also i tried to go on the net with it. AVG picks up a "jl.chura.pl/rc/" threat everytime i load up firefox. What now? can someone please give me abit of help? its giving me the s@#$*. Also, certain pages wont load. Such as the AVG site, and some other anti virus sites. But works on another computer.

    Here are the logs, hope you guys can help me out. Thanks

    Attached Files:

  3. IVZ86

    IVZ86 Newcomer, in training Topic Starter Posts: 31

    Still need abit of assistance. Can someone check up whether my computer is right, or provide any point of direction and help?
  4. IVZ86

    IVZ86 Newcomer, in training Topic Starter Posts: 31

    Can someone possibly check the log files? and give me a bit of assistance?
  5. ChrisDown

    ChrisDown Newcomer, in training Posts: 125

    Hey there! I'm sorry that your thread has not received the activity that you were expecting.

    Could you please download ComboFix from here, rename it to a few random letters (to stop malware noticing it), and then run it? The log that ComboFix produces should give more of an idea of what is going on, and ComboFix may even be able to remove more of the offending malware (if it is still there).

    Please do not click on the ComboFix window itself -- the program has been known to stall on occasions if you do this.

    After you're done, please upload the log. Thanks. :)
  6. IVZ86

    IVZ86 Newcomer, in training Topic Starter Posts: 31

    ill do that as soon as i can. Thanks for the reply
  7. IVZ86

    IVZ86 Newcomer, in training Topic Starter Posts: 31

    Sorry havent been on for a while. Been busy with work all weekend.

    I tried to run combofix but its says i need to download a new copy everytime i try to run it, combofix wont work, it states that it is infected with the VIRUT virus. Any ideas?
  8. IVZ86

    IVZ86 Newcomer, in training Topic Starter Posts: 31

    Im still stuck with this, i havent been able to use my computer for a week now....Can someone possibly please help or point of direction ?
  9. IVZ86

    IVZ86 Newcomer, in training Topic Starter Posts: 31

    .......bump
  10. IVZ86

    IVZ86 Newcomer, in training Topic Starter Posts: 31

    Chrisdown? your help again?
  11. tystanwick

    tystanwick Newcomer, in training Posts: 29

    What does your system time say? If your PC's date is not set properly, combofix will only run in reduced functionality mode or will not run at all. Also, when you saved combofix to your PC did you rename it to something with a .com at the end of it? (ex. 123.com) If you didn't, you should.
  12. IVZ86

    IVZ86 Newcomer, in training Topic Starter Posts: 31

    My pc's date? It hasnt changed, date is exactly the same date as the day im in. So your sayin that i should run combofix in save mode?

    I downloaded combofix on the computer i am using now and transferred it to my infected computer on a usb drive. Once copied, i renamed it to asd.exe. When i open it, it says combofix can not run, because computer is infected with the VIRUT virus and states that a new copied should be downloaded from www.bleepin........ etc.
  13. tystanwick

    tystanwick Newcomer, in training Posts: 29

    You may have a virus thats affecting all of your .exe's. That why I said you should change combofix to read 123.COM

    You can try to run combofix from safemode, but it is designed to be run from a normal startup.

    Basically: On your non-infected PC. Download combofix again, when it asks you where to save it, point it to your flash drive and rename it to 123.com BEFORE you hit save. Now copy 123.com to the infected machine and try to run it.
     
  14. IVZ86

    IVZ86 Newcomer, in training Topic Starter Posts: 31

    Alrite sweet, ill give that ago and post back as soon as possible
  15. IVZ86

    IVZ86 Newcomer, in training Topic Starter Posts: 31

    Ok i did what you told me, but it still gives me the same alert msg, and wont left combofix run. It says the following:-

    !! ALERT !! it is not safe to continue. The contents of the combofix package have been compromised. Please download a fresh copy from
    www.bleepingcomputer.com/combofix/how-to-use-combofix

    Note: You may be infected with a file patching virus "Virut"

    that then it deletes itself. Any ideas??
  16. IVZ86

    IVZ86 Newcomer, in training Topic Starter Posts: 31

    help again tystanwick? or chrisdown?
  17. IVZ86

    IVZ86 Newcomer, in training Topic Starter Posts: 31

    ......Bump
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    IVZ, you posted 4 times a week ago wanting someone to answer. Sometimes the helpers are very busy and it takes a while- we try to get the 'first come/first served'. Sometimes a member falls through the cracks.

    you actually hurt yourself by posting the 4 times- sometimes we look at the number pf replies on a thread and seeing 4, think a helper has started. Then someone finally picked it up but YOU were too busy to follow the instructions.

    I'm going to help you now and I expect you to follow through in a timely manner!

    Your system has been badly infected with multiple malware- one is a Backdoor Trojan. I advise you to change all your passwords and monitor online banking if you have an account set up.

    You also have a DNS Changer which will require that the router be reset. And if I do find that you have a Virut infection, I will recommend a reformat/reinstamm.
    You have WAY too much starting on boot and running in the background. This makes you more vulnerable and also slows you down. I will address this at the end of cleaning.

    Please reopen HijackThis to 'do system scan only' and CHECK all of the follow, if present. Do Not click on 'Fix Checked' until the list is complete:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
    O2 - BHO: (no name) - {EBE68C84-7471-4100-A578-EA594ADC0FE8} - (no file)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
    O20 - Winlogon Notify: tuvTnnKe - tuvTnnKe.dll (file missing)

    Please close all Windows except HijackThis and click on 'Fix Checked.'[/B]

    This is only a beginning. I have to be out for about 2 hours and will resume when I return. In the meantime, Please run a full system scan with AVG. Save the log and include it in your next reply.

    IF you Are infected with Virut, the bottom line will be to reformat. But I'll help you with Combo fix when I return.

    Please don't install, uninstall, update or delete in the meantime, with the exception of the HighJack This entries.
    Rescan with HJT AFTER the AVG scan and include new log as well as AVG log.
  19. IVZ86

    IVZ86 Newcomer, in training Topic Starter Posts: 31

    Hey Bobbye, sorry for my stupidity. Just that i got a lil stressed with this whole thing.
    Im a night shift worker and I just got home from work. So im now gonna do what you instructed me to do.

    A few days ago, i uninstalled AVG. And installed the avast antivirus one instead, and updated it. Is that ok?

    I will presume scanning my computer with Avast.

    Also, you know anything about "jl.chura.pl/rc/". When i had avg, everytime i load up firefox it would pick this infection up. And i searched it up on the net, and i tried what a few of the other forum threads said about it. I now resetted my internet explorer, uninstalled firefox. And havent tried getting on the net with my computer yet. I have been using my brothers computer.
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    You're not clear on what you see for jl.chura.pl/rc, but when I pout it in the search box, Firefox reports it as an 'attack site' and don't load it. Firefox was using one of it's security features and preventing you from loading a site known to infect your computer.

    It's a big red box reporting "Attack Site." It's not an infection- it's a warning. Suggest you reinstall Firefox when we're finished and not try to access this site, whatever it it. I should be able to tell more after I get the AV scan. I think Avast or Avira is a bit better than AVG.
  21. IVZ86

    IVZ86 Newcomer, in training Topic Starter Posts: 31

    the jl.chura.pl/rc warning i get it from AVG everytime i loaded up firefox when i started getting these win32/heur warnings. It gets embedded in one of the firefox files, so everytime you load up firefox it'll try load up that site in the background or something. Thats what i have read from searching threads. I have to go in to one of the firefox folders and open a file through notepad and delete a "jl.chura.pl/rc" entry thats been embedded in the coding and save the file. But everytime i do it, it reappears again. So at the moment, i resetted internet explorer and dont have firefox on my computer.

    The system scan is still going, its been left on overnight. I have to go to work now, so ill place the log here as soon as it finishes. And redo the HJT log.

    Thanks for your help bobbye.
  22. IVZ86

    IVZ86 Newcomer, in training Topic Starter Posts: 31

    Sorry about the delay bobbye. But here are the log files for my avast scan and HJT
    There are few entries when scanned by HJT that came up with file missing, after i ticked them and click fixed checked. They still reappear.

    But here they are, the avast scan seems to not pick up any virut infections. I guess thats a good sign?

    Ok the avast log wont upload, apparently the file is too big. So i uploaded it to fileden.
    Here is the link to it
    http://www.fileden.com/getfile.php?...eden.com/files/2006/10/2/255544/Avast Log.txt
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Any time an AV log s too big to download you know you're in trouble: I'm not sure what to make of that log though. It's saying there is malware in everything!

    Main entries are :
    "HTML:IFrame-HO [Trj]"
    It was in an html formatted email message that was downloaded. IFrame is an HTML element. You would not see it directly(and should be highly careful about trying to open an html email file that contains one. You would want to open it in notepad rather than an application that will try to run the page(browser, email program, etc).

    "Win32:JunkPoly [Cryp]"
    [​IMG]

    I need you to do an online AV scan:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Please reopen Hijach This to "do system scan only
    Check the following entries if present: Note> do not click on Fix checked until you have completer the checking.
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

    CLose all Window except HijackThis and click on "Fix Checked"

    Follow with new scan for HijackThis. attach new log.

    A comment: You have an enormous number of unnecessary processes starting on boot. That means they are also running in the background. Processes for multiple music players, CD/DVD writing software, camera, 'convenience items' like a tray icon- all of these unnecessary startups will slow you down at some point.

    We'll see what the online AV scan shows up and go from there.

    Specifically, tell me what system problems remain.
  24. IVZ86

    IVZ86 Newcomer, in training Topic Starter Posts: 31

    Ok ill do that straight away. See how it go. Thanks bobbye.

    That "HTML:IFrame-HO [Trj]" only just started after i updated the virus database on the avast.

    I did a previous scan before with avast and never picked it up. And i havent been on the net to surf webpage with the infected computer since. So i dont know why it is picking up every single html on my computer as "HTML:IFrame-HO [Trj]", avg never picked it up.
  25. IVZ86

    IVZ86 Newcomer, in training Topic Starter Posts: 31

    Ok i tried running that website. It wont let me run. Any antivirus scan websites wont work. Where as every other one is fine like google etc. When i tried running, avast picked up id12.exe as a Win32:JunkPoly [Cryp]

    When i was running, IExplorer, a few applications started terminating itself. Also the short cuts on my quick launch bar, such as show desktop and windows media player is gone now. So i dont know whats going on
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.