TechSpot

Please help with Win32 Heur Virus

By HughMcB
May 2, 2009
  1. Blind Dragon (or other moderator), I have taken the steps advised and have downloaded/updated the relevant programs, however Malwarebytes' Anti-Malware will still not open for me? Thank you! I am using a Vista operating system.
     
  2. touch

    touch TS Rookie Posts: 978

    Hello HughMcB

    Please attach logs from HijackThis and SuperAntiSpyware
     
  3. HughMcB

    HughMcB TS Rookie Topic Starter Posts: 16

  4. touch

    touch TS Rookie Posts: 978

    Remove/uninstall from "Programs and Features" in Control Panel:
    AVG8

    We'll try Malwarebytes, slightly differently -

    Download Malwarebytes
    http://www.download.com/Malwarebyte...4-10804572.html?tag=mncol;pop&cdlPid=10878968

    Save the file as setup.exe

    Run the setup.exe file
    When it gets to the final step of the installation it will seem like it froze....it hasn't but it will take anywhere from 15mins to an hour to get through that step so just let it do its thing.

    If the automatic update fails, download the manual update ->
    http://www.gt500.org/malwarebytes/mbam-rules.exe

    Go into the Malwarebytes folder through Program Files
    Rename the mbam.exe to 123.exe and run it.
    Do a full computer scan

    Check all and remove/fix/delete them.

    Restart your computer and post the log
     
  5. HughMcB

    HughMcB TS Rookie Topic Starter Posts: 16

  6. touch

    touch TS Rookie Posts: 978

  7. HughMcB

    HughMcB TS Rookie Topic Starter Posts: 16

    Ok so here are the logs from those scans: View attachment 47777, View attachment 47778, View attachment 47779, View attachment 47780.

    Now when I access the internet these warnings still seem to pop up from Avira AntiVir:
    Virus or unwanted program 'TR/Dldr.Agent.brpo [trojan]'
    detected in file 'C:\Windows\System32\gxvxcswochrtppbaxvcvneedxnxqutthenmsk.dll'.
    Action performed: Move file to quarantine


    See also Comodo Antivirus Logfile for further information.
    View attachment 47781

    Thank you again!
     
  8. touch

    touch TS Rookie Posts: 978

    I was not aware that it was Comodo Antivirus you had - my bad.
    It means you still have two antivirus programs running.

    I'll therefore suggest you remove Avira or Comodo from "Programs and Features" in Control Panel.

    Please download Combofix:
    http://subs.geekstogo.com/ComboFix.exe
    And save to the desktop.

    Open notepad and copy/paste the text in the quotebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    http://www.fromsej.saknet.dk/billeder/cfscript.gif

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe.

    Combofix will create a logfile and display it after your computer has rebooted. It is usually located at C:\combofix.txt; please attach it to your next post.

    Note:
    Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.
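    The two things touch asks the poster to check, whether more than one antivirus product is active at the same time and whether the DLL Avira reported is still on disk, can be verified from PowerShell. This is an added example and not part of the thread or any of the tools named in it; it assumes the root\SecurityCenter2 WMI namespace (present on Vista and later) and uses the commonly cited, undocumented decoding of productState, which is an assumption.

```powershell
# Added example, not from the thread: defender-side checks for (1) more than one
# real-time antivirus registered with Windows Security Center and (2) whether the
# DLL Avira quarantined is still present. Runs on Windows PowerShell 2.0 (Vista).

# Path quoted in the thread's Avira warning.
$dllPath = 'C:\Windows\System32\gxvxcswochrtppbaxvcvneedxnxqutthenmsk.dll'

function Get-RegisteredAntivirus {
    # root\SecurityCenter2 is where Vista+ registers third-party AV products.
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction Stop |
        ForEach-Object {
            # productState is a packed value. The usual (undocumented) reading is:
            # middle byte 0x10 = real-time protection on, last byte 0x00 = signatures current.
            $hex = '{0:X6}' -f [int]$_.productState
            New-Object PSObject -Property @{
                Name     = $_.displayName
                Enabled  = ($hex.Substring(2, 2) -eq '10')
                UpToDate = ($hex.Substring(4, 2) -eq '00')
                State    = "0x$hex"
            }
        }
}

$av = @(Get-RegisteredAntivirus)
$av | Format-Table Name, Enabled, UpToDate, State -AutoSize

# Two products with real-time protection on at once is the conflict touch describes.
$active = @($av | Where-Object { $_.Enabled })
if ($active.Count -gt 1) {
    Write-Warning ('{0} real-time antivirus products are enabled at once ({1}); keep only one.' -f `
        $active.Count, (($active | ForEach-Object { $_.Name }) -join ', '))
}

# The DLL should be gone once the clean-up has worked; report size and timestamp if not.
if (Test-Path -LiteralPath $dllPath) {
    $item = Get-Item -LiteralPath $dllPath -Force
    Write-Warning ('{0} is still present ({1} bytes, last written {2}).' -f `
        $dllPath, $item.Length, $item.LastWriteTime)
} else {
    Write-Host "$dllPath is not present."
}
```

    Run it from an elevated PowerShell prompt; a product that is listed but shows Enabled = False is installed yet not scanning in real time, which is a different situation from two products both scanning.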
     
  9. HughMcB

    HughMcB TS Rookie Topic Starter Posts: 16

    Ok so I uninstalled Avira and ran the steps you provided. I dragged the CFScript.txt file into ComboFix.exe. Comodo then detected this threat, C:\32788R22FWJFW\hidec.exe, which I first tried to quarantine. As ComboFix.exe was nearly complete it displayed an error message (three times): "Windows cannot find file 32788R22FWJFW\hidec.exe".

    Also Comodo detected (after the other process had completed) that a file gsar.cfexe in location C:\32788R22FWJFW was trying to get permission to execute.

    Long story short, I couldn't get it to complete and therefore no logfile!
     
  10. touch

    touch TS Rookie Posts: 978

  11. HughMcB

    HughMcB TS Rookie Topic Starter Posts: 16

     
  12. touch

    touch TS Rookie Posts: 978

    Please download http://swandog46.geekstogo.com/avenger2/download.php
    by Swandog46 to your Desktop.
    Click on Avenger.zip to open the file
    Extract avenger2.exe to your desktop

    Start Avenger


    Copy/Paste all the text in the above quote box into the main window
    Click Execute

    The Avenger will automatically do the following:
    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)

    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions.

    This log file will be located at C:\avenger.txt

    Attach C:\avenger.txt in your next reply, and tell me how things are running.
     
  13. HughMcB

    HughMcB TS Rookie Topic Starter Posts: 16

    Ok so this is the avenger logfile, View attachment 47842

    Once the computer starts, Comodo quickly picks up this threat and sends me a warning message for this file.
    C:\Windows\System32\gxvxcswochrtppbaxvcvneedxnxqutthenmsk.dll
    Unclassified Malware@15429841
     
  14. touch

    touch TS Rookie Posts: 978

    Looks like we need Combofix to run. Uninstall the version you have ->

    Click START then RUN
    Now type Combofix /u in the runbox and click OK.
    Note the space between the X and the /U, it needs to be there.
    When shown the disclaimer, Select "2"

    Reboot

    Please download newest version of Combofix:
    http://subs.geekstogo.com/ComboFix.exe

    And save to the desktop.

    Close all other browser windows.

    Please connect all your external hard drive/flash drive before running Combofix, if you have any

    Double-click on the combofix icon found on your desktop.

    Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

    Combofix will create a logfile and display it after your computer has rebooted. It is usually located at C:\combofix.txt; please attach it to your next post.
     
  15. HughMcB

    HughMcB TS Rookie Topic Starter Posts: 16

    Windows won't execute Combofix /u, when entered in Run it gives message that it cannot find "Combofix". What next? :(

    I'm getting pretty disheartened here by all this, is reformatting an option?
     
  16. touch

    touch TS Rookie Posts: 978

    Not yet.

    Download http://gmer.net/gmer.zip
    and save to your desktop.
    Unzip/extract the file to its own folder.
    When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
    Double-click on Gmer.exe to start the program.
    Allow the gmer.sys driver to load if asked.

    If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
    Click the >>> tab
    Now Click on Settings, then check the first five settings:
    System Protection and Tracing
    Processes
    Save created processes to the log
    Drivers

    Save loaded drivers to the log

    You will be prompted to restart your computer. Please do so.
    After the reboot, run Gmer again and click on the Rootkit tab.

    Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
    Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
    Click on Scan and wait for the scan to finish.

    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.

    When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
    If GMER doesn't work in Normal Mode try running it in Safe Mode

    Important!:
    Please do not select the Show all checkbox during the scan.

    Attach the GMER log.
     
  17. HughMcB

    HughMcB TS Rookie Topic Starter Posts: 16

    Ok so after many attempts I finally got the Combofix to work (I had to uninstall Comodo as it appeared to be hindering the process and reinstall Avira).

    Ok so I ran Combofix and attached is the log. Please note that I had to run it twice as the first time the computer shut down. I think that it has rectified some of the problems but don't yet know if it's all good yet?! Please advise! Thanks for all your help! :)

    View attachment 47899
     
  18. touch

    touch TS Rookie Posts: 978

    You have done a good job :)

    And finally you got rid of
    C:\Windows\System32\gxvxcswochrtppbaxvcvneedxnxqutthenmsk.dll.

    BTW. The filename is not easy to pronounce ;)

    How are things running now?
     
  19. HughMcB

    HughMcB TS Rookie Topic Starter Posts: 16

    Ya so far everything seems to be fine, if I've any further problems I'll be sure to contact you. :D

    Thank you, you guys really provide a great service here and are very much needed by the general public. Keep up the good work!!!!!!

    :grinthumb :grinthumb :grinthumb
     
  20. touch

    touch TS Rookie Posts: 978

    Sounds good, and we will :)

    Now that your computer problems are solved, it is time for the clean-up procedure.
    You should Create a New Restore Point to prevent possible reinfection from an old one.
    The easiest and safest way to do this is:
    Go to Start > All Programs > Accessories > System Tools > System Restore
    Select Create a restore point, and Ok it.
    Next, go to Start > Run and type in cleanmgr
    Select the More options tab
    Choose the option to clean up system restore and OK it.

    This will remove all restore points except the new one you just created.

    Please download OTCleanIt
    Save it to desktop.
    This will remove all the tools we used to clean your computer.
    Double-click OTCleanIt.exe. Click CleanUp. Say Yes to the "Begin cleanup Process?"
    When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
    Please note. It will NOT remove Mbam, Ccleaner and SuperAntispyware.

    To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
    How did I get infected in the first place

    Keep safe :wave:
     
Topic Status:
Not open for further replies.
