Inactive Removing Heur/Win32

DrewG

Hi guys.

This virus has been killing my computer and every time I feel like I've made a development, it just keeps on popping up. I've run searches with Kaspersky (which gives me an option to quarantine/delete the many instances of it but never really does either) and Spyware Doctor. They find things but cannot permanently get rid of it. Vista installation disc and system repair also can't do anything.

Don't recommend Malware Bytes because I can't open the installation file even with renaming the .exe...also, I can't get into the registry so don't recommend going there.

If this helps, at one point the computer was unable to start in Vista. Error code was 0xc0000098 and the corrupt or missing file was Windows/system32/Drivers/ccrwnv.sys. That ccrwnv file is the same one that Kaspersky usually singles out during its scans.

Any help with this would be unbelievable. More than anything I just want to be able to back up my music/pictures/documents, I don't really mind re-installing Vista (although not having to do so would be optimal).
 
Drew, the chances are good that the malware infection goes deeper than Win32/Heur. Please see if you can run this online scan:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

I will know the extent better after reviewing this log. Depending on what this is, you will have to be very careful about what you can safely back up.
 
Tried doing that but keep getting UNEXPECTED ERROR 2003 when downloading the virus signature database. Will keep trying.
 
Here:


C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll Win32/Adware.WBug.A application
C:\Users\Drew\Downloads\Tuneup Media 1.1.9 ( Itunes plugin )\TuneUpApp+2_Trainer.exe Win32/HackTool.CheatEngine.AB application
C:\Users\Public\Documents\Server\hlp.dat Win32/Bamital.EK trojan
C:\Windows\Temp\TMP116C.tmp a variant of Win32/Adware.FakeAntiSpy.M application
C:\Windows\Temp\TMP3536.tmp a variant of Win32/Adware.FakeAntiSpy.M application
C:\Windows\Temp\TMP3A02.tmp a variant of Win32/Adware.FakeAntiSpy.M application
C:\Windows\Temp\TMP5C53.tmp Win32/TrojanDownloader.Agent.QIB trojan
C:\Windows\Temp\TMP6EA6.tmp Win32/TrojanDownloader.Agent.QIB trojan
C:\Windows\Temp\TMP9910.tmp a variant of Win32/Adware.FakeAntiSpy.M application
C:\Windows\Temp\TMPA968.tmp Win32/TrojanDownloader.Agent.QIB trojan
C:\Windows\Temp\TMPC61F.tmp a variant of Win32/Adware.FakeAntiSpy.M application
C:\Windows\Temp\TMPEF54.tmp a variant of Win32/Adware.FakeAntiSpy.M application
C:\Windows\Temp\TMPF85C.tmp Win32/TrojanDownloader.Agent.QIB trojan

---------------------------------------------------

And here:

# antistealth_checked=true
# utc_time=2010-11-02 06:33:01
# local_time=2010-11-02 02:33:01 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=6.0.6000 NT
# compatibility_mode=769 16774142 100 100 0 224078467 0 0
# compatibility_mode=1280 16777195 100 0 197520 197520 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 6721000 125326485 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=154828
# found=14
# cleaned=0
# scan_time=3868
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Users\Drew\Downloads\Tuneup Media 1.1.9 ( Itunes plugin )\TuneUpApp+2_Trainer.exe Win32/HackTool.CheatEngine.AB application 00000000000000000000000000000000 I
C:\Users\Public\Documents\Server\hlp.dat Win32/Bamital.EK trojan 00000000000000000000000000000000 I
C:\Windows\Temp\TMP116C.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
C:\Windows\Temp\TMP3536.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
C:\Windows\Temp\TMP3A02.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
C:\Windows\Temp\TMP5C53.tmp Win32/TrojanDownloader.Agent.QIB trojan 00000000000000000000000000000000 I
C:\Windows\Temp\TMP6EA6.tmp Win32/TrojanDownloader.Agent.QIB trojan 00000000000000000000000000000000 I
C:\Windows\Temp\TMP9910.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
C:\Windows\Temp\TMPA968.tmp Win32/TrojanDownloader.Agent.QIB trojan 00000000000000000000000000000000 I
C:\Windows\Temp\TMPC61F.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
C:\Windows\Temp\TMPEF54.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
C:\Windows\Temp\TMPF85C.tmp Win32/TrojanDownloader.Agent.QIB trojan 00000000000000000000000000000000 I
 
Believe it or not, these results are good news! It means there is a better chance the system can be cleaned, whereas if it had been Virut, Ramnit or one of the other file infectors, cleaning would not be an option.
==============================================
Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes

    :Files
    C:\Program Files\AIM\Sysfiles\WxBug.EXE
    C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
    C:\Users\Drew\Downloads\Tuneup Media 1.1.9 ( Itunes plugin )\TuneUpApp+2_Trainer.exe
    C:\Users\Public\Documents\Server\hlp.dat
    C:\Windows\Temp\TMP116C.tmp
    C:\Windows\Temp\TMP3536.tmp
    C:\Windows\Temp\TMP3A02.tmp
    C:\Windows\Temp\TMP5C53.tmp
    C:\Windows\Temp\TMP6EA6.tmp
    C:\Windows\Temp\TMP9910.tmp
    C:\Windows\Temp\TMPA968.tmp
    C:\Windows\Temp\TMPC61F.tmp
    C:\Windows\Temp\TMPEF54.tmp
    C:\Windows\Temp\TMPF85C.tmp
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
========================================
Since you had a problem with Malwarebytes, download randmbam.exe

It will try to create random names and shortcuts for Malwarebytes Anti-Malware (MBAM) if you have it installed already. Please check our directions for Malwarebytes in the Preliminary Virus and Malware Removal thread HERE: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/ and try the scan again.

Please include the DDS scan and leave the 2 logs for review.

Summary of above:
Run OTMoveIt with the Eset entries
Run randmbam.exe
Retry Mbam scan
Run DDS from link.
=======================================
Then download ComboFix from Here and save to your Desktop.

  1. Do NOT rename ComboFix unless instructed.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If ComboFix asks you to install Recovery Console, please allow it.
  6. If ComboFix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with ComboFix.
=====================================
Include all logs in next reply. Use multiple posts if needed.

"I can't get into the registry so don't recommend going there."
No problem, I am telling you to stay out of the Registry!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
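As an added example (not code from the thread, from ESET or from TechSpot), here is a small Python parser for the log format posted above, read the way the helper reads it: which threat families are listed, whether any of them is a file infector such as Virut or Ramnit, and whether the found/cleaned counters in the header agree with the entries actually listed. The sample log is constructed from the entries posted above; the Virut/Ramnit list and the variant-suffix heuristic in family() are assumptions.

```python
import re
from collections import Counter
# Added example, not code from the thread: a parser for the ESET Online Scanner log
# posted above ("# key=value" headers, then "<path> <threat> <type> [(action)] <hash>
# <flag>" lines, flag I = found, C = cleaned; paths contain spaces, so match right-anchored).
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<name>(?:a variant of )?\w+/\S+) (?P<type>\w+)"
    r"(?: \((?P<action>[^)]*)\))? (?P<hash>[0-9a-fA-F]{32}) (?P<flag>[IC])$")
FILE_INFECTORS = ("Virut", "Ramnit")  # families the helper says cannot be cleaned (assumed list)

def parse_eset_log(text):
    """Return (header dict, list of detection dicts) for one scan's log."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header.setdefault(key, value)  # keep the first of repeated keys
        elif line:
            m = DETECTION_RE.match(line)
            if m:
                detections.append(m.groupdict())
    return header, detections

def family(name):
    """'a variant of Win32/Adware.FakeAntiSpy.M' -> 'Adware.FakeAntiSpy' (heuristic)."""
    parts = name.replace("a variant of ", "").split("/", 1)[1].split(".")
    if len(parts) > 1 and parts[-1].isupper() and len(parts[-1]) <= 3:
        parts = parts[:-1]  # drop the variant suffix (.A, .EK, .QIB)
    return ".".join(parts)

def triage(text):
    """Summarise a log the way the helper reads it before choosing a cleanup step."""
    header, dets = parse_eset_log(text)
    fams = Counter(family(d["name"]) for d in dets)
    found, cleaned = int(header.get("found", 0)), int(header.get("cleaned", 0))
    return {
        "found": found, "cleaned": cleaned,
        "remove_enabled": header.get("remove_checked") == "true",
        "families": dict(fams),
        "file_infector": any(fi in f for f in fams for fi in FILE_INFECTORS),
        # header counters should agree with the detection lines actually listed
        "header_matches": found == len(dets) and cleaned == sum(d["flag"] == "C" for d in dets),
    }
# Constructed sample in the page's format (two entries taken from the first posted scan).
BEFORE = r"""# remove_checked=false
# found=2
# cleaned=0
C:\Users\Public\Documents\Server\hlp.dat Win32/Bamital.EK trojan 00000000000000000000000000000000 I
C:\Windows\Temp\TMP116C.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
"""
```

Running triage(BEFORE) reports two families, no file infector and matching counters, which is the reading that led the helper to say cleaning was still an option.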
 
I cannot get that .exe to open, even with running it as administrator...

Message: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Keep in mind I am running in safe mode with networking.
 
Please run the Eset scan again, but with this change:
Make sure that the option "Remove found threats" is Checked, and the option "Scan unwanted applications" is checked.

Just the scan, not the script.
=============================================
  • Download the file TDSSKiller.zip and extract it (use an archiver, for example WinZip) into a folder on the infected (or potentially infected) PC.
  • Double click TDSSKiller.exe to start the scan
  • Wait for the scan and disinfection process to be over.
    [o] The utility outputs a list of detected objects with description.
    [o] The utility automatically selects an action (Cure or Delete) for malicious objects.
    [o] The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
  • The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.

It is necessary to reboot the PC after the disinfection is over.
 
Just did both...removed 13 threats with ESET and then with TDSS I was finally able to quarantine that ccrwnv.sys bugger that seemed to be the big part of the virus.

I'm about to reboot -- do you need me to do anything else? I don't want to jinx it but I think that procedure just now did the trick...
 
From TDSSKiller:

[InfectedObject]
Verdict: Locked service

[InfectedObject]
Type: Service
Name: ccrwnv
Type: Kernel driver (0x1)
Start: Boot (0x0)
Suspicious states: Locked service; Locked file;

[InfectedFile]
Type: Raw image
Src: C:\Windows\system32\drivers\ccrwnv.sys
md5: 3d5b58a2b41f54e6c44d06ab23f747b2

-----

ESET:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
esets_scanner_update returned -1 esets_gle=1
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=275614e98322ff4697e6a98b91d2e44f
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-11-02 06:33:01
# local_time=2010-11-02 02:33:01 (-0500, Eastern Daylight Time)
# country="United States"
# lang=9
# osver=6.0.6000 NT
# compatibility_mode=769 16774142 100 100 0 224078467 0 0
# compatibility_mode=1280 16777195 100 0 197520 197520 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 6721000 125326485 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=154828
# found=14
# cleaned=0
# scan_time=3868
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Users\Drew\Downloads\Tuneup Media 1.1.9 ( Itunes plugin )\TuneUpApp+2_Trainer.exe Win32/HackTool.CheatEngine.AB application 00000000000000000000000000000000 I
C:\Users\Public\Documents\Server\hlp.dat Win32/Bamital.EK trojan 00000000000000000000000000000000 I
C:\Windows\Temp\TMP116C.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
C:\Windows\Temp\TMP3536.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
C:\Windows\Temp\TMP3A02.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
C:\Windows\Temp\TMP5C53.tmp Win32/TrojanDownloader.Agent.QIB trojan 00000000000000000000000000000000 I
C:\Windows\Temp\TMP6EA6.tmp Win32/TrojanDownloader.Agent.QIB trojan 00000000000000000000000000000000 I
C:\Windows\Temp\TMP9910.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
C:\Windows\Temp\TMPA968.tmp Win32/TrojanDownloader.Agent.QIB trojan 00000000000000000000000000000000 I
C:\Windows\Temp\TMPC61F.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
C:\Windows\Temp\TMPEF54.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
C:\Windows\Temp\TMPF85C.tmp Win32/TrojanDownloader.Agent.QIB trojan 00000000000000000000000000000000 I
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=275614e98322ff4697e6a98b91d2e44f
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-09 12:33:58
# local_time=2010-11-08 07:33:58 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=6.0.6000 NT
# compatibility_mode=769 16774142 100 93 0 224616457 0 0
# compatibility_mode=1280 16777191 100 0 735510 735510 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 7258990 125864475 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=152938
# found=13
# cleaned=13
# scan_time=5936
C:\$Recycle.Bin\S-1-5-21-1336202196-3040049380-887799316-1000\$REUHKRO\hlp.dat Win32/Bamital.EK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll Win32/Adware.WBug.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Temp\TMP116C.tmp a variant of Win32/Adware.FakeAntiSpy.M application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Temp\TMP3536.tmp a variant of Win32/Adware.FakeAntiSpy.M application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Temp\TMP3A02.tmp a variant of Win32/Adware.FakeAntiSpy.M application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Temp\TMP5C53.tmp Win32/TrojanDownloader.Agent.QIB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Temp\TMP6EA6.tmp Win32/TrojanDownloader.Agent.QIB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Temp\TMP9910.tmp a variant of Win32/Adware.FakeAntiSpy.M application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Temp\TMPA968.tmp Win32/TrojanDownloader.Agent.QIB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Temp\TMPC61F.tmp a variant of Win32/Adware.FakeAntiSpy.M application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Temp\TMPEF54.tmp a variant of Win32/Adware.FakeAntiSpy.M application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Temp\TMPF85C.tmp Win32/TrojanDownloader.Agent.QIB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
 
My internet provider is now giving me a page from time to time that says they know the network is infected and are slowing down the service. Is there a lot more to be done? I feel bad for my roommates who are dealing with the terribly slow internet because of me and am feeling inclined to just re-install Windows.
 
I don't understand what you mean by the ISP service. What kind of page is telling you the network is infected and service is being slowed? Is their network infected??? Big difference.
 