TechSpot

Removing Heur/Win32

By DrewG
Nov 2, 2010
  1. Hi guys.

    This virus has been killing my computer and every time I feel like I've made a development, it just keeps on popping up. I've run searches with Kaspersky (which gives me an option to quarantine/delete the many instances of it but never really does either) and Spyware Doctor. They find things but cannot permanently get rid of it. Vista installation disc and system repair also can't do anything.

    Don't recommend Malwarebytes because I can't open the installation file even with renaming the .exe... also, I can't get into the registry so don't recommend going there.

    If this helps, at one point the computer was unable to start in Vista. Error code was 0xc0000098 and the corrupt or missing file was Windows/system32/Drivers/ccrwnv.sys. That ccrwnv file is the same one that Kaspersky usually singles out during its scans.

    Any help with this would be unbelievable. More than anything I just want to be able to back up my music/pictures/documents, I don't really mind re-installing Vista (although not having to do so would be optimal).
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Drew, the chances are good that the malware infection goes deeper than Win32/Heur. Please see if you can run this online scan:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    I will know the extent better after reviewing this log. Depending on what this is, you will have to be very careful in what you can safely backup.
     
  3. DrewG

    DrewG TS Rookie Topic Starter

    Tried doing that but keep getting UNEXPECTED ERROR 2003 when downloading the virus signature database. Will keep trying.
     
  4. DrewG

    DrewG TS Rookie Topic Starter

    Here:


    C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application
    C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll Win32/Adware.WBug.A application
    C:\Users\Drew\Downloads\Tuneup Media 1.1.9 ( Itunes plugin )\TuneUpApp+2_Trainer.exe Win32/HackTool.CheatEngine.AB application
    C:\Users\Public\Documents\Server\hlp.dat Win32/Bamital.EK trojan
    C:\Windows\Temp\TMP116C.tmp a variant of Win32/Adware.FakeAntiSpy.M application
    C:\Windows\Temp\TMP3536.tmp a variant of Win32/Adware.FakeAntiSpy.M application
    C:\Windows\Temp\TMP3A02.tmp a variant of Win32/Adware.FakeAntiSpy.M application
    C:\Windows\Temp\TMP5C53.tmp Win32/TrojanDownloader.Agent.QIB trojan
    C:\Windows\Temp\TMP6EA6.tmp Win32/TrojanDownloader.Agent.QIB trojan
    C:\Windows\Temp\TMP9910.tmp a variant of Win32/Adware.FakeAntiSpy.M application
    C:\Windows\Temp\TMPA968.tmp Win32/TrojanDownloader.Agent.QIB trojan
    C:\Windows\Temp\TMPC61F.tmp a variant of Win32/Adware.FakeAntiSpy.M application
    C:\Windows\Temp\TMPEF54.tmp a variant of Win32/Adware.FakeAntiSpy.M application
    C:\Windows\Temp\TMPF85C.tmp Win32/TrojanDownloader.Agent.QIB trojan

    ---------------------------------------------------

    And here:

    # antistealth_checked=true
    # utc_time=2010-11-02 06:33:01
    # local_time=2010-11-02 02:33:01 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=9
    # osver=6.0.6000 NT
    # compatibility_mode=769 16774142 100 100 0 224078467 0 0
    # compatibility_mode=1280 16777195 100 0 197520 197520 0 0
    # compatibility_mode=2560 16777215 100 0 0 0 0 0
    # compatibility_mode=5892 16776574 100 100 6721000 125326485 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=154828
    # found=14
    # cleaned=0
    # scan_time=3868
    C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000 I
    C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll Win32/Adware.WBug.A application 00000000000000000000000000000000 I
    C:\Users\Drew\Downloads\Tuneup Media 1.1.9 ( Itunes plugin )\TuneUpApp+2_Trainer.exe Win32/HackTool.CheatEngine.AB application 00000000000000000000000000000000 I
    C:\Users\Public\Documents\Server\hlp.dat Win32/Bamital.EK trojan 00000000000000000000000000000000 I
    C:\Windows\Temp\TMP116C.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
    C:\Windows\Temp\TMP3536.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
    C:\Windows\Temp\TMP3A02.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
    C:\Windows\Temp\TMP5C53.tmp Win32/TrojanDownloader.Agent.QIB trojan 00000000000000000000000000000000 I
    C:\Windows\Temp\TMP6EA6.tmp Win32/TrojanDownloader.Agent.QIB trojan 00000000000000000000000000000000 I
    C:\Windows\Temp\TMP9910.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
    C:\Windows\Temp\TMPA968.tmp Win32/TrojanDownloader.Agent.QIB trojan 00000000000000000000000000000000 I
    C:\Windows\Temp\TMPC61F.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
    C:\Windows\Temp\TMPEF54.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
    C:\Windows\Temp\TMPF85C.tmp Win32/TrojanDownloader.Agent.QIB trojan 00000000000000000000000000000000 I
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Believe it or not, these results are good news! It means there is a better chance the system can be cleaned, whereas if it had been Virut, Ramnit or one of the other file infectors, cleaning would not be an option.
    ==============================================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveIt3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      
      :Files  
      C:\Program Files\AIM\Sysfiles\WxBug.EXE 
      C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll 
      C:\Users\Drew\Downloads\Tuneup Media 1.1.9 ( Itunes plugin )\TuneUpApp+2_Trainer.exe 
      C:\Users\Public\Documents\Server\hlp.dat 
      C:\Windows\Temp\TMP116C.tmp 
      C:\Windows\Temp\TMP3536.tmp 
      C:\Windows\Temp\TMP3A02.tmp 
      C:\Windows\Temp\TMP5C53.tmp 
      C:\Windows\Temp\TMP6EA6.tmp 
      C:\Windows\Temp\TMP9910.tmp 
      C:\Windows\Temp\TMPA968.tmp 
      C:\Windows\Temp\TMPC61F.tmp 
      C:\Windows\Temp\TMPEF54.tmp 
      C:\Windows\Temp\TMPF85C.tmp 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ========================================
    Since you had a problem with Malwarebytes, download randmbam.exe

    It will try to create random names and shortcuts for Malwarebytes Anti-Malware (MBAM) if you have it installed already. Please check our directions for Malwarebytes in the Preliminary Virus and Malware Removal thread HERE and try the scan again.

    Please include the DDS scan and leave the 2 logs for review.

    Summary of above:
    Run OTMoveIt with the Eset entries
    Run randmbam.exe
    Retry Mbam scan
    Run DDS from link.
    =======================================
    Then download ComboFix from Here and save to your Desktop.

    1. Do NOT rename Combofix unless instructed.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Close any open browsers.
    4. Double click combofix.exe & follow the prompts to run.
       NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
    5. If Combofix asks you to install Recovery Console, please allow it.
    6. If Combofix asks you to update the program, always allow.
       Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    =====================================
    Include all logs in next reply. Use multiple posts if needed.

    No problem - I am telling you to stay out of the Registry!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  6. DrewG

    DrewG TS Rookie Topic Starter

    I cannot get that .exe to open, even with running it as administrator...

    Message: "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Keep in mind I am running in safe mode with networking.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    What are you referring to here?
     
  8. DrewG

    DrewG TS Rookie Topic Starter

    OTM, the first .exe/program you are asking me to download.

    Oddly, my internet is strangely running 1,000x better today...
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Try it again please. Remove it, download again, then use the script and run.
     
  10. DrewG

    DrewG TS Rookie Topic Starter

    Trying every which way...not opening.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run the Eset scan again, but with this change:
    Make sure that the option "Remove found threats" is Checked, and the option "Scan unwanted applications" is checked.

    Just the scan, not the script.
    =============================================
    • Download the file TDSSKiller.zip and extract it (use an archiver, for example WinZip) into a folder on the infected (or potentially infected) PC.
    • Double click TDSSKiller.exe to start the scan
    • Wait for the scan and disinfection process to be over.
      [o] The utility outputs a list of detected objects with description.
      [o] The utility automatically selects an action (Cure or Delete) for malicious objects.
      [o] The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
    • The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.

    It is necessary to reboot the PC after the disinfection is over.
     
  12. DrewG

    DrewG TS Rookie Topic Starter

    Just did both...removed 13 threats with ESET and then with TDSS I was finally able to quarantine that ccrwnv.sys bugger that seemed to be the big part of the virus.

    I'm about to reboot -- do you need me to do anything else? I don't want to jinx it but I think that procedure just now did the trick...
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I need both of these logs please.
     
  14. DrewG

    DrewG TS Rookie Topic Starter

    From TDSSKiller:

    [InfectedObject]
    Verdict: Locked service

    [InfectedObject]
    Type: Service
    Name: ccrwnv
    Type: Kernel driver (0x1)
    Start: Boot (0x0)
    Suspicious states: Locked service; Locked file;

    [InfectedFile]
    Type: Raw image
    Src: C:\Windows\system32\drivers\ccrwnv.sys
    md5: 3d5b58a2b41f54e6c44d06ab23f747b2

    -----

    ESET:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    esets_scanner_update returned -1 esets_gle=1
    # version=7
    # iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=275614e98322ff4697e6a98b91d2e44f
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=true
    # antistealth_checked=true
    # utc_time=2010-11-02 06:33:01
    # local_time=2010-11-02 02:33:01 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=9
    # osver=6.0.6000 NT
    # compatibility_mode=769 16774142 100 100 0 224078467 0 0
    # compatibility_mode=1280 16777195 100 0 197520 197520 0 0
    # compatibility_mode=2560 16777215 100 0 0 0 0 0
    # compatibility_mode=5892 16776574 100 100 6721000 125326485 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=154828
    # found=14
    # cleaned=0
    # scan_time=3868
    C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000 I
    C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll Win32/Adware.WBug.A application 00000000000000000000000000000000 I
    C:\Users\Drew\Downloads\Tuneup Media 1.1.9 ( Itunes plugin )\TuneUpApp+2_Trainer.exe Win32/HackTool.CheatEngine.AB application 00000000000000000000000000000000 I
    C:\Users\Public\Documents\Server\hlp.dat Win32/Bamital.EK trojan 00000000000000000000000000000000 I
    C:\Windows\Temp\TMP116C.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
    C:\Windows\Temp\TMP3536.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
    C:\Windows\Temp\TMP3A02.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
    C:\Windows\Temp\TMP5C53.tmp Win32/TrojanDownloader.Agent.QIB trojan 00000000000000000000000000000000 I
    C:\Windows\Temp\TMP6EA6.tmp Win32/TrojanDownloader.Agent.QIB trojan 00000000000000000000000000000000 I
    C:\Windows\Temp\TMP9910.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
    C:\Windows\Temp\TMPA968.tmp Win32/TrojanDownloader.Agent.QIB trojan 00000000000000000000000000000000 I
    C:\Windows\Temp\TMPC61F.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
    C:\Windows\Temp\TMPEF54.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
    C:\Windows\Temp\TMPF85C.tmp Win32/TrojanDownloader.Agent.QIB trojan 00000000000000000000000000000000 I
    # version=7
    # iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=275614e98322ff4697e6a98b91d2e44f
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-11-09 12:33:58
    # local_time=2010-11-08 07:33:58 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=6.0.6000 NT
    # compatibility_mode=769 16774142 100 93 0 224616457 0 0
    # compatibility_mode=1280 16777191 100 0 735510 735510 0 0
    # compatibility_mode=2560 16777215 100 0 0 0 0 0
    # compatibility_mode=5892 16776574 100 100 7258990 125864475 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=152938
    # found=13
    # cleaned=13
    # scan_time=5936
    C:\$Recycle.Bin\S-1-5-21-1336202196-3040049380-887799316-1000\$REUHKRO\hlp.dat Win32/Bamital.EK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application (deleted - quarantined) 00000000000000000000000000000000 C
    C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll Win32/Adware.WBug.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Windows\Temp\TMP116C.tmp a variant of Win32/Adware.FakeAntiSpy.M application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Windows\Temp\TMP3536.tmp a variant of Win32/Adware.FakeAntiSpy.M application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Windows\Temp\TMP3A02.tmp a variant of Win32/Adware.FakeAntiSpy.M application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Windows\Temp\TMP5C53.tmp Win32/TrojanDownloader.Agent.QIB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Windows\Temp\TMP6EA6.tmp Win32/TrojanDownloader.Agent.QIB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Windows\Temp\TMP9910.tmp a variant of Win32/Adware.FakeAntiSpy.M application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Windows\Temp\TMPA968.tmp Win32/TrojanDownloader.Agent.QIB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Windows\Temp\TMPC61F.tmp a variant of Win32/Adware.FakeAntiSpy.M application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Windows\Temp\TMPEF54.tmp a variant of Win32/Adware.FakeAntiSpy.M application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
    C:\Windows\Temp\TMPF85C.tmp Win32/TrojanDownloader.Agent.QIB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
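The two ESET logs in this post (the first scan with everything left in place, then the rescan with "Remove found threats" ticked) have a fixed layout that is easier to compare by machine than by eye. The Python below is an added example, not code from the thread or from ESET: it parses that layout as inferred from the posted logs and separates objects the rescan actually cleaned from ones that merely stopped appearing, which the rescan header (unsafe_checked=false) and the Recycle Bin path of hlp.dat suggest is what happened here. The embedded log excerpts are constructed from the posted ones.

```python
import re
# One result line per object, in the layout of the logs posted above:
#   <path> <detection> <application|trojan> [(action)] <32 hex digits> <flag>
# Flag I = found and left alone, C = cleaned (the two values seen in the posted logs).
RESULT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<detection>(?:a variant of )?Win32/\S+)\s+"
    r"(?P<kind>application|trojan)\s*(?:\((?P<action>[^)]*)\))?\s+"
    r"(?P<hash>[0-9a-f]{32})\s+(?P<flag>[A-Z])$"
)
SETTINGS = ("remove_checked", "archives_checked", "unwanted_checked", "unsafe_checked")  # header options that change what a rescan looks at

def parse_eset_log(text):
    """Return ({header key: value}, [result dicts]) for one ESET Online Scanner log."""
    headers, findings = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("#"):
            key, _, value = line[1:].partition("=")
            headers[key.strip()] = value.strip()   # repeated keys keep the last value
        elif m := RESULT_RE.match(line):
            findings.append(m.groupdict())         # 'action' is None when absent
    return headers, findings

def compare_runs(before, after):
    """Classify each object of the first run by what the second run shows for it.
    'not_reported' is kept apart from 'cleaned': an object can drop out of a log
    because a scan option changed (see settings_changed) or because it moved."""
    h1, first = parse_eset_log(before)
    h2, second = parse_eset_log(after)
    by_path = {f["path"].lower(): f for f in second}   # Windows paths: case-insensitive
    names_after = {f["detection"] for f in second}
    out = {k: [] for k in ("cleaned", "still_infected", "same_detection_elsewhere", "not_reported")}
    out["settings_changed"] = [k for k in SETTINGS if h1.get(k) != h2.get(k)]
    for f in first:
        hit = by_path.get(f["path"].lower())
        if hit and hit["flag"] == "C":
            out["cleaned"].append(f["path"])
        elif hit:
            out["still_infected"].append(f["path"])
        elif f["detection"] in names_after:
            out["same_detection_elsewhere"].append(f["path"])
        else:
            out["not_reported"].append(f["path"])
    return out

# Constructed excerpts of the two logs posted in this thread: the first scan, then
# the rescan with "Remove found threats" ticked.
BEFORE = r"""
# remove_checked=false
# unsafe_checked=true
C:\Users\Drew\Downloads\Tuneup Media 1.1.9 ( Itunes plugin )\TuneUpApp+2_Trainer.exe Win32/HackTool.CheatEngine.AB application 00000000000000000000000000000000 I
C:\Users\Public\Documents\Server\hlp.dat Win32/Bamital.EK trojan 00000000000000000000000000000000 I
C:\Windows\Temp\TMP116C.tmp a variant of Win32/Adware.FakeAntiSpy.M application 00000000000000000000000000000000 I
"""
AFTER = r"""
# remove_checked=true
# unsafe_checked=false
C:\$Recycle.Bin\S-1-5-21-1336202196-3040049380-887799316-1000\$REUHKRO\hlp.dat Win32/Bamital.EK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Windows\Temp\TMP116C.tmp a variant of Win32/Adware.FakeAntiSpy.M application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""
```

Run `compare_runs(BEFORE, AFTER)` to see the buckets; the HackTool entry lands in not_reported with unsafe_checked listed under settings_changed, and hlp.dat lands in same_detection_elsewhere rather than cleaned.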
     
  15. DrewG

    DrewG TS Rookie Topic Starter

    My internet provider is now giving me a page from time to time that says they know the network is infected and are slowing down the service. Is there a lot more to be done? I feel bad for my roommates who are dealing with the terribly slow internet because of me and am feeling inclined to just re-install Windows.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I don't understand what you mean by the ISP service. What kind of page is telling you the network is infected and service is being slowed? Is their network infected? Big difference.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Closed due to inactivity. Please PM your helper if you want the thread reopened.
     