Win32/heur and locked files


BecJoyErk

I've never used a forum before, but am thankful to find such useful info here since I am teaching in Africa & far from the help of my techie friends at home!

Before TechSpot's 8 Step Removal Instructions...
I am running AVG Free on my computer, so when I first encountered the scans saying my computer was infected with Win32/heur, I read through the AVG advice on how to clean an infected computer. This included scanning with AVG, Spybot S&D, and MalwareBytes in safe mode. During these scans, I discovered that AVG could not scan about 20 files in the System32 section of my computer because they were "locked". I also turned off my System Restore, since the instructions said this would erase shadow copies that would reproduce if the scans were done in System Restore mode. After all these scans, I am still coming up with the Win32/heur virus in my AVG scans. Since AVG does not have a description of this virus (although it's listed) in their Virus Database, I decided to look for further help.

When I found the TechSpot posts regarding Win32/heur, I realized I would need to go through the 8 Step Removal Process, so I am attaching the requested logs. I am also attaching logs from the AVG scans (the safemode scan was May 16).

I think I picked up the virus through my USB flash drive. When I came home from the camera shop after printing some pix, my AVG alerted me to an Autorun virus it found on my USB flash drive. After cleaning this off my flash drive (which AVG couldn't do - I had to do it at work with NOD32 Antivirus 4), I did a total scan and started finding Win32/heur infections on my laptop.

My computer is a Dell laptop and I am running Windows XP. My internet connection at home is through a mobile modem (Huawei), and at work I can connect via LAN cable through a secure proxy server that connects via satellite.

Many thanks in advance for your help!!!
 
Hello BecJoyErk

Please download Combofix:
http://subs.geekstogo.com/ComboFix.exe

And save to the desktop.

Close all other browser windows.

Please connect all your external hard drives/flash drives before running ComboFix, if you have any.

Double-click on the combofix icon found on your desktop.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.
 
2 Questions b/f ComboFix

Thank you. I will try this as soon as I get home tonight as I do not have my computer at work today.

Two questions -
1.
When I try to plug in my external hard drive, I get a message saying that there is a power overload on the port (even though I backed up from the same port last summer) and that I need to reset the port in order to be able to use it in the future. I also get this message when i try to plug in my port splitter. I have been getting this message since before the virus problems surfaced.

2.
Should I also plug in my external CD/DVD burner (which is currently only allowing me to read CD/DVDs or burn music through iTunes, but not copy pictures). I do not have an internal CD drive.
 
1. question - Is it a Dell computer you have? If it isn't, could it be a defective external hard drive?

2. question - No need to plug in the CD/DVD burner.

So, just connect your USB flash drive
 
Combofix Log

Touch,
Here is the ComboFix log I just ran on my computer.

My flash drive was connected to drive E:
My mobile modem was connected to drive D:
(although I didn't see anything about those drives in the log).

Question -
Should I turn System Restore back on? One of the virus removal processes (I think it was the AVG steps, not the TechSpot ones) had me disable System Restore because Win32/Heur apparently cannot be eradicated with it on. That list also said to turn it back on when the machine is clean. I have done a lot more scanning, but still come up with the virus, so System Restore is still turned off on my machine. Should I keep it off? I noticed that one step in the ComboFix program was to establish a new System Restore point.

Thanks again for all your help!
Bec
 
One More Question:
Should I let my AVG do a complete scan of my computer again tonight?
I have not done one since the log I attached from May 17 since it seems to keep finding more Win32/heur viruses, asks me to reboot, and never really deletes anything.
 
I'd suggest you remove AVG8 completely, as their products are apparently not good enough to clean a computer.
Run AVG Antivirus Removal Tool:
AVGRemove Tool

Reboot.

Install Avira Free AntiVirus, from here ->
Avira
Or: Avast

Install and update the antivirus program you have chosen, then run a complete scan.

Then open Notepad and copy/paste the text in the box below into it.
Name the file CFScript
and save it on the desktop.

Killall::
Snapshot::
Folder::
c:\windows\system32\024062
c:\windows\system32\34C267
c:\windows\system32\78C101
c:\windows\system32\F49588
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"E04959"=-

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe.

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
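A note on the script above for readers reusing this thread: the Registry:: section uses the same syntax as a Windows .reg file, where a line of the form "name"=- under a [HKEY_...] header deletes that value, and a header written as [-HKEY_...] deletes the whole key. The following parser is an added example (my own code, not part of ComboFix or of the post above) that reads a CFScript in that format and lists what each directive would do, so the script can be reviewed before it is dragged onto ComboFix.exe. The sample script is reconstructed from the one posted in the thread; the section names handled specially (Killall, Snapshot, Folder, Registry) are the four that appear on this page, and any other section is kept verbatim rather than interpreted, since its meaning is not documented here.

```python
"""Parse a ComboFix-style CFScript and summarize its directives.

Added example, not ComboFix's own code. Assumes the script uses the
section headers seen in the thread (Killall::, Snapshot::, Folder::,
Registry::) and .reg-file syntax inside Registry::.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the script posted in the thread above.
SAMPLE_CFSCRIPT = """\
Killall::
Snapshot::
Folder::
c:\\windows\\system32\\024062
c:\\windows\\system32\\34C267
c:\\windows\\system32\\78C101
c:\\windows\\system32\\F49588
Registry::
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"E04959"=-
"""

SECTION_RE = re.compile(r"^(\w+)::$")
# [HKEY...] opens a key; a leading '-' inside the brackets deletes the key.
REG_KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+(?:\\[^\]]+)?)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


@dataclass
class RegistryAction:
    key: str
    value_name: str | None        # None when the action targets the key itself
    action: str                   # "delete_key", "delete_value" or "set_value"
    data: str | None = None       # raw .reg data for set_value


@dataclass
class CFScript:
    flags: list[str] = field(default_factory=list)      # bare directives (Killall, Snapshot)
    folders: list[str] = field(default_factory=list)    # paths listed under Folder::
    registry: list[RegistryAction] = field(default_factory=list)
    unknown: dict[str, list[str]] = field(default_factory=dict)  # sections not interpreted here


def parse_cfscript(text: str) -> CFScript:
    """Walk the script line by line, tracking the current section and registry key."""
    script = CFScript()
    section: str | None = None
    current_key: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            current_key = None
            if section in ("Killall", "Snapshot"):
                script.flags.append(section)
            continue
        if section == "Folder":
            script.folders.append(line)
        elif section == "Registry":
            km = REG_KEY_RE.match(line)
            if km:
                current_key = km.group(2)
                if km.group(1) == "-":            # [-HKEY...] deletes the whole key
                    script.registry.append(RegistryAction(current_key, None, "delete_key"))
                continue
            vm = REG_VALUE_RE.match(line)
            if vm and current_key:
                name, data = vm.groups()
                if data == "-":                   # "name"=- deletes the value
                    script.registry.append(RegistryAction(current_key, name, "delete_value"))
                else:
                    script.registry.append(RegistryAction(current_key, name, "set_value", data))
            else:
                script.unknown.setdefault(section, []).append(line)
        elif section:
            script.unknown.setdefault(section, []).append(line)
    return script


def summarize(script: CFScript) -> list[str]:
    """One human-readable line per directive, for review before running the script."""
    lines = [f"flag: {f}" for f in script.flags]
    lines += [f"remove folder: {p}" for p in script.folders]
    for r in script.registry:
        target = r.key if r.value_name is None else f'{r.key}\\"{r.value_name}"'
        lines.append(f"{r.action}: {target}")
    for name, body in script.unknown.items():
        lines += [f"uninterpreted {name}:: {entry}" for entry in body]
    return lines


if __name__ == "__main__":
    for entry in summarize(parse_cfscript(SAMPLE_CFSCRIPT)):
        print(entry)
```

Running the block prints the two flags, the four system32 folders to be removed, and one delete_value action for "E04959" under the HKLM Run key, which is exactly the autostart entry the script above clears. Anything that lands under "uninterpreted" should be checked by hand before the script is used.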
 
New ComboFix log (after Avira scan)

I uninstalled AVG and installed Avira. After updating it, I ran it and of course it is still finding Win32/heur. With Avira, should I choose "delete" or "quarantine" when it alerts me to a threat?

I just finished the ComboFix script and am attaching the log file.
 
I rescanned with Avira after running the ComboFix script. Avira did not find any viruses!!! Should I now turn on System Restore? Is there anything else I should re-run just to make sure everything is really clean?
 