Win32/heur and locked files

By BecJoyErk
May 17, 2009
Topic Status:
Not open for further replies.
  1. I've never used a forum before, but am thankful to find such useful info here since I am teaching in Africa and far from the help of my techie friends at home!

    Before TechSpot's 8 Step Removal Instructions...
    I am running AVG Free on my computer, so when I first encountered the scans saying my computer was infected with Win32/heur, I read through the AVG advice on how to clean an infected computer. This included scanning with AVG, Spybot S&D, and MalwareBytes in safe mode. During these scans, I discovered that AVG could not scan about 20 files in the System32 section of my computer because they were "locked". I also turned off my System Restore, since the instructions said this would erase shadow copies that would reproduce if the scans were done in System Restore mode. After all these scans, I am still coming up with the Win32/heur virus in my AVG scans. Since AVG does not have a description of this virus (although it's listed) in their Virus Database, I decided to look for further help.

    When I found the TechSpot posts regarding Win32/heur, I realized I would need to go through the 8 Step Removal Process, so I am attaching the requested logs. I am also attaching logs from the AVG scans (the safe mode scan was May 16).

    I think I picked up the virus through my USB flash drive. When I came home from the camera shop after printing some pix, my AVG alerted me to an Autorun virus it found on my USB flash drive. After cleaning this off my flash drive (which AVG couldn't do - I had to do it at work with NOD32 Antivirus 4), I did a total scan and started finding Win32/heur infections on my laptop.

    My computer is a Dell laptop and I am running Windows XP. My internet connection at home is through a mobile modem (Huawei), and at work I can connect via LAN cable through a secure proxy server that connects via satellite.

    Many thanks in advance for your help!!!
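The autorun.inf vector described in the post above, as an added example that is not part of the original thread: a small Python script written for this page that parses the autorun.inf found on a removable drive and flags the directives Windows XP-era AutoRun honours to launch a program when the drive is inserted or opened from Explorer (`open=`, `shellexecute=`, and `shell\...\command=`). The two sample files below are constructed for the example; the `RECYCLER\update.exe` path is a placeholder for the worm-style pattern, not a real indicator from the poster's machine.

```python
"""Flag autorun.inf directives that make removable media auto-launch a program.

Added example for this page; not code from the original post or from any
antivirus product discussed in it.
"""
import configparser
import os
import re

# Directives in the [autorun] section that cause code execution on insert
# (open=, shellexecute=) or from the drive's right-click menu
# (shell\<verb>\command=) under Windows XP-era AutoRun handling.
EXEC_KEYS = {"open", "shellexecute"}
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def analyze_autorun(text):
    """Parse autorun.inf text and return (key, value) pairs that would launch code.

    A file that cannot be parsed at all is reported as a finding rather than
    ignored, because malformed or binary-padded autorun.inf files are a
    common obfuscation trick.
    """
    parser = configparser.ConfigParser(
        interpolation=None,   # values like %SystemRoot% must not be expanded
        strict=False,         # tolerate duplicated keys/sections
        delimiters=("=",),    # INF files use only '=' between key and value
    )
    parser.optionxform = str.lower  # keys are case-insensitive (OPEN= == open=)
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [("parse-error", f"malformed autorun.inf ({exc.__class__.__name__}); treat as suspicious")]

    findings = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            if key in EXEC_KEYS or SHELL_COMMAND_RE.match(key):
                findings.append((key, value))
    return findings


def scan_drive_root(root):
    """Return findings for <root>\\autorun.inf, or [] if the drive has none."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return analyze_autorun(fh.read())


# Constructed samples (not taken from any real drive).
BENIGN_SAMPLE = """[autorun]
icon=camera.ico
label=My Photos
"""

WORM_STYLE_SAMPLE = """; constructed sample modelled on the generic autorun-worm pattern
[AutoRun]
OPEN=RECYCLER\\update.exe
shellexecute=RECYCLER\\update.exe
shell\\open\\command=RECYCLER\\update.exe
shell\\explore\\command=RECYCLER\\update.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("worm-style", WORM_STYLE_SAMPLE)):
        print(name, analyze_autorun(sample))
```

Run `scan_drive_root("E:\\")` against the flash drive before double-clicking it in Explorer; on Windows XP, opening the drive from Explorer is exactly what honours these directives, so inspect the file first (or disable AutoRun on removable drives via the `NoDriveTypeAutoRun` policy value) and only then open the drive.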
  2. touch

    touch Newcomer, in training Posts: 978

    Hello BecJoyErk

    Please download Combofix:
    http://subs.geekstogo.com/ComboFix.exe

    And save to the desktop.

    Close all other browser windows.

    Please connect all your external hard drive/flash drive before running Combofix, if you have any

    Double-click on the combofix icon found on your desktop.

    Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.

    ComboFix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post.
  3. BecJoyErk

    BecJoyErk Newcomer, in training Topic Starter

    2 Questions b/f ComboFix

    Thank you. I will try this as soon as I get home tonight as I do not have my computer at work today.

    Two questions -
    1.
    When I try to plug in my external hard drive, I get a message saying that there is a power overload on the port (even though I backed up from the same port last summer) and that I need to reset the port in order to be able to use it in the future. I also get this message when I try to plug in my port splitter. I have been getting this message since before the virus problems surfaced.

    2.
    Should I also plug in my external CD/DVD burner (which is currently only allowing me to read CD/DVDs or burn music through iTunes, but not copy pictures). I do not have an internal CD drive.
  4. touch

    touch Newcomer, in training Posts: 978

    1. question - Is it a Dell computer you have? If it isn't, could it be a defective external hard drive?

    2. question - No need to plug in CD/DVD burner

    So, just connect your USB flash drive
  5. BecJoyErk

    BecJoyErk Newcomer, in training Topic Starter

    Yes, it is a Dell computer. OK, I won't connect the CD/DVD burner while doing ComboFix.
  6. touch

    touch Newcomer, in training Posts: 978

  7. BecJoyErk

    BecJoyErk Newcomer, in training Topic Starter

    Combofix Log

    Touch,
    Here is the ComboFix log I just ran on my computer.

    My flash drive was connected to drive E:
    My mobile modem was connected to drive D:
    (although I didn't see anything about those drives in the log).

    Question -
    Should I turn System Restore back on? One of the virus removal processes (I think it was the AVG steps, not the TechSpot ones) had me disable System Restore because Win32/Heur apparently cannot be eradicated with it on. That list also said to turn it back on when the machine is clean. I have done a lot more scanning, but still come up with the virus, so System Restore is still turned off on my machine. Should I keep it off? I noticed that one step in the ComboFix program was to establish a new System Restore point.

    Thanks again for all your help!
    Bec
  8. BecJoyErk

    BecJoyErk Newcomer, in training Topic Starter

    One More Question:
    Should I let my AVG do a complete scan of my computer again tonight?
    I have not done one since the log I attached from May 17 since it seems to keep finding more Win32/heur viruses, asks me to reboot, and never really deletes anything.
  9. touch

    touch Newcomer, in training Posts: 978

    I'll suggest you remove AVG8 completely, as their products are apparently not good enough to clean a computer.
    Run AVG Antivirus Removal Tool:
    AVGRemove Tool

    Reboot.

    Install Avira Free AntiVirus, from here ->
    Avira
    Or: Avast

    Install, update the antivirus program you have chosen. Run a complete scan.

    Then open notepad and copy/paste the text in the quotebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    http://www.fromsej.saknet.dk/billeder/cfscript.gif

    Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe.

    ComboFix will create a logfile and display it after your computer has rebooted. It is usually located in c:\combofix.txt; please attach it to your next post.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  10. BecJoyErk

    BecJoyErk Newcomer, in training Topic Starter

    New Combo Fix log (after Avira scan)

    I uninstalled AVG, and installed Avira. After updating it, I ran it and of course it is still finding Win32/heur. With Avira, should I choose "delete" or "quarantine" when it alerts me to a threat?

    I just finished the ComboFix script and am attaching the log file.
  11. BecJoyErk

    BecJoyErk Newcomer, in training Topic Starter

    I rescanned with Avira after running the ComboFix script. Avira did not find any viruses!!! Should I now turn on System Restore? Is there anything else I should re-run just to make sure everything is really clean?
  12. touch

    touch Newcomer, in training Posts: 978

    We're almost there, and you can turn on System Restore again.

    Viewpoint is considered foistware and is not needed on your computer.

    Download and unzip to own folder on Desktop - http://bellsouthpwp.net/p/r/prprogramsstudios/viewpointkiller.zip

    Run ViewpointKiller.exe

    Reboot.

    Attach a new HijackThis log, and tell me how things are running.