Win32/Heur Infection

Hi there..

Just found this in my AVG scan, and when AVG moves it to the vault and deletes it, it's back when I restart. Internet browsing is very, very slow. Same with the PC.

Help me to remove it please. Here is my HJT log, so long!

Thanks
 

Attachments

  • hijackthis.log (9.2 KB)
Donovan, we can't clean a system with only HijackThis. But I'd like you to do a special scan, give me the results and then I'll instruct you on what's next:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Also scan these,

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe

Leave the log from that scan in your next reply.
 
First file

VirSCAN.org Scanned Report :
Scanned time : 2010/01/07 18:36:33 (SAST)
Scanner results: Scanners did not find malware!
File Name : userinit.exe
File Size : 26112 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : a93aee1928a9d7ce3e16d24ec7380f89
SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
Online report : http://virscan.org/report/a9ded470beae7637146da11e094363bc.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100107184336 2010-01-07 8.13 -
AhnLab V3 2010.01.08.00 2010.01.08 2010-01-08 1.12 -
AntiVir 8.2.1.130 7.10.2.141 2010-01-07 0.42 -
Antiy 2.0.18 20100107.3607485 2010-01-07 0.12 -
Arcavir 2009 201001061546 2010-01-06 0.03 -
Authentium 5.1.1 201001071455 2010-01-07 1.25 -
AVAST! 4.7.4 100107-0 2010-01-07 0.01 -
AVG 8.5.288 270.14.129/2605 2010-01-07 0.30 -
BitDefender 7.81008.4835364 7.29766 2010-01-07 4.12 -
CA (VET) 35.1.0 7218 2010-01-05 9.14 -
ClamAV 0.95.2 10265 2010-01-07 0.01 -
Comodo 3.13.579 3409 2010-01-07 0.89 -
CP Secure 1.3.0.5 2010.01.07 2010-01-07 0.04 -
Dr.Web 4.44.0.9170 2010.01.07 2010-01-07 8.31 -
F-Prot 4.4.4.56 20100107 2010-01-07 1.26 -
F-Secure 7.02.73807 2010.01.07.15 2010-01-07 9.37 -
Fortinet 11.346- 11.346 2010-01-07 0.24 -
GData 19.9814/19.662 20100107 2010-01-07 5.97 -
ViRobot 20100107 2010.01.07 2010-01-07 0.43 -
Ikarus T3.1.01.80 2010.01.07.74907 2010-01-07 4.16 -
JiangMin 13.0.900 2010.01.02 2010-01-02 4.48 -
Kaspersky 5.5.10 2010.01.07 2010-01-07 0.11 -
KingSoft 2009.2.5.15 2010.1.7.14 2010-01-07 0.53 -
McAfee 5.3.00 5853 2010-01-06 3.31 -
Microsoft 1.5302 2010.01.07 2010-01-07 6.79 -
Norman 6.01.09 6.01.00 2010-01-07 4.01 -
Panda 9.05.01 2010.01.07 2010-01-07 4.09 -
Trend Micro 9.000-1003 6.752.01 2010-01-07 0.03 -
Quick Heal 10.00 2010.01.05 2010-01-05 1.44 -
Rising 20.0 22.29.03.04 2010-01-07 1.09 -
Sophos 3.03.0 4.49 2010-01-07 2.92 -
Sunbelt 3.9.2388.2 5604 2010-01-06 2.61 -
Symantec 1.3.0.24 20100102.020 2010-01-02 0.05 -
nProtect 20100107.01 6809136 2010-01-07 4.49 -
The Hacker 6.5.0.3 v00138 2010-01-07 0.99 -
VBA32 3.12.12.1 20100106.1141 2010-01-06 2.41 -
VirusBuster 4.5.11.10 10.118.23/2027701 2010-01-07 2.35 -


Second file
VirSCAN.org Scanned Report :
Scanned time : 2010/01/07 18:48:52 (SAST)
Scanner results: Scanners did not find malware!
File Name : explorer.exe
File Size : 1033728 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 12896823fb95bfb3dc9b46bcaedc9923
SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f
Online report : http://virscan.org/report/aa13a09938f2147f1a3580e629d37451.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100107184336 2010-01-07 4.80 -
AhnLab V3 2010.01.08.00 2010.01.08 2010-01-08 1.79 -
AntiVir 8.2.1.130 7.10.2.141 2010-01-07 0.50 -
Antiy 2.0.18 20100107.3607485 2010-01-07 0.12 -
Arcavir 2009 201001061546 2010-01-06 0.07 -
Authentium 5.1.1 201001071455 2010-01-07 2.27 -
AVAST! 4.7.4 100107-0 2010-01-07 0.05 -
AVG 8.5.288 270.14.129/2605 2010-01-07 0.31 -
BitDefender 7.81008.4835364 7.29766 2010-01-07 4.12 -
CA (VET) 35.1.0 7218 2010-01-05 7.50 -
ClamAV 0.95.2 10265 2010-01-07 0.16 -
Comodo 3.13.579 3409 2010-01-07 0.91 -
CP Secure 1.3.0.5 2010.01.07 2010-01-07 0.12 -
Dr.Web 4.44.0.9170 2010.01.07 2010-01-07 8.62 -
F-Prot 4.4.4.56 20100107 2010-01-07 2.18 -
F-Secure 7.02.73807 2010.01.07.15 2010-01-07 2.84 -
Fortinet 11.346- 11.346 2010-01-07 0.43 -
GData 19.9815/19.662 20100107 2010-01-07 6.33 -
ViRobot 20100107 2010.01.07 2010-01-07 0.54 -
Ikarus T3.1.01.80 2010.01.07.74907 2010-01-07 4.17 -
JiangMin 13.0.900 2010.01.02 2010-01-02 8.77 -
Kaspersky 5.5.10 2010.01.07 2010-01-07 0.09 -
KingSoft 2009.2.5.15 2010.1.7.14 2010-01-07 0.61 -
McAfee 5.3.00 5853 2010-01-06 3.70 -
Microsoft 1.5302 2010.01.07 2010-01-07 7.99 -
Norman 6.01.09 6.01.00 2010-01-07 4.00 -
Panda 9.05.01 2010.01.07 2010-01-07 3.96 -
Trend Micro 9.000-1003 6.752.01 2010-01-07 0.04 -
Quick Heal 10.00 2010.01.05 2010-01-05 2.07 -
Rising 20.0 22.29.03.04 2010-01-07 1.31 -
Sophos 3.03.0 4.49 2010-01-07 2.91 -
Sunbelt 3.9.2388.2 5604 2010-01-06 3.76 -
Symantec 1.3.0.24 20100102.020 2010-01-02 0.11 -
nProtect 20100107.01 6809136 2010-01-07 4.46 -
The Hacker 6.5.0.3 v00138 2010-01-07 0.72 -
VBA32 3.12.12.1 20100106.1141 2010-01-06 4.44 -
VirusBuster 4.5.11.10 10.118.23/2027701 2010-01-07 2.82 -

Third file
VirSCAN.org Scanned Report :
Scanned time : 2010/01/07 18:54:03 (SAST)
Scanner results: Scanners did not find malware!
File Name : svchost.exe
File Size : 14336 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 27c6d03bcdb8cfeb96b716f3d8be3e18
SHA1 : 49083ae3725a0488e0a8fbbe1335c745f70c4667
Online report : http://virscan.org/report/0726649b331e9234dcee495781f44bd8.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100107184336 2010-01-07 4.47 -
AhnLab V3 2010.01.08.00 2010.01.08 2010-01-08 2.19 -
AntiVir 8.2.1.130 7.10.2.141 2010-01-07 0.13 -
Antiy 2.0.18 20100107.3607485 2010-01-07 0.12 -
Arcavir 2009 201001061546 2010-01-06 0.03 -
Authentium 5.1.1 201001071455 2010-01-07 1.27 -
AVAST! 4.7.4 100107-0 2010-01-07 0.00 -
AVG 8.5.288 270.14.129/2605 2010-01-07 0.31 -
BitDefender 7.81008.4835364 7.29766 2010-01-07 4.72 -
CA (VET) 35.1.0 7218 2010-01-05 13.45 -
ClamAV 0.95.2 10265 2010-01-07 0.01 -
Comodo 3.13.579 3409 2010-01-07 1.25 -
CP Secure 1.3.0.5 2010.01.07 2010-01-07 0.04 -
Dr.Web 4.44.0.9170 2010.01.07 2010-01-07 8.31 -
F-Prot 4.4.4.56 20100107 2010-01-07 1.24 -
F-Secure 7.02.73807 2010.01.07.15 2010-01-07 0.10 -
Fortinet 11.346- 11.346 2010-01-07 0.31 -
GData 19.9815/19.662 20100107 2010-01-07 6.36 -
ViRobot 20100107 2010.01.07 2010-01-07 1.24 -
Ikarus T3.1.01.80 2010.01.07.74907 2010-01-07 4.16 -
JiangMin 13.0.900 2010.01.02 2010-01-02 5.59 -
Kaspersky 5.5.10 2010.01.07 2010-01-07 0.07 -
KingSoft 2009.2.5.15 2010.1.7.14 2010-01-07 0.58 -
McAfee 5.3.00 5853 2010-01-06 3.32 -
Microsoft 1.5302 2010.01.07 2010-01-07 8.21 -
Norman 6.01.09 6.01.00 2010-01-07 4.01 -
Panda 9.05.01 2010.01.07 2010-01-07 1.79 -
Trend Micro 9.000-1003 6.752.01 2010-01-07 0.03 -
Quick Heal 10.00 2010.01.05 2010-01-05 1.28 -
Rising 20.0 22.29.03.04 2010-01-07 0.99 -
Sophos 3.03.0 4.49 2010-01-07 2.94 -
Sunbelt 3.9.2388.2 5604 2010-01-06 2.27 -
Symantec 1.3.0.24 20100102.020 2010-01-02 0.05 -
nProtect 20100107.01 6809136 2010-01-07 4.04 -
The Hacker 6.5.0.3 v00138 2010-01-07 0.85 -
VBA32 3.12.12.1 20100106.1141 2010-01-06 2.32 -
VirusBuster 4.5.11.10 10.118.23/2027701 2010-01-07 2.37 -
 
Okay, that is good news. It was a scan for a particularly bad infection that doesn't go away. Now I'm going to send you to do the steps HERE.

Attach all 3 logs for review when finished.
 
Here you go!
 

Attachments

  • mbam-log-2010-01-09 (12-13-19).txt (6.3 KB)
  • SUPERAntiSpyware Scan Log - 01-09-2010 - 13-49-22.log (1.3 KB)
  • hijackthis.log (8.4 KB)
Okay, I wasn't far off: Superantispyware shows Virut in the System Restore points plus malware that is packed and encrypted, 2 other infected .exe files and an 'auto-patcher' added by the W32/Agent-GGH backdoor worm. None of this is good. Virut doesn't just go away because a couple of files have been removed.

Virut is a Polymorphic File Infector that infects .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine.
It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.


Good explanation here:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html


Change all of your passwords and monitor any online transactions.

Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.

  • Backup all your documents and important items only.
  • DON'T backup any executable files (.exe .scr .html or .htm)
  • DON'T back up compressed files (zip/cab/rar) that may contain .exe or .scr files


You will find excellent reformat/reinstall instructions here:
http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html

I'm sorry the news isn't better. Rather than play around trying to remove a file here and there, while other files are getting infected, it is better to go ahead with the reinstall/reformat at the beginning.
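The backup rules in the post above, turned into a small filter script. This is an added example and not code posted in the thread: it copies documents and media from a source folder into a backup folder, refuses the .exe/.scr/.htm/.html types the post names, lists .zip archives with Python's zipfile module and skips any that carry an .exe or .scr member, and treats .cab and .rar (which the standard library cannot open) as unsafe so they are left behind too. The sample folder it builds is constructed here for the demonstration.

```python
"""Selective backup following the thread's advice for a Virut-infected machine:
copy documents and media, never copy executable types, and never copy an
archive that may carry an .exe or .scr. Added example, not code from the thread."""
import shutil
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Tuple

# File types the post says not to back up (Virut infects these).
EXECUTABLE_EXTS = {".exe", ".scr", ".htm", ".html"}
# Compressed types the post says to leave behind if they may hold .exe/.scr.
ARCHIVE_EXTS = {".zip", ".cab", ".rar"}
# Archive members that make the whole archive unsafe to carry over.
UNSAFE_MEMBER_EXTS = {".exe", ".scr"}


def archive_is_unsafe(path: Path) -> bool:
    """True when an archive may contain an executable.

    Only ZIP can be listed with the standard library, so .cab and .rar are
    treated as unsafe (conservative), as is any ZIP that fails to open."""
    if path.suffix.lower() != ".zip":
        return True
    try:
        with zipfile.ZipFile(path) as zf:
            return any(Path(name).suffix.lower() in UNSAFE_MEMBER_EXTS
                       for name in zf.namelist())
    except zipfile.BadZipFile:
        return True


def classify(path: Path) -> str:
    """Return 'copy', or a 'skip: ...' reason, for one file."""
    ext = path.suffix.lower()
    if ext in EXECUTABLE_EXTS:
        return "skip: executable or HTML type"
    if ext in ARCHIVE_EXTS and archive_is_unsafe(path):
        return "skip: archive may contain executables"
    return "copy"


def backup_documents(src: Path, dst: Path) -> Dict[str, str]:
    """Walk src, copy eligible files into dst keeping relative paths,
    and return {relative_path: decision} for every file seen."""
    decisions: Dict[str, str] = {}
    for f in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = f.relative_to(src).as_posix()
        decisions[rel] = classify(f)
        if decisions[rel] == "copy":
            target = dst / f.relative_to(src)
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, target)
    return decisions


def build_sample_tree(root: Path) -> None:
    """Constructed sample data for the demonstration (not from the thread)."""
    (root / "docs").mkdir(parents=True)
    (root / "docs" / "thesis.doc").write_bytes(b"constructed document")
    (root / "photos").mkdir()
    (root / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8constructed jpeg")
    (root / "setup.exe").write_bytes(b"MZ constructed")
    (root / "saver.SCR").write_bytes(b"MZ constructed")      # mixed case is still caught
    (root / "page.html").write_text("<html>constructed</html>")
    with zipfile.ZipFile(root / "music.zip", "w") as zf:     # safe archive: no executables
        zf.writestr("track01.mp3", b"constructed audio")
    with zipfile.ZipFile(root / "tools.zip", "w") as zf:     # unsafe archive: holds an .exe
        zf.writestr("readme.txt", b"constructed")
        zf.writestr("bin/tool.exe", b"MZ constructed")
    (root / "old.rar").write_bytes(b"Rar! constructed")      # cannot be inspected -> skipped


def demo() -> Tuple[Dict[str, str], List[str]]:
    """Run the filter over the constructed tree; return decisions and copied paths."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "src", Path(tmp) / "backup"
        build_sample_tree(src)
        decisions = backup_documents(src, dst)
        copied = sorted(p.relative_to(dst).as_posix()
                        for p in dst.rglob("*") if p.is_file())
    return decisions, copied


if __name__ == "__main__":
    decisions, copied = demo()
    for rel, decision in decisions.items():
        print(f"{decision:40} {rel}")
    print("copied:", copied)
```

Point `backup_documents` at the real document folder and an empty destination on clean media to use it; the returned decisions dictionary doubles as a record of what was deliberately left behind, which is worth keeping alongside the backup.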
 
Oooh man, that's not good. So how do I back everything up? The virus is on my external HD as well, and all my music and vids and photos are on there?

I can get my friend to do the format and reinstall Windows for me. This sucks bad.

My laptop has the exact same virus..Ooooh man not good.

Let me know what to do about back up!
 
Virut either spread through the network or maybe via a flash drive. Backup information is in Post #6.

Sorry it's not better news but better you handle it now before infecting any more files.
 