Win32/Heur Infection

By DonovanP
Jan 6, 2010
Topic Status:
Not open for further replies.
  1. Hi there..

    Just found this in my AVG scan, and when AVG moves it to the vault and deletes it, it's back when I restart. Internet browsing is very, very slow. Same with the PC..

    Help me to remove it, please. Here is my HJT log so long!

    Thanks

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Donovan, we can't clean a system with only HijackThis. But I'd like you to do a special scan, give me the results and then I'll instruct you on what's next:

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    Also scan these,

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe


    Leave the log from that scan in your next reply.
  3. DonovanP

    DonovanP Newcomer, in training Topic Starter

    First file

    VirSCAN.org Scanned Report :
    Scanned time : 2010/01/07 18:36:33 (SAST)
    Scanner results: Scanners did not find malware!
    File Name : userinit.exe
    File Size : 26112 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : a93aee1928a9d7ce3e16d24ec7380f89
    SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
    Online report : http://virscan.org/report/a9ded470beae7637146da11e094363bc.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20100107184336 2010-01-07 8.13 -
    AhnLab V3 2010.01.08.00 2010.01.08 2010-01-08 1.12 -
    AntiVir 8.2.1.130 7.10.2.141 2010-01-07 0.42 -
    Antiy 2.0.18 20100107.3607485 2010-01-07 0.12 -
    Arcavir 2009 201001061546 2010-01-06 0.03 -
    Authentium 5.1.1 201001071455 2010-01-07 1.25 -
    AVAST! 4.7.4 100107-0 2010-01-07 0.01 -
    AVG 8.5.288 270.14.129/2605 2010-01-07 0.30 -
    BitDefender 7.81008.4835364 7.29766 2010-01-07 4.12 -
    CA (VET) 35.1.0 7218 2010-01-05 9.14 -
    ClamAV 0.95.2 10265 2010-01-07 0.01 -
    Comodo 3.13.579 3409 2010-01-07 0.89 -
    CP Secure 1.3.0.5 2010.01.07 2010-01-07 0.04 -
    Dr.Web 4.44.0.9170 2010.01.07 2010-01-07 8.31 -
    F-Prot 4.4.4.56 20100107 2010-01-07 1.26 -
    F-Secure 7.02.73807 2010.01.07.15 2010-01-07 9.37 -
    Fortinet 11.346- 11.346 2010-01-07 0.24 -
    GData 19.9814/19.662 20100107 2010-01-07 5.97 -
    ViRobot 20100107 2010.01.07 2010-01-07 0.43 -
    Ikarus T3.1.01.80 2010.01.07.74907 2010-01-07 4.16 -
    JiangMin 13.0.900 2010.01.02 2010-01-02 4.48 -
    Kaspersky 5.5.10 2010.01.07 2010-01-07 0.11 -
    KingSoft 2009.2.5.15 2010.1.7.14 2010-01-07 0.53 -
    McAfee 5.3.00 5853 2010-01-06 3.31 -
    Microsoft 1.5302 2010.01.07 2010-01-07 6.79 -
    Norman 6.01.09 6.01.00 2010-01-07 4.01 -
    Panda 9.05.01 2010.01.07 2010-01-07 4.09 -
    Trend Micro 9.000-1003 6.752.01 2010-01-07 0.03 -
    Quick Heal 10.00 2010.01.05 2010-01-05 1.44 -
    Rising 20.0 22.29.03.04 2010-01-07 1.09 -
    Sophos 3.03.0 4.49 2010-01-07 2.92 -
    Sunbelt 3.9.2388.2 5604 2010-01-06 2.61 -
    Symantec 1.3.0.24 20100102.020 2010-01-02 0.05 -
    nProtect 20100107.01 6809136 2010-01-07 4.49 -
    The Hacker 6.5.0.3 v00138 2010-01-07 0.99 -
    VBA32 3.12.12.1 20100106.1141 2010-01-06 2.41 -
    VirusBuster 4.5.11.10 10.118.23/2027701 2010-01-07 2.35 -


    Second file
    VirSCAN.org Scanned Report :
    Scanned time : 2010/01/07 18:48:52 (SAST)
    Scanner results: Scanners did not find malware!
    File Name : explorer.exe
    File Size : 1033728 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 12896823fb95bfb3dc9b46bcaedc9923
    SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f
    Online report : http://virscan.org/report/aa13a09938f2147f1a3580e629d37451.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20100107184336 2010-01-07 4.80 -
    AhnLab V3 2010.01.08.00 2010.01.08 2010-01-08 1.79 -
    AntiVir 8.2.1.130 7.10.2.141 2010-01-07 0.50 -
    Antiy 2.0.18 20100107.3607485 2010-01-07 0.12 -
    Arcavir 2009 201001061546 2010-01-06 0.07 -
    Authentium 5.1.1 201001071455 2010-01-07 2.27 -
    AVAST! 4.7.4 100107-0 2010-01-07 0.05 -
    AVG 8.5.288 270.14.129/2605 2010-01-07 0.31 -
    BitDefender 7.81008.4835364 7.29766 2010-01-07 4.12 -
    CA (VET) 35.1.0 7218 2010-01-05 7.50 -
    ClamAV 0.95.2 10265 2010-01-07 0.16 -
    Comodo 3.13.579 3409 2010-01-07 0.91 -
    CP Secure 1.3.0.5 2010.01.07 2010-01-07 0.12 -
    Dr.Web 4.44.0.9170 2010.01.07 2010-01-07 8.62 -
    F-Prot 4.4.4.56 20100107 2010-01-07 2.18 -
    F-Secure 7.02.73807 2010.01.07.15 2010-01-07 2.84 -
    Fortinet 11.346- 11.346 2010-01-07 0.43 -
    GData 19.9815/19.662 20100107 2010-01-07 6.33 -
    ViRobot 20100107 2010.01.07 2010-01-07 0.54 -
    Ikarus T3.1.01.80 2010.01.07.74907 2010-01-07 4.17 -
    JiangMin 13.0.900 2010.01.02 2010-01-02 8.77 -
    Kaspersky 5.5.10 2010.01.07 2010-01-07 0.09 -
    KingSoft 2009.2.5.15 2010.1.7.14 2010-01-07 0.61 -
    McAfee 5.3.00 5853 2010-01-06 3.70 -
    Microsoft 1.5302 2010.01.07 2010-01-07 7.99 -
    Norman 6.01.09 6.01.00 2010-01-07 4.00 -
    Panda 9.05.01 2010.01.07 2010-01-07 3.96 -
    Trend Micro 9.000-1003 6.752.01 2010-01-07 0.04 -
    Quick Heal 10.00 2010.01.05 2010-01-05 2.07 -
    Rising 20.0 22.29.03.04 2010-01-07 1.31 -
    Sophos 3.03.0 4.49 2010-01-07 2.91 -
    Sunbelt 3.9.2388.2 5604 2010-01-06 3.76 -
    Symantec 1.3.0.24 20100102.020 2010-01-02 0.11 -
    nProtect 20100107.01 6809136 2010-01-07 4.46 -
    The Hacker 6.5.0.3 v00138 2010-01-07 0.72 -
    VBA32 3.12.12.1 20100106.1141 2010-01-06 4.44 -
    VirusBuster 4.5.11.10 10.118.23/2027701 2010-01-07 2.82 -

    3rd file
    VirSCAN.org Scanned Report :
    Scanned time : 2010/01/07 18:54:03 (SAST)
    Scanner results: Scanners did not find malware!
    File Name : svchost.exe
    File Size : 14336 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 27c6d03bcdb8cfeb96b716f3d8be3e18
    SHA1 : 49083ae3725a0488e0a8fbbe1335c745f70c4667
    Online report : http://virscan.org/report/0726649b331e9234dcee495781f44bd8.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20100107184336 2010-01-07 4.47 -
    AhnLab V3 2010.01.08.00 2010.01.08 2010-01-08 2.19 -
    AntiVir 8.2.1.130 7.10.2.141 2010-01-07 0.13 -
    Antiy 2.0.18 20100107.3607485 2010-01-07 0.12 -
    Arcavir 2009 201001061546 2010-01-06 0.03 -
    Authentium 5.1.1 201001071455 2010-01-07 1.27 -
    AVAST! 4.7.4 100107-0 2010-01-07 0.00 -
    AVG 8.5.288 270.14.129/2605 2010-01-07 0.31 -
    BitDefender 7.81008.4835364 7.29766 2010-01-07 4.72 -
    CA (VET) 35.1.0 7218 2010-01-05 13.45 -
    ClamAV 0.95.2 10265 2010-01-07 0.01 -
    Comodo 3.13.579 3409 2010-01-07 1.25 -
    CP Secure 1.3.0.5 2010.01.07 2010-01-07 0.04 -
    Dr.Web 4.44.0.9170 2010.01.07 2010-01-07 8.31 -
    F-Prot 4.4.4.56 20100107 2010-01-07 1.24 -
    F-Secure 7.02.73807 2010.01.07.15 2010-01-07 0.10 -
    Fortinet 11.346- 11.346 2010-01-07 0.31 -
    GData 19.9815/19.662 20100107 2010-01-07 6.36 -
    ViRobot 20100107 2010.01.07 2010-01-07 1.24 -
    Ikarus T3.1.01.80 2010.01.07.74907 2010-01-07 4.16 -
    JiangMin 13.0.900 2010.01.02 2010-01-02 5.59 -
    Kaspersky 5.5.10 2010.01.07 2010-01-07 0.07 -
    KingSoft 2009.2.5.15 2010.1.7.14 2010-01-07 0.58 -
    McAfee 5.3.00 5853 2010-01-06 3.32 -
    Microsoft 1.5302 2010.01.07 2010-01-07 8.21 -
    Norman 6.01.09 6.01.00 2010-01-07 4.01 -
    Panda 9.05.01 2010.01.07 2010-01-07 1.79 -
    Trend Micro 9.000-1003 6.752.01 2010-01-07 0.03 -
    Quick Heal 10.00 2010.01.05 2010-01-05 1.28 -
    Rising 20.0 22.29.03.04 2010-01-07 0.99 -
    Sophos 3.03.0 4.49 2010-01-07 2.94 -
    Sunbelt 3.9.2388.2 5604 2010-01-06 2.27 -
    Symantec 1.3.0.24 20100102.020 2010-01-02 0.05 -
    nProtect 20100107.01 6809136 2010-01-07 4.04 -
    The Hacker 6.5.0.3 v00138 2010-01-07 0.85 -
    VBA32 3.12.12.1 20100106.1141 2010-01-06 2.32 -
    VirusBuster 4.5.11.10 10.118.23/2027701 2010-01-07 2.37 -
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, that is good news. It was a scan for a particularly bad infection that doesn't go away. Now I'm going to send you to do the steps HERE.

    Attach all 3 logs for review when finished.
  5. DonovanP

    DonovanP Newcomer, in training Topic Starter

    Here you go!

    Attached Files:

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, I wasn't far off: Superantispyware shows Virut in the System Restore points plus malware that is packed and encrypted, 2 other infected .exe files and an 'auto-patcher' added by the W32/Agent-GGH backdoor worm. None of this is good. Virut doesn't just go away because a couple of files have been removed.

    Virut is a polymorphic file infector that infects .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine.
    It opens a backdoor by connecting to a predefined IRC server and waits for commands from the remote attacker.


    Good explanation here:
    http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html


    Change all of your passwords and monitor any online transactions.

    Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.

    • Backup all your documents and important items only.
    • DON'T backup any executable files (.exe .scr .html or .htm)
    • DON'T back up compressed files (zip/cab/rar) that may contain .exe or .scr files


    You will find excellent reformat/reinstall instructions here:
    http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html

    I'm sorry the news isn't better. Rather than play around trying to remove a file here and there, while other files are getting infected, it is better to go ahead with the reinstall/reformat at the beginning.
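    The backup rules in this post (copy documents only, skip .exe/.scr/.htm/.html, skip archives that may contain executables) can be applied mechanically before the reformat. The script below is an added example written for this thread; it is not from the original posts, from TechSpot or from any of the tools mentioned. It assumes Python 3 on a machine that can read the source drive, takes the thread's extension list as the exclusion rule, inspects .zip archives with the standard library and, because .rar/.cab cannot be opened without third-party code, skips those outright rather than guessing. The `demo()` function builds a small constructed folder tree so the filter can be tried offline.

```python
"""Document-only backup filter following the Virut advice in this thread (added example)."""
import os
import shutil
import tempfile
import zipfile
from pathlib import Path

# Extensions the thread says Virut infects and tells the user never to back up.
INFECTABLE_EXT = {".exe", ".scr", ".htm", ".html"}
# Archives we can open with the standard library and check member names.
INSPECTABLE_ARCHIVES = {".zip"}
# Archive types named in the thread that we cannot inspect offline: skipped outright.
UNINSPECTABLE_ARCHIVES = {".rar", ".cab"}
# Member types inside an archive that make the whole archive unsafe to keep.
EXECUTABLE_IN_ARCHIVE = {".exe", ".scr"}


def archive_contains_executable(path: Path) -> bool:
    """True if the zip lists any .exe/.scr member (nested archives are not opened)."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(Path(name).suffix.lower() in EXECUTABLE_IN_ARCHIVE
                       for name in zf.namelist())
    except zipfile.BadZipFile:
        return True  # unreadable archive: treat as unsafe rather than copy blindly


def classify(path: Path) -> str:
    """Return 'copy' or a 'skip: ...' reason for one file, by its final suffix."""
    ext = path.suffix.lower()  # 'photo.jpg.scr' -> '.scr', so disguised names are caught
    if ext in INFECTABLE_EXT:
        return "skip: infectable file type"
    if ext in UNINSPECTABLE_ARCHIVES:
        return "skip: archive type that cannot be inspected"
    if ext in INSPECTABLE_ARCHIVES and archive_contains_executable(path):
        return "skip: zip contains executable"
    return "copy"


def backup(src: Path, dst: Path) -> dict:
    """Copy eligible files from src into dst; return {relative posix path: decision}."""
    report = {}
    for root, _dirs, files in os.walk(src):
        for name in files:
            source = Path(root) / name
            rel = source.relative_to(src)
            decision = classify(source)
            if decision == "copy":
                target = dst / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(source, target)
            report[rel.as_posix()] = decision
    return report


def demo() -> dict:
    """Run the filter over a constructed sample tree in a temp dir and return the report."""
    base = Path(tempfile.mkdtemp(prefix="virut_backup_demo_"))
    src, dst = base / "source", base / "backup"
    (src / "docs").mkdir(parents=True)
    # All contents below are constructed placeholders, not real files from the thread.
    (src / "docs" / "thesis.doc").write_bytes(b"constructed document")
    (src / "music.mp3").write_bytes(b"constructed audio")
    (src / "setup.exe").write_bytes(b"MZ constructed")
    (src / "photo.jpg.scr").write_bytes(b"constructed screensaver with misleading name")
    (src / "index.html").write_text("<html>constructed</html>")
    (src / "archive.rar").write_bytes(b"Rar! constructed header")
    with zipfile.ZipFile(src / "clean.zip", "w") as zf:
        zf.writestr("readme.txt", "constructed")
    with zipfile.ZipFile(src / "dirty.zip", "w") as zf:
        zf.writestr("tool/installer.exe", "MZ constructed")
    return backup(src, dst)


if __name__ == "__main__":
    for rel, decision in sorted(demo().items()):
        print(f"{decision:45s} {rel}")
```

Run it as-is to see the decisions on the sample tree, or call `backup(Path("E:/"), Path("F:/backup"))` with the real source and destination. Note that the filter looks only at names, not contents; that is why the thread's advice to reformat still stands for everything the backup leaves behind.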
  7. DonovanP

    DonovanP Newcomer, in training Topic Starter

    Oooh man, that's not good. So how do I back everything up? The virus is on my external HD as well, and all my music and vids and photos are on there?

    I can get my friend to do the format and reinstall Windows for me. This sucks bad.

    My laptop has the exact same virus.. Ooooh man, not good.

    Let me know what to do about back up!
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Virut either spread through the network or maybe a flash drive. Backup information is in Post #6.

    Sorry it's not better news but better you handle it now before infecting any more files.