TechSpot

Win32/Heur problem

By Ledah
Feb 19, 2009
  1. I have tried to do the 8 steps but I couldn't do all of them because somehow the drivers for the internet adapters are missing. It's my brother's computer that has the malware and I'm trying to get rid of it. I also have an external hard drive and he copied files to it, and the malware is on that too.

    I was only able to use CCleaner, MBAM and SAS. MBAM was able to get rid of some of it but it kept attaching itself to other .exes, but when I scanned again they don't show up. The computer has AVG and when I open a process a pop-up shows that a .exe is infected with win32/heur.

    I downloaded Avira with another computer and put the setup on a flash drive and when I try installing it in safe mode a message comes up that the setup has been changed and it could be due to a virus.
     
  2. mflynn

    mflynn TS Rookie Posts: 2,655

    Another run indicated!
    OK, there were found/removed items in both MBAM and SAS, so we need to run again, as the first run likely exposed things that were not even seen the first time.

    So another Quick Scan run will likely find more. So UPDATE and run both again.

    Then, only after the above has been run and logs attached, do the below.

    Download SDFix to Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer, C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.
    =========================================
    Download ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double-click combofix.exe and follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike
     
  3. Ledah

    Ledah TS Rookie Topic Starter Posts: 21

    I ran mbam and sas but they weren't able to find anything. I also couldn't update it because the internet adapter drivers are missing.
     
  4. mflynn

    mflynn TS Rookie Posts: 2,655

    Ouch! Nasties!

    Run ComboFix again and attach the new log to confirm no more found.

    No wonder you have no Internet!

    Mike
     
  5. Ledah

    Ledah TS Rookie Topic Starter Posts: 21

    I ran combofix again.
     
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, not good, we duplicated that time, so the second run did not fix it.

    You are doing great, hang in there and we will fix this thing!

    Download RootRepeal http://rootrepeal.googlepages.com/RootRepeal.rar

    Make a folder on your Desktop and name it RRepeal. Move the rar file there and extract.

    Enter folder double click RootRepeal.exe.
    Click the Report tab, then click Scan.

    It will ask what to include in the scan.

    Check the following
    Drivers
    Files
    Processes
    SSDT
    Stealth Objects
    Hidden Services
    Then click OK

    It will ask which drive to scan.

    Check C: (or your windows drive, if not C)
    Click OK
    The scan will begin and will take a while.

    When the scan completes, click Save Report.

    Name the log RRepeal.txt save it to your Documents folder (it should default there). Post it back.

    Then

    Get Nod32

    Download http://finalbuilds.edskes.net/nod32.htm
    If the above link fails, go to http://home.hccnet.nl/h.edskes/mirror.htm

    Scroll down near the bottom of the page and find nod32; to the right will be 3 mirrors marked Online. Try each, one of them will work.
    Boot to Safe Mode only to run.

    Before scanning, click Setup and check all boxes under Scan; typically only System memory is not checked, so check it. Then click logging, then Scan and clean.

    It is very thorough and may detect some other malware cleaners as a threat, so if it seems to point at, say, SpyBot then click Leave.
    If you have doubt about an issue then Quarantine it; it can be restored.

    Depending on CPU and HD speed, and the fact that we are in Safe Mode (slower also), it could take a while.

    Mike

    EDIT: Don't do anything drastic like others sometimes do and begin formatting etc. without discussing it with me. We go through the steps and we fix it. I will know if it takes formatting and reinstalling! OK?
     
  7. Ledah

    Ledah TS Rookie Topic Starter Posts: 21

    I used the RRepeal tool.

    I used Nod32 and almost every .exe was infected. I clicked clean but some were not able to be cleaned, so I clicked leave. I'm now scanning it a second time.

    Don't worry I haven't decided to format it.
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  9. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Ledah

    I agree with removing AVG and installing Avira but reverse the order.

    Install Avira first then uninstall AVG, that way you will not be without a virus scanner at any time.

    With your bad infection, uninstalling first will leave you totally without a virus scanner, and at computer speed a lot can happen.

    It's like I said once before. If I leave the gate open unattended for five minutes the vicious Pit Bulls will not have time to attack and kill someone.

    OK, get me a status report on the NOD32.

    Mike
     
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Hmm you could download Avira first
    Then uninstall AVG, then go offline, then install Avira
    Then go online, and immediately update Avira
    I'm not so sure on having 2 AntiViruses at the same time, even for 5 mins
    Actually Antiviruses like Kaspersky (as an example) won't even install with AVG still around
     
  11. Ledah

    Ledah TS Rookie Topic Starter Posts: 21

    I tried installing Avira in safe mode but it doesn't let me. So I tried to install in normal mode but I got a message about DEP and only the wallpaper is showing. I opened task manager and installed it but DEP stops 'run a dll as an app' from running.

    It got installed and I used task manager to open Avira but I can't update. I ran a full scan, it found some malware and I quarantined them.

    How do I save the status report for nod32?

    Also there were some infections on my external hard drive. I've deleted the .exes with the infections; would my external hard drive still be infected?
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    You may need to do an online Antivirus scan first


    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
  13. Ledah

    Ledah TS Rookie Topic Starter Posts: 21

    I can't connect to the internet with the infected computer because the drivers for the network adapters are missing; there's a yellow exclamation mark beside all of them.
     
  14. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    That's what I get for jumping into a thread, without reading everything :blush:
     
  15. mflynn

    mflynn TS Rookie Posts: 2,655

    I noticed the log function in NOD is broken for some reason.

    Post the Avira log.

    Since Avira has removed several, we may now be able to finish with the following steps.

    Update and run MBAM and SAS Quick scan. Reboot and run ComboFix again.

    Then we will take specific steps to get reconnected to the Internet!

    Mike
     
  16. Ledah

    Ledah TS Rookie Topic Starter Posts: 21

    Mbam and SAS still didn't find anything.
     
  17. mflynn

    mflynn TS Rookie Posts: 2,655

    Go into Device Manager and right-click all devices with a yellow exclamation point (!) and click Uninstall. If there is an Other or Unknown devices entry, open it and uninstall these also.

    Reboot and they should reinstall.

    Then,

    --------------------------------------------------------------------------------------------------------
    Boot to Safe Mode.
    Update then run SuperAntiSpyware

    Then Click Preferences
    then click Repairs

    Then counting down from top do the following entries

    Numbers 6, 8, 11, 12, 13, 15,18, 19, 20, 21, 22, 24, 25, 26 and 27!

    Reboot attach a new HJT log and get me a Status report on the computer and the issues you posted!
    ----------------------------------------------------------------------------------------------------------------------

    Left-drag the mouse and Copy, for pasting, all text in the box below. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

    First, since you are doing this from another computer:
    Start-Run
    type
    notepad.exe
    then paste to a file you can copy for use on the other computer.

    On the other computer copy the notepad document and do the below.

    Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

    Code:
    @echo off
    cd\
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    
    sc stop TDSSserv.sys
    sc delete TDSSserv.sys
    :: Above sc commands first stops then deletes service if it exists
    ::
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    ::
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    ::The above reg commands first unloads the reg keys then deletes these keys.
    ::
    Attrib -h -s -r tdss*.* /s
    del  tdss*.* /f /q /s
    :: The above two lines first clears protective attributes then 
    :: deletes all files on Drive beginning with the name tdss
    
    :: Remove AntiVirus2009
    attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
    del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
    del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q
    
    rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
    
    attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
    rd /s/q "c:\Program Files\Antivirus 2009"
    
    attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
    attrib -h -s -r c:\WINDOWS\system32\scui.cpl
    attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
    
    del c:\WINDOWS\system32\ieupdates.exe /f /q
    del c:\WINDOWS\system32\scui.cpl /f /q
    del c:\WINDOWS\system32\winsrc.dll /f /q
    
    :: Paths containing spaces must be quoted or cmd splits them into two arguments
    attrib -h -s -r "c:\program files\xwdxqu.txt"
    attrib -h -s -r c:\windows\x
    attrib -h -s -r c:\windows\SxsCaPendDel
    
    del "c:\program files\xwdxqu.txt" /f /q
    del c:\windows\x /f /q
    del c:\windows\SxsCaPendDel /f /q
    
    reg delete HKLM\SOFTWARE\swearware /f
    reg delete HKCU\Software\Wget /f
    reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f
    
    :: rootkit gaopdxserv (service name is the same as the Services key deleted further down)
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    sc stop gaopdxserv.sys
    sc delete gaopdxserv.sys
    
    del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    del /f /q "c:\windows\system32\gaopdxqpqjwmyc.dll"
    del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    sc stop WinSvchostManager
    sc delete WinSvchostManager
    
    sc stop ntndis
    sc delete ntndis
    
    attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.exe"
    attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.sys"
    
    del  /f /q "C:\WINDOWS\system32\drivers\ntndis.exe"
    del  /f /q "C:\WINDOWS\system32\drivers\ntndis.sys"
    
    sc stop u_lehj
    sc delete u_lehj
    
    attrib -h -s -r "c:\program files\Common Files\System\u_lehj32.dll"
    del  /f /q "c:\program files\Common Files\System\u_lehj32.dll"
    
    attrib -h -s -r "C:\WINDOWS\system32\svcprs32.exe"
    attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"
    
    del  /f /q "C:\WINDOWS\system32\svcprs32.exe"
    del  /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    del  /f /q "C:\WINDOWS\system32\mdmcls32.exe"
    
    reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f
    
    reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
    reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "75319611769193918898704537500611" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "ieupdate" /f
    echo Finished ripping out Antivirus 2008-9
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    exit
    exit

    This should run and exit!

    It is a coverall and you may see a few errors related to it addressing something you do not need. This is normal; ignore them.

    Reboot

    Then
    ------------------------------------------------------------------------------------------------------
    Download XP TCP/IP Repair (Netrepair.exe) http://www.xp-smoker.com/freeware.html
    Install (check "place shortcut on desktop").

    Then run it and first click Reset TCP/IP. It may or may not require a reboot here; if it does not require a reboot, then click Repair Winsock and approve all to fix/repair, and it will then require a reboot for sure. Reboot and recheck for internet.

    If the first repair, Reset TCP/IP, does require a reboot, then as soon as it comes back up run the second, Reset Winsock!

    Reboot

    Hopefully this will get us back on the Internet.

    Mike
     
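The batch above resets file associations, deletes services and removes files blind, and the thread only finds out afterwards whether anything changed. The following PowerShell script is an added example, not mflynn's batch or anything else from the thread: a read-only audit of the same associations, service names and file paths, run before the batch to see what is actually hijacked and again afterwards to confirm the fix. The expected values are copied from the ftype and assoc lines of the batch; the prefix searches for tdss* and gaopdx* are this example's own generalisation of the batch's wildcard and fixed names.

```powershell
# Added example for this thread (not mflynn's batch): read-only audit of the
# associations, services and files that the removal batch resets or deletes.
# Run in an elevated PowerShell. It changes nothing.

# Handler commands exactly as the batch's ftype lines set them.
$expectedCommand = @{
    exefile = '"%1" %*';  batfile = '"%1" %*';  cmdfile = '"%1" %*'
    comfile = '"%1" %*';  scrfile = '"%1" /S';  piffile = '"%1" %*'
    regfile = '"regedit.exe" "%1"'
}
# Extension-to-type mappings as the batch's assoc lines set them.
$expectedAssoc = @{
    '.exe' = 'exefile'; '.bat' = 'batfile'; '.cmd' = 'cmdfile'; '.com' = 'comfile'
    '.scr' = 'scrfile'; '.reg' = 'regfile'; '.pif' = 'piffile'; '.lnk' = 'lnkfile'
}
# Service names the batch stops and deletes.
$suspectServices = 'TDSSserv.sys', 'gaopdxserv.sys', 'WinSvchostManager', 'ntndis', 'u_lehj'
# Fixed-path files the batch deletes, with the drive taken from the environment.
$suspectFiles = @(
    "$env:SystemRoot\system32\ieupdates.exe",
    "$env:SystemRoot\system32\scui.cpl",
    "$env:SystemRoot\system32\winsrc.dll",
    "$env:SystemRoot\system32\svcprs32.exe",
    "$env:SystemRoot\system32\mdmcls32.exe",
    "$env:SystemRoot\system32\drivers\ntndis.exe",
    "$env:SystemRoot\system32\drivers\ntndis.sys",
    "$env:ProgramFiles\Common Files\System\u_lehj32.dll",
    "$env:ProgramFiles\Antivirus 2009"
)

function Get-DefaultValue([string]$KeyPath) {
    # Returns the key's (default) value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    if ($item) { $item.'(default)' } else { $null }
}

$findings = @()

# HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes and a
# per-user entry wins, so both hives are checked: a hijack placed under HKCU
# would survive a fix that only rewrote the machine-wide keys.
foreach ($hive in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
    $machineWide = $hive.StartsWith('HKLM')
    foreach ($ext in $expectedAssoc.Keys) {
        $actual = Get-DefaultValue "$hive\$ext"
        if ($null -eq $actual) { if ($machineWide) { $findings += "$hive\$ext is missing" } }
        elseif ($actual -ne $expectedAssoc[$ext]) { $findings += "$hive\$ext = '$actual' (expected '$($expectedAssoc[$ext])')" }
    }
    foreach ($type in $expectedCommand.Keys) {
        $key = "$hive\$type\shell\open\command"
        $actual = Get-DefaultValue $key
        if ($null -eq $actual) { if ($machineWide) { $findings += "$key is missing" } }
        elseif ($actual -ne $expectedCommand[$type]) { $findings += "$key = '$actual' (expected '$($expectedCommand[$type])')" }
    }
}

# Services are checked in the registry rather than with Get-Service, because
# Get-Service does not list kernel drivers and several of these are drivers.
foreach ($svc in $suspectServices) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
    if (Test-Path -Path $key) {
        $image = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
        $findings += "service '$svc' still registered (ImagePath: $image)"
    }
}
foreach ($path in $suspectFiles) {
    if (Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue) { $findings += "present: $path" }
}
# The batch deletes tdss*.* by wildcard over the whole drive and the gaopdx
# driver/DLL by exact name; searching both prefixes over the drive (slow, but
# thorough) is this example's extension of that. -Force includes hidden files.
foreach ($pattern in 'tdss*', 'gaopdx*') {
    foreach ($hit in Get-ChildItem -Path "$env:SystemDrive\" -Filter $pattern -Recurse -Force -ErrorAction SilentlyContinue) {
        $findings += "present: $($hit.FullName)"
    }
}

if ($findings.Count -eq 0) { "Nothing from the batch's list is present; associations match the expected values." }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit under HKCU\Software\Classes is the one to look at twice: the batch's ftype and assoc commands write the merged HKCR view, and Windows stores such a write under HKLM unless the key already exists under HKCU, so a per-user hijack that the audit reports after the batch has run needs to be removed from the HKCU key directly.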
  18. Ledah

    Ledah TS Rookie Topic Starter Posts: 21

    Uninstalling the devices with the yellow exclamation mark didn't work. I get a message saying 'failed to uninstall the device. The device may be required to boot the computer.' There were 2 devices under network adapters that I was able to uninstall, but after rebooting they came back and still had the yellow exclamation mark beside them.

    The computer isn't able to boot on normal mode anymore because DEP stops it, I can only run it on safe mode.

    I tried everything else that you posted and it still doesn't work.
     
  19. mflynn

    mflynn TS Rookie Posts: 2,655

    COMBOFIX-Script
    Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    KillAll::
    
    FCopy::
    C:\WINDOWS\system32\dllcache\userinit.exe | C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\system32\dllcache\explorer.exe | C:\WINDOWS\explorer.exe

    Then drag this script and drop it on top of ComboFix.

    ComboFix will now run a scan on your system.

    It may reboot your system when it finishes. This is normal.

    When finished, it will create a log. Attach the log back.

    Mike
     
  20. Ledah

    Ledah TS Rookie Topic Starter Posts: 21

    Is the script supposed to copy files from the ServicePackFiles folder? Because when I checked the computer it doesn't have the ServicePackFiles folder, but it has an i386 folder under c:\windows\i386 and the files in it end with .ex_

    Should I take out the ServicePackFiles in the script and try again?
     
  21. mflynn

    mflynn TS Rookie Posts: 2,655

    No! They will have to be located or expanded.

    I have to go to the Post Office before 5:00; I will post back as soon as I get back.

    Mike
     
  22. Ledah

    Ledah TS Rookie Topic Starter Posts: 21

    Ok, I haven't done anything else other than what you have told me.
     
  23. mflynn

    mflynn TS Rookie Posts: 2,655

    We are going to search for backups of these files so do below.

    Left Drag mouse and Copy for Pasting all text in the box below.
    Make sure the slider bar goes to bottom from the @ to the end of the second exit.

    Then paste to the black screen of an open command prompt.
    Code:
    @echo off
    cd\
    attrib /s userinit.exe >"%USERPROFILE%"\Desktop\userinit.txt
    dir /s userinit.exe >>"%USERPROFILE%"\Desktop\userinit.txt
    echo ---------------------------------------------------------------------------------------------------- >>"%USERPROFILE%"\Desktop\userinit.txt
    attrib /s explorer.exe >>"%USERPROFILE%"\Desktop\userinit.txt
    dir /s explorer.exe >>"%USERPROFILE%"\Desktop\userinit.txt
    exit
    exit
    
    Now post the userinit.txt from the new icon on the desktop back to the thread.
     
  24. Ledah

    Ledah TS Rookie Topic Starter Posts: 21

    If the dllcache folder has the backup, nod32 showed that those files were also infected and couldn't be cleaned.
     
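The search in post #23 lists where copies of userinit.exe and explorer.exe live, and post #24 shows why location alone is not enough: the dllcache copies that ComboFix's FCopy would use were themselves flagged. The PowerShell script below is an added example, not mflynn's, ComboFix's or the thread's code: it finds every copy on the drive (including compressed .ex_ copies like those in the i386 folder from post #20, expanded with the built-in expand.exe), hashes each one and checks its Authenticode signature, so the replacement is chosen on evidence. The %TEMP% expansion path and the `Get-CopyInfo` helper name are this example's own.

```powershell
# Added example for this thread (not mflynn's or ComboFix's code): inventory
# every copy of the two files the CFScript restores, hash each one and check
# its signature. Read-only except for expanding .ex_ copies into %TEMP%.
# Run in an elevated PowerShell.

$targets = @{
    'userinit.exe' = "$env:SystemRoot\system32\userinit.exe"
    'explorer.exe' = "$env:SystemRoot\explorer.exe"
}
$root = "$env:SystemDrive\"

function Get-CopyInfo {
    param([System.IO.FileInfo]$File, [string]$Origin)
    $sig = Get-AuthenticodeSignature -FilePath $File.FullName
    [pscustomobject]@{
        Origin    = $Origin
        Size      = $File.Length
        Modified  = $File.LastWriteTime
        SHA256    = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash
        Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

foreach ($name in $targets.Keys) {
    $stem   = [System.IO.Path]::GetFileNameWithoutExtension($name)
    $copies = @()

    # Plain copies anywhere on the drive: dllcache, ServicePackFiles\i386, i386, ...
    foreach ($f in Get-ChildItem -Path $root -Filter $name -Recurse -Force -File -ErrorAction SilentlyContinue) {
        $copies += Get-CopyInfo -File $f -Origin $f.FullName
    }
    # Compressed copies (e.g. userinit.ex_): expand into %TEMP%, inspect, then remove.
    foreach ($c in Get-ChildItem -Path $root -Filter "$stem.ex_" -Recurse -Force -File -ErrorAction SilentlyContinue) {
        $out = Join-Path $env:TEMP $name
        & expand.exe $c.FullName $out | Out-Null
        if (Test-Path -LiteralPath $out) {
            $copies += Get-CopyInfo -File (Get-Item -LiteralPath $out) -Origin "$($c.FullName) (expanded)"
            Remove-Item -LiteralPath $out -Force
        }
    }

    $live     = $targets[$name]
    $liveHash = if (Test-Path -LiteralPath $live) { (Get-FileHash -LiteralPath $live -Algorithm SHA256).Hash } else { '<missing>' }
    "`n== $name  (in-use copy $live : $liveHash) =="
    $copies | Sort-Object Signature, Origin | Format-Table Origin, Size, Modified, Signature, SHA256 -AutoSize

    # A usable replacement is a validly signed copy whose hash differs from the suspect in-use one.
    $good = @($copies | Where-Object { $_.Signature -eq 'Valid' -and $_.SHA256 -ne $liveHash })
    if ($good.Count) { "Signed candidates for FCopy:"; $good | ForEach-Object { "  $($_.Origin)" } }
    else { "No validly signed copy found; take the file from installation media of the same service-pack level." }
}
```

Two caveats when reading the table: Windows system files are normally signed through a catalog rather than an embedded signature, and older PowerShell versions report such files as NotSigned, in which case agreement between the hashes of several independent copies (i386, dllcache, install media) is the next best evidence; and a copy whose hash matches the in-use file tells you nothing either way, which is exactly the situation post #24 describes.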
  25. mflynn

    mflynn TS Rookie Posts: 2,655

    OK, do the Post #19 Combo script again. I have edited the script.

    Mike
     
Topic Status:
Not open for further replies.
