Win32/Heur trouble


edwells

Hi everyone, I'm a newbie to virus removal so be gentle :)

I installed AVG on my housemate's laptop a month or so ago, and as of the other day he's getting the message "virus found Win32/Heur"; it's on the file userinit.exe.

I've read a few things about this, so I installed malwarebytes on his laptop. This found a few files but didn't help with the heur virus. Can anybody help on this please? I've posted the log file MB created after the scan.

Many thanks

Ed
 
Spyder steered you right! We need all 3 logs.

But I wanted to caution you: You have/had both a Trojan Downloader and a Trojan Backdoor on the system. And the malware also got in the restore points. So Caution: Do NOT use System Restore. Your helper will have you remove the old restore points and set a clean one when the system is clean.

Change your passwords- now.

And in Step 1 of the Virus and Malware Removal thread, note the recommendations to use Avira or Avast. One of those would be in your best interest rather than AVG.
 
Thanks again guys.

Ok, I installed Avira instead of AVG and then followed the 8 steps.
Here are my logs, hopefully they'll be of some help.

Thanks
Ed
 
Ed, please run the Norton Removal Tool:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039


You have the Symantec/Norton Security Suite loading at startup:
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Update Adobe: Most current version: Adobe Reader 9.1
Your Adobe Reader is out of date. Vulnerabilities can be exploited. Click here to download the latest version : https://www.techspot.com/downloads/345-adobe-reader.html
OR
Install the FoxIt Reader: this does the same thing as Adobe, but doesn’t have the bloat: http://www.foxitsoftware.com/pdf/rd_intro.php.

Uninstall the earlier version of the Adobe Reader in Add/Remove Programs in the Control Panel

Maybe one of your housemates installed this, but you should NOT run 2 AV programs.

EDIT: I need to get someone to write code to make sure the Trojan is gone from the System32 userinit file.
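As an added example that is not part of the thread, here is a read-only PowerShell check a helper could use to verify the System32 userinit.exe the post refers to: it confirms the file's Authenticode signature and compares the Winlogon "Userinit" registry value that launches it against the stock value. It assumes a Windows system with PowerShell 4 or later (for Get-FileHash); the expected Userinit value `<SystemRoot>\System32\userinit.exe,` (trailing comma included) is the Windows default and not taken from the thread.

```powershell
# Added example (not from the thread): verify the real userinit.exe and the
# Winlogon value that launches it. All checks are read-only.
$sys32    = Join-Path $env:SystemRoot 'System32'
$userinit = Join-Path $sys32 'userinit.exe'

# 1. The genuine userinit.exe is signed by Microsoft; a replaced or patched
#    binary shows Status NotSigned / HashMismatch or a non-Microsoft signer.
$sig = Get-AuthenticodeSignature -FilePath $userinit
[pscustomobject]@{
    Path   = $userinit
    Status = $sig.Status
    Signer = $sig.SignerCertificate.Subject
    SHA256 = (Get-FileHash -Path $userinit -Algorithm SHA256).Hash
} | Format-List

# 2. The Winlogon "Userinit" value decides what runs at logon. The default
#    (assumption, Windows stock value) is the System32 path plus a trailing comma;
#    extra entries after the comma are a common persistence spot.
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$val      = (Get-ItemProperty -Path $key -Name Userinit).Userinit
$expected = "$userinit,"
if ($val -ieq $expected) {
    "Userinit value OK: $val"
} else {
    "Userinit value DIFFERS from default: '$val' (expected '$expected')"
}

# 3. Any other file named userinit.exe outside System32 is worth a closer look.
Get-ChildItem -Path $env:SystemRoot -Filter 'userinit.exe' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.DirectoryName -ine $sys32 } |
    Select-Object FullName, Length, LastWriteTime
```

Run it from an elevated PowerShell prompt; a Status of `Valid` with a Microsoft signer and an unchanged Userinit value are the expected healthy results.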
 
After you have done what Bobbye suggests, download Combofix; it will replace the infected userinit file.

Please download Combofix:
http://subs.geekstogo.com/ComboFix.exe

And save to the desktop.

Close all other browser windows.

Please connect all your external hard drives/flash drives before running Combofix, if you have any.


Double-click on the combofix icon found on your desktop.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Attach that file in your next reply.
 
Thanks again guys. I'll try these when I get home from work tonight. I had absolutely no idea Norton was even on there as he always told me he'd never even had an AV program before!!

I know what trouble Norton can be to remove, so thank you very much for the link. I've had real problems with this before, so that site is definitely getting favourited!
 
Ok, I removed Norton and updated my Acrobat (thanks Bobbye)
and also ran Combofix, although it creates the logfile as an empty text document. Is this normal?
Do I need to rerun the 8 steps?

Thanks again

Ed
 
Thank you touch.

I'm not sure where that ComboFix report came from. In the section headed Files Created from 2009-03-17 to 2009-04-17, the file date span is only 1/31/09 to 2/14/09, with 2 entries on 4/6/09 for Mbam. That means this is not a current log.

The mbam log is from 12/02/2009 23:29:55
The HijackThis log is current at Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:50:34 PM, on 2009-04-14

So the only current log is the HJ one. You need to update Malwarebytes, SuperAntispyware and ComboFix and rescan, then follow with a new HJ log. Attach all logs and reports. I should have caught this but didn't.

Also, please do a full system scan with Avira. IF it finds anything, please include the scan.

Are there any problems with the system now?
 
Well it seems to be running a bit faster. There's no message coming up re: Win32/heur, although that was with AVG.

I'll perform all the scans again and get back to you!

It's going to be a long old night :)

Thanks
Ed
 