Win32/Heur trouble

By edwells
Apr 14, 2009
  1. Hi everyone, I'm a newbie to virus removal so be gentle :)

    I installed AVG on my housemate's laptop a month or so ago, and as of the other day he's getting the message "virus found Win32/Heur"; it's on the file userinit.exe.

    I've read a few things about this, so I installed Malwarebytes on his laptop. This found a few files but didn't help with the Heur virus. Can anybody help with this please? I've posted the log file MB created after the scan.

    Many thanks

  2. Spyder_1386

    Spyder_1386 TS Rookie Posts: 498

  3. edwells

    edwells TS Rookie Topic Starter

    Thanks Spyder, sorry about that. I should have checked first. I'll get right on it.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Spyder steered you right! We need all 3 logs.

    But I wanted to caution you: You have/had both a Trojan Downloader and a Trojan Backdoor on the system. And the malware also got into the restore points. So caution: Do NOT use System Restore. Your helper will have you remove the old restore points and set a clean one when the system is clean.

    Change your passwords - now.

    And in Step 1 of the Virus and Malware Removal thread, note the recommendations to use Avira or Avast. One of those would be in your best interest rather than AVG.
  5. edwells

    edwells TS Rookie Topic Starter

    Thanks again guys.

    Ok, I installed Avira instead of AVG and then followed the 8 steps.
    Here are my logs, hopefully they'll be of some help.

  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Ed, please run the Norton Removal Tool:

    You have the Symantec/Norton Security Suite loading at startup:
    Update Adobe: Most current version: Adobe Reader 9.1
    Maybe one of your housemates installed this, but you should NOT run 2 AV programs.

    EDIT: I need to get someone to write code to make sure the Trojan is gone from the System32 userinit file.
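    For the check Bobbye describes, an added example that is not from this thread or from any of the tools mentioned in it: a PowerShell script that verifies userinit.exe is still present and Microsoft-signed, records its hash, and checks that the Winlogon Userinit registry value still points only at the real file. It assumes PowerShell 4 or later (for Get-FileHash) and a default %SystemRoot%.

```powershell
# Added example (not from this thread): sanity checks for the
# System32\userinit.exe file discussed above. Assumes PowerShell 4+.
$userinit = Join-Path $env:SystemRoot 'System32\userinit.exe'

if (-not (Test-Path -Path $userinit)) {
    throw "userinit.exe is missing from $userinit"
}

# 1. Is the file signed by Microsoft? A replaced or patched copy will
#    show Status other than 'Valid' or a non-Microsoft signer.
$sig = Get-AuthenticodeSignature -FilePath $userinit
[pscustomobject]@{
    Path   = $userinit
    Status = $sig.Status                   # expect 'Valid'
    Signer = $sig.SignerCertificate.Subject
    # Compare this against a known-good copy from a clean machine with
    # the same Windows version and service pack.
    SHA256 = (Get-FileHash -Path $userinit -Algorithm SHA256).Hash
} | Format-List

# 2. Does the Winlogon Userinit value still point only at the real file?
#    The default is the full path followed by a trailing comma; any extra
#    path listed here is worth investigating.
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$value    = (Get-ItemProperty -Path $key -Name Userinit).Userinit
$expected = "$userinit,"

if ($value -ieq $expected) {
    "Winlogon Userinit is the default: $value"
} else {
    "Winlogon Userinit is NOT the default: $value"
}
```

    Run it from an elevated PowerShell prompt; a signature status other than Valid, or an unexpected Userinit value, means the file or its launch entry should be looked at more closely.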
  7. touch

    touch TS Rookie Posts: 978

    After you have done what Bobbye suggests, download ComboFix; it will replace the infected userinit file.

    Please download Combofix:

    And save to the desktop.

    Close all other browser windows.

    Please connect all your external hard drives/flash drives before running Combofix, if you have any.

    Double-click on the combofix icon found on your desktop.

    Please note that once you start Combofix you should not click anywhere on the Combofix window, as it can cause the program to stall. In fact, when Combofix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.

    When finished, it will produce a logfile located at C:\combofix.txt.

    Attach that file in your next reply.
  8. edwells

    edwells TS Rookie Topic Starter

    Thanks again guys. I'll try these when I get home from work tonight. I had absolutely no idea Norton was even on there as he always told me he'd never even had an AV program before!!

    I know what trouble Norton can be to remove, so thank you very much for the link. I've had real problems with this before, so that site is definitely getting favourited!
  9. edwells

    edwells TS Rookie Topic Starter

    Ok, I removed Norton and updated my Acrobat (thanks Bobbye)
    and also ran ComboFix, although it creates the logfile as an empty text document. Is this normal?
    Do I need to rerun the 8 steps?

    Thanks again

  10. edwells

    edwells TS Rookie Topic Starter

    Ok, I ran ComboFix again and this time it did create a log.

    Here it is.

  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Thank you touch.

    I'm not sure where that ComboFix report came from. In the section headed Files Created from 2009-03-17 to 2009-04-17, the file date span is only 1/31/09 to 2/14/09, with 2 entries on 4/6/09 for Mbam. That means this is not a current log.

    The mbam log is from 12/02/2009 23:29:55
    The HijackThis log is current at Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:50:34 PM, on 2009-04-14

    So the only current log is the HJ one. You need to update Malwarebytes, SuperAntispyware and ComboFix and rescan, then follow with a new HJ log. Attach all logs and reports. I should have caught this but didn't.

    Also, please do a full system scan with Avira. IF it finds anything, please include the scan.

    Are there any problems with the system now?
  12. edwells

    edwells TS Rookie Topic Starter

    Well it seems to be running a bit faster. There's no message coming up re: Win32/heur, although that was with AVG.

    I'll perform all the scans again and get back to you!

    It's going to be a long old night :)
