Win32/Heur Virus - Need help to remove

By s4118558
Nov 22, 2009
Topic Status:
Not open for further replies.
  1. Hi there, unfortunately I have picked up the crippling Win32/Heur virus after downloading a torrent off the internet.

    I have AVG free 8.5 and it keeps on picking up the virus, but won't let me get rid of it because it says that the files are "white-listed" and should not be removed. I also ran Spybot which picked up a few trojan horse entries and was able to delete them, but every time I run it again, it keeps picking them up.

    I am unsure as to what my next step is to remove the virus. I have downloaded and run MBAM & SAS which are now picking up like 22 entries! I've tried to delete them, but the system won't let me, again for the same reason.

    Attached are the logfiles.

    Thanks.
  2. s4118558

    s4118558 Newcomer, in training Topic Starter

    Just realised that I did the logs in the wrong order... I have re-done the scans, which are still picking up a few things. Updated logs attached.

    This is a really frustrating virus and any help would be great.

    Thanks
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Thank you for resubmitting the logs. Unfortunately you did not check the line in Malwarebytes that says to remove what it finds, so the malware shows No action taken.

    Before repeating that, please do the following:

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    Also scan these:

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe

    Unfortunately we are frequently seeing a Virus infection with Win32/Heur, so we need to check for that first:
    Virut is a Polymorphic File Infector that infects .EXE and .SCR files. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.

    Please include the results in your next reply.
  4. s4118558

    s4118558 Newcomer, in training Topic Starter

    Here are the results from: c:\windows\system32\userinit.exe

    VirSCAN.org Scanned Report :
    Scanned time : 2009/11/26 08:27:05 (EST)
    Scanner results: 68% Scanner(s) (25/37) found malware!
    File Name : userinit.exe
    File Size : 46080 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 4002c313adf0794221b80d6b012a682a
    SHA1 : 33842f5b0c1f5e93ae371c3db051c137a8e0d123
    Online report : http://virscan.org/report/2d4c8e1fdd904e33e80bf3d285f942d0.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20091126033123 2009-11-26 4.07 Gen.Malware!IK
    AhnLab V3 2009.11.26.00 2009.11.26 2009-11-26 0.98 Win32/Virut.F
    AntiVir 8.2.1.78 7.10.1.106 2009-11-25 0.14 W32/Virut.Gen
    Antiy 2.0.18 20091125.3312390 2009-11-25 0.12 -
    Arcavir 2009 200911251307 2009-11-25 0.04 -
    Authentium 5.1.1 200911251913 2009-11-25 1.22 W32/Virut.AI!Generic (Heuristic)
    AVAST! 4.7.4 091125-1 2009-11-25 0.01 Win32:Vitro
    AVG 8.5.288 270.14.83/2526 2009-11-26 0.54 Win32/Virut
    BitDefender 7.81008.4603165 7.29139 2009-11-26 3.90 Win32.Virtob.Gen.12
    CA (VET) 35.1.0 7141 2009-11-24 5.89 -
    ClamAV 0.95.2 10070 2009-11-26 0.01 -
    Comodo 3.12 3036 2009-11-25 0.86 -
    CP Secure 1.3.0.5 2009.11.26 2009-11-26 0.05 -
    Dr.Web 4.44.0.9170 2009.11.25 2009-11-25 7.21 Win32.Virut.56
    F-Prot 4.4.4.56 20091125 2009-11-25 1.23 Possible W32/Virut.AI!Generic
    F-Secure 7.02.73807 2009.11.25.14 2009-11-25 9.17 Virus.Win32.Virut.ce [AVP]
    Fortinet 11.93- 11.93 2009-11-25 0.15 -
    GData 19.9000/19.585 20091125 2009-11-25 6.93 Virus.Win32.Virut.ce [Engine:A]
    ViRobot 20091125 2009.11.25 2009-11-25 0.41 -
    Ikarus T3.1.01.74 2009.11.25.74594 2009-11-25 4.09 Gen.Malware
    JiangMin 11.0.800 2009.11.25 2009-11-25 4.97 -
    Kaspersky 5.5.10 2009.11.25 2009-11-25 0.07 Virus.Win32.Virut.ce
    KingSoft 2009.2.5.15 2009.11.25.20 2009-11-25 0.54 Win32.Virut.cr.61440
    McAfee 5.3.00 5813 2009-11-25 3.41 W32/Virut.n.gen
    Microsoft 1.5302 2009.11.24 2009-11-24 6.67 Virus:Win32/Virut.gen!O
    Norman 6.01.09 6.01.00 2009-11-25 4.00 W32/Virut.FN
    Panda 9.05.01 2009.11.25 2009-11-25 1.86 W32/Sality.AO
    Trend Micro 9.000-1003 6.652.03 2009-11-25 0.04 PE_VIRUX.I
    Quick Heal 10.00 2009.11.25 2009-11-25 1.58 W32.Virut.G
    Rising 20.0 22.23.02.09 2009-11-25 1.18 Win32.Virut.cl
    Sophos 3.01.0 4.47 2009-11-26 3.02 W32/Scribble-B
    Sunbelt 5518 5518 2009-11-18 2.78 Virus.Win32.Virut.ce (v)
    Symantec 1.3.0.24 20091125.004 2009-11-25 0.11 W32.Virut.CF
    nProtect 20091125.01 6330100 2009-11-25 5.06 -
    The Hacker 6.5.0.2 v00078 2009-11-25 1.00 -
    VBA32 3.12.12.0 20091124.2139 2009-11-24 2.12 Virus.Win32.Virut.X7
    VirusBuster 4.5.11.10 10.113.29/2005008 2009-11-25 3.08 -

    Here are the results from: C:\WINDOWS\explorer.exe

    VirSCAN.org Scanned Report :
    Scanned time : 2009/11/26 08:34:34 (EST)
    Scanner results: 68% Scanner(s) (25/37) found malware!
    File Name : explorer.exe
    File Size : 1053184 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 49f7207c20401dc18a888f60cdafeb81
    SHA1 : ac3d8906b945c1efc7549cff79497d88259f2bfd
    Online report : http://virscan.org/report/1d9a43095deba8342ece41ac64a1cb02.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20091126033123 2009-11-26 4.22 Trojan.Win32.Patched!IK
    AhnLab V3 2009.11.26.00 2009.11.26 2009-11-26 0.92 Win32/Virut.F
    AntiVir 8.2.1.78 7.10.1.106 2009-11-25 0.50 W32/Virut.Gen
    Antiy 2.0.18 20091125.3312390 2009-11-25 0.12 -
    Arcavir 2009 200911251307 2009-11-25 0.06 -
    Authentium 5.1.1 200911251913 2009-11-25 1.24 W32/Virut.AI!Generic (Heuristic)
    AVAST! 4.7.4 091125-1 2009-11-25 0.05 Win32:Vitro
    AVG 8.5.288 270.14.83/2526 2009-11-26 0.45 Win32/Virut
    BitDefender 7.81008.4603165 7.29139 2009-11-26 3.92 Win32.Virtob.Gen.12
    CA (VET) 35.1.0 7141 2009-11-24 7.35 -
    ClamAV 0.95.2 10070 2009-11-26 0.17 -
    Comodo 3.12 3036 2009-11-25 1.13 -
    CP Secure 1.3.0.5 2009.11.26 2009-11-26 0.40 -
    Dr.Web 4.44.0.9170 2009.11.25 2009-11-25 7.23 Win32.Virut.56
    F-Prot 4.4.4.56 20091125 2009-11-25 1.23 Possible W32/Virut.AI!Generic
    F-Secure 7.02.73807 2009.11.25.14 2009-11-25 0.12 Virus.Win32.Virut.ce [AVP]
    Fortinet 11.93- 11.93 2009-11-25 0.14 -
    GData 19.9000/19.585 20091125 2009-11-25 5.60 Virus.Win32.Virut.ce [Engine:A]
    ViRobot 20091125 2009.11.25 2009-11-25 0.41 -
    Ikarus T3.1.01.74 2009.11.25.74594 2009-11-25 4.20 Trojan.Win32.Patched
    JiangMin 11.0.800 2009.11.25 2009-11-25 4.15 -
    Kaspersky 5.5.10 2009.11.25 2009-11-25 0.07 Virus.Win32.Virut.ce
    KingSoft 2009.2.5.15 2009.11.25.20 2009-11-25 0.53 Win32.Virut.cr.61440
    McAfee 5.3.00 5813 2009-11-25 3.47 W32/Virut.n.gen
    Microsoft 1.5302 2009.11.24 2009-11-24 6.44 Virus:Win32/Virut.gen!O
    Norman 6.01.09 6.01.00 2009-11-25 4.00 W32/Virut.FN
    Panda 9.05.01 2009.11.25 2009-11-25 1.81 W32/Sality.AO
    Trend Micro 9.000-1003 6.652.03 2009-11-25 0.04 PE_VIRUX.I
    Quick Heal 10.00 2009.11.25 2009-11-25 1.51 W32.Virut.G
    Rising 20.0 22.23.02.09 2009-11-25 1.33 Win32.Virut.cl
    Sophos 3.01.0 4.47 2009-11-26 3.01 W32/Scribble-B
    Sunbelt 5518 5518 2009-11-18 1.75 Virus.Win32.Virut.ce (v)
    Symantec 1.3.0.24 20091125.004 2009-11-25 0.06 W32.Virut.CF
    nProtect 20091125.01 6330100 2009-11-25 3.65 -
    The Hacker 6.5.0.2 v00078 2009-11-25 0.76 -
    VBA32 3.12.12.0 20091124.2139 2009-11-24 2.15 Virus.Win32.Virut.X7
    VirusBuster 4.5.11.10 10.113.29/2005008 2009-11-25 3.54 -

    The results from: C:\WINDOWS\System32\svchost.exe

    CLEAN.

    Thanks.
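A small reader for the VirSCAN report layout pasted above, added here as an example and not part of the thread: it tallies how many engines flagged the file, how many of those name the Virut family Bobbye asked about, and cross-checks the pasted "(hits/engines)" summary line against the rows actually present, so a truncated paste is noticed. The excerpt it parses is constructed from a few rows of the userinit.exe report above.

```python
import re
from collections import Counter

# Constructed excerpt in the layout VirSCAN.org pasted into the thread: header
# fields, then one row per engine; "-" in the result column means no detection.
SAMPLE_REPORT = """\
Scanner results: 67% Scanner(s) (4/6) found malware!
File Name : userinit.exe
MD5 : 4002c313adf0794221b80d6b012a682a
Scanner Engine Ver Sig Ver Sig Date Time Scan result
AhnLab V3 2009.11.26.00 2009.11.26 2009-11-26 0.98 Win32/Virut.F
Authentium 5.1.1 200911251913 2009-11-25 1.22 W32/Virut.AI!Generic (Heuristic)
CA (VET) 35.1.0 7141 2009-11-24 5.89 -
Dr.Web 4.44.0.9170 2009.11.25 2009-11-25 7.21 Win32.Virut.56
Panda 9.05.01 2009.11.25 2009-11-25 1.86 W32/Sality.AO
The Hacker 6.5.0.2 v00078 2009-11-25 1.00 -
"""

# A row ends "<YYYY-MM-DD> <seconds> <result>"; anchoring on the date lets
# scanner names with spaces ("CA (VET)", "The Hacker") parse correctly.
ROW_RE = re.compile(r"^(?P<scanner>.+?) \S+ \S+ \d{4}-\d{2}-\d{2} \d+\.\d+ (?P<result>.+)$")
CLAIM_RE = re.compile(r"Scanner results:.*\((\d+)/(\d+)\)")
FIELD_RE = re.compile(r"^(File Name|MD5|SHA1) : (\S+)$")


def parse_report(text):
    """Return header fields, the claimed (hits, engines) pair and {scanner: result|None}."""
    report = {"fields": {}, "claimed": None, "rows": {}}
    for line in (l.strip() for l in text.splitlines()):
        if m := FIELD_RE.match(line):
            report["fields"][m.group(1)] = m.group(2)
        elif m := CLAIM_RE.search(line):
            report["claimed"] = (int(m.group(1)), int(m.group(2)))
        elif m := ROW_RE.match(line):
            result = m.group("result").strip()
            report["rows"][m.group("scanner")] = None if result == "-" else result
    return report


def summarize(report, family="virut"):
    """Count detections, those naming the suspected family, and check the summary line."""
    hits = {s: r for s, r in report["rows"].items() if r}
    labels = Counter(family if family in r.lower() else r for r in hits.values())
    return {
        "engines": len(report["rows"]),
        "detections": len(hits),
        "family_hits": labels[family],
        "other_labels": sorted(l for l in labels if l != family),
        "claim_consistent": report["claimed"] == (len(hits), len(report["rows"])),
    }
```

Run over the full reports in the thread, the same code reproduces the 25/37 figure and shows that the dissenting labels (Sality, Scribble, Virux, Vitro) are other vendors' names for the same file-infector behaviour.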
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Unfortunately, that last 'clean' for svchost.exe isn't going to matter. Your system has basically been trashed by the Virut infection.

    We have found that the best advice when this happens is to suggest the user reformat and reinstall.

    As quickly as we might remove one Virut entry, just as quickly it 'morphs' into another. As mentioned:
    You will find more detailed information about Virut "and other file infectors" here:
    http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

    Change all of your passwords and monitor any online financial transactions. We suggest that you not be taken in by companies who may 'guarantee' that their program will remove Virut, and for a price.

    That's because the virus morphs into yet another variant. It is best you handle this immediately as the system has been badly compromised. And this is not the time to back up.