[Solved] Win32 Heur

HappyD1717 · Mar 9, 2011

Okay so today out of the blue my AVG pops up (giving me a hear attack) telling me it has detected a threat called Win32/Heur...fantastic. What is really odd is that it found this file in:
C:\Program Files\EA Games\The Sims 2 H&M Fashion Stuff\TSBin\Sims2SP5.exe

Well I'm not happy that it's supposibly in my game file (that I haven't played or messed with in months I should add). So I google this virus and find oh so many good things about it. Now, I'm a tech student so this whole thing just feels really odd to me, I've searched my comp for files with win32 heur in it (or just heur) and haven't come up with anything. I haven't been to any questionable sites lately, mostly just facebook and youtube and some other trusted sites. I downloaded Malwarebytes' Malware Removal software, updated it, and ran it in safemode like some other sites have suggested. The results came back with my comp clean, yet when I booted my comp back up normally and went into the said file above to test to see if anything is different AVG acted up again and detected the threat. I've also cleaned my registry just to see if that would do anything (I mean it doesn't hurt either). I'm just not convinced I really have this thing, but I'm also not gonna ignore it until this whole thing disappears. I also used SpyHunter and that didn't find anything out of the ordinary, just cookies like normal which were cleaned. I'm running AVG (it is updated and current btw) for like the 3rd or 4th time and it still says said file above is infected. I've tried uninstalled the game but AVG freaked out again and wouldn't let me and I've thought about going into safe mode and uninstalling it that way but I'm not sure if that would help. So does anyone have any ideas? Or can at least tell me how I can figure out if this virus is real because my computer isn't showing any signs (and I've had more than enough experience fighting off virus' to know them) and while a virus freaks me out I am also just not convinced. Please help, thanks. (I have Windows 7 & the most recent AVG I should add).

Bobbye · Mar 9, 2011

Welcome to TechSpot! I'll be glad to help with the problem. Seems like all the AVG users are getting this alert!

But because the AVG finding of Win32/Heur can also be an indication of a more serious malware infection, I'd like you to run the following first:

Run Eset NOD32 Online AntiVirus scan HERE

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the Active X control to install

Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.

Click Start

Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked

Click Scan

Wait for the scan to finish

Click on "Copy to Clipboard"> (you won't see the 'clipboard')

Click anywhere in the post where you want the logs to go, the do Ctrl V. The log will be sent from the clipboard and pasted in the post.

Re-enable your Antivirus software.
NOTE: If you forget to copy to the clipboard, you can find the log here:
C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

===================================
Please follow with the steps in the Preliminary Virus and Malware Removal thread HERE

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

HappyD1717 · Mar 9, 2011

New Scan

I'm fairly certain this is a false positive after reading (after I posted here) a whole bunch of Win32/Heur finds among game files all over AVG's forums and such. But I did do the scan you suggested and my results came back clean for the file but it find things my AVG did but I had scanned in other places and they said it was fine but I'm no virus expert.
Here's the issues, none of them are the said file from the first post:
C:\Users\Sally\AppData\Local\Temp\jar_cache8061832944302896600.tmp multiple threats
C:\Users\Sally\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\3a9c5000-3855589f
probably a variant of Win32/Agent.FPEXZHL trojan
C:\Users\Sally\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\160ba957-15d46ed5
multiple threats
C:\Users\Sally\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\170f8765-23a5bf0f
probably a variant of Win32/Agent.HRYTTOE trojan

I guess that's in then, I'll handle these things above but I guess the other thing must be a false positive. Thanks for the help!

Bobbye · Mar 9, 2011

I would prefer if you give me the entire logs- not excerpts:

Please download OTMovit by Old Timer and save to your desktop.
Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
Code:
:Files 
C:\Users\Sally\AppData\Local\Temp\jar_cache8061832944302896600.tmp 
C:\Users\Sally\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\0\3a9c5000-3855589f
C:\Users\Sally\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\23\160ba957-15d46ed5
C:\Users\Sally\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\37\170f8765-23a5bf0f
:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.

Click the red Moveit! button.

A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=====================================
To clear the Java Plug-in cache:

[1]. Click Start > Control Panel.
[2]. Double-click the Java icon in the control panel. The Java Control Panel appears.

[3].Click Settings under Temporary Internet Files.The Temporary Files Settings dialog box appears.
[4] Click Delete Files.The Delete Temporary Files dialog box appears.

There are three options on this window to clear the cache.Check all.

. Delete Files

.View Applications

.View Applets
[5]. Click OK on Delete Temporary Files window.
Note: This deletes all the Downloaded Applications and Applets from the cache.
[6]. Click Apply> OK on Temporary Files Settings window.

Note: If you want to delete a specific application and applet from the cache, click on View Application and View Applet options respectively.
=================================
I'm not sure what is happening with AVG/Win32/Heur: What we always have to be concerned with when there is this finding is that it frequently indicates a Virut infection- a nasty file infector. It can possibly indicate another file infector, Ramnit, so we aways have to take it seriously.

You should know though that game files and downloads frequently contain malware.

Please go ahead with the scans in the removal thread I left. That will show me what is on the system.

Bobbye · Mar 11, 2011

Please check my post here: http://www.techspot.com/vb/topic162350.html

HappyD1717 · Mar 11, 2011

Issue has been resolved

AVG's newest update solved the problem I haven't been having anymore issues, those other things that were found from the scan have been taken care of as well, thanks for all the help

Bobbye · Mar 11, 2011

You're very welcome! That's good to hear! This is not the frst time AVG has done this!

You can remove OTM if it's still on the system. I think that was all you used.

TechSpot

[Solved] Win32 Heur

HappyD1717 Newcomer, in training

Bobbye Helper on the Fringe

HappyD1717 Newcomer, in training

Bobbye Helper on the Fringe

Bobbye Helper on the Fringe

HappyD1717 Newcomer, in training

Bobbye Helper on the Fringe