TechSpot

Win32Heur, Trojan and Vundo

By helpheur
Feb 25, 2009
  1. Hi everyone,
    was after some help for getting rid of this persistent virus. After I realised I had it the first time I abandoned my old system hard drive and redid Windows on a new drive that I was going to use anyway. The only common factor between the two PCs is my files drive, which I AVG'd prior to putting it in the new one (no results, don't have a log though) and some RAM which I switched over, so guessing it's in my files from the old computer, not just limited to the system files as I thought. Anyway, after a couple of days plain sailing it showed up again out of the blue. I use AVG Free, but the resident shield can't do much against most of this stuff, and complete scans don't seem to have much effect. So I found some threads on your site which are almost what I'm after, but seem tailored to specific circumstances. I've run the 8 steps (I think). I'm repeatedly seeing Heur, which is in system32, as well as some trojan.agent files and a Vundo. Only problem with the steps was that SUPERAntiSpyware needed to be run in Safe Mode, otherwise the computer would restart halfway through the scan. Hoping the logs give a better picture than me; help would be much appreciated.
    Cheers
     

  2. cubyong

    cubyong TS Rookie Posts: 45

    try getting rid of these with hijackthis.

    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
    O23 - Service: QoS RSVP (RSVP) - Unknown owner - C:\WINDOWS\system32\rsvp.exe (file missing)
    O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
     
  3. helpheur

    helpheur TS Rookie Topic Starter

    OK, have Fixed those files, now running the 8 steps through again - will post logs when I get back later tonight.
     
  4. helpheur

    helpheur TS Rookie Topic Starter

    Was offline there for a while. OK, I fixed those files but it doesn't seem to have helped; here are my logs. I had to reinstall some Windows things using the original CD, and SUPERAntiSpyware still doesn't work unless I'm in Safe Mode.

    PS, I'm not really noticing any ill effects, like last time when it was restarting itself sometimes, but of course I still want to get rid of this stuff.
     
  5. Devashish

    Devashish TS Rookie

    "C:\WINDOWS\system32\wwgezjcn.dll";"Virus found Win32/Heur";"Infected"

    As you can see, the wwgezjcn.dll file is infected with Win32/Heur.

    AVG does not remove this virus.
    Every time I try, it demands a reboot and then nothing happens.
    Somebody please HELP.....!!!

    What problems can this infection cause to my PC....?
    And how can I get rid of it..??
     
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    OK sorry you were missed!

    Do the below steps.

    Run HJT Scan only and select and Fix all lines listed below
    Any line that has (file missing) at the END of the line and...
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    Download SDFix to Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On the Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to the desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished,
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.
    =========================================
    Download ComboFix

    NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    Mike

    Devashish

    Create your own new thread and post this, and I or someone else will be by to help you.

    Hijacking someone else's thread is not allowed!

    mike
     
  7. helpheur

    helpheur TS Rookie Topic Starter

    Hi Mike, thanks for helping out.
    I think the computer has undergone some changes since my last logs posting; when I run HijackThis it isn't finding the same stuff as last time. I've turned off AVG's resident shield now, and will try to keep things the same. Here's the HijackThis log I just ran. As you can see there are a lot fewer (file missing)s, but I have no idea what that means.
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    I know that!

    You are not clean yet!

    Not interested in HJT log at this time, HJT being clean hardly means anything to me at this point.

    Get me the SDFix and ComboFix in my last post if you want all fixed!

    Mike
     
  9. helpheur

    helpheur TS Rookie Topic Starter

    Okay, tried running both those programs - Combofix worked fine, log is attached, but SDFix did not. I ran RunThis.bat in safe mode but 2 seconds after starting I get a blue error screen. Will write what it said on the off chance that it is useful.

    A problem has been detected and Windows has been shut down to prevent further damage to your computer.
    PAGE_FAULT_IN_NONPAGED_AREA
    (then some stuff, bla bla bla)

    Technical Information:
    ***STOP: 0x00000050 (0xFFFFFFFE, 0x00000000, 0x866E5ECA, 0x00000000)
    Beginning dump of physical memory
    Dumping physical memory to disk: (1-100%)
     
  10. mflynn

    mflynn TS Rookie Posts: 2,655

    And after seeing the ComboFix I understand why!

    You have some real nasties and need to nip them in the Bud!

    Go here Download DrWeb http://www.techspot.com/vb/post724044-3.html

    Then....

    Boot to Safe Mode only! Not with Networking and run...

    DrWeb will first do an Express Scan on its own; when it completes you should do a full scan.

    The first Virus it finds select Cure and do the same for all the rest.

    This will take hours but is your best chance at this point!

    Mike
     
  11. helpheur

    helpheur TS Rookie Topic Starter

    OK that seemed to work fine. Found a whole lot of stuff (1581 infected I think) and hopefully did something about them. After it ran I had to re-install windows using the CD again because I couldn't connect to the internet. I will run my other scans tomorrow to see what I find, thought I'd post these results in before I go to bed.
    So more logs to follow!
    PS, the DrWeb scans are both results of complete scans, I ran it twice and thought both reports might be handy.
     
  12. mflynn

    mflynn TS Rookie Posts: 2,655

    Good morning

    By reinstall do you mean a Repair install (I hope)!

    Run HJT Scan only and select and Fix all lines listed below
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
    O4 - HKCU\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
    O4 - HKUS\S-1-5-18\..\Run: [lfzyunyw.exe] C:\WINDOWS\lfzyunyw.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [xlpgzmbs.exe] C:\WINDOWS\xlpgzmbs.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [jrfusnan.exe] C:\WINDOWS\jrfusnan.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [phnvrwtk.exe] C:\WINDOWS\phnvrwtk.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [fprxvhdl.exe] C:\WINDOWS\fprxvhdl.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [lfzyunyw.exe] C:\WINDOWS\lfzyunyw.exe (User 'Default user')

    After the above and because of the removals by DrWeb we need new scans in this order.

    1. MBAM
    2. SAS
    3. ComboFix

    Mike
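    Added example, not from this thread or from HijackThis itself: a small Python triage script over HijackThis-style O4 (Run key) and O23 (Service) lines like the ones cubyong and mflynn asked the poster to fix. It parses each line and applies the structural checks a responder makes by eye: an autorun image sitting directly in C:\WINDOWS rather than a subfolder, a filename such as services.exe that shadows a core system32 binary from another folder, a SYSTEM or Default-profile Run key pointing outside system32, and a service or autorun whose file is missing. It deliberately does not try to judge whether a name like lfzyunyw.exe "looks random"; the directory and hive rules catch those entries anyway. The sample log is constructed from lines quoted in this thread plus a stock ctfmon entry and the tscuninstall RunOnce line as benign controls; the list of system32-only binaries is an assumption based on a stock Windows XP layout.

    ```python
    import re
    from collections import namedtuple

    Finding = namedtuple("Finding", "line kind image reasons")

    # Constructed sample log: O4/O23 lines quoted in this thread, plus a stock
    # ctfmon entry and the tscuninstall RunOnce line as benign controls.
    SAMPLE_HJT_LOG = r"""O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
    O4 - HKUS\S-1-5-18\..\Run: [lfzyunyw.exe] C:\WINDOWS\lfzyunyw.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [jrfusnan.exe] C:\WINDOWS\jrfusnan.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
    O23 - Service: QoS RSVP (RSVP) - Unknown owner - C:\WINDOWS\system32\rsvp.exe (file missing)
    """

    # O4 - <hive>\..\<key>: [<name>] <command> (User '<user>')   (user part optional)
    O4_RE = re.compile(
        r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] "
        r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
    )
    # O23 - Service: <display> (<svc>) - <owner> - <path> (file missing)   (tail optional)
    O23_RE = re.compile(
        r"^O23 - Service: (?P<display>.*) \((?P<svc>[^)]+)\) - (?P<owner>.*?) - "
        r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
    )

    WINDOWS_ROOT = r"C:\WINDOWS"
    SYSTEM32 = r"C:\WINDOWS\SYSTEM32"
    # Assumption: core binaries that live only under system32 on stock XP;
    # a same-named file elsewhere is a lookalike.
    SYSTEM32_ONLY = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


    def image_path(cmd: str) -> str:
        """Return the executable path from a Run-key command, dropping arguments."""
        cmd = cmd.replace("%systemroot%", WINDOWS_ROOT)
        if cmd.startswith('"'):
            return cmd[1:].split('"', 1)[0]
        return cmd.split(" ", 1)[0]


    def triage_o4(m: re.Match, lineno: int) -> Finding:
        """Apply the structural autorun checks to one parsed O4 line."""
        path = image_path(m["cmd"])
        folder, _, fname = path.rpartition("\\")
        folder = folder.upper()
        reasons = []
        if folder == WINDOWS_ROOT:
            reasons.append("autorun image sits directly in the Windows root")
        if fname.lower() in SYSTEM32_ONLY and folder != SYSTEM32:
            reasons.append("filename shadows a core system32 binary from another folder")
        if m["user"] in ("SYSTEM", "Default user") and folder != SYSTEM32:
            reasons.append("SYSTEM/Default profile Run key points outside system32")
        if "(file missing)" in m["cmd"]:
            reasons.append("stale entry: file missing")
        return Finding(lineno, "O4", path, reasons)


    def triage_o23(m: re.Match, lineno: int) -> Finding:
        """Flag a service entry whose image no longer exists on disk."""
        reasons = []
        if m["missing"]:
            reasons.append("service points at a file that no longer exists")
        return Finding(lineno, "O23", m["path"], reasons)


    def triage(log_text: str) -> list:
        """Parse O4/O23 lines and return only the entries that tripped a rule."""
        findings = []
        for lineno, line in enumerate(log_text.splitlines(), 1):
            line = line.strip()
            if (m := O4_RE.match(line)):
                f = triage_o4(m, lineno)
            elif (m := O23_RE.match(line)):
                f = triage_o23(m, lineno)
            else:
                continue  # other HJT sections are not handled here
            if f.reasons:
                findings.append(f)
        return findings


    if __name__ == "__main__":
        for f in triage(SAMPLE_HJT_LOG):
            print(f"line {f.line} {f.kind} {f.image}: {'; '.join(f.reasons)}")
    ```

    On the sample above the script flags the services.exe lookalike, the two SYSTEM-profile entries in the Windows root and both missing-file services, and leaves the ctfmon and tscuninstall lines alone. The rules are indicators for a human to confirm, not a verdict: a flagged line still has to be checked against the file on disk before it is "Fixed".
    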
     
  13. helpheur

    helpheur TS Rookie Topic Starter

    Woohoo - looking heaps better.
    I ran a M-AntiMalware before getting your post, so I've included both those logs. Here's the order I did things in (logs will also appear in chronological order). I also ran an AVG complete scan, so here's that as well.
    MBAM
    HJT
    MBAM
    SAS
    ComboFix
    AVG
    HJT again, in case you needed a scan after all that.
    Will run another post to get in all the files. I'm hoping that the major problems are over?

    (please lengthen your message to at least 10 characters)

    That last post's text was not directed at you; I was just repeating the popup message after I tried posting the attachments with no text, and just realised how it might sound.
    Cheers

    Josh
     
  14. mflynn

    mflynn TS Rookie Posts: 2,655

    Good morning Josh

    I understood about the message no problem. Glad things are coming together.

    In post #15 MBAM was clean.

    But SAS and ComboFix had found/removed items.

    We need new runs with SAS and ComboFix to confirm clean logs.

    Also, since so much has been fixed we need to try SDFix again. But uninstall it first by deleting it from the desktop, then removing the SDFix folder that contains the RunThis.bat.

    Then re-download SDFix, reinstall and run. Attach the log!

    Mike
     
  15. helpheur

    helpheur TS Rookie Topic Starter

    Hi Mike,
    All running pretty smooth now - I ran through as directed, and SDFix is working fine now.
    Will attach the first three scan logs with this post, and the 'clean' scan logs with the next.

    Thanks heaps for your help; my computer would have been a goner without it. Are there any other things that I need to do to clean up? For the future, is AVG usually OK protection against this stuff?

    Cheers for all the help,
    Josh
     
  16. mflynn

    mflynn TS Rookie Posts: 2,655

    You still have signs, likely just leftovers.

    Download Virut Remover, 2 files rnvirut.exe and rmvirut.nt (DrWeb cured many, perhaps all of this, but let's be sure) http://free.avg.com/virus-removal.ndi-67762

    Actually AVG has fallen behind.

    We now advise Avira (get it in the 8 steps), but uninstall AVG first and then run the AVG cleaners before installing Avira.

    Avira is better.

    Here are the steps.

    In Add/Remove programs first uninstall AVG.

    Reboot

    Then download and run the below

    First get CCleaner from the 8 Steps http://www.techspot.com/vb/topic58138.html

    AVG remover and run: http://www.grisoft.cz/filedir/util/avg_arm_sup_____.dir/avgremover.exe

    Download extract and run Kleaner http://support.kaspersky.com/downloads/products2009/avg8.zip

    Then run CCleaner Temps and Registry twice or more until no more are found.

    Now install Avira!

    Do an immediate full scan after updating. It is so much better; expect some found issues.

    Mike
     
  17. cubyong

    cubyong TS Rookie Posts: 45

    no, get rid of avg, make sure u get rid of it all! if u search in the threads u can find the grisoft website (i think) to completely remove avg. get avira or avast as your anti-virus. as suggested by mflynn before who helped me, download threatfire as well. it is a good programme.
     
  18. helpheur

    helpheur TS Rookie Topic Starter

    OK, was away on holiday for the weekend.

    I ran through those steps no problem. Did you know there is a new CCleaner, a more recent update than the link from the 8 steps gives you? An update message popped up when I opened CCleaner. I just ran with the original, but thought you might want to know; find it at
    http://www.filehippo.com/download_ccleaner/

    I also did away with AVG, and Avira seems to be working fine; it found a couple of things with the first scan. I'm also running Comodo. I was wondering, should I keep MBAM, SAS, ComboFix, SDFix or HJT?

    I'll attach the Avira log in case there are any other problems; the rmvirut log is too big, won't chop it up and send it unless you think I should.

    Cheers,
    Josh
     
Topic Status:
Not open for further replies.
