Win32Heur, Trojan and Vundo


helpheur

Hi everyone,
I was after some help for getting rid of this persistent virus. After I realised I had it the first time, I abandoned my old system hard drive and redid Windows on a new drive that I was going to use anyway. The only common factor between the two PCs is my files drive, which I AVG'd prior to putting it in the new one (no results, don't have a log though) and some RAM which I switched over, so I'm guessing it's in my files from the old computer, not just limited to the system files as I thought. Anyway, after a couple of days of plain sailing it showed up again out of the blue. I use AVG Free, but the resident shield can't do much against most of this stuff, and complete scans don't seem to have much effect. So I found some threads on your site which are almost what I'm after, but seem tailored to specific circumstances. I've run the 8 steps (I think). I'm repeatedly seeing Heur, which is in system32, as well as some Trojan.Agent files and a Vundo. The only problem with the steps was that SUPERAntiSpyware needed to be run in Safe Mode, otherwise the computer would restart halfway through the scan. Hoping the logs give a better picture than me; help would be much appreciated.
Cheers
 

Attachments

  • hijackthis.log (6.2 KB)
  • mbam-log-2009-02-23 (15-51-57).txt (2.5 KB)
Try getting rid of these with HijackThis.

O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: QoS RSVP (RSVP) - Unknown owner - C:\WINDOWS\system32\rsvp.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
 
OK, have Fixed those files, now running the 8 steps through again - will post logs when I get back later tonight.
 
I was offline there for a while. OK, I fixed those files but it doesn't seem to have helped; here are my logs. I had to reinstall some Windows things using the original CD, and SUPERAntiSpyware still doesn't work unless I'm in Safe Mode.

PS, I'm not really noticing any ill effects, like last time when it was restarting itself sometimes, but of course I still want to get rid of this stuff.
 
"C:\WINDOWS\system32\wwgezjcn.dll";"Virus found Win32/Heur";"Infected"

As you can see, the wwgezjcn.dll file is infected with Win32/Heur.

AVG does not remove this virus.
Every time I try, it demands a reboot and then nothing happens.
Somebody please HELP.....!!!

What problems can this infection cause to my PC....?
And how can I get rid of it..??
 
OK sorry you were missed!

Do the below steps.

Run HJT Scan only and select and Fix all lines listed below
Any line that has (file missing) at the END of the line and...
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
Download ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike

Devashish

Create your own new thread and post this, and I or someone else will be by to help you.

Hijacking someone else's thread is not allowed!

mike
 
Hi Mike, thanks for helping out.
I think the computer has undergone some changes since my last logs posting; when I run HijackThis it isn't finding the same stuff as last time. I've turned off AVG's resident shield now, and will try to keep things the same. Here's the HijackThis log I just ran. As you can see there are a lot fewer (file missing)s, but I have no idea what that means.
 
I know that!

You are not clean yet!

Not interested in HJT log at this time, HJT being clean hardly means anything to me at this point.

Get me the SDFix and ComboFix in my last post if you want all fixed!

Mike
 
Okay, tried running both those programs - Combofix worked fine, log is attached, but SDFix did not. I ran RunThis.bat in safe mode but 2 seconds after starting I get a blue error screen. Will write what it said on the off chance that it is useful.

A problem has been detected and Windows has been shut down to prevent further damage to your computer.
PAGE_FAULT_IN_NONPAGED_AREA
(then some stuff, bla bla bla)

Technical Information:
***STOP: 0x00000050 (0xFFFFFFFE, 0x00000000, 0x866E5ECA, 0x00000000)
Beginning dump of physical memory
Dumping physical memory to disk: (1-100%)
 
And after seeing the ComboFix I understand why!

You have some real nasties and need to nip them in the Bud!

Go here Download DrWeb https://www.techspot.com/vb/post724044-3.html

Then....

Boot to Safe Mode only! Not with Networking and run...

DrWeb will first do an Express Scan on its own; when it completes you should do a full scan.

The first Virus it finds select Cure and do the same for all the rest.

This will take hours but is your best chance at this point!

Mike
 
OK that seemed to work fine. Found a whole lot of stuff (1581 infected I think) and hopefully did something about them. After it ran I had to re-install windows using the CD again because I couldn't connect to the internet. I will run my other scans tomorrow to see what I find, thought I'd post these results in before I go to bed.
So more logs to follow!
PS, the DrWeb scans are both results of complete scans, I ran it twice and thought both reports might be handy.
 
Good morning

By reinstall do you mean a Repair install (I hope)!

Run HJT Scan only and select and Fix all lines listed below
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKCU\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe
O4 - HKUS\S-1-5-18\..\Run: [lfzyunyw.exe] C:\WINDOWS\lfzyunyw.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [xlpgzmbs.exe] C:\WINDOWS\xlpgzmbs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [jrfusnan.exe] C:\WINDOWS\jrfusnan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [phnvrwtk.exe] C:\WINDOWS\phnvrwtk.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [fprxvhdl.exe] C:\WINDOWS\fprxvhdl.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [lfzyunyw.exe] C:\WINDOWS\lfzyunyw.exe (User 'Default user')

After the above and because of the removals by DrWeb we need new scans in this order.

1. MBAM
2. SAS
3. ComboFix

Mike
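The O4 lines Mike lists above follow a fixed HijackThis format, so they can be triaged automatically. The following is an added example (not a tool from the thread or from TechSpot): a small Python parser for O4 autorun lines with a few defender-side heuristics taken from this thread (entries in Policies\Explorer\Run, eight-letter random-looking filenames, executables dropped straight into C:\WINDOWS, services.exe outside system32, and autoruns under the SYSTEM or Default user profile). The sample lines are the ones quoted in the thread; the vowel-count rule and the SYSTEM32_ONLY list are my own assumptions.

```python
import re

# One HijackThis O4 (autorun) line: hive, key, [name], command, optional (User '...').
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
SYSTEM32_ONLY = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}  # assumption
# Constructed sample: O4 lines quoted in this thread, plus the dumprep line from Mike's first post.
SAMPLE_O4_LINES = [
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKLM\..\Policies\Explorer\Run: [services] C:\WINDOWS\services.exe",
    r"O4 - HKUS\S-1-5-18\..\Run: [lfzyunyw.exe] C:\WINDOWS\lfzyunyw.exe (User 'SYSTEM')",
    r"O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')",
    r"O4 - HKUS\.DEFAULT\..\Run: [lfzyunyw.exe] C:\WINDOWS\lfzyunyw.exe (User 'Default user')",
    r"O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k",
]

def parse_o4(line):
    """Return the fields of an O4 line as a dict, or None for any other line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def looks_random(stem):
    """Crude check for names like lfzyunyw / wwgezjcn: eight letters with at most two vowels."""
    return len(stem) == 8 and stem.isalpha() and sum(c in "aeiou" for c in stem) <= 2

def triage_o4(line):
    """List the reasons an O4 entry deserves a closer look (empty list = nothing noted)."""
    entry = parse_o4(line)
    if entry is None:
        return []
    cmd = entry["cmd"].strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:   # quoted path followed by arguments
        path = cmd[1:cmd.index('"', 1)]
    else:                                             # unquoted: drop arguments like '0 -k'
        path = cmd.split(" ", 1)[0]
    directory, _, filename = path.lower().rpartition("\\")
    reasons = []
    if "policies\\explorer\\run" in entry["key"].lower():
        reasons.append("Policies\\Explorer\\Run key is rarely used by legitimate software")
    if looks_random(filename.partition(".")[0]):
        reasons.append("eight-letter random-looking filename")
    if directory in ("c:\\windows", "%systemroot%") and filename.endswith(".exe"):
        reasons.append("executable placed directly in the Windows directory")
    if filename in SYSTEM32_ONLY and not directory.endswith("system32"):
        reasons.append(filename + " found outside system32")
    if entry["user"] in ("SYSTEM", "Default user"):
        reasons.append("autorun registered under the '" + entry["user"] + "' profile")
    return reasons
```

A non-empty reason list is a prompt to look closer, not a verdict: the tscupgrd.exe line trips the vowel rule even though it is a Windows file, which is why the helper's judgement still matters.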
 
Woohoo - looking heaps better.
I ran a Malwarebytes Anti-Malware scan before getting your post, so I've included both those logs. Here's the order I did things in (logs will also appear in chronological order). I also ran an AVG complete scan, so here's that as well.
MBAM
HJT
MBAM
SAS
ComboFix
AVG
HJT again, in case you needed a scan after all that.
Will run another post to get in all the files. I'm hoping that the major problems are over?

(please lengthen your message to at least 10 characters)

That last post's text was not directed at you. I was just repeating the popup message after I tried posting the attachments with no text, and just realised how it might sound; it was not directed at you.
Cheers

Josh
 
Good morning Josh

I understood about the message no problem. Glad things are coming together.

In post #15 MBAM was clean.

But SAS and ComboFix had found/removed items.

We need new runs with SAS and ComboFix to confirm clean logs.

Also, since so much has been fixed we need to try SDFix again. But uninstall it first by deleting it from the desktop, then removing the SDFix folder that contains the RunThis.bat.

Then re download SDFix and reinstall and run. Attach log!

Mike
 
Hi Mike,
All running pretty smooth now - I ran through as directed, and SDFix is working fine now.
Will attach the first three scan logs with this post, and the 'clean' scan logs with the next.

Thanks heaps for your help; my computer would have been a goner without it. Are there any other things that I need to do to clean up? For the future, is AVG usually OK protection against this stuff?

Cheers for all the help,
Josh
 
You still have signs, likely just leftovers.

Download Virut Remover, 2 files, rmvirut.exe and rmvirut.nt (DrWeb cured many, perhaps all, of this but let's be sure): http://free.avg.com/virus-removal.ndi-67762

Actually AVG has fallen behind.

We now advise Avira (get it in the 8 steps) but uninstall AVG First and then run the AVG cleaners before installing Avira.

Avira is better.

Here are the steps.

In Add/Remove programs first uninstall AVG.

Reboot

Then download and run the below

First get CCleaner from the 8 Steps https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

AVG remover and run: http://www.grisoft.cz/filedir/util/avg_arm_sup_____.dir/avgremover.exe

Download extract and run Kleaner http://support.kaspersky.com/downloads/products2009/avg8.zip

Then run CCleaner Temps and Registry twice or more until no more are found.

Now install Avira!

Do an immediate full scan after updating. It is so much better expect some found issues.

Mike
 
No, get rid of AVG, make sure you get rid of it all! If you search in the threads you can find the Grisoft website (I think) to completely remove AVG. Get Avira or Avast as your anti-virus. As suggested by mflynn before, who helped me, download ThreatFire as well. It is a good programme.
 
OK, I was away on holiday for the weekend.

I ran through those steps no problem, did you know there is a new CCleaner, a more recent update than the link from the 8 steps gives you - an update message popped up when I opened CCleaner. I just ran with the original, but thought you might want to know - find it at
http://www.filehippo.com/download_ccleaner/

I also did away with AVG, and Avira seems to be working fine; it found a couple of things with the first scan. I'm also running Comodo. I was wondering, should I keep MBAM, SAS, ComboFix, SDFix or HJT?

I'll attach the Avira log in case there are any other problems. The rmvirut log is too big; I won't chop it up and send it unless you think I should.

Cheers,
Josh
 