Hi, I can't seem to get rid of this win32 heur virus. AVG 8 keeps detecting a threat, first I couldn't turn on my automatic updates, I ran a combofix, and it fixed that problem. but the problem of the 'threat' is still being detected by AVG. it said it was my uniblue spyeraser, so I uninstalled it, which did nothing. Ran virus detector in safe mode- it did nothing. I need help removing this please!
Copy of Virus Vault

Resident Shield detection
Infection;"Object";"Result";"Detection time";"Object Type";"Process"
Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP411\A0058563.dll";"Moved to Virus Vault";"5/29/2008, 8:19:57 AM";"file";"C:\WINDOWS\System32\svchost.exe"
Virus found Win32/Heur;"C:\system volume information\_restore{97b25540-b35d-443e-bb0e-ff34b8745f05}\rp406\a0058310.dll";"Moved to Virus Vault";"5/29/2008, 6:34:03 AM";"file";"C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe"
Potentially harmful program Fake_AntiSpyware.TS;"C:\DOCUME~1\Karen\LOCALS~1\Temp\7zS10.tmp\SpywareRemov er\TCL.dll";"Added to PUP exceptions";"5/29/2008, 6:04:59 AM";"file";"C:\WINDOWS\system32\msiexec.exe"
Potentially harmful program Fake_AntiSpyware.TS;"C:\DOCUME~1\Karen\LOCALS~1\Temp\7zS5.tmp\SpywareRemove r\TCL.dll";"Moved to Virus Vault";"5/29/2008, 6:03:08 AM";"file";"C:\WINDOWS\system32\msiexec.exe"
Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP406\A0058310.dll";"Infected";"5/29/2008, 5:09:09 AM";"file";"C:\WINDOWS\System32\svchost.exe"
Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP406\A0058310.dll";"Infected";"5/29/2008, 4:15:44 AM";"file";"C:\WINDOWS\System32\svchost.exe"
Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP406\A0058310.dll";"Infected";"5/29/2008, 3:55:56 AM";"file";"C:\WINDOWS\System32\svchost.exe"
Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP404\A0058167.dll";"Moved to Virus Vault";"5/29/2008, 1:58:42 AM";"file";"C:\WINDOWS\System32\svchost.exe"
Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP404\A0058167.dll";"Infected";"5/28/2008, 9:09:48 PM";"file";"C:\WINDOWS\System32\svchost.exe"
Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP404\A0058166.dll";"Moved to Virus Vault";"5/28/2008, 8:03:30 PM";"file";"C:\WINDOWS\System32\svchost.exe"
Virus found Win32/Heur;"C:\WINDOWS\system32\fccbCRHw.dll";"Moved to Virus Vault";"5/28/2008, 5:56:47 PM";"file";"C:\WINDOWS\system32\winlogon.exe"
Virus found Win32/Heur;"C:\WINDOWS\system32\fccbCRHw.dll";"Moved to Virus Vault";"5/28/2008, 5:56:47 PM";"file";"C:\WINDOWS\Explorer.EXE"
Virus found Win32/Heur;"C:\WINDOWS\system32\fccbCRHw.dll";"Infected";"5/28/2008, 5:25:16 PM";"file";"C:\WINDOWS\system32\winlogon.exe"
Virus found Win32/Heur;"C:\WINDOWS\system32\fccbCRHw.dll";"Infected";"5/28/2008, 5:24:46 PM";"file";"C:\WINDOWS\system32\winlogon.exe"
Virus found Win32/Heur;"C:\WINDOWS\SYSTEM32\RGWHWDFT.DLL";"Infected";"5/28/2008, 5:14:40 PM";"file";""
Virus found Win32/Heur;"C:\WINDOWS\SYSTEM32\RGWHWDFT.DLL";"Infected";"5/28/2008, 5:14:39 PM";"file";""
Virus found Win32/Heur;"C:\WINDOWS\system32\yayyAPIX.dll";"Infected";"5/28/2008, 4:56:56 PM";"file";"C:\PROGRA~1\MOZILL~1\FIREFOX.EXE"
Virus found Win32/Heur;"C:\WINDOWS\SYSTEM32\RGWHWDFT.DLL";"Infected";"5/28/2008, 4:56:24 PM";"file";""
Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP404\A0058167.dll";"Moved to Virus Vault";"5/28/2008, 11:54:18 PM";"file";"C:\WINDOWS\System32\svchost.exe"
Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP404\A0058167.dll";"Moved to Virus Vault";"5/28/2008, 10:54:18 PM";"file";"C:\WINDOWS\System32\svchost.exe"
Virus found Win32/Heur;"C:\System Volume Information\_restore{97B25540-B35D-443E-BB0E-FF34B8745F05}\RP404\A0058167.dll";"Moved to Virus Vault";"5/28/2008, 10:42:18 PM";"file";"C:\WINDOWS\System32\svchost.exe"

AVG is getting ridiculous, it detects a number of the tools that we use as malicious. There are bad entries in the above log, but this is one of the downsides to the new AVG -> from their site

" An "ActiveX Compatibility" registry key is a result of the "Immunize" function included in some anti-spyware programs (e.g.: "Spybot search & destroy", "Spyware blaster",...)

The key contains the same registry entries as the actual threats, thus preventing them from working correctly. Some anti-spyware programs use this method to prevent launching of the malware. Unfortunately, these parts are still detected by AVG signatures and that is why AVG marks them as infected.

To assure protection provided by AVG against these threats, it is not possible to remove such signatures from AVG virus bases.
Because of this, "Immunize" function included in above mentioned softwares is NOT compatible with AVG products."

-------------------------------------------------------------

Can you attach your combofix log here.

Click reply
Click the arrow next to the paperclip icon above your reply
Navigate to C:\Combofix.txt and upload it here

Combofix txt.

Attached Files

ComboFix.txt (9.2 KB, 92 views)

I need a Hijackthis log as well, we are probably going to delete a 020

Highjackthis Instructions

• Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
• Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
• After installing, the program launches automatically, select Scan now and save a log
• After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.

Okay. I also ran another virus scan and it found a vundo virus. AVG says it removed and healed it though, so I guess that is okay?

Attached Files

hijackthis.log (7.6 KB, 37 views)

1) Malwarebytes' Anti-Malware

• Please download Malwarebytes' Anti-Malware to your desktop.
  
• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  • Update Malwarebytes' Anti-Malware
• then click Finish.
• If an update is found, it will download and install the latest version.
• Close MBAM till later in safe mode

-------------------------------------------------------------------------------------
2)Print out or copy and paste into notepad and save it to your desktop to have while in safe mode

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {129FA2A1-408C-4824-83A4-5001581FD01E} - (no file)
O4 - HKLM\..\Run: [LayoutM] KLayMgr.exe
O20 - Winlogon Notify: fccbCRHw - fccbCRHw.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

FileASSASSIN

• Launch Malwarebytes' Anti-Malware
• Select the More Tools Tab
• Under FileASSASSIN select Run Tool
• Navigate to C:\WINDOWS\system32\KLayMgr.exe
• Press Open

Malwarebytes' Anti-Malware

• Launch MBAM
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. please attach this log with your reply
  • If you accidently close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

After that, Reboot, and post a new HijackThis log with MBAM log here in a reply

Took a while for the scan to complete but I got the results. And removed 4 infections

I also now don't have any icons in my system tray- except for time, volume and MSN messenger....used to have a few more than that AVG, Calendar, and have a few more processes running, used to run around 40, now I am up to 47.

And AVG just detected the threat again.

Attached Files

mbam-log-5-29-2008 (21-25-07).txt (1.1 KB, 21 views)

When we uninstall combofix that should go back to normal.

Just to be safe lets run Vundofix then an online scan to see if I am missing anything.


Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
• Click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will reboot your computer, click OK.
• Please attach the C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

------------------------------------------------------

Run Kaspersky Online AV Scanner

Order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

• Read the Requirements and limitations before you click Accept.
• Allow the ActiveX download if necessary.
• Once the database has downloaded, click Next.
• Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
• Click on "My Computer"
• When the scan has completed, click Save Report As...
• Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
• Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Attach the report into your next reply

------------------------------

Attach both logs for me and we can go from there

vundo was not found, still trying to update kaspersky though

Okay, here are my results

sorry. almost forgot this one

Attached Files

	kasp scan.txt (22.2 KB, 20 views)
	New Text Document (2).txt (7.7 KB, 12 views)
	VundoFix.txt (137 Bytes, 12 views)

The only signs of it are in your restore points and combofix quarantine.

The kaspersky also showed Nero 8. Which depending how you got that program could just be a false positive or it could infact be infected. So I will list this as an optional removal. To remove it go to add/remove programs and uninstall Nero 8

Then Delete the following folders:
C:\Documents and Settings\Karen\My Documents\Karen\Downloads\Nero 8
C:\Program Files\Nero 8

----------------------------------------

I will post the clean up instructions for you when I get home from work.

K. I thought I saw Nero in there as a virus. Its gone now.

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

--------------------------------------------------------------------

OTCleanit! by Oldtimer

• Download OTCleanIt
• Click the CleanUp! button.
  • It will go thorugh the list and remove all of the tools it finds and then delete itself (requiring a reboot).

--------------------------------------------------------------------

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

1. Set correct settings for files
   • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View
     
     tab.
   • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
   • If unchecked please check Hide protected operating system files (Recommended)
   • If necessary check "Display content of system folders"
   • If necessary Uncheck Hide file extensions for known file types.
   • Click OK
   
   clear system restore points
   • This is a good time to clear your existing system restore points and establish a new clean restore point:
     • Go to Start > All Programs > Accessories > System Tools > System Restore
     • Select Create a restore point, and Ok it.
     • Next, go to Start > Run and type in cleanmgr
     • Select the More options tab
     • Choose the option to clean up system restore and OK it.
     This will remove all restore points except the new one you just created.
   
   
2. Make your Internet Explorer more secure - This can be done by following these simple
   
   instructions:
   1. From within Internet Explorer click on the Tools menu and then click on Options.
   2. Click once on the Security tab
   3. Click once on the Internet icon so it becomes highlighted.
   4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
         
      2. Change the Download unsigned ActiveX controls to Disable
         
      3. Change the Initialize and script ActiveX controls not marked as safe to Disable
         
      4. Change the Installation of desktop items to Prompt
         
      5. Change the Launching programs and files in an IFRAME to Prompt
         
      6. Change the Navigate sub-frames across different domains to Prompt
         
      7. When all these settings have been made, click on the OK button.
         
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
   5. Next press the Apply button and then the OK to exit the Internet Properties page.
3. Use an AntiVirus Software - It is very important that your computer has an anti-virus
   
   software running on your machine. This alone can save you a lot of trouble with malware in the future.
   
   See this link for a listing of some online & their stand-alone antivirus programs:
   
   Virus, Spyware, and Malware Protection and
   
   Removal Resources
   
   
4. Update your AntiVirus Software - It is imperitive that you update your Antivirus software
   
   at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to
   
   catch any of the new variants that may come out.
   
   
5. Use a Firewall - I can not stress how important it is that you use a Firewall on your
   
   computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this
   
   and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your
   
   risk greatly.
   
   For a tutorial on Firewalls and a listing of some available ones see the link below:
   
   Understanding and Using Firewalls
   
   
   
   
6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit
   
   http://www.windowsupdate.com regularly. This will ensure your
   
   computer has always the latest security updates available installed on your computer. If there are new updates to
   
   install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with
   
   its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus
   
   protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
   
   A tutorial on installing & using this product can be found here:
   
   Using Spybot - Search & Destroy to remove
   
   Spyware , Malware, and Hijackers
   
   
8. Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with
   
   program on a regular basis just as you would an antivirus software in conjunction with Spybot.
   
   A tutorial on installing & using this product can be found here:
   
   Using Ad-aware to remove Spyware, Malware, &
   
   Hijackers from Your Computer
   
   
9. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into
   
   your Internet Explorer settings that will protect you from running and downloading known malicious programs.
   
   A tutorial on installing & using this product can be found here:
   
   Using SpywareBlaster to protect your computer
   
   from Spyware and Malware
   
   
10. Update all these programs regularly - Make sure you update all the programs I have listed
    
    regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

• IE/Spyad <=
  
  IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair
  
  attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you
  
  will still be able to connect to the sites.
• MVPS Hosts file <= The
  
  MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents
  
  your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Google Toolbar <= Get the free
  
  google toolbar to help stop pop up windows.
• Winpatrol <= Download and install
  
  the free version of Winpatrol. a tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious
  
  software

THANK YOU!!!

Your very welcome

BD

Magnificent walk-thru.
I was able to recover a client's computer, which was in total meltdown. It would not even go into safe mode, nor could I boot from the DVD drive. The computer had win32/heur and Vundo. All better! Thanks to both BD for his clear explanations and to KK1, who explained her problem quite intelligently!
Keltie

BD, good day.
I have tried to follow these instructions but my "hijackthis" log file is different as the specified "O4" file is missing. Can you help? I have attached a copy of my hijackthis log file.

Attached Files

hijackthis.log (12.8 KB, 2 views)

I can now be found HERE

I am using the latest vga 8 and tried to cure win 32 heur virus but without success and attached a log file of hijack utility if some one can get me a help before I start formatting my laptop which I don't want to do it at this stage...

Thank you

Attached Files

hijackthis.log (15.6 KB, 3 views)

It's crazy this thread got almost as many views as some of the stickies

Hi!

I might have the same problem. Should I just run it like your walkthrough or you would need to see my hijacklog too??

Thanks a lot..I've been goin crazy with 2 of my laptop infected with this virus...