Blind Dragon
Posts: 3,774 +4
That should do it :grinthumb
AVG finding virus win32 heur
- Thread starter kinkie_kitty1
- Start date
- Status
That should do it :grinthumb
win32/heur!
hi there, my laptop has been infected with the same damn virus, win32/heur!! AND EVERDAY avg keeps detecting and removing the threats, only 4 files ( the same files everyday) and after rebbot, i still can find these 4 files again!!! done much but with no avail.. so here is my HJ log (1st one) ....
please help me!!!
thx
nik
hi there, my laptop has been infected with the same damn virus, win32/heur!! AND EVERDAY avg keeps detecting and removing the threats, only 4 files ( the same files everyday) and after rebbot, i still can find these 4 files again!!! done much but with no avail.. so here is my HJ log (1st one) ....
please help me!!!
thx
nik
I fought this little monster last night. Here is how I beat it.
I have a friend who called me over for pop ups and lockups on his Dell Inspiron desktop running Vista Home Premium. I went there with the old standards, HihackThis, CWShredder, MalwareBytes, combofix, vundofix, etc. I thought 30 minutes and I would be out. But this was no script kitty sissy drop loader, as I would soon find out.
When I arrived, I saw some of the usually malware suspects, Registry Mechanic, SpyDoctor, etc. I removed them and ran CCleaner to get the simple junk out of the way. Each time IE or FireFox was opened, AVG would find a Win32/Huer with a c:\windows\system32\esqullmbxxxwlmxskyrfxoorreqtpqsqpf.dll as the affected file, (this name would very each time). Doing a search for it in Windows would yield no results with hidden files shown. Running AVG or MalwareBytes in normal mode would hard-lock the system. Running ACG in Safe Mode would not pick anything up, and MalwareBytes detected the same file, but under a different infection name, and would lock up again. So knowing where these two files lived, I went to Vista RE command prompt, searched for the files in the system32, and deleted them. I figured I did not get the loader, so I rebooted and sure enough, the 2 dll files reloaded. I tried to track the file through process tracing, but completely stealth.
This is where it got furry.
After the 2nd reboot, I received the message at the desktop that “Windows security processor reported a system file mismatch”, reducing Windows functionality to where explorer would not start. I used the “get more information” link for the validation site to restart explorer.exe from the URL line, and left the functionality error up so the system would not reboot. I opened a command prompt and ran the cscript c:\system32\slmgr.vbs /ilc c:\System32\licensing\ppdlic\Security-Licensing-SLC-ppdlic.xrm-ms to force the product key entry to come back at the next reboot. Once rebooted, I entered the Dell provided product key and fixed that problem. Then I pulled out the big guns.
I ran Rootkit Repeal and Rootkit revealer to track the hidden loader. Rootkit Revealer found no stealth processes, but Rootkit Repeal found the loader under the stealth section. It was hidden in the c:\windows\system32\drivers folder. It had the same esqulbrxxx**** name, but was a .sys file. I went back into RE command prompt, navigated to the directory and got it, along with the 2 dll files it was creating. Rebooted 25 times, ran scans, all clear.
Basically, the loader and the files it creates can only be seen outside of the Windows environment. Just boot to the Vista DVD, choose repair my computer, click on Command Prompt. Type c: and press <Enter>. Then type cd \windows\system32\drivers and press <Enter>. Now type dir *esqu*.sys and press <Enter>. It will show the loader file by itself. Now type del filename you found and press <enter>. Now type cd.. and press <enter>. At the c:\windows\system32 prompt, type dir *esqu*.dll and press <enter>. Follow the same stpe above to delete the two dll files you just found that were created by this loader. Reboot and you should be golden.
I have a friend who called me over for pop ups and lockups on his Dell Inspiron desktop running Vista Home Premium. I went there with the old standards, HihackThis, CWShredder, MalwareBytes, combofix, vundofix, etc. I thought 30 minutes and I would be out. But this was no script kitty sissy drop loader, as I would soon find out.
When I arrived, I saw some of the usually malware suspects, Registry Mechanic, SpyDoctor, etc. I removed them and ran CCleaner to get the simple junk out of the way. Each time IE or FireFox was opened, AVG would find a Win32/Huer with a c:\windows\system32\esqullmbxxxwlmxskyrfxoorreqtpqsqpf.dll as the affected file, (this name would very each time). Doing a search for it in Windows would yield no results with hidden files shown. Running AVG or MalwareBytes in normal mode would hard-lock the system. Running ACG in Safe Mode would not pick anything up, and MalwareBytes detected the same file, but under a different infection name, and would lock up again. So knowing where these two files lived, I went to Vista RE command prompt, searched for the files in the system32, and deleted them. I figured I did not get the loader, so I rebooted and sure enough, the 2 dll files reloaded. I tried to track the file through process tracing, but completely stealth.
This is where it got furry.
After the 2nd reboot, I received the message at the desktop that “Windows security processor reported a system file mismatch”, reducing Windows functionality to where explorer would not start. I used the “get more information” link for the validation site to restart explorer.exe from the URL line, and left the functionality error up so the system would not reboot. I opened a command prompt and ran the cscript c:\system32\slmgr.vbs /ilc c:\System32\licensing\ppdlic\Security-Licensing-SLC-ppdlic.xrm-ms to force the product key entry to come back at the next reboot. Once rebooted, I entered the Dell provided product key and fixed that problem. Then I pulled out the big guns.
I ran Rootkit Repeal and Rootkit revealer to track the hidden loader. Rootkit Revealer found no stealth processes, but Rootkit Repeal found the loader under the stealth section. It was hidden in the c:\windows\system32\drivers folder. It had the same esqulbrxxx**** name, but was a .sys file. I went back into RE command prompt, navigated to the directory and got it, along with the 2 dll files it was creating. Rebooted 25 times, ran scans, all clear.
Basically, the loader and the files it creates can only be seen outside of the Windows environment. Just boot to the Vista DVD, choose repair my computer, click on Command Prompt. Type c: and press <Enter>. Then type cd \windows\system32\drivers and press <Enter>. Now type dir *esqu*.sys and press <Enter>. It will show the loader file by itself. Now type del filename you found and press <enter>. Now type cd.. and press <enter>. At the c:\windows\system32 prompt, type dir *esqu*.dll and press <enter>. Follow the same stpe above to delete the two dll files you just found that were created by this loader. Reboot and you should be golden.
AVG detected Trojans yesterday and today Viruses or both
:dead: The day before yesterday and yesterday my AVG 8.5 resident shield kept detecting the Trojan Horse Vundu.JB then today muliple detection of Virus win32/Heur and Virus win32/Virut.
I want to do the 8 steps described and recommended for virus removal but I cannot update my AVG 8.5 and the anti-virus itseld seems to be not responding and even crashing to desktop.
Kindly guide me through the steps.
I'm connected to a domain server.
Thank you
:dead: The day before yesterday and yesterday my AVG 8.5 resident shield kept detecting the Trojan Horse Vundu.JB then today muliple detection of Virus win32/Heur and Virus win32/Virut.
I want to do the 8 steps described and recommended for virus removal but I cannot update my AVG 8.5 and the anti-virus itseld seems to be not responding and even crashing to desktop.
Kindly guide me through the steps.
I'm connected to a domain server.
Thank you
- Status
Similar threads
Latest posts
-
Apple Vision Pro is facing declining interest and sales among consumers- Atmajaya2020 replied
-
SuperAntiSpyware problem- learninmypc replied
