Help with removing Win32/Heur virus

Status
Not open for further replies.
Ok, I tried running that website. It won't let me run. Any antivirus scan websites won't work, whereas every other one is fine, like Google etc. When I tried running, Avast picked up id12.exe as a Win32:JunkPoly [Cryp].

When I was running, IExplorer, a few applications started terminating themselves. Also, the shortcuts on my quick launch bar, such as show desktop and Windows Media Player, are gone now. So I don't know what's going on.

I tried the ESET scan; Internet Explorer won't let me go to that page. I can hop on to any other page like Google etc., but not any antivirus websites: AVG, Avira, or any site I put in that is an antivirus site. It doesn't load at all. That's why I have not posted up the log, because I can't.
 
Okay, we need to get together on this:

From 3 of your replies: With my reply back:

Once copied, I renamed it to asd.exe. Reply #12
You missed the point here. IF you do have Virut, putting a file extension of .exe on will allow Virus to infect it!

!! ALERT !! it is not safe to continue. The contents of the combofix package have been compromised. Reply #15
So you get this message because it is infected.

I uninstalled AVG. And installed the Avast antivirus one instead, and updated it. Is that OK? Reply #19
Yes, it's okay. But you said you couldn't get on any AV sites! IF you got Avast, do a full system scan, save it and attach it.

About Virut: File infectors will typically infect many executables on a system, as well as others connected (via shares, USB drives). So, cleansing can be a bit of a process since it is not just registry entries and one or two loaded components on boot; every single infected file must be cleaned -

The following image might explain it better and unfortunately, you will see familiar entries:
[Image: viruxdiag.jpg]

Image source: Raymond CC Forum
More background here: http://www.infopackets.com/news/security/2009/20090216_new_malware_virux_spreading_rampant_in_us.htm
 
I downloaded Avast from my brother's computer. ComboFix and all that, I downloaded it all from my brother's computer, put it on a USB and put it on my computer.

When I rename it to something like asdf.html or something, it tries to run it through Internet Explorer. I'll try renaming it to mpg or jpg and see how that goes.

Also, previously I downloaded a Virut cleansing program from AVG and a Symantec Virut virus cleaner. Ran both. But I don't know if there was any luck.

That .txt that I attached through fileden is the Avast log from the scan I did.
 
No luck, ComboFix won't run if I rename it to like jpg or something. It would try to open up in picture manager etc. As mp3, it would try to open in media player.

So what am I headed for? A reformat?
 
Can you get me a scan from Avast? Just save the log and attach here. You can't use a file extension that uses a particular application to open, like a photo viewer or a music player. You "might" be able to change the "Open With" but I doubt it with a file extension that specific.

Get me an AV scan.

I'm going to ask kritius if he knows a way around this, but try the AV scan. If you cannot get that, then I will recommend the reformat/reinstall under the assumption it's Virut.
 
Sorry about the delay, bobbye. But here are the log files for my Avast scan and HJT.
There are a few entries when scanned by HJT that came up with file missing; after I ticked them and clicked "Fix checked", they still reappear.

But here they are. The Avast scan seems to not pick up any Virut infections. I guess that's a good sign?

Ok, the Avast log won't upload; apparently the file is too big. So I uploaded it to fileden.
Here is the link to it
http://www.fileden.com/getfile.php?...eden.com/files/2006/10/2/255544/Avast Log.txt



The fileden link right there is the Avast log of the last scan I did. It is a 700kb txt file; that's why I uploaded it with fileden.
 
I'm not going to open that large log. As I mentioned before, a log this large would indicate serious problems.

Please Download Dr.Web CureIt! HERE

    [1] Run the utility and press the "Start" button in the opened window.
    [2] Confirm the launch by pressing the "OK" button and wait for the scanning results of the main memory and startup files.
    [3] Select the Complete scan or the Custom scan mode (in the latter case, select the necessary objects you want to scan).
    [4] Press the "Start scanning" button on the scanner right.
    [5] When you call the utility, you can specify parameters for the scanner in the command line, i.e. to specify the objects for scanning or/and modify the scanning modes different from the default ones.
    [6] When being scanned, infected files are cured, incurable files are moved to the quarantine directory.
    [7] When the scanning is finished, the log file and the quarantine are not deleted.

Please attach log on next reply.
 
Sorry for the late reply, been busy with work on the weekend. I think I'm gonna reformat it. It is a pain in the rear. Files are changing, and on my quick start menu some of the icons deleted themselves. I have 4 partitioned drives. If I just reformat the C: drive where Windows is, should I be good to go with the virus gone, or is there still a chance it is still hanging around somewhere?
 
I haven't reformatted my computer yet. But with this Virut and Heur virus, should I be right if I just reformat the C:\???
 
For some reason, I'm not getting some of the feedback emails when there is a reply.

IF you do have the Virut malware, reformatting is the best way to go. Can I tell you it will be gone if you just reformat the C drive? No. It's going to depend what's on the other drives and if any of the infected files got in. You'll be reformatting the operating system on the C drive, right?

From McAfee:
Overview -

W32/Virut.a is an appending virus. This file infector infects .exe and .scr files by attaching its encrypted code to the end of the file.

The encrypted code contains IRCBot functionality.

Characteristics -

When W32/Virut.a is executed it injects its code into all running processes

W32/Virut.a opens up backdoor at port 65520 on the compromised machine.

This virus tries to connect to IRC servers located at :

* proxima.ircgalaxy.

Another consideration is where are the System Restore files? If malware is in the restore points and the restore points are used, it can reinfect the system. I would think they are on the C drive, but I don't know this.

The IRCBot functionality can allow a remote attacker to:
• Download and execute arbitrary files
• Scan for vulnerable ports on target machines
• Attempt to infect a target vulnerable machine
• Update the bot on the infected machine

So you will need to be sure that any area- drive- on the machine is cleaned.
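
An added example (not part of the thread or of McAfee's write-up): one way to check `netstat -ano` output for a listener on port 65520, the backdoor port named in the McAfee overview quoted above. The sample output and the function names are constructed for illustration, and English-language netstat state names are assumed.

```python
VIRUT_BACKDOOR_PORT = 65520  # port named in the McAfee overview quoted above

# Constructed sample of `netstat -ano` output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    0.0.0.0:65520          0.0.0.0:0              LISTENING       1412
  TCP    192.168.1.20:1057      203.0.113.9:65520      ESTABLISHED     2200
  TCP    [::]:65520             [::]:0                 LISTENING       1412
  UDP    0.0.0.0:65520          *:*                                    700
"""


def port_of(endpoint):
    """Return the port of an 'addr:port' or '[v6]:port' endpoint, or None."""
    _, _, port = endpoint.rpartition(":")
    return int(port) if port.isdigit() else None


def find_backdoor_listeners(netstat_text, port=VIRUT_BACKDOOR_PORT):
    """Return sorted (local_address, pid) pairs for TCP sockets LISTENING on port."""
    hits = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have five columns: proto, local, foreign, state, pid.
        # Header lines and UDP rows (four columns, no state) are skipped.
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        _, local, _, state, pid = fields
        # Only a local listener counts; an outbound connection to a remote
        # port 65520 is a different event and is not reported here.
        if state == "LISTENING" and port_of(local) == port and pid.isdigit():
            hits.add((local, int(pid)))
    return sorted(hits)


if __name__ == "__main__":
    for local, pid in find_backdoor_listeners(SAMPLE_NETSTAT):
        print(f"listener on {local} owned by PID {pid}")
```

Because the overview says the code is injected into all running processes, the PID reported for a hit may belong to an otherwise legitimate program, so a hit is a reason to treat the whole machine as infected rather than to kill one process.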
 
Ohhh ok. On all my other drives, it has games, music, pictures\photos and that. That's about it really. The system restore files: if I unticked the box to have system restore on, do I just clear it by using the Windows disk cleanup?

Also, Avast hasn't picked up anything that has been infected by the Virut virus. I have used Avast to scan several times, but it does not come up with it.
 
How do I get rid of my system restores? Also, should I be worried about the compressed old files?
 
Ok, I just did a scan just for the hell of it with Spybot. Found 3 things that are on my computer. Forgot what they were called. But one of the ones I fixed was a trojan that blocks all security and internet antivirus sites. I am going to try that online scan; I'll post up the results as soon as I can. See what you see, bobbye.
 
Ok, I tried going online to do that ESET scan. Did not happen. Still blocked the website. Updated Avast. And now it thinks everything in my windows\system32 folder that has .exe on it is a virus\trojan. Keeps on coming up with win32:vitro. That is it, hey? Reformat is the only option?
 
Ok, I definitely need help now. I tried to reformat it. But when I put in the Windows CD etc. and load everything up during restart in the BIOS, when I say install Windows or repair, it says no hard drive is found, please power it on or attach it, or something like that.

My computer now is really, really slow when I restart. "My Computer" won't load; it doesn't show up with my drives etc. But I can access them through "Run". Some programs won't run. I can right-click on the icons in the bottom right-hand corner of the toolbar. Control Panel takes forever to load; once loaded, I try to go in to different things such as add/remove programs, and it says fail and rundll32.exe or something is missing or something. HijackThis won't finish scanning, and I can quit it unless I go in to Task Manager. Also, Spybot picks up pws.ldpinchie and Win32.Ertfor. My computer looks like it is screwed up even worse ever since I tried to go on the net again to do that ESET scan. So I really need help with reformatting now. Can you please help, bobbye?
 