Heur.dropper - some questions

By Superbacon · 4 replies
Jul 6, 2011
  1. Hi,

    I'm running an eMachines netbook. My AVG antivirus has been reporting Heur.dropper. I only got around to installing an antivirus the other day (bad of me, I know), and on the first scan (immediately after installation) it found both Heur and Heur.dropper in with the games bundled with my computer. The reported files were all .exes. Some of the reported infected files were listed as \Bejeweled 2 Deluxe\Bejeweled2-WT.exe:\Bejeweled2-WT.exe or similar, sometimes with more 'layers' of 'Bejeweled2-WT.exe:\'.

    Now, however, I get AVG Resident Shield telling me

    Virus found Win32/Heur.dropper;"c:\System Volume Information\_restore{9561038E-7CA9-48D1-83A3-3C1B9D4500B0}\RP18\A0017099.exe";"Deleted";"06/07/2011, 20:55:08";"file";"C:\WINDOWS\system32\svchost.exe"

    I don't have time to 'clean' this computer right now - it'll have to wait.

    My only immediate concerns are:

    Will this virus transfer to other computers attached to my home network?
    Am I in danger of my personal information being stolen?

    It's very hard to find decent information about what this virus (if it is a virus and not just a false positive) actually does.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Actually, there is pretty much information available about this malware. The name is Win32/Heur. The entry you left shows it's in the System Volume. This is where the System Restore points are kept. If this is the only entry, then Win32/heur isn't active in the system. However if you do a system Restore and you happen to use this restore point, you can infect the system again.

    But the location is of considerable concern: "C:\WINDOWS\system32\svchost.exe". There is a file infector that will sometimes present as Win32/Heur, when in fact it could be Virut.

    You can get all of this information by searching for it. I can only give you generalities. And you can look in AVG forums for this well-known entry. The only way to be sure the system is clean is to see what's on it.

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs, except those I give you.
    • Please let me know if there is any change in the system.
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
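The reply above reads the Resident Shield alert by its location: a hit under System Volume Information is a System Restore copy rather than something running, while the svchost.exe entry in the last field is what makes it worth a closer look. The following Python script is an added example, not code from the thread or from AVG, that parses alerts in the semicolon-separated shape quoted in the first post and applies that same triage. It assumes the six fields are detection name, object path, action taken, timestamp, object type, and the process that touched the object; the second and third sample lines are constructed to exercise the other branches.

```python
import csv
from dataclasses import dataclass
from io import StringIO
from typing import List

# Constructed sample alerts in the shape of the Resident Shield line quoted in the
# thread. Only the first mirrors the real entry; the others are made up.
SAMPLE_ALERTS = [
    'Virus found Win32/Heur.dropper;"c:\\System Volume Information\\_restore{9561038E-7CA9-48D1-83A3-3C1B9D4500B0}\\RP18\\A0017099.exe";"Deleted";"06/07/2011, 20:55:08";"file";"C:\\WINDOWS\\system32\\svchost.exe"',
    'Virus found Win32/Heur;"C:\\Program Files\\Bejeweled 2 Deluxe\\Bejeweled2-WT.exe:\\Bejeweled2-WT.exe";"Moved to Virus Vault";"05/07/2011, 12:01:44";"file";"C:\\Program Files\\AVG\\AVG10\\avgscanx.exe"',
    'Virus found Win32/Heur;"C:\\Documents and Settings\\User\\Local Settings\\Temp\\setup.exe";"Moved to Virus Vault";"06/07/2011, 21:10:02";"file";"C:\\WINDOWS\\explorer.exe"',
]

# OS processes whose appearance in the last field deserves attention: a system
# process touching a detected file can mean the file was being loaded, not just scanned.
SYSTEM_PROCESSES = {"svchost.exe", "explorer.exe", "winlogon.exe", "services.exe", "lsass.exe"}


@dataclass
class Alert:
    detection: str
    path: str
    action: str
    timestamp: str
    kind: str
    process: str  # assumed meaning of the last field: process that accessed the object

    @property
    def location(self) -> str:
        """Classify where the detected object lives."""
        if "\\system volume information\\" in self.path.lower():
            return "restore_point"  # System Restore copy; inactive unless restored
        # A second ':\' after the drive letter marks an object nested inside another
        # file, the 'layers' of Bejeweled2-WT.exe:\ described in the first post.
        if ":\\" in self.path[2:]:
            return "embedded"
        return "on_disk"

    @property
    def touched_by_system_process(self) -> bool:
        return self.process.rsplit("\\", 1)[-1].lower() in SYSTEM_PROCESSES


def parse_alert(line: str) -> Alert:
    """Split 'Virus found NAME;"f1";"f2";"f3";"f4";"f5"' into its fields."""
    prefix = "Virus found "
    if not line.startswith(prefix):
        raise ValueError(f"not a Resident Shield alert: {line!r}")
    detection, _, rest = line[len(prefix):].partition(";")
    # The remaining fields are quoted and ';'-separated; csv handles the quoting,
    # including the comma inside the timestamp.
    fields = next(csv.reader(StringIO(rest), delimiter=";", quotechar='"'))
    if len(fields) != 5:
        raise ValueError(f"expected 5 quoted fields, got {len(fields)}: {line!r}")
    return Alert(detection.strip(), *fields)


def triage(lines: List[str]) -> dict:
    """Summarise a batch: is everything confined to restore points, and what touched the rest?"""
    alerts = [parse_alert(line) for line in lines]
    return {
        "restore_point_only": all(a.location == "restore_point" for a in alerts),
        "live_paths": [a.path for a in alerts if a.location != "restore_point"],
        "system_process_hits": [a.path for a in alerts if a.touched_by_system_process],
    }


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        a = parse_alert(line)
        print(f"{a.detection:<22} {a.location:<13} sys-process={a.touched_by_system_process}  {a.path}")
    print(triage(SAMPLE_ALERTS))
```

When `restore_point_only` is true the detections are stored restore-point copies, which matches the advice above that such an entry is not active but would come back if that restore point were used; any entry in `system_process_hits` is the kind the reply flags as a reason to collect full logs rather than stop at the alert.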
  3. Superbacon

    Superbacon TS Rookie Topic Starter

    All of the info I could find on the Heur online was either a) badly written (so I wasn't sure if the information was being supplied just to scam me into buying an untrustworthy antivirus) or b) conflicting (sometimes suggesting that the virus was a false positive, sometimes suggesting that it was very dangerous).

    Thanks! I'll get the logs to you soon.

    What do you think about my other questions - what IS the virus (Trojan/Worm, etc)?
    Will it have been transferred to other computers in my home?

    The computers are connected via a 4-port network switch (or hub, I'm not sure of the correct terminology). This 4 port hub then connects to the 1 port internet router.

    I'm running a scan with Vipre on the computer that I'm worried the virus might have transferred to - if this scan doesn't show up with any Heur infections, do I need to worry about it?
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    I do not have enough information to answer your questions. Don't use a flash drive between the computers on the network. If it is connected to a computer with an infection, or if the flash drive itself has been infected, malware can spread to other computers.

    The Win32/Heur problem is often discussed in the AVG forums. It can be either a sign of additional malware or a false positive. AVG has put out some updates causing the FP. But I don't have the information to determine that.

    I cannot tell you if it's a virus or worm. I cannot tell you if it's been transferred. I cannot mind read your system whether you need to worry if nothing shows up!!!!

    Give me some logs to start with!
  5. Superbacon

    Superbacon TS Rookie Topic Starter

    I have a couple of notes about these logs:

    The steps here:

    Didn't happen as described - when I did them it simply opened the CMD window with the script inside, then closed that and opened the pop up where I had to click 'OK', then it opened my logs - there was no 'Optional_Scan' or anything like that. Is that 'ok'?

    Also, for my GMER 'quick scan' all it did was open the program window and there were file-names flashing down in the status bar. 30 seconds later there was no more text in that status-bar down the bottom, and I had some 'results'. Is that how the 'quick scan' works?

    Regardless, here are my logs:

    Malware Bytes


    DDS Log

    DDS Attach Log

    Thanks so much for the help!
Topic Status:
Not open for further replies.
