Please help with Win32 Heur Virus

Status
Not open for further replies.

HughMcB

Blind Dragon, like many people, my computer seems to have picked up this particular virus (Win32 Heur). I've tried following your 8 steps, but so far I cannot get Malwarebytes' Anti-Malware to open, and SUPERAntiSpyware Free Edition says the application won't update and prompts me to check the firewall, but I've looked in there and it's not blocking it. Can you help, as I'm very stuck right now? Also, can you suggest a good firewall, as the links to Comodo Firewall Pro and ZoneAlarm Free appear not to be working right now? Thank you very much in advance.

Hugh,

Try holding down the Windows key and pressing R -> then type cmd -> press Enter (if Vista, go to Start -> All Programs -> Accessories -> right-click on Command Prompt and choose Run as administrator).

From the command prompt, type ipconfig /flushdns

Type exit and press Enter.

============================

1. Shut down your computer, and any other computer connected to your router.

2. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds. Unplug the router. Wait sixty seconds. Now, holding the reset button again, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.

3. Connect again to the router. Then turn the router back on. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the router configuration page and re-enter your authentication information.

===============================

Now please retry going through the 8 steps and post in your own thread.

Blind Dragon (or other moderator), I have taken the steps advised and have downloaded/updated the relevant programs; however, Malwarebytes' Anti-Malware will still not open for me. Thank you! I am using the Vista operating system.
 
Remove/uninstall from "Programs and Features" in controlpanel:
AVG8

We'll try Malwarebytes slightly differently -

Download Malwarebytes:
http://www.download.com/Malwarebyte...4-10804572.html?tag=mncol;pop&cdlPid=10878968

Save the file as setup.exe

Run the setup.exe file
When it gets to the final step of the installation it will seem like it has frozen... it hasn't, but it will take anywhere from 15 minutes to an hour to get through that step, so just let it do its thing.

If the automatic update fails, download the manual update ->
http://www.gt500.org/malwarebytes/mbam-rules.exe

Go into the Malwarebytes folder in Program Files.
Rename mbam.exe to 123.exe and run it.
Do a full computer scan.

Check all and remove/fix/delete them.

Restart your computer and post the log
 
Ok so here are the logs from those scans, View attachment 47777, View attachment 47778, View attachment 47779, View attachment 47780.

Now when I access the internet these warnings still seem to pop up from Avira AntiVir:
Virus or unwanted program 'TR/Dldr.Agent.brpo [trojan]'
detected in file 'C:\Windows\System32\gxvxcswochrtppbaxvcvneedxnxqutthenmsk.dll'.
Action performed: Move file to quarantine


See also Comodo Antivirus Logfile for further information.
View attachment 47781

Thank you again!
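A triage script for the situation described above, added here as an example; it is not part of the original thread and not code from Avira, Comodo or any other tool named in it. It looks in System32 for DLLs that share the traits of the file Avira quarantined: a long, letters-only, vowel-poor name, a recent write time, and being loaded into running processes. The 7-day window, the name-heuristic thresholds and the column layout are assumptions, and a hit is a lead to examine, not proof of infection. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: triage System32 for DLLs that resemble
# the randomly named one Avira quarantined. Heuristic only; a hit is a lead.
# Assumptions: elevated PowerShell 2.0 or later, a 7-day window, and name
# thresholds chosen by hand.

$Sys32  = Join-Path $env:SystemRoot 'System32'
$Cutoff = (Get-Date).AddDays(-7)

function Test-RandomName {
    param([string]$FileName)
    # Generated names tend to be long, lower-case letters only (no digits or
    # separators that real component names usually carry) and short on vowels.
    $base = [System.IO.Path]::GetFileNameWithoutExtension($FileName)
    if ($base.Length -lt 16)         { return $false }
    if ($base -cnotmatch '^[a-z]+$') { return $false }
    $vowels = ([regex]::Matches($base, '[aeiou]')).Count
    return (($vowels / $base.Length) -lt 0.25)
}

$hits = Get-ChildItem -Path $Sys32 -Filter '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { (Test-RandomName $_.Name) -or ($_.LastWriteTime -gt $Cutoff) } |
    ForEach-Object {
        # Most Windows DLLs are signed through catalog files, which this cmdlet
        # does not consult, so 'NotSigned' here is weak evidence on its own;
        # read it together with the name and timestamp columns.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        New-Object PSObject -Property @{
            Name       = $_.Name
            Written    = $_.LastWriteTime
            Size       = $_.Length
            Signature  = $sig.Status
            RandomName = Test-RandomName $_.Name
        }
    }

$hits | Sort-Object RandomName, Written -Descending |
    Format-Table Name, RandomName, Written, Size, Signature -AutoSize

# A hit that is loaded into running processes is the strongest lead, and is
# also the reason an on-reboot deletion tool is needed to remove it.
foreach ($h in $hits) {
    foreach ($p in Get-Process) {
        try {
            $loaded = $p.Modules | Where-Object { $_.ModuleName -eq $h.Name }
            if ($loaded) { "{0} is loaded in {1} (PID {2})" -f $h.Name, $p.ProcessName, $p.Id }
        } catch { }   # protected processes and 32/64-bit mismatches deny module listing
    }
}
```

The name filter alone flags the thread's file (37 lower-case letters, 6 of them vowels) while passing ordinary names, which usually carry digits or a normal vowel ratio; the timestamp column is what catches a dropper that chose a plausible-looking name instead.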
 
I was not aware that it was Comodo Antivirus you had - my bad.
It means you still have two antivirus programs running.

I'll therefore suggest you remove Avira or Comodo from "Programs and Features" in the Control Panel.

Please download Combofix:
http://subs.geekstogo.com/ComboFix.exe
And save to the desktop.

Open Notepad and copy/paste the text in the quote box below into it.
Name the file CFScript
and save it on the desktop.

Killall::

Snapshot::
File::
C:\Windows\System32\gxvxcswochrtppbaxvcvneedxnxqutthenmsk.dll

http://www.fromsej.saknet.dk/billeder/cfscript.gif

Once saved, referring to the picture above, drag CFScript.txt onto ComboFix.exe.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
Ok so I uninstalled Avira and ran the steps you provided. I dragged the CFScript.txt file onto ComboFix.exe; Comodo then detected this threat, C:\32788R22FWJFW\hidec.exe, which I first tried to quarantine. As ComboFix.exe was nearly complete it displayed an error message (three times): Windows cannot find file 32788R22FWJFW\hidec.exe

Also Comodo detected (after the other process had completed) that a file gsar.cfexe in location C:\32788R22FWJFW was trying to get permission to execute.

Long story short, I couldn't get it to complete and therefore no logfile!
 
Please download Avenger from http://swandog46.geekstogo.com/avenger2/download.php
(by Swandog46) to your Desktop.
Click on Avenger.zip to open the file
Extract avenger2.exe to your desktop

Start Avenger


Files to delete:
C:\Windows\System32\gxvxcswochrtppbaxvcvneedxnxqutthenmsk.dll
c:\program files\superantispyware\9491cfe0-14a2-4dae-b2a6-cf3b87e0b8d6.exe

Copy/Paste all the text in the above quote box into the main window
Click Execute

The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)

On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions.

This log file will be located at C:\avenger.txt

Attach C:\avenger.txt in your next reply, and tell me how things are running.
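The Avenger step above removes files that cannot be deleted while Windows is running. As an added example, which is neither Avenger's own code nor a description of how Avenger works internally, here is the documented Windows mechanism for the same effect: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the deletion in the Session Manager's PendingFileRenameOperations value so that it is carried out early in the next boot, before the file can be loaded again. Assumptions: an elevated PowerShell prompt, the target path is the file named in the thread, and nothing re-creates the file at boot.

```powershell
# Added example, not from the thread and not from Avenger: queue deletion of a
# DLL that is locked by a running process, so it is removed at the next boot.
# Assumptions: run elevated; $Target is the file named in the thread.

$Target = Join-Path $env:SystemRoot 'System32\gxvxcswochrtppbaxvcvneedxnxqutthenmsk.dll'

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

if (-not (Test-Path -LiteralPath $Target)) {
    Write-Warning "$Target is not present; nothing to queue."
    return
}

# A null destination combined with the delay flag means "delete at reboot".
$ok = [Win32.Native]::MoveFileEx($Target, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
if (-not $ok) {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "MoveFileEx failed with Win32 error $err (is this an elevated prompt?)"
}

# Verify: the request is stored as a pair of entries, the NT-style source path
# followed by an empty destination, in this REG_MULTI_SZ value. Reboot to run it.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
(Get-ItemProperty -Path $key -Name PendingFileRenameOperations).PendingFileRenameOperations
```

If the file is present again after the reboot, as Comodo reported later in this thread, the deletion itself did not fail: something that starts earlier or hides itself is re-creating it, which is a job for a rootkit scan rather than another delete-on-reboot attempt.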
 
Ok so this is the avenger logfile, View attachment 47842

Once the computer starts, Comodo quickly picks up this threat and sends me a warning message for this file.
C:\Windows\System32\gxvxcswochrtppbaxvcvneedxnxqutthenmsk.dll
Unclassified Malware@15429841
 
Looks like we need ComboFix to run. Uninstall the version you have ->

Click START, then RUN.
Now type Combofix /u in the Run box and click OK.
Note the space between the x and the /u; it needs to be there.
When shown the disclaimer, select "2".

Reboot

Please download newest version of Combofix:
http://subs.geekstogo.com/ComboFix.exe

And save to the desktop.

Close all other browser windows.

Please connect all your external hard drives/flash drives before running ComboFix, if you have any.

Double-click on the combofix icon found on your desktop.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post
 
Windows won't execute Combofix /u, when entered in Run it gives message that it cannot find "Combofix". What next? :(

I'm getting pretty disheartened here by all this, is reformatting an option?
 
Not yet.

Download http://gmer.net/gmer.zip
and save to your desktop.
Unzip/extract the file to its own folder.
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.

If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click the >>> tab
Now click on Settings, then check the first five settings:
System Protection and Tracing
Processes
Save created processes to the log
Drivers
Save loaded drivers to the log

You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.

Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
Click on the Scan and wait for the scan to finish.

Note: Before scanning, make sure all other running programs are closed and that no other actions, like a scheduled antivirus scan, will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.

When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
If GMER doesn't work in Normal Mode try running it in Safe Mode

Important!:
Please do not select the Show all checkbox during the scan..

Attach the GMER log.
 
Ok so after many attempts I finally got the Combofix to work (I had to uninstall Comodo as it appeared to be hindering the process and reinstall Avira).

Ok so I ran ComboFix and attached is the log. Please note that I had to run it twice, as the first time the computer shut down. I think that it has rectified some of the problems but I don't yet know if it's all good?! Please advise! Thanks for all your help! :)

View attachment 47899
 
You have done a good job :)

And finally you got rid of
C:\Windows\System32\gxvxcswochrtppbaxvcvneedxnxqutthenmsk.dll.

BTW, the filename is not easy to pronounce ;)

How are things running now ?
 
Ya so far everything seems to be fine, if I've any further problems I'll be sure to contact you. :D

Thank you, you guys really provide a great service here and are very much needed by the general public. Keep up the good work!!!!!!
 
Sounds good, and we will :)

Now that your computer problems are solved, it is time for the clean-up procedure.
You should Create a New Restore Point to prevent possible reinfection from an old one.
The easiest and safest way to do this is:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.

Please download OTCleanIt
Save it to desktop.
This will remove all the tools we used to clean your computer.
Double-click OTCleanIt.exe. Click CleanUp. Say Yes to the "Begin cleanup Process?"
When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.
Please note: it will NOT remove MBAM, CCleaner and SUPERAntiSpyware.

To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
How did I get infected in the first place

Keep safe
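The restore-point steps above, as an added PowerShell example rather than anything from the thread or from the tools it names. On Vista and later, restore points are kept as volume shadow copies, so "clean up system restore" amounts to deleting every shadow copy except the newest one. Assumptions: an elevated PowerShell 2.0 or later prompt, System Restore enabled on the system drive, and that the newest shadow copy after Checkpoint-Computer is the one just created.

```powershell
# Added example, not from the thread: create a fresh restore point, then drop
# every older one so an infected snapshot cannot be restored later.
# Assumptions: elevated PowerShell 2.0 or later; System Restore is enabled on
# the system drive.

# 1. Create the new, known-clean restore point.
Checkpoint-Computer -Description 'Post-cleanup baseline' -RestorePointType MODIFY_SETTINGS

# 2. Restore points are volume shadow copies; keep only the newest.
#    InstallDate is a WMI timestamp string (yyyymmddHHMMSS...), so sorting it
#    as text sorts chronologically.
$shadows = @(Get-WmiObject -Class Win32_ShadowCopy | Sort-Object InstallDate)
if ($shadows.Count -eq 0) { throw "No shadow copies found; was the restore point created?" }

$keep = $shadows[-1]
foreach ($s in $shadows) {
    if ($s.ID -ne $keep.ID) {
        "Deleting shadow copy {0} from {1}" -f $s.ID, $s.InstallDate
        $s.Delete()
    }
}

# 3. Confirm that only the new point remains.
vssadmin list shadows
```

Shadow copies also back the "Previous Versions" feature, so on a machine where those matter, check the output of the final listing before deleting; on a just-cleaned machine, keeping only the fresh baseline is the point.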
 