Win 32 heur being a pain...

By play budokai · 14 replies
Nov 11, 2008
  1. Hi everyone! I'm new here, but this seems like a really great place. :)

    A day ago, I downloaded a torrent from The Pirate Bay. It was supposed to be the new episode of Dexter, but alas, it was a trojan. Ever since, it's been giving me hell - randomly opening Firefox windows to stupid websites, disabling AVG and Windows Security's update features... you name it. It'll even close down HijackThis when I try to send it in for analysis!

    I downloaded HijackThis and I'm attaching the log file. Could anyone help me out in getting this thing off my computer? I'm starting to consider wiping the whole thing. Thanks!
  2. mflynn

    mflynn TS Rookie Posts: 2,655

    play budokai

    Welcome Aboard!

    Go here:

    The TechSpot 8 steps:

    Do all, skip no step (do not install another virus scanner as you already have one).

    Most importantly update MalwareBytes and SuperAntiSpyware!

    Before you scan with SuperAntiSpyWare do the below:

    SuperAntispyware config

    After installed double-click the icon on your desktop to run it.

    It asks to update the program definitions, click Yes.

    Click the Preferences button.

    Then Scanning Control.

    In Scanner Options make sure the following are checked:
    1. Close browsers before scanning
    2. Scan for tracking cookies
    3. Terminate memory threats before quarantining.
    4. Leave the others as they are.

    In MalwareBytes after update but before running
    Click settings and confirm all are Checked.

    I repeat Update these 2 programs.

    Run them and post their logs then a new HJT log.

    Do this correctly and we will make a short job of this!

  3. play budokai

    play budokai TS Rookie Topic Starter

    Thanks, mflynn! I did everything you asked. So far, I haven't gotten one of those annoying popups. Let's hope that 8-step prescription worked...

    I'm uploading those logs now.
  4. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi play budokai

    Yes because you did such a good job and followed instructions well.

    But we are not quite done because you had so many and so many different issues. One thing we need to do is rerun MalwareBytes to confirm it comes up clean. I will direct you at the end of this post.

    Use HJT Scan only to remove the below (the O2 is remnants of malware, the O4 is just useless)

    O2 - BHO: (no name) - {C6C06C3D-88CD-4F0B-AEBB-2F2080CE13B3} - C:\WINDOWS\system32\hgGaaBRJ.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    Once the above is complete, go into Add/Remove Programs and uninstall all Java but the newest (leave it), then do the following.

    Clean and update Java
    Clean up old Java and update to the newest version; this program will do it all for you.

    Download JavaRa

    Unzip it, run it, to update choose Jucheck (Sun's updater) first, and if you do not have Jucheck then choose Update using Sun.

    After update choose Cleanup old versions. Give it a minute and after it pops up the log file you will see what it removed.

    Then click "Additional tasks" and check "Remove Useless JRE files" and "Remove JavaRa log files".

    After that run Search for Updates again to confirm you are up to date.

    After that run remove older versions again. This time the Log file should be empty.

    At this point reboot.

    When it arrives back at desktop, do not run any programs.
    Start MalwareBytes again, update it again, then run Full Scan to ascertain that it comes up clean and you have no more malware. Post the log again.

    If the log is clean continue below. If not clean wait for me to evaluate your log.

    Finishing up

    An additional Malware check

    D/L Xclean_Micro

    No install, just run it; delete all it finds and decline to reboot on each item found until the program finishes, then reboot.

    Xclean will run minimized and will pop up a window if it finds anything. If it finds nothing it will exit.

    Please make a note of what it found if any as this might indicate a deeper Malware diag.

    Run CCleaner: clean up temps twice or until no more found, and Registry twice or until no more found.

    D/L install and run ATF-Cleaner clear all except passwords in all browsers you have. Run repeatedly until no more found.

    The Malware is saved in your System Restore so we need to clean that

    Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and then OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs. Note: if you minimize now go to My Computer and note the free space and check this again after the run you will be able to see the likely large difference.

    Cleaning old shadow copies applies only if you have the Volume Shadow Copy running which is the default.

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "After cleanup at TechSpot".

    Once the new Restore point is made run the Disk Cleanup again and it will then only leave the clean "After cleanup at TechSpot" point!

    A Defrag is in order.

  5. play budokai

    play budokai TS Rookie Topic Starter

    Now that you mention it, even though the worst symptoms of the virus (opening a new window of Firefox to some random site, disabling my security software, etc..) are gone, I'm still getting a problem: almost every banner or ad on the side that you'd normally see on a site is for a "male enlargement pill," Vimax. The ads are EVERYWHERE and getting kind of annoying.

    I followed your steps up to the Malwarebytes scan. What do you know? The log found six trojans. Here's the log.
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    I am reading your log.

    So run it again and again till clean; attach new log each time.

    Same for SAS.

    I finally want to see clean logs or something these 2 can not eradicate then we will deal with that!


    Edit: read log update both (don't matter if you updated earlier today)

    Boot to Safe mode only and run both programs. Get me these new logs.
  7. play budokai

    play budokai TS Rookie Topic Starter

    Mike -

    I tried to do what you asked. After Malwarebytes scanned those last trojans I showed you, those DNS changers, I told them to Remove it. Now I've got a bigger problem: when I reboot my computer, it will often not work. As in, just shut down a second after I press the button to turn it on. The good news is that after waiting a few minutes (like 15-30), the computer can turn on as normal - just not necessarily in safe mode. I've run scanners like Malwarebytes and SpyBot several times, and they're picking up these same DNS changers. And of course, the **** ads are still around.

    I've been trying to boot it in safe mode just so I can do a scan with Malwarebytes. Whenever the scan starts up, however, my computer just... shuts itself down!

    I'll get you those logs as soon as possible. They may have to be without the computer being in safe mode, though. I'm probably going to have to take the whole damn thing in to BestBuy tomorrow.
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    Hello Play

    You are much much better off here than with them!

    I have 2 things to do! Do this any way you can, full or safe mode networking!

    1. D/L and run Prevx CSI

    When it completes, before reboot, an enema for your TCP/IP, NetBIOS, and Winsock.

    Copy all in the box below then open command prompt and paste to the black screen

    @echo off
    rem Save the current IP settings
    ipconfig /all >"%USERPROFILE%\Desktop\ipconfig.out"
    netsh interface ip delete arpcache
    ipconfig /flushdns
    ipconfig /release *
    ipconfig /renew *
    ipconfig /registerdns
    nbtstat -RR
    rem Save a log of the current Winsock catalog
    netsh winsock show catalog >"%USERPROFILE%\Desktop\lsp.txt"
    rem Reset Winsock
    netsh winsock reset catalog
    rem Append the Winsock catalog as it is after the reset
    netsh winsock show catalog >>"%USERPROFILE%\Desktop\lsp.txt"
    rem Reset the TCP/IP stack; the log file is passed as an argument
    netsh int ip reset "%USERPROFILE%\Desktop\tcpreset.txt"
    Reboot, see new icons on desktop, paste contents of lsp.txt and tcpreset.txt back to thread.

    Then check again with SAS and post log.

    But before running SAS add the following config

    Open SAS. Update even again.
    Under Configuration and Preferences, click the Preferences button.
    Then Scanning Control.
    In Scanner Options make sure the following are checked:
    1. Close browsers before scanning
    2. Scan for tracking cookies
    3. Terminate memory threats before quarantining.
    4. Leave the others as they are.

  9. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Play

    You have done such a great job. There are bad things out there!

    Since you are considering the SHOP I thought I would give you more options if the above does not work.

    Download SD Fix to Desktop; among other things it runs GMER and Catchme to look for rootkits.

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished,
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Copy and paste the Report.txt file to your next post.

    Test for problem resolution


    If not resolved continue here.


    NOTE: If you have had ComboFix more than a few days old delete and re-download.

    Get it here:

    Or here:

    Double click combofix.exe follow the prompts.

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click ComboFix's window while it's running. That may cause it to stall.

    This will take some time!!!!!!!!

    I will be ready to check log early morning my bedtime now 12:20 am.

  10. rf6647

    rf6647 TS Maniac Posts: 829

    You may consider this malarky, but check this post from pyropunky77 regarding DNSchanger trojan.

    It appears to have been part of the solution for at least 3 cases.
  11. mflynn

    mflynn TS Rookie Posts: 2,655

    Oh no I don't consider it Malarky!

    Very possible if the router has the default factory password. Play at first opportunity change the default password on the router.

    And I think we will see more router incursions soon.

    Play as to my last posts and this one by rf6647.

    While doing them begin by downloading SDFix and ComboFix but do not run.
    Unplug the network cable then REBOOT first.

    Do all with cable unplugged.

    You can reset your router if you are familiar with accessing the router and you know the settings etc. Or if the above steps fix it then plug in router and it comes back we now know how to fix it and I can help you reset the Router.

    Thanks rf6647.

    Goodnight guys,

  12. play budokai

    play budokai TS Rookie Topic Starter

    Hey -

    Wow, lots of advice! I started by downloading and running Prevx CSI. I then downloaded ComboFix and SDFix, started my computer in Safe Mode, and ran SDFix. It did its thing, then I rebooted in normal mode (with the Wireless off - I'm on a laptop and I'm not connected to the network via cable), and ran Malwarebytes. Malwarebytes came up clean!

    But... then I turned the wireless back on, and what do you know, the ads are still there.

    So then I rebooted again in normal mode, wireless off again, and ran ComboFix. I turned on the internet and... ads still there.

    It seems that my computer can temporarily get rid of the virus, but then it comes back as soon as I reconnect to the Internet.

    I think resetting the router might be a good idea. I don't know where to start with that, though.

    Logs attached. I noticed the last entry on the ComboFix notes - Easy Decrypter, which was the file I opened that unleashed win 32 heur on my computer in the first place.
  13. mflynn

    mflynn TS Rookie Posts: 2,655

    I would uninstall Easy Decrypter. Was it downloaded via p2p, torrent, LimeWire etc.?

    While connected via wireless, if you search for networks, are there other networks or computers in range?

    It is pointing towards the router or another computer accessible on wireless network.

    I know it takes a while but when you get a chance run mbam and sas and logs. They may find new issues or show something different since the Prevx, sdfix and combofix.

    Again what browsers are you using?

    Do this in IE. With IE closed, open Control Panel and run Internet Options.

    Under general click Delete All, Under the Security Tab click Reset all zones to default level, under Advanced click Reset and approve all.

    Reboot open no other apps and run the mbam and sas from above.

  14. play budokai

    play budokai TS Rookie Topic Starter

    I use Firefox and the file (Easy Decrypter) was downloaded via BitLord. It doesn't show up in Add/Remove programs, but I removed the file.

    I'm finding out how to disable my router. The plan is to turn the router off, disconnect network cables on two of the 3 computers on my network, turn on wireless on my laptop, run Malwarebytes on all the machines, change the password (just in case) and reset my router settings. I need to take back control of my DNS.
  15. mflynn

    mflynn TS Rookie Posts: 2,655

    Good going Play

    Don't forget before cleaning again to search for new wireless networks in case it is coming from someone close by.

    Also when you disconnect the other computers on your network ( I did not know about these) then try first (all others disconnected) before doing anything on the router.

    And if it is OK with the other computers off, then the issue is one of them and it is jumping across the network.

    You have the right idea on cleaning them. But clean them one at a time with all the others off so it can not jump.

    Router incursions happen and they will get worse but they are rare. Now that I know you have a 3 node LAN that is likely where it is coming from.

    So for now I would just put your own password on the router to secure it now.

    Do the router last!

    Do you understand what I am saying above?
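
Added example, not part of any post in this thread: a Python check over the `ipconfig.out` file that the script in post 8 saves, listing per adapter any DNS server that is neither the default gateway nor in an allowlist you supply (for example your ISP's resolvers). The function names, the `trusted` parameter and the sample output are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed sample of XP-style `ipconfig /all` output; addresses are made up.
SAMPLE = """\
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            203.0.113.54
"""

FIELD = re.compile(r"^\s+([A-Za-z][^:]*?)[\s.]*:\s*(.*)$")

def _ip(text):
    try:
        return ipaddress.ip_address(text.strip().split("%")[0])
    except ValueError:
        return None

def parse_adapters(text):
    """Map adapter name -> {field label: [addresses]} from ipconfig /all."""
    adapters, current, last = {}, None, None
    for line in filter(str.strip, text.splitlines()):
        addr, field = _ip(line), FIELD.match(line)
        if not line[0].isspace():                  # unindented section header
            name, last = line.strip(), None
            current = adapters.setdefault(name[:-1], {}) if name.endswith(":") else None
        elif current is None:
            continue                               # global section, no adapter
        elif addr is not None and last:            # extra value of previous field
            current[last].append(addr)
        elif field:
            last, first = field.group(1), _ip(field.group(2))
            current[last] = [] if first is None else [first]
    return adapters

def unexpected_dns(text, trusted=()):
    """Return {adapter: [DNS servers that are neither the gateway nor in trusted]}."""
    allowed = {ipaddress.ip_address(t) for t in trusted}
    report = {}
    for name, fields in parse_adapters(text).items():
        ok = allowed | set(fields.get("Default Gateway", []))
        odd = [str(d) for d in fields.get("DNS Servers", []) if d not in ok]
        if odd:
            report[name] = odd
    return report
```

Run `unexpected_dns(open(path).read(), trusted=[...])` on the saved file from each machine on the LAN. If the router hands out its own address as the DNS server this check passes, and the router's upstream DNS setting still has to be inspected in its admin page.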

Topic Status:
Not open for further replies.
