Win32 errors

By 91BlKSi · 20 replies
Oct 24, 2009
  1. Hello all, looking for some help with some win32 errors. My AVG is detecting multiple threats usually trojans from svchost.exe, winlogon.exe and heur.exe. I have included a hijackthis log. Thanks in advance.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Welcome to TechSpot, 91BlKSi. I will help you with the malware. but first, please follow the steps in the Virus and Malware Removal HERE.

    When finished, attach the logs from Malwarebytes and Superantispyware.

    Rescan with HijackThis and paste that log> all in your next reply.

    I will review all of the logs for malware. Please be sure to check the lines in Malwarebytes and Superantispyware to remove what they find. Don't do any removals in HijackThis- I'll find those and have you remove bad entries.

    I do see malware- looks like possible Vundo infection in addition to Heur.

    I notice that you have uTorrent which is a P2P programs. P2P (person to person) programs are also called 'file sharing' programs. In earlier computer days, these programs did not have much threat. But as they progressed, so did the dangers of using them. For that reason, we do not permit discussion of this type of program, not do we support it. The exception is to suggest you uninstall and P2P programs for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.
    • Malware writers use these program to include malicious content.
    • Fie sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read this information on P2P Warning to help you better understand these dangers.

    If you decide not to remove uTorrent, please do not use it while we are cleaning.
  3. 91BlKSi

    91BlKSi TS Rookie Topic Starter

    Ok, scans are finished. Here are my results. Thank you for your help.

    Attached Files:

  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    This is one of the malware infections:

    It also appears that you are visiting porn sites. As long as you are doing that, you are going to get malware. You are infected with a Backdoor.Bot> changes all of your passwords and monitor any online financial transactions.

    You are loading the uTorrent program. If you want my support to continue, please either uninstall it or take it off of startup:
    C:\Program Files\uTorrent\uTorrent.exe
    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

    IF you decide to remove the torrent:
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)


    • 1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Attach the Combofix report.

    Rescan with HijackThis and PASTE new log in next reply.
  5. 91BlKSi

    91BlKSi TS Rookie Topic Starter

    Ok, Firstly I have uninstalled utorrent. I am getting an error message when I try to install combo-fix. I changed the file name, shut everything down and it tells me its unsafe to continue the contents of the package have been compromised and I may have a file patching virus "virut" I did a re-download twice from the bleepingcomputer server and once from the forospyware server with the same result each time.
  6. momok

    momok TS Rookie Posts: 2,265

    I have a suspicion the error dialogue you are getting comes from the malware. Which program is giving that error? perhaps you could post a screenshot?
  7. kritius

    kritius TS Guru Posts: 2,084

    It actually comes from ComboFix, it will not run if there is a file infector on board. You need to scan some system files such as explorer, svchost, userinit etc to see if they are infected. If so it's a reformat.
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

  9. kritius

    kritius TS Guru Posts: 2,084

    It will not run if it is compromised! No sense in doing that, get the files scanned first to check them.
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    I thought after having this fault for two days now, it may be worth a 5minute go
    I'd try it just in case, it can't hurt ;)
  11. 91BlKSi

    91BlKSi TS Rookie Topic Starter

    Thanks for the replies everyone. It is combo-fix giving me that error code. I did a quick google search and somebody suggested downloading the program with a non-infected computer and using a flash drive to transfer it to the infected computer. Any thoughts on that? I do have access to a clean computer if that sounds possible.The files that are still giving me problems are svchost and winlogon, the heur error hasnt seemed to come back yet.
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Yes that's an excellent idea
  13. kritius

    kritius TS Guru Posts: 2,084

    This will be at your own risk, the reason that ComboFix will not run is because if there are files that are patched by a file infector then they may be deleted by it, this could make the computer unbootable. This is why sUBs put that routine in, so that ComboFix would not trash your computer. It has already warned you twice, ComboFix is NO GOOD with a file infector, it was not designed to be used against them!

    This suggests virut, scan the files rather than potentially messing up your computer.

    • Make sure to use Internet Explorer for this
    • Please go to FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • C:\WINDOWS\System32\svchost.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Please follow the suggestion from kritius. I was going to give you the same one. The message you got when attempting to use Combofix is classic of a Virut infection.

    If that is confirmed, it is a waste of time and a continued danger to you to try and clean it. Most of us recommend a reformat/reinstall instead.
  15. momok

    momok TS Rookie Posts: 2,265

    Timely input by Kritius, thanks. Thought I might put in more layman terms for the OP.

    @91BlKSi: we strongly do not recommend attempting to run combofix. This is because the type of infection you have typically tries to infect your other legitimate files. More often than not, your windows system files get targeted in the process.

    Combofix is a powerful program that can remove bad files, but in your case, it will detect your system files as "bad" and attempt to remove them. Because of that, it can potentially cause disastrous damage to your system.

    Please follow kritius's suggestions. you are in good hands.
  16. 91BlKSi

    91BlKSi TS Rookie Topic Starter

  17. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    All Scanners did not find malware!

    Have you tried Combofix as yet?
    In either Safe Mode with Networking
    or via the USB Flash excellent idea
  18. kritius

    kritius TS Guru Posts: 2,084

    Try scanning explorer.exe and userinit.exe. You can't trust just one file to be scanned.

    Kimsland, you seem very eager to run ComboFix when you don't actually no what to do with it.
  19. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    91BlKSi once you finally run Combofix
    Please attach > [​IMG] the Combofix log to a new reply, so as I can view and advise on it
    Note: I've done about 10,000 of these things now, pretty sure I know what to advise
  20. kritius

    kritius TS Guru Posts: 2,084

    Thread edited at request of mod.

    The thread is all yours kimsland.
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Did you have the entire file scanned?

Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...