Win32/Heur and a sudden day from hell

Hi guys, as ever any help appreciated and grateful for advice.

Yesterday my Win7 install was running fine. Without warning my Windows firewall popped up a box asking me if I wanted to continue blocking a prog I had never heard of before. I tried googling it to see what it was and from then all hell's broken loose.

Pretty much immediately fake spyware / antivirus ads started popping up and my browsers were hijacked and redirecting everything. Then it started blue screen crashing.

Running a variety of stuff including Malwarebytes in Safe Mode I can now get it to boot into the OS without blue screening but the browser hijacking and the fake ads are still there.

I installed AVG and this seemed to hack away at some stuff but if I try running it now the scan won't start so I presume it's got to that. It does however load and say a bunch of files are infected with Win32/Heur. I don't know what other evil lurks.

I have attached my Hijackthis logs and Malwarebytes. I can't download the SUPERAntiSpyware prog because it says the server is down which I am also suspicious of.

Any steps to get pseudo back to normal gratefully appreciated...

Paul
 
Welcome to TechSpot, rascaluk. You do have an assortment of malware!

Questions:
1. Are you running Windows 7?

2. Are you using LimeWire or another file-sharing music program?

I'd like you to check for Virut:
Virut is a Polymorphic File Infector that infects .EXE and .SCR files. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.

You might want to read this:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html


Change all of your passwords and monitor any online transactions.
So don't waste your time - Don't look for 'guaranteed removals' - there aren't any.

Before we 'assume' the worst, I'd like you to do the following:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Also scan these:

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
 