Win32/Heur problem

Ledah

I have tried to do the 8 steps but I couldn't do all of them because somehow the drivers for the internet adapters are missing. It's my brother's computer that has the malware and I'm trying to get rid of it. I also have an external hard drive; he copied files to it and the malware is on that too.

I was only able to use CCleaner, MBAM and SAS. MBAM was able to get rid of some of it, but it kept attaching itself to other .exes; when I scanned again they didn't show up. The computer has AVG, and when I open a process a pop-up shows that a .exe is infected with win32/heur.

I downloaded Avira with another computer and put the setup on a flash drive and when I try installing it in safe mode a message comes up that the setup has been changed and it could be due to a virus.
 
Another run indicated!
OK, there were found/removed items in both MBAM and SAS, so we need to run again, as the first run likely exposed things that were not even seen the first time.

So another Quick Scan run will likely find more. So UPDATE and run both again.

Then, only after the above has been run and the logs attached, do the below.

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On the Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to the desktop.

At the Desktop, open My Computer and double-click the C: drive to open it.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process, then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.
=========================================
Download ComboFix

NOTE: If your copy of ComboFix is more than a few days old, delete it and re-download.

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double-click combofix.exe and follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click ComboFix's window while it's running. That may cause it to stall.

Mike
 
I ran mbam and sas but they weren't able to find anything. I also couldn't update it because the internet adapter drivers are missing.
 
Ouch! Nasties!

Run ComboFix again and attach the new log to confirm no more are found.

No wonder you have no Internet!

Mike
 
OK, not good: we duplicated that time, so the second run did not fix it.

You are doing great, hang in there and we will fix this thing!

Download RootRepeal http://rootrepeal.googlepages.com/RootRepeal.rar

Make Folder on your Desktop name it RRepeal. Move the rar file there and extract.

Enter folder double click RootRepeal.exe.
Click the Report tab, then click Scan.

It will ask what to include in the scan.

Check the following
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
Then click OK

It will ask which drive to scan.

Check C: (or your windows drive, if not C)
Click OK
The scan will begin; it will take a while.

When scan completes, click Save Report .

Name the log RRepeal.txt save it to your Documents folder (it should default there). Post it back.

Then

Get Nod32

Download http://finalbuilds.edskes.net/nod32.htm
If the above link fails, go to http://home.hccnet.nl/h.edskes/mirror.htm

Scroll down near the bottom of the page and find nod32; to the right will be 3 mirrors marked Online. Try each; one of them will work.
Boot to Safe Mode to run it.

Before scanning, click Setup and check all boxes under Scan; typically only System memory is not checked, so check it. Then click Logging, then Scan and clean.

It is very thorough and may detect some other malware cleaners as a threat, so if it seems to point to, say, SpyBot, then click Leave.
If you have doubt about an issue then Quarantine it; it can be restored.

Depending on CPU and HD speed and the fact we are in (Safe Mode slower also) it could take a while.

Mike

EDIT: Don't do anything drastic like others sometimes do and begin formatting etc. without discussing it with me. We go through the steps and we fix it. I will know if it takes formatting and reinstalling! OK?
 
I used the RRepeal tool.

I used Nod32 and almost every .exe was infected, I clicked clean but some were not able to be cleaned so I clicked leave. I'm now scanning it a second time.

Don't worry I haven't decided to format it.
 
Hi Ledah

I agree with removing AVG and installing Avira but reverse the order.

Install Avira first then uninstall AVG, that way you will not be without a virus scanner at any time.

With your bad infection, uninstalling first will leave you totally without a virus scanner, and at computer speed a lot can happen.

It's like I said once before. If I leave the gate open unattended for five minutes, the vicious Pit Bulls will not have time to attack and kill someone.

Ok get me a Status report on the NOD32.

Mike
 
Hmm you could download Avira first
Then uninstall AVG, then go offline, then install Avira
Then go online, and immediately update Avira
I'm not so sure on having two antiviruses at the same time, even for 5 mins.
Actually, antiviruses like Kaspersky (as an example) won't even install with AVG still around.
 
I tried installing Avira in safe mode but it doesn't let me. So I tried to install in normal mode but I got a message about DEP and only the wallpaper is showing. I opened task manager and installed it but DEP stops 'run a dll as an app' from running.

It got installed and I used task manager to open Avira but I can't update. I ran a full scan, it found some malware and I quarantined them.

How do I save the status report for nod32?

Also there were some infections in my external hard drive. I've deleted the .exes with the infections; would my external hard drive still be infected?
 
You may need to do an online Antivirus scan first


Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report to your next reply.
 
I can't connect to the internet with the infected computer because the drivers for the network adapters are missing; there's a yellow exclamation mark beside all of them.
 
I noticed the log function in NOD32 is broken for some reason.

Post the Avira log.

Since Avira has removed several, we may now be able to finish with the following steps.

Update and run MBAM and SAS Quick scan. Reboot and run ComboFix again.

Then we will take specific steps to get reconnected to the Internet!

Mike
 
Go into Device Manager and right-click all devices with a yellow exclamation point (!) and click Uninstall. If there is an Other or Unknown devices entry, open it and uninstall these also.

Reboot and they should reinstall

Then

--------------------------------------------------------------------------------------------------------
Boot to Safe Mode.
Update then run SuperAntiSpyware

Then Click Preferences
then click Repairs

Then, counting down from the top, do the following entries:

Numbers 6, 8, 11, 12, 13, 15, 18, 19, 20, 21, 22, 24, 25, 26 and 27!

Reboot attach a new HJT log and get me a Status report on the computer and the issues you posted!
----------------------------------------------------------------------------------------------------------------------

Left-drag the mouse and copy all text in the box below for pasting. Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

First since you are doing this from another computer
Start-Run
type
notepad.exe
then paste into a file you can copy for use on the other computer.

On the other computer copy the notepad document and do the below.

Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

Code:
@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile

sc stop TDSSserv.sys
sc delete TDSSserv.sys
:: Above sc commands first stops then deletes service if it exists
::
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
::The above reg commands first unloads the reg keys then deletes these keys.
::
Attrib -h -s -r tdss*.* /s
del  tdss*.* /f /q /s
:: The above two lines first clears protective attributes then 
:: deletes all files on Drive beginning with the name tdss

:: Remove AntiVirus2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"

del "%UserProfile%\Desktop\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk" /f /q
del "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll" /f /q
del "%UserProfile%\Start Menu\Antivirus 2009\*.*" /f /q

rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"

attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
rd /s/q "c:\Program Files\Antivirus 2009"

attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
attrib -h -s -r c:\WINDOWS\system32\scui.cpl
attrib -h -s -r c:\WINDOWS\system32\winsrc.dll

del c:\WINDOWS\system32\ieupdates.exe /f /q
del c:\WINDOWS\system32\scui.cpl /f /q
del c:\WINDOWS\system32\winsrc.dll /f /q

attrib -h -s -r "c:\program files\xwdxqu.txt"
attrib -h -s -r c:\windows\x
attrib -h -s -r c:\windows\SxsCaPendDel

:: path under Program Files contains a space, so it must be quoted
del "c:\program files\xwdxqu.txt" /f /q
del c:\windows\x /f /q
del c:\windows\SxsCaPendDel /f /q

reg delete HKLM\SOFTWARE\swearware /f
reg delete HKCU\Software\Wget /f
reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f

:: rootkit gaopdxserv
attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

:: service name matches the Services\gaopdxserv.sys key removed further down
sc stop gaopdxserv.sys
sc delete gaopdxserv.sys

del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
del /f /q "c:\windows\system32\gaopdxqpqjwmyc.dll"
del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

sc stop WinSvchostManager
sc delete WinSvchostManager

sc stop ntndis
sc delete ntndis

attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.exe"
attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.sys"

del  /f /q "C:\WINDOWS\system32\drivers\ntndis.exe"
del  /f /q "C:\WINDOWS\system32\drivers\ntndis.sys"

sc stop u_lehj
sc delete u_lehj

attrib -h -s -r "c:\program files\Common Files\System\u_lehj32.dll"
del  /f /q "c:\program files\Common Files\System\u_lehj32.dll"

attrib -h -s -r "C:\WINDOWS\system32\svcprs32.exe"
attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"

del  /f /q "C:\WINDOWS\system32\svcprs32.exe"
del  /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
del  /f /q "C:\WINDOWS\system32\mdmcls32.exe"

reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f

reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
:: /v names the single value to remove from the Run key (the key itself stays)
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ieupdate" /f
echo Finished ripping out Antivirus 2008-9
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
exit
exit

This should run and exit!

It is a coverall, and you may see a few errors related to it addressing something you do not need. This is normal; ignore them.

Reboot

Then
------------------------------------------------------------------------------------------------------
Download XP TCP/IP Repair (Netrepair.exe) http://www.xp-smoker.com/freeware.html
Install (check place shortcut on desktop).

Then run it and first click Reset TCP/IP. It may or may not require a reboot here. If it does not require a reboot, then click Repair Winsock and approve all to fix/repair; it will then require a reboot for sure. Reboot and recheck for internet.

If the first repair (Reset TCP/IP) does require a reboot, then as soon as it comes back up run the second one, Reset Winsock!

Reboot

Hopefully this will get us back on the Internet..

Mike
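Before pasting a coverall like the script above, it helps to see what is actually hijacked on the box, and afterwards to confirm the fix took. The following Python example is added here and is not from this thread or from any tool it names: it parses the plain text that cmd's `assoc` and `ftype` print (run `assoc > assoc.txt` and `ftype > ftype.txt` on the infected machine and carry the two files over on the flash drive) and reports every file association that differs from the values the repair script sets. The two captures embedded in it are constructed for the demonstration; the `hijacked_class` name and the `C:\constructed\loader.exe` path are made up and do not come from the thread.

```python
import re

# Expected values, copied from the association-repair script posted in this thread.
EXPECTED_ASSOC = {
    ".exe": "exefile", ".bat": "batfile", ".cmd": "cmdfile", ".com": "comfile",
    ".scr": "scrfile", ".reg": "regfile", ".pif": "piffile", ".lnk": "lnkfile",
    ".inf": "inffile", ".vbs": "vbsfile", ".js": "jsfile",
}
EXPECTED_FTYPE = {
    "exefile": '"%1" %*',
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "comfile": '"%1" %*',
    "scrfile": '"%1" /S',
    "regfile": 'regedit.exe "%1"',
    "piffile": '"%1" %*',
    "inffile": r'%SystemRoot%\System32\NOTEPAD.EXE "%1"',
    "vbsfile": r'%SystemRoot%\System32\WScript.exe "%1" %*',
    "jsfile": r'%SystemRoot%\System32\WScript.exe "%1" %*',
}


def parse_kv(text):
    """Parse the key=value lines that `assoc` and `ftype` print; keys are lower-cased."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip().lower()] = value.strip()
    return out


def normalise(cmdline):
    """Collapse whitespace, drop quotes around regedit.exe and lower-case for comparison."""
    cmdline = cmdline.replace('"regedit.exe"', "regedit.exe")
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def find_hijacks(assoc_text, ftype_text):
    """Return [(item, found, expected)] for every association that is missing or altered.

    A changed exefile command is the classic sign that every launched program
    is first routed through the malware's own loader.
    """
    assoc = parse_kv(assoc_text)
    ftype = parse_kv(ftype_text)
    problems = []
    for ext, want in EXPECTED_ASSOC.items():
        got = assoc.get(ext)
        if got is None or got.lower() != want:
            problems.append((ext, got, want))
    for progid, want in EXPECTED_FTYPE.items():
        got = ftype.get(progid)
        if got is None or normalise(got) != normalise(want):
            problems.append((progid, got, want))
    return problems


# Constructed sample captures (not real output from the thread's machine).
SAMPLE_ASSOC = """\
.bat=batfile
.cmd=cmdfile
.com=comfile
.exe=hijacked_class
.inf=inffile
.js=JSFile
.lnk=lnkfile
.pif=piffile
.reg=regfile
.scr=scrfile
.vbs=VBSFile
"""
SAMPLE_FTYPE = r"""
batfile="%1" %*
cmdfile="%1" %*
comfile="%1" %*
exefile="C:\constructed\loader.exe" "%1" %*
inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
piffile="%1" %*
regfile=regedit.exe "%1"
scrfile="%1" /S
vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
"""

if __name__ == "__main__":
    for item, found, expected in find_hijacks(SAMPLE_ASSOC, SAMPLE_FTYPE):
        print(f"{item}: found {found!r}, expected {expected!r}")
```

Run it once on the captures taken before the repair script to see what was hijacked, and again on captures taken after the reboot; an empty result is the confirmation that the associations are back to their defaults.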
 
Uninstalling the devices with the yellow exclamation mark didn't work. I get a message saying 'failed to uninstall the device. The device may be require to boot the computer.' There were 2 devices under network adapters that I was able to uninstall, but after rebooting they came back and still had the yellow exclamation mark beside them.

The computer isn't able to boot on normal mode anymore because DEP stops it, I can only run it on safe mode.

I tried everything else that you posted and it still doesn't work.
 
COMBOFIX-Script
Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Code:
KillAll::

FCopy::
C:\WINDOWS\system32\dllcache\userinit.exe | C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\dllcache\explorer.exe | C:\WINDOWS\explorer.exe

Then drag this script and drop it on top of ComboFix.

ComboFix will now run a scan on your system.

It may reboot your system when it finishes. This is normal.

When finished, it will create a log. Attach the log back.

Mike
 
Is the script supposed to copy files from the ServicePackFiles folder? Because when I checked the computer it doesn't have the ServicePackFiles folder, but it has an i386 folder under c:\windows\i386 and the files in it end with .ex_

Should I take out the ServicePackFiles in the script and try again?
 
No! They will have to be located or expanded.

I have to go to the Post Office before 5:00. I will post back as soon as I get back.

Mike
 
We are going to search for backups of these files so do below.

Left-drag the mouse and copy all text in the box below for pasting.
Make sure the slider bar goes to the bottom, from the @ to the end of the second exit.

Then paste to the black screen of an open command prompt.
Code:
@echo off
cd\
attrib /s userinit.exe >"%USERPROFILE%\Desktop\userinit.txt"
dir /s userinit.exe >>"%USERPROFILE%\Desktop\userinit.txt"
:: the separator goes into the report too, so the two listings are easy to tell apart
echo ---------------------------------------------------------------------------------------------------- >>"%USERPROFILE%\Desktop\userinit.txt"
attrib /s explorer.exe >>"%USERPROFILE%\Desktop\userinit.txt"
dir /s explorer.exe >>"%USERPROFILE%\Desktop\userinit.txt"
exit
exit
Now post the userinit.txt from the new icon on the desktop back to the thread.
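Once userinit.txt comes back, the question is which of the listed copies is safe to restore from. The following Python example is added here and is not from this thread or from any tool it names: it parses the `dir /s` section of that report, lists every copy of the requested file with its size, flags copies whose size differs from the rest, and, when the drive is reachable (for instance with the disk or the external drive attached to the clean machine), hashes the copies so that a copy NOD32 flagged can be told apart from a clean backup by hash rather than by name. The report embedded below is a constructed sample: the sizes are made up and the `E:\backup` folder is invented. Compressed `.ex_` copies under i386 do not appear in it, because `dir /s userinit.exe` matches the exact name only; those have to be expanded first, as the reply above says.

```python
import hashlib
import re
from collections import Counter

DIR_LINE = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
# date, time (optionally followed by AM/PM), size with thousands separators, then the name
FILE_LINE = re.compile(
    r"^\s*\S+\s+\S+(?:\s+[AP]M)?\s+(?P<size>[\d,]+)\s+(?P<name>\S.*?)\s*$"
)


def parse_dir_report(text, target):
    """Return [(full_path, size_bytes), ...] for every `target` listed in `dir /s` output."""
    found, current_dir = [], None
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            current_dir = m.group("dir")
            continue
        m = FILE_LINE.match(line)
        if m and current_dir and m.group("name").lower() == target.lower():
            size = int(m.group("size").replace(",", ""))
            found.append((current_dir.rstrip("\\") + "\\" + m.group("name"), size))
    return found


def odd_sized_copies(entries):
    """Paths whose size differs from the most common size among the copies found.

    A patched or replaced system file rarely keeps the original byte count, so a
    size mismatch is a cheap first hint; the hash comparison below decides.
    """
    if not entries:
        return []
    common = Counter(size for _, size in entries).most_common(1)[0][0]
    return [path for path, size in entries if size != common]


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_copies(entries):
    """Map path -> sha256 for the copies reachable from this machine (None if not)."""
    result = {}
    for path, _ in entries:
        try:
            result[path] = sha256_of(path)
        except OSError:
            result[path] = None  # drive not mounted here; compare by size only
    return result


# Constructed sample of the userinit.txt report (sizes and the E: path are made up).
SAMPLE_REPORT = r"""
 Volume in drive C has no label.
 Volume Serial Number is 0000-0000

 Directory of C:\WINDOWS\system32

04/08/2004  12:00 AM            26,112 userinit.exe
               1 File(s)         26,112 bytes

 Directory of C:\WINDOWS\system32\dllcache

04/08/2004  12:00 AM            24,576 userinit.exe
               1 File(s)         24,576 bytes

 Directory of E:\backup

04/08/2004  12:00 AM            24,576 userinit.exe
               1 File(s)         24,576 bytes

     Total Files Listed:
               3 File(s)         75,264 bytes
               0 Dir(s)  1,000,000,000 bytes free
"""

if __name__ == "__main__":
    copies = parse_dir_report(SAMPLE_REPORT, "userinit.exe")
    for path, size in copies:
        print(f"{size:>10}  {path}")
    print("size differs from the others:", odd_sized_copies(copies))
    print("hashes (None = not reachable from here):", hash_copies(copies))
```

Two copies that hash identically to each other and differ from the one in system32 are the ones to restore from; a copy that matches the system32 hash is no backup at all, whatever folder it sits in.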
 
If the dllcache folder has the backup, nod32 showed that those files were also infected and couldn't be cleaned.
 