Win32/Heur Virus - Need help to remove

Status
Not open for further replies.
Hi there, unfortunately I have picked up the crippling Win32/Heur virus after downloading a torrent off the internet.

I have AVG free 8.5 and it keeps on picking up the virus, but won't let me get rid of it because it says that the files are "white-listed" and should not be removed. I also ran Spybot which picked up a few trojan horse entries and was able to delete them, but every time I run it again, it keeps picking them up.

I am unsure as to what my next step is to remove the virus. I have downloaded and run MBAM & SAS which are now picking up like 22 entries! I've tried to delete them, but the system won't let me, again for the same reason.

Attached are the logfiles.

Thanks.
 
Just realised that I did the logs in the wrong order... re-did the scans, which are still picking up a few things; updated logs attached.

This is a really frustrating virus and any help would be great.

Thanks
 
Thank you for resubmitting the logs. Unfortunately you did not check the line in Malwarebytes that says to remove what it finds, so the malware shows "No action taken".

Before repeating that, please do the following:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Also scan these:

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe

Unfortunately we are frequently seeing a Virus infection with Win32/Heur, so we need to check for that first:
Virut is a Polymorphic File Infector that infects .EXE and .SCR files. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.

Please include the results in your next reply.
 
Here are the results from: c:\windows\system32\userinit.exe

VirSCAN.org Scanned Report :
Scanned time : 2009/11/26 08:27:05 (EST)
Scanner results: 68% Scanner(s) (25/37) found malware!
File Name : userinit.exe
File Size : 46080 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 4002c313adf0794221b80d6b012a682a
SHA1 : 33842f5b0c1f5e93ae371c3db051c137a8e0d123
Online report : http://virscan.org/report/2d4c8e1fdd904e33e80bf3d285f942d0.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091126033123 2009-11-26 4.07 Gen.Malware!IK
AhnLab V3 2009.11.26.00 2009.11.26 2009-11-26 0.98 Win32/Virut.F
AntiVir 8.2.1.78 7.10.1.106 2009-11-25 0.14 W32/Virut.Gen
Antiy 2.0.18 20091125.3312390 2009-11-25 0.12 -
Arcavir 2009 200911251307 2009-11-25 0.04 -
Authentium 5.1.1 200911251913 2009-11-25 1.22 W32/Virut.AI!Generic (Heuristic)
AVAST! 4.7.4 091125-1 2009-11-25 0.01 Win32:Vitro
AVG 8.5.288 270.14.83/2526 2009-11-26 0.54 Win32/Virut
BitDefender 7.81008.4603165 7.29139 2009-11-26 3.90 Win32.Virtob.Gen.12
CA (VET) 35.1.0 7141 2009-11-24 5.89 -
ClamAV 0.95.2 10070 2009-11-26 0.01 -
Comodo 3.12 3036 2009-11-25 0.86 -
CP Secure 1.3.0.5 2009.11.26 2009-11-26 0.05 -
Dr.Web 4.44.0.9170 2009.11.25 2009-11-25 7.21 Win32.Virut.56
F-Prot 4.4.4.56 20091125 2009-11-25 1.23 Possible W32/Virut.AI!Generic
F-Secure 7.02.73807 2009.11.25.14 2009-11-25 9.17 Virus.Win32.Virut.ce [AVP]
Fortinet 11.93- 11.93 2009-11-25 0.15 -
GData 19.9000/19.585 20091125 2009-11-25 6.93 Virus.Win32.Virut.ce [Engine:A]
ViRobot 20091125 2009.11.25 2009-11-25 0.41 -
Ikarus T3.1.01.74 2009.11.25.74594 2009-11-25 4.09 Gen.Malware
JiangMin 11.0.800 2009.11.25 2009-11-25 4.97 -
Kaspersky 5.5.10 2009.11.25 2009-11-25 0.07 Virus.Win32.Virut.ce
KingSoft 2009.2.5.15 2009.11.25.20 2009-11-25 0.54 Win32.Virut.cr.61440
McAfee 5.3.00 5813 2009-11-25 3.41 W32/Virut.n.gen
Microsoft 1.5302 2009.11.24 2009-11-24 6.67 Virus:Win32/Virut.gen!O
Norman 6.01.09 6.01.00 2009-11-25 4.00 W32/Virut.FN
Panda 9.05.01 2009.11.25 2009-11-25 1.86 W32/Sality.AO
Trend Micro 9.000-1003 6.652.03 2009-11-25 0.04 PE_VIRUX.I
Quick Heal 10.00 2009.11.25 2009-11-25 1.58 W32.Virut.G
Rising 20.0 22.23.02.09 2009-11-25 1.18 Win32.Virut.cl
Sophos 3.01.0 4.47 2009-11-26 3.02 W32/Scribble-B
Sunbelt 5518 5518 2009-11-18 2.78 Virus.Win32.Virut.ce (v)
Symantec 1.3.0.24 20091125.004 2009-11-25 0.11 W32.Virut.CF
nProtect 20091125.01 6330100 2009-11-25 5.06 -
The Hacker 6.5.0.2 v00078 2009-11-25 1.00 -
VBA32 3.12.12.0 20091124.2139 2009-11-24 2.12 Virus.Win32.Virut.X7
VirusBuster 4.5.11.10 10.113.29/2005008 2009-11-25 3.08 -

Here are the results from: C:\WINDOWS\explorer.exe

VirSCAN.org Scanned Report :
Scanned time : 2009/11/26 08:34:34 (EST)
Scanner results: 68% Scanner(s) (25/37) found malware!
File Name : explorer.exe
File Size : 1053184 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 49f7207c20401dc18a888f60cdafeb81
SHA1 : ac3d8906b945c1efc7549cff79497d88259f2bfd
Online report : http://virscan.org/report/1d9a43095deba8342ece41ac64a1cb02.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091126033123 2009-11-26 4.22 Trojan.Win32.Patched!IK
AhnLab V3 2009.11.26.00 2009.11.26 2009-11-26 0.92 Win32/Virut.F
AntiVir 8.2.1.78 7.10.1.106 2009-11-25 0.50 W32/Virut.Gen
Antiy 2.0.18 20091125.3312390 2009-11-25 0.12 -
Arcavir 2009 200911251307 2009-11-25 0.06 -
Authentium 5.1.1 200911251913 2009-11-25 1.24 W32/Virut.AI!Generic (Heuristic)
AVAST! 4.7.4 091125-1 2009-11-25 0.05 Win32:Vitro
AVG 8.5.288 270.14.83/2526 2009-11-26 0.45 Win32/Virut
BitDefender 7.81008.4603165 7.29139 2009-11-26 3.92 Win32.Virtob.Gen.12
CA (VET) 35.1.0 7141 2009-11-24 7.35 -
ClamAV 0.95.2 10070 2009-11-26 0.17 -
Comodo 3.12 3036 2009-11-25 1.13 -
CP Secure 1.3.0.5 2009.11.26 2009-11-26 0.40 -
Dr.Web 4.44.0.9170 2009.11.25 2009-11-25 7.23 Win32.Virut.56
F-Prot 4.4.4.56 20091125 2009-11-25 1.23 Possible W32/Virut.AI!Generic
F-Secure 7.02.73807 2009.11.25.14 2009-11-25 0.12 Virus.Win32.Virut.ce [AVP]
Fortinet 11.93- 11.93 2009-11-25 0.14 -
GData 19.9000/19.585 20091125 2009-11-25 5.60 Virus.Win32.Virut.ce [Engine:A]
ViRobot 20091125 2009.11.25 2009-11-25 0.41 -
Ikarus T3.1.01.74 2009.11.25.74594 2009-11-25 4.20 Trojan.Win32.Patched
JiangMin 11.0.800 2009.11.25 2009-11-25 4.15 -
Kaspersky 5.5.10 2009.11.25 2009-11-25 0.07 Virus.Win32.Virut.ce
KingSoft 2009.2.5.15 2009.11.25.20 2009-11-25 0.53 Win32.Virut.cr.61440
McAfee 5.3.00 5813 2009-11-25 3.47 W32/Virut.n.gen
Microsoft 1.5302 2009.11.24 2009-11-24 6.44 Virus:Win32/Virut.gen!O
Norman 6.01.09 6.01.00 2009-11-25 4.00 W32/Virut.FN
Panda 9.05.01 2009.11.25 2009-11-25 1.81 W32/Sality.AO
Trend Micro 9.000-1003 6.652.03 2009-11-25 0.04 PE_VIRUX.I
Quick Heal 10.00 2009.11.25 2009-11-25 1.51 W32.Virut.G
Rising 20.0 22.23.02.09 2009-11-25 1.33 Win32.Virut.cl
Sophos 3.01.0 4.47 2009-11-26 3.01 W32/Scribble-B
Sunbelt 5518 5518 2009-11-18 1.75 Virus.Win32.Virut.ce (v)
Symantec 1.3.0.24 20091125.004 2009-11-25 0.06 W32.Virut.CF
nProtect 20091125.01 6330100 2009-11-25 3.65 -
The Hacker 6.5.0.2 v00078 2009-11-25 0.76 -
VBA32 3.12.12.0 20091124.2139 2009-11-24 2.15 Virus.Win32.Virut.X7
VirusBuster 4.5.11.10 10.113.29/2005008 2009-11-25 3.54 -

The results from: C:\WINDOWS\System32\svchost.exe

CLEAN.

Thanks.
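The two reports above are plain-text tables with one row per engine, and the useful questions are how many engines flagged the file, whether that count matches the report's own "(25/37)" summary, and which family the engines agree on despite each vendor naming it differently (Virut, Virtob, Vitro, Virux, Scribble). The following script is an added illustration, not VirSCAN's, AVG's or the forum's own code: it parses that row format, computes the detection ratio, cross-checks the summary line, and tallies family votes. The alias table mapping vendor names to a canonical family is an assumption of the example, and the sample report is a constructed excerpt (ten rows from the userinit.exe report, with a summary line rewritten to match that subset).

```python
"""Summarise a VirSCAN.org plain-text report of the kind pasted in this thread.

Added illustration only (not VirSCAN's, AVG's or the forum's own code): it parses
the per-engine rows, computes the detection ratio, cross-checks it against the
report's own "(hits/total)" summary line, and tallies which malware family the
engines agree on despite each vendor using its own naming.
"""
import re
from collections import Counter
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional

# Row layout: "<scanner> <engine ver> <sig ver> <YYYY-MM-DD> <seconds> <result>".
# Scanner names can contain spaces ("AhnLab V3", "CA (VET)"), so the regex
# anchors on the ISO date and elapsed-seconds columns instead of splitting on spaces.
ROW_RE = re.compile(
    r"^(?P<scanner>.+?)\s+(?P<engine>\S+)\s+(?P<sig>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+(?:\.\d+)?)\s+(?P<result>.+?)\s*$"
)
SUMMARY_RE = re.compile(r"Scanner results:.*?\((?P<hits>\d+)/(?P<total>\d+)\)")

# Vendor naming differs per engine; this alias table is an assumption of the
# example, seeded with the names that appear in the thread's reports.
FAMILY_ALIASES = {
    "virut": "Virut", "virtob": "Virut", "vitro": "Virut",
    "virux": "Virut", "scribble": "Virut", "sality": "Sality",
}
UNCLASSIFIED = "unclassified"


@dataclass(frozen=True)
class EngineResult:
    scanner: str
    result: str  # "-" means the engine flagged nothing

    @property
    def detected(self) -> bool:
        return self.result != "-"

    @property
    def family(self) -> str:
        name = self.result.lower()
        for alias, canonical in FAMILY_ALIASES.items():
            if alias in name:
                return canonical
        return UNCLASSIFIED


def parse_report(text: str) -> list[EngineResult]:
    """Return one EngineResult per engine row; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(EngineResult(m["scanner"], m["result"]))
    return rows


def detection_ratio(rows: list[EngineResult]) -> Fraction:
    """Exact hits/total, e.g. Fraction(25, 37) for the full reports in the thread."""
    if not rows:
        return Fraction(0)
    return Fraction(sum(r.detected for r in rows), len(rows))


def check_summary(text: str, rows: list[EngineResult]) -> bool:
    """Does the report's own "(hits/total)" line agree with the rows we parsed?"""
    m = SUMMARY_RE.search(text)
    if not m:
        return False
    hits, total = int(m["hits"]), int(m["total"])
    return total == len(rows) and hits == sum(r.detected for r in rows)


def family_votes(rows: list[EngineResult]) -> Counter:
    """Count detections per canonical family (only engines that flagged something)."""
    return Counter(r.family for r in rows if r.detected)


def consensus_family(rows: list[EngineResult]) -> Optional[str]:
    """Most-voted named family, ignoring generic/heuristic names; None if no detections."""
    votes = family_votes(rows)
    votes.pop(UNCLASSIFIED, None)
    return votes.most_common(1)[0][0] if votes else None


# Constructed excerpt: ten rows copied from the userinit.exe report above, with
# a summary line rewritten to match this subset (6 of 10 engines detected).
SAMPLE_REPORT = """\
VirSCAN.org Scanned Report :
Scanner results: 60% Scanner(s) (6/10) found malware!
File Name : userinit.exe
Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091126033123 2009-11-26 4.07 Gen.Malware!IK
AhnLab V3 2009.11.26.00 2009.11.26 2009-11-26 0.98 Win32/Virut.F
Antiy 2.0.18 20091125.3312390 2009-11-25 0.12 -
AVAST! 4.7.4 091125-1 2009-11-25 0.01 Win32:Vitro
BitDefender 7.81008.4603165 7.29139 2009-11-26 3.90 Win32.Virtob.Gen.12
CA (VET) 35.1.0 7141 2009-11-24 5.89 -
ClamAV 0.95.2 10070 2009-11-26 0.01 -
Fortinet 11.93- 11.93 2009-11-25 0.15 -
Panda 9.05.01 2009.11.25 2009-11-25 1.86 W32/Sality.AO
Trend Micro 9.000-1003 6.652.03 2009-11-25 0.04 PE_VIRUX.I
"""

if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print(f"{detection_ratio(rows)} of engines flagged the file; "
          f"summary line consistent: {check_summary(SAMPLE_REPORT, rows)}")
    print("family votes:", dict(family_votes(rows)))
    print("consensus:", consensus_family(rows))
```

Run as-is it reports 3/5 of the sample engines detecting something, a consistent summary line, and Virut as the consensus family, with Panda's Sality name and a-squared's generic "Gen.Malware" name counted separately. Pasting the full 37-row report from the post in place of the sample gives the 25/37 ratio shown at the top of that report; a mismatch between the parsed rows and the summary line would indicate a truncated or edited paste.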
 
Unfortunately, that last 'clean' for svchost.exe isn't going to matter. Your system has basically been trashed by the Virut infection.

We have found that the best advice when this happens is to suggest the user reformat and reinstall.

As quickly as we might remove one Virut entry, just as quickly it 'morphs' into another. As mentioned:
Virut is a Polymorphic File Infector that infects .EXE and .SCR files. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.

You will find more detailed information about Virut "and other file infectors" here:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

Change all of your passwords and monitor any online financial transactions. We suggest that you not be taken in by companies who may 'guarantee' that their program will remove Virut, and for a price.

"but every time I run it again, it keeps picking them up" / "which are now picking up like 22 entries!" / "tried to delete them, but the system won't let me."

That's because the virus morphs into yet another variant. It is best you handle this immediately as the system has been badly compromised. And this is not the time to back up.
 