Win32/Heur virus

Chepper

Hello all,


I'm just new on the boards, mainly since only now it seems I should ask for assistance of a much bigger expert for these things.

Yesterday I suddenly got the warnings from AVG Free that it found various threats; especially a WIN32/Heur kept coming back up. It continued to spread pretty fast, even during the scan of the antivirus program. Many .exe files were suddenly infected, and when the scan was almost finished I got a Windows message saying some files were severely damaged and I had to put in my Windows XP CD to repair it.

When I had my CD at hand, the computer just stopped and froze up, only thing left to do was rebooting... Though, as expected, it didn't make things better. When it starts booting up Windows, it gets a quick bluescreen and then restarts again on booting. The only way now left is getting into Safe Mode.

As far as I have been reading up here, I will need to install some extra utilities and make logs for you all, though my first question already is, "Is there still a possibility to do even that, now that I can only access Windows Safe mode?"


Please let me know what you require from me and I shall provide it (in terms of ICT speaking ;) ). Currently all I can state is that I run Windows XP SP3, AVG Free V9.0, and CCleaner is also in my possession.


Hoping for some helpful feedback, thank you in advance.
 
Welcome to TechSpot Chepper. I wish I could give you better news, but your symptoms sound very much like the Virut malware. So instead of trying to run a lot of programs that won't work, let's make sure:

"Is there still a possibility to do even that, now that I can only access Windows Safe mode?"

It is not likely. But we can confirm if you can get the files below into VirSCAN.

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Also scan these:

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe


Virut is a polymorphic file infector that infects .exe, .scr, .rar, .zip, .htm and .html files. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine. It opens a backdoor by connecting to a predefined IRC server and waits for commands from the remote attacker.

Good explanation here:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html


Change all of your passwords and monitor any online transactions.

Malware experts say that a Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .rar, .zip, .htm, .html files.

* Backup all your documents and important items only.
* DON'T back up any executable files (.exe .scr .html or .htm)
* DON'T back up compressed files (zip/cab/rar) that may contain .exe or .scr files

You will find excellent reformat/reinstall instructions here:
http://www.tech-101.com/tutorials/356-tutorial-windows-install-repair-xp-vista.html

If this scan comes back with no Virut listed, I will be glad to delete all my Virus instructions and proceed with cleaning!
 
Hey Bob, Thank you for helping me out.


I tried to do what you asked. Went into Safe Mode and made a scan of userinit.exe. That one ran all okay, and I saved the file, but then the computer was hanging again. After rebooting, now I can't access Safe Mode either, since it also shoots a quick bluescreen and reboots... :'(

The file showed on 28% of the scans that there is indeed a Virut on my computer along with the Win32/heur virus.

Is there any chance left to somehow make copies from the drive? As I'm totally blocked now :'( I really don't know what else I can do.
 
"Is there any chance left to somehow make copies from the drive? As I'm totally blocked now :'( I really don't know what else I can do."

Chepper, if you're referring to copies of files, I left you a list of what you can and cannot back up. If you did not back up documents and they have the file extensions that are infected, it's too late to do it now. It sounds like you don't have a choice since you can't get into the system.

I know this is bad news. You are the third out of three that I've had check and come back with Virut.

  • Back up all your documents and important items only.
  • DON'T back up any executable files (.exe .scr .html or .htm)
  • DON'T back up compressed files (zip/cab/rar) that may contain .exe or .scr files
You will find excellent reformat/reinstall instructions here:
http://www.tech-101.com/tutorials/35...-xp-vista.html
 
Heya Bob,


Alright, mmmm, I'm trying a few extra things to get back access into Windows and see what I can repair from the damaged goods. It will take a few more minutes before I have some news for you again.

Will give you a heads up once I got access again.
 
Bob,


I got back access again to my Windows. There are a few things I will inform you of that I have done so far:


1. I made a fresh Windows installation, meaning I threw out the old Windows folder and installed the new one from CD. That seemed to have worked finally after trying to repair etc... At this moment I am in Windows. (This was without formatting; it's the Windows install option where you say it can install a new one after it deleted the old one, and it keeps your data.)

2. I have unplugged my internet cable so far.

Please advise on how to approach the situation now. Is it safe to plug in the network again and start off with a VirSCAN with the link you provided in the first post? Should I start backing up the files first that do not have the extensions you gave?


Awaiting your command.


PS: Thank you already for your time, people like you should live tax-free... ;)
 
You're a good Trooper Chepper! The one thing you have to be the most careful of is putting files you save back on the computer once you've reformatted/reinstalled. If there is some way to scan a file before adding it back, that would work.

I am a bit confused about the backup question though. Where were those files when you did the reinstall? If you removed and replaced Windows, how could the files and folders still be on the computer? Are they on the hard drive? Are you using the same hard drive?
 
Alright, will do so. You got any advice on how to make a good and fast scan for those files? At this moment I got an external hard drive from my brother to use, and I would love to nuke it with all kinds of goodie antivirus scans :) Since the antivirus site can only scan file by file and... it's a huuuuge load of files, it is rather a titan's work to scan them one by one. Maybe you can advise something useful? :)

About the files and Windows. Yes, it is the same hard drive. Mmm, what I did was the following:

1. Inserted my Windows XP Prof. installation CD.
2. Booted the computer from CD and started up the CD.
3. Chose to install Windows.
4. The installation procedure said there is already a windows installed so it lets you choose in either:
a. Make a fresh install and format
b. Make a new Windows folder without format and keeping the old windows folder
c. Make a new Windows folder without a format and delete the old windows folder

I chose option "c".

So what it did was remove the Windows folder; it also said that it may be possible your Documents and Settings folder will be removed. The installation ran fine, it gave me the options of timezone, keyboard region,... and asked me for the activation key. All that went positive.

At the end the PC rebooted and I went into the "Welcome to XP" environment, gave a username and/or password for the admin account, gave the names of the people who will work with the computer, and then continued on the booting process. I entered Windows finally.

Of course, it was clean in terms of: the grassy background was there again instead of my personal one, the icons were all gone etc....

BUT, all my files on the drives were still around. Even my files in the My Documents folder. The only thing that was refreshed was the Windows folder, and there was a new My Documents folder, but I could easily find the old one back also. All programs etc. were around, my outlook.pst file was still there etc...

So I can make the mass backup now and then format the whole thing. Of course I'm still willing to scan the whole shizkabang to make sure that the whole issue is gone, including scanning the external hard drive.


Hope this gives you a good feedback on the needed info.


Shall I plug in the network cable also once the backup is complete and start a scan procedure?
 
Unfortunately, you made the wrong choice; it should have been:
a. Make a fresh install and format

You need to wipe the drive first. Saving the files and folders is not going to get rid of Virut!
 
Working on that now; as I type, it's formatting. I'll give you an update once I get back into Windows after the format, +- 1 hour.
 
Chepper, now you've got to get what you want back on the system. Be very careful returning any files you saved. If you have a flash drive, send the files through it and scan with AV before returning.

Once you get up and running again, please follow these simple steps to keep your computer clean and secure:
1. Disable and Enable System Restore: See System Restore Guide. This will help you understand what this is, why you need to clean and set restore points and what information is in them.
2. Stay current on updates:
  • Visit the Microsoft Download Site frequently. You should get all updates marked Critical and the current SP updates: Windows XP: SP2, SP3.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.
3. Make Internet Explorer safer. Follow the suggestions HERE. This tutorial will help guide you through configuring security settings, managing ActiveX controls and other safety features.
4. Remove Temporary Internet Files regularly: Use ATF Cleaner by Atribune or TFC.
5. Use an antivirus software (only one).
See Virus, Spyware, and Malware Protection and Removal Resources.

6. Use a good, bi-directional firewall (one software firewall). I recommend either of these software firewalls; both are free and good:
Comodo or Zone Alarm
7. Consider these programs for extra security:
  • SpywareBlaster: SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad ActiveX controls from being installed. Remember to update it regularly.
  • IE/Spyad: This places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar: Get the free Google toolbar to help stop pop-up windows.

All of these can help you stay safe. If I can be of further assistance, please let me know.
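Bob's rule across these posts is to restore nothing with the infectable extensions, to skip archives that might hold them, and to scan whatever does go back on the machine. As an added example, not from the thread or from any tool it mentions, the Python below triages a backup tree by those rules; the sample files it builds are constructed, and the 'MZ' check for renamed executables goes beyond the thread's extension list.

```python
import os
import tempfile
import zipfile

# Extensions the thread names as Virut targets, and archive types that may hide them
INFECTABLE = {".exe", ".scr", ".htm", ".html"}
ARCHIVES = {".zip", ".rar", ".cab"}

def classify_file(path):
    """'skip' = do not restore, 'review' = hand to an AV scanner, 'keep' = safe by these rules."""
    ext = os.path.splitext(path)[1].lower()
    if ext in INFECTABLE:
        return "skip"
    with open(path, "rb") as f:          # a renamed executable still starts with the PE 'MZ' mark
        if f.read(2) == b"MZ":
            return "skip"
    if ext in ARCHIVES:
        if not zipfile.is_zipfile(path):
            return "review"              # rar/cab cannot be opened with the stdlib
        with zipfile.ZipFile(path) as z:
            if any(os.path.splitext(n)[1].lower() in INFECTABLE for n in z.namelist()):
                return "skip"
    return "keep"

def triage_backup(root):
    """Walk a backup tree and bucket every file as keep / skip / review."""
    report = {"keep": [], "skip": [], "review": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            report[classify_file(path)].append(os.path.relpath(path, root).replace(os.sep, "/"))
    return report

def demo():
    """Triage a constructed sample backup tree (sample bytes, not real files)."""
    root = tempfile.mkdtemp()
    samples = {
        "notes.txt": b"quarterly notes",
        "setup.exe": b"MZ\x90\x00",
        "holiday.jpg": b"MZ\x90\x00",   # an executable renamed to look like a photo
        "page.htm": b"<html></html>",
        "old.rar": b"Rar!\x1a\x07\x00",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    for archive, member in (("clean.zip", "readme.txt"), ("mixed.zip", "tool.scr")):
        with zipfile.ZipFile(os.path.join(root, archive), "w") as z:
            z.writestr(member, "payload-free sample member")
    return triage_backup(root)
```

Anything in the "review" bucket (rar/cab) still needs an AV pass before it is restored, and "keep" only means the file is not one the thread's rules exclude.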
 
Hi Bob, thanks for that information, however, I don't think I've got a flash drive. The files I backed up are on an external drive from Lacie. Is it safe to hook it up to the computer and tell AVG or an online virus scanner to scan only the external hard drive? Or would that already mess up things the moment I hook it up again?

Will start to work on the programs you people suggest here. Had most of them already, but it seems I can still fine-tune more as I read more up here ;)
 