BleepingComputer.com: Avg Report Win32/heur


Avg Report Win32/heur

#1 imi


Posted 21 June 2007 - 05:21 PM

My virus checker, AVG 7.5 Pro, is up to date and so is SpyBot.

Whilst browsing My Computer, AVG finds that two games' executable files are infected with Win32/Heur. I have the offending files in the virus vault but the heal process is unavailable. After a complete scan one other executable is now reporting infection, and it is an application not run for 6 months or more.

Since these files are executables will this render them unusable and require me to reinstall the apps again?

I would be grateful for any assistance.

#2 buddy215


Posted 21 June 2007 - 05:54 PM

See the discussion in the link below on "possible" false positives and how to confirm whether a file is actually infected.
"Heur" is short for heuristic which means a malware signature wasn't detected but something about the files was suspect enough that AVG reported it to you.
http://forum.grisoft.cz/freeforum/read.php?4,100014,100026

This post has been edited by buddy215: 21 June 2007 - 06:15 PM


#3 imi


Posted 21 June 2007 - 07:49 PM

Thanks buddy215.

I already read that post earlier but will use the information to see if it is, as it suggests, a false positive.

:thumbsup:

#4 zarathustra


Posted 31 May 2008 - 12:03 AM

Greetings all,

I managed to download this malware myself - in a file with suffix '.nfo.exe' (is there anyone dumb enough these days to _still_ be obfuscating their filetypes?)

Anyhoo, I went to Jotti's malware scanner
http://virusscan.jotti.org/
& upped it for analysis - here's what I got (v. funny :flowers: ) :

File: bleurgh.nfo.exe
Status: INFECTED/MALWARE
MD5: afc222f034bade5041cbee93dfd4fbae7
Packers detected: -

Scanner results
------------------
Scan taken on 31 May 2008 04:34:27 (GMT)

A-Squared...........................Found.........Backdoor.Win32.Kbot.by
AntiVir.................................Found.........TR/Crypt.XDR.Gen
ArcaVir.................................Found.........Adware.Searchit.J
Avast...................................Found.........Win32:Zbot-VQ
AVG Antivirus.......................Found.........nothing
BitDefender..........................Found.........nothing
ClamAV................................Found.........Trojan.Kbot-34
CPsecure.............................Found.........BackDoor.W32.Kbot.by
Dr.Web................................Found.........nothing
F-Prot Antivirus.....................Found.........nothing
F-Secure Anti-Virus...............Found.........Backdoor.Win32.Kbot.by
Fortinet................................Found.........nothing
Ikarus...................................Found.........Backdoor.Win32.Kbot.by
Kaspersky Anti-Virus.............Found.........Backdoor.Win32.Kbot.by
NOD32..................................Found.........probably a variant of Win32/Agent (probable variant)
Norman Virus Control............Found.........W32/Kbot.X
Panda Antivirus.....................Found.........nothing
Sophos Antivirus...................Found.........nothing
VirusBuster...........................Found.........nothing
VBA32...................................Found.........Backdoor.Win32.Kbot.by

Kinda says it all really, eh?

Oddly though, although Jotti's version of AVG reported 'nothing', it was exactly _that_ (AVG - my version, anyway) that flagged the file as 'Win32/Heur'...

Well, I just _had_ to get that little nuggette off my chest - & that's that.

Cheers all,

zarathustra :thumbsup:
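As an added illustration (not from any post in this thread), a small Python parser for Jotti-style result lines like those zarathustra pasted: it separates engines that returned 'nothing' from real detections and tallies the family names the vendors agree on despite their different naming schemes, which is the kind of multi-engine cross-check buddy215's link recommends for a heuristic-only 'Win32/Heur' hit. The sample lines are constructed from the post's output, and the list of generic name tokens is my own assumption.

```python
import re
from collections import Counter

# Constructed sample in the layout Jotti used for the results quoted above
# (a subset of engines; 'nothing' is how Jotti reports a clean verdict).
SAMPLE_RESULTS = """\
A-Squared...........................Found.........Backdoor.Win32.Kbot.by
AntiVir.................................Found.........TR/Crypt.XDR.Gen
AVG Antivirus.......................Found.........nothing
ClamAV................................Found.........Trojan.Kbot-34
Dr.Web................................Found.........nothing
Kaspersky Anti-Virus.............Found.........Backdoor.Win32.Kbot.by
NOD32..................................Found.........probably a variant of Win32/Agent (probable variant)
Norman Virus Control............Found.........W32/Kbot.X
"""

# Engine names may themselves contain a dot (Dr.Web), so the leader must be a
# run of at least two dots; the non-greedy engine group stops at the first such run.
LINE_RE = re.compile(r"^(?P<engine>.+?)\.{2,}Found\.{2,}(?P<verdict>.*)$")

# Vendor prefixes and filler words that carry no family information (assumed list).
GENERIC = {"backdoor", "trojan", "tr", "adware", "win32", "w32", "gen",
           "probably", "a", "variant", "of", "probable"}

def parse_results(text):
    """Map engine name -> verdict string, or None where the engine reported 'nothing'."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, timestamps
        verdict = m.group("verdict").strip()
        results[m.group("engine").strip()] = None if verdict.lower() == "nothing" else verdict
    return results

def detection_ratio(results):
    """(engines that flagged the file, engines that scanned it)."""
    return sum(1 for v in results.values() if v), len(results)

def family_of(verdict):
    """First token of a vendor verdict that is not a generic prefix, lower-cased."""
    for tok in re.split(r"[./:\-\s()]+", verdict):
        if tok and tok.lower() not in GENERIC:
            return tok.lower()
    return None

def family_consensus(results):
    """How many engines name each malware family, across differing vendor naming schemes."""
    return Counter(f for f in (family_of(v) for v in results.values() if v) if f)
```

A file flagged only by one engine's heuristic, with no family name from anyone else, is a false-positive candidate; the pasted results, where most engines name Kbot, are the opposite case.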

#5 Dave Burrin


Posted 22 July 2008 - 04:56 PM

This is the topic that led me to Bleeping Computer. I've been working on a small work station in a church open-all-hours computer setting that has a Network, but without file sharing.

One of the work stations keeps getting a message from AVG Free 8 saying "Threat removed" - giving the file name as C/windows/system32/iegaieg.dll. Looking in the folder there are two files with this name, but one has .bak extension.

The message continues "Threat name: Virus found Win32/Heur - Detected on open."

Despite running a scan and looking at the history and opting to remove all threats, the message keeps coming up.

The file concerned is one that by Googling on brings up one page in Japanese; at least one other computer on the Network doesn't have this particular file in its system32 folder. The folders will not delete, which is probably a good thing.

Any ideas whether this is important, and if it isn't, is there a way of getting rid of either the virus and/or the message?

Dave Burrin

#6 beanniebaby


Posted 09 October 2008 - 02:32 PM

Dave Burrin, on Jul 22 2008, 05:56 PM, said (post #5 above):



To delete a file that seems unable to be deleted (being familiar with DOS is helpful):
1. Write down the complete path name (you will need it).
2. Open your command prompt window.
3. Open Task Manager.
4. Close all applications.
5. In Task Manager, close explorer.exe.
6. Type del c:\windows\system32\iegaieg.dll

If that doesn't delete the file, repeat steps 1-5 and do the following until you get yourself into the correct root directory in the command prompt window. You may have to try a few variations to get to the correct directory, but if you don't know DOS: cd means change directory; in the command prompt window type cd:(path)

You may have to change to C first:
cd\c:\
or cd c:\
then continue to change directories until you get to the one the file you want to delete is in, in other words only changing one branch of the directory tree at a time, such as:
cd c:\windows
cd \system32
or cd\windows\system32, whichever works for you.
Anyway, once the command prompt confirms you managed to change to the correct directory, type del iegaieg.dll

The trick is to do it without Windows being loaded. If you have bootable software to give you a base DOS shell, great, you can skip all this and do it directly from there. But it is the only way to delete a file embedded in explorer.

I hope this helps, or maybe someone can explain how to use DOS a little better than I can. It has been many years since I used DOS on a regular basis.

Good luck

This post has been edited by beanniebaby: 09 October 2008 - 03:50 PM


#7 bobuk


Posted 23 June 2011 - 02:26 PM

If you are a grey hair like me and don't understand a lot of stuff try this, it worked for me.

Note which games are appearing in the list, go to Add/Remove Programs, and delete those games.

Worked fine for me, good luck

#8 Adam Pollard


Posted 09 February 2012 - 08:34 AM

I'm aware this is an old post but it still comes top for "win32/heur" so I just wanted to correct some bad advice in the previous post.

Unfortunately, Mr Grey Hair (mine is mostly grey too!), this won't work for malware. For programmes to get into the Add/Remove Programmes list, they have to adhere to a process with Windows, by providing an uninstall programme and adding items to the registry to let Windows know where the uninstall programme is. Think of it as a courtesy, used by responsible programmers. Virus writers will do everything in their power to prevent the user removing them, and are not likely to provide a convenient route to uninstallation by providing an uninstaller and putting an entry in Add/Remove Programmes :-)
