W32/Heur Removal

#1 Dilemma13


Posted 21 February 2009 - 03:55 PM

Recently I have come into a bit of a virus problem. My main concern is W32/Heur. My entire computer is flushed with this to the point I had to format (with backup) my computer. Unfortunately the virus spread from my locked backup into my computer. It's infected tons of files, including system ones. If I have AVG delete or repair these files, my computer will shut down and will not reboot after the Windows screen.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 12:47:11.84 on 2009-02-21
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1903.1445 [GMT -8:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
FW: *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe C:\WINDOWS\TEMP\VRT3.tmp
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com/?o=101760&l=dis
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\temp\init.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0988.2\msneshellx.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [reader_s] c:\documents and settings\owner\reader_s.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [services] c:\windows\services.exe
dRun: [reader_s] c:\documents and settings\owner\reader_s.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
IE: Download all links using BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Download all videos using BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: Download link using &BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {556DDE35-E955-11D0-A707-000000521957} - hxxp://www.xblock.com/download/xclean_micro.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-2-20 12936]
R0 protect;protect;c:\windows\system32\drivers\protect.sys [2009-2-21 18944]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-20 98440]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-20 26824]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-20 90632]
R3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2009-2-20 386688]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys --> c:\windows\system32\drivers\restore.sys [?]

=============== Created Last 30 ================

2009-02-21 12:32 <DIR> --d----- c:\windows\system32\PreInstall
2009-02-21 12:29 55,809 a------- c:\windows\services.exe
2009-02-21 12:29 47,104 a------- c:\documents and settings\owner\reader_s.exe
2009-02-21 12:29 30,208 a------- c:\windows\system32\reader_s.exe
2009-02-21 12:29 18,944 a---h--- c:\windows\system32\drivers\protect.sys
2009-02-21 12:29 67,585 a------- c:\windows\system32\6.tmp
2009-02-21 12:29 64,000 a------- c:\windows\system32\i386kd.exe
2009-02-21 12:29 168 a------- c:\windows\system32\4.tmp
2009-02-21 12:21 <DIR> --d----- C:\ComboFix
2009-02-20 19:46 <DIR> a-dshr-- C:\cmdcons
2009-02-20 19:45 179,200 a------- c:\windows\SWREG.exe
2009-02-20 19:45 115,712 a------- c:\windows\sed.exe
2009-02-20 19:35 <DIR> --d----- c:\program files\Trend Micro
2009-02-20 19:29 <DIR> --d----- C:\32788R22FWJFW.0.tmp
2009-02-20 19:18 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-02-20 19:18 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-20 19:18 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-20 19:18 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-20 19:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-20 18:38 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-20 18:28 12,936 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-02-20 18:28 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-02-20 18:28 90,632 a------- c:\windows\system32\drivers\avgtdix.sys
2009-02-20 18:27 98,440 a------- c:\windows\system32\drivers\avgldx86.sys
2009-02-20 18:27 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-02-20 18:16 <DIR> --d----- c:\program files\AVG
2009-02-20 18:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-20 18:11 <DIR> --d----- c:\program files\BitComet
2009-02-20 18:04 <DIR> --d----- c:\program files\DNA
2009-02-20 18:04 <DIR> --d----- c:\program files\AskSearch
2009-02-20 18:04 <DIR> --d----- c:\program files\AskBarDis
2009-02-20 17:52 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-20 17:52 73,728 a------- c:\windows\system32\javacpl.cpl
2009-02-20 17:51 616 a------- c:\windows\system32\14B.tmp
2009-02-20 17:50 2,560 a------- c:\windows\system32\147.tmp
2009-02-20 17:50 30,208 a------- c:\windows\system32\146.tmp
2009-02-20 17:50 208 a------- c:\windows\system32\143.tmp
2009-02-20 17:47 <DIR> --d----- c:\docume~1\owner\applic~1\McAfee.com Personal Firewall
2009-02-20 17:45 2 a------- c:\windows\msoffice.ini
2009-02-20 17:37 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-02-20 11:28 386,688 a----r-- c:\windows\system32\drivers\TNET1130.sys
2009-02-20 11:28 84,912 a----r-- c:\windows\system32\drivers\FwRad17.bin
2009-02-20 11:28 83,320 a----r-- c:\windows\system32\drivers\FwRad16.bin
2009-02-20 11:18 940,794 a------- c:\windows\system32\LoopyMusic.wav
2009-02-20 11:18 146,650 a------- c:\windows\system32\BuzzingBee.wav
2009-02-20 11:18 <DIR> --d----- c:\windows\system32\Lang
2009-02-20 11:14 8,192 a------- c:\windows\REGLOCS.OLD
2009-02-20 11:08 2,752 a------- c:\windows\system32\Status.MPF
2009-02-20 11:07 29 a------- c:\windows\wwwbatch.ini
2009-02-20 11:07 10,280 a------- c:\windows\BigFixClientOverride.dll
2009-02-20 11:07 <DIR> --d----- c:\program files\BigFix
2009-02-20 11:07 94,208 a------- c:\windows\system32\bae.dll
2009-02-20 11:05 80,512 a------- c:\windows\system32\drivers\Rtnicxp.sys
2009-02-20 11:04 <DIR> --d----- c:\program files\Realtek
2009-02-20 11:00 471,300 a------- c:\windows\wallpe.exe
2009-02-20 11:00 30,056 a------- c:\windows\system32\oemlogo.bmp
2009-02-20 10:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Napster
2009-02-20 10:55 <DIR> --d----- c:\program files\Napster
2009-02-20 10:55 <DIR> --d----- c:\program files\MSN Encarta Plus
2009-02-20 10:46 540,672 -------- c:\windows\system32\ati2sgag.exe
2009-02-20 10:46 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-02-20 10:39 <DIR> --d----- c:\windows\RegisteredPackages
2009-02-20 10:38 106,496 a------- c:\windows\unvise32qt.exe
2009-02-20 10:37 <DIR> --d----- c:\program files\common files\Nullsoft
2009-02-20 10:35 8,552 a------- c:\windows\system32\drivers\asctrm.sys
2009-02-20 10:35 <DIR> --d----- C:\My Music
2009-02-20 10:35 24,576 a------- c:\windows\system32\prefscpl.cpl
2009-02-20 10:35 <DIR> --d----- c:\program files\common files\Real
2009-02-20 10:35 <DIR> --d----- c:\program files\common files\AolCoach
2009-02-20 10:34 1,122 a---h--- C:\IPH.PH
2009-02-20 10:32 <DIR> --d----- c:\program files\common files\AOL
2009-02-20 10:26 4 a------- c:\windows\Pix11.dat
2009-02-20 10:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Prism Deploy
2009-02-20 10:25 <DIR> --d----- c:\program files\common files\New Boundary
2009-02-20 10:23 2,238 a------- c:\windows\system32\32-aol.ico
2009-02-20 10:23 1,406 a------- c:\windows\system32\16-aol.ico
2009-02-20 10:23 22,752 a------- c:\windows\system32\spupdsvc.exe
2009-02-20 10:21 376 a------- c:\windows\ODBC.INI
2009-02-20 10:21 24,816 a------- c:\windows\system32\mdimon.dll
2009-02-20 10:21 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-02-20 10:20 <DIR> --d----- c:\windows\SHELLNEW
2009-02-20 09:43 <DIR> --d-h--- c:\windows\$hf_mig$
2009-02-20 09:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com Personal Firewall
2009-02-20 09:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com
2009-02-20 09:31 20,992 a------- c:\windows\system32\drivers\RTL8139.sys
2009-02-20 09:30 26,624 a------- c:\windows\system32\drivers\usbehci.sys
2009-02-20 09:30 7,168 a------- c:\windows\system32\hccoin.dll
2009-02-20 09:30 17,024 a------- c:\windows\system32\drivers\usbohci.sys
2009-02-20 06:11 <DIR> --d----- C:\My Backup -- 20-02-09 0711
2009-02-20 02:03 <DIR> --d----- c:\windows\creator
2009-02-20 02:03 1,094,751 a------- c:\windows\system32\drivers\AGRSM.sys
2009-02-20 02:03 <DIR> --d----- c:\windows\SMINST
2009-02-20 02:02 <DIR> --d--r-- C:\Program Files
2009-02-20 02:02 <DIR> --d--r-- c:\documents and settings\all users\Documents
2009-02-20 02:01 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-02-20 01:58 <DIR> -cdshr-- c:\windows\system32\dllcache

==================== Find3M ====================

2009-02-20 17:50 182,912 a------- c:\windows\system32\drivers\ndis.sys
2009-01-08 03:33 385,024 a------- c:\windows\RtlUpd.exe
2009-01-08 03:33 9,730,048 a------- c:\windows\RTLCPL.exe
2009-01-08 03:32 16,139,264 a------- c:\windows\RTHDCPL.exe
2009-01-08 03:31 2,176,512 a------- c:\windows\MicCal.exe
2009-01-08 03:31 2,828,288 a------- c:\windows\alcwzrd.exe
2009-01-08 03:31 90,112 a------- c:\windows\Alcmtr.exe
2009-01-08 03:30 64,960 a------- c:\windows\system32\ChCfg.exe

============= FINISH: 12:47:39.49 ===============

Any help?

#2 syler


Posted 22 February 2009 - 08:13 AM

Hi Dilemma13,

My name is Syler and I will be helping you to clean your computer. Please give me some time
to look over your logs and I will get back to you as soon as possible.



#3 syler


Posted 23 February 2009 - 07:00 PM

Hi Dilemma13,

Unfortunately your machine is severely infected with Rootkits and a very nasty file infector called Virut.
These malware can do so much damage to your machine that the only real way to get your computer
clean is to do a format and reinstall. This has most likely happened because of your usage of P2P
software. There are many risks to using this kind of software, as well as it being illegal to do so. I
would advise that once you have reinstalled Windows you do not put any of this software back
on your computer.

You should back up any data that you want to keep now, but do not back up any .exe or .scr files, like
programs, because these have most likely already been infected. Once you have backed up your data
and formatted, you should follow some simple steps to prevent this happening again.

Updating Windows
It is extremely important to keep Windows up to date with the latest service pack and patches. This will prevent you
from getting the malware which uses vulnerabilities found in Windows to exploit your computer. The easiest way to
do this is by making sure that Automatic Updates is always enabled.

To do this, click on Start >> Control Panel >> Automatic Updates and click Automatic (recommended), then Apply and OK.

Update your AntiVirus Software
It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not
update your antivirus software then it will not be able to catch any of the new variants that may come out. If you
use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your
subscription runs out, you may not be able to update the program's virus definitions.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you.
Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly
patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Install a Firewall
I cannot stress how important it is that you use a third party Firewall on your computer. Without a firewall your computer is
susceptible to being hacked and taken over. Windows firewall is good for blocking inbound connections but it does not block
outbound connections. So if Malware manages to get onto your computer it will be able to send data out when it wants.
Here are some free firewalls I would suggest trying:

Zone Alarm

After you install the third party firewall, please disable your Windows firewall. Please go to My Computer >> Control Panel >> Windows Firewall and choose Off (not recommended) option. Then please click Apply and Ok.

Install an AntiSpyware Program
A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version, or the Pro version for a 15 day trial period.
Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.
Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would an antivirus software.
Tutorials on using these programs can be found below:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster
SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you
from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.
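
An added example, not part of the original posts: one way to follow the backup advice in post #3 (keep the data, leave out .exe and .scr files) is to copy the backup through a filter. The `MZ` header check on files with other extensions goes beyond the post and is an assumption of this example, as are the function names and the constructed sample tree.

```python
import os
import shutil
import tempfile
from pathlib import Path

SKIP_EXTENSIONS = {".exe", ".scr"}  # the file types the post says not to back up

def is_pe_file(path):
    """True if the file starts with 'MZ', the magic of a Windows executable."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return True  # unreadable file: leave it out rather than copy it blind

def copy_data_only(src_root, dst_root):
    """Copy src_root to dst_root, leaving out executables. Returns (copied, skipped)."""
    copied, skipped = [], []
    for dirpath, _dirs, files in os.walk(src_root):
        for name in files:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            label = rel.replace(os.sep, "/")
            if os.path.splitext(name)[1].lower() in SKIP_EXTENSIONS:
                skipped.append((label, "extension"))
            elif is_pe_file(src):  # assumption of this example, not from the post
                skipped.append((label, "MZ header"))
            else:
                dst = os.path.join(dst_root, rel)
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copy2(src, dst)
                copied.append(label)
    return sorted(copied), sorted(skipped)

def demo():
    """Run the filter over a constructed sample backup tree."""
    samples = {
        "docs/letter.txt": b"hello",
        "setup.exe": b"MZ\x90\x00",
        "saver.SCR": b"MZ\x90\x00",
        "music/song.mp3": b"MZ\x90\x00",  # executable renamed to look like data
    }
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "backup"), os.path.join(tmp, "clean")
        for rel, data in samples.items():
            p = Path(src, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        return copy_data_only(src, dst)
```

The skipped list records why each file was left out, so it can be reviewed before the original backup is discarded.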


Posted 25 February 2009 - 07:08 AM

