
Avg Report Win32/heur



#1 imi

imi

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NW England
  • Local time:11:38 PM

Posted 21 June 2007 - 05:21 PM

My virus checker, AVG 7.5 Pro, is up to date and so is SpyBot.

Whilst browsing My Computer, AVG finds that two games executable files are infected with Win32/Heur. I have the offending files in the virus vault but the heal process is unavailable. After a complete scan, one other executable is now reporting infection, and it is an application not run for 6 months or more.

Since these files are executables, will this render them unusable and require me to reinstall the apps again?

I would be grateful for any assistance.


#2 buddy215

buddy215

  • BC Advisor
  • 12,596 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:04:38 PM

Posted 21 June 2007 - 05:54 PM

See the discussion in the link below on "possible" false positives and how to confirm whether a file is actually infected.
"Heur" is short for heuristic which means a malware signature wasn't detected but something about the files was suspect enough that AVG reported it to you.
http://forum.grisoft.cz/freeforum/read.php?4,100014,100026

Edited by buddy215, 21 June 2007 - 06:15 PM.



#3 imi

imi
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NW England
  • Local time:11:38 PM

Posted 21 June 2007 - 07:49 PM

Thanks buddy215.

I already read that post earlier but will use the information to see if it is, as it suggests, a false positive.

:thumbsup:

#4 zarathustra

zarathustra

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:38 PM

Posted 31 May 2008 - 12:03 AM

Greetings all,

I managed to download this malware myself - in a file with suffix '.nfo.exe' (is there anyone dumb enough these days to _still_ be obfuscating their filetypes?)

Anyhoo, I went to Jotti's malware scanner
http://virusscan.jotti.org/
& upped it for analysis - here's what I got (v. funny :flowers: ) :

File: bleurgh.nfo.exe
Status: INFECTED/MALWARE
MD5: afc222f034bade5041cbee93dfd4fbae7
Packers detected: -

Scanner results
------------------
Scan taken on 31 May 2008 04:34:27 (GMT)

A-Squared...........................Found.........Backdoor.Win32.Kbot.by
AntiVir.................................Found.........TR/Crypt.XDR.Gen
ArcaVir.................................Found.........Adware.Searchit.J
Avast...................................Found.........Win32:Zbot-VQ
AVG Antivirus.......................Found.........nothing
BitDefender..........................Found.........nothing
ClamAV................................Found.........Trojan.Kbot-34
CPsecure.............................Found.........BackDoor.W32.Kbot.by
Dr.Web................................Found.........nothing
F-Prot Antivirus.....................Found.........nothing
F-Secure Anti-Virus...............Found.........Backdoor.Win32.Kbot.by
Fortinet................................Found.........nothing
Ikarus...................................Found.........Backdoor.Win32.Kbot.by
Kaspersky Anti-Virus.............Found.........Backdoor.Win32.Kbot.by
NOD32..................................Found.........probably a variant of Win32/Agent (probable variant)
Norman Virus Control............Found.........W32/Kbot.X
Panda Antivirus.....................Found.........nothing
Sophos Antivirus...................Found.........nothing
VirusBuster...........................Found.........nothing
VBA32...................................Found.........Backdoor.Win32.Kbot.by

Kinda says it all really, eh?

Oddly though, although Jotti's version of AVG reported 'nothing', it was exactly _that_ (AVG - my version, anyway) that flagged the file as 'Win32/Heur'...

Well, I just _had_ to get that little nuggette off my chest - & that's that.

Cheers all,

zarathustra :thumbsup:
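As an added example (not code from the post or from Jotti's service), here is a small Python parser for the scanner listing above: it reads each "Scanner......Found......verdict" line, counts how many engines actually detected something (Jotti prints "Found" on every line, and "nothing" is the clean result), and tallies which family name the detecting engines agree on. The family extraction is my own heuristic, and the sample is copied from the listing above rather than from a live scan.

```python
import re
from collections import Counter

# One Jotti-style result line: scanner name, dot leader, "Found", dot leader, verdict.
RESULT_RE = re.compile(r"^(?P<scanner>.+?)\.{3,}Found\.{3,}(?P<verdict>.+?)\s*$")

# Tokens that name a class or platform rather than a family (my own list, an assumption).
GENERIC = {"backdoor", "trojan", "adware", "worm", "win32", "w32", "tr", "gen",
           "probably", "variant", "probable"}

# Sample listing: a subset of the lines from zarathustra's post above, not a live scan.
SAMPLE_REPORT = """\
Scanner results
------------------
Scan taken on 31 May 2008 04:34:27 (GMT)

A-Squared...........................Found.........Backdoor.Win32.Kbot.by
AntiVir.................................Found.........TR/Crypt.XDR.Gen
AVG Antivirus.......................Found.........nothing
Avast...................................Found.........Win32:Zbot-VQ
ClamAV................................Found.........Trojan.Kbot-34
Kaspersky Anti-Virus.............Found.........Backdoor.Win32.Kbot.by
NOD32..................................Found.........probably a variant of Win32/Agent (probable variant)
Sophos Antivirus...................Found.........nothing
"""

def parse_report(text):
    """Map scanner name -> verdict string; 'nothing' means that engine saw no threat."""
    results = {}
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            results[m.group("scanner").strip()] = m.group("verdict").strip()
    return results

def family_of(verdict):
    """First token of 3+ chars that is not a generic class/platform word, e.g. 'Kbot'."""
    for tok in re.split(r"[^A-Za-z0-9]+", verdict):
        if len(tok) >= 3 and tok.lower() not in GENERIC:
            return tok
    return None

def summarize(results):
    """Detection count and a tally of family names across the engines that detected."""
    detected = {s: v for s, v in results.items() if v.lower() != "nothing"}
    families = Counter(f for f in map(family_of, detected.values()) if f)
    return {"total": len(results), "detections": len(detected), "families": dict(families)}

if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT)))
```

A file that most engines flag under one family (Kbot here) is a very different situation from a lone heuristic hit, which is the distinction the linked false-positive discussion asks you to make.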

#5 Dave Burrin

Dave Burrin

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:38 PM

Posted 22 July 2008 - 04:56 PM

This is the topic that led me to Bleeping Computer. I've been working on a small work station in a church open-all-hours computer setting that has a Network, but without file sharing.

One of the work stations keeps getting a message from AVG Free 8 saying "Threat removed" - giving the file name as C/windows/system32/iegaieg.dll. Looking in the folder there are two files with this name, but one has .bak extension.

The message continues "Threat name: Virus found Win32/Heur - Detected on open."

Despite running a scan and looking at the history and opting to remove all threats, the message keeps coming up.

Googling the file concerned brings up one page, in Japanese; at least one other computer on the Network doesn't have this particular file in its system32 folder. The folders will not delete, which is probably a good thing.

Any ideas whether this is important, and if it isn't, is there a way of getting rid of either the virus and/or the message?

Dave Burrin

#6 beanniebaby

beanniebaby

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:38 PM

Posted 09 October 2008 - 02:32 PM


To delete a file that seems unable to be deleted:
1. write down the complete path name (you will need it). Being familiar with DOS is helpful
2. open your command prompt window
3. open task manager
4. close all applications
5. in task manager close explorer.exe
6. type del c:\windows\system32\iegaieg.dll

If that doesn't delete the file, repeat steps 1-5 and do the following until you get yourself into the correct root directory in the command prompt window.
You may have to try a few variations to get to the correct directory, but if you don't know DOS, cd means change directory: in the command prompt window type cd (path)

You may have to change to c first
cd\c:\
or cd c:\
then continue to change directories until you get to the one the file you want to delete is in, in other words only changing one branch of the directory tree at a time, such as
cd c:\windows
cd \system32
or cd\windows\system32 whichever works for you.
Anyway, once the command prompt confirms you managed to change to the correct directory,
type del iegaieg.dll

The trick is to do it without Windows being loaded. If you have bootable software to give you a base DOS shell, great, you can skip all this and do it directly from there. But it is the only way to delete a file embedded in explorer.

I hope this helps, or maybe someone can explain how to use DOS a little better than I can. It has been many years since I used DOS on a regular basis.

Good luck

Edited by beanniebaby, 09 October 2008 - 03:50 PM.


#7 bobuk

bobuk

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:05:38 PM

Posted 23 June 2011 - 02:26 PM

If you are a grey hair like me and don't understand a lot of stuff try this, it worked for me.

Note which games are appearing in the list, go to add remove programs, delete those games.

Worked fine for me, good luck

#8 Adam Pollard

Adam Pollard

  • Members
  • 145 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Wales, UK
  • Local time:11:38 PM

Posted 09 February 2012 - 08:34 AM

I'm aware this is an old post but it still comes top for "win32/heur" so I just wanted to correct some bad advice in the previous post.

Unfortunately, Mr Grey Hair (mine is mostly grey too!), this won't work for malware. For programmes to get into the add/remove programmes list, they have to adhere to a process with Windows, by providing an uninstall programme and adding items to the registry to let Windows know where the uninstall programme is. Think of it as a courtesy, used by responsible programmers. Virus writers will do everything in their power to prevent the user removing them, and are not likely to provide a convenient route to uninstallation by providing an uninstaller and putting an entry in add/remove programmes :-)



