win32/Heur Virus - an SOS message

[Collins]

Still did not work!
I got the error message:  "The request file doesnt exist. Details HTTP/1.1 404 Not found"

[evilfantasy]

Run HijackThis and have it fix this entry: (if there)

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


1. Open Notepad. Click Start>Programs>Accessories>Notepad.
2. Copy and paste the following:

Code: [Select]

On Error Resume Next
Set shl = CreateObject("WScript.Shell")
Set fso = CreateObject("Scripting.FileSystemObject")
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
shl.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools"
shl.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr"
3. Save this file as C:\RESTORE.VBS to your desktop.
4. Double-click RESTORE.VBS to run it.

Delete the .VBS file when complete.
----------

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code: [Select]

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

----------

Did that fix it?

[Collins]

I fixed the 07.... as directed using the HiJackThis.
I did not see anything happening when I double clicked the .vbs icon on the desktop and got the error message "your system adminitrator has disbled your registry editor" when i did the fixme.

[evilfantasy]

Try this. http://majorgeeks.com/RRT_Remove_Restrictions_Tool_d5635.html

If that doesn't work create a new User Account and see if it works OK.

[Collins]

It still did not work.
I created another user and that one also did not work.  I got the same error message as before.

[evilfantasy]

I'm running out of ideas.

Download and run TrendMicro Sysclean

Create a new folder on the desktop by Right-Clicking an empty area of the desktop and select New > Folder. Name it Sysclean.

1. Download Trendmicro Sysclean and save it to the new folder on your Desktop.
2. Download the latest Pattern Files from Trendmicro and save it to the same folder as the Sysclean. Pattern file is in Zip format such as lptxxx.zip (Windows)
3. Extract the contents of the lptxxx.zip in the folder where Sysclean in located. Read here how to unzip/extract properly.

It is important that Sysclean and the Pattern Files are in the same folder.

4. Open the sysclean-folder and doubleclick sysclean.com.
5. If it requires you to login please use the login name with administrative rights. Without this privilege, Sysclean will not delete/clean infected files located on System folder.
6. Check: Automatically clean or delete detected files
7. Click Scan

*This may take time so please be patient.

8. When finished, open the sysclean-folder and copy and paste the contents of sysclean.log in your next reply.

[Collins]

Unfortunately, I could not download the two programs.  I got the message 'loading' for hours on end.  Do you think I am getting to a point when I would have to format my c-drive again?  Will formatting the disk get rid of the virus and restore my regedit and task manager facilities.

[evilfantasy]

Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

* Scroll down to Non-plug and Play Drivers and click the plus icon to open those drivers.
* Search for any of the following:

- Seneka.sys <- Or anything beginning with Seneka
- clbdriver.sys <- Or anything beginning with clbdriver
- TDSSserv.sys <- Or anything beginning with TDSS

* Let me know if you find them or not.
* If you do find it, right click on it, and select Disable. Do not try to uninstall them.
* Now reboot and see if you can run the scans that would not run.

[Collins]

I did not find them there.

[evilfantasy]

I don't know what's going on. We seemed to be making a bit of progress than everything fell apart.

Download UnHackMe and save it to the desktop.

* Open the compressed folder on your desktop named unhackme.zip
* Double click unhackme250.exe to begin the installation.  When asked if you wish to continue, click Yes.
* Select all the default installation options by clicking Next for every step in the installation.  When prompted, choose Yes to create a directory.
* Select the Check tab at the top of the window and then click on the Check for Trojans, Spyware, Adware button. 
* A dialog box should pop up stating "We strongly recommend you to make the virus scan at the next reboot of your computer. This is required for detecting the hidden rootkits."
* Please allow the restart of the computer.

* When scan is complete it should show what was has found.
* Look at each key and DON'T delete anything you are unsure of. Come back here and ask if you need help deciding.
* Click on the key that you want to remove.
* After selecting the key, click on the Delete Key or the Get it out! button. 
* A window will appear asking you to verify the deletion. Click Yes to delete the infected key.
* Repeat this for all of the infected keys in the list.
* When you're finished deleting all the keys in the list close UnHackMe.

[Collins]

Hey!! I just got the Task Manager and the Regedit back.
I am yet to run the Unhackme, though.  I am still downloading it.
What I did to get it back was I downloaded and installed and run Spybot S&D.  And then "fixed" the items picked during the scan.  Two of the registry items picked by the Spybot scan included something on Task Manager and Regedit disabling by either the administrator or by me.  And since I know I did not disable it and my PC is a standalone, I sort of checked Spybot S&D to fix it and after that I right clicked my Task bar and the Task manager was there.  I also checked the start ->Run -> regedit and it came up alright.
Should I still run the unhackme.zip?

[evilfantasy]

Yes try running it. Whatever was there might not be completely gone.

[Collins]

Hey!! I just got the Task Manager and the Regedit back.
I am yet to run the Unhackme, though.  I am still downloading it.
What I did to get it back was I downloaded and installed and run Spybot S&D.  And then "fixed" the items picked during the scan.  Two of the registry items picked by the Spybot scan included something on Task Manager and Regedit disabling by either the administrator or by me.  And since I know I did not disable it and my PC is a standalone, I sort of checked Spybot S&D to fix it and after that I right clicked my Task bar and the Task manager was there.  I also checked the start ->Run -> regedit and it came up alright.
Should I still run the unhackme.zip?

The Win32/Heur virus is still there anyway because the AVG8 I am using still picked it on about 9 files.  What do i do to get rid of it.  It is still a menace as it attacks the exe files of the programs on my PC.

[evilfantasy]

Try Dr Web again please.

Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:

• Double-click on drweb-cureit.exe and then click Start
• An information notice will appear, click OK.
• This starts a short scan that will scan the files currently running in memory.
• If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version
• If or when something is found, click the Yes button when it asks you if you want to cure it.

• Once the short scan has finished, Click Settings > Change Settings
• Under the Scanning tab UNcheck Heuristic analysis and click OK
• Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
  • Click Yes to all if it asks if you want to cure/move any file(s).
• When the scan is done.
• In the Dr.Web CureIt menu on top left, click File and choose Save report list.
• Save the DrWeb.csv report to your Desktop.
• Exit Dr.Web Cureit.

• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.

[/COLOR]

• After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
• Copy and paste that log in the next reply

[/list]

[Collins]

I was able to download the DrCureIt but could not instal.    I always got an error message of corrupted file during installation.  When I tried it again this morning it could not find the exe file.