
Author Topic: win32/Heur Virus - an SOS message  (Read 25009 times)


Collins

    Topic Starter


    Beginner

    win32/Heur Virus - an SOS message
    « on: February 20, 2009, 07:20:44 PM »
    My PC has been attacked by Win32/Heur virus.  I detected it last week and it is taking over all the programs on my PC.  I need urgent help in removing this virus as I suspect it will destroy my PC if I am able to eliminate it.  It is spreading fast.  Pls help!!!

    Collins

      Topic Starter


      Beginner

      Re: win32/Heur Virus - an SOS message
      « Reply #1 on: February 24, 2009, 05:28:54 PM »
      The virus is eating up my PC.  Pls somebody help me!!!  It attacks different programs daily.  Pls help me before I lose my computer entirely.

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: win32/Heur Virus - an SOS message
      « Reply #2 on: February 24, 2009, 05:32:48 PM »

      Collins


        Re: win32/Heur Virus - an SOS message
        « Reply #3 on: February 24, 2009, 06:14:06 PM »
        I cannot get the ccleaner to work.
        It doesn't stay on the desktop. When I double click on the CCleaner icon on the desktop and then on the Options tab, the CCleaner display vanishes from the desktop.

        I was using AVG8 but the virus attacked the avgupdate executing file and so I am able to update. What should I do? Should I install one of the antivirus programs listed?

        evilfantasy

        Re: win32/Heur Virus - an SOS message
        « Reply #4 on: February 24, 2009, 06:15:55 PM »
        Try installing MalwareBytes and let me know what happens.

        Collins


          Re: win32/Heur Virus - an SOS message
          « Reply #5 on: February 25, 2009, 08:01:20 PM »
          Find below the result of the Malwarebytes Scan on my PC as instructed.

          Malwarebytes' Anti-Malware 1.34
          Database version: 1804
          Windows 5.1.2600 Service Pack 2

          2/26/2009 2:51:17 AM
          mbam-log-2009-02-26 (02-51-17).txt

          Scan type: Quick Scan
          Objects scanned: 77393
          Time elapsed: 7 minute(s), 36 second(s)

          Memory Processes Infected: 0
          Memory Modules Infected: 0
          Registry Keys Infected: 11
          Registry Values Infected: 3
          Registry Data Items Infected: 2
          Folders Infected: 5
          Files Infected: 8

          Memory Processes Infected:
          (No malicious items detected)

          Memory Modules Infected:
          (No malicious items detected)

          Registry Keys Infected:
          HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4020100d-29d7-4392-afd5-5ad713ff4b88} (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products (Rogue.Multiple) -> Quarantined and deleted successfully.

          Registry Values Infected:
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{4020100d-29d7-4392-afd5-5ad713ff4b88} (Trojan.Vundo) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products\companyname (Rogue.ContentEraser) -> Quarantined and deleted successfully.
          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

          Registry Data Items Infected:
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
          HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

          Folders Infected:
          C:\Program Files\WinAnonymous (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
          C:\Documents and Settings\All Users\Application Data\WinAnonymous (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
          C:\Documents and Settings\COLLINS\Application Data\WinAnonymous (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
          C:\Documents and Settings\COLLINS\Application Data\WinAnonymous\Logs (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
          C:\Program Files\Common Files\WinAnonymous (Rogue.WinAnonymous) -> Quarantined and deleted successfully.

          Files Infected:
          C:\Program Files\WinAnonymous\config.ini (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
          C:\Program Files\WinAnonymous\Scan_report.htm (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
          C:\Documents and Settings\All Users\Application Data\WinAnonymous\Abbr (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
          C:\Documents and Settings\All Users\Application Data\WinAnonymous\prod_code (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
          C:\Documents and Settings\COLLINS\Application Data\WinAnonymous\Logs\update.log (Rogue.WinAnonymous) -> Quarantined and deleted successfully.
          C:\WINDOWS\BMdbdc41e6.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
          C:\WINDOWS\BMdbdc41e6.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
          C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


          [attachment deleted by admin]

          evilfantasy

          Re: win32/Heur Virus - an SOS message
          « Reply #6 on: February 25, 2009, 08:10:56 PM »
          Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

          Link #1
          Link #2

          **Note:  It is important that it is saved directly to your Desktop

          Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

          Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
           
          Double click combofix.exe & follow the prompts.
          When finished ComboFix will produce a log for you.
          Post the ComboFix log in your next reply.

          Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

          Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

          If you have problems with ComboFix usage, see How to use ComboFix

          Collins


            Re: win32/Heur Virus - an SOS message
            « Reply #7 on: February 26, 2009, 08:42:22 PM »
            Pls find attached the logfile from the combofix.

            Regards,
            Collins

            [attachment deleted by admin]

            evilfantasy

            Re: win32/Heur Virus - an SOS message
            « Reply #8 on: February 26, 2009, 09:34:25 PM »
            Please go to Start > Run and copy/paste the following, then press Enter:

            C:\QooBox\Add-Remove Programs.txt

            A text file should open. Please post the contents of that file in your next reply.

            Collins


              Re: win32/Heur Virus - an SOS message
              « Reply #9 on: February 27, 2009, 05:28:50 PM »
              Hello,
              Pls, find attached the log file per your instructions.

              [attachment deleted by admin]

              evilfantasy

              Re: win32/Heur Virus - an SOS message
              « Reply #10 on: February 27, 2009, 05:43:53 PM »
              Delete these files/folders, as follows:

              1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
              It must be Notepad, not Wordpad.
              2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

              Code:
              KillAll::

              Folder::
              c:\program files\NoAdware

              Registry::
              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
              "Barsaka"=-

              3. Go to the Notepad window and click Edit > Paste
              4. Then click File > Save
              5. Name the file CFScript.txt - Save the file to your Desktop
              6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



              ComboFix will begin to execute, just follow the prompts.
              After reboot (in case it asks to reboot), it will produce a log for you.
              Post that log (Combofix.txt) in your next reply.

              Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

              Collins


                Re: win32/Heur Virus - an SOS message
                « Reply #11 on: February 28, 2009, 10:21:58 PM »
                Find attached the log file for the combofix scan.

                I have just realised that the Task Manager on the PC is not working. It is not highlighted when I right click on the task bar. How do I reinstate it? I am suspecting the win32/Heur virus may have caused it.

                [attachment deleted by admin]
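As an added example (not code from the thread or from Malwarebytes), the following Python parser reads a Malwarebytes log of the shape posted in Reply #5, tallies detections by family and section, flags items not yet removed, and pulls out the Policies\System values (DisableTaskMgr, DisableRegistryTools) that explain the greyed-out Task Manager asked about in Reply #11. The sample log is an excerpt of the one above; its last line ("Delete on reboot.") and the POLICY_EFFECTS wording are my own constructions.

```python
import re
from collections import Counter

# Excerpt of the Malwarebytes 1.34 quick-scan log posted in Reply #5. The last
# line ("Delete on reboot.") is constructed, to show an item that is NOT yet gone.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{4020100d-29d7-4392-afd5-5ad713ff4b88} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Purchased Products (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\WinAnonymous\config.ini (Rogue.WinAnonymous) -> Delete on reboot.
"""

# Section headers end in "Infected:" with nothing after the colon, so the summary
# counts near the top of a full log ("Registry Keys Infected: 11") do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Detection line shape: <path> (<family>) -> <detail>
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<detail>.+)$")
# Registry data items carry the bad/good values before the action text.
DATA_RE = re.compile(r"^Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$")
# Values under ...\Policies\System that lock the user out of admin tools.
POLICY_RE = re.compile(r"\\Policies\\System\\(?P<value>\w+)$", re.IGNORECASE)

# User-visible effect of each policy value (my wording, not Malwarebytes').
POLICY_EFFECTS = {
    "DisableTaskMgr": "Task Manager greyed out / refuses to open",
    "DisableRegistryTools": "regedit refuses to open",
}


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it sits under."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        entry = {"section": section, "path": m.group("path"),
                 "family": m.group("family"), "bad": None, "good": None}
        detail = m.group("detail")
        d = DATA_RE.match(detail)
        if d:  # registry data item: keep the bad/good values, then the action
            entry["bad"], entry["good"] = d.group("bad"), d.group("good")
            detail = d.group("action")
        entry["action"] = detail.rstrip(".")
        # Anything not reported as "... successfully." still needs attention.
        entry["removed"] = detail.endswith("successfully.")
        entries.append(entry)
    return entries


def summarize(entries):
    """Tally by family and section; list pending items and policy hijacks."""
    summary = {
        "by_family": Counter(e["family"] for e in entries),
        "by_section": Counter(e["section"] for e in entries),
        "pending": [e["path"] for e in entries if not e["removed"]],
        "policy_hijacks": [],
    }
    for e in entries:
        m = POLICY_RE.search(e["path"])
        if m:
            summary["policy_hijacks"].append(
                {"value": m.group("value"), "bad": e["bad"], "good": e["good"],
                 "restored": e["removed"]})
    return summary


def policy_notes(summary):
    """One readable line per policy hijack, e.g. to answer 'why is Task Manager greyed out?'."""
    notes = []
    for h in summary["policy_hijacks"]:
        effect = POLICY_EFFECTS.get(h["value"], "unknown effect")
        state = "reset to " + str(h["good"]) if h["restored"] else "STILL SET"
        notes.append(f"{h['value']}={h['bad']} ({effect}); {state}")
    return notes


if __name__ == "__main__":
    s = summarize(parse_mbam_log(SAMPLE_LOG))
    print(dict(s["by_family"]))
    print("pending:", s["pending"])
    for note in policy_notes(s):
        print(note)
```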

                evilfantasy

                Re: win32/Heur Virus - an SOS message
                « Reply #12 on: February 28, 2009, 10:46:49 PM »
                Before you begin the SDFix instructions you should copy these instructions in a Notepad file and save them to your desktop or print them for easy reference. Much of SDFix will be done in Safe mode and you will be unable to access this web page after booting into Safe mode.

                Download SDFix by AndyManchesta and save it to your desktop.

                When using this tool, you must use the Administrator's account or an account with Administrative rights


                * Now, double-click on the SDFix icon that should now be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.
                * A window will now open showing SDFix being extracted into the C:\SDFix folder.     
                * Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions.
                * DO NOT use it just yet.

                Reboot your computer in Safe Mode using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

                When your computer has started in safe mode, and you see the desktop, close all open windows.

                * Click on the Start button, click on the Run menu option, and type the following text from the Code Box into the Open: field, then click the OK button.

                Code:
                C:\SDFix\RunThis.bat
                * The SDFix window will open containing some brief info and a disclaimer on the use of the tool.
                * Type Y on your keyboard and then press Enter to begin the cleanup process.
                * It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
                * Press any Key and it will restart the PC.
                * When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
                * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
                * Copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log (from normal boot mode).

                Collins


                  Re: win32/Heur Virus - an SOS message
                  « Reply #13 on: March 01, 2009, 01:38:50 AM »
                  Find below the SDFix Report.

                  SDFix: Version 1.240
                  Run by COLLINS on Sun 03/01/2009 at 07:02 AM

                  Microsoft Windows XP [Version 5.1.2600]
                  Running From: C:\SDFix

                  Checking Services :


                  Restoring Default Security Values
                  Restoring Default Hosts File

                  Rebooting


                  Checking Files :

                  No Trojan Files Found






                  Removing Temp Files

                  ADS Check :
                   


                  Final Check :

                  catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2009-03-01 07:48:17
                  Windows 5.1.2600 Service Pack 2 NTFS

                  scanning hidden processes ...

                  scanning hidden services & system hive ...

                  scanning hidden registry entries ...

                  scanning hidden files ...

                  scan completed successfully
                  hidden processes: 0
                  hidden services: 0
                  hidden files: 0


                  Remaining Services :




                  Authorized Application Key Export:

                  [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
                  "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
                  "C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
                  "C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"
                  "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
                  "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
                  "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
                  "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
                  "C:\\Program Files\\IEPro\\MiniDM.exe"="C:\\Program Files\\IEPro\\MiniDM.exe:*:Enabled:MiniDM"
                  "C:\\Program Files\\WordPerfect Mail\\Programs\\bin\\WPMail.exe"="C:\\Program Files\\WordPerfect Mail\\Programs\\bin\\WPMail.exe:*:Enabled:WordPerfect MAIL for Windows"
                  "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
                  "C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
                  "C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"="C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe:*:Enabled:Nero ControlCenter"
                  "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
                  "C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
                  "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
                  "G:\\MyDwnloadFile\\Creative LiveDrvUni-Pack(ENG) -SdBLASTERLIVEUPDATE - 12-07-05.exe"="G:\\MyDwnloadFile\\Creative LiveDrvUni-Pack(ENG) -SdBLASTERLIVEUPDATE - 12-07-05.exe:*:Enabled:ipsec"
                  "C:\\WINDOWS\\system32\\wscntfy.exe"="C:\\WINDOWS\\system32\\wscntfy.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\AVG\\AVG8\\avgui.exe"="C:\\Program Files\\AVG\\AVG8\\avgui.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVDtray.exe"="C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVDtray.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\AVG\\AVG8\\avgscanx.exe"="C:\\Program Files\\AVG\\AVG8\\avgscanx.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"="C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE:*:Enabled:ipsec"
                  "C:\\PROGRA~1\\AVG\\AVG8\\avgemc.exe"="C:\\PROGRA~1\\AVG\\AVG8\\avgemc.exe:*:Enabled:ipsec"
                  "C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\DWTRIG20.EXE"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\DWTRIG20.EXE:*:Enabled:ipsec"
                  "C:\\Program Files\\ASUS\\Asus Probe\\AsusProb.exe"="C:\\Program Files\\ASUS\\Asus Probe\\AsusProb.exe:*:Enabled:ipsec"
                  "C:\\PROGRA~1\\AVG\\AVG8\\avgupd.exe"="C:\\PROGRA~1\\AVG\\AVG8\\avgupd.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\Logitech\\Video\\ISStart.exe"="C:\\Program Files\\Logitech\\Video\\ISStart.exe:*:Enabled:ipsec"
                  "C:\\WINDOWS\\AGRSMMSG.exe"="C:\\WINDOWS\\AGRSMMSG.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\Creative\\SBLive\\PlayCenter2\\CTNMRun.exe"="C:\\Program Files\\Creative\\SBLive\\PlayCenter2\\CTNMRun.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\iTunes\\iTunesHelper.exe"="C:\\Program Files\\iTunes\\iTunesHelper.exe:*:Enabled:ipsec"
                  "C:\\PROGRA~1\\AVG\\AVG8\\avgnsx.exe"="C:\\PROGRA~1\\AVG\\AVG8\\avgnsx.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"="C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe:*:Enabled:ipsec"
                  "C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe:*:Enabled:ipsec"

                  [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
                  "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
                  "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
                  "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

                  Remaining Files :



                  Files with Hidden Attributes :

                  Mon 26 Jan 2009     1,740,632 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
                  Mon 26 Jan 2009     5,365,592 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
                  Mon 26 Jan 2009     2,144,088 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
                  Sat 14 Jun 2008             8 ..SHR --- "C:\WINDOWS\system32\07BCB660F9.sys"
                  Mon 17 Mar 2008            88 A.SHR --- "C:\WINDOWS\system32\E0E3AF777A.sys"
                  Sat 14 Jun 2008         9,862 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
                  Wed 19 Mar 2008            88 ..SHR --- "C:\Documents and Settings\All Users\Application Data\E0E3AF777A.sys"
                  Tue 20 Jan 2009         2,880 A.SH. --- "C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys"
                  Tue 29 Nov 2005       262,144 ...H. --- "C:\Program Files\Nero\Nero PhotoShow 4\data\DVDMPEG2Enc.dll"
                  Tue 29 Nov 2005        84,604 ...H. --- "C:\Program Files\Nero\Nero PhotoShow 4\data\movie_maker.exe"
                  Tue 29 Nov 2005        61,440 ...H. --- "C:\Program Files\Nero\Nero PhotoShow 4\data\NeASL.dll"
                  Tue 29 Nov 2005        95,892 ...H. --- "C:\Program Files\Nero\Nero PhotoShow 4\data\Nero PhotoShow Express.exe"
                  Sun  1 Mar 2009     8,129,896 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2064d652e93807b954225d9ba4a6b219\BIT3A.tmp"
                  Sun  1 Mar 2009     8,129,896 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2064d652e93807b954225d9ba4a6b219\BIT56.tmp"
                  Sun  1 Mar 2009     4,909,440 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\311b85005aa2bc8a145a290cf5a139f2\BITB.tmp"
                  Sun  1 Mar 2009     8,822,672 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\38f348c87f8c2315e0e711a1f264b063\BIT39.tmp"
                  Wed 25 Feb 2009     4,865,408 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3dc4dbb460c51f10af947c31d0b396de\BIT3E.tmp"
                  Sun  1 Mar 2009     4,865,408 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\3dc4dbb460c51f10af947c31d0b396de\BIT64.tmp"
                  Sun  1 Mar 2009     7,669,009 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f48480c3bff7fa275c02353aba158bb\BIT3D.tmp"
                  Sun  1 Mar 2009     7,669,009 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4f48480c3bff7fa275c02353aba158bb\BIT63.tmp"
                  Sat 28 Feb 2009    25,634,737 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\695c9577cb50850d8e388f3cadd1563d\BIT15.tmp"
                  Sat 28 Feb 2009    50,828,850 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6a50f5f0959a43a8e56a65919822bf2a\BIT19.tmp"
                  Sat 28 Feb 2009    42,740,760 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7b8c200714ca2ac002bccebc74daeb3e\BIT1A.tmp"
                  Sat 28 Feb 2009    37,038,096 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\828e78e94bef91c4ecbc3e1b0a1b35ed\BIT17.tmp"
                  Sun  1 Mar 2009     2,863,144 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\831bad3f3b8bd3511c8a4e905fa7f844\BIT3B.tmp"
                  Sun  1 Mar 2009     9,448,904 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8d8a1db5b2c187dfff9360bceec5d807\BIT3C.tmp"
                  Sat 28 Feb 2009     3,030,568 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b3e9e7327f38776a4eeeb084da3eff5a\BIT18.tmp"
                  Sun  1 Mar 2009     9,237,440 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b78797d4e2ea9a8dcbe3140f470c3736\BIT47.tmp"
                  Sun  1 Mar 2009     3,552,839 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bd64172cd2143fb5d6d9c864a6da8395\BIT38.tmp"
                  Sun  1 Mar 2009     9,249,736 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c583e569e1f1773d32894dc0975498a1\BIT18.tmp"
                  Sun  1 Mar 2009     9,249,736 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c583e569e1f1773d32894dc0975498a1\BIT37.tmp"
                  Sat 28 Feb 2009   113,491,064 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d9f6fad75dbdac35a8ef8c60acfcb1a4\BIT16.tmp"
                  Sun  1 Mar 2009     5,687,304 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\deb185b7c3743a27be869545db996079\BIT34.tmp"
                  Sun  1 Mar 2009     5,687,304 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\deb185b7c3743a27be869545db996079\BIT49.tmp"
                  Sun  1 Mar 2009     9,006,448 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f9a482c6548f5fe0d3c6095f8a2de4fc\BIT35.tmp"
                  Sat  7 Feb 2009           444 ...HR --- "C:\Documents and Settings\COLLINS\Application Data\SecuROM\UserData\securom_v7_01.bak"
                  Sun  1 Mar 2009    36,016,335 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0d3b5d19cc06db007bbe6584808bfa9e\download\BIT23.tmp"
                  Sun  1 Mar 2009    10,246,065 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fba53b5b7fa98bdc2fa6b2e0759b4674\download\BIT9.tmp"

                  Finished!



                  [attachment deleted by admin]

                  evilfantasy

                  Re: win32/Heur Virus - an SOS message
                  « Reply #14 on: March 01, 2009, 10:58:58 AM »
                  Download Lop S&D by Eric_71 and save it to your Desktop. Lop S&D will only run on Windows XP and Windows Vista

                  Disable your antivirus and antimalware programs so they do not interfere with the running of Lop S&D. If needed see: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

                  Double click LopSD.exe - If you are using Windows Vista, right-click on the LopSD icon and select Run as administrator to perform this scan.

                  • Choose the language by typing the corresponding letter and press Enter
                  • Click OK at the informative window
                  • Type 1, to choose Option 1 (Search) then press Enter
                  • Wait until the end of the scan
                  • A report will be generated, post the contents of it in your next reply.
                  A copy of the report can be found at this location: %systemdrive%\lopR.txt, in most cases C:\lopR.txt
                  ----------

                  Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

                  • Double click on RSIT.exe to run.
                  • Click Continue at the disclaimer screen.
                  • Once it has finished, two logs will open.
                  • log.txt (will be maximized) and info.txt (will be minimized)
                  • Please post the contents of both logs in the next reply.

                  Collins


                    Re: win32/Heur Virus - an SOS message
                    « Reply #15 on: March 01, 2009, 03:52:57 PM »
                    Find attached the LOP and RSIT scanning reports.

                    [attachment deleted by admin]

                    evilfantasy

                    Re: win32/Heur Virus - an SOS message
                    « Reply #16 on: March 01, 2009, 04:10:31 PM »
                    Disable Windows Defender

                    We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
                    • Open Windows Defender
                    • Click on Tools > Options
                    • Scroll down and uncheck Use real-time protection (recommended)
                    • After you uncheck this, click on the Save button and then exit Windows Defender
                    • Now on your keyboard press and hold Ctrl+Alt and then press the Delete key two times to bring up the Task Manager.
                    • Locate MSASCui.exe then right click on it and choose End Process. Click Yes on the Task Manager Security Warning.
                    After all of the fixes are complete it is very important that you enable real-time protection again.
                    ----------

                    Open HijackThis and select Do a system scan only.

                    Place a check mark next to the following entries: (if there)

                    - R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
                    - R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
                    - O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
                    - O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
                    - O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


                    Important: Close all windows except for HijackThis and then click Fix checked.

                    Exit HijackThis.

                    ----------

                    Download the OTMoveIt3 by OldTimer

                    Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

                    * Save it to your Desktop.
                    * Double-click OTMoveIt3.exe to run it.
                    * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

                    Code:
                    :Processes
                    explorer.exe

                    :reg
                    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}]

                    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{FE063DB9-4EC0-403e-8DD8-394C54984B2C}]

                    :files
                    C:\Program Files\AskTBar
                    C:\rsit
                    C:\lopR.txt
                    C:\Lop SD
                    C:\ComboFix.txt
                    C:\WINDOWS\zip.exe
                    C:\WINDOWS\VFIND.exe
                    C:\WINDOWS\SWXCACLS.exe
                    C:\WINDOWS\SWSC.exe
                    C:\WINDOWS\SWREG.exe
                    C:\WINDOWS\sed.exe
                    C:\WINDOWS\NIRCMD.exe
                    C:\WINDOWS\grep.exe
                    C:\WINDOWS\fdsv.exe
                    C:\Qoobox
                    C:\SDFix
                    C:\VundoFix.txt
                    C:\VundoFix Backups

                    :Commands
                    [purity]
                    [emptytemp]
                    [start explorer]
                    [Reboot]

                    * Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
                    * Click the red Moveit! button.
                    * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
                    Close OTMoveIt3

                    Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

                    Is everything back to normal now?

                    evilfantasy

                    Re: win32/Heur Virus - an SOS message
                    « Reply #17 on: March 01, 2009, 04:12:59 PM »
                    Bump/ Post edited.

                    Collins


                      Re: win32/Heur Virus - an SOS message
                      « Reply #18 on: March 02, 2009, 07:38:10 PM »
                      Hi,
                      I could not open the Windows Defender.  I got an error message saying in brief "the shortcut MSAQSCui.exe is missing".
                      For this reason I could not go to the Windows defender tools.
                      I also realised that "regedit" is working and I get the message that "Regedit has been disabled by the administrator".

                      evilfantasy

                      Re: win32/Heur Virus - an SOS message
                      « Reply #19 on: March 02, 2009, 07:45:07 PM »
                      OK just go ahead with the next step.

                      Collins


                        Re: win32/Heur Virus - an SOS message
                        « Reply #20 on: March 02, 2009, 08:09:04 PM »
                        ========== PROCESSES ==========
                        Process explorer.exe killed successfully.
                        ========== REGISTRY ==========
                        Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}\\ not found.
                        ========== FILES ==========
                        C:\Program Files\AskTBar\PopSwatr\History moved successfully.
                        C:\Program Files\AskTBar\PopSwatr moved successfully.
                        C:\Program Files\AskTBar\bar\Settings moved successfully.
                        C:\Program Files\AskTBar\bar\History moved successfully.
                        C:\Program Files\AskTBar\bar\Cache moved successfully.
                        C:\Program Files\AskTBar\bar\1.bin moved successfully.
                        C:\Program Files\AskTBar\bar moved successfully.
                        C:\Program Files\AskTBar moved successfully.
                        C:\rsit moved successfully.
                        C:\lopR.txt moved successfully.
                        C:\Lop SD moved successfully.
                        C:\ComboFix.txt moved successfully.
                        C:\WINDOWS\zip.exe moved successfully.
                        C:\WINDOWS\VFIND.exe moved successfully.
                        C:\WINDOWS\SWXCACLS.exe moved successfully.
                        C:\WINDOWS\SWSC.exe moved successfully.
                        C:\WINDOWS\SWREG.exe moved successfully.
                        C:\WINDOWS\sed.exe moved successfully.
                        C:\WINDOWS\NIRCMD.exe moved successfully.
                        C:\WINDOWS\grep.exe moved successfully.
                        C:\WINDOWS\fdsv.exe moved successfully.
                        C:\Qoobox\Quarantine\Registry_backups moved successfully.
                        C:\Qoobox\Quarantine\C\WINDOWS\system32 moved successfully.
                        C:\Qoobox\Quarantine\C\WINDOWS moved successfully.
                        C:\Qoobox\Quarantine\C moved successfully.
                        C:\Qoobox\Quarantine moved successfully.
                        C:\Qoobox\BackEnv moved successfully.
                        C:\Qoobox moved successfully.
                        C:\SDFix\backups_old moved successfully.
                        C:\SDFix\backups moved successfully.
                        C:\SDFix\apps\Replace\xp moved successfully.
                        C:\SDFix\apps\Replace\w2k moved successfully.
                        C:\SDFix\apps\Replace moved successfully.
                        C:\SDFix\apps moved successfully.
                        C:\SDFix moved successfully.
                        C:\VundoFix.txt moved successfully.
                        C:\VundoFix Backups moved successfully.
                        ========== COMMANDS ==========
                        File delete failed. C:\DOCUME~1\COLLINS\LOCALS~1\Temp\etilqs_BdkLuol4TTQFddMNpohV scheduled to be deleted on reboot.
                        User's Temp folder emptied.
                        User's Temporary Internet Files folder emptied.
                        User's Internet Explorer cache folder emptied.
                        Local Service Temp folder emptied.
                        File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
                        Local Service Temporary Internet Files folder emptied.
                        File delete failed. C:\WINDOWS\temp\899be76b-d426-4ad3-bb5b-26b17b4b034c.tmp scheduled to be deleted on reboot.
                        File delete failed. C:\WINDOWS\temp\TMP00000001E10A252DA4832AA9 scheduled to be deleted on reboot.
                        Windows Temp folder emptied.
                        File delete failed. C:\Documents and Settings\COLLINS\Local Settings\Application Data\Mozilla\Firefox\Profiles\nmyduj4o.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
                        File delete failed. C:\Documents and Settings\COLLINS\Local Settings\Application Data\Mozilla\Firefox\Profiles\nmyduj4o.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
                        File delete failed. C:\Documents and Settings\COLLINS\Local Settings\Application Data\Mozilla\Firefox\Profiles\nmyduj4o.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
                        File delete failed. C:\Documents and Settings\COLLINS\Local Settings\Application Data\Mozilla\Firefox\Profiles\nmyduj4o.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
                        File delete failed. C:\Documents and Settings\COLLINS\Local Settings\Application Data\Mozilla\Firefox\Profiles\nmyduj4o.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
                        File delete failed. C:\Documents and Settings\COLLINS\Local Settings\Application Data\Mozilla\Firefox\Profiles\nmyduj4o.default\XUL.mfl scheduled to be deleted on reboot.
                        FireFox cache emptied.
                        Temp folders emptied.
                        Explorer started successfully
                         
                        OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03032009_030240

                        evilfantasy

                        Re: win32/Heur Virus - an SOS message
                        « Reply #21 on: March 02, 2009, 08:12:08 PM »
                        * Download and run the following file to repair file and registry permissions: fixacl.exe

                        Download FixPolicies.exe by Bill Castner

                        Double-click FixPolicies.exe.
                        Click the Install button on the bottom toolbar of the box that will open.
                        The program will create a new Folder called FixPolicies.
                        Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
                        A black box will briefly appear and then close.
                        Restart the computer so the changes can take effect.

                        How is everything now?

                        Collins


                          Re: win32/Heur Virus - an SOS message
                          « Reply #22 on: March 02, 2009, 08:57:56 PM »
                          Hi,
                          If by "everything working well" you mean the Task Manager is enabled, then I will say no.
                          What next pls?

                          evilfantasy

                          Re: win32/Heur Virus - an SOS message
                          « Reply #23 on: March 02, 2009, 09:02:22 PM »
                          * Download and then install SubInACL (SubInACL.exe) file from Microsoft.
                          * Click Start > Run and type notepad.exe and click OK to bring up Windows Notepad.
                          * Copy and then paste the following text into Notepad.

                          Code:
                          cd /d "%ProgramFiles%\Windows Resource Kits\Tools"
                          subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f
                          subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f
                          subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f
                          subinacl /subdirectories %SystemDrive% /grant=administrators=f /grant=system=f
                          subinacl /subdirectories %windir%\*.* /grant=administrators=f /grant=system=f
                          secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

                          * Save this Notepad file as Reset.cmd to your desktop. Be sure the Save as type is set to all files.
                          * Once you have saved it properly, double-click the Reset.cmd file to run the script.
                          ** Note: This script file may take a long time to run. Additionally, you have to run this script as an administrator.
                          * Now reboot your computer! You must do this before the above will take effect.

                          Collins


                            Re: win32/Heur Virus - an SOS message
                            « Reply #24 on: March 02, 2009, 09:56:11 PM »
                            Hard Luck.  The Task Manager is still disabled and access to the Regedit denied even after going through the instructions given.

                            evilfantasy

                            Re: win32/Heur Virus - an SOS message
                            « Reply #25 on: March 02, 2009, 10:13:48 PM »
                            OK another method...

                            Download the file UnHookExec.inf and save it to your desktop. http://www.filedropper.com/unhookexec

                            Go to the desktop and Right-click the UnHookExec.inf file and click Install. (This is a small file. It does not display any notice or boxes when you run it.)

                            Delete the UnHookExec.inf

                            See if you can open them now.

                            If not...

                            Go to Start > Run and type notepad.exe then click OK

                            Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

                            Code:
                            REGEDIT4

                            [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe]

                            [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\taskmgr.exe]

                            Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

                            Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

                            Delete the fixme.reg from the Desktop.

                            Collins


                              Re: win32/Heur Virus - an SOS message
                              « Reply #26 on: March 03, 2009, 05:44:42 PM »
                              The unhookexec did not work.

                              I did not receive any "success" remark when I did the fixme.reg merging.  I rather got the message "Registry editing has been disabled by your administrator".

                              I am beginning to believe the Win32/Heur virus is a dreadful one, indeed.

                              evilfantasy

                              Re: win32/Heur Virus - an SOS message
                              « Reply #27 on: March 03, 2009, 05:52:51 PM »
                              Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:
                              • Double-click on drweb-cureit.exe and then click Start
                              • An information notice will appear, click OK.
                              • This starts a short scan that will scan the files currently running in memory.
                              • If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version.
                              • If or when something is found, click the Yes button when it asks you if you want to cure it.
                              • Once the short scan has finished, Click Settings > Change Settings
                              • Under the Scanning tab UNcheck Heuristic analysis and click OK
                              • Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
                                • Click Yes to all if it asks if you want to cure/move any file(s).
                              • When the scan is done.
                              • In the Dr.Web CureIt menu on top left, click File and choose Save report list.
                              • Save the DrWeb.csv report to your Desktop.
                              • Exit Dr.Web Cureit.
                              • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
                              • After reboot, Right-click the Dr.Web log on the desktop and choose Open With > Notepad
                              • Copy and paste that log in the next reply

                              Collins


                                Re: win32/Heur Virus - an SOS message
                                « Reply #28 on: March 04, 2009, 08:12:07 PM »
                                I am unable to download this link.  It would be loading for hours on end without success.  Is there any other site I can load this program from?

                                evilfantasy

                                Re: win32/Heur Virus - an SOS message
                                « Reply #29 on: March 04, 2009, 08:15:25 PM »

                                Collins


                                  Re: win32/Heur Virus - an SOS message
                                  « Reply #30 on: March 04, 2009, 08:39:29 PM »
                                  Still did not work!
                                  I got the error message:  "The request file doesnt exist. Details HTTP/1.1 404 Not found"

                                  evilfantasy

                                  Re: win32/Heur Virus - an SOS message
                                  « Reply #31 on: March 04, 2009, 09:26:16 PM »
                                  Run HijackThis and have it fix this entry: (if there)

                                  O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


                                  1. Open Notepad. Click Start>Programs>Accessories>Notepad.
                                  2. Copy and paste the following:

                                  Code:
                                  On Error Resume Next
                                  Set shl = CreateObject("WScript.Shell")
                                  Set fso = CreateObject("Scripting.FileSystemObject")
                                  shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
                                  shl.RegDelete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"
                                  shl.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableRegistryTools"
                                  shl.RegDelete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\DisableTaskMgr"

                                  3. Save this file as C:\RESTORE.VBS to your desktop.
                                  4. Double-click RESTORE.VBS to run it.

                                  Delete the .VBS file when complete.
                                  ----------

                                  Go to Start > Run and type notepad.exe then click OK

                                  Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

                                  Code:
                                  REGEDIT4

                                  [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
                                  "DisableTaskMgr"=-
                                  "DisableRegistryTools"=-

                                  Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

                                  Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

                                  Delete the fixme.reg from the Desktop.

                                  ----------

                                  Did that fix it?
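The registry locations the helper has been clearing by hand in Replies #16, #25 and #31 can be checked in one pass before deciding which fix to try next. The script below is an added PowerShell example, not a tool posted in this thread: it reports the DisableTaskMgr/DisableRegistryTools policy values, any Image File Execution Options entry for regedit.exe or taskmgr.exe, and the installed Browser Helper Objects resolved to the DLL each CLSID loads, and removes only the first two kinds when run with -Remove from an elevated prompt. The key paths and value names are those quoted in the thread; "Debugger" is the IFEO value name Windows reads to redirect a program at launch.

```powershell
<#
  Registry restriction audit. Added example for this thread, not one of the
  tools the helper linked. Read-only unless -Remove is given; run elevated.
  Key paths and value names are the ones quoted in Replies #16, #25 and #31;
  "Debugger" is the IFEO value name Windows reads to redirect a launch.
#>
param([switch]$Remove)

# Collected findings, printed as a table at the end.
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($check, $location, $detail) {
    $findings.Add([pscustomobject]@{ Check = $check; Location = $location; Detail = $detail })
}

# 1. Policy values that lock the user out of Task Manager / Registry Editor
#    (the values the RESTORE.VBS and fixme.reg in Reply #31 delete).
$policyKeys   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
                'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policyValues = 'DisableTaskMgr', 'DisableRegistryTools'

foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $policyValues) {
        $value = $props.$name
        if ($null -ne $value -and $value -ne 0) {
            Add-Finding 'Policy restriction' "$key\$name" "set to $value"
            if ($Remove) { Remove-ItemProperty -Path $key -Name $name -ErrorAction Stop }
        }
    }
}

# 2. Image File Execution Options entries for the two tools (the keys the
#    fixme.reg in Reply #25 removes). A Debugger value here makes Windows start
#    the named program instead of the tool the user double-clicked.
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'regedit.exe', 'taskmgr.exe') {
    $key = "$ifeoRoot\$exe"
    if (-not (Test-Path $key)) { continue }
    $debugger = (Get-ItemProperty -Path $key).Debugger
    $detail = if ($debugger) { "Debugger = $debugger" } else { 'key present (no Debugger value)' }
    Add-Finding 'IFEO entry' $key $detail
    if ($Remove -and $debugger) { Remove-Item -Path $key -Recurse -ErrorAction Stop }
}

# 3. Installed Browser Helper Objects, resolved to the DLL each CLSID loads, so
#    entries like the Ask Toolbar BHO in Reply #16 can be recognised. Report only:
#    BHO removal is left to the reviewer, as the thread does it via HijackThis.
$bhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoRoot) {
    foreach ($bho in Get-ChildItem -Path $bhoRoot) {
        $clsid  = $bho.PSChildName
        $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $server) { (Get-ItemProperty -Path $server).'(default)' }
               else { '<no InprocServer32 key>' }
        Add-Finding 'BHO' $clsid $dll
    }
}

if ($findings.Count -eq 0) { 'No restriction policies, IFEO entries or BHOs found.' }
else { $findings | Format-Table -AutoSize }
```

If the policy values reappear shortly after removal, something still running is re-applying them, which is the situation the later replies in this thread are chasing.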
                                  Collins


                                    Re: win32/Heur Virus - an SOS message
                                    « Reply #32 on: March 06, 2009, 06:56:06 PM »
                                    I fixed the 07.... as directed using the HiJackThis.
                                    I did not see anything happening when I double clicked the .vbs icon on the desktop and got the error message "your system administrator has disabled your registry editor" when I did the fixme.

                                    evilfantasy

                                    Re: win32/Heur Virus - an SOS message
                                    « Reply #33 on: March 06, 2009, 06:59:02 PM »
                                    Try this. http://majorgeeks.com/RRT_Remove_Restrictions_Tool_d5635.html

                                    If that doesn't work create a new User Account and see if it works OK.

                                    Collins


                                      Re: win32/Heur Virus - an SOS message
                                      « Reply #34 on: March 06, 2009, 08:10:09 PM »
                                      It still did not work.
                                      I created another user and that one also did not work.  I got the same error message as before.

                                      evilfantasy

                                      Re: win32/Heur Virus - an SOS message
                                      « Reply #35 on: March 06, 2009, 09:04:23 PM »
                                      I'm running out of ideas.

                                      Download and run TrendMicro Sysclean

                                      Create a new folder on the desktop by Right-Clicking an empty area of the desktop and select New > Folder. Name it Sysclean.

                                      1. Download Trendmicro Sysclean and save it to the new folder on your Desktop.
                                      2. Download the latest Pattern Files from Trendmicro and save it to the same folder as the Sysclean. Pattern file is in Zip format such as lptxxx.zip (Windows)
                                      3. Extract the contents of the lptxxx.zip in the folder where Sysclean in located. Read here how to unzip/extract properly.

                                      It is important that Sysclean and the Pattern Files are in the same folder.

                                      4. Open the sysclean-folder and double-click sysclean.com.
                                      5. If it requires you to login please use the login name with administrative rights. Without this privilege, Sysclean will not delete/clean infected files located on System folder.
                                      6. Check: Automatically clean or delete detected files
                                      7. Click Scan

                                      *This may take time so please be patient.

                                      8. When finished, open the sysclean-folder and copy and paste the contents of sysclean.log in your next reply.

                                      Collins


                                        Re: win32/Heur Virus - an SOS message
                                        « Reply #36 on: March 08, 2009, 12:07:23 PM »
                                        Unfortunately, I could not download the two programs.  I got the message 'loading' for hours on end.  Do you think I am getting to a point when I would have to format my c-drive again?  Will formatting the disk get rid of the virus and restore my regedit and task manager facilities?

                                        evilfantasy

                                        Re: win32/Heur Virus - an SOS message
                                        « Reply #37 on: March 08, 2009, 02:21:05 PM »
                                        Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

                                        * Scroll down to Non-plug and Play Drivers and click the plus icon to open those drivers.
                                        * Search for any of the following:

                                        - Seneka.sys <- Or anything beginning with Seneka
                                        - clbdriver.sys <- Or anything beginning with clbdriver
                                        - TDSSserv.sys <- Or anything beginning with TDSS

                                        * Let me know if you find them or not.
                                        * If you do find it, right click on it, and select Disable. Do not try to uninstall them.
                                        * Now reboot and see if you can run the scans that would not run.

                                        Collins


                                          Re: win32/Heur Virus - an SOS message
                                          « Reply #38 on: March 08, 2009, 04:47:10 PM »
                                          I did not find them there.

                                          evilfantasy

                                          Re: win32/Heur Virus - an SOS message
                                          « Reply #39 on: March 08, 2009, 04:54:35 PM »
                                          I don't know what's going on. We seemed to be making a bit of progress, then everything fell apart.

                                          Download UnHackMe and save it to the desktop.

                                          * Open the compressed folder on your desktop named unhackme.zip
                                          * Double click unhackme250.exe to begin the installation.  When asked if you wish to continue, click Yes.
                                          * Select all the default installation options by clicking Next for every step in the installation.  When prompted, choose Yes to create a directory.
                                          * Select the Check tab at the top of the window and then click on the Check for Trojans, Spyware, Adware button. 
                                          * A dialog box should pop up stating "We strongly recommend you to make the virus scan at the next reboot of your computer. This is required for detecting the hidden rootkits."
                                          * Please allow the restart of the computer.

                                          * When the scan is complete it should show what it has found.
                                          * Look at each key and DON'T delete anything you are unsure of. Come back here and ask if you need help deciding.
                                          * Click on the key that you want to remove.
                                          * After selecting the key, click on the Delete Key or the Get it out! button. 
                                          * A window will appear asking you to verify the deletion. Click Yes to delete the infected key.
                                          * Repeat this for all of the infected keys in the list.
                                          * When you're finished deleting all the keys in the list close UnHackMe.

                                          Collins


                                            Re: win32/Heur Virus - an SOS message
                                            « Reply #40 on: March 08, 2009, 05:52:32 PM »
                                            Hey!! I just got the Task Manager and the Regedit back.
                                            I am yet to run the Unhackme, though.  I am still downloading it.
                                            What I did to get it back was I downloaded, installed and ran Spybot S&D, and then "fixed" the items picked up during the scan.  Two of the registry items picked up by the Spybot scan included something about Task Manager and Regedit being disabled by either the administrator or by me.  And since I know I did not disable them and my PC is standalone, I sort of checked Spybot S&D to fix it, and after that I right-clicked my Task bar and the Task Manager was there.  I also checked Start -> Run -> regedit and it came up alright.
                                            Should I still run the unhackme.zip?
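
The two Spybot findings described in the post correspond to the policy values `DisableTaskMgr` and `DisableRegistryTools` under the `Policies\System` key, which malware sets to lock the user out of Task Manager and Regedit. The script below is an added example (editor's, not from the thread or from Spybot) that reads those values from both the user and machine hives and, on request, removes them, which is what the "fix" amounted to. The function names and the decision to delete rather than set the values to 0 are assumptions made for illustration; it assumes PowerShell 2.0 or later, elevated for the HKLM half.

```powershell
# Added example, not from the thread. Reports and removes the two policy values that disable
# Task Manager and Regedit. Assumes PowerShell 2.0+, elevated for HKLM.

$PolicyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
# DisableTaskMgr: 1 = Task Manager blocked. DisableRegistryTools: 1 = Regedit blocked,
# 2 = blocked except silent "regedit /s" imports. 0 or absent = tool enabled.
$PolicyValues = @('DisableTaskMgr', 'DisableRegistryTools')

function Get-ToolLockoutPolicy {
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($value in $PolicyValues) {
            $data = $props.$value
            if ($data -ne $null) {
                New-Object PSObject -Property @{
                    Key      = $key
                    Value    = $value
                    Data     = $data
                    LocksOut = ($data -ne 0)
                }
            }
        }
    }
}

function Remove-ToolLockoutPolicy {
    # Deleting the value restores the default (tool enabled). On a standalone home PC nothing
    # legitimate should have set these. On a domain machine Group Policy would re-apply them,
    # and so will any malware still running, so re-run Get-ToolLockoutPolicy after a reboot:
    # a value that comes back by itself is the better finding.
    foreach ($hit in @(Get-ToolLockoutPolicy)) {
        if ($hit.LocksOut) {
            Remove-ItemProperty -Path $hit.Key -Name $hit.Value
            Write-Output ("Removed {0} from {1}" -f $hit.Value, $hit.Key)
        }
    }
}

# Usage: inspect first, then remove. Task Manager reads the policy when it starts, so
# Ctrl+Shift+Esc afterwards is the immediate check, no reboot needed.
Get-ToolLockoutPolicy | Format-Table Key, Value, Data, LocksOut -AutoSize
Remove-ToolLockoutPolicy
```

The thread itself shows the limitation: getting the tools back tells you a symptom was cleared, not that the cause is gone, which is why the next reply still asks for the UnHackMe run.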

                                            evilfantasy

                                            Re: win32/Heur Virus - an SOS message
                                            « Reply #41 on: March 08, 2009, 05:54:25 PM »
                                            Yes try running it. Whatever was there might not be completely gone.

                                            Collins


                                              Re: win32/Heur Virus - an SOS message
                                              « Reply #42 on: March 08, 2009, 05:57:43 PM »
                                              The Win32/Heur virus is still there anyway because the AVG8 I am using still picked it up on about 9 files.  What do I do to get rid of it?  It is still a menace as it attacks the exe files of the programs on my PC.

                                              evilfantasy

                                              Re: win32/Heur Virus - an SOS message
                                              « Reply #43 on: March 08, 2009, 05:59:13 PM »
                                              Try Dr Web again please.

                                              Download DrWeb CureIt & save it to your desktop. Scan with DrWeb-CureIt as follows:
                                              • Double-click on drweb-cureit.exe and then click Start.
                                              • An information notice will appear, click OK.
                                              • This starts a short scan that will scan the files currently running in memory.
                                              • If you get a prompt to buy the full version just exit out of the window. The scanner will still work without buying the full version.
                                              • If or when something is found, click the Yes button when it asks you if you want to cure it.
                                              • Once the short scan has finished, click Settings > Change Settings.
                                              • Under the Scanning tab UNcheck Heuristic analysis and click OK.
                                              • Back at the main window, select the Complete scan button and then click the Green Arrow Start Scanning button on the right and the scan will start.
                                              • Click Yes to all if it asks if you want to cure/move any file(s).
                                              • When the scan is done, in the Dr.Web CureIt menu on top left, click File and choose Save report list.
                                              • Save the DrWeb.csv report to your Desktop.
                                              • Exit Dr.Web CureIt.
                                              • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
                                              • After reboot, right-click the Dr.Web log on the desktop and choose Open With > Notepad.
                                              • Copy and paste that log in the next reply.

                                              Collins


                                                Re: win32/Heur Virus - an SOS message
                                                « Reply #44 on: March 11, 2009, 07:53:14 PM »
                                                I was able to download the Dr.Web CureIt but could not install it.  I always got an error message of a corrupted file during installation.  When I tried it again this morning it could not find the exe file.

                                                evilfantasy

                                                Re: win32/Heur Virus - an SOS message
                                                « Reply #45 on: March 11, 2009, 07:57:22 PM »
                                                Try an online scan please.

                                                This scanner works with Internet Explorer only!

                                                Scan with the BitDefender Online Scanner
                                                Click I Agree to the license and then install the ActiveX control.
                                                Please DO NOT change the Scanning Options.
                                                That will make your logs huge and we don't need to see clean files.

                                                Select Start Scan to begin.
                                                This scan can take a while so please be patient and let it complete.

                                                Once BitDefender completes the scan:
                                                Click-on the Detected Problems tab.
                                                Then select Click here to export the scan report



                                                This will save a file named bdscan.html I would suggest saving it to the Desktop so you can easily find it. (take notice of where you save it so you can find it later)
                                                 
                                                You will have to upload the file online. The forums will not accept HTML.

                                                Go to File Dropper

                                                Click Upload
                                                Locate the file and double click it.
                                                Copy the download link and post it back here.

                                                Collins


                                                  Re: win32/Heur Virus - an SOS message
                                                  « Reply #46 on: March 14, 2009, 06:01:31 PM »
                                                  Pls find below the link to the bitdefender scan:

                                                  http://www.filedropper.com/bdscan

                                                  and


                                                  evilfantasy

                                                  Re: win32/Heur Virus - an SOS message
                                                  « Reply #47 on: March 14, 2009, 06:11:21 PM »
                                                  I now see why we keep going backwards every time we seem to make any progress.

                                                  I hate to inform you that you are infected with Virut. There is no cure for this virus other than a reformat and reinstall. It is a progressive file-infecting virus. In other words it never stops spreading. You can't clean/contain it in order to do so. We could do this forever and not get it fixed  :-\

                                                  Read more about this virus on my blog here > http://evilfantasy.wordpress.com/2009/02/21/vitut-on-the-rise/

                                                  You should disconnect this computer from the internet, reformat the hard drive and then install Windows as a fresh install.

                                                  evilfantasy

                                                  Re: win32/Heur Virus - an SOS message
                                                  « Reply #48 on: March 14, 2009, 06:12:55 PM »
                                                  Another note.

                                                  It comes from P2P/file-sharing sites. Another reason to stay away from what seem to be free licenses for software.

                                                  Collins


                                                    Re: win32/Heur Virus - an SOS message
                                                    « Reply #49 on: March 14, 2009, 06:40:40 PM »
                                                    Thanks, evilfantasy, for all your support.
                                                    What about my other 2 supporting hard drives.  Should I reformat them too?

                                                    Can you give me examples of the free licenses for software?

                                                    You have been very helpful.   I can now get Task Manager back and a scan using AVG8 did not show any virus.  Should I still go ahead and reformat the HDD(s)?

                                                    evilfantasy

                                                    Re: win32/Heur Virus - an SOS message
                                                    « Reply #50 on: March 14, 2009, 06:47:21 PM »
                                                    Yes you need to reformat any drive that was connected to this one. If you look at the BitDefender log you will see that pretty much every important and non-important file was infected. Virut just keeps spreading so in a few days you will be right back to where you were before BitDefender.

                                                    Collins


                                                      Re: win32/Heur Virus - an SOS message
                                                      « Reply #51 on: March 14, 2009, 07:04:11 PM »
                                                      Thanks, Pal.  I will obey thy command.
                                                      Have a nice day.

                                                      Collins


                                                        Re: win32/Heur Virus - an SOS message
                                                        « Reply #52 on: March 14, 2009, 07:35:18 PM »
                                                        One last thing.
                                                        What are p2p files???

                                                        evilfantasy

                                                        Re: win32/Heur Virus - an SOS message
                                                        « Reply #53 on: March 14, 2009, 08:56:29 PM »
                                                        P2P, file sharing, warez, cracks, keygens and most torrents. Whatever name is used it's all pretty much the same thing.

                                                        Collins


                                                          Re: win32/Heur Virus - an SOS message
                                                          « Reply #54 on: March 15, 2009, 11:57:23 AM »
                                                          Hi,

                                                          Do I need to reformat the system disk (ie the C-drive) using the right-click->format command before reinstalling the operating system or use the format step incorporated within the operating system installation process. Pls advise.

                                                          I have already formatted the other two HDDs.

                                                          evilfantasy


                                                          Collins


                                                            Re: win32/Heur Virus - an SOS message
                                                            « Reply #56 on: March 15, 2009, 05:17:48 PM »
                                                            One of the HDDs (the slave) is not formatting.  I get the message that formatting could not be completed.  I tried formatting this disk using DOS but it still did not work.  What should I do to get this disk formatted?  I have deleted all the data/files on this disk.  What should I do with this disk?

                                                            The other supporting disk went through formatting without problem.

                                                            evilfantasy

                                                            Re: win32/Heur Virus - an SOS message
                                                            « Reply #57 on: March 15, 2009, 05:52:31 PM »
                                                            Sorry but you will have to ask in the Windows forum. I'm the last one to advise on that... :-\

                                                            Collins


                                                              Re: win32/Heur Virus - an SOS message
                                                              « Reply #58 on: March 15, 2009, 06:39:26 PM »
                                                              Will deleting all files from this disk be able to take out the dangerous virus, if I am unable to reformat it?

                                                              evilfantasy

                                                              Re: win32/Heur Virus - an SOS message
                                                              « Reply #59 on: March 15, 2009, 06:54:19 PM »
                                                              It's not a guaranteed method. You must format, completely wipe the disk, to be sure it is gone.

                                                              Collins


                                                                Re: win32/Heur Virus - an SOS message
                                                                « Reply #60 on: March 16, 2009, 06:41:37 PM »
                                                                Hi,
                                                                If I am able to copy my personal files (word, excel, jpeg, etc) onto a CD from the infested hdd, would it still have the virus on them?  Can I use such files later when I do reformatting and reinstallation?

                                                                evilfantasy

                                                                Re: win32/Heur Virus - an SOS message
                                                                « Reply #61 on: March 16, 2009, 06:54:45 PM »
                                                                Yes they are infected.

                                                                When I say it spreads through every file I mean every file. Sorry...
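
The safe reading of the last two replies (the BitDefender log showing infected files everywhere, and the answer that copied files would carry the infection too) is that nothing from the old drive should be trusted blind. A parasitic PE infector such as Virut attaches itself to Windows executable images, so the useful triage question for anything that is going to be carried over is not what extension a file has but whether its contents are a PE image. The script below is an added example (editor's, not from the thread or from any scanner named in it) that classifies files under a folder by header rather than by extension. The function names, the "expected executable" extension list and the verdict wording are assumptions for illustration; it assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the thread. Classifies files by content (MZ/PE header) instead of
# extension so that executables hiding behind data extensions stand out. Assumes PowerShell 2.0+.

function Test-PEImage {
    param([string]$Path)
    # $true when the file has an 'MZ' DOS header whose e_lfanew (offset 0x3C) points at 'PE\0\0'.
    $fs = $null
    try {
        $fs = [System.IO.File]::OpenRead($Path)
        if ($fs.Length -lt 64) { return $false }
        $hdr = New-Object byte[] 64
        [void]$fs.Read($hdr, 0, 64)
        if ($hdr[0] -ne 0x4D -or $hdr[1] -ne 0x5A) { return $false }      # 'M' 'Z'
        $peOffset = [BitConverter]::ToInt32($hdr, 60)                     # e_lfanew
        if ($peOffset -lt 0 -or ($peOffset + 4) -gt $fs.Length) { return $false }
        [void]$fs.Seek($peOffset, [System.IO.SeekOrigin]::Begin)
        $sig = New-Object byte[] 4
        [void]$fs.Read($sig, 0, 4)
        return ($sig[0] -eq 0x50 -and $sig[1] -eq 0x45 -and $sig[2] -eq 0 -and $sig[3] -eq 0)  # 'P' 'E' 0 0
    } catch {
        return $false        # unreadable (locked, access denied): report as not-PE, but see IsPE=$false caveat below
    } finally {
        if ($fs) { $fs.Close() }
    }
}

function Get-BackupTriage {
    param([Parameter(Mandatory = $true)][string]$Root)
    # Extensions where a PE header is expected; these are what the infector targets and what a
    # fresh install should never receive from the old drive. List is an assumption, extend it.
    $execExt = @('.exe', '.scr', '.dll', '.sys', '.ocx', '.cpl')
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $isPE = Test-PEImage -Path $_.FullName
            $ext  = $_.Extension.ToLower()
            $verdict = if ($isPE -and ($execExt -contains $ext)) { 'executable: do not carry over' }
                       elseif ($isPE)                              { 'PE image behind a data extension: treat as hostile' }
                       else                                        { 'not a PE image' }
            New-Object PSObject -Property @{
                Path      = $_.FullName
                Extension = $ext
                IsPE      = $isPE
                Verdict   = $verdict
            }
        }
}

# Usage: run against the folder you intend to copy to CD and review anything flagged.
Get-BackupTriage -Root 'D:\Documents' |
    Where-Object { $_.IsPE } |
    Select-Object Verdict, Path | Format-Table -AutoSize
```

"Not a PE image" is not a clean bill of health: some Virut variants also inject an iframe into web files (.htm, .html, .php, .asp), which this check does not see, and documents with macros are a separate risk class altogether. The script narrows what needs attention; the copied set should still be scanned from the rebuilt, patched system before anything on it is opened.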