1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Cleaning up after HEUR-DBLEXT/Crypted

Discussion in 'Virus & Other Malware Removal' started by Mithras, Feb 1, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. Mithras

    Mithras Thread Starter

    Joined:
    Nov 3, 2006
    Messages:
    42
    Today when I preformed a scan with Spybot - Search & Destroy, Avira AntiVir found a virus. The virus in question was HEUR-DBLEXT/Crypted and it had infected ps2.bat, which is in Windows/system32. When it was put in quarantine and deleted, it was soon replaced again. So I made a scan on the entire computer with AntiVir, and it found a few other files infected with it. I got them all removed, and I think that the virus is now gone, as I've made numerous scans afterwards and AntiVir finds nothing. I also made a scan with Bit Defender Online Scanner, and it found nothing.

    However, when I now scan with AntiVir, it lists significantly more warnings than it did before. Usually I only got two warnings, but now I get 43! Clearly something has changed, something is different than it was before. I just wonder what it is, and if it might be dangerous. Bit Defender Online Scanner, as usual, scored zero warnings. I also wonder what kind of harm the virus in question may have done to the computer, and what kind of virus it actually is. Is it really gone from the computer, or might it has left some "presents"? Btw, neither Ad-Aware or Spybot found anything. I scanned with them as well.
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    hi, welcome to TSG.

    Download hijack this from the link below.Please do this. Click here:

    http://www.thespykiller.co.uk/files/hijackthis_sfx.exe

    to download HijackThis. Click scan and save a logfile, then post it here so
    we can take a look at it for you. Don't click fix on anything in hijack this
    as most of the files are legitimate.


    Post anti vir's log with the warnings?


    Have you set anti vir with heuristic at high settings?
     
  3. Mithras

    Mithras Thread Starter

    Joined:
    Nov 3, 2006
    Messages:
    42
    Here is the HijackThis log:

    Yes, I've set the AntiVir heuristic as high, but in one scan I resetted it to default, and still got unusually many warnings. I usually had the default heuristic before I got the virus btw.

    If I should post my AntiVir log, which report selection do you think is appropriate? For instance, a "Complete" saves every file scanned, so that would be a very huge post if I were to post all of that. But at the same time, it must be a report extended enough to be useful.
     
  4. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    I wouldn't worry about all these warnings, I get them too, usually because it has found somehting, in my case it is because of firewall leak tests. Set heurisyic to meduim!

    I would uninstall SpywareNuker as it was listed as a rogue application and is not very good!

    http://www.spywarewarrior.com/rogue_anti-spyware.htm#swn_note


    Run a few of these scans !




    Download AVG Anti-Spyware

    http://www.ewido.net/en/


    * Once you have downloaded AVG Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    * Once the setup is complete you will need run AVG and update the definition files.
    * On the main screen select the icon "Update" then select the "Update now" link.
    * Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    * Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    * Once in the Settings screen click on "Recommended actions" and then select "Delete"
    * Under "Reports"
    * Select "Automatically generate report after every scan"
    * Un-Select "Only if threats were found"


    Run AVG Anti-Spyware!

    # IMPORTANT: Do not open any other windows or programs while AVG is scanning as it may interfere with the scanning process:
    # Launch AVG Anti-spyware by double-clicking the icon on your desktop.
    # Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    # AVG will now begin the scanning process. Be patient this may take a little time.
    Once the scan is complete do the following:
    # If you have any infections you will prompted, then select "Apply all actions"
    # Next select the "Reports" icon at the top.
    # Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    # Close AVG and reboot your system back into Normal Mode.




    * Click here to download ATF Cleaner by Atribune and save it to your desktop.

    http://majorgeeks.com/ATF_Cleaner_d4949.html


    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.
    o If you use Firefox:
    + Click Firefox at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    o If you use Opera:
    + Click Opera at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    * Click Exit on the Main menu to close the program.




    have hijack this fix these entries. close all browsers and programmes before
    clicking FIX.



    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank


    Note: this is a stand alone, it doesn't install to start/programmes.

    Download Mwav,

    http://www.spywareinfo.dk/download/mwav.exe


    double click on it and it will extract to C:\kaspersky. Click
    on the kaspersky folder and click on Kavupd, a black dos window will open
    and it will update the programme for you, be patient it will take 5-10
    minutes to download the new definitions. Once it's updated, click on mwavscan
    to launch the programme.

    Use the defaults of:

    Memory
    startup folders
    Registry
    system folders
    services

    Choose drive , all drives and, click scan all files
    and then click scan/clean. After it finishes scanning and cleaning post
    the log here with a new hijack this log.

    Note: this is a very thorough scanner, it might take anything up to an hour
    or more, depending on how many drives you have and how badly infected your
    pc is.



    Highlight the portion of the scan that lists infected items and hold
    CTRL + C to Copy then paste it here. The whole log with be extremely
    big so there is no way to copy the whole thing. I just need the
    infected items list.




    post another hijack this log, the AVG Anti-Spyware log and the Mwav scan log.
     
  5. Mithras

    Mithras Thread Starter

    Joined:
    Nov 3, 2006
    Messages:
    42
    Thank you very much. I've preformed the scans this afternoon. Regarding SpywareNuker, I had it installed a long time ago, not now. But obviously it left some traces on the computer.

    The strange thing with the warnings is that there are so many more now than before. Btw, I reset the heuristic to medium. However, when I think on it, I recently activated the "Guest" user on this computer. I have control on what happens there, but could it be that simply activating that account creates many new files that give these warnings from AntiVir?

    Ok, here are the new logs:

    AVG Anti-Spyware
    There was a problem here. First it couldn't connect to upload the definition updates for a very long while, and I tried repeatedly but without success. Then I preformed a scan anyways. However, after that scan, I was able to download the updates. So I preformed another scan. So I'll post both scan results, the top one being the one I did without updated definitions:

    Note that I deleted the tracking cookie.

    And AVG Anti-Spyware also gave me another worry. The first times it asked ZoneAlarm to access in the usual way (it failed to download the updates). But then it didn't anymore, and the time it downloaded the updates, it didn't either. And I didn't give it free access, so it shoulld has to ask. Does this mean that my ZoneaAlarm is leaking?

    Mwav

    Here is the virus it found:

    It also found 7 errors, whatever that means.

    HijackThis

    I removed the one you mentioned. Here is the new log:

     
  6. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    errors and warnings are usually to do with files or folders which the anti virus can't access for various reasons, your log is clena and nothing major turned up so I wouldn't worry.

    I would disable the guest account.





    Here's some free tools to keep you from getting infected in the future.


    To stop reinfection get spywareblaster from


    http://www.javacoolsoftware.com/downloads.html


    get the hosts file from here.Unzip it to a folder!



    http://www.mvps.org/winhelp2002/hosts.htm


    put it into : or click the mvps bat and it should do it for you!


    Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
    Win 98\ME = C:\WINDOWS



    ie-spyad.Puts over 5000 sites in your restricted zone so you'll be protected

    when you visit innocent-looking sites that aren't actually innocent at all.

    http://www.spywarewarrior.com/uiuc/resource.htm


    Spyware Terminator

    http://www.spywareterminator.com/dnl/landing.aspx


    In spyware terminator, click real time protection and tick the box to use
    real time protection and tick all the boxes except file exceptions shield.
    If your confident in using its advanced feature, click advanced and tick
    the HIPS box.

    If you want to install and uninstall programs it is best to
    temporarily disable Spyware terminator and then re-enable it after you
    have installed or uninstalled a program as it will create a lot of pop ups asking you do you wish this to happen!

    Right click spyware terminator on the bottom right of your status bar and
    choose exit.Then tick the box and that is spyware terminator disabled!



    Use spybot's immunize button and use spywareblaster' enable
    protection once you update it. you can put spybot's hosts file into
    your own and lock it.



    I would also suggest switching to Mozilla's firefox browser, it's safer, has
    a built in pop up blocker, blocks cookies and adds. Mozilla Thunderbird is also a good
    e-mail client.

    http://www.mozilla.org/


    Another good and free browser is Opera!

    http://www.opera.com/


    Read here to see how to tighten your security:

    http://forums.techguy.org/t208517.html


    A good overall guide for firewalls, anti-virus, and anti-trojans as well as
    regular spyware cleaners.

    http://www.firewallguide.com/anti-trojan.htm



    you can mark your own thread solved through thread tools at the top of
    the page.
     
  7. Mithras

    Mithras Thread Starter

    Joined:
    Nov 3, 2006
    Messages:
    42
    Thank you very much! And ok, I won't mind the increase of warnings,

    A few of the mentioned stuff I already have. For example I use Firefox all the time except when using online scanners, as they demand IE. I also use SpywareBlaster, and also its "brother" SpywareGuard. And I use Spybot. I'll check into the other tools you mentioned as well.

    I used ATF Cleaner and it is very useful. But for some reason, I'm unable to select Firefox in it...

    I must also ask, do you think it is all out now? I mean, there was a virus that AntiVir and Bit Defender Online Scanner didn't discover, but which the Kaspersky program did. Do you think they are all flushed out now? Also, what kind of damage may the viruses have done? I don't know how long they were in the computer. Do you know if they for example had keylogging functions, so that I should change passwords?
     
  8. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    I don't know what damage they did, but it won't be that bad if you cna boot up your computer, i imagine that they are all gone and different programs find different viruses, no one anti virues will catch everything, it is an evolving war with viruses etc!

    If you are really worried and do online banking then change all your login names and passwords just to be safe!
     
  9. Mithras

    Mithras Thread Starter

    Joined:
    Nov 3, 2006
    Messages:
    42
    Ok, thanks a lot.
     
  10. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Solved Cleaning HEUR
  1. jllp
    Replies:
    6
    Views:
    636
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/540298

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice