Need some help here please. I am trying to clean a friend’s notebook (seems he likes collecting malware!!!) and I’ve run into a brick wall. I removed nearly all nasties on his system bar one, that is the NewHeur_PE virus.
From what I can make out, this little sod is of Chinese origin and in the case of this notebook, manifests itself as a file called sxs2.exe, which apparently is in the root directory, even though it can’t be seen!
He has Symantec AV (eeek) installed and it doesn’t see it. I’ve tried AVG, Avast, and Antivir, likewise they don’t see it. I’ve also tried SuperAntiSpyware, Spyware Terminator, and AVG AS. No joy.
Apparently NOD32 kind of recognises it but is a bit dubious.
As my Chinese is limited to only 20 or so words, reading the Chinese sites on how to remove this is beyond me. If anyone can help, it would be much appreciated.
I know what you mean, you would think these well known products would be up to date for viruses worldwide.
Perhaps if you use Autoruns to find any iffy startup entries it may give you ideas how to remove various components of the nasty or at least disable them.
I tried that, both autoruns and process explorer show the same information, C:\sxs2.exe but nothing can find it in that location. It’s supposed to be associated with autorun.exe or autorun.inf, but again these files don’t appear to exist. The sxs2.exe process still shows in process explorer, twice!!
Honestly, once you’re backdoored the best practice is to nuke and reinstall. There’s no telling what doors have been opened within the OS.
As we all know, prevention is the only real cure.
I’ve checked some posts in the NOD32 forum and as far as they know it’s a false positive but they’re still analyzing it.
If you want to be sure you can upload the file to Virustotal http://www.virustotal.com/ and see if any other antivirus finds it. (if you know where it is of course)
I haven’t tried Blacklight, but I have been through the system with gmer and Icesword, neither of which were able to detect it.
Hi ~cat~. If I could actually find the files that are loading the process I would submit them, but that’s half the problem.
Honestly, once you're backdoored the best practice is to nuke and reinstall. There's no telling what doors have been opened within the OS. :(
As we all know, prevention is the only real cure.
Agreed, and if it was my system I would. It may well come to that in the end, but I said I’d try to clean first, if only to preserve his game data!
Hi alaertsxan, I saw that info, and it seems a bit vague to me. Something is definitely loading sxs2.exe into memory; what it’s doing once loaded, however, is another matter.
If you want to be sure you can upload the file to Virustotal http://www.virustotal.com/ and see if any other antivirus finds it. (if you know where it is of course)
Hope I could help ya a bit
Xan
As I said to ~cat~, I can’t actually find how the file is being loaded. Everything points to sxs2.exe existing in C:\ (root) but it doesn’t. I’ve got show hidden files turned on as well as show system files. I’ve also searched the entire disk, but I can’t find it. I even tried searching ADS!
Thanks for the replies everyone, I believe I finally managed to eliminate this particular nasty.
Thanks pandlouk for reminding me about a-squared, I’d forgotten about that program. It was with this I made some progress. After downloading the command line version and running a scan, a variant of the Trojan-Downloader.win32.Agent was detected in sxs2.exe. A-squared also allowed me to quarantine the file. Interestingly, it wasn’t able to remove a number of associated files and registry entries.
From what I have discovered, in addition to the sxs2.exe there are a number of ‘autorun.*’ files located in the root and %winroot%\system32. These files perform a number of tasks including creating an autorun entry in userinit.exe, changing the attributes on all the related files to hidden, system, and read only, and also changing the value in:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“ShowSuperHidden” so that it’s impossible to choose the show hidden and system files in explorer.
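An added, read-only check script (not written by anyone in this thread) that looks for the three traces described in the post above. It assumes the “autorun entry in userinit.exe” means the Winlogon Userinit registry value, and that the autorun.* files sit in the system drive root and %SystemRoot%\System32; it changes nothing, it only reports.

```powershell
# Added example, not from the thread. Read-only checks for the traces the post describes.
# Assumptions: "userinit" entry = Winlogon Userinit value; autorun.* in root and System32.

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$root     = $env:SystemDrive + '\'
$sys32    = Join-Path $env:SystemRoot 'System32'

# 1. ShowSuperHidden: 1 lets Explorer show protected operating system files;
#    0 matches the symptom in the post (the option cannot be enabled).
$ssh = (Get-ItemProperty -Path $advanced -ErrorAction SilentlyContinue).ShowSuperHidden
"ShowSuperHidden = $ssh  (expected 1)"

# 2. Userinit: the stock value is "<SystemRoot>\system32\userinit.exe," with nothing
#    after the trailing comma. Anything chained after it runs at every logon.
$userinit = (Get-ItemProperty -Path $winlogon).Userinit
"Userinit = $userinit"
if ($userinit -match ',\s*\S') { "  WARNING: extra program chained after userinit.exe" }

# 3. autorun.* and sxs2.exe in the root and System32. -Force includes hidden/system
#    files that a normal directory listing (and a hobbled Explorer) would not show.
foreach ($dir in @($root, $sys32)) {
    Get-ChildItem -Path $dir -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'autorun.*' -or $_.Name -ieq 'sxs2.exe' } |
        ForEach-Object {
            $attr = $_.Attributes
            $hiddenSys = ($attr -band [IO.FileAttributes]::Hidden) -and
                         ($attr -band [IO.FileAttributes]::System)
            $note = if ($hiddenSys) { '  <- hidden+system, as in the post' } else { '' }
            "{0}  attrs={1}{2}" -f $_.FullName, $attr, $note
        }
}
```

Run it from an elevated PowerShell prompt so the HKLM and System32 reads succeed; a clean machine reports ShowSuperHidden = 1, an unmodified Userinit, and no autorun.* or sxs2.exe files in either directory.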
Sir, I know this took so long to post again in this thread, but can you explain details on how you managed to delete this virus NewHeur_PE, cause I have it also just recently… it hides my files and now I can’t open them… I know it’s hidden cause the number of MB inside doesn’t fit the number when I use properties. Please, I need these files. Hope you can reply. I tried a lot of what I’ve read, especially in your post, but can’t seem to delete it still.
Again, can you please tell me how to delete this? I already downloaded and used a-squared but still no progress. Can’t delete the autoruns cause they can’t be searched. Thanks in advance, kind sir.
I don’t know much about computers and I have this problem now on my computer. It’s saying the NewHeur_PE virus is attached to files I don’t seem to be able to find. Is it best just to take it to a computer person to get it fixed, or can someone coach me through this?