NewHeur_PE virus Removal?

Need some help here please. I am trying to clean a friend's notebook (seems he likes collecting malware!!!) and I’ve run into a brick wall. I removed nearly all nasties on his system bar one, that is the NewHeur_PE virus.

From what I can make out, this little sod is of Chinese origin and in the case of this notebook, manifests itself as a file called sxs2.exe, which apparently is in the root directory, even though it can’t be seen!

He has Symantec AV (eeek) installed and it doesn’t see it. I’ve tried AVG, Avast, and Antivir, likewise they don’t see it. I’ve also tried SuperAntiSpyware, Spyware Terminator, and AVG AS. No joy.

Apparently NOD32 kind of recognises it but is a bit dubious.

As my Chinese is limited to only 20 or so words, reading the Chinese sites on how to remove this is beyond me. If anyone can help, it would be much appreciated.

Toggie

You have probably already seen these but they may help so here goes:

http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.wangyx.com/%3Fp%3D14&sa=X&oi=translate&resnum=9&ct=result&prev=/search%3Fq%3Dsxs2.exe%26hl%3Den%26sa%3DG

The second link seems to have a batch file to aid removal - I have no idea if this is safe or not as the link is for a page translated by google.


The second link seems to have a batch file to aid removal - I have no idea if this is safe or not as the link is for a page translated by google.

Thanks for the reply N.T.T.W, I’ve seen the first link, SBSD doesn’t detect it either :frowning:

The second link might be interesting, but the batch file has many entries in Chinese, which probably won’t work on a non-Chinese system.

It seems strange to me that all the so-called ‘best’ AV programs can’t detect a Chinese virus…

I know what you mean, you would think these well-known products would be up to date for viruses worldwide.

Perhaps if you use Autoruns to find any iffy startup entries it may give you ideas how to remove various components of the nasty or at least disable them.

I will keep looking for an answer.


Perhaps if you use Autoruns to find any iffy startup entries it may give you ideas how to remove various components of the nasty or at least disable them.

I tried that, both Autoruns and Process Explorer show the same information, C:\sxs2.exe, but nothing can find it in that location. It’s supposed to be associated with autorun.exe or autorun.inf, but again these files don’t appear to exist. The sxs2.exe process still shows in Process Explorer, twice!!

http://www.f-secure.com/blacklight/

Always worth a try…

“NewHeur” indicates heuristic (behavioral) detection, which means it could be a little bit of anything to everything.
Can or did you already send samples to bocleansubmissions@comodo.com & malwaresubmit@avlab.comodo.com?

Honestly, once you’re backdoored the best practice is to nuke and reinstall. There’s no telling what doors have been opened within the OS. :frowning:
As we all know, prevention is the only real cure.

Hey

I’ve checked some posts in the NOD32 forum and as far as they know it’s a false positive, but they’re still analyzing it.

If you want to be sure you can upload the file to VirusTotal http://www.virustotal.com/ and see if any other antivirus finds it. (If you know where it is, of course.)

Hope I could help ya a bit :wink:
Xan

I haven’t tried Blacklight, but I have been through the system with gmer and Icesword, neither of which were able to detect it :frowning:

Hi ~cat~, if I could actually find the files that are loading the process I would submit them, but that’s half the problem :frowning:

Honestly, once you're backdoored the best practice is to nuke and reinstall. There's no telling what doors have been opened within the OS. :( As we all know, prevention is the only real cure.

Agreed, and if it was my system I would. It may well come to that in the end, but I said I’d try to clean first, if only to preserve his game data!

Hi alaertsxan, I saw that info, and it seems a bit vague to me. Something is definitely loading sxs2.exe into memory; what it’s doing once loaded, however, is another matter.

If you want to be sure you can upload the file to VirusTotal http://www.virustotal.com/ and see if any other antivirus finds it. (If you know where it is, of course.)

Hope I could help ya a bit :wink:
Xan

As I said to ~cat~, I can’t actually find how the file is being loaded. Everything points to sxs2.exe existing in C:\ (root) but it doesn’t. I’ve got show hidden files turned on as well as show system files. I’ve also searched the entire disk, but I can’t find it. I even tried searching ADS (alternate data streams)!

Have you tried using the command prompt to browse to and list the file directory?

I did, in both normal and safe mode. I even added the Recovery Console and tried that way too.

Perhaps we should try it another way: please send a HijackThis! log so we can see if indeed something is wrong :slight_smile:

Xan

Hi Toggie,

download a-squared Free 3.0.

I would also advise you to use a BartPE CD. It will help you see what is going on outside the OS.

Thanks for the replies everyone, I believe I finally managed to eliminate this particular nasty.

Thanks pandlouk for reminding me about a-squared, I’d forgotten about that program. It was with this that I made some progress. After downloading the command line version and running a scan, a variant of Trojan-Downloader.Win32.Agent was detected in sxs2.exe. a-squared also allowed me to quarantine the file. Interestingly, it wasn’t able to remove a number of associated files and registry entries.

From what I have discovered, in addition to sxs2.exe there are a number of ‘autorun.*’ files located in the root and %winroot%\system32. These files perform a number of tasks including creating an autorun entry in userinit.exe, changing the attributes on all the related files to hidden, system, and read-only, and also changing the value of

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“ShowSuperHidden” so that it’s impossible to choose “show hidden and system files” in Explorer.

The ‘autorun.*’ files, by the way, are:

autorun.inf
autorun.bat
autorun.reg
autorun.bin
autorun.exe
autorun.vbs
autorun.wsh
autorun.fcb
autorun.srm
autorun.txt
autorun.ini
autorun.ico

Thanks again all :slight_smile:

Toggie
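The post above lists the file and registry indicators this infection leaves behind. As an added example (not from the original thread or from a-squared), the PowerShell script below checks a machine for exactly those indicators: the ‘autorun.*’ files and sxs2.exe in the root and system32 (read with -Force, since the attributes are set to hidden/system), the ShowSuperHidden value, and the Winlogon Userinit value, which is assumed here to be where the “autorun entry in userinit.exe” lives. With -Fix it only clears the hidden/system/read-only attributes and restores ShowSuperHidden so the files become visible for the scanner; it does not delete anything itself.

```powershell
# Added defender-side check for the indicators described in this thread.
# Assumptions: the file locations and the Userinit key are the ones named in the thread;
# run in an elevated PowerShell session. Quarantine/deletion is left to the scanner.
param([switch]$Fix)

$autorunNames = 'autorun.inf','autorun.bat','autorun.reg','autorun.bin','autorun.exe',
                'autorun.vbs','autorun.wsh','autorun.fcb','autorun.srm','autorun.txt',
                'autorun.ini','autorun.ico','sxs2.exe'
$roots    = @("$env:SystemDrive\", "$env:windir\system32")
$findings = @()

foreach ($dir in $roots) {
    foreach ($name in $autorunNames) {
        $path = Join-Path $dir $name
        # -Force is required: without it Get-Item silently skips hidden/system files,
        # which is why Explorer and plain searches in the thread found nothing.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            $findings += [pscustomobject]@{ Indicator = 'File'; Detail = $item.FullName; Value = "$($item.Attributes)" }
            if ($Fix) { $item.Attributes = 'Normal' }   # clears Hidden, System, ReadOnly
        }
    }
}

# ShowSuperHidden: 1 = Explorer shows protected OS files. The thread reports it being forced off.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ssh = (Get-ItemProperty -Path $adv -Name ShowSuperHidden -ErrorAction SilentlyContinue).ShowSuperHidden
if ($ssh -ne 1) {
    $findings += [pscustomobject]@{ Indicator = 'Registry'; Detail = "$adv\ShowSuperHidden"; Value = "$ssh" }
    if ($Fix) { Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 1 -Type DWord }
}

# Userinit (assumed location of the "autorun entry in userinit.exe"): normally only userinit.exe.
$wl       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $wl -Name Userinit -ErrorAction SilentlyContinue).Userinit
$expected = "$env:windir\system32\userinit.exe"
if ($userinit -and ($userinit.TrimEnd(',') -ne $expected)) {
    # Reported only; an extra path appended here is what launches a dropper at each logon.
    $findings += [pscustomobject]@{ Indicator = 'Registry'; Detail = "$wl\Userinit"; Value = $userinit }
}

if ($findings.Count -eq 0) { Write-Output 'No indicators from the thread were found.' }
else { $findings | Format-Table -AutoSize }
```

Run it once without -Fix to see what is present, then with -Fix before re-running the scanner so it can see and quarantine the now-visible files.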

Glad to see that you nailed that little $%^#. (:TNG) :■■■■

PS. Tell your friend to install CFP3. At least he will get an alert when he adds another “bad guy” to his personal collection. :stuck_out_tongue:

Panagiotis

I’ve put 2.4 on for now, but 3 will go on as soon as it’s final.

Sir, I know this took so long to post again in this thread, but can you explain in detail how you managed to delete this virus NewHeur_PE, because I have it also just recently… It hides my files and now I can’t open them… I know it’s hidden because the number of MB inside doesn’t match the number when I use Properties. Please, I need these files. Hope you can reply. I tried a lot of what I’ve read, especially in your post, but can’t seem to delete it still.

Again, can you please tell me how to delete this. I already downloaded and used a-squared but still no progress. Can’t delete the autoruns because they can’t be searched. Thanks in advance, kind sir.

If a-squared isn’t working, use SuperAntiSpyware and/or Malwarebytes Anti-Malware.

Xan

I don’t know much about computers and I have this problem now on my computer. It’s saying the NewHeur_PE virus is attached to files I don’t seem to be able to find. Is it best just to take it to a computer person to get it fixed, or can someone coach me through this?

I’ll try to do my best :).

Anyway, are you sure you have an infection? The ‘infected’ file is caught by heuristics, so I’m not sure if it’s a real threat.

So could you please give me a HijackThis log? Download here.

Just open it, click on system scan and save a logfile, and place the log back here.

Xan