new backdoor virus

[Madmachine]

I recieved a trojan virus called VIRUSHEAT.exe which planted itself in my tool bar(bottom right).This virus proceeded to delete all my start menu items until I was only left with my background screen . It then proceeded to delete every program I opened.I ran avast over and over but this virus was not detected. Eventually it started to corrupt all my avast files.Everything I tried to open gave me the message (cannot read "specific file" make sure disk is installed correctly). I eventually had to format my hard drive and reload everything from scratch.I have sent a letter to Virus heat anti spyware(from which the trojan originated). I have still to recieve a reply.PLEASE be careful of a program called virus heat, because if you dont purchase there product,your pc will die a slow and permanent death.

[sanctuary24]

virusheat is a rogue antispyware program from what I've read by googling it, as to how you can safely remove it I havent a clue but hopefully you wont encounter it again.  Someone else on here will have a better idea than me, hope things work out once your computer is back up and running

[Lisandro]

Thanks for posting. It's a pity that you get so much damaged with this virus and avast couldn't protect you. Can you send the samples to virus@avast.com ?
You can zip and password the files... Inform a link to this thread and the password used.
You can send the files to Chest and, from there, resend to Alwil for analysis.
Thanks again.
Maybe you should run (if possible), on-line scanning with Kaspersky and BitDefender.
To remove the virusheat, maybe you could use RogueRemover.

[CharleyO]

***

Madmachine posted above ...

I eventually had to format my hard drive and reload everything from scratch.

... and is not likely to still have the files to send.

It's a shame that they are not available.


***

[essexboy]

Virus heat does not behave in that manner - well in the instances I have seen.  It is relatively easy to remove using Malwarebytes or Combofix.    It does not eat your files, this sounds like something totally different was also downloaded at the same time  to me

Virus Heat, Virus Heat 4.3, Virus Heat 3.9, is the one of latest and most devastating counterfeit anti-spyware softwares that endangers the world of computers today. From all previous evidences that we collected, we have a good reason to believe that Virus Heat is a new variant of VirusProtect, SpyLocked and SpyCrush spyware family. Virus Heat usually installs itself onto your computer without your permission, through Zlob.Trojan, Virus or fake software. The easiest way to be infected is through installing ActiveX video codecs. Virus Heat then displays fake system alerts or fake security alerts to trick user to buy the paid version of Virus Heat.

[Lisandro]

... and is not likely to still have the files to send.

You're right Charley, my fault, it was obvious.

I think essexboy is going to the right direction.

[CharleyO]

***

Madmachine -

Please download HijackThis from the link below, run the program but do not make any fixes, and then post the log results in this thread using the "copy & paste" method. It will probably take more than one post to be able to get the complete log posted. Someone will review your log and then offer help.

http://filehippo.com/download_hijackthis/


***

[polonus]

Hi Madmachine,

Here the additional manual virus removal for virusheat:
Manual Removal Instructions:

Stop VirusHeat Processes:

VirusHeat 4.3.exe
VirusHeat 3.9.exe
VirusHeat.exe

Unregister VirusHeat DLL Files:

iinqyl.dll
wuuawkz.dll
ecxwp.dll
tvtpwp.dll
cjuvwa.dll
eeioq.dll
txdkfh.dll
heuvth.dll
wbchha.dll

Find and Delete these VirusHeat Files:

VirusHeat 4.3.exe
VirusHeat 4.3.lnk
VirusHeat 4.3.url
Uninstall VirusHeat 4.3.lnk
VirusHeat 3.9.exe
VirusHeat 3.9.lnk
VirusHeat 3.9.url
Uninstall VirusHeat 3.9.lnk
ecxwp.dll
wuuawkz.dll
tvtpwp.dll
cjuvwa.dll
eeioq.dll
txdkfh.dll
heuvth.dll
wbchha.dll

Remove VirusHeat Registry Values:

Microsoft\Windows\CurrentVersion\App Paths\VirusHeat 3.9.exe
917f93bf-6714-4e11-8982-59db2e0f88fc
{E94EB13E-D78F-0857-7734-5E67A49FFFF1
0979850F-6C3E-4294-B225-B3D3C4A6F2A1
1BB2DA5F-B78F-44EA-BDA1-771CBE1DEC68
2A4E73C5-BA3C-4391-B7E5-FFE8D3BD6245
8D42769F-07D8-494D-AAB4-AA1652C541FA
A1922071-390C-418D-916D-91209E95D286
A1F8CD95-CFB3-43D1-A956-63441CC058C1
A63B46AD-96A7-4A2C-BD8F-8CD097E1593A
A65F98DD-2360-468C-B76E-B1B84C0D547C
AE2AEED0-BE1B-4BA2-826E-20D1991081B8
D7F73787-6206-4BBA-BDC0-7CFA9940DBCB
E770F739-2968-4ED9-A63C-DC1938DC82A2
631E9E48-B066-43DA-92AC-6DADF61B173B
65C1361C-E696-4AF0-9E21-81910193F352
77DCE805-C8CE-48AA-A47F-BFA6CC7704B3
CFAFA83C-855B-4E3D-92B9-A587995B675A
44A923CA-F430-4F85-9F84-5153ECDB882E
4E6E21EC-9D72-4164-8A53-74786A467872

polonus