
AVG detected Win32/Hidrag.A

Discussion in 'Virus & Other Malware Removal' started by harry_v, Nov 9, 2007.

Thread Status:
Not open for further replies.
  1. harry_v

    harry_v Thread Starter

    Joined:
    Jul 22, 2007
    Messages:
    19
    Hi,
    AVG detected Win32/Hidrag.A when I installed it.
    I downloaded Vcleaner and ran it on my PC to remove all the infected files; I also downloaded jeefogui and ran that.
    Ever since the virus was detected my PC has been really slow and also goes into a loop at times.
    AVG is acting weird, in that I cannot uninstall it and cannot update it (it says this option is not available); I was able to update it before. I want to uninstall it to install Kaspersky.
    This is the log generated by HijackThis:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:34:49, on 09/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\VVSN\VVSN.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Free Download Manager\fdm.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\DC++\DCPlusPlus.exe
    E:\HiJackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe /RegAll
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8BE1399F-6078-49C4-951D-61F247465DC2}: NameServer = 172.16.1.1
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

    --
    End of file - 5386 bytes



    Any advice on what the problem could be and what could be done to rectify it?
     
  2. harry_v

    harry_v Thread Starter

    Joined:
    Jul 22, 2007
    Messages:
    19
    Is this problem that I am facing not related to a virus?
    Also, any suggestions on how to uninstall AVG? When I try to uninstall it, I get a message saying

    Parameter incorrect
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    If it is Hidrag or Jeefo, that is a file infector that infects all .exe files, including the antivirus, so if it has infected that you won't be able to uninstall it.

    try

    Click here to download Dr.Web CureIt and save it to your desktop.
    • Double-click the drweb-cureit.exe file and allow it to run the express scan
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, look if you can click next icon next to the files found:
    • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
    • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new HijackThis log.
     
  4. harry_v

    harry_v Thread Starter

    Joined:
    Jul 22, 2007
    Messages:
    19
    Hi,
    I am working on that, getting Dr.Web CureIt.
    When I ran Vcleaner it did detect that AVG is infected; I am not sure whether it repaired/deleted the file.

    I use Sygate Personal Firewall. I was going through the security logs generated by it yesterday when I found these entries in the archive:

    "Denial of Service "Jolt2 Attack" attack detected.
    Description:
    Jolt2 attacker floods illegally fragmented ICMP or UDP packets into your computer and causes your CPU utilization to be 100%

    Application Hijacking has been detected
    The application: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe try to launch another application: C:\Program Files\Mozilla Firefox\firefox.exe to go to remote host login.yahoo.com"


    Is this attack related to a worm? If so, then how do I find and remove this worm from my PC?
    If it is not related to a worm, then how do I keep my PC from being attacked?
    How do I stop the attacker from gaining access? From the 2nd log it does seem like he has gained access to my machine.

    I have spoken to my ISP about this; all he could suggest was to update Sygate, which hasn't been of much help.
     
  5. harry_v

    harry_v Thread Starter

    Joined:
    Jul 22, 2007
    Messages:
    19
    Hi,
    I did run DrWeb-CureIt; it did find some files that were affected by Jeefo.
    Logs of DrWeb-CureIt and HJT are attached below.
    I am not able to upload the log generated by DrWeb-CureIt (it says invalid file), so I have pasted the log below:



    rebootnt.exe;C:\Documents and Settings\Gabriel\Local Settings\Temp\~vis0000;Tool.Reboot;Incurable.Moved.;
    SetupDTSB.exe;C:\Program Files\DAEMON Tools;Adware.SaveNow;Incurable.Moved.;
    VVSN.exe;C:\Program Files\VVSN;Adware.SaveNow;Incurable.Moved.;
    gain_trickler_3202.exe;C:\Program Files\DivX\DivX Pro Codec;Adware.Gator;Incurable.Moved.;
    06627187.FIL;C:\$VAULT$.AVG;Win32.HLLP.Jeefo.36352;Cured.;
    06653781.FIL;D:\$VAULT$.AVG;Win32.HLLP.Jeefo.36352;Incurable.Moved.;
    06656359.FIL;D:\$VAULT$.AVG;Win32.HLLP.Jeefo.36352;Incurable.Moved.;
     

  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    The only Jeefo it found was in AVG quarantine.

    Let's see what this finds.

    Download Combofix to your desktop:

    * Double-click combofix.exe & follow the prompts.
    * When finished, it shall produce a log for you. Post that log in your next reply.


    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
     
  7. harry_v

    harry_v Thread Starter

    Joined:
    Jul 22, 2007
    Messages:
    19
    I did run ComboFix and have attached the log generated by it.
    Any suggestions on what I could do to prevent my PC from being attacked?
    Because Sygate seemingly isn't doing much.
     

  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    Nothing obvious out of place in ComboFix.

    Have you managed to uninstall AVG yet?

    I suspect the problems came from your P2P program, and no firewall will stop what you have allowed to be downloaded.

    Try the advice in post 5 at http://help.lockergnome.com/windows/uninstall-avg-free-ftopict523207.html

    to remove AVG.

    It involves a full reinstall of AVG to overwrite any damaged components, then uninstalling it.
     
  9. harry_v

    harry_v Thread Starter

    Joined:
    Jul 22, 2007
    Messages:
    19
    Checking out the link to uninstall AVG.

    Well, the problem is Sygate detects that I am being attacked, some Jolt2 attack; not very sure what that is.

    A pop-up window appears giving a warning message, so I usually stop all incoming and outgoing packets for some time. Still I get messages like the one below in the log:

    "Application Hijacking has been detected
    The application: C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe try to launch another application: C:\Program Files\Mozilla Firefox\firefox.exe to go to remote host www.tenaday.co.in"
     
  10. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    This "Application Hijacking has been detected" seems to be a poor detection to me.

    It isn't being hijacked but working as designed.

    You must be clicking on a link someone sends you inside Yahoo Messenger, and your browser will go to that link.


    Yes, there can be times when malware will click for you, but I have that sort of alert with Kaspersky Internet Suite & they call it "Launching Internet browser with parameters".

    It gets annoying when KIS pops up every time I select a link in a different program, like Outlook or Messenger, but it is a warning, so see where it is going to.


    Jolt2 must be a false alarm, as that was fixed about 4 or 5 years ago in XP.

    There might have been a flood attempt against your IP, but the firewall did its job & blocked them.
     
  11. harry_v

    harry_v Thread Starter

    Joined:
    Jul 22, 2007
    Messages:
    19
    Well, currently that seemed like the only problem.
    Got AVG working fine; waiting for Kaspersky to be downloaded.


    Thank you for all your help.
     
  12. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    Turn off system restore by following instructions here
    http://www.thespykiller.co.uk/index.php?page=8
    That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable System Restore & create a new restore point. Now empty the Recycle Bin on the desktop.

    Go here http://www.thespykiller.co.uk/index.php?page=3 for info on how to tighten your security settings and how to help prevent future attacks.

    And scan here http://secunia.com/software_inspector/ for out-of-date & vulnerable common applications on your computer.

    Then pay an urgent visit to Windows Update & make sure you are fully updated & get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place.
     
  13. harry_v

    harry_v Thread Starter

    Joined:
    Jul 22, 2007
    Messages:
    19
    Sorry for the late reply; I was out of town.

    I did the System Restore thing and did update all the required software.
    When I check Task Manager I can see multiple svchost processes running, even though I have Wireless Zero Configuration stopped in Services.
    Also I can see processes named 'wowexec.exe' and 'epmworker.exe' running; any idea what those are?
    I stop them every time I see them in Task Manager.
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,283
    First Name:
    Derek
    wowexec.exe is what Windows uses to run 16-bit programs under Windows & only appears if you are trying to run such a program.

    epmworker.exe is part of Sony Ericsson PC Suite for your mobile phone.
     
  15. harry_v

    harry_v Thread Starter

    Joined:
    Jul 22, 2007
    Messages:
    19
    Multiple instances of svchost is fine?
     
Short URL to this thread: https://techguy.org/649831