infection with hjt log

By swker98
Jul 31, 2006
Topic Status:
Not open for further replies.
  1. Spike

    Spike Newcomer, in training Posts: 2,371

    I assume you mean the .log file I mentioned? If so, it can't hurt. I assume that this means that DCPROMO.LOG was present in /winnt/debug? yes?

    Perhaps try running AIMfix to get rid of this. I must admit though, I don't know for sure that it will remove it.

    I'm assuming of course that you've already tried to fix it once. :)
  2. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    i have found the file in the debug foler, what should i do with it, the thing u posted to read made it sound like a bad peace of a worm
    what exactly do i have, avg turns up no worm or infection
  3. Spike

    Spike Newcomer, in training Posts: 2,371

    You don't have to do anything with the log file. Your finding it simply tells me that you have had that worm (and that I've identified it correctly), even if you no longer have it. It has been at least partially neutralised through removal though, which is why AV scans aren't detecting it. The fact that fixing it in HJT doesn't get rid of the entry though suggests that there are still one or two remnants of it in the system.

    It's called BKDR_IRCBOT.IL (by Trend Micro anyway), and is usually spread through AIM. It actually works in tandem with a nasty you've already removed.

    I posted a link in my previous post to a tool called AIMfix. One of the worms this claims to remove is the worm that you have had on that system. Please run the tool, scan with HJT, repair the 023 wgav.exe entry, and scan again to see if it's gone.

    As half of the worm has already been removed though, I can't say for sure whether the tool will in fact fix this, but it's worth a shot ;)

    (and yes, that worm is a little nasty.)
  4. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    i cant find that wvag file

    could you post the ful lextention that it looks in HJT

    and the aim scanner turned up nothing

    thanks
  5. Spike

    Spike Newcomer, in training Posts: 2,371

    The entry that seems not to be dissapearing from the HJT log is...

    O23 - Service: Windows Genuine Advantage Validation (wgav) - Unknown owner - C:\WINNT\system32\wgav.exe (file missing)

    It says that the file is missing, but the entry remains after (I assume) you tried to fix it on your last scan wit the rest?

    it's wgav.exe, not wvag.
  6. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    yea

    that isnt a Windows Genuine tool?

    or is it discuided as one?

    ill post a new log soon, ive also got firefox and avg for them

    hopfulluy this will be the last time this happinods
  7. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    heres the hopfuly last log
  8. Spike

    Spike Newcomer, in training Posts: 2,371

    That explains that then - you hadn't removed it. lol.

    No, that's not the WGA tool. The wga tool uses wgatray.exe, wgalogon.dll, legitcheckcontrol.dll, and data.dat

    It doesn't have a file named wgav.exe. This file is a worm.


    I'm happy to say now that you've fixed that entry though that your log is clean. :D

    Congrats, and no problem :)
  9. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    Im ususally prety good with this stuff, i have to say this is problby the wost ive had to handel, and i coulnt have done it withpoout u guys at techspot, hopfully ill learn alot of this stuff,


    Thanks again Spike and Howards
  10. Spike

    Spike Newcomer, in training Posts: 2,371

    oops!

    O23 - Service: ContentProtect (CwCpSvc20) - Unknown owner - C:\Program Files\ContentWatch\Internet Protection\ContentProtect\cwsvc.exe (file missing)

    Now it's clean :p It was only a file missing though. No nasty there to speak of.
  11. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    I was looknbig at that also

    i googleed it and it looks likwe it is a pErEntel control programe that they use so im apprehansive to get rid of it, but its likely thell need to install it because when i try to pen it it browes but dont find it

    in HJT when you have a missing file, does that mean only some of the program is there?
     
  12. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    Thwey usew that program, but i think its busted because of the infections and that it has a file missing

    in HJT when i file is missing, it means that the program is not fully intacked or functional

    right
  13. Spike

    Spike Newcomer, in training Posts: 2,371

    If the file is missing, chances are that the program needs reinstalling anyway.

    Physically check the location (browse to it) to see if the file really is missing, and if so, fix the entry. If the file is there, I wouldn't worry about it.
  14. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Spike. Just a couple of things you should know.

    The file missing in 023 entries can be caused by a bug in HJT. So just because it says such and such 023 file missing, doesn`t necessarily mean it is. Also any 023 entry in HJT is run as a service. Fixing the entry does not stop the service from running. You would need to run the services.msc command and physically stop/disable the service.

    016-DPF entries should be fixed execept for any Microsoft/Windows entries, which should be left alone. This is because of the new Windows validation. Fixing all 016 entries can now cause windows to become unvalidated.

    I actually think the laptop needs a reformat etc. This is because swker98 doesn`t have access to the administrator account. As you know, without access to that account, one is limited as to what can be done.

    Regards Howard :)
  15. Spike

    Spike Newcomer, in training Posts: 2,371

    I understand the first point Howard. My last post accounted for it. I was assuming also that SWKer would have a good understanding of what he was doing. I did get him to physically check for files though.

    The rest of course, is news to me after not having done any of this for some time now. I'd agree that a reformat would be better, but I figured that if he's working on it for someone else, then I couldn't really argue with the needs given. The Admin account can probably be regained though with a little knowledge :)

    All that said, the underlying message really is thanks for letting me know :) :)

    (I'm almost suprised that that little has changed to be honest lol. New threats, but the same method)
  16. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Cheers mate. :):)

    Regards Howard :)

    This thread is for the use of swker98 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  17. swker98

    swker98 TechSpot Paladin Topic Starter Posts: 1,348

    i accually looked and saw that all the accounts had aministrator privliges, but this was after i cleanded it, and the last HJT log looked good, didnt it?

    i also use hijackthis.de to find some of the obious nasties





    thank you both for your help
  18. howard_hopkinso

    howard_hopkinso Newcomer, in training Posts: 25,948   +19

    Yep, that`s a clean log.

    Regards Howard :)
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.