Infection with hjt log

Status
Not open for further replies.
I assume you mean the .log file I mentioned? If so, it can't hurt. I assume that this means that DCPROMO.LOG was present in /winnt/debug? yes?

Perhaps try running AIMfix to get rid of this. I must admit though, I don't know for sure that it will remove it.

I'm assuming of course that you've already tried to fix it once. :)
 
I have found the file in the debug folder, what should I do with it? The thing you posted to read made it sound like a bad piece of a worm.
What exactly do I have? AVG turns up no worm or infection.
 
You don't have to do anything with the log file. Your finding it simply tells me that you have had that worm (and that I've identified it correctly), even if you no longer have it. It has been at least partially neutralised through removal though, which is why AV scans aren't detecting it. The fact that fixing it in HJT doesn't get rid of the entry though suggests that there are still one or two remnants of it in the system.

It's called BKDR_IRCBOT.IL (by Trend Micro anyway), and is usually spread through AIM. It actually works in tandem with a nasty you've already removed.

I posted a link in my previous post to a tool called AIMfix. One of the worms this claims to remove is the worm that you have had on that system. Please run the tool, scan with HJT, repair the O23 wgav.exe entry, and scan again to see if it's gone.

As half of the worm has already been removed though, I can't say for sure whether the tool will in fact fix this, but it's worth a shot ;)

(and yes, that worm is a little nasty.)
 
I can't find that wvag file.

Could you post the full extension that it looks for in HJT?

And the AIM scanner turned up nothing.

thanks
 
The entry that seems not to be disappearing from the HJT log is...

O23 - Service: Windows Genuine Advantage Validation (wgav) - Unknown owner - C:\WINNT\system32\wgav.exe (file missing)

It says that the file is missing, but the entry remains after (I assume) you tried to fix it on your last scan with the rest?

it's wgav.exe, not wvag.
 
Yeah.

That isn't a Windows Genuine tool?

Or is it disguised as one?

I'll post a new log soon. I've also got Firefox and AVG for them.

Hopefully this will be the last time this happens.
 
That explains that then - you hadn't removed it. lol.

No, that's not the WGA tool. The WGA tool uses wgatray.exe, wgalogon.dll, legitcheckcontrol.dll, and data.dat.

It doesn't have a file named wgav.exe. This file is a worm.


I'm happy to say now that you've fixed that entry though that your log is clean. :D

Congrats, and no problem :)
 
I'm usually pretty good with this stuff. I have to say this is probably the worst I've had to handle, and I couldn't have done it without you guys at TechSpot. Hopefully I'll learn a lot of this stuff.

Thanks again Spike and Howard.
 
oops!

O23 - Service: ContentProtect (CwCpSvc20) - Unknown owner - C:\Program Files\ContentWatch\Internet Protection\ContentProtect\cwsvc.exe (file missing)

Now it's clean :p It was only a file missing though. No nasty there to speak of.
 
I was looking at that also.

I googled it and it looks like it is a parental control program that they use, so I'm apprehensive to get rid of it, but it's likely they'll need to install it because when I try to open it, it browses but doesn't find it.

In HJT, when you have a missing file, does that mean only some of the program is there?
 
They use that program, but I think it's busted because of the infections and that it has a file missing.

In HJT, when a file is missing, it means that the program is not fully intact or functional.

Right?
 
If the file is missing, chances are that the program needs reinstalling anyway.

Physically check the location (browse to it) to see if the file really is missing, and if so, fix the entry. If the file is there, I wouldn't worry about it.
 
Spike. Just a couple of things you should know.

The "file missing" in O23 entries can be caused by a bug in HJT. So just because it says such and such O23 file missing, it doesn't necessarily mean it is. Also, any O23 entry in HJT is run as a service. Fixing the entry does not stop the service from running. You would need to run the services.msc command and physically stop/disable the service.

O16-DPF entries should be fixed except for any Microsoft/Windows entries, which should be left alone. This is because of the new Windows validation. Fixing all O16 entries can now cause Windows to become unvalidated.

I actually think the laptop needs a reformat etc. This is because swker98 doesn't have access to the administrator account. As you know, without access to that account, one is limited as to what can be done.

Regards Howard :)
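The two points above about O23 entries (verify the "(file missing)" flag on disk before fixing it, and remember that fixing the HJT entry does not stop the service itself) can be checked mechanically. The script below is an added example written for this thread, not a tool from TechSpot or from the HijackThis project: it parses O23 lines in the format shown in the log excerpts, checks each service binary's path, and reports what is still left to do. The sample log lines, the `FAKE_DISK` contents and the verdict names are constructed for the example; by default the real filesystem is consulted.

```python
"""Cross-check HijackThis O23 (service) entries against the disk.

Added example, not part of the original thread. It parses O23 lines, verifies
each service binary's path and reports whether HJT's "(file missing)" flag
holds up, plus a reminder that fixing the entry leaves the service running.
"""
import re
from pathlib import Path
from typing import Callable, Dict, List, Optional

# Format: "O23 - Service: <display> (<short name>) - <owner> - <path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<name>[^()]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Constructed sample log: the first two lines follow the entries quoted in the
# thread, the third is a made-up clean entry.
SAMPLE_LOG = r"""
O23 - Service: Windows Genuine Advantage Validation (wgav) - Unknown owner - C:\WINNT\system32\wgav.exe (file missing)
O23 - Service: ContentProtect (CwCpSvc20) - Unknown owner - C:\Program Files\ContentWatch\Internet Protection\ContentProtect\cwsvc.exe (file missing)
O23 - Service: Example Service (examplesvc) - Example Corp - C:\WINNT\system32\svchost.exe
""".strip()

# Constructed stand-in for the disk, so the example runs offline on any OS.
# cwsvc.exe is deliberately "present" to show HJT's flag being wrong.
FAKE_DISK = {
    r"C:\Program Files\ContentWatch\Internet Protection\ContentProtect\cwsvc.exe",
    r"C:\WINNT\system32\svchost.exe",
}


def fake_exists(path: str) -> bool:
    """Case-insensitive lookup in the constructed FAKE_DISK set."""
    return path.lower() in {p.lower() for p in FAKE_DISK}


def real_exists(path: str) -> bool:
    """Default checker: consult the actual filesystem."""
    return Path(path).exists()


def parse_o23(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of one O23 line, or None if it is not an O23 entry."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return {
        "display": m["display"],
        "name": m["name"],
        "owner": m["owner"],
        "path": m["path"],
        "hjt_says_missing": m["missing"] is not None,
    }


def verdict_for(entry: Dict[str, object], exists: Callable[[str], bool]) -> str:
    """Classify an entry by combining HJT's flag with a real existence check."""
    on_disk = exists(str(entry["path"]))
    if entry["hjt_says_missing"]:
        return "MISSING" if not on_disk else "HJT_FALSE_POSITIVE"
    return "PRESENT" if on_disk else "MISSING_UNFLAGGED"


ADVICE = {
    "MISSING": "binary really is gone: fix the entry, then stop/disable the "
               "service in services.msc (fixing the entry alone leaves it running)",
    "HJT_FALSE_POSITIVE": "HJT flagged it missing but the file is there: leave "
                          "the entry alone unless the file itself is suspect",
    "PRESENT": "file present and not flagged: nothing to do",
    "MISSING_UNFLAGGED": "file absent although HJT did not flag it: treat like MISSING",
}


def report(log_text: str, exists: Callable[[str], bool] = real_exists) -> List[Dict[str, object]]:
    """Parse every O23 line in log_text and attach a verdict and advice."""
    results = []
    for line in log_text.splitlines():
        entry = parse_o23(line)
        if entry is None:
            continue  # not an O23 line; other HJT sections are out of scope here
        entry["verdict"] = verdict_for(entry, exists)
        entry["advice"] = ADVICE[str(entry["verdict"])]
        results.append(entry)
    return results


if __name__ == "__main__":
    for r in report(SAMPLE_LOG, fake_exists):
        print(f"{r['name']:<12} {r['verdict']:<19} {r['path']}")
        print(f"{'':<12} -> {r['advice']}")
```

Run against a real log, the default `real_exists` does the same "browse to the location" check Spike asked for, just for every O23 line at once; the `services.msc` step still has to be done by hand, which is why the advice string spells it out.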
 
I understand the first point Howard. My last post accounted for it. I was assuming also that SWKer would have a good understanding of what he was doing. I did get him to physically check for files though.

The rest of course, is news to me after not having done any of this for some time now. I'd agree that a reformat would be better, but I figured that if he's working on it for someone else, then I couldn't really argue with the needs given. The Admin account can probably be regained though with a little knowledge :)

All that said, the underlying message really is thanks for letting me know :) :)

(I'm almost surprised that that little has changed, to be honest lol. New threats, but the same method.)
 
Cheers mate. :):)

Regards Howard :)

This thread is for the use of swker98 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
 
I actually looked and saw that all the accounts had administrator privileges, but this was after I cleaned it, and the last HJT log looked good, didn't it?

I also use hijackthis.de to find some of the obvious nasties.

Thank you both for your help.
 