HijackThis identified as a worm by AVG Anti-virus, Help!

Discussion in 'Windows - Virus and spyware problems' started by tmr250z, Sep 8, 2007.

  1. tmr250z

    tmr250z Guest

    I'm on Windows XP SP2. Over the last two days, explorer.exe has been crashing every time I shut down my computer. Then last night svchost.exe crashed, so I tried to run HijackThis to see what the problem was, but it wouldn't run, saying that Windows could not run it. Then AVG pops up saying that HijackThis.exe is a worm (see pic below) and moves it to the virus vault.

    [image: AVG alert screenshot]

    So I turned off System restore, deleted all the restore points and rebooted in Safe Mode. I ran full scans of AVG Anti-virus, AVG Anti-Spyware, Ad-Aware SE, and Spybot Search & Destroy. They all came up clean, so I emptied the AVG vault and rebooted in normal mode.

    But I'm sure there is something wrong. I heard that there are viruses or spyware that prevent HijackThis from running, so I'm wondering if that's what I've got. I haven't tried downloading and running HijackThis again until I get a better understanding of what's going on.

    Can someone help me out?
     
  2. bluecoal

    bluecoal Guest

    Hi,

    Maybe there was a false positive for some reason.

    You can also delete your current copy and get a new one here:

    http://www.bleepingcomputer.com/files/hijackthis.php

    Although I am not sure about this, the impression that I had was that there is malware programmed to hide from the name hijackthis, not to actually infect the file.

    After you have downloaded a fresh copy, rename it to scanner.exe or some other name of your choice and try running it that way.

    You can also try this removal tool, Virtumonde is one of the things that will hide sometimes:
    http://www.bleepingcomputer.com/forums/topic18610.html

    Hope this helps.
    bluecoal
     
  3. tmr250z

    tmr250z Guest

    Okay, I think that was a false positive because yesterday I deleted it, uninstalled AVG, installed Kaspersky Internet Security, scanned my computer and it didn't find anything.

    But I followed your instructions anyway to make sure my comp was clean, and the VundoFix and VirtumundoBeGone logs came up clean. I've posted them at the bottom so you can see for yourself. I also reinstalled HijackThis per your instructions, so could you have a look at it and make sure it's clean?


    VundoFix V6.5.8

    Checking Java version...

    Scan started at 11:16:29 AM 9/11/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    [09/11/2007, 11:25:01] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Desktop\VirtumundoBeGone.exe" )
    [09/11/2007, 11:25:09] - Detected System Information:
    [09/11/2007, 11:25:09] - Windows Version: 5.1.2600, Service Pack 2
    [09/11/2007, 11:25:09] - Current Username: Owner (Admin)
    [09/11/2007, 11:25:09] - Windows is in SAFE mode with Networking.
    [09/11/2007, 11:25:09] - Searching for Browser Helper Objects:
    [09/11/2007, 11:25:09] - BHO 1: {00011268-E188-40DF-A514-835FCD78B1BF} (IE7Pro BHO)
    [09/11/2007, 11:25:09] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
    [09/11/2007, 11:25:09] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [09/11/2007, 11:25:09] - BHO 4: {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} (Loader Class)
    [09/11/2007, 11:25:09] - Finished Searching Browser Helper Objects
    [09/11/2007, 11:25:09] - Finishing up...
    [09/11/2007, 11:25:09] - Nothing found! Exiting...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:45:56 AM, on 9/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\Rainlendar\Rainlendar.exe
    C:\Program Files\Rainmeter\Rainmeter.exe
    C:\Program Files\RK Launcher\RKLauncher.exe
    C:\Program Files\Styler\Styler.exe
    C:\Program Files\TClock\tclock.exe
    C:\Program Files\YzShadow\YzShadow.exe
    C:\Program Files\Avedesk\AVEDESK.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\scanner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
    O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Loader Class - {F880A4A8-C436-4AC4-AFD1-AA0BDC9552DD} - C:\Program Files\FindeXer Nightly V1.1.0.4-411\FindeXer.dll
    O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [AVEDESK] "C:\Program Files\Avedesk\AVEDESK.EXE"
    O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
    O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
    O4 - Startup: RK Launcher.lnk = ?
    O4 - Startup: Styler.lnk = ?
    O4 - Startup: TClock.lnk = C:\Program Files\TClock\tclock.exe
    O4 - Startup: YzShadow.lnk = C:\Program Files\YzShadow\YzShadow.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
    O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1184452671593
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe

    --
    End of file - 5495 bytes
     
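Reading a HijackThis log by eye works for a short one like the log above, but the same review can be scripted. The following is an added example, not part of this thread and not Trend Micro's code: it parses the R/O entry lines of a HijackThis log, pulls the first Windows file path out of each entry, counts entries per section and applies a few review heuristics of the kind a helper would apply by hand (an O4 shortcut whose target HijackThis shows as `?`, an O20 AppInit_DLLs entry, an unnamed Run value, and an autostart target under a user profile or Temp directory). The embedded sample mixes lines copied from the posted log with two constructed O4 lines (an `updater.exe` in the Temp folder and a `(no name)` Run value) that exist only to trigger the heuristics; the heuristics are an illustration and not HijackThis's own logic.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample log: most lines are copied from the HijackThis log posted in this
# thread; the last two O4 lines are CONSTRUCTED to exercise the heuristics
# and do not appear in the poster's log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
O2 - BHO: IE7Pro BHO - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IE7Pro\IE7Pro.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - Startup: RK Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\Owner\Local Settings\Temp\updater.exe
O4 - HKLM\..\Run: [(no name)] C:\WINDOWS\system32\svchost.exe -k netsvcs
"""


@dataclass
class Entry:
    section: str          # HijackThis category code, e.g. "O4"
    body: str             # everything after "O4 - "
    path: Optional[str]   # first Windows file path found in the body, if any


# Entry lines look like "O4 - HKLM\..\Run: [...]"; R/F/O are the section families.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
# Drive letter, then the shortest run of text ending in a known file extension;
# this also copes with unquoted paths that contain spaces and 8.3 short names.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cab|htm|lnk|sys|ocx)\b", re.IGNORECASE)


def parse_hijackthis(text: str) -> list:
    """Return one Entry per R/F/O line; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        p = PATH_RE.search(body)
        entries.append(Entry(section, body, p.group(0) if p else None))
    return entries


def section_counts(entries: list) -> dict:
    counts: dict = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


# Heuristic only: autostarts under these directories deserve a second look.
USER_DIRS = ("\\temp\\", "\\documents and settings\\")


def review(entries: list) -> list:
    """Apply a few hand-review heuristics and return human-readable findings."""
    findings = []
    for e in entries:
        low = (e.path or "").lower()
        if e.section == "O20":
            findings.append(f"O20: AppInit_DLLs is loaded into every process that maps user32.dll; confirm the vendor: {e.body}")
        if e.section == "O4" and e.body.rstrip().endswith("= ?"):
            findings.append(f"O4: HijackThis could not resolve the shortcut target; open the .lnk by hand: {e.body}")
        if e.section == "O4" and "[(no name)]" in e.body:
            findings.append(f"O4: unnamed Run value: {e.body}")
        if any(d in low for d in USER_DIRS):
            findings.append(f"{e.section}: autostart target lives under a user profile/Temp directory: {e.body}")
    return findings


if __name__ == "__main__":
    ents = parse_hijackthis(SAMPLE_LOG)
    print("entries per section:", section_counts(ents))
    for f in review(ents):
        print("REVIEW", f)
```

Run against the full log posted above, the script reports the `RK Launcher.lnk = ?` and `Styler.lnk = ?` entries and the Kaspersky AppInit_DLLs line as items to confirm by hand, which matches what a human reviewer would want to look at; an entry being listed is a prompt to check the file, not a verdict.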
  4. bluecoal

    bluecoal Guest

    The logs all look ok to me too.
     
