win32/hidrag.A

#1 Amaruve (New Member, 1 post)

I have the same problem as a whole lot of people I've seen online.

I have/had a virus on my computer called hidrag.A. After searching the net for a while I found out it was infecting my computer from %windir%\svchost.exe. I know it doesn't belong there, it belongs in system32, so I located it no problem and deleted it without mercy.

Now according to AVG nearly all, if not all, of my executables are infected, but most of my computer runs fine anyway. I have encountered some problems though and I'd like to know how to clean, fix or heal my stuff.

I just got HijackThis so I could give you a log, but I'm not sure how to use it. It seems simple enough though. So without further ado, here is my log.

Logfile of HijackThis v1.99.1
Scan saved at 1:41:49 PM, on 4/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ben\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1112517038405
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

edit: win32/hidrag.A is nearly identical to W32/Jeefo, if you are familiar with that. Some people have suggested getting a program specifically intended to remove Jeefo from http://www.sophos.co...rs/jeefogui.com. It seems to be very effective, but it didn't work for this "strain" of the virus, which people are saying is just an alias of Jeefo.

Any thoughts?

Edited by Amaruve, 08 April 2005 - 03:20 PM.


#2 Wizard (Retired Staff, 5,661 posts)

Howdy Amaruve,

Give this a try and see how it goes!

Update AVG with the latest definitions!

Create a Restore Point, just in case:
To create a new System Restore Point in Windows XP, click Start -> All Programs -> Accessories -> System Tools -> System Restore. When the System Restore Utility opens, click "Create a Restore Point" then click Next. Enter a name for this Restore Point (for instance, "Before Installing Office XP"), and click Create.

Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php
There is a direct download and a description of what the program does inside this link.

Click Start >> Click Run >> Type in Services.msc and click OK!

Scroll the list for "PowerManager", right-click and select Properties!
Click the Stop button and change the Startup Type to Disabled!
Click Apply and OK!

Next, go into "Add/Remove Hardware" in the Control Panel and click on view hidden devices, scroll down until you find "Power Manager" and uninstall it as a piece of hardware and thus a service.


Open Pocket KillBox, copy & paste the below bold print into the box labeled "Full Path of File to Delete":

C:\WINDOWS\svchost.exe

Select "Delete on Reboot" and click the red circle with the white X to delete!!

Select "Yes" to confirm.
Select "Yes" to reboot now.

Reboot into SAFE MODE (tap F8 when restarting).
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam


Once in Safe Mode, open AVG, but don't scan just yet!

Right-click the taskbar >> Select Task Manager >> Select Processes

Under Processes, locate these 2:

RunDll32.exe
and
Explorer.exe

If RunDll32 exists, right-click and select End Process.

Do the same for Explorer.exe, but when you kill this process the desktop and taskbar will disappear. This is normal, so don't panic!!!

Go back to AVG and let it scan the system and delete all it finds!

When finished, close out AVG and go to the Task Manager and select Shut Down!

Restart the PC in Normal Mode and scan the system with AVG again and see if it detects any viruses!

Once completed, run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!
Make sure Normal Startup is checked!!

Select the tab labeled Startup and put a check by every box there!!

Click Apply >> OK >> Follow the prompts to restart!!

Once restarted in Normal Mode, scan the system with HijackThis and post those results!
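Both posts turn on the same two indicators: a file called svchost.exe only belongs under %SystemRoot%\System32 (post #1 found one in C:\WINDOWS), and the O23 line for "Power Manager" still points at C:\WINDOWS\svchost.exe (file missing) after that copy was deleted, which is why post #2 has the service stopped and disabled before cleaning. The script below is an added example, not part of either post and not part of HijackThis or AVG: it parses a constructed log excerpt modelled on the one above and flags both indicators automatically. The function names, the SYSTEM32_ONLY list and the sample lines are assumptions for this illustration; the log format (a "Running processes:" block and "O23 - Service: name - owner - path" lines) follows the log posted above.

```python
"""Flag Jeefo/Hidrag-style indicators in a HijackThis v1.99 log.

Two checks: (1) a binary whose name Windows only ever runs from
System32 appearing under any other directory, and (2) an O23 service
whose binary is reported as missing (an orphaned service entry left
behind after the payload was deleted, as in the thread above).
"""
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on the log posted above (not the real log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
"""

# Assumed list: core XP binaries that legitimately live only in System32.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe",
                 "csrss.exe", "winlogon.exe", "smss.exe"}

# "O23 - Service: <display name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?\s*$"
)


def parse_hijackthis(text):
    """Return (process_paths, services) from HijackThis log text.

    process_paths: every non-blank line after 'Running processes:' up to
    the next blank line.  services: one dict per O23 line.
    """
    processes, services = [], []
    in_processes = False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            if not line.strip():
                in_processes = False
            else:
                processes.append(line.strip())
            continue
        m = O23_RE.match(line)
        if m:
            services.append({"name": m["name"], "owner": m["owner"],
                             "path": m["path"], "missing": bool(m["missing"])})
    return processes, services


def outside_system32(path):
    """True when a System32-only binary name sits in some other directory."""
    p = PureWindowsPath(path)
    if p.name.lower() not in SYSTEM32_ONLY:
        return False
    return p.parent.name.lower() != "system32"


def find_indicators(text):
    """Return a list of (severity, subject, reason) findings for the log."""
    processes, services = parse_hijackthis(text)
    findings = []
    for path in processes:
        if outside_system32(path):
            findings.append(("high", path,
                             "System32-only binary name running from another directory"))
    for svc in services:
        if outside_system32(svc["path"]):
            findings.append(("high", svc["name"],
                             f"service binary {svc['path']} masquerades as a System32 file"))
        if svc["missing"]:
            findings.append(("medium", svc["name"],
                             "service points at a missing file; disable and remove the entry"))
    return findings


if __name__ == "__main__":
    for severity, subject, reason in find_indicators(SAMPLE_LOG):
        print(f"[{severity}] {subject}: {reason}")
```

On the constructed sample this reports the stray C:\WINDOWS\svchost.exe process, the PowerManager service that launches it, and the fact that the file is already gone; a service with "Unknown owner" alone (the ATI entry) is deliberately not flagged, since many legitimate drivers report that. Run it against a real log by reading the file into the text argument instead of SAMPLE_LOG.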