Topic: Win32.mIRC.62 need help :(

bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #30 on: April 08, 2007, 06:01:22 PM »
Yeah, if you say so, but still, why do some antivirus programs say it is infected  ???

mauserme

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #31 on: April 08, 2007, 06:13:45 PM »
Well, you have 27 scanners saying it's not infected.

2 scanners say they detect suspicious capability - it's the same idea as the "risk ware" discussed earlier.  This tool will report a lot of information about your computer.

And 1 scanner, Kaspersky, calls it delf.  I won't call Kaspersky bad but you've already expressed your opinion of it.  I'll just say all scanners are capable of false positives.

But if you're not comfortable with it and you don't see suspicious activity any longer then don't worry about it.  I'm not trying to force you into anything.


EDIT:  Not Kaspersky but Ikarus.  Still, a false positive nonetheless.
« Last Edit: April 08, 2007, 06:18:55 PM by mauserme »

bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #32 on: April 08, 2007, 06:23:27 PM »
Well, I'm still a bit freaked out from the last infestation so I'll probably skip the check with ComboFix for now. I don't see any suspicious activity for now (except that my folders in My Documents keep changing from tiles to icons, but that's probably Bill Gates' fault  ;))

Btw I got this from FindAWF which I already used  :o :

AhnLab-V3 2007.4.7.0 04.06.2007  no virus found
AntiVir 7.3.1.48 04.08.2007  no virus found
Authentium 4.93.8 04.06.2007  no virus found
Avast 4.7.936.0 04.08.2007  no virus found
AVG 7.5.0.447 04.08.2007  no virus found
BitDefender 7.2 04.08.2007  no virus found
CAT-QuickHeal 9.00 04.06.2007 TrojanDropper.QuickBatch.e
ClamAV devel-20070312 04.08.2007  no virus found
DrWeb 4.33 04.08.2007  no virus found
eSafe 7.0.15.0 04.08.2007  no virus found
eTrust-Vet 30.7.3549 04.06.2007  no virus found
Ewido 4.0 04.08.2007  no virus found
FileAdvisor 1 04.08.2007  no virus found
Fortinet 2.85.0.0 04.08.2007  no virus found
F-Prot 4.3.1.45 04.04.2007  no virus found
F-Secure 6.70.13030.0 04.08.2007  no virus found
Ikarus T3.1.1.3 04.08.2007 Trojan.BAT.Small.f
Kaspersky 4.0.2.24 04.08.2007  no virus found
McAfee 5003 04.06.2007  no virus found
Microsoft 1.2405 04.08.2007  no virus found
NOD32v2 2173 04.07.2007  no virus found
Norman 5.80.02 04.05.2007  no virus found
Panda 9.0.0.4 04.08.2007 Suspicious file
Prevx1 V2 04.08.2007  no virus found
Sophos 4.16.0 04.06.2007  no virus found
Sunbelt 2.2.907.0 04.07.2007  no virus found
Symantec 10 04.08.2007  no virus found
TheHacker 6.1.6.085 04.04.2007  no virus found
VBA32 3.11.3 04.07.2007  no virus found
VirusBuster 4.3.7:9 04.07.2007  no virus found
Webwasher-Gateway 6.0.1 04.08.2007 no virus found


I'm not being paranoid; as I said, I'm not very knowledgeable about computers, so I just can't open a file that is said to have a virus, I'll have nightmares  ;)
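The report above is the same kind of multi-engine triage mauserme walks through a few posts earlier (most engines clean, a "suspicious" heuristic or two, one or two named detections). The following is an added example, not code from the thread or from any of the scanners or tools named in it: it parses the posted report (embedded below as constructed sample input; the column layout "engine, version, signature date, result" is assumed), separates clean verdicts from heuristic ones such as "Suspicious file" and from named ones, and checks whether each named verdict refers to a batch-file family, since both named verdicts in this report (Trojan.BAT.Small.f, TrojanDropper.QuickBatch.e) do. The HEURISTIC_MARKERS list and the batch_family check are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample input: the multi-engine report bug_master posted above,
# one engine per line as "<engine> <version> <signature date> <result>".
SCAN_REPORT = """\
AhnLab-V3 2007.4.7.0 04.06.2007  no virus found
AntiVir 7.3.1.48 04.08.2007  no virus found
Authentium 4.93.8 04.06.2007  no virus found
Avast 4.7.936.0 04.08.2007  no virus found
AVG 7.5.0.447 04.08.2007  no virus found
BitDefender 7.2 04.08.2007  no virus found
CAT-QuickHeal 9.00 04.06.2007 TrojanDropper.QuickBatch.e
ClamAV devel-20070312 04.08.2007  no virus found
DrWeb 4.33 04.08.2007  no virus found
eSafe 7.0.15.0 04.08.2007  no virus found
eTrust-Vet 30.7.3549 04.06.2007  no virus found
Ewido 4.0 04.08.2007  no virus found
FileAdvisor 1 04.08.2007  no virus found
Fortinet 2.85.0.0 04.08.2007  no virus found
F-Prot 4.3.1.45 04.04.2007  no virus found
F-Secure 6.70.13030.0 04.08.2007  no virus found
Ikarus T3.1.1.3 04.08.2007 Trojan.BAT.Small.f
Kaspersky 4.0.2.24 04.08.2007  no virus found
McAfee 5003 04.06.2007  no virus found
Microsoft 1.2405 04.08.2007  no virus found
NOD32v2 2173 04.07.2007  no virus found
Norman 5.80.02 04.05.2007  no virus found
Panda 9.0.0.4 04.08.2007 Suspicious file
Prevx1 V2 04.08.2007  no virus found
Sophos 4.16.0 04.06.2007  no virus found
Sunbelt 2.2.907.0 04.07.2007  no virus found
Symantec 10 04.08.2007  no virus found
TheHacker 6.1.6.085 04.04.2007  no virus found
VBA32 3.11.3 04.07.2007  no virus found
VirusBuster 4.3.7:9 04.07.2007  no virus found
Webwasher-Gateway 6.0.1 04.08.2007 no virus found
"""

# "<engine> <version> <dd.mm.yyyy> <result>"; only the result may contain spaces.
LINE_RE = re.compile(
    r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+?)\s*$"
)
CLEAN = "no virus found"
# Substrings that mark a heuristic/generic verdict rather than a named family
# (assumed list for this example, not any scanner's own taxonomy).
HEURISTIC_MARKERS = ("suspicious", "generic", "heur", "packed", "riskware")


def parse_report(text):
    """Return one dict per report line; reject lines that do not fit the layout."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        rows.append(m.groupdict())
    return rows


def classify(result):
    """'clean', 'heuristic' or 'named' for one engine's verdict."""
    r = result.strip().lower()
    if r == CLEAN:
        return "clean"
    if any(marker in r for marker in HEURISTIC_MARKERS):
        return "heuristic"
    return "named"


def batch_family(result):
    """True when a detection name refers to a batch-file (BAT/Batch) family."""
    tokens = re.split(r"[.\s_-]+", result.lower())
    return any(t == "bat" or "batch" in t for t in tokens)


def summarize(text):
    """Tally verdict kinds and list the engines that flagged the file."""
    rows = parse_report(text)
    kinds = Counter(classify(r["result"]) for r in rows)
    detections = [(r["engine"], r["result"]) for r in rows if classify(r["result"]) != "clean"]
    return {
        "engines": len(rows),
        "clean": kinds["clean"],
        "heuristic": kinds["heuristic"],
        "named": kinds["named"],
        "detections": detections,
        "all_named_are_batch": all(batch_family(v) for _, v in detections if classify(v) == "named"),
    }


if __name__ == "__main__":
    s = summarize(SCAN_REPORT)
    print(f'{s["engines"]} engines: {s["clean"]} clean, {s["heuristic"]} heuristic, {s["named"]} named')
    for engine, verdict in s["detections"]:
        print(f"  {engine}: {verdict} ({classify(verdict)})")
```

On the posted report this comes out as 31 engines, 28 clean, 1 heuristic and 2 named detections, and both named verdicts are batch-file labels. A ratio that low, with labels that describe a generic script pattern rather than a family tied to the symptoms discussed in the thread, is what a false positive on a helper tool usually looks like, which is the reading mauserme gives above. It is a judgement aid, not a verdict: a low ratio says nothing about a genuinely new sample, and the engines' signature dates matter as much as the count.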

mauserme

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #33 on: April 08, 2007, 07:07:49 PM »
I understand bug_master.  It's good to be cautious. 

But please, no nightmares - I promise you FindAWF did nothing to infect your computer  :)

bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #34 on: April 08, 2007, 07:16:33 PM »
> But please, no nightmares - I promise you FindAWF did nothing to infect your computer  :)

No worries  8)
What should the suspicious activities be if I'm infected?

mauserme

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #35 on: April 08, 2007, 07:23:46 PM »
It could be any number of symptoms, but generally unusual system slowdowns, your firewall alerting to programs you don't recognize trying to establish an internet connection, additional malware suddenly appearing ...


bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #36 on: April 08, 2007, 07:29:39 PM »
And how do the log files help  ???

mauserme

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #37 on: April 08, 2007, 07:44:16 PM »
There are several different tools you might be asked to use if you're fighting an infection.  The most common is probably HijackThis.   It produces a log enumerating the running processes and also atypical registry entries that can show where the malware loads, how a browser hijack was effected, etc.  A tool called Deckard's System Scanner does this same thing (installing and running HijackThis for you) but also shows files recently created and some other useful system information.

FindAWF, as you can see in your log, shows files that have matching backups and their locations.  This can be used to find infections that create backups as part of the infection process (it actually does sound like you had an agent.awf infection, or similar, that you cleaned by yourself).

ComboFix looks for other types of malware that have rootkit ability and some of the more difficult adware.  If you look at this thread

http://forum.avast.com/index.php?topic=27121.msg222054#msg222054

you'll see a HijackThis log and a Combofix log that Matty attached in relation to an agent.awf infection (you need to be logged in to see the attachments).  There is also a FindAWF log somewhere in that thread too.  Keep in mind that the fixes in that thread are specific to Matty's computer and should not be taken as a general fix.

bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #38 on: April 08, 2007, 08:26:37 PM »
Ok, thanks very much for the info  :D

Tomorrow I'll run a check with HijackThis and post it  :)

mauserme

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #39 on: April 08, 2007, 08:27:35 PM »
No problem.

bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #40 on: April 08, 2007, 08:28:16 PM »
From where to download it?

mauserme

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #41 on: April 08, 2007, 08:32:03 PM »
Download link and instructions:

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #42 on: April 08, 2007, 09:20:09 PM »
Is Hijack This enough or do I need ComboFix too  :-\

mauserme

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #43 on: April 08, 2007, 11:15:45 PM »
Both logs would give us a very good look at your system.

bug_master

  • Guest
Re: Win32.mIRC.62 need help :(
« Reply #44 on: April 09, 2007, 04:11:14 PM »
Logfile of HijackThis v1.99.1
Scan saved at 16:58:50, on 09.4.2007 г.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\DAEMON Tools\daemon.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\DC++\DCPlusPlus.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools] "D:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: AGEIA PhysX System Tray Icon.lnk = C:\Program Files\AGEIA Technologies\TrayIcon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=about:blank
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D39A1FC5-87CB-48A2-AA99-6CD9E88C23F8}: NameServer =
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: 
O23 - Service: Abiosrvhm -  - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe


So am I ok  ;D
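mauserme explains a few posts up what a HijackThis log enumerates (running processes, then registry load points such as the O2 BHOs, O4 Run entries and O23 services), and the log above is a worked instance of it. The following is an added example, not from the thread and not HijackThis code: it parses an excerpt of the posted log (embedded below as a constructed subset) and applies a handful of triage rules that are this example's own assumptions. One of them is worth spelling out. The two avast O23 lines are tagged "(file missing)" even though ashMaiSv.exe and ashWebSv.exe both appear in the running-processes list of the same log, so the parser cross-checks each "(file missing)" path against that list and downgrades a flag that the log itself contradicts, instead of recommending removal of a working antivirus service.

```python
import re

# Constructed sample input: an excerpt of the HijackThis 1.99.1 log posted above.
HJT_LOG = r"""
Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\DC++\DCPlusPlus.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D39A1FC5-87CB-48A2-AA99-6CD9E88C23F8}: NameServer =
O20 - AppInit_DLLs:
O23 - Service: Abiosrvhm -  - (no file)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# "O23 - <body>", "R1 - <body>", ... : section code, then the entry text.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# First drive-letter path ending in .exe inside an entry (stops at a stray quote).
EXE_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.exe)', re.IGNORECASE)


def parse_log(text):
    """Split a HijackThis log into the running-process list and the tagged entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        if in_processes:
            if not line.strip():
                in_processes = False      # blank line ends the process list
            else:
                processes.append(line.strip().lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return processes, entries


def triage(text):
    """Apply this example's triage rules (assumed, not HijackThis's own) to a log."""
    processes, entries = parse_log(text)
    findings = []

    def add(rule, severity, code, body, note):
        findings.append({"rule": rule, "severity": severity, "entry": f"{code} - {body}", "note": note})

    for code, body in entries:
        if code == "O23":
            if "(no file)" in body:
                add("service-no-file", "high", code, body,
                    "service registered with no binary on disk; find out how it got there before deleting it")
            elif "(file missing)" in body:
                m = EXE_PATH_RE.search(body)
                path = m.group(1).lower() if m else None
                if path and path in processes:
                    # The log's own process list shows this binary running, so the
                    # "(file missing)" tag is a reporting artefact, not evidence.
                    add("missing-but-running", "info", code, body,
                        "tagged missing, but the same path is in the running-process list; do not act on this flag")
                else:
                    add("service-file-missing", "high", code, body,
                        "service points at a binary that is neither on disk nor running")
        elif code == "O2" and "(no name)" in body:
            add("bho-no-name", "review", code, body,
                "BHO without a display name; identify it by CLSID and DLL path")
        elif code == "O4":
            add("autostart", "info", code, body,
                "autostart entry; confirm the path belongs to software you installed")
        elif code == "O17":
            value = body.split("NameServer =", 1)[-1].strip()
            if value:
                add("dns-override", "review", code, body,
                    f"static DNS server {value}; confirm it is yours or your ISP's")
        elif code == "O20":
            value = body.split(":", 1)[-1].strip()
            if value:
                add("appinit-dll", "high", code, body,
                    "AppInit_DLLs is loaded into every process that loads user32.dll")
    return findings


if __name__ == "__main__":
    order = {"high": 0, "review": 1, "info": 2}
    for f in sorted(triage(HJT_LOG), key=lambda f: order[f["severity"]]):
        print(f'[{f["severity"]}] {f["entry"]}\n    {f["note"]}')
```

Read the findings in severity order. The only "high" item in the excerpt is the Abiosrvhm service registered with no file, which is exactly the kind of entry to ask about before touching anything, as the instructions above say ("DO NOT have Hijack This fix anything yet"). The cross-check is applied only to O23 entries because 8.3 short paths such as C:\PROGRA~1 in O4 lines would not string-match the long paths in the process list.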