I have a Win32/Hidrag virus and looking for help

  #1 dn_kredible (Junior Member)

    Good evening DAL peoples,

    Today AVG 8.5 popped up a Resident Shield notification stating that I have a Win32/Hidrag virus. I tried to click "remove as power user", but the window was unresponsive, and there is no documentation in the Resident Shield list that informs you of previous notifications or removals. So I went into safe mode and ran AntiMalware and Antispyware, and they did not find anything. Then I went and downloaded VCleaner (AVG Antivirus and Security Software - Virus Removal), which AVG suggests for removing this type of virus. It scanned for about an hour; I came back later and it did not give me any results, it was just closed.

    I have not seen any symptoms yet, but they said it hides itself as svchost.exe. What do you suggest I do?

    Thank you for your time, dnk


  #2 broni (Senior Member)
    Print these instructions out.

    NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe.

    STEP 1. Download SUPERAntiSpyware Free for Home Users:
    SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: SUPERAntiSpyware.com - Database Definition Information.)
    * Close SUPERAntiSpyware.

    PHYSICALLY DISCONNECT FROM THE INTERNET

    Restart computer in Safe Mode.
    To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Under Configuration and Preferences, click the Preferences button.
    * Under the General and Startup tab, make sure the Start SUPERAntiSpyware when Windows starts option is UN-checked.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
    - Close browsers before scanning.
    - Scan for tracking cookies.
    - Terminate memory threats before quarantining.

    * Click the Close button to leave the control center screen.
    * Back on the main screen, under Scan for Harmful Software click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under Complete Scan, choose Perform Complete Scan.
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
    * Make sure everything has a checkmark next to it and click Next.
    * A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
    * If asked if you want to reboot, click Yes.
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
    - Click Preferences, then click the Statistics/Logs tab.
    - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    - If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    - Please copy and paste the Scan Log results in your next reply.

    * Click Close to exit the program.
    Post SUPERAntiSpyware log.
    NOTE: Tracking cookies may be omitted from the log.

    RECONNECT TO THE INTERNET

    RESTART COMPUTER!

    STEP 2. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

    RESTART COMPUTER!

    STEP 3. Download GMER: GMER - Rootkit Detector and Remover, by clicking on Download EXE button.
    Alternative downloads:
    - |MG| GMER 1.0.15.14972
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    When scan is completed, click Save button, and save the results as gmer.log
    Warning ! Please, do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    RESTART COMPUTER

    STEP 4. Download HijackThis:
    TrendSecure | Download TrendMicro HijackThis
    by clicking on Download HijackThis Installer
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to "fix" anything!


    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

  #3 dn_kredible (Junior Member)
    SUPERAntiSpyware Free Edition did not find any infections

    GMER always makes me log out; I don't know if it's bugged or something.

    Malwarebytes' Anti-Malware log

    Malwarebytes' Anti-Malware 1.36
    Database version: 2127
    Windows 5.1.2600 Service Pack 3

    5/13/2009 7:46:48 PM
    mbam-log-2009-05-13 (19-46-37).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 226340
    Time elapsed: 2 hour(s), 37 minute(s), 28 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 5
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\ErrorSmart (Rogue.ErrorSmart) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\ErrorSmart (Rogue.ErrorSmart) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\Dad\Application Data\ErrorSmart (Rogue.ErrorSmart) -> No action taken.
    C:\Documents and Settings\Dad\Application Data\ErrorSmart\Log (Rogue.ErrorSmart) -> No action taken.
    C:\Documents and Settings\Dad\Application Data\ErrorSmart\Registry Backups (Rogue.ErrorSmart) -> No action taken.
    C:\Documents and Settings\Owner\Application Data\ErrorSmart (Rogue.ErrorSmart) -> No action taken.
    C:\Documents and Settings\Owner\Application Data\ErrorSmart\Log (Rogue.ErrorSmart) -> No action taken.

    Files Infected:
    C:\Documents and Settings\Dad\Application Data\ErrorSmart\Log\2008 Aug 30 - 08_51_46 PM_375.log (Rogue.ErrorSmart) -> No action taken.
    C:\Documents and Settings\Dad\Application Data\ErrorSmart\Registry Backups\2008-08-24_02-51-48.reg (Rogue.ErrorSmart) -> No action taken.
    C:\Documents and Settings\Dad\Application Data\ErrorSmart\Registry Backups\2008-08-24_03-15-28.reg (Rogue.ErrorSmart) -> No action taken.
    C:\Documents and Settings\Dad\Application Data\ErrorSmart\Registry Backups\2008-08-27_18-51-18.reg (Rogue.ErrorSmart) -> No action taken.
    C:\Documents and Settings\Dad\Application Data\ErrorSmart\Registry Backups\2008-08-27_18-51-50.reg (Rogue.ErrorSmart) -> No action taken.
    C:\Documents and Settings\Owner\Application Data\ErrorSmart\Log\2008 Aug 29 - 06_35_42 PM_750.log (Rogue.ErrorSmart) -> No action taken.
    C:\Documents and Settings\Owner\Application Data\ErrorSmart\Log\2008 Aug 29 - 08_50_09 PM_593.log (Rogue.ErrorSmart) -> No action taken.

    I have had ErrorSmart Pro for a while now; I really don't think it's infecting my PC.


    HiJack This log


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:06:41 PM, on 5/13/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16827)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Dad\Desktop\Programs\PC Tools\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo!
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo!
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User '?')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    --
    End of file - 3268 bytes



    This is a report from my AVG '08 Resident Shield findings as of May 13th.

    Resident Shield detection
    "Infection";"Object";"Result";"Detection time";"Object Type";"Process"
    "Virus identified Win32/Hidrag.A";"C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP33\A0007406.exe";"Moved to Virus Vault";"5/13/2009, 2:57:02 PM";"file";"C:\WINDOWS\system32\svchost.exe"
    "Virus identified Win32/Hidrag.A";"C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP33\A0007406.exe";"Infected";"5/12/2009, 10:15:36 PM";"file";"C:\WINDOWS\system32\svchost.exe"
    "Virus identified Win32/Hidrag.A";"C:\Documents and Settings\Dad\My Documents\Downloads\Counter-Strike Source FULL [October 15 2007] DiGiTALZonE\CSS_FULL_Oct-15-07_DiGiTALZonE_2FINISH.exe";"Deleted";"5/12/2009, 6:02:49 PM";"file";"C:\Documents and Settings\Dad\Desktop\Programs\Apps\uTorrent.exe"

  #4 broni (Senior Member)
    HJT log looks clean.
    AVG report indicates three infection locations.
    One in Documents & Settings, which was cured.
    Two others are in Restore Points.
    One was moved to the vault, the other can't be cured.
    We'll reset System Restore, and it should take care of the problem.

    1. Download ATF Cleaner by Atribune.

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Unselect Cookies.
    Click the Empty Selected button.

    If you use Firefox browser
    Click Firefox at the top and choose: Select All
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Unselect Cookies.
    Click the Empty Selected button.


    If you use Opera browser
    Click Opera at the top and choose: Select All
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Unselect Cookies.
    Click the Empty Selected button.


    Click Exit on the Main menu to close the program.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure Windows Updates are current.

    6. Empty the AVG vault. Re-run AVG and see if it still reports anything.
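
The Resident Shield report pasted in post #3 is a plain semicolon-separated export, and the reading applied to it in post #4 (which hits sit in restore points, which were already cleaned up, which are still flagged) can be automated. The following is an added example written for this page, not code from the thread, from AVG or from DAL. It embeds the thread's three report rows as its sample input, classifies each detection as a restore-point copy or a live file from its path, tallies results, and keeps the most recent event recorded for each path. The path heuristic for System Restore copies, the `TIME_FORMAT` string, and the assumption that the export holds one row per event are inferred from the rows shown and are assumptions of this example.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Sample input: the header and the three detection rows from the AVG Resident
# Shield report posted in this thread, embedded so the script runs offline.
AVG_REPORT = r"""
"Infection";"Object";"Result";"Detection time";"Object Type";"Process"
"Virus identified Win32/Hidrag.A";"C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP33\A0007406.exe";"Moved to Virus Vault";"5/13/2009, 2:57:02 PM";"file";"C:\WINDOWS\system32\svchost.exe"
"Virus identified Win32/Hidrag.A";"C:\System Volume Information\_restore{FDF7E1BD-3514-4652-A0DC-09D8FF2520E1}\RP33\A0007406.exe";"Infected";"5/12/2009, 10:15:36 PM";"file";"C:\WINDOWS\system32\svchost.exe"
"Virus identified Win32/Hidrag.A";"C:\Documents and Settings\Dad\My Documents\Downloads\Counter-Strike Source FULL [October 15 2007] DiGiTALZonE\CSS_FULL_Oct-15-07_DiGiTALZonE_2FINISH.exe";"Deleted";"5/12/2009, 6:02:49 PM";"file";"C:\Documents and Settings\Dad\Desktop\Programs\Apps\uTorrent.exe"
""".strip()

# Assumption: the "Detection time" column always looks like "5/13/2009, 2:57:02 PM".
TIME_FORMAT = "%m/%d/%Y, %I:%M:%S %p"

EXPECTED_HEADER = ["Infection", "Object", "Result", "Detection time", "Object Type", "Process"]


@dataclass
class Detection:
    infection: str
    path: str
    result: str
    detected_at: datetime
    object_type: str
    process: str

    @property
    def location(self) -> str:
        # Assumption: System Restore keeps its file copies under
        # <drive>\System Volume Information\_restore{GUID}\RPnn\, so a hit
        # there is a snapshot of an old file, not a file in active use.
        if "\\system volume information\\_restore" in self.path.lower():
            return "restore point"
        return "live file system"

    @property
    def outstanding(self) -> bool:
        # "Deleted" and "Moved to Virus Vault" mean the scanner already handled
        # the object; "Infected" means it was left in place at that moment.
        return self.result.lower() == "infected"


def parse_report(text: str) -> List[Detection]:
    """Parse the quoted, semicolon-separated Resident Shield export."""
    rows = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    header = next(rows)
    if header != EXPECTED_HEADER:
        raise ValueError(f"unexpected header: {header!r}")
    detections = []
    for row in rows:
        if len(row) != len(EXPECTED_HEADER):
            continue  # skip blank or truncated lines
        infection, path, result, when, obj_type, process = row
        detections.append(Detection(infection, path, result,
                                    datetime.strptime(when, TIME_FORMAT),
                                    obj_type, process))
    return detections


def summarize(detections: List[Detection]) -> dict:
    """Counts by location and by result, plus rows still marked Infected."""
    return {
        "by_location": dict(Counter(d.location for d in detections)),
        "by_result": dict(Counter(d.result for d in detections)),
        "outstanding": [d for d in detections if d.outstanding],
    }


def latest_status(detections: List[Detection]) -> Dict[str, Detection]:
    """Keep only the most recent event per path; the export logs one row per event."""
    latest: Dict[str, Detection] = {}
    for d in detections:
        prev = latest.get(d.path)
        if prev is None or d.detected_at > prev.detected_at:
            latest[d.path] = d
    return latest


if __name__ == "__main__":
    dets = parse_report(AVG_REPORT)
    summary = summarize(dets)
    print("detections by location:", summary["by_location"])
    print("detections by result:  ", summary["by_result"])
    for path, d in latest_status(dets).items():
        print(f"{d.location:16} {d.result:20} {d.detected_at:%Y-%m-%d %H:%M}  {path}")
    if summary["outstanding"]:
        print("rows marked Infected (check whether a later row for the same path superseded them):")
        for d in summary["outstanding"]:
            print("  ", d.path)
```

Run on the embedded rows it reports two restore-point hits and one live-file hit, and the per-path view shows the single restore-point file with "Moved to Virus Vault" as its latest event; either way, the restore-point copies only go away for good when the restore points themselves are purged, which is what the steps above do.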

  #5 dn_kredible (Junior Member)
    Ok,

    Please bear with me; it's been 4 hours and AVG is still scanning. Luckily it hasn't found anything yet.

  #6 broni (Senior Member)
    Don't worry about it. Let it scan. We need to know the final result.

  #7 dn_kredible (Junior Member)
    OMG!

    After more than 10 hours of scanning it didn't find anything, Geeeezzzuus this scan is slow.
    I tried to find the path for the virus file but I couldn't find any System Information restore folder. Do you know the path?

  #8 broni (Senior Member)
    After more than 10 hours of scanning it didn't find anything
    All good then

    I tried to find the path for the virus file but I couldn't find any System Information restore folder.
    We did remove all restore points since some of them were infected.
    We created new, clean restore point.

    The System Information folder is a hidden system folder located in the root of the C: drive.
    If you really want to see it, open Windows Explorer and go to Tools > Folder Options.

    Close and reopen Windows Explorer.

  #9 dn_kredible (Junior Member)
    Thanks a lot Broni,

    You guys here at DAL are kickass at what you do.

  #10 broni (Senior Member)
    I'm always pleased to help
