[Ham-Computers] RE: AVG healing/repairing infected files

Hsu, Aaron (NBC Universal) aaron.hsu at nbcuni.com
Tue Jul 22 17:26:20 EDT 2008


Hi again Frank,

Doing a quick search, the most dangerous of the three you mentioned is the Fujacks virus.  Based on its payload and propagation techniques, I would highly recommend that the system be wiped and the OS re-installed from scratch.  Why?  Fujacks attempts to infect all executable and HTML/ASP files.  It also deletes some EXE files and disables anti-virus apps.  It does a *LOT* more, but these two reasons would be the prime reasons why I would wipe/re-install the OS.  Even if you were able to clean all the EXEs, there's no guarantee that some system EXE or app was deleted causing future problems.

The Hidrag creates an mIRC client named "svchost.exe" (to mask its identity).  It then launches this client on Windows boot - the client connects to an mIRC channel which allows someone to remotely control the infected system.

One thing to keep in mind...both of these create files that have the exact or similar names to legitimate files.  For example, spo0lsv.exe instead of spoolsv.exe (note the "0" instead of "o").  Another example is svchost.exe.  The legit version is in the \Windows\System32 folder - virii/worms will create a file of the same name somewhere else like in \Windows.  Most people won't know where files are supposed to be, so they'll see the name and think it's legit.

So, Frank, some of the files you see may actually be stand-alone virii masking themselves as legit system files.  However, based on the infection type, I would think there are also many legit files still infected.  There's also no guarantee that your system is currently running "clean" - we would need a HiJackThis log as a starting point to determine this.

Again, based on my personal (and professional) opinion, I would wipe and re-install the OS (and I don't suggest this lightly).  I've been known to spend 8+ hours on a single system cleaning up virii and spyware - but in these cases, I *know* that there aren't any "lingering" side-effects (such as missing system files) caused by the virii/spyware.

GL & 73,

  - Aaron Hsu, NN6O

Oh, BTW, you might want to remove your "personal" info from your e-mail signatures.  It's a common way spammers and data harvesters gather e-mail and phone number information.  You might find a lot more "junk" e-mails and faxes due to your signature (I've clipped them in these replies).


  - Aaron Hsu
    Sr. Desktop Analyst
    MediaWorks IT | Compute Build | Desktop Technology
    NBC Universal
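The two masquerading tricks Aaron describes above (a lookalike name such as spo0lsv.exe, and a legitimate name such as svchost.exe dropped outside \Windows\System32) can both be caught with a simple location and name check. The script below is an added example and is not from the mailing list or from any AVG/avast tooling; the expected-location table is a deliberately short, hypothetical allow-list, and the file inventory it scans is constructed for the demonstration.

```python
"""Flag files that masquerade as Windows system binaries, either by a
lookalike name (spo0lsv.exe vs spoolsv.exe) or by a legitimate name in
the wrong directory (svchost.exe outside \\Windows\\System32).
Added example; the inventory below is constructed, not from a real host."""
from pathlib import PureWindowsPath

# Known system binaries and the directory each is expected to live in.
# Hypothetical minimal allow-list for the example; a real one would be larger.
EXPECTED_LOCATIONS = {
    "svchost.exe": r"C:\Windows\System32",
    "spoolsv.exe": r"C:\Windows\System32",
    "explorer.exe": r"C:\Windows",
}

# Characters commonly swapped for visually similar ones in file names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "3": "e"})


def normalize(name: str) -> str:
    """Lower-case the file name and fold look-alike characters."""
    return name.lower().translate(HOMOGLYPHS)


def classify(path: str) -> str:
    """Return 'ok', 'wrong-location', 'lookalike', or 'unknown' for a path."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    if name in EXPECTED_LOCATIONS:
        # Exact legitimate name: it is fine only in its expected directory.
        if parent == EXPECTED_LOCATIONS[name].lower():
            return "ok"
        return "wrong-location"
    folded = normalize(name)
    # A name that only matches a system binary after folding homoglyphs
    # is a lookalike (e.g. spo0lsv.exe -> spoolsv.exe).
    if folded != name and folded in EXPECTED_LOCATIONS:
        return "lookalike"
    return "unknown"


def audit(paths):
    """Return the (path, verdict) pairs that need a second look."""
    return [(p, v) for p in paths if (v := classify(p)) not in ("ok", "unknown")]


# Constructed inventory mimicking the cases described in the message.
SAMPLE_INVENTORY = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\svchost.exe",
    r"C:\Windows\System32\spo0lsv.exe",
    r"C:\Program Files\AVG\avgfrw.exe",
]

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_INVENTORY):
        print(f"{verdict:15} {path}")
```

The check is intentionally narrow: it reports only names that collide with the allow-list, so application executables like the AVG files Frank mentions come back as "unknown" rather than as false positives. A fuller version would feed the script a real directory listing or a HijackThis-style process list instead of the constructed inventory.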



-----Original Message-----
Sent: Tuesday, July 22, 2008 2:51 PM
Subject: [Ham-Computers] AVG healing/repairing infected files

Michael, Hsu and Kurt

Michael tks for the avast suggestion.

Hsu and Kurt, no they are not stand-alone files... all the files are the .exe files of applications that are loaded in sub-dir program files and other. For example, and ironically, aAvgApi.exe, avgcfgcx.exe and avgfrw.exe, but most of my .exe files are locked up in the avg-vault.

The 3 reported viruses are virus Win32/Hidrag, Win32/Fujacks and the worm Generic.Agx

Quite a few of the applications affected will be difficult to replace and others will be cumbersome to download as here at the bottom end of the African Continent I have dial-up service and pay per second connected!

For Michael's suggestion to use "avast", I suppose I have to release the infected .exe files one by one from the avg-vault and then catch the virus with avast before the infection gets a chance to infest the whole computer!

Thanks again all and 73 de Frank ZS1CM

From the desk of Frank DAELEMANS, ZS1CM
