
Avg Antispyware Found Inetchk.exe (hijacker.small)


19 replies to this topic

#1 bloomcounty

Posted 08 August 2007 - 04:22 PM

Hi,

I just downloaded and ran AVG Antispyware on my current laptop (which I'm getting rid of and am in the process of setting up a replacement laptop). I wanted to try out the program on the old laptop before using it on the new one (once it's set up), and also make sure the computer was clean before transferring over my files, etc. to the new laptop.

So I installed/ran AVG Antispyware per these instructions from CastleCops and quietman7:

INSTRUCTIONS FOR USING AVG ANTI-SPYWARE in "NORMAL MODE"

Download and scan with AVG Anti-Spyware 7.5
• After download, double click on the file to launch the install process.
• Choose a language, click "OK" and then click "Next".
• Read the "License Agreement" and click "I Agree".
• Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
• After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
• Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually download and update with the AVG Anti-Spyware Full database installer.
Once the updates are installed do the following:
• Click on the "Scanner" button and choose the "Settings" tab.
• Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
• Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
• Under "Reports" select "Automatically generate report after every scan" and uncheck "Only if threats were found".
• Click the "Scan" tab to return to scanning options.
• Click "Complete System Scan" to start.
• When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
• You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
• Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
• Exit AVG Anti-Spyware when done.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.


However, this is what happened:

A. I did the scan, and it found a Hijacker.Small (Risk: High) that it said was called C:/Program Files/music_now/inetchk.exe (and the description of it said that it could change your start page or something like that). [Note: It looks like this "music now" stuff is some crap that came with my computer. But it's nothing that's installed that I know of...]

B. I next clicked on Apply All Actions, since the Action listed next to it said Quarantine.

C. The Action changed to "Done" and it says on the right side that "All actions have been applied".

D. I went to Save Report, but I can not do it. The button is ghosted and I can't click it! (Please note, I do have it set to Automatically generate a report after every scan.)

E. So I went to the Infections section and nothing is listed in the Quarantine!

F. I searched my hard drive, and the file does not show up.

G. When I go to C: and look at the C:/Program Files, the "music_now" folder is dated with today's date/time that I did the scan (most likely the time I applied the Quarantine). However, all the files in the folder (including one called "inetchk.ini") are all dated 8/22/2005 (which strongly implies this stuff came on my computer).

The best answer would be that for some reason AVG just deleted the file (but even then, why can't I save a report, and why would it do that if it was set to "quarantine"?). If it's really something bad (and not just a file that came with whatever "music now" is), could it have "hidden" itself?

Since there is also that .ini file with the same name, it implies that the .exe was just the file to execute the "music now" program...? Unless it's really something else and was just calling itself that file name...

Questions:

1. So what the heck is going on? Is this serious?

2. Is the program not working right? Why can't I save a report and why isn't the item showing up in Quarantine? Is it possible that because it's just an .exe that's sitting there that it just gets deleted and that's it? (I do not see the file in that location it said it was.)

3. Do I need to redo the scan in safe mode?

4. Yesterday, I saved all the files/folders of my stuff that I want to transfer over to my new computer (nothing from that "music now" folder) -- is that stuff "safe" to copy onto my new computer? Or do I need to figure this out first then reburn dvds with all my files again before putting them on my new computer?

5. What do I do now?

Please note that I am experiencing no issues that I know of on my system.

I'm supposed to start setting up my new laptop tonight, so any help as soon as possible would be greatly appreciated! I'm kind of freaked out now... :flowers:

(I've still got the AVG Antispyware program open -- I haven't closed it or done anything in it yet other than what is described above.)

Thanks! Hope to hear back soon! :thumbsup:

Edited by bloomcounty, 08 August 2007 - 05:08 PM.

My stats: Windows XP Home SP2; Firefox 3.0.14 w/ Ad-Block Plus; IE 6.0 (used only for monthly Windows Critical Updates); ZoneAlarm 6.1.744.001 Free; AVG 8.5 A/V Free; SuperAntispyware Free 4.28.1010



#2 bloomcounty

Posted 08 August 2007 - 05:37 PM

Please note: I completely exited the program and restarted it, and now the threat is showing up in Quarantine.

Also, apparently, you need to choose "Do Not Automatically Generate Reports" and then click to create a report.

But all my questions about the threat and what I need to do (and how it affects the files I've already backed up to dvd for transfer to my new laptop) are all still pertinent.

Thanks!

#3 TMacK

Posted 08 August 2007 - 05:44 PM

Hi bloomcounty

Yes, run AVG-AS in Safe Mode.
First, click on Update Now on the Status page to ensure the database is updated.

Be sure you save the Report only after clicking the Apply all actions button.
Click on Reports to view all completed scans. Click on the most recent scan you just performed and select "Save report as".

~You should do a completely new backup for transfer to your laptop, if it was made before Hijacker.Small was quarantined.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner

#4 bloomcounty

Posted 08 August 2007 - 05:49 PM

I will re-run in safe mode.

However, it's important to note that a report was not generated. I've been told now that you need to select "Do not automatically generate reports" under settings in order for the button to save the report to work after you "apply all actions". I had it set to "Automatically generate a report after every scan" and no report was generated. I looked on the reports tab as well as in the program folder that contains the reports. Nothing. Weird...

I will be back with the report of the safe-mode scan (hopefully it will generate one).

Hope you can stick with me... Thanks! :thumbsup:

#5 bloomcounty

Posted 08 August 2007 - 05:54 PM

Also, that's a bummer about having to redo the disks. But do I also have to redownload all the programs I did yesterday (like AVG, Ad-Aware, Spybot, etc. etc.) that I'm going to put on the new computer? I'll reburn them to the dvds when I do all that again, but do I actually have to redownload them? Or should the downloaded installation .exe's for all those be safe?

#6 TMacK

Posted 08 August 2007 - 06:09 PM

No, you don't have to re-download your programs and apps.

If the problem is resolved, then you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system if you use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:

* Go to Start > Programs > Accessories > System Tools and click "System Restore".
* Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
* Then use Disk Cleanup to remove all but the most recent Restore Point.
* Go to Start > Run and type: Cleanmgr
* Click "OK".
* Click the "More Options" Tab.
* Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Edited by TMacK, 08 August 2007 - 06:11 PM.


#7 quietman7

Posted 08 August 2007 - 06:11 PM

I went to Save Report, but I can not do it. The button is ghosted and I can't click it!

Don't fret about this. The newest version of AVGAS has a quirk in saving reports. If you choose "Automatically generate report after every scan" the save log button is greyed out & you cannot save a report. However, if you choose "Do not automatically generate reports" you get a report. I recently edited the setup/scan instructions to reflect this.

I did a quick search of music_now/inetchk.exe and it appears there are numerous examples of AVGAS detecting and removing the file. One scan log indicated it was a sign of "Win32:Trojan-gen. {VB}". BitDefender is flagging it as Trojan.Click.HD.

Since you're no longer finding that file, it appears AVGAS did its job and removed it. And since the program is something you never use, you might want to remove it altogether. If so, go to Start > Settings > Control Panel, double-click on Add/Remove Programs. From within Add/Remove Programs highlight "music_now" (if listed) and select Remove.

Then search for the folder and if it's still listed in Program Files, right-click on it and choose delete. If there is no entry in Add/Remove, then look for an uninstall file within the music_now folder and double-click on it to remove. If there is no uninstall file, then just delete the folder.

Edited by quietman7, 08 August 2007 - 06:14 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#8 bloomcounty

Posted 08 August 2007 - 08:58 PM

Thanks for the replies. Here is the order I did everything you folks said to here on this thread:

1. Ran AVG Antispyware scan in "safe mode". It took 2.5 hours (almost 4 times as long as in normal mode). It found something else. I believe it found the same file, but in the "system restore" part of the hard drive. I quarantined it as well and created a log. Here is the log for this second item found:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:26:59 PM 8/8/2007

+ Scan result:

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP119\A0028234.exe -> Hijacker.Small : Cleaned with backup (quarantined).

::Report end


2. There was no "music_now" in add/remove programs, nor was there any uninstaller in the Program Files folder for it. There was a file called mn_drop.exe (which may have been an uninstaller, but I wasn't about to double-click it), so I just deleted the entire "music_now" folder.

3. I set a new System Restore point and deleted old ones via these instructions:
* Go to Start > Programs > Accessories > System Tools and click "System Restore".
* Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
Give the R.P. a name, then click "Create". The new point will be stamped with the current date
and time. Keep a log of this so you can find it easily should you need to use System Restore.
* Then use Disk Cleanup to remove all but the most recent Restore Point.
* Go to Start > Run and type: Cleanmgr
* Click "OK".
* Click the "More Options" Tab.
* Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


Note: One vital thing to include in future listing of these instructions might be that you need to cancel out of the Cleanmgr, otherwise if you hit OK after it's done deleting the system restore points, it will actually delete the stuff marked on the first tab (but you get a warning first, which is how I knew).

4. I was dialed-up to the internet the whole time with Firefox open, hope that was okay?

Please let me know if I did the right things in the right order here (as it was a combination of both TMack's and quietman's instructions).

Also, both things are still in quarantine... do I leave them there, or is there something I do to permanently delete them?

Thanks! :thumbsup:
My stats: Windows XP Home SP2; Firefox 3.0.14 w/ Ad-Block Plus; IE 6.0 (used only for monthly Windows Critical Updates); ZoneAlarm 6.1.744.001 Free; AVG 8.5 A/V Free; SuperAntispyware Free 4.28.1010
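
A way to triage a saved report like the one posted above, as an added example that is not part of the thread or of AVG's software: it parses each `path -> detection : action` line, marks findings on which no action was taken, and lists the System Restore points (`RPnnn`) that hold a flagged copy and so should be cleared after cleaning. The first sample finding and the exact "No action taken" wording are constructed assumptions; the second finding is the line from the report above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of the report posted in this thread.
SAMPLE_REPORT = r"""
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:26:59 PM 8/8/2007

+ Scan result:

C:\Program Files\music_now\inetchk.exe -> Hijacker.Small : No action taken.
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP119\A0028234.exe -> Hijacker.Small : Cleaned with backup (quarantined).

::Report end
"""

# "<path> -> <detection> : <action>." as seen in the posted report.
FINDING = re.compile(r"^(?P<path>.+?) -> (?P<name>.+?) : (?P<action>.+?)\.?\s*$")
# Windows XP System Restore store: _restore{GUID}\RPnnn\renamed-file
RESTORE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str
    detection: str
    action: str
    restore_point: Optional[int]  # RP number when the file is a System Restore copy

    @property
    def unresolved(self) -> bool:
        # Assumed wording for a report saved before "Apply all actions".
        return self.action.lower().startswith("no action")


def parse_report(text: str) -> List[Finding]:
    """Return one Finding per result line; headers and rulers are skipped."""
    findings = []
    for line in text.splitlines():
        m = FINDING.match(line.strip())
        if not m:
            continue
        rp = RESTORE.search(m["path"])
        findings.append(
            Finding(m["path"], m["name"], m["action"], int(rp["rp"]) if rp else None)
        )
    return findings


def triage(findings: List[Finding]) -> Dict[str, list]:
    """Summarise what still needs attention after a scan."""
    return {
        # Detected but neither quarantined nor deleted.
        "unresolved": [f.path for f in findings if f.unresolved],
        # Restore points containing a flagged copy: create a new point, purge these.
        "restore_points_to_purge": sorted(
            {f.restore_point for f in findings if f.restore_point is not None}
        ),
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```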

#9 quietman7

Posted 09 August 2007 - 06:47 AM

When a program quarantines a file or moves it into a virus vault, that file is safely held there (and no longer a threat) until you take action to delete it. One reason for doing this is to prevent deletion of an essential file that may have been flagged as a "False Positive". If that is the case, then you can restore the file. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure.

In your case, we know these items were bad so you can delete them from quarantine anytime.

#10 bloomcounty

Posted 09 August 2007 - 09:24 AM

Glad I did the right order.

So we can assume that the second one (which was found in system restore) as:

C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP119\A0028234.exe -> Hijacker.Small : Cleaned with backup (quarantined).

...is the same thing as the "music_now" one and not something vital that's in system restore? I'm assuming that's the case, but there's really no way to tell what that file is, right? But I'm guessing that since it's part of system restore and I've quarantined it and made a new restore point (and deleted the old ones), that even if it was a "false positive", it wouldn't matter?

Anyways, just wanted to double-check on that one before permanently deleting it. Let me know -- thanks! :thumbsup:

#11 quietman7

Posted 09 August 2007 - 11:14 AM

So we can assume that the second one (which was found in system restore)...is the same thing as the "music_now" one...

Yes. It was backed up there and should have been removed when you cleared your old restore points and created a new one.

Edited by quietman7, 09 August 2007 - 11:14 AM.


#12 bloomcounty

Posted 09 August 2007 - 12:01 PM

Okay, thanks. So I've deleted both things in AVG Antispyware permanently.

Now, my new replacement laptop has the same music_now folder on it with that same .exe in it that was flagged by AVG Antispyware on the other laptop (which I'm still currently using). So it's possible it might technically be a false positive, but either way, can I just delete that music_now folder on the new laptop with that .exe file in it? Or do I have to run AVG Antispyware at some point (once it's installed -- many steps before that happens) and let it quarantine the .exe first? And what about the system restore version of the file that probably exists as well on the new laptop?

Edited by bloomcounty, 09 August 2007 - 12:01 PM.


#13 quietman7

Posted 09 August 2007 - 01:07 PM

Who is the manufacturer of the new laptop? Is it the same as the old? It may well be a program that came preinstalled by the vendor.

I don't know anything about music_now and everything I find shows the inetchk.exe file being detected as bad but there's not anything more specific about it.

Since it's a new laptop, you just might want to contact the manufacturer and ask them what this program is. While you're at it, let them know that one of its files is being flagged as malware. They need to know about this.

Why don't you submit the file to jotti's virusscan or virustotal.com and see what comes back on it. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.

#14 bloomcounty

Posted 09 August 2007 - 01:18 PM

Same manufacturer -- HP.

So don't delete that folder yet on the new laptop?

I'm not ready for it to go fully on the internet, so I can't upload anything at this point.

I did notice that the icon for that .exe is a music note, and underneath the name of the file, it says America Online.

Edited by bloomcounty, 09 August 2007 - 01:23 PM.


#15 quietman7

Posted 09 August 2007 - 01:34 PM

I did notice that the icons for that music_now stuff says AOL.

That helps but I never heard of it. Did the laptop come bundled with AOL? If so, I would still contact the vendor and let them know. I would also contact and inform the AOL folks since it now appears the program is related to their software. If this is something new, it could be a false positive but the creator needs to investigate.

Regardless, if the program is something you don't use and never asked for then I would remove it altogether. AOL comes bundled with a lot of extra stuff that I find useless and/or unnecessary so I always remove it. Doing that doesn't affect the basic core of AOL if you use them as your ISP.