
Virus picked up with AVG...NEED HELP

4 replies to this topic

#1 montequila


  • Members
  • 6 posts
  • Local time:08:19 AM

Posted 30 December 2008 - 01:33 PM

Hi, I'm new here, and never had any success with removing viruses. (I usually reinstall Windows.)

My situation is like, 10 backdoors, and they're all dlls that modify explorer and iexplorer

I have a hijackthis log please guide me on my next step..



#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,561 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:08:19 AM

Posted 30 December 2008 - 01:52 PM

The identified infection is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

#3 montequila

  • Topic Starter

  • Members
  • 6 posts
  • Local time:08:19 AM

Posted 30 December 2008 - 09:09 PM

Well, AVG said I had a backdoor... so I took up VirusTotal's scanner and went through all the AV software.
I don't know if I'm infected, and I'm using the computer right now. There are signs of sudden lags, but it just may be the slow laptop's capabilities.
I just need a verification from someone.

-----------
File ajttq.dll received on 12.31.2008 03:03:16 (CET)
Antivirus Version Last Update Result
a-squared 2008.12.31 Rootkit.Win32.Podnuha!IK
AhnLab-V3 2008.12.31.0 2008.12.30 -
AntiVir 2008.12.30 TR/BHO.Gen
Authentium 2008.12.30 -
Avast 4.8.1281.0 2008.12.30 Win32:Rootkit-gen
AVG 2008.12.30 BackDoor.Generic10.ADJZ
BitDefender 7.2 2008.12.31 -
CAT-QuickHeal 10.00 2008.12.30 Rootkit.Podnuha.biu
ClamAV 0.94.1 2008.12.30 -
Comodo 851 2008.12.31 -
DrWeb 2008.12.31 Adware.Bho.327
eSafe 2008.12.30 Suspicious File
eTrust-Vet 31.6.6284 2008.12.31 Win32/Kvol!generic
Ewido 4.0 2008.12.30 -
F-Prot 2008.12.30 -
F-Secure 8.0.14470.0 2008.12.31 -
Fortinet 2008.12.30 -
GData 19 2008.12.31 Win32:Rootkit-gen
Ikarus T3. 2008.12.31 Rootkit.Win32.Podnuha
K7AntiVirus 7.10.571 2008.12.30 -
Kaspersky 2008.12.31 -
McAfee 5479 2008.12.30 Generic.dx
McAfee+Artemis 5479 2008.12.30 Generic.dx
Microsoft 1.4205 2008.12.31 Trojan:Win32/Boaxxe.I
NOD32 3724 2008.12.30 probably a variant of Win32/Rootkit.Podnuha
Norman 5.80.02 2008.12.30 -
Panda 2008.12.30 Generic Trojan
PCTools 2008.12.30 -
Prevx1 V2 2008.12.31 Malicious Software
Rising 2008.12.30 Trojan.Clicker.Win32.Delf.bes
SecureWeb-Gateway 6.7.6 2008.12.30 Trojan.BHO.Gen
Sophos 4.37.0 2008.12.31 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.31 -
TheHacker 2008.12.30 -
TrendMicro 8.700.0.1004 2008.12.31 -
VBA32 2008.12.30 -
ViRobot 2008.12.30.1540 2008.12.30 -
VirusBuster 2008.12.30 -

Additional information
File size: 117504 bytes
MD5...: 0c2cffaa8eb2117c512fb923020d1f88
SHA1..: 1a5031a6e918a19c8b2d96a8f60bda2c729d0103
SHA256: 35fc3eba8be44d492c42d4dae681c4d82fb57997cc06893ea73c3c06c2f5bf72
SHA512: 37b9236b5195e2040bf5e619dc354455db13d2a8d48dcd1b9fccbd69ea6d7e515101ce2f80c4c3894743713d7272375b2121ab6aa23b7022c0e0ea44c02e7ebe
ssdeep: 3072:+YJ+/xCUhXNZAF/fqSSGyMPOvTAPKDxKP13LvgnY:7qxCAkZhyoUTLxI1rgnY
PEiD..: -
TrID..: File type identification
UPX compressed Win32 Executable (42.6%)
Win32 EXE Yoda's Crypter (37.0%)
Win32 Executable Generic (11.8%)
Win16/32 Executable Delphi generic (2.8%)
Generic Win/DOS Executable (2.7%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x43f0c0
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
UPX0 0x1000 0x28000 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
UPX1 0x29000 0x17000 0x16400 7.90 dc0f988b0fd549eb10853327b138e74e
.rsrc 0x40000 0x1000 0xe00 3.70 03981706342d522e0c334de35be0aef0

( 6 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree
> advapi32.dll: RegCloseKey
> ole32.dll: IsEqualGUID
> oleaut32.dll: LoadTypeLib
> shell32.dll: SHGetMalloc
> user32.dll: SetTimer

( 5 exports )
DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer, InitEntry0

CWSandbox info: http://research.sunbelt-software.com/partnerresource/MD5.aspx?md5=0c2cffaa8eb2117c512fb923020d1f88
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=59D2663E00D48395CBDE0184463EC100D2E1984D
packers (Kaspersky): PE_Patch.UPX, UPX
packers (F-Prot): UPX
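When triaging a multi-engine report like the one pasted above, a responder wants the detection count and which family names the engines agree on, rather than eyeballing 39 rows. The following Python is an added example and not part of the original post: it parses the report's text layout (where the version column is optional, so the fixed-shape "last update" date is used to split each row), using a handful of rows reused from the report above, and tallies family hints from a keyword list chosen here for illustration.

```python
import re
from collections import Counter

# Sample rows reused from the VirusTotal text report quoted in the post above.
# Layout per line: "<engine> [<version>] <last update YYYY.MM.DD> <result or '-'>"
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
a-squared 2008.12.31 Rootkit.Win32.Podnuha!IK
AhnLab-V3 2008.12.31.0 2008.12.30 -
AntiVir 2008.12.30 TR/BHO.Gen
Avast 4.8.1281.0 2008.12.30 Win32:Rootkit-gen
NOD32 3724 2008.12.30 probably a variant of Win32/Rootkit.Podnuha
Ikarus T3. 2008.12.31 Rootkit.Win32.Podnuha
Kaspersky 2008.12.31 -
"""

# The version column is optional, so the fixed-shape "last update" date anchors
# the split: everything before it is engine (+ version), everything after is the
# verdict. Python's regex engine backtracks over the optional version as needed.
LINE_RE = re.compile(
    r"^(?P<engine>\S+)(?:\s+(?P<version>\S+))?"
    r"\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+?)\s*$"
)

# Substrings of vendor labels that name a family or a behaviour class (chosen here).
FAMILY_HINTS = ("podnuha", "boaxxe", "bho", "rootkit", "backdoor", "clicker")


def parse_report(text):
    """One dict per engine row; result is None where the engine reported '-'."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # header or blank line
            continue
        rows.append({"engine": m["engine"], "version": m["version"],
                     "updated": m["updated"],
                     "result": None if m["result"] == "-" else m["result"]})
    return rows


def summarize(rows):
    """Detection count plus how many engines agree on each family hint."""
    detected = [r for r in rows if r["result"]]
    families = Counter()
    for r in detected:
        label = r["result"].lower()
        families.update(h for h in FAMILY_HINTS if h in label)
    return {"engines": len(rows), "detections": len(detected),
            "families": dict(families.most_common())}
```

Agreement of several engines on one named family (here Podnuha, a BHO-type rootkit) carries more weight than a single generic verdict, which is the reading boopme gives in the reply above.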

#4 Orange Blossom


    OBleepin Investigator

  • Moderator
  • 37,109 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:08:19 AM

Posted 30 December 2008 - 10:17 PM

Hello montequila,

I have merged your second topic in the Am I Infected forum to your previously existing topic on the same issue. I have also deleted one of the two HiJack This topics you have created. Your remaining topic is here: http://www.bleepingcomputer.com/forums/t/190690/need-a-diagnosis/

I understand your panic and frustration; however, posting multiple topics on the same issue confuses things for everyone and makes the disinfection process, should you decide to go through it, more difficult.

In your second post here, you state:

I just need a verification from someone.

Well, you got that verification from boopme in his response to your initial post. Please read what boopme has written and read the information in the links boopme provided to help you decide if you should reformat. Please let us know as a response to this topic if you decide to reformat the computer rather than disinfect it.

While you make that decision, I shall temporarily close your HiJack This topic. If you decide to disinfect the machine, I shall reopen that topic for you.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 30 December 2008 - 10:21 PM.
Edited to add HJT link. ~ OB



#5 garmanma


    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:09:19 AM

Posted 31 December 2008 - 08:33 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.

