Trojan Backdoor.Generic11.ZNE infection?


#1 StormieStar


  • Members
  • 2 posts
  • Local time:05:52 AM

Posted 04 July 2009 - 04:50 PM

I posted this one other place, but hopefully someone somewhere can help me out, because I'm feeling really desperate about this. My system is a 32-bit Vista Laptop.

From the top: My sister sent me an IP Cloaking program in a zip file. I'd used the software before on a different PC, everything looked fine and it seemed good, she said it ran fine for her. The package had the installer, readme, system info file, and one other file (a keygen). I installed it, using my serial code, but then AVG freaked out and said that the keygen was a threat. Healed it, then blue screen popped up.

Restarted, ran an AVG scan, some tracking cookies popped up, deleted them. Fine, so I opened IE 8, and suddenly this new one pops up on the Resident Shield, Backdoor.Generic11.ZNE. I think, okay, I'll just heal it, Virus Vault, whatever. IT COMES BACK! Again and again. Then it starts saying my attempts to heal it were "interrupted by user". Lies. The actual file is C:\Windows\system32\hjgrimimnbbxb.dll, but manual searches can't find it. AVG keeps freaking out and I started to panic and shut off my wireless switch. A Google search (on a different PC) reveals no solutions, but only 2 other English results and some foreign ones, none with a solution other than scan and delete.

I find another forum, follow their instructions to run MalwareBytes. Try to get it on a USB so the infected laptop doesn't access the internet. USB ports start shutting down as the zombie file is accessed by or starts a process. Finally, I turn the internet back on, download MalwareBytes and Windows rootkit. MalwareBytes freezes, but detects 6 infected files before freezing. Windows Malware Kit detects nothing. AVG is still freaking out in the background, a new entry in Resident Shield popping up every time I click something.

I reboot into Safe Mode, uninstall AVG (dumb, I know), run MalwareBytes (successfully), and fix what it says needs to be fixed. Reboot into normal mode, and my desktop can't be found. Files are still there in my Desktop folder in Windows Explorer, but not on actual desktop. So I decide I can live with it. Redownload AVG, install, then it starts AGAIN. The file is still there! Still doing God knows what, and I have no idea what it is. I tried to run MalwareBytes again, froze. Something in normal mode is freezing it.

So I'm feeling like a zombie hunter shooting wildly and missing the head every time. I'm trying to get a HijackThis Log, but it's kinda difficult. Please please let me know if there is anything else I can do, or if I can get the log, if I should post it.

I know this is crazy long, but I'm in a panic over this, I just logged into my bank/credit accounts yesterday and I (stupidly) don't have everything backed up.

Edited by The weatherman, 04 July 2009 - 05:19 PM.
Moved from hjt to a more appropriate forum. Tw



#2 Zllio


  • Members
  • 1,107 posts
  • Local time:06:52 AM

Posted 09 July 2009 - 02:53 AM

Hi StormieStar,

The word keygen is another word for alreadybeenhacked. The fact that there is a keygen with the program means the program has been, by definition, compromised from the start. There is almost a 100% chance of getting infected using cracked software, because it comes with built in vulnerabilities. If you have not already uninstalled the program which led to this big mess, please do so now. Then continue as follows.

Your thread was moved to this forum, most likely because you didn't post the requested logs. The HJT forum is where you need to be, but in order to post there, you have to go through the Preparation Guide and give them the logs they need to work with so they can locate the file. It will take special tools to remove this virus that we can't use in the AII forum.

So ... please follow the instructions in the Preparation Guide and start a new thread in the HJT forum with your logs. If you can't get the logs, explain why. Also, put a reference to this thread in your new thread.

Once you complete the Preparation Guide, please do not make any changes to your computer until someone can help you and thanks very much for being very patient.

