Trojan Horse Backdoor.Ptakks.AC found by AVG?

Ok, I updated all my software today, and done a full scan (With AVG, F-Prot for DOS, a2 free, adaware, spybot S&D, Bazooka spyware scanner) and AVG found this:
Results of Complete Test, date and time 5/27/04 22:11:36 :

Testing C:\ serial 3B3F-1EDE
C:\DEV-PAS\BIN\UPX.EXE repaired

Test finished, duration 00:08:54.5 s
16782 objects tested, 1 found infected

It also said it was Backdoor.Ptakks.AC

I scanned with AVG first, then f-prot, a2, etc, and none of them found anything, the folder it was in was for Dev-Pascal (The compiler I use for the current programming langauge I am learning) I think it has been there for a while, so was it a False-Positive? AVG auto-fixed it, so I cannot send it to anyone for examination, here is a hijack this log file that I just took:
Logfile of HijackThis v1.97.7
Scan saved at 11:37:46 PM, on 5/27/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REGPROT\REGPROT.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\MOZILLA\FIREFOX\FIREFOX.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGW.EXE
C:\PROGRAM FILES\MIRC\MIRC.EXE
C:\PROGRAM FILES\HIJACK THIS!\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [RegProt] c:\program files\regprot\regprot.exe /start
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O5 - control.ini: inetcpl.cpl=no
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -

I have all the necessary Windows98 security patches (noth critical, and non-critical)

 

there is nothing in your log.
this sure does sound like a false positive..UPX.EXE is a perfectly legitimate(and useful) file in a programmers computer .it's a pity avg deleted the file, they should have it to fix that FP..or did avg just delete it or was it moved to the vault?

 

It moved it to the virus vault, I'd actually like to have the file, but AVG wont let me ignore it, and I can't switch antiviruses, as the other free ones aren't as good, or won't run (Avast won't run on my PC at all, I tried to get it working) and AntiVir isn't that good... I wouldn't know where to send this into Grisoft and get the FP fixed...

 

Hello Comp1,

Just little add-on ...

You are running adequate version of IE. Go to windows update and upgrade your IE.

With thanks !
Newkid !

 

can you disable avg for a while and recover that file from the vault?

then you can zip it up(password protect it too) and send it to
virus@grisoft.cz with explanation

 

IE6.0+ doesn't run right on my PC. (I use the free version of Lite-PC to remove IE shell integration, so that may be the reason why, I don't know) last time I installed IE6 with updates, I ended up having to go back, I was told that 5.5 SP2 with the cumlative security pack would be just as secure as IE6...

I am sending the FP to Grisoft right now...

 

Comp, Would you like to put some more light what had happend exactly last time as a result you ended up having go back and installed IE 5.5 ??

Newkid

 

Sorry it took a day to get back to you, but, I went back to IE5.5 Service Pack 2 because IE6 caused my system to be really unstable...

 

Sorry Clance, I am bit busy these days with extra stuffs so i took some time to get back to you. Here are some of vulnerabilities of IE 5.5 service pack 2 for you :

The first one is Cookies across domains vulnerability. In this a malicious user could potentially craft a URL that would allow them to gain unauthorized access to a user's cookies and potentially modify the values contained in them. Because some web sites store sensitive information in a user's cookies, this could allow personal information to be compromised. This vulnerability could be exploited either by hosting specially crafted URL's on a web page or by sending them to the victim in an HTML email.

The second vulnerability is Zone Spoofing vulnerability i.e. how IE handles URLs that include dotless IP addresses. If a web site were specified using a dotless IP format (e.g., http://031713501415 rather than http://207.46.131.13), and the request were malformed in a particular way, IE would not recognize that the site was an Internet site. Instead, it would treat the site as an intranet site, and open pages on the site in the Intranet Zone rather than the correct zone. This would allow the site to run with fewer security restrictions than appropriate. This vulnerability does not affect IE 6.

Then, Integer Overflow in Processing Bitmap Files vulnerability. In this, a remote user can execute arbitrary code on the target system. It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.

Then Cross Domain Vulnerability. In this Internet Explorer 5.5 SP2 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain".

I guess, it's enough for you to update your IE and install all critical patches with Service Pack.

With Thanks !
Newkid !