Trojan Horse Backdoor.Ptakks.AC found by AVG?

Discussion in 'malware problems & news' started by Comp01, May 27, 2004.

Thread Status:
Not open for further replies.
  1. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Ok, I updated all my software today and did a full scan (with AVG, F-Prot for DOS, a2 free, Ad-Aware, Spybot S&D, Bazooka spyware scanner) and AVG found this:
    Results of Complete Test, date and time 5/27/04 22:11:36 :

    Testing C:\ serial 3B3F-1EDE
    C:\DEV-PAS\BIN\UPX.EXE repaired

    Test finished, duration 00:08:54.5 s
    16782 objects tested, 1 found infected

    It also said it was Backdoor.Ptakks.AC

    I scanned with AVG first, then F-Prot, a2, etc., and none of them found anything. The folder it was in was for Dev-Pascal (the compiler I use for the current programming language I am learning). I think it has been there for a while, so was it a false positive? AVG auto-fixed it, so I cannot send it to anyone for examination. Here is a HijackThis log file that I just took:
    Logfile of HijackThis v1.97.7
    Scan saved at 11:37:46 PM, on 5/27/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\REGPROT\REGPROT.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\ptsnoop.exe
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\MOZILLA\FIREFOX\FIREFOX.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGW.EXE
    C:\PROGRAM FILES\MIRC\MIRC.EXE
    C:\PROGRAM FILES\HIJACK THIS!\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gamefaqs.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [RegProt] c:\program files\regprot\regprot.exe /start
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O5 - control.ini: inetcpl.cpl=no
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -

    I have all the necessary Windows 98 security patches (both critical and non-critical).
     
  2. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    There is nothing in your log.
    This sure does sound like a false positive. UPX.EXE is a perfectly legitimate (and useful) file on a programmer's computer. It's a pity AVG deleted the file; they should have it to fix that FP. Or did AVG just delete it, or was it moved to the vault?
     
  3. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    It moved it to the virus vault. I'd actually like to have the file, but AVG won't let me ignore it, and I can't switch antiviruses, as the other free ones aren't as good or won't run (Avast won't run on my PC at all; I tried to get it working) and AntiVir isn't that good... I wouldn't know where to send this in to Grisoft to get the FP fixed...
     
  4. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Comp1,

    Just a little add-on...

    You are running an adequate version of IE. Go to Windows Update and upgrade your IE.

    With thanks !
    Newkid !
     
  5. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Can you disable AVG for a while and recover that file from the vault?

    Then you can zip it up (password-protect it too) and send it to
    virus@grisoft.cz with an explanation.
     
  6. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    IE 6.0+ doesn't run right on my PC. (I use the free version of Lite-PC to remove IE shell integration, so that may be the reason why; I don't know.) Last time I installed IE6 with updates, I ended up having to go back. I was told that 5.5 SP2 with the cumulative security pack would be just as secure as IE6...

    I am sending the FP to Grisoft right now...
     
  7. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Comp, would you like to shed some more light on what exactly happened last time, as a result of which you ended up having to go back and install IE 5.5?

    Newkid
     
  8. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Sorry it took a day to get back to you, but I went back to IE 5.5 Service Pack 2 because IE6 caused my system to be really unstable...
     
  9. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Sorry Clance, I am a bit busy these days with extra stuff, so it took me some time to get back to you. Here are some of the vulnerabilities of IE 5.5 Service Pack 2 for you:

    The first one is the Cookies Across Domains vulnerability. In this, a malicious user could potentially craft a URL that would allow them to gain unauthorized access to a user's cookies and potentially modify the values contained in them. Because some web sites store sensitive information in a user's cookies, this could allow personal information to be compromised. This vulnerability could be exploited either by hosting specially crafted URLs on a web page or by sending them to the victim in an HTML email.

    The second vulnerability is the Zone Spoofing vulnerability, i.e. how IE handles URLs that include dotless IP addresses. If a web site were specified using a dotless IP format (e.g., http://031713501415 rather than http://207.46.131.13), and the request were malformed in a particular way, IE would not recognize that the site was an Internet site. Instead, it would treat the site as an intranet site, and open pages on the site in the Intranet Zone rather than the correct zone. This would allow the site to run with fewer security restrictions than appropriate. This vulnerability does not affect IE 6.

    Then, the Integer Overflow in Processing Bitmap Files vulnerability. In this, a remote user can execute arbitrary code on the target system. It is reported that a remote user can create a specially crafted bitmap file that, when loaded by IE, will trigger an integer overflow and execute arbitrary code.

    Then the Cross Domain vulnerability. In this, Internet Explorer 5.5 SP2 and earlier allow remote attackers to bypass zone restrictions and execute JavaScript by setting the window's "href" to the malicious JavaScript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain".

    I guess it's enough for you to update your IE and install all critical patches with the Service Pack. ;)

    With Thanks !
    Newkid !
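
The dotless-IP zone spoofing described in the post above comes down to one mistake: classifying a host by how it is spelled instead of by the address it denotes. The example below is added here and is not code from the thread or from Microsoft; it shows that `031713501415` (octal), `3475931917` (decimal) and `0xcf2e830d` (hex) all denote 207.46.131.13, then contrasts a naive "no dots means intranet" rule with a hardened one that canonicalises the host first. The two zone functions are simplified stand-ins of this example's own design, not a reconstruction of IE's actual zone logic, and the intranet test they use (private, loopback or link-local address) is an assumption chosen for illustration.

```python
"""Canonicalise legacy IPv4 spellings before making a security-zone decision.
Added example; the zone rules are illustrative stand-ins, not IE's real code."""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit


def _part(p: str) -> Optional[int]:
    """One inet_aton-style component: hex (0x..), octal (leading 0) or decimal."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", p):
        return int(p[2:], 16)
    if re.fullmatch(r"0[0-7]*", p):
        return int(p, 8)          # int(p, 0) would reject "031..." in Python 3
    if re.fullmatch(r"[1-9][0-9]*", p):
        return int(p, 10)
    return None


def parse_legacy_ipv4(host: str) -> Optional[ipaddress.IPv4Address]:
    """Accept 1 to 4 dot-separated parts as inet_aton does: every part but the
    last is one byte, the last part fills the remaining bytes.  Return None if
    the host is not an address in any of those forms (e.g. a real host name)."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    n = len(values)
    head, last = values[:-1], values[-1]
    if any(v > 255 for v in head) or last >= 256 ** (5 - n):
        return None
    number = 0
    for v in head:
        number = (number << 8) | v
    number = (number << (8 * (5 - n))) | last
    return ipaddress.IPv4Address(number)


def naive_zone(url: str) -> str:
    """The flawed rule: a host with no dots is taken to be a local intranet name."""
    host = urlsplit(url).hostname or ""
    return "intranet" if "." not in host else "internet"


def hardened_zone(url: str) -> str:
    """Canonicalise first.  If the host is any legacy IPv4 spelling, decide by the
    address it denotes (illustrative rule: private, loopback or link-local means
    intranet); only a host that is not an address at all falls back to the
    dotless-name heuristic."""
    host = urlsplit(url).hostname or ""
    addr = parse_legacy_ipv4(host)
    if addr is not None:
        local = addr.is_private or addr.is_loopback or addr.is_link_local
        return "intranet" if local else "internet"
    return "intranet" if "." not in host else "internet"


if __name__ == "__main__":
    for url in ("http://031713501415", "http://3475931917", "http://0xcf2e830d",
                "http://207.46.131.13", "http://2130706433", "http://fileserver"):
        host = urlsplit(url).hostname
        print(f"{url:28} -> {parse_legacy_ipv4(host)!s:15} "
              f"naive={naive_zone(url):9} hardened={hardened_zone(url)}")
```

The same lesson applies to any allow-list or zone check that keys on the textual form of a host: parse to the canonical address (or canonical DNS name) first, then decide, otherwise every alternative spelling the underlying resolver accepts is a bypass.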
     