Author Topic: Problem with win32:trojan  (Read 4165 times)


bowrez

  • Guest
Problem with win32:trojan
« on: April 07, 2009, 08:08:20 PM »
My laptop has been very slow of late, especially when bringing up Firefox. I scheduled a boot scan with Avast and it returned a Win32:Trojan. Could someone please take a look at my HijackThis log and provide some advice. Any help would be much appreciated. - Thanks

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Problem with win32:trojan
« Reply #1 on: April 07, 2009, 08:26:13 PM »
Hi bowrez,

With HJT fix this: O4 - HKCU\..\Run: [dll] rundll32 dll32,sm

MBAM, download from here: http://www.malwarebytes.org/mbam-download.php
After a scan on reboot it will probably delete the following if HJT not already fixed it:
Memory modules infected:
C:\WINDOWS\system32\dll32.dll (Backdoor.Bot.Q) -> Delete on reboot.

You apparently do not have an active software firewall running there, so you are more vulnerable online.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89162
  • No support PMs thanks
Re: Problem with win32:trojan
« Reply #2 on: April 07, 2009, 08:36:27 PM »
You don't appear to have an active firewall - it should be capable of blocking unauthorised outbound Internet connections. - What is your firewall?


FIX:
O4 - HKCU\..\Run: [dll] rundll32 dll32,sm
First find the dll32.sm and check it out, see below

Other than that I don't see anything obvious.

####
Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here in the topic, the URL in the Address bar of the VT results page.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Run HJT again (close any other windows except HJT), tick the box to the left of the suspect entry you wish to fix, click the Fix Selected Button.
####
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
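Added here as a worked example, not code from the thread or from Avast: a PowerShell audit of the current user's Run key that picks out rundll32-launched modules of the form seen above (`rundll32 dll32,sm`), resolves the bare module name the way the DLL search order would, and hashes the file so it can be looked up on VirusTotal by hash before any quarantine tool moves it. It assumes PowerShell 4 or later (Get-FileHash), which the XP machine in the thread would not have; the search locations listed are an assumption, not an exhaustive copy of Windows' search order.

```powershell
# Audit HKCU Run entries for rundll32-style persistence (added example).
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if (-not $props) { Write-Host "No Run entries for the current user."; return }

foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata properties
    $value = [string]$p.Value
    # Match "rundll32 <module>,<entrypoint>" with or without a path/.exe/quotes.
    if ($value -match '^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+(.+)$') {
        $arg    = $Matches[1]
        $module = ($arg -split ',', 2)[0].Trim('"')   # drop the ",sm" entry point
        # A bare name (no directory, often no extension) is resolved through the
        # DLL search order, so a DLL dropped into system32 is what actually loads.
        if ([IO.Path]::GetExtension($module) -eq '') { $module += '.dll' }
        $candidates = if ([IO.Path]::IsPathRooted($module)) { @($module) } else {
            @("$env:SystemRoot\System32\$module",
              "$env:SystemRoot\SysWOW64\$module",
              "$env:SystemRoot\$module",
              "$env:USERPROFILE\$module")            # assumed locations to check
        }
        $found = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
        $hash  = if ($found) { (Get-FileHash -LiteralPath $found -Algorithm SHA256).Hash }
                 else        { 'not found on disk (already removed or quarantined?)' }
        [pscustomobject]@{
            Entry    = $p.Name      # e.g. "dll"
            Command  = $value       # e.g. "rundll32 dll32,sm"
            Module   = $module      # e.g. "dll32.dll"
            Resolved = $found
            SHA256   = $hash
        }
    }
}
```

Record the SHA256 before fixing the entry in HJT or running a quarantine tool; the hash lets you search VirusTotal even after the file is gone, and the resolved path is the file to zip and submit.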

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Problem with win32:trojan
« Reply #3 on: April 07, 2009, 09:04:13 PM »
Hi bowrez,

@bowrez - Twice more or less the same advice, must be convincing.


@DavidR - you have some more postings to go to outscore poor old Tech, but he still has some more,

polonus

bowrez

  • Guest
Re: Problem with win32:trojan
« Reply #4 on: April 07, 2009, 09:10:06 PM »
First off, thanks for your help as I am rather inept with these issues.

1.) I fixed the issue (O4 - HKCU\..\Run: [dll] rundll32 dll32,sm) with HJT as suggested by polonus. I did this prior to seeing DavidR's post, my apologies.

2.) Ran MBAM but only fixed first sections as allowed by free trial version. There were additional problems reported by this program that were not fixed by the scan. I am not sure if this will correct my issues or if I will need to purchase full version, please advise.

3.) Currently performing boot scan with avast, I will post anything additional.

Polonus: what do I need to do for your suggestion (i.e. where would I find this or using which program): "Memory modules infected: C:\WINDOWS\system32\dll32.dll (Backdoor.Bot.Q) -> Delete on reboot"

In response to DavidR's question: I have just the Windows XP firewall turned on, if there is a free or inexpensive version that you could suggest I would appreciate it.

Again thank you for your help and I apologize for my ineptitude.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Problem with win32:trojan
« Reply #5 on: April 07, 2009, 09:36:27 PM »
Hi bowrez,

MBAM free will just work right as on-demand scanner, and you do not need to purchase it.
Try another scan with this Super Anti Spyware: http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE and fill us in with the log as an additional txt file to your next posting. See if you can find up: \dll32.dll and upload it to VirusTotal.com to see what the results there are, and give us the link. If not on your OS HJT already cleansed the issue. You could also give us a new fresh HJT scan txt as an additional txt file!

A nice free software FW could be ZoneAlarm free on XP.

Then check your OS is completely updated and fully patched, and check your third party software with Secunia PSI: http://secunia.com/PSISetup.exe

That is it in a nutshell, stay safe and secure online,

polonus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89162
  • No support PMs thanks
Re: Problem with win32:trojan
« Reply #6 on: April 07, 2009, 11:08:11 PM »
First off, Thanks for your help as I am rather inept with these issues.

1.) I fixed the issue (O4 - HKCU\..\Run: [dll] rundll32 dll32,sm) with HJT as suggested by polonus. I did this prior to seeing DavidR's post, my apologies.
<snip>

Fixing in HJT won't remove the file, my concern was running MBAM before trying to find the file, so it can be analysed.

bowrez

  • Guest
Re: Problem with win32:trojan
« Reply #7 on: April 08, 2009, 06:14:05 PM »
I followed the advice of Polonus and ran Super AntiSpyware. I also uploaded the file to Virus Total. I have attached the results from VirusTotal, the Super AntiSpyware report, and a HJT report after quarantining the file with Super AntiSpyware.

Could someone please take a look and advise further actions as I would like to remove the virus/files from my laptop. Thanks for your advice and help with this problem.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89162
  • No support PMs thanks
Re: Problem with win32:trojan
« Reply #8 on: April 08, 2009, 06:28:50 PM »
Well the VT results are conclusive and you should send the sample to avast.

bowrez

  • Guest
Re: Problem with win32:trojan
« Reply #9 on: April 08, 2009, 06:32:28 PM »
Thanks DavidR, what do I need to do to send the sample to Avast since the Super Antispyware scan quarantined the files?

Should I remove them from the quarantine and do a scan with Avast?

Thanks for your quick reply and advice

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89162
  • No support PMs thanks
Re: Problem with win32:trojan
« Reply #10 on: April 08, 2009, 06:43:33 PM »
Well this is why I was trying to get you to upload and send a sample to avast, as I don't like restoring files from quarantine: restore actually places the file back where it was, rather than copying it to a temp location.

You could restore it, add it to the avast chest User Files section, this is just a copy. Follow my instructions in Reply #2 above to send it from the chest.

You need to run SAS again, detecting it to put it back in the quarantine.