Author Topic: Help computer Infected with Trojan Horse Generic9.AAUM  (Read 90548 times)


jase

  • Guest
Re: Help computer Infected with Trojan Horse Generic9.AAUM
« Reply #15 on: December 16, 2007, 12:11:27 AM »
Hi jase,

Not so desperate, my good friend. Let us not rush into things that are not at hand at the moment.
It is quite possible that the scanner that alerted you to the malware did delete it, whereas toolbarcop mentioned it was Empty; something must have emptied it. The registry entry for it has been removed. So there are two possibilities: a) this is a ghost notice, or b) something else is preventing the delete. Let us try a couple of things next. A: upload the cd.dll to virustotal, and give me the details of what the scan gives there. B: follow essexboy's suggestions now; I am anxious to know what the matter really is. When you use his tool, first clean all your temporary files using ATF-Cleaner http://www.atribune.org/ccount/click.php?id=1
and you must not allow System Restore when using this.


polonus


I am sorry, I didn't understand you on this virustotal. Is it a website? Is it www.virustotal.com?

jase

  • Guest
Re: Help computer Infected with Trojan Horse Generic9.AAUM
« Reply #16 on: December 16, 2007, 12:12:21 AM »
Hi Jase, if you could run AVZ, that should enable me to kill it.

What's AVZ now?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Help computer Infected with Trojan Horse Generic9.AAUM
« Reply #17 on: December 16, 2007, 12:13:18 AM »
Hi Jase,

Do as essexboy says, after cleaning the temp files with ATF-Cleaner and having disabled System Restore.
Here are the avz4 check-up data: http://www.spywaredata.com/spyware/malware/avz.exe.php

pol
« Last Edit: December 16, 2007, 12:15:10 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Help computer Infected with Trojan Horse Generic9.AAUM
« Reply #18 on: December 16, 2007, 12:14:48 AM »
I'll repost the instructions.

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the right of the Log window:
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again.

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Investigation" check box.
  • Click on "Execute selected scripts".
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.

When restarted:

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Investigation" check box.
  • Click on "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both zip files to your next post.

jase

  • Guest
Re: Help computer Infected with Trojan Horse Generic9.AAUM
« Reply #19 on: December 16, 2007, 12:18:25 AM »

Ok, I am on it, and thank you too   :)

jase

  • Guest
Re: Help computer Infected with Trojan Horse Generic9.AAUM
« Reply #20 on: December 16, 2007, 12:21:42 AM »

Hi polonus, just want you to know that the result i got from virustotal on the file "cd.dll"......

0 bytes size received / Se ha recibido un archivo vacio


What does it mean? Does it mean it's just a ghost file?
« Last Edit: December 16, 2007, 12:29:44 AM by jase »

jase

  • Guest
Re: Help computer Infected with Trojan Horse Generic9.AAUM
« Reply #21 on: December 16, 2007, 12:33:10 AM »

This is what I got after running avz4....


AVZ Antiviral Toolkit log; AVZ version is 4.29
Scanning started at 12/16/2007 4:54:41 AM
Database loaded: signatures - 139338, NN profile(s) - 2, microprograms of healing - 55, signature database released 15.12.2007 17:17
Heuristic microprograms loaded: 371
SPV microprograms loaded: 9
Digital signatures of system files loaded: 67629
Heuristic analyzer mode: Medium heuristics level
Healing mode: enabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
System Recovery: Disabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=07B180)
 Kernel ntkrnlpa.exe found in memory at address 804D7000
   SDT = 80552180
   KiST = 80501030 (284)
Function NtOpenProcess (7A) intercepted (805BFB78->F7C078AC), hook C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
>>> Function recovered successfully !
>>> Hook code blocked
Function NtTerminateProcess (101) intercepted (805C74C8->F7C07812), hook C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
>>> Function recovered successfully !
>>> Hook code blocked
Function ObOpenObjectByName (805AFA54) - machine code modification Method not defined.
>>> Function recovered successfully !
Functions checked: 284, intercepted: 2, restored: 3
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Checking IDT and SYSENTER - complete
 >>>> Suspicion for Rootkit mzcxlbyk C:\WINDOWS\system32\drivers\ewjppfle.dat
1.4 Searching for masking processes and drivers
 Checking not performed: the extended monitoring driver (AVZPM) is not installed
2. Scanning memory
 Number of processes found: 36
 Number of modules loaded: 396
Memory checking - complete
3. Scanning disks
Direct reading C:\Documents and Settings\jase\Local Settings\Temp\~DF2490.tmp
Direct reading C:\Program Files\Trend Micro\HijackThis\backups\backup-20071216-033203-223.dll
Quarantine file: failed (error), attempt of direct disk reading (C:\Program Files\Trend Micro\HijackThis\backups\backup-20071216-033203-223.dll)
 Quarantine file (direct disk reading) "%S" - successful
File quarantined succesfully (C:\Program Files\Trend Micro\HijackThis\backups\backup-20071216-033203-223.dll)
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071216-033203-223.dll >>>>> Trojan.Win32.BHO.abo  deleted successfully
Direct reading C:\Program Files\Trend Micro\HijackThis\backups\backup-20071216-033328-126.dll
Quarantine file: failed (error), attempt of direct disk reading (C:\Program Files\Trend Micro\HijackThis\backups\backup-20071216-033328-126.dll)
 Quarantine file (direct disk reading) "%S" - successful
File quarantined succesfully (C:\Program Files\Trend Micro\HijackThis\backups\backup-20071216-033328-126.dll)
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071216-033328-126.dll >>>>> Trojan.Win32.BHO.abo  deleted successfully
Direct reading C:\WINDOWS\system32\cd.dll
Quarantine file: failed (error), attempt of direct disk reading (C:\WINDOWS\system32\cd.dll)
 Quarantine file (direct disk reading) "%S" - successful
File quarantined succesfully (C:\WINDOWS\system32\cd.dll)
>>>To delete the file C:\WINDOWS\system32\cd.dll reboot is required
C:\WINDOWS\system32\cd.dll >>>>> Trojan.Win32.BHO.abo  error deleting
Removing traces of deleted files...
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
 Checking disabled by user
7. Heuristic system check
Checking complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed TermService (Terminal Services)
>> Services: potentially dangerous service allowed SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking complete
9. Troubleshooting wizard
 >>  Thaw-maut end of services is outside of admissible values
Checking complete
Files scanned: 48080, extracted from archives: 36217, malicious programs found 3, suspicions - 0
Scanning finished at 12/16/2007 5:01:16 AM
Attention !!! Reboot is required to complete the healing.
!!! Attention !!! Recovered 3 KiST functions during Anti-Rootkit operation
This may affect execution of several programs, so it is strongly recommended to reboot
Time of scanning: 00:06:36
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
Creating archive of files from Quarantine
Creating archive of files from Quarantine - complete
System Analysis in progress
System Analysis - complete

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Help computer Infected with Trojan Horse Generic9.AAUM
« Reply #22 on: December 16, 2007, 12:34:57 AM »
Hi Jase,

That explains what I said before, about what you cannot upload... So avz4 should help us further here. Let essexboy fly you home, and hopefully you land with a secure system; that is the way the avast "crew" does it. Your hjt log just has the same cd.dll as questionable.

polonus


jase

  • Guest
Re: Help computer Infected with Trojan Horse Generic9.AAUM
« Reply #23 on: December 16, 2007, 12:44:35 AM »
OK, this is what I got from the Advanced system analysis...


AVZ Antiviral Toolkit log; AVZ version is 4.29
Scanning started at 12/16/2007 5:12:17 AM
Database loaded: signatures - 139338, NN profile(s) - 2, microprograms of healing - 55, signature database released 15.12.2007 17:17
Heuristic microprograms loaded: 371
SPV microprograms loaded: 9
Digital signatures of system files loaded: 67629
Heuristic analyzer mode: Maximum heuristics level
Healing mode: disabled
Windows version: 5.1.2600, Service Pack 2 ; AVZ is launched with administrator rights
System Recovery: Disabled
1. Searching for Rootkits and programs intercepting API functions
1.1 Searching for user-mode API hooks
 Analysis: kernel32.dll, export table found in section .text
 Analysis: ntdll.dll, export table found in section .text
 Analysis: user32.dll, export table found in section .text
 Analysis: advapi32.dll, export table found in section .text
 Analysis: ws2_32.dll, export table found in section .text
 Analysis: wininet.dll, export table found in section .text
 Analysis: rasapi32.dll, export table found in section .text
 Analysis: urlmon.dll, export table found in section .text
 Analysis: netapi32.dll, export table found in section .text
1.2 Searching for kernel-mode API hooks
 Driver loaded successfully
 SDT found (RVA=07B180)
 Kernel ntkrnlpa.exe found in memory at address 804D7000
   SDT = 80552180
   KiST = 80501030 (284)
Function NtOpenProcess (7A) intercepted (805BFB78->F7BEB8AC), hook C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
Function NtTerminateProcess (101) intercepted (805C74C8->F7BEB812), hook C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
Function ObOpenObjectByName (805AFA54) - machine code modification Method not defined.
Functions checked: 284, intercepted: 2, restored: 0
1.3 Checking IDT and SYSENTER
 Analysis for CPU 1
 Checking IDT and SYSENTER - complete
1.4 Searching for masking processes and drivers
 Checking not performed: the extended monitoring driver (AVZPM) is not installed
2. Scanning memory
 Number of processes found: 36
Analyzer - the process under analysis is 1528 C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer - the process under analysis is 1584 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer - the process under analysis is 1620 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer - the process under analysis is 512 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer - the process under analysis is 536 C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer - the process under analysis is 136 C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
[ES]:Application has no visible windows
[ES]:Registered in autoruns !!
Analyzer - the process under analysis is 972 C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer - the process under analysis is 2304 C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
[ES]:Contains network functionality
[ES]:Application has no visible windows
Analyzer - the process under analysis is 2384 C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
[ES]:Application has no visible windows
 Number of modules loaded: 379
Memory checking - complete
3. Scanning disks
4. Checking  Winsock Layered Service Provider (SPI/LSP)
 LSP settings checked. No errors detected
5. Searching for keyboard/mouse/windows events hooks (Keyloggers, Trojan DLLs)
6. Searching for opened TCP/UDP ports used by malicious programs
 Checking disabled by user
7. Heuristic system check
Checking complete
8. Searching for vulnerabilities
>> Services: potentially dangerous service allowed TermService (Terminal Services)
>> Services: potentially dangerous service allowed SSDPSRV (SSDP Discovery Service)
>> Services: potentially dangerous service allowed Schedule (Task Scheduler)
>> Services: potentially dangerous service allowed RDSessMgr (Remote Desktop Help Session Manager)
> Services: please bear in mind that the set of services depends on the use of the PC (home PC, office PC connected to corporate network, etc)!
>> Security: disk drives' autorun is enabled
>> Security: administrative shares (C$, D$ ...) are enabled
>> Security: anonymous user access is enabled
>> Security: sending Remote Assistant queries is enabled
Checking complete
9. Troubleshooting wizard
 >>  Thaw-maut end of services is outside of admissible values
Checking complete
Files scanned: 415, extracted from archives: 0, malicious programs found 0, suspicions - 0
Scanning finished at 12/16/2007 5:12:51 AM
Time of scanning: 00:00:35
If you have a suspicion on presence of viruses or questions on the suspected objects,
you can address http://virusinfo.info conference
System Analysis in progress
System Analysis - complete

jase

  • Guest
Re: Help computer Infected with Trojan Horse Generic9.AAUM
« Reply #24 on: December 16, 2007, 12:48:35 AM »

Hi polonus,
Thank you, and sorry for the trouble...
After all the scanning I could still find the file "cd.dll" in the system32 folder, and the antivirus is picking it up whenever I open a window or a browser window.

Is there a possible way to delete this ghost file? I am not sure if this is a ghost file though.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Help computer Infected with Trojan Horse Generic9.AAUM
« Reply #25 on: December 16, 2007, 01:02:29 AM »
Hi jase,

Be calm, this cd.dll can be part of something that your computer says is there, or keeps telling you should be there. Shortly we will have essexboy's analysis, and he will help you with the further cleansing. Wait a bit until he has done his homework. In the meantime I have glanced in the log for an executable named ntkrnlpa.exe; this could be a legit Microsoft file, but in some cases it could be overwritten by a trojan, also depending on where this file resides, see info under:


Process: Ntkrnlpa.exe

Program: Operating System Kernel

Publisher: Microsoft Corporation

Purpose: Main OS file

Propriety: Potentially Undesirable

Perception: System

Postscript: Operating System Kernel could be legitimate Windows OS process. Operating System Kernel is the Operating System (OS) kernel for computers with memory of 4GB or more. CAUTION: Various trojan/worm/spyware overwrite or create a file by this name. You could try to upload this ntkrnlpa.exe to virustotal.
The info for cd.dll you can analyse here:
http://www.spywaredata.com/spyware/malware/cd.dll.php

We will get there, do not worry, it will take some time, but it will all be solved.

polonus
« Last Edit: December 16, 2007, 01:05:36 AM by polonus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Help computer Infected with Trojan Horse Generic9.AAUM
« Reply #26 on: December 16, 2007, 01:19:17 AM »
Hi Jase,

Just a question, just because of the cd.dll. Did you have half life or a similar game on your comp? If this program is no longer there, this could explain a lot, thinking of Agobot or an Rbot infection. Just run this tool: http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

Damian
« Last Edit: December 16, 2007, 01:39:07 AM by polonus »

jase

  • Guest
Re: Help computer Infected with Trojan Horse Generic9.AAUM
« Reply #27 on: December 16, 2007, 12:15:20 PM »
Hi guys...
This is the report I got from virustotal about ntkrnlpa.exe:



File ntkrnlpa.exe received on 12.14.2007 08:26:19 (CET)

Antivirus | Version | Last Update | Result
AhnLab-V3 2007.12.14.10 2007.12.13 -
AntiVir 7.6.0.45 2007.12.13 -
Authentium 4.93.8 2007.12.13 -
Avast 4.7.1098.0 2007.12.13 -
AVG 7.5.0.503 2007.12.13 -
BitDefender 7.2 2007.12.14 -
CAT-QuickHeal 9.00 2007.12.13 -
ClamAV 0.91.2 2007.12.13 -
DrWeb 4.44.0.09170 2007.12.13 -
eSafe 7.0.15.0 2007.12.13 -
eTrust-Vet 31.3.5374 2007.12.13 -
Ewido 4.0 2007.12.13 -
FileAdvisor 1 2007.12.14 No threat detected, but known vulnerabilities exist
Fortinet 3.14.0.0 2007.12.14 -
F-Prot 4.4.2.54 2007.12.13 -
F-Secure 6.70.13030.0 2007.12.14 -
Ikarus T3.1.1.15 2007.12.14 -
Kaspersky 7.0.0.125 2007.12.14 -
McAfee 5185 2007.12.13 -
Microsoft 1.3109 2007.12.14 -
NOD32v2 2722 2007.12.14 -
Norman 5.80.02 2007.12.13 -
Panda 9.0.0.4 2007.12.14 -
Prevx1 V2 2007.12.14 -
Rising 20.22.40.00 2007.12.14 -
Sophos 4.24.0 2007.12.14 -
Sunbelt 2.2.907.0 2007.12.14 -
Symantec 10 2007.12.14 -
TheHacker 6.2.9.159 2007.12.14 -
VBA32 3.12.2.5 2007.12.14 -
VirusBuster 4.3.26:9 2007.12.13 -
Webwasher-Gateway 6.6.2 2007.12.14 -
 
Additional information
File size: 2056832 bytes
MD5: 947fb1d86d14afcffdb54bf837ec25d0
SHA1: cf8d0e6a71ecfc7e49a3fb1313a0b246f379f311
PEiD: -
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=947fb1d86d14afcffdb54bf837ec25d0


 
« Last Edit: December 16, 2007, 12:18:36 PM by jase »
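Two things in this thread can be checked locally before a file is uploaded: whether it is actually empty (reply #20, where virustotal answered "0 bytes size received" for cd.dll) and what its size, MD5 and SHA1 are (the "Additional information" block in the ntkrnlpa.exe report above). The following is an added Python example, not code from the thread, from AVZ or from virustotal; the byte strings EMPTY_SAMPLE and PE_SAMPLE and the function names are constructed here for illustration.

```python
import hashlib

# Constructed sample inputs (not the files from the thread):
# an empty buffer, like the cd.dll that virustotal rejected as empty, and a
# minimal buffer shaped like a Windows executable: "MZ" DOS header whose
# e_lfanew field (offset 0x3C) points at a "PE\0\0" signature.
EMPTY_SAMPLE = b""
PE_SAMPLE = (
    b"MZ" + b"\x00" * 58            # DOS header up to e_lfanew
    + (64).to_bytes(4, "little")    # e_lfanew = 0x40
    + b"PE\x00\x00"                 # PE signature at offset 64
    + b"\x00" * 20                  # rest of the (truncated) image
)


def looks_like_pe(data: bytes) -> bool:
    """True if the buffer carries the two signatures every Windows DLL/EXE has:
    'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew."""
    if len(data) < 64 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[60:64], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_bytes(data: bytes) -> dict:
    """Summarise a buffer the way a virustotal 'Additional information' block
    does (size, MD5, SHA1) and flag the two cases that matter before uploading:
    an empty file (nothing to scan) and a non-PE payload."""
    size = len(data)
    return {
        "size": size,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "is_empty": size == 0,
        "is_pe": looks_like_pe(data),
    }


def triage_path(path: str) -> dict:
    """Read a file from disk and triage it. An unreadable file (for example one
    a resident scanner holds open) is reported rather than raised."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError as exc:
        return {"path": path, "error": str(exc)}
    result = triage_bytes(data)
    result["path"] = path
    return result


def verdict(info: dict) -> str:
    """One-line reading of a triage result, from a defender's point of view."""
    if "error" in info:
        return "unreadable: " + info["error"]
    if info["is_empty"]:
        return "empty file: nothing to scan, the alert is on the name/path, not on content"
    if not info["is_pe"]:
        return "not a PE image: record the hashes, but a scanner cannot judge it as a DLL"
    return "PE image: compare md5/sha1 with the scanner report before acting"


if __name__ == "__main__":
    for label, sample in (("empty", EMPTY_SAMPLE), ("pe", PE_SAMPLE)):
        info = triage_bytes(sample)
        print(label, info["size"], info["md5"], verdict(info))
```

The MD5 and SHA1 of an empty buffer are fixed values, so a report showing them (or a size of 0) means the scanner never saw any content, which is exactly the situation the thread describes for cd.dll.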

jase

  • Guest
Re: Help computer Infected with Trojan Horse Generic9.AAUM
« Reply #28 on: December 16, 2007, 12:26:13 PM »
Hi... hmm... no, I didn't have any game like Half-Life installed. I came to know when it got infected: it was when I was looking for a crack on the internet for the game Starship Troopers. I found the cracked file, downloaded it and ran it. That's when the warning sign (small triangle with exclamation mark in the system tray) came up and stated "Warning, your antivirus might not be installed", whereas at that time Avast was installed. And it didn't sniff out the virus.

So I had to check to be sure, and I installed AVG, and yes, AVG did the job, but not completely: it was not able to delete the file even after a reboot.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Help computer Infected with Trojan Horse Generic9.AAUM
« Reply #29 on: December 16, 2007, 01:40:54 PM »
Hi jase, I need you to attach the 2 zip files, as I will use my copy of AVZ to analyse them and create a fix. The zip files will be in:

A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Could you please attach those two zip files to your next post. To do this, when you are posting, on the left will be ADDITIONAL OPTIONS; select this, then using the BROWSE button add the two files.