Author Topic: Win32:Pakes-AKM [Trj]  (Read 7382 times)


dbills

  • Guest
Win32:Pakes-AKM [Trj]
« on: August 11, 2008, 11:51:37 PM »
Hello!

Avast found an instance of Win32:Pakes-AKM [trj] on my machine quite some time ago in C:\Windows\system32\consol.dll.  Of course, it could not delete it or move it to chest, and nothing else has been able to work.  I also could not wipe/shred it using Glary Utilities.  I noticed it only while using IE, so simply just stopped using it and used only Firefox.  Now, I just want to get rid of it once and for all.  I have noticed through my searches that many people have posted their HijackThis log and someone has been nice enough to help them through the process, and I was hoping somebody might be able to do that for me too!  I am not very wise in the ways of this kind of stuff, so please be patient with me and let me know if you need anything more from me.

I appreciate everyone's help in advance!

My log is attached as pasting it exceeded maximum characters allowed.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89168
  • No support PMs thanks
Re: Win32:Pakes-AKM [Trj]
« Reply #1 on: August 12, 2008, 12:01:56 AM »
Why couldn't it be moved to the chest? What errors are displayed: file in use by another program, etc.?

Have you tried a boot-time scan? If you have XP, Vista 32-bit or Win2k, you could enable a boot-time scan. Right click the avast icon, select Start avast! Antivirus, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php.

Lots of hits on the file name, http://www.google.co.uk/search?q=consol.dll.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

dbills

  • Guest
Re: Win32:Pakes-AKM [Trj]
« Reply #2 on: August 12, 2008, 12:08:10 AM »
I have indeed done a boot time scan on a couple of occasions, and that did not remove it.  When I attempt to remove to chest, the message received is: 

Access Denied:  Cannot process "C:\Windows\system32\consol.dll" file

I also received an Access Denied message when trying to wipe it with Glary Utilities.  I attempted to delete it upon re-boot through HijackThis, and that did not work either.  I ran HouseCall on it, in which it was recognized, but also could not be removed.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89168
  • No support PMs thanks
Re: Win32:Pakes-AKM [Trj]
« Reply #3 on: August 12, 2008, 12:41:39 AM »
Try Unlocker (http://ccollomb.free.fr/unlocker/); it is also good as it has a few additional features, not only to delete the files but to stop any process that is stopping you from deleting a file.

If it is a process in Task Manager then it may be that which blocks it; try ending the process first before trying to move to the chest.

I have been able to take a quick look at your HJT log.
Obviously:
Unknown - FIX:
O2 - BHO: (no name) - {43113ACD-C9D0-4007-93AA-29786D4BB0FD} - C:\WINDOWS\system32\consol.dll

Unknown:
This and all other entries for DisplayLinkManager.exe look suspect; is this something that you are aware of and installed? Also see http://www.prevx.com/filenames/3367555367709079075-0/DISPLAYLINKMANAGER.EXE.html. Pretty difficult to find any info on DisplayLink Core Software, which in itself could be suspicious, and the main thing is: do you know what it does?

C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkManager.exe
C:\Program Files\DisplayLink Core Software\DisplayLinkUI.exe
O23 - Service: DisplayLink Service (DisplayLinkService) - DisplayLink Corp. - C:\Program Files\DisplayLink Core Software\DisplayLinkService.exe

Unknown - Redundant:
O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)

Do you use these? If not, FIX:
O9 - Extra button: Internet Radio by Endicosoft.com - {1F958B09-3312-7f0e-9723-4C1324C57B20} - C:\Program Files\Internet Radio\Radio.exe (file missing)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

Unknown:
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://www.nevadadot.com/ACGM/Acgm.cab
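The O2 lines above are HijackThis' view of the Browser Helper Objects key. The script below is an added example, not something from the thread or from HijackThis, that lists the same entries straight from the registry and adds two checks a defender wants before calling an entry suspect: whether the DLL behind the CLSID exists and is Authenticode-signed, and whether the BHO or CLSID key has been given Deny permissions (the "Access Denied" pattern dbills is seeing with consol.dll). It assumes an administrator PowerShell session on the affected machine; the function names Get-KeyAclNote and Get-BrowserHelperObject are mine.

```powershell
# Added example (not from the thread): enumerate registered BHOs with
# file/signature status and a note on Deny ACEs. Run as administrator.

$BhoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-KeyAclNote {
    param([string]$KeyPath)
    try {
        $deny = @((Get-Acl -Path $KeyPath -ErrorAction Stop).Access |
                  Where-Object { $_.AccessControlType -eq 'Deny' })
        if ($deny.Count -gt 0) {
            $who = ($deny | ForEach-Object { $_.IdentityReference }) -join ', '
            return "DENY ACE for $who"
        }
        return 'ok'
    } catch {
        # Not even READ_CONTROL: the key's permissions were deliberately locked down.
        return "ACL unreadable: $($_.Exception.Message)"
    }
}

function Get-BrowserHelperObject {
    if (-not (Test-Path -LiteralPath $BhoRoot)) { return }
    foreach ($entry in Get-ChildItem -LiteralPath $BhoRoot) {
        $clsid    = $entry.PSChildName
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        # HijackThis prints the CLSID key's default value as the BHO name, or "(no name)".
        $name = (Get-ItemProperty -LiteralPath $clsidKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -LiteralPath "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $dllPath = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
        $signature = if ($dllPath -and (Test-Path -LiteralPath $dllPath)) {
            (Get-AuthenticodeSignature -FilePath $dllPath).Status.ToString()
        } else { 'file missing' }
        [pscustomobject]@{
            CLSID     = $clsid
            Name      = if ($name) { $name } else { '(no name)' }
            Dll       = $dll
            Signature = $signature
            BhoKeyAcl = Get-KeyAclNote -KeyPath $entry.PSPath
            ClsidAcl  = Get-KeyAclNote -KeyPath $clsidKey
        }
    }
}

Get-BrowserHelperObject | Format-Table -AutoSize
```

An unsigned DLL with "(no name)" sitting in system32, especially one whose keys carry Deny entries or an unreadable ACL, is the combination worth sending to VirusTotal; a signed vendor DLL like the DisplayLink components questioned above will show a Valid signature and an ordinary ACL.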

dbills

  • Guest
Re: Win32:Pakes-AKM [Trj]
« Reply #4 on: August 12, 2008, 12:51:17 AM »
Thank you DavidR!  I fixed those that you stated, except the DisplayLinkManager (which I use).  However, it did not remove the O2-BHO for consol.dll.  I will also try the other link you provided for Unlocker.

Edit:  I downloaded Unlocker, but when I tried to unlock that file, it told me that the consol.dll file was not locked.
« Last Edit: August 12, 2008, 01:02:15 AM by dbills »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89168
  • No support PMs thanks
Re: Win32:Pakes-AKM [Trj]
« Reply #5 on: August 12, 2008, 02:27:00 AM »
That's fine if you know what it is and installed it.

I suspected it might not remove the BHO given the problem you had in trying to get rid of consol.dll

Try renaming hijackthis.exe to dbills HJT.exe, as some malware can detect and avoid it, and run it again.

Try checking out that google link I gave on consol.dll and see if there is anything there like these.
http://www.geekstogo.com/forum/malware-name-Win32-BHO-KD-Trj-t183959.html
http://www.prevx.com/filenames/X2107544024453961068-0/CONSOL.DLL.html; this link says it is related to a Vundo infection, so you could try this tool:

Vundo Fix Tool - Aliases - WinFixer / Virtumonde / Msevents / Trojan.vundo.
Here are the cleansing instructions for Virtumonde: http://www.bleepingcomputer.com/forums/topic18610.html

Download VundoFix.exe to your desktop.

Now SuperAntiSpyware also detects several variants of Vundo (as does avast); you could also try running SAS from safe mode (usually by pressing the F8 key during boot). This stops many programs running and getting into memory (including some viruses); once in, run the SAS scan.

- Problems getting into safe mode, USB Keyboard, etc. Press Windows Start > Run > type msconfig into the run box and press Enter. When MSConfig starts, click the BOOT.INI TAB and put a check mark against /SAFEBOOT. Next time you boot, Windows will automatically start in Safe mode without any need to press F8. Remember later to take out the check mark otherwise your PC will always boot in Safe Mode. Also see http://support.microsoft.com/kb/310560.
« Last Edit: August 12, 2008, 02:28:52 AM by DavidR »

dbills

  • Guest
Re: Win32:Pakes-AKM [Trj]
« Reply #6 on: August 12, 2008, 03:00:14 AM »
Thanks!  Renamed HJT, but that still did not work.  Downloaded Vundo and ran a scan, but it found no infected files.  I find it strange that Avast finds this file, but other programs do not.  Will download SAS and run a scan with that to see if it finds anything.

Jtaylor83

  • Guest
Re: Win32:Pakes-AKM [Trj]
« Reply #7 on: August 12, 2008, 03:21:26 AM »
Go ahead and try. Let me know if it doesn't work.


dbills

  • Guest
Re: Win32:Pakes-AKM [Trj]
« Reply #8 on: August 12, 2008, 05:44:44 AM »
The only thing SAS found was 10 cookies.  Ran the test in safe mode, and that was all that came up.  Any ideas of what else I should try?  Could Avast just be mistaken in that it is finding something that nothing else seems to be able to?

Jtaylor83

  • Guest
Re: Win32:Pakes-AKM [Trj]
« Reply #9 on: August 12, 2008, 06:24:27 AM »
Upload the file to VirusTotal and post the results.

dbills

  • Guest
Re: Win32:Pakes-AKM [Trj]
« Reply #10 on: August 12, 2008, 06:40:40 AM »
Scanned at Virus Total, results below.


File consol.dll received on 08.12.2008 06:30:33 (CET)
Antivirus   Version   Last Update   Result
AhnLab-V3   2008.8.12.0   2008.08.12   -
AntiVir   7.8.1.19   2008.08.11   -
Authentium   5.1.0.4   2008.08.12   -
Avast   4.8.1195.0   2008.08.11   Win32:Pakes-AKM
AVG   8.0.0.156   2008.08.11   -
BitDefender   7.2   2008.08.12   Trojan.Spy.Bzub.NGP
CAT-QuickHeal   9.50   2008.08.11   -
ClamAV   0.93.1   2008.08.12   -
DrWeb   4.44.0.09170   2008.08.11   -
eSafe   7.0.17.0   2008.08.11   -
eTrust-Vet   31.6.6025   2008.08.12   -
Ewido   4.0   2008.08.11   -
F-Prot   4.4.4.56   2008.08.12   -
F-Secure   7.60.13501.0   2008.08.12   Trojan.Win32.Pakes.cdw
Fortinet   3.14.0.0   2008.08.11   -
GData   2.0.7306.1023   2008.08.12   Trojan.Win32.Pakes.cdw
Ikarus   T3.1.1.34.0   2008.08.12   Trojan.Win32.Pakes.cdw
K7AntiVirus   7.10.411   2008.08.11   -
Kaspersky   7.0.0.125   2008.08.12   Trojan.Win32.Pakes.cdw
McAfee   5358   2008.08.11   -
Microsoft   1.3807   2008.08.12   -
NOD32v2   3347   2008.08.11   -
Norman   5.80.02   2008.08.11   -
Panda   9.0.0.4   2008.08.11   -
PCTools   4.4.2.0   2008.08.11   Trojan-Spy.Bzub
Prevx1   V2   2008.08.12   Rootkit
Rising   20.57.10.00   2008.08.12   -
Sophos   4.32.0   2008.08.12   -
Sunbelt   3.1.1542.1   2008.08.12   -
Symantec   10   2008.08.12   -
TheHacker   6.2.96.396   2008.08.12   -
TrendMicro   8.700.0.1004   2008.08.12   -
VBA32   3.12.8.3   2008.08.11   -
ViRobot   2008.8.11.1331   2008.08.11   -
VirusBuster   4.5.11.0   2008.08.11   -
Webwasher-Gateway   6.6.2   2008.08.12   -
Additional information
File size: 83968 bytes
MD5...: 11f036bf3fef8bd84b95064757e04587
SHA1..: 7a5856a441c98474270f7e4eb29ec9f62ef5b443
SHA256: e7de41ba68b2a0ff136dc979f79fb56ffe7e969a820afac4ca9b06f2f013aae3
SHA512: 4b98bdf67322915172a14d8e31f7e653142fe0300553daa32c7d3f16e79fb945a0dc68798ea39cd13163ed4a5cfe7d034e1d2a4567a5ad1eabdf141de015d715
PEiD..: -
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x101c0
timedatestamp.....: 0x477a0000 (Tue Jan 01 08:55:28 2008)
machinetype.......: 0x14c (I386)
( 1 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1c0 0x5 0x40 4.55 74f93209caca45f372d040016c5dec5e
( 0 imports )
( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=7732964700168E1A48360169FA251D00643869BE
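Two things in that report are worth more than the raw vendor count: the engines that do fire agree on a small set of family names (Pakes, Bzub), and the PEInfo block describes a file whose only section maps 0x40 bytes of an 83968-byte file with no import table at all, so almost the whole file is overlay data the header does not account for. The script below is an added example, not part of the thread or of VirusTotal, that reads a pasted text report the way a triager would: it parses the engine rows into objects and summarises detections, then parses the PEInfo lines and flags those structural oddities. The embedded sample is copied from dbills' post with the engine rows abridged to the eight detections plus five clean rows (the full report lists 36 engines); the function names ConvertFrom-VtText, Get-VtSummary and Get-PeTriage are mine.

```powershell
# Added example (not from the thread): summarise a pasted VirusTotal text
# report and triage its PEInfo block. Sample data copied from the post above,
# engine rows abridged.

$VtReport = @'
Antivirus   Version   Last Update   Result
AhnLab-V3   2008.8.12.0   2008.08.12   -
Avast   4.8.1195.0   2008.08.11   Win32:Pakes-AKM
BitDefender   7.2   2008.08.12   Trojan.Spy.Bzub.NGP
ClamAV   0.93.1   2008.08.12   -
F-Secure   7.60.13501.0   2008.08.12   Trojan.Win32.Pakes.cdw
GData   2.0.7306.1023   2008.08.12   Trojan.Win32.Pakes.cdw
Ikarus   T3.1.1.34.0   2008.08.12   Trojan.Win32.Pakes.cdw
Kaspersky   7.0.0.125   2008.08.12   Trojan.Win32.Pakes.cdw
McAfee   5358   2008.08.11   -
Microsoft   1.3807   2008.08.12   -
PCTools   4.4.2.0   2008.08.11   Trojan-Spy.Bzub
Prevx1   V2   2008.08.12   Rootkit
Symantec   10   2008.08.12   -
'@

$PeInfo = @'
entrypointaddress.: 0x101c0
timedatestamp.....: 0x477a0000 (Tue Jan 01 08:55:28 2008)
machinetype.......: 0x14c (I386)
( 1 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1c0 0x5 0x40 4.55 74f93209caca45f372d040016c5dec5e
( 0 imports )
( 0 exports )
'@
$FileSize = 83968   # from the report's "File size" line

function ConvertFrom-VtText {
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        # Columns are separated by runs of two or more spaces; skip the header row.
        $cols = $line.Trim() -split '\s{2,}'
        if ($cols.Count -ne 4 -or $cols[0] -eq 'Antivirus') { continue }
        [pscustomobject]@{
            Engine   = $cols[0]
            Version  = $cols[1]
            Updated  = $cols[2]
            Result   = $cols[3]
            Detected = ($cols[3] -ne '-')   # "-" means the engine reported clean
        }
    }
}

function Get-VtSummary {
    param([string]$Text)
    $rows = @(ConvertFrom-VtText -Text $Text)
    $hits = @($rows | Where-Object { $_.Detected })
    [pscustomobject]@{
        Engines  = $rows.Count
        Detected = $hits.Count
        Names    = ($hits | ForEach-Object { $_.Result } | Sort-Object -Unique) -join '; '
    }
}

function Get-PeTriage {
    param([string]$Info, [int]$FileSize)
    $sections = @()
    foreach ($line in ($Info -split "`r?`n")) {
        # Section rows: name viradd virsiz rawdsiz entropy md5
        if ($line -match '^(\S+)\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)\s+0x([0-9a-f]+)\s+([\d.]+)\s+[0-9a-f]{32}$') {
            $sections += [pscustomobject]@{
                Name    = $Matches[1]
                RawSize = [Convert]::ToInt32($Matches[4], 16)
                Entropy = [double]$Matches[5]
            }
        }
    }
    $imports = if ($Info -match '\(\s*(\d+) imports\s*\)') { [int]$Matches[1] } else { $null }
    $mapped  = [int](($sections | Measure-Object -Property RawSize -Sum).Sum)
    $flags = @()
    if ($sections.Count -le 1) { $flags += 'single section' }
    if ($imports -eq 0) { $flags += 'no import table (a working BHO must call COM/Win32 APIs)' }
    if ($mapped -lt ($FileSize / 2)) {
        $flags += ('sections cover only {0} of {1} bytes; the rest is overlay' -f $mapped, $FileSize)
    }
    [pscustomobject]@{ Sections = $sections.Count; Imports = $imports; MappedBytes = $mapped; Flags = $flags }
}

Get-VtSummary -Text $VtReport | Format-List
Get-PeTriage -Info $PeInfo -FileSize $FileSize | Format-List
```

On the sample above the PE triage reports one section, zero imports and 64 of 83968 bytes mapped, which is a stronger reason to treat the file as hostile than the bare "8 of 36 engines" figure: a DLL that imports nothing and keeps its real content outside the section table is hiding from static scanners, and that is consistent with the access-denied behaviour described earlier in the thread.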


Jtaylor83

  • Guest
Re: Win32:Pakes-AKM [Trj]
« Reply #11 on: August 12, 2008, 06:58:46 AM »

dbills

  • Guest
Re: Win32:Pakes-AKM [Trj]
« Reply #12 on: August 12, 2008, 07:56:48 AM »
JTaylor, here is my Malwarebytes log.  I have tried removing these files and a reboot is required for a few of them to delete during boot up...will do that now to see if it works.


Malwarebytes' Anti-Malware 1.24
Database version: 1043
Windows 5.1.2600 Service Pack 2

10:52:08 PM 8/11/2008
mbam-log-8-11-2008 (22-52-08).txt

Scan type: Quick Scan
Objects scanned: 48954
Time elapsed: 18 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43113acd-c9d0-4007-93aa-29786d4bb0fd} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{43113acd-c9d0-4007-93aa-29786d4bb0fd} (Trojan.BHO) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\AdvRemoteDbg (Adware.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\consol.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\WhoisCL.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\RECYCLER\ADAPT_Installer.exe (Heuristics.Malware) -> Quarantined and deleted successfully.

dbills

  • Guest
Re: Win32:Pakes-AKM [Trj]
« Reply #13 on: August 12, 2008, 08:22:27 AM »
After reboot, re-scanned with Malwarebytes, with the three BHO entries a problem, along with the other three Agent keys that had not been found by any other scanner.  I cannot delete any of the registry keys.

Malwarebytes' Anti-Malware 1.24
Database version: 1043
Windows 5.1.2600 Service Pack 2

11:20:36 PM 8/11/2008
mbam-log-8-11-2008 (23-20-33).txt

Scan type: Quick Scan
Objects scanned: 48772
Time elapsed: 13 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43113acd-c9d0-4007-93aa-29786d4bb0fd} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{43113acd-c9d0-4007-93aa-29786d4bb0fd} (Trojan.BHO) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\consol.dll (Trojan.BHO) -> No action taken.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89168
  • No support PMs thanks
Re: Win32:Pakes-AKM [Trj]
« Reply #14 on: August 12, 2008, 03:15:30 PM »
In this case you need to manually find the entry in the registry and take ownership (permissions) of it, and you can then manually delete the key.

Windows, Start, Run and type regedit (you need to be using an account with administrator privileges) and navigate to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings
First export this key (right click menu) before doing anything else; give it a meaningful name so that you can remember what it is for. Right click on this key, select Permissions, choose your account name and then tick Full Control, Allow in the bottom half of the window and click OK. This ensures you have permission to do what is necessary.

You will see the bf, bk and iu sub-sections; it is those and only those you need to remove, so you need to exercise care as the remainder of the main key is important. First highlight (select) the bf part, right click and select Delete; repeat for the bk and iu parts.

The same needs to be done for these (see below): navigate to the key, first export a copy, take ownership and finally delete the elements {43113acd-c9d0-4007-93aa-29786d4bb0fd} and {43113acd-c9d0-4007-93aa-29786d4bb0fd} in their respective keys (again exercise care and only delete these values and not the entire key).

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43113acd-c9d0-4007-93aa-29786d4bb0fd}
HKEY_CLASSES_ROOT\CLSID\{43113acd-c9d0-4007-93aa-29786d4bb0fd}

It may be that until you remove the registry keys you will be unable to deal with the consol.dll file.

Did you read those links I posted about consol.dll?
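The regedit procedure DavidR lays out has three steps per location: export a backup, grant your account Full Control, then delete only the named entries. The script below is an added example, not DavidR's or Malwarebytes' code, that runs those same steps from an elevated PowerShell prompt against the three locations reported in the Malwarebytes log above, and stops before touching a key if its backup export fails. Assumptions: $BackupDir is a constructed location; bf, bk and iu are treated as values (as Malwarebytes reported them), with subkeys handled as well in case the entries turn out to be keys; the function names Grant-FullControl and Remove-NamedEntry are mine.

```powershell
# Added example (not from the thread): scripted version of the manual
# export / grant Full Control / delete procedure. Run as administrator.

$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (administrator) PowerShell prompt.'
}

$BackupDir = Join-Path $env:USERPROFILE 'Desktop\reg-backup'   # constructed location
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# Key    = provider path of the key holding the entries
# Export = what reg.exe should back up (the locked subkey itself where there is one)
# Names  = the only entries to remove; everything else under Key is left alone
$Targets = @(
    @{ Key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings'
       Export = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings'
       Names  = @('bf', 'bk', 'iu') }
    @{ Key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Export = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{43113acd-c9d0-4007-93aa-29786d4bb0fd}'
       Names  = @('{43113acd-c9d0-4007-93aa-29786d4bb0fd}') }
    @{ Key    = 'Registry::HKEY_CLASSES_ROOT\CLSID'
       Export = 'HKCR\CLSID\{43113acd-c9d0-4007-93aa-29786d4bb0fd}'
       Names  = @('{43113acd-c9d0-4007-93aa-29786d4bb0fd}') }
)

function Grant-FullControl {
    param([string]$KeyPath)
    # Same effect as regedit > Permissions > Full Control / Allow for the current account.
    $acl  = Get-Acl -Path $KeyPath -ErrorAction Stop
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
        -ArgumentList $id.Name, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.SetAccessRule($rule)
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Remove-NamedEntry {
    param([string]$KeyPath, [string]$Name)
    $subKey = "$KeyPath\$Name"
    if (Test-Path -LiteralPath $subKey) {
        Grant-FullControl -KeyPath $subKey          # a locked subkey carries its own ACL
        Remove-Item -LiteralPath $subKey -Recurse -Force
        return 'subkey removed'
    }
    $props = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($props -and ($props.PSObject.Properties.Name -contains $Name)) {
        Grant-FullControl -KeyPath $KeyPath         # values are governed by the key's ACL
        Remove-ItemProperty -LiteralPath $KeyPath -Name $Name -Force
        return 'value removed'
    }
    return 'not present'
}

foreach ($t in $Targets) {
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir (($t.Export -replace '[\\{}\s]', '_') + "-$stamp.reg")
    & reg.exe export $t.Export $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $($t.Export) failed; stopping before changing it." }
    foreach ($n in $t.Names) {
        $result = Remove-NamedEntry -KeyPath $t.Key -Name $n
        Write-Host ('{0}\{1}: {2} (backup: {3})' -f $t.Key, $n, $result, $backup)
    }
}
```

If Get-Acl itself is refused on one of these keys, the DACL does not even grant your account read access and the script stops at that entry with its backup already written; that is the case where the "take ownership" half of DavidR's advice applies and has to be done through regedit's Permissions > Advanced > Owner dialog before re-running. Once the BHO and CLSID keys are gone, consol.dll no longer loads into Internet Explorer, which is usually what lets avast or a boot-time scan finally move the file to the chest.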