My sister has seem to run into this trojan and I need help getting rid of it.
The problem seems to be this "Trojan horse Generic 12" which AVG is picking up. The full title varies as "Trojan horse Generic12.CAWB, Trojan horse Generic12.CBKK, Trojan horse Generic 12.CBKR" etc. I've seen many other extensions. It seems to be a random 4 letter ending each time so I think that part is irrelevent.
The obvious effect of the virus is that it pops up advertisements for virus removal 2009 software. (Whoever runs this company should be arrested since it's obvious they have something to do with this trojan)
Another effect seems to be that internet explorer can't open windows update. I saw windows update pop up for a bit in the system tray saying "Updating 1%" and then it just vanished. Did it update? No idea...but it happened too fast for me to believe this computer is getting updates. I'm thinking she got this virus by navigating to a webpage that used a vulnerability in something windows hasn't updated. She runs firefox exclusively but I guess that didn't matter. It doesn't appear to me that she has installed or ran any executable files that could have done this. I don't know where it came from.
I ran hijackthis and these are the ones that worry me (i tried to fix them but they just come back):
O4 - HKLM\..\Run: [CPM43ae1301] Rundll32.exe "c:\windows\system32\pomijowu.dll",a
O4 - HKLM\..\Run: [409d209d] rundll32.exe "C:\WINDOWS\system32\tehayela.dll",b
O20 - AppInit_DLLs: c:\windows\system32\pomijowu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pomijowu.dll
Everything else looks like it should be there.
Oh, I almost forgot, when I do a virus scan with AVG it tells me two files have 'changed' but doesn't do anything to either. (Considering which files they are it's not surprising)
shell32.dll and ntoskrnl.exe (both are in system32 folder)
I have noticed one more thing
I did a file search for shell32.dll on her computer and one appears under c:\windows\system32 of size 8,257KB
but another shows up in c:\windows\softwaredistribution\download\dd9ab51935011484cf5e6884fa1d22f9e of size 8,263KB
Also, ntoskml.exe shows up in 3 places with 3 sizes
c:\windows\system32 (2,086KB)
c:\windows\driver cache\i386 (2,130KB)
c:\windows\softwaredistribution\download\dd9ab5193501484cf5e6884fa1d22f93 (2,138KB)
I am currently considering the following courses of action but would like to get a second opinion first:
1. turn off automatic updates and delete everything inside the softwaredistribution folder
2. after AVG finishes scanning again, try kaspersky and trend micro's online scanners
3. uninstall avg and install nod32 trial and scan (rinse, repeat with other anti virus softwares)
I read about this virus a bit but the best 'info' i got was some guy telling someone to download some odd .exe file from his home webpage or whatever...I'm not sure I want to go down that route.
I was going to format but my old windows xp cd is giving me errors. I might have to wipe her whole drive MBR and all before the cd works properly...or maybe the CD has a scratch and now I have to find a new version of windows / buy it for her. I really don't want to spend $150-200 on a legit copy of windows xp after this computer already HAD a legit copy (its a dell) that I couldn't reinstall since DELL never gave her the CDs to recover with. :rollseyes:
Thanks for listening
The problem seems to be this "Trojan horse Generic 12" which AVG is picking up. The full title varies as "Trojan horse Generic12.CAWB, Trojan horse Generic12.CBKK, Trojan horse Generic 12.CBKR" etc. I've seen many other extensions. It seems to be a random 4 letter ending each time so I think that part is irrelevent.
The obvious effect of the virus is that it pops up advertisements for virus removal 2009 software. (Whoever runs this company should be arrested since it's obvious they have something to do with this trojan)
Another effect seems to be that internet explorer can't open windows update. I saw windows update pop up for a bit in the system tray saying "Updating 1%" and then it just vanished. Did it update? No idea...but it happened too fast for me to believe this computer is getting updates. I'm thinking she got this virus by navigating to a webpage that used a vulnerability in something windows hasn't updated. She runs firefox exclusively but I guess that didn't matter. It doesn't appear to me that she has installed or ran any executable files that could have done this. I don't know where it came from.
I ran hijackthis and these are the ones that worry me (i tried to fix them but they just come back):
O4 - HKLM\..\Run: [CPM43ae1301] Rundll32.exe "c:\windows\system32\pomijowu.dll",a
O4 - HKLM\..\Run: [409d209d] rundll32.exe "C:\WINDOWS\system32\tehayela.dll",b
O20 - AppInit_DLLs: c:\windows\system32\pomijowu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pomijowu.dll
Everything else looks like it should be there.
Oh, I almost forgot, when I do a virus scan with AVG it tells me two files have 'changed' but doesn't do anything to either. (Considering which files they are it's not surprising)
shell32.dll and ntoskrnl.exe (both are in system32 folder)
I have noticed one more thing
I did a file search for shell32.dll on her computer and one appears under c:\windows\system32 of size 8,257KB
but another shows up in c:\windows\softwaredistribution\download\dd9ab51935011484cf5e6884fa1d22f9e of size 8,263KB
Also, ntoskml.exe shows up in 3 places with 3 sizes
c:\windows\system32 (2,086KB)
c:\windows\driver cache\i386 (2,130KB)
c:\windows\softwaredistribution\download\dd9ab5193501484cf5e6884fa1d22f93 (2,138KB)
I am currently considering the following courses of action but would like to get a second opinion first:
1. turn off automatic updates and delete everything inside the softwaredistribution folder
2. after AVG finishes scanning again, try kaspersky and trend micro's online scanners
3. uninstall avg and install nod32 trial and scan (rinse, repeat with other anti virus softwares)
I read about this virus a bit but the best 'info' i got was some guy telling someone to download some odd .exe file from his home webpage or whatever...I'm not sure I want to go down that route.
I was going to format but my old windows xp cd is giving me errors. I might have to wipe her whole drive MBR and all before the cd works properly...or maybe the CD has a scratch and now I have to find a new version of windows / buy it for her. I really don't want to spend $150-200 on a legit copy of windows xp after this computer already HAD a legit copy (its a dell) that I couldn't reinstall since DELL never gave her the CDs to recover with. :rollseyes:
Thanks for listening
