Trojan horse Generic 12

By Aro2220 ยท 4 replies
Mar 7, 2009
  1. My sister has seem to run into this trojan and I need help getting rid of it.

    The problem seems to be this "Trojan horse Generic 12" which AVG is picking up. The full title varies as "Trojan horse Generic12.CAWB, Trojan horse Generic12.CBKK, Trojan horse Generic 12.CBKR" etc. I've seen many other extensions. It seems to be a random 4 letter ending each time so I think that part is irrelevent.

    The obvious effect of the virus is that it pops up advertisements for virus removal 2009 software. (Whoever runs this company should be arrested since it's obvious they have something to do with this trojan)

    Another effect seems to be that internet explorer can't open windows update. I saw windows update pop up for a bit in the system tray saying "Updating 1%" and then it just vanished. Did it update? No idea...but it happened too fast for me to believe this computer is getting updates. I'm thinking she got this virus by navigating to a webpage that used a vulnerability in something windows hasn't updated. She runs firefox exclusively but I guess that didn't matter. It doesn't appear to me that she has installed or ran any executable files that could have done this. I don't know where it came from.

    I ran hijackthis and these are the ones that worry me (i tried to fix them but they just come back):

    O4 - HKLM\..\Run: [CPM43ae1301] Rundll32.exe "c:\windows\system32\pomijowu.dll",a
    O4 - HKLM\..\Run: [409d209d] rundll32.exe "C:\WINDOWS\system32\tehayela.dll",b
    O20 - AppInit_DLLs: c:\windows\system32\pomijowu.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\pomijowu.dll

    Everything else looks like it should be there.

    Oh, I almost forgot, when I do a virus scan with AVG it tells me two files have 'changed' but doesn't do anything to either. (Considering which files they are it's not surprising)

    shell32.dll and ntoskrnl.exe (both are in system32 folder)

    I have noticed one more thing
    I did a file search for shell32.dll on her computer and one appears under c:\windows\system32 of size 8,257KB

    but another shows up in c:\windows\softwaredistribution\download\dd9ab51935011484cf5e6884fa1d22f9e of size 8,263KB

    Also, ntoskml.exe shows up in 3 places with 3 sizes
    c:\windows\system32 (2,086KB)
    c:\windows\driver cache\i386 (2,130KB)
    c:\windows\softwaredistribution\download\dd9ab5193501484cf5e6884fa1d22f93 (2,138KB)

    I am currently considering the following courses of action but would like to get a second opinion first:
    1. turn off automatic updates and delete everything inside the softwaredistribution folder
    2. after AVG finishes scanning again, try kaspersky and trend micro's online scanners
    3. uninstall avg and install nod32 trial and scan (rinse, repeat with other anti virus softwares)

    I read about this virus a bit but the best 'info' i got was some guy telling someone to download some odd .exe file from his home webpage or whatever...I'm not sure I want to go down that route.

    I was going to format but my old windows xp cd is giving me errors. I might have to wipe her whole drive MBR and all before the cd works properly...or maybe the CD has a scratch and now I have to find a new version of windows / buy it for her. I really don't want to spend $150-200 on a legit copy of windows xp after this computer already HAD a legit copy (its a dell) that I couldn't reinstall since DELL never gave her the CDs to recover with. :rollseyes:

    Thanks for listening
  2. LinkedKube

    LinkedKube TechSpot Project Baby Posts: 3,485   +45

    I'd start with your step 2. Most people here wont recommend avg. Look into avira, its pretty good.

    Look into the 8 step malware/virus removal thread here on TS. Its straight forward and more than 10 people a day use it here. I'm sure it will help solve your issue.
  3. Aro2220

    Aro2220 TS Rookie Topic Starter

    SUPERAntiSpyware 4.25.1012 download link cannot find the associated file in the 8 step post. I had to remove my links to both of those because this site won't let me do that for another few posts.

    After updating AVG (apparently, it wasn't) and doing another scan I got rid of 6 instances of the trojan 'successfully'. There has not been another ad popup for the last hour, which is promising.

    I'm updating Java, as well. I didn't realize java was so vulnerable. Also, I am going to try out Avira after uninstalling AVG. I am still planning on using those two online scanners I mentioned previously.
  4. Aro2220

    Aro2220 TS Rookie Topic Starter

    this trojan is practically impossible to remove without a reformat

    it hides in places you cannot access while the system is on. anti virus is useless.

  5. Aro2220

    Aro2220 TS Rookie Topic Starter


    After running Avira again and getting rid of everything I could I ran CCleaner and got rid of all the temp junk.

    I uninstalled Avira, rebooted, and installed Kaspersky

    I ran a scan and it didn't alert me to any trojans/virii but it did notify me about a lot of vulnerabilities relating to the current version of Quicktime, Java, and Flash. I updated everything and then scanned again.

    It came up clean.

    I also played around with my registry a bit to get rid of the instances in msconfig startup that were starting old copies of the virus that were now gone (to make the list cleaner).

    I gave it another reboot and checked msconfig/hijackthis again to see if it had replicated new instances of itself but didn't see anything suspicious.

    Thank you very much for your help. That 8 step process has some good software in it.
    I am almost certain that my sister got this trojan through a vulnerability in some of her software.

    Oh, and I checked to see if Windows Update would run (it did). That's the best sign of all since what worried me the most (beside the ads) was that when I ran windows update it gave me a blank screen.

    I told her to let me know if her computer does anything weird and I left Kaspersky on her computer for the remainder of the 30 day trial. I am planning on putting Avira back on after.

    I am quite impressed with Avira. I have installed it on my other two computers and found some more junk on one of them. Although, I think most of these are false positives. One probably wasn't.

    Thanks again!! I will be reccomending this site.
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...