Help computer Infected with Trojan Horse Generic9.AAUM

Viruses and worms
1

I need help. My O.S. is Win Xp and was using Avast free home edition antivirus. I was trying to download a file from the internet and got infected. At the time of Infection there was a triangle Icon which popped out from the system tray which said “Antivirus not installed” or something which I forgot exactly what it said.

Now Avast wasn’t able to detect it so had to install a different antivirus to check, installed AVG and walla… it detected that the file C:\WINDOWS\system32\cd.dll is infected with “Trojan Horse Generic9.AAUM”

Now the problem is I ain’t able to delete or fix the file. It just keeps coming back. Even deleting from the folder system32 wouldn’t let me delete the file. Tried using safe mode still the same.

Is there a way to remove this? Please help. Thanks in advance.

2

Hi Jase,

As this is a malware BHO download toolbarcop from here: http://www.majorgeeks.com/download4126.html
Fire it up and copy to clipboard its findings, put them here as a textfile (if not inside 1 post, use more), then we can see what you should remove from the list after analysis.

pol

3

Oh no… something went wrong. I downloaded toolbarcop and unzipped to a new folder on the desktop but when tried to run it this is what came up “Component ‘mscomctl.ocx’ or one of its dependencies not correctly registered: a file is missing or invalid”

4

Hi Jase,

Component MSCOMCTL.OCX or one of its dependencies not currently registered …

Sometime certain Microsoft Libraries can become unregistered when installing and uninstalling a lot of software. One very common problem is the MSCOMCTL.OCX.

To correct the error, first search your drive for MSCOMCTL.OCX to see if you have it. If not you can download it from HERE:
http://www.majorgeeks.com/files/mscomctl.zip

The file should be placed in your C:\WINDOWS\SYSTEM directory. Or, in C:\WINDOWS\SYSTEM32 if you are using WinXP.

Once it is there click START–> RUN and type “REGSVR32 MSCOMCTL.OCX” (No quotes) in the box.

That should fix the problem.

Here are the other downloadsites for that toolbar cop:
http://www.majorgeeks.com/download4126.html

Try to run the tool again and do as I proposed in the former posting.

polonus

5

Hi Thank you for replying back to me. I did what you told me to and this is what I got after I ran toolbar.

n/a
Browser Extension
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
Enabled
All Users

Skype
Browser Extension
{77BF5300-1474-4EC7-9980-D32B190E9B07}
C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
Enabled
All Users

Messenger
Browser Extension
{FB5F1910-F110-11D2-BB9E-00C04F795683}
C:\Program Files\Messenger\msmsgs.exe
Enabled
All Users

&Address
Toolbar
{01E04581-4EEE-11D0-BFE9-00AA005B4383}
%SystemRoot%\system32\browseui.dll
Enabled
Current User

&Links
Toolbar
{0E5CBF21-D15F-11D0-8301-00AA005B4383}
%SystemRoot%\system32\SHELL32.dll
Enabled
Current User

Skype add-on (mastermind)
BHO
{22BF413B-C6D2-4D91-82A9-A0F997BA588C}
C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
Enabled
All Users

BHO
{53707962-6F74-2D53-2644-206D7942484F}
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
Enabled
All Users

SSVHelper Class
BHO
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
Enabled
All Users

(Empty)
BHO
{9828DDAB-2B7A-4626-885A-5579EA690FEB}
C:\WINDOWS\system32\cd.dll
Enabled
All Users

Yahoo! Pager
Run - Startup

“C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet
Enabled
Current User

MSMSGS
Run - Startup

“C:\Program Files\Messenger\msmsgs.exe” /background
Enabled
Current User

SoundMan
Run - Startup

SOUNDMAN.EXE
Enabled
All Users

NvCplDaemon
Run - Startup

RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
Enabled
All Users

nwiz
Run - Startup

nwiz.exe /install
Enabled
All Users

NvMediaCenter
Run - Startup

RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
Enabled
All Users

HP Software Update
Run - Startup

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
Enabled
All Users

NeroFilterCheck
Run - Startup

C:\WINDOWS\system32\NeroCheck.exe
Enabled
All Users

SunJavaUpdateSched
Run - Startup

“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
Enabled
All Users

!AVG Anti-Spyware
Run - Startup

“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
Enabled
All Users

AVG7_CC
Run - Startup

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
Enabled
All Users

6

Hi jase,

Good you got the library dependency back. Now we can proceed.

Just fire up toolbarcop again, put a tag before
(Empty)
BHO
{9828DDAB-2B7A-4626-885A-5579EA690FEB}
C:\WINDOWS\system32\cd.dll
Enabled
All Users
And delete if from your comp.

That’s it. You could decide to post a hijackthis log for eventual further analysis:
http://download.hijackthis.eu/hijackthis_199.zip

All the best from,

polonus

7

Hi polonus, thanks again. But I was not able to delete it. I have even tried to disable it first and then delete. But it just wouldn’t be deleted.
Is there another way?

8

Hi Jase,

Then we try to do that with killbox from here: http://www.killbox.net/

pol

9

Hi polonus… when I tried using killbox with path as “c:\windows\system32\cd.dll” to delete. It says file does not exist. But when I checked it manually going to sytem32 folder. File is still there. When I tried “delete on reboot” the virus changes the registry and reboot stops. Is there another way to delete this file? Please help!!!

10

Hi jase,

You could also try to delete it with BruteForceUninstaller, get it from here:
http://www.majorgeeks.com/Brute_Force_Uninstaller_BFU_d4714.html

If that would not work start up in safe mode and try to kill cd.dll there.

STEP 1
Start the computer in Safe mode

1
Exit all programs.

2
Click Start > Run.

3
In Run dialog box, type the following text:
msconfig

4
Click OK.

5
In the System Configuration Utility, on the BOOT.INI tab, check /SAFEBOOT.

6
Click OK.

7
When you are asked to restart the computer, click Restart.

The computer restarts in Safe mode. This can take several minutes.

NOTE Note After you complete the work in Safe mode, use the System Configuration Utility to start Windows XP in Normal mode. Go to STEP 2.
STEP 2
Start the computer in Normal mode

1
Close all programs.

2
Click Start > Run.

3
In Run dialog box, type the following text:
msconfig

4
Click OK.

5
In the System Configuration Utility, on the BOOT.INI tab, uncheck /SAFEBOOT.

6
Click OK.

7
Close all programs, and restart the computer.

pol

11

Hi polonus,
This is the log of killbox prior to safe boot…

[b]Pocket Killbox version 2.0.0.978
Running on Windows XP as jase(Administrator)
was started @ Sunday, December 16, 2007, 1:43 AM

1 [Files to Delete]

Path = c:\windows\system32\cd.dll
*This file does not seem to exist

2 [Files to Delete]

Path = C:\WINDOWS\system32\cd.dll
*This file does not seem to exist

3 [Files to Delete]

Path = C:\WINDOWS\system32\cd.dll
*This file does not seem to exist

Killbox Closed(Exit) @ 1:50:48 AM

Pocket Killbox version 2.0.0.978
Running on Windows XP as jase(Administrator)
was started @ Sunday, December 16, 2007, 1:54 AM

1 [Delete on Reboot]

Path = C:\WINDOWS\system32\cd.dll

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 1:55:59 AM

2 [Delete on Reboot]

Path = C:\WINDOWS\system32\cd.dll

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 1:56:31 AM

3 [Files to Delete]

Path = C:\WINDOWS\system32\cd.dll
*This File could not be Deleted

4 [Files to Delete]

Path = C:\WINDOWS\system32\cd.dll
*This File could not be Deleted

5 [Delete on Reboot]

Path = C:\WINDOWS\system32\cd.dll
*This File could not be Deleted

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 1:58:55 AM

6 [Files to Delete]

Path = C:\WINDOWS\system32\cd.dll
*This File could not be Deleted

7 [Delete on Reboot]

Path = C:\WINDOWS\system32\cd.dll
*This File could not be Deleted

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 2:01:18 AM
Killbox Closed(Exit) @ 2:01:20 AM

Pocket Killbox version 2.0.0.978
Running on Windows XP as jase(Administrator)
was started @ Sunday, December 16, 2007, 2:13 AM

1 [Delete on Reboot]

Path = C:\WINDOWS\system32\cd.dll

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 2:14:43 AM
Killbox Closed(Exit) @ 2:14:47 AM

Pocket Killbox version 2.0.0.978
Running on Windows XP as jase(Administrator)
was started @ Sunday, December 16, 2007, 2:17 AM

1 [Files to Delete]

Path = C:\WINDOWS\system32\cd.dll
*This File could not be Deleted

2 [Delete on Reboot]

Path = C:\WINDOWS\system32\cd.dll
*This File could not be Deleted

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 2:18:27 AM
Killbox Closed(Exit) @ 2:18:33 AM

Pocket Killbox version 2.0.0.978
Running on Windows XP as jase(Administrator)
was started @ Sunday, December 16, 2007, 3:34 AM

1 [Files to Delete]

Path = C:\WINDOWS\system32\cd.dll
*This File could not be Deleted

2 [Files to Delete]

Path = C:\WINDOWS\system32\cd.dll
*This File could not be Deleted

3 [Delete on Reboot]

Path = C:\WINDOWS\system32\cd.dll
*This File could not be Deleted

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 3:36:41 AM
Killbox Closed(Exit) @ 3:36:48 AM

Pocket Killbox version 2.0.0.978
Running on Windows XP as jase(Administrator)
was started @ Sunday, December 16, 2007, 3:52 AM

1 [Files to Delete]

Path = C:\WINDOWS\system32\cd.dll
*This File could not be Deleted

2 [Files to Delete]

Path = C:\WINDOWS\system32\cd.dll
*This File could not be Deleted

Killbox Closed(Exit) @ 3:53:42 AM
__________________________________________________[/b]

I feel so useless. I tried the safe boot as well. Nothing seems to be going right for me.

I have also tried bruteforce as you have suggested. I tried it in Normal and safe mode and the file would just not be deleted.

I guess the last option for me is to format my C: :-[

12
I guess the last option for me is to format my C:
NO there are other options such as this

Download avz4.zip from here

[*]Unzip it to your desktop to a folder named avz4
[*]Double click on AVZ.exe to run it.
[*]Run an update by clicking the Auto Update button on the Right of the Log window:
http://rathat.geekstogo.com/images/AVZupdate.jpg

[*]Click Start to begin the update

Note: If you recieve an error message, chose a different source, then click Start again

[*] Start AVZ.

[] Choose from the menu “File” => "Standard scripts " and mark the “Healing/Quarantine and Advanced System Investigation” check box.
[] Click on the “Execute selected scripts”.
[] Automatic scanning, healing and system check will be executed.
[] A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
[] It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
[] All applications will work properly after the system restart.

.

When restarted

[*] Start AVZ.

[] Choose from the menu “File” => “Standard scripts " and mark the “Advanced System Investigation” check box.
[] Click on the “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

.

Attach both zip files to your next post

13

Hi jase,

Not so desperate, my good friend. Let us not haste into things that are not at hand at the moment.
It is well possible that the scanner that alerted you to the malware did delete it, whereas toolbarcop mentioned it was Empty, something must have emptied it. The registry entrance on it has been removed. So there are two possibilities a: this is a ghost notice, or something else is preventing the delete. Let us try a couple of things next. A upload the cd.dll to virustotal, and give me the details what the scan gives there. Follow essexboy’s suggestions now, anxious to know what is the matter really, when you use his tool first clean all your temporary files using ATF-Cleaner http://www.atribune.org/ccount/click.php?id=1
& you must not allow system restore when using this.

polonus

14

Also, I have tried HijackThis in normal and safeboot and here is the log…

[b]Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:06 AM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - -{9828DDAB-2B7A-4626-885A-5579EA690FEB} - (no file)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9828DDAB-2B7A-4626-885A-5579EA690FEB} - C:\WINDOWS\system32\cd.dll
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU..\Run: [Yahoo! Pager] “C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKUS\S-1-5-19..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘Default user’)
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://jumboplay.bluehyppo.com/class/DragonbackCtl.ocx
O17 - HKLM\System\CCS\Services\Tcpip..{3FF36DEA-5641-4823-ADE6-CA6CB723108B}: NameServer = 125.22.47.125,202.56.250.5
O17 - HKLM\System\CS1\Services\Tcpip..{3FF36DEA-5641-4823-ADE6-CA6CB723108B}: NameServer = 125.22.47.125,202.56.250.5
O17 - HKLM\System\CS2\Services\Tcpip..{3FF36DEA-5641-4823-ADE6-CA6CB723108B}: NameServer = 125.22.47.125,202.56.250.5
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


End of file - 5799 bytes[/b]

15

Hi Jase if you could run AVZ that should enable me to kill it

16

I am sorry, I didn’t understand you on this virustotal. Is it a website? is it www.virustotal.com?

17

What’s AVZ now?

18

Hi Jase,

Do as essexboy says, after cleaning the temp files with ATF cleaner, and having disabled system restore.
Here are the avz4 check-up data: http://www.spywaredata.com/spyware/malware/avz.exe.php

pol

19

[list]I’ll repost the instructions

Download avz4.zip from here
[list]
[*]Unzip it to your desktop to a folder named avz4
[*]Double click on AVZ.exe to run it.
[*]Run an update by clicking the Auto Update button on the Right of the Log window:
http://rathat.geekstogo.com/images/AVZupdate.jpg

[*]Click Start to begin the update
Note: If you recieve an error message, chose a different source, then click Start again

[*] Start AVZ.

[*] Choose from the menu “File” => "Standard scripts " and mark the “Healing/Quarantine and Advanced System Investigation” check box.
[*] Click on the “Execute selected scripts”.
[*] Automatic scanning, healing and system check will be executed.
[*] A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
[*] It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
[*] All applications will work properly after the system restart.
.
When restarted

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts " and mark the “Advanced System Investigation” check box.
[*] Click on the “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
.
Attach both zip files to your next post[/list][/list]

20

Ok i am on it. and thank youtoo :slight_smile: