PC Review



brand new virus?

 
 
thunderstruck_302
 
      9th Oct 2006
I did an online scan using symantec's online scanner, and it found a virus
that it called Trojan Horse in the system32 folder. The file that was
infected was called awttqpo.dll but when I googled this file name, it
returned NO results... I don't mean no usable results, I mean NONE. What kind
of virus is discovered by norton, but not discussed by ANYONE on the
internet? It says "Did you mean" but no.. I didn't mean ANYTHING other than
what I typed. Anywho, as you probably guessed, looking for the path given by
the scanner had poor results. It's not there in regular or safe mode. So my
question is:

How do you delete awttqpo.dll in C:\WINDOWS\system32 if it cannot be seen
in even safe mode, there are no discussion groups on the internet for it, and
there are NO references, phrases, or the SLIGHTEST mention of it ANYWHERE in
existence except for here, right now... Anyone, any ideas? Thanks in advance.

P.S. I put this question here because it's a Windows problem (The file is
hidden in a VERY advanced way) and because there are no other groups that have
discussions for it. Please don't send me other places... I beg of you!
 
 
David H. Lipman
 
      9th Oct 2006
From: "(E-Mail Removed)" <(E-Mail Removed)>


There are anti virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

You said "...found a virus that it called Trojan Horse"
You are confused, this is a Trojan and it is NOT a virus !

Google is NOT a source for all information. At best Google will tell you if a file name
is legitimate or not but that is only half the story since any file can be named anything !

Looking at the file name I'll give it two possibilities.

1. It is a <20KB DLL file and it is a Conhook/Klone Trojan

2. It is a >400KB DLL file and is really a Vundo Trojan.

Trojans can and do hide. They can make themselves invisible to EXPLORER.EXE and also mark
the file as a Hidden & System file.
However, changing its attributes so it is NOT a Hidden and System file and performing a
DIRectory command in a Command Prompt would reveal it.

If you look in the Registry, I'll bet you will find...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awttqpo

Pointing to...

C:\WINDOWS\system32\awttqpo.dll

Now, are you ready to listen ?

I ask that because I noted a lot of attitude and assumptions in your post and if you want
help you need to drop them and listen. This includes the understanding that if you think
you have a virus, you ask about it in a virus related News Group.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


 
nass
 
      9th Oct 2006
Hi Thunder,

"(E-Mail Removed)" wrote:

> I did an online scan using symantec's online scanner, and it found a virus
> that it called Trojan Horse in the system32 folder. the file that was
> infected was called awttqpo.dll but when I googled this file name, it
> returned NO results.


=> Viruses can be named any name so that's not new; what's new in the Virus case
is how it Behaves and its ability to do severe damage to the infected
Computer/System.
There are many viruses that try to Hide from Scanners and Anti-Viruses by
changing their Name, Path and pretending that they are a legitimate System
Processor to con the AV.

> ... I don't mean no usable results, I mean NONE. What kind
> of virus is discovered by norton, but not discussed by ANYONE on the
> internet. It says "Did you ean" but no.. I didn't mean ANYTHING other than
> what I typed. Anywho, as you probably guessed, lookig for the path given by
> the scanner had poor results. It's not there in reguler or safe mode. So my
> question is:
>
> How do you delete awttqpo.dll in C:\WINDOWS\system32 if it can not been seen


=> First try to Disable the Running Processor by Pressing ALT + CTRL + DEL on
your Keyboard/Pad and if Norton mentions the Processor, say 4 ex. awtt.exe,
Disable this and Open your search Engine and type the full name for the
file/folder created by this Virus and Delete it by pressing SHIFT + Delete.
And scan again with your AV to see if it will pick it up again.

> in even safe mode, there are no discussion groups on the internet for it, and
> there are NO references, phrases, or the SLIGHTEST mention of it ANYWHER in
> exstence except for here, right now... Anyone, any ideas? Thanks in advance.



=> There is a NG for Viruses here on MS NG;
http://www.microsoft.com/communities...&lang=en&cr=US


> P.S. I put this question here because its a Windows problem (The file is
> hidden in a VERY advanced way) and because thre are no other grups that have
> discussions for it. Please don't send me other places... I beg of you!


HTH.
Please let us know your progress.
Regards,
nass
-------
www.nasstec.co.uk
 
 
Steve Pearce
 
      9th Oct 2006
On Mon, 9 Oct 2006 08:39:01 -0700, (E-Mail Removed)
<(E-Mail Removed)> wrote:



Some viruses generate filenames using semi-random names, so not
finding the name elsewhere isn't such a big or surprising thing.
 
 
Gerry Cornell
 
      9th Oct 2006
An interesting reply David. I did find some of the spelling in the last
paragraph a little bizarre, however <g>.

One aspect you didn't mention. Wouldn't an anti-virus scanner normally give
the option to remove, to quarantine or leave? Most of us would opt to remove or
quarantine thus the file may not still be there to find?

--

Regards.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~


 
Gene K
 
      9th Oct 2006
A "Trojan Horse" is technically not a virus. If the Symantec scanner did
identify it, however, it should have offered either a removal/quarantine
mode or a statement that it did not presently have one. I suggest you
Google with something like "free Trojan Horse scanner and remover" to find a
remover.
Gene K


 
 
Jon
 
      9th Oct 2006
Symantec's online scanner would have given you the name of the Trojan - that
is the name you should have googled for, and you would have found hundreds
of hits. The filename is probably a randomly generated name, as already
suggested.

--
Jon


 
David H. Lipman
 
      9th Oct 2006
From: "Gerry Cornell" <(E-Mail Removed)>

| An interesting reply David. I did find some of the spelling in the last
| paragraph a
| little bizarre, however <g>.
|
| One aspect you didn't mention. Wouldn't an anti-virus scanner normally give
| the
| option to remove, to quarantine or leave? Most of us would opt to remove or
| quarantine thus the file may not still be there to find?
|

Yeah, I embarrass myself way too often with spelling mistakes. :-(

The problem with this, and I'll bet it is a Conhook/Klone Trojan rather than the Vundo
Trojan, is not only does it use the Winlogon Notify function to load but it loads as a
Browser Helper Object (BHO) with a randomized CLSID. This is a self preservation Trojan.
That is, it takes steps to prevent its removal. Quarantining is removal but storing it in a
safe place where it can do no harm if it is truly malicious or restorable if it was deemed
non-malicious (aka False Positive).

If it is what I suspect, then if you try to delete...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awttqpo

it would appear as if you were successful but, if you close Regedit and look again it would
still be there. The same goes for the BHO and if you used something like BHODemon it
wouldn't be able to remove it either.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


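As an added example, not code from the thread or from any of the posters: a read-only PowerShell audit of the two load points David describes (Winlogon\Notify and Browser Helper Objects). It resolves each registered DLL, uses -Force so Hidden+System files still show up, and reports size and Authenticode status; the registry paths are the standard Windows locations, and the flagging rule is an assumption based on the description above.

```powershell
# Added example (not from the thread): read-only audit of the two load points named in
# the post above, Winlogon\Notify and Browser Helper Objects. Run elevated; it only reports.

function Get-WinlogonNotifyEntries {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $base)) { return }
    foreach ($key in Get-ChildItem $base) {
        # Each subkey names a package; its DLLName value is the DLL Winlogon loads at logon.
        [pscustomobject]@{ Source = 'WinlogonNotify'; Name = $key.PSChildName
                           Path   = (Get-ItemProperty $key.PSPath).DLLName }
    }
}

function Get-BhoEntries {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $base)) { return }
    foreach ($key in Get-ChildItem $base) {
        # A BHO is registered only by CLSID; the DLL path lives under the CLSID's InprocServer32.
        $clsid = $key.PSChildName
        $srv   = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll   = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { $null }
        [pscustomobject]@{ Source = 'BHO'; Name = $clsid; Path = $dll }
    }
}

function Test-LoadPointEntry($entry) {
    $path = [Environment]::ExpandEnvironmentVariables([string]$entry.Path)
    # Winlogon\Notify often holds a bare file name, which Winlogon resolves from system32.
    if ($path -and -not [IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot "system32\$path"
    }
    # -Force returns files carrying the Hidden and System attributes that Explorer omits.
    $file = if ($path) { Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue }
    $hiddenSystem = [bool]($file -and $file.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
                           $file.Attributes.HasFlag([IO.FileAttributes]::System))
    $sig = if ($file) { (Get-AuthenticodeSignature $file.FullName).Status } else { 'n/a' }
    [pscustomobject]@{
        Source       = $entry.Source
        Name         = $entry.Name
        Path         = $path
        OnDisk       = [bool]$file
        HiddenSystem = $hiddenSystem
        SizeKB       = if ($file) { [math]::Round($file.Length / 1KB) } else { $null }
        Signature    = $sig
        # Assumed rule: an unsigned, Hidden+System DLL in a load point matches the description
        # above and deserves a second look (quarantine by the AV), not blind deletion.
        Suspicious   = [bool]($file -and $hiddenSystem -and ($sig -ne 'Valid'))
    }
}

$report = @(Get-WinlogonNotifyEntries) + @(Get-BhoEntries) | ForEach-Object { Test-LoadPointEntry $_ }
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Because the post notes that such a Trojan re-creates its Notify key while Windows is running, use the output to confirm what is registered, not as the removal step itself.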
 
 
Gerry Cornell
 
      9th Oct 2006
David

Thanks. Point taken.


--

Regards.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

 
David H. Lipman
 
      9th Oct 2006
From: "Gerry Cornell" <(E-Mail Removed)>

| David
|
| Thanks. Point taken.
|

The problem is how to remove it under a running OS. It would mean killing EXPLORER, SMSS,
CSRSS and the WINLOGON processes at the minimum, or at least suspending those processes.
However, the last time I ran against a Conhook/Klone Trojan the above process created a BSoD
condition.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

