brand new virus?

Thread starter: Guest

I did an online scan using Symantec's online scanner, and it found a virus
that it called Trojan Horse in the system32 folder. The file that was
infected was called awttqpo.dll but when I googled this file name, it
returned NO results... I don't mean no usable results, I mean NONE. What kind
of virus is discovered by Norton, but not discussed by ANYONE on the
internet? It says "Did you mean" but no.. I didn't mean ANYTHING other than
what I typed. Anywho, as you probably guessed, looking for the path given by
the scanner had poor results. It's not there in regular or safe mode. So my
question is:

How do you delete awttqpo.dll in C:\WINDOWS\system32 if it cannot be seen
even in safe mode, there are no discussion groups on the internet for it, and
there are NO references, phrases, or the SLIGHTEST mention of it ANYWHERE in
existence except for here, right now... Anyone, any ideas? Thanks in advance.

P.S. I put this question here because it's a Windows problem (the file is
hidden in a VERY advanced way) and because there are no other groups that have
discussions for it. Please don't send me other places... I beg of you!
 
From: "(e-mail address removed)" <[email protected]>

| I did an online scan using Symantec's online scanner, and it found a virus
| that it called Trojan Horse in the system32 folder. The file that was
| infected was called awttqpo.dll but when I googled this file name, it
| returned NO results... I don't mean no usable results, I mean NONE. What kind
| of virus is discovered by Norton, but not discussed by ANYONE on the
| internet? It says "Did you mean" but no.. I didn't mean ANYTHING other than
| what I typed. Anywho, as you probably guessed, looking for the path given by
| the scanner had poor results. It's not there in regular or safe mode. So my
| question is:
|
| How do you delete awttqpo.dll in C:\WINDOWS\system32 if it cannot be seen
| even in safe mode, there are no discussion groups on the internet for it, and
| there are NO references, phrases, or the SLIGHTEST mention of it ANYWHERE in
| existence except for here, right now... Anyone, any ideas? Thanks in advance.
|
| P.S. I put this question here because it's a Windows problem (the file is
| hidden in a VERY advanced way) and because there are no other groups that have
| discussions for it. Please don't send me other places... I beg of you!

There are anti-virus News Groups specifically for this type of discussion.

microsoft.public.security.virus
alt.comp.virus
alt.comp.anti-virus

You said "...found a virus that it called Trojan Horse"
You are confused, this is a Trojan and it is NOT a virus!

Google is NOT a source for all information. At best Google will tell you if a file name
is legitimate or not but that is only half the story since any file can be named anything!

Looking at the file name I'll give it two possibilities.

1. It is a <20KB DLL file and it is a Conhook/Klone Trojan

2. It is a >400KB DLL file and is really a Vundo Trojan.

Trojans can and do hide. They can make themselves invisible to EXPLORER.EXE and also mark
the file as a Hidden & System file.
However, changing its attributes so it is NOT a Hidden and System file and performing a
DIRectory command in a Command Prompt would reveal it.

If you look in the Registry, I'll bet you will find...

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awttqpo

Pointing to...

C:\WINDOWS\system32\awttqpo.dll

Now, are you ready to listen?

I ask that because I noted a lot of attitude and assumptions in your post and if you want
help you need to drop them and listen. This includes the understanding that if you think
you have a virus, you ask about it in a virus-related News Group.
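As an added defender-side example (not code from any poster in this thread), the following Python script audits the Winlogon\Notify key David points at without touching the live registry: it parses a `.reg` export of that key (the text Regedit's File > Export or `reg export` writes), resolves each notification package's DllName, and flags any DLL name that is absent from a baseline taken from a known-clean machine. The sample export embedded in the script is constructed, the baseline DLL set is an assumption to be replaced with names from your own clean export, and `parse_reg_export` / `audit_notify` are names chosen here.

```python
"""Offline audit of the Winlogon\\Notify key from a .reg export.

Added example, not code from the thread. It reads the text that Regedit's
File > Export (or `reg export`) writes for the Notify key and flags any
notification package whose DLL is not on a baseline from a known-clean machine.
"""
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# ASSUMPTION: DLL names a clean machine of the same Windows build lists under
# Winlogon\Notify. Replace with names taken from your own trusted export.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

# Constructed sample export: two legitimate-looking packages and the entry
# described in the thread. "hex(2):" is how .reg files store REG_EXPAND_SZ.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DllName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awttqpo]
"DllName"="C:\\WINDOWS\\system32\\awttqpo.dll"
"Startup"="EventStartup"
"Asynchronous"=dword:00000001
"""


def _decode_hex2(payload):
    """hex(2) payload: comma-separated UTF-16LE bytes, NUL-terminated."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a .reg export."""
    # A value line ending in ",\" continues on the next line; join those first.
    logical = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, val = m.group(1), m.group(2)
        if val.startswith('"') and val.endswith('"'):
            # REG_SZ: strip quotes and undo the .reg escaping of \" and \\
            keys[current][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif val.startswith("hex(2):"):
            keys[current][name] = _decode_hex2(val[len("hex(2):"):])
        elif val.startswith("dword:"):
            keys[current][name] = int(val[len("dword:"):], 16)
        else:
            keys[current][name] = val  # other value types kept as raw text
    return keys


def audit_notify(keys, baseline=BASELINE_DLLS):
    """List (subkey, DllName) for Notify packages whose DLL is off the baseline."""
    prefix = NOTIFY_KEY.lower() + "\\"
    findings = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        subkey = path[len(prefix):]
        dll = values.get("DllName", "")
        base = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base and base not in baseline:
            findings.append((subkey, dll))
    return findings


if __name__ == "__main__":
    for subkey, dll in audit_notify(parse_reg_export(SAMPLE_EXPORT)):
        print(f"unknown Winlogon notification package: {subkey} -> {dll}")
```

Because the entry described later in this thread re-creates itself after deletion, an export-based audit is worth repeating after each cleanup pass to confirm the subkey is really gone; the attrib and dir steps David gives are still what confirms the DLL on disk.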
 
Hi Thunder,

| I did an online scan using Symantec's online scanner, and it found a virus
| that it called Trojan Horse in the system32 folder. The file that was
| infected was called awttqpo.dll but when I googled this file name, it
| returned NO results.

=> Viruses can be given any name, so that's not new. What is new in a virus's
case is how it behaves and its ability to do severe damage to the infected
computer/system.
Many viruses try to hide from scanners and anti-virus products by
changing their name and path and pretending to be a legitimate system
process to con the AV.

| ... I don't mean no usable results, I mean NONE. What kind
| of virus is discovered by Norton, but not discussed by ANYONE on the
| internet? It says "Did you mean" but no.. I didn't mean ANYTHING other than
| what I typed. Anywho, as you probably guessed, looking for the path given by
| the scanner had poor results. It's not there in regular or safe mode. So my
| question is:
|
| How do you delete awttqpo.dll in C:\WINDOWS\system32 if it cannot be seen
| even in safe mode, there are no discussion groups on the internet for it, and
| there are NO references, phrases, or the SLIGHTEST mention of it ANYWHERE in
| existence except for here, right now... Anyone, any ideas? Thanks in advance.

=> First, try to disable the running process by pressing ALT + CTRL + DEL on
your keyboard/pad, and if Norton mentions the process (say, for example, awtt.exe),
disable it. Then open your search engine and type the full name of the
file/folder created by this virus and delete it by pressing SHIFT + Delete.
Then scan again with your AV to see if it will pick it up again.

=> There is a NG for viruses here on the MS NGs:
http://www.microsoft.com/communitie...b85-5bde-4e6f-b9f4-c199b934c707&lang=en&cr=US

| P.S. I put this question here because it's a Windows problem (the file is
| hidden in a VERY advanced way) and because there are no other groups that have
| discussions for it. Please don't send me other places... I beg of you!

HTH.
Please let us know your progress.
Regards,
nass
 
| I did an online scan using Symantec's online scanner, and it found a virus
| that it called Trojan Horse in the system32 folder. The file that was
| infected was called awttqpo.dll but when I googled this file name, it
| returned NO results... I don't mean no usable results, I mean NONE. What kind
| of virus is discovered by Norton, but not discussed by ANYONE on the
| internet? It says "Did you mean" but no.. I didn't mean ANYTHING other than
| what I typed. Anywho, as you probably guessed, looking for the path given by
| the scanner had poor results. It's not there in regular or safe mode. So my
| question is:
|
| How do you delete awttqpo.dll in C:\WINDOWS\system32 if it cannot be seen
| even in safe mode, there are no discussion groups on the internet for it, and
| there are NO references, phrases, or the SLIGHTEST mention of it ANYWHERE in
| existence except for here, right now... Anyone, any ideas? Thanks in advance.
|
| P.S. I put this question here because it's a Windows problem (the file is
| hidden in a VERY advanced way) and because there are no other groups that have
| discussions for it. Please don't send me other places... I beg of you!

Some viruses generate filenames using semi-random names, so not
finding the name elsewhere isn't such a big or surprising thing.
 
An interesting reply David. I did find some of the spelling in the last
paragraph a little bizarre, however <g>.

One aspect you didn't mention. Wouldn't an anti-virus scanner normally give
the option to remove, to quarantine or leave? Most of us would opt to remove or
quarantine, thus the file may not still be there to find?

--

Regards.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
A "Trojan Horse" is technically not a virus. If the Symantec scanner did
identify it, however, it should have offered either a removal/quarantine
mode or a statement that it did not presently have one. I suggest you
Google with something like "free Trojan Horse scanner and remover" to find a
remover.
Gene K
 
Symantec's online scanner would have given you the name of the Trojan - that
is the name you should have googled for, and you would have found hundreds
of hits. The filename is probably a randomly generated name, as already
suggested.

--
Jon


The reason I decided to write that was mainly because
"(e-mail address removed)"
 
From: "Gerry Cornell" <[email protected]>

| An interesting reply David. I did find some of the spelling in the last
| paragraph a little bizarre, however <g>.
|
| One aspect you didn't mention. Wouldn't an anti-virus scanner normally give
| the option to remove, to quarantine or leave? Most of us would opt to remove or
| quarantine, thus the file may not still be there to find?
|

Yeah, I embarrass myself way too often with spelling mistakes. :-(

The problem with this, and I'll bet it is a Conhook/Klone Trojan rather than the Vundo
Trojan, is not only does it use the Winlogon Notify function to load but it loads as a
Browser Helper Object (BHO) with a randomized CLSID. This is a self-preservation Trojan.
That is, it takes steps to prevent its removal. Quarantining is removal but storing it in a
safe place where it can do no harm if it is truly malicious or restorable if it was deemed
non-malicious (aka False Positive).

If it is what I suspect, then if you try to delete...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awttqpo

it would appear as if you were successful but, if you close Regedit and look again it would
still be there. The same goes for the BHO and if you used something like BHODemon it
wouldn't be able to remove it either.
 
David

Thanks. Point taken.


--

Regards.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
From: "Gerry Cornell" <[email protected]>

| David
|
| Thanks. Point taken.
|

The problem is how to remove it under a running OS. It would mean killing EXPLORER, SMSS,
CSRSS and the WINLOGON processes at the minimum, or at least suspending those processes.
However, the last time I ran against a Conhook/Klone Trojan the above process created a BSoD
condition.
 
Sorry if my spelling gave you the heebie-jeebies.. lol, no... really, I didn't
mean to piss you off with poor spelling. Anywho... I checked for the registry
entries with no luck, I even searched the registry for the file name, but I
only found it under Search Assistant somewhere off in HKEY_Users under
Software/Microsoft/Search Assistant

The reason the scanner didn't have that option to delete or quarantine is
because I am using the Norton Online scanner to CHECK for all the viruses.
So, can someone explain to me, as I am not really sure of how this works.....
How is the virus hiding itself? Is it really in the system32 folder, just
hidden? If so, and if it is like you say (hidden to explorer) is there any
forcible way to unhide it?
 
You need to post in the name of the Trojan that the online scanner gave you.
Re-run it if you don't remember. I doubt very much that the only information
it gave you was a filename.

--
Jon


I was more than a little surprised to hear the following from
"(e-mail address removed)"
 
From: "(e-mail address removed)" <[email protected]>

| Sorry if my spelling gave you the heebie-jeebies.. lol, no... really, I didn't
| mean to piss you off with poor spelling. Anywho... I checked for the registry
| entries with no luck, I even searched the registry for the file name, but I
| only found it under Search Assistant somewhere off in HKEY_Users under
| Software/Microsoft/Search Assistant
|
| The reason the scanner didn't have that option to delete or quarantine is
| because I am using the Norton Online scanner to CHECK for all the viruses.
| So, can someone explain to me, as I am not really sure of how this works.....
| How is the virus hiding itself? Is it really in the system32 folder, just
| hidden? If so, and if it is like you say (hidden to explorer) is there any
| forcible way to unhide it?
|

Go to; Start --> Run
enter; CMD.EXE

Type the following commands in the Command Prompt

cd %windir%\system32

attrib -r -h -s *.dll

copy awttqpo.dll c:\

exit



Please submit "C:\awttqpo.dll" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 
Some notes about seeing hidden files.

To investigate how you are using hard disk space you need to make sure that
you can see all files. Go to Start, Control Panel, Folder Options, View,
Advanced Settings and verify that the box before "Show hidden files and
folders" is checked and "Hide protected operating system files " is
unchecked. You may need to scroll down to see the second item. You should
also make certain that the box before "Hide extensions for known file types"
is not checked. Next in Windows Explorer make sure View, Details is selected
and then select View, Choose Details and check before Name, Type, Total
Size, and Free Space.

You still will not see the System Volume Information folder.
How to Gain Access to the System Volume Information Folder
http://support.microsoft.com/default.aspx?scid=kb;en-us;309531

FileSize -a useful tool for use with Windows Explorer when investigating how
disk space is being used.
http://markd.mvps.org/

The download link is not obvious. Click the "here" in the two sentences of the
web page accessed through the link above. "I can't count the number of times
someone has asked for this. So here is a module you can install that shows a
Folder Size column in Explorer."

However, some viruses / trojans circumvent normal viewing methods. To
remove them you need specialist advice. If you run the Online Scan again and it is
still present you can get the name of the actual Trojan which is needed.

--

Hope this helps.

Gerry
~~~~
FCA
Stourport, England

Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~


"(e-mail address removed)"
 
the name given by the scanner is simply Trojan Horse. Believe it or not.....
it said: C:\WINDOWS\system32\awttqpo.dl is infected with Trojan Horse.

as for those cmd codes, I'll give them a try, but I wish it was a little
easier for me to read what u mean.. like, so I know EXACTLY what I have to
type. Anywho, when u say I should post it back here, does that mean you'll be
watching this thread no matter how far back it goes? Or should I start up a
new one (if you say yes, then I'll make a new thread with the same name as
this one but name it #2)
 
From: "(e-mail address removed)" <[email protected]>

| the name given by the scanner is simply Trojan Horse. Believe it or not.....
| it said: C:\WINDOWS\system32\awttqpo.dl is infected with Trojan Horse.
|
| as for those cmd codes, I'll give them a try, but I wish it was a little
| easier for me to read what u mean.. like, so I know EXACTLY what I have to
| type. Anywho, when u say I should post it back here, does that mean you'll be
| watching this thread no matter how far back it goes? Or should I start up a
| new one (if you say yes, then I'll make a new thread with the same name as
| this one but name it #2)
|

Yes, I am monitoring this thread. Please do NOT create a new thread.
I need YOU to monitor as well as we can't have a dialogue that takes hours between posts.

I'll repeat my request...

Go to; Start --> Run
enter; CMD.EXE

Type the following commands in the Command Prompt

cd %windir%\system32

attrib -r -h -s *.dll

copy awttqpo.dll c:\

exit

Please submit "C:\awttqpo.dll" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
That is, copy the contents of that report and paste it in your reply.
 
the results:

AntiVir 7.2.0.25 10.09.2006 TR/Agent.51725
Authentium 4.93.8 10.06.2006 no virus found
Avast 4.7.892.0 10.08.2006 no virus found
AVG 386 10.07.2006 Adware Generic.REV
BitDefender 7.2 10.09.2006 DeepScan:Generic.Malware.SYddldg.510F17D4
CAT-QuickHeal 8.00 10.07.2006 no virus found
ClamAV devel-20060426 10.09.2006 no virus found
DrWeb 4.33 10.09.2006 no virus found
eTrust-InoculateIT 23.73.16 10.07.2006 no virus found
eTrust-Vet 30.3.3123 10.09.2006 Win32/Chisyne!generic
Ewido 4.0 10.09.2006 Adware.Virtumonde
Fortinet 2.82.0.0 10.09.2006 Vundo!tr!025
F-Prot 3.16f 10.06.2006 no virus found
F-Prot4 4.2.1.29 10.06.2006 no virus found
Ikarus 0.2.65.0 10.09.2006 no virus found
Kaspersky 4.0.2.24 10.09.2006 not-a-virus:AdWare.Win32.Virtumonde.de
McAfee 4869 10.09.2006 Vundo
Microsoft 1.1603 10.09.2006 no virus found
NOD32v2 1.1795 10.09.2006 a variant of Win32/TrojanDownloader.ConHook
Norman 5.80.02 10.09.2006 W32/Vundo.gen1
Panda 9.0.0.4 10.09.2006 Spyware/Virtumonde
Sophos 4.10.0 10.05.2006 no virus found
TheHacker 6.0.1.094 10.08.2006 no virus found
UNA 1.83 10.09.2006 no virus found
VBA32 3.11.1 10.08.2006 no virus found
VirusBuster 4.3.7:9 10.09.2006 no virus found

looks like it's infected with BOTH of the viruses you guys mentioned AND
more... yikes. What's the next step to getting rid of it?
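An added example (not code from any poster in this thread) showing how a practitioner reads a report like the one above rather than counting every hit as a separate infection: the script re-types the posted rows as constructed sample input, parses them, separates detections from "no virus found" verdicts, collapses vendor-specific names into families through an alias table, and lists the engines whose clean verdict came from signatures older than the newest set in the report. The alias table (Vundo, Virtumonde and Virtumundo treated as one family; ConHook kept separate, as David's earlier reply distinguishes them) is an assumption, and the function names are chosen here.

```python
"""Triage of a multi-engine scan report given as text rows.

Added example, not code from the thread. Input rows have the shape
"engine version signature-date verdict", as in the report posted above.
"""
from collections import Counter
from datetime import datetime

# Constructed sample input: the report posted in the thread, re-typed.
SAMPLE_REPORT = """\
AntiVir 7.2.0.25 10.09.2006 TR/Agent.51725
Authentium 4.93.8 10.06.2006 no virus found
Avast 4.7.892.0 10.08.2006 no virus found
AVG 386 10.07.2006 Adware Generic.REV
BitDefender 7.2 10.09.2006 DeepScan:Generic.Malware.SYddldg.510F17D4
CAT-QuickHeal 8.00 10.07.2006 no virus found
ClamAV devel-20060426 10.09.2006 no virus found
DrWeb 4.33 10.09.2006 no virus found
eTrust-InoculateIT 23.73.16 10.07.2006 no virus found
eTrust-Vet 30.3.3123 10.09.2006 Win32/Chisyne!generic
Ewido 4.0 10.09.2006 Adware.Virtumonde
Fortinet 2.82.0.0 10.09.2006 Vundo!tr!025
F-Prot 3.16f 10.06.2006 no virus found
F-Prot4 4.2.1.29 10.06.2006 no virus found
Ikarus 0.2.65.0 10.09.2006 no virus found
Kaspersky 4.0.2.24 10.09.2006 not-a-virus:AdWare.Win32.Virtumonde.de
McAfee 4869 10.09.2006 Vundo
Microsoft 1.1603 10.09.2006 no virus found
NOD32v2 1.1795 10.09.2006 a variant of Win32/TrojanDownloader.ConHook
Norman 5.80.02 10.09.2006 W32/Vundo.gen1
Panda 9.0.0.4 10.09.2006 Spyware/Virtumonde
Sophos 4.10.0 10.05.2006 no virus found
TheHacker 6.0.1.094 10.08.2006 no virus found
UNA 1.83 10.09.2006 no virus found
VBA32 3.11.1 10.08.2006 no virus found
VirusBuster 4.3.7:9 10.09.2006 no virus found
"""

# ASSUMPTION: lower-case substrings of vendor verdicts mapped to one family name.
FAMILY_ALIASES = {"vundo": "Vundo", "virtumonde": "Vundo", "virtumundo": "Vundo",
                  "conhook": "ConHook"}


def parse_report(text):
    """Split each row into engine, version, signature date and free-text verdict."""
    rows = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        engine, version, sigdate, verdict = parts
        rows.append({"engine": engine, "version": version,
                     "sigdate": datetime.strptime(sigdate, "%m.%d.%Y").date(),
                     "verdict": verdict.strip()})
    return rows


def is_detection(verdict):
    return verdict.lower() != "no virus found"


def family_of(verdict):
    """Map a vendor-specific verdict to a family via the alias table."""
    v = verdict.lower()
    for alias, family in FAMILY_ALIASES.items():
        if alias in v:
            return family
    return "unclassified"


def summarize(rows):
    detections = [r for r in rows if is_detection(r["verdict"])]
    families = Counter(family_of(r["verdict"]) for r in detections)
    newest = max(r["sigdate"] for r in rows)
    # A clean verdict from an engine whose signatures lag the newest set in the
    # report says less than one from a fully updated engine.
    stale_clean = sorted(r["engine"] for r in rows
                         if not is_detection(r["verdict"]) and r["sigdate"] < newest)
    return {"engines": len(rows),
            "detections": len(detections),
            "families": dict(families),
            "consensus": families.most_common(1)[0][0] if families else None,
            "stale_clean": stale_clean}


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print(f"{s['detections']}/{s['engines']} engines flagged the file; "
          f"consensus family: {s['consensus']}")
    print("family tally:", s["families"])
    print("clean verdicts from engines with older signatures:",
          ", ".join(s["stale_clean"]))
```

Run against the posted rows, the tally is one family with a clear majority plus a handful of generic names, which is the usual picture for a single sample rather than several different infections; the stale-signature list is the caveat to keep in mind before reading a "no virus found" as evidence of a clean file.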
 
From: "(e-mail address removed)" <[email protected]>

| the results:
|
| AntiVir 7.2.0.25 10.09.2006 TR/Agent.51725
| Authentium 4.93.8 10.06.2006 no virus found
| Avast 4.7.892.0 10.08.2006 no virus found
| AVG 386 10.07.2006 Adware Generic.REV
| BitDefender 7.2 10.09.2006 DeepScan:Generic.Malware.SYddldg.510F17D4
| CAT-QuickHeal 8.00 10.07.2006 no virus found
| ClamAV devel-20060426 10.09.2006 no virus found
| DrWeb 4.33 10.09.2006 no virus found
| eTrust-InoculateIT 23.73.16 10.07.2006 no virus found
| eTrust-Vet 30.3.3123 10.09.2006 Win32/Chisyne!generic
| Ewido 4.0 10.09.2006 Adware.Virtumonde
| Fortinet 2.82.0.0 10.09.2006 Vundo!tr!025
| F-Prot 3.16f 10.06.2006 no virus found
| F-Prot4 4.2.1.29 10.06.2006 no virus found
| Ikarus 0.2.65.0 10.09.2006 no virus found
| Kaspersky 4.0.2.24 10.09.2006 not-a-virus:AdWare.Win32.Virtumonde.de
| McAfee 4869 10.09.2006 Vundo
| Microsoft 1.1603 10.09.2006 no virus found
| NOD32v2 1.1795 10.09.2006 a variant of Win32/TrojanDownloader.ConHook
| Norman 5.80.02 10.09.2006 W32/Vundo.gen1
| Panda 9.0.0.4 10.09.2006 Spyware/Virtumonde
| Sophos 4.10.0 10.05.2006 no virus found
| TheHacker 6.0.1.094 10.08.2006 no virus found
| UNA 1.83 10.09.2006 no virus found
| VBA32 3.11.1 10.08.2006 no virus found
| VirusBuster 4.3.7:9 10.09.2006 no virus found
|
| looks like it's infected with BOTH of the viruses you guys mentioned AND
| more... yikes. What's the next step to getting rid of it?


"you guys mentioned " ? Just me. I thought it to be a Vundo Trojan or a Conhook/Klone
Trojan.

It looks like it is a Vundo trojan.

Before you perform the following steps, I would like you to email me a copy of awttqpo.dll.

Please put awttqpo.dll in a password protected ZIP file with the password being; infected
{ password = infected }

To email it to me, just remove ~nospam~ from [email protected] and attach the
password protected ZIP file.

Please follow ALL the instructions below...

---------------

Two phase answer...

Perform Part 1 then perform Part 2

If the first two parts don't work, perform the alternate utility.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.


If you are using any version of Sun Java that is prior to JRE Version 5.0 update 9,
then you are strongly urged to remove any/all versions.
There are vulnerabilities in them and they are actively being exploited.

It is highly suggested that you update to the latest version which is Sun Java JRE/JSE
Version 5.0 Update 9

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version.

Such as...
C:\Program Files\Java\jre1.5.0_09

http://java.sun.com/javase/downloads/index.jsp

FYI:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102557-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1



Part 1
------------
Download Adware-Virtumundo Removal Tool --
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Information on the Adware-Virtumundo Removal Tool:
http://forums.mcafeehelp.com/viewtopic.php?t=57049

Part 2
------------
Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe

Execute; WinFixerFix.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, Firefox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shut down/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser
but your PC will automatically be shut down. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


ALTERNATE:
--------------

Download Atribune's VUNDOFIX.EXE
http://www.atribune.org/ccount/click.php?id=4

Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *
 
I'll be doing those steps... I'm just making the zip now.. give me a few
minutes.. I don't often make password-protected zips.
 