Avast WEBforum

Other => Viruses and worms => Topic started by: 4g63 on April 11, 2008, 08:48:16 AM

Title: Win32:TratBHO [Trj] please help
Post by: 4g63 on April 11, 2008, 08:48:16 AM

i have log of what are going in background but need help fixing problem

Title: Re: Win32:TratBHO [Trj] please help
Post by: CharleyO on April 11, 2008, 09:04:56 PM

***

While I am not an expert on reading HJT logs, I have done some research to help with the problem. Please wait for someone else to give you the next steps to take.

These are not needed as there is no files associated :

O2 - BHO: (no name) - {140BD8E3-C167-11D4-B4A3-080000180323} - (no file)

O2 - BHO: (no name) - {23D44BCF-AA7A-41D6-8905-E808F16322EF} - C:\WINDOWS\system32\cbxxwvs.dll (file missing)

O2 - BHO: (no name) - {2C3DDDAC-48DB-495A-BA80-3C587D695BFA} - C:\WINDOWS\system32\mllmn.dll (file missing)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O9 - Extra button: (no name) - {85e1f530-48f4-11d9-9629-08ff2ffc9f67} - (no file)

I could not find any information on these which makes them suspicious to me :

O4 - HKLM\..\Run: [47238889] rundll32.exe "C:\WINDOWS\system32\lpygbeak.dll",b

O4 - HKLM\..\Run: [BM4410bb15] Rundll32.exe "C:\WINDOWS\system32\yknupcwi.dll",s
O20 - Winlogon Notify: xgrcvozi - xgrcvozi.dll (file missing)

Know to be associated with malware:

O20 - Winlogon Notify: cbxxwvs - cbxxwvs.dll (file missing)
information here ... http://fileinfo.prevx.com/fileinfo.asp?PXC=4a7283952238

Hopefully, someone will be along some to farther help you.


***

Title: Re: Win32:TratBHO [Trj] please help
Post by: oldman on April 12, 2008, 01:45:58 AM

Yuo have some major infections happening. We'll try to get some of it with this tool.

It is vitally important that combofix is renamed before it is even started to download


Please download ComboFix from Here (http://subs.geekstogo.com/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

**Note:  In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• If you are using Firefox, make sure that your download settings are as follows:

     -Tools->Options->Main tab
     -Set to "Always ask me where to Save the files".

• During the download, rename Combofix to Combo-Fix as follows:

(http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif)

(http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif)

• It is important you rename Combofix during the download, but not after.
• Please do not rename Combofix to other names, but only to the one indicated.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix

-----------------------------------------------------------

• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  
• Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.[/color]
  
  -----------------------------------------------------------

• Close any open browsers.
• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
  
• When finished, it will produce a report for you. 
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
  

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Title: Re: Win32:TratBHO [Trj] please help
Post by: lpg_unit on April 12, 2008, 02:27:29 AM

I seem to have the same problem on a Pentium III machine; here's my Hijackthis log, there's some gibberishly named DLL file that I can't remove from the startup list:

Logfile of HijackThis v1.99.1
Scan saved at 8:25:14 AM, on 4/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\SUPPORT\System32\smss.exe
C:\SUPPORT\system32\winlogon.exe
C:\SUPPORT\system32\services.exe
C:\SUPPORT\system32\lsass.exe
C:\SUPPORT\system32\svchost.exe
C:\SUPPORT\System32\svchost.exe
C:\SUPPORT\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\SUPPORT\System32\rundll32.exe
c:\_\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
F2 - REG:system.ini: UserInit=C:\SUPPORT\System32\userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\SUPPORT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BM06252bd9] Rundll32.exe "C:\SUPPORT\System32\nradyocr.dll",s
O4 - HKLM\..\Run: [05161845] rundll32.exe "C:\SUPPORT\System32\mrsuvhnr.dll",b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://www.majorgeeks.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206250239018
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\SUPPORT\wanmpsvc.exe

There are also some random pop-ups that flash on my Firefox, coming from 89.188.16.22, which turned out to be a Vundo site... Can anyone help me with this???

EDIT: Solved; admins, feel free to delete this...

Title: Re: Win32:TratBHO [Trj] please help
Post by: oldman on April 12, 2008, 03:09:46 AM

Yes, I may be able to help you. But first you have to do a few things for me. Deal?

1. Please start your own thread with this information
2. Please delete the old copy of HJT and get a new one from Click here (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis) to download HJTsetup.exe

follow the prompts so it gets installed in it's own folder and you have a shortcut on your desktop.

3. when you have your own thread started, please delete your post from this one. You ill have to leave at least one letter in it or the words Deleted.

I'll see you at your new thread

Thanks

Title: Re: Win32:TratBHO [Trj] please help
Post by: 4g63 on April 12, 2008, 09:14:44 AM

alright thank you!!! Will do as soon as I get to my comp I'm on my phone right at thus moment.