Author Topic: I'm sorry: Win32:TratBHO [Trj] again  (Read 22548 times)


scubamaggo

  • Guest
I'm sorry: Win32:TratBHO [Trj] again
« on: January 08, 2008, 08:47:32 PM »
I know this topic is coming up here almost every day. I looked through the old threads and tried to get rid of it the same way as described, but it didn't work. Avast keeps finding Win32:TratBHO [trj] and I can't remove it, because the access to the .dll is denied. I downloaded ComboFix and ran it, but it didn't delete the .dll. It just said it was created in the past month. HJT didn't work either. I will attach my ComboFix log; the infected .dll is ati3duagv.dll

edit: I'm sorry, it's actually Win32:BHO-KD[trj], not Win32:TratBHO [trj]!
« Last Edit: January 08, 2008, 08:55:45 PM by scubamaggo »

scubamaggo

  • Guest
Re: I'm sorry: Win32:TratBHO [Trj] again
« Reply #1 on: January 08, 2008, 08:48:31 PM »
ComboFix 08-01-07.5 - Maggo 2008-01-08 20:18:04.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.0.1252.1.1031.18.133 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Maggo\Desktop\ComboFix(2).exe
 * Neuer Wiederherstellungspunkt wurde erstellt
.

((((((((((((((((((((((((((((((((((((   Weitere Löschungen   ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\rpcc.exe

.
(((((((((((((((((((((((   Dateien erstellt von 2007-12-08 bis 2008-01-08  ))))))))))))))))))))))))))))))
.

2008-01-08 20:17 . 2008-01-08 20:17   <DIR>   d--h-----   C:\WINDOWS\PIF
2008-01-08 20:17 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-08 19:39 . 2001-08-18 13:00   13,312   --a--c---   C:\WINDOWS\system32\dllcache\ctfmon.exe.backup
2008-01-08 19:39 . 2001-08-18 13:00   13,312   --a------   C:\WINDOWS\system32\ctfmon.exe.backup
2008-01-08 19:10 . 2008-01-08 19:10   <DIR>   d--------   C:\Programme\Avira
2008-01-08 19:10 . 2008-01-08 19:55   <DIR>   d--------   C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
2008-01-08 01:02 . 2008-01-08 01:03   <DIR>   d--------   C:\Programme\weblin
2008-01-08 01:01 . 2008-01-08 01:03   <DIR>   d--------   C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\zweitgeist
2008-01-08 00:30 . 2002-11-14 20:43   221,696   --a------   C:\WINDOWS\system32\srrstr.dll
2008-01-08 00:30 . 2002-11-14 20:43   221,696   --a--c---   C:\WINDOWS\system32\dllcache\srrstr.dll
2008-01-08 00:26 . 2008-01-08 00:34   <DIR>   d--h-c---   C:\WINDOWS\$xpsp1hfm$
2008-01-08 00:26 . 2004-01-10 06:11   26,112   --a------   C:\WINDOWS\system32\xpsp1hfm.exe
2008-01-08 00:25 . 2008-01-08 00:25   <DIR>   d---s----   C:\WINDOWS\system32\Microsoft
2008-01-06 15:16 . 2008-01-08 19:13   49   --a------   C:\WINDOWS\transp.gif
2008-01-06 14:40 . 2008-01-06 14:40   <DIR>   d--------   C:\Programme\Alwil Software
2008-01-06 14:40 . 2003-03-18 21:20   1,060,864   --a------   C:\WINDOWS\system32\MFC71.dll
2008-01-06 14:40 . 2007-12-04 14:04   837,496   --a------   C:\WINDOWS\system32\aswBoot.exe
2008-01-06 14:40 . 2003-03-18 20:14   499,712   --a------   C:\WINDOWS\system32\MSVCP71.dll
2008-01-06 14:40 . 2004-01-09 10:13   380,928   --a------   C:\WINDOWS\system32\actskin4.ocx
2008-01-06 14:40 . 2007-12-04 13:54   95,608   --a------   C:\WINDOWS\system32\AvastSS.scr
2008-01-06 14:40 . 2007-12-04 15:55   94,544   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-06 14:40 . 2007-12-04 15:56   93,264   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-06 14:40 . 2007-12-04 15:51   42,912   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-06 14:40 . 2007-12-04 15:49   26,624   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-06 14:40 . 2007-12-04 15:53   23,152   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-06 14:29 . 2008-01-08 20:05   150   --a------   C:\WINDOWS\ODBC.INI
2008-01-06 14:22 . 2008-01-06 14:22   <DIR>   d--------   C:\Programme\Gemeinsame Dateien\Agnitum Shared
2008-01-06 14:22 . 2008-01-06 14:22   <DIR>   d--------   C:\Programme\Agnitum
2008-01-06 14:19 .    19,584      C:\WINDOWS\system32\drivers\vkrukkpm.dat
2008-01-06 14:15 . 2008-01-06 14:19   <DIR>   d--------   C:\WINDOWS\system32\AppCert
2008-01-06 14:15 . 2007-08-22 02:47   84,992   --a------   C:\WINDOWS\system32\ati3duagv.dll
2007-12-27 16:12 . 2007-12-27 16:12   2,400   --a------   C:\WINDOWS\system32\wpa.bak
2007-12-27 06:31 . 2007-12-27 06:31   754   --a------   C:\WINDOWS\WORDPAD.INI
2007-12-27 02:39 . 2007-12-27 02:39   <DIR>   d--------   C:\Temp
2007-12-22 22:25 . 2008-01-05 23:56   1,266   --a------   C:\WINDOWS\PartyGrabber.ini
2007-12-18 00:42 . 2004-02-25 18:05   348,160   --a------   C:\WINDOWS\system32\msvcr71.dll
2007-12-18 00:39 . 2007-12-18 00:43   <DIR>   d--------   C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\fretsonfire

.
((((((((((((((((((((((((((((((((((((   Find3M Bericht   ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 19:01   ---------   d-----w   C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\Skype
2008-01-08 18:39   23,552   ----a-w   C:\WINDOWS\system32\ctfmon.exe
2008-01-08 17:05   ---------   d-----w   C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\skypePM
2008-01-08 01:12   ---------   d---a-w   C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2007-12-06 16:42   ---------   d-----r   C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\Brother
2007-12-06 00:28   ---------   d--h--w   C:\Programme\InstallShield Installation Information
2007-11-30 02:12   32   ----a-w   C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ezsid.dat
2007-11-30 02:10   ---------   d-----w   C:\Programme\Skype
2007-11-30 02:10   ---------   d-----w   C:\Programme\Gemeinsame Dateien\Skype
2007-11-30 02:10   ---------   d-----w   C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Skype
2007-11-29 21:25   ---------   d-----w   C:\Programme\ICQ
2007-11-29 21:25   ---------   d-----w   C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\ICQLite
2007-11-29 20:38   ---------   d-----w   C:\Programme\Gemeinsame Dateien\Adobe
2007-11-28 23:23   ---------   d-----w   C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\DivX
2007-11-28 02:01   ---------   d-----w   C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\Winamp
2007-11-28 01:57   ---------   d-----w   C:\Programme\Winamp
2007-11-28 01:47   ---------   d-----w   C:\Programme\Gemeinsame Dateien\InstallShield
2007-11-28 01:38   ---------   d-----w   C:\Programme\DivX
2007-11-28 00:31   ---------   d-----w   C:\Programme\microsoft frontpage
2007-11-28 00:30   ---------   d-----w   C:\Programme\Online-Dienste
2007-11-28 00:29   ---------   d-----w   C:\Programme\Gemeinsame Dateien\MSSoap
2007-11-28 00:29   ---------   d-----w   C:\Programme\Gemeinsame Dateien\Dienste
2007-11-28 00:21   ---------   d-----w   C:\Programme\Gemeinsame Dateien\SpeechEngines
2007-11-28 00:21   ---------   d-----w   C:\Programme\Gemeinsame Dateien\ODBC
2007-10-20 00:56   524,288   ----a-w   C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56   3,596,288   ----a-w   C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56   200,704   ----a-w   C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56   129,784   ------w   C:\WINDOWS\system32\pxafs.dll
2007-10-20 00:56   120,056   ------w   C:\WINDOWS\system32\pxcpyi64.exe
2007-10-20 00:56   118,520   ------w   C:\WINDOWS\system32\pxinsi64.exe
2007-10-20 00:56   1,044,480   ----a-w   C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54   823,296   ----a-w   C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54   823,296   ----a-w   C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54   81,920   ----a-w   C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54   802,816   ----a-w   C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54   739,840   ----a-w   C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54   196,608   ----a-w   C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06   156,992   ----a-w   C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03   593,920   ----a-w   C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03   57,344   ----a-w   C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03   53,248   ----a-w   C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03   344,064   ----a-w   C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03   294,912   ----a-w   C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03   294,912   ----a-w   C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02   12,288   ----a-w   C:\WINDOWS\system32\DivXWMPExtType.dll
.

scubamaggo

  • Guest
Re: I'm sorry: Win32:TratBHO [Trj] again
« Reply #2 on: January 08, 2008, 08:48:56 PM »

((((((((((((((((((((((((((((   Autostart Punkte der Registrierung   ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA}]
2007-08-22 02:47   84992   --a------   C:\WINDOWS\System32\ati3duagv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2007-11-12 15:48 21760296]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Programme\ICQ\ICQLite.exe" [2006-07-11 11:15 3144800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe" [2003-09-02 17:25 73728 C:\WINDOWS\system32\sstray.exe]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"ICQ Lite"="C:\Programme\ICQ\ICQLite.exe" [2006-07-11 11:15 3144800]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"Outpost Firewall"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe" [2006-03-30 10:51 91648]
"OutpostFeedBack"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe" [2006-05-11 12:05 356420]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-01-08 19:39 23552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll

R0 caiplgdr;caiplgdr;C:\WINDOWS\System32\drivers\vkrukkpm.dat []
R1 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS [2006-03-30 10:53]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL [2006-03-30 10:53]
R3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ARP.DLL [2006-03-30 10:53]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL [2006-03-30 10:53]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL [2006-03-30 10:53]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL [2006-03-30 10:53]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL [2006-03-30 10:53]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL [2006-03-30 10:53]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL [2006-03-30 10:53]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL [2006-03-30 10:53]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL [2006-03-30 10:53]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL [2006-03-30 10:53]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL [2006-03-30 10:53]
R3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\SECRET.DLL [2006-03-30 10:53]
R4 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys []

*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 20:19:18
Windows 5.1.2600  NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
Zeit der Fertigstellung: 2008-01-08 20:19:56
ComboFix-quarantined-files.txt  2008-01-08 19:19:41

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: I'm sorry: Win32:TratBHO [Trj] again
« Reply #3 on: January 08, 2008, 09:04:06 PM »
Hi scubamaggo,

Can you also run a StartDreck scan and attach the logfile as an attachment?
Niksoft StartDreck: a powerful autoruns editor with a simple but very functional design

StartDreck from Niksoft is a start-up editor for your Microsoft Windows computer. It is a useful tool for removing spyware.
Requirements

The tool will run on any Microsoft Windows operating system. This includes,

    * Windows 95
    * Windows 98
    * Windows ME
    * Windows 2000
    * Windows XP
    * Windows Server 2003

Approximately 400KB of disk space is required for the tool.
Download

This site is an official mirror of StartDreck.

Note: Please send all contact regarding this tool directly to the author, Niksoft.

Latest Version: 2.1.7
Download Size: 406.585 Bytes
MD5: cf15b20807e52446503ab2742e5acf55
Download from here: http://ben.cheetham.me.uk/download/niksoft/startdreck217.zip

polonus
« Last Edit: January 08, 2008, 09:05:40 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: I'm sorry: Win32:TratBHO [Trj] again
« Reply #4 on: January 08, 2008, 09:10:37 PM »
If Pol's suggestion does not work then try this

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote
Files to delete:
C:\WINDOWS\system32\ati3duagv.dll
C:\WINDOWS\system32\drivers\vkrukkpm.dat

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA}


Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions.  This log file will be located at  C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

scubamaggo

  • Guest
Re: I'm sorry: Win32:TratBHO [Trj] again
« Reply #5 on: January 08, 2008, 09:30:55 PM »
OK, thanks for the quick help. First, the Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\nilsdasa

*******************

Script file located at: \??\C:\Program Files\nfacnwrt.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\WINDOWS\system32\ati3duagv.dll for deletion
Deletion of file C:\WINDOWS\system32\ati3duagv.dll failed!

Could not process line:
C:\WINDOWS\system32\ati3duagv.dll
Status: 0xc0000022



Could not open file C:\WINDOWS\system32\drivers\vkrukkpm.dat for deletion
Deletion of file C:\WINDOWS\system32\drivers\vkrukkpm.dat failed!

Could not process line:
C:\WINDOWS\system32\drivers\vkrukkpm.dat
Status: 0xc0000022



Could not open registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA} for deletion
Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA} failed!
Status: 0xc0000022


Completed script processing.

*******************

Finished!  Terminate.
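The Avenger run above reports the same status on all three items. As an added example (not part of the thread and not code from The Avenger), the script below pairs each entry of the "Files to delete:" / "Registry keys to delete:" script format described earlier with its outcome in the resulting log and decodes the NTSTATUS value. The sample script and log are constructed from the lines posted in this thread; the NTSTATUS names come from the Windows ntstatus.h definitions. The format of a successful deletion line is not assumed: an item with no failure block in the log is reported as "no failure reported" rather than as deleted.

```python
"""Pair an Avenger-style deletion script with the log it produced."""
import re

# NTSTATUS values as defined in the Windows ntstatus.h; only the codes a
# file or registry-key deletion is likely to return are listed.
NTSTATUS = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}

# Constructed sample: the script posted in the thread, as pasted into Avenger.
AVENGER_SCRIPT = r"""
Files to delete:
C:\WINDOWS\system32\ati3duagv.dll
C:\WINDOWS\system32\drivers\vkrukkpm.dat

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA}
"""

# Constructed sample: the failure blocks from the C:\avenger.txt posted above.
AVENGER_LOG = r"""
Could not open file C:\WINDOWS\system32\ati3duagv.dll for deletion
Deletion of file C:\WINDOWS\system32\ati3duagv.dll failed!

Could not process line:
C:\WINDOWS\system32\ati3duagv.dll
Status: 0xc0000022

Could not open file C:\WINDOWS\system32\drivers\vkrukkpm.dat for deletion
Deletion of file C:\WINDOWS\system32\drivers\vkrukkpm.dat failed!

Could not process line:
C:\WINDOWS\system32\drivers\vkrukkpm.dat
Status: 0xc0000022

Could not open registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA} for deletion
Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA} failed!
Status: 0xc0000022

Completed script processing.
"""

FAILURE_RE = re.compile(r"^Deletion of (file|registry key|driver|folder) (.+) failed!$")
STATUS_RE = re.compile(r"^Status: (0x[0-9A-Fa-f]{8})$")


def parse_script(text):
    """Return (section, item) pairs; a section is a heading line ending in ':'."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            section = line[:-1].lower()          # e.g. "files to delete"
            continue
        if section is None:
            raise ValueError(f"item appears before any section heading: {line!r}")
        items.append((section, line))
    return items


def parse_log(text):
    """Map each item Avenger reported as failed to the NTSTATUS that followed."""
    failures, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = FAILURE_RE.match(line)
        if m:
            pending = m.group(2).lower()
            failures[pending] = None              # failed, status not yet seen
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            failures[pending] = int(m.group(1), 16)
            pending = None
    return failures


def triage(script_text, log_text):
    """One record per requested item: did it survive, and with which status?"""
    failures = parse_log(log_text)
    report = []
    for section, item in parse_script(script_text):
        key = item.lower()
        failed = key in failures
        status = failures.get(key)
        if not failed:
            outcome = "no failure reported"
        elif status is None:
            outcome = "failed: no status recorded"
        else:
            outcome = f"failed: {NTSTATUS.get(status, 'unrecognised NTSTATUS')} ({status:#010x})"
        report.append({"kind": section, "path": item, "failed": failed,
                       "status": status, "outcome": outcome})
    return report


def surviving(report):
    """Paths that the deletion run did not remove."""
    return [r["path"] for r in report if r["failed"]]


if __name__ == "__main__":
    for r in triage(AVENGER_SCRIPT, AVENGER_LOG):
        print(f"{r['kind']:<24} {r['outcome']:<45} {r['path']}")
```

STATUS_ACCESS_DENIED from a tool that runs at boot, before the shell loads, is a useful signal in itself: something loaded earlier in the boot sequence is protecting those objects, which is why the next step in the thread is a rootkit detector rather than another deletion attempt.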

scubamaggo

  • Guest
Re: I'm sorry: Win32:TratBHO [Trj] again
« Reply #6 on: January 08, 2008, 09:31:43 PM »
and now the StartDreck log:

StartDreck (build 2.1.7 public stable) - 2008-01-08 @ 21:33:28 (GMT +01:00)
Platform: Windows XP (Win NT 5.1.2600 )
Internet Explorer: 6.0.2600.0000
Logged in as Maggo at MARCO

»Registry
 »Run Keys
  »Current User
   »Run
    *Skype="C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
   »RunOnce
    *ICQ Lite=C:\Programme\ICQ\ICQLite.exe -trayboot
  »Default User
   »Run
    *CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
   »RunOnce
  »Local Machine
   »Run
    *nForce Tray Options=sstray.exe /r
    *Adobe Reader Speed Launcher="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    *ICQ Lite="C:\Programme\ICQ\ICQLite.exe" -minimize
    *UserFaultCheck=%systemroot%\system32\dumprep 0 -u
    *Outpost Firewall=C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
    *OutpostFeedBack=C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
    *avast!=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    +OptionalComponents
     +MSFS
      *Installed=1
     +MAPI
      *NoChange=1
      *Installed=1
     +MAPI
      *NoChange=1
      *Installed=1
   »RunOnce
   »RunServices
   »RunServicesOnce
   »RunOnceEx
   »RunServicesOnceEx
 »File Associations (CR)
  +.bat
   *batfile="%1" %*
  +.com
   *comfile="%1" %*
  +.exe
   *exefile="%1" %*
  +.hta
   *htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
  +.htm
   *FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1"
  +.html
   *FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1"
  +.js
   *JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.jse
   *JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.pif
   *piffile="%1" %*
  +.reg
   *regfile=regedit.exe "%1"
  +.scr
   *scrfile="%1" /S
  +.txt
   *txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
  +.vbs
   *VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.vbe
   *VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.wsh
   *WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.wsf
   *WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.lnk
   `lnkfile= [key or value does not exist]
 »Browser Helper Objects (LM)
  *AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
   `InprocServer32=C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
  *{ACE42F47-341D-427F-84BB-297751AA19CA}
   `InprocServer32=C:\WINDOWS\System32\ati3duagv.dll
»Files
 »Autostart Folders
  »Current User
   *C:\Dokumente und Einstellungen\Maggo\Startmenü\Programme\Autostart\desktop.ini
  »Default User
   *C:\WINDOWS\system32\config\systemprofile\Startmenü\Programme\Autostart\desktop.ini
  »Local Machine
   *C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
 »INI-Files
  »WIN.INI\[windows]
   *LOAD=
   *RUN=
  »SYSTEM.INI\[boot]
   *SHELL=Explorer.exe
 »Text Files
  *C:\boot.ini
  *C:\msdos.sys
  *C:\config.sys
  *C:\WINDOWS\System32\config.nt
  *C:\autoexec.bat
  *C:\WINDOWS\System32\autoexec.nt
  *C:\WINDOWS\System32\drivers\etc\hosts

scubamaggo

  • Guest
Re: I'm sorry: Win32:TratBHO [Trj] again
« Reply #7 on: January 08, 2008, 09:32:44 PM »
»System/Drivers
 »Running Processes
  +0=<idle>
  +4=<system>
  +576=\SystemRoot\System32\smss.exe
  +632=\??\C:\WINDOWS\system32\csrss.exe
  +668=\??\C:\WINDOWS\system32\winlogon.exe
  +720=C:\WINDOWS\system32\services.exe
  +732=C:\WINDOWS\system32\lsass.exe
  +892=C:\WINDOWS\System32\Ati2evxx.exe
  +932=C:\WINDOWS\system32\svchost.exe
  +988=C:\WINDOWS\System32\svchost.exe
  +1100=C:\WINDOWS\System32\svchost.exe
  +1180=C:\WINDOWS\system32\Ati2evxx.exe
  +1212=C:\WINDOWS\System32\svchost.exe
  +1356=C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
  +1412=C:\Programme\Alwil Software\Avast4\ashServ.exe
  +1632=C:\WINDOWS\system32\spoolsv.exe
  +1928=C:\WINDOWS\System32\sstray.exe
  +1944=C:\Programme\ICQ\ICQLite.exe
  +1976=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
  +1984=C:\Programme\Skype\Phone\Skype.exe
  +188=C:\WINDOWS\System32\alg.exe
  +348=C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
  +412=E:\PostgreSQL\bin\pg_ctl.exe
  +124=E:\PostgreSQL\bin\postmaster.exe
  +1228=C:\WINDOWS\System32\wdfmgr.exe
  +1736=E:\PostgreSQL\bin\postgres.exe
  +1992=E:\PostgreSQL\bin\postgres.exe
  +332=E:\PostgreSQL\bin\postgres.exe
  +2360=C:\Programme\Skype\Plugin Manager\skypePM.exe
  +2828=C:\Programme\Alwil Software\Avast4\ashWebSv.exe
  +3144=C:\WINDOWS\explorer.exe
  +3124=C:\WINDOWS\system32\notepad.exe
  +3656=E:\PostgreSQL\bin\postgres.exe
  +3252=C:\Programme\Mozilla Firefox\firefox.exe
  +1864=C:\Dokumente und Einstellungen\Maggo\Desktop\startdreck217\StartDreck.exe
 »NT Services
  *Warndienst   Alerter   -   on demand
  *Gatewaydienst auf Anwendungsebene   ALG   running   on demand
  *Anwendungsverwaltung   AppMgmt   -   on demand
  *ASP.NET State Service   aspnet_state   -   on demand
  *avast! iAVS4 Control Service   aswUpdSv   running   auto
  *Ati HotKey Poller   Ati HotKey Poller   running   auto
  *ATI Smart   ATI Smart   -   auto
  *Windows Audio   AudioSrv   running   auto
  *avast! Antivirus   avast! Antivirus   running   auto
  *avast! Web Scanner   avast! Web Scanner   running   on demand
  *Intelligenter Hintergrundübertragungsdienst   BITS   running   auto
  *Computerbrowser   Browser   running   auto
  *Indexing Service   cisvc   -   on demand
  *Ablagemappe   ClipSrv   -   on demand
  *.NET Runtime Optimization Service v2.0.50727_X8   clr_optimization_v2.   -   on demand
   `6
  *COM+-Systemanwendung   COMSysApp   -   on demand
  *Kryptografiedienste   CryptSvc   running   auto
  *DHCP-Client   Dhcp   running   auto
  *Verwaltungsdienst für die Verwaltung logischer    dmadmin   -   on demand
   `Datenträger
  *Verwaltung logischer Datenträger   dmserver   running   auto
  *DNS-Client   Dnscache   running   auto
  *Error Reporting Service   ERSvc   running   auto
  *Ereignisprotokoll   Eventlog   running   auto
  *COM+-Ereignissystem   EventSystem   running   on demand
  *Kompatibilität für schnelle Benutzerumschaltung   FastUserSwitchingCom   running   on demand
  *Hilfe und Support   helpsvc   running   auto
  *Eingabegerätezugang   HidServ   -   disabled
  *IMAPI-CD-Brenn-COM-Dienste   ImapiService   -   on demand
  *Server   lanmanserver   running   auto
  *Arbeitsstationsdienst   lanmanworkstation   running   auto
  *TCP/IP-NetBIOS-Hilfsprogramm   LmHosts   running   auto
  *Nachrichtendienst   Messenger   running   auto
  *NetMeeting-Remotedesktop-Freigabe   mnmsrvc   -   on demand
  *Distributed Transaction Coordinator   MSDTC   -   on demand
  *Windows Installer   MSIServer   -   on demand
  *Netzwerk-DDE-Dienst   NetDDE   -   on demand
  *Netzwerk-DDE-Serverdienst   NetDDEdsdm   -   on demand
  *Anmeldedienst   Netlogon   -   on demand
  *Netzwerkverbindungen   Netman   running   on demand
  *NLA (Network Location Awareness)   Nla   running   on demand
  *NT-LM-Sicherheitsdienst   NtLmSsp   -   on demand
  *Wechselmedien   NtmsSvc   -   on demand
  *Outpost Firewall Service   OutpostFirewall   running   auto
  *PostgreSQL Database Server 8.0   pgsql-8.0   running   auto
  *Plug & Play   PlugPlay   running   auto
  *IPSEC-Dienste   PolicyAgent   running   auto
  *Geschützter Speicher   ProtectedStorage   running   auto
  *Verwaltung für automatische RAS-Verbindung   RasAuto   running   on demand
  *RAS-Verbindungsverwaltung   RasMan   running   on demand
  *Sitzungs-Manager für Remotedesktophilfe   RDSessMgr   -   on demand
  *Routing und RAS   RemoteAccess   -   disabled
  *Remote-Registrierung   RemoteRegistry   running   auto
  *RPC-Locator   RpcLocator   -   on demand
  *Remoteprozeduraufruf (RPC)   RpcSs   running   auto
  *QoS-RSVP   RSVP   -   on demand
  *Sicherheitskontenverwaltung   SamSs   running   auto
  *Smartcard-Hilfsprogramm   SCardDrv   -   on demand
  *Smartcard   SCardSvr   -   on demand
  *Taskplaner   Schedule   running   auto
  *Sekundäre Anmeldung   seclogon   running   auto
  *Systemereignisbenachrichtigung   SENS   running   auto
  *Internetverbindungsfirewall/Gemeinsame Nutzung    SharedAccess   running   auto
   `der Internetverbindung
  *Shellhardwareerkennung   ShellHWDetection   running   auto
  *Druckwarteschlange   Spooler   running   auto
  *Systemwiederherstellungsdienst   srservice   running   auto
  *SSDP-Suchdienst   SSDPSRV   running   on demand
  *Windows-Bilderfassung (WIA)   stisvc   -   on demand
  *MS Software Shadow Copy Provider   SwPrv   -   on demand
  *Leistungsdatenprotokolle und Warnungen   SysmonLog   -   on demand
  *Telefonie   TapiSrv   running   on demand
  *Terminaldienste   TermService   running   on demand
  *Designs   Themes   running   auto
  *Telnet   TlntSvr   -   on demand
  *Überwachung verteilter Verknüpfungen (Client)   TrkWks   running   auto
  *Windows User Mode Driver Framework   UMWdf   running   auto
  *Upload-Manager   uploadmgr   running   auto
  *Universeller Plug & Play-Gerätehost   upnphost   -   on demand
  *Uninterruptible Power Supply   UPS   -   on demand
  *Volumeschattenkopie   VSS   -   on demand
  *Windows-Zeitgeber   W32Time   running   auto
  *WebClient   WebClient   running   auto
  *Windows-Verwaltungsinstrumentation   winmgmt   running   auto
  *Portable Media Serial Number Service   WmdmPmSN   -   on demand
  *Treibererweiterungen für Windows-Verwaltungsins   Wmi   -   on demand
   `trumentation
  *WMI-Leistungsadapter   WmiApSrv   -   on demand
  *Automatische Updates   wuauserv   running   auto
  *Konfigurationsfreie drahtlose Verbindung   WZCSVC   running   auto
»Application specific

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: I'm sorry: Win32:TratBHO [Trj] again
« Reply #8 on: January 08, 2008, 09:37:44 PM »
Well, Avenger didn't kill it. Let's try IceSword.

Please download and unzip IceSword to its own folder.

If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1: Run IceSword. Click the "Processes" tab and watch for processes displayed in red colour. A red colored process in this list indicates that it's hidden. Note the filenames of processes in red color. Also, make a note of the folders.

Step 2: Click the "Win32 Services" tab and look out for red colored entry in the services list. This red coloured service entry indicates that it’s rooted. Note the name of this service.

Step 3: Now, click "SSDT" tab and check for red colored entries. If there are any, note the file and folder names.

Now post all of the data collected under the headings
Processes
Win32 Services
SSDT


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: I'm sorry: Win32:TratBHO [Trj] again
« Reply #9 on: January 08, 2008, 09:45:14 PM »
Hi scubamaggo,

This was only part of the StartDreck log; do the following. At the bottom of the tool's window you see:
Refresh, Config, New, Search, Save. Click Save and save it as drive:\StartDreck\startdreck217\StartDreck.log,
put it on your desktop, go to Attach and browse to StartDreck\startdreck217\StartDreck.log,
and post it,

pol

scubamaggo

  • Guest
Re: I'm sorry: Win32:TratBHO [Trj] again
« Reply #10 on: January 08, 2008, 09:50:38 PM »
Processes and Win32 Services didn't have any red entries.
SSDT
0x101 0xB2F80330 \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\200}FILTNT.SYS 0x8056C6DC NtTerminateProcess
0x115 0xB2F80290 \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\200}FILTNT.SYS 0x8057F7E6 NtWriteVirtualMemeroy
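essexboy's instructions above explain that IceSword marks hidden processes, rooted services and SSDT entries in red; the two SSDT lines in this reply show the Outpost firewall driver hooking two system calls, which is what a host firewall's self-protection looks like. As an added example (not IceSword's code and not part of the thread), the script below parses lines in the layout those two entries show (service index, current handler address, hooking module, original address, function name) and separates hooks owned by the security products visible in the ComboFix log from hooks by unknown modules. The allowlist of product directories is an assumption taken from the paths in this thread; the first two sample lines are the posted entries with the path written as it appears in the ComboFix R1 entry and the function name as the real syscall (NtWriteVirtualMemory); the third line is constructed, with a placeholder driver name, to show what a flagged entry looks like.

```python
"""Triage SSDT hook lines of the form IceSword prints."""
import re
from dataclasses import dataclass

# Constructed sample: the two hooks posted above plus one invented entry
# (example_unknown.sys and its addresses are placeholders, not real values).
SAMPLE_SSDT = r"""
0x101 0xB2F80330 \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS 0x8056C6DC NtTerminateProcess
0x115 0xB2F80290 \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS 0x8057F7E6 NtWriteVirtualMemory
0x091 0xB2E01000 \??\C:\WINDOWS\System32\drivers\example_unknown.sys 0x80574E6A NtQueryDirectoryFile
"""

# Assumed allowlist: directories of the security products installed on this
# machine according to the ComboFix log (Outpost kernel plug-ins, avast asw*.sys).
KNOWN_HOOKERS = {
    "c:\\progra~1\\agnitum\\outpos~1.0\\kernel\\": "Outpost Firewall",
    "c:\\windows\\system32\\drivers\\asw": "avast! (asw*.sys drivers)",
}

# System calls that, when hooked, can hide files, processes or registry keys
# from user-mode tools; a hook here by an unknown module deserves attention.
STEALTH_FUNCTIONS = {
    "NtQueryDirectoryFile", "NtQuerySystemInformation",
    "NtEnumerateKey", "NtEnumerateValueKey",
}

LINE_RE = re.compile(
    r"^(0x[0-9A-Fa-f]+)\s+(0x[0-9A-Fa-f]+)\s+(.+?)\s+(0x[0-9A-Fa-f]+)\s+(\w+)$")


@dataclass
class SsdtHook:
    index: int
    hook_addr: int
    module: str
    original_addr: int
    function: str


def parse_ssdt_line(line):
    """Parse one hook line; the module path may contain spaces."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SSDT hook line: {line!r}")
    return SsdtHook(int(m.group(1), 16), int(m.group(2), 16), m.group(3),
                    int(m.group(4), 16), m.group(5))


def normalise_module(path):
    """Lower-case and drop the NT object-manager prefix \\??\\ if present."""
    path = path.lower()
    return path[4:] if path.startswith("\\??\\") else path


def classify(hook):
    """Return (verdict, owner) for a hook."""
    mod = normalise_module(hook.module)
    for prefix, product in KNOWN_HOOKERS.items():
        if mod.startswith(prefix):
            return "expected", product
    if hook.function in STEALTH_FUNCTIONS:
        return "suspicious", "unknown module hooking a call used to hide objects"
    return "review", "unknown module"


def triage_ssdt(text):
    """Parse every non-empty line and attach a verdict to it."""
    out = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        hook = parse_ssdt_line(raw)
        verdict, owner = classify(hook)
        out.append({"index": hook.index, "function": hook.function,
                    "module": normalise_module(hook.module),
                    "verdict": verdict, "owner": owner})
    return out


if __name__ == "__main__":
    for h in triage_ssdt(SAMPLE_SSDT):
        print(f"{h['index']:#05x} {h['verdict']:<10} {h['function']:<24} {h['module']}  [{h['owner']}]")
```

Hooks on NtTerminateProcess and NtWriteVirtualMemory by a firewall or antivirus driver are its way of stopping other processes from killing or injecting into it; the point of the allowlist is to get those out of the way so that the remaining entries, if any, are the ones worth investigating.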

scubamaggo

  • Guest
Re: I'm sorry: Win32:TratBHO [Trj] again
« Reply #11 on: January 08, 2008, 09:52:25 PM »
@polonus hm.. I thought I did this. OK, 2nd try:

StartDreck (build 2.1.7 public stable) - 2008-01-08 @ 22:01:00 (GMT +01:00)
Platform: Windows XP (Win NT 5.1.2600 )
Internet Explorer: 6.0.2600.0000
Logged in as Maggo at MARCO

»Registry
 »Run Keys
  »Current User
   »Run
    *Skype="C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
   »RunOnce
    *ICQ Lite=C:\Programme\ICQ\ICQLite.exe -trayboot
  »Default User
   »Run
    *CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
   »RunOnce
  »Local Machine
   »Run
    *nForce Tray Options=sstray.exe /r
    *Adobe Reader Speed Launcher="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    *ICQ Lite="C:\Programme\ICQ\ICQLite.exe" -minimize
    *UserFaultCheck=%systemroot%\system32\dumprep 0 -u
    *Outpost Firewall=C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
    *OutpostFeedBack=C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
    *avast!=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    +OptionalComponents
     +MSFS
      *Installed=1
     +MAPI
      *NoChange=1
      *Installed=1
     +MAPI
      *NoChange=1
      *Installed=1
   »RunOnce
   »RunServices
   »RunServicesOnce
   »RunOnceEx
   »RunServicesOnceEx
 »File Associations (CR)
  +.bat
   *batfile="%1" %*
  +.com
   *comfile="%1" %*
  +.exe
   *exefile="%1" %*
  +.hta
   *htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
  +.htm
   *FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1"
  +.html
   *FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1"
  +.js
   *JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.jse
   *JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.pif
   *piffile="%1" %*
  +.reg
   *regfile=regedit.exe "%1"
  +.scr
   *scrfile="%1" /S
  +.txt
   *txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
  +.vbs
   *VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.vbe
   *VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.wsh
   *WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.wsf
   *WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
  +.lnk
   `lnkfile= [key or value does not exist]
 »Browser Helper Objects (LM)
  *AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
   `InprocServer32=C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
  *{ACE42F47-341D-427F-84BB-297751AA19CA}
   `InprocServer32=C:\WINDOWS\System32\ati3duagv.dll
»Files
 »Autostart Folders
  »Current User
   *C:\Dokumente und Einstellungen\Maggo\Startmenü\Programme\Autostart\desktop.ini
  »Default User
   *C:\WINDOWS\system32\config\systemprofile\Startmenü\Programme\Autostart\desktop.ini
  »Local Machine
   *C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
 »INI-Files
  »WIN.INI\[windows]
   *LOAD=
   *RUN=
  »SYSTEM.INI\[boot]
   *SHELL=Explorer.exe
 »Text Files
  *C:\boot.ini
  *C:\msdos.sys
  *C:\config.sys
  *C:\WINDOWS\System32\config.nt
  *C:\autoexec.bat
  *C:\WINDOWS\System32\autoexec.nt
  *C:\WINDOWS\System32\drivers\etc\hosts

scubamaggo

  • Guest
Re: I'm sorry: Win32:TratBHO [Trj] again
« Reply #12 on: January 08, 2008, 09:52:47 PM »
»System/Drivers
 »Running Processes
  +0=<idle>
  +4=<system>
  +580=\SystemRoot\System32\smss.exe
  +636=\??\C:\WINDOWS\system32\csrss.exe
  +672=\??\C:\WINDOWS\system32\winlogon.exe
  +724=C:\WINDOWS\system32\services.exe
  +736=C:\WINDOWS\system32\lsass.exe
  +892=C:\WINDOWS\System32\Ati2evxx.exe
  +932=C:\WINDOWS\system32\svchost.exe
  +988=C:\WINDOWS\System32\svchost.exe
  +1080=C:\WINDOWS\System32\svchost.exe
  +1128=C:\WINDOWS\System32\svchost.exe
  +1152=C:\WINDOWS\system32\Ati2evxx.exe
  +1352=C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
  +1404=C:\Programme\Alwil Software\Avast4\ashServ.exe
  +1632=C:\WINDOWS\system32\spoolsv.exe
  +1804=C:\WINDOWS\Explorer.EXE
  +1936=C:\WINDOWS\System32\sstray.exe
  +1952=C:\Programme\ICQ\ICQLite.exe
  +1984=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
  +2016=C:\Programme\Skype\Phone\Skype.exe
  +264=C:\WINDOWS\System32\alg.exe
  +388=C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
  +532=E:\PostgreSQL\bin\pg_ctl.exe
  +1332=E:\PostgreSQL\bin\postmaster.exe
  +1204=C:\WINDOWS\System32\wdfmgr.exe
  +2288=E:\PostgreSQL\bin\postgres.exe
  +2324=E:\PostgreSQL\bin\postgres.exe
  +2340=C:\Programme\Skype\Plugin Manager\skypePM.exe
  +2624=C:\Programme\Alwil Software\Avast4\ashWebSv.exe
  +2892=C:\Programme\Mozilla Firefox\firefox.exe
  +3324=C:\WINDOWS\system32\NOTEPAD.EXE
  +3992=D:\PartyPoker\PartyGaming.exe
  +2252=<unkown>
  +3076=C:\Dokumente und Einstellungen\Maggo\Desktop\startdreck217\StartDreck.exe
 »NT Services
  *Warndienst   Alerter   -   on demand
  *Gatewaydienst auf Anwendungsebene   ALG   running   on demand
  *Anwendungsverwaltung   AppMgmt   -   on demand
  *ASP.NET State Service   aspnet_state   -   on demand
  *avast! iAVS4 Control Service   aswUpdSv   running   auto
  *Ati HotKey Poller   Ati HotKey Poller   running   auto
  *ATI Smart   ATI Smart   -   auto
  *Windows Audio   AudioSrv   running   auto
  *avast! Antivirus   avast! Antivirus   running   auto
  *avast! Web Scanner   avast! Web Scanner   running   on demand
  *Intelligenter Hintergrundübertragungsdienst   BITS   running   auto
  *Computerbrowser   Browser   running   auto
  *Indexing Service   cisvc   -   on demand
  *Ablagemappe   ClipSrv   -   on demand
  *.NET Runtime Optimization Service v2.0.50727_X8   clr_optimization_v2.   -   on demand
   `6
  *COM+-Systemanwendung   COMSysApp   -   on demand
  *Kryptografiedienste   CryptSvc   running   auto
  *DHCP-Client   Dhcp   running   auto
  *Verwaltungsdienst für die Verwaltung logischer    dmadmin   -   on demand
   `Datenträger
  *Verwaltung logischer Datenträger   dmserver   running   auto
  *DNS-Client   Dnscache   running   auto
  *Error Reporting Service   ERSvc   running   auto
  *Ereignisprotokoll   Eventlog   running   auto
  *COM+-Ereignissystem   EventSystem   running   on demand
  *Kompatibilität für schnelle Benutzerumschaltung   FastUserSwitchingCom   running   on demand
  *Hilfe und Support   helpsvc   running   auto
  *Eingabegerätezugang   HidServ   -   disabled
  *IMAPI-CD-Brenn-COM-Dienste   ImapiService   -   on demand
  *Server   lanmanserver   running   auto
  *Arbeitsstationsdienst   lanmanworkstation   running   auto
  *TCP/IP-NetBIOS-Hilfsprogramm   LmHosts   running   auto
  *Nachrichtendienst   Messenger   running   auto
  *NetMeeting-Remotedesktop-Freigabe   mnmsrvc   -   on demand
  *Distributed Transaction Coordinator   MSDTC   -   on demand
  *Windows Installer   MSIServer   -   on demand
  *Netzwerk-DDE-Dienst   NetDDE   -   on demand
  *Netzwerk-DDE-Serverdienst   NetDDEdsdm   -   on demand
  *Anmeldedienst   Netlogon   -   on demand
  *Netzwerkverbindungen   Netman   running   on demand
  *NLA (Network Location Awareness)   Nla   running   on demand
  *NT-LM-Sicherheitsdienst   NtLmSsp   -   on demand
  *Wechselmedien   NtmsSvc   -   on demand
  *Outpost Firewall Service   OutpostFirewall   running   auto
  *PostgreSQL Database Server 8.0   pgsql-8.0   running   auto
  *Plug & Play   PlugPlay   running   auto
  *IPSEC-Dienste   PolicyAgent   running   auto
  *Geschützter Speicher   ProtectedStorage   running   auto
  *Verwaltung für automatische RAS-Verbindung   RasAuto   running   on demand
  *RAS-Verbindungsverwaltung   RasMan   running   on demand
  *Sitzungs-Manager für Remotedesktophilfe   RDSessMgr   -   on demand
  *Routing und RAS   RemoteAccess   -   disabled
  *Remote-Registrierung   RemoteRegistry   running   auto
  *RPC-Locator   RpcLocator   -   on demand
  *Remoteprozeduraufruf (RPC)   RpcSs   running   auto
  *QoS-RSVP   RSVP   -   on demand
  *Sicherheitskontenverwaltung   SamSs   running   auto
  *Smartcard-Hilfsprogramm   SCardDrv   -   on demand
  *Smartcard   SCardSvr   -   on demand
  *Taskplaner   Schedule   running   auto
  *Sekundäre Anmeldung   seclogon   running   auto
  *Systemereignisbenachrichtigung   SENS   running   auto
  *Internetverbindungsfirewall/Gemeinsame Nutzung    SharedAccess   running   auto
   `der Internetverbindung
  *Shellhardwareerkennung   ShellHWDetection   running   auto
  *Druckwarteschlange   Spooler   running   auto
  *Systemwiederherstellungsdienst   srservice   running   auto
  *SSDP-Suchdienst   SSDPSRV   running   on demand
  *Windows-Bilderfassung (WIA)   stisvc   -   on demand
  *MS Software Shadow Copy Provider   SwPrv   -   on demand
  *Leistungsdatenprotokolle und Warnungen   SysmonLog   -   on demand
  *Telefonie   TapiSrv   running   on demand
  *Terminaldienste   TermService   running   on demand
  *Designs   Themes   running   auto
  *Telnet   TlntSvr   -   on demand
  *Überwachung verteilter Verknüpfungen (Client)   TrkWks   running   auto
  *Windows User Mode Driver Framework   UMWdf   running   auto
  *Upload-Manager   uploadmgr   running   auto
  *Universeller Plug & Play-Gerätehost   upnphost   -   on demand
  *Uninterruptible Power Supply   UPS   -   on demand
  *Volumeschattenkopie   VSS   -   on demand
  *Windows-Zeitgeber   W32Time   running   auto
  *WebClient   WebClient   running   auto
  *Windows-Verwaltungsinstrumentation   winmgmt   running   auto
  *Portable Media Serial Number Service   WmdmPmSN   -   on demand
  *Treibererweiterungen für Windows-Verwaltungsins   Wmi   -   on demand
   `trumentation
  *WMI-Leistungsadapter   WmiApSrv   -   on demand
  *Automatische Updates   wuauserv   running   auto
  *Konfigurationsfreie drahtlose Verbindung   WZCSVC   running   auto
»Application specific

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33904
  • malware fighter
Re: I'm sorry: Win32:TratBHO [Trj] again
« Reply #13 on: January 08, 2008, 10:01:56 PM »
Hi scubamaggo,

Do you understand how this is done? Look below, where I have attached something like that. Do the same with the StartDreck log in a similar way.

pol
« Last Edit: January 08, 2008, 10:13:41 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: I'm sorry: Win32:TratBHO [Trj] again
« Reply #14 on: January 08, 2008, 10:03:52 PM »
Hi Pol, you are the expert on this (still reading).

 *{ACE42F47-341D-427F-84BB-297751AA19CA}
   `InprocServer32=C:\WINDOWS\System32\ati3duagv.dll

This is the one to go.