Author Topic: Win32:TratBHO trojan - help needed.  (Read 37194 times)


Nebu

  • Guest
Win32:TratBHO trojan - help needed.
« on: January 13, 2008, 07:34:49 PM »
Hey.

As many others, it seems I've been infected with this Win32:TratBHO trojan, and have been unable to remove it. Also, ever since it appeared, on my first reboot I've noticed this .exe: C:\is9.exe, which opens in a cmd prompt upon startup (it didn't this time after I ran ComboFix and had to reboot to regain my net connection (I got kicked off the net, it seemed)).

Hope anyone is able to/willing to help me :)

ComboFix 08-01-13.1 - Th 2008-01-13 19:14:08.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1030.18.1552 [GMT 1:00]
Running from: C:\Documents and Settings\Th\Skrivebord\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\Quarantine
C:\WINDOWS\images.zip
C:\WINDOWS\system32\vtuvtsp.dll

.
(((((((((((((((((((((((((   Files Created from 2007-12-13 to 2008-01-13  )))))))))))))))))))))))))))))))
.

2008-01-13 19:13 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-13 19:00 . 2008-01-13 19:00   <DIR>   d--------   C:\Programmer\Trend Micro
2008-01-13 18:52 . 2008-01-13 18:52   <DIR>   d--------   C:\Documents and Settings\Th\Application Data\Comodo
2008-01-13 18:52 . 2008-01-13 18:52   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Comodo
2008-01-13 18:47 . 2006-04-18 17:35   211   --a------   C:\boot.ini.comodofirewall
2008-01-13 18:46 . 2008-01-13 18:46   <DIR>   d--------   C:\Programmer\Comodo
2008-01-13 18:39 . 2008-01-13 18:39   <DIR>   d--------   C:\Programmer\SpywareBlaster
2008-01-13 18:30 . 2008-01-13 18:50   <DIR>   d--------   C:\Programmer\SUPERAntiSpyware
2008-01-13 18:30 . 2008-01-13 18:30   <DIR>   d--------   C:\Documents and Settings\Th\Application Data\SUPERAntiSpyware.com
2008-01-13 18:30 . 2008-01-13 18:30   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-13 17:55 . 2008-01-13 17:55   <DIR>   d--h-----   C:\WINDOWS\PIF
2008-01-13 17:40 . 2008-01-13 18:55   5,197   --a------   C:\is9.exe
2008-01-04 18:29 . 2008-01-04 18:29   <DIR>   dr-------   C:\Documents and Settings\Th\Application Data\Brother
2008-01-04 18:09 . 2008-01-04 18:17   <DIR>   d--------   C:\Programmer\Brownie
2008-01-04 18:07 . 2008-01-04 18:09   <DIR>   d--------   C:\Programmer\Brother
2008-01-04 18:07 . 2004-10-12 01:24   188,416   --a------   C:\WINDOWS\system32\Pdrvinst.dll
2008-01-04 18:07 . 2002-10-31 01:09   81,920   --a------   C:\WINDOWS\system32\BrWebIns.dll
2008-01-04 18:07 . 2003-07-03 01:08   65,536   --a------   C:\WINDOWS\system32\BRWEBUP.EXE
2008-01-04 16:52 . 2007-12-29 23:00   313,344   -r-hs----   C:\WINDOWS\wkssvr.exe
2007-12-30 17:36 . 2007-12-30 17:36   <DIR>   d--------   C:\Programmer\EVEMon
2007-12-30 17:36 . 2007-12-30 17:52   <DIR>   d--------   C:\Documents and Settings\Th\Application Data\EVEMon
2007-12-28 00:27 . 2007-12-28 00:27   <DIR>   d--------   C:\Programmer\iPod
2007-12-28 00:27 . 2008-01-13 18:52   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2007-12-28 00:27 . 2007-12-28 00:28   1,409   --a------   C:\WINDOWS\QTFont.for
2007-12-28 00:26 . 2007-12-28 00:26   <DIR>   d--------   C:\Programmer\QuickTime
2007-12-28 00:24 . 2007-12-28 00:24   <DIR>   d--------   C:\Programmer\Fælles filer\Apple
2007-12-28 00:24 . 2007-10-31 14:09   30,464   --a------   C:\WINDOWS\system32\drivers\usbaapl.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 17:56   ---------   d-----w   C:\Documents and Settings\Th\Application Data\Skype
2008-01-13 17:29   ---------   d-----w   C:\Programmer\Fælles filer\Wise Installation Wizard
2008-01-13 16:25   ---------   d-----w   C:\Documents and Settings\Th\Application Data\uTorrent
2008-01-04 17:17   ---------   d--h--w   C:\Programmer\InstallShield Installation Information
2008-01-04 17:07   ---------   d-----w   C:\Programmer\Fælles filer\InstallShield
2007-12-28 00:23   ---------   d-----w   C:\Programmer\iTunes
2007-12-10 17:16   ---------   d-----w   C:\Programmer\EFT
2007-12-04 14:56   93,264   ------w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ------w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ------w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ------w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ------w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2007-11-30 21:33   ---------   d-----w   C:\Programmer\Pocket Tanks Deluxe
2007-11-27 20:42   43,520   ----a-w   C:\WINDOWS\system32\CmdLineExt03.dll
2007-11-16 13:53   ---------   d-----w   C:\Programmer\Java
2007-11-13 10:25   20,480   ------w   C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:28   723,456   ----a-w   C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:44   1,291,776   ----a-w   C:\WINDOWS\system32\quartz.dll
2007-10-25 08:28   222,720   ----a-w   C:\WINDOWS\system32\wmasf.dll
2006-03-16 13:05   32   ----a-r   C:\Documents and Settings\All Users\hash.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Programmer\Skype\Phone\Skype.exe" [2007-03-30 12:34 25263144]
"MsnMsgr"="C:\Programmer\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:55 5674352]
"Aim6"="" []
"Utopia Angel"="C:\Utopia\Angel\Angel.exe" [ ]
"DAEMON Tools"="C:\Programmer\DAEMON Tools\daemon.exe" [2007-04-03 23:29 165784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 13:00 15360]
"SUPERAntiSpyware"="C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 11:45 49152 C:\WINDOWS\KHALMNPR.Exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 18:58 81920]
"SoundMan"="SOUNDMAN.EXE" [2006-05-11 13:19 77824 C:\WINDOWS\soundman.exe]
"WebcamMaxMoniter"="C:\Programmer\WebcamMax\CAMTHINS.exe" [2006-07-20 14:25 73728]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"QuickTime Task"="C:\Programmer\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Programmer\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"COMODO Firewall Pro"="C:\Programmer\Comodo\Firewall\CPF.exe" [2008-01-13 18:46 1115728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-27 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [ ]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Adobe Reader Hurtigstart.lnk - C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
EVEMon.lnk - C:\Programmer\EVEMon\EVEMon.exe [2007-07-04 00:30:42]
Logitech SetPoint.lnk - C:\Programmer\Logitech\SetPoint\SetPoint.exe [2006-04-18 18:55:31]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programmer\SUPERAntiSpyware\SASWINLO.dll

R1 bbcap;bbcap;C:\WINDOWS\system32\DRIVERS\bbcap.sys [2007-04-01 12:18]
R3 LUsbKbd;Logitech SetPoint USB Keyboard Filter;C:\WINDOWS\system32\Drivers\LUsbKbd.Sys [2004-12-10 11:48]
S2 CamthWDM;WebcamMax, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\CamthWDM.sys [2006-07-03 07:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc3e5e2a-ed34-11db-8d26-0013d448bbbe}]
\Shell\AutoRun\command - G:\Autorun.exe

*Newly Created Service* - CMDAGENT
*Newly Created Service* - CMDMON
*Newly Created Service* - INSPECT
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 15:46:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmer\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 19:20:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 19:20:34
ComboFix-quarantined-files.txt  2008-01-13 18:20:20
.
2008-01-09 12:37:25   --- E O F ---  

Nebu

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #1 on: January 13, 2008, 07:36:07 PM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:21:43, on 13-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\WebcamMax\CAMTHINS.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\QuickTime\QTTask.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\WINDOWS\wkssvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Comodo\Firewall\CPF.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\EVEMon\EVEMon.exe
C:\Programmer\Logitech\SetPoint\SetPoint.exe
C:\Programmer\Fælles filer\Logitech\KHAL\KHALMNPR.EXE
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmer\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programmer\Viewpoint\Common\ViewpointService.exe
C:\Programmer\Fælles filer\Sony Shared\AVLib\SSScsiSV.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe
C:\Programmer\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WebcamMaxMoniter] "C:\Programmer\WebcamMax\CAMTHINS.exe" /m
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programmer\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programmer\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = ?
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EVEMon.lnk = C:\Programmer\EVEMon\EVEMon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.nordic-t.org
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204

Nebu

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #2 on: January 13, 2008, 07:37:01 PM »
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0714915C-028E-4340-B500-3FCD0D466377}: NameServer = 212.242.40.3,212.242.40.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{0714915C-028E-4340-B500-3FCD0D466377}: NameServer = 212.242.40.3,212.242.40.51
O17 - HKLM\System\CS2\Services\Tcpip\..\{0714915C-028E-4340-B500-3FCD0D466377}: NameServer = 212.242.40.3,212.242.40.51
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Programmer\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmer\Fælles filer\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmer\Fælles filer\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmer\Fælles filer\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programmer\Fælles filer\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Programmer\Viewpoint\Common\ViewpointService.exe

--
End of file - 9728 bytes

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
Re: Win32:TratBHO trojan - help needed.
« Reply #3 on: January 13, 2008, 09:57:15 PM »
You are running AVG and Avast together, not a good plan.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
File::
C:\is9.exe



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Nebu

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #4 on: January 13, 2008, 10:24:16 PM »
TY mate :)
And actually I'm not running AVG, but it got fucked up when uninstalling it; I haven't been able to remove all the crap it left behind.

ComboFix 08-01-13.1 - Th 2008-01-13 22:10:17.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1030.18.1523 [GMT 1:00]
Running from: C:\Documents and Settings\Th\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Th\Skrivebord\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\is9.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\is9.exe

.
(((((((((((((((((((((((((   Files Created from 2007-12-13 to 2008-01-13  )))))))))))))))))))))))))))))))
.

2008-01-13 19:13 . 2000-08-31 08:00   51,200   --a------   C:\WINDOWS\NirCmd.exe
2008-01-13 19:00 . 2008-01-13 19:00   <DIR>   d--------   C:\Programmer\Trend Micro
2008-01-13 18:52 . 2008-01-13 18:52   <DIR>   d--------   C:\Documents and Settings\Th\Application Data\Comodo
2008-01-13 18:52 . 2008-01-13 18:52   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Comodo
2008-01-13 18:47 . 2006-04-18 17:35   211   --a------   C:\boot.ini.comodofirewall
2008-01-13 18:46 . 2008-01-13 18:46   <DIR>   d--------   C:\Programmer\Comodo
2008-01-13 18:39 . 2008-01-13 18:39   <DIR>   d--------   C:\Programmer\SpywareBlaster
2008-01-13 18:30 . 2008-01-13 18:50   <DIR>   d--------   C:\Programmer\SUPERAntiSpyware
2008-01-13 18:30 . 2008-01-13 18:30   <DIR>   d--------   C:\Documents and Settings\Th\Application Data\SUPERAntiSpyware.com
2008-01-13 18:30 . 2008-01-13 18:30   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-13 17:55 . 2008-01-13 17:55   <DIR>   d--h-----   C:\WINDOWS\PIF
2008-01-04 18:29 . 2008-01-04 18:29   <DIR>   dr-------   C:\Documents and Settings\Th\Application Data\Brother
2008-01-04 18:09 . 2008-01-04 18:17   <DIR>   d--------   C:\Programmer\Brownie
2008-01-04 18:07 . 2008-01-04 18:09   <DIR>   d--------   C:\Programmer\Brother
2008-01-04 18:07 . 2004-10-12 01:24   188,416   --a------   C:\WINDOWS\system32\Pdrvinst.dll
2008-01-04 18:07 . 2002-10-31 01:09   81,920   --a------   C:\WINDOWS\system32\BrWebIns.dll
2008-01-04 18:07 . 2003-07-03 01:08   65,536   --a------   C:\WINDOWS\system32\BRWEBUP.EXE
2008-01-04 16:52 . 2007-12-29 23:00   313,344   -r-hs----   C:\WINDOWS\wkssvr.exe
2007-12-30 17:36 . 2007-12-30 17:36   <DIR>   d--------   C:\Programmer\EVEMon
2007-12-30 17:36 . 2007-12-30 17:52   <DIR>   d--------   C:\Documents and Settings\Th\Application Data\EVEMon
2007-12-28 00:27 . 2007-12-28 00:27   <DIR>   d--------   C:\Programmer\iPod
2007-12-28 00:27 . 2008-01-13 19:26   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2007-12-28 00:27 . 2007-12-28 00:28   1,409   --a------   C:\WINDOWS\QTFont.for
2007-12-28 00:26 . 2007-12-28 00:26   <DIR>   d--------   C:\Programmer\QuickTime
2007-12-28 00:24 . 2007-12-28 00:24   <DIR>   d--------   C:\Programmer\Fælles filer\Apple
2007-12-28 00:24 . 2007-10-31 14:09   30,464   --a------   C:\WINDOWS\system32\drivers\usbaapl.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 21:02   ---------   d-----w   C:\Documents and Settings\Th\Application Data\uTorrent
2008-01-13 18:27   ---------   d-----w   C:\Documents and Settings\Th\Application Data\Skype
2008-01-13 17:29   ---------   d-----w   C:\Programmer\Fælles filer\Wise Installation Wizard
2008-01-04 17:17   ---------   d--h--w   C:\Programmer\InstallShield Installation Information
2008-01-04 17:07   ---------   d-----w   C:\Programmer\Fælles filer\InstallShield
2007-12-28 00:23   ---------   d-----w   C:\Programmer\iTunes
2007-12-10 17:16   ---------   d-----w   C:\Programmer\EFT
2007-12-04 14:56   93,264   ------w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55   94,544   ------w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53   23,152   ------w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51   42,912   ------w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49   26,624   ------w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04   837,496   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54   95,608   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2007-11-30 21:33   ---------   d-----w   C:\Programmer\Pocket Tanks Deluxe
2007-11-27 20:42   43,520   ----a-w   C:\WINDOWS\system32\CmdLineExt03.dll
2007-11-16 13:53   ---------   d-----w   C:\Programmer\Java
2007-11-13 10:25   20,480   ------w   C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:28   723,456   ----a-w   C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:44   1,291,776   ----a-w   C:\WINDOWS\system32\quartz.dll
2007-10-25 08:28   222,720   ----a-w   C:\WINDOWS\system32\wmasf.dll
2006-03-16 13:05   32   ----a-r   C:\Documents and Settings\All Users\hash.dat
.

(((((((((((((((((((((((((((((   snapshot@2008-01-13_19.20.08,06   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-13 18:13:54   229,376   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-13 21:10:11   229,376   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 18:13:54   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-13 21:10:11   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 18:13:54   229,376   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-13 21:10:12   229,376   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-13 18:13:54   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-13 21:10:12   8,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 18:13:54   6,152,192   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-13 21:10:12   6,209,536   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-13 18:13:54   544,768   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 21:10:12   544,768   ----a-w   C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-13 18:26:41   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_5fc.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Programmer\Skype\Phone\Skype.exe" [2007-03-30 12:34 25263144]
"MsnMsgr"="C:\Programmer\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:55 5674352]
"Aim6"="" []
"Utopia Angel"="C:\Utopia\Angel\Angel.exe" [ ]
"DAEMON Tools"="C:\Programmer\DAEMON Tools\daemon.exe" [2007-04-03 23:29 165784]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-27 13:00 15360]
"SUPERAntiSpyware"="C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-12-10 11:45 49152 C:\WINDOWS\KHALMNPR.Exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 11:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 11:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 18:58 81920]
"SoundMan"="SOUNDMAN.EXE" [2006-05-11 13:19 77824 C:\WINDOWS\soundman.exe]
"WebcamMaxMoniter"="C:\Programmer\WebcamMax\CAMTHINS.exe" [2006-07-20 14:25 73728]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 11:22 86016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"QuickTime Task"="C:\Programmer\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"iTunesHelper"="C:\Programmer\iTunes\iTunesHelper.exe" [2007-12-11 12:10 267048]
"COMODO Firewall Pro"="C:\Programmer\Comodo\Firewall\CPF.exe" [2008-01-13 18:46 1115728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-27 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [ ]

C:\Documents and Settings\All Users\Menuen Start\Programmer\Start\
Adobe Reader Hurtigstart.lnk - C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
EVEMon.lnk - C:\Programmer\EVEMon\EVEMon.exe [2007-07-04 00:30:42]
Logitech SetPoint.lnk - C:\Programmer\Logitech\SetPoint\SetPoint.exe [2006-04-18 18:55:31]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmer\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmer\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programmer\SUPERAntiSpyware\SASWINLO.dll

R1 bbcap;bbcap;C:\WINDOWS\system32\DRIVERS\bbcap.sys [2007-04-01 12:18]
R3 LUsbKbd;Logitech SetPoint USB Keyboard Filter;C:\WINDOWS\system32\Drivers\LUsbKbd.Sys [2004-12-10 11:48]
S2 CamthWDM;WebcamMax, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\CamthWDM.sys [2006-07-03 07:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc3e5e2a-ed34-11db-8d26-0013d448bbbe}]
\Shell\AutoRun\command - G:\Autorun.exe

Nebu

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #5 on: January 13, 2008, 10:24:47 PM »
.
Contents of the 'Scheduled Tasks' folder
"2008-01-04 15:46:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programmer\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 22:15:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Programmer\Logitech\SetPoint\GameHook.dll
.
Completion time: 2008-01-13 22:16:36
ComboFix-quarantined-files.txt  2008-01-13 21:16:21
.
2008-01-09 12:37:25   --- E O F --- 


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:20:08, on 13-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\WebcamMax\CAMTHINS.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\QuickTime\QTTask.exe
C:\Programmer\iTunes\iTunesHelper.exe
C:\Programmer\Comodo\Firewall\CPF.exe
C:\Programmer\MSN Messenger\MsnMsgr.Exe
C:\Programmer\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programmer\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Programmer\Viewpoint\Common\ViewpointService.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\Programmer\Fælles filer\Sony Shared\AVLib\SSScsiSV.exe
C:\Programmer\iPod\bin\iPodService.exe
C:\Programmer\Logitech\SetPoint\SetPoint.exe
C:\Programmer\Fælles filer\Logitech\KHAL\KHALMNPR.EXE
C:\Programmer\Alwil Software\Avast4\setup\avast.setup
C:\Programmer\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Trend Micro\HijackThis\HijackThis.exe

Nebu

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #6 on: January 13, 2008, 10:26:40 PM »
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmer\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmer\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WebcamMaxMoniter] "C:\Programmer\WebcamMax\CAMTHINS.exe" /m
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Programmer\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programmer\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Utopia Angel] "C:\Utopia\Angel\Angel.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Programmer\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmer\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = ?
O4 - Global Startup: Adobe Reader Hurtigstart.lnk = C:\Programmer\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EVEMon.lnk = C:\Programmer\EVEMon\EVEMon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programmer\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Opslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.nordic-t.org
O16 - DPF: {029FDBA6-3547-11D7-AA4C-0050BF051A00} (Rawflow ICD Client) - http://downol.dr.dk/download/netradio/Rawflow.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.pestpatrol.com/pestscan/pestscan.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0714915C-028E-4340-B500-3FCD0D466377}: NameServer = 212.242.40.3,212.242.40.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{0714915C-028E-4340-B500-3FCD0D466377}: NameServer = 212.242.40.3,212.242.40.51
O17 - HKLM\System\CS2\Services\Tcpip\..\{0714915C-028E-4340-B500-3FCD0D466377}: NameServer = 212.242.40.3,212.242.40.51
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FLLESF~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programmer\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmer\Fælles filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programmer\Fælles filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Programmer\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programmer\Fælles filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Programmer\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Programmer\Fælles filer\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Programmer\Fælles filer\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Programmer\Fælles filer\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Programmer\Fælles filer\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Programmer\Viewpoint\Common\ViewpointService.exe

--
End of file - 9785 bytes

Offline essexboy

  • Malware removal instructor
Re: Win32:TratBHO trojan - help needed.
« Reply #7 on: January 13, 2008, 10:29:38 PM »
Looks a lot better, how is it running now?

Nebu

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #8 on: January 13, 2008, 10:42:52 PM »
Yea, I can't detect anything :)

Something still seems a bit off though, maybe it's just time to format it all.

Thank you for your help  ;)

Offline essexboy

  • Malware removal instructor
Re: Win32:TratBHO trojan - help needed.
« Reply #9 on: January 13, 2008, 10:46:37 PM »
Maybe it just needs a wash and brush up

Prefetch is clickable for more information

Click start then run, type prefetch then press enter, click edit then select all, (all files will highlight), right click any file, click delete, confirm

Click start then all programmes, accessories, system tools to run disc clean up

Reboot

Click start then all programmes, accessories, system tools to run defragmenter

Download, install and run
Tune Up 2007 Trial

Run Tune Up disc clean up

Run Tune Up registry clean up

Then click Optimize and Improve to run Reg Defrag, the screen will lose colour during the process which can take a few minutes and then needs a reboot

Those will have cleared the drive of obsolete software errors

These are suggestions for making the most of the free trial

Click optimize and improve then system optimizer to optimize the computer, select computer with an internet connection from the drop down menu, this also requires a reboot

After the reboot, click optimize then system optimizer to accelerate downloads, select the speed just above your actual connection speed, this requires a reboot.

After the reboot, click optimize then system optimizer to run system advisor



tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #10 on: January 26, 2008, 01:55:00 AM »
Same problem as everyone else.  Ran ComboFix - no idea if it worked or not yet but here is my log report in two posts:

Code:
ComboFix 08-01-23.1C - Stores 2008-01-25 17:35:57.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.193 [GMT -5:00]
Running from: C:\Documents and Settings\Stores\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\system32\bbadd.ini
C:\WINDOWS\system32\bbadd.ini2
C:\WINDOWS\system32\opnnklk.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qqsut.ini
C:\WINDOWS\system32\qqsut.ini2

.
(((((((((((((((((((((((((   Files Created from 2007-12-25 to 2008-01-25  )))))))))))))))))))))))))))))))
.

2008-01-25 17:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 12:07 . 2008-01-24 12:42 <DIR> d-------- C:\Program Files\Uniblue
2008-01-23 13:48 . 2008-01-23 13:48 294 --ahs---- C:\WINDOWS\system32\catdbfny.ini
2008-01-22 19:42 . 2008-01-22 19:43 81,569,865 --a------ C:\WINDOWS\pav.sig
2008-01-22 19:33 . 2005-10-20 10:34 69,632 --a------ C:\WINDOWS\system32\asprouni.exe
2008-01-22 19:32 . 2008-01-23 21:07 <DIR> d-------- C:\WINDOWS\system32\ASPRO
2008-01-22 19:32 . 2008-01-23 22:39 30,590 --a------ C:\WINDOWS\system32\pavaspro.ico
2008-01-22 19:32 . 2008-01-23 22:39 3,377 --a------ C:\WINDOWS\system32\.ico
2008-01-22 19:32 . 2008-01-23 22:39 2,550 --a------ C:\WINDOWS\system32\Uninstallpro.ico
2008-01-22 19:32 . 2008-01-23 22:39 1,406 --a------ C:\WINDOWS\system32\Helppro.ico
2008-01-22 18:26 . 2008-01-23 21:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-22 18:26 . 2008-01-22 18:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-22 18:26 . 2008-01-22 18:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-22 18:26 . 2008-01-22 18:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-22 17:12 . 2008-01-22 12:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-20 11:10 . 2008-01-20 11:10 <DIR> d-------- C:\WINDOWS\system32\vx2
2008-01-20 11:10 . 2008-01-21 06:09 <DIR> d-------- C:\WINDOWS\system32\sa3
2008-01-20 11:10 . 2008-01-20 11:10 <DIR> d-------- C:\TEMP\gTiis19
2008-01-20 11:09 . 2008-01-22 19:14 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-20 11:09 . 2008-01-20 11:09 <DIR> d-------- C:\TEMP\cXzz9
2008-01-19 18:34 . 2008-01-19 18:34 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-18 23:21 . 2008-01-23 22:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 23:21 . 2008-01-18 23:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-17 21:26 . 2008-01-17 21:26 <DIR> d-------- C:\Program Files\ESTsoft
2008-01-17 21:16 . 2001-12-19 11:45 8,576 --a------ C:\WINDOWS\system32\drivers\VCdRom.sys
2008-01-15 07:10 . 2007-11-27 17:06 372,584 --a------ C:\WINDOWS\system32\drivers\ndasfat.sys
2008-01-15 07:10 . 2007-11-27 17:06 254,440 --a------ C:\WINDOWS\system32\drivers\lfsfilt.sys
2008-01-15 07:09 . 2008-01-15 07:09 <DIR> d-------- C:\Program Files\NDAS
2008-01-14 14:32 . 2008-01-14 14:32 <DIR> d-------- C:\Program Files\SMPlayer
2008-01-14 14:09 . 2008-01-14 14:10 <DIR> d-------- C:\Program Files\QuickTime
2008-01-13 15:38 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-01-13 15:38 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-01-13 15:38 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-01-13 15:38 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-01-13 15:38 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-01-13 15:38 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-01-13 15:38 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-01-13 15:37 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-01-13 15:37 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-01-13 15:37 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-01-13 15:37 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-01-13 15:37 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-01-13 15:37 . 2007-10-22 03:37 17,928 --a------ C:\WINDOWS\system32\X3DAudio1_2.dll
2008-01-13 15:36 . 2007-04-04 18:55 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2008-01-13 15:36 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-01-13 15:35 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-01-13 15:35 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-01-13 15:35 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-01-07 13:54 . 2008-01-07 13:54 <DIR> d-------- C:\Program Files\Software River Solutions
2007-12-31 02:30 . 2007-12-31 02:30 <DIR> d-------- C:\Program Files\That 16 remote

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 02:00 --------- d-----w C:\Program Files\Windows Defender
2008-01-24 01:59 --------- d-----w C:\Program Files\SmartFTP Client
2008-01-24 01:59 --------- d-----w C:\Program Files\MSN Messenger
2008-01-24 01:56 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-24 01:53 --------- d-----w C:\Program Files\EditPlus 2
2008-01-24 01:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-29 01:17 --------- d-----w C:\Program Files\DivX
2007-12-20 21:08 --------- d-----w C:\Program Files\Common Files\Skype
2007-12-12 16:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-08 00:56 --------- d-----w C:\Program Files\CFPAS_SEPFC_2007
2007-12-08 00:24 --------- d-----w C:\Program Files\DumbiTV
2007-12-07 14:23 --------- d-----w C:\Program Files\Get-Torrent
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-27 22:06 75,752 ----a-w C:\WINDOWS\system32\drivers\ndasbus.sys
2007-11-27 22:06 62,056 ----a-w C:\WINDOWS\system32\drivers\lpx.sys
2007-11-27 22:06 187,240 ----a-w C:\WINDOWS\system32\drivers\ndasscsi.sys
2007-11-27 20:29 --------- d-----w C:\Program Files\Apple Software Update

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #11 on: January 26, 2008, 01:55:57 AM »
part 2:

Code:
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04D7F46E-6D3A-4B05-A98C-8967D12273DB}]
C:\Program Files\ComPlus Applications\holenuC:\WINDOWS\system32\sa3\renamd83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB25B075-5901-44C5-B283-33D7FF5AFA74}]
C:\WINDOWS\system32\ddabb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA8D9C4A-945A-4B08-8F19-DD4E21472298}]
C:\WINDOWS\system32\tusqq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 13:42 401491]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-12-03 09:55 1260296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 14:09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 14:08 618496]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 12:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 20:10 335872]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2003-05-12 16:33 81920]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 15:19 290816]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 19:52 483328]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
"V0250Mon.exe"="C:\WINDOWS\V0250Mon.exe" [2006-06-08 00:00 32768]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 00:11 24576]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"="C:\WINDOWS\Cpqdiag\CpqDfwAg.exe" [2003-03-13 15:14 212992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 16:48:22 565309]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-11-15 03:16:43 692224]
NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe [2007-11-27 17:06:54 236520]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\desktop.htm
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\desktop\desktop.htm
FriendlyName=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SHOWBIKE"=C:\DOCUME~1\Stores\APPLIC~1\THAT16~1\INTRA LIST.exe

R0 lfsfilt;Lean File Sharing;C:\WINDOWS\system32\DRIVERS\lfsfilt.sys [2007-11-27 17:06]
R0 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys [2007-11-27 17:06]
R1 ClntMgmt;HP Client Management Driver;C:\WINDOWS\system32\Drivers\ClntMgmt.sys [2003-03-06 08:50]
R1 ndasfat;NDAS FAT;C:\WINDOWS\system32\DRIVERS\ndasfat.sys [2007-11-27 17:06]
R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
R2 cpqWebDmi;Insight Web Agent;C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [2003-05-12 16:38]
R2 PDRJNDL;PDRJNDL;C:\Program Files\Dekart\Private Disk\PDRJNDL.SYS [2004-03-19 09:17]
R2 PRVDISK;PRVDISK;C:\Program Files\Dekart\Private Disk\PRVDISK.SYS [2004-04-27 02:51]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-28 19:49]
R3 ndasbus;NDAS Bus Driver;C:\WINDOWS\system32\DRIVERS\ndasbus.sys [2007-11-27 17:06]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5211.sys [2003-07-17 16:06]
S3 Apache2.2;Apache2.2;"C:\www\Apache22\bin\httpd.exe" [2007-03-20 12:02]
S3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 09:50]
S3 ndasscsi;NDAS SCSI Miniport Driver;C:\WINDOWS\system32\DRIVERS\ndasscsi.sys [2007-11-27 17:06]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 V0250Dev;Live! Cam Notebook Pro;C:\WINDOWS\system32\DRIVERS\V0250Dev.sys [2006-06-27 10:25]
S3 V0250Vfx;V0250Vfx;C:\WINDOWS\system32\DRIVERS\V0250Vfx.sys [2006-03-24 15:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{258f20b8-c21b-11dc-b032-0012795af11d}]
\Shell\AutoRun\command - G:\Autorun.exe /run
\Shell\Shell00\Command - G:\Autorun.exe /run
\Shell\Shell01\Command - G:\Autorun.exe /action
\Shell\Shell02\Command - G:\Autorun.exe /uninstall

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8080ee0e-6007-11dc-afa6-0012795af11d}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96f1be1b-4039-11dc-af4b-0012795af11d}]
\Shell\AutoRun\command - F:\CDGO.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 18:00:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-25 22:47:42 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-25 01:27:13 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 17:45:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-25 17:48:20 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-25 22:48:16
.
2008-01-23 19:44:29 --- E O F --- 

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #12 on: January 26, 2008, 01:58:08 AM »
I might add that after running it, my Windows Defender started asking me to accept changes... not sure what to do *shrug*. They are all "Windows Firewall Exceptions" which look like this:

Code:
Summary:
System Configuration change occurred.

This agent monitors security related configuration changes made to Windows.

Detected changes:
New: 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
Original: Not available

firewallport (New):
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP

Advice:
Permit this configuration change only if you trust its origin. It is recommended that you run a quick scan if you choose to deny this change.

Checkpoint:
Firewall Port Exceptions

Category:
Configuration Change

Just going to leave them for now until I get advice here...

Thanks!


Offline essexboy

  • Malware removal instructor
Re: Win32:TratBHO trojan - help needed.
« Reply #13 on: January 26, 2008, 03:25:32 PM »

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
C:\WINDOWS\system32\catdbfny.ini
C:\WINDOWS\system32\.ico
C:\WINDOWS\system32\sa3\renamd83122.exe.dll
C:\WINDOWS\system32\ddabb.dll
C:\WINDOWS\system32\tusqq.dll

Folder::
C:\TEMP\cXzz9
C:\TEMP\gTiis19
C:\WINDOWS\system32\sa3
C:\WINDOWS\system32\vx2
C:\WINDOWS\system32\nGpxx01

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB25B075-5901-44C5-B283-33D7FF5AFA74}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{04D7F46E-6D3A-4B05-A98C-8967D12273DB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA8D9C4A-945A-4B08-8F19-DD4E21472298}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{258f20b8-c21b-11dc-b032-0012795af11d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{96f1be1b-4039-11dc-af4b-0012795af11d}]


3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

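As an added example (not code from this thread, from ComboFix's authors or from the helper above): a small Python script that reads a CFScript in the File::/Folder::/Registry:: form used in the post above and checks it against the ComboFix log written after the run, reporting which targets the log confirms as deleted, which it does not, and which registry keys are still listed. The sample script and log are constructed from entries in this thread, with one BHO key deliberately left in the log; the section-header layout it parses is assumed from the logs posted here.

```python
import re
from typing import Dict, List, Set

SECTION_RE = re.compile(r"^(File|Folder|Registry)::\s*$", re.IGNORECASE)  # CFScript headers
LOG_HEADER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")  # ComboFix "(((( Title ))))" separators


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its File::, Folder:: and Registry:: entries (blank lines ignored)."""
    sections: Dict[str, List[str]] = {"File": [], "Folder": [], "Registry": []}
    current = None
    for line in (ln.strip() for ln in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).capitalize()
        elif line and current is not None:
            sections[current].append(line)
    return sections


def combofix_deletions(log: str) -> Set[str]:
    """Lower-cased paths listed under 'Other Deletions'; every other log section is skipped."""
    deleted: Set[str] = set()
    in_section = False
    for line in (ln.strip() for ln in log.splitlines()):
        m = LOG_HEADER_RE.match(line)
        if m:
            in_section = m.group(1).lower() == "other deletions"
        elif in_section and line and line != ".":
            deleted.add(line.lower())
    return deleted


def registry_key_from_script(entry: str) -> str:
    """'[-HKEY...\\X]' -> 'HKEY...\\X'; the leading '-' marks a key for deletion."""
    return entry.strip("[]").lstrip("-")


def reconcile(cfscript: str, post_fix_log: str) -> Dict[str, List[str]]:
    """Report which CFScript targets the post-fix log confirms as removed.

    A file or folder is confirmed when it, or a parent folder, is listed under
    'Other Deletions'. A registry key is flagged when its path still occurs in
    the post-fix log. 'unconfirmed' does NOT mean 'still present': ComboFix
    lists only what it deleted, so a target that never existed lands here too.
    """
    script = parse_cfscript(cfscript)
    deleted = combofix_deletions(post_fix_log)
    log_lower = post_fix_log.lower()

    def covered(path: str) -> bool:
        p = path.lower()
        while p and p not in deleted:
            p = p.rpartition("\\")[0]  # climb to the parent folder; "" once the drive is reached
        return bool(p)

    out: Dict[str, List[str]] = {"confirmed": [], "unconfirmed": [], "registry_still_listed": []}
    for target in script["File"] + script["Folder"]:
        out["confirmed" if covered(target) else "unconfirmed"].append(target)
    for entry in script["Registry"]:
        key = registry_key_from_script(entry)
        if key.lower() in log_lower:
            out["registry_still_listed"].append(key)
    return out


# Constructed sample inputs, modelled on the CFScript and the post-fix ComboFix log in this
# thread; one BHO key is deliberately left in the log to exercise the failure branch.
SAMPLE_CFSCRIPT = r"""
File::
C:\WINDOWS\system32\catdbfny.ini
C:\WINDOWS\system32\sa3\renamd83122.exe.dll
C:\WINDOWS\system32\ddabb.dll
C:\WINDOWS\system32\tusqq.dll

Folder::
C:\TEMP\cXzz9
C:\WINDOWS\system32\sa3

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB25B075-5901-44C5-B283-33D7FF5AFA74}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA8D9C4A-945A-4B08-8F19-DD4E21472298}]
"""

SAMPLE_POST_FIX_LOG = r"""
ComboFix 08-01-23.1C - Stores 2008-01-26 14:33:23.2 - NTFSx86
((((((((((((((((((((   Other Deletions   ))))))))))))))))))))
.

C:\TEMP\cXzz9
C:\WINDOWS\system32\catdbfny.ini
C:\WINDOWS\system32\sa3

.
((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA8D9C4A-945A-4B08-8F19-DD4E21472298}]
C:\WINDOWS\system32\tusqq.dll
"""
```

Calling `reconcile(SAMPLE_CFSCRIPT, SAMPLE_POST_FIX_LOG)` puts the two BHO DLLs that never appear under 'Other Deletions' into 'unconfirmed' and the leftover key into 'registry_still_listed', which is the list to hand back to the helper with the next log.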
tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #14 on: January 27, 2008, 12:32:20 AM »
Well - still no luck of it popping up *crosses fingers*

Here's the report:

Code:
ComboFix 08-01-23.1C - Stores 2008-01-26 14:33:23.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.195 [GMT -5:00]
Running from: C:\Documents and Settings\Stores\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Stores\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\.ico
C:\WINDOWS\system32\catdbfny.ini
C:\WINDOWS\system32\ddabb.dll
C:\WINDOWS\system32\sa3\renamd83122.exe.dll
C:\WINDOWS\system32\tusqq.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\TEMP\cXzz9
C:\TEMP\gTiis19
C:\TEMP\gTiis19\lTig.log
C:\WINDOWS\system32\.ico
C:\WINDOWS\system32\catdbfny.ini
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\sa3
C:\WINDOWS\system32\vx2

.
(((((((((((((((((((((((((   Files Created from 2007-12-26 to 2008-01-26  )))))))))))))))))))))))))))))))
.

2008-01-25 17:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 12:07 . 2008-01-24 12:42 <DIR> d-------- C:\Program Files\Uniblue
2008-01-22 19:42 . 2008-01-22 19:43 81,569,865 --a------ C:\WINDOWS\pav.sig
2008-01-22 19:33 . 2005-10-20 10:34 69,632 --a------ C:\WINDOWS\system32\asprouni.exe
2008-01-22 19:32 . 2008-01-23 21:07 <DIR> d-------- C:\WINDOWS\system32\ASPRO
2008-01-22 19:32 . 2008-01-23 22:39 30,590 --a------ C:\WINDOWS\system32\pavaspro.ico
2008-01-22 19:32 . 2008-01-23 22:39 2,550 --a------ C:\WINDOWS\system32\Uninstallpro.ico
2008-01-22 19:32 . 2008-01-23 22:39 1,406 --a------ C:\WINDOWS\system32\Helppro.ico
2008-01-22 18:26 . 2008-01-23 21:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-22 18:26 . 2008-01-22 18:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-22 18:26 . 2008-01-22 18:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-22 18:26 . 2008-01-22 18:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-22 17:12 . 2008-01-22 12:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-19 18:34 . 2008-01-19 18:34 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-18 23:21 . 2008-01-23 22:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 23:21 . 2008-01-18 23:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-17 21:26 . 2008-01-17 21:26 <DIR> d-------- C:\Program Files\ESTsoft
2008-01-17 21:16 . 2001-12-19 11:45 8,576 --a------ C:\WINDOWS\system32\drivers\VCdRom.sys
2008-01-15 07:10 . 2007-11-27 17:06 372,584 --a------ C:\WINDOWS\system32\drivers\ndasfat.sys
2008-01-15 07:10 . 2007-11-27 17:06 254,440 --a------ C:\WINDOWS\system32\drivers\lfsfilt.sys
2008-01-15 07:09 . 2008-01-15 07:09 <DIR> d-------- C:\Program Files\NDAS
2008-01-14 14:32 . 2008-01-14 14:32 <DIR> d-------- C:\Program Files\SMPlayer
2008-01-14 14:09 . 2008-01-14 14:10 <DIR> d-------- C:\Program Files\QuickTime
2008-01-13 15:38 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-01-13 15:38 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-01-13 15:38 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-01-13 15:38 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-01-13 15:38 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-01-13 15:38 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-01-13 15:38 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-01-13 15:37 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-01-13 15:37 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-01-13 15:37 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-01-13 15:37 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-01-13 15:37 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-01-13 15:37 . 2007-10-22 03:37 17,928 --a------ C:\WINDOWS\system32\X3DAudio1_2.dll
2008-01-13 15:36 . 2007-04-04 18:55 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2008-01-13 15:36 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-01-13 15:35 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-01-13 15:35 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-01-13 15:35 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-01-07 13:54 . 2008-01-07 13:54 <DIR> d-------- C:\Program Files\Software River Solutions
2007-12-31 02:30 . 2007-12-31 02:30 <DIR> d-------- C:\Program Files\That 16 remote

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 02:00 --------- d-----w C:\Program Files\Windows Defender
2008-01-24 01:59 --------- d-----w C:\Program Files\SmartFTP Client
2008-01-24 01:59 --------- d-----w C:\Program Files\MSN Messenger
2008-01-24 01:56 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-24 01:53 --------- d-----w C:\Program Files\EditPlus 2
2008-01-24 01:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-29 01:17 --------- d-----w C:\Program Files\DivX
2007-12-20 21:08 --------- d-----w C:\Program Files\Common Files\Skype
2007-12-12 16:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-08 00:56 --------- d-----w C:\Program Files\CFPAS_SEPFC_2007
2007-12-08 00:24 --------- d-----w C:\Program Files\DumbiTV
2007-12-07 14:23 --------- d-----w C:\Program Files\Get-Torrent
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-27 22:06 75,752 ----a-w C:\WINDOWS\system32\drivers\ndasbus.sys
2007-11-27 22:06 62,056 ----a-w C:\WINDOWS\system32\drivers\lpx.sys
2007-11-27 22:06 187,240 ----a-w C:\WINDOWS\system32\drivers\ndasscsi.sys
2007-11-27 22:06 15,848 ----a-w C:\WINDOWS\system32\wshlpx.dll
2007-11-27 22:06 14,312 ----a-w C:\WINDOWS\system32\ndasiomg.dll
2007-11-27 20:29 --------- d-----w C:\Program Files\Apple Software Update
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.

(((((((((((((((((((((((((((((   snapshot@2008-01-25_17.48.04.89   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-25 22:34:48 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-26 19:33:06 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-25 22:34:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-26 19:33:06 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-25 22:34:48 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-26 19:33:06 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-25 22:34:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-26 19:33:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-25 22:34:49 6,766,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-26 19:33:07 6,782,976 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-25 22:34:49 32,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-26 19:33:07 32,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat