Author Topic: Win32:TratBHO trojan - help needed.  (Read 37074 times)


tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #15 on: January 27, 2008, 12:32:51 AM »
and the next part:

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 13:42 401491]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-12-03 09:55 1260296]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 14:09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 14:08 618496]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 12:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 20:10 335872]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2003-05-12 16:33 81920]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 15:19 290816]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 19:52 483328]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
"V0250Mon.exe"="C:\WINDOWS\V0250Mon.exe" [2006-06-08 00:00 32768]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 00:11 24576]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"="C:\WINDOWS\Cpqdiag\CpqDfwAg.exe" [2003-03-13 15:14 212992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 16:48:22 565309]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-11-15 03:16:43 692224]
NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe [2007-11-27 17:06:54 236520]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\desktop.htm
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\desktop\desktop.htm
FriendlyName=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SHOWBIKE"=C:\DOCUME~1\Stores\APPLIC~1\THAT16~1\INTRA LIST.exe

R0 lfsfilt;Lean File Sharing;C:\WINDOWS\system32\DRIVERS\lfsfilt.sys [2007-11-27 17:06]
R0 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys [2007-11-27 17:06]
R1 ClntMgmt;HP Client Management Driver;C:\WINDOWS\system32\Drivers\ClntMgmt.sys [2003-03-06 08:50]
R1 ndasfat;NDAS FAT;C:\WINDOWS\system32\DRIVERS\ndasfat.sys [2007-11-27 17:06]
R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
R2 PDRJNDL;PDRJNDL;C:\Program Files\Dekart\Private Disk\PDRJNDL.SYS [2004-03-19 09:17]
R2 PRVDISK;PRVDISK;C:\Program Files\Dekart\Private Disk\PRVDISK.SYS [2004-04-27 02:51]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-28 19:49]
R3 ndasbus;NDAS Bus Driver;C:\WINDOWS\system32\DRIVERS\ndasbus.sys [2007-11-27 17:06]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5211.sys [2003-07-17 16:06]
S3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 09:50]
S3 ndasscsi;NDAS SCSI Miniport Driver;C:\WINDOWS\system32\DRIVERS\ndasscsi.sys [2007-11-27 17:06]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 V0250Dev;Live! Cam Notebook Pro;C:\WINDOWS\system32\DRIVERS\V0250Dev.sys [2006-06-27 10:25]
S3 V0250Vfx;V0250Vfx;C:\WINDOWS\system32\DRIVERS\V0250Vfx.sys [2006-03-24 15:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8080ee0e-6007-11dc-afa6-0012795af11d}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 18:00:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-26 07:02:29 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-25 01:27:13 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 14:37:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-26 14:38:35
ComboFix-quarantined-files.txt  2008-01-26 19:38:14
ComboFix2.txt  2008-01-25 22:48:20
.
2008-01-23 19:44:29 --- E O F --- 

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
Re: Win32:TratBHO trojan - help needed.
« Reply #16 on: January 27, 2008, 11:55:48 AM »
Hi I just found another miscreant that did not show in the first scan

To enable the viewing of Hidden files follow these steps:

Close all programs so that you are at your desktop.
Double-click on the My Computer icon.
Select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
Press the Apply button and then the OK button and close My Computer.
Now your computer is configured to show all hidden files.




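Please delete this folder (unless you know exactly what it is), as it looks like LOP/Adfirst. The path below uses the 8.3 short name THAT16~1, so in Explorer the folder will appear under its long name, which probably begins with "That 16".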

C:\DOCUMENTS AND SETTINGS\Stores\APPLICATION DATA\THAT16~1

Then re-scan with HijackThis and delete this O4 entry

"SHOWBIKE"=C:\DOCUME~1\Stores\APPLIC~1\THAT16~1\INTRA LIST.exe


Then post a new Hijackthis log

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #17 on: January 27, 2008, 04:51:49 PM »
OK, I checked or unchecked everything as instructed.
Could not find the folder mentioned in that path
I'm sure I did it right though....can see all the system folders...


C:\DOCUMENTS AND SETTINGS\Stores\APPLICATION DATA\THAT16~1




Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
Re: Win32:TratBHO trojan - help needed.
« Reply #18 on: January 27, 2008, 06:10:31 PM »
Could you post a new Hijackthis log please

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #19 on: January 27, 2008, 06:20:58 PM »
Do you want me to start a fresh scan or use the text file from above?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
Re: Win32:TratBHO trojan - help needed.
« Reply #20 on: January 27, 2008, 06:23:06 PM »
Fresh one please

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #21 on: January 28, 2008, 12:02:50 AM »
Here it is - thank you for the help :)

ComboFix 08-01-23.1C - Stores 2008-01-27 15:55:19.3 - NTFSx86
Running from: C:\Documents and Settings\Stores\Desktop\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((   Files Created from 2007-12-27 to 2008-01-27  )))))))))))))))))))))))))))))))
.

2008-01-26 18:27 . 2008-01-26 18:27 <DIR> d-------- C:\Program Files\GameSpy Arcade
2008-01-25 17:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 12:07 . 2008-01-24 12:42 <DIR> d-------- C:\Program Files\Uniblue
2008-01-22 19:42 . 2008-01-22 19:43 81,569,865 --a------ C:\WINDOWS\pav.sig
2008-01-22 19:33 . 2005-10-20 10:34 69,632 --a------ C:\WINDOWS\system32\asprouni.exe
2008-01-22 19:32 . 2008-01-23 21:07 <DIR> d-------- C:\WINDOWS\system32\ASPRO
2008-01-22 19:32 . 2008-01-23 22:39 30,590 --a------ C:\WINDOWS\system32\pavaspro.ico
2008-01-22 19:32 . 2008-01-23 22:39 2,550 --a------ C:\WINDOWS\system32\Uninstallpro.ico
2008-01-22 19:32 . 2008-01-23 22:39 1,406 --a------ C:\WINDOWS\system32\Helppro.ico
2008-01-22 18:26 . 2008-01-23 21:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-22 18:26 . 2008-01-22 18:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-22 18:26 . 2008-01-22 18:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-22 18:26 . 2008-01-22 18:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-22 17:12 . 2008-01-22 12:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-19 18:34 . 2008-01-19 18:34 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-18 23:21 . 2008-01-26 19:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 23:21 . 2008-01-18 23:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-17 21:26 . 2008-01-17 21:26 <DIR> d-------- C:\Program Files\ESTsoft
2008-01-17 21:16 . 2001-12-19 11:45 8,576 --a------ C:\WINDOWS\system32\drivers\VCdRom.sys
2008-01-15 07:10 . 2007-11-27 17:06 372,584 --a------ C:\WINDOWS\system32\drivers\ndasfat.sys
2008-01-15 07:10 . 2007-11-27 17:06 254,440 --a------ C:\WINDOWS\system32\drivers\lfsfilt.sys
2008-01-15 07:09 . 2008-01-15 07:09 <DIR> d-------- C:\Program Files\NDAS
2008-01-14 14:32 . 2008-01-14 14:32 <DIR> d-------- C:\Program Files\SMPlayer
2008-01-14 14:09 . 2008-01-14 14:10 <DIR> d-------- C:\Program Files\QuickTime
2008-01-13 15:38 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-01-13 15:38 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-01-13 15:38 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-01-13 15:38 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-01-13 15:38 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-01-13 15:38 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-01-13 15:38 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-01-13 15:37 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-01-13 15:37 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-01-13 15:37 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-01-13 15:37 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-01-13 15:37 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-01-13 15:37 . 2007-10-22 03:37 17,928 --a------ C:\WINDOWS\system32\X3DAudio1_2.dll
2008-01-13 15:36 . 2007-04-04 18:55 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2008-01-13 15:36 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-01-13 15:35 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-01-13 15:35 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-01-13 15:35 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-01-07 13:54 . 2008-01-07 13:54 <DIR> d-------- C:\Program Files\Software River Solutions
2007-12-31 02:30 . 2007-12-31 02:30 <DIR> d-------- C:\Program Files\That 16 remote

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 23:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-24 02:00 --------- d-----w C:\Program Files\Windows Defender
2008-01-24 01:59 --------- d-----w C:\Program Files\SmartFTP Client
2008-01-24 01:59 --------- d-----w C:\Program Files\MSN Messenger
2008-01-24 01:56 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-24 01:53 --------- d-----w C:\Program Files\EditPlus 2
2007-12-29 01:17 --------- d-----w C:\Program Files\DivX
2007-12-20 21:08 --------- d-----w C:\Program Files\Common Files\Skype
2007-12-12 16:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-08 00:56 --------- d-----w C:\Program Files\CFPAS_SEPFC_2007
2007-12-08 00:24 --------- d-----w C:\Program Files\DumbiTV
2007-12-07 14:23 --------- d-----w C:\Program Files\Get-Torrent
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-27 22:06 75,752 ----a-w C:\WINDOWS\system32\drivers\ndasbus.sys
2007-11-27 22:06 62,056 ----a-w C:\WINDOWS\system32\drivers\lpx.sys
2007-11-27 22:06 187,240 ----a-w C:\WINDOWS\system32\drivers\ndasscsi.sys
2007-11-27 22:06 15,848 ----a-w C:\WINDOWS\system32\wshlpx.dll
2007-11-27 22:06 14,312 ----a-w C:\WINDOWS\system32\ndasiomg.dll
2007-11-27 20:29 --------- d-----w C:\Program Files\Apple Software Update
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #22 on: January 28, 2008, 12:03:17 AM »
part 2

(((((((((((((((((((((((((((((   snapshot@2008-01-25_17.48.04.89   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-25 22:34:48 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2008-01-26 19:33:06 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT
- 2008-01-25 22:34:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-01-26 19:33:06 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat
- 2008-01-25 22:34:48 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT
+ 2008-01-26 19:33:06 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT
- 2008-01-25 22:34:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat
+ 2008-01-26 19:33:07 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat
- 2008-01-25 22:34:49 6,766,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT
+ 2008-01-26 19:33:07 6,782,976 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT
- 2008-01-25 22:34:49 32,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat
+ 2008-01-26 19:33:07 32,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 13:42 401491]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-12-03 09:55 1260296]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 14:09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 14:08 618496]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 12:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 20:10 335872]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2003-05-12 16:33 81920]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 15:19 290816]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 19:52 483328]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
"V0250Mon.exe"="C:\WINDOWS\V0250Mon.exe" [2006-06-08 00:00 32768]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 00:11 24576]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"="C:\WINDOWS\Cpqdiag\CpqDfwAg.exe" [2003-03-13 15:14 212992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 16:48:22 565309]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-11-15 03:16:43 692224]
NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe [2007-11-27 17:06:54 236520]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\desktop.htm
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\desktop\desktop.htm
FriendlyName=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SHOWBIKE"=C:\DOCUME~1\Stores\APPLIC~1\THAT16~1\INTRA LIST.exe

R0 lfsfilt;Lean File Sharing;C:\WINDOWS\system32\DRIVERS\lfsfilt.sys [2007-11-27 17:06]
R0 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys [2007-11-27 17:06]
R1 ClntMgmt;HP Client Management Driver;C:\WINDOWS\system32\Drivers\ClntMgmt.sys [2003-03-06 08:50]
R1 ndasfat;NDAS FAT;C:\WINDOWS\system32\DRIVERS\ndasfat.sys [2007-11-27 17:06]
R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
R2 cpqWebDmi;Insight Web Agent;C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [2003-05-12 16:38]
R2 PDRJNDL;PDRJNDL;C:\Program Files\Dekart\Private Disk\PDRJNDL.SYS [2004-03-19 09:17]
R2 PRVDISK;PRVDISK;C:\Program Files\Dekart\Private Disk\PRVDISK.SYS [2004-04-27 02:51]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-28 19:49]
R3 ndasbus;NDAS Bus Driver;C:\WINDOWS\system32\DRIVERS\ndasbus.sys [2007-11-27 17:06]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5211.sys [2003-07-17 16:06]
S3 Apache2.2;Apache2.2;"C:\www\Apache22\bin\httpd.exe" [2007-03-20 12:02]
S3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 09:50]
S3 ndasscsi;NDAS SCSI Miniport Driver;C:\WINDOWS\system32\DRIVERS\ndasscsi.sys [2007-11-27 17:06]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 V0250Dev;Live! Cam Notebook Pro;C:\WINDOWS\system32\DRIVERS\V0250Dev.sys [2006-06-27 10:25]
S3 V0250Vfx;V0250Vfx;C:\WINDOWS\system32\DRIVERS\V0250Vfx.sys [2006-03-24 15:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8080ee0e-6007-11dc-afa6-0012795af11d}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 18:00:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-27 07:02:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-25 01:27:13 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 16:00:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 16:01:29
ComboFix-quarantined-files.txt  2008-01-27 21:01:07
ComboFix2.txt  2008-01-26 19:38:36
ComboFix3.txt  2008-01-25 22:48:20
.
2008-01-23 19:44:29 --- E O F --- 

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #23 on: January 28, 2008, 12:06:43 AM »
Also - what about these processes that windows defender has for approval?
Should I allow them?

They all look like this:

Summary:
System Configuration change occurred.

This agent monitors security related configuration changes made to Windows.

Detected changes:
New: 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
Original: Not available

firewallport (New):
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP

Advice:
Permit this configuration change only if you trust its origin. It is recommended that you run a quick scan if you choose to deny this change.

Checkpoint:
Firewall Port Exceptions

Category:
Configuration Change

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
Re: Win32:TratBHO trojan - help needed.
« Reply #24 on: January 28, 2008, 12:38:03 AM »
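Unfortunately, Defender does not say which file made the change. For reference, UDP port 1900 is the port used by SSDP (UPnP device discovery), and the exception shown is scoped to the local subnet (LocalSubNet).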

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]


3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.




6. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #25 on: January 28, 2008, 07:12:25 AM »
Roger - I'll just let them go.  It changed my default browser from Firefox back to IE too...
Here's the log:

ComboFix 08-01-23.1C - Stores 2008-01-27 23:06:05.4 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.237 [GMT -5:00]
Running from: C:\Documents and Settings\Stores\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Stores\Desktop\CFScript.txt
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((   Files Created from 2007-12-28 to 2008-01-28  )))))))))))))))))))))))))))))))
.

2008-01-26 18:27 . 2008-01-26 18:27 <DIR> d-------- C:\Program Files\GameSpy Arcade
2008-01-25 17:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 12:07 . 2008-01-24 12:42 <DIR> d-------- C:\Program Files\Uniblue
2008-01-22 19:42 . 2008-01-22 19:43 81,569,865 --a------ C:\WINDOWS\pav.sig
2008-01-22 19:33 . 2005-10-20 10:34 69,632 --a------ C:\WINDOWS\system32\asprouni.exe
2008-01-22 19:32 . 2008-01-23 21:07 <DIR> d-------- C:\WINDOWS\system32\ASPRO
2008-01-22 19:32 . 2008-01-23 22:39 30,590 --a------ C:\WINDOWS\system32\pavaspro.ico
2008-01-22 19:32 . 2008-01-23 22:39 2,550 --a------ C:\WINDOWS\system32\Uninstallpro.ico
2008-01-22 19:32 . 2008-01-23 22:39 1,406 --a------ C:\WINDOWS\system32\Helppro.ico
2008-01-22 18:26 . 2008-01-23 21:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-22 18:26 . 2008-01-22 18:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-22 18:26 . 2008-01-22 18:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-22 18:26 . 2008-01-22 18:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-22 17:12 . 2008-01-22 12:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-19 18:34 . 2008-01-19 18:34 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-18 23:21 . 2008-01-26 19:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 23:21 . 2008-01-18 23:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-17 21:26 . 2008-01-17 21:26 <DIR> d-------- C:\Program Files\ESTsoft
2008-01-17 21:16 . 2001-12-19 11:45 8,576 --a------ C:\WINDOWS\system32\drivers\VCdRom.sys
2008-01-15 07:10 . 2007-11-27 17:06 372,584 --a------ C:\WINDOWS\system32\drivers\ndasfat.sys
2008-01-15 07:10 . 2007-11-27 17:06 254,440 --a------ C:\WINDOWS\system32\drivers\lfsfilt.sys
2008-01-15 07:09 . 2008-01-15 07:09 <DIR> d-------- C:\Program Files\NDAS
2008-01-14 14:32 . 2008-01-14 14:32 <DIR> d-------- C:\Program Files\SMPlayer
2008-01-14 14:09 . 2008-01-14 14:10 <DIR> d-------- C:\Program Files\QuickTime
2008-01-13 15:38 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-01-13 15:38 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-01-13 15:38 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-01-13 15:38 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-01-13 15:38 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-01-13 15:38 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-01-13 15:38 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-01-13 15:37 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-01-13 15:37 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-01-13 15:37 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-01-13 15:37 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-01-13 15:37 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-01-13 15:37 . 2007-10-22 03:37 17,928 --a------ C:\WINDOWS\system32\X3DAudio1_2.dll
2008-01-13 15:36 . 2007-04-04 18:55 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2008-01-13 15:36 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-01-13 15:35 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-01-13 15:35 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-01-13 15:35 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-01-07 13:54 . 2008-01-07 13:54 <DIR> d-------- C:\Program Files\Software River Solutions
2007-12-31 02:30 . 2007-12-31 02:30 <DIR> d-------- C:\Program Files\That 16 remote

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 23:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-24 02:00 --------- d-----w C:\Program Files\Windows Defender
2008-01-24 01:59 --------- d-----w C:\Program Files\SmartFTP Client
2008-01-24 01:59 --------- d-----w C:\Program Files\MSN Messenger
2008-01-24 01:56 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-24 01:53 --------- d-----w C:\Program Files\EditPlus 2
2007-12-29 01:17 --------- d-----w C:\Program Files\DivX
2007-12-20 21:08 --------- d-----w C:\Program Files\Common Files\Skype
2007-12-12 16:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-08 00:56 --------- d-----w C:\Program Files\CFPAS_SEPFC_2007
2007-12-08 00:24 --------- d-----w C:\Program Files\DumbiTV
2007-12-07 14:23 --------- d-----w C:\Program Files\Get-Torrent
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-27 22:06 15,848 ----a-w C:\WINDOWS\system32\wshlpx.dll
2007-11-27 22:06 14,312 ----a-w C:\WINDOWS\system32\ndasiomg.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
.

(((((((((((((((((((((((((((((   snapshot@2008-01-25_17.48.04.89   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-25 22:34:48 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT
+ 2008-01-28 04:05:49 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000001\NTUSER.DAT
- 2008-01-25 22:34:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat
+ 2008-01-28 04:05:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000002\UsrClass.dat
- 2008-01-25 22:34:48 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT
+ 2008-01-28 04:05:49 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000003\NTUSER.DAT
- 2008-01-25 22:34:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat
+ 2008-01-28 04:05:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000004\UsrClass.dat
- 2008-01-25 22:34:49 6,766,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT
+ 2008-01-28 04:05:50 6,799,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000005\NTUSER.DAT
- 2008-01-25 22:34:49 32,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat
+ 2008-01-28 04:05:50 32,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\[u]0[/u]0000006\UsrClass.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #26 on: January 28, 2008, 07:13:10 AM »
...and the next part

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 13:42 401491]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-12-03 09:55 1260296]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 14:09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 14:08 618496]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 12:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 20:10 335872]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2003-05-12 16:33 81920]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 15:19 290816]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 19:52 483328]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
"V0250Mon.exe"="C:\WINDOWS\V0250Mon.exe" [2006-06-08 00:00 32768]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 00:11 24576]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"="C:\WINDOWS\Cpqdiag\CpqDfwAg.exe" [2003-03-13 15:14 212992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 16:48:22 565309]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-11-15 03:16:43 692224]
NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe [2007-11-27 17:06:54 236520]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\desktop.htm
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\desktop\desktop.htm
FriendlyName=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

R0 lfsfilt;Lean File Sharing;C:\WINDOWS\system32\DRIVERS\lfsfilt.sys [2007-11-27 17:06]
R0 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys [2007-11-27 17:06]
R1 ClntMgmt;HP Client Management Driver;C:\WINDOWS\system32\Drivers\ClntMgmt.sys [2003-03-06 08:50]
R1 ndasfat;NDAS FAT;C:\WINDOWS\system32\DRIVERS\ndasfat.sys [2007-11-27 17:06]
R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
R2 cpqWebDmi;Insight Web Agent;C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [2003-05-12 16:38]
R2 PDRJNDL;PDRJNDL;C:\Program Files\Dekart\Private Disk\PDRJNDL.SYS [2004-03-19 09:17]
R2 PRVDISK;PRVDISK;C:\Program Files\Dekart\Private Disk\PRVDISK.SYS [2004-04-27 02:51]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-28 19:49]
R3 ndasbus;NDAS Bus Driver;C:\WINDOWS\system32\DRIVERS\ndasbus.sys [2007-11-27 17:06]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5211.sys [2003-07-17 16:06]
S3 Apache2.2;Apache2.2;"C:\www\Apache22\bin\httpd.exe" [2007-03-20 12:02]
S3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 09:50]
S3 ndasscsi;NDAS SCSI Miniport Driver;C:\WINDOWS\system32\DRIVERS\ndasscsi.sys [2007-11-27 17:06]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 V0250Dev;Live! Cam Notebook Pro;C:\WINDOWS\system32\DRIVERS\V0250Dev.sys [2006-06-27 10:25]
S3 V0250Vfx;V0250Vfx;C:\WINDOWS\system32\DRIVERS\V0250Vfx.sys [2006-03-24 15:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8080ee0e-6007-11dc-afa6-0012795af11d}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-21 18:00:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-27 07:02:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-25 01:27:13 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 23:08:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 23:09:44
ComboFix-quarantined-files.txt  2008-01-28 04:09:22
ComboFix2.txt  2008-01-27 21:01:29
ComboFix3.txt  2008-01-26 19:38:36
ComboFix4.txt  2008-01-25 22:48:20
.
2008-01-23 19:44:29 --- E O F --- 

Offline essexboy

Re: Win32:TratBHO trojan - help needed.
« Reply #27 on: January 28, 2008, 08:33:12 PM »
How is your system running now?

Offline polonus

Re: Win32:TratBHO trojan - help needed.
« Reply #28 on: January 29, 2008, 12:31:24 AM »
Hi tnttroy,

I'm just interested in what a Silent Runners script would turn up in this situation. Instructions on how to post a text file of its results are here: http://silentrunners.org/sr_scriptuse.html

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #29 on: January 29, 2008, 03:07:28 AM »
It seems to be running very smoothly.
Hey - would that scan have picked up if there was a keylogger on this machine?

polonus, as requested:
Code: [Select]
"Silent Runners.vbs", revision 55, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"H/PC Connection Agent" = ""C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Uniblue SpyEraser" = ""C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m" ["Uniblue Software"]
"Skype" = ""C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized" ["Skype Technologies S.A."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"IMJPMIG8.1" = ""C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32" [MS]
"PHIME2002ASync" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC" [MS]
"PHIME2002A" = "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName" [MS]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"ChkAdmin" = "C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" ["Hewlett-Packard Company"]
"eabconfg.cpl" = "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start" ["Hewlett-Packard "]
"Acrobat Assistant 7.0" = ""C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"" ["Adobe Systems Inc."]
"avast!" = "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" ["ALWIL Software"]
"HP Software Update" = "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" ["Hewlett-Packard Development Company, L.P."]
"V0250Mon.exe" = "C:\WINDOWS\V0250Mon.exe" ["Creative Technology Ltd."]
"AVFX Engine" = "C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" ["Creative Technology Ltd."]
"Kernel and Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
"QuickTime Task" = ""C:\Program Files\QuickTime\QTTask.exe" -atboottime" ["Apple Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AE7CD045-E861-484f-8273-0445EE161910}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF Conversion Toolbar Helper"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {HKLM...CLSID} = "Display Panning CPL Extension"
                   \InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
  -> {HKLM...CLSID} = "My Sharing Folders"
                   \InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974}" = "EditPlus Context Menu Handler"
  -> {HKLM...CLSID} = "EditPlus Context Menu Handler"
                   \InProcServer32\(Default) = "C:\Program Files\EditPlus 2\eppshell.dll" [null data]
"{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Copy Hook"
  -> {HKLM...CLSID} = "SmartFTP Copy Hook"
                   \InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\smarthook.dll" ["SmartSoft Ltd."]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{472083B0-C522-11CF-8763-00608CC02F24}" = "avast"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
  -> {HKLM...CLSID} = "Microsoft Office Outlook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
  -> {HKLM...CLSID} = "Outlook File Icon Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
  -> {HKLM...CLSID} = "My Bluetooth Places"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\btneighborhood.dll" ["WIDCOMM, Inc."]
"{F49C55B9-D417-45A1-A6E7-D6E057946280}" = "FdmUplShlExt"
  -> {HKLM...CLSID} = "FdmUplShlExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Free Download Manager\FUM\fumshext.dll" [null data]
"{39DD67E0-73B6-4a11-AF55-49E1EBBF72BE}" = "SmartFTP Favorites Namespace"
  -> {HKLM...CLSID} = "FavoritesShellFolder Class"
                   \InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfFavoritesShellExtension.dll" ["SmartSoft Ltd."]
"{F87DED31-303F-4ED1-9BCE-D360FBC74E0A}" = "SmartFTP ContextMenu"
  -> {HKLM...CLSID} = "SmartFTP ContextMenu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
"{40FDFA48-5F4E-4627-A78E-6A49A3D4492F}" = "SmartFTP ShellDropHandler"
  -> {HKLM...CLSID} = "SmartFTP ShellDropHandler Class"
                   \InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
"{EA5A76F7-8138-4B53-B0F5-ADCC730CAFBD}" = "SmartFTP Drop ShellIconOverlayHandler"
  -> {HKLM...CLSID} = "SmartFTP Drop ShellIconOverlayHandler"
                   \InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]
"{DC70C4A5-2044-4c59-B806-DEFB9AE0DF7C}" = "Logitech Setpoint Extension"
  -> {HKLM...CLSID} = "KbLogiExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\kbcplext.dll" ["Logitech Inc."]
"{B9B9F083-2B04-452A-8691-83694AC1037B}" = "Logitech Setpoint Extension"
  -> {HKLM...CLSID} = "LogiExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Logitech\SetPoint\mcplext.dll" ["Logitech Inc."]
"{4EB37360-49E8-11D3-95B5-004033382980}" = "ALZip 4.0 Context Menu Shell Extension"
  -> {HKLM...CLSID} = "ALZip 7.0 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\ESTsoft\ALZip\AZCTM.dll" ["ESTsoft"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
  -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
                   \InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
  -> {HKLM...CLSID} = "WPDShServiceObj Class"
                   \InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
  -> {HKLM...CLSID} = (no title provided)
                   \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
« Last Edit: January 29, 2008, 03:13:54 AM by tnttroy »