Author Topic: Win32:TratBHO trojan - help needed.  (Read 37193 times)


tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #30 on: January 29, 2008, 03:14:17 AM »
2nd part:

Code:
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
  -> {HKLM...CLSID} = "PDF Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
  -> {HKLM...CLSID} = "Acrobat Elements Context Menu"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
ALZip\(Default) = "{4EB37360-49E8-11D3-95B5-004033382980}"
  -> {HKLM...CLSID} = "ALZip 7.0 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\ESTsoft\ALZip\AZCTM.dll" ["ESTsoft"]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]
EditPlus\(Default) = "{63AFBDFB-5EF8-4791-AF79-9A3C0DE48974}"
  -> {HKLM...CLSID} = "EditPlus Context Menu Handler"
                   \InProcServer32\(Default) = "C:\Program Files\EditPlus 2\eppshell.dll" [null data]
SmartFTP\(Default) = "{F87DED31-303F-4ED1-9BCE-D360FBC74E0A}"
  -> {HKLM...CLSID} = "SmartFTP ContextMenu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
ALZip\(Default) = "{4EB37360-49E8-11D3-95B5-004033382980}"
  -> {HKLM...CLSID} = "ALZip 7.0 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\ESTsoft\ALZip\AZCTM.dll" ["ESTsoft"]
SmartFTP\(Default) = "{F87DED31-303F-4ED1-9BCE-D360FBC74E0A}"
  -> {HKLM...CLSID} = "SmartFTP ContextMenu Shell Extension"
                   \InProcServer32\(Default) = "C:\Program Files\SmartFTP Client\sfShellTools.dll" ["SmartSoft Ltd"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
ALZip\(Default) = "{4EB37360-49E8-11D3-95B5-004033382980}"
  -> {HKLM...CLSID} = "ALZip 7.0 Context Menu Shell Extension"
                   \InProcServer32\(Default) = "C:\PROGRA~1\ESTsoft\ALZip\AZCTM.dll" ["ESTsoft"]
avast\(Default) = "{472083B0-C522-11CF-8763-00608CC02F24}"
  -> {HKLM...CLSID} = "avast"
                   \InProcServer32\(Default) = "C:\Program Files\Alwil Software\Avast4\ashShell.dll" ["ALWIL Software"]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
FdmUplShlExt\(Default) = "{F49C55B9-D417-45A1-A6E7-D6E057946280}"
  -> {HKLM...CLSID} = "FdmUplShlExt Class"
                   \InProcServer32\(Default) = "C:\Program Files\Free Download Manager\FUM\fumshext.dll" [null data]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Stores" & "All Users" startup folders:
--------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"BTTray" -> shortcut to: "C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe" ["WIDCOMM, Inc."]
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]
"NDAS Device Management" -> shortcut to: "C:\Program Files\NDAS\System\ndasmgmt.exe /startup" ["XIMETA, Inc."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]
"Uniblue SpyEraser" -> launches: "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe -s" ["Uniblue Software"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}"
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{47833539-D0C5-4125-9FA8-0819E2EAAC93}" = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

tnttroy

Re: Win32:TratBHO trojan - help needed.
« Reply #31 on: January 29, 2008, 03:14:40 AM »
...it was a little large... last part

Code:
Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\(Default) = (no title provided)
  -> {HKLM...CLSID} = "Adobe PDF"
                   \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll" ["Adobe Systems Incorporated"]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}\
"ButtonText" = "Create Mobile Favorite"
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
  -> {HKLM...CLSID} = "Create Mobile Favorite"
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\inetrepl.dll" [MS]

{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}\
"MenuText" = "Create Mobile Favorite..."
"CLSIDExtension" = "{2EAF5BB0-070F-11D3-9307-00C04FAE2D4F}"
  -> {HKLM...CLSID} = "Create Mobile Favorite"
                   \InProcServer32\(Default) = "C:\Program Files\Microsoft ActiveSync\inetrepl.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

{FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1}\
"ButtonText" = "Upload"
"CLSIDExtension" = "{FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1}"
  -> {HKLM...CLSID} = "FDMUploadBtnForIe Class"
                   \InProcServer32\(Default) = "C:\Program Files\Free Download Manager\FUM\fumiebtn.dll" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! Antivirus, avast! Antivirus, ""C:\Program Files\Alwil Software\Avast4\ashServ.exe"" ["ALWIL Software"]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" ["ALWIL Software"]
avast! Mail Scanner, avast! Mail Scanner, ""C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service" ["ALWIL Software"]
avast! Web Scanner, avast! Web Scanner, ""C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service" ["ALWIL Software"]
Bluetooth Service, btwdins, "C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe" ["WIDCOMM, Inc."]
cpqdmi, cpqdmi, "C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe" ["Compaq Computer Corporation"]
Insight Local Alerter, CPQALERT, "C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe" ["Hewlett-Packard Company"]
Insight Web Agent, cpqWebDmi, "C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe" ["Hewlett-Packard Company"]
Messenger Sharing Folders USN Journal Reader service, usnjsvc, ""C:\Program Files\MSN Messenger\usnsvc.exe"" [MS]
NDAS Service, ndassvc, ""C:\Program Files\NDAS\System\ndassvc.exe"" ["XIMETA, Inc."]
Remote Diagnostics Enabling Agent, DfwWebAgent, "C:\WINDOWS\Cpqdiag\Cpqdfwag.exe" ["Hewlett-Packard"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Win32Sl, WIN32SL, "C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe" ["Intel"]
Windows Defender, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Adobe PDF Port\Driver = "C:\WINDOWS\system32\AdobePDF.dll" ["Adobe Systems Incorporated."]
Bluetooth Printer Port\Driver = "bthcrp.dll" ["WIDCOMM, Inc."]
HP Mobile Port\Driver = "C:\WINDOWS\system32\HPBMOMON.dll" ["Hewlett-Packard Company"]
HP Standard TCP/IP Port\Driver = "HpTcpMon.dll" ["Hewlett Packard"]
Language Monitor\Driver = "hpz3l054.dll" ["Hewlett-Packard Company"]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


---------- (launch time: 2008-01-28 19:09:00)
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points, use the -supp parameter or answer "No" at the
  first message box and "Yes" at the second message box.
---------- (total run time: 53 seconds, including 18 seconds for message boxes)
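
Added example (not Silent Runners output and not from either poster): a check over the "Transport Service Providers" summary in the log above. A Winsock LSP whose DLL is deleted without being unchained leaves a hole in Protocol_Catalog9 and networking stops working, so the audit flags holes and duplicate slot numbers as well as any provider whose tag is not [MS]. Both listings are constructed: the first copies the two lines posted above, the second adds a hypothetical lsphook.dll entry (a name invented for this example) and drops slot 07.

```python
"""Sanity checks over a Silent Runners "Transport Service Providers" summary.

Added example, not part of Silent Runners or of the thread. SAMPLE_CLEAN
copies the two lines posted above; SAMPLE_SUSPECT is constructed from it by
adding a hypothetical non-Microsoft LSP (lsphook.dll, invented here) and
removing catalog slot 07 so that both checks fire.
"""
import re

SAMPLE_CLEAN = r"""
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06
"""

SAMPLE_SUSPECT = r"""
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 08 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06
C:\WINDOWS\system32\lsphook.dll [null data], 19
"""

# "<dll path> [<vendor>], <slot list>" where the slot list is a comma-separated
# mix of single numbers and "lo - hi" ranges, as Silent Runners prints it.
ENTRY = re.compile(r"^(?P<dll>\S+)\s+\[(?P<vendor>[^\]]*)\],\s*(?P<slots>.+)$")
SLOT = re.compile(r"(\d+)(?:\s*-\s*(\d+))?")


def parse_catalog(text):
    """Return a list of (dll, vendor, set_of_catalog_slots), one per listed DLL."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        slots = set()
        for lo, hi in SLOT.findall(m.group("slots")):
            slots.update(range(int(lo), int(hi or lo) + 1))
        entries.append((m.group("dll"), m.group("vendor"), slots))
    return entries


def audit_catalog(text):
    """Flag non-Microsoft providers, slots claimed twice, and holes in the chain.

    A hole (a slot number no DLL claims) usually means a provider entry was
    deleted without re-chaining the catalog. Reading "[MS]" as "Microsoft"
    and a hole as damage are this example's assumptions about the listing,
    not Silent Runners documentation.
    """
    entries = parse_catalog(text)
    seen, duplicates = set(), set()
    for _, _, slots in entries:
        duplicates |= seen & slots
        seen |= slots
    highest = max(seen) if seen else 0
    return {
        "foreign": [dll for dll, vendor, _ in entries if vendor != "MS"],
        "duplicates": sorted(duplicates),
        "gaps": sorted(set(range(1, highest + 1)) - seen),
    }


if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        print(label, audit_catalog(sample))
```

On XP SP2 and later, `netsh winsock reset` rebuilds the catalog if a hole is found. The [MS] tag is only as trustworthy as the company-name field Silent Runners read from the file, so a "foreign" hit is a prompt to look at the DLL, not a verdict.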

tnttroy

Re: Win32:TratBHO trojan - help needed.
« Reply #32 on: January 30, 2008, 04:54:15 AM »
It seems to be running very smoothly.
Hey - would that scan have picked up if there was a keylogger on this machine?

...just wanted to ask this again

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Win32:TratBHO trojan - help needed.
« Reply #33 on: January 30, 2008, 09:46:59 PM »
Hi tnttroy,

If it ran it would have given out signs, sure. You could install KeyScrambler on your machine, which will make it impossible for an installed keylogger to register your true keystrokes, unless the man or woman is looking right over your shoulder. Use it as a Firefox add-on: https://addons.mozilla.org/en-US/firefox/addon/3383 or, if you want to use it for your whole machine, download it from here:
http://www.download.com/KeyScrambler-Personal/3000-2144_4-10571274.html

As far as your log is concerned:

Go to Start > Run, type MsConfig and click OK.
Uncheck the following if they show up:
      REFIEBAR.DLL
      ENCSBAR.DLL
      localsplnet.dll
      netdaemon.exe

Then go to task manager and make sure netdaemon.exe is not a running process. If it is then right-click and end process tree.

Then go to Start > Run > Regedit
Go to HKLM\Software\Microsoft\Windows\Current Version\Run and delete the value (in the right-hand pane):      netdaemon

Do a search for the others and delete:
      REFIEBAR.DLL   (should be there)
      ENCSBAR.DLL    (possibly not there, search anyway)
      localsplnet.dll    (idem)

Then delete the following files/folders (if they are found; suggested, but you don't have to):
Click on Tools > Folder Options > View within any folder and select the Show Hidden Files & Folders radio button.

     c:\windows\system32\   delete: netdaemon.exe and localsplnet.dll
     C:\Program Files\Common Files\Microsoft Shared delete folder: Encarta Search Bar (possibly not there)
     C:\PROGRA~1\MICROS~3\OFFICE11 delete: REFIEBAR.DLL (we found that one)
     C:\PROGRAM Files\MICROSoft office\OFFICE11 delete: REFIEBAR.DLL

Use Internet Explorer (Tools > Internet Options) to delete internet cookies and temporary internet files often. Also delete the files in the C:\Windows\Temp folder (also suggested by others) and all folders within the C:\Windows\Temporary Internet Files\Content.IE5 folder, with the exception of the index.dat file.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

tnttroy

Re: Win32:TratBHO trojan - help needed.
« Reply #34 on: January 31, 2008, 01:52:09 AM »
Sheesh... I was just about to start doing as you said, then it started all over again :(

Shall I start another scan and post?

Offline polonus

Re: Win32:TratBHO trojan - help needed.
« Reply #35 on: January 31, 2008, 02:01:35 AM »
Hi tnttroy,

You can do that; post a new HijackThis log. Try to do the manual cleansing anyway, and run Silent Runners anew with a fresh version of it (delete the previous one). I will look into these logs tomorrow, because here on the other side of the Atlantic it is late, late at night now. Call the thread "tnttroy refiebar trouble"; I will answer it in the Viruses and Worms board,

good-night,

polonus

tnttroy

Re: Win32:TratBHO trojan - help needed.
« Reply #36 on: January 31, 2008, 02:41:51 AM »
*sigh* here we go again lol

Combo Fix Log:

Code:
ComboFix 08-01-23.1C - Stores 2008-01-30 17:55:27.5 - NTFSx86
Running from: C:\Documents and Settings\Stores\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\b122.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\jkkkkhf.dll
C:\WINDOWS\system32\pac.txt

.
(((((((((((((((((((((((((   Files Created from 2007-12-28 to 2008-01-31  )))))))))))))))))))))))))))))))
.

2008-01-30 17:53 . 2008-01-30 17:53 <DIR> d-------- C:\Program Files\KeyScrambler
2008-01-30 17:53 . 2007-12-29 09:35 112,992 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys
2008-01-30 17:47 . 2008-01-30 17:47 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-30 17:44 . 2008-01-30 17:44 <DIR> d-------- C:\WINDOWS\system32\oup5
2008-01-30 17:43 . 2008-01-30 17:43 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-30 17:43 . 2008-01-30 17:44 <DIR> d-------- C:\WINDOWS\system32\bac13
2008-01-30 17:43 . 2008-01-30 17:43 <DIR> d-------- C:\TEMP\gTiis19
2008-01-30 17:43 . 2008-01-30 17:43 <DIR> d-------- C:\TEMP\cXzz9
2008-01-30 17:43 . 2008-01-30 17:43 224,768 --a------ C:\TEMP\nDcca1109.exe
2008-01-28 20:59 . 2008-01-29 18:16 <DIR> d-------- C:\Program Files\Quick Screen Recorder
2008-01-28 19:53 . 2008-01-28 19:53 <DIR> d-------- C:\WINDOWS\tiinst
2008-01-26 18:27 . 2008-01-26 18:27 <DIR> d-------- C:\Program Files\GameSpy Arcade
2008-01-25 17:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 12:07 . 2008-01-24 12:42 <DIR> d-------- C:\Program Files\Uniblue
2008-01-22 19:42 . 2008-01-22 19:43 81,569,865 --a------ C:\WINDOWS\pav.sig
2008-01-22 19:33 . 2005-10-20 10:34 69,632 --a------ C:\WINDOWS\system32\asprouni.exe
2008-01-22 19:32 . 2008-01-23 21:07 <DIR> d-------- C:\WINDOWS\system32\ASPRO
2008-01-22 19:32 . 2008-01-23 22:39 30,590 --a------ C:\WINDOWS\system32\pavaspro.ico
2008-01-22 19:32 . 2008-01-23 22:39 2,550 --a------ C:\WINDOWS\system32\Uninstallpro.ico
2008-01-22 19:32 . 2008-01-23 22:39 1,406 --a------ C:\WINDOWS\system32\Helppro.ico
2008-01-22 18:26 . 2008-01-23 21:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-22 18:26 . 2008-01-22 18:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-22 18:26 . 2008-01-22 18:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-22 18:26 . 2008-01-22 18:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-22 17:12 . 2008-01-22 12:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-19 18:34 . 2008-01-19 18:34 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-18 23:21 . 2008-01-26 19:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 23:21 . 2008-01-18 23:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-17 21:26 . 2008-01-17 21:26 <DIR> d-------- C:\Program Files\ESTsoft
2008-01-17 21:16 . 2001-12-19 11:45 8,576 --a------ C:\WINDOWS\system32\drivers\VCdRom.sys
2008-01-15 07:10 . 2007-11-27 17:06 372,584 --a------ C:\WINDOWS\system32\drivers\ndasfat.sys
2008-01-15 07:10 . 2007-11-27 17:06 254,440 --a------ C:\WINDOWS\system32\drivers\lfsfilt.sys
2008-01-15 07:09 . 2008-01-15 07:09 <DIR> d-------- C:\Program Files\NDAS
2008-01-14 14:32 . 2008-01-14 14:32 <DIR> d-------- C:\Program Files\SMPlayer
2008-01-14 14:09 . 2008-01-14 14:10 <DIR> d-------- C:\Program Files\QuickTime
2008-01-13 15:38 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-01-13 15:38 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-01-13 15:38 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-01-13 15:38 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-01-13 15:38 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-01-13 15:38 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-01-13 15:38 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-01-13 15:37 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-01-13 15:37 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-01-13 15:37 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-01-13 15:37 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-01-13 15:37 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-01-13 15:37 . 2007-10-22 03:37 17,928 --a------ C:\WINDOWS\system32\X3DAudio1_2.dll
2008-01-13 15:36 . 2007-04-04 18:55 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2008-01-13 15:36 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-01-13 15:35 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-01-13 15:35 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-01-13 15:35 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-01-07 13:54 . 2008-01-07 13:54 <DIR> d-------- C:\Program Files\Software River Solutions
2007-12-31 02:30 . 2007-12-31 02:30 <DIR> d-------- C:\Program Files\That 16 remote
2007-12-20 16:08 . 2007-12-20 16:08 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-12-11 11:54 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-11 11:54 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-11 11:54 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-11 11:54 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-11 11:54 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-11 11:54 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-11 11:54 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-11 11:54 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-11 11:54 . 2007-10-10 05:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-07 15:54 . 2007-12-28 20:17 <DIR> d-------- C:\Program Files\DivX
2007-12-07 15:54 . 2007-12-07 15:56 672 --a------ C:\WINDOWS\mozver.dat
2007-12-06 21:39 . 2007-12-07 09:23 <DIR> d-------- C:\Program Files\Get-Torrent
2007-12-01 11:43 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-01 11:43 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 20:19 --------- d-----w C:\Program Files\CFPAS_SEPFC_2007
2008-01-26 23:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-24 02:00 --------- d-----w C:\Program Files\Windows Defender
2008-01-24 01:59 --------- d-----w C:\Program Files\SmartFTP Client
2008-01-24 01:59 --------- d-----w C:\Program Files\MSN Messenger
2008-01-24 01:56 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-24 01:53 --------- d-----w C:\Program Files\EditPlus 2
2007-12-12 16:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-08 00:24 --------- d-----w C:\Program Files\DumbiTV
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

tnttroy

Re: Win32:TratBHO trojan - help needed.
« Reply #37 on: January 31, 2008, 02:42:19 AM »
....and part II

Code:
(((((((((((((((((((((((((((((   snapshot@2008-01-25_17.48.04.89   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-25 22:34:48 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-28 04:05:49 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-25 22:34:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-28 04:05:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-25 22:34:48 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-28 04:05:49 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-25 22:34:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-28 04:05:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-25 22:34:49 6,766,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-28 04:05:50 6,799,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-25 22:34:49 32,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-28 04:05:50 32,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-19 13:13:12 32,768 ----a-w C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
+ 2007-08-03 01:44:02 169,147 ----a-w C:\WINDOWS\system32\oup5\lenamd83122.exe
+ 2008-01-30 23:02:44 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6e0.dat
+ 2003-02-07 00:23:40 59,328 ----a-w C:\WINDOWS\tiinst\gticard.sys
+ 2004-03-30 22:05:24 66,816 ----a-w C:\WINDOWS\tiinst\tifm.sys
+ 2003-02-19 20:20:16 225,280 ----a-w C:\WINDOWS\tiinst\tifmicon.dll
+ 2004-01-20 19:17:40 142,848 ----a-w C:\WINDOWS\tiinst\uminst.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7240605C-C73C-4D9A-8480-230386F08B3A}]
C:\Program Files\ComPlus Applications\holenuC:\WINDOWS\system32\oup5\lenamd83122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 13:42 401491]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-12-03 09:55 1260296]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 14:09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 14:08 618496]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 12:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 20:10 335872]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2003-05-12 16:33 81920]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 15:19 290816]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 19:52 483328]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
"V0250Mon.exe"="C:\WINDOWS\V0250Mon.exe" [2006-06-08 00:00 32768]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 00:11 24576]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"="C:\WINDOWS\Cpqdiag\CpqDfwAg.exe" [2003-03-13 15:14 212992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 16:48:22 565309]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-11-15 03:16:43 692224]
NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe [2007-11-27 17:06:54 236520]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\desktop.htm
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\desktop\desktop.htm
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{98663E21-9CCE-4CF6-863C-911A9523A66F}"= C:\WINDOWS\system32\jkkkkhf.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

R0 lfsfilt;Lean File Sharing;C:\WINDOWS\system32\DRIVERS\lfsfilt.sys [2007-11-27 17:06]
R0 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys [2007-11-27 17:06]
R1 ClntMgmt;HP Client Management Driver;C:\WINDOWS\system32\Drivers\ClntMgmt.sys [2003-03-06 08:50]
R1 ndasfat;NDAS FAT;C:\WINDOWS\system32\DRIVERS\ndasfat.sys [2007-11-27 17:06]
R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
R2 cpqWebDmi;Insight Web Agent;C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [2003-05-12 16:38]
R2 PDRJNDL;PDRJNDL;C:\Program Files\Dekart\Private Disk\PDRJNDL.SYS [2004-03-19 09:17]
R2 PRVDISK;PRVDISK;C:\Program Files\Dekart\Private Disk\PRVDISK.SYS [2004-04-27 02:51]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-28 19:49]
R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2007-12-29 09:35]
R3 ndasbus;NDAS Bus Driver;C:\WINDOWS\system32\DRIVERS\ndasbus.sys [2007-11-27 17:06]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5211.sys [2003-07-17 16:06]
S3 Apache2.2;Apache2.2;"C:\www\Apache22\bin\httpd.exe" [2007-03-20 12:02]
S3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 09:50]
S3 ndasscsi;NDAS SCSI Miniport Driver;C:\WINDOWS\system32\DRIVERS\ndasscsi.sys [2007-11-27 17:06]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 V0250Dev;Live! Cam Notebook Pro;C:\WINDOWS\system32\DRIVERS\V0250Dev.sys [2006-06-27 10:25]
S3 V0250Vfx;V0250Vfx;C:\WINDOWS\system32\DRIVERS\V0250Vfx.sys [2006-03-24 15:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8080ee0e-6007-11dc-afa6-0012795af11d}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 18:00:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-30 23:05:44 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-25 01:27:13 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 20:24:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-30 20:27:37 - machine was rebooted
ComboFix-quarantined-files.txt  2008-01-31 01:27:33
ComboFix2.txt  2008-01-28 04:09:44
ComboFix3.txt  2008-01-27 21:01:29
ComboFix4.txt  2008-01-26 19:38:36
ComboFix5.txt  2008-01-25 22:48:20
.
2008-01-29 17:58:05 --- E O F ---
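
Added example, not part of ComboFix and not from the thread: a triage pass over the log format posted above. It reads the "Files Created" and "Reg Loading Points" sections and flags load points whose trailing bracket is empty (`[ ]`, read here as "ComboFix recorded no file metadata for this path", which is this example's assumption), paths that contain more than one drive root (two paths run together, as in the BHO entry), new directories or executables directly under system32 or a TEMP folder whose names mix letters and digits with no separator (a crude heuristic, tuned so DirectX names such as d3dx9_36.dll do not trip it), and AutoRun commands recorded under MountPoints2. The sample log is constructed from lines of the posted logs.

```python
"""Triage pass over a ComboFix-style log.

Added example, not a ComboFix feature and not code from the thread. Rules:
  * load points whose trailing bracket is empty ("[ ]"), read here as
    "no file metadata recorded for this path" (assumption, not ComboFix docs);
  * paths containing more than one drive root, i.e. two paths run together;
  * new directories/executables directly under system32 or a TEMP folder
    whose names mix letters and digits with no separator (crude heuristic);
  * AutoRun commands recorded under MountPoints2.
SAMPLE_LOG is constructed from lines of the posted logs.
"""
import re

SAMPLE_LOG = r"""
(((((((((((((((((((((((((   Files Created from 2007-12-28 to 2008-01-31  )))))))))))))))))))))))))))))))
.
2008-01-30 17:53 . 2008-01-30 17:53 <DIR> d-------- C:\Program Files\KeyScrambler
2008-01-30 17:44 . 2008-01-30 17:44 <DIR> d-------- C:\WINDOWS\system32\oup5
2008-01-30 17:43 . 2008-01-30 17:43 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-30 17:43 . 2008-01-30 17:43 224,768 --a------ C:\TEMP\nDcca1109.exe
2008-01-13 15:38 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-01-22 19:33 . 2005-10-20 10:34 69,632 --a------ C:\WINDOWS\system32\asprouni.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7240605C-C73C-4D9A-8480-230386F08B3A}]
C:\Program Files\ComPlus Applications\holenuC:\WINDOWS\system32\oup5\lenamd83122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{98663E21-9CCE-4CF6-863C-911A9523A66F}"= C:\WINDOWS\system32\jkkkkhf.dll [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8080ee0e-6007-11dc-afa6-0012795af11d}]
\Shell\AutoRun\command - F:\LaunchU3.exe
"""

# "created . modified size attrs path" lines of the "Files Created" section
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?:<DIR>|[\d,]+)\s+\S+\s+(?P<path>[A-Za-z]:\\.+)$")
KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$", re.IGNORECASE)
# "name"="path" [meta]  or  "name"= path [meta]
VALUE_LINE = re.compile(r'^"[^"]*"\s*=\s*"?(?P<path>[^"\[]+?)"?\s*\[(?P<meta>[^\]]*)\]$')
AUTORUN_LINE = re.compile(r"^\\Shell\\AutoRun\\command\s+-\s+(?P<cmd>.+)$", re.IGNORECASE)
DRIVE_ROOT = re.compile(r"[A-Za-z]:\\")
RANDOM_NAME = re.compile(r"^(?=.*[A-Za-z])(?=.*\d)[A-Za-z0-9]{3,12}$")
WATCHED_DIRS = {r"c:\windows\system32", r"c:\temp", r"c:\windows\temp"}


def random_looking(path):
    """True for a watched-directory entry whose stem mixes letters and digits."""
    parent, _, name = path.rpartition("\\")
    stem = name.rsplit(".", 1)[0]
    return parent.lower() in WATCHED_DIRS and bool(RANDOM_NAME.match(stem))


def triage(log_text):
    """Return [(rule, detail), ...] in log order."""
    findings, key = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("((("):          # section banner: drop any key context
            key = None
            continue
        m = FILE_LINE.match(line)
        if m:
            if random_looking(m.group("path")):
                findings.append(("random-name", m.group("path")))
            continue
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        m = VALUE_LINE.match(line)
        path = m.group("path").strip() if m else line   # bare line = BHO-style path
        if m and not m.group("meta").strip():
            findings.append(("no-file-metadata", f"{key} -> {path}"))
        if len(DRIVE_ROOT.findall(path)) > 1:
            findings.append(("garbled-path", f"{key} -> {path}"))
        m = AUTORUN_LINE.match(line)
        if m:
            findings.append(("autorun-command", f"{key} -> {m.group('cmd')}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:17} {detail}")
```

Run on the sample it pulls out the three random-named system32/TEMP entries, the BHO whose InProcServer path is two paths run together, the ShellExecuteHooks DLL that ComboFix had already listed under "Other Deletions", the Dot1XCfg Run entry with no file behind it, and the U3 AutoRun on F:. Every hit still needs a human look; the point is to turn a 300-line dump into a short list.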

Offline polonus

Re: Win32:TratBHO trojan - help needed.
« Reply #38 on: January 31, 2008, 08:08:00 PM »
Hi tnttroy,

Now post a new hijackthis log here,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #39 on: January 31, 2008, 09:35:19 PM »
Hi - is "hijackthis" the combofix.exe file??
If so, that's a new one up top....here's the new scan I just did

Code: [Select]
ComboFix 08-01-23.1C - Stores 2008-01-31 13:20:41.6 - NTFSx86
Running from: C:\Documents and Settings\Stores\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2007-12-28 to 2008-01-31  )))))))))))))))))))))))))))))))
.

2008-01-30 17:53 . 2008-01-30 17:53 <DIR> d-------- C:\Program Files\KeyScrambler
2008-01-30 17:53 . 2007-12-29 09:35 112,992 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys
2008-01-30 17:47 . 2008-01-30 17:47 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-30 17:44 . 2008-01-30 17:44 <DIR> d-------- C:\WINDOWS\system32\oup5
2008-01-30 17:43 . 2008-01-30 17:43 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-30 17:43 . 2008-01-30 17:44 <DIR> d-------- C:\WINDOWS\system32\bac13
2008-01-30 17:43 . 2008-01-30 17:43 <DIR> d-------- C:\TEMP\gTiis19
2008-01-30 17:43 . 2008-01-30 17:43 <DIR> d-------- C:\TEMP\cXzz9
2008-01-30 17:43 . 2008-01-30 17:43 224,768 --a------ C:\TEMP\nDcca1109.exe
2008-01-28 20:59 . 2008-01-29 18:16 <DIR> d-------- C:\Program Files\Quick Screen Recorder
2008-01-28 19:53 . 2008-01-28 19:53 <DIR> d-------- C:\WINDOWS\tiinst
2008-01-26 18:27 . 2008-01-26 18:27 <DIR> d-------- C:\Program Files\GameSpy Arcade
2008-01-25 17:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 12:07 . 2008-01-24 12:42 <DIR> d-------- C:\Program Files\Uniblue
2008-01-22 19:42 . 2008-01-22 19:43 81,569,865 --a------ C:\WINDOWS\pav.sig
2008-01-22 19:33 . 2005-10-20 10:34 69,632 --a------ C:\WINDOWS\system32\asprouni.exe
2008-01-22 19:32 . 2008-01-23 21:07 <DIR> d-------- C:\WINDOWS\system32\ASPRO
2008-01-22 19:32 . 2008-01-23 22:39 30,590 --a------ C:\WINDOWS\system32\pavaspro.ico
2008-01-22 19:32 . 2008-01-23 22:39 2,550 --a------ C:\WINDOWS\system32\Uninstallpro.ico
2008-01-22 19:32 . 2008-01-23 22:39 1,406 --a------ C:\WINDOWS\system32\Helppro.ico
2008-01-22 18:26 . 2008-01-23 21:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-22 18:26 . 2008-01-22 18:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-22 18:26 . 2008-01-22 18:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-22 18:26 . 2008-01-22 18:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-22 17:12 . 2008-01-22 12:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-19 18:34 . 2008-01-19 18:34 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-18 23:21 . 2008-01-26 19:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 23:21 . 2008-01-18 23:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-17 21:26 . 2008-01-17 21:26 <DIR> d-------- C:\Program Files\ESTsoft
2008-01-17 21:16 . 2001-12-19 11:45 8,576 --a------ C:\WINDOWS\system32\drivers\VCdRom.sys
2008-01-15 07:10 . 2007-11-27 17:06 372,584 --a------ C:\WINDOWS\system32\drivers\ndasfat.sys
2008-01-15 07:10 . 2007-11-27 17:06 254,440 --a------ C:\WINDOWS\system32\drivers\lfsfilt.sys
2008-01-15 07:09 . 2008-01-15 07:09 <DIR> d-------- C:\Program Files\NDAS
2008-01-14 14:32 . 2008-01-14 14:32 <DIR> d-------- C:\Program Files\SMPlayer
2008-01-14 14:09 . 2008-01-14 14:10 <DIR> d-------- C:\Program Files\QuickTime
2008-01-13 15:38 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-01-13 15:38 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-01-13 15:38 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-01-13 15:38 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-01-13 15:38 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-01-13 15:38 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-01-13 15:38 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-01-13 15:37 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-01-13 15:37 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-01-13 15:37 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-01-13 15:37 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-01-13 15:37 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-01-13 15:37 . 2007-10-22 03:37 17,928 --a------ C:\WINDOWS\system32\X3DAudio1_2.dll
2008-01-13 15:36 . 2007-04-04 18:55 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2008-01-13 15:36 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-01-13 15:35 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-01-13 15:35 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-01-13 15:35 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-01-07 13:54 . 2008-01-07 13:54 <DIR> d-------- C:\Program Files\Software River Solutions
2007-12-31 02:30 . 2007-12-31 02:30 <DIR> d-------- C:\Program Files\That 16 remote
2007-12-20 16:08 . 2007-12-20 16:08 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-12-11 11:54 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-11 11:54 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-11 11:54 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-11 11:54 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-11 11:54 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-11 11:54 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-11 11:54 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-11 11:54 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-11 11:54 . 2007-10-10 05:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-07 15:54 . 2007-12-28 20:17 <DIR> d-------- C:\Program Files\DivX
2007-12-07 15:54 . 2007-12-07 15:56 672 --a------ C:\WINDOWS\mozver.dat
2007-12-06 21:39 . 2007-12-07 09:23 <DIR> d-------- C:\Program Files\Get-Torrent
2007-12-01 11:43 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-01 11:43 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 20:19 --------- d-----w C:\Program Files\CFPAS_SEPFC_2007
2008-01-26 23:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-24 02:00 --------- d-----w C:\Program Files\Windows Defender
2008-01-24 01:59 --------- d-----w C:\Program Files\SmartFTP Client
2008-01-24 01:59 --------- d-----w C:\Program Files\MSN Messenger
2008-01-24 01:56 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-24 01:53 --------- d-----w C:\Program Files\EditPlus 2
2007-12-12 16:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-08 00:24 --------- d-----w C:\Program Files\DumbiTV
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-27 22:06 15,848 ----a-w C:\WINDOWS\system32\wshlpx.dll
2007-11-27 22:06 14,312 ----a-w C:\WINDOWS\system32\ndasiomg.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\wininet.dll

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #40 on: January 31, 2008, 09:35:41 PM »
next part

Code: [Select]
(((((((((((((((((((((((((((((   snapshot@2008-01-25_17.48.04.89   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-25 22:34:48 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-28 04:05:49 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-25 22:34:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-28 04:05:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-25 22:34:48 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-28 04:05:49 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-25 22:34:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-28 04:05:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-25 22:34:49 6,766,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-28 04:05:50 6,799,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-25 22:34:49 32,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-28 04:05:50 32,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-19 13:13:12 32,768 ----a-w C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
+ 2007-08-03 01:44:02 169,147 ----a-w C:\WINDOWS\system32\oup5\lenamd83122.exe
+ 2008-01-31 16:57:37 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_72c.dat
+ 2003-02-07 00:23:40 59,328 ----a-w C:\WINDOWS\tiinst\gticard.sys
+ 2004-03-30 22:05:24 66,816 ----a-w C:\WINDOWS\tiinst\tifm.sys
+ 2003-02-19 20:20:16 225,280 ----a-w C:\WINDOWS\tiinst\tifmicon.dll
+ 2004-01-20 19:17:40 142,848 ----a-w C:\WINDOWS\tiinst\uminst.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7240605C-C73C-4D9A-8480-230386F08B3A}]
C:\Program Files\ComPlus Applications\holenuC:\WINDOWS\system32\oup5\lenamd83122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 13:42 401491]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-12-03 09:55 1260296]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 14:09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 14:08 618496]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 12:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 20:10 335872]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2003-05-12 16:33 81920]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 15:19 290816]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 19:52 483328]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
"V0250Mon.exe"="C:\WINDOWS\V0250Mon.exe" [2006-06-08 00:00 32768]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 00:11 24576]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"="C:\WINDOWS\Cpqdiag\CpqDfwAg.exe" [2003-03-13 15:14 212992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 16:48:22 565309]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-11-15 03:16:43 692224]
NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe [2007-11-27 17:06:54 236520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\desktop.htm
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\desktop\desktop.htm
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{98663E21-9CCE-4CF6-863C-911A9523A66F}"= C:\WINDOWS\system32\jkkkkhf.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

R0 lfsfilt;Lean File Sharing;C:\WINDOWS\system32\DRIVERS\lfsfilt.sys [2007-11-27 17:06]
R0 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys [2007-11-27 17:06]
R1 ClntMgmt;HP Client Management Driver;C:\WINDOWS\system32\Drivers\ClntMgmt.sys [2003-03-06 08:50]
R1 ndasfat;NDAS FAT;C:\WINDOWS\system32\DRIVERS\ndasfat.sys [2007-11-27 17:06]
R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
R2 cpqWebDmi;Insight Web Agent;C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [2003-05-12 16:38]
R2 PDRJNDL;PDRJNDL;C:\Program Files\Dekart\Private Disk\PDRJNDL.SYS [2004-03-19 09:17]
R2 PRVDISK;PRVDISK;C:\Program Files\Dekart\Private Disk\PRVDISK.SYS [2004-04-27 02:51]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-28 19:49]
R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2007-12-29 09:35]
R3 ndasbus;NDAS Bus Driver;C:\WINDOWS\system32\DRIVERS\ndasbus.sys [2007-11-27 17:06]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5211.sys [2003-07-17 16:06]
S3 Apache2.2;Apache2.2;"C:\www\Apache22\bin\httpd.exe" [2007-03-20 12:02]
S3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 09:50]
S3 ndasscsi;NDAS SCSI Miniport Driver;C:\WINDOWS\system32\DRIVERS\ndasscsi.sys [2007-11-27 17:06]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 V0250Dev;Live! Cam Notebook Pro;C:\WINDOWS\system32\DRIVERS\V0250Dev.sys [2006-06-27 10:25]
S3 V0250Vfx;V0250Vfx;C:\WINDOWS\system32\DRIVERS\V0250Vfx.sys [2006-03-24 15:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8080ee0e-6007-11dc-afa6-0012795af11d}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 18:00:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-31 17:00:37 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-25 01:27:13 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 13:25:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-31 13:27:00
ComboFix-quarantined-files.txt  2008-01-31 18:26:43
ComboFix2.txt  2008-01-31 01:27:37
ComboFix3.txt  2008-01-28 04:09:44
ComboFix4.txt  2008-01-27 21:01:29
ComboFix5.txt  2008-01-26 19:38:36
.
2008-01-29 17:58:05 --- E O F --- 
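A way to make the triage that essexboy does by eye in the next reply mechanical, as an added example that is not part of the thread and not ComboFix's own code: the script parses the "Files Created" and "Reg Loading Points" sections of a ComboFix log (the sample input is copied from the log posted above), groups new files and folders by creation time to surface bursts such as the 17:43 one, and flags load points that deserve a second look. The empty bracket pair that ComboFix prints where it would otherwise show a file's date, time and size is taken here to mean that it could not read the file; that reading, the two-minute window and the three-entry threshold are assumptions of this example, not ComboFix behaviour documented on this page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: lines copied from the ComboFix log posted above.
# Raw strings keep the backslashes in the Windows paths intact (\n, \t, ...).
FILES_CREATED = r"""
2008-01-30 17:53 . 2008-01-30 17:53 <DIR> d-------- C:\Program Files\KeyScrambler
2008-01-30 17:47 . 2008-01-30 17:47 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-30 17:44 . 2008-01-30 17:44 <DIR> d-------- C:\WINDOWS\system32\oup5
2008-01-30 17:43 . 2008-01-30 17:43 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-30 17:43 . 2008-01-30 17:44 <DIR> d-------- C:\WINDOWS\system32\bac13
2008-01-30 17:43 . 2008-01-30 17:43 <DIR> d-------- C:\TEMP\gTiis19
2008-01-30 17:43 . 2008-01-30 17:43 <DIR> d-------- C:\TEMP\cXzz9
2008-01-30 17:43 . 2008-01-30 17:43 224,768 --a------ C:\TEMP\nDcca1109.exe
2008-01-28 19:53 . 2008-01-28 19:53 <DIR> d-------- C:\WINDOWS\tiinst
2008-01-25 17:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
"""

LOADING_POINTS = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7240605C-C73C-4D9A-8480-230386F08B3A}]
C:\Program Files\ComPlus Applications\holenuC:\WINDOWS\system32\oup5\lenamd83122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{98663E21-9CCE-4CF6-863C-911A9523A66F}"= C:\WINDOWS\system32\jkkkkhf.dll [ ]
"""

# "Files Created" line: created . modified size|<DIR> attributes path
CREATED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(<DIR>|[\d,]+) (\S+) (.+)$")
# Loading-point value: "name"="path" [date time size]  (quotes optional)
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*"?(?P<path>.+?)"?\s+\[(?P<info>[^\]]*)\]\s*$')
DRIVE_RE = re.compile(r"[A-Za-z]:\\")
DLL_HOOK_KEYS = ("browser helper objects", "shellexecutehooks")


def parse_created(text):
    """Return (created, modified, path) tuples for each 'Files Created' line."""
    rows = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            rows.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"),
                         datetime.strptime(m.group(2), "%Y-%m-%d %H:%M"),
                         m.group(5)))
    return rows


def creation_bursts(entries, window=timedelta(minutes=2), min_size=3):
    """Group entries created within `window` of the first entry of the group;
    return the path lists of groups with at least `min_size` members."""
    bursts, current = [], []
    for created, _modified, path in sorted(entries):
        if current and created - current[0][0] > window:
            if len(current) >= min_size:
                bursts.append([p for _, p in current])
            current = []
        current.append((created, path))
    if len(current) >= min_size:
        bursts.append([p for _, p in current])
    return bursts


def flag_loading_points(text):
    """Return (registry key, path, reasons) for load points worth a second look."""
    findings, key = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]           # section header names the registry key
            continue
        m = VALUE_RE.match(line)
        if m:
            path, info = m.group("path"), m.group("info").strip()
        elif DLL_HOOK_KEYS[0] in key.lower():
            path, info = line, None    # BHO entries list the DLL path alone
        else:
            continue
        reasons = []
        if info == "":                 # assumed: ComboFix could not read the file
            reasons.append("no file details recorded")
        if len(DRIVE_RE.findall(path)) > 1:
            reasons.append("two drive roots in one path: corrupted or concatenated value")
        if any(k in key.lower() for k in DLL_HOOK_KEYS):
            reasons.append("in-process DLL load point: verify the DLL")
        if reasons:
            findings.append((key, path, reasons))
    return findings


if __name__ == "__main__":
    for burst in creation_bursts(parse_created(FILES_CREATED)):
        print("burst of %d new files/folders:" % len(burst))
        for p in burst:
            print("   ", p)
    for key, path, reasons in flag_loading_points(LOADING_POINTS):
        print(path, "->", "; ".join(reasons), "(%s)" % key)
```

On the copied lines this reports one burst (the six entries created at 17:43 and 17:44 under system32 and TEMP) and three load points: the BHO whose path runs two drive roots together, the Dot1XCfg Run entry, and the ShellExecuteHooks DLL, the latter two without file details. A ShellExecuteHook DLL is loaded into any process that calls ShellExecute, Explorer included, which is why such an entry gets a look even when the file name alone says nothing.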

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:TratBHO trojan - help needed.
« Reply #41 on: January 31, 2008, 09:48:18 PM »
Hi tnttroy, what can you tell me about these folders - do you recognise them?

If not, can you write down the name of ONE .exe file and ONE .dll file from each and post them?

C:\WINDOWS\system32\oup5
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\bac13
C:\TEMP\gTiis19
C:\TEMP\cXzz9
C:\TEMP\nDcca1109.exe
C:\WINDOWS\tiinst

They all look like malware and were created yesterday.
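Before answering with file names alone, and before anything in those folders is removed, a practitioner would record what is there: path, size, modification time and a SHA-256 hash, which is what a lookup such as the ThreatExpert report polonus links to in the next reply needs. The following is an added example, not code from the thread: it builds a throwaway directory tree that only borrows the folder and file names from the log (constructed contents, not the real files) and inventories it, reporting a folder that is already gone or empty as such instead of silently returning nothing.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(folders):
    """One row per file under each folder (path, size, UTC mtime, SHA-256).
    A folder that no longer exists or holds no files gets its own row, so
    'nothing found' is never confused with 'already deleted'."""
    rows = []
    for folder in folders:
        if not os.path.isdir(folder):
            rows.append({"path": folder, "status": "missing"})
            continue
        seen = 0
        for root, _dirs, files in os.walk(folder):
            for name in files:
                p = os.path.join(root, name)
                st = os.stat(p)
                seen += 1
                rows.append({
                    "path": p, "status": "present", "size": st.st_size,
                    "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                    "sha256": sha256_file(p),
                })
        if seen == 0:
            rows.append({"path": folder, "status": "empty"})
    return rows


def build_sample_tree():
    """Constructed stand-in for the folders named in the thread. Only the names
    are borrowed; the contents are fixed test strings, not the real files."""
    base = tempfile.mkdtemp(prefix="cf_inventory_")
    layout = {
        ("system32", "oup5", "lenamd83122.exe"): b"abc",
        ("system32", "nGpxx01", "nGpxx011065.exe"): b"",
    }
    for parts, data in layout.items():
        p = os.path.join(base, *parts)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)
    os.makedirs(os.path.join(base, "system32", "bac13"))  # reported as empty
    return base


def demo():
    """Inventory the sample tree plus one folder that was never created,
    standing in for the TEMP folder that had already been emptied by hand."""
    base = build_sample_tree()
    folders = [os.path.join(base, "system32", d) for d in ("oup5", "nGpxx01", "bac13")]
    folders.append(os.path.join(base, "TEMP", "gTiis19"))
    return inventory(folders)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Run on a live machine, the same `inventory()` call takes the real folder paths from the log; keep its output with the ComboFix logs, because the quarantine step that follows later in the thread removes the originals.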

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: Win32:TratBHO trojan - help needed.
« Reply #42 on: January 31, 2008, 10:07:59 PM »
Hi tnttroy and essexboy,

If C:\WINDOWS\system32\nGpxx01 is there, consider a generic infection like described here:
http://www.threatexpert.com/report.aspx?uid=7b8ced2f-cc2f-401f-b794-dcdf4ad479e2

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #43 on: January 31, 2008, 10:54:43 PM »
No idea what those folders are.... :(

Here are files that are in those folders:
C:\WINDOWS\system32\oup5\lenamd83122.exe
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\bac13\   [empty dir]

I just emptied my c:/TEMP folder today....sorry

C:\TEMP\gTiis19\
C:\TEMP\cXzz9\
C:\TEMP\nDcca1109.exe

C:\WINDOWS\tiinst\uminst.exe (lots of other files in this dir as well)
C:\WINDOWS\tiinst\tifmicon.dll
« Last Edit: January 31, 2008, 10:59:20 PM by tnttroy »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:TratBHO trojan - help needed.
« Reply #44 on: January 31, 2008, 11:47:28 PM »
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code: [Select]
Folder::
C:\WINDOWS\system32\oup5
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\bac13
C:\TEMP\gTiis19
C:\TEMP\cXzz9
C:\TEMP\nDcca1109.exe
C:\WINDOWS\tiinst

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.