Topic: Win32:TratBHO trojan - help needed.

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #45 on: February 01, 2008, 01:11:20 AM »
Here's the new report

Code:
ComboFix 08-01-23.1C - Stores 2008-01-31 17:04:55.7 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.243 [GMT -5:00]
Running from: C:\Documents and Settings\Stores\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Stores\Desktop\CFScript.txt
 * Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bac13
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\oup5
C:\WINDOWS\system32\oup5\lenamd83122.exe
C:\WINDOWS\tiinst
C:\WINDOWS\tiinst\gticard.cat
C:\WINDOWS\tiinst\gticard.inf
C:\WINDOWS\tiinst\gticard.sys
C:\WINDOWS\tiinst\tifm.cat
C:\WINDOWS\tiinst\TIFM.INF
C:\WINDOWS\tiinst\tifm.sys
C:\WINDOWS\tiinst\TIFMDISK.CAT
C:\WINDOWS\tiinst\TIFMDISK.INF
C:\WINDOWS\tiinst\tifmicon.dll
C:\WINDOWS\tiinst\uminst.exe

.
(((((((((((((((((((((((((   Files Created from 2007-12-28 to 2008-01-31  )))))))))))))))))))))))))))))))
.

2008-01-30 17:53 . 2008-01-30 17:53 <DIR> d-------- C:\Program Files\KeyScrambler
2008-01-30 17:53 . 2007-12-29 09:35 112,992 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys
2008-01-30 17:47 . 2008-01-30 17:47 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-28 20:59 . 2008-01-29 18:16 <DIR> d-------- C:\Program Files\Quick Screen Recorder
2008-01-26 18:27 . 2008-01-26 18:27 <DIR> d-------- C:\Program Files\GameSpy Arcade
2008-01-25 17:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 12:07 . 2008-01-24 12:42 <DIR> d-------- C:\Program Files\Uniblue
2008-01-22 19:42 . 2008-01-22 19:43 81,569,865 --a------ C:\WINDOWS\pav.sig
2008-01-22 19:33 . 2005-10-20 10:34 69,632 --a------ C:\WINDOWS\system32\asprouni.exe
2008-01-22 19:32 . 2008-01-23 21:07 <DIR> d-------- C:\WINDOWS\system32\ASPRO
2008-01-22 19:32 . 2008-01-23 22:39 30,590 --a------ C:\WINDOWS\system32\pavaspro.ico
2008-01-22 19:32 . 2008-01-23 22:39 2,550 --a------ C:\WINDOWS\system32\Uninstallpro.ico
2008-01-22 19:32 . 2008-01-23 22:39 1,406 --a------ C:\WINDOWS\system32\Helppro.ico
2008-01-22 18:26 . 2008-01-23 21:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-22 18:26 . 2008-01-22 18:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-22 18:26 . 2008-01-22 18:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-22 18:26 . 2008-01-22 18:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-22 17:12 . 2008-01-22 12:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-19 18:34 . 2008-01-19 18:34 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-18 23:21 . 2008-01-26 19:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 23:21 . 2008-01-18 23:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-17 21:26 . 2008-01-17 21:26 <DIR> d-------- C:\Program Files\ESTsoft
2008-01-17 21:16 . 2001-12-19 11:45 8,576 --a------ C:\WINDOWS\system32\drivers\VCdRom.sys
2008-01-15 07:10 . 2007-11-27 17:06 372,584 --a------ C:\WINDOWS\system32\drivers\ndasfat.sys
2008-01-15 07:10 . 2007-11-27 17:06 254,440 --a------ C:\WINDOWS\system32\drivers\lfsfilt.sys
2008-01-15 07:09 . 2008-01-15 07:09 <DIR> d-------- C:\Program Files\NDAS
2008-01-14 14:32 . 2008-01-14 14:32 <DIR> d-------- C:\Program Files\SMPlayer
2008-01-14 14:09 . 2008-01-14 14:10 <DIR> d-------- C:\Program Files\QuickTime
2008-01-13 15:38 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-01-13 15:38 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-01-13 15:38 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-01-13 15:38 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-01-13 15:38 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-01-13 15:38 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-01-13 15:38 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-01-13 15:37 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-01-13 15:37 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-01-13 15:37 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-01-13 15:37 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-01-13 15:37 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-01-13 15:37 . 2007-10-22 03:37 17,928 --a------ C:\WINDOWS\system32\X3DAudio1_2.dll
2008-01-13 15:36 . 2007-04-04 18:55 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2008-01-13 15:36 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-01-13 15:35 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-01-13 15:35 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-01-13 15:35 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-01-07 13:54 . 2008-01-07 13:54 <DIR> d-------- C:\Program Files\Software River Solutions
2007-12-31 02:30 . 2007-12-31 02:30 <DIR> d-------- C:\Program Files\That 16 remote
2007-12-20 16:08 . 2007-12-20 16:08 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-12-11 11:54 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-11 11:54 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-11 11:54 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-11 11:54 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-11 11:54 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-11 11:54 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-11 11:54 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-11 11:54 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-11 11:54 . 2007-10-10 05:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-07 15:54 . 2007-12-28 20:17 <DIR> d-------- C:\Program Files\DivX
2007-12-07 15:54 . 2007-12-07 15:56 672 --a------ C:\WINDOWS\mozver.dat
2007-12-06 21:39 . 2007-12-07 09:23 <DIR> d-------- C:\Program Files\Get-Torrent
2007-12-01 11:43 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2007-12-01 11:43 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 20:19 --------- d-----w C:\Program Files\CFPAS_SEPFC_2007
2008-01-26 23:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-24 02:00 --------- d-----w C:\Program Files\Windows Defender
2008-01-24 01:59 --------- d-----w C:\Program Files\SmartFTP Client
2008-01-24 01:59 --------- d-----w C:\Program Files\MSN Messenger
2008-01-24 01:56 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-24 01:53 --------- d-----w C:\Program Files\EditPlus 2
2007-12-12 16:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-08 00:24 --------- d-----w C:\Program Files\DumbiTV
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-27 22:06 15,848 ----a-w C:\WINDOWS\system32\wshlpx.dll
2007-11-27 22:06 14,312 ----a-w C:\WINDOWS\system32\ndasiomg.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-10 23:56 824,832 ----a-w C:\WINDOWS\system32\wininet.dll

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #46 on: February 01, 2008, 01:11:53 AM »
And the next part.... Is there something else I'm supposed to do?

Code:
(((((((((((((((((((((((((((((   snapshot@2008-01-25_17.48.04.89   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-25 22:34:48 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-31 22:04:48 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-25 22:34:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-31 22:04:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-25 22:34:48 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-31 22:04:49 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-25 22:34:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-31 22:04:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-25 22:34:49 6,766,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-31 22:04:49 7,684,096 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-25 22:34:49 32,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-31 22:04:49 32,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-31 16:57:37 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_72c.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7240605C-C73C-4D9A-8480-230386F08B3A}]
C:\Program Files\ComPlus Applications\holenuC:\WINDOWS\system32\oup5\lenamd83122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 13:42 401491]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-12-03 09:55 1260296]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 14:09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 14:08 618496]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 12:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 20:10 335872]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2003-05-12 16:33 81920]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 15:19 290816]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 19:52 483328]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
"V0250Mon.exe"="C:\WINDOWS\V0250Mon.exe" [2006-06-08 00:00 32768]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 00:11 24576]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"="C:\WINDOWS\Cpqdiag\CpqDfwAg.exe" [2003-03-13 15:14 212992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 16:48:22 565309]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-11-15 03:16:43 692224]
NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe [2007-11-27 17:06:54 236520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\desktop.htm
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\desktop\desktop.htm
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{98663E21-9CCE-4CF6-863C-911A9523A66F}"= C:\WINDOWS\system32\jkkkkhf.dll [ ]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

R0 lfsfilt;Lean File Sharing;C:\WINDOWS\system32\DRIVERS\lfsfilt.sys [2007-11-27 17:06]
R0 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys [2007-11-27 17:06]
R1 ClntMgmt;HP Client Management Driver;C:\WINDOWS\system32\Drivers\ClntMgmt.sys [2003-03-06 08:50]
R1 ndasfat;NDAS FAT;C:\WINDOWS\system32\DRIVERS\ndasfat.sys [2007-11-27 17:06]
R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
R2 cpqWebDmi;Insight Web Agent;C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [2003-05-12 16:38]
R2 PDRJNDL;PDRJNDL;C:\Program Files\Dekart\Private Disk\PDRJNDL.SYS [2004-03-19 09:17]
R2 PRVDISK;PRVDISK;C:\Program Files\Dekart\Private Disk\PRVDISK.SYS [2004-04-27 02:51]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-28 19:49]
R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2007-12-29 09:35]
R3 ndasbus;NDAS Bus Driver;C:\WINDOWS\system32\DRIVERS\ndasbus.sys [2007-11-27 17:06]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5211.sys [2003-07-17 16:06]
S3 Apache2.2;Apache2.2;"C:\www\Apache22\bin\httpd.exe" [2007-03-20 12:02]
S3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 09:50]
S3 ndasscsi;NDAS SCSI Miniport Driver;C:\WINDOWS\system32\DRIVERS\ndasscsi.sys [2007-11-27 17:06]
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys []
S3 V0250Dev;Live! Cam Notebook Pro;C:\WINDOWS\system32\DRIVERS\V0250Dev.sys [2006-06-27 10:25]
S3 V0250Vfx;V0250Vfx;C:\WINDOWS\system32\DRIVERS\V0250Vfx.sys [2006-03-24 15:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8080ee0e-6007-11dc-afa6-0012795af11d}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 18:00:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-31 17:00:37 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-25 01:27:13 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 17:09:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-31 17:10:11
ComboFix-quarantined-files.txt  2008-01-31 22:09:51
ComboFix2.txt  2008-01-31 18:27:00
ComboFix3.txt  2008-01-31 01:27:37
ComboFix4.txt  2008-01-28 04:09:44
ComboFix5.txt  2008-01-27 21:01:29
.
2008-01-29 17:58:05 --- E O F --- 

essexboy

  • Malware removal instructor
  • Avast Überevangelist
Re: Win32:TratBHO trojan - help needed.
« Reply #47 on: February 01, 2008, 07:10:49 PM »
I would like to see a HijackThis log

Download & Run HijackThis.exe

  • Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


There are two elements to get rid of now

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
C:\WINDOWS\system32\jkkkkhf.dll

Registry::
[-hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]


3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
..
If you could just post the HijackThis log

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #48 on: February 02, 2008, 10:58:24 PM »
HiJackThis Log:

Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:56, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\V0250Mon.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Boingo\GoBoingo\GoBoingo.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: (no name) - {7240605C-C73C-4D9A-8480-230386F08B3A} - C:\Program Files\ComPlus Applications\holenuC:\WINDOWS\system32\oup5\lenamd83122.exe.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [V0250Mon.exe] C:\WINDOWS\V0250Mon.exe
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #49 on: February 02, 2008, 10:59:22 PM »
2nd Part

Code:
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [GoBoingo] C:\Program Files\Boingo\GoBoingo\GoBoingo.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
O15 - Trusted Zone: http://www.pandasecurity.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apache2.2 - Apache Software Foundation - C:\www\Apache22\bin\httpd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Insight Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett-Packard - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: MySQL - Unknown owner - C:\www\mysql5\bin\mysqld-nt.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
O24 - Desktop Component 1: (no name) - C:\desktop.htm
O24 - Desktop Component 2: (no name) - C:\desktop\desktop.htm

--
End of file - 13346 bytes

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #50 on: February 02, 2008, 11:36:07 PM »
ComboFix Report:

Code: [Select]
ComboFix 08-01-23.1C - Stores 2008-02-02 17:01:59.8 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.160 [GMT -5:00]
Running from: C:\Documents and Settings\Stores\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Stores\Desktop\CFScript.txt
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\jkkkkhf.dll
.

(((((((((((((((((((((((((   Files Created from 2008-01-02 to 2008-02-02  )))))))))))))))))))))))))))))))
.

2008-02-02 16:55 . 2008-02-02 16:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-01 06:19 . 2008-02-01 06:19 <DIR> d-------- C:\Program Files\Boingo
2008-01-30 17:53 . 2008-01-30 17:53 <DIR> d-------- C:\Program Files\KeyScrambler
2008-01-30 17:53 . 2007-12-29 09:35 112,992 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys
2008-01-30 17:47 . 2008-01-30 17:47 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-28 20:59 . 2008-01-29 18:16 <DIR> d-------- C:\Program Files\Quick Screen Recorder
2008-01-26 18:27 . 2008-01-26 18:27 <DIR> d-------- C:\Program Files\GameSpy Arcade
2008-01-25 17:33 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 12:07 . 2008-01-24 12:42 <DIR> d-------- C:\Program Files\Uniblue
2008-01-22 19:42 . 2008-01-22 19:43 81,569,865 --a------ C:\WINDOWS\pav.sig
2008-01-22 19:33 . 2005-10-20 10:34 69,632 --a------ C:\WINDOWS\system32\asprouni.exe
2008-01-22 19:32 . 2008-01-23 21:07 <DIR> d-------- C:\WINDOWS\system32\ASPRO
2008-01-22 19:32 . 2008-01-23 22:39 30,590 --a------ C:\WINDOWS\system32\pavaspro.ico
2008-01-22 19:32 . 2008-01-23 22:39 2,550 --a------ C:\WINDOWS\system32\Uninstallpro.ico
2008-01-22 19:32 . 2008-01-23 22:39 1,406 --a------ C:\WINDOWS\system32\Helppro.ico
2008-01-22 18:26 . 2008-01-23 21:27 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-22 18:26 . 2008-01-22 18:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-22 18:26 . 2008-01-22 18:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-22 18:26 . 2008-01-22 18:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-22 17:12 . 2008-01-22 12:44 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-01-19 18:34 . 2008-01-19 18:34 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-01-18 23:21 . 2008-01-26 19:40 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-18 23:21 . 2008-01-18 23:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-17 21:26 . 2008-01-17 21:26 <DIR> d-------- C:\Program Files\ESTsoft
2008-01-17 21:16 . 2001-12-19 11:45 8,576 --a------ C:\WINDOWS\system32\drivers\VCdRom.sys
2008-01-15 07:10 . 2007-11-27 17:06 372,584 --a------ C:\WINDOWS\system32\drivers\ndasfat.sys
2008-01-15 07:10 . 2007-11-27 17:06 254,440 --a------ C:\WINDOWS\system32\drivers\lfsfilt.sys
2008-01-15 07:09 . 2008-01-15 07:09 <DIR> d-------- C:\Program Files\NDAS
2008-01-14 14:32 . 2008-01-14 14:32 <DIR> d-------- C:\Program Files\SMPlayer
2008-01-14 14:09 . 2008-01-14 14:10 <DIR> d-------- C:\Program Files\QuickTime
2008-01-13 15:38 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-01-13 15:38 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-01-13 15:38 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-01-13 15:38 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-01-13 15:38 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-01-13 15:38 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-01-13 15:38 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-01-13 15:37 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-01-13 15:37 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2008-01-13 15:37 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2008-01-13 15:37 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2008-01-13 15:37 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2008-01-13 15:37 . 2007-10-22 03:37 17,928 --a------ C:\WINDOWS\system32\X3DAudio1_2.dll
2008-01-13 15:36 . 2007-04-04 18:55 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2008-01-13 15:36 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-01-13 15:35 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-01-13 15:35 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-01-13 15:35 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-01-07 13:54 . 2008-01-07 13:54 <DIR> d-------- C:\Program Files\Software River Solutions

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 20:19 --------- d-----w C:\Program Files\CFPAS_SEPFC_2007
2008-01-26 23:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-24 02:00 --------- d-----w C:\Program Files\Windows Defender
2008-01-24 01:59 --------- d-----w C:\Program Files\SmartFTP Client
2008-01-24 01:59 --------- d-----w C:\Program Files\MSN Messenger
2008-01-24 01:56 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-01-24 01:53 --------- d-----w C:\Program Files\EditPlus 2
2007-12-31 07:30 --------- d-----w C:\Program Files\That 16 remote
2007-12-29 01:17 --------- d-----w C:\Program Files\DivX
2007-12-20 21:08 --------- d-----w C:\Program Files\Common Files\Skype
2007-12-12 16:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-08 00:24 --------- d-----w C:\Program Files\DumbiTV
2007-12-07 14:23 --------- d-----w C:\Program Files\Get-Torrent
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-12-04 12:54 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-11-27 22:06 15,848 ----a-w C:\WINDOWS\system32\wshlpx.dll
2007-11-27 22:06 14,312 ----a-w C:\WINDOWS\system32\ndasiomg.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
.

(((((((((((((((((((((((((((((   snapshot@2008-01-25_17.48.04.89   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-25 22:34:48 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-02-02 22:01:42 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-25 22:34:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-02-02 22:01:42 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-25 22:34:48 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-02-02 22:01:42 1,392,640 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-25 22:34:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-02-02 22:01:42 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-25 22:34:49 6,766,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-02-02 22:01:43 7,856,128 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-25 22:34:49 32,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-02-02 22:01:43 32,768 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-02-01 11:19:45 65,681 ----a-r C:\WINDOWS\Installer\{D130AA29-F814-4FD4-9BA8-244FA8B0F55E}\ARPPRODUCTICON.exe
+ 2008-02-01 11:19:45 106,496 ----a-r C:\WINDOWS\Installer\{D130AA29-F814-4FD4-9BA8-244FA8B0F55E}\NewShortcut1_0380E703A97C4B2B92CEB9062A5240E6.exe
+ 2008-02-01 11:19:45 106,496 ----a-r C:\WINDOWS\Installer\{D130AA29-F814-4FD4-9BA8-244FA8B0F55E}\NewShortcut2_0380E703A97C4B2B92CEB9062A5240E6.exe
+ 2006-06-06 22:22:54 20,096 ----a-r C:\WINDOWS\system32\drivers\PCASp50.sys
+ 2006-06-06 22:22:54 108,752 ----a-r C:\WINDOWS\system32\W32N55.dll
+ 2008-02-02 21:50:32 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_710.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7240605C-C73C-4D9A-8480-230386F08B3A}]
C:\Program Files\ComPlus Applications\holenuC:\WINDOWS\system32\oup5\lenamd83122.exe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 13:42 401491]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2007-12-03 09:55 1260296]
"Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #51 on: February 02, 2008, 11:36:39 PM »
and part 2

Code: [Select]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 07:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 07:00 455168]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 14:09 110592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 14:08 618496]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 12:24 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-25 20:10 335872]
"ChkAdmin"="C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE" [2003-05-12 16:33 81920]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-09-17 15:19 290816]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 19:52 483328]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
"V0250Mon.exe"="C:\WINDOWS\V0250Mon.exe" [2006-06-08 00:00 32768]
"AVFX Engine"="C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 00:11 24576]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\WINDOWS\KHALMNPR.Exe]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 10:56 286720]
"GoBoingo"="C:\Program Files\Boingo\GoBoingo\GoBoingo.exe" [2007-10-18 13:13 337200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"CPQDFWAG"="C:\WINDOWS\Cpqdiag\CpqDfwAg.exe" [2003-03-13 15:14 212992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-06-02 16:48:22 565309]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-11-15 03:16:43 692224]
NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe [2007-11-27 17:06:54 236520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideShutdownScripts"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\desktop.htm
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\desktop\desktop.htm
FriendlyName=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

R0 lfsfilt;Lean File Sharing;C:\WINDOWS\system32\DRIVERS\lfsfilt.sys [2007-11-27 17:06]
R0 lpx;LPX Protocol;C:\WINDOWS\system32\DRIVERS\lpx.sys [2007-11-27 17:06]
R1 ClntMgmt;HP Client Management Driver;C:\WINDOWS\system32\Drivers\ClntMgmt.sys [2003-03-06 08:50]
R1 ndasfat;NDAS FAT;C:\WINDOWS\system32\DRIVERS\ndasfat.sys [2007-11-27 17:06]
R1 vcdrom;Virtual CD-ROM Device Driver;C:\WINDOWS\system32\drivers\VCdRom.sys [2001-12-19 11:45]
R2 cpqWebDmi;Insight Web Agent;C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe [2003-05-12 16:38]
R2 PDRJNDL;PDRJNDL;C:\Program Files\Dekart\Private Disk\PDRJNDL.SYS [2004-03-19 09:17]
R2 PRVDISK;PRVDISK;C:\Program Files\Dekart\Private Disk\PRVDISK.SYS [2004-04-27 02:51]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-28 19:49]
R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2007-12-29 09:35]
R3 ndasbus;NDAS Bus Driver;C:\WINDOWS\system32\DRIVERS\ndasbus.sys [2007-11-27 17:06]
R3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys [2006-06-06 17:22]
R3 WLAN_400_500_SERVICE;HP WLAN W400/W500 Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\ar5211.sys [2003-07-17 16:06]
S3 Apache2.2;Apache2.2;"C:\www\Apache22\bin\httpd.exe" [2007-03-20 12:02]
S3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 09:50]
S3 ndasscsi;NDAS SCSI Miniport Driver;C:\WINDOWS\system32\DRIVERS\ndasscsi.sys [2007-11-27 17:06]
S3 V0250Dev;Live! Cam Notebook Pro;C:\WINDOWS\system32\DRIVERS\V0250Dev.sys [2006-06-27 10:25]
S3 V0250Vfx;V0250Vfx;C:\WINDOWS\system32\DRIVERS\V0250Vfx.sys [2006-03-24 15:24]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8080ee0e-6007-11dc-afa6-0012795af11d}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-28 18:00:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-02 21:53:32 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-01-25 01:27:13 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-02 17:05:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-02 17:06:05
ComboFix-quarantined-files.txt  2008-02-02 22:05:43
ComboFix2.txt  2008-01-31 22:10:11
ComboFix3.txt  2008-01-31 18:27:00
ComboFix4.txt  2008-01-31 01:27:37
ComboFix5.txt  2008-01-28 04:09:44
.
2008-02-01 13:54:12 --- E O F --- 

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33937
  • malware fighter
Re: Win32:TratBHO trojan - help needed.
« Reply #52 on: February 03, 2008, 12:14:07 AM »
Hi tnttroy,

You had better fix the following entries with HijackThis: start it, tag these items and press Enter:

O15 - Trusted Zone: http://www.pandasecurity.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
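The O15 lines above are the part of a HijackThis log that most often needs a second look after a rogue "antivirus" has been on a machine, because a Trusted Zone entry relaxes Internet Explorer's security settings for that host. The following is an added example, not code from the thread or from HijackThis: a small parser for O15 lines that records which hive each entry lives in (HijackThis prints "(HKLM)" for machine-wide entries and nothing for current-user entries) and whether it is a wildcard pattern, then ranks them for review. The sample log is constructed from the seven O15 lines quoted in the post plus one O23 line from the log earlier in the thread; the three-step severity scale is my own assumption for triage, not anything HijackThis computes.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the seven O15 lines quoted in the post above,
# plus one O23 line from the same HijackThis log, to show that other
# sections are skipped by this parser.
SAMPLE_LOG = """\
O15 - Trusted Zone: http://www.pandasecurity.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O23 - Service: MySQL - Unknown owner - C:\\www\\mysql5\\bin\\mysqld-nt.exe
"""

# HijackThis prints the target, then "(HKLM)" when the entry lives in the
# machine-wide hive; entries without the suffix belong to the current user.
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<target>\S+)(?: \((?P<hive>HKLM)\))?$")


@dataclass
class TrustedZoneEntry:
    raw: str
    host: str        # host or host pattern with any scheme removed
    scheme: str      # "http", "https", or "*" when the line names no scheme
    hive: str        # "HKLM" (applies to all users) or "HKCU" (current user only)

    @property
    def wildcard(self) -> bool:
        # "*.example.com" trusts every subdomain, not a single host
        return self.host.startswith("*.")

    @property
    def severity(self) -> str:
        # Hypothetical triage scale for this example: a wildcard entry in the
        # machine hive relaxes IE security for every subdomain and every user.
        if self.wildcard and self.hive == "HKLM":
            return "high"
        if self.wildcard or self.hive == "HKLM":
            return "medium"
        return "low"


def parse_o15(log_text: str) -> list[TrustedZoneEntry]:
    """Extract every O15 Trusted Zone entry from a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O15_RE.match(line.strip())
        if not m:
            continue  # O2, O16, O23 ... are outside this parser's scope
        target = m.group("target")
        scheme, sep, host = target.partition("://")
        if not sep:  # no scheme given: the pattern applies to all schemes
            scheme, host = "*", target
        entries.append(TrustedZoneEntry(raw=line.strip(), host=host,
                                        scheme=scheme,
                                        hive=m.group("hive") or "HKCU"))
    return entries


def summarize(entries: list[TrustedZoneEntry]) -> dict:
    """Counts a responder would note down before fixing the entries."""
    return {
        "total": len(entries),
        "machine_wide": sum(e.hive == "HKLM" for e in entries),
        "wildcard": sum(e.wildcard for e in entries),
        "high": [e.host for e in entries if e.severity == "high"],
    }


if __name__ == "__main__":
    found = parse_o15(SAMPLE_LOG)
    for e in found:
        print(f"{e.severity:6} {e.hive:4} {e.scheme:5} {e.host}")
    print(summarize(found))
```

Run on the sample, the six "*.domain (HKLM)" lines come out as high severity: each one trusts every subdomain of a site for every user of the machine, which is exactly the kind of entry a rogue anti-spyware installer leaves behind so its own download and "update" hosts bypass IE's default zone restrictions. The single current-user `http://www.pandasecurity.com` entry ranks low; as tnttroy notes further down, that one was added by hand while running an online scanner, which is a useful reminder that a low-ranked entry still deserves a question to the user rather than an automatic fix.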

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:TratBHO trojan - help needed.
« Reply #53 on: February 03, 2008, 12:47:02 AM »
Download and run deldomains.inf from my website (link in my sig). When downloaded, right-click it and select Install.

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #54 on: February 03, 2008, 05:39:01 AM »
OK, I fixed those entries, though I did add at least one of them when I was trying to fix this problem. Panda online scan was one of the sites I used.

Essexboy - done :)

Anything else to ensure this is clean?  Thanks for all the help guys

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:TratBHO trojan - help needed.
« Reply #55 on: February 03, 2008, 01:48:34 PM »
What I always like to do is clear the stray files and registry entries that I didn't see, by using SAS.

Download and then run SuperAntispyware
  • On the first page select Check for Updates
  • On completion select SCAN YOUR COMPUTER
  • On the next page select COMPLETE SCAN and tick ALL your drives
  • The next stage will take a while as your entire drive(s), memory and registry are scanned
  • When it has completed click NEXT
  • The next screen shows the problems found click OK
  • On the next screen place a tick against all items and select NEXT
  • Now to get the log Go to the PREFERENCES button on the right bottom
  • Select the STATISTICS/LOG tab
  • Highlight the scan just completed and click VIEW LOG
  • This will open a notepad text file copy and paste this to your next reply

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #56 on: February 03, 2008, 06:41:28 PM »
OK, here's the log, but now I have 3 anti-spywares running lol

Should I keep the all or remove one/more?

Code: [Select]
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/03/2008 at 12:31 PM

Application Version : 3.9.1008

Core Rules Database Version : 3394
Trace Rules Database Version: 1386

Scan type       : Complete Scan
Total Scan Time : 00:48:39

Memory items scanned      : 532
Memory threats detected   : 0
Registry items scanned    : 5644
Registry threats detected : 5
File items scanned        : 62410
File threats detected     : 8

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{98663E21-9CCE-4CF6-863C-911A9523A66F}
HKCR\CLSID\{98663E21-9CCE-4CF6-863C-911A9523A66F}
HKCR\CLSID\{98663E21-9CCE-4CF6-863C-911A9523A66F}\InprocServer32
HKCR\CLSID\{98663E21-9CCE-4CF6-863C-911A9523A66F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JKKKKHF.DLL
HKCR\CLSID\{98663E21-9CCE-4CF6-863C-911A9523A66F}

Adware.Tracking Cookie
C:\Documents and Settings\Stores\Cookies\stores@atdmt[2].txt
C:\Documents and Settings\Stores\Cookies\stores@msnportal.112.2o7[1].txt

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1281OINADMIN.EXE.VIR

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OUP5\LENAMD83122.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{852A5A7B-A8D9-45B5-B020-3E1E8C987B9D}\RP12\A0001835.EXE

Trojan.Unclassifed/AffiliateBundle
C:\SYSTEM VOLUME INFORMATION\_RESTORE{852A5A7B-A8D9-45B5-B020-3E1E8C987B9D}\RP11\A0001555.DLL

Adware.Vundo Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{852A5A7B-A8D9-45B5-B020-3E1E8C987B9D}\RP3\A0000008.DLL

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33937
  • malware fighter
Re: Win32:TratBHO trojan - help needed.
« Reply #57 on: February 03, 2008, 07:50:02 PM »
Hi tnttroy,

If the anti-spyware programs are non-resident they can easily run together, as long as they do not consume too much of your cycles. I use resident BoClean and RuBotted together with non-resident A-squared Free, Ad-Aware and Ewido-Micro as non-residents.

What are these three? Then we can see if they can run alongside each other. If they are on-demand, no sweat. One warning, though: do not install rogue anti-spyware programs; they sure give your computer malware again. Look them up like this: http://www.spywareguide.com/product_search.php?s=

polonus

« Last Edit: February 03, 2008, 07:53:39 PM by polonus »

tnttroy

  • Guest
Re: Win32:TratBHO trojan - help needed.
« Reply #58 on: February 03, 2008, 10:11:02 PM »
Well, I think that's how I got this thing in the first place: some anti-spyware program that I tried :(

I'm currently running SpyEraser, MS Defender and the one you just gave me.
Any possible problems with this combo?
I'd like to get rid of SpyEraser; I don't think it's working lol

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:TratBHO trojan - help needed.
« Reply #59 on: February 03, 2008, 11:24:46 PM »
Personal preference for me at the moment is SAS only, along with SpywareBlaster.

SAS looked good: a few stray registry entries and the quarantined files.

You can delete ComboFix and its associated quarantine folder C:\QOOBOX.