Another Win32:TRATBHO[trj] infection

Same story as all the others, one day everything is good and the next day Avast is popping up alerts every 5 minutes…

Taking advice from the other threads on this I downloaded ComboFix and ran it, then I ran HijackThis and made log files. They are both attached.

Tell me what to do next…

Thanks in advance

Having a look now. Hang on.

Open Spybot and make sure TeaTimer is disabled; we will re-enable it afterwards. To do so, do the following:

Click Mode
Click Advanced mode
If you get a warning, answer “yes”
Click Tools
Click Resident
Uncheck Resident “TeaTimer” and SDHelper if installed
Click Allow change
Reboot

Go to Add/Remove Programs and uninstall the following, if found:

Rabio
Cool

Open HJT, run a system scan only, and check these lines if present:

Close all other browsers/windows, click fix, close HJT.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt”. Using your left mouse button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File:: C:\LOG2E.tmp

Folder::
C:\WINDOWS\system32\nGpxx01
C:\Documents and Settings\All Users\Application Data\Rabio
C:\Temp\isgTi19

DirLook::
C:\Program Files\RABCO

This will start ComboFix again. Close all browsers/windows first. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HJT log.

After you post the new logs, you can do this. Old Java can be exploited by malware.

Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to “Java Runtime Environment (JRE) 6 Update 4…allows end-users to run Java applications”.

Click the download button on the right.

If the Information Bar pops up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control.

Accept the license agreement > Click on Windows (XP, Vista, etc.) Offline Installation, Multi-language and Save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <= this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <= this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.
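As an added example (not part of this thread, and not a tool either poster used), a read-only PowerShell inventory of the items the Java steps above tell you to look at: Add/Remove Programs entries, the C:\Program Files\Java subfolders, the JavaVM folder that must be kept, and the Java version on the PATH. It assumes PowerShell is installed on the box and is run from an administrator account; the Uninstall registry paths are the standard Windows ones, not something from the thread.

```powershell
# Added example: inventory Java before the manual uninstall/reinstall steps.
# It only reports; nothing is deleted or changed.
# Assumption: run as administrator with PowerShell 2.0 or later.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # Present only on 64-bit Windows; harmless to check on the 32-bit box in the thread
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# 1. Add/Remove Programs entries that the thread calls "Sun Java, Java JRE, or similar"
$javaEntries = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem $key |
            ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName -match 'Java|J2SE' } |
            Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
    }
}
'== Add/Remove Programs entries mentioning Java =='
if ($javaEntries) { $javaEntries | Format-Table -AutoSize } else { '(none found)' }

# 2. Subfolders left under C:\Program Files\Java (the thread says to delete these after uninstalling)
$javaDir = Join-Path $env:ProgramFiles 'Java'
"== Subfolders of $javaDir =="
if (Test-Path $javaDir) {
    Get-ChildItem $javaDir | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
} else {
    '(folder not present)'
}

# 3. The folder the thread says NOT to delete: Microsoft's own JavaVM directory
$keepDir = Join-Path $env:ProgramFiles 'JavaVM'
if (Test-Path $keepDir) { "Note: $keepDir exists; the thread says to leave it alone." }

# 4. Whatever java.exe is on the PATH; anything older than the 6u4 release linked in the
#    thread is out of date by that post's standard (java writes its version to stderr)
$javaExe = Get-Command java.exe -ErrorAction SilentlyContinue
'== java.exe on PATH =='
if ($javaExe) {
    $javaExe.Path
    & $javaExe.Path -version 2>&1
} else {
    '(java.exe not found on PATH)'
}
```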

Done and here are the logs…

I am working on the Java Update right now.

Looks good here, how’s it at your end?

Everything is working fine. Thank you very much for your help; the last time this happened I just reformatted and reloaded Windows to solve my problems. This seems much easier. Now I have to lock this machine down so I quit having these problems, although I suspect my 17-year-old son and his memory stick have something to do with it.

One more question, I have a bunch of files in my virus chest. What should I do with them?

You can leave them there if you want to wait to be sure that they are really infected. They can be scanned in the chest by right-click, Scan. They can’t be run from within the chest or accessed from outside. Or, if you are sure, just right-click the files and select Delete.

OK, if you’re happy, we’ll clean up the tools we used.

This is an empty folder, you can delete it if you don’t recognize it.

C:\Program Files\RABCO

Time to clean up the tools

  1. Click the Start button, click Run, copy and paste the following line into the box and click OK.

combofix /u

  2. Open HJT, click the Misc Tools button, slide the slider down, click Uninstall. You will have to delete hjt.exe yourself.

  3. Create a new restore point.

You must be logged on to an administrator account.
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, then click Create.

  4. Remove old restore points.
  • Go to Start - All Programs - Accessories - System Tools. Launch the Disk Cleanup tool and let it run. When it finishes, a box with tabs will appear; select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.
  5. If you are using Windows Firewall, please note that it doesn’t provide outbound protection. A third-party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

Take care and keep safe.

All done. Thanks again, you saved me many hours of reloading software.

You’re welcome. Don’t forget to turn TeaTimer back on.