How do i get rid of Win32:TratBHO [Trj]

Hi, i’m new to all this and recently got infected with: Win32:TratBHO [trj]
and i was wondering how i can remove it and protect myself in the future…
thanks

Hi, welcome to the forum, Let’s see what we can do.

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop

[*]Please, never rename Combofix unless instructed.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
[*]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[*]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall

Click here to download HJTsetup.exe

[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

a question about combofix…it asks if i want to continue even tho 1/100 fail the disinfection process. like it’ll restart or something if it finds a problem…do i want to continue?

Yes, I’ve never had a failure. :slight_smile: It’s a warning the author put in because of the very slight chance of something going wrong. We can do something different if you want. A bit more tedious, but it can be done.

Let me know. :slight_smile:

lol, ok thanks. it’s a scary warning but i’ll give it a go :slight_smile: *fingers crossed

ok I’ll be here.

Ok here are the log reports…combofix then hijackthis. they’re too big so i’ll have to break them up.

ComboFix 08-05-01.3 - Gutter Mouth 2008-05-03 19:05:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.175 [GMT 10:00]
Running from: C:\Documents and Settings\Gutter Mouth\Desktop\ComboFix.exe

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Gutter Mouth\Application Data\ShoppingReport
C:\Documents and Settings\Gutter Mouth\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\Gutter Mouth\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\Gutter Mouth\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\Gutter Mouth\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\Gutter Mouth\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\Gutter Mouth\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\Gutter Mouth\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Program Files\ShoppingReport
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mhpwppth.ini
C:\WINDOWS\system32\mlJYpOEW.dll
C:\WINDOWS\system32\UpMedia
C:\WINDOWS\system32\WEOpYJlm.ini
C:\WINDOWS\system32\WEOpYJlm.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-03 to 2008-05-03 )))))))))))))))))))))))))))))))
.

2008-04-29 20:41 . 2008-04-29 21:14 109,765 --a------ C:\WINDOWS\BM072a2bb7.xml
2008-04-28 18:25 . 2004-05-04 12:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-04-28 18:25 . 2006-05-20 17:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-04-28 18:25 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-04-28 18:25 . 2007-03-18 21:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-04-22 18:25 . 2008-04-22 18:25 d-------- C:\Program Files\iPod
2008-04-21 10:21 . 2008-04-21 10:27 d-------- C:\Documents and Settings\Gutter Mouth.freemind
2008-04-19 19:27 . 2008-04-19 19:27 15,710,270 --a------ C:\WINDOWS\Karl_Blo.scr
2008-04-19 19:27 . 2008-04-19 19:27 231,330 --a------ C:\WINDOWS\uninstall Karl_Blo.exe
2008-04-19 19:26 . 2008-04-19 19:26 d-------- C:\Program Files\FreeMind
2008-04-05 08:56 . 2008-04-05 08:56 d-------- C:\Program Files\ZoneAlarmSB

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-03 09:19 4,888,608 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-03 09:16 19,039 ----a-w C:\WINDOWS\system32\drivers\GVTDrv.sys
2008-05-03 09:14 60,380 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-03 09:13 --------- d-----w C:\Program Files\Eraser
2008-05-03 07:51 --------- d-----w C:\Documents and Settings\Gutter Mouth\Application Data\uTorrent
2008-05-03 07:20 13,440 ----a-w C:\WINDOWS\GPCIDrv.sys
2008-04-29 10:43 --------- d-----w C:\Documents and Settings\Gutter Mouth\Application Data\Vso
2008-04-28 08:26 87,608 ----a-w C:\Documents and Settings\Gutter Mouth\Application Data\inst.exe
2008-04-28 08:26 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-28 08:26 47,360 ----a-w C:\Documents and Settings\Gutter Mouth\Application Data\pcouffin.sys
2008-04-28 08:25 --------- d-----w C:\Program Files\VSO
2008-04-28 08:05 --------- d-----w C:\Program Files\LimeWire
2008-04-22 22:52 --------- d-----w C:\Program Files\Apple Software Update
2008-04-22 08:26 --------- d-----w C:\Program Files\iTunes
2008-04-22 08:22 --------- d-----w C:\Program Files\QuickTime
2008-04-21 06:28 --------- d-----w C:\Program Files\DivX
2008-04-06 03:49 --------- d-----w C:\Documents and Settings\Gutter Mouth\Application Data\eBookPro6
2008-04-05 11:56 --------- d-----w C:\Program Files\MSECACHE
2008-04-04 22:57 --------- d-----w C:\Program Files\ZoneAlarm
2008-04-01 12:03 371,712 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-03-29 00:58 2,641,408 ----a-w C:\WINDOWS\Internet Logs\xDBA.tmp
2008-03-25 17:01 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-24 11:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-24 11:33 --------- d-----w C:\Program Files\THQ
2008-03-24 07:29 --------- d-----w C:\Program Files\Seagate
2008-03-24 07:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Seagate
2008-03-24 07:28 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-24 06:37 --------- d-----w C:\Program Files\Lame MP3 Codec
2008-03-24 06:36 65,024 ----a-w C:\WINDOWS\IFinst26.exe
2008-03-24 06:36 --------- d-----w C:\Program Files\XviD
2008-03-24 06:35 --------- d-----w C:\Program Files\Samsung
2008-03-24 06:35 --------- d-----w C:\Program Files\MarkAny
2008-03-24 06:35 --------- d-----w C:\Documents and Settings\Gutter Mouth\Application Data\DataCast
2008-03-21 03:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Software
2008-03-20 22:53 --------- d-----w C:\Program Files\dvdSanta
2008-03-14 07:35 --------- d-----w C:\Program Files\Netcom3 Cleaner
2008-03-13 13:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-03-10 01:51 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-10 00:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-08 23:46 --------- d-----w C:\Program Files\Java
2008-03-08 23:42 --------- d-----w C:\Program Files\Windows Live
2008-03-08 23:41 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-08 23:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-08 12:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-03-08 08:03 --------- d-----w C:\Documents and Settings\Gutter Mouth\Application Data\skypePM
2007-12-20 09:29 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat

ok i’ve just figured out how to attach…i think this is all of it (combofix)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:54 PM, on 3/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Gutter Mouth\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKLM..\Run: [RemoteControl] “C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe”
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM..\Run: [DAEMON Tools-1033] “C:\Program Files\D-Tools\daemon.exe” -lang 1033
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe”
O4 - HKLM..\Run: [Windows Defender] “C:\Program Files\Windows Defender\MSASCui.exe” -hide
O4 - HKLM..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKLM..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM..\Run: [basicsmssmenu] “C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe”
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKCU..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SpyClean] C:\Program Files\Netcom3 Cleaner\SpyClean.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Instant Buzz - {066040F0-5018-4E15-8AA0-81D36136D989} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - Winlogon Notify: byXPGxur - byXPGxur.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: IFA_Moore Service - Unknown owner - C:\Program Files\Common Files\Primal Pictures Shared\Service\IFA_Moore Service File.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetCom3 Service (Netcom3) - Unknown owner - C:\Program Files\Netcom3 Cleaner\PSCMonitor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 9452 bytes

The first thing you have to do is move hijackthis.exe into its own folder. For example C:\hijackthis

Then

Open HJT, run a system scan only, check mark these lines if present

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O20 - Winlogon Notify: byXPGxur - byXPGxur.dll (file missing)

Close all other browsers/windows, click fix, close HJT.

How is everything on your end?

umm…i can’t move it to its own folder. it just makes short cuts and it’s not a .exe type anyway???

can i just run a system scan from where it is or does it really need its own folder.

my computer restarted before combofix posted the log and now i don’t have the avast icon down the bottom (for on access protection, etc.) i don’t know what else is wrong…

i just did a system scan from where it was and all 3 of those things were there…just waiting to see if it should be in its own folder tho. right now it’s just on the desktop

We’ll fix up the icon problem, it happens.

Hijackthis.exe should be in its own folder, because anything we fix with HJT will be backed up in that folder.

Open windows explorer. Click on the C drive.
At the top of windows explorer, click File, highlight New, select Folder.
A new folder will appear in the right hand panel called New Folder.
The name will be highlighted, just type in hijackthis

Now navigate to C:\Documents and Settings\Gutter Mouth\Desktop and locate hijackthis.exe

Click on the file with the right mouse button, hold the button down and drag the file to the folder you created. Release the button, a menu will pop up, select move here.

Open that folder and right click on hijackthis.exe, select send to, select Desktop(create shortcut)

The file will now be in its own folder and you will have a new shortcut on your desktop.

For the avast icon, we can give you a temp fix for now.

Still in window explorer navigate to this folder

C:\Program Files\Alwil Software\Avast4

in the right hand panel locate ashdisp.exe

right click on it. select send to, select Desktop(create shortcut)

You can use this to place the icon in the tray. You will have to do this each time you start the computer. We will do a more permanent fix after we are done.

We have some files to test at virustotal

Please submit these files for analysis

To submit a file to virustotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\BM072a2bb7.xml
C:\Documents and Settings\Gutter Mouth\Application Data\inst.exe

scroll down a bit and click “send file”, wait for the results and post them in your next reply.

ok so i moved it to its own folder…getting those files scanned now and i’ll fix up those other 3 things as well…out of curiosity what were they?

C:\WINDOWS\BM072a2bb7.xml

Antivirus Version Last Update Result
AhnLab-V3 2008.5.3.0 2008.05.02 -
AntiVir 7.8.0.11 2008.05.02 -
Authentium 4.93.8 2008.05.02 -
Avast 4.8.1169.0 2008.05.03 -
AVG 7.5.0.516 2008.05.03 -
BitDefender 7.2 2008.05.03 -
CAT-QuickHeal 9.50 2008.05.02 -
ClamAV 0.92.1 2008.05.02 -
DrWeb 4.44.0.09170 2008.05.03 -
eSafe 7.0.15.0 2008.04.28 -
eTrust-Vet 31.3.5755 2008.05.03 -
Ewido 4.0 2008.05.03 -
F-Prot 4.4.2.54 2008.05.02 -
F-Secure 6.70.13260.0 2008.05.03 -
FileAdvisor 1 2008.05.03 -
Fortinet 3.14.0.0 2008.05.03 -
Ikarus T3.1.1.26.0 2008.05.03 -
Kaspersky 7.0.0.125 2008.05.03 -
McAfee 5287 2008.05.02 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3072 2008.05.03 -
Norman 5.80.02 2008.05.02 -
Panda 9.0.0.4 2008.05.03 -
Prevx1 V2 2008.05.03 -
Rising 20.42.22.00 2008.04.30 -
Sophos 4.29.0 2008.05.03 -
Sunbelt 3.0.1097.0 2008.05.03 -
Symantec 10 2008.05.03 -
TheHacker 6.2.92.299 2008.05.03 -
VirusBuster 4.3.26:9 2008.05.02 -
Webwasher-Gateway 6.6.2 2008.05.03 -
Additional information
File size: 109765 bytes
MD5…: 5b4fb2f2939542695c845b0972202da3
SHA1…: bf4f748d83d35979aac8dc6ae156dacdfc904997
SHA256: 4d890a0024956d668d866fab9484f0d26b9d07f8696e4a0fd729bb6d9fa15f73
SHA512: 45c4a8aa516ab73462e9c5cd20e2dfd126cb4c8b0301d0054f58ba1398de1de0
b45129b0a92f32f1932fc078b018d4cfd5ff408d2b7d57e83bcae0045637a8d3
PEiD…: -
PEInfo: -

File inst.exe received on 05.03.2008 13:13:45 (CET)
Result: 0/31 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.5.3.0 2008.05.02 -
AntiVir 7.8.0.11 2008.05.02 -
Authentium 4.93.8 2008.05.02 -
Avast 4.8.1169.0 2008.05.03 -
AVG 7.5.0.516 2008.05.03 -
BitDefender 7.2 2008.05.03 -
CAT-QuickHeal 9.50 2008.05.02 -
ClamAV 0.92.1 2008.05.02 -
DrWeb 4.44.0.09170 2008.05.03 -
eSafe 7.0.15.0 2008.04.28 -
eTrust-Vet 31.3.5755 2008.05.03 -
Ewido 4.0 2008.05.03 -
F-Prot 4.4.2.54 2008.05.02 -
F-Secure 6.70.13260.0 2008.05.03 -
Fortinet 3.14.0.0 2008.05.03 -
Ikarus T3.1.1.26 2008.05.03 -
Kaspersky 7.0.0.125 2008.05.03 -
McAfee 5287 2008.05.02 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3072 2008.05.03 -
Norman 5.80.02 2008.05.02 -
Panda 9.0.0.4 2008.05.03 -
Prevx1 V2 2008.05.03 -
Rising 20.42.22.00 2008.04.30 -
Sophos 4.29.0 2008.05.03 -
Sunbelt 3.0.1097.0 2008.05.03 -
Symantec 10 2008.05.03 -
TheHacker 6.2.92.299 2008.05.03 -
VBA32 3.12.6.5 2008.05.02 -
VirusBuster 4.3.26:9 2008.05.02 -
Webwasher-Gateway 6.6.2 2008.05.03 -
Additional information
File size: 87608 bytes
MD5…: 254fbca565e049648b0cce2ceadf05d2
SHA1…: f5c6d09fcd7df2f8efd51c2bcf7ef0702686071c
SHA256: c74d2fa6374b5f1e251e3205de0efe99ed026b8b7a0ad5ee549ee3700f8e63d7
SHA512: 9f587078ac71165f4b862f59ffa9279c92d3c84c19080b9f71d3c3a54964a5e0
a8a55d160f7fee7d505ccb41afea9f8720a475de2de50219037a435ccbc55709
PEiD…: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x402277
timedatestamp…: 0x44a114a2 (Tue Jun 27 11:21:06 2006)
machinetype…: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xc1d4 0xd000 6.39 8b23740868f02bb731a1556e3e89ec4b
.rdata 0xe000 0x25c2 0x3000 4.48 1c4aa9b67a1e4fb62d587545d74e9148
.data 0x11000 0x2e48 0x2000 1.28 e79d5ce42e7132af5b6039889e4670ab
.rsrc 0x14000 0xb0 0x1000 3.06 cec9b95146f57b35474dc9da6c445146

( 6 imports )

newdev.dll: UpdateDriverForPlugAndPlayDevicesW
SETUPAPI.dll: SetupDiRemoveDevice, SetupDiCallClassInstaller, SetupDiSetDeviceRegistryPropertyW, SetupDiCreateDeviceInfoW, SetupDiCreateDeviceInfoList, SetupDiGetDeviceRegistryPropertyW, SetupDiOpenDeviceInfoW
KERNEL32.dll: HeapSize, ReadFile, SetEndOfFile, WriteConsoleW, CreateFileA, FormatMessageW, GetLastError, CloseHandle, GetCurrentProcess, GetPrivateProfileStringW, MultiByteToWideChar, LocalFree, GetModuleFileNameA, GetConsoleOutputCP, WriteConsoleA, LoadLibraryA, GetCommandLineA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, RtlUnwind, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, GetProcAddress, GetModuleHandleA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, ExitProcess, WriteFile, GetStdHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, VirtualAlloc, HeapReAlloc, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, Sleep, CreateFileW, InitializeCriticalSection, SetFilePointer, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA
ADVAPI32.dll: LookupPrivilegeValueA, AdjustTokenPrivileges, OpenProcessToken
SHELL32.dll: SHGetFolderPathW
ole32.dll: CLSIDFromString

( 0 exports )

Two didn’t go anywhere, just strays. The 3rd, the 020 line was part of the infection at one time. The file was missing, probably avast or another scanner removed it, but left the reg key.

One little scan to see if any traces are left. Then we’ll work on getting the icon back. :wink:

Any sign of problems other than the icon missing?

Please download Malwarebytes’ Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
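The helper's explanation above (two empty R0 values that were strays, plus an O20 Winlogon Notify entry whose DLL had already been removed but whose registry key was left behind) is the kind of triage that can be done mechanically on a HijackThis log. The following is an added example, not code from the thread or from the HijackThis project: a small parser for the HJT line format shown in this thread that flags exactly those two patterns (an orphaned entry whose target ends in "(no file)" or "(file missing)", and an R0/R1 value with nothing after the "="). The sample log is constructed from a handful of lines in the posted log.

```python
import re
from dataclasses import dataclass

# Constructed sample: six lines in the format of the HijackThis log posted in
# this thread. Three are the ones the helper asked to check-mark; the other
# three are ordinary entries kept for contrast.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O20 - Winlogon Notify: byXPGxur - byXPGxur.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HJT entry starts with a section code (R0, O2, O20, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFNOI]\d{1,2}) - (?P<body>.*)$")

# HJT appends these markers when the registry still references a file that
# no longer exists on disk (typically an AV removed the file, not the key).
ORPHAN_MARKERS = ("(no file)", "(file missing)")

REASON_ORPHAN = "file missing: registry entry points at a file that no longer exists"
REASON_EMPTY = "empty value: R0/R1 setting with nothing after '='"


@dataclass
class Entry:
    code: str      # HJT section code, e.g. "O20"
    body: str      # everything after "Oxx - "
    reason: str    # why it is a fix candidate, or "" if it is not


def classify(code, body):
    """Return the reason an entry would be check-marked, or "" if none."""
    if any(body.endswith(marker) for marker in ORPHAN_MARKERS):
        return REASON_ORPHAN
    if code.startswith("R") and body.endswith("="):
        return REASON_EMPTY
    return ""


def parse_hjt_log(text):
    """Parse HJT entry lines; header, process list and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        match = ENTRY_RE.match(line)
        if not match:
            continue
        code, body = match.group("code"), match.group("body").strip()
        entries.append(Entry(code, body, classify(code, body)))
    return entries


def find_fix_candidates(text):
    """Entries a helper would ask the user to check-mark and fix in HJT.

    Only mechanically safe patterns are flagged (dangling references and
    empty values). Everything else is left for a human: as the thread
    says, most of what HJT lists is harmless or required.
    """
    return [e for e in parse_hjt_log(text) if e.reason]


def summarize(text):
    """Count entries per section code, e.g. {"R0": 1, "O2": 1, ...}."""
    counts = {}
    for e in parse_hjt_log(text):
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


if __name__ == "__main__":
    for e in find_fix_candidates(SAMPLE_LOG):
        print(f"{e.code} - {e.body}\n    -> {e.reason}")
```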

thanks, i’m not aware of any other problems…it seems to be normal. i haven’t been prompted by avast yet that i’m infected with the trojan, it used to let me know constantly whenever i tried to access the net, is it possible combofix thing could have fixed it when it restarted my pc?

running malware scan now.

Malwarebytes’ Anti-Malware 1.11
Database version: 710

Scan type: Quick Scan
Objects scanned: 37383
Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Installer\Features\9ee2330ae5f4470cac801baac83818c9 (Adware.Zango) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\568267acfc5644dab06f058006ddbae3 (Adware.Zango) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Registry Defender (Rogue.Registry.Defender) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Registry Defender (Rogue.Registry.Defender) → Quarantined and deleted successfully.
C:\Program Files\Registry Defender\backup (Rogue.Registry.Defender) → Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Registry Defender\report.csv (Rogue.Registry.Defender) → Quarantined and deleted successfully.
C:\Program Files\Registry Defender\backup\15_12_2007.reg (Rogue.Registry.Defender) → Quarantined and deleted successfully.

You betcha, combofix got it. The logs are clean, malwarebytes is a second opinion. It may find a few stray reg keys or files we can’t see because they didn’t show up in the logs.

Now the icon

First we’ll try a repair, if that doesn’t work then we’ll add the shortcut to your start menu. If that’s the route you have to go, you should already have one on your desktop that you created earlier. That’s the one you will use with the instructions found here

http://techpaul.wordpress.com/2007/07/10/adding-programs-to-your-startup-folder/

Try the repair first

Go to add/remove programs, in the list find avast.

Click on it, click remove/uninstall
In the next window, scroll down to repair. Click repair. Follow the prompts, if any and reboot if asked. Did it come back?

After you are done with the above, you can clean up the tools you used.

  • Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u

  • Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, click Create

  • Remove old restore points
  • Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

*Go to http://java.sun.com/javase/downloads/index.jsp

Scroll down to “Java Runtime Environment (JRE) 6 Update 6…allows end-users to run Java applications”.

Click the download button on the right.

If the Information Bar pops up, right-click on it and say it’s OK to display the blocked content.

Select the platform (Windows, in your case), multi language.
Accept the license agreement, click continue.

You do not have to install the Java Web Start ActiveX Control

Scroll down and click on Windows Offline Installation,

Save the file jre-6u6-windows-i586-p.exe to your desktop; do not select Run it. Do not install it yet.

When the download is complete, close your browser.

Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

  • Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp by Steven Gould

http://www.stevengould.org/downloads/cleanup/

Gotta go now, it’s after 5 am, plus I’ve been fighting with a quirky connection all night. >:(

I’ll check on you later. Let me know how you make out and if you have any problems with the steps.

edit: seems malwarebytes did find something. Keep malware bytes and run it from time to time. It is on demand only.

It seems I missed one. ??? I’m not sure if it’s the same one malwarebytes found.

Use this link to get Malwarebytes’ Rogue Remover. Scroll down to the free one.

http://www.malwarebytes.org/products.php