I'm sorry: Win32:TratBHO [Trj] again

I know this topic is coming up here almost every day. I looked through the old threads and tried to get rid of it the same way as described, but it didn't work. Avast keeps finding Win32:TratBHO [trj] and I can't remove it, because access to the .dll is denied. I downloaded ComboFix and ran it, but it didn't delete the .dll. It just said it was created in the past month. HJT didn't work either. I will attach my ComboFix log; the infected .dll is ati3duagv.dll.

edit: I'm sorry, it's actually Win32:BHO-KD [trj], not Win32:TratBHO [trj]!

ComboFix 08-01-07.5 - Maggo 2008-01-08 20:18:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1031.18.133 [GMT 1:00]
ausgeführt von:: C:\Dokumente und Einstellungen\Maggo\Desktop\ComboFix(2).exe

  • Neuer Wiederherstellungspunkt wurde erstellt
    .

(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\rpcc.exe

.
((((((((((((((((((((((( Dateien erstellt von 2007-12-08 bis 2008-01-08 ))))))))))))))))))))))))))))))
.

2008-01-08 20:17 . 2008-01-08 20:17 d--h----- C:\WINDOWS\PIF
2008-01-08 20:17 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-08 19:39 . 2001-08-18 13:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe.backup
2008-01-08 19:39 . 2001-08-18 13:00 13,312 --a------ C:\WINDOWS\system32\ctfmon.exe.backup
2008-01-08 19:10 . 2008-01-08 19:10 d-------- C:\Programme\Avira
2008-01-08 19:10 . 2008-01-08 19:55 d-------- C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Avira
2008-01-08 01:02 . 2008-01-08 01:03 d-------- C:\Programme\weblin
2008-01-08 01:01 . 2008-01-08 01:03 d-------- C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\zweitgeist
2008-01-08 00:30 . 2002-11-14 20:43 221,696 --a------ C:\WINDOWS\system32\srrstr.dll
2008-01-08 00:30 . 2002-11-14 20:43 221,696 --a--c--- C:\WINDOWS\system32\dllcache\srrstr.dll
2008-01-08 00:26 . 2008-01-08 00:34 d--h-c--- C:\WINDOWS\$xpsp1hfm$
2008-01-08 00:26 . 2004-01-10 06:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2008-01-08 00:25 . 2008-01-08 00:25 d---s---- C:\WINDOWS\system32\Microsoft
2008-01-06 15:16 . 2008-01-08 19:13 49 --a------ C:\WINDOWS\transp.gif
2008-01-06 14:40 . 2008-01-06 14:40 d-------- C:\Programme\Alwil Software
2008-01-06 14:40 . 2003-03-18 21:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-06 14:40 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-06 14:40 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\MSVCP71.dll
2008-01-06 14:40 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-06 14:40 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-06 14:40 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-06 14:40 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-06 14:40 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-06 14:40 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-06 14:40 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-06 14:29 . 2008-01-08 20:05 150 --a------ C:\WINDOWS\ODBC.INI
2008-01-06 14:22 . 2008-01-06 14:22 d-------- C:\Programme\Gemeinsame Dateien\Agnitum Shared
2008-01-06 14:22 . 2008-01-06 14:22 d-------- C:\Programme\Agnitum
2008-01-06 14:19 . 19,584 C:\WINDOWS\system32\drivers\vkrukkpm.dat
2008-01-06 14:15 . 2008-01-06 14:19 d-------- C:\WINDOWS\system32\AppCert
2008-01-06 14:15 . 2007-08-22 02:47 84,992 --a------ C:\WINDOWS\system32\ati3duagv.dll
2007-12-27 16:12 . 2007-12-27 16:12 2,400 --a------ C:\WINDOWS\system32\wpa.bak
2007-12-27 06:31 . 2007-12-27 06:31 754 --a------ C:\WINDOWS\WORDPAD.INI
2007-12-27 02:39 . 2007-12-27 02:39 d-------- C:\Temp
2007-12-22 22:25 . 2008-01-05 23:56 1,266 --a------ C:\WINDOWS\PartyGrabber.ini
2007-12-18 00:42 . 2004-02-25 18:05 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-12-18 00:39 . 2007-12-18 00:43 d-------- C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\fretsonfire

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 19:01 --------- d-----w C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\Skype
2008-01-08 18:39 23,552 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-01-08 17:05 --------- d-----w C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\skypePM
2008-01-08 01:12 --------- d---a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP
2007-12-06 16:42 --------- d-----r C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\Brother
2007-12-06 00:28 --------- d--h--w C:\Programme\InstallShield Installation Information
2007-11-30 02:12 32 ----a-w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\ezsid.dat
2007-11-30 02:10 --------- d-----w C:\Programme\Skype
2007-11-30 02:10 --------- d-----w C:\Programme\Gemeinsame Dateien\Skype
2007-11-30 02:10 --------- d-----w C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Skype
2007-11-29 21:25 --------- d-----w C:\Programme\ICQ
2007-11-29 21:25 --------- d-----w C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\ICQLite
2007-11-29 20:38 --------- d-----w C:\Programme\Gemeinsame Dateien\Adobe
2007-11-28 23:23 --------- d-----w C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\DivX
2007-11-28 02:01 --------- d-----w C:\Dokumente und Einstellungen\Maggo\Anwendungsdaten\Winamp
2007-11-28 01:57 --------- d-----w C:\Programme\Winamp
2007-11-28 01:47 --------- d-----w C:\Programme\Gemeinsame Dateien\InstallShield
2007-11-28 01:38 --------- d-----w C:\Programme\DivX
2007-11-28 00:31 --------- d-----w C:\Programme\microsoft frontpage
2007-11-28 00:30 --------- d-----w C:\Programme\Online-Dienste
2007-11-28 00:29 --------- d-----w C:\Programme\Gemeinsame Dateien\MSSoap
2007-11-28 00:29 --------- d-----w C:\Programme\Gemeinsame Dateien\Dienste
2007-11-28 00:21 --------- d-----w C:\Programme\Gemeinsame Dateien\SpeechEngines
2007-11-28 00:21 --------- d-----w C:\Programme\Gemeinsame Dateien\ODBC
2007-10-20 00:56 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-10-20 00:56 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-10-20 00:56 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-10-20 00:56 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-10-20 00:56 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-10-20 00:56 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-10-20 00:56 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-10-20 00:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-10-20 00:54 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-10-20 00:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-10-20 00:54 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-10-20 00:54 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-10-18 09:06 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-10-18 09:03 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-10-18 09:03 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-10-18 09:03 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-10-18 09:03 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-10-18 09:03 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-10-18 09:02 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
Hinweis leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE~\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA}]
2007-08-22 02:47 84992 --a------ C:\WINDOWS\System32\ati3duagv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Programme\Skype\Phone\Skype.exe" [2007-11-12 15:48 21760296]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ICQ Lite"="C:\Programme\ICQ\ICQLite.exe" [2006-07-11 11:15 3144800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nForce Tray Options"="sstray.exe" [2003-09-02 17:25 73728 C:\WINDOWS\system32\sstray.exe]
"Adobe Reader Speed Launcher"="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"ICQ Lite"="C:\Programme\ICQ\ICQLite.exe" [2006-07-11 11:15 3144800]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u"
"Outpost Firewall"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe" [2006-03-30 10:51 91648]
"OutpostFeedBack"="C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe" [2006-05-11 12:05 356420]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-01-08 19:39 23552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\PROGRA~1\Agnitum\OUTPOS~1.0\wl_hook.dll

R0 caiplgdr;caiplgdr;C:\WINDOWS\System32\drivers\vkrukkpm.dat
R1 VFILT;Outpost Firewall Kernel Driver;C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS [2006-03-30 10:53]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ADBLOCK.DLL [2006-03-30 10:53]
R3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\ARP.DLL [2006-03-30 10:53]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\CONTENT.DLL [2006-03-30 10:53]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\DNSCACHE.DLL [2006-03-30 10:53]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\FTPFILT.DLL [2006-03-30 10:53]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTMLFILT.DLL [2006-03-30 10:53]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\HTTPFILT.DLL [2006-03-30 10:53]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\IMAPFILT.DLL [2006-03-30 10:53]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\MAILFILT.DLL [2006-03-30 10:53]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\NNTPFILT.DLL [2006-03-30 10:53]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\POP3FILT.DLL [2006-03-30 10:53]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\PROTECT.DLL [2006-03-30 10:53]
R3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\SECRET.DLL [2006-03-30 10:53]
R4 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys

Newly Created Service - PROCEXP90
.


catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 20:19:18
Windows 5.1.2600 NTFS

Scanne versteckte Prozesse…

Scanne versteckte Autostart Einträge…

Scanne versteckte Dateien…

Scan erfolgreich abgeschlossen
versteckte Dateien: 0


.
Zeit der Fertigstellung: 2008-01-08 20:19:56
ComboFix-quarantined-files.txt 2008-01-08 19:19:41

Hi scubamaggo,

Can you also make a StartDreck scan and attach a logfile as an attachment.
Niksoft StartDreck: a powerful autoruns editor with a simple but very functional design

StartDreck from Niksoft is a start-up editor for your Microsoft Windows computer. It is a useful tool for removing spyware.
Requirements

The tool will run on any Microsoft Windows operating system. This includes,

* Windows 95
* Windows 98
* Windows ME
* Windows 2000
* Windows XP
* Windows Server 2003

Approximately 400KB of disk space is required for the tool.
Download

This site is an official mirror of StartDreck.

Note: Please send all contact regarding this tool directly to the author, Niksoft.

Latest Version: 2.1.7
Download Size: 406.585 Bytes
MD5: cf15b20807e52446503ab2742e5acf55
Download from here: http://ben.cheetham.me.uk/download/niksoft/startdreck217.zip

polonus

If Pol's suggestion does not work, then try this:

  1. Please download The Avenger by Swandog46 to your Desktop.
    * Click on Avenger.zip to open the file
    * Extract avenger.exe to your desktop

  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\ati3duagv.dll
C:\WINDOWS\system32\drivers\vkrukkpm.dat

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA}

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  3. Now, start The Avenger program by clicking on its icon on your desktop.
    * Under "Script file to execute" choose "Input Script Manually".
    * Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script".
    * Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    * Click Done
    * Now click on the Green Light to begin execution of the script
    * Answer "Yes" twice when prompted.
  4. The Avenger will automatically do the following:
    * It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    * On reboot, it will briefly open a black command window on your desktop; this is normal.
    * After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    * The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

OK, thanks for the quick help. First, the Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\nilsdasa


Script file located at: \??\C:\Program Files\nfacnwrt.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger


Beginning to process script file:

Could not open file C:\WINDOWS\system32\ati3duagv.dll for deletion
Deletion of file C:\WINDOWS\system32\ati3duagv.dll failed!

Could not process line:
C:\WINDOWS\system32\ati3duagv.dll
Status: 0xc0000022

Could not open file C:\WINDOWS\system32\drivers\vkrukkpm.dat for deletion
Deletion of file C:\WINDOWS\system32\drivers\vkrukkpm.dat failed!

Could not process line:
C:\WINDOWS\system32\drivers\vkrukkpm.dat
Status: 0xc0000022

Could not open registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA} for deletion
Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA} failed!
Status: 0xc0000022

Completed script processing.


Finished! Terminate.

and now the StartDreck log:

StartDreck (build 2.1.7 public stable) - 2008-01-08 @ 21:33:28 (GMT +01:00)
Platform: Windows XP (Win NT 5.1.2600 )
Internet Explorer: 6.0.2600.0000
Logged in as Maggo at MARCO

»Registry
»Run Keys
»Current User
»Run
*Skype="C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
»RunOnce
*ICQ Lite=C:\Programme\ICQ\ICQLite.exe -trayboot
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
»RunOnce
»Local Machine
»Run
*nForce Tray Options=sstray.exe /r
*Adobe Reader Speed Launcher="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
*ICQ Lite="C:\Programme\ICQ\ICQLite.exe" -minimize
*UserFaultCheck=%systemroot%\system32\dumprep 0 -u
*Outpost Firewall=C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
*OutpostFeedBack=C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
*avast!=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
batfile="%1" %*
+.com
comfile="%1" %*
+.exe
exefile="%1" %*
+.hta
htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1"
+.js
JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
*{ACE42F47-341D-427F-84BB-297751AA19CA}
`InprocServer32=C:\WINDOWS\System32\ati3duagv.dll
»Files
»Autostart Folders
»Current User
*C:\Dokumente und Einstellungen\Maggo\Startmenü\Programme\Autostart\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Startmenü\Programme\Autostart\desktop.ini
»Local Machine
*C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
»INI-Files
»WIN.INI[windows]
*LOAD=
*RUN=
»SYSTEM.INI[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
*C:\WINDOWS\System32\drivers\etc\hosts

»System/Drivers
»Running Processes
+0=
+4=
+576=\SystemRoot\System32\smss.exe
+632=\??\C:\WINDOWS\system32\csrss.exe
+668=\??\C:\WINDOWS\system32\winlogon.exe
+720=C:\WINDOWS\system32\services.exe
+732=C:\WINDOWS\system32\lsass.exe
+892=C:\WINDOWS\System32\Ati2evxx.exe
+932=C:\WINDOWS\system32\svchost.exe
+988=C:\WINDOWS\System32\svchost.exe
+1100=C:\WINDOWS\System32\svchost.exe
+1180=C:\WINDOWS\system32\Ati2evxx.exe
+1212=C:\WINDOWS\System32\svchost.exe
+1356=C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
+1412=C:\Programme\Alwil Software\Avast4\ashServ.exe
+1632=C:\WINDOWS\system32\spoolsv.exe
+1928=C:\WINDOWS\System32\sstray.exe
+1944=C:\Programme\ICQ\ICQLite.exe
+1976=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
+1984=C:\Programme\Skype\Phone\Skype.exe
+188=C:\WINDOWS\System32\alg.exe
+348=C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
+412=E:\PostgreSQL\bin\pg_ctl.exe
+124=E:\PostgreSQL\bin\postmaster.exe
+1228=C:\WINDOWS\System32\wdfmgr.exe
+1736=E:\PostgreSQL\bin\postgres.exe
+1992=E:\PostgreSQL\bin\postgres.exe
+332=E:\PostgreSQL\bin\postgres.exe
+2360=C:\Programme\Skype\Plugin Manager\skypePM.exe
+2828=C:\Programme\Alwil Software\Avast4\ashWebSv.exe
+3144=C:\WINDOWS\explorer.exe
+3124=C:\WINDOWS\system32\notepad.exe
+3656=E:\PostgreSQL\bin\postgres.exe
+3252=C:\Programme\Mozilla Firefox\firefox.exe
+1864=C:\Dokumente und Einstellungen\Maggo\Desktop\startdreck217\StartDreck.exe
»NT Services
*Warndienst Alerter - on demand
*Gatewaydienst auf Anwendungsebene ALG running on demand
*Anwendungsverwaltung AppMgmt - on demand
*ASP.NET State Service aspnet_state - on demand
*avast! iAVS4 Control Service aswUpdSv running auto
*Ati HotKey Poller Ati HotKey Poller running auto
*ATI Smart ATI Smart - auto
*Windows Audio AudioSrv running auto
*avast! Antivirus avast! Antivirus running auto
*avast! Web Scanner avast! Web Scanner running on demand
*Intelligenter Hintergrundübertragungsdienst BITS running auto
*Computerbrowser Browser running auto
*Indexing Service cisvc - on demand
*Ablagemappe ClipSrv - on demand
*.NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2. - on demand
*COM+-Systemanwendung COMSysApp - on demand
*Kryptografiedienste CryptSvc running auto
*DHCP-Client Dhcp running auto
*Verwaltungsdienst für die Verwaltung logischer Datenträger dmadmin - on demand
*Verwaltung logischer Datenträger dmserver running auto
*DNS-Client Dnscache running auto
*Error Reporting Service ERSvc running auto
*Ereignisprotokoll Eventlog running auto
*COM+-Ereignissystem EventSystem running on demand
*Kompatibilität für schnelle Benutzerumschaltung FastUserSwitchingCom running on demand
*Hilfe und Support helpsvc running auto
*Eingabegerätezugang HidServ - disabled
*IMAPI-CD-Brenn-COM-Dienste ImapiService - on demand
*Server lanmanserver running auto
*Arbeitsstationsdienst lanmanworkstation running auto
*TCP/IP-NetBIOS-Hilfsprogramm LmHosts running auto
*Nachrichtendienst Messenger running auto
*NetMeeting-Remotedesktop-Freigabe mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Netzwerk-DDE-Dienst NetDDE - on demand
*Netzwerk-DDE-Serverdienst NetDDEdsdm - on demand
*Anmeldedienst Netlogon - on demand
*Netzwerkverbindungen Netman running on demand
*NLA (Network Location Awareness) Nla running on demand
*NT-LM-Sicherheitsdienst NtLmSsp - on demand
*Wechselmedien NtmsSvc - on demand
*Outpost Firewall Service OutpostFirewall running auto
*PostgreSQL Database Server 8.0 pgsql-8.0 running auto
*Plug & Play PlugPlay running auto
*IPSEC-Dienste PolicyAgent running auto
*Geschützter Speicher ProtectedStorage running auto
*Verwaltung für automatische RAS-Verbindung RasAuto running on demand
*RAS-Verbindungsverwaltung RasMan running on demand
*Sitzungs-Manager für Remotedesktophilfe RDSessMgr - on demand
*Routing und RAS RemoteAccess - disabled
*Remote-Registrierung RemoteRegistry running auto
*RPC-Locator RpcLocator - on demand
*Remoteprozeduraufruf (RPC) RpcSs running auto
*QoS-RSVP RSVP - on demand
*Sicherheitskontenverwaltung SamSs running auto
*Smartcard-Hilfsprogramm SCardDrv - on demand
*Smartcard SCardSvr - on demand
*Taskplaner Schedule running auto
*Sekundäre Anmeldung seclogon running auto
*Systemereignisbenachrichtigung SENS running auto
*Internetverbindungsfirewall/Gemeinsame Nutzung der Internetverbindung SharedAccess running auto
*Shellhardwareerkennung ShellHWDetection running auto
*Druckwarteschlange Spooler running auto
*Systemwiederherstellungsdienst srservice running auto
*SSDP-Suchdienst SSDPSRV running on demand
*Windows-Bilderfassung (WIA) stisvc - on demand
*MS Software Shadow Copy Provider SwPrv - on demand
*Leistungsdatenprotokolle und Warnungen SysmonLog - on demand
*Telefonie TapiSrv running on demand
*Terminaldienste TermService running on demand
*Designs Themes running auto
*Telnet TlntSvr - on demand
*Überwachung verteilter Verknüpfungen (Client) TrkWks running auto
*Windows User Mode Driver Framework UMWdf running auto
*Upload-Manager uploadmgr running auto
*Universeller Plug & Play-Gerätehost upnphost - on demand
*Uninterruptible Power Supply UPS - on demand
*Volumeschattenkopie VSS - on demand
*Windows-Zeitgeber W32Time running auto
*WebClient WebClient running auto
*Windows-Verwaltungsinstrumentation winmgmt running auto
*Portable Media Serial Number Service WmdmPmSN - on demand
*Treibererweiterungen für Windows-Verwaltungsinstrumentation Wmi - on demand
*WMI-Leistungsadapter WmiApSrv - on demand
*Automatische Updates wuauserv running auto
*Konfigurationsfreie drahtlose Verbindung WZCSVC running auto
»Application specific

Well, Avenger didn't kill it. Let's try IceSword.

Please download and unzip Icesword to its own folder

If you get a lot of “red entries” in an IceSword log, don’t panic.

Step 1: Run IceSword. Click the “Processes” tab and watch for processes displayed in red colour. A red colored process in this list indicates that it’s hidden. Note the filenames of processes in red color. Also, make a note of the folders.

Step 2: Click the "Win32 Services" tab and look out for a red colored entry in the services list. This red coloured service entry indicates that it's rooted. Note the name of this service.

Step 3: Now, click “SSDT” tab and check for red colored entries. If there are any, note the file and folder names.

Now post all of the data collected under the headings
Processes
Win32 Services
SSDT

Hi scubammago,

This was only part of StartDreck, do the following. In the tool you see at the bottom of the window:
Refresh Config New Search Save. Now click with Save this: drive:\StartDreck\startdreck217\StartDreck.log
and put it on your desktop, go to Attach and browse to StartDreck\startdreck217\StartDreck.log
and post it,

pol

Processes and Win32 Services didn't have any red entries.
SSDT
0x101 0xB2F80330 \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS 0x8056C6DC NtTerminateProcess
0x115 0xB2F80290 \??\C:\PROGRA~1\Agnitum\OUTPOS~1.0\kernel\2000\FILTNT.SYS 0x8057F7E6 NtWriteVirtualMemory

@polonus hm... I thought I did this. OK, 2nd try:

StartDreck (build 2.1.7 public stable) - 2008-01-08 @ 22:01:00 (GMT +01:00)
Platform: Windows XP (Win NT 5.1.2600 )
Internet Explorer: 6.0.2600.0000
Logged in as Maggo at MARCO

»Registry
»Run Keys
»Current User
»Run
*Skype="C:\Programme\Skype\Phone\Skype.exe" /nosplash /minimized
»RunOnce
*ICQ Lite=C:\Programme\ICQ\ICQLite.exe -trayboot
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\System32\CTFMON.EXE
»RunOnce
»Local Machine
»Run
*nForce Tray Options=sstray.exe /r
*Adobe Reader Speed Launcher="C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
*ICQ Lite="C:\Programme\ICQ\ICQLite.exe" -minimize
*UserFaultCheck=%systemroot%\system32\dumprep 0 -u
*Outpost Firewall=C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
*OutpostFeedBack=C:\PROGRA~1\Agnitum\OUTPOS~1.0\feedback.exe /dump:os_startup
*avast!=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
batfile="%1" %*
+.com
comfile="%1" %*
+.exe
exefile="%1" %*
+.hta
htafile=C:\WINDOWS\System32\mshta.exe "%1" %*
+.htm
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1"
+.html
*FirefoxHTML=C:\PROGRA~1\MOZILL~1\FIREFOX.EXE -requestPending -osint -url "%1"
+.js
JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
lnkfile= [key or value does not exist]
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
*{ACE42F47-341D-427F-84BB-297751AA19CA}
`InprocServer32=C:\WINDOWS\System32\ati3duagv.dll
»Files
»Autostart Folders
»Current User
*C:\Dokumente und Einstellungen\Maggo\Startmenü\Programme\Autostart\desktop.ini
»Default User
*C:\WINDOWS\system32\config\systemprofile\Startmenü\Programme\Autostart\desktop.ini
»Local Machine
*C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini
»INI-Files
»WIN.INI[windows]
*LOAD=
*RUN=
»SYSTEM.INI[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\System32\config.nt
*C:\autoexec.bat
*C:\WINDOWS\System32\autoexec.nt
*C:\WINDOWS\System32\drivers\etc\hosts

»System/Drivers
»Running Processes
+0=
+4=
+580=\SystemRoot\System32\smss.exe
+636=\??\C:\WINDOWS\system32\csrss.exe
+672=\??\C:\WINDOWS\system32\winlogon.exe
+724=C:\WINDOWS\system32\services.exe
+736=C:\WINDOWS\system32\lsass.exe
+892=C:\WINDOWS\System32\Ati2evxx.exe
+932=C:\WINDOWS\system32\svchost.exe
+988=C:\WINDOWS\System32\svchost.exe
+1080=C:\WINDOWS\System32\svchost.exe
+1128=C:\WINDOWS\System32\svchost.exe
+1152=C:\WINDOWS\system32\Ati2evxx.exe
+1352=C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
+1404=C:\Programme\Alwil Software\Avast4\ashServ.exe
+1632=C:\WINDOWS\system32\spoolsv.exe
+1804=C:\WINDOWS\Explorer.EXE
+1936=C:\WINDOWS\System32\sstray.exe
+1952=C:\Programme\ICQ\ICQLite.exe
+1984=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
+2016=C:\Programme\Skype\Phone\Skype.exe
+264=C:\WINDOWS\System32\alg.exe
+388=C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
+532=E:\PostgreSQL\bin\pg_ctl.exe
+1332=E:\PostgreSQL\bin\postmaster.exe
+1204=C:\WINDOWS\System32\wdfmgr.exe
+2288=E:\PostgreSQL\bin\postgres.exe
+2324=E:\PostgreSQL\bin\postgres.exe
+2340=C:\Programme\Skype\Plugin Manager\skypePM.exe
+2624=C:\Programme\Alwil Software\Avast4\ashWebSv.exe
+2892=C:\Programme\Mozilla Firefox\firefox.exe
+3324=C:\WINDOWS\system32\NOTEPAD.EXE
+3992=D:\PartyPoker\PartyGaming.exe
+2252=
+3076=C:\Dokumente und Einstellungen\Maggo\Desktop\startdreck217\StartDreck.exe
»NT Services
*Warndienst Alerter - on demand
*Gatewaydienst auf Anwendungsebene ALG running on demand
*Anwendungsverwaltung AppMgmt - on demand
*ASP.NET State Service aspnet_state - on demand
*avast! iAVS4 Control Service aswUpdSv running auto
*Ati HotKey Poller Ati HotKey Poller running auto
*ATI Smart ATI Smart - auto
*Windows Audio AudioSrv running auto
*avast! Antivirus avast! Antivirus running auto
*avast! Web Scanner avast! Web Scanner running on demand
*Intelligenter Hintergrundübertragungsdienst BITS running auto
*Computerbrowser Browser running auto
*Indexing Service cisvc - on demand
*Ablagemappe ClipSrv - on demand
*.NET Runtime Optimization Service v2.0.50727_X86 clr_optimization_v2. - on demand
*COM+-Systemanwendung COMSysApp - on demand
*Kryptografiedienste CryptSvc running auto
*DHCP-Client Dhcp running auto
*Verwaltungsdienst für die Verwaltung logischer Datenträger dmadmin - on demand
*Verwaltung logischer Datenträger dmserver running auto
*DNS-Client Dnscache running auto
*Error Reporting Service ERSvc running auto
*Ereignisprotokoll Eventlog running auto
*COM+-Ereignissystem EventSystem running on demand
*Kompatibilität für schnelle Benutzerumschaltung FastUserSwitchingCom running on demand
*Hilfe und Support helpsvc running auto
*Eingabegerätezugang HidServ - disabled
*IMAPI-CD-Brenn-COM-Dienste ImapiService - on demand
*Server lanmanserver running auto
*Arbeitsstationsdienst lanmanworkstation running auto
*TCP/IP-NetBIOS-Hilfsprogramm LmHosts running auto
*Nachrichtendienst Messenger running auto
*NetMeeting-Remotedesktop-Freigabe mnmsrvc - on demand
*Distributed Transaction Coordinator MSDTC - on demand
*Windows Installer MSIServer - on demand
*Netzwerk-DDE-Dienst NetDDE - on demand
*Netzwerk-DDE-Serverdienst NetDDEdsdm - on demand
*Anmeldedienst Netlogon - on demand
*Netzwerkverbindungen Netman running on demand
*NLA (Network Location Awareness) Nla running on demand
*NT-LM-Sicherheitsdienst NtLmSsp - on demand
*Wechselmedien NtmsSvc - on demand
*Outpost Firewall Service OutpostFirewall running auto
*PostgreSQL Database Server 8.0 pgsql-8.0 running auto
*Plug & Play PlugPlay running auto
*IPSEC-Dienste PolicyAgent running auto
*Geschützter Speicher ProtectedStorage running auto
*Verwaltung für automatische RAS-Verbindung RasAuto running on demand
*RAS-Verbindungsverwaltung RasMan running on demand
*Sitzungs-Manager für Remotedesktophilfe RDSessMgr - on demand
*Routing und RAS RemoteAccess - disabled
*Remote-Registrierung RemoteRegistry running auto
*RPC-Locator RpcLocator - on demand
*Remoteprozeduraufruf (RPC) RpcSs running auto
*QoS-RSVP RSVP - on demand
*Sicherheitskontenverwaltung SamSs running auto
*Smartcard-Hilfsprogramm SCardDrv - on demand
*Smartcard SCardSvr - on demand
*Taskplaner Schedule running auto
*Sekundäre Anmeldung seclogon running auto
*Systemereignisbenachrichtigung SENS running auto
*Internetverbindungsfirewall/Gemeinsame Nutzung der Internetverbindung SharedAccess running auto
*Shellhardwareerkennung ShellHWDetection running auto
*Druckwarteschlange Spooler running auto
*Systemwiederherstellungsdienst srservice running auto
*SSDP-Suchdienst SSDPSRV running on demand
*Windows-Bilderfassung (WIA) stisvc - on demand
*MS Software Shadow Copy Provider SwPrv - on demand
*Leistungsdatenprotokolle und Warnungen SysmonLog - on demand
*Telefonie TapiSrv running on demand
*Terminaldienste TermService running on demand
*Designs Themes running auto
*Telnet TlntSvr - on demand
*Überwachung verteilter Verknüpfungen (Client) TrkWks running auto
*Windows User Mode Driver Framework UMWdf running auto
*Upload-Manager uploadmgr running auto
*Universeller Plug & Play-Gerätehost upnphost - on demand
*Uninterruptible Power Supply UPS - on demand
*Volumeschattenkopie VSS - on demand
*Windows-Zeitgeber W32Time running auto
*WebClient WebClient running auto
*Windows-Verwaltungsinstrumentation winmgmt running auto
*Portable Media Serial Number Service WmdmPmSN - on demand
*Treibererweiterungen für Windows-Verwaltungsinstrumentation Wmi - on demand
*WMI-Leistungsadapter WmiApSrv - on demand
*Automatische Updates wuauserv running auto
*Konfigurationsfreie drahtlose Verbindung WZCSVC running auto
»Application specific

Hi scubamaggo,

Do you understand how this is done? Look below, where I have attached something of the kind. Do the same with the StartDreck log in a similar way,

pol

Hi Pol, you are the expert on this (still reading)

*{ACE42F47-341D-427F-84BB-297751AA19CA}
`InprocServer32=C:\WINDOWS\System32\ati3duagv.dll

this is the one to go

OK, like this?

Hi essexboy,

We do this together, one, two, three,

Let Scubammago fire up StartDreck, inside there he must highlight by clicking on
the lines (these lines turn blue)

*{ACE42F47-341D-427F-84BB-297751AA19CA}
`InprocServer32=C:\WINDOWS\System32\ati3duagv.dll

and then Scubammago clicks Disable,

That's all there is, folks,

pol
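The two things the helpers are doing by eye in this thread, picking the CLSID-only BHO entry out of the StartDreck log and reading the NTSTATUS codes in the Avenger log, as an added Python example that is not from this thread and not part of either tool. The two log excerpts are constructed in the layouts shown above, and the allowlist of vetted BHO DLLs is a hypothetical one.

```python
import re

# Constructed excerpt in the StartDreck layout seen in this thread (not a real capture).
SAMPLE_STARTDRECK = r"""»Registry
»Run Keys
»Local Machine
»Run
*avast!=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
»Browser Helper Objects (LM)
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Programme\Gemeinsame Dateien\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
*{ACE42F47-341D-427F-84BB-297751AA19CA}
`InprocServer32=C:\WINDOWS\System32\ati3duagv.dll
»Files
»Autostart Folders
"""

# Constructed excerpt in the Avenger log layout from the thread.
SAMPLE_AVENGER = r"""Beginning to process script file:

Could not open file C:\WINDOWS\system32\ati3duagv.dll for deletion
Deletion of file C:\WINDOWS\system32\ati3duagv.dll failed!

Could not process line:
C:\WINDOWS\system32\ati3duagv.dll
Status: 0xc0000022

Could not open registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA} for deletion
Deletion of registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ACE42F47-341D-427F-84BB-297751AA19CA} failed!
Status: 0xc0000022

Completed script processing.
"""

# Hypothetical allowlist: BHO DLL basenames the analyst has already vetted.
KNOWN_GOOD_BHO_DLLS = {"acroiehelper.dll"}

# NTSTATUS values Avenger reports on failure; 0xC0000022 is the one this thread hit.
NTSTATUS_NAMES = {
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000043: "STATUS_SHARING_VIOLATION",
}

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_bho_section(log_text):
    """Return BHO entries {clsid, progid, dll} from the '»Browser Helper Objects' section.

    StartDreck prints one '*' line per BHO (optionally 'ProgId/{CLSID}') followed by a
    backquoted 'InprocServer32=' line; a later '»' heading closes the section."""
    entries, current, in_section = [], None, False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("»"):
            in_section = line.startswith("»Browser Helper Objects")
            current = None
            continue
        if not in_section:
            continue
        if line.startswith("*"):
            m = CLSID_RE.search(line)
            if not m:
                continue
            head = line[1:m.start()].rstrip("/")
            current = {"clsid": m.group(0).upper(), "progid": head or None, "dll": None}
            entries.append(current)
            if "InprocServer32=" in line:  # some builds print the path inline
                current["dll"] = line.split("InprocServer32=", 1)[1].strip()
        elif line.startswith("`InprocServer32=") and current is not None:
            current["dll"] = line.split("=", 1)[1].strip()
    return entries


def flag_suspicious(entries, known_good=KNOWN_GOOD_BHO_DLLS):
    """Return (clsid, dll, reasons) for entries worth a closer look.

    The pattern from this thread: no ProgId, a DLL dropped straight into System32,
    and a basename nobody has vetted."""
    findings = []
    for e in entries:
        dll = e["dll"] or ""
        reasons = []
        if dll.rsplit("\\", 1)[-1].lower() not in known_good:
            reasons.append("dll not in allowlist")
        if e["progid"] is None:
            reasons.append("registered by CLSID only (no ProgId)")
        if dll.lower().startswith("c:\\windows\\system32\\"):
            reasons.append("dll lives directly in System32")
        if reasons:
            findings.append((e["clsid"], dll, reasons))
    return findings


def parse_avenger_failures(log_text):
    """Pair each 'Deletion of ... failed!' line with the Status code that follows it."""
    failures, pending = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"Deletion of (?:file|registry key) (.+) failed!$", line)
        if m:
            pending = m.group(1)
            continue
        m = re.match(r"Status: (0x[0-9A-Fa-f]+)$", line)
        if m and pending is not None:
            code = int(m.group(1), 16)
            failures.append((pending, code, NTSTATUS_NAMES.get(code, "unknown NTSTATUS")))
            pending = None
    return failures


if __name__ == "__main__":
    for clsid, dll, why in flag_suspicious(parse_bho_section(SAMPLE_STARTDRECK)):
        print(f"{clsid} -> {dll}: {', '.join(why)}")
    for target, code, name in parse_avenger_failures(SAMPLE_AVENGER):
        print(f"{target}: 0x{code:08X} {name}")
```

STATUS_ACCESS_DENIED on both the file and the key is the same symptom the poster saw from Avast and from manual deletion, which is why the thread moves on to a tool that can disable the BHO registration first.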

OK, I disabled the file and restarted my PC. It's still disabled in StartDreck; nevertheless I can't delete it through Avast or manually. Avast is still giving me the warning. Should I press the delete button in StartDreck?

Hi scubammago,

Yes, you may do that now: delete, but only these two lines that essexboy spelled out for us,

*{ACE42F47-341D-427F-84BB-297751AA19CA}
`InprocServer32=C:\WINDOWS\System32\ati3duagv.dll

I hope we don't have to use OTMoveIt2 for ati3duagv.dll, but it might work in one go:
push delete and hope for the best. Keith, keep your fingers crossed,

pol

hm... it disappeared from the StartDreck log, but it's still on my computer and I still can't delete it manually