Removal of trojan Win32:TratBHO [Trj] - ComboFix log analysis needed

  1. How was it detected? What was scanning, you yourself or the background scanner? When did the message occur: on a download, unzipping, opening a file, mail or mail attachment, etc.?
    *AVAST DETECTED IT WHILE I WAS BROWSING A WEB PAGE

  2. What was the source of the file; where did the file come from? E.g. address, URL, source.
    *WEBSITE WITH LINKS TO SOFTWARE CRACKS [I KNOW, I KNOW – THESE ARE RISKY]

  3. When was it downloaded or received?
    *14 FEBRUARY, 2008

  4. What is the exact file name with extension?
    *ILEHTQIS.DLL

  5. What was the exact wording of the message that the AV program came up with? This is important for later.
    TROJAN HORSE DETECTED - Win32:TratBHO [trj]

  6. Now go back and do nothing yet. Scan the particular file once again with your AV product.
    RAN SPYBOT USING UPDATED DETECTION LIBRARY ON 15 FEBRUARY; AVAST DETECTED THE SAME TROJAN HORSE MID-WAY THROUGH THE SPYBOT SCAN

  7. Check with an on-line scanner or upload to Jotti for a second opinion. Jotti resides at http://virusscan.jotti.org/
    NEVER HEARD OF THIS SOFTWARE. IS IT REALLY NECESSARY?

RAN COMBOFIX. SEE LOG RESULTS IN NEXT POST…

ComboFix 08-02-16.2 - Biff 2008-02-16 2:57:23.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.1045 [GMT -5:00]
Running from: C:\Users\Biff\Desktop\Gotcha.exe

* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Users\Biff\AppData\Roaming\inst.exe
C:\Windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-01-16 to 2008-02-16 )))))))))))))))))))))))))))))))
.

2008-02-13 19:15 . 2008-02-13 19:15 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-02-13 18:30 . 2008-02-13 18:29 691,545 --a------ C:\Windows\unins000.exe
2008-02-13 18:30 . 2008-02-13 18:30 3,442 --a------ C:\Windows\unins000.dat
2008-02-13 18:20 . 2008-02-13 18:20 dr-h----- C:\MSOCache
2008-02-13 11:42 . 2008-02-13 11:42 d-------- C:\Program Files\Microsoft Silverlight
2008-02-13 03:09 . 2008-02-13 03:09 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-13 03:09 . 2008-02-13 03:09 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-13 03:04 . 2008-02-13 03:04 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 03:02 . 2008-02-13 03:02 1,383,424 --a------ C:\Windows\System32\mshtml.tlb
2008-02-11 18:56 . 2008-02-11 18:56 246,434,254 --a------ C:\Windows\MEMORY.DMP
2008-02-04 18:23 . 2008-02-04 18:23 693,792 --a------ C:\Windows\System32\OGACheckControl.DLL
2008-01-24 22:05 . 2008-01-24 22:05 dr------- C:\Users\Guest\Videos
2008-01-24 22:05 . 2008-01-24 22:05 dr------- C:\Users\Guest\Searches
2008-01-24 22:05 . 2008-01-24 22:05 dr------- C:\Users\Guest\Saved Games
2008-01-24 22:05 . 2008-01-24 22:05 dr------- C:\Users\Guest\Pictures
2008-01-24 22:05 . 2008-01-24 22:05 dr------- C:\Users\Guest\Music
2008-01-24 22:05 . 2008-01-24 22:05 dr------- C:\Users\Guest\Links
2008-01-24 22:05 . 2008-01-24 22:05 dr------- C:\Users\Guest\Downloads
2008-01-24 22:05 . 2008-01-24 22:05 dr------- C:\Users\Guest\Documents
2008-01-24 22:05 . 2008-01-24 22:05 dr------- C:\Users\Guest\Contacts
2008-01-24 22:05 . 2008-01-24 22:05 d-------- C:\Users\Guest\AppData\Roaming\Sony Corporation
2008-01-24 22:05 . 2006-11-02 07:37 d-------- C:\Users\Guest\AppData\Roaming\Media Center Programs
2008-01-24 22:05 . 2008-01-24 22:05 d--h----- C:\Users\Guest\AppData
2008-01-19 21:13 . 2008-01-19 21:13 6,144 --a------ C:\Windows\System32\kbdru_zh.dll
2008-01-16 02:07 . 2008-01-16 02:10 d-------- C:\Program Files\File Renamer
2008-01-16 02:07 . 2008-01-16 02:07 109,481 --a------ C:\Windows\File Renamer - Basic Uninstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-16 07:39 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-02-16 07:39 --------- d-----w C:\Program Files\Spybot S&D
2008-02-15 08:02 --------- d-----w C:\ProgramData\Microsoft Help
2008-02-14 00:21 --------- d-----w C:\Program Files\MSBuild
2008-02-14 00:21 --------- d-----w C:\Program Files\Microsoft Works
2008-02-14 00:18 --------- d-----w C:\Program Files\Microsoft.NET
2008-02-13 08:04 803,328 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-13 08:01 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-13 08:01 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-13 08:01 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-13 08:01 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-01-25 21:46 --------- d-----w C:\Users\Biff\AppData\Roaming\Vso
2008-01-11 08:02 --------- d-----w C:\Program Files\Windows Mail
2008-01-10 08:08 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-10 08:01 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-10 08:01 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-10 08:01 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-05 23:17 47,360 ----a-w C:\Windows\system32\drivers\pcouffin.sys
2008-01-05 23:17 47,360 ----a-w C:\Users\Biff\AppData\Roaming\pcouffin.sys
2008-01-05 23:17 --------- d-----w C:\Program Files\DVDFab Platinum 4
2007-12-28 16:21 104,448 ----a-w C:\Windows\system32\drivers\Rtlh86.sys
2007-12-23 00:55 --------- d-----w C:\Program Files\URLSnooper2
2007-12-21 09:22 --------- d-----w C:\ProgramData\DonationCoder
2007-12-21 09:22 --------- d-----w C:\Program Files\WinPcap
2007-12-21 09:17 --------- d-----w C:\Program Files\StreamboxVcrSuite2
2007-12-19 17:47 --------- d-----w C:\Program Files\JPEG Lossless Rotator
2007-12-19 17:39 --------- d-----w C:\Program Files\FastStone MaxView
2007-12-19 17:26 --------- d-----w C:\Users\Biff\AppData\Roaming\Corel
2007-12-18 08:04 9,728 ----a-w C:\Windows\System32\LAPRXY.DLL
2007-12-18 08:04 223,232 ----a-w C:\Windows\System32\WMASF.DLL
2007-12-18 08:04 1,327,104 ----a-w C:\Windows\System32\quartz.dll
2007-12-18 08:03 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-18 08:03 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-18 08:03 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-18 08:03 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-11-17 08:01 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-10-27 07:14 174 --sha-w C:\Program Files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@={F2F31467-B1AC-4df0-AE79-FD5FA085E22B}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@={A3E208F7-0E3A-4182-A7A6-B169D5D691AA}

[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2007-01-05 15:41 2857984 --a------ C:\Program Files\Protector Suite QL\farchns.dll

[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2007-01-05 15:41 2857984 --a------ C:\Program Files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WindowsWelcomeCenter"="rundll32.exe" [2006-11-02 04:45 44544 C:\Windows\System32\rundll32.exe]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 07:35 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-05-03 13:24 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-06 13:18 4423680 C:\Windows\RtHDVCpl.exe]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2007-03-23 22:06 138008]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2007-03-23 22:05 154392]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2007-03-23 22:06 133912]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-03-07 21:38 835584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"ISBMgr.exe"="C:\Program Files\Sony\ISB Utility\ISBMgr.exe" [2007-04-16 21:06 321656]
"NapsterShell"="C:\Program Files\Napster\napster.exe"
"VAIOCameraUtility"="C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe" [2007-04-02 18:49 411768]
"VAIO Center Access Bar"="c:\program files\sony\VAIO Center Access Bar\VCAB.exe" [2007-03-06 17:22 36864]
"VAIOSecurity"="C:\Program Files\Sony\VAIO Security Center\VSC.exe" [2007-03-13 19:13 2322432]
"QuickBooks Simple Start"="C:\Program Files\Intuit\SimpleStartEntice\entice.exe" [2007-01-30 23:59 371712]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"PSQLLauncher"="C:\Program Files\Protector Suite QL\launcher.exe" [2007-01-05 15:07 49168]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Snapfire\Corel PhotoDownloader.exe"
"VAIOSurvey"="C:\Program Files\Sony\VAIO Survey\Vista VAIO Survey.exe" [2006-12-06 19:08 577536]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-09 01:50 185632]
"avast!"="C:\PROGRA~1\Avast\ashDisp.exe" [2007-09-06 05:06 79224]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2006-11-29 13:09:20 968224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\Program Files\DVD Region+CSS Free\DVDShell.dll [2004-10-09 15:18 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
C:\Windows\system32\psqlpwd.dll 2007-01-05 15:28 90112 C:\Windows\System32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
VESWinlogon.dll 2007-04-23 19:19 98304 C:\Windows\System32\VESWinlogon.dll

R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2007-09-06 05:02]
R2 MSSQL$VAIO_VEDB;SQL Server (VAIO_VEDB);"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" [2007-02-10 05:29]
R2 regi;regi;C:\Windows\system32\drivers\regi.sys [2007-01-03 13:19]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-02-27 07:18]
R3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys [2007-03-23 22:05]
R3 NETw4v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-09-26 13:12]
R3 R5U870FLx86;R5U870 UVC Lower Filter ;C:\Windows\system32\Drivers\R5U870FLx86.sys [2007-04-04 09:13]
R3 R5U870FUx86;R5U870 UVC Upper Filter ;C:\Windows\system32\Drivers\R5U870FUx86.sys [2007-04-04 09:13]
R3 RTL8169;Realtek 8169 NT Driver;C:\Windows\system32\DRIVERS\Rtlh86.sys [2007-12-28 11:21]
R3 SonyImgF;Sony Image Conversion Filter Driver;C:\Windows\system32\DRIVERS\SonyImgF.sys [2007-04-05 08:06]
R3 TcUsb;TC USB Kernel Driver;C:\Windows\system32\Drivers\tcusb.sys [2006-12-01 07:07]
R3 ti21sony;ti21sony;C:\Windows\system32\drivers\ti21sony.sys [2007-04-23 12:29]
S3 ICScsiSV;Image Converter SCSI Service;C:\Program Files\Sony\Image Converter 3\ICScsiSV.exe [2007-01-26 13:41]
S3 IcVzMonLauncher;IcVzMonLauncher;"C:\Program Files\Sony\Image Converter 3\IcVzMonLauncher.exe" [2007-01-26 13:41]
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;C:\Program Files\Sony\Image Converter 3\IcVzMon.exe [2007-01-26 13:41]
S3 NPF;NetGroup Packet Filter Driver;C:\Windows\system32\drivers\npf.sys [2007-06-21 15:55]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 22:06:34 C:\Windows\Tasks\User_Feed_Synchronization-{DFD2146F-409B-412F-9A8D-08E7DA58CA32}.job"

- C:\Windows\system32\msfeedssync.exe
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-16 03:04:31
Windows 6.0.6000 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Protector Suite QL\upeksvr.exe
C:\Program Files\Avast\aswUpdSv.exe
C:\Program Files\Avast\ashServ.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Sony\VAIO Event Service\VESMgrSub.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\igfxext.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Avast\ashMaiSv.exe
C:\Program Files\Avast\ashWebSv.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Windows\system32\conime.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Protector Suite QL\psqltray.exe
C:\Program Files\Avast\ashDisp.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\DllHost.exe
C:\?\C:\Windows\system32\wbem\WMIADAP.EXE
.


.
Completion time: 2008-02-16 3:08:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-16 08:07:55
.
2008-02-15 09:10:32 --- E O F ---
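The Run-key section of the log above is the part a helper reads first. As an added example (not code from the original posts or from ComboFix), this Python snippet parses those entries, accepting the curly quotes the forum pasted in, and lists the autoruns for which the log records no date/size stamp so they can be checked by hand before anything else; the sample lines are copied from the log and the "first to check" interpretation is this example's own assumption.

```python
import re

# Constructed sample in the shape of the ComboFix "Reg Loading Points" Run section
# (entries copied from the log above; curly quotes kept as the forum rendered them).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Windows Defender”=“C:\Program Files\Windows Defender\MSASCui.exe” [2007-05-03 13:24 1006264]
“RtHDVCpl”=“RtHDVCpl.exe” [2007-04-06 13:18 4423680 C:\Windows\RtHDVCpl.exe]
“NapsterShell”=“C:\Program Files\Napster\napster.exe”
"avast!"="C:\PROGRA~1\Avast\ashDisp.exe" [2007-09-06 05:06 79224]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# name=value, optionally followed by the [date time size (resolved path)] stamp
ENTRY_RE = re.compile(
    r'^[“"](?P<name>[^”"]+)[”"]=[“"](?P<value>[^”"]*)[”"]'
    r"(?:\s+\[(?P<stamp>[^\]]+)\])?\s*$"
)
STAMP_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+)(?: (?P<resolved>.+))?$"
)

def parse_run_entries(text):
    """Return one dict per autorun value: key, name, command, path, date, size."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")          # remember which registry key we are under
            continue
        m = ENTRY_RE.match(line)
        if not m or key is None:
            continue
        entry = {"key": key, "name": m.group("name"), "command": m.group("value"),
                 "path": m.group("value"), "date": None, "size": None}
        stamp = m.group("stamp")
        if stamp:
            s = STAMP_RE.match(stamp)
            if s:
                entry["date"] = s.group("date")
                entry["size"] = int(s.group("size"))
                # A bare file name is shown with the full path ComboFix resolved it to.
                if s.group("resolved"):
                    entry["path"] = s.group("resolved")
        entries.append(entry)
    return entries

def entries_without_stamp(entries):
    """Names of autoruns the log lists with no date/size stamp (assumed: check these first)."""
    return [e["name"] for e in entries if e["size"] is None]
```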

It's just to be sure; it would be better to test the file against on-line scanners. Submit the file to:
Virustotal
Jotti
There is also Kaspersky File Scanner (the file should not be larger than 1 MB).

I suggest:

  1. Disable System Restore and re-enable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on.
  4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.