My system is an intel p4 system running in win xp home. Recently a win32.TratBHO [trj] has infected my system. When once the trojan enters the system, it manifests in different dll files each time. Avast is able to intercept and kill them. In the past two days, Avast intercepted more than 15 times and moved to chest. Even after a thorough scan both by avast and spy sweeper, and returning a clean report, the trojan comes with a different file name again and again. As I see in the discussions posted in the forum, it appears that this is a common trojan and quite a few face the same problem as I. Identifying the root cause appears to be quite a laborious one.

I would be extremely thankful if some expert clarify the following:

1. Does this trajan migrate from the system partition to other partitions and stay resident in some other programs?
2. Would a system restore to an earlier virus/trojan/malware free situation solve this problem?
3. Would reformatting the system partition and reinstalling the OS, would give the virus free system?

Thanks

pscraja

1. Does this trajan migrate from the system partition to other partitions and stay resident in some other programs?

I haven’t seen it do that.

2. Would a system restore to an earlier virus/trojan/malware free situation solve this problem?

No, because SR doesn’t restore the entire partition.

3. Would reformatting the system partition and reinstalling the OS, would give the virus free system?

Yes it should, but removing it is faster.

May I request you to give me step by step instructions? I would try that before doing anything else since you say that removing the trojan is very simple.

Is there any trojan hunter which can unearth the root of trojan and solve this problem?

Awaiting your guidance.

pscraja

Please run the programs in the order I poted them.

Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix’s window while its running. That may cause it to stall.

.
Click here to download HJTsetup.exe

[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Dear Oldman(!)

Thank you for your guidance. I have downloaded all the files. I wanted to execute the cleanup. The program shows 4 options. I was confused which one to select. Can you guide me?

Sorry if my question is silly. Please bear with me since I am new to this.

Custom clean is fine, just as your picture shows.

Dear Sir,

I have attached the log files to this.

No need for the sir.

Are you having problems with your home page, or are you not using one by choice?

Open HJT, run a system scan only, check mark these lines if present

O20 - Winlogon Notify: fcccccy - fcccccy.dll (file missing)
O20 - Winlogon Notify: wingsa32 - wingsa32.dll (file missing)

Close all other browsers/windows, click fix, close HJT.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File:: D:\WINDOWS\vpc32.INI

This will start ComboFix again.Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

.
edit to add

You also have this toolbar, vmntoolbar, it’s classified as spyware/adware. Let me know if you want it.

http://www.spywaredata.com/spyware/threat_list/VMNTOOLBAR/result.php

Your choice

http://www.castlecops.com/tk29797-vmntoolbar_dll_VMNTOO_1_DLL.html

Thank you for your immediate response. I have carried out all the operations as you had instructed. I am attaching the new combofix.txt and HJT log.

I have removed the VMN tool bar from my system. Should I remove calling ID tool bar also since I may not miss it much? It tells me how far I can trust the site. I can be without it. If calling ID is a safe one, I would keep it. But if it has a doubtable reputation I would remove it. Kindly advise. Thank you once again.

pscraja

Please submit these files for analysis, while I go over your logs.

To submit a file to virustoal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

D:\WINDOWS\system32\CJoamzmzon.dll
D:\WINDOWS\system32\dllcache\tcpip.sys
D:\WINDOWS\system32\sample1.pk
D:\WINDOWS\system32\LoopyMusic.pk
D:\WINDOWS\system32\sample1.wav

scroll down a bit and click “send file”, wait for the results and post then in your next reply.

The Calling ID toolbar is a good one, keep it. ;D

You didn’t answer me regarding your homepage.

I have submitted all the five files for analysis. As instructed, I would post them as soon as I receive the results.

Regarding the home page, I have a blank page. Sorry for my oversight.

By choice?

Yes please

Fair enough, I won’t worry about it then. I just didn’t know if something had changed it or if you did it yourself.

I am attaching the reports from virustotal.

The fifth report could not be sent. Hence I am sending it.

What about these ones, did you submit them? I don’t see a result for them.

[b]D:\WINDOWS\system32\CJoamzmzon.dll
D:\WINDOWS\system32\LoopyMusic.pk
[b]

Since I was not able to send more than 4, I am combining all in one file and sending it.

Starangly, I couldnot send the file tcpip to virustotal since it returned it saying that the file size is large and has to be split into small files. Even giving a command to split, it couldnot send.

Hence I sent it through the browser instead of sending by email.

All the reports are put together in one .txt file

I am not able to load any more attachments. I have made one file for all. I will send it later since the forum is not taking any more attachments.

The analysis for all the files is sent in one file