Win32: tratBHO(trj) avast found it

I have been trying to kill this thing but need your help please. I have run ccleaner, avast, avg, spyblaster and spyware doctor to no avail. Avast is the only one to show this problem. I have installed and run a hijackthis updated (5/2/08) and have the log hopefully attached. Any help would be gladly appreciated.

You can try the VundoFix tool as described here:

Download VundoFix.exe by Atribune to your desktop.
1. Double-click VundoFix.exe to run the program.
2. Click the Scan for Vundo button.
3. When the scan is complete, click the Remove Vundo button.
4. If VundoFix responds with a "No infected files were found" message, right-click the list box (white box) in the main VundoFix window.

    * Select “Add More Files?” from the menu that comes up. This will open a new VundoFix window.
    * You must examine your HJT log and copy and paste the complete file path present in your O2 BHO and O20 WinLogon Notify entries into the first field of the list box.

      Using our first HJT example above, this would be: C:\WINDOWS\system32\mljjj.dll

    * In the second field, copy and paste the same path, but the filename should be spelled in reverse and an asterisk (wildcard symbol) should replace the file extension:

      Using our first HJT example, this would be: C:\WINDOWS\system32\jjjlm.*

    Note: You must substitute the filename found in your own HJT log for the filename used in the example.

    * Click the Add Files button.
    * Click the Close Window button.
    * Click the Remove Vundo button.

5. You will receive a prompt asking if you want to remove the files; click Yes.
6. Once you click Yes, your desktop will go blank as it starts removing Vundo.
7. When completed, it will prompt that it will shut down your computer; click OK.
8. Restart your computer.
9. A log called vundofix.txt will be created in your C:\ directory.
10. Inspect C:\vundofix.txt with Notepad to be sure the fix completed properly.

Please retain the log created C:\vundofix.txt should you need to post a HijackThis log.

http://wiki.castlecops.com/Malware_Removal:_Virtumundo

In your case substitute this file name:

C:\WINDOWS\SYSTEM32\ljJDTnMF.dll

C:\WINDOWS\SYSTEM32\FMnTDJjl.*

I don’t know if this procedure still works for new variants, but it’s worth a try.

You could also try some other anti-spyware scanners:

Ad-Aware Free

Spybot Search & Destroy

SUPERAntiSpyware Free

See this discussion on the dangers of having two AV’s installed at the same time:

http://forum.avast.com/index.php?topic=35034.0
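The reversed-filename step above is easy to get wrong by hand, so here is an added example (not part of the thread or of VundoFix) that reads O2 and O20 lines from a HijackThis log and builds the two fields the instructions ask for. O20 entries give only a DLL name, so the system32 directory is assumed for them, as in the thread's example; the sample log is constructed from the lines quoted in this thread, and the output still needs the same hand review the instructions call for.

```python
import re
from typing import Optional, Tuple

# HijackThis line shapes used in this thread: O2 gives a full DLL path, O20 only the DLL name.
O2_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]+\} - (?P<path>[A-Za-z]:\\.+?\.dll)")
O20_RE = re.compile(r"^O20 - Winlogon Notify: \S+ - (?P<name>\S+\.dll)")
SYSTEM32 = r"C:\WINDOWS\system32"  # assumed directory for O20 entries, as in the thread's example


def vundofix_pair(hjt_line: str) -> Optional[Tuple[str, str]]:
    """Return (full path, reversed-stem wildcard path) for an O2 or O20 line, None otherwise."""
    m = O2_RE.match(hjt_line)
    if m:
        path = m.group("path")
    else:
        m = O20_RE.match(hjt_line)
        if not m:
            return None
        path = SYSTEM32 + "\\" + m.group("name")
    directory, _, filename = path.rpartition("\\")
    stem = filename[: filename.rfind(".")]  # drop the extension, keep the letter case
    return path, directory + "\\" + stem[::-1] + ".*"


def vundofix_entries(hjt_log: str) -> list:
    """Unique (path, wildcard) pairs from every O2/O20 line of a log, in order of appearance."""
    seen, out = set(), []
    for line in hjt_log.splitlines():
        pair = vundofix_pair(line.strip())
        if pair and pair not in seen:
            seen.add(pair)
            out.append(pair)
    return out


# Constructed sample log: the O2/O20 lines quoted later in this thread plus one unrelated O21 line.
SAMPLE_LOG = """
O2 - BHO: (no name) - {7F3EA905-DE65-4D00-BC1F-FF3A77F8CA30} - C:\\WINDOWS\\system32\\ljJDTnMF.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\\Program Files\\AVG\\AVG8\\avgssie.dll (file missing)
O20 - Winlogon Notify: ljJDTnMF - ljJDTnMF.dll (file missing)
O21 - SSODL: ServiceBoot - {0281ebf1-f1e4-48ab-bb17-fd324627618d} - C:\\WINDOWS\\Resources\\ServiceBoot.dll (file missing)
"""
```

Running `vundofix_entries(SAMPLE_LOG)` yields the thread's own pair (C:\WINDOWS\system32\ljJDTnMF.dll, C:\WINDOWS\system32\FMnTDJjl.*) once, plus the AVG entry, which a reader would drop as legitimate.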

Sorry for the delay; my CPU is running at 100% and getting Vundo to work is slow going. I keep getting redirected to a second explorer opening up that I have to close.
After running VundoFix it gave the “No infected files were found” message, so I right clicked. I don’t know if a second window opened, but I clicked on “add more files?”. Pasted in the first field, but it wouldn’t let me paste in the second field; it asked for “file type”. I have to keep closing explorer down and reopening to get any CPU usage. Today it is running 50-78%.

Hi.
Besides the vundo you have 2 antivirus programs running, avast and avg. Uninstall one of them.

It is vitally important that ComboFix is renamed before it even starts to download.

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.

* If you are using Firefox, make sure that your download settings are as follows:
  - Tools -> Options -> Main tab
  - Set to “Always ask me where to Save the files”.

* During the download, rename Combofix to Combo-Fix as follows:

  http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif

  http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* It is important you rename Combofix during the download, but not after.
* Please do not rename Combofix to other names, but only to the one indicated.
* Close any open browsers.
* Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

* Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause “unpredictable results”.
* Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.

* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
* Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore your connection.

* Double click on combofix.exe & follow the prompts.
* When finished, it will produce a report for you.
* Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouse-click Combofix’s window while it’s running. That may cause it to stall.

Combofix closed windows after finding an error. It asked “for any further assistance contact system admin. or network” and then gave
“Technical Information Combo-Fix Stop: 0x0000008E(0xc0000005, 0x80563ED6, 0xB8F4FC30, 0x00000000)”

I turned off the system and then double clicked Combo-Fix and it did the same thing. I have attached my hjt log run after combo-fix. I know the program is combofix but saved it per your instr. as combo-fix.

Thank You

Hi

That’s ok. You shouldn’t have run it again.

Combofix did do something though. Please check at this location for a log.
C:\combofix.txt

We’ll fix a few things with HJT (HijackThis), then use another scan tool to look for leftovers.

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: (no name) - {086E763C-457E-4426-978D-0CDFBCCA8EA8} - C:\WINDOWS\system32\ssqOEVlj.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {7F3EA905-DE65-4D00-BC1F-FF3A77F8CA30} - C:\WINDOWS\system32\ljJDTnMF.dll (file missing)
O20 - Winlogon Notify: ljJDTnMF - ljJDTnMF.dll (file missing)
O21 - SSODL: ServiceBoot - {0281ebf1-f1e4-48ab-bb17-fd324627618d} - C:\WINDOWS\Resources\ServiceBoot.dll (file missing)

Close all other browsers/windows, click fix checked, close HJT.

Please download FixWareout from

http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure “Run fixit” is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is NORMAL.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Please note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

Please post back with the Fixwareout log and the DSS (Deckards) log. Also the combofix log if it is present in the location mentioned above.

Any improvement?

OK here we go. Me being as frustrated and non-computer friendly as I can be have run HJT,FixWareOut and DSS like you asked and I promptly closed the main and extra notepads and for the life of me can’t locate them. VERY SORRY MY FAULT.
I’m attaching combofix, fixwareout and maybe the dss report but still no luck. Can’t get dss report to stick sorry.

No problem. They will be found at C:\Deckards

I can’t find the extra.txt file, but I am not sure how to look for it. Avast found a win32/heur virus. Hit ignore before I copied down the location, due to the fact I have had to hit ignore as opposed to put in chest because avast could not. My fault; I’ll do better next time.

Don’t worry about the extra text, it should have been with the main.txt. If it wasn’t, you won’t have one.

Looking now, will post later. Bedtime for me.

What the heck. I stayed up for a bit.

Do you recognize this folder?

C:\Program Files\GameHouse

Download and run ERUNT http://www.larshederer.homepage.t-online.de/erunt/

(the download link is server1 or server2, or server3)

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click “…” to browse your computer’s drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.

Next, select the backup options:

  • System registry:

  • Current user registry:

  • Other open user registries:

Click “OK” and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.

REGISTRY FIX

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad click FILE > SAVE AS.
Next, in the FILE NAME box type (including the quotation marks) "fix.reg".
Make sure the box at the top is set to save in Desktop.

This will create a fix.reg file on your desktop
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

Please download
OTMoveIt2 by OldTimer.

Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\jlVEOqss.ini2
C:\WINDOWS\system32\ssqOEVlj
C:\WINDOWS\system32\khfgdeBQ.dll
C:\Documents and Settings\All Users\Application Data\dwrifkzo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC

Return to OTMoveIt2, right click in the “Paste List Of Files/Folders To Move” window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
C:\_OTMoveIt\MovedFiles\********_******.log
(where the asterisks are the “date_time” of the run)

Download Malwarebytes’ Anti-Malware onto your desktop from here:
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html
Double-click mbam-setup.exe and click “Next” to install this tool.
When the installation is complete, tick “Update MalwareBytes’ Anti-Malware” and “Launch MalwareBytes’ Anti-Malware”.
Then click “Finish”.
In the main frame choose the “Scanner” tab, then select “Perform full scan”.
Click “Scan” and make sure all hard disks/partitions are selected.
Then click “Start Scan”.
When the scan has finished, click OK, then “Show Results” to see the scan results.
Make sure all are selected, then click “Remove Selected”.
Whenever the program asks for a restart, allow it.
Then a log will open (mbam-log-XX-XX-XXXX(xx-xx-xx).txt).

Attach this log next, the OTMOVEIT2 results and a new DSS (Deckard) log to your next post.

Here is the DSS log, I Hope.

That’s the old DSS log. :wink:

Well here are the others you requested. I do not know how to attach things that are on the notepad as I can not find them. Thank you for your GREAT instructions and taking the time to help me. I am adding the logs now. Well, I thought I had them but came back with an error saying the attachments were too large, and I have no clue as to how to find them. I am truly sorry for my ineptness; I get in a hurry and close things too fast and lose them.

C:\WINDOWS\system32\jlVEOqss.ini2 moved successfully.
File/Folder C:\WINDOWS\system32\ssqOEVlj not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\khfgdeBQ.dll
C:\WINDOWS\system32\khfgdeBQ.dll NOT unregistered.
C:\WINDOWS\system32\khfgdeBQ.dll moved successfully.
C:\Documents and Settings\All Users\Application Data\dwrifkzo moved successfully.
< HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC >
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05062008_110416

Tip: When the log is presented in Notepad, click File, click Save As, at the top of the box set it to Desktop, in File name enter a name, and click Save.

It will now be on your desktop.

The DSS log should be at the same location you found the other one.

Also check c:\program files\malwarebytes for the log

I need this info.

Thanks

I am lost on which files are what because I click on one and it runs and generates new logs, which I then close and lose the info you need. I have tried to save as to desktop but it had another file in existence and I did not want to copy over; frustrated and worried.
Here is what I think you need.

OK how about this one sorry for the empty one.

Malwarebytes’ Anti-Malware 1.12
Database version: 723

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 133461
Time elapsed: 46 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\uninstall (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{7f3ea905-de65-4d00-bc1f-ff3a77f8ca30} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1102\A0171852.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1102\A0171855.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\05062008_110416\WINDOWS\system32\khfgdeBQ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url (Rogue.Link) -> Quarantined and deleted successfully.

Did you do the regfix yet? According to the log you haven’t.

Just right clicked on it and merged.

Okay one more DSS log and we should be finished.

What about that folder I asked you about?

Do you recognize this folder?

C:\Program Files\GameHouse

and this one?

C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9