Win32:TratBHO[Trj] - Please help!

Sorry to be adding to the multiple posts on this, but I tried everything to no avail.

On 4/29 my ZoneAlarm kept bugging me about a registry change that wanted to take place; stupid me, I thought it was an MS update b/c it was so persistent (and b/c I had just turned on my computer). I allowed it, then bam.

I am running Avast Home 4.8, it picks up the trojan in the memory test that runs before the scan commences. It is always the same .dll that is infected, found in

c:\WINNT\system32\xevrbebc.dll

The rest of the scan is clean. I ran Avast multiple times and tried to remove it but it can’t; tried to run it in safe mode, still can’t; ran Spybot, cleaned some stuff up; ran Vundofix and VirtumundoBeGone in regular & safe modes, nada; & was going to try to manually remove the .dll myself w/Unlocker, but it showed that many apps were tied to it and I was afraid to delete b/c I have no idea what I am doing. I also ran AVG Anti-Rootkit twice and came up clean both times.

I cleaned all w/CCleaner, rebooted, then ran DSS and have the current version of HiJackThis installed. The main.txt from DSS follows, the HiJackThis log is identical except for the line numbering. Let me know if I should DL/run ComboFix & post that log.

BTW, I haven’t noticed any persistent negative effects from the trojan in the few times that I have used the laptop since infection, though I have decided to stop using that laptop (I’m posting on another now, using a USB drive to transfer info). It’s an older laptop but has served me well. The problems that have popped up are a physical dumping of memory, causing the laptop to restart (I have 2 gigs of 17 total free on my hard, am running basic RAM levels, perhaps I am cutting it too close?) - this happens a few minutes after start up, once scandisk runs it stabilizes. I think I do recall errant pop ups for spyware cleaners too - characteristic symptoms of this trojan according to what I have read.

Okay, the log will follow in the next post, I can’t get all of this into 1 w/o exceeding the character max. I’m sorry to be verbose, thought that the more info provided the better, thanks in advance for your help!

My DSS/HJT Log, part 1 (still too large to be able to fit into 1 post)

Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-01 17:43:39
Computer is in Normal Mode.

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 255 MiB (256 MiB recommended).
System Drive C: has 2.06 GiB (less than 15%) free.

HijackThis (run as Owner.exe)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:49 PM, on 5/1/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\WINNT\System32\QCONSVC.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch\utils\mspm.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\James\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4020100D-29D7-4392-AFD5-5AD713FF4B88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A7A72F59-4C9B-46CD-A57E-0FE22E375B8E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mspm] C:\Program Files\Maxtor\OneTouch\utils\mspm.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [3f3f145f] rundll32.exe "C:\WINNT\system32\xevrbebc.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m…,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O20 - Winlogon Notify: iifdcAqq - iifdcAqq.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

End of file - 8210 bytes

DSS/HJT Log part 2:

Files created between 2008-04-01 and 2008-05-01

2008-05-01 17:37:31 0 d-------- C:\Program Files\Trend Micro
2008-04-30 14:10:23 0 d-------- C:\VundoFix Backups
2008-04-30 12:35:00 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_2c4.dat
2008-04-30 09:38:15 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_4b4.dat
2008-04-30 09:09:43 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_69c.dat
2008-04-30 00:02:47 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_4ac.dat
2008-04-29 23:46:31 97856 --a------ C:\WINNT\system32\xevrbebc.dll
2008-04-29 23:43:47 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_4d4.dat
2008-04-29 00:13:52 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_538.dat
2008-04-28 23:36:22 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_49c.dat
2008-04-28 23:35:39 528356 --ahs---- C:\WINNT\system32\qYFiQqru.ini2
2008-04-15 01:26:10 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_468.dat
2008-04-12 00:28:15 0 d-------- C:\Program Files\Image Grabber II
2008-04-11 01:54:10 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_5e0.dat
2008-04-11 01:38:00 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_2b8.dat
2008-04-11 00:23:54 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_be0.dat
2008-04-08 15:30:57 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_2c8.dat
2008-04-08 04:18:18 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_724.dat
2008-04-05 12:27:53 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_4f0.dat

Find3M Report

2008-05-01 12:32:32 4212 ---h----- C:\WINNT\system32\zllictbl.dat
2008-03-23 13:47:50 0 d-------- C:\Program Files\KMPlayer
2008-03-22 23:17:50 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_478.dat
2008-03-21 13:10:28 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_6cc.dat
2008-03-16 01:52:42 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_54c.dat
2008-03-14 13:44:20 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_6d4.dat
2008-03-12 09:38:08 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_4b0.dat
2008-02-23 23:55:48 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_6a4.dat
2008-02-23 12:08:20 2540 --a------ C:\WINNT\unins000.dat
2008-02-23 11:54:50 691545 --a------ C:\WINNT\unins000.exe
2008-02-15 23:59:12 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_494.dat
2008-02-14 17:00:08 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_6d8.dat
2008-02-09 23:34:22 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_498.dat
2008-02-08 12:16:06 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_6e4.dat
2008-02-02 01:29:18 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_5a0.dat

Registry Dump

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4020100D-29D7-4392-AFD5-5AD713FF4B88}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7A72F59-4C9B-46CD-A57E-0FE22E375B8E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [06/24/03 02:34p]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [06/24/03 02:33p]
"ATIModeChange"="Ati2mdxx.exe" [06/18/02 10:14a C:\WINNT\system32\Ati2mdxx.exe]
"Synchronization Manager"="mobsync.exe" [06/19/03 03:05p C:\WINNT\system32\mobsync.exe]
"PRPCMonitor"="PRPCUI.exe" [03/25/02 02:30p C:\WINNT\system32\prpcui.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [06/28/02 03:10p]
"TP4EX"="tp4ex.exe" [02/22/02 01:04a C:\WINNT\system32\TP4EX.exe]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [06/28/02 01:30a]
"AGRSMMSG"="AGRSMMSG.exe" [02/22/02 04:37p C:\WINNT\AGRSMMSG.exe]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [07/15/02 02:20a]
"Tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [11/07/01 03:50a]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [03/01/06 11:58a]
"mspm"="C:\Program Files\Maxtor\OneTouch\utils\mspm.exe" [09/03/05 04:10a]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [10/17/05 04:24p]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/07 01:11a]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [09/07/06 01:19p]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/08 01:37p]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/27/07 08:14p]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/08 11:11p]
"3f3f145f"="C:\WINNT\system32\xevrbebc.dll" [04/29/08 11:46p]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/08 11:43a]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/20/2000 9:15:54 PM]
Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [1/22/2008 8:25:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdcAqq]
iifdcAqq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\urqQiFYq

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

End of Deckard's System Scanner: finished at 2008-05-01 17:44:30
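The log above is what the helpers on the thread read by eye: an O4 Run value with a random-looking hex name that launches a system32 DLL through rundll32, an O20 Winlogon Notify entry whose DLL is missing, and BHO entries whose files are gone. As an added example (not code from the thread, from HijackThis or from DSS), the Python below applies those same checks to a few constructed lines modelled on the log. The indicator patterns and thresholds are this example's own assumptions, not rules taken from the forum or the tools, and they are a first-pass filter, not a replacement for a full log review.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread; not code from HijackThis, DSS or the forum.
The regexes and thresholds are assumptions chosen to mirror what a reviewer
looks for by eye in the O2/O4/O20 lines; they are not a substitute for a
full log review.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines modelled on the log quoted in the thread
# (same paths and names as printed there), not the full log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4020100D-29D7-4392-AFD5-5AD713FF4B88} - (no file)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [3f3f145f] rundll32.exe "C:\WINNT\system32\xevrbebc.dll",b
O20 - Winlogon Notify: iifdcAqq - iifdcAqq.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Run-value name of exactly eight hex characters with at least one digit,
# e.g. "3f3f145f"; vendors normally use readable names here.
HEX_NAME = re.compile(r"^(?=.*\d)[0-9a-f]{8}$")
# rundll32[.exe] ["]path.dll["],Export  as HijackThis prints the command.
RUNDLL32 = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\w+)',
    re.IGNORECASE,
)
# O4 - <hive>: [<value name>] <command line>
O4_ENTRY = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def check_line(line: str) -> list[str]:
    """Return the reasons one log line deserves a closer look (empty if none)."""
    reasons: list[str] = []
    if "(no file)" in line or "(file missing)" in line:
        reasons.append("orphaned entry: the registered component's file is absent")
    m = O4_ENTRY.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        if HEX_NAME.match(name):
            reasons.append(f"Run value name {name!r} looks machine-generated")
        r = RUNDLL32.search(cmd)
        # A DLL in system32 invoked through a one- or two-letter export is
        # unlike the named exports legitimate vendors register (cf. BMMGAG).
        if r and "\\system32\\" in r.group("dll").lower() and len(r.group("export")) <= 2:
            reasons.append(
                f"rundll32 loads {r.group('dll')} from system32 through export {r.group('export')!r}"
            )
    if line.startswith("O20 - Winlogon Notify:"):
        reasons.append("Winlogon Notify DLL is loaded into winlogon.exe at logon; verify its publisher")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Apply check_line to every non-empty line and keep only the flagged ones."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line and (reasons := check_line(line)):
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for why in f.reasons:
            print("   ->", why)
```

Run against the sample it flags exactly the three lines a reviewer would circle (the orphaned BHO, the `3f3f145f` rundll32 entry, the Winlogon Notify entry) and passes the Synaptics, ThinkPad and avast! entries untouched; the `BMMGAG` line shows why the rundll32 check keys on the export name and directory rather than on rundll32 itself.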

OK, I just read in another post about using Vundofix when it doesn’t find any infected files, am going to see if that works now…

ComboFix seems to be quite successful in dealing with Vundo.

Run it following all the usual warnings as in this post:

http://forum.avast.com/index.php?topic=35198.msg295765#msg295765

OK, will do it now, I was just looking at the alternate way of scanning with Vundofix when it doesn’t find infected files and cannot follow what I should be doing for that so hopefully this avenue will work. Thanks very much, will post results when I am done.

Cheers!

Done! The damned trojan is gone! ComboFix targeted the file that was showing up as infected almost immediately! I ran Avast 2x more, then a few RootKit and Malware programs and all is coming up clean. Thanks for the help!

Cheers!

I suggest:

  1. Disable System Restore and re-enable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot-time scan with avast with archive scanning turned on.
  4. Use SUPERantispyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  6. Immunize your system with SpywareBlaster or Windows Advanced Care.
  7. Check if you have insecure applications with Secunia Software Inspector.