help! Win32 TratBHO TROJAN ATTACK!

Discussion in 'Windows Desktop Systems' started by trogdorwasaman, Jan 15, 2008.

  1. trogdorwasaman

    trogdorwasaman OSNN Junior Addict

I don't know what to do. Every so often, my avast! Antivirus Professional Edition gets an infected file. I went into safe mode to see if I could diagnose the problem and did a scan. I found a file named "akeygen.exe" which was the source. It was a Win32:trj-gen or something. I tried to quarantine it and delete it, but it wouldn't let me. I tried to scan while in normal mode in Windows and it doesn't appear. Also my Spy Sweeper and avast! Virus Cleaner can't find it either. I'm currently running VundoFix. Someone help.

btw I don't mean to sound like a whiny puss or anything but I'm desperate.

also I don't know how to use HijackThis and don't know what it's used for
    Last edited by a moderator: Jan 16, 2008
  2. Steevo

    Steevo Spammer representing. Political User Folding Team

HijackThis is a program that makes a record of the most important parts of your system to help detect and delete a majority of malware and spyware, as well as some forms of viruses and backdoor exploits.

You may download it here

Before you click the executable, however, right-click it and rename it to something else, as some malware/spyware will hide when it detects the name "hijackthis" as one of the processes running on your computer. I use my nickname, Steevo.

    I will copy my log so you can see what it will look like.

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 11:07:51 PM, on 1/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\Program Files\COMODO\Firewall\cmdagent.exe
    C:\Program Files\Folding@Home Windows SMP Client V1.01\smpd.exe
    C:\Program Files\COMODO\Firewall\cfp.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe

    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) -
    O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) -
    O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
    O23 - Service: asurscsi - Voyetra Turtle Beach, Inc. - C:\DOCUME~1\Steevo\LOCALS~1\Temp\MSI4C.tmp
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: MPICH2 Process Manager, Argonne National Lab (mpich2_smpd) - Unknown owner - C:\Program Files\Folding@Home Windows SMP Client V1.01\smpd.exe
    O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

    End of file - 3944 bytes
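The O4 (Run keys), O20 (AppInit_DLLs) and O23 (services) lines in a log like the one above are where most persistence shows up, and the reviewer's first pass is usually mechanical: where does each entry actually run from, and who owns it? The script below is an added illustration, not code from HijackThis or from anyone in this thread. It parses those three line types and applies a few defender-side "look at this" heuristics (a binary under a Temp folder or a user profile, a service with an unknown owner, any AppInit_DLLs entry because that DLL is loaded into every GUI process). The sample input is a handful of lines copied from Steevo's posted log; a flag means "worth a human look", not "infected", and Steevo's log, which he reports as clean, trips two of the rules on an installer's temporary service, which is exactly the kind of entry a reviewer then checks by hand. The rule names and thresholds are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines copied from the HijackThis log posted above, so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: asurscsi - Voyetra Turtle Beach, Inc. - C:\DOCUME~1\Steevo\LOCALS~1\Temp\MSI4C.tmp
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
"""

# Line formats as HijackThis prints them (hive\..\Run: [name] command, etc.).
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$')

# A quoted or unquoted path ending in a program/DLL extension, followed by a
# quote, whitespace or end of line. Unquoted paths with spaces are common in
# these logs, so splitting on whitespace alone is not enough.
EXE_RE = re.compile(
    r'^"?(?P<path>[^"]+?\.(?:exe|dll|cpl|tmp|scr|com|bat|cmd))(?:"|\s|$)',
    re.IGNORECASE,
)


@dataclass
class Entry:
    section: str                      # "O4", "O20" or "O23"
    name: str                         # Run value name, service display name, or "AppInit_DLLs"
    path: str                         # program/DLL path extracted from the command line
    owner: Optional[str] = None       # O23 only: company string HijackThis reports
    flags: List[str] = field(default_factory=list)


def program_path(cmd: str) -> str:
    """Extract the program path from a command line; fall back to the first token
    (e.g. 'RunDll32 CMICNFG3.CPL,CMICtrlWnd' yields 'RunDll32')."""
    m = EXE_RE.match(cmd.strip())
    if m:
        return m.group('path')
    parts = cmd.split()
    return parts[0] if parts else ""


def assess(entry: Entry) -> List[str]:
    """Heuristic review flags chosen for this example; each means 'look closer'."""
    p = entry.path.lower()
    flags = []
    if '\\temp\\' in p or p.endswith('.tmp'):
        flags.append('TEMP_PATH')            # code launched from a temp directory
    if '\\docume~1\\' in p or '\\documents and settings\\' in p or '\\users\\' in p:
        flags.append('USER_PROFILE_PATH')    # system-wide autostart living in a user profile
    if entry.owner and entry.owner.lower() == 'unknown owner':
        flags.append('UNKNOWN_OWNER')        # service binary without a recognised vendor
    if entry.section == 'O20':
        flags.append('APPINIT_DLL')          # injected into every GUI process at load time
    return flags


def parse_log(text: str) -> List[Entry]:
    """Parse O4/O20/O23 lines into Entry records with review flags attached."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            e = Entry('O4', m['name'], program_path(m['cmd']))
        elif m := O20_RE.match(line):
            e = Entry('O20', 'AppInit_DLLs', program_path(m['cmd']))
        elif m := O23_RE.match(line):
            e = Entry('O23', m['name'], m['cmd'].strip(), owner=m['owner'])
        else:
            continue                          # other sections are ignored here
        e.flags = assess(e)
        entries.append(e)
    return entries


def flagged(entries: List[Entry]) -> dict:
    """Map entry name -> flags for every entry that tripped at least one rule."""
    return {e.name: e.flags for e in entries if e.flags}


if __name__ == '__main__':
    for e in parse_log(SAMPLE_LOG):
        mark = ' '.join(e.flags) if e.flags else 'ok'
        print(f"{e.section:<4} {e.name:<45} {e.path}  [{mark}]")
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; the point of the flags is to shortlist what to research (vendor, file location, signature), which is the manual step Steevo describes below as best left to people who know the tool.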
  3. Steevo

    Steevo Spammer representing. Political User Folding Team

    So far as I know I am clean from any infection. So there is nothing extra to really be removed or cleaned from my system.

After opening HijackThis you should click the top button that reads "Do a system scan and create a logfile". The logfile will open in Notepad so you may save it and copy and paste it into your forum reply.

    After this you should close the program and NOT attempt to make any repairs or changes yourself.

    When someone gets to look at it they will make recommendations of how to proceed. Please be patient if you do not receive a reply right away as only a handful of people know the workings of this tool, and improper use can damage a system more severely than the original infection.
  4. trogdorwasaman

    trogdorwasaman OSNN Junior Addict

Well, good news.

I entered safe mode and performed multiple scans and deleted 2 files named

    "Win32: trj-gen"

    "Win32: TratBHO"

For now, no more pop-up messages from my antivirus about .dlls being infected...
    Last edited by a moderator: Jan 17, 2008