help! Win32 TratBHO TROJAN ATTACK!

trogdorwasaman

OSNN Junior Addict
Joined
17 May 2007
Messages
11
I don't know what to do. Every so often, my avast! Antivirus Professional Edition gets an infected file. I went into safe mode to see if I could diagnose the problem and did a scan. I found a file named "akeygen.exe" which was the source. It was a Win32:trj-gen or something. I tried to quarantine it and delete it, but it wouldn't let me. I tried to scan while in normal mode in Windows and it doesn't appear. Also my Spy Sweeper and avast! Virus Cleaner can't find it either. I'm currently running VundoFix. Someone help.

By the way, I don't mean to sound like a whiny puss or anything, but I'm desperate.

Also, I don't know how to use HijackThis and don't know what it's used for.
 

Steevo

Spammer representing.
Political Access
Joined
1 Sep 2004
Messages
2,567
HijackThis is a program that makes a record of the most important parts of your system to help detect and delete a majority of malware and spyware, as well as some forms of viruses and backdoor exploits.


You may download it here: http://www.merijn.org/files/HiJackThis_v2.exe

Before you click the executable, however, right-click it and rename it to something else, as some malware/spyware will hide when it detects the name "hijackthis" as one of the processes running on your computer. I use my nickname, Steevo.

I will copy my log so you can see what it will look like.


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:07:51 PM, on 1/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\Steevo\LOCALS~1\Temp\MSI4C.tmp
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Folding@Home Windows SMP Client V1.01\smpd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Share\Steevo2.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.CPL,CMICtrlWnd
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax5523.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: asurscsi - Voyetra Turtle Beach, Inc. - C:\DOCUME~1\Steevo\LOCALS~1\Temp\MSI4C.tmp
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MPICH2 Process Manager, Argonne National Lab (mpich2_smpd) - Unknown owner - C:\Program Files\Folding@Home Windows SMP Client V1.01\smpd.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

--
End of file - 3944 bytes
 

Steevo

Spammer representing.
Political Access
Joined
1 Sep 2004
Messages
2,567
So far as I know I am clean from any infection. So there is nothing extra to really be removed or cleaned from my system.


After opening HijackThis you should click the top button that reads "Do a system scan and create a logfile". The logfile will open in Notepad so you may save it and copy and paste it into your forum reply.


After this you should close the program and NOT attempt to make any repairs or changes yourself.


When someone gets to look at it they will make recommendations of how to proceed. Please be patient if you do not receive a reply right away as only a handful of people know the workings of this tool, and improper use can damage a system more severely than the original infection.
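Steevo's two posts above describe what HijackThis records (running processes, O4 autoruns, O23 services and so on) and how to produce a log for others to read. As an added example, not code from the thread or from HijackThis itself, here is a small Python triage script that parses a few lines in that log format and lists the entries a reviewer would want to look at first: binaries running from temp or user-profile directories, startup items with an unusual extension, and services with no publisher recorded. The sample lines are copied from Steevo's posted log; the flag rules are my own heuristics and produce review prompts, not verdicts.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this
# thread: bare paths from "Running processes", O4 autoruns and O23 services.
SAMPLE_LOG = r"""
C:\DOCUME~1\Steevo\LOCALS~1\Temp\MSI4C.tmp
C:\Share\Steevo2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O23 - Service: asurscsi - Voyetra Turtle Beach, Inc. - C:\DOCUME~1\Steevo\LOCALS~1\Temp\MSI4C.tmp
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")          # "O23 - Service: ..." style lines
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"\n]*?\.[A-Za-z0-9]{2,4})"?(?=\s|$)')
# Where a startup item or service binary normally does not live (heuristic) ...
PROFILE_DIRS = ("\\temp\\", "\\locals~1\\", "\\local settings\\", "\\docume~1\\", "\\documents and settings\\")
# ... and where the standard Windows and vendor binaries are expected.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\progra~1\\", "c:\\program files\\")


def triage(log_text):
    """Return (section, image_path, reasons) for log entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            section, body = m.groups()
        elif line[1:3] == ":\\":               # bare path from "Running processes"
            section, body = "process", line
        else:
            continue
        pm = PATH_RE.search(body)
        if not pm:
            continue                            # e.g. RunDll32 with a .CPL, no drive path
        path = pm.group(1)
        low = path.lower()
        reasons = []
        if any(d in low for d in PROFILE_DIRS):
            reasons.append("runs from a temp or user-profile directory")
        elif not low.startswith(TRUSTED_DIRS):
            reasons.append("runs outside Windows/Program Files")
        if not low.endswith((".exe", ".dll", ".sys")):
            reasons.append("unusual extension for a startup item")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service with no publisher recorded")
        if reasons:
            findings.append((section, path, reasons))
    return findings
```

Note that the renamed copy of HijackThis in C:\Share trips the "outside Program Files" rule as well, which is exactly why Steevo tells people to post the log and wait for a reviewer rather than delete entries themselves.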
 

trogdorwasaman

OSNN Junior Addict
Joined
17 May 2007
Messages
11
Well, good news.

I entered safe mode and performed multiple scans and deleted 2 files named

"Win32: trj-gen"

"Win32: TratBHO"

Edit:
For now, no more pop-up messages from my antivirus about .dlls being infected...
Huzzah
 
