I think I have TratBHO (still)


#1
saerenna

    New Member
  • 1 posts
I'm afraid trying to fix this all by myself has made it worse. I've searched the internet for fixes, but I'm at the point where I don't know what's wrong anymore. I have those modified .exes and can't find the root .dll, if there is one. The problem started January 13 around 23:00, when Avast! said I had TratBHO in an ssqrlo.dll. I'd delete it, but every time I rebooted it came back. Something I did after looking around at other people's problems and trying to fix it myself seems to have stopped the ssqrlo.dll from coming back, and now Avast! isn't catching any TratBHO. I'm sorry, I don't remember exactly what it was that I did; I tried many things. I thought I was clean, but it looks like I'm not; combocheck comes up with what I'm pretty sure are problems, but I don't know how to find or fix them.

Here's my HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:03:07, on 2008/01/15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\lxdjcoms.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Saerenna\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [lxdjmon.exe] "C:\Program Files\Lexmark 1400 Series\lxdjmon.exe"
O4 - HKLM\..\Run: [LXDJCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDJtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Winupdate Engine] C:\WINDOWS\system32\wupeng.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp .exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [mschkdsk.exe] C:\WINDOWS\system32\mschkdsk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {A22B8FD2-4CAA-4EFB-82F7-680CD656D9B0} (NowStarter Control) - http://www.gogobox.c...GNowStarter.cab
O16 - DPF: {D8F2DC62-F4A1-4A10-AE19-61DF6EC9BF50} (xc_loader_activex.cntMain) - http://157.201.248.4...der_activex.CAB
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: lxdj_device - - C:\WINDOWS\system32\lxdjcoms.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - C:\Program Files\MSN Messenger\usnsvc.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Saerenna\My Documents\My Pictures\Hyoutei2a.jpg
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Saerenna\My Documents\My Pictures\Hyoutei5.jpg
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Saerenna\My Documents\My Pictures\yagyuu.png
O24 - Desktop Component 4: The Rogue Beat - http://roguebeat.cro.....20no Wake.mp3
O24 - Desktop Component 5: (no name) - C:\Documents and Settings\Saerenna\Desktop\Shounen_Onmyouji_-_Egao_no_Wake.mp3
O24 - Desktop Component 6: (no name) -
O24 - Desktop Component 7: (no name) - C:\Documents and Settings\Saerenna\My Documents\Hyotei_Gakuen.htm

--
End of file - 6821 bytes


And here's also my combofix log:
ComboFix 08-01-15.4 - Saerenna 2008-01-15 5:16:59.2 - NTFSx86
Running from: C:\Documents and Settings\Saerenna\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-15 04:09 . 2007-12-04 04:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-15 04:09 . 2007-12-04 06:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-15 04:09 . 2007-12-04 06:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-15 04:09 . 2007-12-04 06:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-15 04:09 . 2007-12-04 06:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-15 04:08 . 2004-01-09 01:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-15 00:02 . 2008-01-15 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-14 23:32 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-14 21:19 . 2008-01-14 21:19 <DIR> d-------- C:\Program Files\CCleaner
2008-01-14 20:50 . 2008-01-15 05:07 2,148 --a------ C:\WINDOWS\system32\wpa.dbl
2008-01-14 13:32 . 2008-01-14 15:04 <DIR> d-------- C:\VundoFix Backups
2008-01-14 02:54 . 2008-01-15 02:32 <DIR> d-------- C:\Documents and Settings\Saerenna\Application Data\AVG7
2008-01-14 02:53 . 2008-01-14 02:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-14 02:53 . 2008-01-15 05:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-13 22:39 . 2007-07-16 15:53 48 --a------ C:\Documents and Settings\Saerenna\readme.bat
2007-12-28 21:53 . 2007-12-29 10:11 <DIR> d-------- C:\Program Files\GridService
2007-12-28 21:53 . 2007-12-28 21:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grid

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 12:04 --------- d-----w C:\Program Files\MegauploadToolbar
2008-01-15 12:04 --------- d-----w C:\Program Files\Lexmark Toolbar
2008-01-15 10:20 --------- d-----w C:\Program Files\Common Files\AOL
2008-01-15 10:19 --------- d-----w C:\Program Files\Acoustica Mixcraft 3
2008-01-15 04:30 --------- d-----w C:\Program Files\Lexmark 1400 Series
2008-01-15 03:19 --------- d-----w C:\Program Files\DellSupport
2008-01-15 03:10 --------- d-----w C:\Program Files\QuickTime
2008-01-14 06:50 --------- d-----w C:\Documents and Settings\Saerenna\Application Data\MegauploadToolbar
2008-01-14 04:16 --------- d-----w C:\Program Files\VideoLAN
2008-01-14 01:23 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-28 23:52 --------- d-----w C:\Documents and Settings\Saerenna\Application Data\BitTorrent
2007-12-04 14:53 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 13:04 837,496 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-11-30 03:22 8,612 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-11-26 07:56 --------- d-----w C:\Documents and Settings\Saerenna\Application Data\AdobeUM
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 09:55 3,065,856 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-28 01:40 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2006-05-20 08:08 0 ---ha-w C:\Documents and Settings\All Users\Application Data\gwseh.dat
2007-07-19 17:29 88 --sh--r C:\WINDOWS\system32\E7D1A1E3A5.sys
.
----a-w			81,920 2008-01-15 03:49:53  C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
----a-w		   249,856 2008-01-14 11:45:57  C:\Program Files\Common Files\InstallShield\UpdateService\isuspm  .exe
----a-w			53,248 2008-01-15 03:49:49  C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w		 1,032,192 2008-01-15 03:49:52  C:\Program Files\Dell\QuickSet\quickset .exe
----a-w		   157,696 2008-01-14 22:58:31  C:\Program Files\Google\Google Desktop Search\GoogleDesktop .exe
----a-w		   579,072 2008-01-15 03:50:36  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w			69,632 2008-01-15 03:50:25  C:\Program Files\HP\HP Share-to-Web\hpgs2wnd .exe
----a-w			20,480 2008-01-15 03:50:17  C:\Program Files\Lexmark 1400 Series\lxdjamon .exe
----a-w		 1,121,792 2008-01-15 03:50:01  C:\Program Files\McAfee\SpamKiller\MSKDetct .exe
----a-w		   761,947 2008-01-15 03:49:43  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
----a-w		 4,670,968 2008-01-15 03:51:13  C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w		   208,952 2008-01-14 11:46:25  C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
----a-w			59,392 2008-01-14 11:46:30  C:\WINDOWS\system32\IME\PINTLGNT\ImScInst .exe
----a-w		   455,168 2008-01-14 11:46:34  C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE


((((((((((((((((((((((((((((( snapshot@2008-01-14_23.49.51.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-15 13:05:40 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_55c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mschkdsk.exe"="C:\WINDOWS\system32\mschkdsk.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:00 15360]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [ ]
"Aim6"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-09-09 20:19 393216 C:\WINDOWS\stsystra.exe]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe" [2008-01-14 03:45 249856]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 02:00 208952]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 02:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 02:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 02:00 455168]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"ClubBox"="" []
"lxdjmon.exe"="C:\Program Files\Lexmark 1400 Series\lxdjmon.exe" [ ]
"LXDJCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDJtime.dll" [2007-02-09 15:21 102400]
"Winupdate Engine"="C:\WINDOWS\system32\wupeng.exe" [ ]
"avp"="C:\WINDOWS\avp .exe" [ ]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 05:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-19 23:57:39]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Documents and Settings\Saerenna\My Documents\My Pictures\Hyoutei2a.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= C:\Documents and Settings\Saerenna\My Documents\My Pictures\Hyoutei5.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= C:\Documents and Settings\Saerenna\My Documents\My Pictures\yagyuu.png
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\5]
Source= C:\Documents and Settings\Saerenna\Desktop\Shounen_Onmyouji_-_Egao_no_Wake.mp3
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\7]
Source= C:\Documents and Settings\Saerenna\My Documents\Hyotei_Gakuen.htm
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-09-13 15:49 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

S3 CoachUsb;Coach Digital Camera on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys [2004-11-24 13:34]
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-08-04 02:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-07 17:48:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 05:27:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDJCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDJtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 5:31:35
ComboFix2.txt 2008-01-15 07:50:27
.
2008-01-09 11:04:44 --- E O F ---