Win32:tratbho Infection


6 replies to this topic

#1 Caustic Soul


  • Members
  • 3 posts

Posted 13 January 2008 - 04:20 PM

My computer is severely infected with this, and I have no idea where to start. Avast can't get it and one of the files infected is a system file. Where and how do I start?

The one file that is a system file is ddabc.dll in the systems folder.

Edited by Caustic Soul, 13 January 2008 - 04:26 PM.




#2 Orange Blossom


    OBleepin Investigator


  • Moderator
  • 36,911 posts

Posted 13 January 2008 - 04:35 PM

Welcome to BC Caustic Soul :flowers:

I would start by downloading, if you don't already have them, AVG Anti-Spyware and SuperAntiSpyware Free and scanning with them in safe mode. Links and directions are below.
-----------------

AVG Anti-Spyware 7.5
Download AVG AntiSpyware 7.5 (formerly Ewido) found here: http://www.ewido.net/en/download/
Directions for use in both normal and safe modes are provided here by our own quietman7:
http://www.castlecops.com/t137442-CCSP_Ewi...structions.html
You will also find the directions to disable the real-time scanning, which I would advise doing right away, as it is only available for the paid version, which the free version is like for the first 30 days. I would suggest doing the scan in safe mode after setting up the proper scanning selections.
---
Here is a brief summary for installation and set-up. If scanning in safe-mode, set-up in Normal mode first, then reboot into safe-mode:
Double click the avg-setup file to begin installation and follow the prompts.
When the program has been installed, and you click the Finish button, AVG A-S will open.

Updating AVG Anti-Spyware:

* By default AVG A-S is configured to update automatically so, if you have an active internet connection, it should do so following installation. If you are unsure whether or not it has done so, do the following: Click the Update icon at the top and under "Manual Update" - click the Start update button.
* Either AVG A-S will update or inform you that no update was available.

Disabling the Resident Shield:
* By default the Resident Shield is active but as it may interfere with the process of cleaning your PC, it will need to be disabled.
(When the PC has been cleaned you can activate the shield again, if you wish.)
* Click the Shield icon at the top and under "Resident shield is..." - click active.
* This should now change to inactive.

Changing Recommended Actions
* Click the Scanner icon at the top and then click the Settings Tab.
* Under "How to act?" click Recommended actions and select "Quarantine" from the menu.

And for scanning:
Ensure that ALL open Windows / Programs / Folders are closed and then run AVG A-S.

* If it is not already selected, click the Scanner icon at the top and then select the Scan Tab.
* Click "Complete System Scan"
* While the scan is in progress the PC should be left otherwise idle.
* When the scan has completed, any threats that AVG A-S has detected will be displayed.
* Click the Apply all actions button at the bottom.
* When AVG A-S has finished, it will display the message "All actions have been applied".

Saving a report:
* Click the Save Report button at the bottom left and the "Reports" window will open.
* The content of the scan report will be displayed in the right hand pane and a copy will be automatically saved as Report-Scan-date-time.txt into the C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports folder.
* You will need to post a copy of this report into your next reply, so if it is more convenient, you can save another copy of this report elsewhere:
Click the Save report as button and select a destination by clicking the down arrow to the right of the Save in: text box and then click Save.

Close AVG Anti-Spyware.


+++++++++++++++++++
Next:
Download and install SUPERAntiSpyware free found here: http://www.superantispyware.com/superantis...efreevspro.html

Be sure to click on the download button to the left, not on the free trial download on the right.

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.
+++++++++++++

Please post both logs in your next reply.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,267 posts

Posted 13 January 2008 - 05:29 PM

Please follow the instructions for using Vundofix in BC's self-help tutorial: "How To Remove Vundo/Winfixer Infection".

After running VundoFix, a text file named vundofix.txt will have automatically been saved to the root of the system drive, usually at C:\vundofix.txt. Please copy & paste the contents of that text file into your next reply.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 Caustic Soul


Posted 13 January 2008 - 05:53 PM

Okay, now I ran AVG, and told it to do what it needed to, and the virus just deleted AVG!

#5 Orange Blossom


Posted 13 January 2008 - 05:56 PM

Please follow Quietman7's directions in the post just previous to your latest. He knows a lot more than I do!

Orange Blossom :thumbsup:

#6 Caustic Soul


Posted 13 January 2008 - 06:23 PM

VundoFix V6.7.7

Checking Java version...

Scan started at 5:57:20 PM 1/13/2008

Listing files found while scanning....

C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\cbadd.ini2
C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\ddabc.exe
C:\WINDOWS\system32\NeroCheck.exe

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\cbadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbadd.ini2
C:\WINDOWS\system32\cbadd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\ddabc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddabc.exe
C:\WINDOWS\system32\ddabc.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\system32\NeroCheck.exe Has been deleted!

Performing Repairs to the registry.
Done!


I rechecked, and it said there are 7 more.

Edited by Caustic Soul, 13 January 2008 - 06:24 PM.


#7 quietman7


Posted 14 January 2008 - 07:20 AM

I rechecked, and it said there are 7 more

What did you recheck? What did you use to recheck and what else was found?

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install the current version of HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

Edited by quietman7, 14 January 2008 - 07:28 AM.
