That Dang Win32:tratbho[trj] Trojan

Posted 02 May 2008 - 09:50 AM

Hi all:

I'm sorry to be adding to the multiple posts on this bugger, but I tried all that I have found to no avail. This trojan is a tough one to remove!

So, on 4/29/08 my ZoneAlarm kept bugging me about a registry change that wanted to take place. This happened multiple times; stupid me thought it was an MS update of some sort b/c it was so persistent (and b/c I had just turned on my computer). I allowed it, then *bam*, I am sacked with the trojan.

I am running Avast Home 4.8, it picks up the trojan in the memory test that runs before the scan commences. It is always the same .dll that is infected, found in


The rest of the scan is clean. I ran Avast a number of times and tried to remove it, but it can't. Tried to run it in safe mode, still won't remove it. Ran Spybot, cleaned some stuff up, ran VundoFix and VirtumundoBeGone in both regular and safe modes, nada, and was going to try to manually remove the .dll myself using Unlocker, but Unlocker showed that many apps were tied to it. Was afraid to delete b/c I have no idea what I am doing.

I cleaned all with the newest version of CCleaner, rebooted, then ran DSS and have the current version of HijackThis installed. However, after reviewing your Prep Guide before posting, I see that an extra.txt should have been generated. I ran it twice but this text never came up; I hope that doesn't affect matters much. The main.txt from DSS follows; the HijackThis log is identical, I see, except for the line numbering. I was going to DL and run ComboFix, but the guide doesn't speak to that so I held off; will do so if recommended.

BTW, I haven't noticed any persistent negative effects from the trojan as of yet, though I have stopped using that laptop (I'm posting on another now, using a USB drive to transfer info). It's an older laptop but has served me well. The problems that have popped up are a physical dumping of memory, causing the laptop to restart (I have 2 gigs of 17 total free on my hard drive, am running basic RAM levels; perhaps I am cutting it too close?). This happens a few minutes after start-up; once scandisk runs it stabilizes. I think I do recall errant message pop-ups for false spyware cleaners too, characteristic symptoms of this trojan according to what I have read.

Okay, here is the log. Sorry to be verbose; I thought that the more info provided the better. Thanks in advance for your help!

Deckard's System Scanner v20071014.68
Run by Owner on 2008-05-01 17:43:39
Computer is in Normal Mode.

Percentage of Memory in Use: 82% (more than 75%).
Total Physical Memory: 255 MiB (256 MiB recommended).
System Drive C: has 2.06 GiB (less than 15%) free.

-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:43:49 PM, on 5/1/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
C:\Program Files\Maxtor\OneTouch\utils\mspm.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\James\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4020100D-29D7-4392-AFD5-5AD713FF4B88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A7A72F59-4C9B-46CD-A57E-0FE22E375B8E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe
O4 - HKLM\..\Run: [mspm] C:\Program Files\Maxtor\OneTouch\utils\mspm.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [3f3f145f] rundll32.exe "C:\WINNT\system32\xevrbebc.dll",b
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O20 - Winlogon Notify: iifdcAqq - iifdcAqq.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINNT\System32\QCONSVC.EXE
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe

End of file - 8210 bytes

-- Files created between 2008-04-01 and 2008-05-01 -----------------------------

2008-05-01 17:37:31 0 d-------- C:\Program Files\Trend Micro
2008-04-30 14:10:23 0 d-------- C:\VundoFix Backups
2008-04-30 12:35:00 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_2c4.dat
2008-04-30 09:38:15 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_4b4.dat
2008-04-30 09:09:43 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_69c.dat
2008-04-30 00:02:47 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_4ac.dat
2008-04-29 23:46:31 97856 --a------ C:\WINNT\system32\xevrbebc.dll
2008-04-29 23:43:47 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_4d4.dat
2008-04-29 00:13:52 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_538.dat
2008-04-28 23:36:22 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_49c.dat
2008-04-28 23:35:39 528356 --ahs---- C:\WINNT\system32\qYFiQqru.ini2
2008-04-15 01:26:10 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_468.dat
2008-04-12 00:28:15 0 d-------- C:\Program Files\Image Grabber II
2008-04-11 01:54:10 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_5e0.dat
2008-04-11 01:38:00 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_2b8.dat
2008-04-11 00:23:54 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_be0.dat
2008-04-08 15:30:57 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_2c8.dat
2008-04-08 04:18:18 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_724.dat
2008-04-05 12:27:53 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_4f0.dat

-- Find3M Report ---------------------------------------------------------------

2008-05-01 12:32:32 4212 ---h----- C:\WINNT\system32\zllictbl.dat
2008-03-23 13:47:50 0 d-------- C:\Program Files\KMPlayer
2008-03-22 23:17:50 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_478.dat
2008-03-21 13:10:28 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_6cc.dat
2008-03-16 01:52:42 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_54c.dat
2008-03-14 13:44:20 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_6d4.dat
2008-03-12 09:38:08 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_4b0.dat
2008-02-23 23:55:48 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_6a4.dat
2008-02-23 12:08:20 2540 --a------ C:\WINNT\unins000.dat
2008-02-23 11:54:50 691545 --a------ C:\WINNT\unins000.exe
2008-02-15 23:59:12 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_494.dat
2008-02-14 17:00:08 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_6d8.dat
2008-02-09 23:34:22 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_498.dat
2008-02-08 12:16:06 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_6e4.dat
2008-02-02 01:29:18 16384 --a------ C:\WINNT\system32\Perflib_Perfdata_5a0.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4020100D-29D7-4392-AFD5-5AD713FF4B88}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7A72F59-4C9B-46CD-A57E-0FE22E375B8E}]

"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [06/24/03 02:34p]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [06/24/03 02:33p]
"ATIModeChange"="Ati2mdxx.exe" [06/18/02 10:14a C:\WINNT\system32\Ati2mdxx.exe]
"Synchronization Manager"="mobsync.exe" [06/19/03 03:05p C:\WINNT\system32\mobsync.exe]
"PRPCMonitor"="PRPCUI.exe" [03/25/02 02:30p C:\WINNT\system32\prpcui.exe]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [06/28/02 03:10p]
"TP4EX"="tp4ex.exe" [02/22/02 01:04a C:\WINNT\system32\TP4EX.exe]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [06/28/02 01:30a]
"AGRSMMSG"="AGRSMMSG.exe" [02/22/02 04:37p C:\WINNT\AGRSMMSG.exe]
"QCWLICON"="C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE" [07/15/02 02:20a]
"Tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [11/07/01 03:50a]
"MaxtorOneTouch"="C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe" [03/01/06 11:58a]
"mspm"="C:\Program Files\Maxtor\OneTouch\utils\mspm.exe" [09/03/05 04:10a]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [10/17/05 04:24p]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [09/25/07 01:11a]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [09/07/06 01:19p]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [03/29/08 01:37p]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [07/27/07 08:14p]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/13/08 11:11p]
"3f3f145f"="C:\WINNT\system32\xevrbebc.dll" [04/29/08 11:46p]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/08 11:43a]

"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/20/2000 9:15:54 PM]
Wireless-G Notebook Adapter.lnk - C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe [1/22/2008 8:25:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdcAqq]

"Authentication Packages"= msv1_0 C:\WINNT\system32\urqQiFYq
-- End of Deckard's System Scanner: finished at 2008-05-01 17:44:30 ------------
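Added example, not part of the original post and not code from HijackThis, DSS, ComboFix or any other tool named in the thread: a small Python triage script that applies, mechanically, the checks a helper applies by eye to a log like the one above. The sample lines are copied from the log itself. The rules are heuristics of mine, not HijackThis output or a vendor signature: an 8-letter pseudo-random DLL name launched by rundll32 from system32 under an 8-hex-digit Run value name, a BHO CLSID whose DLL is gone, a Winlogon Notify package whose DLL is missing or random-named, and anything besides msv1_0 in the LSA "Authentication Packages" value. The localhost proxy is reported as informational only, because a localhost proxy on port 12080 is also what avast's Web Shield (ashWebSv.exe, which is running in this log) installs; confirm what listens there before treating it as a hijack.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines lifted from the HijackThis / DSS log in the post,
# plus two benign entries (Adobe BHO, avast! Run value) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4020100D-29D7-4392-AFD5-5AD713FF4B88} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [3f3f145f] rundll32.exe "C:\WINNT\system32\xevrbebc.dll",b
O20 - Winlogon Notify: iifdcAqq - iifdcAqq.dll (file missing)
"Authentication Packages"= msv1_0 C:\WINNT\system32\urqQiFYq
"""


@dataclass
class Finding:
    line_no: int
    severity: str          # "info" | "medium" | "high"
    rule: str
    detail: str
    artifact: str = ""     # file name to put on the removal checklist, if any


# Heuristics (assumptions, not HijackThis rules): Vundo-era droppers used
# 8-letter pseudo-random DLL names and an 8-hex-digit Run value name.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")
RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?', re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _stem(name: str) -> str:
    return name.rsplit(".", 1)[0]


def analyze(log_text: str) -> list:
    """Run each heuristic over every line and collect findings in log order."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # R1: IE proxy pointing at the local host. Malware uses this to hijack
        # traffic, but so do local AV web scanners, so it is info-only here.
        m = re.match(r"^R1 - .*ProxyServer = (\S+)$", line)
        if m and m.group(1).lower().startswith(("localhost:", "127.0.0.1:")):
            findings.append(Finding(n, "info", "local-proxy",
                f"IE proxies through {m.group(1)}; confirm which process listens there"))
            continue
        # O2: BHO registered, DLL gone. An orphaned CLSID; safe to have HJT fix it.
        m = re.match(r"^O2 - BHO: .* - (\{[0-9A-F-]+\}) - \(no file\)$", line)
        if m:
            findings.append(Finding(n, "medium", "orphan-bho",
                f"BHO {m.group(1)} has no file"))
            continue
        # O4: Run value launching a DLL via rundll32 with random-looking names.
        m = re.match(r"^O4 - HK\w+\\\.\.\\Run: \[([^\]]+)\] (.*)$", line)
        if m:
            value_name, command = m.groups()
            dm = RUNDLL_DLL.search(command)
            if dm:
                dll = _basename(dm.group(1))
                if RANDOM_NAME.match(_stem(dll)) and HEX_NAME.match(value_name):
                    findings.append(Finding(n, "high", "rundll32-random-dll",
                        f"Run value [{value_name}] loads {dll} via rundll32", dll))
            continue
        # O20: Winlogon Notify packages load into winlogon.exe at logon, so a
        # missing or random-named DLL here is a classic loader slot.
        m = re.match(r"^O20 - Winlogon Notify: (\S+) - (\S+)(.*)$", line)
        if m:
            key, dll, rest = m.groups()
            if "(file missing)" in rest or RANDOM_NAME.match(_stem(dll)):
                findings.append(Finding(n, "high", "winlogon-notify",
                    f"Winlogon Notify '{key}' -> {dll}{rest}", dll))
            continue
        # LSA Authentication Packages: a stock box lists only msv1_0; anything
        # extra is loaded into lsass.exe at boot.
        m = re.match(r'^"Authentication Packages"=\s*(.*)$', line)
        if m:
            extra = [p for p in m.group(1).split() if p.lower() != "msv1_0"]
            for pkg in extra:
                findings.append(Finding(n, "high", "lsa-auth-package",
                    f"extra authentication package: {pkg}", _basename(pkg)))
    return findings


def iocs(findings: list) -> list:
    """Sorted, de-duplicated file names from high-severity findings."""
    return sorted({f.artifact for f in findings if f.severity == "high" and f.artifact})


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no:>3} [{f.severity:<6}] {f.rule}: {f.detail}")
    print("files to account for:", ", ".join(iocs(results)))
```

Run it against the full main.txt and the three high-severity lines it returns are exactly the three artifacts a helper would ask ComboFix or a manual fix to deal with: the rundll32-loaded DLL, the Winlogon Notify DLL and the extra LSA package. The two benign lines in the sample produce nothing, which is the point of including them.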

Posted 03 May 2008 - 10:40 PM

Done, it's gone! I DL'd and ran ComboFix; it targeted the known infected file right away and cleaned up my computer. I ran Avast 2x more since then (to be sure) and a few rootkit and malware programs as well; nothing else shows up. Now, to update my Java so that the vulnerabilities can't be pounced upon again.

Posted 05 May 2008 - 12:13 AM

Hello J24,

Thank you for letting us know that your problem is resolved. You are lucky in that regard as ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Since your problem is resolved, I am closing this topic.

Orange Blossom
