Monday, January 07, 2008

[log] Win32:TratBHO [Trj], Win32:Agent-PCJ [Adw], Win32:Bojo-G [Trj]

Marc must have downloaded the Xmas specials malware pack. When we got the laptop, we could not even use Internet Explorer to download the anti-virus software. The browser was so jacked that clicks would be intercepted to go elsewhere, and every few minutes a random browser window would open to "Secret Lovers".

- Changed the desktop background from a lovely picture of his daughters to straight black, and switched Windows Explorer and the Start menu to "classic" mode. Yes, this had to be done before I could proceed.
- Downloaded Firefox by manually typing in the download path, all the while fighting off randomly opening windows.
- Installed Firefox, and from there downloaded and installed Avast!, Ad-Aware, and CCleaner.
- Ran CCleaner, which deleted 3.6 GB of crap
- Ran Ad-Aware, then noticed that there were still a huge number of cached files in Local Settings\Temp, no doubt downloaded by all the malware. Manually unhid the folders and files to delete them.
- Downloaded and ran Norton Removal Tool to uninstall Norton 2005, so that Avast! could function fully
- Ran Avast! which found the first two malware in the boot-time scan:

"Win32:Trojan-gen {Other}" found in "C:\WINDOWS\system32\tuvtqpq.dll"
"Win32:Bojo-G [Trj]" found in "C:\WINDOWS\system32\moywh.dll"


- Avast! easily removed these two. The power adaptor on the laptop had not been working right, though, and the computer decided to hibernate in the middle of the scan.
- Woke it up from hibernate, fudged with the power cord until it seemed to be charging, and continued the scan with a blank screen and no sense of progress. Entertained myself by chatting with Jessica and watching Jose and Scruffy run around.

- Avast! scan finally finished. The computer is behaving much better now. But clearly there was still malware left, since "Secret Lovers" was still popping up every so often, especially when I tried to use IE.
- Ran Windows Updates to upgrade IE and Hotfixes to latest version. This took a while as it had to upgrade to IE7. Entertained myself by doing work on my work laptop.
- Finally it was done, and with Avast! now running resident, it started to alert on a new malware:

"Win32:Agent-PCJ [Adw]" found in "C:\DOCUME~1\Marc\LOCALS~1\Temp\wjsfldwg.exe"

- I had Avast! delete it, only to find that after I rebooted, Avast! would complain about the same malware but in a file with a different name:

"Win32:Agent-PCJ [Adw]" found in "C:\DOCUME~1\Marc\LOCALS~1\Temp\cymqdwmk.exe"

- Checked the startup list in CCleaner. Noticed a suspicious entry that loaded a DLL with the same kind of random 8-letter file name from the system32 folder. I deleted the entry.
- After a reboot, it got worse. Now the login just hung. I brought up Task Manager and killed explorer and restarted it, in order to be able to do anything again. I checked the startup list in CCleaner again, and, voila, that entry is back, with a different DLL!
- From a command prompt, went to c:\windows\system32 and ran dir /O:D *.dll to see the DLL files ordered by creation date. Saw a dozen DLLs with similar random 8-letter names, but cleverly, all with slightly different file sizes.
- I deleted them all but could not delete the latest two: "File in use. Access denied". Meanwhile, Avast! kept alerting me about the same Win32:Agent-PCJ with the exe file in the Temp folder.
- After repeating this a couple more times, I came up with the idea of killing the explorer process from Task Manager, which finally allowed me to clear out the last of the random 8-letter DLLs. Hurray!

- I rebooted the computer, and what do I see? Another trojan horse alert from Avast!

"Win32:TratBHO [Trj]" found in "C:\WINDOWS\SYSTEM32\TUSQO.DLL"

- I asked Avast! to delete it. I rebooted. Same problem.
- Did it again, and manually checked it at the cmd prompt. I noticed that Avast! did not actually delete the file. I tried to delete it myself, and of course, the good old "File in use. Access denied" message showed up.
- I immediately tried the same "kill explorer, then kill the DLL" trick. This time, no luck. I proceeded to try killing a bunch more processes; still no luck. I tried regsvr32 /u tusqo.dll. Nope.
- Tried Avast! a few more times with Delete and Chest on the file, with "delete file on next boot as necessary". Reboot. Still nope.
- Finally, I got Avast! to Rename/Move, with "move file on next boot as necessary". Reboot.
- Voila! Victory!
- (Who knows why the same did not work for delete, but I guess that's part of the challenge.)
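The pattern in the dir listing above (short random lowercase DLL names, all dropped recently, each with a slightly different size) can be turned into a quick triage check. This is an added example, not code from the original post; the directory listing, sizes and timestamps are constructed to imitate what the post describes.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a "dir /O:D *.dll" style listing: (name, size_bytes, created).
# Four DLLs with random short names dropped within hours, plus legitimate files:
# old system DLLs and a recently updated one whose size is nothing like the cluster.
NOW = datetime(2008, 1, 7, 21, 0)
SAMPLE_LISTING = [
    ("kernel32.dll", 989696, NOW - timedelta(days=900)),
    ("msvcrt.dll", 343040, NOW - timedelta(days=900)),
    ("wuaueng.dll", 1234567, NOW - timedelta(days=2)),   # constructed size
    ("tuvtqpq.dll", 61440, NOW - timedelta(hours=5)),
    ("moywh.dll", 61952, NOW - timedelta(hours=4)),
    ("xqzpvwkj.dll", 62208, NOW - timedelta(minutes=30)),
    ("tusqo.dll", 61696, NOW - timedelta(minutes=5)),
]

# Only letters, no digits or hyphens, 5 to 8 characters: the shape of the dropped names.
RANDOM_NAME = re.compile(r"^[a-z]{5,8}\.dll$")


def find_dropped_dll_cluster(listing, now=NOW, max_age=timedelta(days=7),
                             size_tolerance=0.05, min_cluster=3):
    """Return names of recently created DLLs with random-looking names whose
    sizes all fall within size_tolerance of the smallest one.

    A name regex alone also matches legitimate files (wuaueng.dll here), so the
    recency filter and the size band are what make the result useful: the
    'slightly different sizes' trick defeats exact-size or hash matching, but
    the variants still sit in a narrow band that no normal system DLL shares."""
    candidates = [
        (name, size) for name, size, created in listing
        if RANDOM_NAME.match(name) and now - created <= max_age
    ]
    candidates.sort(key=lambda item: item[1])
    best = []
    # Sweep a size window upward from each candidate and keep the largest group.
    for i, (_, base_size) in enumerate(candidates):
        band = [n for n, s in candidates[i:] if s <= base_size * (1 + size_tolerance)]
        if len(band) > len(best):
            best = band
    return sorted(best) if len(best) >= min_cluster else []


if __name__ == "__main__":
    for name in find_dropped_dll_cluster(SAMPLE_LISTING):
        print("suspicious:", name)
```

Flagged files are candidates for quarantine, not proof; check each one's startup or BHO registration before acting.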


After getting rid of not 1, not 2, not 3, but 4 different pieces of malware, all freshies (TratBHO only made it into the virus definition file on 2008 Jan 4), this poor little Pentium III with 256MB RAM is one clean mean machine. IE actually loads faster on it than on my dual-core laptop.

Now if only all that work had earned me some achievement points ...

3 comments:

  1. Hi Wandy,
    I hoped your experience with the trojan would be useful for me, but it wasn't.
    Like you, I did all the steps, but the trojan is alive in my PC (silently but alive, and I suppose it is alive in your PC too...).
    So don't think that killing a trojan or a virus is a simple thing. Apply yourself seriously in your actions; otherwise your blog page appears to substitute for pages and pages of forums and to resolve grave problems for desperate people...

    The only good thing is that I have seen you and you are very very beautiful.
    I hope to have a nice chat with you one of these days.
    Bye Bye.

    Fabio (Rome, Italy)

    Please reply to this comment, I will be hearing from you...

  2. For anyone who still has a problem with TratBHO, here is a patch to get rid of it, at this link:
    http://www.net-studio.org/application/TratBHO.php
    Download the patch and put it in your desktop, uncompress it, reboot your system in safe mode and launch the patch.

    That's all

  3. Anonymous said...

    For anyone who still has a problem with TratBHO, here is a patch to get rid of it, at this link:
    http://www.net-studio.org/application/TratBHO.php
    Download the patch and put it in your desktop, uncompress it, reboot your system in safe mode and launch the patch.

    That's all

    Many thanks, that seems to have gotten rid of it.
