TechSpot

How to remove w32\trats virus

By dasport99
Jan 22, 2008
Topic Status:
Not open for further replies.
  1. I am new to this message board and just wanted some help in removing this virus. I currently use McAfee and it will locate the virus but cannot remove it. Thanks!
  2. momok

    momok TS Rookie Posts: 2,272

    Hi dasport99 and welcome to techspot. =)

    I suggest you do the following before doing anything else.

    Important: Please read this thread HERE before deciding if you should CLEAN or FORMAT your system

    Should you decide that cleaning your system is the best option, please go to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given.
    Do follow all the instructions exactly.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread.
    Do not copy and paste your logs; if you do, they will be removed.

    Our experts here will tend to your queries thereafter.

    Also, please provide the results of the Antirootkit scan


    Regards,
    momok =)

    This thread is for the use of dasport99 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
  3. dasport99

    dasport99 TS Rookie Topic Starter

    I am at step 11 and there were no rootkits found in the scan. There was nothing removed or repaired.
  4. dasport99

    dasport99 TS Rookie Topic Starter

    I have attached my HJT and AVG Antispyware logs. As I said below, there was nothing found in the rootkit scan.

    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)

    The Combofix file is 1.26MB and it will not let me upload it.
  5. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Your AVG log shows 'no action' for all detections.

    Could you run the AVG antispyware scan once more via the instructions HERE? Note that you should save the report after applying all the "quarantine" actions after the scan. Post the latest log in your reply.

    Also run another Combofix scan and try attaching that new log.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    1. Boot into safe mode under your normal user name. See how HERE
    2. Next turn on "Show all files and folders, including hidden and system". See how HERE

    3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

      O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
      O4 - HKLM\..\Run: [1cfcb5d0] rundll32.exe "C:\WINDOWS\system32\ekwlyvbm.dll",b
      O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting .exe

      O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
      O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

      Close HJT.

    4. Navigate in Windows Explorer and delete the following files and folders in bold.
      C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
      C:\WINDOWS\system32\ekwlyvbm.dll
      C:\Program Files\NetWaiting\netWaiting .exe

    5. Reboot into normal mode and rehide your protected OS files.
    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread. Do not copy and paste the logs.


    Regards,
    momok =)

    This thread is for the use of dasport99 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  6. dasport99

    dasport99 TS Rookie Topic Starter

    I have attached the most recent AVG Log

    I have attached my most recent HJT Log

    I have attached my most recent Combofix Log

    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
  7. momok

    momok TS Rookie Posts: 2,272

    Hi,

    You may wish to copy and paste these instructions on notepad for easier reference later.

    1. Boot into safe mode under your normal user name. See how HERE
    2. Next turn on "Show all files and folders, including hidden and system". See how HERE

    3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
      O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe
      O4 - HKLM\..\Run: [1cfcb5d0] rundll32.exe "C:\WINDOWS\system32\ekwlyvbm.dll",b
      O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting .exe

      O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
      O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

      Close HJT.

    4. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    5. Save this as CFScript on the desktop.
    6. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
      [IMG]
    7. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
      Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

    8. Reboot into normal mode and rehide your protected OS files.
    Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log from the above instructions as attachments into this thread.


    Regards,
    momok =)

    This thread is for the use of dasport99 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  8. dasport99

    dasport99 TS Rookie Topic Starter

    New logs are attached.

    I have attached fresh HJT, AVG and Combofix logs
  9. momok

    momok TS Rookie Posts: 2,272

    Hi,

    1. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    2. Save this as CFScript on the desktop.
    3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
      [IMG]
    4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
      Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

    Thereafter, please post a fresh HJT log and the resultant ComboFix log from the above instructions as attachments into this thread.


    Regards,
    momok =)

    This thread is for the use of dasport99 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
  10. dasport99

    dasport99 TS Rookie Topic Starter

    New logs

    I have attached fresh HJT and Combo logs
  11. momok

    momok TS Rookie Posts: 2,272

    Hi,

    1. Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.
      1. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

        Save this file as avengerscript.txt.
        Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

      2. Now, run The Avenger program. Under "Script file to execute" choose "Load script from file".
        Now click on the folder icon which will open a new window titled "open Script File"
        navigate to the avengerscript.txt, click on it and press open.
        Now click on the Green Light to begin execution of the script.
        Answer "Yes" twice when prompted.

      3. The Avenger will automatically do the following:

        It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
        On reboot, it will briefly open a black command window on your desktop, this is normal.
        After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
        The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

      4. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HijackThis and Combofix log.


      Regards,
      momok =)
     
  12. dasport99

    dasport99 TS Rookie Topic Starter

    New log files

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\ykjnlofn

    *******************

    Script file located at: \??\C:\WINDOWS\system32\^xhgwhfv.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:



    File C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe not found!
    Deletion of file C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe failed!

    Could not process line:
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
    Status: 0xc0000034



    File C:\Program Files\Microsoft Location Finder\LocationFinder .exe not found!
    Deletion of file C:\Program Files\Microsoft Location Finder\LocationFinder .exe failed!

    Could not process line:
    C:\Program Files\Microsoft Location Finder\LocationFinder .exe
    Status: 0xc0000034


    Completed script processing.

    *******************

    Finished! Terminate.
  13. momok

    momok TS Rookie Posts: 2,272

    Hi,

    1. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    2. Save this as CFScript on the desktop.
    3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
      [IMG]
    4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
      Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

    I would like you to download and run this program here. When the program runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

    Attach the Autoruns log in your next reply.
    Thereafter, please post a fresh HJT log and the resultant ComboFix log from the above instructions as attachments into this thread.


    Regards,
    momok =)

    This thread is for the use of dasport99 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
  14. dasport99

    dasport99 TS Rookie Topic Starter

    Fresh Logs

    I have attached my fresh logs
  15. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Sorry about the previous instructions; I misread your logs.
    Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    1. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

      Save this file as avengerscript.txt.
      Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    2. Now, boot into safe mode and run The Avenger program. Under "Script file to execute" choose "Load script from file".
      Now click on the folder icon which will open a new window titled "open Script File"
      navigate to the avengerscript.txt, click on it and press open.
      Now click on the Green Light to begin execution of the script.
      Answer "Yes" twice when prompted.

    3. The Avenger will automatically do the following:

      It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
      On reboot, it will briefly open a black command window on your desktop, this is normal.
      After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
      The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    4. Please attach the content of c:\avenger.txt into your reply, as well as a fresh Combofix log.


    Regards,
    momok =)
  16. dasport99

    dasport99 TS Rookie Topic Starter

    new logs

    I have attached my recent logs.
  17. momok

    momok TS Rookie Posts: 2,272

    Hi,

    I would like you to check these 2 folders and let me know if you find the following files. (Please make sure that your 'show hidden files and folders' option is checked)

    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe <- 2 spaces after 'avgas'
    C:\Program Files\Microsoft Location Finder\LocationFinder .exe <- 2 spaces after 'LocationFinder'

    Also, are you experiencing any more malware related issues currently?


    Regards,
    momok
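As an added example that is not part of this thread and not code from HijackThis, ComboFix or The Avenger: a small Python scanner that turns the pattern momok spotted by eye in post 5 and post 17 into a repeatable check. It flags executables whose name carries whitespace before the extension (the "quickset .exe" and "avgas  .exe" entries), rundll32 loading a DLL with a random-looking name (post 5's ekwlyvbm.dll), and O16 ActiveX entries that either fetch an executable or have no source at all, and it can apply the same padded-name test to a directory listing. The sample log is constructed from the entries in this thread plus one benign line for contrast; the random-name heuristic, the rule names and the function names are this example's own assumptions.

```python
import os
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample in HijackThis log format. The entries mirror the ones momok
# asked to be fixed in this thread; the "Vendor Updater" line is a benign entry
# added for contrast.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe
O4 - HKLM\..\Run: [1cfcb5d0] rundll32.exe "C:\WINDOWS\system32\ekwlyvbm.dll",b
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting .exe
O4 - HKLM\..\Run: [Vendor Updater] C:\Program Files\Vendor\updater.exe /background
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -"""

# Whitespace between a file's base name and its extension, e.g. "avgas  .exe".
PADDED_EXT = re.compile(r'([^\s\\/]+)(\s+)\.(exe|dll|com|scr|bat)\b', re.IGNORECASE)
# rundll32 loading a DLL by path; the path is captured so its name can be inspected.
RUNDLL32_LOAD = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)', re.IGNORECASE)
# O16 (ActiveX / Download Program Files) entry; the source URL may be empty.
DPF_ENTRY = re.compile(r'^O16 - DPF: \{[0-9A-F-]+\} -\s*(\S*)', re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str
    entry: str


def padding_info(path: str) -> Optional[tuple[str, int]]:
    """Return (base name, number of padding characters) if the name is padded, else None."""
    m = PADDED_EXT.search(path)
    if not m:
        return None
    return m.group(1), len(m.group(2))


def looks_random(stem: str) -> bool:
    """Heuristic (an assumption of this example): 8+ lowercase letters with few vowels."""
    if not (len(stem) >= 8 and stem.isalpha() and stem.islower()):
        return False
    vowels = sum(c in "aeiou" for c in stem)
    return vowels / len(stem) < 0.3


def scan_hjt_log(text: str) -> list[Finding]:
    """Apply the three checks to every non-empty line of a HijackThis-style log."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        pad = padding_info(line)
        if pad:
            findings.append(Finding(n, "padded-extension",
                                    f'"{pad[0]}" has {pad[1]} whitespace char(s) before its extension', line))
        m = RUNDLL32_LOAD.search(line)
        if m:
            stem = m.group(1).replace("/", "\\").rsplit("\\", 1)[-1][:-4]
            if looks_random(stem):
                findings.append(Finding(n, "rundll32-random-dll", f"rundll32 loads {m.group(1)}", line))
        m = DPF_ENTRY.match(line)
        if m:
            url = m.group(1)
            if not url:
                findings.append(Finding(n, "dpf-no-source", "ActiveX entry without a download source", line))
            elif url.lower().endswith(".exe"):
                findings.append(Finding(n, "dpf-exe-download", f"ActiveX entry fetches an executable from {url}", line))
    return findings


def find_padded_names(names: Iterable[str]) -> list[tuple[str, str, int]]:
    """Return (name, base name, pad length) for every directory entry with a padded extension."""
    out = []
    for name in names:
        info = padding_info(name)
        if info:
            out.append((name, info[0], info[1]))
    return out


if __name__ == "__main__":
    for f in scan_hjt_log(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.rule}] {f.detail}")
    # Check a real folder the same way momok asked dasport99 to check by eye.
    folder = r"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5"
    if os.path.isdir(folder):
        for name, base, pad in find_padded_names(os.listdir(folder)):
            print(f"{folder}\\{name}: '{base}' followed by {pad} space(s)")
```

The padded-name rule is the one worth keeping: a file called "avgas  .exe" sits next to the real "avgas.exe" in Explorer and is easy to mistake for it, which is exactly why momok asked for the space count rather than the name. The rundll32 and O16 rules are coarse heuristics; treat a hit as something to verify against the vendor's real file, not as proof on its own.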
  18. dasport99

    dasport99 TS Rookie Topic Starter

    Hi

    Hi,

    I do not see those files. No I have not had any other malware problems.

    Thanks
  19. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Your logs look clean now.

    1. Please download and run CCleaner via step 9 of the instructions HERE.

    2. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

    3. Turn off system restore (XP/ME only). Learn how to do that HERE.
      This will remove all the remaining nasties from your old restore points.

    4. After that turn system restore back on.
      This would have created a new safe and clean restore point for your system.

    5. Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
      May I recommend you to read this article.
      This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    momok =)

    This thread is for the use of dasport99 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.