How to remove w32\trats virus

Status
Not open for further replies.

dasport99

I am new to this message board and just wanted some help in removing this virus. I currently use Mcafee and it will locate the virus but cannot remove it. Thanks!
 
Hi dasport99 and welcome to techspot. =)

I suggest you do the following before doing anything else.

Important: Please read this thread HERE before deciding if you should CLEAN or FORMAT your system

Should you decide that cleaning your system is the best option, please go to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given.
Do follow all the instructions exactly.

Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread.
Do not copy and paste your logs; if you do, they will be removed.

Our experts here will tend to your queries thereafter.

Also, please provide the results of the Antirootkit scan


Regards,
momok =)

This thread is for the use of dasport99 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
 
I have attached my HJT and AVG Antispyware logs. As I said below, there was nothing found in the rootkit scan.

(Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)

The Combofix file is 1.26MB and it will not let me upload it.
 
Hi,

Your AVG log shows 'no action' for all detections.

Could you run the AVG antispyware scan once more via the instructions HERE? Note that you should save the report after applying all the "quarantine" actions after the scan. Post the latest log in your reply.

Also run another Combofix scan and try attaching that new log.

You may wish to copy and paste these instructions on notepad for easier reference later.

  1. Boot into safe mode under your normal user name. See how HERE
  2. Next turn on "Show all files and folders, including hidden and system". See how HERE

  3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
    O4 - HKLM\..\Run: [1cfcb5d0] rundll32.exe "C:\WINDOWS\system32\ekwlyvbm.dll",b
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting .exe

    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

    Close HJT.

  4. Navigate in Windows Explorer and delete the following files and folders in bold.
    C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
    C:\WINDOWS\system32\ekwlyvbm.dll
    C:\Program Files\NetWaiting\netWaiting .exe

  5. Reboot into normal mode and rehide your protected OS files.
Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread. Do not copy and paste the logs.


Regards,
momok =)

This thread is for the use of dasport99 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I have attached the most recent AVG Log

I have attached my most recent HJT Log

I have attached my most recent Combofix Log

(Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)
 
Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

  1. Boot into safe mode under your normal user name. See how HERE
  2. Next turn on "Show all files and folders, including hidden and system". See how HERE

  3. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe
    O4 - HKLM\..\Run: [1cfcb5d0] rundll32.exe "C:\WINDOWS\system32\ekwlyvbm.dll",b
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting .exe

    O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://w4s2.work4sure.com/c/ge/w4sgeen9.exe
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -

    Close HJT.

  4. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    File::
    C:\WINDOWS\system32\bmctcnet.dll.vir
    C:\Program Files\Apoint\Apoint .exe
    C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin .EXE
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
    C:\Program Files\Dell\QuickSet\quickset .exe
    C:\Program Files\Dell\QuickSet\quickset .exe
    C:\Program Files\Dell\QuickSet\quickset .exe
    C:\Program Files\Dell\QuickSet\quickset .exe
    C:\Program Files\Dell\QuickSet\quickset .exe
    C:\Program Files\Dell\QuickSet\quickset .exe
    C:\Program Files\Dell\QuickSet\quickset .exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk .exe
    C:\Program Files\Intel\Wireless\Bin\ZCfgSvc .exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
    C:\Program Files\McAfee\MSK\MskAgent .exe
    C:\Program Files\Microsoft Location Finder\LocationFinder .exe
    C:\Program Files\Microsoft Location Finder\LocationFinder .exe
    C:\Program Files\NetWaiting\netWaiting .exe
    C:\Program Files\SiteAdvisor\6172\SiteAdv .exe
    C:\Program Files\Verizon Online\SupportCenter\SmartBridge\MotiveSB .exe
    C:\Program Files\Windows Defender\MSASCui .exe
    C:\WINDOWS\system32\ctfmon .exe
    C:\WINDOWS\system32\hkcmd .exe
    C:\WINDOWS\system32\igfxpers .exe
    C:\WINDOWS\system32\igfxtray .exe
    C:\WINDOWS\system32\ekwlyvbm.dll
    Folder::
    C:\Temp\cEeer12
    C:\WINDOWS\system32\ardCo02
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "1cfcb5d0"=-
    "Dell QuickSet"=-
  5. Save this as CFScript on the desktop.
  6. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    CFScript.gif

  7. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.

  8. Reboot into normal mode and rehide your protected OS files.
Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log from the above instructions as attachments into this thread.


Regards,
momok =)

This thread is for the use of dasport99 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
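As an added defender-side illustration (not code from the thread or from HijackThis, ComboFix or AVG), the following Python script parses HijackThis-style O4 and O16 lines and flags the patterns momok singles out above: a space before the extension ("quickset .exe", "netWaiting .exe"), a hex-looking Run value name that loads a DLL via rundll32, and DPF entries pointing at a remote executable or at nothing. The sample lines are constructed from the entries quoted in this thread; the download URL is a placeholder.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the HijackThis entries quoted in the thread;
# the download URL is a placeholder, not the one from the log.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset .exe
O4 - HKLM\..\Run: [1cfcb5d0] rundll32.exe "C:\WINDOWS\system32\ekwlyvbm.dll",b
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting .exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://example.invalid/w4sgeen9.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) -\s*(?P<url>\S*)$')
DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.I)
SPACE_EXT_RE = re.compile(r'\S \.(?:exe|dll)\b', re.I)   # "quickset .exe"
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8,}$', re.I)         # "1cfcb5d0"


def flag_entries(text: str) -> Dict[str, List[str]]:
    """Return {log line: [reasons]} for every O4/O16 entry worth a second look."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        reasons: List[str] = []
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group('name'), m.group('cmd')
            if SPACE_EXT_RE.search(cmd):
                reasons.append('space before the extension (mimics a legitimate file name)')
            if HEX_NAME_RE.match(name):
                reasons.append('hex-looking value name')
            d = DLL_RE.search(cmd)
            if d and '\\system32\\' in d.group('dll').lower():
                reasons.append('rundll32 loads a DLL from system32 at logon')
        m = O16_RE.match(line)
        if m:
            url = m.group('url')
            if not url:
                reasons.append('DPF entry with no source file')
            elif url.lower().endswith('.exe'):
                reasons.append('DPF (ActiveX) entry points at a remote executable')
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in flag_entries(SAMPLE_LOG).items():
        print(entry, "->", "; ".join(why))
```

The legitimate igfxtray.exe entry is left unflagged; the heuristics are a triage aid for reading a log, not a verdict.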
 
Hi,

  1. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    File::
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
    C:\Program Files\Microsoft Location Finder\LocationFinder .exe
  2. Save this as CFScript on the desktop.
  3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    CFScript.gif

  4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.

Thereafter, please post a fresh HJT log and the resultant ComboFix log from the above instructions as attachments into this thread.


Regards,
momok =)

This thread is for the use of dasport99 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
 
Hi,

  1. Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.
    1. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

      Comments:
      ***IMPORTANT NOTE: DO NOT MODIFY ANY INFORMATION IN THIS FILE***
      ***ANY UNSUPERVISED CHANGES TO THIS FILE MAY POTENTIALLY DAMAGE THE WORKINGS OF THE SYSTEM WHEN AVENGER IS RUN***
      Files to delete:
      C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
      C:\Program Files\Microsoft Location Finder\LocationFinder .exe
      Save this file as avengerscript.txt.
      Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    2. Now, run The Avenger program. Under "Script file to execute" choose "Load script from file".
      Now click on the folder icon which will open a new window titled "open Script File"
      navigate to the avengerscript.txt, click on it and press open.
      Now click on the Green Light to begin execution of the script.
      Answer "Yes" twice when prompted.

    3. The Avenger will automatically do the following:

      It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
      On reboot, it will briefly open a black command window on your desktop, this is normal.
      After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
      The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    4. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HijackThis and Combofix log.


    Regards,
    momok =)
 
New log files

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ykjnlofn

*******************

Script file located at: \??\C:\WINDOWS\system32\^xhgwhfv.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe not found!
Deletion of file C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe failed!

Could not process line:
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
Status: 0xc0000034



File C:\Program Files\Microsoft Location Finder\LocationFinder .exe not found!
Deletion of file C:\Program Files\Microsoft Location Finder\LocationFinder .exe failed!

Could not process line:
C:\Program Files\Microsoft Location Finder\LocationFinder .exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.
 
Hi,

  1. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    File::
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
    C:\Program Files\Microsoft Location Finder\LocationFinder .exe
  2. Save this as CFScript on the desktop.
  3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    CFScript.gif

  4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.

I would like you to download and run this program here. When the program runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

Attach the Autoruns log in your next reply.
Thereafter, please post a fresh HJT log and the resultant ComboFix log from the above instructions as attachments into this thread.


Regards,
momok =)

This thread is for the use of dasport99 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and The Web forum.
 
Hi,

Sorry about the previous instructions, I misread your logs.
Download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

  1. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

    Comments:
    ***IMPORTANT NOTE: DO NOT MODIFY ANY INFORMATION IN THIS FILE***
    ***ANY UNSUPERVISED CHANGES TO THIS FILE MAY POTENTIALLY DAMAGE THE WORKINGS OF THE SYSTEM WHEN AVENGER IS RUN***
    Files to delete:
    C:\WINDOWS\imsins.BAK
    C:\WINDOWS\system32\Thumbs.db
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
    C:\Program Files\Microsoft Location Finder\LocationFinder .exe
    Save this file as avengerscript.txt.
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  2. Now, boot into safe mode and run The Avenger program. Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the avengerscript.txt, click on it and press open.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.

  3. The Avenger will automatically do the following:

    It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

  4. Please attach the content of c:\avenger.txt into your reply, as well as a fresh Combofix log.


Regards,
momok =)
 
Hi,

I would like you to check these 2 folders and let me know if you find the following files. (Please make sure that your 'show hidden files and folders' option is checked)

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe <- 2 spaces after 'avgas'
C:\Program Files\Microsoft Location Finder\LocationFinder .exe <- 2 spaces after 'LocationFinder'

Also, are you experiencing any more malware related issues currently?


Regards,
momok
 
Hi,

Your logs look clean now.

  1. Please download and run CCleaner via step 9 of the instructions HERE.

  2. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

  3. Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

  4. After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

  5. Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend that you read this article.
    This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
momok =)

This thread is for the use of dasport99 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 