TechSpot

TR/Unpacked.Gen & TR/ATRAPS.Gen removal woes

By mattyp123
Apr 4, 2009
  1. Hey there,

    I'm working on a friend's PC to remove a few trojans/rootkits that I've found on it. After getting rid of most of them, scanning with Ad-Aware, SB: S&D, Trojan Hunter, SUPERAntiSpyware (pro), Avira, Ccleaner, Malwarebytes Anti-Malware, & McAfee Stinger, two still remain. None of the software apart from Avira can spot them. If I delete the files when Avira finds them, they just replicate in C:\Windows\Temp or C:\Documents and Settings\User\Local Settings\Temp\.

    Virus or unwanted program 'TR/ATRAPS.Gen [trojan]'
    detected in file 'C:\WINDOWS\Temp\00031661.exe.
    Action performed: Deny access

    Virus or unwanted program 'TR/Unpacked.Gen [trojan]'
    detected in file 'C:\WINDOWS\Temp\00020197.exe.
    Action performed: Deny access

    Virus or unwanted program 'TR/Unpacked.Gen [trojan]'
    detected in file 'C:\WINDOWS\Temp\00026543.exe.
    Action performed: Deny access

    Virus or unwanted program 'TR/Unpacked.Gen [trojan]'
    detected in file 'C:\WINDOWS\Temp\00019884.exe.
    Action performed: Deny access

    As per Julio's thread http://www.techspot.com/vb/topic58138.html. I've done the following:-

    1: Using Avira at present.
    2: Ran Ccleaner twice.
    3: Shut down all the real time monitors.
    4/5/7: Scanned with the software.
    6: Java Updated.
    8: Logs attached

    Any advice on getting rid of these bloody Trojans is appreciated.

    Thanks in advance.
    Matt
     

    Attached Files:

  2. touch

    touch TS Rookie Posts: 978

    Hello mattyp123

    You have two antivirus programs running now - Avira and Norton/Symantec AntiVirus. If your friend has paid for Norton and wants to keep it, then I'll suggest you remove Avira from Add/Remove Programs in Control Panel.

    If he doesn't want to keep it, remove Norton/Symantec AntiVirus and keep Avira.

    Then ->

    Please download Combofix:
    http://subs.geekstogo.com/ComboFix.exe
    And save to the desktop.


    Open notepad and copy/paste the text in the quotebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    http://img.photobucket.com/albums/v6...FScriptB-4.gif

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
     
  3. mattyp123

    mattyp123 TS Rookie Topic Starter

    Heya,

    Thanks for your help.

    It's true two were running, though Avira's real time monitoring was disabled. I've followed your advice, though, & uninstalled Avira for now.

    The files had been denied access to the system by Avira & since restarting the PC the files have been renamed by the virus, hence the files in the log have different names.

    Below is the new report.

    Thanks
     
  4. touch

    touch TS Rookie Posts: 978

    Ok

    Download Flash_Disinfector.exe by sUBs from http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe
    and save it to your desktop.
    Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    Wait until it has finished scanning and then exit the program.
    Reboot your computer when done.

    Please attach fresh combofix log

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
     
  5. mattyp123

    mattyp123 TS Rookie Topic Starter

    Thanks for your prompt reply.

    I've just downloaded the file you suggested. Antivir on my PC has found a virus in the file as it downloaded:-

    Virus or unwanted program 'WORM/Generic.4084 [worm]'
    detected in file 'C:\Documents and Settings\Matt\Desktop\Flash_Disinfector.exe.

    Any thoughts?

    Thanks,
     
  6. touch

    touch TS Rookie Posts: 978

    It's not an infection ->

    "Flash_Disinfector.exe is detected by some antivirus programs as a "RiskTool/infektion"; it is not a virus. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user"
     
  7. mattyp123

    mattyp123 TS Rookie Topic Starter

    Thanks.

    I've downloaded the file; it wouldn't run in normal mode, no dialogue boxes popped up. It did run in safe mode, and the flash devices have been inserted & cleaned.
     
  8. touch

    touch TS Rookie Posts: 978

    Ok :)

    Open notepad and copy/paste the text in the codebox below into it:
    Name the file as CFScript
    and Save it on the desktop



    Code:
    Killall::
    
    Snapshot::
    
    File::
    G:\kk3.bat
    C:\copetttt.com 
    D:\copetttt.com
    C:\copetttt.com
    H:\copetttt.com
    G:\l9dwu8.bat
    H:\l9dwu8.bat
    H:\f9lv.exe
    
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12c2e27c-5218-11dd-82be-0016d308ed9b}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bb24fc6-5b95-11dd-82cc-0016d308ed9b}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ce9fefe-9a57-11dd-8326-0016d308ed9b}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{757b7cc9-04a5-11dd-8279-0016d308ed9b}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d2b0268-1dbb-11de-83d5-0016d308ed9b}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d2b0269-1dbb-11de-83d5-0016d308ed9b}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b31c133a-fe01-11dc-826c-0016d308ed9b}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df96bee6-998f-11dc-81d7-0016d308ed9b}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0acdab7-7ef0-11dd-82fb-0016d308ed9b}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6a74ea2-01e5-11dd-8271-0016d308ed9b}]

    http://img.photobucket.com/albums/v6...FScriptB-4.gif

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post/attach back the resulting report.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
     
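    As an added example (not part of the thread, and not ComboFix's own code), a small Python parser for the CFScript layout used in the post above: it splits the `::` sections, lists the files and registry keys the script targets, flags duplicate file entries, and pulls out the GUIDs under Explorer's MountPoints2 key, which holds the per-drive records that the USB-borne infection in this thread left behind. The sample script and the section names it uses are constructed to match the format shown here.

```python
import re

# Constructed sample in the CFScript layout seen in the thread (not the thread's
# own script): a header ends with '::', File:: lists paths to remove, Registry::
# lists keys, and '[-KEY]' (leading minus) marks a key for deletion.
SAMPLE_CFSCRIPT = r"""Killall::

Snapshot::

File::
G:\kk3.bat
C:\copetttt.com
C:\copetttt.com

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12c2e27c-5218-11dd-82be-0016d308ed9b}]
[HKEY_CURRENT_USER\software\example]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
DELETE_KEY_RE = re.compile(r"^\[-(.+)\]$")
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def parse_cfscript(text):
    """Split a CFScript into {section: [body lines]} in file order; a header
    with no body (Killall::, Snapshot::) still gets an empty list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def summarize(sections):
    """Report what the script would do: unique files, duplicated file entries,
    registry keys it deletes, and the MountPoints2 GUIDs among those keys."""
    files = [p.lower() for p in sections.get("File", [])]
    deleted = [m.group(1) for m in map(DELETE_KEY_RE.match, sections.get("Registry", [])) if m]
    guids = []
    for key in deleted:
        match = GUID_RE.search(key)
        if "mountpoints2" in key.lower() and match:
            guids.append(match.group(0).lower())
    return {
        "files": list(dict.fromkeys(files)),
        "duplicate_files": sorted({p for p in files if files.count(p) > 1}),
        "deleted_keys": deleted,
        "mountpoints2_guids": guids,
        "empty_sections": [name for name, body in sections.items() if not body],
    }


if __name__ == "__main__":
    print(summarize(parse_cfscript(SAMPLE_CFSCRIPT)))
```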
  9. mattyp123

    mattyp123 TS Rookie Topic Starter

    Hi,
    Thanks again. As requested the log is attached.

    Regards.
     
  10. touch

    touch TS Rookie Posts: 978

    It looks clean.

    Please attach a fresh HijackThis log, and tell me how your computer is running.
     
  11. mattyp123

    mattyp123 TS Rookie Topic Starter

    Yeah it does seem clean now :D

    Thank you very much for your help!
     
  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    You have two Antiviruses running
    Stacks of startups
    Stacks of services
    Some strange thing in your Internet browser settings: (among the dozens)
    I'd say it's running slow! Basically it's a bit of a mess :(

    Try this:

    Log on to an Administrator privileged account (confirmed in Control Panel > Users)

    Uninstall Symantec (Norton) everything!
    Run the Norton Removal tool

    Restart

    Run Startup Control Panel and remove any not required startups: (should be most if not all! except Avira Antivirus)

    Run IE Reset (irrespective of which browser you usually use) http://www.techspot.com/vb/post682762-2.html

    Start up Malwarebytes again; Update it; then run a full scan (remove all found Malwares)
    You need to run this multiple times, until all hidden Malwares are uncovered and removed

    Restart again

    Please download and run SDFix (I'm sorry, but I must refer you to t h i s tutorial on its use, scroll down to "SDFix Instructions")
    Download, and run the "RunThis.bat" in Safe Mode, as advised
    Then attach the log and (after the SDFix scan) a new HJT log
    Oh by the way, it says that it may take 20mins to scan! (Mine took over an hour to complete!)
    Save the log to be attached to a new reply

    Then supply a much cleaner HijackThis log (although I suspect you still have further issues)
     
  13. mattyp123

    mattyp123 TS Rookie Topic Starter

    Hi Kimsland,

    As suggested, a bit of tidying & new scan logs.

    many thanks.
     
  14. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    BearShare

    File Sharing Programs found in logs

    Info on using P2P Programs => http://www.techspot.com/vb/topic124748.html

    Quote from 8-Step Removal Guide:
     
  15. mattyp123

    mattyp123 TS Rookie Topic Starter

    Ah ok :D That was added to the 8 part guide after me making the initial thread, so I hadn't seen that before. Thanks for pointing that out to me.

    Bearshare has now been shot. Over.
     
  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Oh yeah 6 Days Ago ;)
    Also very observant of you too :rolleyes:

    Hmm, I can see that you won't be easily led :D

    Well at the moment I must go, family calls ;) But I'll just post this (which will help you likely)

    Download Combofix
    Lots of info on its use h e r e
    Direct download h e r e

    Locate the downloaded Combofix. Double click on it to run, answering any prompts along the way
    Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)
    ComboFix will also restart your computer (eventually) and then (eventually) create a log

    Save this log file to be attached to a new reply

    Restart

    Then do another scan with HJT (scan and log file) and attach this to a new reply as well
     