TR/Unpacked.Gen & TR/ATRAPS.Gen removal woes

Status
Not open for further replies.

mattyp123

Hey there,

I'm working on a friend's PC to remove a few trojans/rootkits that I've found on his PC. After getting rid of most of them, scanning with Ad-Aware, SB: S&D, Trojan Hunter, SUPERAntiSpyware (pro), Avira, Ccleaner, Malwarebytes Anti-Malware, & McAfee Stinger, two still remain. None of the software apart from Avira can spot them. If I delete the files when Avira finds them, they just replicate in C:\Windows\Temp or C:\Documents and Settings\User\Local Settings\Temp\.

Virus or unwanted program 'TR/ATRAPS.Gen [trojan]'
detected in file 'C:\WINDOWS\Temp\00031661.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Unpacked.Gen [trojan]'
detected in file 'C:\WINDOWS\Temp\00020197.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Unpacked.Gen [trojan]'
detected in file 'C:\WINDOWS\Temp\00026543.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Unpacked.Gen [trojan]'
detected in file 'C:\WINDOWS\Temp\00019884.exe.
Action performed: Deny access

As per Julio's thread https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/, I've done the following:

1: Using Avira at present.
2: Ran Ccleaner twice.
3: Shut down all the real time monitors.
4/5/7: Scanned with the software.
6: Java Updated.
8: Logs attached

Any advice on getting rid of these bloody Trojans is appreciated.

Thanks in advance.
Matt
 

Attachments

  • hijackthis.log
    19.6 KB · Views: 10
  • mbam-log-2009-04-04 (19-29-48).txt
    851 bytes · Views: 6
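As an added illustration (not part of the original post or of any tool named in it), the Python below parses Avira alert lines of the form quoted above and flags a signature that keeps being blocked on differently named executables in a Temp folder, which is the "deny access, then a new copy appears" pattern Matt describes. The log text is constructed from the quoted lines, and the numeric-only file-name check is an assumption drawn from this thread.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the Avira alert lines quoted in the post (not a real capture).
SAMPLE_LOG = """\
Virus or unwanted program 'TR/ATRAPS.Gen [trojan]'
detected in file 'C:\\WINDOWS\\Temp\\00031661.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Unpacked.Gen [trojan]'
detected in file 'C:\\WINDOWS\\Temp\\00020197.exe.
Action performed: Deny access

Virus or unwanted program 'TR/Unpacked.Gen [trojan]'
detected in file 'C:\\WINDOWS\\Temp\\00026543.exe.
Action performed: Deny access
"""

# One alert = three consecutive lines. Avira writes the path with an opening quote,
# no closing quote and a trailing period, so the regex tolerates both forms.
ALERT_RE = re.compile(
    r"Virus or unwanted program '(?P<sig>[^']+)'\s*\n"
    r"detected in file '(?P<path>.+?)'?\.?\s*\n"
    r"Action performed: (?P<action>.+)"
)
# Assumption from this thread: droppers use numeric-only .exe names in a Temp folder.
TEMP_DIR_RE = re.compile(r"\\(?:WINDOWS\\Temp|Local Settings\\Temp)\\(\d{6,}\.exe)$", re.I)

def parse_alerts(text):
    """Return one dict per alert: signature, file path, action taken."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]

def flag_replicating(alerts, min_files=2):
    """Signatures blocked on several differently named Temp executables: deleting those
    files is pointless while whatever writes them (a running process or a persistence
    entry) is still present, so the writer is what to look for next."""
    hits = defaultdict(set)
    for a in alerts:
        if TEMP_DIR_RE.search(a["path"]) and a["action"].strip() == "Deny access":
            hits[a["sig"]].add(a["path"])
    return {sig: sorted(p) for sig, p in hits.items() if len(p) >= min_files}

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    for sig, paths in flag_replicating(alerts).items():
        print(f"{sig}: {len(paths)} distinct Temp executables blocked -> find the writer")
```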
Hello mattyp123

You have two antivirus programs running now - Avira and Norton/Symantec AntiVirus. If your friend has paid for Norton and wants to keep it, then I'd suggest you remove Avira from Add/Remove Programs in Control Panel.

If he doesn't want to keep it, remove Norton/Symantec AntiVirus and keep Avira.

"If the resident scanners of two different AV programs are used simultaneously, conflicts can result. The computer may run very, very slowly, it may become difficult to access files"

Then ->

Please download Combofix:
http://subs.geekstogo.com/ComboFix.exe
And save to the desktop.


Open notepad and copy/paste the text in the quotebox below into it:
Name the file as CFScript
and Save it on the desktop

Killall::
Snapshot::
File::
C:\WINDOWS\Temp\00031661.exe.
C:\WINDOWS\Temp\00020197.exe.
C:\WINDOWS\Temp\00026543.exe.
C:\WINDOWS\Temp\00019884.exe.

http://img.photobucket.com/albums/v6...FScriptB-4.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
Heya,

Thanks for your help.

It's true two were running, though Avira's real-time monitoring was disabled. However, I've followed your advice & uninstalled Avira for now.

The files had been denied access to the system by Avira & since restarting the PC the files have been renamed by the virus, hence the files in the log have different names.

Below is the new report.

Thanks
 
Ok

Download Flash_Disinfector.exe by sUBs from http://download.bleepingcomputer.com/sUBs/Flash_Disinfector.exe
and save it to your desktop.
Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
Wait until it has finished scanning and then exit the program.
Reboot your computer when done.

Please attach fresh combofix log

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.
 
Thanks for your prompt reply.

I've just downloaded the file you suggested. Antivir on my PC has found a virus in the file as it downloaded:-

Virus or unwanted program 'WORM/Generic.4084 [worm]'
detected in file 'C:\Documents and Settings\Matt\Desktop\Flash_Disinfector.exe.

Any thoughts?

Thanks,
 
It's not an infection ->

"Flash_Disinfector.exe is detected by some antivirus programs as a "RiskTool/infektion"; it is not a virus. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user"
 
Thanks.

I've downloaded the file; it wouldn't run in normal mode, no dialogue boxes popped up. It did run in safe mode, and the flash devices have been inserted & cleaned.
 
Ok :)

Open notepad and copy/paste the text in the codebox below into it:
Name the file as CFScript
and Save it on the desktop



Code:
Killall::

Snapshot::

File::
G:\kk3.bat
C:\copetttt.com 
D:\copetttt.com
C:\copetttt.com
H:\copetttt.com
G:\l9dwu8.bat
H:\l9dwu8.bat
H:\f9lv.exe


Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12c2e27c-5218-11dd-82be-0016d308ed9b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bb24fc6-5b95-11dd-82cc-0016d308ed9b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ce9fefe-9a57-11dd-8326-0016d308ed9b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{757b7cc9-04a5-11dd-8279-0016d308ed9b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d2b0268-1dbb-11de-83d5-0016d308ed9b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d2b0269-1dbb-11de-83d5-0016d308ed9b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b31c133a-fe01-11dc-826c-0016d308ed9b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{df96bee6-998f-11dc-81d7-0016d308ed9b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0acdab7-7ef0-11dd-82fb-0016d308ed9b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6a74ea2-01e5-11dd-8271-0016d308ed9b}]

http://img.photobucket.com/albums/v6...FScriptB-4.gif

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post/attach back the resulting report.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
It looks clean.

Please attach a fresh HijackThis log, and tell me how your computer is running.
 
You have two antiviruses running
Stacks of startups
Stacks of services
Some strange things in your Internet browser settings (among the dozens):
O16 - DPF: {6EAEDC28-C528-4D19-A4DD-EC63F695EF3E} (cKoreaKey.acKoreaKey) - http://www.hebogo.com/ActiveX/cKoreaKey.CAB

I'd say it's running slow! Basically it's a bit of a mess :(

Try this:

Log on to an Administrator privileged account (confirmed in Control Panel > Users)

Uninstall Symantec (Norton) everything!
Run the Norton Removal tool

Restart

Run Startup Control Panel and remove any not required startups: (should be most if not all! except Avira Antivirus)

Run IE Reset (irrespective of which browser you usually use) https://www.techspot.com/vb/post682762-2.html

Start up Malwarebytes again; Update it; then run a full scan (remove all found Malwares)
You need to run this multiple times, until all hidden Malwares are uncovered and removed

Restart again

Please download and run SDFix (I'm sorry, but I must refer you to t h i s tutorial on its use, scroll down to "SDFix Instructions")
Download, and run the "RunThis.bat" in Safe Mode, as advised
Then attach the log and (after the SDFix scan) a new HJT log
Oh by the way, it says that it may take 20mins to scan! (Mine took over an hour to complete!)
Save the log to be attached to a new reply

Then supply a much cleaner HijackThis log (although I suspect you still have further issues)
 
BearShare

File Sharing Programs found in logs

Info on using P2P Programs => https://www.techspot.com/vb/topic124748.html

Quote from 8-Step Removal Guide:
Uninstall File Sharing/P2P Programs

During the cleaning process all File Sharing Programs should be uninstalled
This is to avoid any possible reinfection of any malwares through file sharing

We reserve the right to withdraw our support:
  • If such programs are found in your logs
  • Should you not agree to their removal.
As they are normally set to bypass your Firewall and Anti-Virus software,
Filesharing/P2P Programs serve as a constant threat to your computer
 
Oh yeah 6 Days Ago ;)
Also very observant of you too :rolleyes:

Hmm, I can see that you won't be easily led :D

Well at the moment I must go, family calls ;) But I'll just post this (which will help you likely)

Download Combofix
Lots of info on its use h e r e
Direct download h e r e

Locate the downloaded Combofix. Double click on it to run, answering any prompts along the way
Note: during Combofix scan (lasting up to 10mins) your Desktop and clock may reset (all normal)
ComboFix will also restart your computer (eventually) and then (eventually) create a log

Save this log file to be attached to a new reply

Restart

Then do another scan with HJT (scan and log file) and attach this to a new reply as well
 