Trojan.FatObfus.2.Gen PLease help me get rid of it!

Status
Not open for further replies.
Francisco9

Francisco9

Posts: 13   +0
Hi. i use bitdefender v10 antivirus and every day it pops up with a message saying my computer is infected with the Trojan.FatObfus.2.Gen.
It then says it has blocked the trojan but that it cannot remove it.
I have tried spybot S&D, ad-aware, AVG antispyware, bitdefender, windows defender, counterspy and also ccleaner to get rid of temp internet files and all the other stuff. In safe mode it wont even let me open bitdefender, i double click on it and nothing happens.

my computer is running much much slower than before and i think this trojan also uses some of my cap coz it seems to go pretty quickly.

If anyone can please help me in getting rid of this trojan it would be greatly appreciated, because i have run out of ideas on what to do. thanx

cisco
 
Have you tried any of the free on-line scans, ie...housecall at trendmicro.com or activescan at pandasoftware.com or the scan at trojanscan.com? Try these. If all else fails, if you know where this trojan resides in your computer, maybe you can try bringing up your msdos prompt and do a manual delete...Best to you...
 
Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of Francisco9 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
I am attaching the logs as instructed

hi there again. sorry for the delay.
i did the scans as requested and here are the logs that you asked for.

View attachment 24974

View attachment 24975

View attachment 24976

The panda antirootkit said no rootkits have been found.
When i logged onto my pc now the shortcut that connects me to the internet was even deleted off my desktop. i'm really not liking this trojan.
hope the logs help. thanks
 
Please do a search of your system and tell me where this file is located.

RavMon.exe

Regards Howard :)

This thread is for the use of Francisco9 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Click on the fix checked button.

Close HJT and reboot your system.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:


File::

Folder::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{914ae178-0da0-11db-bc50-0011d8ecf6dd}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbf6e3c1-5bb5-11dc-b925-0011d8ecf6dd}]
Click to expand...
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f49f2fb1-4fde-11db-b57d-806d6172696f}]



Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :)

This thread is for the use of Francisco9 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Download this TOOL. Extract it and run the Noob_kill.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop:
Note: Please delete any existing copy of Flash Disinfector(if any) on your pc and download this one.

* Double-click Flash_Disinfector.exe to run it.
* Follow any prompts that may appear.
* Wait until the program has finished scanning, then please exit the program.
* Restart your computer and see if problem still persists.

Post a fresh Combofix log.

Regards Howard :)

This thread is for the use of Francisco9 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Here is the latest combofix log after running the flash disinfector

View attachment 25060

I am not sure if this has worked but the computer does seem to be running faster, however i keep getting a windows security alert telling me that bitdefender is not up to date. I go to bitdefender and press on update now, it then says no update available and next to where it says "last updated:" it says never. I'm not sure what this is about. It started soon after i purchased bitdefender a few weeks ago.

Thanks for your help thus far
 
I suggest you uninstall and reinstall Bitdefender and see if that cures the problem.

Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:


Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{914ae178-0da0-11db-bc50-0011d8ecf6dd}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbf6e3c1-5bb5-11dc-b925-0011d8ecf6dd}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f49f2fb1-4fde-11db-b57d-806d6172696f}]
Click to expand...


Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Regards Howard :)

This thread is for the use of Francisco9 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
sorry i accidentally missed the noob_kill application. I got it now but i am not sure what to press? when i run it the options are:
- Kill Wscript.exe [end process]
- Delete all Traces of [TLA]
- Delete all Traces of [HBG]
- Clean the registry
- Autofix-[KILL TLA]
- Autofix-[KILL HBG]
- Advanced-[Noob KILL]

must i clean registry?
 
Yes, clean the registry.

In fact, you should run all options.

Then, follow the instructions in my post above.

Regards Howard :)

This thread is for the use of Francisco9 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Ok, i ran all the options in noob_kill and rebooted my pc. then i did the combofix thing you asked me to do. here is the log just incase:

View attachment 25063

is this where the road ends?
i am not aware of any immediate problems just yet, hopefully there won't be any. I will re-install bitdefender to see if that windows security alert problem goes away.
What exactly was the problem with my pc?
 
Your system has an infection in it`s registry, that so far as evaded all attempts to delete it.

Please open notepad and and copy and paste next bold in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\m ountpoints2\{914ae178-0da0-11db-bc50-0011d8ecf6dd}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\m ountpoints2\{bbf6e3c1-5bb5-11dc-b925-0011d8ecf6dd}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\m ountpoints2\{f49f2fb1-4fde-11db-b57d-806d6172696f}]
Click to expand...
Save this as "fix.reg" Choose to save as *all files and place it on your desktop.

Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Post a fresh Combofix log.

Regards Howard :)

This thread is for the use of Francisco9 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Damn, still there.

I have found this Ravmon virus removal tool.

Go HERE and follow the instructions exactly.

Post a fresh Combofix log when done.

Regards Howard :)

This thread is for the use of Francisco9 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Nope, still there.

I`m running out of ideas on this very fast.

Let`s try manually removing the registry entries.

Please make sure any antispyware programmes are disabled, including Windows defender.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.


Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

Navigate to the following regkeys and delete the Bold sections.


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\m ountpoints2\{914ae178-0da0-11db-bc50-0011d8ecf6dd}

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\m ountpoints2\{bbf6e3c1-5bb5-11dc-b925-0011d8ecf6dd}

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\m ountpoints2\{f49f2fb1-4fde-11db-b57d-806d6172696f}

Close regedit.

Locate and delete the following bold files and/or folders(if there).

C:\windows\ravmon.exe
C:\windows\system32\ravmon.exe

Reboot into normal mode and rehide your protected OS files.


Post a fresh Combofix log.

Regards Howard :)

This thread is for the use of Francisco9 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
We`ve managed to get rid of some, but not all. There`s still one left.

1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

2. Download the attached avengerscript.txt and save it to your desktop

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

Regards Howard :)

This thread is for the use of Francisco9 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Check to see if you can locate this regkey.

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbf6e3c1-5bb5-11dc-b925-0011d8ecf6dd}

Delete the bold portion if found.

Reboot your system and post a fresh Combofix log.

Regards Howard :)

This thread is for the use of Francisco9 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Excellent, that`s got it. That was one heck of stubborn bugger to get rid of.

I think you`re now good to go.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of Francisco9 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Status
Not open for further replies.

Similar threads

dcovalencia
Solved Downloaded a .exe file from a copy of a website
Replies
23
Views
3K
Broni
Broni
E
I have been taken over by a software called Astanda using XML to Log everything and roaming to an SQL server.
Replies
0
Views
467
eriksnyman1
E
losdavos
Malware removal help, please and thank you!
Replies
1
Views
804
losdavos
losdavos

Latest posts

Back