W32.Trats!.inf

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bhayes, Feb 3, 2008.

  1. bhayes

    bhayes Private E-2

    Need help removing this virus. Please help
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. bhayes

    bhayes Private E-2

    I completed all the steps. I am attaching the files.
     

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Okay now we need to use a new tool.

    * Download RenV.exe from the following link and save it to your Desktop (it must be on the Desktop).
    * Now copy the bold text in the code box below to Notepad. Save it as Log.txt to your desktop (it must be on your Desktop).

    Code:
    C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm                .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm               .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm             .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm            .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm           .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm          .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm         .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm        .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm       .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm      .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm     .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm    .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm   .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm  .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm .exe
    C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper .exe
    C:\Program Files\Common Files\Symantec Shared\ccApp .exe
    C:\Program Files\Dell\Media Experience\DMXLauncher .exe
    C:\Program Files\DellSupport\DSAgnt .exe
    C:\Program Files\Lexmark 1200 Series\lxczbmgr .exe
    C:\Program Files\Logitech\QuickCam10\QuickCam10 .exe
    C:\Program Files\Messenger\msmsgs .exe
    C:\Program Files\Microsoft IntelliPoint\point32 .exe
    C:\Program Files\Microsoft IntelliType Pro\type32 .exe
    C:\Program Files\Microsoft Student\Microsoft Student 2006 DVD\EDICT .EXE
    C:\Program Files\QuickTime\qttask                                    .exe
    C:\Program Files\QuickTime\qttask                                   .exe
    C:\Program Files\QuickTime\qttask                                  .exe
    C:\Program Files\QuickTime\qttask                                 .exe
    C:\Program Files\QuickTime\qttask                                .exe
    C:\Program Files\QuickTime\qttask                               .exe
    C:\Program Files\QuickTime\qttask                              .exe
    C:\Program Files\QuickTime\qttask                             .exe
    C:\Program Files\QuickTime\qttask                            .exe
    C:\Program Files\QuickTime\qttask                           .exe
    C:\Program Files\QuickTime\qttask                          .exe
    C:\Program Files\QuickTime\qttask                         .exe
    C:\Program Files\QuickTime\qttask                        .exe
    C:\Program Files\QuickTime\qttask                       .exe
    C:\Program Files\QuickTime\qttask                      .exe
    C:\Program Files\QuickTime\qttask                     .exe
    C:\Program Files\QuickTime\qttask                    .exe
    C:\Program Files\QuickTime\qttask                   .exe
    C:\Program Files\QuickTime\qttask                  .exe
    C:\Program Files\QuickTime\qttask                 .exe
    C:\Program Files\QuickTime\qttask                .exe
    C:\Program Files\QuickTime\qttask               .exe
    C:\Program Files\QuickTime\qttask              .exe
    C:\Program Files\QuickTime\qttask             .exe
    C:\Program Files\QuickTime\qttask            .exe
    C:\Program Files\QuickTime\qttask           .exe
    C:\Program Files\QuickTime\qttask          .exe
    C:\Program Files\QuickTime\qttask         .exe
    C:\Program Files\QuickTime\qttask        .exe
    C:\Program Files\QuickTime\qttask       .exe
    C:\Program Files\QuickTime\qttask      .exe
    C:\Program Files\QuickTime\qttask     .exe
    C:\Program Files\QuickTime\qttask    .exe
    C:\Program Files\QuickTime\qttask   .exe
    C:\Program Files\QuickTime\qttask  .exe
    C:\Program Files\QuickTime\qttask .exe
    C:\Program Files\Trend Micro\AntiVirus 2007\tavui .exe
    C:\Program Files\Trend Micro\Internet Security 12\pccguide .exe
    C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon .exe
    C:\Program Files\Windows Defender\MSASCui .exe
    C:\WINDOWS\ehome\ehtray .exe
    
    * Now using your mouse, drag Log.txt onto RenV.exe.
    * When finished, RenV.exe will produce a new log named Log.txt on your Desktop. I will ask for this log later.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {CB9D9045-AD12-405B-8C38-C11605468F74} - C:\WINDOWS\system32\pmkjg.dll (file missing)
    O2 - BHO: (no name) - {ef5e6441-ad81-4d8a-b05b-4a7a8a434b96} - C:\WINDOWS\system32\qvfbmakp.dll
    O4 - HKLM\..\Run: [d4f21e30] rundll32.exe "C:\WINDOWS\system32\byawjgba.dll",b
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7048] command /c del "C:\WINDOWS\system32\pmkjg.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5540] cmd /c del "C:\WINDOWS\system32\pmkjg.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5980] command /c del "C:\WINDOWS\system32\pmkjg.dll_old" G
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2025] cmd /c del "C:\WINDOWS\system32\pmkjg.dll_old"

    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger and the RenV log.

    Be sure to tell us how things are running.
     
  5. bhayes

    bhayes Private E-2

    My system seems to be working faster. When can I try loading software back on?

    These files were not there to select; is that normal?
    O2 - BHO: (no name) - {CB9D9045-AD12-405B-8C38-C11605468F74} - C:\WINDOWS\system32\pmkjg.dll (file missing)
    O2 - BHO: (no name) - {ef5e6441-ad81-4d8a-b05b-4a7a8a434b96} - C:\WINDOWS\system32\qvfbmakp.dll
    O4 - HKLM\..\Run: [d4f21e30] rundll32.exe "C:\WINDOWS\system32\byawjgba.dll",b
    O4 - HKLM\..\RunOnce: [SpybotDeletingA7048] command /c del "C:\WINDOWS\system32\pmkjg.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5540] cmd /c del "C:\WINDOWS\system32\pmkjg.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB5980] command /c del "C:\WINDOWS\system32\pmkjg.dll_old" G
    O4 - HKCU\..\RunOnce: [SpybotDeletingD2025] cmd /c del "C:\WINDOWS\system32\pmkjg.dll_old"

    Thanks for your help
     

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to turn off Spybot's TeaTimer or much of this will not work.
    To disable Spybot's TeaTimer:

    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!

    Copy the bold text in the below code box to notepad. Save it as Log.txt to your desktop. (It must be on your Desktop).

    Code:
    C:\WINDOWS\ehome\ehtray .exe
    
    * Now using your mouse, drag Log.txt onto RenV.exe
    * When finished, RenV.exe will produce a new log named Log.txt on your Desktop. I will ask for this log later.

    Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    After reboot look for all of the above files we had Avenger attempt to delete. If you still see them, delete them yourself.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.
    Then attach the new logs:
    * Log.txt from running RenV
    * c:\avenger.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  7. bhayes

    bhayes Private E-2

    All the files were deleted or not there after I checked. The system is running better, and the net is running faster. Let me ask you this: how safe are webcams?
     

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Webcams are safe ...not to worry about that. We still have two items to deal with:

    Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    o If it is not on your Desktop, the below will not work.
    * Open Notepad and copy/paste the text in the below quote box into it:
    Code:
    File:
    C:\WINDOWS\ehome\ehtray .exe
    
    Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    Use your mouse to drag CFscript.txt on top of ComboFix.exe
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger and the new ComboFix log.
     
  9. bhayes

    bhayes Private E-2

    I can not thank you enough for your help. Thank you again!!
     

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Now Copy the bold text in the below code box to notepad. Save it as Log.txt to your desktop. (It must be on your Desktop).

    Code:
    C:\WINDOWS\ehome\ehtray .exe
    
    * Now using your mouse, drag Log.txt onto RenV.exe
    * When finished, RenV.exe will produce a new log named Log.txt on your Desktop. I will ask for this log later.

    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Attach the new RenV and Avenger logs.
     
  11. bhayes

    bhayes Private E-2

    I disabled them as best as I could. Here are the log files.
     

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That file just does not want to go away ...use windows explorer to find and delete it ...make sure you are deleting the right one (with the extra spaces after the name and the .exe):
    Code:
    67,584 2008-01-04 23:18:29  C:\WINDOWS\ehome\ehtray .exe
    
    Let me know if you are successful.
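Every file RenV was pointed at in this thread has the same trait: a legitimate-looking stem padded with spaces before ".exe" ("ehtray .exe" beside the real ehtray.exe, "qttask      .exe" beside qttask.exe), and post 12 tells the user to pick the padded one. The following is an added example, not RenV, HijackThis or any tool from this thread; it flags such names in a list of paths (or a real directory tree via scan_tree) and reports whether the unpadded twin exists, using a constructed sample list modelled on the paths above.

```python
import ntpath
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Stem, then one or more whitespace characters, then ".exe" (any case).
# Explorer trims trailing spaces in the display name, so "ehtray .exe"
# looks like ehtray.exe when it sits in the same folder as the real file.
PADDED_EXE = re.compile(r"^(?P<stem>.*\S)(?P<pad>\s+)(?P<ext>\.exe)$", re.IGNORECASE)


@dataclass
class Finding:
    path: str            # full path of the padded file, as given
    pad_width: int       # number of whitespace characters before ".exe"
    twin: Optional[str]  # reconstructed unpadded path if it also exists, else None


def padded_name(filename: str) -> Optional["re.Match"]:
    """Return a match object if filename has whitespace between stem and .exe."""
    return PADDED_EXE.match(filename)


def find_padded_executables(paths: Iterable[str]) -> List[Finding]:
    """Flag padded filenames and note whether the unpadded twin is in the list.
    Paths are Windows-style; ntpath parses them on any operating system."""
    paths = list(paths)
    present = {p.lower() for p in paths}  # case-insensitive, like NTFS
    findings = []
    for p in paths:
        directory, name = ntpath.split(p)
        m = padded_name(name)
        if not m:
            continue
        clean = ntpath.join(directory, m["stem"] + m["ext"])
        twin = clean if clean.lower() in present else None
        findings.append(Finding(p, len(m["pad"]), twin))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a real directory tree and apply the same check to every file."""
    all_paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return find_padded_executables(all_paths)


# Constructed sample (not a real directory listing): two decoys with
# different padding widths, each beside its legitimate twin, plus clean
# files that must not match.
SAMPLE_PATHS = [
    r"C:\WINDOWS\ehome\ehtray.exe",
    r"C:\WINDOWS\ehome\ehtray .exe",
    r"C:\Program Files\QuickTime\qttask      .exe",
    r"C:\Program Files\QuickTime\QTTask.exe",
    r"C:\Program Files\Messenger\msmsgs.exe",
    r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
]

if __name__ == "__main__":
    for f in find_padded_executables(SAMPLE_PATHS):
        status = f"twin present: {f.twin}" if f.twin else "no legitimate twin found"
        print(f"{f.path!r}  pad={f.pad_width}  {status}")
```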
     
  13. bhayes

    bhayes Private E-2

    I was able to delete it. What's next?
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    10. If you are running Windows XP or Windows ME, do the below:
    * Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work through the below link:
    * How to Protect yourself from malware!
     
  15. bhayes

    bhayes Private E-2

    When I try to delete the C:\QooBox folder, Norton pops up saying that a Trojan virus is being detected. I removed it, rebooted and the folder was back.
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It's the quarantine folder ....nothing to worry about ....but if you want:

    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:


    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.


     
  17. bhayes

    bhayes Private E-2

    What is RUNDLL32.exe\Windows\system32\NvCpl.dll,NvStartup? This is located in the Msconfig, on the startup tab. The reason that I ask is every time I reboot or logoff/on my Windows\system32 folder pops up. I was just wondering why that is happening?

    The system runs great other than that.
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go to Start/Run/Regedit:
    Look at both these keys and tell me what is there ---->
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    The two items refer to your display drivers ....
     
  19. bhayes

    bhayes Private E-2

    HKEY_LOCAL_MACHINE\SOFTWARE\Mircosoft\Windows\CurrentVersion\Run

    Default (value not set)
    ccApp “C:\Program Files\Common Files\Symantec\ccApp.exe”
    COMODO Firewall Pro “C:\Program Files\COMODO\Firewall\cfp.exe” –s
    DesktopMechanic Nothing
    LogitechCommunicationsManager “C:\Programs Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe”
    LogitechQuickCamRibbon “C:\Program Files\Logitech\QuickCam10\QuickCam10.exe” /hide
    NcCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    OsCheck “C:\Programs Files\Norton AntiVirus\osCheck.exe”
    SigmatelSysTrayApp stsystra.exe


    HKEY_CURRENT_USER\Software\Windows\CurrentVersion\Run

    Default (Value not set)
    L06AXLRD_2221234 “”-m
    L06AXLRD_8954062 “C\Program Files\Microsoft Student\Microsoft Student 2006 DVD\EDICT.EXE” –m
    Yahoo! Pager “C\Programs Files\Yahoo!\Messenger\YahooMessenger.exe”-quiet
     
  20. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    First go into your "Control Panel" and open "Folder Options", under the "View" tab make sure that "Restore previous folder windows at logon" is unchecked, click Apply/OK.

    If you still have the problem, then tell me what the values are for:
    HKEY_LOCAL_MACHINE\SOFTWARE\Mircosoft\Windows\CurrentVersion\Run
    NcCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
     
  21. bhayes

    bhayes Private E-2

    That option was unchecked.

    And the value is
    NcCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    When I double click on it in the registry value data = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    Should I be looking some where else?
     
  22. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We need to remove this in HJT ....
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    It initializes the clock and memory settings on nVidia based graphics cards. If you don't overclock your card it can be removed.
     
