TR/ATRAPS.gen2 trojan

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by NevTheTreeSurgeonYorkUK, Jun 22, 2012.

  1. NevTheTreeSurgeonYorkUK

    NevTheTreeSurgeonYorkUK Private E-2

    Hi,
    after looking at the sticky post about not going on porn sites and causing everyone a load of work and hassle; I can only put my hands up and say fair play, I admit it, that's what I did, didn't think about it like this before, and I won't be doing it again! Reading some other posts though people make some rare excuses about where the malware originated from; rather than just own up don't they?

    Can I humbly ask someone for help please? I seriously would appreciate the benefit of some expert advice! My laptop is infected with a TR/ATRAPS.gen2 Trojan I believe. I did have Avira free on the system when it happened, fat lot of good it did, but have since removed it and replaced it with AVG. I followed the malware removal/cleaning procedure to the letter I think. But AVG is still picking up loads of alerts. Please find attached the logs. I have a feeling, even though I know very little about the subject,that the operating system is real mucked up. Anyway this is my problem, I have been honest and I am embarrassed. Hope I did the logs right,
    Many thanks,
    Chris N, York, UK :-o
     

    Attached Files:

    NevTheTreeSurgeonYorkUK, Jun 22, 2012
    #1
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download to your desktop and run:

    ComboFix

    Attach the log when you are finished.
     
    TimW, Jun 22, 2012
    #2
  3. NevTheTreeSurgeonYorkUK

    NevTheTreeSurgeonYorkUK Private E-2

    Hi, Thankyou so much for your help, I am trying to visit the site but my browser just directs me elsewhere? I am on my pc now by the way and it is my laptop that is infected. I may have made a big mistake because I got tired and overlooked the instruction to download straight to the desktop on the lappy. as well.....I downloaded it onto my pc, dragged it onto my ext harddrive then from there onto the laptop and it rebooted halfway through. Sorry I am just not thinking straight, been sat here trying to follow advice and instructions all day and feel like I just made it worse, cant handle breaking all three devices, can I get rid of this thing? Am worried now...
     
    Last edited: Jun 22, 2012
    NevTheTreeSurgeonYorkUK, Jun 22, 2012
    #3
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    TimW, Jun 22, 2012
    #4
  5. NevTheTreeSurgeonYorkUK

    NevTheTreeSurgeonYorkUK Private E-2

    oh and not trying to bump but now I got a screen saying an unauthorized change was made to windows. You will no longer receive notifications, including those about your license or activation. Use the link below to find out how to fix your system. Learn more online...

    ????? I aint touched it
     
    NevTheTreeSurgeonYorkUK, Jun 22, 2012
    #5
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Where you able to download ComboFix?
     
    TimW, Jun 23, 2012
    #6
  7. NevTheTreeSurgeonYorkUK

    NevTheTreeSurgeonYorkUK Private E-2

    Yes but it seems that it isn't working? I may have it wrong. The process bears very little similarity to the process described on the authors page? And no log at the end also it says a file is missing and gives me the option to ignore? I am so edgy now I am questioning whether this site is real,and whether this pc is infected as well as the laptop I am trying to fix and whether I am just in a totally fake online web??AVG just randomly activated a thing called DO Not Track and google chrome just randomly opened a weird browser called incognito?? but I daren't press anything unless I am inadvertently excecuting a rogue programme. Its sending me insane!!
    Is it all in my head?
     
    NevTheTreeSurgeonYorkUK, Jun 23, 2012
    #7
  8. NevTheTreeSurgeonYorkUK

    NevTheTreeSurgeonYorkUK Private E-2

    ok I downloaded direct to desktop, double click and with all programmes and AV disabled, left it running and came back to nothing. Has it finished or been intercepted?
     
    NevTheTreeSurgeonYorkUK, Jun 23, 2012
    #8
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please do the below so that we can boot to System Recovery Options to run a scan. There will be two options to choose from. One if you do not have your Windows 7 boot DVD and another when you have your DVD.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Option1: Enter System Recovery Options from the Advanced Boot Options:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account an click Next.

    Option2: Enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
    TimW, Jun 23, 2012
    #9
  10. NevTheTreeSurgeonYorkUK

    NevTheTreeSurgeonYorkUK Private E-2

    Hi does it matter that my laptop is running vista? And no I don't have my boot disk.
     
    Last edited: Jun 23, 2012
    NevTheTreeSurgeonYorkUK, Jun 23, 2012
    #10
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, it works on Vista.
     
    TimW, Jun 23, 2012
    #11
  12. NevTheTreeSurgeonYorkUK

    NevTheTreeSurgeonYorkUK Private E-2

    HiI restarted but there does not seem to be the system recovery option? Options available are: safe mode, safe mode with networking, safe mode with command prompt, enable boot logging, enable low resolution video, last known good configuration (advanced), debugging mode, disable automatic restart on system failure, disable driver signature enforcement and start windows normally.
     
    Last edited: Jun 23, 2012
    NevTheTreeSurgeonYorkUK, Jun 23, 2012
    #12
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Use safe mode with command prompt, we need to get some sort of log.
     
    TimW, Jun 23, 2012
    #13
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Only if you have the Vista boot DVD. ;)
     
    chaslang, Jun 23, 2012
    #14
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Tim you can get started by use MGlogs.zip. For example, see the zafind.txt log ;) And newfiles.txt...etc.

    If ComboFix does not run then try OTL
     
    Last edited: Jun 23, 2012
    chaslang, Jun 23, 2012
    #15
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay since I have a few minutes, let me see if I can get you started on fixing this. This will probably not get everything as you may have some infected system files.


    Please download OTM by Old Timer and save it to your Desktop.
    • Right-click OTM.exe and select Run as administrator to run it.
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
explorer.exe
 
:Files
C:\Windows\installer\50ca34e.msi
C:\Windows\installer\50ca352.msi
C:\Windows\installer\50ca356.msi
C:\Windows\installer\63a0c94.msi
C:\Windows\installer\63a0c99.msi
C:\Windows\installer\63a0cb3.msi
C:\Windows\installer\63a0cba.msi
C:\Windows\installer\63a0cc2.msi
C:\Windows\installer\63a0cc7.msi
C:\Windows\installer\{b6102466-d281-48ee-7af2-5dd727822c00}\L\00000004.@
C:\Windows\installer\{b6102466-d281-48ee-7af2-5dd727822c00}\L\201d3dde
C:\Windows\installer\{b6102466-d281-48ee-7af2-5dd727822c00}\L\55490ac4
C:\Windows\installer\{b6102466-d281-48ee-7af2-5dd727822c00}\U\00000004.@
C:\Windows\installer\{b6102466-d281-48ee-7af2-5dd727822c00}\U\00000008.@
C:\Windows\installer\{b6102466-d281-48ee-7af2-5dd727822c00}\U\000000cb.@
C:\Windows\installer\{b6102466-d281-48ee-7af2-5dd727822c00}\U\80000000.@
C:\Windows\installer\{b6102466-d281-48ee-7af2-5dd727822c00}\U\80000032.@
C:\Windows\installer\{b6102466-d281-48ee-7af2-5dd727822c00}\U\80000064.@
C:\Windows\installer\{b6102466-d281-48ee-7af2-5dd727822c00}\L
C:\Windows\installer\{b6102466-d281-48ee-7af2-5dd727822c00}\U
C:\Windows\installer\{b6102466-d281-48ee-7af2-5dd727822c00}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Windows\TEMP\MGtE909.tmp
 
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar
      ) and choose Paste.
    • Now click the large [​IMG] button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip


    Now please download Farbar Service Scanner and run it on the computer with the issue.
    • Put a check mark in each option box on the left side.
    • Click "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.


    Goto the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller
     
    chaslang, Jun 23, 2012
    #16
  17. NevTheTreeSurgeonYorkUK

    NevTheTreeSurgeonYorkUK Private E-2

    Hi, are the log files I attached no good?

    I have tried command prompt in safe mode but nothing seems to be working, what should I be typing here? Why is the command line saying c:\windows\system32> even though my os is 64 bit?

    Oh and by the way I am thankful Tim for your help, if I do not reply for a while it is because I run a business and get called away for hours then have my little'un and missus to look after. Not being rude, really want to sort this and don't want to take up loads of your time so apologies for the delays in reply posts...
     
    NevTheTreeSurgeonYorkUK, Jun 23, 2012
    #17
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just try what I just posted befoe you posted this.
     
    chaslang, Jun 23, 2012
    #18
  19. NevTheTreeSurgeonYorkUK

    NevTheTreeSurgeonYorkUK Private E-2

    Hi please find attached logs requested,
    thankyou.
     

    Attached Files:

    NevTheTreeSurgeonYorkUK, Jun 23, 2012
    #19
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I suspected, not everything was able to be fixed due to the infection that you have. It would be much easier if you have your Vista Boot DVD. Since you don't let's try some other ways.

    • Please make sure that you have put the ComboFix.exe file directly onto your Desktop.
    • Then reboot your PC in safe boot mode.
    • Shutdown all other programs you are running and then right click on the ComboFix.exe file and select Run As Administrator.
    • Wait for it to finish running!!! DO not click anyway on the windows that ComboFix opens or it could cause it to hang.
    • When ComboFix finishes, it should reboot your PC.
    • After reboot, attach the C:\combofix.txt log
    • Also if ( and only if ComboFix ran ) then do the below
      • Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).
      • Then attach the new C:\MGlogs.zip file
     
    chaslang, Jun 23, 2012
    #20
  21. NevTheTreeSurgeonYorkUK

    NevTheTreeSurgeonYorkUK Private E-2

    Hi I did this but half way through it stopped for ages at this point: Output folder:c:\32788R22FWFFW\N_
    Output folder:c:\32788R22FWFFW
    and when I came back the program had closed. I am sure there was no reboot because it would be at the password screen wouldn't it? it was just as if I had not opened a program in the first place. The system now is sluggish.
     
    Last edited: Jun 24, 2012
    NevTheTreeSurgeonYorkUK, Jun 24, 2012
    #21
  22. NevTheTreeSurgeonYorkUK

    NevTheTreeSurgeonYorkUK Private E-2

    Sorry tried to edit the post but was to late. Line should have read....

    "Hi I did this but half way through it stopped for ages at this point:
    Extract:streamtools.zip
    Output folder:c:\32788R22FWFFW\N_
    Output folder:c:\32788R22FWFFW "
     
    NevTheTreeSurgeonYorkUK, Jun 24, 2012
    #22
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please delete any current copies of ComboFix.exe that you have.

    Also delete the below folders if found

    c:\32788R22FWFFW
    c:\QooBox
    C:\ComboFix

    Then download the current version of ComboFix and try again >> combofix.exe

    If this does not work, you are going to have to see it you can borrow a Vista Boot DVD from someone, or you will have to purchase one. Another possibility may be to try making the below CD and booting from it and running a scan with it:

    http://support.kaspersky.com/viruses/rescuedisk/all?qid=208282173
     
    chaslang, Jun 24, 2012
    #23

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds