Help With Pe_trats.a, Infected computer

Discussion in 'Malware Help (A Specialist Will Reply)' started by Brico, Jan 9, 2008.

  1. Brico

    Brico Private E-2

    hello just joined up hoping to find some solutions. I recently received a message from trend micro that said i have PE_TRATS.A and i also have a lot of pop ups starting to appear. I have trend micro and ad ware se and spyware bot. I scan pretty regularly but i am now all of a sudden getting pop ups and receiving message from trend micro about PE_TRATS.A, it's a virus or Trojan i think not sure. I'm not sure how to remove it and it is messing with some .exe files. I need direction and help. Trend didn't really have a solution, any help would be greatly appreciated. Oh, and i have some weird errors involving system32 can't open things correctly, on start up. There are about 4 messages, and I am assuming these are an occurrence of: PE_TRATS.A

    Thanks. Again any help is appreciated.
     
  2. abri

    abri MajorGeek

    Hi Brico!
    Welcome to Major Geeks!

    Please go to the READ & RUN ME FIRST and follow the instructions there, noting those specific to your operating system. When you finish, attach the logs with your next post so we can post a set of removal instructions for you.


    abri
     
  3. Brico

    Brico Private E-2

    I ran everything and followed the READ & RUN ME FIRST and it fixed some things. I haven't received a warning from trend about PE_TRATS.A, but I'm still thinking there is a problem associated with PE_TRATS.A or something else. I still receive one error on windows start up which warns me saying should initialize or load C:\windows\system32\vwfpthkr.dll. I attached some logs with the post. Thanks for the help.
     


  4. Brico

    Brico Private E-2

    anyone?
     
  5. abri

    abri MajorGeek

    Hi Brico!

    You have a bad infection. Please don't use your computer except to work on this and don't go through any unnecessary boots. Also, please be patient. There are many people wanting help and not many of us. I'm looking at your logs.

    abri
     
  6. abri

    abri MajorGeek

    Brico,


    1) Go to add/remove programs and uninstall the below:

    - J2SE Runtime Environment 5.0 Update 11
    - Viewpoint Media Player



    2) What's in the following folder? Don't open any files.

    C:\Program Files\Common Files\Alias Shared

    3) Please scan the following file(s) at either
    jotti or VirusTotal and let me know the results.


    C:\WINDOWS\458200~1.TMP Sep 13 2007 "458200709BE54785B770A50F5240250B.TMP"
    C:\WINDOWS\85EBB2~1.TMP Sep 27 2007 "85EBB28365AF4C539EBE7C0A232762F7.TMP"


    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [6472afe6] rundll32.exe "C:\WINDOWS\system32\vwfpthkr.dll",b
    O20 - Winlogon Notify: winwim32 - C:\WINDOWS\

    Do the following belong to programs you know or want to keep? (Zango, formerly 180solutions and Hotbar, manufactures known adware and spyware typically required to access partner's games, DRM-protected videos) If not, please fix them as well.

    O4 - HKLM\..\Run: [ZangoOE] C:\Program Files\Zango\bin\10.0.370.0\OEAddOn.exe
    O4 - HKLM\..\Run: [ZangoSA] "C:\Program Files\Zango\bin\10.0.370.0\ZangoSA.exe"

    After you click fix, just close hijackthis.


    5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    6) Download and install Erunt. Use it to create a backup of your registry.

    7) Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixme.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixme.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    8) Please do the following:
    • Download and save to RenV.exe to your Desktop (must be on the Desktop)
    • Doubleclick RenV.exe
    • When finished, it will produce a new log named Log.txt on the Desktop.
    • Attach this log to your next reply.
    9) And now please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the RenV log.


    Let me know how things are running now?

    abri
     
  7. Brico

    Brico Private E-2

    Abri let me first apologize for the first reply I just thought that nobody would give poor old me any help. Anyway back to the problem, I did each of the steps that you posted. I restarted after and I got no system error pop up when i restarted. I hope everything is back to normal. I know at least that something was fixed this time around for sure. I posted the two logs below for you to take a look at. Oh yea I ran a check on these two files:

    C:\WINDOWS\458200~1.TMP Sep 13 2007 "458200709BE54785B770A50F5240250B.TMP"

    C:\WINDOWS\85EBB2~1.TMP Sep 27 2007 "85EBB28365AF4C539EBE7C0A232762F7.TMP"

    Both programs found nothing on each. Thank you so much for taking the time to help me out Abri, I hope everything is back to normal or progressing towards it. Thanks for the help.
     


  8. abri

    abri MajorGeek

    Hi Brico!

    Continue as follows:

    Copy the text in the box below to notepad. Save it as Log.txt to your desktop.
    • Now using your mouse, drag Log.txt onto RenV.exe
    • When finished, RenV.exe will produce a new log. Attach the new Log.txt to your next reply.
    • Run ComboFix
    • Run C:\MGtools\GetLogs.bat by double clicking on it.
    • Attach the below new logs:
      • Log.txt
      • C:\ComboFix.txt
      • C:\MGlogs.zip
    abri
     
  9. Brico

    Brico Private E-2

    Ok did everything you said Abri. The logs are attached.....
     


  10. abri

    abri MajorGeek

    Hi Brico,
    In Post 8 I had you make log.txt with some file names and pull that log.txt across onto the RenV.exe on the desktop. I missed one file. Please repeat those instructions in Post 8 for the following:
    After you finish that, please continue as follows:
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    Code:
    File::
    C:\Program Files\Download Manager\DLM    .exe
    C:\Program Files\QuickTime\QTTask  .exe
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have the below icons on your Desktop (click on the link to see them)
    http://forums.majorgeeks.com/attachment.php?attachmentid=78961&thumb=1&d=1198874840
    • Now refer to the above image and use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.
    • Run RenV.exe and attach the new Log.txt file
    • Attach the new log from ComboFix
    • Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.
     
  11. Brico

    Brico Private E-2

    Ok here ya go I hope i did everything right. I noticed that we deleted the DLM.exe. I used that to download things off a certain site, i can re download it if need be, just wondering why we deleted it.

    logs below......
     


  12. abri

    abri MajorGeek

    Hi Brico!

    Please go back to post 6, Step 8 and run RenV again and have it produce another log. There are several problems involved in this infection. One of them is that the virus gets worse each time you reboot. Another is identifying the correct .exe to leave while deleting those which are bad. The bad ones and good ones have the same program names.

    Post the log from the RenV and while you wait, please use your computer as little as possible for the time-being.

    Thanks so much.
    abri
     
  13. Brico

    Brico Private E-2

    Ok i ran RenV and the log is attached.
     

  14. abri

    abri MajorGeek

    Copy the text in the box below to notepad. Save it as Log.txt to your desktop. Quote:
    C:\Program Files\Trend Micro\AntiVirus 2007\tavui .exe
    • Now using your mouse, drag Log.txt onto RenV.exe
    • When finished, RenV.exe will produce a new log. Attach the new Log.txt to your next reply.
    • Run ComboFix (attach log)
     
  15. Brico

    Brico Private E-2

    ok did exactly what you said abri... here you go
     


  16. abri

    abri MajorGeek

    Hi Brico,
    Please run GetLogs.bat by double clicking on it. It's in the MGTools folder under C:
    It will produce MGlogs.zip which you can find directly under C: next to the superman icon.
    Attach it here.

    I see two entries for this infection left. The MGlogs should allow me to see if there are any others.

    Thanks.
    abri
     
  17. Brico

    Brico Private E-2

    ok here it is......

    Ty for all this help abri, hope we're nearing the end .....
     


  18. abri

    abri MajorGeek

    Hi Brico!
    Each of the three files we tried to remove were removed and then came back, which means something is still there to regenerate them. I have to get more information on this and get back to you. Sorry this is taking time.
    abri
     
  19. Brico

    Brico Private E-2

    Ahh that's unfortunate, that's fine Abri... get back to me when you can... ty again.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you still have the last Log.txt file on your Desktop?

    If yes, drag the Log.txt file that is on your Desktop on top of the RenV.exe program on your Desktop. This should overwrite the current Log.txt file with a new one. Attach it here. If it still shows the same problem file, you may have to uninstall your Trend Micro Antivirus program since it has become infected.

    Also the reason Abri had you removing DLM earlier is because it is also infected. You may need to reinstall it after all malware has been removed.


    Now run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM .exe /windowsstart /startifwork

    After clicking Fix, exit HJT.

    Now reboot your PC.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created.
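    The HijackThis O4 lines that abri and chaslang single out in posts 6 and 20 share a few traits you can see in the text itself: a Run value named with eight hex digits that launches rundll32 against a random-looking DLL in system32, and program entries whose file name carries a space before ".exe" (the files RenV was used to rename). The script below is an added example written for this page; it is not code from the thread, from the MajorGeeks tools or from HijackThis. It parses O4-style lines (the sample lines are constructed copies of the entries quoted in this thread) and marks entries showing those traits for review. The thresholds it uses (an 8-hex-digit value name, fewer than 15% vowels in a name of eight or more letters) are this example's own heuristics, not rules the helpers stated.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: HijackThis-style O4 lines modelled on the ones posted in this thread.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r'O4 - HKLM\..\Run: [6472afe6] rundll32.exe "C:\WINDOWS\system32\vwfpthkr.dll",b',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime',
    r'O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM .exe /windowsstart /startifwork',
]

# Shape of a line: O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# rundll32.exe "<dll>",<export>: the DLL is the artifact worth looking at
RUNDLL_RE = re.compile(r'^"?[^"]*rundll32\.exe"?\s+"?(?P<dll>[^",]+)"?', re.I)
VOWELS = set('aeiouy')


def extract_target(cmd: str) -> str:
    """Return the file the Run value really loads: the DLL for rundll32 entries, else the executable."""
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group('dll').strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    # Unquoted path that may itself contain spaces: keep everything up to the first ".exe"
    m = re.match(r'^(?P<path>.*?\.exe)', cmd, re.I)
    return m.group('path') if m else cmd.split()[0]


def findings_for(name: str, cmd: str, target: str) -> List[str]:
    """Heuristic flags; thresholds are assumptions of this example, not rules from the thread."""
    flags: List[str] = []
    base = target.rsplit('\\', 1)[-1]
    stem, _, ext = base.rpartition('.')
    # "QTTask .exe" / "DLM .exe": whitespace between the name and the extension
    if stem != stem.rstrip():
        flags.append('whitespace before file extension')
    # Auto-generated looking value names such as [6472afe6]
    if re.fullmatch(r'[0-9a-f]{8}', name, re.I):
        flags.append('value name is 8 hex digits')
    # Random-looking basenames such as vwfpthkr.dll: long and nearly vowel-free
    letters = [c for c in stem.strip().lower() if c.isalpha()]
    if len(letters) >= 8 and sum(c in VOWELS for c in letters) / len(letters) < 0.15:
        flags.append('low-vowel basename')
    if RUNDLL_RE.match(cmd) and ext.lower() == 'dll':
        flags.append('DLL launched via rundll32')
    return flags


def parse_o4_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one O4 line into hive, value name, loaded file and review flags; None if not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, name, cmd = m.group('hive'), m.group('name'), m.group('cmd')
    target = extract_target(cmd)
    return {'hive': hive, 'name': name, 'target': target,
            'findings': findings_for(name, cmd, target)}


def analyze_o4_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every O4 line in a HijackThis log excerpt, skipping lines of other types."""
    return [r for r in (parse_o4_line(line) for line in lines) if r is not None]


if __name__ == '__main__':
    for entry in analyze_o4_lines(SAMPLE_O4_LINES):
        status = 'REVIEW' if entry['findings'] else 'ok'
        print(f"{status:6} {entry['hive']} [{entry['name']}] {entry['target']}  "
              f"{', '.join(entry['findings'])}")
```

    Feed it the O4 lines of a saved HijackThis scan; anything marked REVIEW is a candidate to check against the file on disk (for instance by uploading it to jotti or VirusTotal, as abri asked for in post 6), not something to fix automatically. Legitimate vendors do register rundll32 entries and odd names, so the flags narrow the list rather than decide it.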
     
  21. Brico

    Brico Private E-2

    Ok i think i saw the same thing with trend micro guess i may have to delete it ?
     


  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! To be safe it would be best to uninstall your Trend Micro antivirus and then reboot.

    After reboot, delete the below folder if it exists:
    C:\Program Files\Trend Micro

    Then reinstall TrendMicro and your Download Manager if you still need it.



    Download Registry Search (see the link titled RegSearch Download Link)

    * Extract the files from Regsearch.zip into a folder.
    * Doubleclick regsearch.exe to start the program.
    * Enter 2093FBA7-2CA0-C2D5-6559-65660F9AF6CE in the top area of the form and then click "OK".
    * Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.


    You should be basically clean afterwards (other than maybe the above registry key) and can move onto our final steps below.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
    Last edited: Jan 20, 2008
  23. Brico

    Brico Private E-2

    Ok thanks.... I deleted Trend and the folder after reboot. I reinstalled Trend after running Reg. search. Thanks, I really appreciate the help.
     


  24. Brico

    Brico Private E-2

    Hey, I'm still not sure everything is alright, my Firefox browser opened to a new window not seen before.... i scanned with Spybot S & D and with Avg. I cleaned some things up. But Spybot S & D found spyware bot... which i manually removed the program... but it found it in the registry still....

    I posted combo fix log and MGlogs... just something "smells fishy still"
     
  25. Brico

    Brico Private E-2

    Sorry, here are the attachments
     


  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what you mean. Are you saying your home page was changed? Is whatever you are referring to still happening? If so, describe what you mean. If it is just URL, give the URL.


    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    What files do you see in the below folder?
    C:\WINDOWS\SRCHASST


    Run RegSearch using the below search string.
    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Enter gsplittm in the top area of the form and then click "OK".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.
     
  27. Brico

    Brico Private E-2

    ok that "new window" is gone. I added those two lines of text to the registry. I searched through C:\WINDOWS\SRCHASST. I saw microsoft English language server and search assistant controls and other numerous microsoft things. I ran RegSearch using the search string. Log attached.
     


  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't search! Just open Windows Explorer and go to the C:\Windows\SRCHASST folder and give me the names of the files you see in this folder. Only give me the filenames you see. I don't care about the 2 other folders named CHARS and MUI that you will see.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now let's repeat this. Run RegSearch using the below search string.
    • Extract the files from Regsearch.zip into a folder.
    • Doubleclick regsearch.exe to start the program.
    • Enter gsplittm in the top area of the form and then click "OK".
    • Notepad will be opened with text in it (the file named RegSearch.txt will be saved in the program's folder as well). Attach this file to your next reply.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  30. Brico

    Brico Private E-2

    Ok did everything you said. Everything seems ok... i guess the logs will tell the truth...
     


  31. abri

    abri MajorGeek

    Brico,
    Avenger didn't run correctly. Please try it again only do the following. Turn your computer off and disconnect from the internet, then boot back up. Disable all your antivirus, antispyware and firewall software. Run it again and be sure that you follow the instructions carefully, making sure to extract it before hand. When you copy the contents of the box, be sure to copy everything including the words Registry keys to delete:

    Check the log after you rerun it and see if it ran properly this time. Then shut down your computer, reconnect to the internet. Make sure your protection programs are all turned on again. Attach the avenger log to your next post here. If it didn't run properly, Chaslang will give you another way to run it.

    Thanks.
    abri
     
  32. Brico

    Brico Private E-2

    Ok did what you said abri. It seemed to run correctly this time, log is attached...
     


  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's better but now you need to attach new logs from RegSearch and a new MGlogs.zip file.
     
  34. Brico

    Brico Private E-2

    Ok here are the logs from RegSearch and MGlogs.zip file.
     


  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN
      • Now type combofix /u in the runbox and click OK.
      • Note: The space between the X and the /U, it must be there.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you run RenV.exe, you can delete it and the Log.txt file on your Desktop.
    9. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    10. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    11. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    12. If you are running Windows XP or Windows ME, do the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    13. After doing the above, you should work thru the below link:
     
  36. Brico

    Brico Private E-2

    Well thanks very, very much, you were an enormous help... Thanks again... I can't tell you how much i appreciate it.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
