[Zeiram]

Hi,

how are you guys?
I'm pretty new to this, so I really hope someone can help me.

Avira found this trojan (TR/Atraps.Gen2) on my system, so I did a scan
and deleted it, but somehow it just keeps being there...

I also tried to fix the problem using the two malware programs MALWAREBYTES ANTI-MALWARE
and SPYBOT - SEARCH & DESTROY while running in safe mode, but that only lead to the
laptop shutting down during the scan!

I'm not sure if it's of any help, but I think it all started when installing this driver
for my old printer.

Kind regards

[Advertisements]

Hi and welcome to Geeks to Go.

A few questions first if I may as follows...

1 - Which Operating System does your computer have?

2 - Could you post the log from the Malwarebytes' Anti-Malware scan you mentioned please if it is still available.

3 - Is your computer able to boot-up into Normal Mode?

[Dakeyras]

Hi and welcome to Geeks to Go.

A few questions first if I may as follows...

1 - Which Operating System does your computer have?

2 - Could you post the log from the Malwarebytes' Anti-Malware scan you mentioned please if it is still available.

3 - Is your computer able to boot-up into Normal Mode?

[Zeiram]

Hi!

Thanks for the quick reply.

1 - Windows Vista Home Premium 32-Bit (Service Pack 2)

2 - I am not sure if that's the correct one, because as I mentioned before

the laptop shutdown in the middle of the full scanning process.

2012/08/31 07:54:54 +0200 MARISA-PC Besitzer MESSAGE Starting protection
2012/08/31 07:54:57 +0200 MARISA-PC Besitzer MESSAGE Protection started successfully
2012/08/31 07:55:00 +0200 MARISA-PC Besitzer MESSAGE Starting IP protection
2012/08/31 07:55:07 +0200 MARISA-PC Besitzer MESSAGE IP Protection started successfully
2012/08/31 08:19:52 +0200 MARISA-PC Besitzer IP-BLOCK 77.78.221.2 (Type: outgoing, Port: 58297, Process: explorer.exe)
2012/08/31 08:27:05 +0200 MARISA-PC Besitzer MESSAGE Starting protection
2012/08/31 08:27:08 +0200 MARISA-PC Besitzer MESSAGE Protection started successfully
2012/08/31 08:27:11 +0200 MARISA-PC Besitzer MESSAGE Starting IP protection
2012/08/31 08:27:18 +0200 MARISA-PC Besitzer MESSAGE IP Protection started successfully
2012/08/31 09:11:13 +0200 MARISA-PC Besitzer IP-BLOCK 77.78.218.41 (Type: outgoing, Port: 56073, Process: explorer.exe)
2012/08/31 09:12:09 +0200 MARISA-PC Besitzer IP-BLOCK 89.28.41.6 (Type: outgoing, Port: 56073, Process: explorer.exe)
2012/08/31 09:15:22 +0200 MARISA-PC Besitzer IP-BLOCK 77.78.221.2 (Type: outgoing, Port: 56073, Process: explorer.exe)
2012/08/31 09:26:11 +0200 MARISA-PC Besitzer IP-BLOCK 77.78.221.2 (Type: outgoing, Port: 56073, Process: explorer.exe)
2012/08/31 09:52:52 +0200 MARISA-PC Besitzer IP-BLOCK 89.28.74.237 (Type: outgoing, Port: 56073, Process: explorer.exe)
2012/08/31 09:56:20 +0200 MARISA-PC Besitzer IP-BLOCK 89.28.74.237 (Type: outgoing, Port: 56073, Process: explorer.exe)
2012/08/31 13:49:53 +0200 MARISA-PC Besitzer MESSAGE Starting protection
2012/08/31 13:49:57 +0200 MARISA-PC Besitzer MESSAGE Protection started successfully
2012/08/31 13:50:00 +0200 MARISA-PC Besitzer MESSAGE Starting IP protection
2012/08/31 13:50:07 +0200 MARISA-PC Besitzer MESSAGE IP Protection started successfully
2012/08/31 13:50:24 +0200 MARISA-PC Besitzer DETECTION C:\$RECYCLE.BIN\S-1-5-21-519506957-228419792-2819942408-1000\$98d68bdb1e4a22c63e789ffccaed241c\U\800000cb.@ Rootkit.0Access QUARANTINE
2012/08/31 13:50:32 +0200 MARISA-PC Besitzer IP-BLOCK 77.78.209.252 (Type: outgoing, Port: 58991, Process: explorer.exe)
2012/08/31 13:50:37 +0200 MARISA-PC Besitzer DETECTION c:\$recycle.bin\s-1-5-21-519506957-228419792-2819942408-1000\$98d68bdb1e4a22c63e789ffccaed241c\u\800000cb.@ Rootkit.0Access DENY
2012/08/31 13:50:40 +0200 MARISA-PC Besitzer IP-BLOCK 77.78.209.252 (Type: outgoing, Port: 58991, Process: explorer.exe)

I'm also sending this log via the attachment option, just in case. Hope it is of any help.

3 - Yes, it is.


Please let me know if you need any more information concerning this.

I'll be more than happy to pass it to you.

Appreciate it.

Regards

Attached Files

•  protection-log-2012-08-31.txt   6.32KB   58 downloads

[Dakeyras]

Hi.

Thanks for the quick reply.

You're welcome!

I am not sure if that's the correct one, because as I mentioned before

the laptop shutdown in the middle of the full scanning process.

Looks like the Protection Module log from Malwarebytes' Anti-Malware. However it has provided myself with a fairly decent assessment of what your machine is infected with.

Anyway it appears your machne is infected with a variant of the ZA Rootkit. As a precaution if you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Next:

For the time being I am going to ask for a specific scan from outside the windows environment as follows...

Scan with Farbar Recovery Scan Tool:

Please download and save Farbar Recovery Scan Tool to a Flash/USB drive.

Then insert the Flash/USB drive into your machine....

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:


Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt[*]Select Command Prompt
[*]In the command window type in notepad and press Enter.
[*]The notepad opens. Under File menu select Open.
[*]Select "Computer" and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe and press Enter[/list] Note: Replace letter e with the drive letter of your flash drive.

• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please copy and paste the contents of the aforementioned notepad file in your next reply.

[Zeiram]

I'm glad you could read the log and

thanks for the hint concerning my bank.


At the moment I am doing a backup as you said,

which is taking a while.


I also downloaded Farbar Recovery Scan Tool

and will do that scan as soon as I am done

with that backup and post you the result.


Bye for now.

[Dakeyras]

Acknowledged.

[Dakeyras]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.