How to remove TR/Atraps.Gen2? [Closed]


  • This topic is locked

#1
Zeiram

Zeiram

    New Member

  • Member
  • Pip
  • 3 posts
Hi,

how are you guys?
I'm pretty new to this, so I really hope someone can help me.

Avira found this trojan (TR/Atraps.Gen2) on my system, so I did a scan
and deleted it, but somehow it just keeps being there...

I also tried to fix the problem using the two malware programs MALWAREBYTES ANTI-MALWARE
and SPYBOT - SEARCH & DESTROY while running in safe mode, but that only led to the
laptop shutting down during the scan!

I'm not sure if it's of any help, but I think it all started when installing this driver
for my old printer.

Kind regards
  • 0



#2
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,684 posts
Hi and welcome to Geeks to Go. :)

A few questions first if I may as follows...

1 - Which Operating System does your computer have?

2 - Could you post the log from the Malwarebytes' Anti-Malware scan you mentioned please if it is still available.

3 - Is your computer able to boot-up into Normal Mode?
  • 0

#3
Zeiram

Zeiram

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hi!

Thanks for the quick reply. :thumbsup:

1 - Windows Vista Home Premium 32-Bit (Service Pack 2)

2 - I am not sure if that's the correct one, because as I mentioned before
the laptop shut down in the middle of the full scanning process.

2012/08/31 07:54:54 +0200 MARISA-PC Besitzer MESSAGE Starting protection
2012/08/31 07:54:57 +0200 MARISA-PC Besitzer MESSAGE Protection started successfully
2012/08/31 07:55:00 +0200 MARISA-PC Besitzer MESSAGE Starting IP protection
2012/08/31 07:55:07 +0200 MARISA-PC Besitzer MESSAGE IP Protection started successfully
2012/08/31 08:19:52 +0200 MARISA-PC Besitzer IP-BLOCK 77.78.221.2 (Type: outgoing, Port: 58297, Process: explorer.exe)
2012/08/31 08:27:05 +0200 MARISA-PC Besitzer MESSAGE Starting protection
2012/08/31 08:27:08 +0200 MARISA-PC Besitzer MESSAGE Protection started successfully
2012/08/31 08:27:11 +0200 MARISA-PC Besitzer MESSAGE Starting IP protection
2012/08/31 08:27:18 +0200 MARISA-PC Besitzer MESSAGE IP Protection started successfully
2012/08/31 09:11:13 +0200 MARISA-PC Besitzer IP-BLOCK 77.78.218.41 (Type: outgoing, Port: 56073, Process: explorer.exe)
2012/08/31 09:12:09 +0200 MARISA-PC Besitzer IP-BLOCK 89.28.41.6 (Type: outgoing, Port: 56073, Process: explorer.exe)
2012/08/31 09:15:22 +0200 MARISA-PC Besitzer IP-BLOCK 77.78.221.2 (Type: outgoing, Port: 56073, Process: explorer.exe)
2012/08/31 09:26:11 +0200 MARISA-PC Besitzer IP-BLOCK 77.78.221.2 (Type: outgoing, Port: 56073, Process: explorer.exe)
2012/08/31 09:52:52 +0200 MARISA-PC Besitzer IP-BLOCK 89.28.74.237 (Type: outgoing, Port: 56073, Process: explorer.exe)
2012/08/31 09:56:20 +0200 MARISA-PC Besitzer IP-BLOCK 89.28.74.237 (Type: outgoing, Port: 56073, Process: explorer.exe)
2012/08/31 13:49:53 +0200 MARISA-PC Besitzer MESSAGE Starting protection
2012/08/31 13:49:57 +0200 MARISA-PC Besitzer MESSAGE Protection started successfully
2012/08/31 13:50:00 +0200 MARISA-PC Besitzer MESSAGE Starting IP protection
2012/08/31 13:50:07 +0200 MARISA-PC Besitzer MESSAGE IP Protection started successfully
2012/08/31 13:50:24 +0200 MARISA-PC Besitzer DETECTION C:\$RECYCLE.BIN\S-1-5-21-519506957-228419792-2819942408-1000\$98d68bdb1e4a22c63e789ffccaed241c\U\[email protected] Rootkit.0Access QUARANTINE
2012/08/31 13:50:32 +0200 MARISA-PC Besitzer IP-BLOCK 77.78.209.252 (Type: outgoing, Port: 58991, Process: explorer.exe)
2012/08/31 13:50:37 +0200 MARISA-PC Besitzer DETECTION c:\$recycle.bin\s-1-5-21-519506957-228419792-2819942408-1000\$98d68bdb1e4a22c63e789ffccaed241c\u\[email protected] Rootkit.0Access DENY
2012/08/31 13:50:40 +0200 MARISA-PC Besitzer IP-BLOCK 77.78.209.252 (Type: outgoing, Port: 58991, Process: explorer.exe)

I'm also sending this log via the attachment option, just in case. Hope it is of any help.

3 - Yes, it is.


Please let me know if you need any more information concerning this.

I'll be more than happy to pass it to you.

Appreciate it.

Regards

  • 0
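As an added example (not code from the thread, from Malwarebytes or from the helper), the parser below reads Protection Module log lines of the layout shown in the post above and summarizes the two signals a responder looks for in such a log: repeated outbound connections blocked for one process, and a detection that recurs on the same path after the file was already quarantined. The line layout, the regular expressions and the function names are assumptions made for this example; the sample lines are a subset of the log posted above, reproduced as they appear there.

```python
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input: a subset of the Protection Module log lines posted
# in the thread, reproduced as they appear there (including the file name).
SAMPLE_LOG = r"""
2012/08/31 07:54:54 +0200 MARISA-PC Besitzer MESSAGE Starting protection
2012/08/31 07:54:57 +0200 MARISA-PC Besitzer MESSAGE Protection started successfully
2012/08/31 08:19:52 +0200 MARISA-PC Besitzer IP-BLOCK 77.78.221.2 (Type: outgoing, Port: 58297, Process: explorer.exe)
2012/08/31 09:11:13 +0200 MARISA-PC Besitzer IP-BLOCK 77.78.218.41 (Type: outgoing, Port: 56073, Process: explorer.exe)
2012/08/31 09:12:09 +0200 MARISA-PC Besitzer IP-BLOCK 89.28.41.6 (Type: outgoing, Port: 56073, Process: explorer.exe)
2012/08/31 09:15:22 +0200 MARISA-PC Besitzer IP-BLOCK 77.78.221.2 (Type: outgoing, Port: 56073, Process: explorer.exe)
2012/08/31 13:50:24 +0200 MARISA-PC Besitzer DETECTION C:\$RECYCLE.BIN\S-1-5-21-519506957-228419792-2819942408-1000\$98d68bdb1e4a22c63e789ffccaed241c\U\[email protected] Rootkit.0Access QUARANTINE
2012/08/31 13:50:32 +0200 MARISA-PC Besitzer IP-BLOCK 77.78.209.252 (Type: outgoing, Port: 58991, Process: explorer.exe)
2012/08/31 13:50:37 +0200 MARISA-PC Besitzer DETECTION c:\$recycle.bin\s-1-5-21-519506957-228419792-2819942408-1000\$98d68bdb1e4a22c63e789ffccaed241c\u\[email protected] Rootkit.0Access DENY
"""

# Assumed line layout (matches the lines above): date time tz host user KIND detail
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) "
    r"(?P<host>\S+) (?P<user>\S+) (?P<kind>MESSAGE|IP-BLOCK|DETECTION) (?P<rest>.*)$"
)
# IP-BLOCK detail: "<ip> (Type: <direction>, Port: <port>, Process: <image>)"
BLOCK_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?P<direction>\w+), "
    r"Port: (?P<port>\d+), Process: (?P<process>[^)]+)\)$"
)
# DETECTION detail: "<path> <threat> <action>"; the path may contain spaces,
# so threat and action are taken as the last two tokens.
DETECT_RE = re.compile(r"^(?P<path>.+) (?P<threat>\S+) (?P<action>\S+)$")


@dataclass
class Event:
    ts: str
    kind: str
    fields: dict = field(default_factory=dict)


def parse_log(text: str) -> list[Event]:
    """Parse log text into Event records; lines that do not fit the layout are skipped."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        fields = {"message": rest}
        if kind == "IP-BLOCK":
            b = BLOCK_RE.match(rest)
            fields = b.groupdict() if b else fields
        elif kind == "DETECTION":
            d = DETECT_RE.match(rest)
            fields = d.groupdict() if d else fields
        events.append(Event(m.group("ts"), kind, fields))
    return events


def summarize(events: list[Event]) -> dict:
    """Aggregate blocked outbound connections, the processes that made them,
    the detections, and any path detected more than once (something is recreating it)."""
    outbound_blocks: Counter = Counter()
    blocking_processes: Counter = Counter()
    detections = []
    for e in events:
        if e.kind == "IP-BLOCK" and e.fields.get("direction") == "outgoing":
            outbound_blocks[e.fields["ip"]] += 1
            blocking_processes[e.fields["process"].lower()] += 1
        elif e.kind == "DETECTION" and "threat" in e.fields:
            detections.append((e.fields["threat"], e.fields["action"], e.fields["path"]))
    # Windows paths are case-insensitive; the log mixes cases for the same file.
    seen = Counter(path.lower() for _, _, path in detections)
    return {
        "outbound_blocks": dict(outbound_blocks),
        "blocking_processes": dict(blocking_processes),
        "detections": detections,
        "redetected_paths": sorted(p for p, n in seen.items() if n > 1),
    }


def triage_notes(summary: dict) -> list[str]:
    """Plain-language observations derived only from the summarized log."""
    notes = []
    if summary["outbound_blocks"]:
        procs = ", ".join(f"{p} ({n})" for p, n in summary["blocking_processes"].items())
        notes.append(f"{sum(summary['outbound_blocks'].values())} outbound connection(s) blocked "
                     f"to {len(summary['outbound_blocks'])} distinct address(es); initiated by: {procs}")
    for threat, action, path in summary["detections"]:
        notes.append(f"{threat} ({action}) at {path}")
    for path in summary["redetected_paths"]:
        notes.append(f"re-detected after first action: {path} (file is being recreated; still active)")
    return notes


if __name__ == "__main__":
    for note in triage_notes(summarize(parse_log(SAMPLE_LOG))):
        print(note)
```

Run as-is it prints four notes for the sample: five outbound blocks from explorer.exe to four addresses, the two Rootkit.0Access detections, and the re-detection of the same file under $RECYCLE.BIN a few seconds after it was quarantined, which is the pattern the helper reads as an active rootkit rather than a leftover file.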

#4
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,684 posts
Hi. :)

Thanks for the quick reply. :thumbsup:

You're welcome!

I am not sure if that's the correct one, because as I mentioned before
the laptop shut down in the middle of the full scanning process.

Looks like the Protection Module log from Malwarebytes' Anti-Malware. However, it has provided me with a fairly decent assessment of what your machine is infected with.

Anyway, it appears your machine is infected with a variant of the ZA Rootkit. As a precaution, if you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Before we start:

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Next:

For the time being I am going to ask for a specific scan from outside the windows environment as follows...

Scan with Farbar Recovery Scan Tool:

Please download and save Farbar Recovery Scan Tool to a Flash/USB drive.

Then insert the Flash/USB drive into your machine....

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste the contents of the aforementioned notepad file in your next reply.

  • 0

#5
Zeiram

Zeiram

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
I'm glad you could read the log and thanks for the hint concerning my bank.

At the moment I am doing a backup as you said, which is taking a while.

I also downloaded Farbar Recovery Scan Tool and will do that scan as soon as I am done with that backup and post you the result.

Bye for now.
  • 0

#6
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,684 posts
Acknowledged. :)
  • 0

#7
Dakeyras

Dakeyras

    Anti-Malware Mammoth

  • Expert
  • 9,684 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
