
atraps.gen2 winning the war.... [Solved]


  • This topic is locked

#1
turbo99

    Member

  • Member
  • 13 posts
I have also posted this in the can't run antivirus part of the forum, feel free to delete that as I feel this section is more relevant.

I have some nasty viral infections - atraps.gen2 and w32/patched.UC amongst other things constantly popping up on my Avira.

Avira and Malwarebytes fail to clean them, and when I try and run OTL.exe it just comes back with an incorrect parameter error and won't run.

This virus also changed my internet settings and I had various winsock errors coming up. After running the repair from the Windows 7 64-bit disk these particular errors have stopped and I'm able to use the internet again. However the virus alerts from Avira still persist.

Any ideas, any help would be massively appreciated.

These are the two files which Avira is showing positives -

c:\windows\installer\{63650fa6-6936-2d1e-b7a1-44b8e35769fc}\u\80000032.@ (atraps.gen2)

windows/system32/servies.exe (patched.UC)


#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there thank you for the details .. I know where to go from here

  • Download RogueKiller and save it on your desktop.

    NOTE: If using IE8 or better Smartscreen Filter will need to be disabled
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan

  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.

  • Next click on the ShortcutsFix
  • The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.

THEN

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in

    netsvcs
    BASESERVICES
    %SYSTEMDRIVE%\*.exe
    /md5start
    services.*
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    qmgr.dll
    /md5stop
    %systemdrive%\$Recycle.Bin|@;true;true;true
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
    CREATERESTOREPOINT

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

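The /md5start ... /md5stop part of the custom scan above makes OTL report hashes of the core system binaries so they can be compared with known-good copies; in this thread the patched services.exe was later restored from its WinSxS copy. The following is an added example, not OTL's or RogueKiller's code, of that comparison in Python: it hashes each watched binary in a live directory and checks it against the copy of the same name in a reference directory. The directory names and file contents in demo() are constructed stand-ins; on a real Windows 7 host the live directory would be C:\Windows\system32 and the reference the matching winsxs component folder.

```python
import hashlib
import os
import tempfile

# Files whose hashes the custom scan above requests (the /md5start .. /md5stop list).
WATCHED = ["services.exe", "explorer.exe", "winlogon.exe",
           "Userinit.exe", "svchost.exe", "qmgr.dll"]


def file_md5(path):
    """MD5 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_with_store(live_dir, store_dir, names=WATCHED):
    """Compare each watched binary in live_dir with the same-named copy in store_dir.

    Returns {name: (status, live_md5, store_md5)} where status is
    "match", "MISMATCH" or "missing" (one of the two copies is absent).
    """
    results = {}
    for name in names:
        live = os.path.join(live_dir, name)
        store = os.path.join(store_dir, name)
        if not (os.path.isfile(live) and os.path.isfile(store)):
            results[name] = ("missing", None, None)
            continue
        live_md5, store_md5 = file_md5(live), file_md5(store)
        status = "match" if live_md5 == store_md5 else "MISMATCH"
        results[name] = (status, live_md5, store_md5)
    return results


def demo():
    """Constructed stand-in: a patched services.exe beside a clean component-store copy."""
    with tempfile.TemporaryDirectory() as root:
        live_dir = os.path.join(root, "system32")          # stands in for C:\Windows\system32
        store_dir = os.path.join(root, "winsxs_component")  # stands in for the winsxs folder
        os.makedirs(live_dir)
        os.makedirs(store_dir)
        clean = b"MZ" + b"\x00" * 62 + b"clean service controller image"
        # Constructed: the same image with its last bytes overwritten, as a patched binary would be.
        patched = clean[:-5] + b"XXXXX"
        for name in ("services.exe", "winlogon.exe"):
            with open(os.path.join(store_dir, name), "wb") as f:
                f.write(clean)
        with open(os.path.join(live_dir, "services.exe"), "wb") as f:
            f.write(patched)
        with open(os.path.join(live_dir, "winlogon.exe"), "wb") as f:
            f.write(clean)
        return compare_with_store(live_dir, store_dir,
                                  ["services.exe", "winlogon.exe", "qmgr.dll"])


if __name__ == "__main__":
    for name, (status, live_md5, store_md5) in demo().items():
        print(f"{name:14} {status:9} live={live_md5} store={store_md5}")
```

A hash mismatch only says the live file differs from the reference; it is the reference copy that has to be trusted, and on a real host the Authenticode signature of the live binary is the stronger check.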

#3
turbo99

    Member

  • Topic Starter
  • Member
  • 13 posts
Thanks for the fast reply :)

Here are all the logs -

RK Report 1

RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Karl [Admin rights]
Mode : Scan -- Date : 09/15/2012 11:02:55

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (8.8.8.8:80) -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableCMD (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableCMD (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableCMD (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\Windows\Installer\{63650fa6-6936-2d1e-b7a1-44b8e35769fc}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Windows\Installer\{63650fa6-6936-2d1e-b7a1-44b8e35769fc}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Windows\Installer\{63650fa6-6936-2d1e-b7a1-44b8e35769fc}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND
[Sig - ZeroAccess][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 axandra.com
127.0.0.1 www.axandra.com
127.0.0.1 keywordindex.com
127.0.0.1 www.keywordindex.com
127.0.0.1 gs.apple.com


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500418AS ATA Device +++++
--- User ---
[MBR] f1ce849529a18b0d0ab301dca35803d5
[BSP] 07d6766566af304619d0600e90a231fa : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

RK Report 2

RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Karl [Admin rights]
Mode : Remove -- Date : 09/15/2012 11:04:27

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 9 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (8.8.8.8:80) -> NOT REMOVED, USE PROXYFIX
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableCMD (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> DELETED
[HJPOL] HKLM\[...]\System : DisableCMD (0) -> DELETED
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\Windows\Installer\{63650fa6-6936-2d1e-b7a1-44b8e35769fc}\@ --> REMOVED AT REBOOT
[Del.Parent][FILE] 00000004.@ : C:\Windows\Installer\{63650fa6-6936-2d1e-b7a1-44b8e35769fc}\U\00000004.@ --> REMOVED
[Del.Parent][FILE] 00000008.@ : C:\Windows\Installer\{63650fa6-6936-2d1e-b7a1-44b8e35769fc}\U\00000008.@ --> REMOVED
[Del.Parent][FILE] 000000cb.@ : C:\Windows\Installer\{63650fa6-6936-2d1e-b7a1-44b8e35769fc}\U\000000cb.@ --> REMOVED
[Del.Parent][FILE] 80000000.@ : C:\Windows\Installer\{63650fa6-6936-2d1e-b7a1-44b8e35769fc}\U\80000000.@ --> REMOVED
[Del.Parent][FILE] 80000032.@ : C:\Windows\Installer\{63650fa6-6936-2d1e-b7a1-44b8e35769fc}\U\80000032.@ --> REMOVED
[Del.Parent][FILE] 80000064.@ : C:\Windows\Installer\{63650fa6-6936-2d1e-b7a1-44b8e35769fc}\U\80000064.@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Windows\Installer\{63650fa6-6936-2d1e-b7a1-44b8e35769fc}\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\Windows\Installer\{63650fa6-6936-2d1e-b7a1-44b8e35769fc}\L\00000004.@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\Windows\Installer\{63650fa6-6936-2d1e-b7a1-44b8e35769fc}\L --> REMOVED
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> REMOVED AT REBOOT
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> REMOVED AT REBOOT
[Sig - ZeroAccess][FILE] services.exe : C:\Windows\system32\services.exe --> REPLACED AT REBOOT (C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe)

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 axandra.com
127.0.0.1 www.axandra.com
127.0.0.1 keywordindex.com
127.0.0.1 www.keywordindex.com
127.0.0.1 gs.apple.com


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3500418AS ATA Device +++++
--- User ---
[MBR] f1ce849529a18b0d0ab301dca35803d5
[BSP] 07d6766566af304619d0600e90a231fa : Windows 7 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 476838 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

RK Report 3

RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Karl [Admin rights]
Mode : Shortcuts HJfix -- Date : 09/15/2012 11:16:46

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] RogueKiller.exe -- C:\Users\Karl\Desktop\RogueKiller.exe -> KILLED [TermProc]

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ File attributes restored: ¤¤¤
Desktop: Success 1 / Fail 0
Quick launch: Success 1 / Fail 0
Programs: Success 21 / Fail 0
Start menu: Success 1 / Fail 0
User folder: Success 175 / Fail 0
My documents: Success 4 / Fail 4
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 158 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 34 / Fail 0
Backup: [NOT FOUND]

Drives:
[C:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[D:] \Device\CdRom0 -- 0x5 --> Skipped

¤¤¤ Infection : ¤¤¤

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt


OTL

http://pastebin.com/5yAdJpu2

Extras

http://pastebin.com/agvykSR6
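Triage of a RogueKiller report like the three above is mostly a matter of reading the "¤¤¤ ... ¤¤¤" sections and the "[TAG] ... -> STATUS" lines. The Python below is an added example, not part of the thread or of RogueKiller, that parses that layout into a short summary: the IE proxy override, the policy keys that lock Task Manager, Registry Editor and cmd, the ZeroAccess file and folder hits, hosts entries that point real names at loopback, and the MBR code identification. SAMPLE is a constructed, abridged excerpt in the layout of RKreport[1].txt (the localhost line is added to show the filter), and the regular expressions are my reading of the format as it appears on this page.

```python
import re

SECTION_RE = re.compile(r"^¤¤¤ (.+?) ¤¤¤$")
# [TAG] or [TAG][KIND], then a description, then -> or --> and a status word.
ENTRY_RE = re.compile(r"^\[([^\]]+)\](?:\[([^\]]+)\])?\s*(.*?)\s*-{1,2}>\s*(.*)$")
HOST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")
BSP_RE = re.compile(r"^\[BSP\] ([0-9a-f]{32}) : (.+)$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed, abridged excerpt in the layout of RKreport[1].txt above.
SAMPLE = r"""
¤¤¤ Registry Entries : 3 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (8.8.8.8:80) -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] @ : C:\Windows\Installer\{63650fa6-6936-2d1e-b7a1-44b8e35769fc}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Windows\Installer\{63650fa6-6936-2d1e-b7a1-44b8e35769fc}\U --> FOUND
[Sig - ZeroAccess][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND

¤¤¤ Infection : ZeroAccess ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 gs.apple.com

¤¤¤ MBR Check: ¤¤¤
[MBR] f1ce849529a18b0d0ab301dca35803d5
[BSP] 07d6766566af304619d0600e90a231fa : Windows 7 MBR Code
"""


def parse_report(text):
    """Split a RogueKiller report into sections, hosts entries, infection name and MBR code."""
    report = {"sections": {}, "hosts": [], "infection": None, "mbr_code": None}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            report["sections"][current] = []
            if current.startswith("Infection"):
                report["infection"] = current.split(":", 1)[1].strip() or None
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            tag, kind, desc, status = m.groups()
            report["sections"][current].append(
                {"tag": tag, "kind": kind, "desc": desc, "status": status})
            continue
        m = HOST_RE.match(line)
        if m and current is not None and current.startswith("HOSTS"):
            report["hosts"].append((m.group(1), m.group(2)))
            continue
        m = BSP_RE.match(line)
        if m:
            report["mbr_code"] = m.group(2)
    return report


def summarize(report):
    """Reduce a parsed report to the handful of facts a helper reads first."""
    findings = [e for entries in report["sections"].values() for e in entries]
    proxy = [e["desc"] for e in findings if e["tag"] == "PROXY IE"]
    return {
        "infection": report["infection"],
        "proxy_override": proxy[0] if proxy else None,
        # HJPOL keys disable Task Manager, Registry Editor and cmd for the user.
        "locked_tools": sum(1 for e in findings if e["tag"] == "HJPOL"),
        "zeroaccess_items": [e["desc"] for e in findings if "ZeroAccess" in e["tag"]],
        # Real names sent to loopback stop the machine reaching those sites.
        "hosts_redirects": [h for ip, h in report["hosts"]
                            if ip in LOOPBACK and h not in ("localhost", "localhost.localdomain")],
        "mbr_code": report["mbr_code"],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE)).items():
        print(f"{key}: {value}")
```

Run against the full RKreport[1].txt above the summary would list all twelve registry hits, the six ZeroAccess items and the five hosts redirects; the "Mode : Remove" report can be fed through the same parser to confirm each item's status moved from FOUND to DELETED, REMOVED or REPLACED.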

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Whilst I look at the log, could you confirm that you rebooted after the RogueKiller runs?

#5
turbo99

    Member

  • Topic Starter
  • Member
  • 13 posts
Yes, after the first scan it prompted for a reboot which I accepted. When the PC restarted I loaded RK again and clicked fix shortcuts.

#6
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
On completion of this let me know what problems remain

OK, download the attached zip file to your desktop
[attachment=60524:turbo99.zip]
Extract all files to your desktop
Double click each in turn and allow to merge with the registry
Reboot

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE:64bit: - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://www.searchqu.com/web?src=ieb&appid=113&systemid=406&sr=0&q={searchTerms}
    IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://www.searchqu.com/web?src=ieb&appid=113&systemid=406&sr=0&q={searchTerms}
    IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2611275
    IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
    IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
    IE - HKU\S-1-5-21-2940742586-2969632360-1708331661-1000\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://www.searchqu.com/web?src=ieb&appid=113&systemid=406&sr=0&q={searchTerms}
    IE - HKU\S-1-5-21-2940742586-2969632360-1708331661-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2611275
    FF - prefs.js..browser.search.defaultenginename: "Web Search"
    FF - prefs.js..keyword.URL: "http://www.searchqu.com/web?src=ffb&appid=113&systemid=406&sr=0&q="
    O2 - BHO: (no name) - {99079a25-328f-4bd4-be04-00955acaa0a7} - No CLSID value found.
    O3:64bit: - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {99079a25-328f-4bd4-be04-00955acaa0a7} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    [2012/09/15 09:26:08 | 000,000,000 | ---D | C] -- C:\Users\Karl\AppData\Local\{93D016DB-113E-424E-ACB0-99838096A7E1}
    [2012/09/14 22:27:33 | 000,000,000 | ---D | C] -- C:\Users\Karl\AppData\Local\lptmp458887651
    [2012/09/08 19:54:10 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Catalyst Control Center
    
    :Reg
    [HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32] 
    ""="%systemroot%\system32\wbem\wbemess.dll" 
    [-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}] 
    
    :Files
    ipconfig /flushdns /c
    netsh int ip reset c:\resetlog.txt  /c
    ipconfig /release /c
    ipconfig /renew /c
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

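Before running a fix script like the one above, a reviewer wants a quick list of what it will touch. The Python below is an added example, not OTL's code, that splits a fix into its :OTL, :Reg, :Files and :Commands sections and pulls out the hostnames of the hijacked search URLs, the directories marked for removal, the registry keys written or deleted (standard .reg syntax, where a leading "-" on the key deletes it), the commands and the directives. FIX is a constructed, abridged version of the fix above; treating a :Files line that ends in /c as a command to run is an assumption about OTL's convention taken from that fix.

```python
import re
from urllib.parse import urlparse

# Constructed, abridged version of the fix script above (same line formats, fewer lines).
FIX = r"""
:OTL
IE - HKLM\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}: "URL" = http://www.searchqu.com/web?src=ieb&appid=113&systemid=406&sr=0&q={searchTerms}
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2611275
FF - prefs.js..keyword.URL: "http://www.searchqu.com/web?src=ffb&appid=113&systemid=406&sr=0&q="
O2 - BHO: (no name) - {99079a25-328f-4bd4-be04-00955acaa0a7} - No CLSID value found.
[2012/09/14 22:27:33 | 000,000,000 | ---D | C] -- C:\Users\Karl\AppData\Local\lptmp458887651

:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
""="%systemroot%\system32\wbem\wbemess.dll"
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}]

:Files
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c

:Commands
[purity]
[resethosts]
[emptytemp]
[Reboot]
"""

URL_RE = re.compile(r"https?://\S+")
# An OTL directory line: [date | size | ---D | C] -- path
DIR_RE = re.compile(r"^\[[^\]]*\|\s*---D\s*\|\s*C\]\s*--\s*(.+)$")
# .reg key line; the optional leading "-" means delete the key.
REG_KEY_RE = re.compile(r"^\[(-?)(HK[^\]]+)\]$")


def split_sections(text):
    """Group non-blank lines under the :Name header that precedes them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def review_fix(text):
    """Extract what a reviewer should eyeball before the fix is applied."""
    s = split_sections(text)
    otl_lines = s.get("OTL", [])
    hosts = sorted({urlparse(u.rstrip('"')).hostname
                    for ln in otl_lines for u in URL_RE.findall(ln)})
    dirs = []
    for ln in otl_lines:
        m = DIR_RE.match(ln)
        if m:
            dirs.append(m.group(1))
    reg_delete, reg_write = [], []
    for ln in s.get("Reg", []):
        m = REG_KEY_RE.match(ln)
        if m:
            (reg_delete if m.group(1) == "-" else reg_write).append(m.group(2))
    # Assumption (OTL convention as used in the fix above): a :Files line ending in /c runs as a command.
    commands = [ln[:-2].strip() for ln in s.get("Files", []) if ln.endswith("/c")]
    directives = [ln.strip("[]") for ln in s.get("Commands", [])]
    return {"hijack_hosts": hosts, "dirs_to_remove": dirs, "reg_delete": reg_delete,
            "reg_write": reg_write, "commands": commands, "directives": directives}


if __name__ == "__main__":
    for key, value in review_fix(FIX).items():
        print(f"{key}: {value}")
```

The hostnames and the registry keys can then be checked against the RogueKiller and OTL findings earlier in the thread, so that nothing in the fix is a surprise and nothing found is left out.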

#7
turbo99

    Member

  • Topic Starter
  • Member
  • 13 posts
OK, done that; however I realised after I had hit quick scan (after applying the fix and rebooting) that I did not have "scan all users" ticked, only "include 64 bit" was ticked.

Anyway here is the report - This time there was no extras file? -
http://pastebin.com/PPxRwYJk

Let me know if you need me to do that again with all users.

Huge thanks for all your help so far, will be sending a pint of the finest ale via paypal!

Edited by turbo99, 15 September 2012 - 05:19 AM.


#8
turbo99

    Member

  • Topic Starter
  • Member
  • 13 posts
Enjoy the beers! Just running the last Avira scan now, so far passed the webroot secureanywhere check!

#9
turbo99

    Member

  • Topic Starter
  • Member
  • 13 posts
Quick update, I have an Avira scan running for an hour since last post - now on 85% - so far two detections with last detection being atraps.gen2 :(

I will let the scan complete and post details.

#10
turbo99

    Member

  • Topic Starter
  • Member
  • 13 posts
Ok complete - this is the report

Beginning disinfection:
C:\Windows\assembly\GAC_64\Desktop.ini
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '559623b1.qua'.
C:\Windows\assembly\GAC_32\Desktop.ini
[DETECTION] Is the TR/ATRAPS.Gen2 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4d010c1c.qua'.


For some reason I had two desktop files - desktop.ini both infected with atraps.gen2

No idea where these came from; they weren't there after the last reboot. They seem to have gone now and been quarantined.

Should I run another scan to make sure all traces are gone?

#11
turbo99

    Member

  • Topic Starter
  • Member
  • 13 posts
Finally!

The scan has been done completely.

36839 Scanned directories
1036590 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
1036590 Files not concerned
38092 Archives were scanned
28 Warnings
0 Notes

Many thanks for your help essexboy!

#12
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Cheers for the drink. :cheers: .. Those desktop.ini files always seem to hang on for as long as possible.

How is the computer now, any problems before I tidy up?

#13
turbo99

    Member

  • Topic Starter
  • Member
  • 13 posts
You're welcome, the computer seems much faster than before I had the virus, so all good this end!

No errors or problems seen so far.

Let me know if anything else needs to be done :)

#14
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Just this

Subject to no further problems :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Go to control panel
  • Select folder options (Appearance > Folder options in category view)
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

Now we can purge the infected ones
  • Go to Start > All programs > Accessories > system tools
  • Right click Disc cleanup and select run as administrator
  • Select Your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and antivirus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet, read our little guide "How did I get infected in the first place?"

Keep safe :wave:

#15
turbo99

    Member

  • Topic Starter
  • Member
  • 13 posts
Ok thanks doing that now. Just one thing Avira just popped up host file blocked (for my protection) when running this fix.

Do I need to quit Avira?