Need help removing Backdoor.ProRat virus



Mitch@this_is_not_a_real_address.com
07-09-2005, 11:49 PM
I'm running XP, and a file reginv.dll is infected with the ProRat
virus.

I followed these instructions,
(http://securityresponse.symantec.com/avcenter/venc/data/backdoor.prorat.html)

but none of the registry keys mentioned exist on my system.

My Norton Antivirus has been rendered inactive, my Firewall is turned
off, and won't let me turn it back on.

I've read about this nasty thing...any help removing it is
appreciated.

David H. Lipman
07-09-2005, 11:49 PM
From: <Mitch@this_is_not_a_real_address.com>

| I'm running XP, and a file reginv.dll is infected with the ProRat
| virus.
|
| I followed these instructions,
| (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.prorat.html)
|
| but none of the registry keys mentioned exist on my system.
|
| My Norton Antivirus has been rendered inactive, my Firewall is turned
| off, and won't let me turn it back on.
|
| I've read about this nasty thing...any help removing it is
| appreciated.
|

I think McAfee calls this the Backdoor-AVW.
Please try the following McAfee Command Line Scanner to remove it.


Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear


Download CLEAN.EXE from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter
{ http://kixtart.org Kixtart is CareWare }, three batch files, two Kixtart scripts, two Link
(.lnk) files and a PDF instruction file.

GETFILES.BAT -- For downloading (FTP) the files needed to run the McAfee Command Line
Scanner. You may have to disable your FireWall or allow FTP.EXE to go through your FireWall
to allow the FTP utility to download the needed files

CLEAN.BAT -- For running within Windows after running c:\mcafee\GetFiles.BAT. If you choose
to scan again at a future date, run this batch file. It will automatically check the date
of the McAfee DAT files and if it is a couple of days old, it will download (FTP) the latest
signature files and install them before performing the scan.

DOSCLEAN.BAT -- For use on a Win9x/ME PC or on a Win2K/WinXP PC that is using FAT32 after
you have booted from an Emergency Boot Disk or DOS disk and have already executed;
c:\mcafee\GetFiles.BAT from within Windows. DOS disk boot images can be obtained from;
http://www.bootdisk.com/bootdisk.htm

I need you to perform the following...

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

Execute; c:\mcafee\GetFiles.BAT
{ or Double-click on 'GetFiles Link' in c:\mcafee }

Reboot the PC into Safe Mode [F8 key during boot]

Shutdown as many applications as possible !
It would also help for you to read - "How to perform a clean boot in Windows XP"
http://support.microsoft.com/kb/310353

Execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
It would be a good idea to scan in Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


* * * Please report back your results * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Mitch@this_is_not_a_real_address.com
07-09-2005, 11:49 PM
Thanks for your help!

Ok, I printed your instructions and followed them step-by-step.
Everything extracted and downloaded successfully.

But when I ran Clean.bat in Safe Mode, the report generated is simply:

"Virus Scan Report File
Virus Scan Information

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004
"

That's all.

Mitch@this_is_not_a_real_address.com
07-09-2005, 11:49 PM
I scanned again in normal mode.
It does a very quick scan (< 3 seconds), and reports:

"Virus Scan Report File
Virus Scan Information

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4505 created Jun 02 2005
Scanning for 129329 viruses, trojans and variants.

Virus Scan Results



06/02/2005 17:37:51


Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /MIME /HTML "C:\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*
"

David H. Lipman
07-09-2005, 11:49 PM
From: <Mitch@this_is_not_a_real_address.com>

| Thanks for your help!
|
| Ok, I printed your instructions and followed them step-by-step.
| Everything extracted and downloaded successfully.
|
| But when I ran Clean.bat in Safe Mode, the report generated is simply:
|
| "Virus Scan Report File
| Virus Scan Information
|
| McAfee VirusScan for Win32 v4.40.0
| Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
| reserved.
| (408) 988-3832 LICENSED COPY - Sep 23 2004
| "
|
| That's all.

The program just stopped running? Hmmm, I wonder if it knew the name of the executable and
shut it down?

I re-programmed the script to thwart shutting down the scanner and updated the web site with
a new version of the CLEAN.EXE self extracting ZIP file.

Go back and download CLEAN.EXE again from the URL --
http://www.ik-cs.com/programs/virtools/clean.exe

Execute; CLEAN.EXE
Choose; Unzip
Choose; Close

The file...
C:\mcafee\clean.kix should now have the date of 6/2/2005 @ 6:50 PM
{ If it doesn't, clear the Browser cache and then download and execute CLEAN.EXE again }

Then... execute; c:\mcafee\CLEAN.BAT
{ or Double-click on 'Clean Link' in c:\mcafee }

If it runs OK, then reboot and run it in Safe Mode.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Mitch@this_is_not_a_real_address.com
07-09-2005, 11:49 PM
I get the same effect. The DOS box flashes for a fraction of a
second, and the report is empty.

Here's something else. When I run Ad-Aware, it finds Backdoor.ProRat,
several instances, and it gives the affected registry keys.

These keys match those that Symantec says to check in
(http://securityresponse.symantec.com/avcenter/venc/data/backdoor.prorat.html).

So Ad-Aware sees these registry keys. But if I go into Regedit,
whether Safe or Normal mode, Administrator or not, none of those keys
are there!

David H. Lipman
07-09-2005, 11:49 PM
From: <Mitch@this_is_not_a_real_address.com>

| I get the same effect. The DOS box flashes for a fraction of a
| second, and the report is empty.
|
| Here's something else. When I run Ad-Aware, it finds Backdoor.ProRat,
| several instances, and it gives the affected registry keys.
|
| These keys match those that Symantec says to check in
| (http://securityresponse.symantec.com/avcenter/venc/data/backdoor.prorat.html).
|
| So Ad-Aware sees these registry keys. But if I go into Regedit,
| whether Safe or Normal mode, Administrator or not, none of those keys
| are there!
|

Is the PC running on NTFS or FAT32 hard disk ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Mitch@this_is_not_a_real_address.com
07-09-2005, 11:49 PM
>Is the PC running on NTFS or FAT32 hard disk ?

NTFS.

David H. Lipman
07-09-2005, 11:49 PM
From: <Mitch@this_is_not_a_real_address.com>

| > Is the PC running on NTFS or FAT32 hard disk ?
|
| NTFS.

Well that precludes loading a MS DOS disk.....

You can try some online scanners...

Trend Micro - Free online virus Scan
http://housecall.trendmicro.com/
http://housecall.antivirus.com

Kaspersky
http://www.kaspersky.com/service?chapter=161739400#betatest

Panda ActiveScan - Free online scanner
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Computer Associates:
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

DialogueScience:
http://www.antivir.ru/english/www_av/

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

BitDefender
http://www.bitdefender.com/scan/license.php

Freedom Online scanner
http://www.freedom.net/viruscenter/index.html


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Mitch@this_is_not_a_real_address.com
07-09-2005, 11:49 PM
I ran Sysclean in Safe Mode.

After I rebooted and tried to do a manual virus scan, the
backdoor.prorat remains.

Here's the Sysclean log:

Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows XP(Build 2600: Service Pack 2)

Start time : Thu Jun 02 2005 22:46:18

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Mitch
Brink\Desktop\Sysclean\tsc.ptn" (version 608) [success]
BKDR_PRORAT.A[virus found]
-->delete registry key("HKEY_LOCAL_MACHINE","SOFTWARE\Microsoft\Active
Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}","")
success
-->modify registry
value("HKEY_LOCAL_MACHINE","SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon","Shell") success
-->modify registry
value("HKEY_LOCAL_MACHINE","SOFTWARE\Microsoft\Windows
NT\CurrentVersion\SystemRestore","DisableSR") success
-->modify ini data("C:\WINDOWS\SYSTEM.INI","boot","shell") success
TROJ_DLOADER.CI[virus found]
-->delete registry
value("n/a","Software\Microsoft\Windows\CurrentVersion\Run","WebSpecials")
success

Complete time : Thu Jun 02 2005 22:46:30
Execute pattern count(3671), Virus found count(2), Virus clean
count(2), Clean failed count(0)
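
Mitch's Sysclean log, as an added example that is not part of the thread and not Trend Micro's code: a Python pass over the Damage Cleanup Engine output (re-joined where the newsgroup client wrapped it) that turns each `-->` action into a record, checks that what was parsed agrees with the engine's own summary line, lists the autostart points the cleaner touched so they can be re-audited after the reboot Mitch describes, and flags the Active Setup key's braced token, which is not a valid GUID (it contains Y, T and W where only hex digits can appear). The line grammar is inferred from this one log; the regular expressions are my assumptions, not a format specification.

```python
import re

# Constructed sample input: the Sysclean / Damage Cleanup Engine log posted
# in the thread, with the newsgroup line-wrapping undone.
SAMPLE_LOG = r"""Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows XP(Build 2600: Service Pack 2)

Start time : Thu Jun 02 2005 22:46:18

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Mitch Brink\Desktop\Sysclean\tsc.ptn" (version 608) [success]
BKDR_PRORAT.A[virus found]
-->delete registry key("HKEY_LOCAL_MACHINE","SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}","") success
-->modify registry value("HKEY_LOCAL_MACHINE","SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon","Shell") success
-->modify registry value("HKEY_LOCAL_MACHINE","SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore","DisableSR") success
-->modify ini data("C:\WINDOWS\SYSTEM.INI","boot","shell") success
TROJ_DLOADER.CI[virus found]
-->delete registry value("n/a","Software\Microsoft\Windows\CurrentVersion\Run","WebSpecials") success

Complete time : Thu Jun 02 2005 22:46:30
Execute pattern count(3671), Virus found count(2), Virus clean count(2), Clean failed count(0)
"""

# Line grammar assumed from the log above (not a published format spec).
DETECT_RE = re.compile(r"^(?P<name>[A-Z0-9_.-]+)\[virus found\]$")
ACTION_RE = re.compile(r"^-->(?P<action>[a-z ]+?)\((?P<args>.*)\)\s+(?P<result>\w+)$")
SUMMARY_RE = re.compile(r"([A-Za-z ]+?) count\((\d+)\)")
# A real CLSID/GUID is 8-4-4-4-12 hex digits; anything else inside braces is a tell.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
BRACED_RE = re.compile(r"\{[^{}]*\}")


def _split_args(raw):
    """Split '"a","b",""' into ['a', 'b', ''] (the log never escapes a quote)."""
    return raw[1:-1].split('","')


def parse_dce_log(text):
    """Return detections as {'name', 'actions': [{'action', 'args', 'result'}]}."""
    detections = []
    for line in text.splitlines():
        line = line.strip()
        m = DETECT_RE.match(line)
        if m:
            detections.append({"name": m.group("name"), "actions": []})
            continue
        m = ACTION_RE.match(line)
        if m and detections:
            detections[-1]["actions"].append({
                "action": m.group("action"),
                "args": _split_args(m.group("args")),
                "result": m.group("result"),
            })
    return detections


def summary_counts(text):
    """Parse the trailing 'X count(n), ...' line into a dict of label -> int."""
    counts = {}
    for line in text.splitlines():
        if "count(" in line:
            for label, n in SUMMARY_RE.findall(line):
                counts[label.strip()] = int(n)
    return counts


def counts_consistent(detections, counts):
    """Cross-check the parsed entries against the engine's own summary line."""
    cleaned = sum(1 for d in detections
                  if d["actions"] and all(a["result"] == "success" for a in d["actions"]))
    return (len(detections) == counts.get("Virus found")
            and cleaned == counts.get("Virus clean")
            and len(detections) - cleaned == counts.get("Clean failed"))


def bogus_guids(detections):
    """Braced tokens in registry paths that are not well-formed GUIDs."""
    bad = []
    for d in detections:
        for a in d["actions"]:
            for token in BRACED_RE.findall(" ".join(a["args"])):
                if not GUID_RE.match(token):
                    bad.append((d["name"], token))
    return bad


def autostart_points(detections):
    """Persistence locations the cleaner touched, to re-audit after reboot."""
    points = set()
    for d in detections:
        for a in d["actions"]:
            args = a["args"]
            if "registry" in a["action"]:
                hive, key = args[0], args[1]
                value = args[2] if len(args) > 2 and args[2] else None
                points.add(f"{hive}\\{key}" + (f" -> {value}" if value else ""))
            elif "ini" in a["action"]:
                points.add(f"{args[0]} [{args[1]}] {args[2]}")
    return sorted(points)


if __name__ == "__main__":
    dets = parse_dce_log(SAMPLE_LOG)
    print("summary matches parsed entries:", counts_consistent(dets, summary_counts(SAMPLE_LOG)))
    print("malformed GUIDs:", bogus_guids(dets))
    for p in autostart_points(dets):
        print("re-check after reboot:", p)
```

Every action in the log reports success, yet Mitch says the backdoor is still detected after reboot, so the value of the list is the four autostart points it prints (Winlogon Shell, the Active Setup component, the system.ini boot shell and the Run value): those are what to re-read after the next boot to see which one is being re-created.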

David H. Lipman
07-09-2005, 11:49 PM
From: <Mitch@this_is_not_a_real_address.com>

| I ran Sysclean in Safe Mode.
|
| After I rebooted and tried to do a manual virus scan, the
| backdoor.prorat remains.
|
| Here's the Sysclean log:
|
| Damage Cleanup Engine (DCE) 3.9(Build 1020)
| Windows XP(Build 2600: Service Pack 2)
|
| Start time : Thu Jun 02 2005 22:46:18
|
| Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Mitch
| Brink\Desktop\Sysclean\tsc.ptn" (version 608) [success]
| BKDR_PRORAT.A[virus found]
| -->delete registry key("HKEY_LOCAL_MACHINE","SOFTWARE\Microsoft\Active
| Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}","")
| success
| -->modify registry
| value("HKEY_LOCAL_MACHINE","SOFTWARE\Microsoft\Windows
| NT\CurrentVersion\Winlogon","Shell") success
| -->modify registry
| value("HKEY_LOCAL_MACHINE","SOFTWARE\Microsoft\Windows
| NT\CurrentVersion\SystemRestore","DisableSR") success
| -->modify ini data("C:\WINDOWS\SYSTEM.INI","boot","shell") success
| TROJ_DLOADER.CI[virus found]
| -->delete registry
| value("n/a","Software\Microsoft\Windows\CurrentVersion\Run","WebSpecials")
| success
|
| Complete time : Thu Jun 02 2005 22:46:30
| Execute pattern count(3671), Virus found count(2), Virus clean
| count(2), Clean failed count(0)
|

Hi Mitch:

Here is Trend Micro's library writeup...

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR%5FPRORAT%2EA&VSect=P

Download SysInternals Process Explorer
http://www.sysinternals.com/Files/ProcessExplorerNt.zip

In the "Solutions" section of the library "BKDR_PRORAT.A", "Terminating the Malware Program",
use Process Explorer and "kill" malware processes and follow the rest of the directions then
scan the computer using Trend Sysclean.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Mitch@this_is_not_a_real_address.com
07-09-2005, 11:49 PM
Just a follow-up in case anyone else is struggling with this virus.
I ran a program called HiJackThis, and posted the log at Geeks to Go.

The instructions they gave me worked!

They told me to check the following items in HiJackThis and remove them:

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {C5EC4D7A-D7B3-8832-CB0E-AFC86CF829B2} -
C:\WINDOWS\system32\ywcfm.dll (file missing)

O2 - BHO: (no name) - {F5C17D09-FA87-C907-E639-EEE52EBD04F1} -
C:\WINDOWS\system32\ywcfm.dll (file missing)

O4 - HKLM\..\Run: [lmu] C:\WINDOWS\LMU.exe

O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\<my name>\Local
Settings\Temporary Internet
Files\Content.IE5\IPOZELQ5\delf061225[1].exe
O4 - HKLM\..\Run: [ISNISWireless] E:

O4 - HKCU\..\Run: [Lieo] C:\WINDOWS\system32\d?dplay.exe
O4 - HKCU\..\Run: [Mdns] C:\Program Files\shuh\cbtc.exe

O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683}
- file://C:\Program
Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing)
(HKCU)

Reboot into safe mode and delete:
C:\Program Files\shuh <= entire folder
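
The entries above are what the Geeks to Go volunteers told Mitch to remove. As an added example that is not part of the thread and not HijackThis's own code, here is a Python triage pass over those same lines (re-joined where the newsgroup client wrapped them; `<my name>` is the poster's own redaction) that flags the tells a practitioner looks for first: a `?` in a file name (Windows does not allow that character, so the tool is standing in for one it could not print), an autorun pointing into the browser cache, a Run value that is just a drive root, two BHO CLSIDs registered to the same DLL, entries whose file is already gone, and any CLSID that is not well-formed hex. The flag labels and the parsing of the `O2`/`O4`/`O9`/`R3` line shapes are my assumptions from the lines shown, not HijackThis's documented grammar.

```python
import re

# Constructed sample: the HijackThis lines quoted in the post, re-joined.
SAMPLE_HJT = r"""R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C5EC4D7A-D7B3-8832-CB0E-AFC86CF829B2} - C:\WINDOWS\system32\ywcfm.dll (file missing)
O2 - BHO: (no name) - {F5C17D09-FA87-C907-E639-EEE52EBD04F1} - C:\WINDOWS\system32\ywcfm.dll (file missing)
O4 - HKLM\..\Run: [lmu] C:\WINDOWS\LMU.exe
O4 - HKLM\..\Run: [firlnin] C:\Documents and Settings\<my name>\Local Settings\Temporary Internet Files\Content.IE5\IPOZELQ5\delf061225[1].exe
O4 - HKLM\..\Run: [ISNISWireless] E:
O4 - HKCU\..\Run: [Lieo] C:\WINDOWS\system32\d?dplay.exe
O4 - HKCU\..\Run: [Mdns] C:\Program Files\shuh\cbtc.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
"""

# Line shapes assumed from the sample above.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<path>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
BRACED_RE = re.compile(r"\{[^{}]*\}")
ANNOT_RE = re.compile(r"\s*\((?:file missing|HKCU)\)")   # trailing annotations seen in the log
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")
# Characters Windows refuses in a file name; one of these in a logged file
# name means the tool substituted for a character it could not print.
BAD_NAME_CHARS = set('<>:"/\\|?*')


def _basename(path):
    return re.split(r"[\\/]", path)[-1]


def parse_hjt(text):
    """Split each log line into section, name, CLSID and cleaned target path."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        e = {"section": sec, "raw": body, "name": "", "path": "", "clsid": None, "flags": []}
        if sec == "O4":
            m4 = O4_RE.match(body)
            if m4:
                e["name"], e["path"] = m4.group("name"), m4.group("path")
        else:
            c = BRACED_RE.search(body)
            if c:
                e["clsid"] = c.group(0)
                e["path"] = body[c.end():].lstrip(" -")
        e["path"] = ANNOT_RE.sub("", e["path"]).strip()
        entries.append(e)
    return entries


def triage(text):
    """Attach heuristic flags to every entry; returns the full entry list."""
    entries = parse_hjt(text)
    targets = {}
    for e in entries:
        if e["path"]:
            targets.setdefault(e["path"].lower(), []).append(e)
    for e in entries:
        f, body, path = e["flags"], e["raw"], e["path"]
        if "(file missing)" in body:
            f.append("file missing")
        if body.endswith("is missing"):
            f.append("default handler missing")
        if e["clsid"] and not CLSID_RE.fullmatch(e["clsid"]):
            f.append("malformed CLSID")
        if path:
            if DRIVE_ROOT_RE.match(path):
                f.append("bare drive root")
            else:
                if BAD_NAME_CHARS & set(_basename(path)):
                    f.append("illegal character in file name")
                if "temporary internet files" in path.lower() or "content.ie5" in path.lower():
                    f.append("launched from browser cache")
            if len(targets[path.lower()]) > 1:
                f.append("same target as another entry")
    return entries


def flagged(text):
    """Only the entries that tripped a heuristic, keyed by name, CLSID or raw text."""
    return {(e["name"] or e["clsid"] or e["raw"]): e["flags"]
            for e in triage(text) if e["flags"]}


if __name__ == "__main__":
    for label, flags in flagged(SAMPLE_HJT).items():
        print(f"{label}: {', '.join(flags)}")
```

Two of the entries the volunteers removed, `[lmu]` and `[Mdns]`, come through these rules with no flag at all: a plausible path and a plausible name is exactly what a dropper aims for, so heuristics like these are a first pass that narrows the list, and the names themselves still have to be looked up.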

