TR/ATRAPS.Gen2

I use avira and keep getting an alert about the TR/ATRAPS.Gen2 virus. I have tried quaranteeing and deleting and it keeps coming back.
Any ideas?

Thanks

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

Thanks, I saw this response under the TR/ATRAPS.Gen solution and I did run MBAM but it didn't recognize or delete the virus. Everytime I boot up my computer avira alerts me to a file being infected and gives me the options to deny, delete, quaratine, rename. I choose delete but when I reboot it comes back again. It appears 4 times on the same file name but under different directories.

Any other ideas.

What file is Avira flagging as infected?

Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link DO NOT use yet.
Please download and install SUPERAntiSpyware Free

• Double-click SUPERAntiSypware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
• Under the "Configuration and Preferences", click the Preferences... button.
• Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
• Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen and exit the program.
• Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.

• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:

• Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes" and reboot normally.
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

I followed your directions and still get the virus alert from avira. Here is what I get:

Virus or unwanted program 'TR/ATRAPS.Gen2 [trojan]'
detected in file 'C:\Windows\SysWOW64\msmunpera.dll.
Action performed: Move file to quarantine

and
Virus or unwanted program 'TR/ATRAPS.Gen2 [trojan]'
detected in file 'C:\Program Files (x86)\Kaavnpriqeh\msmunpera.dll.
Action performed: Move file to quarantine

Here is the log file from SuperAnti Spyware.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/31/2009 at 07:38 AM

Application Version : 4.27.1000

Core Rules Database Version : 4023
Trace Rules Database Version: 1963

Scan type : Complete Scan
Total Scan Time : 00:43:21

Memory items scanned : 126
Memory threats detected : 0
Registry items scanned : 6327
Registry threats detected : 0
File items scanned : 38316
File threats detected : 40

Adware.Tracking Cookie
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@247realmedia[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@ad.yieldmanager[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@adlegend[2].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@adopt.euroclick[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@adopt.specificclick[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@adrevolver[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@ads.pointroll[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@advertising[2].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@apmebf[2].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@at.atwola[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@atdmt[2].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@atwola[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@bluestreak[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@bs.serving-sys[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@collective-media[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@doubleclick[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@dynamic.media.adrevolver[2].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@ehg-dig.hitbox[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@fastclick[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@hearstugo.112.2o7[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@hitbox[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@iacas.adbureau[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@imrworldwide[2].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@insightexpressai[2].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@interclick[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@linksynergy[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@media.adrevolver[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@media6degrees[2].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@mediaplex[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@questionmarket[2].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@realmedia[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@revsci[2].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@richmedia.yahoo[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@serving-sys[2].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@specificclick[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@specificmedia[1].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@tacoda[2].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@trafficmp[2].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@tribalfusion[2].txt
C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\Low\trevor@zedo[1].txt

Thanks

Upload one of these msmunpera.dll files to Jotti for analysis. Post back the results.

AVG responded with CORRUPT
Avira responded with TR/CRYPT.XPACK.Gen
F-PROT responded with W32/SuspPack.AA.gen!Eldorado

What should my next step be?
Everytime I chose to delete it when I reboot and run another scan the file is there and i get a virus alert.

Thanks,

We Need to check for Rootkits with RootRepeal

• Download RootRepeal from the following location and save it to your desktop:
  • RootRepeal
• Extract RootRepeal.exe from the zip archive.
• Open on your desktop.
• Click the tab.
• Click the button.
• Check the Files box:
• Push Ok
• Check the box for your main system drive (Usually C:), and press Ok.
• Allow RootRepeal to run a scan of your system. This may take some time.
• Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Hello,

I have same problem.
Is this problem solved now and what was the method?

reagrds,
Matthijs (Beukelnoot)