
Pc Has Vttuts.exe Tmp2.tmp W32.trats Viruses



#1 jag123

jag123

  • Members
  • 43 posts
  • OFFLINE
  • Local time:12:17 AM

Posted 22 January 2008 - 01:21 PM

Hello,

My desktop PC (WIN XP HE) has some type of virus.

Here is what is happening:

1.) As soon as my Win XP loads, one of these virus filenames is caught by NAV and it puts them in Quarantine (W32.Trats, TMP2.tmp, vtuts.exe, 5_swp[1}.htm, A0179516.exe) and other variations of these. When I delete these in NAV they keep coming back, even when I shut the PC off and reboot.

2.) NAV is still running in the background, but the icon that is normally next to the time display at the bottom right corner is missing. When I try to load Norton Antivirus Services manually by checking the box, a new window pops up saying "Norton Antivirus service is not responding. If you are trying to unload NAV services, you need to have Administrator rights to unload a WIN NT service."

3.) When I'm online I keep getting popup windows every few minutes, and one specific one tells me I have a virus and redirects me to the MALWARE ALARM site.

4.) A lot of the icons that were next to the time display in the bottom right corner are now gone (NAV, MSN & Yahoo messenger, Weather channel, etc.).

I have tried using the following software to fix the problem but to no avail:

WinCleaner One Click CleanUp, Ad-Aware 2007, Norton Antivirus Corporate Edition

Any help would be appreciated... thank you!

#2 Tomo2

Tomo2

  • Members
  • 402 posts
  • OFFLINE
  • Gender:Male
  • Location:Wanganui, Aotearoa NZ
  • Local time:05:17 PM

Posted 22 January 2008 - 05:00 PM

Here is Symantec's description of W32.Trats: http://www.symantec.com/security_response/writeup.jsp Although you seem to be having more trouble than that suggests. It infects your startup programs and sends your info to a remote web server.
One of the files looks like it has infected your System Restore folder. Norton will not be able to remove that, as Windows blocks all access to the System Volume Information folder where System Restore is hidden.
To clear system restore:

Right click My Computer and open Properties, then go to the System Restore tab and check "Turn off System Restore on all drives". This will clear the System Restore folder on shutdown. After rebooting, turn it back on again.

Then start your computer in safe mode and launch NAV there. Run a full system scan and remove the malware it finds.
NAV will not be able to remove two registry keys that are generated by the virus. BACK UP YOUR REGISTRY: to do this go to Start -> Run: regedit.exe. Once open, click File -> Export... and save the file in a safe place (make sure that under "Export range" you have "All" selected and not "Selected branch"). Then navigate to and delete:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "[RANDOM CHARACTERS].exe"
Also edit:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"Notification Packages" = "scecli [RANDOM CHARACTERS].dll"
Double click to edit, remove the [RANDOM CHARACTERS].dll, leave scecli in the box and close.

In some instances you cannot open the Registry Editor because of the virus. If that is the case, go to this page, download the tool and run it. This will fix the problem of opening the Registry Editor.

Hope this helps!

Edited by Tomo2, 22 January 2008 - 05:01 PM.

L&P, World Famous in New Zealand since ages ago!
Avast! Antivirus : Spybot S&D : Trend Micro Housecall : Hosts file : HiJack This
Don't be too open minded - your brains will fall out


#3 jag123

jag123
  • Topic Starter

  • Members
  • 43 posts
  • OFFLINE
  • Local time:12:17 AM

Posted 23 January 2008 - 02:46 PM

Hi Tomo2,

Here is what I've done so far:

I ran NAV under safe mode and it found (4) W32-related viruses and deleted them. Then when I rebooted in Normal mode it immediately quarantined TMP2.tmp and vtuts.exe. I currently have System Restore off (you are right, it has infected the System Restore folder, because I tried using that before posting on here and it wouldn't work).

Now I'm at the edit Registry part and I have 2 questions.

1.) For this part HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "[RANDOM CHARACTERS].exe"

I currently have HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\"load" =

Do I need to make any changes here?


2.) For this "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"Notification Packages" = "scecli [RANDOM CHARACTERS].dll"

I don't have this part "[RANDOM CHARACTERS].dll" currently in my registry. I only have the "scecli" so I'm assuming I don't need to do anything here.

However, I did notice under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\"Authentication Packages" = "msv1_0 C:\WINDOWS\system32\vtuts"

I remember the vtuts was one of the viruses NAV found. Should I delete or edit anything here?


Thanks a lot for your help!
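The two posts above walk through three registry locations by hand: the per-user "load" value, and the LSA "Notification Packages" and "Authentication Packages" values. The following read-only audit script is an added example, not code from this thread or from Symantec; it assumes PowerShell is available on the machine and that the clean defaults are an empty "load" value, only scecli in Notification Packages and only msv1_0 in Authentication Packages. It reports anything beyond those defaults so the extra entries can be reviewed (and the registry backed up) before any manual edit.

```powershell
# Added example: audit the three persistence locations discussed in the thread.
# Read-only: it prints findings and changes nothing. Assumed clean defaults:
#   load                    -> empty / absent
#   Notification Packages   -> scecli
#   Authentication Packages -> msv1_0
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
       Name = 'load';                    Expected = @() },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'Notification Packages';   Expected = @('scecli') },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'Authentication Packages'; Expected = @('msv1_0') }
)

function Get-RegistryEntries {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }   # value absent: nothing to report
    # REG_MULTI_SZ arrives as an array, REG_SZ as one string; "load" may also hold
    # several programs separated by spaces, so split every element on whitespace.
    $values = @($item.$Name) |
        ForEach-Object { "$_" -split '\s+' } |
        Where-Object { $_ -ne '' }
    return @($values)
}

foreach ($c in $checks) {
    $found      = Get-RegistryEntries -Path $c.Path -Name $c.Name
    $unexpected = @($found | Where-Object { $c.Expected -notcontains $_ })
    if ($unexpected.Count -gt 0) {
        # Anything not in the expected list is flagged for manual review, e.g. a
        # random-named .exe in "load" or an extra module after msv1_0 / scecli.
        Write-Host ("SUSPECT  {0}\{1}: {2}" -f $c.Path, $c.Name, ($unexpected -join ', '))
    } else {
        Write-Host ("ok       {0}\{1}" -f $c.Path, $c.Name)
    }
}
```

A flagged entry is a lead, not proof: some legitimate software registers extra LSA packages, so confirm what the listed file is before removing it.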



