
Trouble Removing Prorat.16 (Win32.Backdoor.Prorat16)


#1 JTR9000

JTR9000

  • Members
  • 1 posts
  • OFFLINE
  • Local time:09:53 AM

Posted 10 May 2009 - 08:32 AM

Hey, basically I am having trouble removing a piece of malware known as Prorat.16. Scanning with Ad-Aware allows me to Quarantine the infection, but not remove it. Ad-Aware returns the following results:

Win32.Backdoor.Prorat16
c:\windows\system32\winkey.dll
c:\windows\system32\reginv.dll
HKLM:software\microsoft\active setup\installed components\{5y99ae78-58tt-11dw-be53-y67078979y}:
HKLM:software\microsoft\active setup\installed components\{5y99ae78-58tt-11dw-be53-y67078979y}:stubpath
HKU:S-1-5-21-1078081533-1606980848-725345543-1003\software\microsoft\windows nt script host\microsoft dxdiag\winsettings:

My DDS log follows:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Jordan at 14:38:57.87 on 10/05/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.358 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Jordan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
mWinlogon: Shell=Explorer.exe c:\windows\system32\fservice.exe
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twext.exe,
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mExplorerRun: [DirectX For Microsoft® Windows] c:\windows\system32\fservice.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jordan\applic~1\mozilla\firefox\profiles\ydzn3muo.default\
FF - prefs.js: browser.search.selectedEngine - Scroogle
FF - prefs.js: browser.startup.homepage - hxxp://www.deftones.com
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCortona.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-25 64160]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 953168]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;\??\c:\progra~1\belkin\belkin~1.11g\dnindis5.sys --> c:\progra~1\belkin\belkin~1.11g\DNINDIS5.SYS [?]
S4 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-8-29 935208]

=============== Created Last 30 ================

2009-05-10 02:13 128 a---h--- C:\aaw7boot.cmd
2009-05-10 02:08 36,864 a------- c:\windows\system32\reginv.dll
2009-05-10 02:08 13,312 a------- c:\windows\system32\winkey.dll
2009-05-10 01:46 350,764 ---sh--- c:\windows\services.exe
2009-05-10 01:43 <DIR> --d----- C:\!KillBox
2009-05-10 01:39 <DIR> --d----- c:\program files\Trend Micro
2009-05-07 21:40 54,156 a---h--- c:\windows\QTFont.qfn
2009-05-07 21:40 1,409 a------- c:\windows\QTFont.for
2009-04-29 20:51 350,764 ---sh--- c:\windows\system\sservice.exe
2009-04-19 18:46 <DIR> --d----- c:\program files\VirtualDJ
2009-04-16 02:02 <DIR> --d----- c:\docume~1\jordan\applic~1\Smart Recorder

==================== Find3M ====================

2009-04-22 20:38 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-22 20:38 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-04 22:34 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-02 19:51 22,328 a------- c:\docume~1\jordan\applic~1\PnkBstrK.sys
2006-11-21 11:04 257,203 a------- c:\program files\setup.inx
2008-02-17 05:52 350,764 ---sh--- c:\windows\services.exe
2008-02-17 05:52 350,764 ---sh--- c:\windows\system\sservice.exe
2008-02-17 05:52 350,764 ---sh--- c:\windows\system32\fservice.exe

============= FINISH: 14:39:30.17 ===============



Thanks a million in advance to anyone who can help!

Edited by JTR9000, 10 May 2009 - 09:00 AM.
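An added defender-side check, not part of the original thread and not a removal tool: a PowerShell audit of the three persistence points the DDS log above shows as modified, namely the Winlogon Shell/Userinit values, the Active Setup StubPath entries, and the Policies\Explorer\Run key. It assumes PowerShell 3 or later on an elevated prompt, and the stock values it compares against are the Windows defaults.

```powershell
# Added example, not from the thread: audit the persistence points that the
# DDS log shows as tampered (Winlogon Shell/Userinit, Active Setup StubPath,
# Policies\Explorer\Run). Run from an elevated PowerShell 3+ prompt.

# 1. Winlogon: stock values; anything appended after them is suspect
#    (the log shows fservice.exe on Shell and twext.exe appended to Userinit).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"
}
$wl = Get-ItemProperty -Path $winlogon
foreach ($name in $expected.Keys) {
    $actual = [string]$wl.$name
    if ($actual.Trim() -ine $expected[$name]) {
        Write-Warning "Winlogon $name = '$actual' (expected '$($expected[$name])')"
    } else {
        Write-Output "Winlogon $name OK"
    }
}

# 2. Active Setup: each component's StubPath runs once per user at logon.
#    A key named like a GUID that is not a valid GUID (non-hex characters,
#    as in the log's {5y99ae78-...}) is a strong anomaly; list those first.
$asKey = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Get-ChildItem -Path $asKey | ForEach-Object {
    $name = $_.PSChildName
    $stub = (Get-ItemProperty -Path $_.PSPath).StubPath
    if ($stub) {
        [pscustomobject]@{
            Component = $name
            BogusGuid = ($name -match '^\{.+\}$') -and -not ($name -as [guid])
            StubPath  = $stub
        }
    }
} | Sort-Object -Property BogusGuid -Descending | Format-Table -AutoSize

# 3. Policies\Explorer\Run: a machine-wide autorun rarely used legitimately;
#    the log shows fservice.exe registered here as "DirectX For Microsoft Windows".
$polRun = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
if (Test-Path -Path $polRun) {
    Get-ItemProperty -Path $polRun |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List
}
```

Compare every flagged value against the Ad-Aware and DDS entries in the post before acting on it; a mismatch here is a lead for investigation, not proof of infection.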



#2 shelf life

shelf life

  • Malware Response Team
  • 2,651 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:04:53 AM

Posted 20 May 2009 - 06:01 PM

Hi JTR9000,

The log is several days old. If you still need help, reply back with an update on your malware situation.

How Can I Reduce My Risk to Malware?