winkey.dll / backdoor.prorat removal help plz

Discussion in 'malware problems & news' started by finger, Jul 19, 2004.

Thread Status:
Not open for further replies.
  1. finger

    finger Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    3
    Location:
    Trinidad & Tobago
    After researching it,
    I've learnt (and my own view):
    - if deleted, when the system reboots.. it makes another copy
    - it's meant to be a keylogger
    - it disables all antivirus..
    - its source is in system files.. and when you try to delete it.. it won't delete
    - etc.. that's the basics

    I've tried to remove it using the Norton removal procedures.. and every time I delete one from the registry and look back again at the same location.. it returns


    I've also looked at sites, but these give the closest to its removal:

    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.prorat.html
    http://www.mcse.ms/archive177-2004-4-497067.html
    http://www.sophos.com/virusinfo/analyses/trojproratd.html

    Thing is, I use WINDOWS 98.. and most info is for XP..

    CAN ANYONE HELP ME.. I've been trying for too long.. I'm fed up seeing a pop-up at startup saying that I have this trojan...

    THANKS A MIL.. FOR WHATEVER HELP YOU GIVE!! :D
     
  2. finger

    finger Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    3
    Location:
    Trinidad & Tobago
    Please.. somebody.. anything, I'll try, because I'm fed up seeing it
     
  3. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi finger,

    Please try this.

    Download and install the 30-day free trial of TDS-3

    Before you open and run the program you must bring it up to date. Download the latest Radius database file from here: Radius td3 update. Right-click on the link shown on the updates page, choose "Save target as" and save it to your TDS install directory (say "yes" to overwriting the one that is there). Reboot your computer after installing.

    Now reboot your computer again, but this time into Safe Mode, by tapping the F8 key just before Windows begins to load.

    Then open TDS, press "Scan Control" and tick all the boxes in the bottom part of the window. Press "Save configuration" and then close the window by pressing the red x in the top right corner. Now select "System Testing", choose "Full System Scan" and scan your local drives.

    Once the scan is finished, TDS3 will display what it finds in the lower screen. It will show "Positive Identification" or "Suspicious File". Right-click on anything found as "Positive Identification" and choose Delete.

    For any "Suspicious" files, right-click on those and choose "Save to Text". Since most suspicious files are harmless, we would want to see the scandump.txt for them first before deciding what should be done with them. Go to the TDS-3 folder (usually C:\Program Files\TDS3) and find the scandump.txt file. Open it and copy & paste the contents here in your next reply.

    Please disable your antivirus before running TDS3 so it will not interfere with the scan.

    Let us know how it goes.

    Regards,

    snap
     
  4. atoxrava

    atoxrava Guest

    Re: winkey.dll / backdoor.prorat removal help an

    I kicked it off my PC with Search and Destroy, working like the Sophos site says.. it took me 2 days... Avast antivirus shows ProRat but can't delete it, so it is useful to run a RAV antivirus scan and reboot several times.. use HijackThis too... prorat (prohak)
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi atoxrava

    I've removed your 'test post'. We do have a Test Forum if you wish to practice posting. ;)

    Regards,

    snap
     
  6. finger

    finger Registered Member

    Joined:
    Jul 19, 2004
    Posts:
    3
    Location:
    Trinidad & Tobago
    Hey, thx for the help.. I'll post back if I get any luck after trying...

    thx again!
     
  7. rfen25

    rfen25 Guest


    I have downloaded and installed tds3, but it won't run, any suggestions?
     
  8. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Best way to get rid of it is to download the ProRat package and use the client part of it (there is a button called "remove local server") to uninstall it...
    Google for the package.

    Remember to delete it afterwards because it is illegal to use such a program.


    You could also experiment by renaming TDS to something else: rename tds.exe to killtrojans.exe. ProRat can be configured to kill TDS, but it does this by searching for a process name, so renaming can help.
     
  9. rfen25

    rfen25 Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    3
    I have installed and run TDS-3. After running a full system scan, it came up with 10 positive identifications. I was able to delete all but 2 of them; for those 2 it said that the delete failed, and these 2 are the ProRat files that I want to get rid of. This is the scandump.txt for these 2 files:

    Scan Control Dumped @ 15:27:25 10-08-04
    Positive identification: RAT.ProRat 1.8 (UPX)
    File: c:\windows\services.exe

    (DELETED) Positive identification: RAT.ProRat 1.8 (UPX)
    File: c:\windows\system\sservice.exe

    (DELETED) Positive identification: RAT.ProRat 1.8 (UPX)
    File: c:\windows\system32\fservice.exe

    Positive identification (DLL): RAT.ProRat 1.1 (dll)
    File: c:\windows\system32\wininv.dll


    Do you have any ideas as to how to get rid of these files? They are a huge nuisance... :D
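A small parser for the TDS-3 scandump format shown in the post above, added here as an example (not code from the thread or from TDS). It separates the entries TDS already deleted from the ones where the delete failed, which are exactly the files the follow-up advice (kill the process, unload the DLL, rescan) is about. The sample text is a constructed copy of the posted dump.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the scandump lines posted above, re-typed here
SCANDUMP = """\
Scan Control Dumped @ 15:27:25 10-08-04
Positive identification: RAT.ProRat 1.8 (UPX)
File: c:\\windows\\services.exe

(DELETED) Positive identification: RAT.ProRat 1.8 (UPX)
File: c:\\windows\\system\\sservice.exe

(DELETED) Positive identification: RAT.ProRat 1.8 (UPX)
File: c:\\windows\\system32\\fservice.exe

Positive identification (DLL): RAT.ProRat 1.1 (dll)
File: c:\\windows\\system32\\wininv.dll
"""

@dataclass
class Finding:
    detection: str   # e.g. "RAT.ProRat 1.8 (UPX)"
    path: str        # file TDS reported
    deleted: bool    # True when TDS prefixed the entry with (DELETED)
    kind: str        # "DLL" when TDS marks it as such, else "file"

# One header line per finding; the "File:" line that follows carries the path
HEADER_RE = re.compile(
    r"^(?P<deleted>\(DELETED\)\s*)?Positive identification"
    r"(?:\s*\((?P<kind>[^)]+)\))?:\s*(?P<name>.+)$")

def parse_scandump(text: str) -> List[Finding]:
    findings, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            pending = m          # remember header until its File: line arrives
            continue
        if line.startswith("File:") and pending is not None:
            findings.append(Finding(
                detection=pending["name"].strip(),
                path=line[len("File:"):].strip(),
                deleted=pending["deleted"] is not None,
                kind=(pending["kind"] or "file").strip()))
            pending = None
    return findings

def still_present(findings: List[Finding]) -> List[str]:
    """Paths TDS could not delete: the loaded EXE/DLL that needs manual handling."""
    return [f.path for f in findings if not f.deleted]
```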
     
  10. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Just a little bit more than a nuisance.. ProRat is one of the most powerful backdoors out there..
    and especially hard to remove. If you haven't got a firewall, you can assume that all your data is stolen.. change the passwords of all your online accounts, check your credit card etc. for strange payments.

    I PM'd you some instructions, but try killing the process c:\windows\services.exe with Task Manager. Press Ctrl+Alt+Del, select the Processes tab, right-click on c:\windows\services.exe
    and select End Process.

    Download and install APM from
    http://www.diamondcs.com.au/index.php?page=apm
    and launch it.

    On the upper panel highlight one process at a time and search for c:\windows\system32\wininv.dll. If you find it, right-click on it and select Unload DLL.
    Search through all processes and unload every instance of that DLL you find.

    Rescan with TDS, and remember to update it first. You know TDS updates every weekday, so there's again a new update, so scan after you've updated.
     
  11. gaelpixie

    gaelpixie Registered Member

    Joined:
    Aug 24, 2004
    Posts:
    1
    I found a folder in the registry called "Search Assistant" that contained bits of prorat, panther, inferno nuker and flooder that had all been dumped on my system. I'd followed instructions to delete various prorat components in the registry and the monster kept coming back - until I deleted the Search Assistant folder. That enabled me to delete the winint and winkey components. Hey presto - no more regeneration. I know I still have some nasties and I've run Spy Bot, Spyware Doctor, Ad-Aware also McAfee and AVG, and found a few other odds and ends. At least now I can run anti-virus and my firewalls are back up.
    But I'm still plagued by SpotOnbh that arrived at the same time as all the rest, and the Prorat shortcut is still on my IE toolbar.
    Any suggestions?
     
  12. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    gaelpixie here's a link to SpotOnbh removal. :)
     
  13. webster

    webster Registered Member

    Joined:
    Feb 23, 2004
    Posts:
    285
    Location:
    Denmark
  14. Lucifer

    Lucifer Guest

    Thank you for the advice, it works great!
     
  15. Netherlands

    Netherlands Guest

    Hi,

    I've got the same problem, I'm using WinXP Home...
    My keyboard doesn't work well anymore because of it too...

    I found the ProRat package at ~snipped out link~
    And it can connect, but the problem is that it asks for a password...

    Anybody got any idea?

    Greetings,
    Arno

    Mod Note - link removed from post. Please review our TOS - snap
     
    Last edited by a moderator: Sep 4, 2004
  16. Netherlands

    Netherlands Guest

    Hi,

    I just read that if I've got the ProRat Special Edition, or something like that, I could remove any server of my pc without knowing the password...

    Greetings,
    Arno
     
  17. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  18. Fefe

    Fefe Guest

    Haven't tried to download the free utility program mentioned above, but after several hours trying out what Trend Micro and Symantec suggested and installing several different antivirus programs that didn't work, I finally found something that definitely looks to have taken care of it.

    Downloaded the latest trial version of TrojanHunter (4.0) at www.trojanhunter.com

    Installed it, started it...and fixed!

    Yippi!!!
     
  19. hazzaa

    hazzaa Guest


    Thanks Webster it worked with me.
     
  20. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Links posted by guest removed - TOS violation
     
  21. The_Napster

    The_Napster Guest

    Thanks for the help dude!!!!!!
     
  22. light

    light Guest

    I'm trying this, and it's not working either :(
     
  23. Nemesys

    Nemesys Guest

    Hi,
    my PC was infected by ProRat last week and today I killed it!!
    It's simple..

    Download DelLater.
    Unzip dellater.exe into C:\Windows or into desktop

    Copy and paste the following text into notepad and save as "del.bat" on your desktop.

    Code:
    dellater.exe C:\Windows\services.exe
    dellater.exe C:\windows\system\sservice.exe
    dellater.exe C:\windows\system32\winkey.dll
    dellater.exe C:\WINDOWS\system32\fservice.exe
    dellater.exe C:\windows\system32\wininv.dll

    Copy and paste the following text into notepad and save as "fix.reg" on your desktop.

    Code:
    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Shell"="Explorer.exe"

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

    Double-click the del.bat file. You will get a notification for every file marked for deletion. Click OK.

    Reboot.

    If you get error messages about files missing on restart, that is a good sign.

    Double-click the fix.reg file. Confirm that you want to merge the information into the registry.

    After that you can use Norton Antivirus to delete the other files.

    Bye
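Before merging a .reg file someone posted, it is worth checking exactly which keys it deletes and which values it rewrites. The following is an added example, not Nemesys's code: a parser for the REGEDIT5 format that reads the fix.reg above (a constructed copy of the posted text, GUID as posted) and reports the two key deletions and the Winlogon "Shell" value being restored to Explorer.exe.

```python
import re
from typing import Dict, List, Optional

# Constructed copy of the fix.reg posted above; the GUID is the one the post shows
FIX_REG = r'''Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
'''

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# "[-key]" deletes the whole key; "[key]" opens it for the "name"=data lines below
KEY_RE = re.compile(r"^\[(?P<delete>-)?(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

def parse_reg(text: str) -> Dict[str, Optional[Dict[str, str]]]:
    """Map key -> None (key deleted) or key -> {value name: string data}."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version"):
        raise ValueError("not a REGEDIT5 file")
    ops: Dict[str, Optional[Dict[str, str]]] = {}
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m["key"]
            ops[current] = None if m["delete"] else {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None and ops[current] is not None:
            ops[current][m["name"]] = m["data"].strip('"')   # REG_SZ only
    return ops

def deleted_keys(ops: Dict[str, Optional[Dict[str, str]]]) -> List[str]:
    return [k for k, v in ops.items() if v is None]

def winlogon_shell(ops: Dict[str, Optional[Dict[str, str]]]) -> Optional[str]:
    """The Shell value the file writes; ProRat's persistence replaces this."""
    return (ops.get(WINLOGON) or {}).get("Shell")
```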
     
  24. Nemesys

    Nemesys Guest

  25. CoP

    CoP Guest

    Hi Nemesys,
    I did exactly what you said.. it did delete winkey.dll but wasn't able to delete wininv.dll.
    I tried to use dellater.exe manually from cmd.exe (Win XP) to mark winkey.dll for deletion:
    typed dellater.exe c:\windows\system32\wininv.dll, then I got a box saying "Unable to mark this file for deletion" as the heading of the box and "c:\windows\system32\wininv.dll" as the message..
    so I'm not really sure what to do next..
    any help would be appreciated.. thanks
     