Backdoor.prorat -- Wtf Over!


    #1 pinhead (Registered User; joined Jul 2002; Pennsylvania; 114 posts)

    Backdoor.prorat -- Wtf Over!

    I have a system that detects Backdoor.ProRat. Norton AV 2003 was installed, but I could not run a system scan with it. I have tried installing eTrust, Panda, AVG, and McAfee and was unable to scan with any of these AVs. We pulled the drive and put it in another machine to scan it, but the scan came up clean (virus defs are up to date). Booted back up and it keeps detecting ProRat again. Tried to remove the virus manually, but it comes back every time I boot up. Procedure used to remove the virus manually (PS: Windows XP Home Edition):

    1. Turn off System Restore.
    2. Boot in safe mode and log on as Administrator.
    3. In the registry, remove any of the following entries from the following keys:
    ENTRIES:
    "MSNMESENGER"="%System%\Main.exe"
    "DirectX for Microsoft Windows"="%System%\Sservice.exe"
    "StubPath"="C:\Windows\system\Sservice.exe"

    KEYS:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dw-BE53-Y67078979Y}
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    4. Through Windows Explorer, My Computer, or a DOS prompt: delete winkey.dll and wininv.dll from the C:\Windows\System32 folder. (Can't delete from any of the above; Access is denied.) Tried checking attributes (Archive is the only attribute selected). I can rename and move the files, but still can't delete them. Also tried slaving the drive in another machine and deleting them there, but they reappear on the next boot. If I log off of Administrator and log back on as User, I can delete them, but they reappear on the next boot, whether it is in normal mode or safe mode.

    Figured something was starting them up on boot (obviously), so I set msconfig to diagnostic startup (no startup items, unnecessary services, win.ini, boot.ini, or system.ini), but the problem persists.

    Machine cannot be reloaded as the user has NO FREAKIN' BACKUPS.

    Sorry about the long rant, but I've been screwing with this piece of #$@% all day.

    Any help would be greatly appreciated.

    #2 pinhead (Registered User; joined Jul 2002; Pennsylvania; 114 posts)
    I just found this on Google...

    http://www.megasecurity.org/trojans/...rorat_all.html

    Could this, by any chance, be a program that the user installed? I don't see it in add/remove programs, but I don't play with this crap at all.

    I also found this link that's pretty interesting, but I can't believe this could possibly be legal:

    http://www.prorat.net/main.php?language=english

    If anyone's heard of this, please let me know if you have any suggestions. Thanks in advance for your time.

    #3 NooNoo (Driver Terrier; joined Dec 2000; UK; 31,824 posts)
    What? Remote PC handling illegal?
    Never, ever approach a computer saying or even thinking "I will just do this quickly."

    #4 ShannonandShannon (Registered User; joined May 2004; Victoria, BC; 7 posts)

    I trust my Symantec Corporate Edition
    ------------------------------------------

    The following is info from the ProRat web site about updates in the latest version... good for a laugh anyway. Then the help file from the extracted zip I downloaded from their web site. Symantec Corporate quarantined it post haste.

    _____________________
    In this version of ProRat, some applications have been added and some errors have been fixed to make the program work better.
    To make use of these applications, don't forget that you must have ProRat v1.8. If you connect to a ProRat v1.6 or ProRat v1.8 server
    with a ProRat v1.6 client you will still have problems.

    First check your version and your server version by connecting to your victim and clicking Online editor; you can check the server version there.
    If you want to upload a new server, first create a new server with ProRat v1.6, upload it with the file manager and press Run;
    after you reset the server on the victim's PC you will see it has changed to ProRat v1.8.
    __________________________________________________
    ----------------------------------------------------------------------------------
    RENEWAL AND ARRANGEMENTS MADE IN ProRat VERSION 1.8 : Saturday 24.04.2004
    ----------------------------------------------------------------------------------

    The reasons for preparing and putting ProRat v1.8 up for download are:

    -All security bugs on Client and Server are closed.

    -We added a remote for Forbidding a web site.

    -We stabilized the Email notification module.

    -We added Briefcase Server Converter.

    -We added Generic extensions converter.

    -We added a feature to add a shortcut on the Internet Explorer bar.

    -We added an automatic FTP connection over FlashFXP.

    -We added a module to find the new ICQ 4.0 passwords on the victim's PC.

    -All files are modified to be undetectable against antivirus programs.

    -We fixed the problem with the disconnect button which was not working correctly.

    -Melt server on install was not working on version 1.6. We fixed that bug.

    -Services Manager was added.
    Explanation: You can remotely control the Services Manager on 2000, NT and XP systems with this menu. You can open the Remote Desktop service and connect with Remote Desktop to your victim. You can open a telnet server; also you can close or delete some antivirus and firewall services from systems.

    -The ProMessenger help file was not shown after you pressed it. We fixed this problem.

    -We cancelled the extra applications against unpacking the client so the client can run faster. We put a password on the server in the client, which is protected with a 128-bit crypto algorithm made with the ProGroup protector.

    -The victim couldn't write sometimes when using matrix chat without clicking on the screen. We fixed this problem.

    -ProRat was opening in English as the default language, but if you closed and opened it again without changing the language it was opening in Arabic. We fixed this problem.

    -We added a feature to use the menu forms on the client in an easy way; you can close these menus by pressing Esc.

    -The bug in the Removing local server module was fixed.

    -We improved and changed the File Manager.

    -We added Panda AntiVirus to the antivirus killing list.

    -Norton and the XP internal firewall didn't work after you removed a local or remote server. We fixed this problem.

    -We added a Mydoom uploader feature.

    -We added Run Reg entries.

    -We added lots of new language support.

    P®O Group
    __________________________________________

    I downloaded the program to my system (call me stupid or crazy), unzipped it, and Sym Corp immediately quarantined Backdoor.ProRat.

    Here is the help file from the unzipped folder.

    PLEASE READ THIS INFORMATION BEFORE USING ProRat :
    ----------------------------------------------------------------------------------

    1- Before using ProRat please read the help file. You can reach the help file by pressing the "?" sign which is at the top of the ProRat client. As you will see there is enough information there for use and for solving your problems.

    2- All kinds of user problems with ProRat are discussed at http://www.prorat.net/forum
    Before writing to the forum we suggest you read the help file once more, and if you can't find the answer in the help file, write it to the forum under the right topic with details such as your operating system, error message etc. so we can solve the problem fast and properly. We don't answer any kind of question like "why can't I connect to the server, what should I do?"

    3- You cannot start ProRat directly from a zip file; first you must unzip it and then you can start the client. This is not an error; this is just made to make ProRat work properly.

    4- To connect to a PC with the ProRat client the server should have a direct connection to the internet. If it's a PC in a network and has an IP address like 192.168.0.*, or if it's behind a router and has an IP like 10.*.*.*, you will be unable to connect with ProRat, and this kind of situation is also valid for other kinds of Trojans. If you will use ProRat in your own local network this is possible and it won't matter if the IP address starts with 192.168.*.*; you can use and connect to any PC you offer.

    5- ProRat will not send any keylog files or any passwords to your email address. ProRat is a "ProHack.Net Remote Administrator Tool"; you can only get the keylog files and passwords you want to learn by connecting to the victim's PC.

    6- You can connect to all PCs in your country and other countries as well. If the victim is connected to the internet this will be enough.

    7- If you can't connect to a victim this doesn't mean that you cannot connect to all victims. Please try new victims and you will see that it will connect. If you still can't connect to a victim after trying a few times, read the help file and try to find where you are making a mistake, and feel free to ask us questions if you still have problems.

    8- If your or your victim's PC is being forced to close after you started the ProRat server or ProMessenger, this is not ProRat's fault, because some kinds of worm virus like MSBlast can infiltrate a PC which doesn't have security patches. ProRat will close the firewall (optional) and this will give a chance to this kind of worm to infiltrate and close systems. To take measures please read the help file and you will see links to download patch files.

    9- If you try to make the ProRat server undetectable to antivirus, ProRat will not connect to the server. If you want a server which is undetectable by antivirus you must buy ProRat Special Edition; for more information please get in contact with [email protected].
    If you didn't try to change the server and you still get a connection reject message, possibly the server wasn't installed properly on the victim's PC.

    10- Please pay attention to the Online News on your client. You will find important messages and news about ProRat and ProGroup. Sometimes Online News will not work and this does not mean it won't work forever. Try a few days later, because during updates and server problems it could be closed.
    ----------------------------------------------------------------------------------

    Oh, and DON'T do what I did, it was dumb, but now we know Symantec Corporate kills ProRat.

    cheers

    #5 Registered User (joined May 2004; 1 post)
    Umm... I'm having the same problem; can anyone help us?

    #6 Shootmaster_44 (Registered User; joined Jun 2004; 1 post)
    I contacted the authorities in Turkey regarding ProRat.net software. Hopefully this will get them taken down. As for removing it, I am still lost; I cannot get it removed from my system. I think I have stopped all communications with the hacker, but I still get the NAV warning that won't go away. It still won't run a system scan or even a simple file scan. I still cannot delete the infected files. Does this mean I have to format my hard drive?

    #7 Tekboy (Registered User; joined Oct 2003; Florida; 1,492 posts)
    Quote Originally Posted by Shootmaster_44
    I contacted the authorities in Turkey regarding ProRat.net software. Hopefully this will get them taken down. As for removing it, I am still lost; I cannot get it removed from my system. I think I have stopped all communications with the hacker, but I still get the NAV warning that won't go away. It still won't run a system scan or even a simple file scan. I still cannot delete the infected files. Does this mean I have to format my hard drive?
    Well, to me anyway, the best thing to do would be to copy all your user files to some sort of other storage medium, and zero-fill the drive. Anything that persistent needs to be eradicated by ANY means.

    I know it sucks, but the internet is getting to be a nasty place, and if you go out there unprepared, this is the kind of stuff that happens.
    Good Luck.
    If only you knew what's inside of me now,
    You wouldn't want to know me, somehow.

    #8 HappyPenguin (Registered User; joined Aug 2004; Leeds, UK; 1 post)
    Hello folks,

    Have joined this forum to pass on my experience of ProRat: 8 long hours on Sunday trying to get it off my friend's computer (Windows XP Home, McAfee Anti Virus).

    Followed advice given on the Symantec site and lots of the forums but without success. Then I had a bit of a brainwave and did a search in the registry for the two nasty .dll files that kept popping up every time the computer started (wininv.dll and winkey.dll).

    I discovered a whole new folder in the registry that contained not just stuff to launch ProRat but also various bits and pieces of adware, spyware, droppers, trojans, etc. The folder, called 'Search Assistant', was in HKEY_USERS in one of the S-1-5-21-lots-of-numbers folders. Deleting this seemed to effectively stop the virus from running or coming back when the system rebooted.

    Unfortunately there still seem to be traces of the virus left, but the McAfee anti-virus software is now running again, and the firewall. I suggest searching the registry for the following terms and removing anything that looks suspicious (I checked against my uninfected laptop):

    wininv.dll
    winkey.dll
    fservice.exe
    KTD32.atm
    sservice.exe

    Then delete any of these files from the computer.

    If I discover anything else I'll pass it on.

    Happy Penguin
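Added example (not code from any poster, Symantec or ProRat): a small Python script that does the registry legwork of posts #1 and #8 offline. Export the registry as text from Safe Mode with `regedit /e dump.reg` (or load the slaved drive's hives in regedit and export those), then feed the text to `triage()`. It parses the .reg format and lists every value that sits in one of the autostart keys pinhead cleaned (Run, Policies\Explorer\Run, Active Setup StubPath), that references one of the file names HappyPenguin searched for, or that lives under a 'Search Assistant' key beneath an HKEY_USERS\S-1-5-21-... SID. The embedded .reg sample is constructed: the SID, the parent path of 'Search Assistant', the value names Loader/Inv, the CLSID and the benign Java and Notepad++ entries are invented; only the key paths and file names come from the thread.

```python
r"""Offline triage of a Windows .reg export for the persistence entries
discussed in this thread (autostart keys from post #1, file names and the
per-user 'Search Assistant' key from post #8).  Added example; the sample
export at the bottom is constructed, not from a real machine."""
import re
from typing import Dict, List

# File names named in the thread; matched case-insensitively inside value data.
INDICATOR_FILES = ("wininv.dll", "winkey.dll", "sservice.exe", "fservice.exe", "ktd32.atm")

# Autostart locations from post #1 (plus RunOnce), as regexes over the full key path.
AUTOSTART_KEYS = [
    re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I),
    re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run$", re.I),
    re.compile(r"\\Microsoft\\Active Setup\\Installed Components\\\{[^}]+\}$", re.I),
]

# Post #8 gives only the key's leaf name and that it sat under a per-user SID,
# so that is all we match (S-1-5-21- prefixes local and domain user SIDs).
SUSPECT_KEY_LEAVES = ("search assistant",)
USER_SID_PREFIX = re.compile(r"^HKEY_USERS\\S-1-5-21-", re.I)

_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg export text into {key_path: {value_name: data}}.
    Handles "Name"="string" and @="string" (the default value); hex:/dword:
    data is kept verbatim and backslash-continued hex lines are joined."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if line.endswith("\\"):  # continuation line of a hex: value
            pending = line[:-1]
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_persistence(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """One finding per value in an autostart location, referencing an indicator
    file, or under a suspect per-user key.  Reasons are listed so a legitimate
    Run entry (one reason) stands apart from a loader that is both auto-started
    and names a known file (two reasons)."""
    findings: List[dict] = []
    for path, values in keys.items():
        key_reasons = []
        if any(rx.search(path) for rx in AUTOSTART_KEYS):
            key_reasons.append("autostart-location")
        leaf = path.rsplit("\\", 1)[-1].lower()
        if leaf in SUSPECT_KEY_LEAVES and USER_SID_PREFIX.match(path):
            key_reasons.append("suspect-key")
        for name, data in values.items():
            reasons = list(key_reasons)
            if any(f in data.lower() for f in INDICATOR_FILES):
                reasons.append("indicator-file")
            if reasons:
                findings.append({"key": path, "name": name, "data": data, "reasons": reasons})
    return findings


def triage(reg_text: str) -> List[dict]:
    return find_persistence(parse_reg(reg_text))


# Constructed sample export: SID, Search Assistant parent path, value names,
# CLSID and the benign entries are invented; key paths and file names are from the thread.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DirectX for Microsoft Windows"="C:\\WINDOWS\\system32\\sservice.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"MSNMESENGER"="C:\\WINDOWS\\system32\\Main.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dw-BE53-Y67078979Y}]
"StubPath"="C:\\WINDOWS\\system\\Sservice.exe"

[HKEY_USERS\S-1-5-21-1085031214-1417001333-725345543-1003\Software\Microsoft\Search Assistant]
"Loader"="rundll32.exe C:\\WINDOWS\\system32\\winkey.dll,Start"
"Inv"="C:\\WINDOWS\\system32\\wininv.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F1A2B3C-4D5E-6F70-8192-A3B4C5D6E7F8}\InprocServer32]
@="C:\\WINDOWS\\system32\\KTD32.atm"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++]
"DisplayName"="Notepad++"
"UninstallString"=hex(2):43,00,3a,00,5c,00,75,00,6e,00,69,00,6e,00,73,00,\
  74,00,2e,00,65,00,78,00,65,00,00,00
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(f"[{', '.join(f['reasons'])}] {f['key']}")
        print(f"    {f['name']} = {f['data']}")
```

Real exports from regedit are UTF-16LE with a BOM, so read them with `open(path, encoding="utf-16")` before calling `triage()`. An entry with only `autostart-location` (the Java updater here) is normal and needs a human look; an entry that is auto-started and names a known file, or that sits under the suspect per-user key, is the one to delete, and its data column tells you which file on disk to remove with the drive slaved.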

    #9 NooNoo (Driver Terrier; joined Dec 2000; UK; 31,824 posts)
    Thanks for the tips, Happy Penguin, and welcome to WinDrivers!

    #10 Jeff316 (Registered User; joined Jul 2004; Birmingham, AL; 65 posts)

    Different Trojan but maybe helpful....

    Quote Originally Posted by pinhead
    I have a system that detects Backdoor.ProRat. Norton AV 2003 was installed, but I could not run a system s........

    Sorry about the long rant, but I've been screwing with this piece of #$@% all day.

    Any help would be greatly appreciated.

    Hi Pinhead:

    Different trojan but I had a similar problem a while back and posted what I had to do to remove the bad files on this thread:

    http://forums.windrivers.com/showthread.php?t=61723

    HTH.

    #11 Phaeton (Registered User; joined Nov 2003; 92 posts)
    Quote Originally Posted by ShannonandShannon

    -We added a module to find the new ICQ 4.0 passwords on the victim's PC.

    -All files are modified to be undetectable against antivirus programs.


    -Melt server on install was not working on version 1.6. We fixed that bug.

    -We added Panda AntiVirus to the antivirus killing list.

    -Norton and the XP internal firewall didn't work after you removed a local or remote server. We fixed this problem.

    -We added a Mydoom uploader feature.
    My GOD! This is horrendous. Do you pay for this program?! Victim, Mydoom uploader, disable AV products. God... I hope these people pay for this. This is a seriously jacked-up version of SubTen/NetBus, whatever you wanna call it.

    Phaeton

    #12 boogaloo (Registered User; joined Oct 2004; 3 posts)

    yo

    Hey, I found some of the files that Happy Penguin was talking about, but I'm pretty sure it's still there; however, my AVG Anti-Virus still runs, but finds nothing. Here's the message I get:

    Virus found! Trojan Horse BackDoor.prorat.2.S

    Virus found in: C:\System Volume Information\_restore{0BE26A91-5F7B-41C1-94AB-41E7706D4A7}\RP103\A0016536.exe

    I'm guessing that I may have a different version than everyone else? lol
    (By the way, the file I found was "winkey.dll".)
    Any other ideas, people?

    #13 boogaloo (Registered User; joined Oct 2004; 3 posts)

    Quote Originally Posted by boogaloo
    Hey, I found some of the files that Happy Penguin was talking about, but I'm pretty sure it's still there; however, my AVG Anti-Virus still runs, but finds nothing. Here's the message I get:

    Virus found! Trojan Horse BackDoor.prorat.2.S

    Virus found in: C:\System Volume Information\_restore{0BE26A91-5F7B-41C1-94AB-41E7706D4A7}\RP103\A0016536.exe

    I'm guessing that I may have a different version than everyone else? lol
    (By the way, the file I found was "winkey.dll".)
    Any other ideas, people?
    Well, guess what? I found a new one!! How fortunate of me!
    Here's the new message I got (I wonder if I could set a record for most viruses in the last 10 mins....):

    Virus
    Trojan Horse BackDoor.Prorat.2.AE

    Is found in file
    C:\System Volume Information\_restore{0BE26A91-5F7B-41C1-94AB-41E7706D4DA7}\RP106\A0016787.DLL

    ......
    ...so, what do I do?? Some expert come on this and help me!!

    #14 pinhead (Registered User; joined Jul 2002; Pennsylvania; 114 posts)
    Quote Originally Posted by HappyPenguin
    I discovered a whole new folder in the registry that contained not just stuff to launch ProRat but also various bits and pieces of adware, spyware, droppers, trojans, etc. The folder, called 'Search Assistant', was in HKEY_USERS in one of the S-1-5-21-lots-of-numbers folders. Deleting this seemed to effectively stop the virus from running or coming back when the system rebooted.
    The PC I had this on needed to be finished, so we just reloaded it, but recently I've noticed that PCs with Home Search Assistant or Search Assistant in Add/Remove Programs also have a variant of CoolWebSearch on the PC. I've tried a few tools, but nothing seems to fix it. What I ended up doing is looking through the Windows, Windows\system, and Windows\system32 folders file by file for random-character files. It takes a bit of time, but it seems to work.

    Anyway, just wanted to let you know that if you have Search Assistant, check for CoolWebSearch as well...

    Enjoy...

    #15 NooNoo (Driver Terrier; joined Dec 2000; UK; 31,824 posts)
    Quote Originally Posted by boogaloo
    Well, guess what? I found a new one!! How fortunate of me!
    Here's the new message I got (I wonder if I could set a record for most viruses in the last 10 mins....):

    Virus
    Trojan Horse BackDoor.Prorat.2.AE

    Is found in file
    C:\System Volume Information\_restore{0BE26A91-5F7B-41C1-94AB-41E7706D4DA7}\RP106\A0016787.DLL

    ......
    ...so, what do I do?? Some expert come on this and help me!!
    That means it's in System Restore. All you have to do is turn off System Restore so that the old restore files get deleted; bye bye trojan. Reboot, then turn it back on again and set a new restore point.
