
Bitten by Prorat


David W. Hodgins

Mar 22, 2004, 2:00:19 AM
On Mon, 22 Mar 2004 06:20:37 GMT, Al Bundy <postm...@127.0.0.1> wrote:

> I looked at the symantec site. They make it sound simple to remove but NFG.
> This must be some other version.

Searching on the file names, it appears to be prorat-d, which explains
the differences.

See http://www.sophos.com/virusinfo/analyses/trojproratd.html

Try removing the additions to system.ini, and win.ini, reboot into
safe mode, and then fix the registry entries, and delete the
files.

Regards, Dave Hodgins

--
Change nomail.afraid.org to rogers.com to reply by email.
(nomail.afraid.org has been set up specifically for
use in usenet. Feel free to use it yourself.)
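The manual clean-up Dave describes (strip the additions to win.ini and system.ini, then deal with the registry run entries once the machine is in safe mode) is easier to do without missing something if you first list everything that is set to start automatically. The script below is an added example, not code from the thread or from any vendor write-up: it parses the `[windows] run=`/`load=` lines of win.ini, the `[boot] shell=` line of system.ini, and a `.reg` export of the Run keys (including the `policies\Explorer\Run` key asked about later in the thread), and reports anything that is not a known default. All sample input is constructed for illustration; `sservice.exe` is used as a stand-in file name only because it is mentioned later in the thread, and the value names are hypothetical.

```python
"""Audit the legacy autostart locations named in the thread (added example).

Parses win.ini / system.ini and a .reg export offline; it does not touch a
live registry, so it can be run against files copied off the infected box.
"""

# Autostart keys worth checking. The policies\Explorer\Run key is normally
# absent on a default Windows XP install, so its mere presence is of interest.
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
POLICY_RUN_KEY = RUN_KEYS[2]

# Constructed sample input (hypothetical contents, not a real capture).
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\system32\sservice.exe
NullPort=None
[fonts]
"""
SAMPLE_SYSTEM_INI = r"""[boot]
shell=explorer.exe C:\WINDOWS\system32\sservice.exe
[drivers]
wave=mmdrv.dll
"""
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"Updater"="C:\\WINDOWS\\system32\\sservice.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"1"="C:\\WINDOWS\\system32\\sservice.exe"
"""


def parse_ini(text):
    """Return {section: {key: value}} for a Win9x-style .ini; names are lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def ini_findings(win_ini, system_ini):
    """Flag non-empty run=/load= in win.ini and a shell= that is not plain explorer.exe."""
    findings = []
    win = parse_ini(win_ini).get("windows", {})
    for key in ("run", "load"):
        if win.get(key):  # both are empty on a clean system
            findings.append(("win.ini [windows] %s=" % key, win[key]))
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    if shell.lower() != "explorer.exe":
        findings.append(("system.ini [boot] shell=", shell))
    return findings


def parse_reg_export(text):
    """Return {key_path(lower-cased): {value_name: data}} from a regedit export.

    String data in .reg files doubles backslashes and escapes quotes; undo that.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip().strip('"').replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name.strip().strip('"')] = data
    return keys


def reg_findings(reg_text, allowlist=()):
    """Every value under the watched Run keys whose data is not on the allowlist."""
    keys = parse_reg_export(reg_text)
    allowed = {a.lower() for a in allowlist}
    return [
        (path, name, data)
        for path in RUN_KEYS
        for name, data in keys.get(path.lower(), {}).items()
        if data.lower() not in allowed
    ]


def policy_run_key_present(reg_text):
    """True if policies\\Explorer\\Run exists in the export at all, even with no values."""
    return POLICY_RUN_KEY.lower() in parse_reg_export(reg_text)


if __name__ == "__main__":
    for f in ini_findings(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI):
        print("ini  :", f)
    for f in reg_findings(SAMPLE_REG, allowlist=("SOUNDMAN.EXE",)):
        print("reg  :", f)
    print("policy Run key present:", policy_run_key_present(SAMPLE_REG))
```

Run it against copies of win.ini, system.ini and a `regedit /e` export taken from the machine; anything it lists is a candidate to remove once the box is in safe mode. The allowlist is for entries you have already identified as legitimate, so that repeated runs only show what is new.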

FromTheRafters

Mar 22, 2004, 10:51:15 PM

"Al Bundy" <postm...@127.0.0.1> wrote in message news:Xns94B4DA65...@news.verizon.net...

Sorry, I can't help you with your problem. You seem to
know what it is even though you claim it wasn't identified.
??
Anyway, I just wanted to mention that it is not generally
recommended to poke malware files with a stick while it
is still active on the machine.

Some may not take very kindly to the prodding.


Al Bundy

Mar 23, 2004, 1:07:15 AM
"David W. Hodgins" <dhodg...@nomail.afraid.org> wrote in
news:opr484evj8qz8bjc@nntp:

> On Mon, 22 Mar 2004 06:20:37 GMT, Al Bundy <postm...@127.0.0.1>
> wrote:
>
>> I looked at the symantec site. They make it sound simple to remove
>> but NFG. This must be some other version.
>
> Searching on the file names, it appears to be prorat-d, which explains
> the differences.
>
> See http://www.sophos.com/virusinfo/analyses/trojproratd.html
>
> Try removing the additions to system.ini, and win.ini, reboot into
> safe mode, and then fix the registry entries, and delete the
> files.
>
> Regards, Dave Hodgins
>


I've figured out how to get rid of ProratD manually. Everything is running
as before. There is one piece of info I think I know the answer to but
someone please confirm. My OS is Xp home.

Please tell me if this key exists

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]


I don't believe it will exist. But if it does, what is the value.

Thanks again...

David W. Hodgins

Mar 23, 2004, 2:05:49 AM
On Tue, 23 Mar 2004 06:07:15 GMT, Al Bundy <postm...@127.0.0.1> wrote:

> I've figured out how to get rid of ProratD manually. Everything is running
> as before. There is one piece of info I think I know the answer to but
> someone please confirm. My OS is Xp home.

Glad you got it fixed.

> Please tell me if this key exists
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
>
> I don't believe it will exist. But if it does, what is the value.

Sorry, I have win98 and three versions of linux. No eXtra Patch system
here<G>. Hopefully someone else here will respond to your question.

Anti_Freak_Machine

Mar 23, 2004, 2:23:07 AM
Al Bundy wrote:

>
> I've figured out how to get rid of ProratD manually. Everything is running
> as before. There is one piece of info I think I know the answer to but
> someone please confirm. My OS is Xp home.
>
> Please tell me if this key exists
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
>
>
> I don't believe it will exist. But if it does, what is the value.
>
> Thanks again...

Doesn't exist on my system (XP Pro)

--
Super Mike
Mi asno quiere un enano!
[My donkey wants a midget]

FromTheRafters

Mar 23, 2004, 6:04:37 PM

"Al Bundy" <postm...@127.0.0.1> wrote in message news:Xns94B56FBF...@130.81.64.196...
> "FromTheRafters" <!00...@nomad.fake> wrote in
> news:105vd1j...@corp.supernews.com:
> ??
>
> That leaves two choices: Let the malware run or poke and attempt to kill
> it.

Get it to a state where it isn't active, and poke all you want to.
The problem is that some "guardians" may retaliate rather than
just reinstall the file or registry entry that you just removed.

> I'm not going to let it run even if I have to reload the box so I
> might as well poke.

Please feel free to do so, I was only cautioning you.

> If it trashes the system there's no loss. Am I
> missing something in your comments?

No, not really. I just assumed that trashing the system (or run
the chance of running a CIH-like payload) wasn't something
that you wanted to do.

> Critical/non-replaceable already data backed up on CD.

That's a *good* thing. ;o)

I was only saying that it is not generally a good idea to
attempt repairs while the beast is still awake.


Frankenstein

Mar 23, 2004, 9:40:44 PM
I got Prorat myself. The only antivirus program that seemed to work on my
Win98 computer was Avast! antivirus. I had to tinker with the registry a bit
as well.

I deleted a string labelled (5Y99AE78-58TT-11dW--BE53--Y67078979Y) and that
seemed to keep sservice from reinstalling every time I deleted it. After
that, I got the use of NAV and my Zone Alarm came back online. I used NAV to
run a scan and got rid of the rest of this pain in the a** virus. Everything
seems OK now.

Hope this helps...


Al Bundy

Mar 23, 2004, 11:44:45 PM
"FromTheRafters" <!00...@nomad.fake> wrote in
news:1061gk7...@corp.supernews.com:


No biggie. Thanks for the tips. In all my years I've never been
effectively hit. Gettin old :-( So, I'm green at that for sure.

Thanks again.
