
View Full Version : i have a virus problem - please someone help...



tomparadox
17-04-04, 21:51
Here's what i posted in the trojan/spyware thread at the top.

tomparadox
Lord Of Melee


Join Date: March 2003
Posts: 522


Ok i have a serious problem. this may be a "bit" off topic but it can affect my NC account and all that. i have a virus that is in a file called winkey.dll and wininv.dll, i know this is a virus because everyone i talked to that has XP does not have this except me and my m8, norton also told me it's a virus but it couldn't get rid of it, an online scanning thing ( forgot name of it ) said it's a virus but can't get rid of it cos it's being accessed by a different program, it's blocking my MSN mail, AOL mail or anything like that except this site, neocron, my website, and my yahoo mail. the information said it's some kinda backdoor trojan or something like that that gives access to my computer to a certain person that has a tool that they made or something like this. i downloaded panda titanium and all that, it can't detect it. it won't update itself, but yet on my laptop it detected it and removed it.. can anyone please tell me how to get this virus off my computer? and formatting it is not an option because i can't atm...


edit : btw these 2 files ( winkey.dll and wininv.dll ) are both in windows/system32 on my windows XP comp...
______
J. Folsom



Assuming the virus you're talking about is Backdoor.Prorat, then these should be the full removal instructions from Symantec. Since you're using Norton these should be accurate...
______
Tomparadox


yea, that's what they said it is... i'll try that and see if it helps. do these also block my MSN and all that?

see. the thing is i can't delete it... it says access denied or something like that because it's in use by another program :/...


edit: yea i just did all that it said, i found the reg things and deleted em but every time the anti virus tries to delete it it says it can't repair it and access is denied.
Last edited by tomparadox : Today at 13:08.



i used the ---- to indicate the separate post, i made this a new post to try to get help faster...

@J. Folsom i did your advice in that post and it didn't work :/ kept saying access denied as i said above.

@All, this time i went into safemode, renamed the thing and it came back. i renamed it in regular mode, deleted all the text in it and saved it with the old file name " winkey.dll" just with no text in it ( or code), it came back, WTF, WHY DOES IT KEEP COMING BACK :/. does anyone know how to fix this other than reformatting my damn computer which i just had to fucking do less than a month ago?

Moofausa
17-04-04, 22:01
You = /set kill_self 1

tomparadox
17-04-04, 22:02
yep =p, i know who made it. it says in the damn file "P@O group" whoever the hell that is....

LiL T
17-04-04, 22:14
Funny you post this as today I had every damn virus scanner, trojan and port scanner trying to trash some pest on my computer. I knew it was there as my modem was active all the time even when not doing anything; I thought it might be spyware. But I did every possible check on my system and still could not work out why my computer seemed to be downloading something. As I remembered the last time my computer acted this way was because of a trojan, I backed up everything and my beloved neocron onto my second hard disk.

Then yep, you guessed it, REFORMAT :mad: bloody pisses me off, these wankers that write these programs. 4 hours later, after updating my windows and stuff, I'm on here reading this thread with neocron ready to reinstall, what a waste of my time eh :mad:

LiL T
17-04-04, 22:19
Well at least you know what it is, so you can run a search on the trojan name on the web and get removal instructions. Normally it means editing the registry but if you print them out it's not that hard.

Step by step I removed a trojan this way so that it never comes back, good luck :)

Edit: The reason why it keeps coming back is because it will have one or many startup methods; it will likely be in the registry, or it might be in win.ini or system.ini, or it might be in all of them. You will need to find manual removal instructions on the web on which registry keys need deleting before you can delete those files that are in use by the system.

Here's a start (http://www.altavista.com/web/results?q=Backdoor.Prorat+P@O+group&kgs=0&kls=1)

spongeb0b
17-04-04, 22:36
http://housecall.trendmicro.com/housecall/start_corp.asp <---- this is a very good free virus scanner.... Otherwise go into safe mode and delete it that way, or look through all your processes that you are running and delete any anomalies....hmmmm else you're fucked :)

tomparadox
17-04-04, 22:38
ty, i've been trying to find the trojan removal instructions, but i think i found the program they use to access your computer Oo ( i'm not posting the link). i might just reformat the comp :/ the instructions symantec ( norton ) gave me don't work cos it won't delete it :/... this'll be the 3rd time i've reformatted this computer. so damn annoying...

tomparadox
17-04-04, 22:40
sorry for spam..
http://housecall.trendmicro.com/hou.../start_corp.asp <---- this is a very good free virus scanner.... Otherwise go into safe mode and delete it that way, or look through all your processes that you are running and delete any anomalies....hmmmm else you're fucked

i use that scanner. didn't work, won't clean it or delete it, says access is denied. i think it's masking its process somehow. tried safemode, it said it was denied so i just renamed it to like .1244qdasdq instead of .dll and it still came back and left the .141413212 or whatever i named it...

naimex
17-04-04, 22:45
http://www.grisoft.com/us/us_index.php

that one is free, haven't met a virus it couldn't clean yet.

spongeb0b
17-04-04, 22:45
Surely if you could have changed the file name whilst in safe mode, and it stayed the same, then you could delete it? Did you try to delete it yourself? if it's masking its process it'll probably be masked as an SVChost....but the trick is to delete the right one, otherwise your computer shuts itself down (personal experience here -DF :lol: ) .... Hmmmmm otherwise, yeah go with the reinstall.


DarknessFairy :p

LiL T
17-04-04, 22:46
Most virus scanners only attempt to delete the files but this won't fix it if it starts up by the methods I mentioned above ^^^

Failing that, reformat and it will be gone :lol: but yeah, pain in the arse it is. Trojans are the worst type and hardest to get rid of, as the hacker that wrote it will make it very hard to remove; that's his aim so he can continue to intrude on your computer. You're just lucky you found it, people lose personal info like bank details through these.

tomparadox
17-04-04, 22:50
yea i tried manually deleting it and all that, i can't find its process, but i'll try that above mentioned online virus scanner. i'll brb with the virus it couldn't remove =p

naimex
17-04-04, 22:53
It's not always that a reformat will do..


And unless you're certain that it's a virus and not a worm then you should keep that in mind..


most worms have a tendency of leaving a shadow version of themselves in memory, or in partition info, making them just come back all the time.



viruses are pieces of code being put into a file's code.

worms are pieces of code replacing or adding to a file's code, or simply a file of their own.


if it masks itself as an SVCHOST service, then it has some files inside the windows library somewhere; these "independent" files must be located and deleted, and the dependent files must be cleaned.


most worms and viruses become harmless with a FULLY updated windows (XP).

You should check whether or not your windows is fully updated.

also,

see if you can have taskmanager, regedit, any antivirus program, or windows update running for at least a few minutes, since most newer worms and viruses have a self defense mechanism, closing any of the before mentioned programs down as soon as they are able to, making it damn hard to do anything about them.

tomparadox
17-04-04, 22:57
tried updating windows. it won't let me update it.... the auto updater says it can't connect to my computer...

LiL T
17-04-04, 23:02
When you run the virus checker, what's its name? as there are many strains of it. if you tell me this I will find out removal instructions for you, they're a pain in the arse mind cos they're manual

is it any of these by any chance:- Backdoor.Prorat.13, BDS/Prorat.13.D
Backdoor.Prorat.16, BDS/Prorat.16
BKDR_PRORAT.13
BKDR_PRORAT.16

Lots of the same one different strains and all have different startup methods

tomparadox
17-04-04, 23:14
ok, TY ill go find out the name of it.

LiL T
17-04-04, 23:15
Well this looks like the little beast, and a nasty one at that

http://www.pestpatrol.com/pestinfo/p/prorat.asp

Yeah if it were me I would reformat cos removing that takes the piss, so many files to remove and registry keys

jiga
17-04-04, 23:18
My PC started opening programs by itself today :wtf:
wonder if this has anything to do with it

tomparadox
17-04-04, 23:19
Ok i looked in the winkey.dll and it says "[ProRat v1.4 Trojan Horse - Coded by PŪO Group - Made in Turkey] " and inside the wininv.dll it doesn't say. i also ran the trendmicro online scan and it says "BDK PRORAT.13" for some reason it's not finding the wininv.dll but i think it's the same thing...

edit:
My PC started opening programs by itself today
wonder if this has anything to do with it

yea. the program i found associated with this virus when i looked it up online seems to be able to do all the shit like format the computer and run programs and all this other crap ( i don't use it, i just looked at it )

edit2:
Well this looks like the little beast and a nasty one at that

http://www.pestpatrol.com/pestinfo/p/prorat.asp

Yeah if it were me I would reformat cos removing that takes the piss, so many files to remove and registry keys
i just looked at that and the things it says to close like client.exe in the taskmanager/processes aren't there...

LiL T
17-04-04, 23:49
The only thing I can suggest is ctrl + alt + delete, click the processes tab and kill any process other than these

nvsvc32.exe (I think this is my nvidia card)
alg.exe ( not sure what this is but leave it)
explorer.exe
spoolsv.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe (yeah there's a lot of these but if it's in capital letters bin it)
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
system
system idle process

^^^ leave any of these alone, kill the rest. I reinstalled windows today, this is my process list, it's clean from any crap

Click start Then Run type in:- Regedit
Then search for winkey.dll with the find key option and delete any keys with reference to this file then reboot and try deleting winkey.dll file.

I would leave wininv.dll alone though as I don't think that has anything to do with the virus

Edit: I think if you can kill the process and delete winkey.dll without it coming back it will be problem solved, as that's where the trojan lives, in that file. You saying you can't delete winkey.dll means it's in use; find the running process, kill it, then delete it anyway. good luck.

LiL T
18-04-04, 00:03
Nah even better for you :)

enter this in the run box in the windows start menu

regsvr32 /u c:\windows\system32\winkey.dll

that will unregister that DLL file, and then reboot and delete it. hope that one works

tomparadox
18-04-04, 00:06
ok, thx ill go try it brb...

tomparadox
18-04-04, 00:17
nope... won't let me delete the file. i closed all processes but the ones you listed, then searched regedit for winkey.dll, deleted all of the things it came up with, then rebooted, it ran a scandisk Oo and it won't let me delete it... maybe i'll just format it tonight :/ better start backing up the shit i need...

LiL T
18-04-04, 00:22
damn I hate the people in this world that write these things. 3 times I have got one of these trojans, don't know how I get them.

tomparadox
18-04-04, 00:28
yea, if you ask me people that write viruses are probably some ****** ass 13 year olds that think they're badass cos they can make one...

nobby
18-04-04, 01:08
a dll file you call a virus...hmm........
well in my 13 years of being alive i have never been hit by a virus that is a dll file.
most common is .exe
how are you sure that this IS a virus exactly?

tomparadox
18-04-04, 01:46
erm? you must not know a whole lot about them =p this virus is a DLL, it's a special trojan that gives someone else access to your computer. it's a DLL that apparently attaches itself to the OS itself or something...

nobby
18-04-04, 01:55
ah right
didn't know :lol:

Kenjuten
18-04-04, 02:56
some 'special' viruses are capable of writing to and thus replacing/corrupting critical windows dll files...very bad if this happens.


Kinda felt like that would add to the thread somehow, sorry if it didn't. ^^;

tomparadox
18-04-04, 03:52
it did =p i don't know a lot about viruses myself...

Scikar
18-04-04, 04:17
Btw the features of it make it a trojan, and not a virus. ;)

I can't see how deleting it isn't working though, if you've followed the instructions on antivirus sites it shouldn't be a problem. Try going to start-->run and type msconfig. Load that up and go to the Startup tab. Scroll down the list and find any references to that list of processes above (things like Client.exe). It's possible the trojan can hide the processes when you hit Ctrl+Alt+Del, which is why they don't show up but you can't delete the files. If you find any references, clear the checkbox next to them, and then check the registry key which corresponds to it. Load up regedit and delete those entries, then reboot and try to delete the files again. You might also find lots of other stuff in the Startup list which isn't needed and is just slowing down your comp, try www.pacs-portal.co.uk (http://www.pacs-portal.co.uk) for a list of processes to see which ones you can kill.

Sleawer
18-04-04, 06:27
It would help if you posted a hijackthis log here to see what's running. It served me well to check what is 'really' running, at least until I started to mess more often with the registry keys manually.

http://www.spywareinfo.com/~merijn/files/hijackthis.zip if you don't have the program.

tomparadox
18-04-04, 17:11
i'll take a look at it... oh and client isn't running so i don't think it's called client...

Scikar
18-04-04, 18:53
The site says it can 'hide' from the process list. Just because it's not there doesn't mean it's not running, that's why you should check msconfig and see if it's listed to start up. Since you can't delete the file, it suggests that the program is in fact running.
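The manual checks LiL T and Scikar describe above (search the registry and win.ini/system.ini for any reference to the DLL, then work out which running process has the file open so that "access denied" makes sense) can be done in one read-only pass. The script below is an added example, not code from anyone in this thread; it assumes a current Windows host with PowerShell, which the poster's 2004-era XP machine would not have had, and it takes the file name `winkey.dll` from the thread only as the default search term. It reports findings and deletes nothing, so the decision of what to remove stays with the person reading the output.

```powershell
# Added example (not from the thread): read-only audit of the autostart locations the
# posts above mention (Run keys, Winlogon, AppInit_DLLs, win.ini / system.ini) plus a
# check of which running processes currently have a given DLL mapped.
# Assumption: Windows with PowerShell 5.1 or later; run from an elevated prompt so that
# more processes allow their module list to be read.
param(
    [string]$Needle = 'winkey.dll'   # file name from the thread; substitute the one you are tracing
)

# Autostart registry locations that 2004-era trojans commonly used to come back after a reboot.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',   # Shell= / Userinit=
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'     # AppInit_DLLs
)

function Find-AutostartReference {
    param([string]$Pattern)
    $escaped = [regex]::Escape($Pattern)

    # Registry: every value under each key whose data mentions the file name.
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own PSPath/PSParentPath metadata
            if ("$($p.Value)" -match $escaped) {
                [pscustomobject]@{ Where = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }

    # INI files: the [windows] load= / run= and [boot] shell= lines LiL T refers to.
    foreach ($ini in @("$env:windir\win.ini", "$env:windir\system.ini")) {
        if (-not (Test-Path $ini)) { continue }
        Get-Content $ini | Select-String -Pattern $escaped | ForEach-Object {
            [pscustomobject]@{ Where = $ini; Name = "line $($_.LineNumber)"; Value = $_.Line }
        }
    }
}

function Find-ProcessWithModule {
    param([string]$ModuleName)
    # A file that reports "access denied" on delete is normally mapped into a live process;
    # listing each process's loaded modules shows which one, even if the process name is
    # something innocuous like svchost.exe (the case spongeb0b describes).
    foreach ($proc in Get-Process) {
        try {
            $hits = $proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }
        } catch {
            continue   # protected or higher-privilege processes refuse module enumeration
        }
        foreach ($m in $hits) {
            [pscustomobject]@{ PID = $proc.Id; Process = $proc.ProcessName; Path = $m.FileName }
        }
    }
}

"Autostart entries referring to $Needle"
Find-AutostartReference -Pattern $Needle | Format-Table -AutoSize
"Processes with $Needle loaded"
Find-ProcessWithModule -ModuleName $Needle | Format-Table -AutoSize
```

Two things the output tells you that Task Manager alone does not: the `Where`/`Name` columns identify the exact registry value or INI line that re-launches the file at boot (so the file stops "coming back" once that entry is gone), and the `PID` column names the process that has the DLL mapped, which is why a plain delete fails. On a current system the same ground is covered more completely by Sysinternals Autoruns, which postdates this thread; the script is the minimal version of that check.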