Removal of ProRat and attached Virusses

Subject: Removal of ProRat and attached Virusses Wed 26 Nov 2008, 2:02 pm

Dear members,

If you want to remove PROrat and its virusses you need not only need to edit your registery but start in Safe Mode too. So if you want to remove the virus print this page. I will also make an TXT file for those who dont have an printer.

Since i cant type backslashes replace every slash for a backslash

Here we go.

Windows 2000/NT/XP

for Windows 95/98/ME skip step number 11,12

Quote :

Step 1
Go to Start > Run

Step 2
type regedit and press enter ok click ok

Step 3
Navigate to this key HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run

Step 4
Delete this value MSNMESENGER"="%System%/Main.exe

Step 5
Navigate to this key HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/
Policies/Explorer/Run

Step 6
Delete this value DirectX for Microsoft Windows"="%System%/Fservice.exe

Step 7
Navigate to this key HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Active Setup/Installed Components/{5Y99AE78-58TT-11dW-BE53-Y67078979Y}

Step 8
Delete this value DirectX for Microsoft Windows"="%System%/Sservice.exe

Step 9
Navigate to this key HKEY_CURRENT_USER/SOFTWARE/Microsoft/Windows/CurrentVersion/Run

Step 10
Delete this value StubPath"="C:/Windows/system/Sservice.exe

Step 11
Navigate to this key HKEY_LOCAL_MACHINE/Software/Microsoft/Windows NT/CurrentVersion/Winlogon

Step 12
Modify this"Shell"="explorer.exe %System%/Fservice.exe" into this "Shell"="explorer.exe"

Step 13
Exit your Registry Editor and restart your PC in Safe mode with Command prompt (shut down then start up and hit and hold F8 untill and black screen with white letters appears)

Step 14
log on your own account and then you should see command prompt on the left and nothing else exept maybe some writing like Safe Mode Windows blahblahblah.

Step 15
type in cd/windows like that.

Step 16
type in erase services.exe

Step 17
Then type in cd/windows/system

Step 18
Type in erase sservice.exe like that. I did not misspelled it.

Step 19
Then type in cd/windows/system32

Step 20
Then type the following codes in

Code:: [i]erase C:/windows/system32/reginv.dll
erase C:/windows/system32/fservice.exe
erase C:/windows/system32/winkey.dll
erase C:/windows/system32/wininv.dll[/i]

Step 21
Then type in cd/ and then start explorer Note: you dont have internet

Step 22
Browse to your windows folder and check if the following files are deleted.
Code:

Code:: [i]C:/windows/system32/reginv.dll
C:/windows/system32/fservice.exe
C:/windows/system32/winkey.dll
C:/windows/services.exe
C:/windows/system/sservice.exe
C:/windows/system32/wininv.dll[/i]

Step 23
If you havent deleted it already delete PROrat without running it. the go to Start > Run again and if the following still exsist. If so delete/modify it again.
Code:

Code:: [b]HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run[/b]

MSNMESENGER"="%System%/Main.exe

[b]HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/WindowsCurrent/Version/
Policies/Explorer/Run[/b]

DirectX for Microsoft Windows"="%System%/Fservice.exe

[b]HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Active Setup/Installed Components/{5Y99AE78-58TT-11dW-BE53-Y67078979Y}[/b]

DirectX for Microsoft Windows"="%System%/Sservice.exe

[b]HKEY_CURRENT_USER/SOFTWARE/Microsoft/Windows/CurrentVersion/Run[/b]

StubPath"="C:/Windows/system/Sservice.exe

[b]HKEY_LOCAL_MACHINE/Software/Microsoft/Windows NT/CurrentVersion/Winlogon[/b]

"Shell"="explorer.exe %System%/Fservice.exe" must be "Shell"="explorer.exe"

Step 24
Now restart your PC again and browse to your windows folder again to check if these files are gone. if not repeat from step 1.

Code:: [i]C:/windows/system32/reginv.dll
C:/windows/system32/fservice.exe
C:/windows/system32/winkey.dll
C:/windows/services.exe
C:/windows/system/sservice.exe
C:/windows/system32/wininv.dll[/i]

Step 25
Run your virusscanner to check for virusses. Now it should say nothing unless you have other virussses or hacks.

Congratulations. Your PC is now Good to Go again. Have a nice day. Twisted Evil