Full Version: Help With Privacy Protector Virus
BleepingComputer.com > Security > Am I infected? What do I do?
cptnick
I am working on trying to rid my friend's comp of the privacy protector virus (red biohazard screen on desktop). I have downloaded and burned onto a CD: Hijackthis, AVG, Superantispyware, Smitfraudfix, Spybot, and the latest version of Firefox. Currently his computer cannot connect, apparently due to the virus. I am somewhat familiar with these programs, as I had a nasty virus I couldn't rid myself of a while back. Please direct me as to what to do with each program; I would really appreciate it.


Mike
DaChew
Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
DaChew
We will also need to get ATF Cleaner, the manual updates for SAS, and download Malwarebytes Anti-Malware and its updates.

There may be another one or two also; wait to burn another CD.

Do you have a USB drive? We need to get logs back from the infected machine; we will disinfect/immunize the drive first, though.
cptnick
hi Chewy, thanks for the info. I was following a procedure to remove this that was posted on majorgeek.com. It had me Install Superantispyware, Spybot, Malwarebytes anti-malware, combofix, and MG Tools. I couldn't use the internet before, and the virus wouldn't let me install Superantispyware. So I used Malwarebytes, and it found and removed some stuff, but the internet still wasn't working. I then used Smitfraud, option 2, and it got the internet going again, and I was able to install Superantispyware. So I was able to go through the list I mentioned. I have logs for Superantispyware, Combofix and MGtools, which I could post.
boopme
Post the MBAM and SAS logs, please.
cptnick
here is the SAS report

Generated 05/09/2008 at 09:06 PM

Application Version : 4.0.1154

Core Rules Database Version : 3456
Trace Rules Database Version: 1448

Scan type : Quick Scan
Total Scan Time : 00:04:29

Memory items scanned : 536
Memory threats detected : 0
Registry items scanned : 444
Registry threats detected : 4
File items scanned : 4210
File threats detected : 5

Adware.MyWebSearch
HKU\PE_C_JACKSON\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}
HKU\PE_C_KARLA\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}

Adware.Tracking Cookie
C:\Documents and Settings\Joe\Cookies\joe@adnetserver[1].txt
C:\Documents and Settings\Joe\Cookies\joe@sale.antispywaremaster[2].txt
C:\Documents and Settings\Joe\Cookies\joe@advancedcleaner[1].txt
C:\Documents and Settings\Joe\Cookies\joe@secure.advancedcleaner[1].txt
C:\Documents and Settings\Joe\Cookies\joe@antispywaremaster[1].txt

Browser Hijacker.Internet Explorer Settings Hijack
HKU\PE_C_KARLA\Software\Microsoft\Internet Explorer\Main#Start Page [ http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2 ]

Adware.Zango/ShoppingReport
HKU\PE_C_JACKSON\Software\ShoppingReport
cptnick
here is the mbam report, though it said it found nothing

Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Quick Scan
Objects scanned: 36839
Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
boopme
I forgot to ask did you run the Cleaning (part 2) of SmitfraudFix from safe Mode?
cptnick
yes I did, but before I ran SAS, mbam, Spybot, Combofix and MGtools.
boopme
You still have the Privacy Protector icon in the system tray or a warning from it on your desktop?
cptnick
also, let me add that the computer seems almost back to normal, but there are these windows ".dll" and "checkdsk" missing file messages that keep popping up occasionally. That biohazard screen is gone, and I think there is still a browser hijack attached to internet explorer.
cptnick
um, there is no viruprotect icon; there's actually no icons on the desktop that look suspicious. There's only one in the add/remove programs area that looks suspicious, and it is the "freeze.com" toolbar. I can't remove it because every time I click the button to change/remove it, it does nothing.
cptnick
I just went through the other 2 user desktops and everything appears normal, just getting those .rundll warnings
boopme
This dll message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it, since the file was most likely removed during an anti-virus or anti-malware scan.

To resolve this, download Autoruns, search for the related entry and then delete it.
Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there.
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message.
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.
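The orphaned-startup-entry check boopme describes, as an added example that is not from this thread or from the Autoruns tool: it walks the common Run/RunOnce keys and reports entries whose target file is no longer on disk, which is what produces the "missing .dll" / rundll messages after a scanner has removed the file. It assumes Windows PowerShell 5.1 or later; Autoruns itself covers many more autostart locations than these four keys.

```powershell
# Added example (not from the thread): flag Run/RunOnce startup entries whose
# target file no longer exists on disk, the orphaned entries behind the
# "cannot find ... .dll" / rundll messages. Assumes Windows PowerShell 5.1+.
function Get-StartupImagePath {
    param([string]$Command)
    # Expand %SystemRoot% etc., then pull out the file the loader will try to open.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    $parts = $cmd -split '\s+', 2
    # rundll32 entries: the DLL named in the argument is what goes missing
    if ($parts[0] -match '(?i)rundll32(\.exe)?$' -and $parts.Count -gt 1) {
        return ($parts[1] -split ',', 2)[0].Trim('"')
    }
    return $parts[0]
}
function Test-StartupFile {
    param([string]$Path)
    if ([System.IO.Path]::IsPathRooted($Path)) { return Test-Path -LiteralPath $Path }
    # Bare name: the loader looks in System32, then along PATH
    if (Test-Path -LiteralPath (Join-Path $env:SystemRoot "System32\$Path")) { return $true }
    return [bool](Get-Command $Path -ErrorAction SilentlyContinue)
}
function Find-OrphanedRunEntries {
    $subkeys = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($sub in $subkeys) {
            $key = "$hive\$sub"
            if (-not (Test-Path $key)) { continue }
            $item = Get-Item -Path $key
            foreach ($name in $item.GetValueNames()) {
                $command = [string]$item.GetValue($name)
                if (-not $command) { continue }
                $image = Get-StartupImagePath -Command $command
                if (-not (Test-StartupFile -Path $image)) {
                    # Check each hit against the error message before deleting it in Autoruns
                    [PSCustomObject]@{ Key = $key; Name = $name; Command = $command; MissingFile = $image }
                }
            }
        }
    }
}
Find-OrphanedRunEntries | Format-Table -AutoSize
```

An unquoted path containing spaces (C:\Program Files\... without surrounding quotes) will be reported as missing because only the first token is tested, so confirm each hit by hand before removing it.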
cptnick
ok, I installed and ran it, looking through the list right now. It is very long on the tab "everything," which tab is it under?
cptnick
should I get rid of the ones that say "file not found" under image path?
boopme
Yes
cptnick
ok, I deleted them all, there were a couple dozen.. rebooting
cptnick
ok, I'm not getting the messages anymore! I even was able to switch the background to normal. Do you think this thing is clean now?
boopme
Ok, great job!! I would think so. If you want to do one more scan, an online scan, and post back, it's fine with me. Also, are your Windows updates up to date and is Java running the latest version (if installed)?

Please run a BitDefender Online Scan
  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Save the report to your desktop so you can post it in your next reply.
cptnick
ok I'm having some trouble getting IE to accept ActiveX, I think it keeps blocking it. I set the security levels way down but it still isn't working
cptnick
ok, got it to accept
cptnick
ok, it is scanning, I will post the log as soon as it's done. Thank you soooo very much for your quick replies, I really appreciate it! My friend will be very happy to see his computer working again!
boopme
OK, I'll be back tomorrow.
cptnick
ok, here is the log

BitDefender Online Scanner

Scan report generated at: Fri, May 09, 2008 - 23:49:54

Scan path: C:\;D:\;E:\;

Statistics
Time: 00:25:10
Files: 164940
Folders: 5774
Boot Sectors: 4
Archives: 3307
Packed Files: 7162

Results
Identified Viruses: 3
Infected Files: 14
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 26

Engines Info
Virus Definitions: 1191025
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 16
Archive plugins: 42
Unpack plugins: 7
E-mail plugins: 6
System plugins: 5

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions: 
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3246438C.exe=>(Quarantine-2)
    Infected with: Trojan.Patched.U
    Disinfection failed
    Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4CA1393C.exe=>(Quarantine-2)
    Infected with: Trojan.Patched.U
    Disinfection failed
    Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\567661E4.exe=>(Quarantine-2)
    Infected with: Trojan.Patched.U
    Disinfection failed
    Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\567D35DD.exe=>(Quarantine-2)
    Infected with: Trojan.Patched.U
    Disinfection failed
    Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\56805FD9.exe=>(Quarantine-2)
    Infected with: Trojan.Patched.U
    Disinfection failed
    Deleted
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7B491F3E.exe=>(Quarantine-2)
    Infected with: Trojan.Patched.U
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008716.exe=>(Quarantine-2)
    Infected with: Trojan.Patched.U
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008717.exe=>(Quarantine-2)
    Infected with: Trojan.Patched.U
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008718.exe=>(Quarantine-2)
    Infected with: Trojan.Patched.U
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008719.exe=>(Quarantine-2)
    Infected with: Trojan.Patched.U
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008720.exe=>(Quarantine-2)
    Infected with: Trojan.Patched.U
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0008721.exe=>(Quarantine-2)
    Infected with: Trojan.Patched.U
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0003021.ini
    Infected with: Trojan.Vundo.DVS
    Disinfection failed
    Deleted
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0006024.exe
    Detected with: Adware.NewDotNet.BK
    Deleted
DaChew
http://www.bleepingcomputer.com/forums/ind...st&p=818357


I would clean up my system restore points

and empty Norton's quarantine.
cptnick
done, thank you guys so much! You rock!