Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virusprotect 3.8 Infection


  • Please log in to reply
8 replies to this topic

#1 t33r0y

t33r0y

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, VA
  • Local time:10:22 AM

Posted 24 November 2007 - 01:43 PM

Hello,

This is my first post to your forums. Yesterday my wife infected her computer with the VirusProtect 3.8 malware. I tried a few things but could not get rid of the tray icon that kept popping up. I ran a Spybot S&D, NOD32 and AdAware 2007 scan and all eventually came up clean but the tray icon was still there. I then tried a system restore and now the tray icon is gone and all new scans are clean. I actually uninstalled NOD32 (trial period was almost up anyway) and reinstalled my F-Secure 7 licensed software on her computer that we get from work.

My question is, do you think that everything is fine now or do I still need to use the smitfraud removal tool?

Just wondering.

Troy

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:22 AM

Posted 24 November 2007 - 02:41 PM

I would say to be truly safe as it may still resize in a restore point is to run The BC removal tool. Use the automated removal. Instruction link How to remove VirusProtect or Virus Protect (Removal Instructions)
Get a new version of the Smitfraud Tool
I would still follow with a (click link>>) SUPERAntiSpyware
Running it from Safe Mode. How to start Windows in Safe Mode
Install it ,it will create a desktop icon. Open it with that icon, and Update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.

Then reboot into Safe Mode. Run a complete scan of the root drive,usually C:\
Click OK for the summary box to quarantine All items found,(make certain they are all checked first.
Click yes to reboot.

Please post back with the Results of theses scans ,as there is one more step if all has been removed.

Edited by boopme, 24 November 2007 - 02:43 PM.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 t33r0y

t33r0y
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, VA
  • Local time:10:22 AM

Posted 24 November 2007 - 06:44 PM

I did the smitfraud scan and a scan using SUPERAntiSPyWare. I forgot to save the log from the smitfraud.exe file but it only found some .url files and deleted them from the temp folder. The SUPERAntiSpyware only found some tracking cookies.

What is this last step?

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,907 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:22 AM

Posted 24 November 2007 - 07:12 PM

The smitfraudfix log (called rapport.txt) is automatically saved to the root of the system drive, usually at C:\rapport.txt. Please copy/paste the contents of that report into your next reply.

Also advise if your getting any more pop ups from the system tray.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 t33r0y

t33r0y
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, VA
  • Local time:10:22 AM

Posted 24 November 2007 - 09:34 PM

Thanks, here is the report.

SmitFraudFix v2.253

Scan done at 16:26:46.71, Sat 11/24/2007
Run from C:\Documents and Settings\xxxx\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts


127.0.0.1 localhost

Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\xxxx\FAVORI~1\Online Security Test.url Deleted

DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{582876A5-2746-4D1E-A989-A04EA2FF9496}: DhcpNameServer=208.67.222.222 208.67.220.220 209.145.84.131
HKLM\SYSTEM\CS1\Services\Tcpip\..\{582876A5-2746-4D1E-A989-A04EA2FF9496}: DhcpNameServer=208.67.222.222 208.67.220.220 209.145.84.131
HKLM\SYSTEM\CS3\Services\Tcpip\..\{582876A5-2746-4D1E-A989-A04EA2FF9496}: DhcpNameServer=208.67.222.222 208.67.220.220 209.145.84.131
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220 209.145.84.131
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220 209.145.84.131
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=208.67.222.222 208.67.220.220 209.145.84.131


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

#6 t33r0y

t33r0y
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, VA
  • Local time:10:22 AM

Posted 24 November 2007 - 11:21 PM

Sorry, I forgot to say that I am no longer gettng the popups. I was not getting them after I did the system restore.

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,907 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:22 AM

Posted 25 November 2007 - 08:11 AM

Good job.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recent Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 t33r0y

t33r0y
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, VA
  • Local time:10:22 AM

Posted 25 November 2007 - 11:34 AM

Thank you for the very timely replies. I will have to definately check this site more often since I am in the IT department at work but I am a network engineer so I do not deal with the desktop issues anymore. I am always being asked to help people with their computers and home networks. I am sure you are also.

Again, thank you!

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,907 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:10:22 AM

Posted 25 November 2007 - 01:29 PM

Your welcome. :thumbsup:

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"The Ten Most Dangerous Things Users Do Online".
"The 10 Biggest Security Risks".
"Hardening Windows Security - Part 1" and "Hardening Windows Security - Part 2".
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users