
Seem To Be Infected With: Viruswebprotect.com


7 replies to this topic

#1 BN_Iowa


  • Members
  • 7 posts

Posted 26 March 2008 - 01:45 PM

I have a notebook that is continually getting pop-ups saying it is infected with: Worm.win32.netsky

Operating System is: XP Pro - Sp2

On 03/24 at 7:52 it ended up with the following icons added to the desktop:
Spyware & Malware Protection
Privacy Protector
Error Cleaner

All three point back to http: viruswebprotect.com

The desktop background was changed to a message that says there is an infected file and to click on a link, which points to http: antispyware-reviews.biz

I have not clicked on any of the links only went to the properties to see where they went.

Trend Micro's OfficeScan said it was out of date, so I did update before unplugging from the network. Ran a full scan, but it came up clean.

Ran a full Spy Sweeper scan, following is the log for what was quarantined:

I have kept the computer off the network, and it continues to give pop-ups requesting access to the internet to fix the problem. I would really appreciate some help on removing this off of the notebook.

Thanks - Bonnie


********
2008-03-20 7:55 AM: | Start of Session, Thursday, March 20, 2008 |
2008-03-20 7:55 AM: Spy Sweeper Enterprise Started
2008-03-20 7:55 AM: Memory Shield is On
2008-03-20 7:55 AM: "hosts" file Shield is On
2008-03-20 7:55 AM: IE Hijack Shield is On
2008-03-20 7:55 AM: Spy Installation Shield is On
2008-03-20 7:55 AM: Startup Shield is On
2008-03-20 12:09 PM: Startup Shield Detection: item removed, antiviirus : C:\Program Files\antiviirus.exe
2008-03-20 12:10 PM: Startup Shield Detection: item removed, luvniwnj : C:\WINDOWS\system32\luvniwnj.exe
2008-03-20 12:10 PM: Spy Installation Shield Detection: Item Quarantined, inet delivery
********
2008-03-20 1:50 PM: | Start of Session, Thursday, March 20, 2008 |
2008-03-20 1:50 PM: Spy Sweeper Enterprise Started
2008-03-20 1:50 PM: Memory Shield is On
2008-03-20 1:50 PM: "hosts" file Shield is On
2008-03-20 1:50 PM: IE Hijack Shield is On
2008-03-20 1:50 PM: Spy Installation Shield is On
2008-03-20 1:50 PM: Startup Shield Detection: item removed, antiviirus : "C:\Program Files\antiviirus.exe"
2008-03-20 1:50 PM: Startup Shield is On
2008-03-20 1:50 PM: Removing From Quarantine: inet delivery
2008-03-20 2:00 PM: Sweep Started: 3/20/2008 2:00:19 PM
2008-03-20 2:00 PM: Spy Sweeper version: 3.1.0.1844
2008-03-20 2:00 PM: Spy Definition version: 1112
2008-03-20 2:00 PM: Sweep Known Directories Only
2008-03-20 2:00 PM: Sweep Memory: True
2008-03-20 2:00 PM: Use Sandbox: False
2008-03-20 2:00 PM: Sweep Registry: True
2008-03-20 2:00 PM: Sweep Cookies: False
2008-03-20 2:07 PM: Sweep Completed
2008-03-20 2:07 PM: Sweep Quarantine Process Start
2008-03-20 2:07 PM: Adware [1] found: keyhost hijacker - jraun Action: Quarantined
2008-03-20 2:07 PM: Adware [1] found: logih adware Action: Quarantined
2008-03-20 2:07 PM: Adware [1] found: mindset interactive - favoriteman Action: Quarantined
2008-03-20 2:07 PM: Trojan Horse [2] found: trojan-backdoor-5sec Action: Quarantined
2008-03-20 2:07 PM: Adware [1] found: safesurf Action: Quarantined
2008-03-20 2:07 PM: Trojan Horse [2] found: trojan-downloader-zlob Action: Quarantined
2008-03-20 2:07 PM: Trojan Horse [2] found: trojan-ace-x Action: Quarantined
2008-03-20 2:07 PM: Adware [1] found: golden palace casino Action: Quarantined
2008-03-20 2:07 PM: System Monitor [3] found: absolute keylogger Action: Quarantined
2008-03-20 2:07 PM: Adware [1] found: inet delivery Action: Quarantined
2008-03-20 2:07 PM: Trojan Horse [2] found: magiccontrol Action: Quarantined
2008-03-20 2:07 PM: Sweep Quarantine Process End
2008-03-20 2:07 PM: Removing From Quarantine: absolute keylogger
2008-03-20 2:07 PM: Removing From Quarantine: trojan-downloader-zlob
2008-03-20 2:07 PM: Removing From Quarantine: trojan-backdoor-5sec
2008-03-20 2:07 PM: Removing From Quarantine: trojan-backdoor-5sec
2008-03-20 2:07 PM: Removing From Quarantine: mindset interactive - favoriteman
2008-03-20 2:07 PM: Removing From Quarantine: magiccontrol
2008-03-20 2:07 PM: Removing From Quarantine: logih adware
2008-03-20 2:07 PM: Removing From Quarantine: safesurf
2008-03-20 2:07 PM: Removing From Quarantine: inet delivery
2008-03-20 2:07 PM: Removing From Quarantine: golden palace casino
2008-03-20 2:07 PM: Removing From Quarantine: keyhost hijacker - jraun
********
2008-03-24 7:52 AM: | Start of Session, Monday, March 24, 2008 |
2008-03-24 7:52 AM: Spy Sweeper Enterprise Started
2008-03-24 7:52 AM: Memory Shield is On
2008-03-24 7:52 AM: "hosts" file Shield is On
2008-03-24 7:52 AM: IE Hijack Shield is On
2008-03-24 7:52 AM: Spy Installation Shield is On
2008-03-24 7:52 AM: Startup Shield is On
2008-03-24 7:52 AM: IEHijack Shield Detection: Admin Homepage can not be set blank, Homepage reset
2008-03-24 8:00 AM: Memory Shield Detection: item quarantined, etlrlws toolbar
2008-03-24 8:01 AM: Removing From Quarantine: etlrlws toolbar
2008-03-24 8:01 AM: Removing From Quarantine: etlrlws toolbar
2008-03-24 8:20 AM: Spy Installation Shield Detection: Item Quarantined, spyware isolator
2008-03-24 8:20 AM: Spy Installation Shield Detection: Item Quarantined, spyware isolator
2008-03-24 8:20 AM: Spy Installation Shield Detection: Item Quarantined, spyware isolator
2008-03-24 8:20 AM: Spy Installation Shield Detection: Item Quarantined, spyware isolator
2008-03-24 8:20 AM: Spy Installation Shield Detection: Item Quarantined, spyware isolator
2008-03-24 8:20 AM: Spy Installation Shield Detection: Item Quarantined, spyware isolator
2008-03-24 10:28 AM: Sweep Started: 3/24/2008 10:28:01 AM
2008-03-24 10:28 AM: Spy Sweeper version: 3.1.0.1844
2008-03-24 10:28 AM: Spy Definition version: 1114
2008-03-24 10:28 AM: Sweep Known Directories Only
2008-03-24 10:28 AM: Sweep Memory: True
2008-03-24 10:28 AM: Use Sandbox: False
2008-03-24 10:28 AM: Sweep Registry: True
2008-03-24 10:28 AM: Sweep Cookies: False
2008-03-24 10:34 AM: Sweep Completed
2008-03-24 10:34 AM: Sweep Quarantine Process Start
2008-03-24 10:34 AM: Adware [1] found: etlrlws toolbar Action: Quarantined
2008-03-24 10:34 AM: Sweep Quarantine Process End
2008-03-24 10:34 AM: Removing From Quarantine: spyware isolator
2008-03-24 10:34 AM: Removing From Quarantine: spyware isolator
2008-03-24 10:34 AM: Removing From Quarantine: spyware isolator
2008-03-24 10:34 AM: Removing From Quarantine: spyware isolator
2008-03-24 10:34 AM: Removing From Quarantine: spyware isolator
2008-03-24 10:34 AM: Removing From Quarantine: spyware isolator
2008-03-24 10:34 AM: Removing From Quarantine: etlrlws toolbar
2008-03-24 10:34 AM: Removing From Quarantine: etlrlws toolbar
2008-03-24 10:35 AM: Sweep Started: 3/24/2008 10:35:01 AM

2008-03-24 10:35 AM: Spy Sweeper version: 3.1.0.1844
2008-03-24 10:35 AM: Spy Definition version: 1114
2008-03-24 10:35 AM: Sweep Known Directories Only
2008-03-24 10:35 AM: Sweep Memory: True
2008-03-24 10:35 AM: Use Sandbox: False
2008-03-24 10:35 AM: Sweep Registry: True
2008-03-24 10:35 AM: Sweep Cookies: False
2008-03-24 10:41 AM: Sweep Completed
2008-03-24 10:41 AM: Sweep Quarantine Process Start
2008-03-24 10:41 AM: Sweep Quarantine Process End

Edited by BN_Iowa, 26 March 2008 - 01:54 PM.



#2 boopme


    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts

Posted 26 March 2008 - 09:47 PM

Hello and welcome to BC.
Please start with the removal instructions from our tutorial How to remove Privacy Protector or PrivacyProtector (Removal Instructions)

Next:
Download RogueRemover, saving it to the desktop.
Double-click on rr-free-setup.exe to install
Check for Updates and click Download if any are found
Select Scan and follow the onscreen directions to remove anything found.
If nothing is found, exit RogueRemover.
If something is found, it will present a list of detected items.
Click on Save log, then Ok at the prompt.
Click Remove selected, then Yes at the prompt.
Wait for the removal to complete and then close.
A file will be created and saved at C:\Program Files\RogueRemover\RRLog******.txt
Copy and post the contents of the RRLog file in your next reply.

Please ask any questions, post log(s) and tell us how the PC is running now.

Edited by boopme, 26 March 2008 - 09:53 PM.


#3 BN_Iowa


Posted 27 March 2008 - 01:59 PM

:thumbsup:

Bless you boopme!

Your instructions seem to have taken care of the problem. I am most grateful! The computer seems to be running fine now.

RogueRemover found no problems.

Bonnie

#4 boopme


Posted 27 March 2008 - 03:56 PM

You're welcome
Let's just make sure and do one more scan and get a scan log.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

#5 BN_Iowa


Posted 27 March 2008 - 06:33 PM

Thanks again, boopme. I did as you suggested.

1st Scan found the following, and it did make me do a restart to delete additional files:

Malwarebytes' Anti-Malware 1.09
Database version: 558

Scan type: Quick Scan
Objects scanned: 39847
Time elapsed: 6 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\etlrlws.bfor (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5558fa30-552a-49a3-8b31-ae95e6e39d6e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{40455917-0e1a-4b66-b62e-ad42fd2a2d84} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000000da-0786-4633-87c6-1aa7a4429ef1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0e1230f8-ea50-42a9-983c-d22abc2eeb4c} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b8c0220d-763d-49a4-95f4-61dfdec66ee6} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\etlrlws.bfor (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{2f63dd45-30a0-422e-af1e-01dd88ba9a5c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{0656a137-b161-cadd-9777-e37a75727e78} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\bsouthard\Desktopvirii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\RECYCLER\S-1-5-21-1873807865-713966729-441284377-4745\Dc8.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\luvniwnj.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\fmsxwqs.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\bsouthard\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\bsouthard\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\bsouthard\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\bsouthard\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\bsouthard\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\bsouthard\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\bsouthard\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\bsouthard\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lsass.log (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.




After the restart I ran it a 2nd time, and it did not find anything. Here is the log for that:

Malwarebytes' Anti-Malware 1.09
Database version: 558

Scan type: Quick Scan
Objects scanned: 39938
Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
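As an added example (not code from this thread or from Malwarebytes), a small Python parser for the MBAM 1.x log format posted above. It reconciles each "... Infected: N" summary count against the items actually listed (a truncated paste shows up as a mismatch), pulls out the "Delete on reboot" entries that explain why the first scan forced a restart and that should be absent from the post-reboot log, and tallies hits per detection name. SAMPLE_LOG is a constructed, abridged excerpt of the first log above with the counts adjusted to the lines kept.

```python
import re
from collections import Counter

# Constructed sample: abridged excerpt of the first MBAM log in this thread,
# summary counts adjusted to match the detail lines that were kept.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.09
Database version: 558

Memory Processes Infected: 0
Registry Keys Infected: 3
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\etlrlws.bfor (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0b682cc1-fb40-4006-a5dd-99edd3c9095d} (Fake.Dropped.Malware) -> Delete on reboot.
HKEY_CURRENT_USER\Software\mwc (Malware.Trace) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\luvniwnj.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lsass.log (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")  # "Files Infected: 14"
HEADER_RE = re.compile(r"^([A-Za-z ]+ Infected):$")          # "Files Infected:"
ITEM_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")    # "<object> (<detection>) -> <action>."


def parse_mbam_log(text):
    """Return (summary counts by category, detail items by category)."""
    summary, details, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SUMMARY_RE.match(line):
            summary[m[1]] = int(m[2])
        elif m := HEADER_RE.match(line):
            current = m[1]
            details.setdefault(current, [])
        elif current and not line.startswith("(No malicious") and (m := ITEM_RE.match(line)):
            details[current].append({"object": m[1], "detection": m[2], "action": m[3]})
    return summary, details


def reconcile(summary, details):
    """Categories whose header count disagrees with the listed items (e.g. a truncated paste)."""
    return {c: (n, len(details.get(c, []))) for c, n in summary.items() if n != len(details.get(c, []))}


def pending_reboot(details):
    """Objects MBAM could only schedule for removal at the next reboot; a second
    scan after restarting should no longer list them."""
    return [i["object"] for items in details.values() for i in items if i["action"] == "Delete on reboot"]


def detections_by_family(details):
    """Count hits per detection name, e.g. how much of the clean-up was Trojan.FakeAlert."""
    return Counter(i["detection"] for items in details.values() for i in items)
```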

#6 boopme


Posted 27 March 2008 - 09:38 PM

Man, I don't know, but I think the site went down for a bit earlier when I was here. You were on and had recently posted???
Have to scan the BC server :thumbsup:
Anyway, all looks good here. PC is running well now? If so, then do this last thing.


Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


#7 BN_Iowa


Posted 28 March 2008 - 01:32 PM

Here's to you boopme - :thumbsup:

System Restore was not enabled, but it is now, and a restore point has been made.

The PC seems to be running fine.

Thanks again for your help - you were a life saver!

Bonnie

#8 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,942 posts

Posted 28 March 2008 - 02:14 PM

You're welcome on behalf of the Bleeping Computer community.

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"Best Practices - Internet Safety for 2008".
"Hardening Windows Security - Part 1 & Part 2".
"IE Recommended Minimal Security Settings".



