Help With Privacy Protector Virus


26 replies to this topic

#1 cptnick

Posted 09 May 2008 - 05:14 PM

I am working on trying to rid my friend's comp of the Privacy Protector virus (red biohazard screen on desktop). I have downloaded and burned onto a CD: Hijackthis, AVG, Superantispyware, Smitfraudfix, Spybot, and the latest version of Firefox. Currently his computer cannot connect, apparently due to the virus. I am somewhat familiar with these programs as I had a nasty virus I couldn't rid myself of a while back. Please direct me as to what to do with each program, I would really appreciate it.


Mike

Edited by Orange Blossom, 09 May 2008 - 06:08 PM.
Moved to more appropriate forum. ~ OB



#2 DaChew

Posted 09 May 2008 - 06:21 PM

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
Chewy

No. Try not. Do... or do not. There is no try.

#3 DaChew

Posted 09 May 2008 - 06:24 PM

We will also need to get ATF Cleaner, the manual updates for SAS, and download Malwarebytes Anti-Malware and its updates.

There may be another one or two also, wait to burn another CD.

Do you have a USB drive? We need to get logs back from the infected machine; we will disinfect/immunize the drive first tho.

Edited by DaChew, 09 May 2008 - 06:25 PM.

Chewy


#4 cptnick

Posted 09 May 2008 - 08:34 PM

Hi Chewy, thanks for the info. I was following a procedure to remove this that was posted on majorgeek.com. It had me install Superantispyware, Spybot, Malwarebytes anti-malware, combofix, and MG Tools. I couldn't use the internet before, and the virus wouldn't let me install Superantispyware. So I used Malwarebytes, and it found and removed some stuff, but the internet still wasn't working. I then used Smitfraud, option 2, and it got the internet going again, and I was able to install Superantispyware. So I was able to go through the list I mentioned. I have logs for Superantispyware, Combofix and MGtools, which I could post.

#5 boopme

Posted 09 May 2008 - 08:37 PM

Post the MBAM and SAS logs, please.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 cptnick

Posted 09 May 2008 - 08:39 PM

here is the SAS report

Generated 05/09/2008 at 09:06 PM

Application Version : 4.0.1154

Core Rules Database Version : 3456
Trace Rules Database Version: 1448

Scan type : Quick Scan
Total Scan Time : 00:04:29

Memory items scanned : 536
Memory threats detected : 0
Registry items scanned : 444
Registry threats detected : 4
File items scanned : 4210
File threats detected : 5

Adware.MyWebSearch
HKU\PE_C_JACKSON\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}
HKU\PE_C_KARLA\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}

Adware.Tracking Cookie
C:\Documents and Settings\Joe\Cookies\joe@adnetserver[1].txt
C:\Documents and Settings\Joe\Cookies\joe@sale.antispywaremaster[2].txt
C:\Documents and Settings\Joe\Cookies\joe@advancedcleaner[1].txt
C:\Documents and Settings\Joe\Cookies\joe@secure.advancedcleaner[1].txt
C:\Documents and Settings\Joe\Cookies\joe@antispywaremaster[1].txt

Browser Hijacker.Internet Explorer Settings Hijack
HKU\PE_C_KARLA\Software\Microsoft\Internet Explorer\Main#Start Page [ http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2 ]

Adware.Zango/ShoppingReport
HKU\PE_C_JACKSON\Software\ShoppingReport

#7 cptnick

Posted 09 May 2008 - 08:40 PM

here is the mbam report, though it said it found nothing

Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Quick Scan
Objects scanned: 36839
Time elapsed: 2 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8 boopme

Posted 09 May 2008 - 08:44 PM

I forgot to ask, did you run the Cleaning (part 2) of SmitfraudFix from Safe Mode?

#9 cptnick

Posted 09 May 2008 - 08:46 PM

yes I did, but before I ran SAS, mbam, Spybot, Combofix and MGtools.

#10 boopme

Posted 09 May 2008 - 08:50 PM

You still have the Privacy Protector Icon in the system tray or a warning from it on your desktop?

Edited by boopme, 09 May 2008 - 08:58 PM.


#11 cptnick

Posted 09 May 2008 - 08:53 PM

also, let me add that the computer seems almost back to normal, but there are these windows ".dll" and "checkdsk" missing file messages that keep popping up occasionally. That biohazard screen is gone, and I think there is still a browser hijack attached to internet explorer.

#12 cptnick

Posted 09 May 2008 - 08:56 PM

um, there is no viruprotect icon, there's actually no icons on the desktop that look suspicious. There's only one in the add/remove programs area that looks suspicious and it is "freeze.com" toolbar. I can't remove it because every time I click the button to change/remove it it does nothing

#13 cptnick

Posted 09 May 2008 - 09:08 PM

I just went through the other 2 user desktops and everything appears normal, just getting those .rundll warnings

#14 boopme

Posted 09 May 2008 - 09:23 PM

This dll message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan.

To resolve this, download Autoruns, search for the related entry and then delete it.
Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message.
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.
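
A read-only check for the situation described in post #14, as an added example that is not part of the original thread: it lists Run/RunOnce startup values whose target file no longer exists on disk, the orphaned-entry pattern behind the missing-DLL messages. `Get-LaunchTarget` and `Test-TargetExists` are hypothetical helper names, and the script covers only these registry keys, far fewer locations than Autoruns shows.

```powershell
# Added example (not from the thread): report Run/RunOnce values whose target file is gone.
# Read-only: nothing is deleted. Covers HKLM and the current user's HKCU only.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: pull the file that must exist out of a launch command.
function Get-LaunchTarget {
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # rundll32 entries: the file that matters is the DLL argument, not rundll32.exe.
    if ($cmd -match 'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)') { return $Matches[1].Trim() }
    # Quoted path: take what is between the first pair of quotes.
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path: stop at the first executable extension followed by a space or the end.
    if ($cmd -match '^(.+?\.(?:exe|dll|com|bat|cmd|scr))(?:\s|$)') { return $Matches[1] }
    # Bare command such as "ctfmon": first token, assumed to be an .exe.
    $first = ($cmd -split '\s+')[0]
    if ($first -notmatch '\.\w+$') { $first += '.exe' }
    return $first
}

# Hypothetical helper: bare file names are looked up in System32 and the Windows folder only.
function Test-TargetExists {
    param([string]$Path)
    if ($Path -match '^([a-zA-Z]:|\\\\)') {
        return (Test-Path -LiteralPath $Path -PathType Leaf)
    }
    foreach ($dir in @((Join-Path $env:SystemRoot 'System32'), $env:SystemRoot)) {
        if (Test-Path -LiteralPath (Join-Path $dir $Path) -PathType Leaf) { return $true }
    }
    return $false
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # key absent on this system
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        if (-not $command) { continue }
        $target = Get-LaunchTarget -Command $command
        if (-not (Test-TargetExists -Path $target)) {
            [pscustomobject]@{ Key = $key; Name = $name; Target = $target; Command = $command }
        }
    }
}
```

HKCU reflects only the logged-on account, so on a machine with several user profiles, as in this thread, it has to be run once per user. Each listed entry should be matched against the file name in the error message before anything is removed.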

#15 cptnick

Posted 09 May 2008 - 09:34 PM

ok, I installed and ran it, looking through the list right now. It is very long on the tab "everything," which tab is it under?



