
win32 protection c virus / NOD32 could not clean


22 replies to this topic

#1 vince73


Posted 05 August 2009 - 04:43 PM

Hello, my name is Vince.

I have a problem with cleaning a file that's being detected by my NOD32 virus scanner.

The file is named Win32ProtectorC.virus

I cannot download anymore from sites like AVG or any other download site for free antivirus; the browser is very slow.

I'm running my OS now in safe mode.

Also the startup (in normal Windows XP Home) is very slow.

Is there anybody on this forum who knows how to kill this bug?

Please let me know.


Vince


#2 Budapest


Posted 05 August 2009 - 05:54 PM

Try this scan. You can copy it over from another computer if you need to:

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 vince73


Posted 06 August 2009 - 04:11 AM

Thanks a lot for the info.

Going home right after work and will try it.

Let you know if it works.

Greetings


Vince :thumbsup:

#4 quietman7


Posted 06 August 2009 - 07:11 AM

Did your anti-virus scanner provide a specific file name associated with this malware threat(s) and if so, where is it located (full file path) on your system?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#5 vince73


Posted 06 August 2009 - 08:40 AM

quietman7, the exact file path is

C:\windows\system32\drivers\ndis.sys (Win32/Protector.C Virus)

#6 quietman7


Posted 06 August 2009 - 09:16 AM

That is not a good sign. Read this write up from PREVX which identifies it as being related to a nasty rootkit infection. As you can see, the infection is also seen with reader_s.exe which is often seen with a nasty variant of the Virut virus which creates copies of itself in various locations to include %System%, %Temp% and/or %UserProfile% folders. Please see ThreatExpert's awareness of the file "reader_s.exe".

I would start by doing a search on your machine for reader_s.exe.

Also get a second opinion on ndis.sys. Go to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of that file and submit (upload) it for scanning/analysis.
-- Post back with the results of the file analysis.

#7 vince73


Posted 06 August 2009 - 09:23 AM

quietman7

It is a nasty one, that's for sure.

I'll get back to you as soon as possible.

Haven't tried the Dr.Web CureIt yet.

Thanks anyway.

Vince :thumbsup:

#8 quietman7


Posted 06 August 2009 - 09:36 AM

Not a problem. Also be aware that copies of ndis.sys can be found in several locations so you may want to investigate further (check file size, dates).

To do that you can download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • If using Windows Vista, be sure to Run As Administrator.
  • Copy and paste everything in the codebox below into the main textfield:
    :filefind
    ndis.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
Note: The log can also be found on your Desktop, entitled SystemLook.txt
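An added check for the point above about multiple copies of ndis.sys (example code written for this thread, not quietman7's SystemLook): it walks a directory tree for every ndis.sys, records size, modification time and SHA-256, and reports each copy that differs from the protected reference copy in dllcache (or ServicePackFiles). The tree built by run_demo() is constructed; the folder names are the Windows XP ones.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Where Windows XP keeps its protected reference copies, checked in this order.
REFERENCE_HINTS = ("dllcache", "servicepackfiles")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, filename="ndis.sys"):
    """Walk `root` and record size, mtime and SHA-256 of every file named
    `filename` (matched case-insensitively, as NTFS does)."""
    copies = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == filename.lower():
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
                copies.append({"path": path, "size": st.st_size,
                               "mtime": mtime.isoformat(timespec="seconds"),
                               "sha256": sha256_of(path)})
    return copies


def compare_copies(copies):
    """Take the copy under dllcache (else ServicePackFiles) as reference and
    return (reference, copies whose size or hash differs from it). Without a
    reference every copy is returned so it can be reviewed by hand."""
    ref = None
    for hint in REFERENCE_HINTS:
        ref = next((c for c in copies if hint in c["path"].lower()), None)
        if ref is not None:
            break
    if ref is None:
        return None, copies
    diverging = [c for c in copies if c is not ref and
                 (c["size"] != ref["size"] or c["sha256"] != ref["sha256"])]
    return ref, diverging


def run_demo():
    """Constructed sample tree (not a real Windows install): two pristine
    copies and one altered copy in the live drivers folder. On a real XP
    box call compare_copies(find_copies("C:/WINDOWS")) instead."""
    root = tempfile.mkdtemp()
    pristine = b"MZ" + b"\x00" * 500 + b"ndis-reference"
    tampered = pristine + b"\x90" * 64      # appended bytes: size and hash change
    layout = {"WINDOWS/system32/dllcache/ndis.sys": pristine,
              "WINDOWS/ServicePackFiles/i386/ndis.sys": pristine,
              "WINDOWS/system32/drivers/ndis.sys": tampered}
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return compare_copies(find_copies(root))
```

A copy that differs from the protected one only proves it was changed, not by what; a second-opinion scan of that exact file, as suggested above, is the next step.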

#9 vince73


Posted 06 August 2009 - 09:46 AM

quietman7

Thanks for the extra remark.

Just downloaded SystemLook onto my USB stick.

Should I run it in safe or normal mode????

Vince

#10 quietman7


Posted 06 August 2009 - 09:54 AM

Normal mode.

#11 vince73


Posted 06 August 2009 - 05:42 PM

quietman7

I have a problem accessing the sites you gave me for uploading the ndis file.
I cannot access these sites in safe mode.
I cannot get on the net in normal mode.
What can I do???

gr Vince

#12 vince73


Posted 06 August 2009 - 05:44 PM

Budapest

Here is the report list you asked for; I still have the same problems.

The scanner, by the way, is great: it takes a long time but it misses nothing.

Only the problem I have it missed or did not recognise.

Do you have anything else I can throw at this virus????

Thanks already for trying to help.


Vince


reader_s.exe;c:\documents and settings\gast;Trojan.DownLoad.37236;Verwijderd.;
reader_s.exe;c:\documents and settings\vincent;Trojan.DownLoad.37236;Verwijderd.;
vincent.exe;c:\documents and settings\vincent;Trojan.DownLoad.40611;Verwijderd.;
reader_s.exe;c:\windows\system32;Trojan.DownLoad.37236;Verwijderd.;
sessmgr.exe;c:\windows\system32;Trojan.Packed.140;Verwijderd.;
abb[1].txt;C:\Documents and Settings\Gast\Local Settings\Temporary Internet Files\Content.IE5\8XYQIYHI;Trojan.DownLoad.37236;Verwijderd.;
lo[1].htm;C:\Documents and Settings\vincent\Local Settings\Temporary Internet Files\Content.IE5\2IOLISZP;Trojan.DownLoad.40611;Verwijderd.;
abb[1].txt;C:\Documents and Settings\vincent\Local Settings\Temporary Internet Files\Content.IE5\DJ4VYRQA;Trojan.DownLoad.37236;Verwijderd.;
lo[1].htm;C:\Documents and Settings\vincent\Local Settings\Temporary Internet Files\Content.IE5\GR0QA6TT;Trojan.DownLoad.40611;Verwijderd.;
abb[1].txt;C:\Documents and Settings\vincent\Local Settings\Temporary Internet Files\Content.IE5\YVF5P6JV;Trojan.DownLoad.37236;Verwijderd.;
abb[1].txt;C:\Documents and Settings\vincent\Local Settings\Temporary Internet Files\Content.IE5\ZRVJTC8M;Trojan.DownLoad.37236;Verwijderd.;
launcher.exe;C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_05.b13;Trojan.Packed.140;Verwijderd.;
rlservice.exe;C:\Program Files\RelevantKnowledge;Program.RelKnow.1;Niet repareerbaar.Verplaatst.;
A0099173.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1309;Trojan.Packed.140;Verwijderd.;
A0100100.exe\data007;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1322\A0100100.exe;Adware.Shopper;;
A0100100.exe\data008;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1322\A0100100.exe;Adware.SaveNow.128;;
A0100100.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1322;Archief bevat geïnfecteerde objecten;Verplaatst.;
A0100101.exe\data007;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1322\A0100101.exe;Adware.Shopper;;
A0100101.exe\data008;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1322\A0100101.exe;Adware.SaveNow.128;;
A0100101.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1322;Archief bevat geïnfecteerde objecten;Verplaatst.;
A0101646.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1339;Trojan.DownLoad.41985;Verwijderd.;
A0101754.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1341;Trojan.DownLoad.37236;Verwijderd.;
A0101880.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1342;Trojan.Packed.140;Verwijderd.;
A0101936.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1342;Trojan.DownLoad.37236;Verwijderd.;
A0101989.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1342;Trojan.DownLoad.37236;Verwijderd.;
A0102078.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1343;Trojan.Packed.140;Verwijderd.;
A0102134.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1343;Trojan.DownLoad.37236;Verwijderd.;
A0102187.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1343;Trojan.DownLoad.37236;Verwijderd.;
A0102327.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1344;Trojan.Packed.140;Verwijderd.;
A0103419.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1344;Trojan.DownLoad.37236;Verwijderd.;
A0103420.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1344;Trojan.DownLoad.37236;Verwijderd.;
A0103441.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1344;Trojan.DownLoad.37236;Verwijderd.;
A0103448.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1344;Trojan.DownLoad.37236;Verwijderd.;
A0103449.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1344;Trojan.DownLoad.37236;Verwijderd.;
A0103450.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1344;Trojan.DownLoad.40611;Verwijderd.;
A0103490.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1345;Trojan.DownLoad.37236;Verwijderd.;
A0103491.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1345;Trojan.DownLoad.37236;Verwijderd.;
A0103492.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1345;Trojan.DownLoad.40611;Verwijderd.;
A0103493.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1345;Trojan.DownLoad.37236;Verwijderd.;
A0103494.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1345;Trojan.Packed.140;Verwijderd.;
A0103495.exe;C:\System Volume Information\_restore{5CA9A1BB-1F01-4443-B26C-75389060AD6E}\RP1345;Trojan.Packed.140;Verwijderd.;
misc.exe_1036.D0DF3458_A845_11D3_8D0A_0050046416B9.exe;C:\WINDOWS\Installer\{505AFDC0-5E72-4928-8368-5DEA385E3647};Trojan.Packed.140;Verwijderd.;
iedw.exe;C:\WINDOWS\ServicePackFiles\i386;Trojan.Packed.140;Verwijderd.;
imapi.exe;C:\WINDOWS\ServicePackFiles\i386;Trojan.Packed.140;Verwijderd.;
D.tmp;C:\WINDOWS\system32;Trojan.DownLoad.40611;Verwijderd.;
dplaysvr.exe;C:\WINDOWS\system32;Trojan.Packed.140;Verwijderd.;
VRT3DF3.tmp;C:\WINDOWS\TEMP;Trojan.DownLoad.37236;Verwijderd.;
Cdvd.exe\data009;E:\programma`s\handige proggies\Cdvd.exe;Adware.SaveNow;;
Cdvd.exe;E:\programma`s\handige proggies;Archief bevat geïnfecteerde objecten;Verplaatst.;
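A small triage of the report above (an added example, not part of the thread or of Dr.Web): it parses the semicolon-separated lines that the Dr.Web CureIt steps in post #2 produce, translates the Dutch action strings, and separates inert hits (System Restore points, browser cache) from detections in live locations; executables under the Windows directory that a scanner flags as infected are the tell-tale of a file infector rather than a dropper. SAMPLE_REPORT is a constructed excerpt modelled on the posted report, with the restore-point GUID replaced by a placeholder.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Dr.Web CureIt report above:
# file;directory;detection;action;   (action is empty for members of archives)
SAMPLE_REPORT = r"""
reader_s.exe;c:\windows\system32;Trojan.DownLoad.37236;Verwijderd.;
sessmgr.exe;c:\windows\system32;Trojan.Packed.140;Verwijderd.;
imapi.exe;C:\WINDOWS\ServicePackFiles\i386;Trojan.Packed.140;Verwijderd.;
abb[1].txt;C:\Documents and Settings\vincent\Local Settings\Temporary Internet Files\Content.IE5\DJ4VYRQA;Trojan.DownLoad.37236;Verwijderd.;
A0100100.exe\data007;C:\System Volume Information\_restore{RP-GUID}\RP1322\A0100100.exe;Adware.Shopper;;
A0100100.exe;C:\System Volume Information\_restore{RP-GUID}\RP1322;Archief bevat geïnfecteerde objecten;Verplaatst.;
rlservice.exe;C:\Program Files\RelevantKnowledge;Program.RelKnow.1;Niet repareerbaar.Verplaatst.;
"""

# The Dutch action strings Dr.Web wrote in this report, and what they mean.
ACTIONS = {"verwijderd.": "deleted", "verplaatst.": "quarantined",
           "niet repareerbaar.verplaatst.": "incurable, quarantined", "": "no action"}


def classify(directory):
    """Where a detection sits decides how much it says about the live system."""
    d = directory.lower()
    if "system volume information" in d:
        return "restore point"      # inert unless System Restore is used
    if "temporary internet files" in d:
        return "browser cache"      # the download, not a running copy
    if re.match(r"^[a-z]:\\windows\\", d):
        return "windows dir"        # OS-owned files
    return "live"


def parse_report(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, directory, detection, action = line.split(";")[:4]
        entries.append({"name": name, "dir": directory, "detection": detection,
                        "action": ACTIONS.get(action.lower(), action),
                        "location": classify(directory),
                        "in_archive": "\\" in name})   # e.g. A0100100.exe\data007
    return entries


def triage(entries):
    """Counts per detection plus the entries that matter most: hits outside the
    restore points and browser cache, and executables under the Windows
    directory. Legitimate OS binaries flagged as infected (sessmgr.exe,
    imapi.exe, ...) are the mark of a file infector, not of a dropper that a
    scanner can simply delete. Top-level files left with no action are listed
    separately; archive members are reported through their container."""
    counts = Counter(e["detection"] for e in entries)
    live = [e for e in entries if e["location"] in ("live", "windows dir")]
    system_exes = [e for e in live if e["location"] == "windows dir"
                   and e["name"].lower().endswith((".exe", ".dll", ".sys"))]
    unhandled = [e for e in entries if e["action"] == "no action"
                 and not e["in_archive"]]
    return {"counts": counts, "live": live,
            "system_exes": system_exes, "unhandled": unhandled}
```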

#13 DaChew


Posted 06 August 2009 - 05:56 PM

reader_s.exe;c:\documents and settings\gast;Trojan.DownLoad.37236;Verwijderd.;
reader_s.exe;c:\documents and settings\vincent;Trojan.DownLoad.37236;Verwijderd.;
reader_s.exe;c:\windows\system32;Trojan.DownLoad.37236;Verwijderd.;


I would start by doing a search on your machine for reader_s.exe.


Read Quietman7's post and the links again

Do you have anything else I can throw at this virus????


It would probably be a waste of time
Chewy

No. Try not. Do... or do not. There is no try.

#14 quietman7


Posted 06 August 2009 - 09:17 PM

According to VirScan.org, Trojan.DownLoad.37236 is another name (used by Dr.Web) for the Win32:Virut family of malware.

Virut is a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. According to this Norman White Paper Assessment of W32/Virut, some variants can infect the HOSTS file and block access to security related web sites. Other variants of Virut can even penetrate and infect .exe files within compressed files (.zip, .cab, .rar). Virux is an even more complex file infector which can embed an iframe into the body of web-related files and infect script files (.php, .asp, .htm, .html, .xml). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair and in some instances can disable Windows File Protection. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable. The longer Virut remains on a computer, the more critical system files will become infected and corrupt, so the degree of infection can vary.

The virus disables Windows File Protection by injecting code into the "winlogon.exe" process that patches system code in memory.

CA Virus detail of W32/Virut

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut

There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus...Due to the damage caused to files by Virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. Undetected, corrupted files (possibly still containing part of the viral code) can also be found. This is caused by incorrectly written and non-functional viral code present in these files.

AVG Overview of W32/Virut

This kind of infection is often contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are a major source of system infection.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

However, the CA Security Advisor Research Blog has found MySpace user pages carrying the malicious Virut URL. Either way, you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before you connect again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read:

There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:

Edited by quietman7, 06 August 2009 - 09:17 PM.

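The HOSTS-file tampering mentioned above is one reason a machine can reach the web yet not the scanning sites, the symptom reported in post #11. An added check, not from quietman7's post: it parses a HOSTS file (on XP: %SystemRoot%\system32\drivers\etc\hosts), flags any entry for a security vendor or scanning site, tells blackholing (loopback or 0.0.0.0) from redirection to another host, and produces a cleaned copy. WATCHED_SUFFIXES is an assumed watch list built from the sites named in this thread, and SAMPLE_HOSTS is constructed.

```python
import ipaddress

# Security vendors and scanning sites named in this thread, plus Windows Update.
# Assumed watch list for this example; extend it with your own tools' domains.
# A clean HOSTS file never needs to resolve any of these locally.
WATCHED_SUFFIXES = ("virustotal.com", "jotti.org", "eset.com", "drweb.com",
                    "avg.com", "bleepingcomputer.com", "windowsupdate.com")

# Constructed sample: the default localhost line, one legitimate local entry,
# and three tampered lines of the kind the write-up above describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.virustotal.com
0.0.0.0         virusscan.jotti.org   # appended by the infection
10.13.37.1      www.eset.com
192.168.1.20    intranet.example.local
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every host named on a non-comment line."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:          # malformed line: first token is not an address
            continue
        for name in names:
            yield ip, name.lower(), n


def is_watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Return every entry that pins a watched domain, classified as 'blackhole'
    (loopback or 0.0.0.0: the site simply stops loading) or 'redirect'
    (any other address: the site can be impersonated)."""
    hits = []
    for ip, host, n in parse_hosts(text):
        if is_watched(host):
            addr = ipaddress.ip_address(ip)
            kind = "blackhole" if addr.is_loopback or addr.is_unspecified else "redirect"
            hits.append({"line": n, "host": host, "ip": ip, "kind": kind})
    return hits


def clean_hosts(text):
    """Return the HOSTS text without the hijacked lines. Write it back only after
    the infection itself is gone; an active infector simply re-adds them."""
    bad = {h["line"] for h in find_hijacks(text)}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"
```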

#15 vince73


Posted 07 August 2009 - 03:03 AM

Well, I think I'm just going to format and reinstall the OS :thumbsup: (pity, I have run this OS for 3 years without any problems).

Will that for sure get rid of the problem, or are there things I have to know (will it leave anything on my hard drive)?

Greetz

Vince



