Virus Protector Problem



#1 Captainzoo

Captainzoo

  • Members
  • 37 posts
  • OFFLINE
  • Gender:Male
  • Location:Belmont, NSW
  • Local time:12:21 AM

Posted 27 March 2010 - 07:37 AM

Hi,

I have had a pop-up on both my desktop and laptop for the past week which says I'm in an unsafe mode for IE (I use Chrome for web browsing) and should install "Online Protection" to make it safe. I took it as suspicious and had not allowed it to run until today on my laptop (by accident). It loaded Virus Protector, which now prevents me from accessing Windows. Every time I boot (Normal or Safe Mode) I cannot get past my account login screen without it running. There does not appear to be a way to stop it from running or close it down. None of my function keys work, and if I press Ctrl+Alt+Del I cannot see the Task Manager tab to start it. I have tried to start in Safe Mode with Networking and with Command Prompt but cannot get to a screen where I can do any antivirus or antispyware scanning. Initially, when I made the mistake, I tried a boot scan from Avast's Free Antivirus software, which is loaded. It ran, and when I rebooted I had the problem mentioned above.

I am running Vista Home Premium, and have Xoftspy Antispyware and Avast's free Antivirus as mentioned. Can someone help me with this very annoying malware?

Regards,
Paul Mc

Edited by Pandy, 09 May 2010 - 08:38 AM.
Moved from AII to a more appropriate forum ~Pandy




#2 Captainzoo

Captainzoo
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Gender:Male
  • Location:Belmont, NSW
  • Local time:12:21 AM

Posted 29 March 2010 - 07:18 AM

I fired up the laptop tonight and to my surprise I got access to my desktop and managed to download Malwarebytes. I am following the "Remove Virus Protector" uninstall guide and am in the middle of running a full scan. The guide mentions no more action to be taken once Malwarebytes has found and removed Virus Protector but I have noticed that some other forum help requests have suggested that it may not be that easy.

Any suggestions on what to do if this happens? I have Paretologics XoftspySE and Avast Free Antivirus active on the laptop so should I run these straight after Malwarebytes?

#3 buddynoel

buddynoel

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:21 AM

Posted 29 March 2010 - 11:19 AM

So how did you get past the program? We are having the same problem right now and there is no way that we are getting past that program.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,168 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:21 AM

Posted 29 March 2010 - 01:19 PM

@buddynoel
Follow the Automated Removal Instructions for Internet Security 2010 in this guide.
Remove Virus Protector (Uninstall Guide)
Post the Malwarebytes log.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Place this reply into a new topic, so we don't have to talk to 3 people, thanks.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,168 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:21 AM

Posted 29 March 2010 - 01:20 PM

@Captainzoo
Post the Malwarebytes log.

The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Next run ATF and SAS. If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.


#6 Captainzoo

Captainzoo
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Gender:Male
  • Location:Belmont, NSW
  • Local time:12:21 AM

Posted 30 March 2010 - 05:22 AM

Thanks for taking my malware problem on Boopme. Below is my log from the Malwarebytes scan. I have also downloaded ATF which is scanning the laptop as I type this reply. I cannot download SUPERAntispyware as it jumps out of the download page with the message "Oops! Google Chrome could not find downloads.superantispyware.com"???

FYI I am still receiving the infamous Windows Internet Security warning which I allowed to download and infect my laptop with the Virus Protection Malware.

Will post any issues (if any) once I have completed scanning.

Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

29/03/2010 11:59:23 PM
mbam-log-2010-03-29 (23-59-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 243635
Time elapsed: 1 hour(s), 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
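The five registry data items in this log are worth reading closely: nothing in it is a file or a process. The three Security Center values silence the "antivirus / firewall / updates are off" warnings, and the two Policies values are what blocked Regedit and Task Manager. MBAM reset them, but with database 3458 it did not identify whatever set them. As an added example (not Malwarebytes' code and not part of the thread), the Python below parses an MBAM 1.x text log, lists which lockout values were set, and flags the "settings reverted but no payload found" situation. The meanings attached to the value names are standard Windows behaviour assumed here rather than stated in the log; the sample log is reconstructed from the post above.

```python
"""Parse an MBAM 1.x text log and flag Security Center / policy tampering.

Added example for this thread, not Malwarebytes' own code.  The sample log is
reconstructed from the post above; the meaning attached to each registry value
is standard Windows behaviour (an assumption of the example, not log content).
"""
import re

# Constructed sample: header, summary counts and the five registry findings
# from the MBAM log posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.43
Database version: 3458
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18882

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

HEADER_RE = {
    "version": re.compile(r"^Malwarebytes' Anti-Malware (\S+)$"),
    "database": re.compile(r"^Database version: (\S+)$"),
    "os": re.compile(r"^(Windows .+)$"),
}
SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")      # "Files Infected: 0"
SECTION_RE = re.compile(r"^(.+ Infected):$")            # "Files Infected:"
FINDING_RE = re.compile(
    r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?:(?P<detail>.+?) -> )?(?P<action>.+)$")
BADGOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")

# What each flagged value does when set to 1 (standard Windows semantics).
TAMPER_VALUES = {
    "AntiVirusDisableNotify": "Security Center stops warning that antivirus is off or outdated",
    "FirewallDisableNotify": "Security Center stops warning that the firewall is off",
    "UpdatesDisableNotify": "Security Center stops warning that Automatic Updates are off",
    "DisableRegistryTools": "Regedit refused for this user",
    "DisableTaskMgr": "Task Manager refused for this user",
}


def parse_mbam_log(text):
    """Return {'header': {...}, 'counts': {...}, 'findings': [...]} for an MBAM 1.x log."""
    parsed = {"header": {}, "counts": {}, "findings": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:                                   # start of a detail section
            section = m.group(1)
            continue
        if section is None:                     # still in the header / summary block
            m = SUMMARY_RE.match(line)
            if m:
                parsed["counts"][m.group(1)] = int(m.group(2))
            for name, pat in HEADER_RE.items():
                m = pat.match(line)
                if m:
                    parsed["header"][name] = m.group(1)
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue
        bg = BADGOOD_RE.search(m.group("detail") or "")
        parsed["findings"].append({
            "section": section,
            "path": m.group("path"),
            "value": m.group("path").rsplit("\\", 1)[-1],   # last path element = value name
            "detection": m.group("detection"),
            "bad": bg.group("bad") if bg else None,
            "good": bg.group("good") if bg else None,
            "action": m.group("action"),
        })
    return parsed


def tamper_report(findings):
    """(value name, effect) for each known lockout/silencing value that was set (Bad: (1))."""
    return [(f["value"], TAMPER_VALUES[f["value"]])
            for f in findings if f["value"] in TAMPER_VALUES and f["bad"] == "1"]


def only_settings_reverted(parsed):
    """True when MBAM undid registry settings but found no process, module or file:
    the symptoms are gone, but the dropper that set them was not identified."""
    payload = ("Memory Processes Infected", "Memory Modules Infected", "Files Infected")
    return (bool(parsed["findings"])
            and all(f["section"] == "Registry Data Items Infected" for f in parsed["findings"])
            and not any(parsed["counts"].get(k, 0) for k in payload))


if __name__ == "__main__":
    result = parse_mbam_log(SAMPLE_LOG)
    for value, effect in tamper_report(result["findings"]):
        print(f"{value}: {effect}")
    if only_settings_reverted(result):
        print("Settings reverted but no payload found: update the database and rescan.")
```

On this log `only_settings_reverted` is true, which is the practical reading of it: the lockouts are gone for now, but an outdated database reverting five registry values is not evidence that the infection itself was removed, and the later posts in this thread bear that out.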


#7 Captainzoo

Captainzoo
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Gender:Male
  • Location:Belmont, NSW
  • Local time:12:21 AM

Posted 30 March 2010 - 05:30 AM

QUOTE(buddynoel @ Mar 30 2010, 03:19 AM)
so how did you get past the program? We are having the same problem right now and there is no way that we are getting past that program.


Buddynoel,

I don't exactly know how I got access to my Windows account without the Virus Protection malware tool running. I have 2 accounts on the laptop and tried several ways to access the Windows desktop (as mentioned above). I persisted with intermittent power-ups over the last 3 days. One thing I did do (purely by accident) is mistime pressing the F8 key during boot-up. What I mean by this is I was pressing F8 during the Windows startup process and not the POST/boot process (pre-Windows). Call it purely coincidental, but it was the only time I did it and it was the only time I got access to the desktop and loaded Malwarebytes.

It may be worth a try. If it works then follow the "Remove Virus Protector (Uninstall Guide)" as mentioned by Boopme.

Good luck!

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,168 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:21 AM

Posted 30 March 2010 - 02:12 PM

Hi, you may need to run RKill again to get the apps to run. Once you reboot, RKill is dead.
Your MBAM is outdated: Malwarebytes' Anti-Malware 1.43 / Database version 3458. It is at 1.45 and 3901 or so now.

Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates; when done,
click the Scanner tab, select FULL scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.


For the SAS:
If SUPERAntiSpyware is not currently installed, please download and run this alternate install package:

SUPERAntiSpyware FREE Edition Installer

If SUPERAntiSpyware is already installed but simply will not run

RUNSAS.EXE

#9 Captainzoo

Captainzoo
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Gender:Male
  • Location:Belmont, NSW
  • Local time:12:21 AM

Posted 31 March 2010 - 06:04 AM

No luck with the SAS link, Boopme.

Whatever is lurking inside my laptop (and it appears to be in my desktop as well now) is preventing any anti-virus, anti-spyware and anti-malware programs from running. Both links you provided bounce me to the same Oops! message mentioned in my previous post. I did manage to load an older version of SAS I had kept on an external HDD. It performed a scan OK and fixed some 50-odd threats (all cookies). However, if I click the update button SAS scans for updates and selects recommended updates to download, but when I select Next it hangs at the download progress screen. Malwarebytes produces an error when I select check for updates. Paretologic's Xoftspy SE returns a "not connected to the internet" message when I select the update hyperlink on its home screen.

Is there a way around this?

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,168 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:09:21 AM

Posted 31 March 2010 - 02:20 PM

Let's try this. Run these two, then quickly try to update MBAM. You can also try opening another user account and then running it. Also try resetting the router and then updating.

FixExe.reg
....click Run when the box opens


RKill....

Please download Rkill by Grinler and save it to your desktop.
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.

If the computer is rebooted or a reboot occurs along the way you will need to run the application again as the malware programs will start again.

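FixExe.reg restores the .exe file association, which a rogue can hijack so that every program launch (the cleanup tools included) runs the rogue first; RKill then stops the rogue's process long enough for the tools to start. The thread does not show the contents of FixExe.reg. As an added example that is neither FixExe.reg nor anything from the forum, the Python below parses a Regedit export (REGEDIT5 text), checks the .exe class and the exefile open command against the Windows defaults, and generates a minimal .reg that puts them back. The default values (exefile and "%1" %*), the precedence of HKCU\Software\Classes over the machine-wide classes, and the hijacked export with its made-up launcher path are assumptions of the example.

```python
"""Check a Regedit export for a hijacked .exe file association.

Added example for this thread, not the FixExe.reg linked in the post (whose
contents the thread does not show).  Assumed from the standard Windows
registry layout: .exe maps to the exefile class and the exefile open command
is "%1" %*.  The hijacked export below is constructed.
"""

# Constructed sample: an export of the relevant keys after a rogue has put
# itself in front of every .exe launch.  The launcher path is made up.
HIJACKED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Users\\user\\AppData\\Local\\launcher.exe\" \"%1\" %*"
"""

# Default values the check expects (standard Windows; assumption, see lead-in).
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}
# HKEY_CLASSES_ROOT merges HKLM\Software\Classes with the per-user
# HKCU\Software\Classes, and the per-user side wins, so a hijack planted
# there needs no admin rights.  Any such key in the export is suspect.
USER_OVERRIDES = (
    r"HKEY_CURRENT_USER\Software\Classes\.exe",
    r"HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command",
)


def _unquote(s):
    """Strip the quotes of a .reg string and undo its \\" and \\\\ escapes."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Parse REGEDIT5 text into {key: {value name: data}}; '@' becomes '(Default)'.
    String data is unescaped; dword:/hex: data is kept as the raw token."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else _unquote(name)
        keys[current][name] = _unquote(data) if data.startswith('"') else data
    return keys


def check_exe_association(keys):
    """Return a list of problems; an empty list means the association is the default."""
    by_lower = {k.lower(): v for k, v in keys.items()}   # registry keys are case-insensitive
    issues = []
    for key, want in EXPECTED.items():
        got = by_lower.get(key.lower(), {}).get("(Default)")
        if got is None:
            issues.append(f"{key}: default value missing from export")
        elif got != want:
            issues.append(f"{key}: default is {got!r}, expected {want!r}")
    for key in USER_OVERRIDES:
        if key.lower() in by_lower:
            issues.append(f"{key}: per-user override present: {by_lower[key.lower()]}")
    return issues


def restore_reg_text():
    """A minimal .reg that puts both defaults back (illustration, not FixExe.reg)."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_CLASSES_ROOT\\.exe]\r\n@=\"exefile\"\r\n\r\n"
            "[HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command]\r\n@=\"\\\"%1\\\" %*\"\r\n")


if __name__ == "__main__":
    for issue in check_exe_association(parse_reg(HIJACKED_EXPORT)):
        print(issue)
    print(restore_reg_text())
```

To use it on a real machine, export the two HKEY_CLASSES_ROOT keys and the HKCU\Software\Classes tree with Regedit (File, Export) and feed the file to `parse_reg`. Importing the generated .reg only helps while the rogue's process is stopped: if it is still running it can put the hijack straight back, which is why the post pairs FixExe.reg with RKill and says to rerun RKill after every reboot.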

#11 Captainzoo

Captainzoo
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Gender:Male
  • Location:Belmont, NSW
  • Local time:12:21 AM

Posted 28 April 2010 - 07:36 AM

HI Boopme,

I'm sorry to dig up this old post again, but it appears that the malware is still embedded in my laptop. I tried your suggestion in your last post and it appeared to have worked, but I have found that Malwarebytes will not update, Antispyware will not update, Avast Antivirus will not update and Windows Update cannot check for updates. Further to this, the annoying Virus Protection pop-up is appearing when I'm browsing the internet again.

Please let me know if you can still help or if you prefer me to start a new topic.

Thanks.

#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,538 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:21 AM

Posted 09 May 2010 - 03:30 AM

Hi, Captainzoo


We will be working on the VISTA installation only. Remove all other hard drives and set the hard drive with VISTA as Master. You will need another computer to communicate with us.

Let's give this a try. You will need a flash drive to move information from the sick computer to a working computer. It is the only way we can see the progress of our actions. Save these instructions to your flash drive as a text file (use Notepad) so you can have access to them while in an external environment (PE).

Here is what you need to do.

Two programs to download

First

Download ISOBurner. Click Here for ISOBurner Instructions. Install the program, and follow the next set of steps.

Second
  • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 276.7MB in size so it may take some time to download.
  • When downloaded double click and this will then open ISOBurner to burn the file to CD
  • Boot the Non working computer using the boot CD you just created.
  • In order to do so, the computer must be set to boot from the CD first
    Note : For information click here
  • Your system should now display a REATOGO-X-PE desktop.
  • Double-click on the OTLPE icon.
  • When asked "Do you wish to load the remote registry", select Yes
  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under the Custom Scan box paste this in

      /md5start
      eventlog.dll
      scecli.dll
      netlogon.dll
      cngaudit.dll
      sceclt.dll
      ntelogon.dll
      logevent.dll
      iaStor.sys
      nvstor.sys
      atapi.sys
      IdeChnDr.sys
      viasraid.sys
      AGP440.sys
      vaxscsi.sys
      nvatabus.sys
      viamraid.sys
      nvata.sys
      nvgts.sys
      iastorv.sys
      ViPrt.sys
      eNetHook.dll
      ahcix86.sys
      KR10N.sys
      nvstor32.sys
      ahcix86s.sys
      nvrd32.sys
      userinit.exe
      explorer.exe
      ntoskrnl.exe
      /md5stop
      %SYSTEMDRIVE%\*.*
      %systemroot%\*. /mp /s
      %systemroot%\System32\config\*.sav
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive.
  • Please post the contents of the C:\OTL.txt file in your reply.

Edited by JSntgRvr, 09 May 2010 - 04:02 AM.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#13 Captainzoo

Captainzoo
  • Topic Starter

  • Members
  • 37 posts
  • OFFLINE
  • Gender:Male
  • Location:Belmont, NSW
  • Local time:12:21 AM

Posted 10 May 2010 - 06:45 AM

Hi JSntgRvr,

Thanks for taking my malware problem on. In between messaging Boopme and your post here (as late as Saturday) I managed to boot to Vista on my desktop. Sorry that I didn't post my success (or partial success), but I haven't been home.

I guess my question is, would you like me to run the OTLPE program to check the registry of the desktop? or should I try and remove the malware (from both the laptop and desktop running Vista) again? I have managed to install an up to date version of Malwarebytes and Super Antispyware and run a full scan of both. Super Antispyware and Windows Update cannot perform updates but Malwarebytes can.

#14 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,538 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:21 AM

Posted 10 May 2010 - 02:46 PM

No. Let's work on one computer at a time. After the first one is clear, then we will take care of the other.

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start. Change the following settings
    • Change Drivers to All
    • Change Standard Registry to All
    • Under File Scans, change File age to 30
  • Under the Custom Scan box paste this in

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    %SYSTEMDRIVE%\*.*
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
    • Please post the contents of these files in your next reply.

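Both OTL scripts in this thread (the OTLPE one in post #12 and the live one in post #14) carry the same /md5start ... /md5stop block. OTL prints the MD5 of every copy of each named file so the helper can compare them with known-good hashes; the driver and system binaries on that list are the ones rootkits of the period patched in place rather than adding a new file, which a scan for "infected files" by name would miss. As an added example, not OTL's code and not from the forum, the Python below does the same over a directory tree and diffs a baseline against a later run, catching both a changed file and an extra copy under another folder. The file list is a subset of the one in the posts; the directory tree, file contents and the "patched" driver in demo() are constructed.

```python
"""Hash the files an OTL /md5start ... /md5stop block names and diff two runs.

Added example for this thread, not OTL's own code.  The file list is a
subset of the one in the posts; the tree built in demo() is constructed,
not a real Windows installation.
"""
import hashlib
import tempfile
from pathlib import Path

# Subset of the names in the /md5start block above.
MD5_LIST = ["eventlog.dll", "scecli.dll", "netlogon.dll", "atapi.sys",
            "iaStor.sys", "userinit.exe", "explorer.exe", "ntoskrnl.exe"]


def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk=1 << 20):
    """Stream the file so large binaries (ntoskrnl.exe) are not read whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_named_files(root, names):
    """{relative path (lower-cased): md5} for every copy of each listed name under root.
    Every copy matters: a second userinit.exe in a Temp folder is itself a finding."""
    root = Path(root)
    wanted = {n.lower() for n in names}
    return {p.relative_to(root).as_posix().lower(): md5_of_file(p)
            for p in root.rglob("*") if p.is_file() and p.name.lower() in wanted}


def diff_hashes(baseline, current):
    """Files whose hash changed, files that vanished, and copies not seen before."""
    return {
        "changed": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario: baseline a fake tree, then overwrite the IDE driver
    in place and drop an extra userinit.exe under Temp."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {"Windows/System32/drivers/atapi.sys": b"IDE driver, clean build",
                 "Windows/System32/userinit.exe": b"userinit, clean build",
                 "Windows/explorer.exe": b"explorer, clean build"}
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        baseline = hash_named_files(root, MD5_LIST)
        (root / "Windows/System32/drivers/atapi.sys").write_bytes(b"IDE driver, patched")
        (root / "Windows/Temp").mkdir()
        (root / "Windows/Temp/userinit.exe").write_bytes(b"dropped copy")
        return diff_hashes(baseline, hash_named_files(root, MD5_LIST))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Two caveats apply to OTL's list as much as to this script. A hash only says that a file differs from what was hashed earlier, and legitimate service packs and updates change these files too, so the baseline must come from a known-clean state or from the vendor's published hashes. And MD5 is not collision-resistant, so a matching hash is evidence of no change, not a guarantee of integrity; run the same comparison with SHA-256 where you control both sides.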


#15 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,538 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:09:21 AM

Posted 15 May 2010 - 01:14 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.






