Smart Protection attacked 2 clients


5 replies to this topic

#1 jerseyguy

jerseyguy

  • Members
  • 15 posts

Posted 19 February 2012 - 05:51 PM

I am a tech consultant in Los Angeles and have experienced a rash of clients getting Spyware infections since January 1.

I want to thank the experts at BleepingComputer who posted the Spyware Removal instructions for aiding me to successfully remove as many as 12 infected clients in 6 weeks.


Just this past Friday I received a call from one of my clients describing a Spyware infection that he got after opening an attachment to a FedEx email.


When I went right over & checked his system he had a Smart Protection 2012 infection on his XP desktop.

As I had done before I used my iPad to find the solution on BleepingComputer, but after following the removal instructions step by step there were some minor anomalies and the infection came back.

I tried for 4 hours and was unable to rid the system of Smart Protection 2012.

Later that afternoon, another client contacted me explaining they opened an attachment to a FedEx email and were infected as well.

I went there and following the same steps successfully removed the Smart Protection 2012 infection.

So I will explain what the anomalies are and I hope someone can assist me with steps to follow on Monday when I return to try again to remove the infection.


Steps I followed:


Booted into Safe Mode with Networking


In Internet Explorer under Internet Options, Connections, LAN Settings - in the Proxy Server section, the checkbox labeled Use a proxy server for your LAN was NOT checked as expected.


There was no problem connecting online.


Next I downloaded and ran TDSSKiller and it found 'Zero' threats - also not as expected.

Next I downloaded and renamed RKill before running it and it reported no 'Processes Terminated' - also not as expected.


Next I downloaded, renamed and updated Malwarebytes' Anti-Malware before running a complete scan. Each time [of the 4 times] MBAM found infections and removed them. The totals went from 53 'Objects Detected' -> 4 -> 1 -> 1 [the single object detected was the renamed RKill file].


Before rebooting as MBAM requests, I went to the final steps.


Next I ran hosts-perm.bat successfully and then replaced the Hosts file in the correct XP folder.


Finally I rebooted as MBAM requested and as soon as XP booted the Smart Protection 2012 infection was back.


I need assistance from someone on Monday Pacific time to guide me through the steps to disinfect this client's computer.

Thanks to any and all that help.

JerseyGuy


--

Do not confuse Data with Information, Information with Knowledge - or Knowledge with Wisdom!



Edited by jerseyguy, 19 February 2012 - 05:52 PM.



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • Gender:Male
  • Location:NJ USA

Posted 19 February 2012 - 08:23 PM

Hello, it is possible there is another rootkit here also. I suggest also running these.

Please run an alternate TDSS again like this.
Download the FixTDSS.exe

Save the file to your Windows desktop.
Close all running programs.
If you are running Windows XP, turn off System Restore. How to turn off or turn on Windows XP System Restore
Double-click the FixTDSS.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer when prompted by the tool.
After the computer has started, the tool will inform you of the state of infection (make sure to let me know what it said)
If you are running Windows XP, re-enable System Restore.


>>>
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NOTE: In some instances if no malware is found there will be no log produced.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 jerseyguy

jerseyguy
  • Topic Starter

  • Members
  • 15 posts

Posted 20 February 2012 - 07:23 PM

I finally got to my client.

I was able to turn off System Restore and then download FixTDSS.exe. But when FixTDSS asked to restart the computer, it went back to normal mode and started to scan for less than a minute before Smart Protection 2012 launched, killing FixTDSS in the process, and again took over the desktop.

I tried a few times, but each occurrence Smart Protection 2012 took over again.

So I decided to try to see if ESET Online Scan might be able to make some progress. I downloaded it, updated and ran it. It's been running about 8 minutes and has scanned about 10,000 files and has found 2 infected files.

What do you suggest I try next?

Thanks

Gary

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 February 2012 - 12:27 AM

Let ESET finish and it could be a few hours.

#5 jerseyguy

jerseyguy
  • Topic Starter

  • Members
  • 15 posts

Posted 21 February 2012 - 10:22 PM

Thanks.

ESET finished and by the end found 13 infections. I saved the text file and closed ESET. Next I ran FixTDSS and it rebooted to Normal Mode and reported "Backdoor.Tidserv has not been found".

And the system restarted and has seemed repaired since Monday evening. Thanks again.

BUT...

My 2nd client got through the weekend with no serious issues, but late Tuesday morning SMART PROTECTION 2012 reappeared. When I got back to this Dell laptop running Win 7 I booted into Safe Mode and could not turn off System Restore because the tab where the setting is in Win 7 wasn't there.

So I went forward with RKill just in case and then followed your link to ESET Online Scan and configured it as instructed; it scanned for 1:23 hrs/mins and found 4 infected files which were removed after the txt log was saved.

I went and booted into Normal mode and tried FixTDSS and it was interrupted by SMART PROTECTION 2012 again.

What do you recommend I try next? I ran RKill and TDSSKiller again in Safe Mode and I'm now scanning with MBAM, but really need experienced advice.

Please reply as soon as you can.

Thanks.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,492 posts
  • Gender:Male
  • Location:NJ USA

Posted 21 February 2012 - 10:51 PM

As I don't know what was removed I do not know for sure, but I am fairly convinced the HOSTS file is the issue.
Go here and do steps 22 and 23.

http://www.bleepingcomputer.com/virus-removal/remove-smart-anti-malware-protection

EDIT: BTW I'm from Jersey too.

Edited by boopme, 21 February 2012 - 10:52 PM.

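Both the first post (running hosts-perm.bat and replacing the Hosts file) and the last reply (the suspicion that the HOSTS file is what keeps bringing the infection back) turn on the same check: whether the Windows HOSTS file still maps only localhost, or whether it has been used to block or redirect hostnames. The script below is an added example written for this thread, not code from BleepingComputer or from any of the tools named above. It parses HOSTS-file text and sorts each entry into three buckets: stock localhost entries, hostnames sinkholed to a loopback or 0.0.0.0 address (the pattern a rogue antivirus uses to stop security-site downloads), and hostnames redirected to a real routable address. The sample file contents are constructed for illustration; the addresses and hostnames in it are placeholders, not observed indicators.

```python
"""Audit a Windows HOSTS file for entries that block or redirect hostnames.

Added example for the thread above; not code from BleepingComputer, MBAM,
RKill, TDSSKiller or FixTDSS. Runs on any OS: pass a path to a HOSTS file
(Windows: %SystemRoot%\\System32\\drivers\\etc\\hosts) or it audits the
constructed sample below.
"""
import ipaddress
import sys
from typing import Dict, List, Tuple

# Constructed sample HOSTS content. The redirect target uses the TEST-NET-2
# documentation range (198.51.100.0/24); nothing here is a real indicator.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.bleepingcomputer.com   # constructed: security site sinkholed
127.0.0.1       www.malwarebytes.org       # constructed: security site sinkholed
198.51.100.23   www.example-bank.com       # constructed: redirected to TEST-NET-2
0.0.0.0         tracker.example.net        # constructed: ad-block style entry
"""


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for every active entry.

    Everything after '#' is a comment; blank lines and lines whose first
    field is not a valid IP address are skipped, as Windows ignores them.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if len(fields) < 2:
            continue
        entries.append((lineno, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def audit_hosts(text: str) -> Dict[str, List[str]]:
    """Classify every hostname mapping in the HOSTS text.

    ok         - 'localhost' mapped to a loopback address (stock content)
    blocked    - any other hostname sinkholed to loopback or 0.0.0.0
    redirected - a hostname mapped to a routable address (highest suspicion)
    """
    report: Dict[str, List[str]] = {"ok": [], "blocked": [], "redirected": []}
    for lineno, addr, hosts in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        sinkhole = ip.is_loopback or ip.is_unspecified
        for host in hosts:
            desc = f"line {lineno}: {host} -> {addr}"
            if host == "localhost" and sinkhole:
                report["ok"].append(desc)
            elif sinkhole:
                report["blocked"].append(desc)
            else:
                report["redirected"].append(desc)
    return report


def is_stock_hosts(text: str) -> bool:
    """True when the file contains nothing beyond localhost mappings."""
    report = audit_hosts(text)
    return not report["blocked"] and not report["redirected"]


def main(argv: List[str]) -> int:
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_HOSTS
    report = audit_hosts(text)
    for bucket in ("redirected", "blocked", "ok"):
        print(f"{bucket} ({len(report[bucket])}):")
        for line in report[bucket]:
            print("   ", line)
    return 0 if is_stock_hosts(text) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status means the file has been edited beyond the stock localhost lines. Legitimate intranet entries will also land in the "redirected" bucket, so treat the output as something to review rather than a verdict; the point is that a machine whose security-site hostnames are sinkholed to 127.0.0.1 will keep failing downloads and updates until the file is replaced, which is what steps 22 and 23 of the linked guide address.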