Mar 2nd, 2007

Don't know what virus this is, but need help with it.

Hey all,

I'm pretty new here obviously, but I got some really... inconvenient virus on this laptop. I really am not sure what it is, but I know it has something called PROTECTOR.exe in the system32 folder (so not the real one) and I know it runs off the process 'tcpipmon.exe'. If you know what this virus is, please help me. I'm not allowing it access to the internet by firewall but it pops up a firewall window about every 5 seconds which is extremely annoying, and I don't want it to progress.

So PLEASE help if you can. I THINK it might be New Win32, but I'm not entirely sure.

Thanks in advance,
culmor30
culmor30
Mar 2nd, 2007

Re: Don't know what virus this is, but need help with it.

Hi and welcome to Daniweb forums.

Please download and install the AVG antispyware tool:
  • Close all other applications, select language, click OK.
  • Click I Agree.
  • Click Next.
  • Click Install.
  • Click Finish.
  • Wait, and AVG antispyware will open to the main screen automatically.
  • Wait again a few minutes and AVG antispyware should auto-update itself. If it doesn't, click Update at the top of the screen.
  • It is very important to get updates.
  • When updating has finished, close AVG antispyware.
If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear; use the up arrow to highlight.
  • Select the first option to run Windows in Safe Mode and hit Enter.
  • For additional help in booting into Safe Mode, see the following site: HERE

    You MUST manage to get into Safe Mode for the fix to work.
Make sure to close all open windows/programs/folders. Have nothing else open while AVG antispyware performs its scan!
  • Run AVG antispyware.
  • Click on Scanner at the top of the AVG antispyware screen.
  • Click on Settings.
  • Under How to Act, click on Recommended Action and choose Quarantine.
  • Under How to Scan, all boxes should be selected.
  • Under Possibly Unwanted Software, all boxes should be selected.
  • On the right side under Reports, click on Automatically generate report after every scan.
  • Under What to Scan, select Scan every file.
  • Click on the Scan tab.
  • Click on Complete system scan.
  • Let the program scan the machine. It can take a while; give it time.
  • When the scan has finished, at the bottom of the screen click Apply all Actions.
  • Click Save Report.
  • Click Save Report As (a Save As window should pop up).
  • Click Desktop.
  • Click Save.
  • Exit AVG antispyware.
Reboot back to normal mode.


Post the log here.

==

Download HijackThis self-extracting zip version from here. Once downloaded, double click on the file & it will install into its own, permanent folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.
crunchie (Moderator)
Mar 3rd, 2007

Re: Don't know what virus this is, but need help with it.

Ok, here's the report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at:    11:35:35 PM 3/2/2007

 + Scan result:

HKLM\SOFTWARE\Classes\b3d_auto_file -> Adware.BrilliantDigital : Ignored.
HKLM\SOFTWARE\Classes\b3d_auto_file\shell -> Adware.BrilliantDigital : Ignored.
HKLM\SOFTWARE\Classes\b3d_auto_file\shell\open -> Adware.BrilliantDigital : Ignored.
HKLM\SOFTWARE\Classes\b3d_auto_file\shell\open\command -> Adware.BrilliantDigital : Ignored.
C:\WINDOWS\system32\sysrdm32.exe -> Backdoor.Bifrose.abj : Ignored.
C:\Documents and Settings\Cullin Moran\Local Settings\Temp\Temporary Internet Files\Content.IE5\I1YLM9MR\yimcksaemj[1].txt -> Downloader.Small.ehs : Ignored.
C:\Documents and Settings\Cullin Moran\Local Settings\Temporary Internet Files\Content.IE5\O78RSTUV\yimcksaemj[1].txt -> Downloader.Small.ehs : Ignored.
C:\Documents and Settings\Cullin Moran\Local Settings\Temp\Temporary Internet Files\Content.IE5\I1YLM9MR\cqriqhchc[1].htm -> Hijacker.Agent.is : Ignored.
C:\Documents and Settings\Cullin Moran\Local Settings\Temporary Internet Files\Content.IE5\D1QOFDNU\cqriqhchc[1].htm -> Hijacker.Agent.is : Ignored.
C:\WINDOWS\system32\tcpipmon.exe -> Hijacker.Agent.is : Ignored.
C:\hlvljisk.exe -> Hijacker.Agent.is : Ignored.
C:\Documents and Settings\Cullin Moran\Desktop\Cullin's Stuff\EvID4226Patch.exe -> Not-A-Virus.Hacktool.EvID : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts -> Proxy.Small : Ignored.
C:\WINDOWS\system32\protector.exe -> Proxy.Wopla.ac : Ignored.
C:\WINDOWS\system32\ntio256.sys -> Rootkit.Agent.cf : Ignored.
:mozilla.65:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.66:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.67:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.68:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.69:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@2o7[1].txt -> TrackingCookie.2o7 : Ignored.
:mozilla.88:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Adbrite : Ignored.
:mozilla.89:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Adbrite : Ignored.
:mozilla.20:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Adjuggler : Ignored.
:mozilla.21:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Adjuggler : Ignored.
:mozilla.90:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Advertising : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@advertising[1].txt -> TrackingCookie.Advertising : Ignored.
:mozilla.50:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Atdmt : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@atdmt[2].txt -> TrackingCookie.Atdmt : Ignored.
:mozilla.59:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Bluestreak : Ignored.
:mozilla.52:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored.
:mozilla.53:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored.
:mozilla.54:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored.
:mozilla.55:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored.
:mozilla.56:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored.
:mozilla.51:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Doubleclick : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@doubleclick[1].txt -> TrackingCookie.Doubleclick : Ignored.
:mozilla.22:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Falkag : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@ehg-ati.hitbox[2].txt -> TrackingCookie.Hitbox : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@hitbox[2].txt -> TrackingCookie.Hitbox : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.49:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Mediaplex : Ignored.
:mozilla.26:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Ignored.
:mozilla.27:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Ignored.
:mozilla.57:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Questionmarket : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@questionmarket[2].txt -> TrackingCookie.Questionmarket : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@revsci[1].txt -> TrackingCookie.Revsci : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@edge.ru4[2].txt -> TrackingCookie.Ru4 : Ignored.
:mozilla.25:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Tribalfusion : Ignored.
:mozilla.72:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Tribalfusion : Ignored.
C:\Documents and Settings\Cullin Moran\Local Settings\Temp\Temporary Internet Files\Content.IE5\I1YLM9MR\eyrab[2].htm -> Trojan.ProcKill.DJ : Ignored.
C:\Documents and Settings\Cullin Moran\Local Settings\Temp\Temporary Internet Files\Content.IE5\UFR52CT1\ylzqaoj[1].htm -> Trojan.ProcKill.DJ : Ignored.
C:\Documents and Settings\Cullin Moran\Local Settings\Temporary Internet Files\Content.IE5\D1QOFDNU\ylzqaoj[1].htm -> Trojan.ProcKill.DJ : Ignored.
C:\Documents and Settings\Cullin Moran\Local Settings\Temporary Internet Files\Content.IE5\O1OLGVWB\eyrab[1].htm -> Trojan.ProcKill.DJ : Ignored.
C:\Documents and Settings\Cullin Moran\Local Settings\Temporary Internet Files\Content.IE5\OAQXDNRG\mlzuyupgoe[1].htm -> Trojan.ProcKill.DJ : Ignored.
C:\eibkqlk.exe -> Trojan.ProcKill.DJ : Ignored.
C:\jiyywtxq.exe -> Trojan.ProcKill.DJ : Ignored.
C:\ybaxd.exe -> Trojan.ProcKill.DJ : Ignored.

::Report end

Hope that helps, because I really need to get rid of this thing.
culmor30
Mar 3rd, 2007

Re: Don't know what virus this is, but need help with it.

Quote originally posted by crunchie:
Click on Settings.
Under How to Act click on Recommended Action and choose Quarantine.
You need to read the instructions again and quarantine what is found instead of ignoring them.
Quote originally posted by crunchie:
Download HijackThis self-extracting zip version from here. Once downloaded, double click on the file & it will install into its own, permanent folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.
This too.
crunchie (Moderator)
Mar 3rd, 2007

Re: Don't know what virus this is, but need help with it.

Oh, I quarantined that. And I think it worked actually. My only question is, is it actually GONE or is it just... suppressed?
culmor30
Mar 3rd, 2007

Re: Don't know what virus this is, but need help with it.

If you take a look at the logfile you posted, every entry was ignored. You need to boot into safe mode again, run AVG anti-spyware, and have it scan your system after applying the settings I advised.
I need to see the log produced and a log from HijackThis, that is, if you want to clean up your system.
crunchie (Moderator)
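The point crunchie makes above (every entry in the posted report reads "Ignored", so nothing was actually removed) is easy to miss in a long log. As an added example that is not part of this thread or of AVG's software, the following script parses the AVG Anti-Spyware report format, counts the action taken per detection, and lists what is still sitting on the disk, most urgent first. The sample lines reuse the paths and detection names from the posted report; the "Quarantined" action wording on the last line and the severity ordering are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample in the AVG Anti-Spyware report format. Paths and detection
# names are copied from the report posted above; the "Quarantined" action on the
# last line is an assumed wording, included only to show a non-ignored entry.
SAMPLE_REPORT = r"""
AVG Anti-Spyware - Scan Report
 + Scan result:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts -> Proxy.Small : Ignored.
C:\WINDOWS\system32\protector.exe -> Proxy.Wopla.ac : Ignored.
C:\WINDOWS\system32\ntio256.sys -> Rootkit.Agent.cf : Ignored.
C:\WINDOWS\system32\tcpipmon.exe -> Hijacker.Agent.is : Ignored.
:mozilla.65:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
C:\ybaxd.exe -> Trojan.ProcKill.DJ : Quarantined.
::Report end
"""
# One detection line: "<object> -> <Family.Name.variant> : <Action>."
ENTRY_RE = re.compile(r"^(?P<obj>.+?) -> (?P<det>\S+) : (?P<action>.+?)\.?$")

# Triage order (this example's own heuristic): a rootkit driver or backdoor outranks a proxy or hijacker.
SEVERITY = ["Rootkit", "Backdoor", "Proxy", "Downloader", "Trojan", "Hijacker", "Adware"]

def parse_report(text):
    """Return one dict per detection line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            det = m.group("det")
            entries.append({"object": m.group("obj"), "detection": det,
                            "family": det.split(".")[0], "action": m.group("action")})
    return entries

def action_counts(entries):
    """How many detections received each action, e.g. {'Ignored': 5}."""
    return Counter(e["action"] for e in entries)

def unresolved(entries):
    """Detections still marked Ignored, tracking cookies excluded, most urgent first."""
    left = [e for e in entries if e["action"] == "Ignored" and e["family"] != "TrackingCookie"]
    rank = {fam: i for i, fam in enumerate(SEVERITY)}
    return sorted(left, key=lambda e: rank.get(e["family"], len(SEVERITY)))

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("actions:", dict(action_counts(found)))
    for e in unresolved(found):
        print(f"STILL PRESENT  {e['family']:<9} {e['detection']:<18} {e['object']}")
```

Run against the full report from the thread, every entry lands in the "still present" list, which is exactly why a second scan with Recommended Action set to Quarantine was needed.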
Mar 3rd, 2007

Re: Don't know what virus this is, but need help with it.

C:\WINDOWS\system32\protector.exe
C:\WINDOWS\system32\ntio256.sys

These two are a malware downloader and the FOOP Rootkit driver that protects it.

I am interested in seeing if AVG Anti-spy can remove it. The Legacy Reg Keys are a pain to remove.

So please do have AVG try to clean all it finds!

PP
PhilliePhan (Moderator)
Mar 4th, 2007

Re: Don't know what virus this is, but need help with it.

I told it to clean all the stuff but the program is a demo so I don't know if it will work...
culmor30
Mar 4th, 2007

Re: Don't know what virus this is, but need help with it.

Quote originally posted by culmor30:
I told it to clean all the stuff but the program is a demo so I don't know if it will work...
If you follow crunchie's instructions on how to Run AVG Anti-spyware (with regard to Quarantine and Apply all Actions), it will try to clean those baddies.
If it is unable to clean the rootkit components, you may need more detailed assistance.
On the plus side, if AVG is detecting the rootkit, that is cause for optimism.

PP
PhilliePhan (Moderator)
Mar 4th, 2007

Re: Don't know what virus this is, but need help with it.

Quote originally posted by culmor30:
I told it to clean all the stuff but the program is a demo so I don't know if it will work...
It is a fully functional program during its trial; that is why it is recommended. When the trial is up, all you lose is the auto update and real-time protection functions.

Make sure you run it in safe mode too.
crunchie (Moderator)
