0

Hey all,

I'm pretty new here obviously, but I got some really... inconvienent virus on this laptop. I really am not sure what it is, but I know it has something called PROTECTOR.exe in the system32 folder (so not the real one) and I know it runs off the process 'tcpipmon.exe'. If you know what this virus is, please help me. I'm not allowing it access to the internet by firewall but it pops up a firewall window about every 5 seconds which is extremeley annoying, and I don't want it to progress.

So PLEASE help if you can. I THINK it might be New Win32, but I'm not entirely sure.

Thanks in advance,
culmor30

3
Contributors
9
Replies
10
Views
10 Years
Discussion Span
Last Post by crunchie
0

Hi and welcome to Daniweb forums :).

Please download and install AVG antispyware tool

  • Close all other Applications Select language click Ok
  • Click I Agree
  • Click next
  • Click Install
  • Click Finish
  • Wait and AVG antispyware will open to the main screen automatically.
  • Wait again a few minutes and AVG antispyware Should Auto update itself. If it doesn't click update at top of screen.
  • This is very important to get updates
  • When updating has finished. Close AVG antispyware.

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear use arrow up to highlight
  • Select the first option, to run Windows in Safe Mode hit enter.
  • For additional help in booting into Safe Mode, see the following site: HERE

    You MUST manage to get into Safe Mode for the fix to work.

Make sure to close all open windows/programs/folders. Have nothing else open while AVG antispyware performs its scan!

  • Run AVG antispyware.
  • Click on scanner at top of AVG antispyware sceen.
  • Click on Settings.
  • Under How to Act click on Recommended Action and choose Quarantine.
  • Under How to scan all boxes should be selected.
  • Under Possibly unwanted software all boxes should be selected.
  • On right side under Reports: click on Automatically generate report after every scan.
  • Under What to scan select scan every file.
  • Click On scan Tab.
  • Click on Complete system scan.
  • Let the program scan the machine It can take awhile give it time.
  • When scan has finished at bottom of screen click Apply all Actions.
  • Click Save report
  • Click Save Report as (Save as window's screen should pop up.)
  • Click desktop.
  • Click Save.
  • Exit AVG antispyware.

Reboot back to normal mode.


Post the log here.

==

Download HijackThis self-extracting zip version from here. Once downloaded, double click on the file & it will install into it's own, permanent folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

0

Ok, here's the report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at:    11:35:35 PM 3/2/2007

 + Scan result:    



HKLM\SOFTWARE\Classes\b3d_auto_file -> Adware.BrilliantDigital : Ignored.
HKLM\SOFTWARE\Classes\b3d_auto_file\shell -> Adware.BrilliantDigital : Ignored.
HKLM\SOFTWARE\Classes\b3d_auto_file\shell\open -> Adware.BrilliantDigital : Ignored.
HKLM\SOFTWARE\Classes\b3d_auto_file\shell\open\command -> Adware.BrilliantDigital : Ignored.
C:\WINDOWS\system32\sysrdm32.exe -> Backdoor.Bifrose.abj : Ignored.
C:\Documents and Settings\Cullin Moran\Local Settings\Temp\Temporary Internet Files\Content.IE5\I1YLM9MR\yimcksaemj[1].txt -> Downloader.Small.ehs : Ignored.
C:\Documents and Settings\Cullin Moran\Local Settings\Temporary Internet Files\Content.IE5\O78RSTUV\yimcksaemj[1].txt -> Downloader.Small.ehs : Ignored.
C:\Documents and Settings\Cullin Moran\Local Settings\Temp\Temporary Internet Files\Content.IE5\I1YLM9MR\cqriqhchc[1].htm -> Hijacker.Agent.is : Ignored.
C:\Documents and Settings\Cullin Moran\Local Settings\Temporary Internet Files\Content.IE5\D1QOFDNU\cqriqhchc[1].htm -> Hijacker.Agent.is : Ignored.
C:\WINDOWS\system32\tcpipmon.exe -> Hijacker.Agent.is : Ignored.
C:\hlvljisk.exe -> Hijacker.Agent.is : Ignored.
C:\Documents and Settings\Cullin Moran\Desktop\Cullin's Stuff\EvID4226Patch.exe -> Not-A-Virus.Hacktool.EvID : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts -> Proxy.Small : Ignored.
C:\WINDOWS\system32\protector.exe -> Proxy.Wopla.ac : Ignored.
C:\WINDOWS\system32\ntio256.sys -> Rootkit.Agent.cf : Ignored.
:mozilla.65:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.66:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.67:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.68:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
:mozilla.69:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@2o7[1].txt -> TrackingCookie.2o7 : Ignored.
:mozilla.88:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Adbrite : Ignored.
:mozilla.89:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Adbrite : Ignored.
:mozilla.20:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Adjuggler : Ignored.
:mozilla.21:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Adjuggler : Ignored.
:mozilla.90:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Advertising : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@advertising[1].txt -> TrackingCookie.Advertising : Ignored.
:mozilla.50:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Atdmt : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@atdmt[2].txt -> TrackingCookie.Atdmt : Ignored.
:mozilla.59:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Bluestreak : Ignored.
:mozilla.52:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored.
:mozilla.53:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored.
:mozilla.54:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored.
:mozilla.55:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored.
:mozilla.56:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Casalemedia : Ignored.
:mozilla.51:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Doubleclick : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@doubleclick[1].txt -> TrackingCookie.Doubleclick : Ignored.
:mozilla.22:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Falkag : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@ehg-ati.hitbox[2].txt -> TrackingCookie.Hitbox : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@hitbox[2].txt -> TrackingCookie.Hitbox : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Ignored.
:mozilla.49:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Mediaplex : Ignored.
:mozilla.26:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Ignored.
:mozilla.27:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Ignored.
:mozilla.57:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Questionmarket : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@questionmarket[2].txt -> TrackingCookie.Questionmarket : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@revsci[1].txt -> TrackingCookie.Revsci : Ignored.
C:\Documents and Settings\Cullin Moran\Cookies\cullin moran@edge.ru4[2].txt -> TrackingCookie.Ru4 : Ignored.
:mozilla.25:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Tribalfusion : Ignored.
:mozilla.72:C:\Documents and Settings\Cullin Moran\Application Data\Mozilla\Firefox\Profiles\gqay6hyv.default\cookies.txt -> TrackingCookie.Tribalfusion : Ignored.
C:\Documents and Settings\Cullin Moran\Local Settings\Temp\Temporary Internet Files\Content.IE5\I1YLM9MR\eyrab[2].htm -> Trojan.ProcKill.DJ : Ignored.
C:\Documents and Settings\Cullin Moran\Local Settings\Temp\Temporary Internet Files\Content.IE5\UFR52CT1\ylzqaoj[1].htm -> Trojan.ProcKill.DJ : Ignored.
C:\Documents and Settings\Cullin Moran\Local Settings\Temporary Internet Files\Content.IE5\D1QOFDNU\ylzqaoj[1].htm -> Trojan.ProcKill.DJ : Ignored.
C:\Documents and Settings\Cullin Moran\Local Settings\Temporary Internet Files\Content.IE5\O1OLGVWB\eyrab[1].htm -> Trojan.ProcKill.DJ : Ignored.
C:\Documents and Settings\Cullin Moran\Local Settings\Temporary Internet Files\Content.IE5\OAQXDNRG\mlzuyupgoe[1].htm -> Trojan.ProcKill.DJ : Ignored.
C:\eibkqlk.exe -> Trojan.ProcKill.DJ : Ignored.
C:\jiyywtxq.exe -> Trojan.ProcKill.DJ : Ignored.
C:\ybaxd.exe -> Trojan.ProcKill.DJ : Ignored.


::Report end

Hope that helps. Because I really need to get rid of this thing.

0

Click on Settings.[*]Under How to Act click on Recommended Action and choose Quarantine.

You need to read the instructions again and quarantine what is found instead of ignoring them.

Download HijackThis self-extracting zip version from here. Once downloaded, double click on the file & it will install into it's own, permanent folder.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

This too.

0

Oh I quarantined that. And I think it worked actually. My only question is, is it actually GONE or is it just... supressed?

0

If you take a look at the logfile you posted, every entry was ignored. You need to boot into safe mode again, run AVG anti-spyware, have it scan your system after applying the settings I advised.
I need to see the log produced and a log from hijackthis, that is, if you want to clean up your system :).

0

C:\WINDOWS\system32\protector.exe
C:\WINDOWS\system32\ntio256.sys

These two are a malware downloader and the FOOP Rootkit driver that protects it.

I am interested in seeing if AVG Anti-spy can remove it. The Legacy Reg Keys are a pain to remove.

Sp please do have AVG try to clean all it finds!

PP :)

0

I told it to clean all the stuff but the program is a demo so I don't know if it will work...

0

I told it to clean all the stuff but the program is a demo so I don't know if it will work...

If you follow crunchie's instructions on how to Run AVG Anti-spyware (with regard to Quarantine and Apply all Actions), it will try to clean those baddies.
If it is unable to clean the rootkit components, you may need more detailed assistance.
On the plus side, if AVG is detecting the rootkit, that is cause for optimism.

PP :)

0

I told it to clean all the stuff but the program is a demo so I don't know if it will work...

It is a fully functional program during it's trial, that is why it is recommended. When the trial is up, all you lose is the auto update and real-time protection functions.

Make sure you run it in safe mode too.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.