eprotect.com, VirusBursters and more are eating away at my laptop

Discussion in 'Malware Help (A Specialist Will Reply)' started by gotide69, Nov 17, 2006.

  1. gotide69

    gotide69 Private E-2

    A virus, or more likely spyware, has hijacked my browser on my laptop. I have scanned with Microsoft, 4 different spyware programs and Symantec. Symantec found a virus and deleted it. The other programs found various issues and deleted them. However, every time I open a browser it hijacks the homepage and goes to eprotect.com. That site says I need protection against spyware and viruses and a popup comes up to ask me if I want to download it.

    Also, VirusBursters was installed. I have uninstalled it, but I think it is still there. They installed a toolbar which I cannot uncheck. They are on my desktop and in my favorites. I have attempted to uninstall a codec 4 program from the control panel which looks like the culprit. But it tells me every time that I have to restart my computer BEFORE uninstall. I tried to delete it from the c program files and of course it says another program is using it and it cannot be deleted.

    It is actually preventing me from going to some websites, using a fake "Internet Explorer cannot find the site" type of page with a link to their antivirus website.

    I have since followed all of the steps in the spyware removal thread. A lot of worms and such showed up. Some were deleted, others were not. But all of the issues described above still exist.

    I am thinking about resetting this computer anyway. Now that I use the desktop for all of my vital work, I don’t need the stuff that is on my laptop from way back. Is that where I am headed here, or is this fixable?

    I'll attach everything requested. Since I am a rook... I hope it's all you need the way you need it. Thanks for your efforts.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You did not attach the GetRunKey and ShowNew logs requested in the READ & RUN ME. However, do not attach them right now. I will ask for them at the end of the below procedure.

    Is your copy of Spyware Doctor a paid or free trial version?

    I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.


    Now attach new logs from:
    • GetRunKey
    • ShowNew
    • HJT
    How are things working now?
     
  3. gotide69

    gotide69 Private E-2

    Post coming next with HJT attachment
     


  4. gotide69

    gotide69 Private E-2

    Hello. Thank you for your help! The computer seems to be back to normal!

    You guys are amazing. I have attached the rest of the files for your review.

    To answer one of your questions, I have the pay version of spyware doctor. I've had it for 2 years. I'm wondering if I should renew or not, as adaware is catching much more than spyware doctor. Also, this infection happened with spyware doctor and symantec running, so I am wondering which programs are the best to have.

    Also, I have been a user of MajorGeeks.com for about two years, on the recommendation of my IT guy at the office. I just got a password when the computer showed up infected and I saw your forum offered the help. What a wonderful service you are doing, apparently on your free time. I don't know how to repay you.

    Thank you again!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, your version of Spyware Doctor is not current. The current version is well into the 4.0 range and your installed version appears to be 3.5 according to your log. Thus you are really out of date with it. It is a good program but like all programs it does not block, find or remove many of the current forms of malware. If they did, this forum would not exist. Since you have a paid version, you should uninstall Windows Defender to avoid conflicts and excessive use of system resources.

    We still have some more to clean up from the infection and while we are at it we will fix some other miscellaneous non-malware issues. However, you may not find some of what I list to delete since it appears you did not follow my directions in the order given. You seem to have attached ShowNew and GetRunKey logs from before running SmitFraudFix rather than after running it.


    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_06
    Perfect Codec 4.0 <--- this is malware! Part of what we were fixing!

    Now locate and delete the below (if they still exist):
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
    C:\Documents and Settings\All Users\Desktop\Online Security Guide.url
    C:\Program Files\NoAdware4 <--- the whole folder since this is not installed anymore
    C:\Program Files\Perfect Codec <--- the whole folder. This is malware
    C:\Program Files\VirusBursters <--- the whole folder. This is malware
    c:\windows\STWSI <--- the whole folder. This is malware

    Now attach a new log from ShowNew
     
  6. gotide69

    gotide69 Private E-2

    I uninstalled the below old versions of software:
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_06

    After uninstalling J2SE update 9 a balloon came up in my lower right hand tray offering a Java update. It was J2SE Runtime Environment 5.0 Update 9. Do I reinstall?

    I could not find Perfect Codec 4.0 anywhere. When I widened my search to just codec, 83 files came up. None close to Perfect Codec 4.0.

    I also could not locate these four files:

    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
    C:\Documents and Settings\All Users\Desktop\Online Security Guide.url
    C:\Program Files\Perfect Codec
    C:\Program Files\VirusBursters

    I uninstalled these two files:

    C:\Program Files\NoAdware4
    C:\windows\STWSI
     


  7. gotide69

    gotide69 Private E-2

    Also, before I uninstall Windows Defender, my Spyware Doctor yearly payment is due. Do you recommend it over Defender?
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that! I was supposed to remove the J2SE Runtime Environment 5.0 Update 9 from the middle of that list. Yes! You need to reinstall update 9 which is the current version. You can also get it here: Sun Java Runtime Environment but it looks like you already have it based on your newfiles.txt log.


    In my previous message I did tell you that you may not find some items since your logs were obtained in the wrong order.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, uninstall Windows Defender and keep Spyware Doctor but make sure you install the current program version along with updates.
     
  10. gotide69

    gotide69 Private E-2

    I saw it. I just was confirming that those were not there. Do you have an opinion on Defender vs Spyware Doctor?

    Thank you again for all of your help.
     
  11. gotide69

    gotide69 Private E-2

    Oops! I posted the above as you replied. Thank you for your opinion... and helping me recover my laptop.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    7. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
