Help removing virprotect pop-up

Discussion in 'Malware Help (A Specialist Will Reply)' started by clozano67, Dec 9, 2007.

  1. clozano67

    clozano67 Private E-2

    SmitFraudFix v2.258

    Scan done at 23:06:05.18, Sat 12/08/2007
    Run from C:\Documents and Settings\Chris\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\SVA Player\SVAPLAYER.EXE
    C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Cookie Washer\aolwasher.exe
    C:\Program Files\AWS\WeatherBug\Weather.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
    C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\Program Files\Microsoft Money\System\urlmap.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\rldyt.dll FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Chris


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Chris\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Chris\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{b0883848-1466-4470-a418-3fe7d36694b9}"="bemocked"

    [HKEY_CLASSES_ROOT\CLSID\{b0883848-1466-4470-a418-3fe7d36694b9}\InProcServer32]
    @="C:\WINDOWS\system32\rldyt.dll"

    [HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{b0883848-1466-4470-a418-3fe7d36694b9}\InProcServer32]
    @="C:\WINDOWS\system32\rldyt.dll"



    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Intel(R) PRO/100 VE Network Connection #2 - Packet Scheduler Miniport
    DNS Server Search Order: 15.60.103.1
    DNS Server Search Order: 15.60.103.2

    Description: Intel(R) PRO/100 VE Network Connection #2 - Packet Scheduler Miniport
    DNS Server Search Order: 68.87.76.178
    DNS Server Search Order: 68.87.78.130

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{01441227-C9EC-40A1-B872-E75B018C63DE}: DhcpNameServer=68.87.76.178 68.87.78.130
    HKLM\SYSTEM\CCS\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: DhcpNameServer=15.60.103.1 15.60.103.2
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{01441227-C9EC-40A1-B872-E75B018C63DE}: DhcpNameServer=68.87.76.178 68.87.78.130
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: DhcpNameServer=15.60.103.1 15.60.103.2
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{01441227-C9EC-40A1-B872-E75B018C63DE}: DhcpNameServer=68.87.76.178 68.87.78.130
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{01D1C6CD-6D44-46B6-BA89-10155A459FBE}: DhcpNameServer=15.60.103.1 15.60.103.2
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.78.130


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  2. abri

    abri MajorGeek

    Hi Clozano67!
    Welcome to Major Geeks!

    SmitFraud Fix is usually run in two parts and we ask that you attach the log from the first part before running the second part. If you've finished both parts already, please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide


    abri
     
  3. clozano67

    clozano67 Private E-2

    Completed steps 1 and 2. Here is the rapport file. I had to call it rappart2 since I already had an earlier file.
     


  4. abri

    abri MajorGeek

    Hi clozano!

    Please continue with the READ & RUN ME link I posted to you in Post Number 2. SmitFraud Fix was able to remove some things, but not everything. As you work through the instructions, watch for those specific to your operating system. The scans don't take too long and the logs they produce help us to determine how to proceed with helping you with your computer.

    abri
     
