TechSpot

Help, virus

By rpcoleman7
Mar 31, 2008
Topic Status:
Not open for further replies.
  1. I received a virus around 4-5 days ago. Here are fresh logs. Please help :]
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Did you update and scan with the anti-virus program:

    Summary : Trojan.Media-Codec/V5.Process> is Trojan/Backdoor.
    Description : Software distributed with Smitfraud-type malware installations. May be responsible for downloading other software and launching pop-up advertisements for more rogue product downloads.
    Processes :
    SBMNTR.EXE (C:\Program Files\NetProject\sbmntr.exe)
    SBSM.EXE (C:\Program Files\NetProject\sbsm.exe)
    SBUN.EXE (may be hidden)
    SCIT.EXE (C:\Program Files\NetProject\scit.exe)
    WAUN.EXE (may be hidden)
    SCM.EXE (C:\Program Files\NetProject\scm.exe)
    SCU.EXE (may be hidden)
    SBMDL.DLL (C:\Program Files\NetProject\sbsm.exe)
    WAMDL.DLL (C:\Program Files\NetProject\wamdl.dll) > O3 - Toolbar

    ****Netprotect is the new name of a Zlob component installed with the VirusHeat rogue. It displays a fake Security Center window, hijacks Internet Explorer with a Security Toolbar and pops up fake alerts.****

    C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe
    Description: Added by the VirusHeat rogue anti-spyware program. VirusHeat is a rogue anti-spyware program installed onto your computer via Zlob Trojans without your permission.

    You also appear to have two Security Suites running:
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe> ccsetmgr.exe is a process associated with the Symantec Internet Security Suite

    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe> The ccevtmgr.exe process is installed as part of the Norton Internet Security Suite. ...
    and
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe> mcsysmon.exe. Product: McAfee VirusScan API ...

    Having two anti-virus programs results in a conflict that, contrary to "doubly protecting you", causes neither program to keep out infections.

    Your Java is outdated and insecure:
    C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
    You should have v6/u5 and all other versions should be uninstalled
    http://java.sun.com/javase/downloads/index.jsp

    Someone will officially review your logs and instruct you on removal. This is a head start for you.
     
  3. rpcoleman7

    rpcoleman7 TS Rookie Topic Starter

    Thanks

    Thanks man, do you know when anyone will help me out?
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    If you look at the threads on the Security Board, you'll see some very busy people! I know they will review your log as soon as they can.

    In the meantime, there are some things you can do with what I gave you:
    Get rid of one of the security suites. You are doubled up in AV program and firewall and that causes conflicts.

    Update your Java- that is one of your most insecure programs right now. Update to the newest, then go to the Control Panel> Add/Remove Programs and uninstall the earlier versions.

    Re: NetProtect and Virus Heat:
    Start> Run> type in 'msconfig' without quotes> enter> Selective Start-up> Startup tab> uncheck any processes for both of these using the list I gave you>> Apply> OK.

    Reboot> Close the nag message after checking 'don't show this message again'
    Then go to Add/Remove Programs in the Control Panel and uninstall NetProtect and Virus Heat.

    Once done, rescan with the AV program you kept. You will also have had to stop 'the other' suite so that you can follow the uninstall directions for it as well.

    This will not entirely clean the system, and some of these processes may balk when you try to remove them, but do what you can, let us know the results, then we'll likely have you do another HijackThis scan.
     
  5. kritius

    kritius TS Guru Posts: 2,087

    After Bobbye's suggestions, post a fresh HijackThis log for me.
     
  6. rpcoleman7

    rpcoleman7 TS Rookie Topic Starter

    Will do, I'm at work right now but when I get off I'll go produce a HJT log for ya and send it. Thanks :)
     
  7. kritius

    kritius TS Guru Posts: 2,087

    No problem. It's 12.40 here now so I'll look it over tomorrow for you.
     
  8. rpcoleman7

    rpcoleman7 TS Rookie Topic Starter

    Here is a fresh HJT log :]
     
  9. kritius

    kritius TS Guru Posts: 2,087

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally attach the Report.txt.

    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below(if still found after SDFix)
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O2 - BHO: (no name) - {6860A44B-5D3E-433D-A7B5-D517F810D0E7} - C:\Program Files\NetProject\sbmdl.dll (file missing)
    O3 - Toolbar: Internet Service - {DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40} - C:\Program Files\NetProject\wamdl.dll (file missing)
    O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
    O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing)
    O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing)

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary


    Delete Files and Folders
    • Right click on the Start button and choose Explore
    • Show all hidden files and folders, see how HERE
    • Navigate to the following files and folders and delete them(if still present)

    C:\Program Files\NetProject<---------This Folder

    • Empty the recycle bin.
    If that does not work then repeat the process in safe mode. See how to boot into Safe mode HERE.
    ***DO NOT USE MSCONFIG TO BOOT INTO SAFE MODE***



    Post a fresh HijackThis log for me after.
     
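The six entries kritius lists above are in HijackThis's one-line-per-item log format (section tag, " - ", then the registry location, CLSID and file or URL, with "(file missing)" appended when the registered file is gone). The following is an added example by the editor, not a HijackThis or TechSpot tool: it parses lines in that format and flags the indicators named in this thread (the NetProject and VirusHeat folders, the three CLSIDs, the iefixgate.com redirect, and the R0 start page forced to about:blank). The indicator lists, the benign Symantec O23 and Java O4 lines in the sample, and the `scan_log`/`fix_list` helper names are assumptions made for the example.

```python
"""Parse HijackThis-style log entries and flag the Zlob/NetProject indicators
named in this thread.  Example code added by the editor, not a TechSpot or
HijackThis tool; the indicator lists are an assumption built from the paths,
CLSIDs and URL quoted in the posts above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicators taken from the posts above (paths are matched case-insensitively).
SUSPICIOUS_PATHS = (r"c:\program files\netproject", r"c:\program files\virusheat")
SUSPICIOUS_CLSIDS = {
    "{6860A44B-5D3E-433D-A7B5-D517F810D0E7}",  # O2 BHO - sbmdl.dll
    "{DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40}",  # O3 toolbar - wamdl.dll
    "{9034A523-D068-4BE8-A284-9DF278BE776E}",  # O9 "IE Anti-Spyware" button
}
SUSPICIOUS_HOSTS = ("iefixgate.com",)

# HijackThis prefixes each entry with its section (R0, O2, O4, O23 ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class HjtEntry:
    kind: str
    body: str
    clsid: Optional[str]
    file_missing: bool  # HJT appends "(file missing)" to dangling registrations
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_entry(line: str) -> Optional[HjtEntry]:
    """Turn one log line into an HjtEntry, or None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    clsid_m = CLSID_RE.search(body)
    clsid = clsid_m.group(0).upper() if clsid_m else None
    entry = HjtEntry(kind, body, clsid, "(file missing)" in body)
    low = body.lower()
    for path in SUSPICIOUS_PATHS:
        if path in low:
            entry.reasons.append(f"path {path}")
    if clsid in SUSPICIOUS_CLSIDS:
        entry.reasons.append(f"clsid {clsid}")
    for host in SUSPICIOUS_HOSTS:
        if host in low:
            entry.reasons.append(f"host {host}")
    # An IE start page forced to about:blank is the R0 line the thread says to
    # fix; flag it only on R0 so the search-page (R1) entries are not touched.
    if kind == "R0" and "start page = about:blank" in low:
        entry.reasons.append("start page hijacked to about:blank")
    return entry


def scan_log(text: str) -> List[HjtEntry]:
    """Parse every entry line in a log; non-entry lines are skipped."""
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]


def fix_list(entries: List[HjtEntry]) -> List[str]:
    """Lines to tick in HijackThis 'Do a system scan only', in log order."""
    return [f"{e.kind} - {e.body}" for e in entries if e.suspicious]


# Constructed sample: the six lines kritius listed, plus two benign entries made
# up from paths the thread mentions (the Symantec O23 and Java O4 lines are assumed).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {6860A44B-5D3E-433D-A7B5-D517F810D0E7} - C:\Program Files\NetProject\sbmdl.dll (file missing)
O3 - Toolbar: Internet Service - {DB9FBA9D-AB1B-4CC6-9745-F3B549D64E40} - C:\Program Files\NetProject\wamdl.dll (file missing)
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\NetProject\scit.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iefixgate.com/redirect.php (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

if __name__ == "__main__":
    for e in scan_log(SAMPLE_LOG):
        mark = "FIX " if e.suspicious else "    "
        missing = "missing " if e.file_missing else ""
        print(f"{mark}{e.kind:<4}{missing}{'; '.join(e.reasons)}")
```

The "(file missing)" flag is kept separate from the suspicious flag on purpose: a dangling BHO or toolbar registration is what remains after SDFix deletes the DLL, so it is safe to fix in HijackThis, whereas an entry whose file is still present points at something that still has to be removed from disk (the NetProject folder step above).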
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Looks like the Java update was done. Good.

    But this wasn't: "Get rid of one of the security suites. You are doubled up in AV program and firewall and that causes conflicts."

    I still see both McAfee and Symantec.
     
  11. rpcoleman7

    rpcoleman7 TS Rookie Topic Starter

    Security Suites

    I attempted to get rid of the Symantec/Norton stuff but there were some files that would not allow me to delete them, giving me some sort of error about admins [I'm at work so I cannot check right now, but I can check in a few hours for you]. Is there anything specific I need to do to completely get rid of the suite?
     
     
  12. kritius

    kritius TS Guru Posts: 2,087

  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Make sure all the Symantec/Norton processes are disabled on startup before you use the Removal Tool. There are also several Services set to Automatic that have to be Disabled.

    For the Services: Control Panel> Administrative Tools> Services> right click> Properties on any Norton or Symantec Service> change the Startup type to Disabled, and you will have to be logged on as Administrator.

    kritius, I can't remember if the Removal Tool tells the user to do that first.
     