NIS-2008 - New virus/trojan not detected? "windows-privacy-protection.com"


Hi all,

My main desktop WinXP SP2 system (Dell 8400) seems to have been infected by a very nasty and persistent virus or trojan (I'm not sure yet just what it is), but my NIS-2008 first started detecting some intrusions, and then I made the mistake of rebooting, which probably further activated the beast and entrenched it in my system.

I think I picked up the d**n thing browsing a celebrity news website, or possibly the minniedriver.com (singer/songwriter/actress) website, not sure which, but the problems began very very shortly after visiting those sites.

After rebooting I immediately disabled my internet connection so it would not have access to download anything else, but it was already too late for me. The symptoms of the beast are these:

1. Yellow triangle pops up in the system tray saying I've been infected by spyware and should click on the triangle to "run a full system scan".

2. Large red-banner or blue-banner window pops up saying some virus or trojan has infected the system, window title says "Windows Security Center" for the blue-banner pop-up and "Windows Security Center system warning" for the red-banner pop-up. There is an underlined link on each one to supposedly "remove suspected threat" (blue-banner) or "Click here to visit Windows Security Center web site..." (red-banner). These links and the yellow triangle try to send me to "windows-privacy-protection.com", which seems to be a site selling some kind of security software (I didn't go there, just googled about it).

3. This thing is active even in Safe Mode! BOTH #1 and #2 continue while booted into Safe Mode (no networking).

Someone over on a Yahoo board reported the exact same problems as I am having, and got some good responses to help remove the beast, but everything I have tried has failed.

I am booted in Safe Mode, but NIS-2008 can't find anything. Spybot S&D 1.5.2 finds a bunch of CoolWWWSearch and other registry problems/browser helpers and even the disabling of Task Manager (I can't run Task Manager at all now), but even when I tell S&D to get rid of them, they are still there and S&D sees them again after a reboot to safe mode and re-scan. It's as if S&D was completely fooled that it did something but didn't actually do it.

I also ran SmitFraudFix, and it said it deleted a bunch of fraudulent files (the same ones that Spybot S&D found and supposedly deleted), but they are still there after another reboot to safe mode.

Even changing the Registry manually to try to just re-enable Task Manager does not work. As soon as I go away from the registry keys and come back to them, the disable value is reset to 1 again.

I'm at my wits' end here folks. This is a 6-year-old system with a *boatload* of software installed (both my spouse and I use the machine heavily), and I really, REALLY don't want to have to consider re-installing Windows and all that software. I will if I have to, but if there's ANY way not to have to do that I need to try it.

Any and all advice or info on how I can identify what this beast is and how I can get rid of it would be GREATLY appreciated.

Regards,

Peter


Stu wrote:

Let's try something.

  1. First go to SuperAntispyware
  2. Download and install it
  3. Update and run a full scan

Then

  1. Please download Malwarebytes. http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
  2. Install
  3. Update signatures
  4. Run a full scan

Please let us know

Stu,

Thanks for that response. I actually went over to majorgeeks.com and followed their detailed malware removal process (here: http://forums.majorgeeks.com/showthread.php?t=35407) and after almost 10 hours of scanning and running and booting I *think* my machine is finally clear of this nasty beast.

It was so bad it disabled the Task Manager and *actively* restored the registry settings controlling that whenever I tried to re-enable it. It even kept running itself in so-called "safe" mode.

Whatever this beast is, it is very virulent. A friend of mine just told me he has exactly the same monster on his desktop machine just from reading an email (though I don't know if he uses web mail or another mail client). I got mine just visiting a celebrity news website (celebritywonder.com) from a google search.

Superantispyware did seem to be the first necessary magic bullet to help kill the beast. After that the other steps in the majorgeeks tutorial were able to do their job and finally slay it. Malwarebytes also helped, along with a fresh install of Spybot S&D.

I am a bit disappointed that NIS-2008 wasn't able to block this thing from my machine, nor to even detect it when I ran a scan. NIS-2008 did give me some warnings and popups when the infection was starting, but it didn't stop it (though the history does show it stopped some of the blast of stuff that came down).

Thanks again for your response. I am going off to run a fresh backup before I get hit again.

Peter

Hi Peter

Great to hear you managed to kill the beast :smileywink:

Please don't be disappointed at Norton. This malware is one very dangerous piece of work which is changing rapidly. Unfortunately so rapidly that it is not easy to write all the signatures. There is no anti-virus that will catch them all.

 

Today I got infected with what you are describing. I don't remember what webpage I was on or what I clicked on. I don't recall it being anything sinister-looking. That is one nasty piece of malware! It hijacked my computer. Ctrl-Alt-Delete stopped working. It's still present in Safe Mode. The instant the infection started, a window popped up saying some Windows files had been overwritten, and asking if I want to reinstall the original Windows Files, prompting me to insert my XP install CD. I typed No, which in hindsight was probably not the right thing to do. It kept trying to take me to windows-privacy-protection.com.

There is discussion about this at http://answers.yahoo.com/question/index?qid=20080517175459AAqfZry

It appears to be called spysheriff. Or at least be similar to it.

I'm running XP. I have no patience for removing nasty infections like this. I rebooted, hit Ctrl-F11 to restore the Dell-installed Ghost partition and start over again. It took about half an hour to reinstall all my software, but I feel safer doing that, than taking chances with all this third-party spy remover software. I just wish I knew how I managed to get this thing, it is without question the worst hijacking I've ever had. Never lost my Ctrl-Alt-Delete before. Holy moly.

 

 

This Post is highlighted to Users who only Update on a four-day to a weekly-and-less timescale:

I hope this Post highlights how important it is to Update Daily (2006/2007/2008* Products); I would advise Setting LiveUpdate - if you have Automatic LiveUpdate On - to Run every few hours and to Set it to Express Mode. I also hope it highlights how important it is to Upgrade every year to the latest Norton Product and Running Full System Scans at least twice-a-week.

* - 2008 Norton AntiVirus, Virus Definitions are Updated a minimum of twice-a-day

Message Edited by Floating_Red on 06-15-2008 11:29 PM
Message Edited by Floating_Red on 06-16-2008 12:29 AM

I also had this infection. Went through all the steps in the majorgeeks solution referenced above. Seems to have removed it but my machine is left with one lingering issue. Whenever I login I get the error message "Error loading C:\Documents and Settings\.....\Temp\vtsqr.dll The specified module could not be found." Quick research found that vtsqr.dll is a trojan backdoor. This message was there before I was infected. Could this be part of the problem? What do I need to do to take care of this!

Thanks for any help!

Cathy
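Two things in this thread are worth checking for directly rather than by re-running scanners: the Task Manager policy value that Peter saw being reset to 1, and the "Error loading ...\Temp\vtsqr.dll" message Cathy gets at logon, which is the classic sign of an autorun entry left behind after a cleanup tool deleted the file it pointed to. The script below is an added example written for this page; it is not code from the thread, from Norton, or from the majorgeeks guide. It assumes a Windows host with PowerShell 3.0 or later (the XP machines in the thread predate that), it reads the real `DisableTaskMgr` and `DisableRegistryTools` policy values and the standard `Run`/`RunOnce` keys, and the `-Repair` switch and `Get-ReferencedPath` helper are this example's own names. Without `-Repair` it only reports.

```powershell
# Added example (not from the thread): audit the policy values that the rogue
# software kept resetting, and list autorun entries whose referenced module
# no longer exists (the "Error loading ...\Temp\vtsqr.dll" case).
# Assumes PowerShell 3.0+; run elevated so the HKLM keys can be read/changed.
param([switch]$Repair)

# Policy values an unmanaged home machine should not have set to 1.
$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$policyValues = @('DisableTaskMgr', 'DisableRegistryTools')

foreach ($path in $policyPaths) {
    if (-not (Test-Path $path)) { continue }
    $item = Get-ItemProperty -Path $path
    foreach ($name in $policyValues) {
        $prop = $item.PSObject.Properties[$name]
        if ($null -ne $prop -and $prop.Value -eq 1) {
            Write-Output "[!] $path\$name = 1 (Task Manager / Registry Editor disabled by policy)"
            if ($Repair) {
                Remove-ItemProperty -Path $path -Name $name
                Write-Output "    removed $name"
            }
        }
    }
}

# Autorun keys that produce "Error loading <module>" at logon when the file
# they reference is gone but the registry entry was left in place.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: pull the first .dll/.exe path out of a command line such as
#   rundll32.exe "C:\Documents and Settings\user\Local Settings\Temp\vtsqr.dll",Entry
function Get-ReferencedPath([string]$commandLine) {
    $expanded = [Environment]::ExpandEnvironmentVariables($commandLine)
    $m = [regex]::Match($expanded, '(?i)"?([a-z]:\\[^",]+?\.(?:dll|exe))"?')
    if ($m.Success) { return $m.Groups[1].Value }
    return $null
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
        if ($p.Name -like 'PS*') { continue }
        $target = Get-ReferencedPath ([string]$p.Value)
        if ($target -and -not (Test-Path -LiteralPath $target)) {
            Write-Output "[!] $key\$($p.Name) -> $target (file missing; orphaned autorun entry)"
            if ($Repair) {
                Remove-ItemProperty -Path $key -Name $p.Name
                Write-Output "    removed $($p.Name)"
            }
        }
    }
}
```

Run it once without `-Repair` and read the output before removing anything. A finding under the policy key means something other than you set it, since Windows does not set those values on its own; a missing-file finding under a Run key is harmless to remove, because the entry can no longer load anything. The script covers only the Run and RunOnce keys; the "Error loading" message can also come from Winlogon Notify packages, AppInit_DLLs, and browser helper objects, which a tool such as Sysinternals Autoruns enumerates in full.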

I got this virus too, and I feel like an idiot for falling for it. I was deleting music I didn't need anymore and found this folder for this rap album and it had a file that said 'bonus album extracts itself' so I clicked on it and my McAfee said it detected a trojan as soon as I clicked the file. Got rid of it, deleted the folder but then this report came up saying my computer was being hacked or whatever. So I followed to the site and like an idiot downloaded the file, I should have known something was up when it didn't have a price or when it didn't say where the 'top reviews' for the product came from. And it was hell trying to get rid of it. I went to the Geek forum, but after I rebooted my computer after some of the steps when I logged back on it wouldn't let me come to this forum or the Geek forum, and instead just displayed a 'page not found error'. I had to go through yahoo search the URL of this site and majorgeek, and cache it from yahoo just to see the pages, and when I clicked on the URLs sometimes all these popups would come up. It just got ridiculous so I just went to my system tools and went to a restore point before the file got on my computer and that seemed to have fixed everything. And now I'm running my virus scan to make sure nothing is still on here.
