Web Protect infection path



My client swears she installed nothing since I was there last, and yet she had the Web Protect (monitorsvc.exe), SearchProtect and Rocket Tabs infections. I used Revo Uninstaller and of course they had no uninstaller programs, so it had to do the work, and then more work was needed to restore the machine. One of these installed its own proxy and set the machine to use their server. That's a pretty nasty concept, to have all her personal info sniffed upon by their servers.

 

Anyway, she plays Second Life Firestorm, and so I wonder if there is any way to get the infections through playing that game? I have no experience with it.

 

She had Avast! installed, but it caught nothing of these adware/malware programs. Their decision to uncheck PUP by default (and the detection rates and other reasons) had me leave them some years ago. She's a loyalist, but after this new install, forgot to check PUP detection.


  • Root Admin

Hello mistermarmot

 

Well, difficult to say after the fact. Typically through a game I'd doubt it. As part of a game installer itself, though, it's very possible.

 

I know it's probably over now and you may not be back out to see them, but we'd need logs to know what's going on.

 

At least for next time:

 

Please read the following and post back the 3 requested logs.
 
Diagnostic Logs
 
Thank you
 

 

 

Please download Security Check by screen317 from HERE or HERE.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • If you get "Unsupported operating system. Aborting now", just reboot and try again.
  • A Notepad document should open automatically called checkup.txt.
  • Please Post the contents of that document.
  • Do Not Attach It!!!


 

 

If at all possible, uninstall Java and try your best not to use it or install it, as it's probably the number one method of intrusion into the computer to infect it.

 

 

Also get and post back a full log from MBAM so we can see what it finds and how it's set up.

 

 

  • Please open Malwarebytes Anti-Malware and, from the Dashboard, check for updates by clicking the Update Now... link.
  • Open Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits. Under Non-Malware Protection, set both PUP and PUM to Treat detections as malware.
  • Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button. Remove any threats found.
  • Once completed, please click on History > Application Logs, find your scan log, open it, then click on the "copy to clipboard" button and post back the results in your next reply.
 

 

Cheers


I suspect there will be a next time, as this is the second time I've cleaned Rocket Tabs off her machine. The other two were new.

 

 

It's a matter of habit to send a file to VirusTotal, and I sent "Security Check" and it came back with 6 detections out of 54 scanners.
All false positives from the type of software it is, or does it contain some virus definitions?

https://www.virustotal.com/en/file/810f4b9d4f77b3100e4256059ae8f4c3fd0637bb0129a37b60d758ff77858a0f/analysis/1411030042/
 

Here is the AdwCleaner log after Revo removed most of it, as they had no uninstallers at all. Web Protect actually installs its own proxy .dll and sets the OS to proxy there. Having their servers sniff over her packets seems so dangerous, and worse than just a PUP classification for this program.
 

# AdwCleaner v3.310 - Report created 17/09/2014 at 19:29:40
# Updated 12/09/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Julie - JULIE-PC
# Running from : C:\Users\Julie\Downloads\adwcleaner_3.310.exe
# Option : Scan
 
***** [ Services ] *****
 
Service Found : ProtectMonitor
 
***** [ Files / Folders ] *****
 
File Found : C:\monitorsvc.exe
File Found : C:\Users\Julie\AppData\Roaming\Mozilla\Firefox\Profiles\zlsxabtv.default\user.js
Folder Found : C:\Program Files (x86)\RocketTab
Folder Found : C:\Program Files (x86)\SearchProtect
Folder Found : C:\Program Files (x86)\Web Protect
Folder Found : C:\Users\Julie\AppData\Local\RocketTab
 
***** [ Scheduled Tasks ] *****
 
Task Found : RocketTab Update Task
Task Found : RocketTab
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Data Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC32Loader.dll
Data Found : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs] - C:\PROGRA~2\SearchProtect\SearchProtect\bin\SPVC64Loader.dll
Key Found : HKCU\Software\RocketTabInstalled
Key Found : [x64] HKCU\Software\RocketTabInstalled
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17280
 
 
-\\ Mozilla Firefox v32.0.1 (x86 en-US)
 
[ File : C:\Users\Julie\AppData\Roaming\Mozilla\Firefox\Profiles\zlsxabtv.default\prefs.js ]
 
 
*************************
 
AdwCleaner[R0].txt - [1503 octets] - [17/09/2014 19:29:40]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1563 octets] ##########
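As an added example (not part of the thread, and not Malwarebytes', AdwCleaner's or Revo's code), here is a read-only PowerShell audit of the three persistence points the log above shows: the AppInit_DLLs value in both registry views (how the SearchProtect loader DLLs got into every process), the current user's WinINET proxy settings (the Web Protect proxy hijack), and services or scheduled tasks whose binary runs from outside Program Files or Windows (monitorsvc.exe sat in C:\). The "suspect path" rule is an assumption made for this example and will produce some benign hits; the script reports and changes nothing.

```powershell
# Added example, not from the thread. Read-only audit of the persistence points
# AdwCleaner reported above: AppInit_DLLs, the user's proxy, and services/tasks
# launched from unusual locations. Run from an elevated PowerShell prompt;
# nothing here modifies the machine.

$findings = @()

# 1. AppInit_DLLs. Every DLL listed here is loaded into every process that
#    loads user32.dll while LoadAppInit_DLLs is 1. Check both the native and
#    the WOW64 (32-bit) view of the key, as AdwCleaner did.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $appInitKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        if ($props.AppInit_DLLs) {
            $findings += New-Object PSObject -Property @{
                Check    = 'AppInit_DLLs'
                Location = $key
                Detail   = "$($props.AppInit_DLLs) (LoadAppInit_DLLs=$($props.LoadAppInit_DLLs))"
            }
        }
    }
}

# 2. WinINET proxy for the current user. A ProxyServer or AutoConfigURL the
#    user never set means browser traffic is being routed through someone
#    else's server, which is the behaviour described for Web Protect above.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey
if ($inet.ProxyEnable -eq 1 -or $inet.AutoConfigURL) {
    $findings += New-Object PSObject -Property @{
        Check    = 'Proxy'
        Location = $inetKey
        Detail   = "ProxyEnable=$($inet.ProxyEnable) ProxyServer=$($inet.ProxyServer) AutoConfigURL=$($inet.AutoConfigURL)"
    }
}

# 3. Services and scheduled tasks. Assumed rule for this example: an executable
#    that is not under \Windows\ or \Program Files (or the matching environment
#    variables) is worth a look. Expect some benign hits from third-party tools.
$expectedPaths = '\\Windows\\|\\Program Files|%windir%|%SystemRoot%|%ProgramFiles'

foreach ($svc in Get-WmiObject Win32_Service) {
    if ($svc.PathName -and $svc.PathName -notmatch $expectedPaths) {
        $findings += New-Object PSObject -Property @{
            Check    = 'Service'
            Location = $svc.Name
            Detail   = "$($svc.PathName) (State=$($svc.State), StartMode=$($svc.StartMode))"
        }
    }
}

# schtasks.exe also works on Windows 7, where Get-ScheduledTask does not exist.
# With /v it repeats the CSV header row per task folder, hence the TaskName filter.
$tasks = schtasks.exe /query /fo csv /v 2>$null | ConvertFrom-Csv
foreach ($task in $tasks) {
    $action = $task.'Task To Run'
    if ($task.TaskName -ne 'TaskName' -and $action -and
        $action -ne 'COM handler' -and $action -notmatch $expectedPaths) {
        $findings += New-Object PSObject -Property @{
            Check    = 'ScheduledTask'
            Location = $task.TaskName
            Detail   = "$action (Status=$($task.Status))"
        }
    }
}

$findings | Select-Object Check, Location, Detail | Format-Table -AutoSize -Wrap
```

Run against the machine in the log, this would have listed the two SPVC*Loader.dll AppInit entries, the Web Protect proxy, the ProtectMonitor service running C:\monitorsvc.exe, and the two RocketTab tasks, which is the same picture AdwCleaner gave but from the live registry and task store rather than from a signature list.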

  • Root Admin

The "Security Check" tool is not infected. Those are just generic detections, as they're not sure what it does. If you notice, all the major antivirus products (aside from McAfee) don't detect it as an issue. If you search Google you'll see the tool is used quite often. I come up with 2.1 million hits for the tool.

 

The AdwCleaner tool is not enough to tell what's really going on with the computer. The Security Check will try to show if old outdated plugins are installed or not.

 

A logging tool like FRST is typically what is needed to reveal more details of what's going on with the computer.

 

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please copy and paste it to your reply as well.


 


> The "Security Check" tool is not infected. Those are just generic detections, as they're not sure what it does. If you notice, all the major antivirus products (aside from McAfee) don't detect it as an issue. If you search Google you'll see the tool is used quite often. I come up with 2.1 million hits for the tool.

 

 

 

Yep, never claimed it was infected. Just curious about the kind of code in the product that sets off false positives.

 

Thanks for the advice, Mr Lewis.
