Purging System Protection


dborba


My problems began last night. I was attempting to find a program I had 5 or so years ago. Since I couldn't locate it within my backups, I turned to the web. After 30 minutes of fruitless googling, I stumbled upon it. The source was questionable, but being rather frustrated I downloaded it anyway. After a quick, warning-free scan, I decided it would be okay to use it. Big mistake =\ - I have never had a Windows install go this bad before. (This is on a Windows XP install.)

Shortly after the execution of the program (which did nothing - setting off all types of alarms in my mind), I got a stand-alone pop-up window saying my system was at risk and requesting me to install "System Protection." The dialog had an OK & Cancel option. When I clicked Cancel, the "install" began anyway - showing a progress bar & details under it claiming it was downloading and installing System Protection. I clicked Cancel under the progress bar - which made the window invisible for about 2 seconds before it was restored at the same point it was before.

Shortly before the "install" finished, Spybot S&D alerted me of a process that is considered a threat, so I told it to terminate it & delete the malicious file. At this point I opened the Spybot main window, ran an update & started googling "system protection." After the update, Spybot S&D crashed & would no longer start up. At the same time, the "install" finished & System Protection claimed to be scanning my system. I closed it out & it warned me it had found 9 problems & that I should purchase the full version to fix them - I ignored the dialog & clicked Cancel. I opened Task Manager & started killing all types of processes - including a number of suspicious ones like "scvhust" (note it's spelled with a U instead of an O), b.exe & c.exe and a few others. This doesn't seem to help Spybot S&D however.

Meanwhile, Google suggested "system protection" + "virus" - which landed me on a few different oldish posts on "system protection." A few were clearly outdated, dating over a year ago & with screenshots that didn't match the screens I had seen for "system protection." Nonetheless, I looked at the files that were associated with the problem and tried to locate them on my system. The great majority of them weren't to be found, except for a "system protection" folder under %programfiles% and a start menu entry, both of which I was able to delete. One of them suggested I should grab mamb, close everything out, and run it to automatically fix the problems. At that point I was able to access the mamb site, download and install the application. Upon execution, the update caused a weird error & froze the application. After that I could no longer open mamb - I'd get a system error saying the file was not accessible & that maybe I didn't have enough permission. I quickly reinstalled it, and once again it opened up - this time I tried to simply do a scan without an update - 2 seconds into the scan the program terminated, and once again I could no longer open it due to the previous error.

Getting pissed, I decided to restart the system in safe mode w/ networking - figuring whatever was screwing with things would not start up & I'd be able to run spyware removal software and get rid of the thing. I tried Spybot, which wouldn't open. I tried mamb, got the error accessing the file, reinstalled it & once again it crashed on me during the scan. Checking the processes, nothing suspicious was visible - just the usual Windows stuff. Checking the services, there were only about 10 of them, all claiming to be from Microsoft. More frustrated than ever, I opened Firefox to try and find out more about this unexpected plague. When I tried to grab other malware removal utilities, or visit the Malwarebytes forum, my browser was redirected to relatively random websites - like random YouTube videos or sites for domain names for sale. Since Google was working, I started using Google's cached pages to access the sites indirectly. After a few queries, I started running into a few entries in this forum, and others, with people who had run into the same or a similar problem.

With those posts in hand, I went to work. I tried reinstalling mamb & renaming it - which yielded the same results as before. I wasn't able to find a source on the web to download HijackThis from which my browser was not blocked - when I grabbed it through a different computer & used a pen drive, HijackThis failed to run. I then tried the instructions for ComboFix from one of the posts - trying a few different ways, all of which ended with ComboFix telling me it was compromised & deleting itself.

Then I found out about SDFix. Following directions, I had it extracted to c:\SDFix - and ran the appropriate bat file. It closed out Explorer, and began running in a command prompt as expected. I chose to proceed, and it began scanning the system. After a while, the prompt window simply closed out & the system halted. I wondered if I had missed anything it did or said, so I opened Task Manager and verified it was no longer running. Since it wasn't, I started Explorer again. On the desktop there was a single log file - "catchme.log" with contents as follows:

file copied: C:\WINDOWS\system32\user32.dll -> C:\WINDOWS\system32\dllcache\user32.dll ( 578560 bytes )

I went back to SDFix's folder, which is now populated with a countless number of text files, a few new exes & a backup folder. This is where I am at now - it was late at night & I got pissed, so I tried nothing after that. All these issues are on my laptop - conveniently it has a few different OSs on it, and I have 2 desktops at home. Currently I am using Ubuntu on the infected laptop to post.

How do you guys suggest I proceed? I am not wholly opposed to reformatting except for the time consumption factor & the fact that I need the laptop for daily use - so I'd rather have a fix until I have the appropriate time to properly redo the windows install.

Hope the post isn't very confusing or overwhelming.

Thanks,

dborba
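Two of the indicators in the post above are cheap to check on any process listing: a name that is one or two edits away from a real Windows binary (scvhust vs svchost) and one- or two-letter image names (b.exe, c.exe). The script below is an added triage example, not code from the poster or from any of the tools mentioned; the system-name list and the `tasklist`-shaped sample are constructed assumptions.

```python
"""Triage helper: flag process names in a Windows `tasklist` dump that mimic
system binaries or are suspiciously short, the two patterns the poster saw."""

# Assumption: a short, non-exhaustive set of genuine Windows XP image names.
KNOWN_SYSTEM = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "explorer.exe", "services.exe", "smss.exe", "spoolsv.exe"}

def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so 'scvhust' is 2 edits from 'svchost'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def triage(tasklist_text, max_edits=2):
    """Return [(image, pid, reason)] for entries worth a closer look."""
    flagged = []
    for line in tasklist_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[1].isdigit():
            continue  # header, separator or blank line
        image, pid = parts[0].lower(), int(parts[1])
        if image in KNOWN_SYSTEM:
            continue  # exact system name; a path or hash check would go here
        stem = image[:-4] if image.endswith(".exe") else image
        if len(stem) <= 2:
            flagged.append((image, pid, "very short image name"))
            continue
        for legit in sorted(KNOWN_SYSTEM):
            if osa_distance(stem, legit[:-4]) <= max_edits:
                flagged.append((image, pid, "lookalike of " + legit))
                break
    return flagged

# Constructed sample in the shape of `tasklist` output on Windows XP.
SAMPLE = """Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    884 Console                    0      4,120 K
scvhust.exe                   1544 Console                    0      2,308 K
b.exe                         1620 Console                    0      1,988 K
c.exe                         1628 Console                    0      1,976 K
explorer.exe                  1312 Console                    0     18,440 K
"""

if __name__ == "__main__":
    for image, pid, why in triage(SAMPLE):
        print(f"{image:<14} pid {pid:<5} {why}")
```

A flagged name is a lead, not a verdict: confirm it by checking the image path and a hash of the file against a known-good copy before killing anything.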
