Author Topic: "Privacy Protection" scam and disabling of avast,etc.  (Read 15996 times)


Offline choirgirl1

  • Jr. Member
  • **
  • Posts: 24
"Privacy Protection" scam and disabling of avast,etc.
« on: November 26, 2011, 10:15:17 AM »
I hope someone can help me.
"Privacy Protection" program has invaded my laptop and has disabled Avast and MalwareBytes. When trying to open those programs it says the file is infected with a WIN32 Blaster Worm. It got rid of my Avast shortcut and replaced it with one of its own (masquerading as a windows icon) and won't even let me open the virus programs from the start menu. It has a fake firewall warning with "block" and "allow" buttons that I'm afraid to close in case I activate something. It does not show up in the programs list (though I found it interesting that, while experimenting, it would have let me remove Quicktime, but not Paretologic) and will not let me use the tskmgr either.

I tried looking it up, but the only removal advice seems hopelessly involved, and I don't trust it anyway! Is there a reasonable, reliable fix for this? Or should I take it to the Geek Squad? I have work on it quite sensitive and need to be able to safely use it as quickly as possible. My OS is Win XP Pro 64 v2003, service pack 2.

I read somewhere that, on start up, all hell breaks loose, so I'm afraid to turn my computer off. I hope you can help (Avast senior member please!) Thank you!!

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: "Privacy Protection" scam and disabling of avast,etc.
« Reply #1 on: November 26, 2011, 11:12:57 AM »
Hi choirgirl1,

Since it's an XP 64bit system the tools we will be able to use may be limited. Let's take a look at what's going on.

Download OTL to your desktop.
  • Double click on OTL.exe  to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • Check the boxes beside LOP Check and Purity Check.
  • In the window under Custom Scans/Fixes copy and paste the following

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
%USERPROFILE%\..|smtmp;true;true;true /FP
%temp%\smtmp\*.* /s
/md5start
iexplore.*
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
consrv.dll
/md5stop



  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

If the posts seem too long you can attach them.

Offline choirgirl1

Re: "Privacy Protection" scam and disabling of avast,etc.
« Reply #2 on: November 26, 2011, 11:06:52 PM »
Thank you for your response oldman.

I'm a little confused though - you say to download the OTL to my desktop - which is the computer I'm using now to talk to you. My laptop is the infected computer and I ended up turning it off as the viral program wouldn't allow the screensaver to run. Do I download the OTL to my laptop? And should I start it in SAFE mode? If so, can I save the OTL to a travel drive and download it in safe mode on my laptop? (I'm not familiar with using safe mode)

Thanks so much for your help!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37591
  • Not a avast user
Re: "Privacy Protection" scam and disabling of avast,etc.
« Reply #3 on: November 27, 2011, 01:38:44 AM »
you must of course download and run OTL on the infected computer    ::)



Definition
desktop:  http://searchwinit.techtarget.com/definition/desktop

Definition
desktop computer:  http://searchenterprisedesktop.techtarget.com/definition/desktop-computer

Offline choirgirl1

Re: "Privacy Protection" scam and disabling of avast,etc.
« Reply #4 on: November 27, 2011, 01:47:23 AM »
Okay...now I feel silly.  :-[ But should I go ahead and start up like normal? Or Safe mode? This program seems to debilitate everything before it gets started.

Offline Pondus

Re: "Privacy Protection" scam and disabling of avast,etc.
« Reply #5 on: November 27, 2011, 01:52:28 AM »
try Normal, if no success try safe mode

Oldman and/or Essexboy will be back in here and help you tomorrow.....
well tomorrow is already 2 hours old over here  ;D

Offline choirgirl1

Re: "Privacy Protection" scam and disabling of avast,etc.
« Reply #6 on: November 27, 2011, 02:05:21 AM »
Thanks so much. I'll try it right now  :D

Offline choirgirl1

Re: "Privacy Protection" scam and disabling of avast,etc.
« Reply #7 on: November 27, 2011, 02:11:57 AM »
The Program is not allowing the OTL to open or run (says it also has the worm)  :-\

Offline Pondus

Re: "Privacy Protection" scam and disabling of avast,etc.
« Reply #8 on: November 27, 2011, 02:25:22 AM »
you mean avast...right click avast tray icon and disable for 10min

Offline choirgirl1

Re: "Privacy Protection" scam and disabling of avast,etc.
« Reply #9 on: November 27, 2011, 02:28:40 AM »
I've been trying to follow oldman's instructions with his OTL download. And one of the first things the malicious thing did was get rid of all Avast icons and won't let the program open from anywhere...

Offline choirgirl1

Re: "Privacy Protection" scam and disabling of avast,etc.
« Reply #10 on: November 27, 2011, 02:29:44 AM »
*By "malicious thing" I mean the invading program, not OTL!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: "Privacy Protection" scam and disabling of avast,etc.
« Reply #11 on: November 27, 2011, 02:38:33 AM »
The Program is not allowing the OTL to open or run (says it also has the worm)  :-\

you mean avast...right click avast tray icon and disable for 10min

I've been trying to follow oldman's instructions with his OTL download. And one of the first things the malicious thing did was get rid of all Avast icons and won't let the program open from anywhere...

*By "malicious thing" I mean the invading program, not OTL!

I think choirgirl1 is talking about Privacy Protection, Pondus. ;)

try Normal, if no success try safe mode
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline Pondus

Re: "Privacy Protection" scam and disabling of avast,etc.
« Reply #12 on: November 27, 2011, 02:42:53 AM »
OK i guess you need to kill the running malware process before you can run it...and we have a program that can do that...but i suggest you wait until Oldman or Essexboy is back here to do that...


Offline choirgirl1

Re: "Privacy Protection" scam and disabling of avast,etc.
« Reply #13 on: November 27, 2011, 02:51:36 AM »
Thanks Pondus - do you know about what time GMT he comes on? We're 8 hours ahead. I'll try to stay near the computer as late as I can. And thank you Donovansrb10 for your clarification...it's getting a bit confusing!

Offline !Donovan

Re: "Privacy Protection" scam and disabling of avast,etc.
« Reply #14 on: November 27, 2011, 02:57:20 AM »
Thanks Pondus - do you know about what time GMT he comes on? We're 8 hours ahead. I'll try to stay near the computer as late as I can. And thank you Donovansrb10 for your clarification...it's getting a bit confusing!
No Problem. ;)
« Last Edit: November 27, 2011, 03:09:41 AM by Donovansrb10 »