Win32/Protector.C
Win32/Protector.C is a virus that is deliberately encrypted to conceal itself from antivirus programs and to infect a computer without being detected. Win32/Protector.C can block the infected computer's Internet access by modifying the configuration of the Internet browser. The virus spreads locally by infecting system files and executable files that it can access over shared network drives. It will also attempt to connect to a remote computer and download additional malware.
Damage Level: High
Systems Affected: Windows 9x, 2000, XP, Windows Vista
Characteristics
Distribution
Win32/Protector.C spreads through a number of means ordinarily employed by other similar threats. Malicious links have also been observed directing victims to a Trojan download page. These links reach users via spam email messages, instant messaging applications and malicious blogs that cover the most recent issues.
Additionally, the authors deliberately spread the Trojan by uploading a copy to file-sharing networks under a file name that makes the virus executable look like an installer for a popular program.
How to Remove Win32/Protector.C
1. Temporarily disable System Restore (Windows Me/XP).
2. To be able to identify even the most recent variant of Win32/Protector.C, open your antivirus application and update the virus definition file.
3. Start Windows in Safe Mode with Networking.
- From a power-off state, turn on the computer and press F8 on your keyboard repeatedly.
- Your computer will display the Windows Advanced Boot Options menu. Select Safe Mode with Networking.
- The system will now boot Windows and load only the necessary drivers and files.
4. Open your antivirus program and run a full system scan. After the scan, delete all infected items. If an item cannot be deleted, place it in quarantine instead. Once the scan is complete, proceed with the next step.
Scan with Norton Power Eraser:
An additional virus removal tool such as Norton Power Eraser provides deep scanning technology to eliminate other threats not detected by a normal virus scan. Use this tool with extra caution.
5. Go to the Norton Power Eraser web page and download the tool.
6. Once the download completes, double-click the file NPE.exe to run the program.
7. It will prompt you with the End User License Agreement; click Accept to continue.
8. On the NPE main window, click Scan. Then select Exclude Rootkit Scan. Click Continue to proceed.
9. Virus scanning may take some time. After running the scan, NPE will display the scan result.
Important! If there are any detected threats under Suspicious, remove the check mark. Only threats in the Detected category need to be removed at this point. Make sure that you mark Create System Restore Point before proceeding with the fix.
10. Now click Fix to start removing the threats, including Win32/Protector.C remnants if there are any.
11. When done, Norton Power Eraser will restart the computer. After the reboot, it will initialize and display the eliminated threats.
12. You may now close Norton Power Eraser.
bresgib
Oct 01, 2009 @ 23:39:32
Our company was just attacked by Win32/Protector. It has taken 8 days to get rid of this virus from 200 PCs
Here is some advice from our experience
If you think you are infected with this virus first thing to do is
• Pull all servers off the network as this virus will spread through your company so fast you won’t believe it
• Ban USB thumb sticks, USB cameras or anything that can carry data from one PC to another
Before I recommend programs we found to be the best let me just say that the antivirus we found the worst of all the programs was ESET Nod 32
This program was useless against this virus. It was so bad that we have removed it from all our PCs and replaced it with a free antivirus
• I would recommend these programs
Malwarebytes hxxp://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol
SuperAntiSpyware hxxp://download.cnet.com/SuperAntiSpyware-Free-Edition/3000-8022_4-10523889.html?tag=mncol
AD-Aware
hxxp://download.cnet.com/Ad-Aware-Anniversary-Edition/3000-8022_4-10045910.html?tag=mncol
Spybot
hxxp://download.cnet.com/Spybot-Search-amp-Destroy/3000-8022_4-10122137.html?tag=mncol
Ccleaner
hxxp://download.cnet.com/ccleaner/?tag=mncol
And last but not least AVG free hxxp://download.cnet.com/AVG-Anti-Virus-Free-Edition/3000-2239_4-10320142.html?tag=mncol
After you have downloaded all of the above
Install all programs on all PCs
Update all programs on all PCs
After this update Windows to all the latest patches and service packs
Now you’re ready to fight this virus
• Disconnect all PCs from the network
• Turn off system restore
• Delete browsing history in IE/Firefox and so on
• Run disk clean up
• Run ccleaner (2 or 3 times till it stops cleaning files )
• Run the reg tool in ccleaner (2 or 3 times till it stops cleaning files )
• Boot into safe mode
• Scan with AVG
• Reboot the system and boot into normal mode and wait 5 to 10 minutes and give it a chance to regenerate itself
• Restart the PC into safe mode
• Scan with Ad-Aware
• Reboot the system and boot into normal mode and wait 5 to 10 minutes and give it a chance to regenerate itself
• Restart the PC into safe mode
• Scan with Spybot
• Reboot the system and boot into normal mode and wait 5 to 10 minutes and give it a chance to regenerate itself
• Restart the PC into safe mode
• Scan with SuperAntiSpyware
• Reboot the system and boot into normal mode and wait 5 to 10 minutes and give it a chance to regenerate itself
• Restart the PC into safe mode
• Scan with Malwarebytes
• Repeat the above steps until you get a clean scan with all programs
Remember only scan with one program at a time
After you get a clean scan with all programs in safe mode
Reboot the PCs and leave for about an hour doing nothing this will allow the virus to regenerate
Run through the scans in safe mode again till you get clean scans again
If you are getting clean scans at this stage don’t let that fool you keep going till you get to scan with all programs
Then start up in normal mode and scan with all 5 programs until you get clean scans from all programs
Reboot between scans
At this stage you should be well on the way to being clean
At this stage you could connect back to the network (1 PC at a time)
Now update all 5 programs
Disconnect from network again
Scan with all programs again reboot between scans
At this stage you can connect to the network again
I would strongly recommend running 2 scans with at least 2 programs per day for about 2 weeks after you have cleaned the virus
As I have found that this virus can regenerate itself after a full week of clean scans
HOW THIS VIRUS AFFECTED OUR COMPANY
At first we had intermittent internet access problems
It also caused our Leased Line to go down intermittently
When we pinged our default gateway we lost pings intermittently
When we set up ping tests to our external address from an external address it caused pings to drop intermittently
Also the pings to the external address started to take longer and longer to reply
It started to reply at over 100ms and after a while pings took over 1000ms to reply
Also tracert started losing too hops before it finally reached our router (this happened so much that we blamed our ISP. Sorry guys)
I hope someone found this helpful
And I don’t envy anyone faced with the job of removing this from a big network
If you are faced with this challenge brace yourself for some long days and some longer nights
And best of luck
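The network symptoms described in the comment above (intermittent ping loss to the gateway, replies climbing past 100ms and then past 1000ms) can be checked per host from saved ping output. The following is an added example, not part of the original post or comment: it parses Windows `ping` output and flags loss and latency against those two thresholds. The log lines and the address 192.0.2.1 are constructed sample data, and the function name is hypothetical.

```python
import re

# Windows ping reply line, e.g. "Reply from 192.0.2.1: bytes=32 time=12ms TTL=64"
REPLY = re.compile(r"Reply from \S+: bytes=\d+ time[=<](\d+)ms")
TIMEOUT = "Request timed out."

# Constructed sample (not from the page): a gateway ping log that degrades
# the way the comment describes.
SAMPLE_LOG = """\
Reply from 192.0.2.1: bytes=32 time=4ms TTL=64
Reply from 192.0.2.1: bytes=32 time<1ms TTL=64
Reply from 192.0.2.1: bytes=32 time=130ms TTL=64
Request timed out.
Reply from 192.0.2.1: bytes=32 time=480ms TTL=64
Request timed out.
Reply from 192.0.2.1: bytes=32 time=1200ms TTL=64
Reply from 192.0.2.1: bytes=32 time=1450ms TTL=64
"""

def summarize(log_text, warn_ms=100, crit_ms=1000):
    """Return loss and latency figures for one host's ping log."""
    rtts, lost = [], 0
    for line in log_text.splitlines():
        match = REPLY.search(line)
        if match:
            rtts.append(int(match.group(1)))
        elif line.strip() == TIMEOUT:
            lost += 1
    sent = len(rtts) + lost
    half = len(rtts) // 2
    # "rising": the later replies average slower than the earlier ones.
    rising = half > 0 and sum(rtts[half:]) / len(rtts[half:]) > sum(rtts[:half]) / half
    over_warn = sum(1 for r in rtts if r > warn_ms)
    over_crit = sum(1 for r in rtts if r > crit_ms)
    if over_crit:
        status = "critical"
    elif over_warn or lost:
        status = "degraded"
    else:
        status = "ok"
    return {"sent": sent, "loss_pct": round(100.0 * lost / sent, 1) if sent else 0.0,
            "over_warn": over_warn, "over_crit": over_crit,
            "rising": rising, "status": status}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A "degraded" or "critical" result only shows the symptom; as the comment notes, the same pattern was first mistaken for an ISP fault, so it is a prompt to scan the host rather than a detection of the virus.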
bukoswki
Feb 22, 2010 @ 20:21:16
I’ve this virus in my Eee PC, and I’m trying your way… so I’ll tell you later what happens…
Thanks for this post, whatever the end for me