Hi all, my copy of Windows seems to be fine now, but today SuperAntispyware detected Web Protect again, 11 files in my registry. I'm not sure how it got back in there, as I have not installed or downloaded anything since the original issue occurred two weeks ago. Malwarebytes and Adaware have not detected anything in the last 2 weeks...
09 Oct 2014 #12
Dual Boot: Windows 8.1 & Server 2012r2 VMs: Kali Linux, Backbox, Matriux, Windows 8.1
I would clear your downloads and temp folders. Run CCleaner and check all boxes (minus wipe free space, it takes forever). Run CCleaner's registry tool (mainly for the backup needed when trying the next step).
Check the registry for 'WebProtect' (press Ctrl + F to search the registry once you are in it). You already have a backup of your registry from CCleaner, so now delete any and all entries that are found searching for 'Webprotect'. You can do the search with asterisks as wild cards. Example: *web*protect* will bring results for WebProtect and any other form of it that may have a word before web, in between web and protect, and after protect.
Download Autoruns for Windows and delete all entries highlighted in YELLOW.
(Run as administrator)
Autoruns for Windows
Also check for any folders on your computer named with Web Protect in it.
Take note of the file Superantispyware is flagging and see if you can find the location of the file and delete it.
09 Oct 2014 #13
Windows 7 Home Premium 64bit
Hi Gator, thanks for the response. Unfortunately I deleted the entries with Superantispyware without writing down what they were. I found one entry while searching the registry, but it just looked like a shortcut and not a program. Autoruns for Windows flagged 3 things in yellow, but I didn't delete them yet since I don't know what they are and if it would be safe to delete them.
They are:
HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
rdpclip File not found: rdpclip
HKLM\System\CurrentControlSet\Services
SBRE File not found: C:\Windows\system32\ drivers\SBREdrv.sys
WMI Database Entries
BVTConsumer File not found: KernCap.vbs
09 Oct 2014 #14
Dual Boot: Windows 8.1 & Server 2012r2 VMs: Kali Linux, Backbox, Matriux, Windows 8.1
It is safe to delete all entries in yellow. They are typically missing files leftover from old uninstalled programs. Autoruns is also a good tool to help get rid of infections, which is the reason I had you download it in the first place. Sometimes you will completely delete malware from every place but it will still have an entry on startup and autoruns is a good tool to get rid of them.
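An added example, not from the thread or from Autoruns itself, showing the check behind the two pieces of advice above: it walks a handful of autostart locations, flags entries whose target file no longer exists (what Autoruns shows in yellow) and entries whose name or command matches a wildcard such as *web*protect*. It only reports; the set of keys it checks and the way it parses paths are my own simplifications of what Autoruns does.

```powershell
# Added example (not from the thread): report-only audit of common autostart
# locations. Flags entries whose target file is missing (what Autoruns marks in
# yellow) and entries whose name or command matches a wildcard like *web*protect*.
# Run from an elevated prompt; nothing is changed or deleted.
param([string]$NamePattern = '*web*protect*')   # wildcard used in the thread
# Run / RunOnce keys (a small subset of what Autoruns covers)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable from a command line: quoted first token, else text up to the
# first space. Expands %SystemRoot%-style variables, normalises the \SystemRoot and \??\
# prefixes seen in driver ImagePaths, and resolves relative paths against the Windows dir.
function Get-ImagePath([string]$Command) {
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $c = $c -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
    $path = if ($c.StartsWith('"')) { ($c -split '"')[1] } else { ($c -split '\s+')[0] }
    if ($path -and -not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    return $path
}

function New-Finding($Location, $Name, $Command) {
    $path = Get-ImagePath $Command
    [pscustomobject]@{
        Location  = $Location; Name = $Name; Command = $Command
        FileFound = [bool]($path -and (Test-Path -LiteralPath $path))   # $false = "yellow"
        NameMatch = ($Name -like $NamePattern) -or ("$Command" -like $NamePattern)
    }
}

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's metadata properties
        $findings += New-Finding $key $p.Name $p.Value
    }
}
# Services and drivers: a missing ImagePath target is the classic yellow entry
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue) {
    $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($img) { $findings += New-Finding 'Services' $svc.PSChildName $img }
}
# Report only missing targets (yellow) and pattern hits; review each before removing anything
$findings | Where-Object { -not $_.FileFound -or $_.NameMatch } | Sort-Object Location, Name | Format-Table -AutoSize
```

A service whose ImagePath points at a file that is gone, like the SBREdrv.sys entry listed earlier in the thread, shows up here with FileFound set to False.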
10 Oct 2014 #15
Windows 7 Home Premium 64bit
Ok I deleted all the yellow entries. What does it mean when an entry is red? I have quite a few of those but didn't see a description anywhere.
I forgot to list this in my last post, but CCleaner detects an obsolete software key: HKLM\Software\AVC3 just about every time I start up my computer, even though I have deleted it several times.
10 Oct 2014 #16
Win 7 x64 Home Premium (and x86 VirtualBox VM)
Possibly a residual from BitDefender?
Have a look in Scheduled Tasks and see if there's anything there.
10 Oct 2014 #17
Windows 7 Home Premium 64bit
I don't believe I ever had BitDefender. The only thing in red under scheduled tasks is
\Microsoft\Windows\NetTrace\GatherNetworkInfo c:\windows\system3\gathernetworkinfo.vbs
There are several entries each under Explorer flagged in red for WinRAR and WinRAR32, and two for the AdAware context menu.
10 Oct 2014 #18
Dual Boot: Windows 8.1 & Server 2012r2 VMs: Kali Linux, Backbox, Matriux, Windows 8.1
Red highlights just mean there is no description or publisher, or that verification of the digital signature failed.
In your case, these are fine and can be ignored.
10 Oct 2014 #19
Windows 7 Home Premium 64bit
Ok cool, I will keep running my scanners probably at least once a day for awhile. Hopefully this thing is really gone for good now.
Thanks for all the help guys