fvprotect.exe
I found this on the Windows PC today. AVG made a valiant attempt at cleaning it off the PC but I had to resort to editing the registry and various files to actually remove the buggers. This virus scans various files on your hard drive looking for email addresses and uses the addresses it finds to email itself. This is how it spreads.
If you get this virus make sure you kill the fvprotect.exe process before wiping files or they will just come back. To do this you need to open the task manager and look for the process with the same name. Kill it, then go about removing infected files.
To edit the registry, click on “Start”, select “Run” and type “regedit”, then use the menus at the top to do a search for “fvprotect.exe”. I deleted all entries found.
This virus managed to get onto the PC because the AVG virus database was not up to date. I hardly ever use the Windows PC so wasn’t really paying attention to it very much. I recommend updating the database at least every day.
Even when logged in as the administrator the system refused to delete the offending files. This is a cock-up on Microsoft’s part that they allow this behavior. If you are in as the administrator you should be allowed to do whatever the hell you like.
NEW
Since I seem to be getting some hits about fvprotect I decided to try and provide some links for people who want to remove the virus from their machine. So:
For immediate help on removing fvprotect do the following (this is from memory; I use Linux normally):
Terminate the FVPROTECT.EXE process using Windows Task Manager. This can be done by “Right Clicking” the mouse over the bottom bar on your desktop and selecting the Task Manager. Then Select the Processes Tab and sort on name. When you see fvprotect.exe or something very similar then highlight it by clicking on it and select “End Now”. This will terminate the fvprotect process. If you try and remove the files first the fvprotect process will just recreate them so YOU MUST KILL FVPROTECT FIRST.
Delete the following files from your Windows directory (typically c:\windows or c:\winnt):
* FVPROTECT.EXE
* USERCONFIG9X.DLL
* BASE64.TMP
* ZIP1.TMP
* ZIP2.TMP
* ZIP3.TMP
* ZIPPED.TMP
Files could be in UPPER or lower case or any combination so check for this. The worm will have deposited lots of files on your disk most of which will have pornographic names. You must either remove these manually or have the virus scanner updated and then let it remove them.
Edit the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Delete the entry (registry value) “Norton Anti virus AV”, which points to %WinDir%\FVProtect.exe
I recommend searching the registry for all occurrences of the word “fvprotect” and removing it from the registry.
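The checks above, written as a read-only verification script (an added example, not part of the original post): it reports which of the listed files are still present in any letter case and which Run values still mention fvprotect. The function names and the sample `reg query` output are constructed for illustration, and the four-space column layout of that output is an assumption.

```python
import os
import re

# File names the post lists as dropped into the Windows directory.
DROPPED_FILES = {"fvprotect.exe", "userconfig9x.dll", "base64.tmp",
                 "zip1.tmp", "zip2.tmp", "zip3.tmp", "zipped.tmp"}

# One value line of `reg query` output: name, type, data separated by 4 spaces
# (assumed layout; value names may themselves contain single spaces).
RUN_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def find_dropped_files(windows_dir):
    """Return listed files present in windows_dir, matching in any letter case."""
    return sorted(entry.name for entry in os.scandir(windows_dir)
                  if entry.is_file() and entry.name.casefold() in DROPPED_FILES)


def find_run_entries(reg_query_output, needle="fvprotect"):
    """Return (value name, data) pairs whose name or data mentions needle."""
    hits = []
    for line in reg_query_output.splitlines():
        match = RUN_LINE.match(line)
        if not match:
            continue  # key header or blank line
        name, data = match.group("name"), match.group("data")
        if needle in name.casefold() or needle in data.casefold():
            hits.append((name, data))
    return hits


# Constructed sample of `reg query HKLM\...\Run` output, not from a real host.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    C:\Program Files\Example\updater.exe
    Norton Anti virus AV    REG_SZ    C:\WINDOWS\FVProtect.exe
"""

if __name__ == "__main__":
    for name, data in find_run_entries(SAMPLE_REG_OUTPUT):
        print(f"Run value to delete: {name!r} -> {data}")
    windir = os.environ.get("WINDIR")
    if windir and os.path.isdir(windir):
        for filename in find_dropped_files(windir):
            print(f"Dropped file present: {os.path.join(windir, filename)}")
```

Run it again after cleanup and a reboot: both functions returning empty lists means the files and the startup entry did not come back.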
For more information visit:
Sophos website:
General information about fvprotect and netskyb
Removing fvprotect.exe and netskyb
I have the same problem, and found your details when I searched for info on fvprotect. I also have not yet found a removal tool which will totally eradicate this infection.
I don’t think there is such a tool. To remove it you basically have to go through your filesystem and remove the offending files. Then edit the registry settings and hope for the best.
As with any virus infection, the only way to guarantee complete removal is to re-install the system.
I received FVProtect in an email on April 24th 2004 from a friend in Canada (who knew nothing about it – I later noticed that the e-address was different – friend’s name @cadvision.com).
It said…
You may be interested in this…
So like a fool I opened the attachment.
Anyway – As I couldn’t delete it, I have restored my comp to the day before and it seems to have gone.
I found FVprotect.exe in my PC (C:\windows\fvprotect) and I unchecked “fvprotect.exe” in the Startup programs (click “Start”, select “Run”, type “msconfig”, select the “Startup” tab, uncheck “fvprotect.exe”).
But after I removed it, I can’t edit again: if I go into “regedit”, I can’t click anything in the regedit menu. And if I try to go into Startup in msconfig, I can’t click anything in the msconfig menu, even though I tried restarting my PC.
Sorry if my English is not good, because I’m Indonesian.
Thanks
Jun
I WANT INFORMATION ABOUT THE USERCONF.EXE OR ANY SOLUTION ABOUT THIS.
THANKS
This is the netsky virus. Go to the Symantec website and download the netsky virus removal tool (fxnetsky.exe). Save it to your desktop and run it, then click on the start button on the application to scan and remove the virus from your machine.
This thing is a virus that attaches itself to your outgoing emails after coming in on one. Go to this website and download the fix for it. It’s called fxnetsky.exe and the website you get it from is http://securityresponse1.symantec.com/sarc/sarc.nsf/html/w32.netsky@mm.removal.tool.html
Thanks to everyone for your help!
thanks for the info…
I used your advice and got rid of the virus..
nasty lil’ bugger
bc
Fantastic, I removed it. You should sell your info to Mr Gates, as his techs did not know how to fix the problem.
Thanks for the terrific instructions. Within 5 min of discovering this bugger and your website, it is totally gone! Great work!
I agree, Mr Gates needs techs like you. I did all you suggested except I can’t figure out the... how to: Edit registry part? Delete Key Norton Antivirus? What does this mean... does it attach to my Norton system?
Hi betty
A lot of the viruses that are currently in circulation edit the computer’s registry for various reasons, i.e. to incapacitate the current virus checker, to try and hide from certain types of software, or in general just to be malicious.
Have a look at the following page for a decent run down on how to remove fvprotect.
http://www.pestpatrol.com/pestinfo/i/i-worm_netsky.asp
I have trouble with a worm. I call it Crypto.
When I want to use my TASKMGR this worm pops
into the following places :
C: Documents and Setting / all users /
/applications Data / Microsoft
and it also appears in :
WINNT / System32 . The program makes a new
Microsoft File and under it is Crypto/RSA/
S-1-5-18 and also one file:protect/S-1-5-18/user
How do I kill it ?
hi thanks for such a good n virus removal technique but i think as other nice techniques that are commented to u, u should give appropriate place to them so that people visiting ur site can do the same work in lesser time. bye