fvprotect.exe

I found this on the Windows PC today. AVG made a valiant attempt at cleaning it off the PC, but I had to resort to editing the registry and various files to actually remove the buggers. This virus scans various files on your hard drive looking for email addresses and uses the addresses it finds to email itself. This is how it spreads.
If you get this virus make sure you kill the fvprotect.exe process before wiping files or they will just come back. To do this you need to open the task manager and look for the process with the same name. Kill it, then go about removing infected files.
To edit the registry, click on “Start”, select “Run” and type “regedit”, then use the menus at the top to do a search for “fvprotect.exe”. I delete all entries found.
This virus managed to get onto the PC because the AVG virus database was not up to date. I hardly ever use the Windows PC so wasn’t really paying attention to it very much. I recommend updating the database at least every day.
Even when logged in as the administrator, the system refused to delete the offending files. This is a cock up on Microsoft’s part that they allow this behavior. If you are in as the administrator you should be allowed to do whatever the hell you like.
NEW
Since I seem to be getting some hits about fvprotect I decided to try and provide some links for people who want to remove the virus from their machine. So:
For immediate help on removing fvprotect, do the following (this is from memory; I use Linux normally):
Terminate the FVPROTECT.EXE process using Windows Task Manager. This can be done by “Right Clicking” the mouse over the bottom bar on your desktop and selecting the Task Manager. Then Select the Processes Tab and sort on name. When you see fvprotect.exe or something very similar then highlight it by clicking on it and select “End Now”. This will terminate the fvprotect process. If you try and remove the files first the fvprotect process will just recreate them so YOU MUST KILL FVPROTECT FIRST.
Delete the following files from your Windows directory (typically c:\windows or c:\winnt):
* FVPROTECT.EXE
* USERCONFIG9X.DLL
* BASE64.TMP
* ZIP1.TMP
* ZIP2.TMP
* ZIP3.TMP
* ZIPPED.TMP
Files could be in UPPER or lower case or any combination, so check for this. The worm will have deposited lots of files on your disk, most of which will have pornographic names. You must either remove these manually or have the virus scanner updated and then let it remove them.
Edit the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Under this key, delete the value “Norton Anti virus AV”, whose data is %WinDir%\FVProtect.exe
I recommend searching the registry for all occurrences of the word “fvprotect” and removing them from the registry.
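The checks above (the file list compared in any letter case, and the Run key entry) can be scripted as a read-only scan. This is an added example, not part of the original post; the function names, the sample directory contents and the "ExampleApp" entry are constructed for illustration, and nothing is deleted by it.

```python
import os
import sys
import tempfile

# File names listed in the post, compared case-insensitively because the
# worm's files may appear in any mix of upper and lower case.
WORM_FILES = {"fvprotect.exe", "userconfig9x.dll", "base64.tmp",
              "zip1.tmp", "zip2.tmp", "zip3.tmp", "zipped.tmp"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

def find_worm_files(windir):
    """Return paths in windir whose names match the list, ignoring case."""
    return sorted(os.path.join(windir, n) for n in os.listdir(windir)
                  if n.lower() in WORM_FILES)

def suspicious_run_values(run_values):
    """Return names of Run values whose data mentions fvprotect."""
    return sorted(name for name, data in run_values.items()
                  if "fvprotect" in str(data).lower())

def read_run_values():
    """Read the HKLM Run values on Windows; returns {} on other systems."""
    if sys.platform != "win32":
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            name, data, _type = winreg.EnumValue(key, i)
            values[name] = data
    return values

def demo():
    """Run both checks on constructed sample data (not a real infection)."""
    with tempfile.TemporaryDirectory() as d:
        for n in ("FVProtect.EXE", "userconfig9x.dll", "Zip1.TMP", "notepad.exe"):
            open(os.path.join(d, n), "w").close()
        files = [os.path.basename(p) for p in find_worm_files(d)]
    run = {"Norton Anti virus AV": r"%WinDir%\FVProtect.exe",
           "ExampleApp": r"C:\Program Files\Example\app.exe"}  # constructed entry
    return files, suspicious_run_values(run)

if __name__ == "__main__":
    print(demo())
    print(suspicious_run_values(read_run_values()))
```

On a real machine, pass the Windows directory to find_worm_files() and review the reported paths and Run values before removing anything, after the fvprotect.exe process has been ended.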
For more information, visit:
Sophos website:
General information about fvprotect and netskyb
Removing fvprotect.exe and netskyb