Removing SmartComp Safe Network/GetPrivate virusSolved/Closed

Question

Hello, I recently downloaded malware/adware from piratebay and my anti-virus detected harmful objects which seemed to lead to a suspicious folder called "SmartComp Safe Network". I did some research on this suspicious folder and it seems that other people are having problems deleting this same folder/malware. There was some suggestions on how to fix it but they were all too confusing for someone who's not good with this kind of stuff. With the malware in my computer, I've been getting ads from "GetPrivate" on everything I click and big bolded blue words on websites on google chrome. I've been able to remove it temporarily with malwarebytes but after a day or two it comes back.

Ambucias · Accepted Answer

Hello again,

This is a dandy.  If you really give a virustotal scan to everything you download and install, it surely did not work for you. There are 50 malware infecting your computer as well as 14 useless files.

Shall we get rid of them?  I assume your answer is yes.

Here is what I wish you do.  If I ask you to delete some programs files, don't be alarmed as they really do contain malware.

Step one:

Through the add/remove program utility, remove the following:

Skillbrains

Step two

1. Close all applications

2. Go to this URL

https://nicolascoolman.eu

and download zhpfix

3. Select and copy the following bold lines:

(For any other user reading this thread, the following lines cannot be used by you, they are customized for Ezpz)

Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
O42 - Logiciel: Lightshot-5.3.0.0 - (.Skillbrains.) [HKLM][64Bits] -- {30A5B3C9-2084-4063-A32A-628A98DE512B}_is1
HKLM\SOFTWARE\Wow6432Node\NpApp
HKLM\SOFTWARE\Wow6432Node\SecureWeb
HKLM\SOFTWARE\Wow6432Node\SecureWebChannel
HKLM\SOFTWARE\Wow6432Node\Skillbrains
HKLM\SOFTWARE\Wow6432Node\Systweak
HKLM\SOFTWARE\Wow6432Node\YourFileDownloader
HKCU\SOFTWARE\Skillbrains
O23 - Service: Privoxy (PrivoxyService) (PrivoxyService) . (...) - C:\Program Files (x86)\SmartComp Safe Network\privoxy.exe (.not file.)
[MD5.59F07211D52D191E465A2915EF448E0D] [APT] [Better Installer] (...) -- C:\Users\Bears\AppData\Roaming\Better Installer\Better Installer.exe   [495616]
[MD5.70D6EA378844CC762C57FA4B8AC63764] [APT] [update-S-1-5-21-863551351-428171438-3677390635-1004] (.Copyright 2009.) -- C:\Program Files (x86)\Skillbrains\Updater\Updater.exe   [105728]
[MD5.70D6EA378844CC762C57FA4B8AC63764] [APT] [update-sys] (.Copyright 2009.) -- C:\Program Files (x86)\Skillbrains\Updater\Updater.exe   [105728]
O39 - APT: update-S-1-5-21-863551351-428171438-3677390635-1004 - (.Copyright 2009.) -- C:\WINDOWS\Tasks\update-S-1-5-21-863551351-428171438-3677390635-1004.job   [408]
O39 - APT: update-sys - (.Copyright 2009.) -- C:\WINDOWS\Tasks\update-sys.job   [408]
O39 - APT: Better Installer - (...) -- C:\WINDOWS\System32\Tasks\Better Installer   [3430]
O39 - APT: update-S-1-5-21-863551351-428171438-3677390635-1004 - (.Copyright 2009.) -- C:\WINDOWS\System32\Tasks\update-S-1-5-21-863551351-428171438-3677390635-1004   [3394]
O39 - APT: update-sys - (.Copyright 2009.) -- C:\WINDOWS\System32\Tasks\update-sys   [3388]
[MD5.0B42873501A576FF6CDE35EA69EE930A] - (.Skillbrains - Lightshot.) -- C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe [477184] [PID.3996]
3 - CFD: 12/01/2015 - [0] D -- C:\Program Files (x86)\download Manager
3 - CFD: 14/03/2015 - [] D -- C:\Program Files (x86)\Skillbrains
3 - CFD: 10/08/2014 - [0] D -- C:\Program Files (x86)\TowerTilt
3 - CFD: 20/11/2015 - [] D -- C:\Users\Bears\AppData\Roaming\Better Installer
3 - CFD: 31/01/2015 - [0] D -- C:\Users\Bears\AppData\Roaming\IHlpr
3 - CFD: 13/01/2015 - [] D -- C:\Users\Bears\AppData\Roaming\SoftwareUpdater
O45 - LFCP:[MD5.1B53EA087318112317CEB4BD8B24DC64] 20/11/2015 A -- C:\WINDOWS\Prefetch\BETTER INSTALLER.EXE-096AC1ED.pf
O45 - LFCP:[MD5.72B0018C7106214CEA435A83D3761750] 26/11/2015 A -- C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf
O61 - LFC: 2015/11/20 17:37:57 A . (..) -- C:\Users\Bears\AppData\Roaming\Better Installer\Better Installer.exe   [495616]
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1
HKLM\SYSTEM\CurrentControlSet\Services\PrivoxyService
C:\Users\Bears\AppData\Roaming\Better Installer\Better Installer.exe
C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
C:\WINDOWS\Tasks\update-S-1-5-21-863551351-428171438-3677390635-1004.job
C:\WINDOWS\Tasks\update-sys.job
C:\WINDOWS\System32\Tasks\Better Installer
C:\WINDOWS\System32\Tasks\update-S-1-5-21-863551351-428171438-3677390635-1004
C:\WINDOWS\System32\Tasks\update-sys
C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe
C:\Program Files (x86)\Skillbrains
C:\Program Files (x86)\TowerTilt
C:\Users\Bears\AppData\Roaming\Better Installer
C:\Users\Bears\AppData\Roaming\IHlpr
C:\WINDOWS\Prefetch\BETTER INSTALLER.EXE-096AC1ED.pf
C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf
P2 - EXT FILE: (...) -- C:\Users\Bears\AppData\Roaming\Mozilla\Firefox\Profiles\7udurnxy.default\searchplugins\avg-secure-search.xml
O42 - Logiciel: Akamai NetSession Interface - (.Akamai Technologies, Inc.) [HKCU][64Bits] -- Akamai
HKCU\SOFTWARE\Akamai
[MD5.F2AD1B265908797F8A5E21E0312F2F25] - (.Akamai Technologies, Inc. - Akamai NetSession Client.) -- C:\Users\Bears\AppData\Local\Akamai
etsession_win.exe [4691384] [PID.1892] ©
[MD5.F2AD1B265908797F8A5E21E0312F2F25] - (.Akamai Technologies, Inc. - Akamai NetSession Client.) -- C:\Users\Bears\AppData\Local\Akamai
etsession_win.exe [4691384] [PID.10052] ©
O4 - HKCU\..\Run: [Akamai NetSession Interface] . (.Akamai Technologies, Inc. - Akamai NetSession Client.) -- C:\Users\Bears\AppData\Local\Akamai
etsession_win.exe ©
O4 - HKUS\S-1-5-21-863551351-428171438-3677390635-1004\..\Run: [Akamai NetSession Interface] . (.Akamai Technologies, Inc. - Akamai NetSession Client.) -- C:\Users\Bears\AppData\Local\Akamai
etsession_win.exe ©
O43 - CFD: 26/09/2015 - [0] D -- C:\ProgramData\Reprise
O43 - CFD: 14/11/2015 - [] D -- C:\Users\Bears\AppData\Local\Akamai
O87 - FAEL: "UDP Query User{527DD5B6-1909-4540-8296-DA363FA9041C}C:\games\counter-strike global offensive\csgo.exe" [In-None-P17-TRUE] .(...) -- C:\games\counter-strike global offensive\csgo.exe (.not file.)
O87 - FAEL: "TCP Query User{E91211BC-87F5-4084-A72D-E56460E940B7}C:\games\counter-strike global offensive\csgo.exe" [In-None-P6-TRUE] .(...) -- C:\games\counter-strike global offensive\csgo.exe (.not file.)
O87 - FAEL: "{4A93956D-7C85-40A0-A101-CE4F9D282F5E}" [In-None-P6-TRUE] .(...) -- C:iot games\league of legendsads\projects\lol_patchereleases\0.0.0.14\deploy\lolpatcherux.exe (.not file.)
O87 - FAEL: "{1DA55B90-969F-49AA-9D39-C35C40D7A07A}" [In-None-P17-TRUE] .(...) -- C:iot games\league of legendsads\projects\lol_patchereleases\0.0.0.14\deploy\lolpatcherux.exe (.not file.)
O87 - FAEL: "UDP Query User{ED0760EB-A3B9-4104-829D-66C50FCFF4A8}C:iot games\league of legendsads\projects\lol_patchereleases\0.0.0.14\deploy\lolpatcherux.exe" [In-None-P17-TRUE] .(...) -- C:iot games\league of legendsads\projects\lol_patchereleases\0.0.0.14\deploy\lolpatcherux.exe (.not file.)
O87 - FAEL: "TCP Query User{1FB8229F-67CD-4261-AD9E-EDF540CBFA3F}C:iot games\league of legendsads\projects\lol_patchereleases\0.0.0.14\deploy\lolpatcherux.exe" [In-None-P6-TRUE] .(...) -- C:iot games\league of legendsads\projects\lol_patchereleases\0.0.0.14\deploy\lolpatcherux.exe (.not file.)


4. Launch ZHP Fix and click on "Import" the lines you copied will get pasted.

5. Click on Go.  A report will be generated which you can post here.

Good luck and let me know

Ambucias · Answer

To help you and prescribe the remedy, I must make a diagnostic and to do so, I require a report. 

1. Open this link and download ZHPDiag3 : 
https://nicolascoolman.eu
(Don't be alarmed is the site is in French, it sometimes happens, the tool will take your system language and allow the download if you get a warning message, ignore it.)  Click on the download button

2. Save the file on your Desktop. 

3. Double click on ZHPDiag.exe and follow the installation instructions. 

(For Vista, Win 7 and 8 users, click right to ensure you execute with admin right) 

4. Double click on the short cut ZHPDiag on your Destktop. 

5. Click on Full. 

Wait for the tool to finished (maybe a long time) 

6. Close ZHPDiag. 

7. To transmit the report, click on this link : 

https://authentification.site 

8. Search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).
9. Copy the url link obtained from Speedyshare and paste it here in your reply.

Ambucias
Moderator and Virus/Security Contributor

Ambucias · Answer

On ZHP Fix, After "go" did you validate the message asking you to confirm the removal or clean up?

If not, please repeat the ZHP Fix

Ambucias · Answer

Hello and thank you for the report!

Everything looks honky dory and your system is as clean as a whistle.

Your antivirus is Kaspersky, along with F-Secure they are the most efficient on the market but no antivirus is 100% safe.  In my opinion, most of the 50 malware on your computer came from torrent sites: uTorrent, Pando, Bit Torrent and Bears.  Those p2p sites most often hide malware and there are the best mode for pirates, hackers and other malicious people to infect computers.  If you invite them in, Kaspersky will not protest because you are the boss.

I suggest that your remove Malwarebyte so that it does not come in conflict with Kaspersky.  You can always get it back if necessary.

These two keys, if you wish can also be deleted:

HKLM\SOFTWARE\Wow6432Node\McAfee
HKCU\SOFTWARE\McAfee


It was a pleasure helping you.

Ezpz · Answer

Hello again, the GetPrivate virus has downloaded back to my computer, if you wouldn't mind, could you help me get rid of it so that it doesn't come back? 

Thanks,
Ezpz

Ambucias · Answer

Hello

Well, you did get infected again.

This time, we will go in what I believe to be the sources in an easy 1, 2, 3. 4

ONE

1. Open Internet Explorer

2. Click on the gear box.

3. Click on "Manage add-on and then on "Toolbars and extensions" 

4. Look for and delete all suspicious extensions. (may say "not verified)

5. Close IE.

TWO

1. Open Firefox

2. Click the menu by click on the 3 horizontal lines, top right corner.

3. Click on the puzzle piece icon and then on plug-ins

4. Look for and delete all suspicious plug-in

Important note: If you still get problems with GetPlus after the above steps, you will need to reset both browsers' to default setting.

THREE

1. Open the add/remove program utility and delete

Download Manager

FOUR

1. We will repeat our ZHP Fix trick

Here are the bold lines:

Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
HKLM\SOFTWARE\Wow6432Node\SecureWebChannel
3 - CFD: 12/01/2015 - [0] D -- C:\Program Files (x86)\download Manager
3 - CFD: 13/01/2015 - [] D -- C:\Users\Bears\AppData\Roaming\SoftwareUpdater
O45 - LFCP:[MD5.E8D56F120C5EFF515F03CF3FE165FD1E] 30/11/2015 A -- C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf
C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf

Let me know

Ambucias · Answer

Please download, install and run Adwcleaner

https://ccm.net/downloads/security-and-maintenance/6911-adwcleaner/

Ambucias · Answer

Those were the adware viruses I was talking about as browser extensions.

Chrome did not show on your ZHP Diag log!!!

Folder Deleted : C:\Program Files (x86)\download Manager
[-] Folder Deleted : C:\Users\Bears\AppData\Local\Google\Chrome\User Data\Default\Extensions\gngocbkfmikdgphklgmmehbjjlfgdemm
[-] Folder Deleted : C:\Users\Bears\AppData\Local\Google\Chrome\User Data\Default\Extensions\madakpajlmcpaodhfbekojajlhbdklol
[-] Folder Deleted : C:\Users\Bears\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhoahihokddepjlegpenefeaahdkojog
Folder Deleted : C:\Users\Bears\AppData\Roaming\SoftwareUpdater

Could you please check in your Chrome extensions to see if:

lhoahihokddepjlegpenefeaahdkojog
madakpajlmcpaodhfbekojajlhbdklol
gngocbkfmikdgphklgmmehbjjlfgdemm

Are still there; if they are, we may need to remove them manually.

Did you find that the virus returned after you launched Chrome?

Take care

Ambucias · Answer

Okay, I believe we have resolved the problem.

It's getting ever popular for many to include adware or spyware in the sofware package.  Recently, in case of browser applications, they are added to the browser extensions.

Should this occur to you again, first start to disinfect with adwcleaner, it is much more efficient than malwarebyte in the case of adware and spyware where you get pop-ups or browser redirecting.

Take care in Dixieland VA.

Ezpz · Answer

Hello again, 

The the virus has come back and I followed your instructions to disinfect it with adwcleaner. However, today it came back once I opened chrome, and after I disinfected it again with adwcleaner, I checked my extensions folder for chrome and I didn't find those three extensions you mentioned about. Could it be other extensions that's making it come back after a couple of days?

Ambucias · Answer

Hi

Every time I analyse one of your reports I find new malware.

Where did you get this one?

PRIVOXY.EXE

It's a proxy hyjacker.

If you see it in your Chrome extensions, remove it.

Run ZHP Fix with this script:

Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8118
O45 - LFCP:[MD5.1A5C72CAB3A96378BAAA227801876896] 14/12/2015 A -- C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf
C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf

Removing SmartComp Safe Network/GetPrivate virus

11 responses

Similar discussions

Subscribe To Our Newsletter!