I think Essexboy's Fix WORKED!!! "Digital Protection" Virus Infected my laptop!

Essexboy, (or anyone else out there!!!) Can you please help me with this?

On Friday, April 9, 2010, my laptop computer was infected with “Digital Protection,” which seems to be the newest rogue Anti-Virus software menace sweeping across the internet. My Professional version of Avast didn’t detect it :frowning: and it loaded itself onto my Dell Vostro, throwing tiny pornographic pictures all over its desktop and it won’t allow me access to the internet any longer! It just keeps giving me a pop-up which “warns” me that I need their “protection” because my computer is “unprotected.”

Since I can’t access the internet, I loaded MBAM onto a memory stick from my home desktop computer, and then accessed it on the laptop in “Safe” mode. MBAM found a bunch of stuff. (I have attached the file logs to this post.)

But doing this made no difference when I re-started the computer again – everything was still there… the nudie pictures, the incessant pop-ups, and the inability to get on the internet. I can post the log files if you need them… tried to include them in this post but it made the message too long.

This morning I found a previous posting of essexboy’s in this forum and ran MBAM again. It found 6 more infected objects. (This log file is also attached)

After this, I ran OTL (from Essexboy’s suggestion in the aforementioned previous post), and I have come across an error message. It reads “Access violation at address 004402F54 in module ‘OTL.exe’. Read of address FFFFFFFC”. When I hit “OK,” it continued to scan, and then it gave me the same error message again. I hit OK again, and then it continued to scan. The very LONG logfile from that scan is also attached to this post.

What do you suggest I do next?

Also, I am just wondering something… I may sound naive, but aren’t there any “authorities” out there, who investigate these kinds of cyber-crimes? I mean, these jerks could probably be apprehended if someone actually gave them a working credit card number, allowing the “good guys” to figure out who the “bad guys” are based on how they use the card number, right?

OK, that’s a separate issue. Right now, I really just need help getting my laptop back in order. I manage my business with it!

Thanks for any help you can provide!!!

Found you ;D Looks like a new rootkit

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O4 - HKCU..\Run: [davclnt.exe] C:\Documents and Settings\Liza M. Shaw\Local Settings\Temp\davclnt.exe (Microsoft Corporation)
[2010/04/10 01:32:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\PRAGMAnwhpmbcrtq
[2010/04/09 23:35:50 | 000,002,096 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\fiosejgfse(2).dll
[2010/04/09 23:09:24 | 000,000,146 | ---- | M] () -- C:\WINDOWS\System32\PRAGMAcfktuvhpta.dat
[2010/04/09 21:13:30 | 000,001,165 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll
[2010/04/09 19:52:39 | 000,001,623 | ---- | M] () -- C:\Documents and Settings\Liza M. Shaw\Desktop\Digital Protection Support.lnk
[2010/04/09 19:52:39 | 000,000,711 | ---- | M] () -- C:\Documents and Settings\Liza M. Shaw\Desktop\Digital Protection.lnk
[2010/04/09 19:46:18 | 000,049,152 | ---- | M] () -- C:\WINDOWS\System32\PRAGMAcwnhhvbpmw.dll
[2010/04/09 19:46:17 | 000,049,152 | ---- | M] () -- C:\WINDOWS\System32\PRAGMAfqonahownt.dll
[2010/04/09 19:46:10 | 000,029,696 | ---- | M] () -- C:\WINDOWS\System32\PRAGMAcscfcpsder.dll

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
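As an added example (not part of the thread, and not OTL's or ComboFix's own tooling), a small Python parser for the OTL file-listing lines quoted in the fix script above, so that a helper reviewing a long OTL log can sort created/modified entries by time and location. The line format it assumes is the one shown in the script: `[date time | size | attrs | C-or-M] (vendor) -- path`, with the `(vendor)` field present only on M lines.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Matches OTL file-listing lines such as
#   [2010/04/09 19:46:18 | 000,049,152 | ---- | M] () -- C:\WINDOWS\System32\PRAGMAcwnhhvbpmw.dll
# The "(vendor)" group is optional: present on M (modified) lines, absent on C (created) lines.
_ENTRY = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<vendor>[^)]*)\))? -- (?P<path>.+?)\s*$"
)

@dataclass
class OtlEntry:
    timestamp: datetime
    size: int          # bytes, thousands separators stripped
    attrs: str         # four attribute flags, e.g. "---D" for a directory
    kind: str          # "C" = created, "M" = modified
    vendor: Optional[str]
    path: str

    @property
    def is_directory(self) -> bool:
        return "D" in self.attrs

def parse_otl_entries(text: str) -> List[OtlEntry]:
    """Return the file-listing entries found in an OTL log/fix script, in order."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue  # ignore :OTL/:Commands headers, O4 lines, blank lines
        entries.append(OtlEntry(
            timestamp=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            size=int(m["size"].replace(",", "")),
            attrs=m["attrs"], kind=m["kind"],
            vendor=m["vendor"], path=m["path"],
        ))
    return entries

def entries_under(entries: List[OtlEntry], prefix: str) -> List[OtlEntry]:
    """Entries whose path starts with prefix (Windows paths are case-insensitive)."""
    return [e for e in entries if e.path.lower().startswith(prefix.lower())]

def entries_since(entries: List[OtlEntry], since: datetime) -> List[OtlEntry]:
    """Entries created/modified at or after a suspected infection time."""
    return [e for e in entries if e.timestamp >= since]

# Sample input: lines taken from the fix script posted in this thread (user-profile lines omitted)
SAMPLE = r"""[2010/04/10 01:32:42 | 000,000,000 | ---D | C] -- C:\WINDOWS\PRAGMAnwhpmbcrtq
[2010/04/09 23:35:50 | 000,002,096 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\fiosejgfse(2).dll
[2010/04/09 23:09:24 | 000,000,146 | ---- | M] () -- C:\WINDOWS\System32\PRAGMAcfktuvhpta.dat
[2010/04/09 21:13:30 | 000,001,165 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll
[2010/04/09 19:46:18 | 000,049,152 | ---- | M] () -- C:\WINDOWS\System32\PRAGMAcwnhhvbpmw.dll
[2010/04/09 19:46:17 | 000,049,152 | ---- | M] () -- C:\WINDOWS\System32\PRAGMAfqonahownt.dll
[2010/04/09 19:46:10 | 000,029,696 | ---- | M] () -- C:\WINDOWS\System32\PRAGMAcscfcpsder.dll"""
```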

Also, I am just wondering something... I may sound naive, but aren't there any "authorities" out there, who investigate these kinds of cyber-crimes? I mean, these jerks could probably be apprehended if someone actually gave them a working credit card number, allowing the "good guys" to figure out who the "bad guys" are based on how they use the card number, right?
You mean like the FBI ...... ;)

Romanian police, FBI break up 70-strong eBay fraud ring
http://www.scmagazineus.com/romanian-police-fbi-break-up-70-strong-ebay-fraud-ring/article/167554/

Essexboy, you are so awesome, thank you for your quick reply! I have started the process, but I have a few important questions. The OTL took only a minute to finish and then said it needed to reboot. I am assuming you want me to reboot in “Safe” mode, right?

The OTL didn’t give me a log automatically; it only asked me to reboot. I looked in the thumb drive where I had originally saved the OTL, and it looks like there is a new folder on it now, called “OTL”. When I open it, there is another file called “Moved Files”. Inside that folder, there is another folder, entitled “04112010_181927”, and a text file entitled “04112010_181927”. I’m attaching the contents of the text file to this reply. Inside the folder with the same name, there seem to be application data or something. Do you know what this stuff is? Was this supposed to happen?

Also, you discussed downloading the Microsoft Windows Recovery Console… Doesn’t my computer need to be able to access the internet for this? As I wrote above, this malware has disabled my internet accessibility…

OK, I have tried what you suggested, but there is a problem. Avast is now detecting the malware (it’s about time!!!), but when I tell it to move to chest, it gives me the error message that “Virus Chest server is not running. RPC communication failed.” I am assuming that’s because my computer can’t connect to the internet!!!

I have also tried to disable the Avast and continue with the Combofix, but I’m not sure I am doing it correctly. The only way I know to disable the Avast is to use the little tool in the “User Interface” under “Resident Protection” that allows me to drag it down from “High” to “Disable.” But after I do this, the Combofix still tells me that Avast is running and has not been disabled. Am I supposed to completely remove the Avast software from the computer? That seems too risky, plus then I’d have to reinstall it later!

Please advise. I don’t want to do anything until I hear back!!!

Essexboy, I took a chance and turned off Avast; I was able to access the internet and I ran Combofix (after it installed the Windows Repair thing) and here is the log (attached to this post)

After I ran everything, I turned on the computer in regular mode, and LO AND BEHOLD! It looks like the “Digital Protection” pop ups are gone! I am able to log back onto the internet with no pop ups or error messages.

Now, can I be sure it is all out of the roots, directories, etc? How can I be sure that this won’t launch some other crazy virus that could steal my passwords, bank account information, etc.? Is it safe to use this computer for banking anymore?

Thank you Essex Boy! :slight_smile:

Hi again. I would like one final check with OTL before I can give you a decision on that. The OTL folder is where the files I removed are quarantined, so they are quite safe there.

99% of the time my information and the tools I ask you to run will cause no problems - any that are caused I will be able to recover, so have no fears on that score

It looks like the rootkit was not embedded, which is good. I have also reset your Hosts file in case anything was hiding there.

If you could now re-run OTL with a quick scan and attach the log ;D

Thank you Essexboy. I finally got rid of the Digital Protection nightmare.

Essexboy et al ~
I am running Combofix again right now, and will post the log file when it is complete. I have been using the computer this week, and it seems ok, other than yesterday, it seemed like the Avast software wasn’t working the way that it used to. Prior to this virus, I would see a quick scan by Avast every time I clicked on a link on the web. Now, it isn’t happening. I haven’t had a chance to get into the Avast menu and just see if I need to put a check in the box that assigns this kind of scan, so I will do that after the Combofix completes.

After I post the log files, can you please give me a prognosis for this pc?

And by the way, Essexboy, you DO know how wonderful you are don’t you? I am so eternally grateful for your help! Your contribution to the cyber-world is immeasurable, and I hope you really GET how grateful I am! Is this your career? For whom do you work?

Thanks again,
Liza

OK, Essexboy ~
Here is the log file. I am hoping it’s good news. Let me know!

HUGE Gratitude,
Liza

Hi Liza, well that cleared all the remnants. Subject to no further problems I will remove my tools. Who do I work for? The wife, to keep her in the manner to which she is accustomed ;D No, this is just a hobby to keep my brain active.

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so… Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove, but it is a useful tool to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

SPRING CLEAN

Download TFC to your desktop

[*]Open the file and close any other windows.
[*]It will close all programs itself when run, make sure to let it run uninterrupted.
[*]Click the Start button to begin the process. The program should not take long to finish its job
[*]Once it’s finished it should reboot your machine; if not, do this yourself to ensure a complete clean

THEN

Download Flush Flash from Here and follow the easy-to-use instructions on the same page

NEXT

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.

Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave: