SAVE MY LAPTOP FROM Windows XP Malware: "Digital Protection"

(Please see IMPORTANT update at end of this post…)

:frowning:
HELP! My laptop seems to be infected with malware that loaded by itself and then attempted to shut down my avast professional anti-virus software. I didn’t click “Yes,” but I tried to remove it with the “add or remove programs” tool and it will NOT go away. I get constant pop-ups claiming that there is malware on my computer, but that if I purchase “Digital Protection,” my computer will be protected. It also loaded several pornographic images onto my desktop!!!

I am about to try loading Malwarebytes with a thumb-drive onto the laptop and see what happens. But come ON Avast! I paid you guys to protect my computer! Where’s the LOVE?!?!?! And by the way, it would be nice if your company provided a customer service phone number or email link! I mean, how much money do we need to pay in order to get support from the actual COMPANY I AM A CUSTOMER OF?!?!?!

UPDATE: So far, 14 Infected Objects have been found with MBAM. JTaylor, do you work for Avast/Alwil? Do you know how I can find someone who does?

JTaylor: I can show you the log from MBAM. How should I share it with you? It is very long…

It found a bunch of infected objects but even after it completed the scan and supposedly removed them all, the pop ups are still there and it is not allowing me to get onto the internet. The porno is still on my laptop. What is WRONG with people??? I don’t know what else to do. Tomorrow I plan on calling Dell, and discussing this with them, since I recently purchased an extended warranty on this computer. If they can’t help me with it, I will get a replacement. Thank God I recently backed up my documents…

UPDATE ON APRIL 11th:
Hey Y’all,
I am using Avast Professional, which apparently did not find this and prevent it… ARGHHH. I have started a ticket, and I sure hope that their tech support people will get on this FAST and help me remove it from my computer! When/if they do, I will post results.

So, here’s what I have done so far which hasn’t worked:
I ran MBAM and it found 14 Objects and supposedly deleted them, but this made no difference whatsoever. The window still pops up claiming I have to run “Digital Protection” and it doesn’t allow me to go onto the internet. I am willing to post the logfile, but do you want me to post it here, or somewhere else?

I ran Spydoctor, but unfortunately, the free version only diagnoses the problems, it doesn’t actually remove them! I have already paid for the Avast, and I do not want to have to pay for yet another program, especially if I don’t know that this problem will be fixed after paying!!! And since it seems this malware is brand new, I don’t have much faith that any current antivirus program is equipped to deal with it yet.

I tried “rkill” and it seems that it is getting interrupted in the middle of the scan every time. The logfile is below:


Processes terminated by Rkill or while it was running:

C:\Documents and Settings\Family\Local Settings\Temporary Internet Files\Content.IE5\PYVMVF8P\rkill[1].com

Rkill completed on 04/11/2010 at 13:28:30.


My next step is to follow Essexboy’s guide. I’ll come back and post what happens.

I am open to trying anything if it works, but I have to admit, I am very concerned about just randomly uploading free software onto my computers simply on the recommendation of strangers on this forum! Loading Spydoctor only to discover that it only works if you pay for it was a yellow flag for me…

@Techlike99: I don’t really understand what your directions are suggesting. You wrote:
You should use HijackThis (http://go.trendmicro.com/free-tools/hijackthis/HijackThis.exe) tool and remove the following lines from the scan results: …"

What the heck does “remove the following lines from the scan results” mean? I am not in any way a techie, so you will need to be explicit.

ADDITIONAL UPDATE:
Being that the infected laptop is no longer able to connect to the internet, I am not able to download the latest version of MBAM. Do you think this might be part of why the problem hasn’t gone away??? How do I get a hold of Essexboy???

This may be the same as Antivirus Vista 2010.

Just let me know if MBAM finds anything.

I don’t work for Alwil.

Essexboy, who usually works on rogues, is in bed.

Are you using Avast Pro or Internet Security?

Can I see your MBAM log?

I’ve also been popped by this malware and I am also an Avast! user. Windows XP SP3, with Spybot and Avast as my application layer defense. I was stunned that this thing wasn’t picked up by Avast. Also, I have no idea what the attack vector was.

This is indeed similar to the Antivirus 2010 (I have seen it on client computers), but seems to be far more malicious with its intent and a much more aggressive rootkit. It’s really a nasty one. Very stubborn rootkit here.

I booted into Safe Mode (no networking) and am running Malwarebytes Anti-Malware on the infected machine.

Again, I have no idea where this came from. I am an extremely careful “clicker”, and don’t even use IE for browsing. If anyone has specifics on the method of payload delivery, please post.

First thing I am going to do once this is gone is to change my user account settings to standard user instead of Administrator. Stupid for any of us to be running as Admin on an XP machine anyway.

These malicious files change every hour or so, so there’s only a 0-5% chance that any AV will catch them.

The only answer is to deal with the route of infection: insecure and out-of-date web-facing software (Flash, Java, media players, PDF readers etc.). To check for insecure applications:

Secunia Online Software Inspector (OSI)
Secunia Personal Software Inspector (PSI)

Man. Nasty little bot. Here’s what I did to remove:

As soon as I saw the suspicious activity, I booted into Safe Mode (with Networking).

Downloaded MalwareBytes Anti-Malware (MBAM).

Downloaded rkill.com, which kills rootkit processes: http://download.bleepingcomputer.com/grinler/rkill.com

Ran rkill.com.

Ran SpyBot S&D. It removed quite a bit of this thing, but left many parts intact.

Ran MBAM. It found 10 entries and removed them.

Booted Windows normally.

Re-ran MBAM. It found nothing.

Elements of this nasty were still in Add/Remove Programs, in Registry and had .dlls and folders out there. Downloaded and ran Revo Uninstaller to get all of those.

Here’s the log from the SafeMode MBAM run:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3973

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.13

4/9/2010 11:12:16 PM
mbam-log-2010-04-09 (23-12-16).txt

Scan type: Quick scan
Objects scanned: 125341
Time elapsed: 20 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\PRAGMAhentiyhwde.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\PRAGMAkqttpakeir.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\PRAGMAtqcmwjybwj.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\6BO7YD2I\n002103807r0409J11000601R2feb2c30Xb4250108Yff9a72beZ04f02553316P000001070[1] (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.

Wow. Yep, ran OSI and found some holes I thought were patched. Gonna plug 'em and switch to standard user mode. Thanks Frank.

@Liza Shaw

But come ON Avast! I paid you guys to protect my computer! Where's the LOVE?!?!?! And by the way, it would be nice if your company provided a customer service phone number or email link! I mean, how much money do we need to pay in order to get support from the actual COMPANY I AM A CUSTOMER OF?!?!?!
You find it here: http://www.avast.com/en-eu/contacts

If you follow this guide from Essexboy and post the logs, then he will remove this for you when he enters the forum:
http://forum.avast.com/index.php?topic=53253.0

Digital Protection is a fake antivirus program from the same family as Dr. Guard and User Protection. Digital Protection is a typical rogue security program that displays fake security warnings about malware infection on your computer and reports false system security threats to make you think that your PC is infected with spyware, adware and various other malicious software. Source: http://deletemalware.blogspot.com/2010/04/how-to-remove-digital-protection.html

You should use HijackThis (http://go.trendmicro.com/free-tools/hijackthis/HijackThis.exe) tool and remove the following lines from the scan results:

O1 - Hosts: 59.53.91.102 www.google.com
O1 - Hosts: 59.53.91.102 google.com
O2 - BHO: C:\WINDOWS\system32\zq5e7t.dll - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - C:\WINDOWS\system32\zq5e7t.dll
O2 - BHO: (no name) - {BF565D8B-48EB-445F-B2A2-5B3C3B4A7BE0} - c:\windows\system32\vurrozj.dll
O4 - HKCU..\Run: [hf8wefhuaihf8ewfydiujhfdsfdf] C:\DOCUME~1\Mak\LOCALS~1\Temp\np28bqj.exe
O4 - HKCU..\Run: [davclnt.exe] C:\DOCUME~1\Mak\LOCALS~1\Temp\davclnt.exe
O4 - HKCU..\Run: [hsf87efjhdsf87f3jfsdi7fhsujfd] C:\DOCUME~1\Mak\LOCALS~1\Temp\avp.exe
O4 - HKCU..\Run: [Digital Protection] “C:\Program Files\Digital Protection\digprot.exe” -noscan
O22 - SharedTaskScheduler: hasiufhiusdfjdhfudd - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - C:\WINDOWS\system32\zq5e7t.dll

Source: http://forum.malekal.com/digital-protection-t24564.html

I hope this helps! Good luck!
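The HijackThis list above shows the rogue's footprint: a hosts-file entry pointing google.com at a non-loopback address, browser helper objects with no name (or whose name is just the DLL path), Run entries with random value names or launched from a Temp folder, and a SharedTaskScheduler entry with a random name. As an added example (not code from this thread or from any of the tools it mentions), here is a small Python triage script that applies exactly those rules to HijackThis output. The sample input is the quoted lines plus two constructed benign entries (the localhost line and an avast Run entry whose path is made up) that the rules must leave alone.

```python
import re

# Sample input: the HijackThis lines quoted in the post above, plus two
# constructed benign entries (localhost hosts line, an avast Run entry with a
# made-up path) that the rules must not flag.
HJT_SAMPLE = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 59.53.91.102 www.google.com
O1 - Hosts: 59.53.91.102 google.com
O2 - BHO: C:\WINDOWS\system32\zq5e7t.dll - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - C:\WINDOWS\system32\zq5e7t.dll
O2 - BHO: (no name) - {BF565D8B-48EB-445F-B2A2-5B3C3B4A7BE0} - c:\windows\system32\vurrozj.dll
O4 - HKLM\..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [hf8wefhuaihf8ewfydiujhfdsfdf] C:\DOCUME~1\Mak\LOCALS~1\Temp\np28bqj.exe
O4 - HKCU\..\Run: [Digital Protection] "C:\Program Files\Digital Protection\digprot.exe" -noscan
O22 - SharedTaskScheduler: hasiufhiusdfjdhfudd - {A9BA40A1-74F1-52BD-F431-00B15A2C8953} - C:\WINDOWS\system32\zq5e7t.dll
"""

LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}   # the only hosts-file targets expected on a home PC
RANDOM_NAME = re.compile(r"^[a-z0-9]{16,}$")   # long unpronounceable value names
TEMP_PATH = re.compile(r"\\Temp\\", re.I)      # autostart launched from a Temp folder
ROGUE_NAMES = {"digital protection"}           # the rogue discussed in this thread

def triage(log_text):
    """Return (section, reason) for each HijackThis line matching the rogue's footprint."""
    findings = []
    for line in log_text.strip().splitlines():
        section, _, body = line.partition(" - ")
        reason = None
        if section == "O1":                    # "Hosts: <ip> <hostname>"
            ip, host = body.split()[1:3]
            if ip not in LOCAL_IPS:
                reason = f"hosts file redirects {host} to {ip}"
        elif section == "O2":                  # "BHO: <name> - {CLSID} - <dll path>"
            name, _, rest = body[len("BHO: "):].partition(" - ")
            dll = rest.rpartition(" - ")[2]
            if name == "(no name)" or name.lower() == dll.lower():
                reason = f"unnamed BHO loading {dll}"
        elif section == "O4":                  # "<hive>\..\Run: [<value name>] <command>"
            value_name, command = re.search(r"\[([^\]]*)\] (.*)", body).groups()
            if RANDOM_NAME.match(value_name):
                reason = f"Run value with random name {value_name!r}"
            elif TEMP_PATH.search(command):
                reason = f"autostart from a Temp folder: {command}"
            elif value_name.lower() in ROGUE_NAMES:
                reason = f"known rogue autostart: {command}"
        elif section == "O22":                 # "SharedTaskScheduler: <name> - {CLSID} - <dll>"
            name = body[len("SharedTaskScheduler: "):].partition(" - ")[0]
            if RANDOM_NAME.match(name):
                reason = f"SharedTaskScheduler entry with random name {name!r}"
        if reason:
            findings.append((section, reason))
    return findings

if __name__ == "__main__":
    for section, reason in triage(HJT_SAMPLE):
        print(section, reason)
```

The two benign lines pass through untouched; the seven entries the post tells the user to remove are the seven that get a reason.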

Hey guys, concerning the approach vector, I remember I was on oneclickmoviez and the adobe PDF initialization came up, finished loading, and never came up with anything. I was infected with this monstrosity, and it shut me down after about ten minutes. I used unlocker to kill the folder it was in (somewhere in temp) and was running spybot, mcafee OAS, and all the other good junk. I also used ATF cleaner and it somehow prevented my computer from shutting down. I made the mistake of installing, (clicked the wrong button) and some porn shortcuts and shortcuts to the program appeared on my desktop. I clicked find target and then it was all she wrote when mcafee and spybot had finished up. It was scary…

Yep, that’s definitely where it comes from. If you’re like me you’re once bitten twice shy with this kind of stuff, and you’re now running in user mode (instead of admin).

@ Liza Shaw

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop (Firefox users: right click and select Save As)

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Under Additional Scans check the following:
[*]Reg - Shell Spawning
[*]File - Lop Check
[*]File - Purity Scan
[*]Evnt - EvtViewer (last 10)
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32*.dll /lockedfiles
%systemroot%\Tasks*.job /lockedfiles
%systemroot%\system32\drivers*.sys /lockedfiles
%systemroot%\System32\config*.sav

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

HELP, done the above as suggested by essexboy even tried the secunia to no avail! have attached :frowning:

Could you ensure that the logs are saved as ANSI and not unicode please

GMER Rootkit Scanner - Download - Homepage
[*] Download GMER
[*] Extract the contents of the zipped file to desktop.
[*] Double click GMER.exe.


[*] If it gives you a warning about rootkit activity and asks if you want to run a full scan…click on NO, then use the following settings for a more complete scan…
[*] In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED
[*] IAT/EAT
[*] Drives/Partition other than Systemdrive (typically C:)
[*] Show All (don’t miss this one)

[*] Then click the Scan button & wait for it to finish.
[*] Once done click on the [Save…] button, and in the File name area, type in “ark.txt”
[*]Save the log where you can easily find it, such as your desktop.
Caution: Rootkit scans often produce false positives. Do NOT take any action on any “<--- ROOTKIT” entries.
Please copy and paste the report into your Post.