WiredWX Hobby Weather ToolsLog in

 


Digital Protection Virus

2 posters

descriptionDigital Protection Virus EmptyDigital Protection Virus

more_horiz
I have been infected with the Digital Protection Virus. I tried logging in under safe mode as instructed. Whenever I try to hit Ctrl-Shift-Esc or Cntl-Alt-Del to get to the Task Manager, it tells me "The administrator has disabled the Task Manager". How can I end the processes digprot.exe or ave.exe if I can't even get to the Task Manager? Any advice? I'm trying to run the AntiMalwarePro but it isn't pulling up this virus.

descriptionDigital Protection Virus EmptyRe: Digital Protection Virus

more_horiz
Hello! We need to do some diagnostics to get started.

1. Please download Profiles by noahdfear.
  • Save it to your desktop.
  • Double-click profiles.exe and post its log when you reply


2. Download Win32kDiag by ad13 and save it to your Desktop.
  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


3. Please download Cheetah-Anti-Rogue by me, and save to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.


4. In your next reply, please post the following logs for my review:
  • Profiles log (1)
  • Win32kDiag log (2)
  • Cheetah log (3)


Thanks! Smile...

descriptionDigital Protection Virus EmptyRe: Digital Protection Virus

more_horiz
Hi DragonMaster Jay-

Thanks for your help. This virus is brutal.

See the logs below.

The Profiles log:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
DefaultUserProfile REG_SZ Default User
AllUsersProfile REG_SZ All Users

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
ProfileImagePath REG_EXPAND_SZ %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-854245398-1060284298-682003330-500
ProfileImagePath REG_EXPAND_SZ %SystemDrive%\Documents and Settings\Administrator

SystemRoot REG_SZ C:\WINDOWS

Win32kDiag Log:
Running from: C:\Documents and Settings\Administrator\Desktop\Win32kDiag2.exe

Log file at : C:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

I had to run this twice because I don't think I let it run long enough the first time but only got one text box. Let me know if you need me to delete these and run this one again.





Finished!

Cheetah Log:
Cheetah-Anti-Rogue v1.4.1
by DragonMaster Jay

Microsoft Windows XP [Version 5.1.2600]
Date: 04/10/2010 - Time: 21:43:44 - Arch.: x86


-- Malware removal tools check --


-- Known infection --

C:\Documents and Settings\All Users\Application Data\fiosejgfse.dll (User Protection.RGE)


Extra message: Detection only.


EOF

descriptionDigital Protection Virus EmptyRe: Digital Protection Virus

more_horiz
Nah, it's fine.

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

descriptionDigital Protection Virus EmptyRe: Digital Protection Virus

more_horiz
Hi DragonMaster Jay-

I ran combofix and the log is below.
The computer is already faster, the little inappropriate images are gone from the desktop, and the images are gone from my toolbar. I still have 2 icons on the desktop (both saying digital protection with 2 different pictures) but am not getting the annoying popups asking me to purchase an updated version because my system is at risk.
I had delete my avira antivirus software because even though I had disabled it, it still thought it was active. Am I safe to download this again? Avira didn't protect me from this nasty virus-is there a better free anti viral program that you would recommend?
Am I safe to start using the internet again?
Do people know yet where this virus is coming from and how can I prevent myself from getting it again?
Thanks for all your help and sorry for all the questions!
Jessica

The combofix log:
ComboFix 10-04-11.02 - Administrator 04/11/2010 22:24:25.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.118 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\fiosejgfse.dll
c:\documents and settings\All Users\Desktop\AntiMalwarePro.lnk
c:\documents and settings\All Users\Desktop\nudetube.com.lnk
c:\documents and settings\All Users\Desktop\pornotube.com.lnk
c:\documents and settings\All Users\Desktop\youporn.com.lnk
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\program files\Smart-Shopper
c:\program files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll
c:\program files\Smart-Shopper\cs\antiphishing\antiphishing.html
c:\program files\Smart-Shopper\cs\antiphishing\phishAlert.gif
c:\program files\Smart-Shopper\cs\antiphishing\x.gif
c:\program files\Smart-Shopper\cs\antiphishing\xActive.gif
c:\program files\Smart-Shopper\Uninst.exe
c:\windows\eSellerateEngine.dll
c:\windows\system32\MSVolumeAMP.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-10 06:21 . 2010-04-12 05:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVP 2009
2010-04-10 06:21 . 2010-04-10 06:21 -------- d-----w- c:\program files\AntiMalware Pro
2010-04-10 05:09 . 2010-04-10 05:09 -------- d-----w- c:\documents and settings\Administrator\Application Data\everythingytb
2010-04-10 03:49 . 2010-04-10 06:47 -------- d-----w- c:\program files\Digital Protection
2010-03-23 01:01 . 2010-03-23 01:01 -------- d-----w- c:\documents and settings\Administrator\cs
2010-03-18 15:55 . 2010-03-18 15:55 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-03-18 15:51 . 2010-03-18 15:51 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-03-18 15:51 . 2010-03-18 15:51 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-18 04:51 . 2010-03-18 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\EmailNotifier
2010-03-18 04:50 . 2010-03-18 04:50 -------- d--h--w- c:\windows\msdownld.tmp
2010-03-18 04:47 . 2010-03-18 04:50 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-12 05:00 . 2009-12-30 03:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Smart-Shopper
2010-04-09 04:52 . 2009-07-10 05:36 256 ----a-w- c:\windows\system32\pool.bin
2010-03-27 16:32 . 2008-06-04 07:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-15 15:33 . 2009-11-15 14:48 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-08 04:25 . 2010-03-08 04:25 50354 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\uninstall.exe
2010-03-08 04:25 . 2010-03-08 04:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Facebook
2010-03-08 04:14 . 2008-07-15 04:46 -------- d-----w- c:\program files\Picasa
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-03 04:30 . 2010-02-03 04:30 144160 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\uninstall.exe
2010-02-03 04:30 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-01-27 04:42 . 2009-07-30 04:37 1924744 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa\PicasaMediaDetector.exe" [2008-02-26 443968]
"QuickPhrase"="c:\program files\TypingMaster\quickphrase\quickphrase.exe" [2008-05-12 638480]
"Universal Installer"="c:\program files\ComcastUI\Universal Installer\uinstaller.exe" [2008-03-18 984616]
"Desktop Software"="c:\program files\ComcastUI\Universal Installer\uinstaller.exe" [2008-03-18 984616]
"Digital Protection"="c:\program files\Digital Protection\digprot.exe" [2010-04-10 1712128]
"PMA_ENT"="c:\program files\AntiMalware Pro\AntiMalwarePro.exe" [2010-04-09 15756432]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-19 148888]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-01-12 02:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\drivers\NEOFLTR_600_12507.sys [12/27/2007 8:23 PM 64160]
R1 NEOFLTR_630_14121;Juniper Networks TDI Filter Driver (NEOFLTR_630_14121);c:\windows\system32\drivers\NEOFLTR_630_14121.sys [3/26/2009 8:02 PM 64480]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [3/15/2010 1:47 PM 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [3/15/2010 1:47 PM 116328]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [3/15/2010 1:47 PM 779496]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [10/16/2008 12:06 PM 20160]

--- Other Services/Drivers In Memory ---

*Deregistered* - PRAGMAxtyexuecbv
.
Contents of the 'Scheduled Tasks' folder

2010-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-04-05 c:\windows\Tasks\Backup.job
- c:\windows\system32\ntbackup.exe [2004-08-04 12:42]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\f3wsjfsf.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://urlseek10.vmn.net/search.php?type=dns&tbn=everyt2_0dn&q=
FF - plugin: c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Picasa\npPicasa3.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Digital Protection - c:\program files\Digital Protection\Pklkvqdii+`}`
AddRemove-Smart-Shopper - c:\program files\Smart-Shopper\Uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 22:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\PRAGMAxtyexuecbv
c:\docume~1\ADMINI~1\LOCALS~1\Temp\PRAGMA3e02.tmp 343040 bytes executable
c:\docume~1\ADMINI~1\LOCALS~1\Temp\pragmamainqt.dll 10358 bytes
c:\windows\TEMP\PRAGMAfebe.tmp 146 bytes
c:\windows\system32\PRAGMAamdxjtobfk.dll 49152 bytes executable
c:\windows\system32\PRAGMAdoucrmkxsm.dat 146 bytes
c:\windows\system32\PRAGMAigsbqsfmoc.dll 49152 bytes executable
c:\windows\system32\PRAGMAordgeiuhal.dll 29696 bytes executable

scan completed successfully
hidden files: 8

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PRAGMAd.sys]
"imagepath"="\systemroot\system32\drivers\PRAGMAoysvamvmeu.sys"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PRAGMAxtyexuecbv]
"imagepath"="\systemroot\PRAGMAxtyexuecbv\PRAGMAd.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-854245398-1060284298-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6b,92,aa,ac,3b,53,7c,4e,9f,1a,9e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6b,92,aa,ac,3b,53,7c,4e,9f,1a,9e,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2010-04-11 22:41:11
ComboFix-quarantined-files.txt 2010-04-12 05:41

Pre-Run: 54,858,661,888 bytes free
Post-Run: 57,247,404,032 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 357A495CEDC7825D70160EBEE2EEF42E

descriptionDigital Protection Virus EmptyRe: Digital Protection Virus

more_horiz
Not yet on Avira.

Re-running ComboFix to remove infections:

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the box below into it:
    killall::

    Folder::
    c:\documents and settings\Administrator\Application Data\AVP 2009
    c:\program files\AntiMalware Pro
    c:\documents and settings\Administrator\Application Data\everythingytb
    c:\program files\Digital Protection
    c:\documents and settings\Administrator\Application Data\Smart-Shopper

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Digital Protection"=-
    "PMA_ENT"=-

    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PRAGMAd.sys]

    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PRAGMAxtyexuecbv]

    NetSvc::
    PRAGMAxtyexuecbv

    File::
    c:\windows\PRAGMAxtyexuecbv
    c:\documents and settings\administrator\local settings\Temp\PRAGMA3e02.tmp
    c:\documents and settings\administrator\local settings\Temp\pragmamainqt.dll
    c:\windows\TEMP\PRAGMAfebe.tmp 146 bytes
    c:\windows\system32\PRAGMAamdxjtobfk.dll
    c:\windows\system32\PRAGMAdoucrmkxsm.dat
    c:\windows\system32\PRAGMAigsbqsfmoc.dll
    c:\windows\system32\PRAGMAordgeiuhal.dll

    Rootkit::

    Reboot::
  • Save this as CFScript.txt, in the same location as ComboFix.exe

    Digital Protection Virus 2v3rg44

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • Please post the contents of the log in your next reply.


===================================================

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:


    :filefind
    pragma*.*
    *pragma*

    :folderfind
    *pragma*

    :regfind
    pragma


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Please include the ComboFix and SystemLook logs in your next reply.

descriptionDigital Protection Virus EmptyRe: Digital Protection Virus

more_horiz
Hi DragonMaster Jay-

Here are the logs.

combofix log:
ComboFix 10-04-11.02 - Administrator 04/12/2010 19:10:18.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.178 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\administrator\local settings\Temp\PRAGMA3e02.tmp"
"c:\documents and settings\administrator\local settings\Temp\pragmamainqt.dll"
"c:\windows\PRAGMAxtyexuecbv"
"c:\windows\system32\PRAGMAamdxjtobfk.dll"
"c:\windows\system32\PRAGMAdoucrmkxsm.dat"
"c:\windows\system32\PRAGMAigsbqsfmoc.dll"
"c:\windows\system32\PRAGMAordgeiuhal.dll"
"c:\windows\TEMP\PRAGMAfebe.tmp 146 bytes"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\AVP 2009
c:\documents and settings\Administrator\Application Data\AVP 2009\1.dat
c:\documents and settings\Administrator\Application Data\everythingytb
c:\documents and settings\Administrator\Application Data\Smart-Shopper
c:\documents and settings\Administrator\Application Data\Smart-Shopper\cs\Config.xml
c:\documents and settings\Administrator\Application Data\Smart-Shopper\cs\db\Aliases.dbs
c:\documents and settings\Administrator\Application Data\Smart-Shopper\cs\db\Sites.dbs
c:\documents and settings\Administrator\Application Data\Smart-Shopper\cs\dwld\WhiteList.xip
c:\documents and settings\Administrator\Application Data\Smart-Shopper\cs\report\aggr_storage.xml
c:\documents and settings\Administrator\Application Data\Smart-Shopper\cs\report\send_storage.xml
c:\documents and settings\Administrator\Application Data\Smart-Shopper\cs\res1\WhiteList.dbs
c:\documents and settings\administrator\local settings\Temp\PRAGMA3e02.tmp
c:\documents and settings\administrator\local settings\Temp\pragmamainqt.dll
c:\documents and settings\All Users\Application Data\fiosejgfse.dll
c:\program files\AntiMalware Pro
c:\program files\AntiMalware Pro\AntiMalwarePro.exe
c:\program files\AntiMalware Pro\Cl.exe
c:\program files\AntiMalware Pro\definitions\200812.cab
c:\program files\AntiMalware Pro\EngineAP.dll
c:\program files\AntiMalware Pro\FolderPaths.txt
c:\program files\AntiMalware Pro\ScheduleAP.txt
c:\program files\AntiMalware Pro\Task.dat
c:\program files\AntiMalware Pro\unins000.dat
c:\program files\AntiMalware Pro\unins000.exe
c:\program files\Digital Protection
c:\program files\Digital Protection\about.ico
c:\program files\Digital Protection\activate.ico
c:\program files\Digital Protection\buy.ico
c:\program files\Digital Protection\dig.db
c:\program files\Digital Protection\digext.dll
c:\program files\Digital Protection\dighook.dll
c:\program files\Digital Protection\digprot.exe
c:\program files\Digital Protection\help.ico
c:\program files\Digital Protection\scan.ico
c:\program files\Digital Protection\settings.ico
c:\program files\Digital Protection\splash.mp3
c:\program files\Digital Protection\Uninstall.exe
c:\program files\Digital Protection\update.ico
c:\program files\Digital Protection\virus.mp3
c:\windows\system32\MSVolumeAMP.dll
c:\windows\system32\PRAGMAamdxjtobfk.dll
c:\windows\system32\PRAGMAdoucrmkxsm.dat
c:\windows\system32\PRAGMAigsbqsfmoc.dll
c:\windows\system32\PRAGMAordgeiuhal.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.

2010-04-09 23:00 . 2010-04-09 23:00 -------- d-----w- c:\windows\PRAGMAxtyexuecbv
2010-03-23 01:01 . 2010-03-23 01:01 -------- d-----w- c:\documents and settings\Administrator\cs
2010-03-18 15:55 . 2010-03-18 15:55 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-03-18 15:51 . 2010-03-18 15:51 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-03-18 15:51 . 2010-03-18 15:51 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-03-18 04:51 . 2010-03-18 04:51 -------- d-----w- c:\documents and settings\All Users\Application Data\EmailNotifier
2010-03-18 04:50 . 2010-03-18 04:50 -------- d--h--w- c:\windows\msdownld.tmp
2010-03-18 04:47 . 2010-03-18 04:50 -------- dc-h--w- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 01:59 . 2010-04-09 23:01 1181 ----a-w- c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
2010-04-13 01:59 . 2010-04-09 23:01 1181 ----a-w- c:\documents and settings\All Users\Application Data\pragmamfeklnmal.dll
2010-04-09 04:52 . 2009-07-10 05:36 256 ----a-w- c:\windows\system32\pool.bin
2010-03-27 16:32 . 2008-06-04 07:11 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-15 15:33 . 2009-11-15 14:48 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-08 04:25 . 2010-03-08 04:25 50354 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\uninstall.exe
2010-03-08 04:25 . 2010-03-08 04:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Facebook
2010-03-08 04:14 . 2008-07-15 04:46 -------- d-----w- c:\program files\Picasa
2010-03-06 05:30 . 2010-03-06 05:30 847040 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\axfbootloader.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll
2010-02-19 23:47 . 2010-02-19 23:47 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-03 04:30 . 2010-02-03 04:30 144160 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\uninstall.exe
2010-02-03 04:30 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-01-27 04:42 . 2009-07-30 04:37 1924744 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-04-12_05.36.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-13 02:18 . 2010-04-13 02:18 16384 c:\windows\Temp\Perflib_Perfdata_6dc.dat
+ 2010-04-09 23:00 . 2010-04-09 23:00 44544 c:\windows\PRAGMAxtyexuecbv\PRAGMAd.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa\PicasaMediaDetector.exe" [2008-02-26 443968]
"QuickPhrase"="c:\program files\TypingMaster\quickphrase\quickphrase.exe" [2008-05-12 638480]
"Universal Installer"="c:\program files\ComcastUI\Universal Installer\uinstaller.exe" [2008-03-18 984616]
"Desktop Software"="c:\program files\ComcastUI\Universal Installer\uinstaller.exe" [2008-03-18 984616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-12 623992]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-19 148888]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-01-12 02:54 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:42 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 17:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Administrator\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\drivers\NEOFLTR_600_12507.sys [12/27/2007 8:23 PM 64160]
R1 NEOFLTR_630_14121;Juniper Networks TDI Filter Driver (NEOFLTR_630_14121);c:\windows\system32\drivers\NEOFLTR_630_14121.sys [3/26/2009 8:02 PM 64480]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [3/15/2010 1:47 PM 58984]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [3/15/2010 1:47 PM 116328]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [3/15/2010 1:47 PM 779496]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [10/16/2008 12:06 PM 20160]
.
Contents of the 'Scheduled Tasks' folder

2010-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-04-05 c:\windows\Tasks\Backup.job
- c:\windows\system32\ntbackup.exe [2004-08-04 12:42]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {A1662FB6-39BE-41BB-ACDC-0448FB1B5817} - hxxp://images3.pnimedia.com/ProductAssets/costcous/activex/v3_0_0_5/PhotoCenter_ActiveX_Control.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\f3wsjfsf.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://urlseek10.vmn.net/search.php?type=dns&tbn=everyt2_0dn&q=
FF - plugin: c:\documents and settings\Administrator\Application Data\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Picasa\npPicasa3.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 19:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PRAGMAd.sys]
"imagepath"="\systemroot\system32\drivers\PRAGMApvqqbjtlwf.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-854245398-1060284298-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6b,92,aa,ac,3b,53,7c,4e,9f,1a,9e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6b,92,aa,ac,3b,53,7c,4e,9f,1a,9e,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PRAGMAd.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\PRAGMApvqqbjtlwf.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5564)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\WgaTray.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2010-04-12 19:28:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-13 02:28
ComboFix2.txt 2010-04-12 05:41

Pre-Run: 57,263,398,912 bytes free
Post-Run: 57,233,993,728 bytes free

- - End Of File - - 8E2F708765303C3C7DF7766FB77DBA03

Systemlook log:
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 19:31 on 12/04/2010 by Administrator (Administrator - Elevation successful)

No Context: Code:

No Context: :filefind

No Context: pragma*.*

No Context: *pragma*

No Context: :folderfind

No Context: *pragma*

No Context: :regfind

No Context: pragma

-=End Of File=-

descriptionDigital Protection Virus EmptyRe: Digital Protection Virus

more_horiz
Digital Protection Virus Mbamicontw5 Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Copy and paste the entire report in your next reply.

descriptionDigital Protection Virus EmptyRe: Digital Protection Virus

more_horiz
Hi DragonMaster Jay-

Here is the log. I still have an icon for digital protection on the desktop...

Thanks!

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3983

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/12/2010 11:05:43 PM
mbam-log-2010-04-12 (23-05-43).txt

Scan type: Full scan (C:\|)
Objects scanned: 239931
Time elapsed: 1 hour(s), 42 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 21
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{4cf088bd-be95-40a5-be9b-677f8683edea} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6fac4823-815e-4361-836e-46d65ed2550b} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{911f251e-34fd-465e-b6ce-df00ff49a6be} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fe4f1649-8909-49c0-87ba-24d65120db46} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{022c671f-6cba-4a03-a8f9-3b3a361b235a} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8ad815fc-607b-419f-8b70-d345a507a54e} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Digital Protection (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Smart-Shopper (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Smart-Shopper (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smart-shopper.hbax (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smart-shopper.hbax.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smart-shopper.iebutton (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smart-shopper.iebutton.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smart-shopper.iebuttona (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smart-shopper.iebuttona.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smart-shopper.iebuttonb (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\smart-shopper.iebuttonb.1 (Adware.SmartShopper) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Administrator\Start Menu\Programs\Digital Protection (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAxtyexuecbv (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\f3wsjfsf.default\Cache\2380C870d01 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\AntiMalware Pro\AntiMalwarePro.exe.vir (Rogue.AntivirusDoktor) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\AntiMalware Pro\Cl.exe.vir (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Digital Protection\digext.dll.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Digital Protection\dighook.dll.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Digital Protection\digprot.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Digital Protection\Uninstall.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Smart-Shopper\Bin\2.5.1\Smrt-Shpr.dll.vir (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAxtyexuecbv\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Programs\Digital Protection\About.lnk (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Programs\Digital Protection\Activate.lnk (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Programs\Digital Protection\Buy.lnk (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Programs\Digital Protection\Digital Protection Support.lnk (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Programs\Digital Protection\Digital Protection.lnk (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Programs\Digital Protection\Scan.lnk (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Programs\Digital Protection\Settings.lnk (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Programs\Digital Protection\Update.lnk (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Digital Protection.LNK (Rogue.DigitalProtection) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\Digital Protection.LNK (Rogue.DigitalProtection) -> Quarantined and deleted successfully.

descriptionDigital Protection Virus EmptyRe: Digital Protection Virus

more_horiz
Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

descriptionDigital Protection Virus EmptyRe: Digital Protection Virus

more_horiz
Hi DragonMaster Jay-

The quick scan log:
Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3984

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/13/2010 6:56:29 AM
mbam-log-2010-04-13 (06-56-29).txt

Scan type: Quick scan
Objects scanned: 101868
Time elapsed: 4 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

descriptionDigital Protection Virus EmptyRe: Digital Protection Virus

more_horiz
Please download RootRepeal from GooglePages.com.

  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe.
  • Click Settings > Options. Drag the slider to High Level. Then, click the Red X.
  • Go to the Report tab and click on the Scan button.
    Digital Protection Virus Nclahc

  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
    Digital Protection Virus 2j5lb6
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.

Please remove any e-mail address in the RootRepeal report (if present).

descriptionDigital Protection Virus EmptyRe: Digital Protection Virus

more_horiz
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/04/13 21:34
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEED06000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A97000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEDB73000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee54d82

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee5548e

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee555da

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee58d54

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee58d86

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee5553e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee54ec6

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee550b8

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee551ea

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee58e5e

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee58dc8

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee58dfa

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee58e2c

#: 213 Function Name: NtSetContextThread
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee54d30

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee5563a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee58cec

#: 254 Function Name: NtSuspendThread
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee54cd4

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee54c30

#: 258 Function Name: NtTerminateThread
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee54c78

Shadow SSDT
-------------------
#: 013 Function Name: NtGdiBitBlt
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee5a384

#: 292 Function Name: NtGdiStretchBlt
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee5a3d2

#: 378 Function Name: NtUserFindWindowEx
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee55962

#: 477 Function Name: NtUserPrintWindow
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee5a42c

#: 483 Function Name: NtUserQueryWindow
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xeee558d6

==EOF==

descriptionDigital Protection Virus EmptyRe: Digital Protection Virus

more_horiz
Looks safe to me. Any more issues like popups, etc?

If not, then we will proceed to cleanup.

descriptionDigital Protection Virus EmptyRe: Digital Protection Virus

more_horiz
Hi DragonMaster Jay-

No more popups. There is still an icon for digital protection on the desktop though. Is that a problem?

Thanks so much for all of your help.

Jessica

descriptionDigital Protection Virus EmptyRe: Digital Protection Virus

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum