GeekPolice

Infected with numerous trojans and Digital Protection...

Post by ormelody4751 on Fri Apr 30, 2010 11:46 am

Hi Geek Police, I've a horrible issue at hand that I feel has pretty much reached beyond my control.

Yesterday while browsing Facebook, a program, Digital Protection, had somehow installed itself onto my computer. I put my computer into safe mode, ran antimalware software and was able to get rid of them. I thought that was the end of my problems.
Well, it turns out that later on in the evening my browser reverted to a page from my ISP, Qwest, saying that the admin's account email address was acting as an open proxy to forward spam to others.

This HORRENDOUSLY frightened me, so I turned off my computer, and now it is running in safe mode as I am unsure what to do now. My Malwarebytes Anti-Malware protection still shows trojan and root.agentkit viruses that are stubborn to removal. I tried calling customer service, but it's 4:45 am here and I didn't want to disturb those in my house who are asleep, which led me here.


Any help on what to do would be very much so appreciated.


Re: Infected with numerous trojans and Digital Protection...

Post by Kenny94 on Fri Apr 30, 2010 1:50 pm

Hi ormelody4751, and welcome to GP.

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions, and please do no fixing on your own or running of scanners unless requested by me or another helper.


Please do the following in NORMAL Mode:

DeFogger
Download DeFogger by jpshortstuff from [You must be registered and logged in to see this link.] & save it to your desktop.

  • Right click DeFogger, then choose Run as Administrator, or double-click to run the tool
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A Finished! message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable, which will appear on your desktop.
Do not re-enable these drivers until otherwise instructed.


Next


Download the [You must be registered and logged in to see this link.]. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

  • Double click GMER.exe.

  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click NO, then use the following settings for a more complete scan:
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...

    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
      [You must be registered and logged in to see this link.]

  • Then click the Scan button & wait for it to finish.
  • Once done, click the [Save..] button and, in the File name area, type "ark.txt".
  • Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Please copy and paste the report into your Post.


Re: Infected with numerous trojans and Digital Protection...

Post by ormelody4751 on Fri Apr 30, 2010 9:29 pm

THANKS FOR THE RESPONSE!


Well, I tried running everything in normal mode, but after five minutes my computer's mouse becomes unable to maneuver and the computer's screen turns to black. I'm in safe mode now.


Anyway I downloaded that stuff and disabled the drivers.


GMER 1.0.15.15281 - [You must be registered and logged in to see this link.]
Rootkit scan 2010-04-30 14:28:42
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\COMPUT~1\AppData\Local\Temp\kgliquob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x8B6C97FE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x8B6E809E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0x8B6E4608]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0x8B6E4A30]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0x8B6EC98E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateUserProcess [0x8B6E4EA4]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x8B6CA6CA]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0x8B6E9ABE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0x8B6E93B2]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0x8B6E3442]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0x8B6EA48C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0x8B6EA6CA]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKeyEx [0x8B6EAB7C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x8B6CA1B8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0x8B6E6666]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0x8B6EB926]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x8B6EAE46]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0x8B6EB564]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0x8B6D050C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x8B6CAAD6]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0x8B6EBEB0]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0x8B6E8AD2]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0x8B6E572E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0x8B6E545E]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E36AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E36104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E363F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E1E634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E1E898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E361DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E36958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E366F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E36F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E371A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 81E96599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81EBAF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 2F8 81EC2808 4 Bytes [FE, 97, 6C, 8B]
.text ntkrnlpa.exe!RtlSidHashLookup + 308 81EC2818 4 Bytes [9E, 80, 6E, 8B]
.text ntkrnlpa.exe!RtlSidHashLookup + 32C 81EC283C 8 Bytes [08, 46, 6E, 8B, 30, 4A, 6E, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 340 81EC2850 4 Bytes [8E, C9, 6E, 8B]
.text ntkrnlpa.exe!RtlSidHashLookup + 364 81EC2874 4 Bytes [A4, 4E, 6E, 8B]
.text ...
? C:\windows\System32\Drivers\iyjee.sys A device attached to the system is not functioning. !
.text C:\windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x87B29000, 0x3C849, 0xE8000020]
.dsrt C:\windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x87B6E000, 0x3DC, 0x48000040]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84D1FD90

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000057 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\iyjee@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\iyjee@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\iyjee@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\iyjee@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\iyjee@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\iyjee@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\iyjee@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\services\iyjee@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----

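As an added example that is not part of the thread and not GMER's own code: a short Python triage script that reads a saved ark.txt like the one posted above and pulls out what a helper reads first, namely which module owns the SSDT hooks, which driver files GMER could not read (the lines it prefixes with "?"), and which services are registered to start at boot (Start = 0) in the Boot Bus Extender group. The embedded sample is an abridged excerpt of the log posted above; the section-header and line formats it matches are those of GMER 1.0.15 as shown in that log, and the "review first" rule is a heuristic (a boot-start service whose driver file GMER also could not read), not a verdict, in keeping with the false-positive caution earlier in the thread.

```python
# Triage helper for a saved GMER log (ark.txt). Added example, not GMER's own
# code; the sample below is an abridged excerpt of the log posted in this thread.
import json
import re
from collections import Counter

SAMPLE_LOG = r"""
Rootkit scan 2010-04-30 14:28:42

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x8B6C97FE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x8B6E809E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0x8B6E545E]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 81E36AF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 81E96599 1 Byte [06]
? C:\windows\System32\Drivers\iyjee.sys A device attached to the system is not functioning. !
.text C:\windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x87B29000, 0x3C849, 0xE8000020]

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\iyjee@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\iyjee@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\iyjee@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\iyjee@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\iyjee@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT (\S+) \((.*?)\) (Zw\w+) \[0x[0-9A-Fa-f]+\]$")
REG_RE = re.compile(r"^Reg HKLM\\SYSTEM\\(\w+)\\services\\([^@\\]+)@(\w+) (.*)$")

def parse_gmer(text):
    """Split a GMER log into {section name: [non-blank lines]}; EOF ends parsing."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = SECTION_RE.match(line)
        if m and m.group(1) == "EOF":
            break
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def ssdt_hooks_by_module(system_lines):
    """Count hooked Zw* services per hooking module: dozens of hooks from a named
    firewall driver are expected, hooks from an unnamed module are not."""
    counts = Counter()
    for m in filter(None, map(SSDT_RE.match, system_lines)):
        path, vendor, _service = m.groups()
        module = path.rsplit("\\", 1)[-1]
        counts[f"{module} ({vendor})"] += 1
    return dict(counts)

def unreadable_drivers(code_lines):
    """Paths GMER prefixes with '?' are modules it could not read."""
    return [line.split(" ", 2)[1] for line in code_lines if line.startswith("? ")]

def boot_start_services(reg_lines):
    """service -> {control set -> {value: data}} for services with Start 0
    (boot start, i.e. loaded before most security software)."""
    services = {}
    for m in filter(None, map(REG_RE.match, reg_lines)):
        control_set, svc, value, data = m.groups()
        services.setdefault(svc, {}).setdefault(control_set, {})[value] = data
    return {svc: sets for svc, sets in services.items()
            if any(cs.get("Start") == "0" for cs in sets.values())}

def triage(text):
    """Summary a helper reads before deciding on a fix. 'review_first' lists boot-start
    services in the Boot Bus Extender group whose driver file GMER also could not
    read, the combination seen in the posted log (a heuristic, not a verdict)."""
    sections = parse_gmer(text)
    unreadable = unreadable_drivers(sections.get("Kernel code sections", []))
    boot = boot_start_services(sections.get("Registry", []))
    stems = {p.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0] for p in unreadable}
    review = [svc for svc, sets in boot.items() if svc.lower() in stems
              and any(cs.get("Group") == "Boot Bus Extender" for cs in sets.values())]
    return {"ssdt_hooks": ssdt_hooks_by_module(sections.get("System", [])),
            "unreadable_drivers": unreadable,
            "boot_start_services": sorted(boot),
            "review_first": sorted(review)}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against a full ark.txt by reading the file and passing its contents to triage(); on the posted log every SSDT hook resolves to the ZoneAlarm driver, which is the expected picture for a host-firewall product, while the iyjee entry is the one that stands out on all three counts.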

Re: Infected with numerous trojans and Digital Protection...

Post by Kenny94 on Fri Apr 30, 2010 9:44 pm

This tool will help you stay in normal mode, ormelody4751:

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

  1. [You must be registered and logged in to see this link.]
  2. [You must be registered and logged in to see this link.]
  3. [You must be registered and logged in to see this link.]
  4. [You must be registered and logged in to see this link.]



Once you've gotten one of them to run then try to immediately Download/run the following:



  1. Download ComboFix from below:

    [You must be registered and logged in to see this link.]


    * IMPORTANT !!! Place combofix.exe on your Desktop

  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs [You must be registered and logged in to see this link.]

  3. Double click on combofix.exe & follow the prompts.

  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



    Click on Yes, to continue scanning for malware.

  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------

  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------


Re: Infected with numerous trojans and Digital Protection...

Post by ormelody4751 on Fri Apr 30, 2010 10:26 pm

Right, well, ComboFix didn't work. I was sure to disable the anti-spyware programs I had running too. I ran it, then got an error message. I tried a second time just now: same error.


Re: Infected with numerous trojans and Digital Protection...

Post by Kenny94 on Fri Apr 30, 2010 10:38 pm

What was the error message?

Can you rename ComboFix.exe to Firefox.com?
Then try again.
