
Google Hijacked ? [Solved]


This topic is locked.

#31
Emma_uk (Member, Topic Starter, 135 posts)
The driver file dgmmqlt.sys isn't there either :)


#32
RatHat (Ex Malware Expert, 7,829 posts)
OK, they are well hidden. Let's continue on with SDFix and ComboFix.

#33
Emma_uk (Member, Topic Starter, 135 posts)
I've got to go to work now, but will complete when I get back.

Many thanks RatHat :)

#34
RatHat (Ex Malware Expert, 7,829 posts)
OK Emma, don't work too hard! :)

#35
RatHat (Ex Malware Expert, 7,829 posts)
Hi Emma,

Hope you had a good day!

Let's save those suspicious files and upload them to The Spy Killer before running SDFix and ComboFix.
  • Firstly we'll use GMER to save the files to your desktop.
  • Open the gmer folder and double click gmer.exe to run the program.
  • On starting, GMER will run a short scan; allow it to complete this.
  • Click on the > > > tab to open the menus.
  • Click on the Files tab.
  • On the left hand side, navigate to C:\Windows\System32\Drivers.
  • Now on the right hand side, locate the file dgmmqlt.sys.
    Note: It may help to check the Only Hidden check box on the right.
  • After selecting the file, click the Copy button.
  • In the Save As dialog, click on the Desktop button to ensure the file is saved there.
  • In the File Name box, type in dgmmqlt.sys.vir
    Note: The filename should have .vir at the end so as to render it harmless.

Now do the same for these two files (Remember that they are in the System32 Folder, not the Drivers folder):

C:\WINDOWS\system32\dgmoiqh.dll
C:\WINDOWS\system32\dgmmhct.dll

Name them dgmoiqh.dll.vir and dgmmhct.dll.vir, then zip all three files and upload them to The Spy Killer:
  • Read the post named Instructions for uploading files
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: Files - For RatHat
  • Put a link to this Geeks to Go topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to the zipped file you have just made.
  • Click Open
  • Then click Post
Let me know here when you have uploaded the file.

Next, continue with running SDFix and ComboFix, and post me the logs.

Regards,
RatHat
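The procedure above (copy each suspect file, give it a .vir suffix so nothing executes it by accident, zip the set and send it off) is what GMER's Files tab is being used for. As an added example that is not part of the original thread and not GMER's or the forum's own tooling, the following Python script does the same staging step and also records a SHA-256 per copy so the analyst can match the samples against what is later quarantined. The System32 paths and file contents in the demo are constructed stand-ins; the real copy of a driver the rootkit is hiding will fail, and the script reports that instead of silently producing an incomplete archive.

```python
"""Package suspected malware samples for upload to an analysis forum.

Added example, not part of the original thread or of GMER/ComboFix. It mirrors
the procedure in the post: copy each suspect file, append ".vir" so nothing
will execute it by accident, record a SHA-256 for each copy, and zip the set.
The file names and staging directory used by demo() are constructed.
"""
import hashlib
import os
import shutil
import tempfile
import zipfile

DEFANG_SUFFIX = ".vir"  # same convention as the post: dgmmqlt.sys -> dgmmqlt.sys.vir


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_sample(src, staging_dir):
    """Copy one suspect file into staging_dir under a defanged name.

    A missing file is raised, not skipped: "not there" is itself a finding
    when a rootkit is hiding its driver from the normal file view.
    """
    if not os.path.isfile(src):
        raise FileNotFoundError("suspect file missing or hidden from this view: %s" % src)
    dest = os.path.join(staging_dir, os.path.basename(src) + DEFANG_SUFFIX)
    shutil.copy2(src, dest)  # copy2 keeps the original timestamps for the analyst
    return dest


def package_samples(sources, staging_dir, zip_path):
    """Defang, hash and zip every path in sources; return {zip member: sha256}."""
    manifest = {}
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for src in sources:
            staged = stage_sample(src, staging_dir)
            member = os.path.basename(staged)
            manifest[member] = sha256_of(staged)
            zf.write(staged, arcname=member)
        # Ship the hashes inside the archive so they travel with the files.
        zf.writestr("MANIFEST.txt",
                    "".join("%s  %s\n" % (d, m) for m, d in sorted(manifest.items())))
    return manifest


def verify_archive(zip_path, manifest):
    """Re-hash each member inside the zip and compare it with the manifest."""
    with zipfile.ZipFile(zip_path) as zf:
        members = set(zf.namelist()) - {"MANIFEST.txt"}
        if members != set(manifest):
            return False
        return all(hashlib.sha256(zf.read(m)).hexdigest() == d for m, d in manifest.items())


def demo():
    """Constructed stand-ins for the three files named in the post."""
    work = tempfile.mkdtemp(prefix="samples-")
    fake_system32 = os.path.join(work, "system32")
    os.makedirs(os.path.join(fake_system32, "drivers"))
    suspects = {  # contents are arbitrary bytes, not real malware
        os.path.join(fake_system32, "drivers", "dgmmqlt.sys"): b"MZ\x90\x00fake-driver",
        os.path.join(fake_system32, "dgmoiqh.dll"): b"MZ\x90\x00fake-dll-1",
        os.path.join(fake_system32, "dgmmhct.dll"): b"MZ\x90\x00fake-dll-2",
    }
    for path, data in suspects.items():
        with open(path, "wb") as fh:
            fh.write(data)
    staging = os.path.join(work, "Desktop")
    os.makedirs(staging)
    archive = os.path.join(staging, "samples.zip")
    return package_samples(suspects, staging, archive), archive


if __name__ == "__main__":
    manifest, archive = demo()
    for name, digest in sorted(manifest.items()):
        print(digest, name)
    print("archive:", archive, "verified:", verify_archive(archive, manifest))
```

Pass the real paths (C:\Windows\System32\Drivers\dgmmqlt.sys and the two DLLs) and the Desktop as staging directory to package_samples on the infected machine; the .vir rename keeps the copies inert, while the manifest lets the analyst confirm that what they received is what was on disk.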

#36
Emma_uk (Member, Topic Starter, 135 posts)
Didn't work too hard.

Guess you're asleep now.

Speak later :)

ComboFix 08-12-11.04 - admin 2008-12-12 20:30:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1574 [GMT 0:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\IE4 Error Log.txt

----- BITS: Possible infected sites -----

hxxp://speedytorrents.net
.
((((((((((((((((((((((((( Files Created from 2008-11-12 to 2008-12-12 )))))))))))))))))))))))))))))))
.

2008-12-12 09:36 . 2008-12-12 09:36 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-12 09:34 . 2008-12-12 09:34 <DIR> d-------- c:\windows\ERUNT
2008-12-12 09:29 . 2008-12-12 09:48 <DIR> d-------- C:\SDFix
2008-12-11 19:39 . 2008-12-11 19:39 268 --ah----- C:\sqmdata00.sqm
2008-12-11 19:39 . 2008-12-11 19:39 244 --ah----- C:\sqmnoopt00.sqm
2008-12-11 16:34 . 2008-12-11 16:34 0 --a------ c:\windows\nsreg.dat
2008-12-11 16:16 . 2008-12-11 19:22 <DIR> d-------- c:\program files\Opera
2008-12-11 11:02 . 2008-12-11 11:02 <DIR> d-------- c:\program files\Trend Micro
2008-12-11 07:43 . 2008-06-08 12:44 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-12-11 07:43 . 2008-12-11 07:43 <DIR> d-------- c:\documents and settings\Administrator
2008-12-10 19:24 . 2008-12-10 19:24 <DIR> d-------- c:\documents and settings\admin\Application Data\Malwarebytes
2008-12-10 19:22 . 2008-12-10 19:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-10 19:22 . 2008-12-10 19:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-10 19:22 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-10 19:22 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-10 18:37 . 2008-12-11 16:57 250 --a------ c:\windows\gmer.ini
2008-12-10 17:58 . 2008-12-10 17:57 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-10 13:47 . 2008-12-10 13:47 0 --a------ c:\windows\system32\8104297.jun
2008-12-09 19:30 . 2006-02-28 12:00 4,224 --a------ c:\windows\system32\drivers\beep.sys
2008-12-09 19:30 . 2006-02-28 12:00 4,224 --a--c--- c:\windows\system32\dllcache\beep.sys
2008-12-09 18:40 . 2008-12-09 18:40 <DIR> d-------- C:\Binaries
2008-12-09 18:25 . 2008-12-10 14:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 18:54 . 2006-01-04 01:00 65,536 --a------ c:\windows\system32\ICE_JNIRegistry.dll
2008-12-06 14:25 . 2008-12-06 14:40 <DIR> d-------- c:\documents and settings\admin\Application Data\GrabPro
2008-12-06 14:24 . 2008-12-06 17:52 <DIR> d-------- c:\documents and settings\admin\Application Data\Orbit
2008-12-06 14:11 . 2008-12-06 14:16 237,568 --a------ c:\windows\system32\rmc_rtspdl.dll
2008-12-06 14:11 . 2008-12-06 14:16 156,672 --a------ c:\windows\system32\rmc_fixasf.exe
2008-12-06 14:09 . 2008-12-06 14:16 323,584 --a------ c:\windows\system32\AUDIOGENIE2.DLL
2008-12-06 14:08 . 2008-12-06 14:08 <DIR> d-------- c:\windows\Replay Media Catcher
2008-12-04 16:19 . 2008-12-11 08:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ulead Systems
2008-12-01 19:12 . 2008-12-03 16:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\River Past G5
2008-12-01 19:12 . 2008-12-01 19:12 <DIR> d-------- c:\documents and settings\admin\Application Data\River Past G5
2008-12-01 14:54 . 2008-12-01 14:54 <DIR> d-------- c:\documents and settings\admin\Application Data\dvdcss
2008-11-30 20:16 . 2008-11-30 20:19 20,358 --a------ c:\windows\vgirl.prf
2008-11-27 09:41 . 2008-12-11 17:53 <DIR> d-------- c:\documents and settings\admin\Application Data\Apple Computer
2008-11-26 17:32 . 2008-11-26 17:32 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-26 17:32 . 2008-11-26 17:32 <DIR> d-------- c:\program files\Apple Software Update
2008-11-26 17:32 . 2008-11-26 17:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-26 17:32 . 2008-11-26 17:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-26 17:28 . 2008-11-26 17:33 <DIR> d-------- c:\program files\QuickTime
2008-11-24 16:30 . 2000-04-30 18:12 92,160 --a------ c:\windows\system32\BarCod32.OCX
2008-11-24 11:10 . 2008-11-24 11:10 <DIR> d-------- c:\documents and settings\admin\Application Data\vlc
2008-11-22 17:39 . 2008-11-22 17:39 0 --a------ c:\documents and settings\admin\Application Data\wklnhst.dat
2008-11-13 23:11 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 23:11 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 11:37 . 2008-11-12 11:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\13242
2008-11-12 11:34 . 2008-09-25 13:20 483,328 --a------ c:\windows\system32\actskn45.ocx

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 20:04 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-11 08:16 --------- d-----w c:\documents and settings\admin\Application Data\DMCache
2008-12-11 08:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 08:11 --------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-11 08:11 --------- d-----w c:\documents and settings\admin\Application Data\Uniblue
2008-12-10 17:57 --------- d-----w c:\program files\Java
2008-12-09 15:36 --------- d-----w c:\program files\Your Uninstaller 2008
2008-12-09 11:08 --------- d-----w c:\documents and settings\admin\Application Data\VSO
2008-12-04 19:14 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-04 16:03 --------- d-----w c:\documents and settings\admin\Application Data\Canon
2008-11-17 20:40 --------- d-----w c:\documents and settings\admin\Application Data\LimeWire
2008-11-16 17:44 --------- d-----w c:\program files\McAfee
2008-11-05 08:30 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-29 16:47 --------- d-----w c:\documents and settings\admin\Application Data\CyberLink
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 20:45 --------- d-----w c:\program files\MSBuild
2008-10-23 20:44 --------- d-----w c:\program files\Reference Assemblies
2008-10-23 19:49 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-10-23 19:49 --------- d-----w c:\documents and settings\admin\Application Data\ATI
2008-10-23 18:56 --------- d-----w c:\program files\Microsoft IntelliPoint
2008-10-23 18:51 --------- d-----w c:\program files\ATI Technologies
2008-10-23 18:34 --------- dc-h--w c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-06 16:02 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-26 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-10-04 203280]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2008-06-02 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2008-06-02 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\DRIVERS\stppp.sys [2008-06-02 32000]
S3 Z302Mic;Vimicro Z302 Mic Audio Filter Driver;c:\windows\system32\drivers\UsbMicfilt.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb2a7764-e932-11db-a0f9-00508d9d5209}]
\Shell\AutoRun\command - F:\autorun.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2008-04-14 00:12]

2007-04-12 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\81z54s7r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-12 20:31:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\dgmserv.sys]
"imagepath"="\systemroot\system32\drivers\dgmmqlt.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-12 20:32:13
ComboFix-quarantined-files.txt 2008-12-12 20:32:10

Pre-Run: 228,955,895,808 bytes free
Post-Run: 229,024,180,224 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

182 --- E O F --- 2008-12-11 07:18:36



SDFix: Version 1.240
Run by admin on 12/12/2008 at 09:37

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :

C:\WINDOWS
:BE7C6D2608799A69 24
Total size: 24 bytes.
WINDOWS: deleted 24 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS
No streams found.



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-12 09:41:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\admin\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :



Files with Hidden Attributes :

Mon 27 Oct 2008 24 A.SH. --- "C:\WINDOWS\S5A5684F0.tmp"
Mon 2 Jun 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 7 Feb 2006 299,008 A..H. --- "C:\Program Files\Canon\MP Navigator 3.0\Maint.exe"
Mon 19 Dec 2005 61,440 A..H. --- "C:\Program Files\Canon\MP Navigator 3.0\uinstrsc.dll"
Fri 14 Nov 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Fri 14 Nov 2008 265 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Tue 4 Nov 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!
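The ComboFix log above is what the helper reads by eye: the BITS job pointing at a torrent site, the Security Center monitoring override for McAfee, the Windows Firewall turned off in the standard profile, an AutoRun command for a removable F: volume, a newly created service, and, in the catchme section, a service key whose imagepath names a driver that appears nowhere in the file listing. As an added example that is not part of the original thread and not ComboFix's own code, the Python below pulls those items out of a log automatically. SAMPLE_LOG is a verbatim excerpt of the log posted above with the file listings trimmed to one line; the severity labels and message wording are this example's own choices.

```python
"""Triage a ComboFix log for the indicators a helper checks first.

Added example: not part of the original thread and not ComboFix's own code.
SAMPLE_LOG is a verbatim excerpt of the ComboFix log posted above (file
listings trimmed to one line); severities and wording are this example's.
"""
import re

SAMPLE_LOG = r"""
----- BITS: Possible infected sites -----

hxxp://speedytorrents.net
.
2008-12-10 19:22 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb2a7764-e932-11db-a0f9-00508d9d5209}]
\Shell\AutoRun\command - F:\autorun.exe

*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\dgmserv.sys]
"imagepath"="\systemroot\system32\drivers\dgmmqlt.sys"
"""

# File listing lines: two timestamps, size or <DIR>, attribute flags, then the path.
FILE_LINE = re.compile(r"^(?:\S+ ){2}\. (?:\S+ ){4}(?P<path>[a-z]:\\.+)$", re.I)


def normalise(path):
    """Map an NT-style image path onto the drive path ComboFix lists files under.

    Assumes %SystemRoot% is C:\Windows, as in the log above.
    """
    p = path.strip('"').lower()
    if p.startswith("\\systemroot\\"):
        p = "c:\\windows\\" + p[len("\\systemroot\\"):]
    elif not re.match(r"^[a-z]:\\", p):  # bare "system32\x.sys" form
        p = "c:\\windows\\" + p.lstrip("\\")
    return p


def triage(log):
    """Return a list of (severity, message) findings for one ComboFix log."""
    lines = [ln.rstrip() for ln in log.splitlines()]
    listed = set()  # every path ComboFix could see in its file listings
    for ln in lines:
        m = FILE_LINE.match(ln)
        if m:
            listed.add(m.group("path").lower())

    findings, key, in_bits = [], None, False
    for ln in lines:
        if ln.startswith("----- BITS:"):
            in_bits = True
            continue
        if in_bits:  # URLs until the section's closing "."
            if ln.startswith(("hxxp://", "http://")):
                findings.append(("medium", "BITS download job points at %s" % ln))
            elif ln.strip() == ".":
                in_bits = False
            continue
        if ln.startswith("[") and ln.endswith("]"):
            key = ln[1:-1]
            continue
        if ln.startswith("*Newly Created Service*"):
            svc = ln.split("-", 1)[1].strip()
            findings.append(("info", "New service since last run: %s (confirm it is a tool you installed)" % svc))
            continue
        if key and "\\Shell\\AutoRun\\command" in ln and "mountpoints2" in key.lower():
            findings.append(("medium", "AutoRun command on a removable volume: %s" % ln.split(" - ", 1)[1]))
            continue
        if key and ln.startswith('"'):
            name, _, value = ln.partition("=")
            name, value = name.strip('"').lower(), value.strip()
            leaf = key.rsplit("\\", 1)[-1]
            if name == "disablemonitoring" and value.endswith("1") and "security center" in key.lower():
                findings.append(("info", "Security Center monitoring disabled for %s "
                                         "(products often set this themselves; confirm it is running)" % leaf))
            elif name == "enablefirewall" and value.startswith("0") and "firewallpolicy" in key.lower():
                findings.append(("high", "Windows Firewall disabled in profile %s" % leaf))
            elif name == "imagepath" and "\\services\\" in key.lower():
                image = normalise(value)
                if image in listed:
                    findings.append(("medium", "service %s loads %s (file is present in the listing; still verify it)" % (leaf, image)))
                else:
                    findings.append(("high", "service %s loads %s, which is absent from the file listing: hidden driver" % (leaf, image)))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print("%-6s %s" % (severity, message))
```

The decisive rule is the last one: a service whose driver is registered but never shows up in ComboFix's own file listing is exactly the dgmserv.sys / dgmmqlt.sys situation above, and it is why the helper moves straight to a CFScript rather than asking for another scan.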

#37
Emma_uk (Member, Topic Starter, 135 posts)
Tried to extract the files to the desktop with GMER.
It completes the scan, I follow your instructions, go to Files, I see the C: drive but it won't open?
So I can't navigate to the files. I don't know why?

#38
RatHat (Ex Malware Expert, 7,829 posts)
This could be a tricky one Emma. Let's see if this gets us underway:

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\dgmserv.sys]

Driver::
dgmserv.sys

Rootkit::
C:\Windows\System32\Drivers\dgmmqlt.sys
C:\WINDOWS\system32\dgmoiqh.dll
C:\WINDOWS\system32\dgmmhct.dll

Collect::
C:\Windows\System32\Drivers\dgmmqlt.sys
C:\WINDOWS\system32\dgmoiqh.dll
C:\WINDOWS\system32\dgmmhct.dll


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation not reproduced]

5. After reboot, (in case it asks to reboot), please post the Combofix.txt report into your next reply.


Now open GMER again, and see if you can open the C: drive. Hopefully, the files will now have been removed by ComboFix, so they won't be there, but let's see.
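The CFScript above is built directly from two lines of the earlier ComboFix log: the hidden service key [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\dgmserv.sys] and its "imagepath", plus the two DLLs GMER had shown alongside the driver. As an added example that is not part of the original thread and not ComboFix's own code, the Python below performs that derivation: it pairs each Services key in catchme output with its imagepath, converts the NT-style \systemroot\ path into the drive path the Rootkit:: and Collect:: sections expect (assuming the system drive is C:, as in this log), and renders the script with the same five directives used in the post.

```python
"""Build a ComboFix CFScript from a hidden-service finding.

Added example: not part of the original thread and not ComboFix's own code.
The directives (KILLALL::, Registry::, Driver::, Rootkit::, Collect::) are the
ones used in the script posted above; the parsing of ComboFix's catchme output
and the path conversion are this example's own and assume the system drive is C:.
"""
import re

# Verbatim from the first ComboFix log in this thread.
CATCHME_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\dgmserv.sys]
"imagepath"="\systemroot\system32\drivers\dgmmqlt.sys"
"""

# The two DLLs GMER showed alongside the driver (from the post above).
EXTRA_FILES = [r"C:\WINDOWS\system32\dgmoiqh.dll", r"C:\WINDOWS\system32\dgmmhct.dll"]

SERVICE_KEY = re.compile(
    r"^\[(?P<key>HKEY_LOCAL_MACHINE\\system\\ControlSet\d+\\Services\\(?P<name>[^\\\]]+))\]$", re.I)
IMAGEPATH = re.compile(r'^"imagepath"="(?P<path>[^"]+)"$', re.I)


def find_hidden_services(catchme_output):
    """Pair each Services key with the imagepath value printed under it.

    Returns a list of (full key, service name, image path) tuples.
    """
    services, pending = [], None
    for raw in catchme_output.splitlines():
        ln = raw.strip()
        m = SERVICE_KEY.match(ln)
        if m:
            pending = (m.group("key"), m.group("name"))
            continue
        m = IMAGEPATH.match(ln)
        if m and pending:
            services.append((pending[0], pending[1], m.group("path")))
            pending = None
    return services


def to_win_path(image_path):
    r"""Convert an NT image path to the drive path ComboFix's file sections expect.

    \systemroot\system32\drivers\x.sys  ->  C:\Windows\system32\drivers\x.sys
    \??\C:\dir\x.sys                     ->  C:\dir\x.sys
    Assumes %SystemRoot% is C:\Windows (true for the log above).
    """
    p = re.sub(r"^\\systemroot\\", "", image_path, flags=re.I)
    p = re.sub(r"^\\\?\?\\", "", p)
    if re.match(r"^[a-z]:\\", p, re.I):
        return p
    return "C:\\Windows\\" + p.lstrip("\\")


def build_cfscript(services, extra_files=()):
    """Render the script in the layout used in the post: KILLALL, then the
    service key to delete (leading '-' marks deletion, as in .reg files),
    the driver to unload by service name, the files to remove as rootkit
    components, and the same files to collect copies of for analysis."""
    files = [to_win_path(img) for _, _, img in services] + list(extra_files)
    lines = ["KILLALL::", ""]
    lines += ["Registry::"] + ["[-%s]" % key for key, _, _ in services] + [""]
    lines += ["Driver::"] + [name for _, name, _ in services] + [""]
    lines += ["Rootkit::"] + files + [""]
    lines += ["Collect::"] + files
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Save the output as CFScript.txt next to ComboFix.exe and drag it onto it.
    print(build_cfscript(find_hidden_services(CATCHME_EXCERPT), EXTRA_FILES))
```

Listing the same files under both Rootkit:: and Collect::, as the post does, is deliberate: Collect:: keeps a copy for the analyst even though the Rootkit:: section removes the originals, which matters once a rootkit has stopped the files being copied by hand through GMER.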

#39
Emma_uk (Member, Topic Starter, 135 posts)
Put Notepad into ComboFix and received this PUP warning, so blocked it:

This Potentially Unwanted Program
Name: RemAdm-ProcLaunch!171

Wanted to talk to you before I accepted it.

#40
RatHat (Ex Malware Expert, 7,829 posts)
That is to be expected with ComboFix, Emma. The best thing is to disable your antivirus before running ComboFix. Have a look at this page for details on how to do this.

#41
Emma_uk (Member, Topic Starter, 135 posts)
ComboFix 08-12-11.04 - admin 2008-12-13 9:33:23.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1539 [GMT 0:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dgmmhct.dll
c:\windows\system32\dgmoiqh.dll
c:\windows\System32\Drivers\dgmmqlt.sys

.
((((((((((((((((((((((((( Files Created from 2008-11-13 to 2008-12-13 )))))))))))))))))))))))))))))))
.

2008-12-12 09:36 . 2008-12-12 09:36 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2008-12-12 09:34 . 2008-12-12 09:34 <DIR> d-------- c:\windows\ERUNT
2008-12-12 09:29 . 2008-12-12 09:48 <DIR> d-------- C:\SDFix
2008-12-11 19:39 . 2008-12-11 19:39 268 --ah----- C:\sqmdata00.sqm
2008-12-11 19:39 . 2008-12-11 19:39 244 --ah----- C:\sqmnoopt00.sqm
2008-12-11 16:34 . 2008-12-11 16:34 0 --a------ c:\windows\nsreg.dat
2008-12-11 16:16 . 2008-12-11 19:22 <DIR> d-------- c:\program files\Opera
2008-12-11 11:02 . 2008-12-11 11:02 <DIR> d-------- c:\program files\Trend Micro
2008-12-11 07:43 . 2008-06-08 12:44 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS
2008-12-11 07:43 . 2008-12-11 07:43 <DIR> d-------- c:\documents and settings\Administrator
2008-12-10 19:24 . 2008-12-10 19:24 <DIR> d-------- c:\documents and settings\admin\Application Data\Malwarebytes
2008-12-10 19:22 . 2008-12-10 19:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-10 19:22 . 2008-12-10 19:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-10 19:22 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-10 19:22 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-10 18:37 . 2008-12-12 20:55 250 --a------ c:\windows\gmer.ini
2008-12-10 17:58 . 2008-12-10 17:57 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-10 13:47 . 2008-12-10 13:47 0 --a------ c:\windows\system32\8104297.jun
2008-12-09 19:30 . 2006-02-28 12:00 4,224 --a------ c:\windows\system32\drivers\beep.sys
2008-12-09 19:30 . 2006-02-28 12:00 4,224 --a--c--- c:\windows\system32\dllcache\beep.sys
2008-12-09 18:40 . 2008-12-09 18:40 <DIR> d-------- C:\Binaries
2008-12-09 18:25 . 2008-12-10 14:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-08 18:54 . 2006-01-04 01:00 65,536 --a------ c:\windows\system32\ICE_JNIRegistry.dll
2008-12-06 14:25 . 2008-12-06 14:40 <DIR> d-------- c:\documents and settings\admin\Application Data\GrabPro
2008-12-06 14:24 . 2008-12-06 17:52 <DIR> d-------- c:\documents and settings\admin\Application Data\Orbit
2008-12-06 14:11 . 2008-12-06 14:16 237,568 --a------ c:\windows\system32\rmc_rtspdl.dll
2008-12-06 14:11 . 2008-12-06 14:16 156,672 --a------ c:\windows\system32\rmc_fixasf.exe
2008-12-06 14:09 . 2008-12-06 14:16 323,584 --a------ c:\windows\system32\AUDIOGENIE2.DLL
2008-12-06 14:08 . 2008-12-06 14:08 <DIR> d-------- c:\windows\Replay Media Catcher
2008-12-04 16:19 . 2008-12-11 08:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Ulead Systems
2008-12-01 19:12 . 2008-12-03 16:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\River Past G5
2008-12-01 19:12 . 2008-12-01 19:12 <DIR> d-------- c:\documents and settings\admin\Application Data\River Past G5
2008-12-01 14:54 . 2008-12-01 14:54 <DIR> d-------- c:\documents and settings\admin\Application Data\dvdcss
2008-11-30 20:16 . 2008-11-30 20:19 20,358 --a------ c:\windows\vgirl.prf
2008-11-27 09:41 . 2008-12-11 17:53 <DIR> d-------- c:\documents and settings\admin\Application Data\Apple Computer
2008-11-26 17:32 . 2008-11-26 17:32 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-26 17:32 . 2008-11-26 17:32 <DIR> d-------- c:\program files\Apple Software Update
2008-11-26 17:32 . 2008-11-26 17:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-26 17:32 . 2008-11-26 17:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-26 17:28 . 2008-11-26 17:33 <DIR> d-------- c:\program files\QuickTime
2008-11-24 16:30 . 2000-04-30 18:12 92,160 --a------ c:\windows\system32\BarCod32.OCX
2008-11-24 11:10 . 2008-11-24 11:10 <DIR> d-------- c:\documents and settings\admin\Application Data\vlc
2008-11-22 17:39 . 2008-11-22 17:39 0 --a------ c:\documents and settings\admin\Application Data\wklnhst.dat
2008-11-13 23:11 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 23:11 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 20:04 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-11 08:16 --------- d-----w c:\documents and settings\admin\Application Data\DMCache
2008-12-11 08:14 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 08:11 --------- d-----w c:\documents and settings\All Users\Application Data\DriverScanner
2008-12-11 08:11 --------- d-----w c:\documents and settings\admin\Application Data\Uniblue
2008-12-10 17:57 --------- d-----w c:\program files\Java
2008-12-09 15:36 --------- d-----w c:\program files\Your Uninstaller 2008
2008-12-09 11:08 --------- d-----w c:\documents and settings\admin\Application Data\VSO
2008-12-04 19:14 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2008-12-04 16:03 --------- d-----w c:\documents and settings\admin\Application Data\Canon
2008-11-17 20:40 --------- d-----w c:\documents and settings\admin\Application Data\LimeWire
2008-11-16 17:44 --------- d-----w c:\program files\McAfee
2008-11-12 11:37 --------- d-----w c:\documents and settings\All Users\Application Data\13242
2008-11-05 08:30 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-29 16:47 --------- d-----w c:\documents and settings\admin\Application Data\CyberLink
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 20:45 --------- d-----w c:\program files\MSBuild
2008-10-23 20:44 --------- d-----w c:\program files\Reference Assemblies
2008-10-23 19:49 --------- d-----w c:\documents and settings\All Users\Application Data\ATI
2008-10-23 19:49 --------- d-----w c:\documents and settings\admin\Application Data\ATI
2008-10-23 18:56 --------- d-----w c:\program files\Microsoft IntelliPoint
2008-10-23 18:51 --------- d-----w c:\program files\ATI Technologies
2008-10-23 18:34 --------- dc-h--w c:\documents and settings\All Users\Application Data\{D5ABFFAD-D592-4F98-B02B-587125B4801F}
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-06 16:02 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-12_20.31.53.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 20:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2008-12-12 17:07:26 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-12-13 09:27:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-12 17:07:26 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-12-13 09:27:18 32,768 -c--a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-26 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" [2008-10-04 203280]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2008-06-02 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2008-06-02 12672]
S3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\DRIVERS\stppp.sys [2008-06-02 32000]
S3 Z302Mic;Vimicro Z302 Mic Audio Filter Driver;c:\windows\system32\drivers\UsbMicfilt.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb2a7764-e932-11db-a0f9-00508d9d5209}]
\Shell\AutoRun\command - F:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\windows\system32\defrag.exe [2008-04-14 00:12]

2007-04-12 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2008-07-09 17:10]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - c:\documents and settings\admin\Application Data\Mozilla\Firefox\Profiles\81z54s7r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-13 09:36:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\Common Files\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-13 9:38:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-13 09:38:07
ComboFix2.txt 2008-12-13 00:37:01
ComboFix3.txt 2008-12-12 20:32:14

Pre-Run: 228,955,537,408 bytes free
Post-Run: 228,951,691,264 bytes free

192 --- E O F --- 2008-12-11 07:18:36

#42
Emma_uk (Member, Topic Starter, 135 posts)
Ran GMER again and the dg sys files are not there.

#43
RatHat (Ex Malware Expert, 7,829 posts)

Quote (Emma_uk): Ran GMER again and the dg sys files are not there.

Yes, it looks like ComboFix got them out :)

OK, let's run another check. Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please save that report to your desktop as Smitfraud.txt, and copy/paste the content into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

#44
Emma_uk (Member, Topic Starter, 135 posts)
RatHat, you are a genius :). I've just done 50 Google searches for BBC News and they all came out positive :)

Think we can call this problem resolved.

If it appears again I'll be in touch.

Many many thanks

Emma
x

#45
Emma_uk (Member, Topic Starter, 135 posts)
I'll run the SmitfraudFix first :)