Google Hijacked ? [Solved]


  • This topic is locked

#46
Emma_uk (Member, Topic Starter, 135 posts)
SmitFraudFix v2.385

Scan done at 10:01:25.98, 13/12/2008
Run from C:\Documents and Settings\admin\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\admin


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\admin\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\admin\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\admin\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

Description: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3B652397-D1A2-4820-A14F-74BD2C9CD374}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5B83674E-5E6A-4369-8F38-ED49CE2588ED}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3B652397-D1A2-4820-A14F-74BD2C9CD374}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5B83674E-5E6A-4369-8F38-ED49CE2588ED}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3B652397-D1A2-4820-A14F-74BD2C9CD374}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5B83674E-5E6A-4369-8F38-ED49CE2588ED}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  • 0
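Reading a SmitFraudFix report like the one above means comparing a few autostart and network keys against their known defaults. As an added example, not part of the thread or of the SmitFraudFix tool, this Python script parses that report layout and flags a Winlogon Userinit value that differs from the one in the log above, a non-empty AppInit_DLLs value, and DNS servers outside the private ranges; the embedded sample log is constructed.

```python
import ipaddress
import re

# Constructed excerpt in SmitFraudFix's report layout (three of its sections) holding the
# XP-default values seen in the thread's clean log; it is not the thread's own log.
SAMPLE_LOG = r"""»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
"""

# SmitFraudFix prints registry data the way a .reg export does, with doubled backslashes.
EXPECTED_USERINIT = r"C:\\WINDOWS\\system32\\userinit.exe,"

SECTION_RE = re.compile(r"^»+ (.+)$", re.M)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$', re.M)
DNS_RE = re.compile(r"(?:NameServer=|Search Order: )([\d. ,]+)$", re.M)


def split_sections(log):
    """Map each »»» section title to the text that follows it."""
    parts = SECTION_RE.split(log)  # [preamble, title1, body1, title2, body2, ...]
    return {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}


def check_log(log):
    """Return human-readable findings; an empty list means the checked keys look default."""
    sections = split_sections(log)
    findings = []
    winlogon = dict(VALUE_RE.findall(sections.get("Winlogon", "")))
    if winlogon.get("Userinit", "").lower() != EXPECTED_USERINIT.lower():
        findings.append(f"Winlogon Userinit is not the default: {winlogon.get('Userinit')!r}")
    if winlogon.get("System"):
        findings.append(f"Winlogon System value is set: {winlogon['System']!r}")
    appinit = dict(VALUE_RE.findall(sections.get("AppInit_DLLs", "")))
    if appinit.get("AppInit_DLLs"):
        findings.append(f"AppInit_DLLs loads extra DLLs: {appinit['AppInit_DLLs']!r}")
    for match in DNS_RE.finditer(sections.get("DNS", "")):
        for server in re.split(r"[ ,]+", match.group(1).strip()):
            if server and not ipaddress.ip_address(server).is_private:
                findings.append(f"DNS server outside the private ranges: {server}")
    return findings
```

Run check_log on the text of a saved report; the list it returns is only a prompt for a closer look, since a populated key is not by itself proof of infection, as the tool's own banner says.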

#47
RatHat (Ex Malware Expert, 7,829 posts)
Please stick with me for a little longer Emma, I want to make sure that your machine is really clean, and then get those files out of quarantine and uploaded for some of the real geniuses to examine and include in their removal tools!
  • 0

#48
Emma_uk (Member, Topic Starter, 135 posts)
That's fine RatHat, I want to help as you helped me :)
  • 0

#49
Emma_uk (Member, Topic Starter, 135 posts)
I have external drives that are currently not connected. Is it possible the virus may be sitting on one of those waiting to attack again?
  • 0

#50
RatHat (Ex Malware Expert, 7,829 posts)
OK Emma, looks pretty clean!

I need to get a list of the contents of the Combofix Quarantine folder first.

Please download DirLook by jpshortstuff from here.
  • Double-click DirLook.exe to run it.
  • Ensure that Show Hidden Files/Folders and BBCode Output are both checked.
  • Copy the content of the following codebox into the main textfield:

    C:\Qoobox\Quarantine
  • Click the DirLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (Note: The log can also be found at C:\dl_log.txt)
Note: Scanning may take longer for large folders.
  • 0

#51
Emma_uk (Member, Topic Starter, 135 posts)
DirLook.exe v2.0 by jpshortstuff
Log created at 10:21 on 13/12/2008
==================================
Contents of "C:\Qoobox\Quarantine"

---FOLDERS---

C (Created on 12/12/2008 at 20:30) d-----
Registry_backups (Created on 12/12/2008 at 20:27) d-----

---FILES---

catchme.log (452 bytes - created on 12/12/2008 at 20:27, modified on 13/12/2008 at 09:34) --a---
catchme.txt (802 bytes - created on 13/12/2008 at 00:32, modified on 13/12/2008 at 09:33) --a---

==================================
=EOF=
  • 0

#52
RatHat (Ex Malware Expert, 7,829 posts)
Can you run it once more please Emma, I forgot to add a switch to include all folders.

  • Double-click DirLook.exe to run it.
  • Ensure that Show Hidden Files/Folders and BBCode Output are both checked.
  • Copy the content of the following codebox into the main textfield:

    C:\Qoobox\Quarantine /s
  • Click the DirLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (Note: The log can also be found at C:\dl_log.txt)
Note: Scanning may take longer for large folders.
  • 0

#53
Emma_uk (Member, Topic Starter, 135 posts)
:)

DirLook.exe v2.0 by jpshortstuff
Log created at 10:30 on 13/12/2008
==================================
Contents of "C:\Qoobox\Quarantine"

---FOLDERS---

C (Created on 12/12/2008 at 20:30) d-----
Registry_backups (Created on 12/12/2008 at 20:27) d-----

---FILES---

catchme.log (452 bytes - created on 12/12/2008 at 20:27, modified on 13/12/2008 at 09:34) --a---
catchme.txt (802 bytes - created on 13/12/2008 at 00:32, modified on 13/12/2008 at 09:33) --a---

---Sub-Directories---

C:\Qoobox\Quarantine\C

C:\Qoobox\Quarantine\C\Documents and Settings (Created on 12/12/2008 at 20:31) d-----

C:\Qoobox\Quarantine\C\Documents and Settings\All Users (Created on 12/12/2008 at 20:31) d-----

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data (Created on 12/12/2008 at 20:31) d-----

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft (Created on 12/12/2008 at 20:31) d-----

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network (Created on 12/12/2008 at 20:31) d-----

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader (Created on 12/12/2008 at 20:31) d-----

qmgr0.dat.vir (9062 bytes - created on 22/01/2003 at 03:32, modified on 12/12/2008 at 09:49) --a---
qmgr1.dat.vir (9062 bytes - created on 22/01/2003 at 03:32, modified on 12/12/2008 at 09:49) --a---

C:\Qoobox\Quarantine\C\WINDOWS (Created on 12/12/2008 at 20:30) d-----

IE4 Error Log.txt.vir (505 bytes - created on 28/05/2008 at 14:33, modified on 28/05/2008 at 14:33) --a---

C:\Qoobox\Quarantine\C\WINDOWS\system32 (Created on 13/12/2008 at 00:32) d-----

dgmmhct.dll.vir (31232 bytes - created on 09/12/2008 at 20:34, modified on 13/12/2008 at 00:29) --a---
dgmoiqh.dll.vir (34816 bytes - created on 09/12/2008 at 19:30, modified on 09/12/2008 at 19:30) --a---

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers (Created on 13/12/2008 at 00:32) d-----

dgmmqlt.sys.vir (52224 bytes - created on 09/12/2008 at 19:30, modified on 09/12/2008 at 19:30) --a---

C:\Qoobox\Quarantine\Registry_backups

HKLM-Run-CFSServ.exe.reg.dat (0 bytes - created on 12/12/2008 at 20:31, modified on 12/12/2008 at 20:31) --a---
HKLM-Run-NDSTray.exe.reg.dat (0 bytes - created on 12/12/2008 at 20:31, modified on 12/12/2008 at 20:31) --a---
HKLM-Run-SunJavaUpdateSched.reg.dat (156 bytes - created on 12/12/2008 at 20:31, modified on 12/12/2008 at 20:31) --a---
HKLM-Run-TFncKy.reg.dat (0 bytes - created on 12/12/2008 at 20:31, modified on 12/12/2008 at 20:31) --a---
Legacy_DGMSERV.SYS.reg.dat (1318 bytes - created on 13/12/2008 at 00:33, modified on 13/12/2008 at 00:33) --a---
tcpip.reg (7460 bytes - created on 12/12/2008 at 20:31, modified on 13/12/2008 at 09:34) --a---

==================================
=EOF=
  • 0

#54
RatHat (Ex Malware Expert, 7,829 posts)
OK, let's get those files uploaded to the Spykiller.

Please download ZipIt from here:
Download 1
Download 2
  • Double-click ZipIt! to run it.
  • Then copy the content of the following codebox into the textfield:

    ::info::Emma_UK
    ::info::http://www.geekstogo.com/forum/Google-Hijacked-t220403.html
    ::info::Possible TDSS Variants
    
    C:\Qoobox\Quarantine\C\WINDOWS\system32\dgmmhct.dll.vir
    C:\Qoobox\Quarantine\C\WINDOWS\system32\dgmoiqh.dll.vir
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\dgmmqlt.sys.vir
    C:\Qoobox\Quarantine\Registry_backups\Legacy_DGMSERV.SYS.reg.dat
    C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
  • Then, just click the Zip button.
  • When finished, and if successful, a new file will have been created on your Desktop. You will be notified of what the file name is when the process has been completed.


Now let's get them uploaded. Go to The Spy Killer
  • Read the post named Instructions for uploading files
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: Files - For RatHat
  • Put a link to this Geeks to Go topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to the newly created Zip file
  • Click Open
  • Then click Post
Let me know here when you have uploaded the file.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's check those other drives to make sure they are clean. Connect them to your computer, but don't open anything on them.

Now run an online scan with Kaspersky WebScanner.
Note: You must use Internet Explorer to run this scan, and you must disable your Anti Virus program during the scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the View scan report link:
  • Click the Save report as button
  • Under Save as type, choose Text file (*.txt)
  • Save the file to your desktop as Kaspersky.txt
  • Copy and paste that information in your next post.

  • 0

#55
Emma_uk (Member, Topic Starter, 135 posts)
For some reason I'm having problems with Java. Kaspersky says it's not installed, however when I try to install it, it says I have it already :)

Will my problems never end :)
  • 0

#56
RatHat (Ex Malware Expert, 7,829 posts)
OK, let's sort that out.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version (Java Runtime Environment (JRE) 6 Update 11) for your computer.
Install it, then try running Kaspersky again.
  • 0

#57
Emma_uk (Member, Topic Starter, 135 posts)
Got to nip out for lunch with my parents, I'll be back in an hour or so. Then I will try the scan again.

thanks

:)
  • 0

#58
RatHat (Ex Malware Expert, 7,829 posts)
Oh, and thanks for the files. I got them and will make sure they get to the right people. :)
  • 0

#59
Emma_uk (Member, Topic Starter, 135 posts)
Uninstalled with the tool you sent, but the Java website still says I have it installed? :)

Will look at it after lunch.

thanks :)
  • 0

#60
RatHat (Ex Malware Expert, 7,829 posts)
Enjoy your lunch.

When you get back download Java Runtime Environment (JRE) 6 Update 11 again and re-install it. See if that works. If not we will try an F-Secure online scan again.

Sometimes Kaspersky can be fussy and won't run on some machines, it's just one of those things.
  • 0
