Ketsuban Posted October 3, 2011 ID:481834

Quoting the original report:

I am being redirected on Google searches and have IE ads popping up even when I am not running it. When I try to run a quick scan or scan with Malwarebytes, it closes immediately. Thanks.

I am having the same problem. Tried running in safe mode for the heck of it and got the same thing. Also my PC eventually seizes on me and I have to do a cold restart.
Ketsuban (Author) Posted October 3, 2011 ID:481882

Here are the logs from a combofix.exe run.

ComboFix 11-10-03.01 - speccoll 10/03/2011 14:18:49.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2905 [GMT -5:00]
Running from: c:\documents and settings\speccoll\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\documents and settings\speccoll\Start Menu\Internet Explorer.lnk
c:\windows\$NtUninstallKB31180$
c:\windows\$NtUninstallKB31180$\3476779920
c:\windows\$NtUninstallKB31180$\730443194\@
c:\windows\$NtUninstallKB31180$\730443194\bckfg.tmp
c:\windows\$NtUninstallKB31180$\730443194\cfg.ini
c:\windows\$NtUninstallKB31180$\730443194\Desktop.ini
c:\windows\$NtUninstallKB31180$\730443194\keywords
c:\windows\$NtUninstallKB31180$\730443194\kwrd.dll
c:\windows\$NtUninstallKB31180$\730443194\L\amekgyyk
c:\windows\$NtUninstallKB31180$\730443194\lsflt7.ver
c:\windows\$NtUninstallKB31180$\730443194\U\00000001.@
c:\windows\$NtUninstallKB31180$\730443194\U\00000002.@
c:\windows\$NtUninstallKB31180$\730443194\U\80000000.@
c:\windows\$NtUninstallKB31180$\730443194\U\80000032.@
c:\windows\$xntuninstall643$
c:\windows\$xntuninstall643$\apUninstall.exe
c:\windows\system32\comct332.ocx
c:\windows\system32\d3d9caps.dat
.
Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected
Restored copy from - The cat found it
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_2b89adba
.
.
((((((((((((((((((((((((( Files Created from 2011-09-03 to 2011-10-03 )))))))))))))))))))))))))))))))
.
.
2011-10-03 17:34 . 2008-04-14 06:51 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2011-10-03 17:34 . 2008-04-14 06:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-10-03 16:56 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-09-29 20:35 . 2011-06-07 17:35 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2011-09-26 21:50 . 2011-09-26 21:50 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-09-26 20:50 . 2011-09-26 20:50 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-09-14 14:49 . 2011-09-14 14:49 -------- d-----w- c:\documents and settings\speccoll\Application Data\OpenOffice.org
2011-09-14 14:45 . 2011-09-14 14:46 -------- d-----w- c:\program files\OpenOffice.org 3
2011-09-14 14:45 . 2011-05-04 09:52 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2011-09-14 14:45 . 2011-05-04 09:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-22 16:07 . 2011-06-06 17:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2011-07-15 04:46 195360 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient_2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\speccoll\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\speccoll\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\speccoll\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\speccoll\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 137752]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-06-12 408344]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-09-07 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2011-05-02 494616]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-06-23 273544]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Malwarebytes' Anti-Malware"="c:\documents and settings\speccoll\Desktop\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [11/14/2008 8:31 AM 153728]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [11/14/2008 8:31 AM 24192]
R1 SKMScan;SKMScan;c:\windows\system32\drivers\skmscan.sys [5/2/2011 12:37 PM 31736]
R2 MBAMService;MBAMService;c:\documents and settings\speccoll\Desktop\Malwarebytes' Anti-Malware\mbamservice.exe [10/3/2011 11:56 AM 366152]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [5/2/2011 12:36 PM 167960]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [5/2/2011 12:36 PM 1543192]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [2/17/2009 4:50 PM 2521880]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/3/2011 11:56 AM 22216]
S2 BelkinAPM;BelkinAPM;c:\progra~1\BELKIN~1\BELKIN~1.EXE -zglaxservice BelkinAPM --> c:\progra~1\BELKIN~1\BELKIN~1.EXE -zglaxservice BelkinAPM [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/11/2010 2:07 PM 135664]
S2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [5/2/2011 12:38 PM 99864]
S3 BelkinAPMmanager;BelkinAPMmanager;c:\progra~1\BELKIN~1\BE8806~1.EXE -zglaxservice BelkinAPMmanager --> c:\progra~1\BELKIN~1\BE8806~1.EXE -zglaxservice BelkinAPMmanager [?]
S3 BelkinAPMmonitor;BelkinAPMmonitor;c:\progra~1\BELKIN~1\BELKIN~4.EXE -zglaxservice BelkinAPMmonitor --> c:\progra~1\BELKIN~1\BELKIN~4.EXE -zglaxservice BelkinAPMmonitor [?]
S3 BelkinAPMRMI;BelkinAPMRMI;c:\progra~1\BELKIN~1\BELKIN~3.EXE -zglaxservice BelkinAPMRMI --> c:\progra~1\BELKIN~1\BELKIN~3.EXE -zglaxservice BelkinAPMRMI [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/11/2010 2:07 PM 135664]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [4/5/2011 3:05 PM 24312]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [11/14/2008 8:12 AM 14336]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [4/5/2011 3:05 PM 14976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-23 c:\windows\Tasks\9 pm scan.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2011-05-02 17:36]
.
2011-09-23 c:\windows\Tasks\Auto Shutdown.job
- c:\windows\system32\shutdown.exe [2008-11-14 11:42]
.
2011-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-11 19:07]
.
2011-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-11 19:07]
.
2011-10-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1980189103-3647563401-2465023036-3817.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
2011-10-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1980189103-3647563401-2465023036-77483.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
2011-06-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1980189103-3647563401-2465023036-3817.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
2011-10-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1980189103-3647563401-2465023036-77483.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://library.ecok.edu/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
TCP: DhcpNameServer = 172.16.1.20 172.16.1.21
FF - ProfilePath - c:\documents and settings\speccoll\Application Data\Mozilla\Firefox\Profiles\jriohydc.default\
FF - prefs.js: browser.startup.homepage - hxxp://library.ecok.edu/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: Save Images: LDSI_plashcor@gmail.com - %profile%\extensions\LDSI_plashcor@gmail.com
FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
FF - user.js: extentions.y2layers.installId - 79a441a6-7aab-45fa-ac04-849d9e2b9548
FF - user.js: extentions.y2layers.installId - d801cc05-4fee-455e-9dbe-97dea0f2ff63
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
AddRemove-$XNTUninstall643$ - c:\windows\$XNTUninstall643$\apUninstall.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{889DF~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-03 14:34
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(144)
c:\windows\system32\WININET.dll
c:\documents and settings\speccoll\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Sophos\Remote Management System\RouterNT.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2011-10-03 14:38:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-03 19:38
.
Pre-Run: 111,863,721,984 bytes free
Post-Run: 113,939,263,488 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 84FD10839EA3B7BC194D7996571A1F3D
Ketsuban (Author) Posted October 3, 2011 ID:481885

After the ComboFix run I ran a Malwarebytes quick scan. Here is the log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7858

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/3/2011 2:51:33 PM
mbam-log-2011-10-03 (14-51-33).txt

Scan type: Quick scan
Objects scanned: 318950
Time elapsed: 3 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\mozilla firefox\0.4522532382021476.exe (Exploit.Dropper) -> Quarantined and deleted successfully.
Ketsuban (Author) Posted October 3, 2011 ID:481886

Umm, never posted here before. I'm seeing my topic title as my user name and I don't know why, so I'm sorry if that's throwing anyone off.
screen317 (Staff) Posted October 8, 2011 ID:483217

Hi and welcome to Malwarebytes. Please update MBAM, run a Quick Scan, and post its log. Next, download DDS by sUBs and save it to your Desktop. Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post only DDS.txt directly into your reply.
AdvancedSetup (Root Admin) Posted October 12, 2011 ID:484848

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!