Ketsuban


I am being redirected on google searches and have IE ads popping up even when I am not running it. When I try to run a quick scan or scan with malwarebytes, it closes immediately. Thanks.

I am having the same problem. Tried running in safe mode for the heck of it and got the same thing. Also my PC eventually seizes on me and I have to do a cold restart.

Here are the logs from a ComboFix.exe run.

ComboFix 11-10-03.01 - speccoll 10/03/2011 14:18:49.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2905 [GMT -5:00]

Running from: c:\documents and settings\speccoll\Desktop\ComboFix.exe

AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\Tarma Installer

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setupx.dll

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe

c:\documents and settings\All Users\Application Data\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico

c:\documents and settings\speccoll\Start Menu\Internet Explorer.lnk

c:\windows\$NtUninstallKB31180$

c:\windows\$NtUninstallKB31180$\3476779920

c:\windows\$NtUninstallKB31180$\730443194\@

c:\windows\$NtUninstallKB31180$\730443194\bckfg.tmp

c:\windows\$NtUninstallKB31180$\730443194\cfg.ini

c:\windows\$NtUninstallKB31180$\730443194\Desktop.ini

c:\windows\$NtUninstallKB31180$\730443194\keywords

c:\windows\$NtUninstallKB31180$\730443194\kwrd.dll

c:\windows\$NtUninstallKB31180$\730443194\L\amekgyyk

c:\windows\$NtUninstallKB31180$\730443194\lsflt7.ver

c:\windows\$NtUninstallKB31180$\730443194\U\00000001.@

c:\windows\$NtUninstallKB31180$\730443194\U\00000002.@

c:\windows\$NtUninstallKB31180$\730443194\U\80000000.@

c:\windows\$NtUninstallKB31180$\730443194\U\80000032.@

c:\windows\$xntuninstall643$

c:\windows\$xntuninstall643$\apUninstall.exe

c:\windows\system32\comct332.ocx

c:\windows\system32\d3d9caps.dat

.

Infected copy of c:\windows\system32\drivers\netbt.sys was found and disinfected

Restored copy from - The cat found it :)

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Service_2b89adba

.

.

((((((((((((((((((((((((( Files Created from 2011-09-03 to 2011-10-03 )))))))))))))))))))))))))))))))

.

.

2011-10-03 17:34 . 2008-04-14 06:51 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys

2011-10-03 17:34 . 2008-04-14 06:51 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-10-03 16:56 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-09-29 20:35 . 2011-06-07 17:35 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll

2011-09-26 21:50 . 2011-09-26 21:50 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2011-09-26 20:50 . 2011-09-26 20:50 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2011-09-14 14:49 . 2011-09-14 14:49 -------- d-----w- c:\documents and settings\speccoll\Application Data\OpenOffice.org

2011-09-14 14:45 . 2011-09-14 14:46 -------- d-----w- c:\program files\OpenOffice.org 3

2011-09-14 14:45 . 2011-05-04 09:52 476904 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

2011-09-14 14:45 . 2011-05-04 09:52 472808 ----a-w- c:\windows\system32\deployJava1.dll

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-09-22 16:07 . 2011-06-06 17:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]

2011-07-15 04:46 195360 ----a-w- c:\program files\Yontoo Layers Runtime\YontooIEClient_2.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\speccoll\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\speccoll\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\speccoll\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]

@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\documents and settings\speccoll\Application Data\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-06 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-06 162328]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-06 137752]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-26 282624]

"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-08-01 1036288]

"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-06-12 408344]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-09-07 40376]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]

"Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2011-05-02 494616]

"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-06-23 273544]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]

"Malwarebytes' Anti-Malware"="c:\documents and settings\speccoll\Desktop\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]

@="service"

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

.

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [11/14/2008 8:31 AM 153728]

R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [11/14/2008 8:31 AM 24192]

R1 SKMScan;SKMScan;c:\windows\system32\drivers\skmscan.sys [5/2/2011 12:37 PM 31736]

R2 MBAMService;MBAMService;c:\documents and settings\speccoll\Desktop\Malwarebytes' Anti-Malware\mbamservice.exe [10/3/2011 11:56 AM 366152]

R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [5/2/2011 12:36 PM 167960]

R2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [5/2/2011 12:36 PM 1543192]

R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [2/17/2009 4:50 PM 2521880]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/3/2011 11:56 AM 22216]

S2 BelkinAPM;BelkinAPM;c:\progra~1\BELKIN~1\BELKIN~1.EXE -zglaxservice BelkinAPM --> c:\progra~1\BELKIN~1\BELKIN~1.EXE -zglaxservice BelkinAPM [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/11/2010 2:07 PM 135664]

S2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [5/2/2011 12:38 PM 99864]

S3 BelkinAPMmanager;BelkinAPMmanager;c:\progra~1\BELKIN~1\BE8806~1.EXE -zglaxservice BelkinAPMmanager --> c:\progra~1\BELKIN~1\BE8806~1.EXE -zglaxservice BelkinAPMmanager [?]

S3 BelkinAPMmonitor;BelkinAPMmonitor;c:\progra~1\BELKIN~1\BELKIN~4.EXE -zglaxservice BelkinAPMmonitor --> c:\progra~1\BELKIN~1\BELKIN~4.EXE -zglaxservice BelkinAPMmonitor [?]

S3 BelkinAPMRMI;BelkinAPMRMI;c:\progra~1\BELKIN~1\BELKIN~3.EXE -zglaxservice BelkinAPMRMI --> c:\progra~1\BELKIN~1\BELKIN~3.EXE -zglaxservice BelkinAPMRMI [?]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/11/2010 2:07 PM 135664]

S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [4/5/2011 3:05 PM 24312]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [11/14/2008 8:12 AM 14336]

S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [4/5/2011 3:05 PM 14976]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

.

2011-09-23 c:\windows\Tasks\9 pm scan.job

- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2011-05-02 17:36]

.

2011-09-23 c:\windows\Tasks\Auto Shutdown.job

- c:\windows\system32\shutdown.exe [2008-11-14 11:42]

.

2011-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-11 19:07]

.

2011-10-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-11 19:07]

.

2011-10-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1980189103-3647563401-2465023036-3817.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]

.

2011-10-03 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1980189103-3647563401-2465023036-77483.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]

.

2011-06-06 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1980189103-3647563401-2465023036-3817.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]

.

2011-10-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1980189103-3647563401-2465023036-77483.job

- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-03-29 15:47]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://library.ecok.edu/

IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html

TCP: DhcpNameServer = 172.16.1.20 172.16.1.21

FF - ProfilePath - c:\documents and settings\speccoll\Application Data\Mozilla\Firefox\Profiles\jriohydc.default\

FF - prefs.js: browser.startup.homepage - hxxp://library.ecok.edu/

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension

FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext

FF - Ext: Save Images: LDSI_plashcor@gmail.com - %profile%\extensions\LDSI_plashcor@gmail.com

FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com

FF - user.js: extentions.y2layers.installId - 79a441a6-7aab-45fa-ac04-849d9e2b9548

FF - user.js: extentions.y2layers.installId - d801cc05-4fee-455e-9dbe-97dea0f2ff63

.

- - - - ORPHANS REMOVED - - - -

.

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

AddRemove-$XNTUninstall643$ - c:\windows\$XNTUninstall643$\apUninstall.exe

AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\docume~1\ALLUSE~1\APPLIC~1\TARMAI~1\{889DF~1\Setup.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2011-10-03 14:34

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Sophos Message Router]

"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'explorer.exe'(144)

c:\windows\system32\WININET.dll

c:\documents and settings\speccoll\Application Data\Dropbox\bin\DropboxExt.14.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Roxio\Drag-to-Disc\Shellex.dll

c:\windows\system32\DLAAPI_W.DLL

c:\windows\system32\CDRTC.DLL

c:\program files\Roxio\Drag-to-Disc\ShellRes.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Intel\AMT\atchksrv.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Intel\AMT\LMS.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe

c:\program files\Sophos\Remote Management System\ManagementAgentNT.exe

c:\program files\Sophos\AutoUpdate\ALsvc.exe

c:\program files\Sophos\Remote Management System\RouterNT.exe

c:\program files\ATI Technologies\ATI.ACE\CLI.EXE

c:\program files\ATI Technologies\ATI.ACE\cli.exe

.

**************************************************************************

.

Completion time: 2011-10-03 14:38:38 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-03 19:38

.

Pre-Run: 111,863,721,984 bytes free

Post-Run: 113,939,263,488 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

.

- - End Of File - - 84FD10839EA3B7BC194D7996571A1F3D

After the ComboFix run I ran a Malwarebytes quick scan. Here is the log:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 7858

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/3/2011 2:51:33 PM

mbam-log-2011-10-03 (14-51-33).txt

Scan type: Quick scan

Objects scanned: 318950

Time elapsed: 3 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\program files\mozilla firefox\0.4522532382021476.exe (Exploit.Dropper) -> Quarantined and deleted successfully.

Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
