TechSpot

Malware playing ads & trying to connect to the net

By ussyless
Aug 10, 2010
  1. OK, so I've run about 4 or 5 different anti-malware programs to try and find out what it is, including MBAM, Malwarebytes, Avast, SS&D.
    Anyway, I know there is still something running on my system, as Avast keeps detecting (but not detecting it as malware) network connection attempts to the IP address 178.17.162.242, and when I have my internet connection enabled, it detects my computer trying to connect to the adyieldmanager website.
    Sometimes it plays random ads in the background without me having IE or Firefox open (I have even uninstalled IE), though it was opening IE processes before I did.
    Below are my HijackThis, GMER, OTL and DDS logs.
    I'm currently running Puppy Linux to hopefully minimise any damage this thing might do.

    I should also mention I have been uninstalling and reinstalling a lot of drivers lately.

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 5:51:59 AM, on 8/9/2010

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

    Boot mode: Normal



    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\nvsvc32.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\system32\Wacom_Tablet.exe

    C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe

    C:\WINDOWS\system32\Wacom_Tablet.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

    C:\Program Files\gigabyte\RCApp\RCApp.exe

    C:\Program Files\Java\jre6\bin\jusched.exe

    C:\WINDOWS\system32\RUNDLL32.EXE

    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\GIGABYTE\Gamer HUD Lite\HUD.exe

    C:\WINDOWS\system32\wuauclt.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe



    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.runescape.com/

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

    O1 - Hosts: 65.54.239.80 messenger.hotmail.com

    O1 - Hosts: 65.54.239.80 dp.msnmessenger.akadns.net

    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    O4 - HKLM\..\Run: [RCApp] C:\Program Files\gigabyte\RCApp\RCApp.exe

    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

    O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet

    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08ae -f video -m logitech -d 11.0.0.1213 (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08ae -f video -m logitech -d 11.0.0.1213 (User 'Default user')

    O4 - Startup: GIGABYTE Gamer HUD Lite.lnk = C:\Program Files\GIGABYTE\Gamer HUD Lite\HUD.exe

    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1229773718875

    O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab

    O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab

    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab

    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe



    --

    End of file - 5672 bytes


    END OF LOG
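To show how a malware helper reads a log like the one above, here is an added example (written for this page, not code from the thread or from Trend Micro's HijackThis) that triages HijackThis entries by type: O1 hosts-file lines that send a hostname somewhere other than loopback, O2/O3/O9 registry entries whose file is missing, O4 autoruns launched from user-writable directories, and O23 services with no vendor string. The sample input copies several lines from the log posted above and adds two constructed lines (an O4 entry in a Temp folder and an O23 service with an unknown owner) so that every rule fires at least once; those two lines are illustrative and not from the poster's machine, and the rules are review heuristics, not a malware verdict.

```python
"""Triage a HijackThis log by entry type (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Sample input. The first seven entries are copied from the HijackThis log posted
# above; the O4 "update" line and the O23 "helper" line are CONSTRUCTED so that
# the user-writable-path and unknown-owner rules each have something to catch.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.runescape.com/
O1 - Hosts: 65.54.239.80 messenger.hotmail.com
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [update] C:\Documents and Settings\kieran\Local Settings\Temp\svch0st.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: helper (helper) - Unknown owner - C:\WINDOWS\system32\helper.exe
"""

# "O23 - Service: ..." -> code "O23", body "Service: ..."
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Directory fragments a normal user can write to; autoruns from here deserve a look.
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\local settings\\", "\\appdata\\")


@dataclass
class Finding:
    code: str
    reason: str
    line: str


def _check_hosts(body):
    # Body looks like "Hosts: <ip> <hostname>".
    parts = body.split()
    if len(parts) >= 3 and parts[0] == "Hosts:" and parts[1] not in LOOPBACK:
        return f"hosts file sends {parts[2]} to {parts[1]} (not loopback); confirm it is intended"
    return None


def _check_orphan(body):
    if "(no file)" in body:
        return "registry entry points at a missing file (orphan); remove it, but it is not itself the infection"
    return None


def _check_autorun(body):
    lowered = body.lower()
    for fragment in USER_WRITABLE:
        if fragment in lowered:
            return f"autorun launches from a user-writable location ({fragment.strip(chr(92))})"
    return None


def _check_service(body):
    if "Unknown owner" in body:
        return "service has no vendor string; verify the binary"
    return None


RULES = {
    "O1": _check_hosts,
    "O2": _check_orphan,
    "O3": _check_orphan,
    "O9": _check_orphan,
    "O4": _check_autorun,
    "O23": _check_service,
}


def triage(log_text):
    """Return the entries worth a second look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue  # header, process list, separators
        rule = RULES.get(match.group("code"))
        if rule is None:
            continue
        reason = rule(match.group("body"))
        if reason:
            findings.append(Finding(match.group("code"), reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.reason}\n    {f.line}")
```

Entries the rules do not flag (the avast autorun, the Spybot BHO, the avast service) are simply skipped; a real triage still reads them, but this ordering puts the unexplained lines first.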
     
  2. ussyless

    ussyless TS Rookie Topic Starter Posts: 33

    OK, now the GMER log.
    GMER 1.0.15.15281 - http://www.gmer.net

    Rootkit scan 2010-08-10 00:37:16

    Windows 5.1.2600 Service Pack 3

    Running: l0jmo11c.exe; Driver: C:\DOCUME~1\kieran\LOCALS~1\Temp\uglcafog.sys





    ---- System - GMER 1.0.15 ----



    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB4877CD2]

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB4877B8E]

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xB4878142]

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB487806C]

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB4877764]

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB4877C68]

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB48776A4]

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB4877708]

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB4877D88]

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB4878210]

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB4877D48]

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB4877EC8]



    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xB4884B9C]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xB48849C0]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xB4884AFA]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject



    ---- Kernel code sections - GMER 1.0.15 ----



    PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 7 Bytes JMP B4884AFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

    PAGE ntkrnlpa.exe!NtCreateSection 805AB38E 7 Bytes JMP B48849C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC502 5 Bytes JMP B48805B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

    PAGE ntkrnlpa.exe!ObInsertObject 805C2F86 5 Bytes JMP B4881F6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

    PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP B4884BA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6E423A0, 0x59FFE5, 0xE8000020]

    init C:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0xB4B11280]



    ---- User IAT/EAT - GMER 1.0.15 ----



    IAT C:\WINDOWS\system32\services.exe[668] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002

    IAT C:\WINDOWS\system32\services.exe[668] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000



    ---- Devices - GMER 1.0.15 ----



    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)



    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)



    Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)



    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)



    Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)



    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)



    ---- EOF - GMER 1.0.15 ----

    END OF LOG
    I've also attached "attach.txt", produced by GMER.
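Nearly every hook in the GMER log above names the module that installed it, and most of them name aswSP.SYS, avast's self-protection driver. The useful analyst step is to separate hooks explained by a known security product from hooks that are unattributed (the two IAT entries in services.exe carry only an address) or owned by some other module. The following is an added example written for this page, not code from the thread or from GMER; it parses the SSDT, inline-code, PAGE and IAT line formats shown in the log and buckets each hook by owner. The sample input copies lines from the posted log plus one constructed SSDT line for a hypothetical "unknown.sys", included only so that the "other module" bucket is exercised.

```python
"""Group GMER hook lines by owning module (added example, not from the thread)."""
import re
from collections import defaultdict

# Sample input. All lines except the "unknown.sys" SSDT entry are copied from the
# GMER log posted above; that one line is CONSTRUCTED to show a hook owned by a
# module that is not a known security product.
SAMPLE_GMER = r"""
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB4877CD2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB48776A4]
SSDT \??\C:\WINDOWS\system32\drivers\unknown.sys ZwQueryDirectoryFile [0xB5000000]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xB4884AFA]
PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 7 Bytes JMP B4884AFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
IAT C:\WINDOWS\system32\services.exe[668] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[668] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000
"""

# "SSDT <module> (<description/vendor>) <function> [addr]" and the same shape for "Code".
HOOK_RE = re.compile(
    r"^(?P<kind>SSDT|Code)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?\s+(?P<target>\w+)"
)
# "PAGE <image!function> <addr> <n> Bytes JMP <addr> <module> (<description/vendor>)"
INLINE_RE = re.compile(
    r"^(?P<kind>PAGE|\.text)\s+(?P<target>\S+)\s+[0-9A-Fa-f]+\s+\d+ Bytes\s+JMP\s+\S+"
    r"\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?"
)
# "IAT <process[pid]> @ <image> [dll!import] <addr>" with an optional trailing module.
IAT_RE = re.compile(
    r"^(?P<kind>IAT)\s+(?P<proc>\S+)\s+@\s+\S+\s+\[(?P<target>[^\]]+)\]\s+\S+"
    r"(?:\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?)?\s*$"
)
# Vendors whose hooks are expected on this machine; GMER puts the vendor after "/".
KNOWN_VENDORS = ("ALWIL Software", "AVAST Software", "Microsoft Corporation")


def parse_hooks(text):
    """Extract (kind, target, module, desc) for every hook line GMER reports."""
    hooks = []
    for line in text.splitlines():
        line = line.strip()
        for regex in (HOOK_RE, INLINE_RE, IAT_RE):
            match = regex.match(line)
            if match:
                d = match.groupdict()
                hooks.append({"kind": d["kind"], "target": d["target"],
                              "module": d.get("module"), "desc": d.get("desc")})
                break
    return hooks


def classify(text):
    """Bucket hooks: explained by a known product, unattributed, or some other module."""
    buckets = {"known_product": [], "unattributed": [], "other": []}
    for hook in parse_hooks(text):
        vendor = (hook["desc"] or "").rsplit("/", 1)[-1]
        if hook["module"] is None:
            buckets["unattributed"].append(hook)
        elif vendor in KNOWN_VENDORS:
            buckets["known_product"].append(hook)
        else:
            buckets["other"].append(hook)
    return buckets


def owners(text):
    """Hook count per owning module; the None key collects unattributed hooks."""
    counts = defaultdict(int)
    for hook in parse_hooks(text):
        counts[hook["module"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for bucket, hooks in classify(SAMPLE_GMER).items():
        print(bucket)
        for h in hooks:
            print(f"  {h['kind']:5} {h['target']:40} {h['module'] or '<none>'}")
```

The vendor whitelist is the judgement call: it says only that a hook has a plausible owner, not that the owner is clean, so the "known_product" bucket is what you skim and the other two are what you investigate.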
     
  3. ussyless

    ussyless TS Rookie Topic Starter Posts: 33

    The OTL log was too long to put here, so I've attached it; the DDS log is below.

    DDS (Ver_10-03-17.01) - NTFSx86

    Run by kieran at 0:40:13.56 on Tue 08/10/2010

    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15

    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2495 [GMT 10:00]



    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}



    ============== Running Processes ===============



    C:\WINDOWS\system32\nvsvc32.exe

    C:\WINDOWS\system32\svchost -k DcomLaunch

    svchost.exe

    C:\WINDOWS\System32\svchost.exe -k netsvcs

    svchost.exe

    svchost.exe

    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

    svchost.exe 4

    C:\WINDOWS\system32\spoolsv.exe

    svchost.exe

    C:\WINDOWS\system32\Wacom_Tablet.exe

    C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe

    C:\WINDOWS\system32\Wacom_Tablet.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

    C:\Program Files\gigabyte\RCApp\RCApp.exe

    C:\Program Files\Java\jre6\bin\jusched.exe

    C:\WINDOWS\system32\RUNDLL32.EXE

    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\GIGABYTE\Gamer HUD Lite\HUD.exe

    C:\WINDOWS\system32\wscntfy.exe

    C:\WINDOWS\System32\svchost.exe -k imgsvc

    C:\WINDOWS\system32\wuauclt.exe

    C:\Program Files\Notepad++\notepad++.exe

    E:\dds.scr



    ============== Pseudo HJT Report ===============



    uStart Page = hxxp://www.runescape.com/

    uInternet Settings,ProxyOverride = *.local

    mURLSearchHooks: H - No File

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

    TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

    uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

    mRun: [RCApp] c:\program files\gigabyte\rcapp\RCApp.exe

    mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe

    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

    mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

    dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08ae -f video -m logitech -d 11.0.0.1213

    StartupFolder: c:\docume~1\kieran\startm~1\programs\startup\gigaby~1.lnk - c:\program files\gigabyte\gamer hud lite\HUD.exe

    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229773718875

    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

    DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab

    DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab

    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab

    DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    LSA: Notification Packages = scecli scecli scecli

    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

    Hosts: 127.0.0.1 www.spywareinfo.com

    Hosts: 65.54.239.80 messenger.hotmail.com

    Hosts: 65.54.239.80 dp.msnmessenger.akadns.net



    ================= FIREFOX ===================



    FF - ProfilePath - c:\docume~1\kieran\applic~1\mozilla\firefox\profiles\n7e7md9l.default\

    FF - prefs.js: browser.startup.homepage - hxxp://www.runescape.com/

    FF - prefs.js: keyword.URL - hxxp://au.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_au&p=

    FF - plugin: c:\documents and settings\kieran\application data\facebook\npfbplugin_1_0_3.dll

    FF - plugin: c:\documents and settings\kieran\application data\mozilla\firefox\profiles\n7e7md9l.default\extensions\yyginstantplay@yoyogames.com\plugins\NPYYGInstantPlay.dll

    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll

    FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

    FF - plugin: c:\program files\tabletplugins\npwacom.dll

    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

    FF - plugin: e:\program files\adobe\reader 9.0\reader\browser\nppdf32.dll

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}



    ---- FIREFOX POLICIES ----

    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

    c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

    c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

    c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

    c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

    c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

    c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

    c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

    c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);



    ============= SERVICES / DRIVERS ===============



    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-8 165456]

    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-8 17744]

    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-8 40384]

    R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-8-8 4949288]

    R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-12-20 238080]

    R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-3-5 16168]

    S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-8 40384]

    S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-8 40384]



    ============== File Associations ===============



    .txt=GetDiz.Document



    =============== Created Last 30 ================



    2010-08-08 16:10:54 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
     

    Attached Files: OTL.Txt (141.9 KB)
  4. ussyless

    ussyless TS Rookie Topic Starter Posts: 33

    Rest of the DDS log


    2010-08-08 16:10:53 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

    2010-08-08 16:10:53 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll

    2010-08-08 16:10:53 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

    2010-08-08 16:10:53 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

    2010-08-08 16:10:53 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

    2010-08-08 16:10:53 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll

    2010-08-08 16:10:50 0 d-----w- c:\windows\ie8updates

    2010-08-08 16:10:10 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll

    2010-08-08 16:08:46 81920 ----a-w- c:\windows\system32\ieencode.dll

    2010-08-08 16:08:46 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll

    2010-08-08 12:24:09 512000 -c--a-w- c:\windows\system32\dllcache\jscript.dll

    2010-08-08 10:50:26 87040 -c----w- c:\windows\system32\dllcache\drmstor.dll

    2010-08-08 10:48:55 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys

    2010-08-08 10:48:10 19569 ----a-w- c:\windows\004951_.tmp

    2010-08-08 08:15:45 0 d-----w- c:\program files\Trend Micro

    2010-08-07 21:53:18 38848 ----a-w- c:\windows\avastSS.scr

    2010-08-07 21:53:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

    2010-08-07 21:50:15 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

    2010-08-07 21:50:13 0 d-----w- c:\windows\SxsCaPendDel

    2010-08-07 20:56:53 0 d-----w- c:\program files\Realtek

    2010-08-07 20:56:45 540672 ----a-w- c:\windows\RtlExUpd.dll

    2010-08-07 20:56:42 1769 ----a-w- c:\windows\Language_trs.ini

    2010-08-07 20:04:33 7731496 ----a-w- c:\windows\system32\WacomTablet.cpl

    2010-08-07 20:04:33 1744515 ----a-w- c:\windows\system32\WacomTablet.znc

    2010-08-07 20:04:31 4949288 ----a-w- c:\windows\system32\Wacom_Tablet.exe

    2010-08-07 20:04:31 409896 ----a-w- c:\windows\system32\Wacom_Tablet.dll

    2010-08-07 18:44:43 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin

    2010-08-07 18:44:39 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin

    2010-08-07 18:44:39 1 ----a-w- c:\windows\system32\nvdrssel.bin

    2010-08-07 18:44:39 0 ----a-w- c:\windows\system32\nvdrswr.lk

    2010-08-07 17:20:55 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat

    2010-08-07 17:20:45 128512 -c--a-w- c:\windows\system32\dllcache\dhtmled.ocx

    2010-08-07 17:13:03 353792 -c----w- c:\windows\system32\dllcache\srv.sys

    2010-08-07 17:11:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

    2010-08-07 17:11:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

    2010-08-07 17:10:54 284160 -c----w- c:\windows\system32\dllcache\pdh.dll

    2010-08-07 17:10:53 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll

    2010-08-07 17:10:53 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll

    2010-08-07 17:10:53 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll

    2010-08-07 17:10:53 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll

    2010-08-07 17:10:53 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

    2010-08-07 17:10:53 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll

    2010-08-07 17:10:53 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

    2010-08-07 17:10:53 110592 -c----w- c:\windows\system32\dllcache\services.exe

    2010-08-07 16:46:21 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

    2010-08-07 16:43:47 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

    2010-08-07 16:43:22 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

    2010-08-07 16:23:06 153088 -c--a-w- c:\windows\system32\dllcache\triedit.dll

    2010-08-07 16:22:51 3558912 -c--a-w- c:\windows\system32\dllcache\moviemk.exe

    2010-08-07 16:19:43 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys

    2010-08-07 16:19:03 331776 -c--a-w- c:\windows\system32\dllcache\msadce.dll

    2010-08-07 16:05:34 2066432 -c--a-w- c:\windows\system32\dllcache\mstscax.dll

    2010-08-07 16:04:03 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll

    2010-08-07 16:03:51 1172480 -c--a-w- c:\windows\system32\dllcache\msxml3.dll

    2010-08-07 16:02:00 2560 ------w- c:\windows\system32\xpsp4res.dll

    2010-08-07 16:01:59 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

    2010-08-07 16:01:59 1206508 -c--a-w- c:\windows\system32\dllcache\sysmain.sdb

    2010-08-07 15:48:18 0 d-----w- c:\program files\CCleaner

    2010-08-07 13:35:13 0 d-----w- c:\windows\ServicePackFiles

    2010-08-07 13:34:24 2897920 ----a-w- c:\windows\system32\xpsp2res.dll

    2010-08-07 13:34:04 19528 ----a-w- c:\windows\002071_.tmp

    2010-08-07 11:17:43 0 d-----w- c:\program files\Broadcom

    2010-08-06 21:32:48 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation

    2010-08-06 21:31:21 7959 ----a-w- c:\windows\system32\nvinfo.pb

    2010-07-15 07:51:42 0 d-----w- c:\program files\Sony



    ==================== Find3M ====================



    2010-07-25 21:09:31 46 ----a-w- c:\documents and settings\kieran\jagex_runescape_preferences.dat

    2010-07-25 21:09:08 99 ----a-w- c:\documents and settings\kieran\jagex_runescape_preferences2.dat

    2010-07-09 22:38:00 6343040 ----a-w- c:\windows\system32\nv4_disp.dll

    2010-07-09 22:38:00 61440 ----a-w- c:\windows\system32\OpenCL.dll

    2010-07-09 22:38:00 4595712 ----a-w- c:\windows\system32\nvcuda.dll

    2010-07-09 22:38:00 2914408 ----a-w- c:\windows\system32\nvcuvid.dll

    2010-07-09 22:38:00 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll

    2010-07-09 22:38:00 236136 ----a-w- c:\windows\system32\nvcodins.dll

    2010-07-09 22:38:00 236136 ----a-w- c:\windows\system32\nvcod.dll

    2010-07-09 22:38:00 2195030 ----a-w- c:\windows\system32\nvdata.bin

    2010-07-09 22:38:00 1388544 ----a-w- c:\windows\system32\nvapi.dll

    2010-07-09 22:38:00 13549568 ----a-w- c:\windows\system32\nvoglnt.dll

    2010-07-09 22:38:00 10604128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys

    2010-07-09 22:38:00 10260480 ----a-w- c:\windows\system32\nvcompiler.dll

    2010-07-09 06:24:26 81920 ----a-w- c:\windows\system32\nvwddi.dll

    2010-07-09 06:24:18 277608 ----a-w- c:\windows\system32\nvmccs.dll

    2010-07-09 06:24:18 110696 ----a-w- c:\windows\system32\nvmctray.dll

    2010-07-09 06:24:16 155752 ----a-w- c:\windows\system32\nvsvc32.exe

    2010-07-09 06:24:16 145000 ----a-w- c:\windows\system32\nvcolor.exe

    2010-07-09 06:24:16 13923432 ----a-w- c:\windows\system32\nvcpl.dll

    2010-05-27 13:21:56 3699 ----a-w- c:\windows\system32\Wacom_Tablet.dat

    2010-05-20 08:13:54 2880 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys

    2009-09-18 04:58:14 4706488 ----a-w- c:\program files\Game_Maker6.zip

    2010-03-22 05:33:15 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat



    ============= FINISH: 0:41:02.35 ============
     
  5. crunchie

    crunchie Malware Helper Posts: 728

    Hi and welcome to TechSpot forums :).

    Would you mind removing the code tags from your post, please? It is an absolute pain to try to read the logs like that.
     
  6. ussyless

    ussyless TS Rookie Topic Starter Posts: 33

    Sorry about that, I've removed all the tags.
     
  7. crunchie

    crunchie Malware Helper Posts: 728

    Better :).

    Please post your latest MBA_M log.

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  8. ussyless

    ussyless TS Rookie Topic Starter Posts: 33

    I thought I did O_O
    I've attached the MBAM log to this post along with the Extras and Attach logs from the respective scanners.
    I'm going to go run the Bootkit Remover scan and then I'll be back (I have to restart the computer into Windows to run it, then back into Puppy Linux to upload it).
     

    Attached Files:

  9. ussyless

    ussyless TS Rookie Topic Starter Posts: 33

    Below is the text from Bootkit Remover.


    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 9a0d214327ebf3a180134c29c99496eb

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 Unknown boot code

    Unknown boot code has been found on some of your physical disks.
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>


    Done;
    Press any key to quit...
     
  10. crunchie

    crunchie Malware Helper Posts: 728

    MBA_M is way out of date. You should update and run it again.

    ===

    Open Notepad
    Copy and paste following text into Notepad:
    Code:
    @ECHO OFF
    START remover.exe fix \\.\PhysicalDrive0
    EXIT
    Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
    Then in the FILE NAME box type fix.bat.
    Save fix.bat to your Desktop.

    Run fix.bat by double clicking.
    You may see a black box appear; this is normal.

    When done, run remover.exe again and post its output.

    =========

    How are things now?
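    The remover output in the previous two posts reports a boot sector MD5, a partition offset (0x7E00, i.e. LBA 63 × 512 bytes) and a verdict of "Unknown boot code" versus "OK (DOS/Win32 Boot code found)", and the fix.bat step rewrites the boot code. The following is an added example, not code from this thread or from eSage Lab's Bootkit Remover, showing the same kind of check on a constructed 512-byte MBR: verify the 0x55AA signature, hash the sector, parse the partition table, classify the 440-byte boot code, and repair it by overwriting only the boot code while the NT disk signature and partition table are preserved. The "standard stub starts with xor ax,ax / mov ss,ax / mov sp,7C00h" prefix test and the allow-list are this example's own heuristics; the sample MBRs, disk signature and the far-jump "odd" stub are constructed for illustration and are not dumps of any real disk or malware.

```python
"""
Added example, not code from the TechSpot thread or from eSage Lab's Bootkit
Remover: a minimal MBR inspector and repair routine over a constructed sector.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # boot code occupies bytes 0x000-0x1B7
DISK_SIG_OFF = 0x1B8         # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE       # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE         # 0x55 0xAA boot signature

# Heuristic used by this example (an assumption, not the remover's rule): the
# standard DOS/Windows MBR stub begins with xor ax,ax / mov ss,ax / mov sp,7C00h.
DOS_WIN_PREFIX = bytes.fromhex("33C08ED0BC007C")


def parse_mbr(sector):
    """Describe one MBR sector; raises ValueError on a short or long read."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from("<B3sB3sII", sector, off)
        if ptype != 0:                      # type 0 means an empty slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count,
                          "byte_offset": lba * SECTOR_SIZE})
    return {
        "md5": hashlib.md5(sector).hexdigest(),
        "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "signature_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
        "partitions": parts,
    }


def classify(sector, known_good=frozenset()):
    """Verdict in the spirit of the remover's 'MBR Status' column."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "Invalid boot signature"
    if info["boot_code_md5"] in known_good:   # allow-list of trusted boot-code hashes
        return "OK (boot code hash in allow-list)"
    if sector.startswith(DOS_WIN_PREFIX):
        return "OK (DOS/Win32 boot code prefix)"
    return "Unknown boot code"


def fix_boot_code(sector, clean_stub):
    """Overwrite only the 440 boot-code bytes; disk signature and table survive."""
    if len(clean_stub) > BOOT_CODE_LEN:
        raise ValueError("stub too long for the boot code area")
    return clean_stub.ljust(BOOT_CODE_LEN, b"\x00") + sector[BOOT_CODE_LEN:]


def build_mbr(boot_code, disk_sig, entries):
    """Assemble a constructed MBR from a boot stub and (bootable, type, lba, count) tuples."""
    body = bytearray(SECTOR_SIZE)
    body[:len(boot_code)] = boot_code
    struct.pack_into("<I", body, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", body, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\x01\x01\x00", ptype,
                         b"\xFE\xFF\xFF", lba, count)
    body[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(body)


# Constructed sample data (not real dumps): one NTFS partition starting at
# LBA 63, which is the 0x7E00 byte offset the remover reported for C:.
PARTS = [(True, 0x07, 63, 976768002)]
CLEAN_MBR = build_mbr(DOS_WIN_PREFIX + b"\xFB\x50\x07", 0xDEADBEEF, PARTS)
# Stand-in for a tampered sector: an arbitrary far jump in place of the stub.
# This is a placeholder for illustration, not a sample of any real bootkit.
ODD_MBR = build_mbr(b"\xEA\x00\x7C\x00\x00", 0xDEADBEEF, PARTS)


def demo():
    """Classify the odd sector, repair it, and return both verdicts plus the result."""
    before = classify(ODD_MBR)
    repaired = fix_boot_code(ODD_MBR, CLEAN_MBR[:BOOT_CODE_LEN])
    return before, classify(repaired), parse_mbr(repaired)


if __name__ == "__main__":
    before, after, info = demo()
    print("before:", before)
    print("after: ", after)
    print("C: starts at byte offset 0x%x" % info["partitions"][0]["byte_offset"])
```

    To use this on a live system, read the first 512 bytes of \\.\PhysicalDrive0 (administrator rights are needed) into `sector` and compare the sector hash before and after any repair; the partition entries and disk signature should be identical across the two, exactly as the second remover run above shows a new boot sector MD5 with the same 0x7E00 volume offset.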
     
  11. ussyless

    ussyless TS Rookie Topic Starter Posts: 33

    MBAM isn't out of date actually; I just manually downloaded the definitions, so I don't think the update registered (I downloaded the defs on Linux and installed them from Windows).
    I'll follow the directions within the next half hour and post results.
     
  12. ussyless

    ussyless TS Rookie Topic Starter Posts: 33

    OK, I've run the test, the batch file; the results are as follows:

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
     
  13. crunchie

    crunchie Malware Helper Posts: 728

    How is it now?

    As far as MBA-M is concerned, I can only go on what I can see.
     
  14. ussyless

    ussyless TS Rookie Topic Starter Posts: 33

    Hold on, I'll boot into Windows and see if it tries to connect to the IP again.
     
  15. ussyless

    ussyless TS Rookie Topic Starter Posts: 33

    Crunchie, thank you very much. It appears that my PC is no longer trying to connect to the site (according to Avast) and it's no longer playing ads. If you could leave this thread open for another day just to make sure, I'd appreciate it.

    I'll be sure to make sure MBAM is updated right away.
    Also, hahaha, the "how are things now" thing, I thought it was your signature <,<
     
  16. crunchie

    crunchie Malware Helper Posts: 728

    No worries. You may also want to do an online scan.

    Please run the ESET Online Scanner and post the ScanLog with your post for assistance.
    • You will need to use Internet Explorer to complete this scan.
    • You will need to temporarily Disable your current Anti-virus program.
    • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
    • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
     
  17. ussyless

    ussyless TS Rookie Topic Starter Posts: 33

    Will Firefox work? I've uninstalled Internet Explorer.
    Anyway, I gotta go to bed now. I'll give it a try tomorrow and post my results.
     
  18. crunchie

    crunchie Malware Helper Posts: 728

    It may work. Not sure as I do not use it.
     
Topic Status:
Not open for further replies.
