[Solved] Malware playing ads & trying to connect to the net


ussyless

OK, so I've run about 4 or 5 different antimalware programs to try and find out what it is, including mbam, malwarebytes, avast, ss&d.
Anyway, I know there is still something running on my system, as avast keeps detecting (but not detecting it as malware) network connection attempts to the IP address 178.17.162.242, and when I have my internet connection enabled, it detects my computer trying to connect to the adyieldmanager website.
Sometimes it plays random ads in the background, without me having IE or Firefox open (I have even uninstalled IE), though it was opening IE processes before I did.
Below are my HijackThis, GMER, OTL and DDS logs.
I'm currently running Puppy Linux to hopefully minimise any damage this thing might do.

I should also mention I have been uninstalling and reinstalling a lot of drivers lately.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:51:59 AM, on 8/9/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal



Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Program Files\gigabyte\RCApp\RCApp.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\GIGABYTE\Gamer HUD Lite\HUD.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.runescape.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O1 - Hosts: 65.54.239.80 messenger.hotmail.com

O1 - Hosts: 65.54.239.80 dp.msnmessenger.akadns.net

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [RCApp] C:\Program Files\gigabyte\RCApp\RCApp.exe

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08ae -f video -m logitech -d 11.0.0.1213 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08ae -f video -m logitech -d 11.0.0.1213 (User 'Default user')

O4 - Startup: GIGABYTE Gamer HUD Lite.lnk = C:\Program Files\GIGABYTE\Gamer HUD Lite\HUD.exe

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1229773718875

O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab

O16 - DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} (BatchDownloader Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe



--

End of file - 5672 bytes


END OF LOG
 
OK, now the GMER log:
GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-08-10 00:37:16

Windows 5.1.2600 Service Pack 3

Running: l0jmo11c.exe; Driver: C:\DOCUME~1\kieran\LOCALS~1\Temp\uglcafog.sys





---- System - GMER 1.0.15 ----



SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB4877CD2]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB4877B8E]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xB4878142]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB487806C]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB4877764]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB4877C68]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB48776A4]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB4877708]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB4877D88]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xB4878210]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB4877D48]

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB4877EC8]



Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xB4884B9C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xB48849C0]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xB4884AFA]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject



---- Kernel code sections - GMER 1.0.15 ----



PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 7 Bytes JMP B4884AFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!NtCreateSection 805AB38E 7 Bytes JMP B48849C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC502 5 Bytes JMP B48805B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!ObInsertObject 805C2F86 5 Bytes JMP B4881F6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1134 7 Bytes JMP B4884BA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6E423A0, 0x59FFE5, 0xE8000020]

init C:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0xB4B11280]



---- User IAT/EAT - GMER 1.0.15 ----



IAT C:\WINDOWS\system32\services.exe[668] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002

IAT C:\WINDOWS\system32\services.exe[668] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000



---- Devices - GMER 1.0.15 ----



Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)



AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)



Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)



AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)



Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)



AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)



---- EOF - GMER 1.0.15 ----

END OF LOG
I've also attached "attach.txt" produced by GMER.
 
The OTL log was too long to put here, so I've attached it; the DDS log is below.

DDS (Ver_10-03-17.01) - NTFSx86

Run by kieran at 0:40:13.56 on Tue 08/10/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_15

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3071.2495 [GMT 10:00]



AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}



============== Running Processes ===============



C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

svchost.exe 4

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe

C:\WINDOWS\system32\Wacom_Tablet.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\TortoiseSVN\bin\TSVNCache.exe

C:\Program Files\gigabyte\RCApp\RCApp.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\GIGABYTE\Gamer HUD Lite\HUD.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Notepad++\notepad++.exe

E:\dds.scr



============== Pseudo HJT Report ===============



uStart Page = hxxp://www.runescape.com/

uInternet Settings,ProxyOverride = *.local

mURLSearchHooks: H - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [RCApp] c:\program files\gigabyte\rcapp\RCApp.exe

mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe

mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08ae -f video -m logitech -d 11.0.0.1213

StartupFolder: c:\docume~1\kieran\startm~1\programs\startup\gigaby~1.lnk - c:\program files\gigabyte\gamer hud lite\HUD.exe

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229773718875

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab

DPF: {A1F2F2CE-06AF-483C-9F12-D3BAA72477D6} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/DigWXMSN.cab

DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab

DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli scecli scecli

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

Hosts: 127.0.0.1 www.spywareinfo.com

Hosts: 65.54.239.80 messenger.hotmail.com

Hosts: 65.54.239.80 dp.msnmessenger.akadns.net



================= FIREFOX ===================



FF - ProfilePath - c:\docume~1\kieran\applic~1\mozilla\firefox\profiles\n7e7md9l.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.runescape.com/

FF - prefs.js: keyword.URL - hxxp://au.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_au&p=

FF - plugin: c:\documents and settings\kieran\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\kieran\application data\mozilla\firefox\profiles\n7e7md9l.default\extensions\yyginstantplay@yoyogames.com\plugins\NPYYGInstantPlay.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll

FF - plugin: c:\program files\tabletplugins\npwacom.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

FF - plugin: e:\program files\adobe\reader 9.0\reader\browser\nppdf32.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}



---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);



============= SERVICES / DRIVERS ===============



R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-8 165456]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-8 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-8 40384]

R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-8-8 4949288]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-12-20 238080]

R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2010-3-5 16168]

S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-8 40384]

S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-8 40384]



============== File Associations ===============



.txt=GetDiz.Document



=============== Created Last 30 ================



2010-08-08 16:10:54 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
 

Attachments

  • OTL.Txt (141.9 KB)

Rest of the DDS log:


2010-08-08 16:10:53 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-08-08 16:10:53 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2010-08-08 16:10:53 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2010-08-08 16:10:53 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2010-08-08 16:10:53 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2010-08-08 16:10:53 11076096 -c----w- c:\windows\system32\dllcache\ieframe.dll

2010-08-08 16:10:50 0 d-----w- c:\windows\ie8updates

2010-08-08 16:10:10 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll

2010-08-08 16:08:46 81920 ----a-w- c:\windows\system32\ieencode.dll

2010-08-08 16:08:46 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll

2010-08-08 12:24:09 512000 -c--a-w- c:\windows\system32\dllcache\jscript.dll

2010-08-08 10:50:26 87040 -c----w- c:\windows\system32\dllcache\drmstor.dll

2010-08-08 10:48:55 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys

2010-08-08 10:48:10 19569 ----a-w- c:\windows\004951_.tmp

2010-08-08 08:15:45 0 d-----w- c:\program files\Trend Micro

2010-08-07 21:53:18 38848 ----a-w- c:\windows\avastSS.scr

2010-08-07 21:53:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-08-07 21:50:15 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9

2010-08-07 21:50:13 0 d-----w- c:\windows\SxsCaPendDel

2010-08-07 20:56:53 0 d-----w- c:\program files\Realtek

2010-08-07 20:56:45 540672 ----a-w- c:\windows\RtlExUpd.dll

2010-08-07 20:56:42 1769 ----a-w- c:\windows\Language_trs.ini

2010-08-07 20:04:33 7731496 ----a-w- c:\windows\system32\WacomTablet.cpl

2010-08-07 20:04:33 1744515 ----a-w- c:\windows\system32\WacomTablet.znc

2010-08-07 20:04:31 4949288 ----a-w- c:\windows\system32\Wacom_Tablet.exe

2010-08-07 20:04:31 409896 ----a-w- c:\windows\system32\Wacom_Tablet.dll

2010-08-07 18:44:43 232968 ----a-w- c:\windows\system32\nvdrsdb0.bin

2010-08-07 18:44:39 232968 ----a-w- c:\windows\system32\nvdrsdb1.bin

2010-08-07 18:44:39 1 ----a-w- c:\windows\system32\nvdrssel.bin

2010-08-07 18:44:39 0 ----a-w- c:\windows\system32\nvdrswr.lk

2010-08-07 17:20:55 1089593 -c----w- c:\windows\system32\dllcache\ntprint.cat

2010-08-07 17:20:45 128512 -c--a-w- c:\windows\system32\dllcache\dhtmled.ocx

2010-08-07 17:13:03 353792 -c----w- c:\windows\system32\dllcache\srv.sys

2010-08-07 17:11:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll

2010-08-07 17:11:28 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll

2010-08-07 17:10:54 284160 -c----w- c:\windows\system32\dllcache\pdh.dll

2010-08-07 17:10:53 730112 -c----w- c:\windows\system32\dllcache\lsasrv.dll

2010-08-07 17:10:53 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll

2010-08-07 17:10:53 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll

2010-08-07 17:10:53 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll

2010-08-07 17:10:53 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll

2010-08-07 17:10:53 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll

2010-08-07 17:10:53 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe

2010-08-07 17:10:53 110592 -c----w- c:\windows\system32\dllcache\services.exe

2010-08-07 16:46:21 272128 -c----w- c:\windows\system32\dllcache\bthport.sys

2010-08-07 16:43:47 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

2010-08-07 16:43:22 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2010-08-07 16:23:06 153088 -c--a-w- c:\windows\system32\dllcache\triedit.dll

2010-08-07 16:22:51 3558912 -c--a-w- c:\windows\system32\dllcache\moviemk.exe

2010-08-07 16:19:43 203136 -c----w- c:\windows\system32\dllcache\rmcast.sys

2010-08-07 16:19:03 331776 -c--a-w- c:\windows\system32\dllcache\msadce.dll

2010-08-07 16:05:34 2066432 -c--a-w- c:\windows\system32\dllcache\mstscax.dll

2010-08-07 16:04:03 337408 -c----w- c:\windows\system32\dllcache\netapi32.dll

2010-08-07 16:03:51 1172480 -c--a-w- c:\windows\system32\dllcache\msxml3.dll

2010-08-07 16:02:00 2560 ------w- c:\windows\system32\xpsp4res.dll

2010-08-07 16:01:59 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe

2010-08-07 16:01:59 1206508 -c--a-w- c:\windows\system32\dllcache\sysmain.sdb

2010-08-07 15:48:18 0 d-----w- c:\program files\CCleaner

2010-08-07 13:35:13 0 d-----w- c:\windows\ServicePackFiles

2010-08-07 13:34:24 2897920 ----a-w- c:\windows\system32\xpsp2res.dll

2010-08-07 13:34:04 19528 ----a-w- c:\windows\002071_.tmp

2010-08-07 11:17:43 0 d-----w- c:\program files\Broadcom

2010-08-06 21:32:48 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation

2010-08-06 21:31:21 7959 ----a-w- c:\windows\system32\nvinfo.pb

2010-07-15 07:51:42 0 d-----w- c:\program files\Sony



==================== Find3M ====================



2010-07-25 21:09:31 46 ----a-w- c:\documents and settings\kieran\jagex_runescape_preferences.dat

2010-07-25 21:09:08 99 ----a-w- c:\documents and settings\kieran\jagex_runescape_preferences2.dat

2010-07-09 22:38:00 6343040 ----a-w- c:\windows\system32\nv4_disp.dll

2010-07-09 22:38:00 61440 ----a-w- c:\windows\system32\OpenCL.dll

2010-07-09 22:38:00 4595712 ----a-w- c:\windows\system32\nvcuda.dll

2010-07-09 22:38:00 2914408 ----a-w- c:\windows\system32\nvcuvid.dll

2010-07-09 22:38:00 2506344 ----a-w- c:\windows\system32\nvcuvenc.dll

2010-07-09 22:38:00 236136 ----a-w- c:\windows\system32\nvcodins.dll

2010-07-09 22:38:00 236136 ----a-w- c:\windows\system32\nvcod.dll

2010-07-09 22:38:00 2195030 ----a-w- c:\windows\system32\nvdata.bin

2010-07-09 22:38:00 1388544 ----a-w- c:\windows\system32\nvapi.dll

2010-07-09 22:38:00 13549568 ----a-w- c:\windows\system32\nvoglnt.dll

2010-07-09 22:38:00 10604128 ----a-w- c:\windows\system32\drivers\nv4_mini.sys

2010-07-09 22:38:00 10260480 ----a-w- c:\windows\system32\nvcompiler.dll

2010-07-09 06:24:26 81920 ----a-w- c:\windows\system32\nvwddi.dll

2010-07-09 06:24:18 277608 ----a-w- c:\windows\system32\nvmccs.dll

2010-07-09 06:24:18 110696 ----a-w- c:\windows\system32\nvmctray.dll

2010-07-09 06:24:16 155752 ----a-w- c:\windows\system32\nvsvc32.exe

2010-07-09 06:24:16 145000 ----a-w- c:\windows\system32\nvcolor.exe

2010-07-09 06:24:16 13923432 ----a-w- c:\windows\system32\nvcpl.dll

2010-05-27 13:21:56 3699 ----a-w- c:\windows\system32\Wacom_Tablet.dat

2010-05-20 08:13:54 2880 --sha-w- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys

2009-09-18 04:58:14 4706488 ----a-w- c:\program files\Game_Maker6.zip

2010-03-22 05:33:15 16384 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat



============= FINISH: 0:41:02.35 ============
 
Hi and welcome to TechSpot forums :).

Would you mind removing the code tags from your post, please? They are an absolute pain to try and read the logs like that.
 
Better :).

Please post your latest MBA_M log.

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right-click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
I thought I did O_O
I've attached the mbam log to this post, along with Extras and Attach from the respective scanners.
I'm going to go run the Bootkit Remover scan and then I'll be back (I have to restart the computer into Windows to run it, then back into Puppy Linux to upload it).
 
Attachments:
  • mbam-log-2010-08-07 (01-24-51).txt
  • Attach.txt
  • Extras.Txt

Below is the text from Bootkit Remover:


Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 9a0d214327ebf3a180134c29c99496eb

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
 
MBA_M is way out of date. You should update and run it again.

===

Open Notepad
Copy and paste following text into Notepad:
Code:
@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
EXIT
Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat.
Save fix.bat to your Desktop.

Run fix.bat by double clicking.
You may see a black box appear; this is normal.

When done, run remover.exe again and post its output.

=========

How are things now?
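What the remover's check and the fix step above amount to, as an added Python example (written for this write-up, not Bootkit Remover's own code or its boot-code database): parse the 512-byte MBR, hash the 440 bytes of boot code, compare against a known-good set, and, for the fix, overwrite only those bytes while keeping the disk signature and partition table. The clean boot code, the known-good hash set and the partition entry are constructed placeholders.

```python
import hashlib
import struct
SECTOR_SIZE, BOOT_CODE_LEN, PART_TABLE_OFF = 512, 440, 446   # boot code is bytes 0..439
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, count

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into the fields a bootkit check cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i)
        if ptype:  # partition type 0 marks an empty slot
            parts.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba,
                          "byte_offset": lba * SECTOR_SIZE, "sectors": count})
    return {"sector_md5": hashlib.md5(sector).hexdigest(),
            "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
            "valid_signature": sector[510:] == b"\x55\xaa", "partitions": parts}

def check_mbr(sector: bytes, known_good: set) -> dict:
    """Report the boot code as OK or Unknown, as the remover's status table does."""
    info = parse_mbr(sector)
    if not info["valid_signature"]:
        info["status"] = "Invalid boot signature"
    elif info["boot_code_md5"] in known_good:
        info["status"] = "OK (known boot code)"
    else:
        info["status"] = "Unknown boot code"
    return info

def restore_boot_code(sector: bytes, clean_code: bytes) -> bytes:
    """Overwrite only bytes 0..439; disk signature and partition table are preserved."""
    assert len(clean_code) == BOOT_CODE_LEN
    return clean_code + sector[BOOT_CODE_LEN:]
def build_sector(boot_code: bytes, partitions) -> bytes:
    """Assemble a sample MBR for testing (constructed, not a real disk image)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOT_CODE_LEN] = boot_code
    sector[440:444] = b"\x12\x34\x56\x78"  # constructed disk signature
    for i, entry in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PART_TABLE_OFF + 16 * i, *entry)
    sector[510:] = b"\x55\xaa"
    return bytes(sector)

# Constructed sample data: placeholder "clean" boot code (its hash is the only known-good
# entry) and a tampered copy whose first bytes were altered.
CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
KNOWN_GOOD = {hashlib.md5(CLEAN_CODE).hexdigest()}
PARTS = [(0x80, 0x07, 63, 976_773_105)]  # one NTFS partition at sector 63 (offset 0x7e00)
CLEAN_MBR = build_sector(CLEAN_CODE, PARTS)
TAMPERED_MBR = build_sector(b"\xeb\xfe" + CLEAN_CODE[2:], PARTS)
```

Note that the whole-sector MD5 changes when only the boot code is rewritten, which is why the two remover runs above show different hashes while the partition offset stays at 0x7e00.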
 
MBAM isn't out of date, actually; I just manually downloaded the definitions, so I don't think the update registered (I downloaded the defs on Linux and installed them from Windows).
I'll follow the directions within the next half hour and post results.
 
OK, I've run the test (the batch file); the results are as follows:

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...
 
Crunchie, thank you very much. It appears that my PC is no longer trying to connect to the site (according to Avast) and it's no longer playing ads. If you could leave this thread open for another day just to make sure, I'd appreciate it.

I'll be sure to make sure MBAM is updated right away.
Also, hahaha, the "how are things now" thing, I thought it was your signature <,<
 
No worries. You may also want to do an online scan.

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
  • You will need to use Internet Explorer to complete this scan.
  • You will need to temporarily Disable your current Anti-virus program.
  • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
  • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.
 
Will Firefox work? I've uninstalled Internet Explorer.
Anyway, I gotta go to bed now; I'll give it a try tomorrow and post my results.
 