
Sudden malware after Ovoo??


  • This topic is locked
2 replies to this topic

#1 40cooper

40cooper

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:36 PM

Posted 11 May 2010 - 01:37 AM

Hello. Name's Jason. Hopefully someone can help me with this. I downloaded a video chat program called Ovoo the other day; my fiancée lives 1600 miles from me, she did the same, and we both began finding viruses through avast. Removed the viruses and thought we were fine. I noticed though that my internet seemed slower, so I checked the task manager and found Bjb.exe, which I had never seen before. Researched, ran HJT, and the logfile also found some weird things. It showed some entries of nameservers related to domain hijacking, which I removed. I also removed the Bjb.exe with avast before this, and it came back after restart. I researched the IPs listed with the nameserver entries and they led me back to a very suspicious Ukraine-based company, ukrtelegroup.com.ua. Not sure what's going on, but I own a few websites, so the 'domain hijacking' bit is scary. Any help would be great. Oh yeah, forgot something. When I restarted my machine a bit ago avast network shield blocked access to gamecetera.com; it's never done that before. I wasn't even getting online, I had just restarted. I can paste the HJT logfile if you guys like as well, but for now here's the DDS:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Jason at 22:31:58.57 on Mon 05/10/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2529 [GMT -5:00]

AV: avast! antivirus 4.8.1368 [VPS 100510-1] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

E:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
E:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
E:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
E:\Program Files\Alwil Software\Avast4\ashServ.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe
E:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
E:\Program Files\Common Files\Java\Java Update\jusched.exe
E:\WINDOWS\system32\spoolsv.exe
svchost.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Java\jre6\bin\jqs.exe
E:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
E:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
E:\Program Files\REALTEK\USB Wireless LAN Utility\RtlService.exe
E:\WINDOWS\system32\svchost.exe -k imgsvc
E:\WINDOWS\System32\vssvc.exe
E:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
E:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
E:\Program Files\Alwil Software\Avast4\ashWebSv.exe
E:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
E:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
E:\WINDOWS\System32\svchost.exe -k HTTPFilter
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Skype\Phone\Skype.exe
E:\Program Files\Skype\Toolbars\Shared\SkypeNames.exe
E:\Documents and Settings\Jason\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - e:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - e:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - e:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - e:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - e:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - e:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - e:\program files\yahoo!\companion\installs\cpn0\yt.dll
uRun: [IBP]
uRun: [M5T8QL3YW3] e:\docume~1\jason\locals~1\temp\Bjb.exe
mRun: [avast!] e:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [HDAudDeck] e:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [QuickTime Task] "e:\program files\quicktime\qttask.exe" -atboottime
mRun: [LogitechCommunicationsManager] "e:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "e:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [Adobe Reader Speed Launcher] "e:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "e:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "e:\program files\common files\java\java update\jusched.exe"
StartupFolder: e:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - e:\program files\realtek\usb wireless lan utility\ReStart.exe
IE: E&xport to Microsoft Excel - e:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - e:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249709662625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - e:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: ADsPostalAddress - {a55f6b8e-1cd0-48ab-a3d4-44b457e1b465} - e:\program files\common files\ads\ADsPostalAddress.dll

================= FIREFOX ===================

FF - ProfilePath - e:\docume~1\jason\applic~1\mozilla\firefox\profiles\k8qoirmd.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mystart.com?pr=oovoo2_2
FF - plugin: e:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - e:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - e:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
e:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
e:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
e:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
e:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
e:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
e:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
e:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
e:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
e:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;e:\windows\system32\drivers\aswSP.sys [2009-7-31 114768]
R2 aswFsBlk;aswFsBlk;e:\windows\system32\drivers\aswFsBlk.sys [2009-7-31 20560]
R2 avast! Antivirus;avast! Antivirus;e:\program files\alwil software\avast4\ashServ.exe [2009-7-31 138680]
R2 RealtekUSB;RealtekUSB;e:\program files\realtek\usb wireless lan utility\RtlService.exe [2009-7-31 36864]
R3 avast! Mail Scanner;avast! Mail Scanner;e:\program files\alwil software\avast4\ashMaiSv.exe [2009-7-31 254040]
R3 avast! Web Scanner;avast! Web Scanner;e:\program files\alwil software\avast4\ashWebSv.exe [2009-7-31 352920]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;e:\windows\system32\drivers\viahduaa.sys [2009-8-8 1358720]
S2 EAPPkt;Realtek EAPPkt Protocol;e:\windows\system32\drivers\eappkt.sys --> e:\windows\system32\drivers\EAPPkt.sys [?]
S3 RT80x86;Ralink 802.11n Wireless Driver;e:\windows\system32\drivers\rt2860.sys [2007-11-15 572416]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;e:\windows\system32\drivers\RTL8187B.sys [2009-7-31 264576]
S3 RTL8192u;Realtek RTL8192U Wireless LAN 802.11n USB 2.0 Network Adapter;e:\windows\system32\drivers\rtl8192u.sys --> e:\windows\system32\drivers\RTL8192u.sys [?]

=============== Created Last 30 ================

2010-05-11 03:25:01 0 ----a-w- e:\documents and settings\jason\defogger_reenable
2010-05-09 07:12:12 0 d-----w- e:\program files\Trend Micro
2010-05-09 01:15:18 0 d-----w- e:\docume~1\jason\applic~1\oovootb
2010-05-08 07:53:06 0 d-----w- e:\program files\common files\ADs
2010-05-07 08:33:55 2389 ----a-w- e:\documents and settings\jason\.recently-used.xbel
2010-05-06 09:46:27 0 d-----w- e:\program files\Conduit
2010-05-06 07:58:38 0 d-----w- e:\docume~1\jason\applic~1\ooVoo Details
2010-05-06 07:58:31 0 d-----w- e:\docume~1\alluse~1\applic~1\EmailNotifier
2010-04-30 12:00:12 552 ----a-w- e:\windows\system32\d3d8caps.dat
2010-04-30 12:00:10 0 d-----w- e:\program files\SystemRequirementsLab
2010-04-30 11:12:49 0 d-----w- e:\docume~1\jason\applic~1\LucasArts
2010-04-30 09:27:10 0 d-----w- e:\docume~1\jason\applic~1\InstantAction
2010-04-22 21:23:18 0 d--h--w- e:\windows\PIF
2010-04-16 12:32:25 73728 ----a-w- e:\windows\system32\javacpl.cpl
2010-04-16 12:32:25 411368 ----a-w- e:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-05-09 13:13:11 0 ----a-w- e:\windows\system32\drivers\logiflt.iad
2010-04-29 18:47:25 0 ----a-w- e:\windows\system32\drivers\lvuvc.hs
2010-03-09 11:09:18 430080 ----a-w- e:\windows\system32\vbscript.dll
2010-02-16 14:08:49 2146304 ----a-w- e:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ----a-w- e:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- e:\windows\system32\6to4svc.dll

============= FINISH: 22:32:15.93 ===============

Sometimes my PC lags quite a bit and this is definitely not the norm. It's a fairly new, custom machine. Always been very fast. Like I said, no trouble until I downloaded Ovoo the other day. Any help would be great. Thanks!!

Jason
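The log above contains the kind of autorun entry a responder keys on first: `uRun: [M5T8QL3YW3] e:\docume~1\jason\locals~1\temp\Bjb.exe`, a per-user (HKCU) Run value with a random-looking name that launches an executable out of the temp folder, sitting next to an orphaned `uRun: [IBP]` value with no command at all. That Run value is also the obvious reason Bjb.exe reappears after a reboot: deleting the file without removing the value that starts it leaves the persistence in place. The script below is an added example, not part of the original thread and not part of the DDS tool; it parses a handful of Pseudo HJT Report lines copied from the log above as constructed sample input and flags entries matching those heuristics. The thresholds, the reason labels and the reading of `uRun`/`mRun` as HKCU/HKLM Run keys are my own assumptions, not something the page states.

```python
"""Flag suspicious autorun entries in a DDS 'Pseudo HJT Report' section.

Added example, not part of the BleepingComputer thread or of DDS itself.
Heuristics (my own thresholds, not anything the log format specifies):
  - empty-command : a Run value with no command (orphaned entry, worth a look)
  - temp-dir      : the launched binary lives under a temp directory
  - random-name   : the value name is long, mixes letters and digits and has
                    no vowels, i.e. looks generated rather than a product name
Assumption: in DDS output, uRun = HKCU Run (per user), mRun = HKLM Run.
"""
import re

# Constructed sample: the relevant lines copied from the log in the post above.
SAMPLE_REPORT = r"""
uRun: [IBP]
uRun: [M5T8QL3YW3] e:\docume~1\jason\locals~1\temp\Bjb.exe
mRun: [avast!] e:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [HDAudDeck] e:\program files\via\viaudioi\hdadeck\HDeck.exe 1
mRun: [QuickTime Task] "e:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "e:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
"""

LINE_RE = re.compile(r'^(?P<hive>[um]Run(?:Once)?): \[(?P<name>[^\]]*)\](?: (?P<cmd>.*))?$')
# Either a quoted path, or an unquoted path cut at the first executable extension
# (DDS prints unquoted paths with spaces, e.g. '...\HDeck.exe 1').
EXE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.*?\.(?:exe|scr|com|bat|cmd|vbs|pif|dll)))', re.I)
TEMP_RE = re.compile(r'[\\/](?:temp|tmp)[\\/]', re.I)


def extract_exe(cmd):
    """Return the executable path from a Run command string."""
    cmd = cmd.strip()
    m = EXE_RE.match(cmd)
    if m:
        return m.group('q') or m.group('u')
    return cmd.split()[0] if cmd else ''


def looks_random(name):
    """True if a value name looks machine-generated (e.g. 'M5T8QL3YW3')."""
    s = re.sub(r'[^A-Za-z0-9]', '', name)
    letters = sum(c.isalpha() for c in s)
    digits = sum(c.isdigit() for c in s)
    if len(s) < 8 or letters < 2 or digits < 2:
        return False
    return re.search(r'[aeiou]', s, re.I) is None


def scan_report(text):
    """Parse Run lines and return a list of findings with their reasons."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        name, cmd = m.group('name'), m.group('cmd')
        reasons = []
        path = extract_exe(cmd) if cmd else ''
        if not cmd:
            reasons.append('empty-command')
        else:
            if TEMP_RE.search(path):
                reasons.append('temp-dir')
            if looks_random(name):
                reasons.append('random-name')
        if reasons:
            findings.append({'hive': m.group('hive'), 'name': name,
                             'path': path, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for hit in scan_report(SAMPLE_REPORT):
        print(f"{hit['hive']:5} [{hit['name']}] {hit['path'] or '<none>'}"
              f"  <- {', '.join(hit['reasons'])}")
```

Run against the sample it reports only the two `uRun` entries; the avast, VIA, QuickTime and Adobe values pass because their names are product names and their binaries live under Program Files. The heuristics are deliberately loose (a vowel-free name with a couple of digits is not proof of anything), so treat a hit as a prompt to pull the file and the value for inspection, not as a verdict.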


#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:36 PM

Posted 12 May 2010 - 06:56 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:11:36 PM

Posted 17 May 2010 - 07:43 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
