Everything posted by AdrianLMorey

  1. Hello, I've been having trouble with these notifications of software trying to access malicious websites, and along with these pop-ups that Malwarebytes has been informing me of, I keep seeing rootkit quarantines every once in a while, even after running multiple full system scans with Malwarebytes, and have since made logs of them through DDS. Here's the DDS log.