"Malwarebytes has Successfully Blocked Malicious...."



So my computer was infected with the SystemScan trojan, or something along those lines, and I was able to successfully remove it. However, now I get Malwarebytes yelling at me every 4-5 seconds about blocking a malicious site. The IPs vary. After a couple of full scans with Malwarebytes and Avira (both updated), it happened to go away. But it's back again, and doing it even more frequently (and driving me nuts). Please help! The DDS and ATTACH logs are below.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29

Run by Bouchie at 12:12:50 on 2012-04-02

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.1993 [GMT -4:00]

.

AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\DeviceVM\Browser Configuration Utility\BCU.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Adobe\Acrobat 10.0\Acrobat\Acrotray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\DeviceVM\Browser Configuration Utility\BCUService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Documents and Settings\Bouchie\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler.exe

I:\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Mumble\mumble.exe

C:\Documents and Settings\Bouchie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Bouchie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Bouchie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Bouchie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Bouchie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Bouchie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Bouchie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Bouchie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uURLSearchHooks: SearchHook Class: {bc86e1ab-eda5-4059-938f-ce307b0c6f0a} - c:\program files\devicevm\browser configuration utility\AddressBarSearch.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~3\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [Google Update] "c:\documents and settings\bouchie\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [AdobeBridge]

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED

mRun: [bCU] "c:\program files\devicevm\browser configuration utility\BCU.exe"

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"

mRun: [switchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe

mRun: [<NO NAME>]

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [AdobeCS5.5ServiceManager] "c:\program files\common files\adobe\cs5.5servicemanager\CS5.5ServiceManager.exe" -launchedbylogin

mRun: [FPCCSMiddleware] c:\program files\fisher-price\computer cool school\FPCCSMiddleware.exe

mRun: [Malwarebytes' Anti-Malware] "i:\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 66.189.0.100 24.159.64.23 24.247.24.53

TCP: Interfaces\{607CA42E-D837-40E2-BADC-2526D1EF283B} : DhcpNameServer = 66.189.0.100 24.159.64.23 24.247.24.53

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\bouchie\application data\mozilla\firefox\profiles\ap9blpw6.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - www.google.com

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ytff-devicevm&type=IEBD&p=

FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll

FF - plugin: c:\documents and settings\bouchie\local settings\application data\google\update\1.3.21.99\npGoogleUpdate3.dll

FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-3-20 36000]

R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-3-20 86224]

R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-3-20 110032]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-3-20 74640]

R2 BCUService;Browser Configuration Utility Service;c:\program files\devicevm\browser configuration utility\BCUService.exe [2009-10-15 223464]

R2 MBAMService;MBAMService;i:\malwarebytes' anti-malware\mbamservice.exe [2012-3-17 652360]

R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-2-28 2348352]

R2 PassThru Service;Internet Pass-Through Service;c:\program files\htc\internet pass-through\PassThruSvr.exe [2011-8-12 87040]

R3 busenum;SteelBusSvc;c:\windows\system32\drivers\SteelBus.sys [2011-9-16 88960]

R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2010-10-16 44032]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-10-27 20464]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-10-16 1691480]

S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2011-8-15 24576]

S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [2010-6-22 21248]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 SAlphamHid;SteelHIDSvc;c:\windows\system32\drivers\SAlpham.sys [2011-9-16 31616]

S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-03-31 13:52:24 413696 ----a-w- c:\windows\system32\wrap_oal.dll

2012-03-31 13:52:24 110592 ----a-w- c:\windows\system32\OpenAL32.dll

2012-03-31 13:52:24 -------- d-----w- c:\program files\OpenAL

2012-03-30 10:04:05 221184 ----a-w- c:\windows\system32\wmpns.dll

2012-03-30 10:03:59 -------- d-----w- c:\program files\Windows Media Connect 2

2012-03-30 10:03:29 -------- d-----w- c:\documents and settings\bouchie\application data\FLAC to MP3 Converter

2012-03-30 10:02:53 -------- d-----w- c:\windows\system32\LogFiles

2012-03-20 10:47:27 -------- d-----w- c:\documents and settings\bouchie\application data\Avira

2012-03-20 10:42:19 74640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2012-03-20 10:42:19 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys

2012-03-20 10:42:16 -------- d-----w- c:\program files\Avira

2012-03-20 10:42:16 -------- d-----w- c:\documents and settings\all users\application data\Avira

2012-03-19 01:32:52 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll

2012-03-19 01:32:52 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll

2012-03-09 16:59:13 -------- d-----w- c:\documents and settings\all users\application data\EA Core

2012-03-09 16:59:08 -------- d-----w- c:\documents and settings\all users\application data\EA Logs

2012-03-09 16:44:45 -------- d-----w- c:\program files\common files\EAInstaller

2012-03-09 15:04:18 -------- d-----w- c:\documents and settings\bouchie\local settings\application data\Origin

2012-03-09 15:04:17 -------- d-----w- c:\documents and settings\all users\application data\Origin

2012-03-09 15:03:46 -------- d-----w- c:\documents and settings\bouchie\application data\Origin

2012-03-09 15:03:46 -------- d-----w- c:\documents and settings\all users\application data\Electronic Arts

.

==================== Find3M ====================

.

2012-03-20 10:07:30 293992 ----a-w- c:\windows\system32\nvdrsdb0.bin

2012-03-20 10:07:30 1 ----a-w- c:\windows\system32\nvdrssel.bin

2012-03-20 10:07:29 293992 ----a-w- c:\windows\system32\nvdrsdb1.bin

2012-02-29 23:58:00 881984 ----a-w- c:\windows\system32\nvgenco32.dll

2012-02-29 23:58:00 65536 ----a-w- c:\windows\system32\OpenCL.dll

2012-02-29 23:58:00 5918720 ----a-w- c:\windows\system32\nvcuda.dll

2012-02-29 23:58:00 4309760 ----a-w- c:\windows\system32\nv4_disp.dll

2012-02-29 23:58:00 2522944 ----a-w- c:\windows\system32\nvcuvid.dll

2012-02-29 23:58:00 2437440 ----a-w- c:\windows\system32\nvcuvenc.dll

2012-02-29 23:58:00 2291712 ----a-w- c:\windows\system32\nvapi.dll

2012-02-29 23:58:00 18624512 ----a-w- c:\windows\system32\nvoglnt.dll

2012-02-29 23:58:00 17534976 ----a-w- c:\windows\system32\nvcompiler.dll

2012-02-29 23:58:00 13417632 ----a-w- c:\windows\system32\drivers\nv4_mini.sys

2012-02-29 23:58:00 1000256 ----a-w- c:\windows\system32\nvdispco32.dll

2012-02-29 20:30:31 54272 ----a-w- c:\windows\system32\nvwddi.dll

2012-02-29 20:30:24 15494464 ----a-w- c:\windows\system32\nvcpl.dll

2012-02-29 20:30:24 143680 ----a-w- c:\windows\system32\nvcolor.exe

2012-02-29 20:30:23 164160 ----a-w- c:\windows\system32\nvsvc32.exe

2012-02-29 20:30:23 108352 ----a-w- c:\windows\system32\nvmctray.dll

2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys

2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll

2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys

.

============= FINISH: 12:13:17.11 ===============

dds.txt

attach.txt


Hi,

My name is Daniel and I will be assisting you with your malware-related problems.

Before we move on, please read the following points carefully.

  • First, read my instructions completely. If there is anything that you do not understand, kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction, or add/remove software, unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all logfiles as a reply rather than as an attachment unless I specifically ask you to. If you cannot post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.
  • My first language is not English, so please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Please download Gmer from here and save it to your Desktop.

  • Double-click on the randomly named GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
    [Image: GMER initial scan warning dialog]
  • In the right panel, you will see several boxes that have been checked. Uncheck the following:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button and wait for it to finish.
  • Once done, click on the [Save..] button, and in the File name area type in "ark.txt"; otherwise it will save as a .log file, which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
