Persistant rootkits (annoying!)

[AdrianLMorey]

Hello, I've been having troubles trying to keep these notifications of software trying to access malicious websites and along with these pop-ups Malwarebytes has been informing of, I keep seeing rootkit quarantines every once in a blue while even after running multiple full system scans with Malwarebytes and have since made logs of them through DDS.

Here's the DDS log.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31

Run by Adrian at 21:15:13 on 2012-05-06

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1094 [GMT -7:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\IObit\Game Booster 3\gbtray.exe

svchost.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Analog Devices\SoundMAX\Smax4.exe

C:\Program Files\Real\RealPlayer\update\realsched.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\AVG Secure Search\vprot.exe

C:\Program Files\Common Files\AOL\1329669165\ee\AOLSoftware.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AVG\AVG2012\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\AVG\AVG2012\avgnsx.exe

C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe

C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe

c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Opera\Opera.exe

C:\WINDOWS\system32\wuauclt.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

mURLSearchHooks: AOL Messaging Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll

BHO: SearchPredictObj Class: {389943b0-c3a2-4e69-82cb-8596a84cb3dc} - c:\program files\searchpredict\SearchPredict.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll

BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: SBCONVERT Class: {92a9acf4-9333-43ae-9698-db283326f87f} - c:\program files\speedbit video downloader\toolbar\tbcore3.dll

BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll

BHO: AOL Messaging Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: GrabberObj Class: {ff7c3cf0-4b15-11d1-abed-709549c10000} - c:\program files\speedbit video downloader\toolbar\grabber.dll

TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll

TB: SpeedBit Video Downloader: {0329e7d6-6f54-462d-93f6-f5c3118badf2} - c:\program files\speedbit video downloader\toolbar\tbcore3.dll

TB: Retrogamer: {3392cfec-56f8-41ee-bdb4-4e301efd2c93} - c:\program files\retrogamer_4w\bar\1.bin\4wbar.dll

TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll

TB: AOL Messaging Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [soundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray

mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [vProt] "c:\program files\avg secure search\vprot.exe"

mRun: [HostManager] c:\program files\common files\aol\1329669165\ee\AOLSoftware.exe

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

IE: &Search - http://tbedits.retrogamer.com/one-toolbaredits/menusearch.jhtml?s=206140027&p=RGxdm025AUus&si=19700&a=6DE42E28-E0F9-4E3D-9633-3EF81756F429&n=2012012219

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

LSP: c:\program files\speedbit video accelerator\SBLSP.dll

LSP: mswsock.dll

DPF: {4F29DE54-5EB7-4D76-B610-A86B5CD2A234} - hxxp://archives.gametap.com/static/cab_headless/GameTapWebPlayer.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: DhcpNameServer = 75.75.75.75 75.75.76.76

TCP: Interfaces\{7419516B-A83A-4F9B-9318-E8F824336176} : DhcpNameServer = 75.75.75.75 75.75.76.76

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.2.0\ViProtocol.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\adrian\application data\mozilla\firefox\profiles\i1k97sho.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aimright-chromesbox-en-us&tb_uuid=20120307150850875&tb_oid=07-03-2012&tb_mrud=07-03-2012

FF - prefs.js: browser.startup.homepage - google.com

FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B979406b6-b955-4093-a2a9-5ccece112d82%7D&mid=d49d1aea584747d18168d14acce4e9e6-804fe5ab5254b4e928d0587271c17b711ef1ed88&ds=AVG&v=10.2.0.3〈=en&pr=fr&d=2012-03-22%2023%3A36%3A35&sap=ku&q=

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll

FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll

FF - plugin: c:\program files\microsoft\web platform installer\NPWPIDetector.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

FF - plugin: c:\program files\retrogamer_4w\bar\1.bin\NP4wStub.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_233.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]

R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2012-1-12 14776]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]

R2 IMFservice;IMF Service;c:\program files\iobit\iobit malware fighter\IMFsrv.exe [2012-1-12 820568]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-4-26 654408]

R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-4-15 2348352]

R2 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-10-25 244960]

R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\10.2.0\ToolbarUpdater.exe [2012-3-12 918880]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-4-26 22344]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-5-6 40776]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-2-19 136176]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-15 158856]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-28 253088]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-2-19 136176]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~2\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~2\VideoAcceleratorService.exe -start -scm [?]

.

=============== Created Last 30 ================

.

2012-05-07 03:50:58 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-05-06 03:58:16 -------- d-----w- c:\documents and settings\adrian\application data\yang

2012-05-06 03:57:21 -------- d-----w- c:\program files\YANG

2012-05-06 02:21:42 0 --sha-w- c:\windows\system32\dds_trash_log.cmd

2012-04-28 10:44:34 40960 ----a-r- c:\documents and settings\adrian\application data\microsoft\installer\{9559f7ca-5e34-4237-a2d9-d856464ad727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe

2012-04-28 10:44:34 40960 ----a-r- c:\documents and settings\adrian\application data\microsoft\installer\{9559f7ca-5e34-4237-a2d9-d856464ad727}\ARPPRODUCTICON.exe

2012-04-26 14:25:09 -------- d-----w- c:\documents and settings\adrian\application data\Malwarebytes

2012-04-26 14:24:59 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-04-26 14:24:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2012-04-26 14:24:59 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2012-04-16 09:32:30 -------- d-----w- c:\program files\GoldWave

2012-04-16 09:31:02 -------- d-----w- c:\documents and settings\all users\application data\Syncrosoft

2012-04-16 09:30:54 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2012-04-16 09:30:43 -------- d-----w- c:\program files\common files\Steinberg

2012-04-16 09:30:43 -------- d-----w- c:\documents and settings\adrian\application data\Steinberg

2012-04-16 09:29:48 -------- d-----w- c:\documents and settings\all users\application data\eLicenser

2012-04-16 09:29:47 -------- d-----w- c:\program files\Syncrosoft

2012-04-16 09:29:47 -------- d-----w- c:\program files\eLicenser

2012-04-16 09:29:44 1277952 ----a-w- c:\windows\system32\SYNSOACC.dll

2012-04-16 09:29:43 86016 ----a-w- c:\windows\system32\SYNSOPOS.exe

2012-04-16 09:29:42 -------- d-----w- c:\program files\Steinberg

2012-04-14 11:15:22 -------- d-----w- c:\program files\World of Warcraft Beta

2012-04-14 11:14:20 -------- d-----w- c:\documents and settings\all users\application data\Battle.net

.

==================== Find3M ====================

.

2012-04-20 14:02:55 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-04-20 14:02:55 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-04-18 11:17:32 294604 ----a-w- c:\windows\system32\nvdrsdb1.bin

2012-04-18 11:17:32 1 ----a-w- c:\windows\system32\nvdrssel.bin

2012-04-18 11:15:59 294604 ----a-w- c:\windows\system32\nvdrsdb0.bin

2012-03-07 20:01:05 716153 ----a-w- c:\windows\system32\unins000.exe

2012-03-04 20:43:01 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-03-04 20:43:00 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-02-29 23:58:00 881984 ----a-w- c:\windows\system32\nvgenco32.dll

2012-02-29 23:58:00 65536 ----a-w- c:\windows\system32\OpenCL.dll

2012-02-29 23:58:00 5918720 ----a-w- c:\windows\system32\nvcuda.dll

2012-02-29 23:58:00 4309760 ----a-w- c:\windows\system32\nv4_disp.dll

2012-02-29 23:58:00 2522944 ----a-w- c:\windows\system32\nvcuvid.dll

2012-02-29 23:58:00 2437440 ----a-w- c:\windows\system32\nvcuvenc.dll

2012-02-29 23:58:00 2291712 ----a-w- c:\windows\system32\nvapi.dll

2012-02-29 23:58:00 18624512 ----a-w- c:\windows\system32\nvoglnt.dll

2012-02-29 23:58:00 17534976 ----a-w- c:\windows\system32\nvcompiler.dll

2012-02-29 23:58:00 13417632 ----a-w- c:\windows\system32\drivers\nv4_mini.sys

2012-02-29 23:58:00 1000256 ----a-w- c:\windows\system32\nvdispco32.dll

2012-02-29 20:30:31 54272 ----a-w- c:\windows\system32\nvwddi.dll

2012-02-29 20:30:24 15494464 ----a-w- c:\windows\system32\nvcpl.dll

2012-02-29 20:30:24 143680 ----a-w- c:\windows\system32\nvcolor.exe

2012-02-29 20:30:23 164160 ----a-w- c:\windows\system32\nvsvc32.exe

2012-02-29 20:30:23 108352 ----a-w- c:\windows\system32\nvmctray.dll

2012-02-14 01:13:41 58696 ----a-w- c:\windows\system32\AOLParconLink.exe

2008-03-09 15:25:10 236 ----a-w- c:\program files\common files\dx.reg

.

============= FINISH: 21:16:12.31 ===============

[Maniac]

Hello AdrianLMorey and ! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

• If you are a paying customer, you have the privilege to contact the help desk at support@malwarebytes.org or here (http://helpdesk.malwarebytes.org/home). If you choose this option to get help, please let me know.
  
• I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  
• Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  
• Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  
• Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  

What about Attach.txt?

[Maurice Naggar]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!