[Solved] Google hijack - logs attached

Ryan250 · Aug 11, 2010

I ran over 5 well known anti-virus/anti-spyware programs (Webroot, SAS, MalwareBytes, AVG, AdAware - even in safe mode), still no luck. Google searches are still HiJacked. Flushed my DNS too. Cleared all temp files. The works folks. Never dealt with something this stubborn before.

Here are the logs...

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-10 23:08:00
Windows 6.1.7600
Running: w1t5j3ue.exe; Driver: C:\Users\Ryan\AppData\Local\Temp\kxldrpog.sys

---- System - GMER 1.0.15 ----

SSDT 85CBFDC8 ZwAllocateVirtualMemory
SSDT 85C805B8 ZwCreateProcess
SSDT 85C803B0 ZwCreateProcessEx
SSDT 85C801D0 ZwCreateThread
SSDT 85CBFBE8 ZwCreateThreadEx
SSDT 85CBFC60 ZwCreateUserProcess
SSDT 85CBFE40 ZwQueueApcThread
SSDT 85CBFCD8 ZwReadVirtualMemory
SSDT 85CBFF30 ZwSetContextThread
SSDT 89750E90 ZwSetDefaultHardErrorPort
SSDT 85C802C0 ZwSetInformationProcess
SSDT 85CBFFA8 ZwSetInformationThread
SSDT 85C80248 ZwSuspendProcess
SSDT 85CBFEB8 ZwSuspendThread
SSDT 85C80338 ZwTerminateProcess
SSDT 85CBF020 ZwTerminateThread
SSDT 85CBFD50 ZwWriteVirtualMemory

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A32AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A32104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A323F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1B2D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1A898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A321DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A32958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A326F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A32F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A331A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A92599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB6F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 82ABE74C 4 Bytes [C8, FD, CB, 85] {ENTER 0xcbfd, 0x85}
.text ntkrnlpa.exe!RtlSidHashLookup + 32C 82ABE83C 8 Bytes [B8, 05, C8, 85, B0, 03, C8, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 34C 82ABE85C 8 Bytes [D0, 01, C8, 85, E8, FB, CB, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 364 82ABE874 4 Bytes [60, FC, CB, 85]
.text ntkrnlpa.exe!RtlSidHashLookup + 624 82ABEB34 4 Bytes [40, FE, CB, 85]
.text ...
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x91416340, 0x39BD97, 0xE8000020]
.text peauth.sys 9C4B3C9D 28 Bytes [C4, BA, 41, 9C, 78, F2, 41, ...]
.text peauth.sys 9C4B3CC1 28 Bytes [C4, BA, 41, 9C, 78, F2, 41, ...]
PAGE peauth.sys 9C4B9E20 101 Bytes [C9, 79, D4, 5E, 1C, DF, 97, ...]
PAGE peauth.sys 9C4BA02C 102 Bytes [50, F6, 57, F7, EF, 84, F4, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1372] ntdll.dll!NtProtectVirtualMemory 77665380 5 Bytes JMP 001D000A
.text C:\Windows\system32\svchost.exe[1372] ntdll.dll!NtWriteVirtualMemory 77665F00 5 Bytes JMP 001E000A
.text C:\Windows\system32\svchost.exe[1372] ntdll.dll!KiUserExceptionDispatcher 77666448 5 Bytes JMP 001C000A
.text C:\Windows\system32\svchost.exe[1372] ole32.dll!CoCreateInstance 766957FC 5 Bytes JMP 0041000A
.text C:\Windows\explorer.exe[5936] ntdll.dll!NtProtectVirtualMemory 77665380 5 Bytes JMP 0062000A
.text C:\Windows\explorer.exe[5936] ntdll.dll!NtWriteVirtualMemory 77665F00 5 Bytes JMP 0063000A
.text C:\Windows\explorer.exe[5936] ntdll.dll!KiUserExceptionDispatcher 77666448 5 Bytes JMP 0061000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\BTHUSB \Device\0000007c bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000007e bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86915EC5

---- Threads - GMER 1.0.15 ----

Thread System [4:2500] 9C2C4F2E

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e4ceabb29
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e4ceabb29 (not active ControlSet)
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\Ryans Programs\FlashCS3Proressional\Adobe\xae Flash\xae CS3 Professional 5-5\Adobe CS3\Setup.exe 1

---- EOF - GMER 1.0.15 ----

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4412

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

8/9/2010 11:34:51 PM
mbam-log-2010-08-09 (23-34-51).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 238511
Time elapsed: 1 hour(s), 22 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\chgputil.dll (Spyware.Passwords) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\chgputil.dll (Spyware.Passwords) -> Delete on reboot.
C:\Windows\Temp\svchost.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.

END OF MALWAREBYTES LOG
---------------------------------------------------------------------------

Thanks guys/gals!!!

Ryan250 · Aug 11, 2010

Not sure if this will help, but here is my protection log.

21:09:32 Ryan MESSAGE Protection started successfully
21:09:36 Ryan MESSAGE IP Protection started successfully
21:11:26 Ryan MESSAGE IP Protection stopped
21:11:33 Ryan MESSAGE Database updated successfully
21:11:34 Ryan MESSAGE IP Protection started successfully
21:21:58 Ryan MESSAGE IP Protection stopped
21:21:59 Ryan MESSAGE IP Protection started successfully
21:23:32 Ryan MESSAGE IP Protection stopped
21:23:34 Ryan MESSAGE IP Protection started successfully
21:51:52 Ryan IP-BLOCK 213.174.140.175
21:55:22 Ryan IP-BLOCK 208.87.33.151
21:55:38 Ryan IP-BLOCK 68.169.84.155
21:55:46 Ryan IP-BLOCK 208.87.33.151
21:55:46 Ryan IP-BLOCK 74.205.26.220
21:55:55 Ryan IP-BLOCK 74.205.26.220
21:55:55 Ryan IP-BLOCK 74.205.26.220
22:02:37 Ryan IP-BLOCK 91.212.226.59
22:23:43 Ryan MESSAGE Protection started successfully
22:23:47 Ryan MESSAGE IP Protection started successfully
22:24:35 Ryan IP-BLOCK 91.212.226.59
22:24:51 Ryan IP-BLOCK 94.228.209.202
22:25:39 Ryan IP-BLOCK 94.228.209.202
22:25:47 Ryan IP-BLOCK 94.228.209.202
22:26:03 Ryan IP-BLOCK 94.228.209.202
22:26:19 Ryan IP-BLOCK 94.228.209.202
22:28:28 Ryan IP-BLOCK 94.228.209.202
22:32:53 Ryan IP-BLOCK 94.228.209.200
22:33:01 Ryan IP-BLOCK 208.87.33.151
22:33:01 Ryan IP-BLOCK 208.87.33.151
22:33:09 Ryan IP-BLOCK 208.87.33.151
22:33:09 Ryan IP-BLOCK 208.87.33.151
22:33:09 Ryan IP-BLOCK 208.87.33.151
22:33:09 Ryan IP-BLOCK 208.87.33.151
22:33:09 Ryan IP-BLOCK 208.87.33.151
22:34:38 Ryan IP-BLOCK 91.212.226.67
22:44:31 Ryan IP-BLOCK 91.212.226.5
22:45:43 Ryan IP-BLOCK 208.94.233.125
22:52:57 Ryan MESSAGE Protection started successfully
22:53:01 Ryan MESSAGE IP Protection started successfully
22:53:08 Ryan IP-BLOCK 208.94.233.125
22:54:20 Ryan IP-BLOCK 91.212.226.59
22:54:20 Ryan IP-BLOCK 208.94.233.125
22:55:49 Ryan IP-BLOCK 64.74.223.35
23:00:46 Ryan IP-BLOCK 94.228.209.200
23:01:42 Ryan IP-BLOCK 94.228.209.200
23:14:06 Ryan MESSAGE Protection started successfully
23:14:09 Ryan MESSAGE IP Protection started successfully
23:14:41 Ryan IP-BLOCK 208.94.233.125
23:14:57 Ryan IP-BLOCK 91.212.226.59
23:18:50 Ryan MESSAGE IP Protection stopped
23:18:51 Ryan MESSAGE IP Protection started successfully
23:24:35 Ryan IP-BLOCK 208.87.33.151
23:24:43 Ryan IP-BLOCK 208.87.33.151
23:24:51 Ryan IP-BLOCK 91.212.226.67

Note: This started to happen a day after I downloaded numerous songs off of LimeWire.

crunchie · Aug 11, 2010

Hi and welcome to TechSpot forums

==

Please download ComboFix by sUBs from HERE or HERE

You must download it to and run it from your Desktop

Physically disconnect from the internet.

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

Double click combofix.exe & follow the prompts.

When finished, it will produce a log. Please save that log to post in your next reply.

Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Ryan250 · Aug 11, 2010

ComboFix 10-08-10.03 - Ryan 08/10/2010 23:49:53.1.2 - x86
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3070.2210 [GMT -5:00]
Running from: c:\users\Ryan\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\rdprefmp.sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2010-07-11 to 2010-08-11 )))))))))))))))))))))))))))))))
.

2010-08-11 07:10 . 2009-07-14 01:26 21584 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-08-11 04:57 . 2010-08-11 04:58 -------- d-----w- c:\users\Ryan\AppData\Local\temp
2010-08-11 04:57 . 2010-08-11 04:57 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-11 04:48 . 2010-08-11 04:48 -------- d-----w- C:\Device
2010-08-10 11:44 . 2010-08-10 11:44 -------- d-----w- c:\users\Ryan\AppData\Roaming\AVG9
2010-08-10 11:39 . 2010-08-10 11:39 -------- d-----w- c:\program files\MSSOAP
2010-08-10 11:39 . 2010-08-10 11:45 -------- d-----w- c:\programdata\Webroot
2010-08-10 11:39 . 2010-08-10 11:39 -------- d-----w- c:\users\Ryan\AppData\Roaming\Webroot
2010-08-10 11:39 . 2010-08-10 11:39 -------- d-----w- c:\program files\Webroot
2010-08-10 11:39 . 2009-05-13 20:39 1563008 ----a-w- c:\windows\WRSetup.dll
2010-08-10 02:24 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-10 02:24 . 2010-08-11 03:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-10 02:24 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-07 17:38 . 2010-08-07 17:39 -------- d-----w- c:\program files\LimeWire
2010-07-21 22:32 . 2010-07-21 22:32 4368224 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
2010-07-21 22:32 . 2010-07-21 22:32 1615200 ----a-w- c:\programdata\avg9\update\backup\avgssie.dll
2010-07-21 22:32 . 2010-07-21 22:32 1373536 ----a-w- c:\programdata\avg9\update\backup\avgssff.dll
2010-07-21 22:32 . 2010-07-21 22:32 1107296 ----a-w- c:\programdata\avg9\update\backup\avgxpl.dll
2010-07-19 06:38 . 2010-07-19 06:38 -------- d-----w- c:\program files\iPod
2010-07-19 06:38 . 2010-07-19 06:39 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-07-19 06:38 . 2010-07-19 06:39 -------- d-----w- c:\program files\iTunes
2010-07-19 06:36 . 2010-07-19 06:36 -------- d-----w- c:\program files\QuickTime
2010-07-19 06:34 . 2010-07-19 06:34 -------- d-----w- c:\program files\Bonjour
2010-07-19 06:30 . 2010-07-19 06:30 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-07-15 16:03 . 2010-07-15 16:03 242896 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
2010-07-15 16:03 . 2010-07-15 16:03 216200 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
2010-07-15 16:03 . 2010-07-15 16:03 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 16:01 . 2010-07-15 16:01 624920 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
2010-07-15 16:01 . 2010-07-15 16:01 1690464 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
2010-07-15 16:01 . 2010-07-15 16:01 1038688 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
2010-07-15 16:01 . 2010-07-15 16:01 813336 ----a-w- c:\programdata\avg9\update\backup\avginet.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-11 04:32 . 2010-03-16 23:36 -------- d-----w- c:\program files\Java
2010-08-11 02:44 . 2010-08-07 17:41 -------- d-----w- c:\users\Ryan\AppData\Roaming\LimeWire
2010-08-11 01:08 . 2010-03-12 01:33 -------- d-----w- c:\program files\Steam
2010-08-10 05:10 . 2010-03-17 00:35 -------- d-----w- c:\programdata\avg9
2010-08-10 05:08 . 2010-03-14 06:02 89240 ----a-w- c:\users\Ryan\AppData\Roaming\nvModes.dat
2010-08-10 03:51 . 2010-03-18 08:42 117760 ----a-w- c:\users\Ryan\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-03 04:19 . 2010-06-05 06:38 -------- d-----w- c:\users\Ryan\AppData\Roaming\vlc
2010-07-19 06:38 . 2010-03-21 23:42 -------- d-----w- c:\program files\Common Files\Apple
2010-07-15 16:03 . 2010-03-17 00:35 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 16:02 . 2010-03-17 00:35 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-25 08:01 . 2010-03-09 18:11 -------- d-----w- c:\program files\Microsoft.NET
2010-06-23 01:39 . 2010-06-23 01:03 -------- d-----w- c:\users\Ryan\AppData\Roaming\dvdcss
2010-06-18 22:53 . 2010-06-18 22:53 -------- d-----w- c:\program files\MSXML 4.0
2010-06-18 01:40 . 2010-06-18 01:40 -------- d-----w- c:\program files\InstallShield Installation Information
2010-06-18 01:36 . 2010-06-18 01:36 -------- d-----w- c:\program files\Microsoft Games
2010-06-18 01:31 . 2010-03-10 02:35 -------- d-----w- c:\program files\Common Files\InstallShield
2010-06-18 01:28 . 2010-06-18 01:27 -------- d-----w- c:\program files\MagicDisc
2010-06-18 01:22 . 2010-06-18 01:21 -------- d-----w- c:\program files\MagicISO
2010-06-15 02:44 . 2010-04-09 06:27 95744 ----a-w- c:\programdata\SpeedBit\DAP\SDCondition.dll
2010-06-03 04:38 . 2010-03-17 00:35 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-05-27 07:24 . 2010-06-09 04:07 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 03:49 . 2010-06-09 04:07 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 05:18 . 2010-06-09 04:07 977920 ----a-w- c:\windows\system32\wininet.dll
2010-05-19 01:40 . 2010-05-19 01:40 1063320 ----a-w- c:\users\Ryan\gotomypc_533.exe
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2010-04-09 2815488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-02-16 857648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-16 8534560]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-05-13 6345840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Users^Ryan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Ryan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DisplayFusion]
2009-10-14 17:52 631984 ----a-w- c:\program files\DisplayFusion\DisplayFusion.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
2010-04-09 05:53 2815488 ----a-w- c:\program files\DAP\DAP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
2009-12-21 22:15 818288 ----a-w- c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-18 08:30 136176 ----atw- c:\users\Ryan\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 21:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-11-16 08:33 81920 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
2007-11-16 08:33 86016 ----a-w- c:\windows\System32\nvsvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 03:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2010-05-07 03:18 1238352 ----a-w- c:\program files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 18:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-02-18 23:40 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

R2 .1268156579SsTR;1268156579SsTR;c:\programdata\Webroot\Ryan612106.exe [2009-06-01 343435]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [x]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-09 1343400]
S0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\DRIVERS\Si3531.sys [2009-02-06 212520]
S0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2009-04-21 29808]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-15 216400]
S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-15 243024]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\Advanced System Optimizer 3\ASO3DefragSrv.exe [2009-11-07 239336]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-15 308136]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-04-29 304464]
S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-05-21 173352]
S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2010-08-10 1205760]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-04-29 20952]
S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-03-04 277536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
iissvcs REG_MULTI_SZ w3svc was
apphost REG_MULTI_SZ apphostsvc
.
Contents of the 'Scheduled Tasks' folder

2010-08-10 c:\windows\Tasks\ASOService.job
- c:\program files\Advanced System Optimizer 3\ASO3.exe [2010-03-18 22:57]

2010-08-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1273913578-3771317205-1214252594-1000Core.job
- c:\users\Ryan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-18 08:30]

2010-08-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1273913578-3771317205-1214252594-1000UA.job
- c:\users\Ryan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-18 08:30]

2010-08-10 c:\windows\Tasks\wrSpySweeper_L296DE3A33A8241E8B472AD6D4768D1D9.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-08-10 20:39]

2010-08-10 c:\windows\Tasks\wrSpySweeper_L296DE3A33A8241E8B472AD6D4768D1D9.job
- c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-08-10 20:39]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.speedbit.com/?aff=205
uInternet Settings,ProxyOverride = *.local
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\adyp6va2.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2|http://bodybuilding.com/|http://www.facebook.com/|http://www.youtube.com/google.com
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\users\Ryan\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\system32\taskhost.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\conhost.exe
c:\windows\system32\WUDFHost.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\AVG\AVG9\avgtray.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Webroot\WebrootSecurity\SSU.EXE
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2010-08-11 00:03:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-11 05:03

Pre-Run: 279,296,266,240 bytes free
Post-Run: 279,021,432,832 bytes free

- - End Of File - - 03B29F0355A7DACF127AD286CDBAB5FC

crunchie · Aug 11, 2010

All P2P programs like LimeWire open up your computer to attack. The firewall is left open to those ports allowing the file sharing and any infection can get in.
It is probably one of the top ways of getting infected.

==

That log looks ok. How is the pc?

Ryan250 · Aug 11, 2010

Other then completely removing Limewire, is there anything I can do to reduce this from happening?

crunchie · Aug 11, 2010

You have to keep your security programs up-to-date, as well as keeping Windows updated too. Be careful where you surf and use a secure browser.
[Hint]Opera[/Hint]

How is the PC?

Ryan250 · Aug 11, 2010

PC seems fine now, thanks so much.

crunchie · Aug 11, 2010

No worries .

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC by OldTimer:
Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

TechSpot

[Solved] Google hijack - logs attached

Ryan250 Newcomer, in training

Attached Files:

Attach.txt

DDS.txt

Ryan250 Newcomer, in training

crunchie Malware Helper

Ryan250 Newcomer, in training

crunchie Malware Helper

Ryan250 Newcomer, in training

crunchie Malware Helper

Ryan250 Newcomer, in training

crunchie Malware Helper