TechSpot

Google hijack - logs attached

By Ryan250
Aug 11, 2010
  1. I ran over 5 well-known anti-virus/anti-spyware programs (Webroot, SAS, MalwareBytes, AVG, AdAware - even in safe mode), still no luck. Google searches are still HiJacked. Flushed my DNS too. Cleared all temp files. The works, folks. Never dealt with something this stubborn before.

    Here are the logs...

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-10 23:08:00
    Windows 6.1.7600
    Running: w1t5j3ue.exe; Driver: C:\Users\Ryan\AppData\Local\Temp\kxldrpog.sys


    ---- System - GMER 1.0.15 ----

    SSDT 85CBFDC8 ZwAllocateVirtualMemory
    SSDT 85C805B8 ZwCreateProcess
    SSDT 85C803B0 ZwCreateProcessEx
    SSDT 85C801D0 ZwCreateThread
    SSDT 85CBFBE8 ZwCreateThreadEx
    SSDT 85CBFC60 ZwCreateUserProcess
    SSDT 85CBFE40 ZwQueueApcThread
    SSDT 85CBFCD8 ZwReadVirtualMemory
    SSDT 85CBFF30 ZwSetContextThread
    SSDT 89750E90 ZwSetDefaultHardErrorPort
    SSDT 85C802C0 ZwSetInformationProcess
    SSDT 85CBFFA8 ZwSetInformationThread
    SSDT 85C80248 ZwSuspendProcess
    SSDT 85CBFEB8 ZwSuspendThread
    SSDT 85C80338 ZwTerminateProcess
    SSDT 85CBF020 ZwTerminateThread
    SSDT 85CBFD50 ZwWriteVirtualMemory

    INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A32AF8
    INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A32104
    INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A323F4
    INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1B2D8
    INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1A898
    INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A321DC
    INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A32958
    INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A326F8
    INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A32F2C
    INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A331A8

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A92599 1 Byte [06]
    .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB6F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
    .text ntkrnlpa.exe!RtlSidHashLookup + 23C 82ABE74C 4 Bytes [C8, FD, CB, 85] {ENTER 0xcbfd, 0x85}
    .text ntkrnlpa.exe!RtlSidHashLookup + 32C 82ABE83C 8 Bytes [B8, 05, C8, 85, B0, 03, C8, ...]
    .text ntkrnlpa.exe!RtlSidHashLookup + 34C 82ABE85C 8 Bytes [D0, 01, C8, 85, E8, FB, CB, ...]
    .text ntkrnlpa.exe!RtlSidHashLookup + 364 82ABE874 4 Bytes [60, FC, CB, 85]
    .text ntkrnlpa.exe!RtlSidHashLookup + 624 82ABEB34 4 Bytes [40, FE, CB, 85]
    .text ...
    .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x91416340, 0x39BD97, 0xE8000020]
    .text peauth.sys 9C4B3C9D 28 Bytes [C4, BA, 41, 9C, 78, F2, 41, ...]
    .text peauth.sys 9C4B3CC1 28 Bytes [C4, BA, 41, 9C, 78, F2, 41, ...]
    PAGE peauth.sys 9C4B9E20 101 Bytes [C9, 79, D4, 5E, 1C, DF, 97, ...]
    PAGE peauth.sys 9C4BA02C 102 Bytes [50, F6, 57, F7, EF, 84, F4, ...]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\svchost.exe[1372] ntdll.dll!NtProtectVirtualMemory 77665380 5 Bytes JMP 001D000A
    .text C:\Windows\system32\svchost.exe[1372] ntdll.dll!NtWriteVirtualMemory 77665F00 5 Bytes JMP 001E000A
    .text C:\Windows\system32\svchost.exe[1372] ntdll.dll!KiUserExceptionDispatcher 77666448 5 Bytes JMP 001C000A
    .text C:\Windows\system32\svchost.exe[1372] ole32.dll!CoCreateInstance 766957FC 5 Bytes JMP 0041000A
    .text C:\Windows\explorer.exe[5936] ntdll.dll!NtProtectVirtualMemory 77665380 5 Bytes JMP 0062000A
    .text C:\Windows\explorer.exe[5936] ntdll.dll!NtWriteVirtualMemory 77665F00 5 Bytes JMP 0063000A
    .text C:\Windows\explorer.exe[5936] ntdll.dll!KiUserExceptionDispatcher 77666448 5 Bytes JMP 0061000A

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
    AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
    AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

    Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

    AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\BTHUSB \Device\0000007c bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
    Device \Driver\BTHUSB \Device\0000007e bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
    Device -> \Driver\atapi \Device\Harddisk0\DR0 86915EC5

    ---- Threads - GMER 1.0.15 ----

    Thread System [4:2500] 9C2C4F2E

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e4ceabb29
    Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e4ceabb29 (not active ControlSet)
    Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\Ryans Programs\FlashCS3Proressional\Adobe\xae Flash\xae CS3 Professional 5-5\Adobe CS3\Setup.exe 1

    ---- EOF - GMER 1.0.15 ----

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4412

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    8/9/2010 11:34:51 PM
    mbam-log-2010-08-09 (23-34-51).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 238511
    Time elapsed: 1 hour(s), 22 minute(s), 14 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\Windows\System32\chgputil.dll (Spyware.Passwords) -> Delete on reboot.

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Windows\System32\chgputil.dll (Spyware.Passwords) -> Delete on reboot.
    C:\Windows\Temp\svchost.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.

    END OF MALWAREBYTES LOG
    ---------------------------------------------------------------------------


    Thanks guys/gals!!!
     


  2. Ryan250

    Ryan250 TS Rookie Topic Starter

    Not sure if this will help, but here is my protection log.

    21:09:32 Ryan MESSAGE Protection started successfully
    21:09:36 Ryan MESSAGE IP Protection started successfully
    21:11:26 Ryan MESSAGE IP Protection stopped
    21:11:33 Ryan MESSAGE Database updated successfully
    21:11:34 Ryan MESSAGE IP Protection started successfully
    21:21:58 Ryan MESSAGE IP Protection stopped
    21:21:59 Ryan MESSAGE IP Protection started successfully
    21:23:32 Ryan MESSAGE IP Protection stopped
    21:23:34 Ryan MESSAGE IP Protection started successfully
    21:51:52 Ryan IP-BLOCK 213.174.140.175
    21:55:22 Ryan IP-BLOCK 208.87.33.151
    21:55:38 Ryan IP-BLOCK 68.169.84.155
    21:55:46 Ryan IP-BLOCK 208.87.33.151
    21:55:46 Ryan IP-BLOCK 74.205.26.220
    21:55:55 Ryan IP-BLOCK 74.205.26.220
    21:55:55 Ryan IP-BLOCK 74.205.26.220
    22:02:37 Ryan IP-BLOCK 91.212.226.59
    22:23:43 Ryan MESSAGE Protection started successfully
    22:23:47 Ryan MESSAGE IP Protection started successfully
    22:24:35 Ryan IP-BLOCK 91.212.226.59
    22:24:51 Ryan IP-BLOCK 94.228.209.202
    22:25:39 Ryan IP-BLOCK 94.228.209.202
    22:25:47 Ryan IP-BLOCK 94.228.209.202
    22:26:03 Ryan IP-BLOCK 94.228.209.202
    22:26:19 Ryan IP-BLOCK 94.228.209.202
    22:28:28 Ryan IP-BLOCK 94.228.209.202
    22:32:53 Ryan IP-BLOCK 94.228.209.200
    22:33:01 Ryan IP-BLOCK 208.87.33.151
    22:33:01 Ryan IP-BLOCK 208.87.33.151
    22:33:09 Ryan IP-BLOCK 208.87.33.151
    22:33:09 Ryan IP-BLOCK 208.87.33.151
    22:33:09 Ryan IP-BLOCK 208.87.33.151
    22:33:09 Ryan IP-BLOCK 208.87.33.151
    22:33:09 Ryan IP-BLOCK 208.87.33.151
    22:34:38 Ryan IP-BLOCK 91.212.226.67
    22:44:31 Ryan IP-BLOCK 91.212.226.5
    22:45:43 Ryan IP-BLOCK 208.94.233.125
    22:52:57 Ryan MESSAGE Protection started successfully
    22:53:01 Ryan MESSAGE IP Protection started successfully
    22:53:08 Ryan IP-BLOCK 208.94.233.125
    22:54:20 Ryan IP-BLOCK 91.212.226.59
    22:54:20 Ryan IP-BLOCK 208.94.233.125
    22:55:49 Ryan IP-BLOCK 64.74.223.35
    23:00:46 Ryan IP-BLOCK 94.228.209.200
    23:01:42 Ryan IP-BLOCK 94.228.209.200
    23:14:06 Ryan MESSAGE Protection started successfully
    23:14:09 Ryan MESSAGE IP Protection started successfully
    23:14:41 Ryan IP-BLOCK 208.94.233.125
    23:14:57 Ryan IP-BLOCK 91.212.226.59
    23:18:50 Ryan MESSAGE IP Protection stopped
    23:18:51 Ryan MESSAGE IP Protection started successfully
    23:24:35 Ryan IP-BLOCK 208.87.33.151
    23:24:43 Ryan IP-BLOCK 208.87.33.151
    23:24:51 Ryan IP-BLOCK 91.212.226.67

    Note: This started to happen a day after I downloaded numerous songs off of LimeWire.
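    The protection log above is a list of outbound connection blocks, and the defender's question is whether the same addresses keep coming back after each "Protection started" restart, which is the pattern of a persistent component that a signature scan has not removed. The following Python script is an added example, not code from the thread or from Malwarebytes: it parses lines in the `HH:MM:SS user KIND text` layout shown above, counts blocks per address and per /24 (an assumption used here only to group neighbouring addresses), counts protection restarts, and flags addresses blocked repeatedly. The sample lines are constructed in the same format as the pasted log, including one deliberately malformed address to show that the parser skips it rather than crashing.

```python
"""Summarise Malwarebytes protection-log IP-BLOCK events (added example, not from the thread)."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample in the same layout as the pasted log; "bogus" is a deliberate bad line.
SAMPLE_LOG = """\
21:09:32 Ryan MESSAGE Protection started successfully
21:09:36 Ryan MESSAGE IP Protection started successfully
21:51:52 Ryan IP-BLOCK 213.174.140.175
21:55:22 Ryan IP-BLOCK 208.87.33.151
21:55:46 Ryan IP-BLOCK 208.87.33.151
22:23:43 Ryan MESSAGE Protection started successfully
22:24:51 Ryan IP-BLOCK 94.228.209.202
22:25:39 Ryan IP-BLOCK 94.228.209.202
22:32:53 Ryan IP-BLOCK 94.228.209.200
22:33:01 Ryan IP-BLOCK 208.87.33.151
22:33:09 Ryan IP-BLOCK 208.87.33.151
22:40:00 Ryan IP-BLOCK bogus
22:52:57 Ryan MESSAGE Protection started successfully
"""


def parse_line(line):
    """Split 'HH:MM:SS user KIND text' into fields; return None for blank or odd lines."""
    parts = line.strip().split(" ", 3)
    if len(parts) != 4:
        return None
    ts, user, kind, text = parts
    return {"time": ts, "user": user, "kind": kind, "text": text.strip()}


def summarize(log_text, repeat_threshold=3):
    """Count IP-BLOCK events per address and per /24, count protection restarts,
    and flag addresses blocked at least repeat_threshold times."""
    per_ip = Counter()
    per_net = Counter()
    restarts = 0
    invalid = []  # IP-BLOCK lines whose address field does not parse
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["kind"] == "IP-BLOCK":
            try:
                ip = ip_address(rec["text"])
            except ValueError:
                invalid.append(rec["text"])
                continue
            per_ip[str(ip)] += 1
            # /24 grouping is an assumption for this example, to show neighbouring addresses together
            per_net[str(ip_network(f"{ip}/24", strict=False))] += 1
        elif rec["kind"] == "MESSAGE" and rec["text"].startswith("Protection started"):
            # "IP Protection started" lines do not match; only full protection restarts count
            restarts += 1
    repeated = {ip: n for ip, n in per_ip.items() if n >= repeat_threshold}
    return {
        "per_ip": dict(per_ip),
        "per_net": dict(per_net),
        "repeated": repeated,
        "restarts": restarts,
        "invalid": invalid,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"protection restarts: {report['restarts']}")
    for net, n in sorted(report["per_net"].items(), key=lambda kv: -kv[1]):
        print(f"{net:20} {n} blocks")
    for ip, n in report["repeated"].items():
        print(f"REPEAT  {ip} blocked {n} times across restarts")
    if report["invalid"]:
        print("unparseable address fields:", report["invalid"])
```

    Addresses that are blocked again after every restart are the ones worth correlating with the later scan findings; the per-/24 view is only a convenience for spotting a cluster of neighbouring hosts, not a judgement about the network itself.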
     
  3. crunchie

    crunchie Malware Helper Posts: 728

    Hi and welcome to TechSpot forums :)

    ==

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
  4. Ryan250

    Ryan250 TS Rookie Topic Starter

    ComboFix 10-08-10.03 - Ryan 08/10/2010 23:49:53.1.2 - x86
    Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.3070.2210 [GMT -5:00]
    Running from: c:\users\Ryan\Desktop\ComboFix.exe
    SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    Infected copy of c:\windows\system32\drivers\rdprefmp.sys was found and disinfected
    Restored copy from - Kitty ate it :p
    .
    ((((((((((((((((((((((((( Files Created from 2010-07-11 to 2010-08-11 )))))))))))))))))))))))))))))))
    .

    2010-08-11 07:10 . 2009-07-14 01:26 21584 ----a-w- c:\windows\system32\drivers\atapi.sys
    2010-08-11 04:57 . 2010-08-11 04:58 -------- d-----w- c:\users\Ryan\AppData\Local\temp
    2010-08-11 04:57 . 2010-08-11 04:57 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-08-11 04:48 . 2010-08-11 04:48 -------- d-----w- C:\Device
    2010-08-10 11:44 . 2010-08-10 11:44 -------- d-----w- c:\users\Ryan\AppData\Roaming\AVG9
    2010-08-10 11:39 . 2010-08-10 11:39 -------- d-----w- c:\program files\MSSOAP
    2010-08-10 11:39 . 2010-08-10 11:45 -------- d-----w- c:\programdata\Webroot
    2010-08-10 11:39 . 2010-08-10 11:39 -------- d-----w- c:\users\Ryan\AppData\Roaming\Webroot
    2010-08-10 11:39 . 2010-08-10 11:39 -------- d-----w- c:\program files\Webroot
    2010-08-10 11:39 . 2009-05-13 20:39 1563008 ----a-w- c:\windows\WRSetup.dll
    2010-08-10 02:24 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-10 02:24 . 2010-08-11 03:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-10 02:24 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-07 17:38 . 2010-08-07 17:39 -------- d-----w- c:\program files\LimeWire
    2010-07-21 22:32 . 2010-07-21 22:32 4368224 ----a-w- c:\programdata\avg9\update\backup\avgcorex.dll
    2010-07-21 22:32 . 2010-07-21 22:32 1615200 ----a-w- c:\programdata\avg9\update\backup\avgssie.dll
    2010-07-21 22:32 . 2010-07-21 22:32 1373536 ----a-w- c:\programdata\avg9\update\backup\avgssff.dll
    2010-07-21 22:32 . 2010-07-21 22:32 1107296 ----a-w- c:\programdata\avg9\update\backup\avgxpl.dll
    2010-07-19 06:38 . 2010-07-19 06:38 -------- d-----w- c:\program files\iPod
    2010-07-19 06:38 . 2010-07-19 06:39 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    2010-07-19 06:38 . 2010-07-19 06:39 -------- d-----w- c:\program files\iTunes
    2010-07-19 06:36 . 2010-07-19 06:36 -------- d-----w- c:\program files\QuickTime
    2010-07-19 06:34 . 2010-07-19 06:34 -------- d-----w- c:\program files\Bonjour
    2010-07-19 06:30 . 2010-07-19 06:30 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
    2010-07-15 16:03 . 2010-07-15 16:03 242896 ----a-w- c:\programdata\avg9\update\backup\avgtdix.sys
    2010-07-15 16:03 . 2010-07-15 16:03 216200 ----a-w- c:\programdata\avg9\update\backup\avgldx86.sys
    2010-07-15 16:03 . 2010-07-15 16:03 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-15 16:01 . 2010-07-15 16:01 624920 ----a-w- c:\programdata\avg9\update\backup\avgiproxy.exe
    2010-07-15 16:01 . 2010-07-15 16:01 1690464 ----a-w- c:\programdata\avg9\update\backup\avgupd.dll
    2010-07-15 16:01 . 2010-07-15 16:01 1038688 ----a-w- c:\programdata\avg9\update\backup\avgupd.exe
    2010-07-15 16:01 . 2010-07-15 16:01 813336 ----a-w- c:\programdata\avg9\update\backup\avginet.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-11 04:32 . 2010-03-16 23:36 -------- d-----w- c:\program files\Java
    2010-08-11 02:44 . 2010-08-07 17:41 -------- d-----w- c:\users\Ryan\AppData\Roaming\LimeWire
    2010-08-11 01:08 . 2010-03-12 01:33 -------- d-----w- c:\program files\Steam
    2010-08-10 05:10 . 2010-03-17 00:35 -------- d-----w- c:\programdata\avg9
    2010-08-10 05:08 . 2010-03-14 06:02 89240 ----a-w- c:\users\Ryan\AppData\Roaming\nvModes.dat
    2010-08-10 03:51 . 2010-03-18 08:42 117760 ----a-w- c:\users\Ryan\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-08-03 04:19 . 2010-06-05 06:38 -------- d-----w- c:\users\Ryan\AppData\Roaming\vlc
    2010-07-19 06:38 . 2010-03-21 23:42 -------- d-----w- c:\program files\Common Files\Apple
    2010-07-15 16:03 . 2010-03-17 00:35 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-15 16:02 . 2010-03-17 00:35 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-06-25 08:01 . 2010-03-09 18:11 -------- d-----w- c:\program files\Microsoft.NET
    2010-06-23 01:39 . 2010-06-23 01:03 -------- d-----w- c:\users\Ryan\AppData\Roaming\dvdcss
    2010-06-18 22:53 . 2010-06-18 22:53 -------- d-----w- c:\program files\MSXML 4.0
    2010-06-18 01:40 . 2010-06-18 01:40 -------- d-----w- c:\program files\InstallShield Installation Information
    2010-06-18 01:36 . 2010-06-18 01:36 -------- d-----w- c:\program files\Microsoft Games
    2010-06-18 01:31 . 2010-03-10 02:35 -------- d-----w- c:\program files\Common Files\InstallShield
    2010-06-18 01:28 . 2010-06-18 01:27 -------- d-----w- c:\program files\MagicDisc
    2010-06-18 01:22 . 2010-06-18 01:21 -------- d-----w- c:\program files\MagicISO
    2010-06-15 02:44 . 2010-04-09 06:27 95744 ----a-w- c:\programdata\SpeedBit\DAP\SDCondition.dll
    2010-06-03 04:38 . 2010-03-17 00:35 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
    2010-05-27 07:24 . 2010-06-09 04:07 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-27 03:49 . 2010-06-09 04:07 293888 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-21 05:18 . 2010-06-09 04:07 977920 ----a-w- c:\windows\system32\wininet.dll
    2010-05-19 01:40 . 2010-05-19 01:40 1063320 ----a-w- c:\users\Ryan\gotomypc_533.exe
    2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
    2010-05-18 21:35 . 2010-05-18 21:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
    2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
    2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
    2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF6C3CF0-4B15-11D1-ABED-709549C10000}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DownloadAccelerator"="c:\program files\DAP\DAP.EXE" [2010-04-09 2815488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-02-16 857648]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-16 8534560]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
    "SpySweeper"="c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe" [2009-05-13 6345840]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorAdmin"= 0 (0x0)
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)
    "PromptOnSecureDesktop"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
    @="FSFilter System Recovery"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
    @="Service"

    [HKLM\~\startupfolder\C:^Users^Ryan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
    path=c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
    backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
    backupExtension=.Startup

    [HKLM\~\startupfolder\C:^Users^Ryan^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MagicDisc.lnk]
    path=c:\users\Ryan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk
    backup=c:\windows\pss\MagicDisc.lnk.Startup
    backupExtension=.Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-04-04 05:42 36272 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DisplayFusion]
    2009-10-14 17:52 631984 ----a-w- c:\program files\DisplayFusion\DisplayFusion.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
    2010-04-09 05:53 2815488 ----a-w- c:\program files\DAP\DAP.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
    2009-12-21 22:15 818288 ----a-w- c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
    2010-03-18 08:30 136176 ----atw- c:\users\Ryan\AppData\Local\Google\Update\GoogleUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2010-06-15 21:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2007-11-16 08:33 81920 ----a-w- c:\windows\System32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvSvc]
    2007-11-16 08:33 86016 ----a-w- c:\windows\System32\nvsvc.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-03-19 03:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    2010-05-07 03:18 1238352 ----a-w- c:\program files\Steam\Steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 18:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2010-02-18 23:40 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

    R2 .1268156579SsTR;1268156579SsTR;c:\programdata\Webroot\Ryan612106.exe [2009-06-01 343435]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [x]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-03-09 1343400]
    S0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\DRIVERS\Si3531.sys [2009-02-06 212520]
    S0 ssfs0bbc;ssfs0bbc;c:\windows\system32\DRIVERS\ssfs0bbc.sys [2009-04-21 29808]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-07-15 216400]
    S1 AvgTdiX;AVG Free Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-07-15 243024]
    S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
    S2 ASO3DiskOptimizer;ASO3DiskOptimizer;c:\program files\Advanced System Optimizer 3\ASO3DefragSrv.exe [2009-11-07 239336]
    S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-15 308136]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-04-29 304464]
    S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-05-21 173352]
    S2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\WebrootSecurity\WRConsumerService.exe [2010-08-10 1205760]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-04-29 20952]
    S3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\netw5v32.sys [2009-07-13 4231168]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2010-03-04 277536]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    iissvcs REG_MULTI_SZ w3svc was
    apphost REG_MULTI_SZ apphostsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-10 c:\windows\Tasks\ASOService.job
    - c:\program files\Advanced System Optimizer 3\ASO3.exe [2010-03-18 22:57]

    2010-08-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1273913578-3771317205-1214252594-1000Core.job
    - c:\users\Ryan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-18 08:30]

    2010-08-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1273913578-3771317205-1214252594-1000UA.job
    - c:\users\Ryan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-18 08:30]

    2010-08-10 c:\windows\Tasks\wrSpySweeper_L296DE3A33A8241E8B472AD6D4768D1D9.job
    - c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-08-10 20:39]

    2010-08-10 c:\windows\Tasks\wrSpySweeper_L296DE3A33A8241E8B472AD6D4768D1D9.job
    - c:\program files\Webroot\WebrootSecurity\SpySweeperUI.exe [2010-08-10 20:39]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://home.speedbit.com/?aff=205
    uInternet Settings,ProxyOverride = *.local
    IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
    IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
    IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
    FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\adyp6va2.default\
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=zpwhtygjntrz&scc=1&ltmpl=default&ltmplcache=2|http://bodybuilding.com/|http://www.facebook.com/|http://www.youtube.com/google.com
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\users\Ryan\AppData\Local\Google\Update\1.2.183.29\npGoogleOneClick8.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    SafeBoot-dmboot.sys
    SafeBoot-dmio.sys
    SafeBoot-dmload.sys
    SafeBoot-dmadmin
    SafeBoot-dmserver
    SafeBoot-SRService


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    "MSCurrentCountry"=dword:000000b5

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    @Denied: (Full) (Everyone)
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
    c:\windows\system32\taskhost.exe
    c:\program files\AVG\AVG9\avgnsx.exe
    c:\windows\system32\conhost.exe
    c:\windows\system32\WUDFHost.exe
    c:\program files\AVG\AVG9\avgchsvx.exe
    c:\program files\AVG\AVG9\avgrsx.exe
    c:\program files\AVG\AVG9\avgcsrvx.exe
    c:\program files\AVG\AVG9\avgtray.exe
    c:\program files\Windows Media Player\wmpnetwk.exe
    c:\program files\Webroot\WebrootSecurity\SSU.EXE
    c:\windows\system32\sppsvc.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-11 00:03:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-11 05:03

    Pre-Run: 279,296,266,240 bytes free
    Post-Run: 279,021,432,832 bytes free

    - - End Of File - - 03B29F0355A7DACF127AD286CDBAB5FC
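    One item in the ComboFix output above that a reviewer would check separately from the malware question is the `policies\system` block: `EnableLUA`, `ConsentPromptBehaviorAdmin` and `PromptOnSecureDesktop` are all 0, which on Windows 7 means User Account Control is switched off and elevation happens without a prompt, so any process the user runs already has full administrative rights. The following Python script is an added example, not code from the thread or from ComboFix: it parses a `REGEDIT4`-style block in the layout ComboFix prints (`"Name"= value (0xhex)` lines under a bracketed key) and compares the UAC values against the Windows 7 defaults, which are used here as the baseline (an assumption of this example, taken from the documented defaults: `EnableLUA=1`, `ConsentPromptBehaviorAdmin=5`, `ConsentPromptBehaviorUser=3`, `PromptOnSecureDesktop=1`, `EnableUIADesktopToggle=0`). The sample block is constructed to mirror the values in the log above.

```python
"""Audit UAC policy values in a ComboFix-style registry dump (added example, not from the thread)."""
import re

# Constructed sample mirroring the policies\system block printed in the log above.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll
"""

UAC_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"

# Windows 7 defaults, used as the baseline (assumption of this example).
BASELINE = {
    "EnableLUA": (1, "UAC is disabled; every process runs with the full admin token"),
    "ConsentPromptBehaviorAdmin": (5, "admins elevate without any prompt"),
    "ConsentPromptBehaviorUser": (3, "standard-user elevation behaviour changed"),
    "PromptOnSecureDesktop": (1, "elevation prompt not shown on the secure desktop"),
    "EnableUIADesktopToggle": (0, "UIAccess apps may disable the secure desktop"),
}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(-?\d+)\s*\(0x[0-9a-fA-F]+\)$')


def parse_reg_block(text):
    """Return {key (lower-cased): {name: int}} for numeric values; other lines are ignored."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2))
    return keys


def audit_uac(keys):
    """Compare the UAC policy values against BASELINE; return one finding per deviation."""
    values = keys.get(UAC_KEY, {})
    findings = []
    for name, (expected, meaning) in BASELINE.items():
        actual = values.get(name)
        if actual is None:
            continue  # ComboFix omits default entries, so a missing value is the default
        if actual != expected:
            findings.append({"name": name, "actual": actual, "expected": expected, "meaning": meaning})
    return findings


if __name__ == "__main__":
    for f in audit_uac(parse_reg_block(SAMPLE_REG)):
        print(f"{f['name']}={f['actual']} (default {f['expected']}): {f['meaning']}")
```

    A missing value is treated as the default because the log itself says "empty entries & legit default entries are not shown"; only values the dump actually prints are compared.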
     
  5. crunchie

    crunchie Malware Helper Posts: 728

    All P2P programs like LimeWire open up your computer to attack. The firewall is left open to those ports allowing the file sharing and any infection can get in.
    It is probably one of the top ways of getting infected.

    ==

    That log looks ok. How is the pc?
     
  6. Ryan250

    Ryan250 TS Rookie Topic Starter

    Other than completely removing LimeWire, is there anything I can do to reduce the chance of this happening?
     
  7. crunchie

    crunchie Malware Helper Posts: 728

    You have to keep your security programs up-to-date, as well as keeping Windows updated too. Be careful where you surf and use a secure browser.
    Hint: Opera :D

    How is the PC?
     
  8. Ryan250

    Ryan250 TS Rookie Topic Starter

    PC seems fine now, thanks so much.
     
  9. crunchie

    crunchie Malware Helper Posts: 728

    No worries :).

    To remove all of the tools we used and the files and folders they created, please do the following:
    Please download OTC by OldTimer:
    Save it to your Desktop.
    Double click OTC.exe.
    Click the CleanUp! button.
    If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.
     