I ran over 5 well-known anti-virus/anti-spyware programs (Webroot, SAS, Malwarebytes, AVG, AdAware - even in safe mode), still no luck. Google searches are still hijacked. Flushed my DNS too. Cleared all temp files. The works, folks. Never dealt with something this stubborn before.
Here are the logs...
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-10 23:08:00
Windows 6.1.7600
Running: w1t5j3ue.exe; Driver: C:\Users\Ryan\AppData\Local\Temp\kxldrpog.sys
---- System - GMER 1.0.15 ----
SSDT 85CBFDC8 ZwAllocateVirtualMemory
SSDT 85C805B8 ZwCreateProcess
SSDT 85C803B0 ZwCreateProcessEx
SSDT 85C801D0 ZwCreateThread
SSDT 85CBFBE8 ZwCreateThreadEx
SSDT 85CBFC60 ZwCreateUserProcess
SSDT 85CBFE40 ZwQueueApcThread
SSDT 85CBFCD8 ZwReadVirtualMemory
SSDT 85CBFF30 ZwSetContextThread
SSDT 89750E90 ZwSetDefaultHardErrorPort
SSDT 85C802C0 ZwSetInformationProcess
SSDT 85CBFFA8 ZwSetInformationThread
SSDT 85C80248 ZwSuspendProcess
SSDT 85CBFEB8 ZwSuspendThread
SSDT 85C80338 ZwTerminateProcess
SSDT 85CBF020 ZwTerminateThread
SSDT 85CBFD50 ZwWriteVirtualMemory
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A32AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A32104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A323F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1B2D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A1A898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A321DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A32958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A326F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A32F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82A331A8
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A92599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB6F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 82ABE74C 4 Bytes [C8, FD, CB, 85] {ENTER 0xcbfd, 0x85}
.text ntkrnlpa.exe!RtlSidHashLookup + 32C 82ABE83C 8 Bytes [B8, 05, C8, 85, B0, 03, C8, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 34C 82ABE85C 8 Bytes [D0, 01, C8, 85, E8, FB, CB, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 364 82ABE874 4 Bytes [60, FC, CB, 85]
.text ntkrnlpa.exe!RtlSidHashLookup + 624 82ABEB34 4 Bytes [40, FE, CB, 85]
.text ...
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x91416340, 0x39BD97, 0xE8000020]
.text peauth.sys 9C4B3C9D 28 Bytes [C4, BA, 41, 9C, 78, F2, 41, ...]
.text peauth.sys 9C4B3CC1 28 Bytes [C4, BA, 41, 9C, 78, F2, 41, ...]
PAGE peauth.sys 9C4B9E20 101 Bytes [C9, 79, D4, 5E, 1C, DF, 97, ...]
PAGE peauth.sys 9C4BA02C 102 Bytes [50, F6, 57, F7, EF, 84, F4, ...]
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[1372] ntdll.dll!NtProtectVirtualMemory 77665380 5 Bytes JMP 001D000A
.text C:\Windows\system32\svchost.exe[1372] ntdll.dll!NtWriteVirtualMemory 77665F00 5 Bytes JMP 001E000A
.text C:\Windows\system32\svchost.exe[1372] ntdll.dll!KiUserExceptionDispatcher 77666448 5 Bytes JMP 001C000A
.text C:\Windows\system32\svchost.exe[1372] ole32.dll!CoCreateInstance 766957FC 5 Bytes JMP 0041000A
.text C:\Windows\explorer.exe[5936] ntdll.dll!NtProtectVirtualMemory 77665380 5 Bytes JMP 0062000A
.text C:\Windows\explorer.exe[5936] ntdll.dll!NtWriteVirtualMemory 77665F00 5 Bytes JMP 0063000A
.text C:\Windows\explorer.exe[5936] ntdll.dll!KiUserExceptionDispatcher 77666448 5 Bytes JMP 0061000A
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\BTHUSB \Device\0000007c bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000007e bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86915EC5
---- Threads - GMER 1.0.15 ----
Thread System [4:2500] 9C2C4F2E
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e4ceabb29
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e4ceabb29 (not active ControlSet)
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\Ryans Programs\FlashCS3Proressional\Adobe® Flash® CS3 Professional 5-5\Adobe CS3\Setup.exe 1
---- EOF - GMER 1.0.15 ----
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4412
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
8/9/2010 11:34:51 PM
mbam-log-2010-08-09 (23-34-51).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 238511
Time elapsed: 1 hour(s), 22 minute(s), 14 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\Windows\System32\chgputil.dll (Spyware.Passwords) -> Delete on reboot.
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\System32\chgputil.dll (Spyware.Passwords) -> Delete on reboot.
C:\Windows\Temp\svchost.exe (Heuristics.Shuriken) -> Quarantined and deleted successfully.
END OF MALWAREBYTES LOG
---------------------------------------------------------------------------
Thanks guys/gals!!!
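The GMER log above is easier to work through if you separate the entries that GMER could attribute to a named driver or DLL (every AttachedDevice line carries a file name and vendor, e.g. avgtdix.sys or fvevol.sys) from the entries that only show a bare hex address: the SSDT rows, the 5-byte JMP patches on ntdll.dll exports inside svchost.exe and explorer.exe, the "Device -> \Driver\atapi \Device\Harddisk0\DR0 86915EC5" row, and the System thread at 9C2C4F2E. Below is a small triage script written for this thread; it is an added example, not GMER's code and not something the poster ran. The severity labels and the "same export hooked in more than one process" heuristic are my own assumptions, the sample log is constructed from a subset of the lines posted above, and the script deliberately does not name a malware family: it only points at the rows that need attribution. Note the caveat it encodes for SSDT rows, since the installed Webroot and AVG drivers visible in the Devices section are exactly the kind of software that also hooks the SSDT.

```python
"""Triage helper for GMER 1.0.15 rootkit-scan logs (added example, not GMER's own code)."""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample in GMER's log format, modelled on the log posted above;
# paths and addresses mirror that post but this is not the full log.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT 85CBFDC8 ZwAllocateVirtualMemory
SSDT 85C805B8 ZwCreateProcess
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[1372] ntdll.dll!NtProtectVirtualMemory 77665380 5 Bytes JMP 001D000A
.text C:\Windows\system32\svchost.exe[1372] ole32.dll!CoCreateInstance 766957FC 5 Bytes JMP 0041000A
.text C:\Windows\explorer.exe[5936] ntdll.dll!NtProtectVirtualMemory 77665380 5 Bytes JMP 0062000A
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\BTHUSB \Device\0000007c bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 86915EC5
---- Threads - GMER 1.0.15 ----
Thread System [4:2500] 9C2C4F2E
---- EOF - GMER 1.0.15 ----
"""

# Line shapes taken from the GMER 1.0.15 output format.
SSDT_RE = re.compile(r"^SSDT ([0-9A-F]{8}) (Zw\w+)$")
USER_JMP_RE = re.compile(
    r"^\.text (\S+)\[(\d+)\] (\S+)!(\w+) ([0-9A-F]{8}) (\d+) Bytes JMP ([0-9A-F]{8})$")
DEVICE_REDIRECT_RE = re.compile(r"^Device -> (\S+) (\S+) ([0-9A-F]{8})$")
DEVICE_NAMED_RE = re.compile(r"^(AttachedDevice|Device) (\S+) (\S+) (\S+\.(?:sys|dll)) \((.*)\)$")
THREAD_RE = re.compile(r"^Thread (\S+) \[(\d+):(\d+)\] ([0-9A-F]{8})$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" | "review" | "info" (assumed labels, see lead-in)
    category: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def triage(log_text: str) -> list[Finding]:
    """Classify each GMER line. Bare hex addresses where GMER would normally
    print a module name are the thing to chase: GMER could not map that code
    to any loaded driver or DLL."""
    findings: list[Finding] = []
    hooks: dict[tuple[str, str], dict[str, str]] = defaultdict(dict)  # (dll, fn) -> {proc: target}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if m := SSDT_RE.match(line):
            addr, fn = m.groups()
            findings.append(Finding("review", "ssdt-hook",
                f"{fn} -> {addr}; no owning module shown, attribute before judging "
                "(security suites also hook the SSDT)"))
        elif m := USER_JMP_RE.match(line):
            proc, pid, dll, fn, _at, _n, target = m.groups()
            hooks[(dll, fn)][f"{_basename(proc)}[{pid}]"] = target
        elif m := DEVICE_REDIRECT_RE.match(line):
            drv, dev, addr = m.groups()
            findings.append(Finding("high", "device-redirect",
                f"{dev} ({drv}) dispatches to bare address {addr}; every other device "
                "entry names a .sys and a vendor, this one does not"))
        elif m := DEVICE_NAMED_RE.match(line):
            _kind, drv, dev, module, desc = m.groups()
            findings.append(Finding("info", "device", f"{dev} <- {module} ({desc})"))
        elif m := THREAD_RE.match(line):
            proc, pid, tid, addr = m.groups()
            findings.append(Finding("review", "unmapped-kernel-thread",
                f"thread {pid}:{tid} in {proc} runs at {addr}, not mapped to a module"))
    # Assumed heuristic: one export patched identically across several processes
    # usually means one injected component, so rank it above a single-process hook.
    for (dll, fn), procs in hooks.items():
        sev = "high" if len(procs) > 1 else "review"
        where = ", ".join(f"{p} -> {t}" for p, t in sorted(procs.items()))
        findings.append(Finding(sev, "usermode-inline-hook",
            f"{dll}!{fn} overwritten with a 5-byte JMP in {len(procs)} process(es): {where}; "
            "check which module owns each JMP target"))
    return findings


def by_category(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.category for f in findings))


def by_severity(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    order = {"high": 0, "review": 1, "info": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.category}: {f.detail}")
```

Run it against a saved GMER log by passing the file contents to triage(); the "high" rows are the ones to resolve first by finding out which loaded module, if any, owns the bare address, and the "review" rows need the installed security products ruled out before they count as evidence.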