
RootKit.Agent Trojan


  • This topic is locked
4 replies to this topic

#1 malomalo


Posted 08 April 2010 - 11:29 PM

I'm very sorry for posting all the reports you wanted as I have without attachments. I know you wanted files for most, but my laptop is crashing and freezing ..so I am scrambling to get info to you before it freezes up or crashes again. I think I have done everything required ..except for sending most as attachments ....sorry again. PLEASE!!!

I will try to send again as you requested by sending attachments after rebooting ..wish me luck.....


My laptop is infected with the RootKit.Agent Trojan. The Malwarebytes log below says it was quarantined and deleted ..but HijackThis shows it's still there (have run HJT twice). When I try to manually delete, I get the "A device attached to the system is not functioning" message.

The laptop has crashed once and froze up and auto-rebooted once ..so I'm getting as much as I can in a message with Notepad and saving often to prevent too much loss. Sorry, I didn't write down the exact message ..but will if it crashes again.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

4/8/2010 3:06:11 PM
mbam-log-2010-04-08 (15-06-11).txt

Scan type: Quick scan
Objects scanned: 107646
Time elapsed: 6 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\zuxgwfml.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

..............

Symptoms:

Some desktop icons switch images ..and show up in address bar too
The main symptom is all functions work very slow
misdirected browser (internet explorer) to Gateway Computer pg (I have Gateway laptop)
previously mentioned crash
It seems to be getting slower

..................................

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-08 19:14:21
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Mike\AppData\Local\Temp\kwldypow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwClose [0x8E0BDA74] <-- ROOTKIT !!!
SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwCreateFile [0x8E0BD48E] <-- ROOTKIT !!!
SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwCreateKey [0x8E0BD16A] <-- ROOTKIT !!!
SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwCreateSection [0x8E0BEB10] <-- ROOTKIT !!!
SSDT A90F88CC ZwCreateThread
SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwDeleteKey [0x8E0BD286] <-- ROOTKIT !!!
SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwDeleteValueKey [0x8E0BD36C] <-- ROOTKIT !!!
SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwLoadDriver [0x8E0BDD38] <-- ROOTKIT !!!
SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwOpenFile [0x8E0BD7D0] <-- ROOTKIT !!!
SSDT A90F88B8 ZwOpenProcess
SSDT A90F88BD ZwOpenThread
SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwSetValueKey [0x8E0BCFDA] <-- ROOTKIT !!!
SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwTerminateProcess [0x8E0BDC76] <-- ROOTKIT !!!
SSDT \??\C:\Windows\system32\drivers\sp_rsdrv2.sys ZwWriteFile [0x8E0BD8FC] <-- ROOTKIT !!!

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86A43D40

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] zuxgwfml <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\zuxgwfml@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\zuxgwfml@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\zuxgwfml@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\zuxgwfml@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\zuxgwfml@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\zuxgwfml@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\zuxgwfml@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\zuxgwfml@Group Boot Bus Extender
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xE9 0x02 0x6C 0xFA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\Windows\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 31: copy of MBR

---- EOF - GMER 1.0.15 ----


DDS (Ver_10-03-17.01) - NTFSx86
Run by Mike at 22:42:16.92 on Wed 04/07/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.851 [GMT -7:00]

SP: Avira AntiVir PersonalEdition *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\AOL\1185154806\ee\aolsoftware.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AOL 9.0b\waol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL 9.0b\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\FirewallControlPanel.exe
C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KSK8D4LC\Defogger[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7PJ90M1M\dds[1].scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.msn.com
uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6816
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AOL Fast Start] "c:\program files\aol 9.0b\AOL.EXE" -b
mRun: [NWEReboot]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [HostManager] c:\program files\common files\aol\1185154806\ee\AOLSoftware.exe
mRun: [F5D8051v3] c:\program files\belkin\f5d8051v3\Belkinwcui.exe
mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
mRun: [BigFix] c:\program files\bigfix\bigfix.exe /atstartup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1270135792306
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-24 64288]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-24 11608]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-2-20 138624]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-24 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-24 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-24 56816]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-10-6 1153368]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-20 135664]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-5-31 29744]
S3 MsDepSvc;Web Deployment Agent Service;c:\program files\iis\microsoft web deploy\MsDepSvc.exe [2010-1-19 55184]
S3 netr28u;Belkin N1 Wireless USB Adapter Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2008-10-18 552448]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-3-31 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

=============== Created Last 30 ================

2010-04-07 23:51:10 0 ----a-w- c:\users\mike\defogger_reenable
2010-04-07 22:36:39 0 d-----w- c:\program files\GiPo@Utilities
2010-04-07 22:36:39 0 d-----w- c:\program files\common files\Gibinsoft Shared
2010-04-07 17:46:24 0 d-----w- c:\users\mike\appdata\roaming\Uniblue
2010-04-07 06:54:27 823808 ----a-w- c:\windows\system32\drivers\zuxgwfml.sys
2010-04-01 17:41:23 0 ----a-w- c:\windows\cedt.INI
2010-04-01 17:39:46 0 d-----w- c:\program files\Emerald Editor Community
2010-03-31 21:28:31 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2010-03-31 21:28:11 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2010-03-31 21:26:25 0 d-----w- c:\windows\system32\RsFx
2010-03-31 21:24:22 0 d-----w- c:\windows\system32\1033
2010-03-31 21:20:44 0 d-----w- c:\program files\Microsoft SQL Server
2010-03-31 21:04:24 0 d-----w- c:\program files\Microsoft
2010-03-31 20:03:46 0 d-----w- c:\program files\WinNetstat
2010-03-31 08:48:33 0 d-----w- c:\program files\IIS
2010-03-30 18:58:25 22 ----a-w- c:\windows\VFO.INI
2010-03-30 18:03:01 0 d-----w- C:\wamp
2010-03-30 16:17:56 0 d-----w- C:\memorial
2010-03-30 04:39:35 0 d-----w- C:\wordpress
2010-03-29 20:16:21 0 d-----w- c:\programdata\MySQL
2010-03-29 20:15:34 0 d-----w- c:\program files\PHP
2010-03-29 20:11:58 0 d-----w- c:\program files\MySQL
2010-03-29 20:10:01 0 d-----w- C:\inetpub
2010-03-10 11:03:09 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-03-10 11:01:05 14848 ----a-w- c:\windows\system32\iisreset.exe
2010-03-10 11:01:04 8192 ----a-w- c:\windows\system32\iisrstap.dll
2010-03-10 11:01:04 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-10 11:01:04 153600 ----a-w- c:\windows\system32\iisRtl.dll
2010-03-10 11:01:03 51712 ----a-w- c:\windows\system32\admwprox.dll
2010-03-10 11:01:02 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-10 11:01:02 27136 ----a-w- c:\windows\system32\ahadmin.dll
2010-03-10 11:01:01 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-10 11:00:59 10752 ----a-w- c:\windows\system32\wamregps.dll

==================== Find3M ====================

2010-03-30 07:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-27 16:13:11 342 ----a-w- c:\users\mike\appdata\roaming\wklnhst.dat
2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 16:34:39 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-24 16:34:31 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-04 15:12:47 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-04 15:12:47 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-04 15:12:47 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-19 11:17:57 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-12-17 14:42:56 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-18 18:37:05 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-10-18 18:37:05 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-10-18 18:37:05 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-10-18 18:37:05 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 22:43:44.94 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 5/31/2007 10:16:43 PM
System Uptime: 4/7/2010 5:06:42 PM (5 hours ago)

Motherboard: Gateway | |
Processor: Intel® Core™2 Duo CPU T5250 @ 1.50GHz | U2E1 | 1500/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 138 GiB total, 25.864 GiB free.
D: is FIXED (NTFS) - 11 GiB total, 4.415 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1054: 4/5/2010 10:29:12 AM - Windows Update
RP1055: 4/6/2010 5:52:06 PM - Scheduled Checkpoint
RP1056: 4/7/2010 7:24:42 AM - Scheduled Checkpoint
RP1057: 4/7/2010 11:03:09 AM - Removed StartupMonitor
RP1058: 4/7/2010 3:36:05 PM - Installed GiPo@MoveOnBoot 1.9.5

==== Installed Programs ======================


Activation Assistant for the 2007 Microsoft Office suites
Ad-Aware
Ad-Aware Email Scanner for Outlook
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.3
Agere Systems HDA Modem
AnswerWorks 5.0 English Runtime
AOL Uninstaller (Choose which Products to Remove)
Apophysis 2.0
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AutoUpdate
avi.NET v2.5.6.0
Avira AntiVir Personal - Free Antivirus
AviSynth 2.5
Bejeweled 2 Deluxe
Belkin N1 Wireless USB Adapter
Blackhawk Striker 2
Blasterball 3
Bonjour
Browser Address Error Redirector
Camera Assistant Software for Gateway
Canon Digital Camera Solution Disk 40-46 Software Starter Guide
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon Personal Printing Guide
Canon PowerShot SD1200 IS_IXUS 95 IS Camera User Guide
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Comcast High-Speed Internet Install Wizard
Crimson Editor SVN263
Digital Photo Navigator 1.5
Diner Dash - Flo on the Go
DVD Shrink 3.2
DVD To AVI Converter 1.10
Facebook Plug-In
FairUse Wizard 2.6
Family Feud 2
FATE
Free Create-Burn ISO Image v2.0
Gateway Connect
Gateway Game Console
Gateway Recovery Center Installer
GiPo@MoveOnBoot 1.9.5
Google Desktop
Google Earth
Google Gears
Google SketchUp 6
Google Toolbar for Internet Explorer
Google Update Helper
Google Video Uploader
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
IIS URL Rewrite Module 2
Imagicon
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
Internet Information Services (IIS) 7 Manager
iTunes
Java™ SE Runtime Environment 6 Update 1
Linkit_eBay
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Digital Image Library 9 - Blocker
Microsoft Digital Image Starter Edition 2006
Microsoft Digital Image Starter Edition 2006 Editor
Microsoft Digital Image Starter Edition 2006 Library
Microsoft Money 2006
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft SQL Server 2008
Microsoft SQL Server 2008 Browser
Microsoft SQL Server 2008 Common Files
Microsoft SQL Server 2008 Database Engine Services
Microsoft SQL Server 2008 Database Engine Shared
Microsoft SQL Server 2008 Native Client
Microsoft SQL Server 2008 RsFx Driver
Microsoft SQL Server 2008 Setup Support Files
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Web Platform Installer 2.0
Microsoft Works
Move Media Player
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MySQL Connector Net 5.2.5
MySQL Server 5.1
neroxml
OGA Notifier 2.0.0048.0
PCsync
Penguins!
PhotoNow!
PHP 5.2.13
Pinnacle Instant DVD Recorder
Pinnacle USB device drivers 2
Polar Bowler
Polar Golfer
Power2Go 5.0
PowerCinema NE for Everio
PowerDirector
PowerDirector Express
PowerProducer
proDAD Heroglyph 2.5
QuickTime
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista
Realtek USB 2.0 Card Reader
RTC Client API v1.2
Safari
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB969604)
Service Pack 1 for SQL Server 2008 (KB968369)
SigmaTel Audio
Spybot - Search & Destroy
Spyware Terminator
Sql Server Customer Experience Improvement Program
Studio 10.8 Patch
Sweet Home 3D version 1.4
Synaptics Pointing Device Driver
Tradewinds
TurboTax 2008
TurboTax 2008 wcaiper
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
TurboTax Home & Business 2007
Update for 2007 Microsoft Office System (KB967642)
Update for 2007 Microsoft Office System (KB977724)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Veoh Video Uploader
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VobSub v2.23 (Remove Only)
Web Deployment Tool
Windows Cache Extension 1.0 for PHP 5.2
WinNetstat
YouTube Uploader

==== Event Viewer Messages From Past Week ========

4/7/2010 5:07:32 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
4/7/2010 5:07:19 PM, Error: Microsoft-Windows-WAS [1174] - The World Wide Web Publishing Service (WWW Service) failed to create binding string for site 2. Please verify that site binding (*:80: ) is in correct format and do not contain any invalid characters.
4/7/2010 4:08:31 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
4/7/2010 4:08:30 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the iPod Service service to connect.
4/7/2010 4:08:30 AM, Error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/7/2010 10:08:53 AM, Error: Service Control Manager [7022] - The Windows Update service hung on starting.
4/7/2010 10:07:34 AM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
4/7/2010 10:07:34 AM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/7/2010 10:07:34 AM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
4/7/2010 10:06:23 PM, Error: Schannel [36874] - An SSL connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
4/7/2010 10:02:46 AM, Error: EventLog [6008] - The previous system shutdown at 10:00:35 AM on 4/7/2010 was unexpected.
4/6/2010 11:54:30 PM, Error: Service Control Manager [7000] - The Intel® 82801 Audio Driver Install Service (WDM) service failed to start due to the following error: A device attached to the system is not functioning.
4/6/2010 11:33:17 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {9BA05972-F6A8-11CF-A442-00A0C90A8F39} to the user Mike-PC\Mike SID (S-1-5-21-1306207695-4147886383-1349228797-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
4/6/2010 11:30:41 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820} to the user Mike-PC\Mike SID (S-1-5-21-1306207695-4147886383-1349228797-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
4/6/2010 11:30:31 PM, Error: Microsoft-Windows-DistributedCOM [10016] - The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID {682159D9-C321-47CA-B3F1-30E36B2EC8B9} to the user Mike-PC\Mike SID (S-1-5-21-1306207695-4147886383-1349228797-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
4/1/2010 8:39:44 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {E60687F7-01A1-40AA-86AC-DB1CBF673334} to the user Mike-PC\Mike SID (S-1-5-21-1306207695-4147886383-1349228797-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
3/31/2010 11:55:14 AM, Error: Service Control Manager [7024] - The Apache2.2 service terminated with service-specific error 1 (0x1).

==== End Of File ===========================

Seems to be working OK now. Can't figure it out. Don't know if it matters, but here's the post with attachments.

Symptoms:

Some desktop icons switch images ..and show up in address bar too
The main symptom is all functions work very slow
misdirected browser (internet explorer) to Gateway Computer pg (I have Gateway laptop)
previously mentioned crash
It seems to be getting slower



DDS (Ver_10-03-17.01) - NTFSx86
Run by Mike at 22:42:16.92 on Wed 04/07/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.851 [GMT -7:00]

SP: Avira AntiVir PersonalEdition *enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Common Files\AOL\1185154806\ee\aolsoftware.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Windows\sttray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\AOL 9.0b\waol.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AOL 9.0b\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\FirewallControlPanel.exe
C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KSK8D4LC\Defogger[1].exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Mike\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7PJ90M1M\dds[1].scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.msn.com
uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=M-6816
uInternet Settings,ProxyOverride = <local>;*.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\google\BAE.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AOL Fast Start] "c:\program files\aol 9.0b\AOL.EXE" -b
mRun: [NWEReboot]
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [HostManager] c:\program files\common files\aol\1185154806\ee\AOLSoftware.exe
mRun: [F5D8051v3] c:\program files\belkin\f5d8051v3\Belkinwcui.exe
mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
mRun: [BigFix] c:\program files\bigfix\bigfix.exe /atstartup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1270135792306
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-24 64288]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-24 11608]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-2-20 138624]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-24 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-24 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-24 56816]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1265264]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-10-6 1153368]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-20 135664]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-5-31 29744]
S3 MsDepSvc;Web Deployment Agent Service;c:\program files\iis\microsoft web deploy\MsDepSvc.exe [2010-1-19 55184]
S3 netr28u;Belkin N1 Wireless USB Adapter Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2008-10-18 552448]
S3 NETw2v32;Intel® PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-3-31 47128]
S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]

=============== Created Last 30 ================

2010-04-07 23:51:10 0 ----a-w- c:\users\mike\defogger_reenable
2010-04-07 22:36:39 0 d-----w- c:\program files\GiPo@Utilities
2010-04-07 22:36:39 0 d-----w- c:\program files\common files\Gibinsoft Shared
2010-04-07 17:46:24 0 d-----w- c:\users\mike\appdata\roaming\Uniblue
2010-04-07 06:54:27 823808 ----a-w- c:\windows\system32\drivers\zuxgwfml.sys
2010-04-01 17:41:23 0 ----a-w- c:\windows\cedt.INI
2010-04-01 17:39:46 0 d-----w- c:\program files\Emerald Editor Community
2010-03-31 21:28:31 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.1.2531.0.dll
2010-03-31 21:28:11 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.1.2531.0.dll
2010-03-31 21:26:25 0 d-----w- c:\windows\system32\RsFx
2010-03-31 21:24:22 0 d-----w- c:\windows\system32\1033
2010-03-31 21:20:44 0 d-----w- c:\program files\Microsoft SQL Server
2010-03-31 21:04:24 0 d-----w- c:\program files\Microsoft
2010-03-31 20:03:46 0 d-----w- c:\program files\WinNetstat
2010-03-31 08:48:33 0 d-----w- c:\program files\IIS
2010-03-30 18:58:25 22 ----a-w- c:\windows\VFO.INI
2010-03-30 18:03:01 0 d-----w- C:\wamp
2010-03-30 16:17:56 0 d-----w- C:\memorial
2010-03-30 04:39:35 0 d-----w- C:\wordpress
2010-03-29 20:16:21 0 d-----w- c:\programdata\MySQL
2010-03-29 20:15:34 0 d-----w- c:\program files\PHP
2010-03-29 20:11:58 0 d-----w- c:\program files\MySQL
2010-03-29 20:10:01 0 d-----w- C:\inetpub
2010-03-10 11:03:09 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-03-10 11:01:05 14848 ----a-w- c:\windows\system32\iisreset.exe
2010-03-10 11:01:04 8192 ----a-w- c:\windows\system32\iisrstap.dll
2010-03-10 11:01:04 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-03-10 11:01:04 153600 ----a-w- c:\windows\system32\iisRtl.dll
2010-03-10 11:01:03 51712 ----a-w- c:\windows\system32\admwprox.dll
2010-03-10 11:01:02 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-03-10 11:01:02 27136 ----a-w- c:\windows\system32\ahadmin.dll
2010-03-10 11:01:01 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-03-10 11:00:59 10752 ----a-w- c:\windows\system32\wamregps.dll

==================== Find3M ====================

2010-03-30 07:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-27 16:13:11 342 ----a-w- c:\users\mike\appdata\roaming\wklnhst.dat
2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 16:34:39 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-02-24 16:34:31 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-23 06:39:13 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33:45 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33:45 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55:36 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-04 15:12:47 86016 ----a-w- c:\windows\inf\infstor.dat
2010-02-04 15:12:47 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-04 15:12:47 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-01-23 09:26:13 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-19 11:17:57 665600 ----a-w- c:\windows\inf\drvindex.dat
2008-12-17 14:42:56 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-10-18 18:37:05 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-10-18 18:37:05 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-10-18 18:37:05 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2009-10-18 18:37:05 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat

============= FINISH: 22:43:44.94 ===============


Edited by Budapest, 09 April 2010 - 05:01 PM.
Posts merged ~BP




#2 malomalo

malomalo
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:30 PM

Posted 11 April 2010 - 08:27 PM

I am withdrawing my request for help. Getting help elsewhere as time is running out and I need my laptop to complete my taxes before the deadline. Thanks anyway and best to you....

Mike

#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:30 AM

Posted 12 April 2010 - 09:58 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

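The /md5start ... /md5stop block in the OTL script above makes the tool hash a fixed list of core DLLs and storage drivers so that a file replaced on disk can be spotted by its changed hash. The PowerShell below is an added example (it is not OTL's code and not from the post) that performs the same check by hand: it hashes the same file list, records a baseline on the first run, and reports drift on later runs. The baseline file location and the function names are assumptions made for this example.

```powershell
# Added example, not OTL's own code: hash the files OTL's /md5start list names
# and compare them with a baseline saved on an earlier run.
# Assumption: the baseline is kept as CliXml at $BaselinePath (chosen here).

$Md5Targets = @(
    'eventlog.dll', 'scecli.dll', 'netlogon.dll', 'cngaudit.dll', 'sceclt.dll',
    'ntelogon.dll', 'logevent.dll', 'iaStor.sys', 'nvstor.sys', 'atapi.sys',
    'IdeChnDr.sys', 'viasraid.sys', 'AGP440.sys', 'vaxscsi.sys', 'nvatabus.sys',
    'viamraid.sys', 'nvata.sys', 'nvgts.sys', 'iastorv.sys', 'ViPrt.sys',
    'eNetHook.dll', 'ahcix86.sys', 'KR10N.sys', 'nvstor32.sys', 'ahcix86s.sys',
    'nvrd32.sys'
)

function Get-SystemFileMd5 {
    # One record per name: Name, Path (or $null) and MD5 ('MISSING' when absent).
    param(
        [string[]]$Names = $Md5Targets,
        [string]$Root = "$env:SystemRoot\System32"
    )
    $md5 = [System.Security.Cryptography.MD5]::Create()
    foreach ($name in $Names) {
        # DLLs sit directly in System32; drivers live under System32\drivers.
        $path = @("$Root\$name", "$Root\drivers\$name") |
            Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
        if (-not $path) {
            [pscustomobject]@{ Name = $name; Path = $null; MD5 = 'MISSING' }
            continue
        }
        $stream = [System.IO.File]::OpenRead($path)
        try {
            $hash = ($md5.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
        } finally {
            $stream.Dispose()
        }
        [pscustomobject]@{ Name = $name; Path = $path; MD5 = $hash }
    }
}

function Compare-Md5Baseline {
    # Labels each record: unchanged, CHANGED, MISSING, 'no baseline' or 'not present'.
    param([object[]]$Current, [hashtable]$Baseline)
    foreach ($entry in $Current) {
        $inBase = $Baseline.ContainsKey($entry.Name)
        $status = if ($entry.MD5 -eq 'MISSING') { if ($inBase) { 'MISSING' } else { 'not present' } }
                  elseif (-not $inBase)                             { 'no baseline' }
                  elseif ($entry.MD5 -eq $Baseline[$entry.Name])    { 'unchanged' }
                  else                                              { 'CHANGED' }
        [pscustomobject]@{ Name = $entry.Name; Status = $status; Path = $entry.Path; MD5 = $entry.MD5 }
    }
}

# First run records a baseline of the files that exist; later runs report drift.
$BaselinePath = "$env:USERPROFILE\system32-md5-baseline.xml"   # assumed location
$current = Get-SystemFileMd5
if (-not (Test-Path -LiteralPath $BaselinePath)) {
    $table = @{}
    foreach ($e in $current) { if ($e.MD5 -ne 'MISSING') { $table[$e.Name] = $e.MD5 } }
    $table | Export-Clixml -Path $BaselinePath
    "Baseline written to $BaselinePath"
} else {
    $baseline = Import-Clixml -Path $BaselinePath
    Compare-Md5Baseline -Current $current -Baseline $baseline |
        Where-Object { $_.Status -ne 'unchanged' -and $_.Status -ne 'not present' } |
        Format-Table -AutoSize
}
```

A hash taken from inside a running system can be fed a clean copy by a rootkit that filters file reads, so a baseline recorded before infection, or a hash computed from offline media, is the value to trust.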


#4 malomalo

malomalo
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:30 PM

Posted 13 April 2010 - 03:01 PM

Hi Myrti,

Thank you for getting back to me.

I have already had this RootKit.Agent Trojan removed. Take care...

..Mike

#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,784 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:30 AM

Posted 14 April 2010 - 01:11 PM

Since this topic appears to be resolved, I will now close it.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!





