BleepingComputer.com: Vista Randomly Shutting Down: Possible Blaster Worm?

After logging in to Vista I get an error message that reads:

"Windows has had a critical error, and will shutdown in 1 minute. Please save all of your work"

It has happened while connected and disconnected to the internet, after varying intervals of time (as soon as in seconds, or could run seemingly 'stable' for hours), and while running different programs (I can't narrow down exactly which program may or may not be causing the error/corruption...but so far has only happened while booted into normal mode. Only way I have been able to consistently cause the erro is by opening Symantec, and forcing a LiveUpdate. Also Microsoft/Windows Update, and Windows Defender have been disabled. Will not allow update or re-enable.

Vista Home Premium Service Pack 2

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Mansur at 18:00:57.14 on Thu 04/07/2011
Internet Explorer: 8.0.6001.18975
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.894.138 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Outdated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Outdated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\mcupdate.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Mansur\Desktop\dds.scr
C:\Windows\System32\wsqmcons.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://www.ehsbr.org/podium/default.aspx?rc=1
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=userinit.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [<NO NAME>]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 2 (0x2)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\windows\system32\wpclsp.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1302014115229
DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://secure.mcdean.com/dana-cached/sc/JuniperSetupClient.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
IFEO: image file execution options - svchost.exe
Hosts: 67.215.240.115 google.com
Hosts: 67.215.240.115 google.com.au
Hosts: 67.215.240.115 www.google.com.au
Hosts: 67.215.240.115 google.be
Hosts: 67.215.240.115 www.google.be
.
Note: multiple HOSTS entries found. Please refer to Attach.txt
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-3-29 1153368]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-10-14 1956552]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-4-5 102448]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-30 135664]
S3 CASprint;Sprint Con App Svc;c:\program files\sprint\sprint smartview\ConAppsSvc.exe [2008-3-5 118784]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-2-26 21504]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-10-14 122056]
S3 VST_DPV;VST_DPV;c:\windows\system32\drivers\VSTDPV3.SYS [2006-11-2 987648]
S3 VSTHWBS2;VSTHWBS2;c:\windows\system32\drivers\VSTBS23.SYS [2006-11-2 251904]
.
=============== Created Last 30 ================
.
2011-04-05 21:16:15 -------- d-----w- c:\progra~2\ErrorEND
2011-04-05 20:48:42 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-05 20:42:30 6273872 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{8c5146a5-580a-4b78-a276-c286ea461e3d}\mpengine.dll
2011-04-05 20:41:36 -------- d-----w- C:\76b20047533b0910f96e73c914ef36
2011-04-05 20:35:13 -------- d-----w- C:\5e9db54071aae2fda39aeff65f5e22
2011-04-04 14:59:00 -------- d-----w- c:\users\mansur\appdata\local\Sprint
2011-04-04 13:27:03 27072 ----a-w- c:\windows\system32\drivers\PCASp50.sys
2011-04-04 13:24:05 26496 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2011-04-04 13:10:28 -------- d-----w- c:\program files\common files\Motorola Shared
2011-04-04 13:10:26 -------- d-----w- C:\Research in Motion
2011-04-04 13:10:25 -------- d-----w- c:\program files\common files\Research in Motion
2011-04-04 13:10:23 -------- d-----w- c:\program files\Sierra Wireless
2011-04-04 13:09:43 -------- d-----w- c:\program files\common files\PctelEapPeer Authentication
2011-04-04 13:09:31 -------- d-----w- c:\program files\Novatel Wireless
2011-04-04 13:09:30 -------- d-----w- c:\program files\Sprint
2011-04-04 13:09:30 -------- d-----w- c:\progra~2\Sprint
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.0.6002 Disk: ST310003 rev.SD35 -> Harddisk0\DR0 ->
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x85B8B566]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x85b91624]; MOV EAX, [0x85b916a0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x81E87962] -> \Device\Harddisk0\DR0[0x855F8778]
3 CLASSPNP[0x865A08B3] -> ntkrnlpa!IofCallDriver[0x81E87962] -> [0x846F2E70]
5 acpi[0x824176BC] -> ntkrnlpa!IofCallDriver[0x81E87962] -> [0x846F2AB8]
\Driver\nvstor32[0x85A04158] -> IRP_MJ_CREATE -> 0x85B8B566
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
\Device\0000005f -> \??\SCSI#Disk&Ven_ST310003&Prod_33AS#4&1cb7b9bd&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 18:05:35.27 ===============




GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-07 18:40:59
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\00000032 ST310003 rev.SD35
Running: gmer.exe; Driver: C:\Users\Mansur\AppData\Local\Temp\pfdiypoc.sys


---- System - GMER 1.0.15 ----

SSDT 85BCCB08 ZwAlertResumeThread
SSDT 85BCCBC8 ZwAlertThread
SSDT 85BCB4A8 ZwAllocateVirtualMemory
SSDT 8C5A1298 ZwConnectPort
SSDT 85BCC8C8 ZwCreateMutant
SSDT 85BCB638 ZwCreateThread
SSDT 85BCB318 ZwFreeVirtualMemory
SSDT 85BCC988 ZwImpersonateAnonymousToken
SSDT 85BCCA48 ZwImpersonateThread
SSDT 85BCB238 ZwMapViewOfSection
SSDT 85BCC808 ZwOpenEvent
SSDT 85BCB578 ZwOpenProcessToken
SSDT 85BCCFD0 ZwOpenThreadToken
SSDT 8C5A1368 ZwResumeThread
SSDT 85BCCF10 ZwSetContextThread
SSDT 85BCB0B8 ZwSetInformationProcess
SSDT 85BCCE50 ZwSetInformationThread
SSDT 85BCC748 ZwSuspendProcess
SSDT 85BCCCD0 ZwSuspendThread
SSDT 85BCB708 ZwTerminateProcess
SSDT 85BCCD90 ZwTerminateThread
SSDT 85BCB178 ZwUnmapViewOfSection
SSDT 85BCB3D8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 81EEF880 8 Bytes [08, CB, BC, 85, C8, CB, BC, ...]
.text ntkrnlpa.exe!KeSetEvent + 131 81EEF894 4 Bytes [A8, B4, BC, 85]
.text ntkrnlpa.exe!KeSetEvent + 1C1 81EEF924 4 Bytes [98, 12, 5A, 8C] {CWDE ; ADC BL, [EDX-0x74]}
.text ntkrnlpa.exe!KeSetEvent + 1F5 81EEF958 4 Bytes [C8, C8, BC, 85] {ENTER 0xbcc8, 0x85}
.text ntkrnlpa.exe!KeSetEvent + 221 81EEF984 4 Bytes [38, B6, BC, 85]
.text ...
? System32\Drivers\lzgkocmvv.sys A device attached to the system is not functioning. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8A806340, 0x3DA8C7, 0xE8000020]
? C:\Users\Mansur\AppData\Local\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1304] ntdll.dll!NtProtectVirtualMemory 77294D34 5 Bytes JMP 0082000A
.text C:\Windows\system32\svchost.exe[1304] ntdll.dll!NtWriteVirtualMemory 77295674 5 Bytes JMP 0083000A
.text C:\Windows\system32\svchost.exe[1304] ntdll.dll!KiUserExceptionDispatcher 77295DC8 5 Bytes JMP 0081000A
.text C:\Windows\system32\svchost.exe[1304] ole32.dll!CoCreateInstance 76A19F3E 5 Bytes JMP 0095000A
.text C:\Windows\system32\svchost.exe[1304] USER32.dll!WindowFromPoint 76CB884F 5 Bytes JMP 01F8000A
.text C:\Windows\system32\svchost.exe[1304] USER32.dll!GetForegroundWindow 76CC32C4 5 Bytes JMP 0200000A
.text C:\Windows\system32\svchost.exe[1304] USER32.dll!GetCursorPos 76CD0B88 5 Bytes JMP 01EF000A
.text C:\Windows\Explorer.EXE[3308] ntdll.dll!NtProtectVirtualMemory 77294D34 5 Bytes JMP 01DB000A
.text C:\Windows\Explorer.EXE[3308] ntdll.dll!NtWriteVirtualMemory 77295674 5 Bytes JMP 01DC000A
.text C:\Windows\Explorer.EXE[3308] ntdll.dll!KiUserExceptionDispatcher 77295DC8 5 Bytes JMP 01DA000A

---- Devices - GMER 1.0.15 ----

Device 84F90DF0
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\nvstor32 -> DriverStartIo \Device\RaidPort0 85B8B3B2

AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\nvstor32 -> DriverStartIo \Device\RaidPort1 85B8B3B2

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Device\0000005f -> \??\SCSI#Disk&Ven_ST310003&Prod_33AS#4&1cb7b9bd&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] lzgkocmvv <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\lzgkocmvv@bnngc -804980748
Reg HKLM\SYSTEM\CurrentControlSet\Services\lzgkocmvv@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\lzgkocmvv@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\lzgkocmvv@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\lzgkocmvv@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\lzgkocmvv@bnngc -804980748
Reg HKLM\SYSTEM\ControlSet002\Services\lzgkocmvv@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\lzgkocmvv@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\lzgkocmvv@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\lzgkocmvv@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

• Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  
  
• Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  
  
• If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  
  
• In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  
  
• Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  
  
• Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  
  
• I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
  Because of this, you must reply within three days failure to reply will result in the topic being closed!
  
  
• Please do not PM me directly for help. If you have any questions, post them in this topic.
  
  
• Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
  Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________


One or more of the identified infections is a backdoor trojan and password stealer.



I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running TDSSKiller

Please read carefully and follow these steps.

• Download TDSSKiller and save it to your Desktop.
  
• Extract its contents to your desktop.
  
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  
  
  
  
  
  
• If an infected file is detected, the default action will be Cure, click on Continue.
  
  
  
  
  
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
  
  
  
  
  
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  
  
  
  
  
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

NEXT:



Running OTL

We need to create an OTL Report

• Please download OTL from one of the following mirrors:
  • This is THE Mirror
  
  
• Save it to your desktop.
  
• Double click on the icon on your desktop.
  
• Click the "Scan All Users" checkbox.
  
• Push the button.
  
• Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
    
  • Extra.txt <-- Will be minimized

NEXT:


Please provide an update on how things are running in your next reply.

ST,

Thanks for the response. Let me read up on the documentation you've included, and then I will get right on the procedure you laid out.
I'm working on my parent's computer for them, so it will ultimately be their decision as to whether to reformat due to the security issues.

Thanks,
Blake

1. Ask what the computer is used for: mainly web surfing. Occasional personaly banking.

2. Ask if there is any confidential information about patients, customers or clients on the computer, or accessible through the computer (say through an employer's network that the computer connects to via dialup or VPN): No

3. Ask if their own banking or personal information is on the computer: their personal banking information has been accessed via this computer, but passwords are being changed today, I the information was not puposely stored by any password reminder of any sort.



A/The Hacker did not have direct access to the computer, and to date they have not experienced any anomalies in their financial/banking accounts. They've decided to change their passwords on their accounts, attempt to have me (with your help of course) clean the computer; and monitor it moving forward. If we can't get it cleaned or it becomes evident that the computer can not be secured to an acceptable percentage I will reformat.


Unless you have an objection, I will begin the process of running the tools you've listed, and report back when done. With the intermittent shutdown issues, this may take me a while, as the OS is very unstable. I have tried to stabilize with the shutdown /a key; with no success.

I'll report back with either the logs, or an issue i've encountered. Thanks again for helping, I'm looking forward in assisting you in the clean up of their computer, and learning some things for myself along the way.


Thanks,
Blake

No objections here.

I'll await your response with the requested logs.

do I need an internet connection to run TDSSkiller and OTL?

or would it be sufficient for me download them to a jump drive, and transfer them to the PC?

I don't think you need an internet connection to run the tools, but you will need to download the tools to the infected computer.

understood...I know they need to be run from the desktop of the infected, just wanted to make sure transferring them there via jump drive was sufficient.

Running TDSSkiller now, will let you know of any hiccups (if any) along the way to providing the requested logs.

Successfully ran TDSSkiller, however OTL is producing the following error:

[attachment=93141:OTL - No Disk error.jpg]

Do I:
Cancel?
Try Again?
Continue?

Click on Continue.

No change to the status of the computer. Still randomly shutting down. Rand TDSSkiller fine, OTL encountered and error as shown in my last post. Computer then shutdown and rebooted via the aforementioned error. Logs....




2011/04/11 11:25:35.0645 0896 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/11 11:25:35.0739 0896 ================================================================================
2011/04/11 11:25:35.0739 0896 SystemInfo:
2011/04/11 11:25:35.0739 0896
2011/04/11 11:25:35.0739 0896 OS Version: 6.0.6002 ServicePack: 2.0
2011/04/11 11:25:35.0739 0896 Product type: Workstation
2011/04/11 11:25:35.0739 0896 ComputerName: MANSUR-PC
2011/04/11 11:25:35.0739 0896 UserName: Mansur
2011/04/11 11:25:35.0739 0896 Windows directory: C:\Windows
2011/04/11 11:25:35.0739 0896 System windows directory: C:\Windows
2011/04/11 11:25:35.0739 0896 Processor architecture: Intel x86
2011/04/11 11:25:35.0739 0896 Number of processors: 2
2011/04/11 11:25:35.0739 0896 Page size: 0x1000
2011/04/11 11:25:35.0739 0896 Boot type: Normal boot
2011/04/11 11:25:35.0739 0896 ================================================================================
2011/04/11 11:25:37.0111 0896 Initialize success
2011/04/11 11:26:03.0803 1980 ================================================================================
2011/04/11 11:26:03.0803 1980 Scan started
2011/04/11 11:26:03.0803 1980 Mode: Manual;
2011/04/11 11:26:03.0803 1980 ================================================================================
2011/04/11 11:26:06.0221 1980 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2011/04/11 11:26:06.0315 1980 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2011/04/11 11:26:06.0393 1980 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2011/04/11 11:26:06.0471 1980 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2011/04/11 11:26:06.0564 1980 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2011/04/11 11:26:06.0783 1980 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2011/04/11 11:26:06.0876 1980 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
2011/04/11 11:26:06.0985 1980 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/04/11 11:26:07.0095 1980 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
2011/04/11 11:26:07.0188 1980 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
2011/04/11 11:26:07.0297 1980 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
2011/04/11 11:26:07.0344 1980 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2011/04/11 11:26:07.0469 1980 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\DRIVERS\amdk8.sys
2011/04/11 11:26:07.0531 1980 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2011/04/11 11:26:07.0609 1980 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2011/04/11 11:26:07.0703 1980 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/04/11 11:26:07.0843 1980 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2011/04/11 11:26:07.0921 1980 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/04/11 11:26:08.0077 1980 bowser (74b442b2be1260b7588c136177ceac66) C:\Windows\system32\DRIVERS\bowser.sys
2011/04/11 11:26:08.0124 1980 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/04/11 11:26:08.0187 1980 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/04/11 11:26:08.0233 1980 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/04/11 11:26:08.0280 1980 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/04/11 11:26:08.0311 1980 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/04/11 11:26:08.0343 1980 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/04/11 11:26:08.0374 1980 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/04/11 11:26:08.0467 1980 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/04/11 11:26:08.0514 1980 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2011/04/11 11:26:08.0561 1980 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2011/04/11 11:26:08.0655 1980 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2011/04/11 11:26:08.0764 1980 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
2011/04/11 11:26:08.0795 1980 Compbatt (82b8c91d327cfecf76cb58716f7d4997) C:\Windows\system32\drivers\compbatt.sys
2011/04/11 11:26:08.0873 1980 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2011/04/11 11:26:08.0967 1980 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2011/04/11 11:26:09.0076 1980 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2011/04/11 11:26:09.0201 1980 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2011/04/11 11:26:09.0481 1980 Dot4 (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys
2011/04/11 11:26:09.0528 1980 Dot4Print (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys
2011/04/11 11:26:09.0591 1980 dot4usb (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys
2011/04/11 11:26:09.0637 1980 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/04/11 11:26:09.0778 1980 DXGKrnl (5c7e2097b91d689ded7a6ff90f0f3a25) C:\Windows\System32\drivers\dxgkrnl.sys
2011/04/11 11:26:09.0856 1980 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/04/11 11:26:09.0934 1980 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2011/04/11 11:26:10.0059 1980 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2011/04/11 11:26:10.0199 1980 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2011/04/11 11:26:10.0371 1980 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2011/04/11 11:26:10.0449 1980 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2011/04/11 11:26:10.0527 1980 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2011/04/11 11:26:10.0573 1980 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
2011/04/11 11:26:10.0636 1980 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/04/11 11:26:10.0807 1980 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/04/11 11:26:10.0854 1980 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/04/11 11:26:10.0917 1980 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2011/04/11 11:26:10.0995 1980 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/04/11 11:26:11.0041 1980 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2011/04/11 11:26:11.0119 1980 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
2011/04/11 11:26:11.0182 1980 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
2011/04/11 11:26:11.0275 1980 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/04/11 11:26:11.0322 1980 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/04/11 11:26:11.0369 1980 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/04/11 11:26:11.0447 1980 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2011/04/11 11:26:11.0494 1980 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2011/04/11 11:26:11.0603 1980 HSF_DP (88749fbf8beb18c90e7d6626c8c1910b) C:\Windows\system32\DRIVERS\HSX_DP.sys
2011/04/11 11:26:11.0681 1980 HSXHWBS2 (fe440536bd98af772130dc3a6fe1915f) C:\Windows\system32\DRIVERS\HSXHWBS2.sys
2011/04/11 11:26:11.0806 1980 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2011/04/11 11:26:11.0884 1980 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2011/04/11 11:26:11.0977 1980 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/04/11 11:26:12.0040 1980 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2011/04/11 11:26:12.0087 1980 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/04/11 11:26:12.0289 1980 IntcAzAudAddService (edc37b918e583a5a813c53d4f5588255) C:\Windows\system32\drivers\RTKVHDA.sys
2011/04/11 11:26:12.0523 1980 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys
2011/04/11 11:26:12.0586 1980 intelppm (ce44cc04262f28216dd4341e9e36a16f) C:\Windows\system32\DRIVERS\intelppm.sys
2011/04/11 11:26:12.0633 1980 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/04/11 11:26:12.0711 1980 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2011/04/11 11:26:12.0789 1980 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/04/11 11:26:12.0851 1980 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/04/11 11:26:12.0898 1980 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
2011/04/11 11:26:12.0976 1980 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/04/11 11:26:13.0023 1980 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/04/11 11:26:13.0054 1980 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/04/11 11:26:13.0132 1980 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/04/11 11:26:13.0194 1980 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/04/11 11:26:13.0288 1980 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2011/04/11 11:26:13.0397 1980 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/04/11 11:26:13.0444 1980 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2011/04/11 11:26:13.0537 1980 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2011/04/11 11:26:13.0615 1980 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2011/04/11 11:26:13.0709 1980 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/04/11 11:26:13.0756 1980 Suspicious service (NoAccess): lzgkocmvv
2011/04/11 11:26:13.0959 1980 lzgkocmvv (d1516dd1733585747d9cc7da750a63e3) C:\Windows\system32\drivers\lzgkocmvv.sys
2011/04/11 11:26:13.0959 1980 Suspicious file (NoAccess): C:\Windows\system32\drivers\lzgkocmvv.sys. md5: d1516dd1733585747d9cc7da750a63e3
2011/04/11 11:26:13.0959 1980 lzgkocmvv - detected Locked service (1)
2011/04/11 11:26:14.0021 1980 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
2011/04/11 11:26:14.0083 1980 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2011/04/11 11:26:14.0193 1980 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/04/11 11:26:14.0271 1980 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/04/11 11:26:14.0302 1980 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/04/11 11:26:14.0380 1980 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/04/11 11:26:14.0567 1980 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/04/11 11:26:14.0676 1980 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\Windows\system32\DRIVERS\MpFilter.sys
2011/04/11 11:26:14.0754 1980 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2011/04/11 11:26:14.0817 1980 MpNWMon (f32e2d6a1640a469a9ed4f1929a4a861) C:\Windows\system32\DRIVERS\MpNWMon.sys
2011/04/11 11:26:14.0879 1980 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/04/11 11:26:14.0973 1980 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/04/11 11:26:15.0082 1980 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2011/04/11 11:26:15.0160 1980 mrxsmb (454341e652bdf5e01b0f2140232b073e) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/04/11 11:26:15.0207 1980 mrxsmb10 (2a4901aff069944fa945ed5bbf4dcde3) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/04/11 11:26:15.0253 1980 mrxsmb20 (28b3f1ab44bdd4432c041581412f17d9) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/04/11 11:26:15.0285 1980 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
2011/04/11 11:26:15.0363 1980 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2011/04/11 11:26:15.0487 1980 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/04/11 11:26:15.0534 1980 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/04/11 11:26:15.0706 1980 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/04/11 11:26:15.0815 1980 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/04/11 11:26:15.0909 1980 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/04/11 11:26:15.0987 1980 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2011/04/11 11:26:16.0065 1980 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/04/11 11:26:16.0080 1980 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/04/11 11:26:16.0127 1980 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2011/04/11 11:26:16.0252 1980 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2011/04/11 11:26:16.0501 1980 NAVENG (c34e2a884ccca8b5567d0c2752527073) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20110404.002\NAVENG.SYS
2011/04/11 11:26:16.0564 1980 NAVEX15 (b3916eeec738dd4178f4fd6a44a32e36) C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20110404.002\NAVEX15.SYS
2011/04/11 11:26:16.0704 1980 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2011/04/11 11:26:16.0767 1980 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/04/11 11:26:16.0829 1980 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/04/11 11:26:16.0907 1980 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/04/11 11:26:16.0969 1980 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/04/11 11:26:17.0110 1980 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/04/11 11:26:17.0203 1980 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2011/04/11 11:26:17.0313 1980 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/04/11 11:26:17.0391 1980 NisDrv (17e2c08c5ecfbe94a7c67b1c275ee9d9) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
2011/04/11 11:26:17.0578 1980 Nmea (b0d5188e282dc4edae7020f333427bc8) C:\Windows\system32\DRIVERS\pctnullport.sys
2011/04/11 11:26:17.0687 1980 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2011/04/11 11:26:17.0765 1980 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/04/11 11:26:17.0859 1980 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2011/04/11 11:26:18.0046 1980 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/04/11 11:26:18.0108 1980 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\Windows\system32\DRIVERS\NuidFltr.sys
2011/04/11 11:26:18.0155 1980 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/04/11 11:26:18.0311 1980 NVENETFD (74c825c573aa6e115590d94e7bf86901) C:\Windows\system32\DRIVERS\nvmfdx32.sys
2011/04/11 11:26:18.0654 1980 nvlddmkm (fbba09782f2fac5a57619df378ba9372) C:\Windows\system32\DRIVERS\nvlddmkm.sys
2011/04/11 11:26:19.0528 1980 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
2011/04/11 11:26:19.0559 1980 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
2011/04/11 11:26:19.0637 1980 nvstor32 (7eba6c9a0a295b1559efb9062e701218) C:\Windows\system32\DRIVERS\nvstor32.sys
2011/04/11 11:26:19.0793 1980 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
2011/04/11 11:26:19.0933 1980 NWADI (67fb86eeb94059177642050718d57460) C:\Windows\system32\DRIVERS\NWADIenum.sys
2011/04/11 11:26:20.0089 1980 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/04/11 11:26:20.0136 1980 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2011/04/11 11:26:20.0214 1980 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2011/04/11 11:26:20.0308 1980 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2011/04/11 11:26:20.0417 1980 PCASp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\Windows\system32\Drivers\PCASp50.sys
2011/04/11 11:26:20.0511 1980 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2011/04/11 11:26:20.0604 1980 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
2011/04/11 11:26:20.0651 1980 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2011/04/11 11:26:20.0729 1980 PCTINDIS5 (d6da0b85889d8236e2a3e80826ad104b) C:\Windows\system32\PCTINDIS5.SYS
2011/04/11 11:26:20.0838 1980 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/04/11 11:26:21.0057 1980 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/04/11 11:26:21.0103 1980 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2011/04/11 11:26:21.0181 1980 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2011/04/11 11:26:21.0259 1980 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2011/04/11 11:26:21.0369 1980 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/04/11 11:26:21.0478 1980 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/04/11 11:26:21.0525 1980 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/04/11 11:26:21.0587 1980 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/04/11 11:26:21.0665 1980 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/04/11 11:26:21.0727 1980 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2011/04/11 11:26:21.0805 1980 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2011/04/11 11:26:21.0883 1980 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/04/11 11:26:21.0930 1980 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
2011/04/11 11:26:21.0961 1980 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/04/11 11:26:22.0071 1980 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2011/04/11 11:26:22.0180 1980 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\Windows\system32\DRIVERS\RimSerial.sys
2011/04/11 11:26:22.0211 1980 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys
2011/04/11 11:26:22.0305 1980 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/04/11 11:26:22.0367 1980 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/04/11 11:26:22.0476 1980 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/04/11 11:26:22.0539 1980 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2011/04/11 11:26:22.0632 1980 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2011/04/11 11:26:22.0726 1980 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/04/11 11:26:22.0804 1980 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
2011/04/11 11:26:22.0835 1980 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
2011/04/11 11:26:22.0866 1980 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
2011/04/11 11:26:22.0913 1980 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/04/11 11:26:22.0960 1980 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
2011/04/11 11:26:23.0053 1980 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2011/04/11 11:26:23.0131 1980 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2011/04/11 11:26:23.0241 1980 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2011/04/11 11:26:23.0412 1980 SPBBCDrv (905782bcf15b6e5af9905b77923c7fa2) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2011/04/11 11:26:23.0506 1980 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/04/11 11:26:23.0631 1980 SRTSP (8b938345e1d2e49465cc9c11ae410438) C:\Windows\system32\Drivers\SRTSP.SYS
2011/04/11 11:26:23.0724 1980 SRTSPL (f1eb4f77241ddf0bc11f5d638402a788) C:\Windows\system32\Drivers\SRTSPL.SYS
2011/04/11 11:26:23.0802 1980 SRTSPX (be24052f4173bb6fe5badc032b6bc978) C:\Windows\system32\Drivers\SRTSPX.SYS
2011/04/11 11:26:23.0989 1980 srv (ff3cbc13db84d81f56931bc922cc37c4) C:\Windows\system32\DRIVERS\srv.sys
2011/04/11 11:26:24.0130 1980 srv2 (d15959d9f69f0d39a0153e9c244f20dd) C:\Windows\system32\DRIVERS\srv2.sys
2011/04/11 11:26:24.0192 1980 srvnet (faa0d553a49e85008c6bb3781987c574) C:\Windows\system32\DRIVERS\srvnet.sys
2011/04/11 11:26:24.0301 1980 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/04/11 11:26:24.0442 1980 swmsflt (e6c797b33a454840245c0c96e7f08b0a) C:\Windows\System32\drivers\swmsflt.sys
2011/04/11 11:26:24.0535 1980 swmx00 (a56848914c78093a1ec84a6ce424c7bf) C:\Windows\system32\DRIVERS\swmx00.sys
2011/04/11 11:26:24.0629 1980 SWNC5E00 (f797787d579e1a9396d2e416240a2259) C:\Windows\system32\DRIVERS\SWNC5E00.sys
2011/04/11 11:26:24.0769 1980 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/04/11 11:26:24.0925 1980 SymEvent (d430a5fa6a82d0b53db969067535c92b) C:\Program Files\Symantec\SYMEVENT.SYS
2011/04/11 11:26:25.0035 1980 SYMREDRV (90a15cd58994ceaf7697f03ab4b304a0) C:\Windows\System32\Drivers\SYMREDRV.SYS
2011/04/11 11:26:25.0081 1980 SYMTDI (169cc67cc03c1c7195787c49d200e232) C:\Windows\System32\Drivers\SYMTDI.SYS
2011/04/11 11:26:25.0128 1980 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/04/11 11:26:25.0206 1980 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/04/11 11:26:25.0347 1980 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2011/04/11 11:26:25.0487 1980 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2011/04/11 11:26:25.0565 1980 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2011/04/11 11:26:25.0627 1980 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/04/11 11:26:25.0674 1980 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/04/11 11:26:25.0783 1980 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2011/04/11 11:26:25.0861 1980 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2011/04/11 11:26:26.0049 1980 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/04/11 11:26:26.0111 1980 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/04/11 11:26:26.0189 1980 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2011/04/11 11:26:26.0236 1980 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2011/04/11 11:26:26.0314 1980 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2011/04/11 11:26:26.0423 1980 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
2011/04/11 11:26:26.0470 1980 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2011/04/11 11:26:26.0532 1980 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/04/11 11:26:26.0579 1980 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/04/11 11:26:26.0673 1980 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/04/11 11:26:26.0751 1980 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\Windows\system32\Drivers\usbaapl.sys
2011/04/11 11:26:26.0813 1980 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/04/11 11:26:26.0860 1980 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/04/11 11:26:27.0047 1980 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2011/04/11 11:26:27.0125 1980 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2011/04/11 11:26:27.0172 1980 usbohci (ce697fee0d479290d89bec80dfe793b7) C:\Windows\system32\DRIVERS\usbohci.sys
2011/04/11 11:26:27.0234 1980 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2011/04/11 11:26:27.0281 1980 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2011/04/11 11:26:27.0328 1980 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/04/11 11:26:27.0375 1980 usbuhci (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/04/11 11:26:27.0484 1980 usb_rndisx (35c9095fa7076466afbfc5b9ec4b779e) C:\Windows\system32\DRIVERS\usb8023x.sys
2011/04/11 11:26:27.0562 1980 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/04/11 11:26:27.0671 1980 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/04/11 11:26:27.0874 1980 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
2011/04/11 11:26:27.0983 1980 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2011/04/11 11:26:28.0077 1980 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
2011/04/11 11:26:28.0170 1980 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/04/11 11:26:28.0264 1980 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2011/04/11 11:26:28.0357 1980 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2011/04/11 11:26:28.0560 1980 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2011/04/11 11:26:28.0685 1980 VSTHWBS2 (c466021d31ff6c0a6069d12299d80c0b) C:\Windows\system32\DRIVERS\VSTBS23.SYS
2011/04/11 11:26:28.0779 1980 VST_DPV (ec36f1d542ed4252390d446bf6d4dfd0) C:\Windows\system32\DRIVERS\VSTDPV3.SYS
2011/04/11 11:26:28.0872 1980 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/04/11 11:26:28.0935 1980 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/04/11 11:26:29.0075 1980 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/04/11 11:26:29.0137 1980 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2011/04/11 11:26:29.0247 1980 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2011/04/11 11:26:29.0403 1980 winachsf (72cc6a8ca7891031d6380db5025c773c) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
2011/04/11 11:26:29.0621 1980 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
2011/04/11 11:26:29.0730 1980 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/04/11 11:26:29.0793 1980 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/04/11 11:26:29.0917 1980 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/04/11 11:26:29.0980 1980 XAudio (dab33cfa9dd24251aaa389ff36b64d4b) C:\Windows\system32\DRIVERS\xaudio.sys
2011/04/11 11:26:30.0089 1980 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/04/11 11:26:30.0183 1980 ================================================================================
2011/04/11 11:26:30.0183 1980 Scan finished
2011/04/11 11:26:30.0183 1980 ================================================================================
2011/04/11 11:26:30.0198 3820 Detected object count: 2
2011/04/11 11:33:14.0524 3820 Locked service(lzgkocmvv) - User select action: Skip
2011/04/11 11:33:14.0633 3820 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/04/11 11:33:14.0633 3820 \HardDisk0 - ok
2011/04/11 11:33:14.0743 3820 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/04/11 11:33:20.0437 2256 Deinitialize success




OTL logfile created on: 4/11/2011 2:17:01 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Mansur\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18975)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 201.00 Mb Available Physical Memory | 23.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 53.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 931.51 Gb Total Space | 753.21 Gb Free Space | 80.86% Space Free | Partition Type: NTFS

Computer Name: MANSUR-PC | User Name: Mansur | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/11 11:20:22 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Mansur\Desktop\OTL.exe
PRC - [2010/11/30 13:20:36 | 000,997,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Client\msseces.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2008/03/10 09:09:00 | 000,017,672 | ---- | M] (Sprint) -- C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe
PRC - [2008/03/05 15:45:28 | 000,106,496 | ---- | M] (PCTEL) -- C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
PRC - [2006/10/14 07:02:30 | 000,134,856 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\VPTray.exe
PRC - [2006/10/14 07:02:14 | 001,956,552 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2006/10/14 07:02:04 | 000,030,920 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2006/10/13 21:44:40 | 000,095,848 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2006/10/13 21:44:22 | 000,107,624 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe


========== Modules (SafeList) ==========

MOD - [2011/04/11 11:20:22 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Mansur\Desktop\OTL.exe
MOD - [2010/08/31 10:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/11/11 12:26:42 | 000,206,360 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe -- (NisSrv)
SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2008/03/05 15:45:28 | 000,106,496 | ---- | M] (PCTEL) [On_Demand | Running] -- C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe -- (SprintRcAppSvc)
SRV - [2008/03/05 15:45:26 | 000,118,784 | ---- | M] (PCTEL) [On_Demand | Stopped] -- C:\Program Files\Sprint\Sprint SmartView\ConAppsSvc.exe -- (CASprint)
SRV - [2008/01/19 02:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/19 02:36:49 | 000,365,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm)
SRV - [2008/01/19 02:36:15 | 000,167,936 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr)
SRV - [2006/10/14 07:02:20 | 000,122,056 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
SRV - [2006/10/14 07:02:14 | 001,956,552 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2006/10/14 07:02:04 | 000,030,920 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
SRV - [2006/10/13 21:44:22 | 000,107,624 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2006/10/13 21:44:22 | 000,107,624 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2006/10/12 13:57:43 | 002,541,248 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)


========== Driver Services (SafeList) ==========

DRV - [2011/04/04 01:00:00 | 001,393,144 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20110404.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2011/04/04 01:00:00 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/04/04 01:00:00 | 000,086,136 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20110404.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/12/17 10:49:38 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/10/24 21:25:38 | 000,054,144 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NisDrvWFP.sys -- (NisDrv)
DRV - [2010/10/24 21:25:38 | 000,043,392 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\MpNWMon.sys -- (MpNWMon)
DRV - [2008/05/22 22:49:00 | 007,465,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2008/05/08 06:05:18 | 000,266,752 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWBS2.sys -- (HSXHWBS2)
DRV - [2008/05/08 06:03:18 | 000,980,992 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DP.sys -- (HSF_DP)
DRV - [2008/03/05 15:41:58 | 000,164,480 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SWNC5E00.sys -- (SWNC5E00) Sierra Wireless MUX NDIS Driver (#00)
DRV - [2008/03/05 15:41:58 | 000,149,000 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\swmx00.sys -- (swmx00) Sierra Wireless USB MUX Driver (#00)
DRV - [2008/03/05 15:41:58 | 000,024,840 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\swmsflt.sys -- (swmsflt)
DRV - [2008/03/05 15:41:48 | 000,038,680 | ---- | M] (PCTEL Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\pctnullport.sys -- (Nmea)
DRV - [2008/03/05 15:36:22 | 000,032,408 | ---- | M] (PCTEL Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\PCTINDIS5.sys -- (PCTINDIS5)
DRV - [2007/10/26 19:51:24 | 000,110,624 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\nvstor32.sys -- (nvstor32)
DRV - [2007/10/18 08:36:54 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2007/10/12 17:04:40 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2007/09/06 16:30:24 | 000,194,048 | ---- | M] (Novatel Wireless Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NWADIenum.sys -- (NWADI)
DRV - [2007/05/04 02:29:10 | 001,065,384 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvmfdx32.sys -- (NVENETFD)
DRV - [2006/11/02 02:41:53 | 000,251,904 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VSTBS23.SYS -- (VSTHWBS2)
DRV - [2006/10/12 21:00:50 | 000,185,744 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\SYMTDI.SYS -- (SYMTDI)
DRV - [2006/10/12 21:00:44 | 000,026,384 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\Drivers\SYMREDRV.SYS -- (SYMREDRV)
DRV - [2006/10/11 21:29:20 | 000,275,064 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2006/10/11 21:29:18 | 000,024,184 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2006/10/11 21:29:14 | 000,245,368 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\srtsp.sys -- (SRTSP)
DRV - [2006/10/09 19:47:58 | 000,110,256 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
DRV - [2006/10/06 15:26:16 | 000,406,672 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore =
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8893

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/?pc=Z007&form=ZGAPHP
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore =
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8893



IE - HKU\S-1-5-21-1332280451-3487225366-4135253625-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = https://www.ehsbr.org/podium/default.aspx?rc=1
IE - HKU\S-1-5-21-1332280451-3487225366-4135253625-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1332280451-3487225366-4135253625-1000\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1332280451-3487225366-4135253625-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/03/17 18:31:58 | 000,002,076 | RHS- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 67.215.240.115 google.com
O1 - Hosts: 67.215.240.115 google.com.au
O1 - Hosts: 67.215.240.115 www.google.com.au
O1 - Hosts: 67.215.240.115 google.be
O1 - Hosts: 67.215.240.115 www.google.be
O1 - Hosts: 67.215.240.115 google.com.br
O1 - Hosts: 67.215.240.115 www.google.com.br
O1 - Hosts: 67.215.240.115 google.ca
O1 - Hosts: 67.215.240.115 www.google.ca
O1 - Hosts: 67.215.240.115 google.ch
O1 - Hosts: 67.215.240.115 www.google.ch
O1 - Hosts: 67.215.240.115 google.de
O1 - Hosts: 67.215.240.115 www.google.de
O1 - Hosts: 67.215.240.115 google.dk
O1 - Hosts: 67.215.240.115 www.google.dk
O1 - Hosts: 67.215.240.115 google.fr
O1 - Hosts: 67.215.240.115 www.google.fr
O1 - Hosts: 67.215.240.115 google.ie
O1 - Hosts: 67.215.240.115 www.google.ie
O1 - Hosts: 67.215.240.115 google.it
O1 - Hosts: 67.215.240.115 www.google.it
O1 - Hosts: 67.215.240.115 google.co.jp
O1 - Hosts: 67.215.240.115 www.google.co.jp
O1 - Hosts: 23 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1332280451-3487225366-4135253625-1000\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Sprint SmartView] C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe (Sprint)
O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 2
O7 - HKU\S-1-5-21-1332280451-3487225366-4135253625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1332280451-3487225366-4135253625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKU\S-1-5-21-1332280451-3487225366-4135253625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1302014115229 (MUWebControl Class)
O16 - DPF: {80AEEC0E-A2BE-4B8D-985F-350FE869DC40} http://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsVista.cab (HPDDClientExec Class)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://secure.mcdean.com/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{09413ebc-383c-11df-9b61-001a92232baf}\Shell - "" = AutoRun
O33 - MountPoints2\{09413ebc-383c-11df-9b61-001a92232baf}\Shell\AutoRun\command - "" = I:\LaunchU3.exe
O33 - MountPoints2\{3f8e5bee-5ebb-11e0-9209-001a92232baf}\Shell - "" = AutoRun
O33 - MountPoints2\{3f8e5bee-5ebb-11e0-9209-001a92232baf}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL I:\AppLaunch.exe AUTORUN=1
O33 - MountPoints2\{ec7504c4-09af-11de-a271-001a92232baf}\Shell - "" = AutoRun
O33 - MountPoints2\{ec7504c4-09af-11de-a271-001a92232baf}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/04/11 11:25:00 | 000,000,000 | ---D | C] -- C:\Users\Mansur\Desktop\tdsskiller
[2011/04/11 11:24:47 | 000,580,608 | ---- | C] (OldTimer Tools) -- C:\Users\Mansur\Desktop\OTL.exe
[2011/04/07 18:09:59 | 000,000,000 | ---D | C] -- C:\Users\Mansur\Desktop\gmer
[2011/04/05 16:16:15 | 000,000,000 | ---D | C] -- C:\ProgramData\ErrorEND
[2011/04/05 15:48:42 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[2011/04/05 15:41:36 | 000,000,000 | ---D | C] -- C:\76b20047533b0910f96e73c914ef36
[2011/04/05 15:35:13 | 000,000,000 | ---D | C] -- C:\5e9db54071aae2fda39aeff65f5e22
[2011/04/05 11:50:16 | 000,000,000 | ---D | C] -- C:\Users\Mansur\Desktop\rkill
[2011/04/04 09:59:00 | 000,000,000 | ---D | C] -- C:\Users\Mansur\AppData\Local\Sprint
[2011/04/04 08:27:03 | 000,027,072 | ---- | C] (Printing Communications Assoc., Inc. (PCAUSA)) -- C:\Windows\System32\drivers\PCASp50.sys
[2011/04/04 08:10:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sprint
[2011/04/04 08:10:28 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Motorola Shared
[2011/04/04 08:10:26 | 000,000,000 | ---D | C] -- C:\Research in Motion
[2011/04/04 08:10:25 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Research in Motion
[2011/04/04 08:10:23 | 000,000,000 | ---D | C] -- C:\Program Files\Sierra Wireless
[2011/04/04 08:09:43 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\PctelEapPeer Authentication
[2011/04/04 08:09:31 | 000,000,000 | ---D | C] -- C:\Program Files\Novatel Wireless
[2011/04/04 08:09:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Sprint
[2011/04/04 08:09:30 | 000,000,000 | ---D | C] -- C:\Program Files\Sprint
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/04/11 14:21:29 | 000,764,928 | ---- | M] () -- C:\Windows\System32\drivers\lzgkocmvv.sys
[2011/04/11 13:57:07 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/11 13:53:01 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/11 12:43:49 | 000,606,364 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/11 12:43:49 | 000,104,964 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/04/11 12:40:00 | 000,004,928 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/04/11 12:39:59 | 000,004,928 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/04/11 12:39:00 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/11 12:37:39 | 938,008,576 | -HS- | M] () -- C:\hiberfil.sys
[2011/04/11 11:53:15 | 000,085,659 | ---- | M] () -- C:\Users\Mansur\Desktop\OTL - No Disk error.jpg
[2011/04/11 11:20:46 | 001,263,721 | ---- | M] () -- C:\Users\Mansur\Desktop\tdsskiller.zip
[2011/04/11 11:20:22 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\Mansur\Desktop\OTL.exe
[2011/04/07 17:50:04 | 000,293,019 | ---- | M] () -- C:\Users\Mansur\Desktop\gmer.zip
[2011/04/07 17:47:14 | 000,625,664 | ---- | M] () -- C:\Users\Mansur\Desktop\dds.scr
[2011/04/06 15:18:14 | 205,448,673 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/04/05 17:01:34 | 000,000,384 | ---- | M] () -- C:\Windows\tasks\ErrorEND.job
[2011/04/05 15:42:14 | 000,002,125 | ---- | M] () -- C:\Windows\epplauncher.mif
[2011/04/04 08:10:31 | 000,001,903 | ---- | M] () -- C:\Users\Public\Desktop\Sprint SmartView.lnk
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/04/11 11:53:12 | 000,085,659 | ---- | C] () -- C:\Users\Mansur\Desktop\OTL - No Disk error.jpg
[2011/04/11 11:24:45 | 001,263,721 | ---- | C] () -- C:\Users\Mansur\Desktop\tdsskiller.zip
[2011/04/07 17:53:04 | 000,625,664 | ---- | C] () -- C:\Users\Mansur\Desktop\dds.scr
[2011/04/07 17:53:01 | 000,293,019 | ---- | C] () -- C:\Users\Mansur\Desktop\gmer.zip
[2011/04/07 17:48:59 | 938,008,576 | -HS- | C] () -- C:\hiberfil.sys
[2011/04/05 16:16:16 | 000,000,384 | ---- | C] () -- C:\Windows\tasks\ErrorEND.job
[2011/04/05 15:49:21 | 000,001,808 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Security Essentials.lnk
[2011/04/05 15:42:13 | 000,002,125 | ---- | C] () -- C:\Windows\epplauncher.mif
[2011/04/04 08:10:31 | 000,001,903 | ---- | C] () -- C:\Users\Public\Desktop\Sprint SmartView.lnk
[2011/01/16 16:00:06 | 000,000,058 | -HS- | C] () -- C:\Windows\System32\User.ini
[2011/01/16 16:00:01 | 000,764,928 | ---- | C] () -- C:\Windows\System32\drivers\lzgkocmvv.sys
[2010/03/31 08:04:15 | 000,000,680 | ---- | C] () -- C:\Users\Mansur\AppData\Local\d3d9caps.dat
[2009/09/23 23:51:31 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/09/23 23:51:30 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/03/03 04:01:37 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009/03/02 10:55:35 | 000,008,192 | ---- | C] () -- C:\Users\Mansur\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/02/26 08:32:16 | 000,012,054 | R--- | C] () -- C:\Windows\hpwscr20.dat
[2009/02/26 08:29:53 | 000,178,639 | ---- | C] () -- C:\Windows\hpwins20.dat
[2009/02/26 08:29:53 | 000,002,428 | R--- | C] () -- C:\Windows\hpwmdl20.dat
[2009/02/24 03:39:47 | 000,001,732 | ---- | C] () -- C:\Windows\System32\drivers\nvphy.bin
[2008/03/05 15:41:58 | 000,024,840 | ---- | C] () -- C:\Windows\System32\drivers\swmsflt.sys
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:37 | 000,415,264 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,606,364 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,104,964 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat

< End of report >




OTL Extras logfile created on: 4/11/2011 2:17:01 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Users\Mansur\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18975)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

894.00 Mb Total Physical Memory | 201.00 Mb Available Physical Memory | 23.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 53.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 931.51 Gb Total Space | 753.21 Gb Free Space | 80.86% Space Free | Partition Type: NTFS

Computer Name: MANSUR-PC | User Name: Mansur | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{B70D33C8-C761-43BA-9612-EF5B8886BAFE}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{CB8052D4-8CC1-4957-AF74-587654D6EE54}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{E42509C1-8BEE-4496-8A17-07D55CCB8E1D}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{E9F50593-A0AB-4CC3-92A7-FB4C18E0B8C0}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe |
"{F93E07E8-6D31-48DD-AAD9-0D27F5C292C8}" = lport=6004 | protocol=17 | dir=in | app=c:\program files\microsoft office\office12\outlook.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0979CE71-500C-44F6-B791-50F020A11F1E}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{228156BD-4F64-4854-8962-81ECA6EEC3D1}" = protocol=17 | dir=in | app=c:\program files\symantec antivirus\rtvscan.exe |
"{31B19D1C-05D5-4E8C-85DC-44108C9CA6C2}" = protocol=17 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe |
"{5AAF3581-14FA-4F13-A15C-0BF874F60277}" = protocol=6 | dir=in | app=c:\program files\symantec antivirus\rtvscan.exe |
"{5E60DB79-6AFC-46A6-B535-39D025296A36}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{5EB1E394-11EB-448E-9170-F92B7B7F4B4A}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{6C0F347D-5D7F-4867-959A-C85892BFC419}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{8B18FF1C-AB2F-4908-91A1-E9BB42942BC6}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{971F6ADC-452E-4FA8-839C-33B1096F0D75}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"{A7ACBE6A-B0F8-469B-B93A-33D5837E4070}" = protocol=6 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe |
"{AAF4CC04-402F-4B5C-90F8-E114F634859B}" = protocol=6 | dir=in | app=c:\program files\microsoft office\office12\onenote.exe |
"{AE6686A6-7943-4427-AEA3-2224F48BE690}" = protocol=17 | dir=in | app=c:\program files\microsoft office\office12\groove.exe |
"TCP Query User{8477F1FA-C560-4B99-ABA2-50062153D529}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{A0D2A371-BA35-42ED-98F3-65B2B6F4F45D}C:\programdata\4545bd7\cu4545.exe" = protocol=6 | dir=in | app=c:\programdata\4545bd7\cu4545.exe |
"TCP Query User{EB834802-871F-44F3-8035-9B384A761D3F}C:\programdata\4545bd7\cu4545.exe" = protocol=6 | dir=in | app=c:\programdata\4545bd7\cu4545.exe |
"UDP Query User{2EC4B619-9F63-430D-8144-2F13393FA13E}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{6E827A97-F0B1-466D-A9A2-27BC1615ADBB}C:\programdata\4545bd7\cu4545.exe" = protocol=17 | dir=in | app=c:\programdata\4545bd7\cu4545.exe |
"UDP Query User{E153F087-D86B-4B8E-8164-78DF3BDFF2B2}C:\programdata\4545bd7\cu4545.exe" = protocol=17 | dir=in | app=c:\programdata\4545bd7\cu4545.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0E549A13-2B3D-4633-BA41-DC88C2D6F9A3}" = ProductContext
"{0EC7C406-B592-4686-BAC1-AD29A85EAE6A}" = HP Driver Diagnostics
"{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
"{1147FF9A-D576-4cb5-B5E7-FCA21D1E7D26}" = J4680
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{188C0E25-3D65-4DAC-9C00-7483FBA4C7EB}" = Status
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2614F54E-A828-49FA-93BA-45A3F756BFAA}" = 32 Bit HP CIO Components Installer
"{34BFB099-07B2-4E95-A673-7362D60866A2}" = PSSWCORE
"{3825B383-7880-48C8-AADD-49B0D764B151}" = 4660_4680_Help
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{50802F8E-03B4-479D-A643-16DE5A3586CB}" = BPDSoftware_Ini
"{5109C064-813E-4e87-B0DE-C8AF7B5BC02B}" = SmartWebPrintingOC
"{52A69E11-7CEB-4a7d-9607-68BA4F39A89B}" = DeviceDiscovery
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{5ACE69F0-A3E8-44eb-88C1-0A841E700180}" = TrayApp
"{5BB4D7C1-52F2-4BFD-9E40-0D419E2E3021}" = bpd_scan
"{67335AB1-6341-4f87-A5B4-7FA92CEB77A4}" = HP Officejet All-In-One Series
"{679EC478-3FF9-4987-B2FF-C2C2B27532A2}" = DocProc
"{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C28BDA4-6D99-4DD0-9F22-6A90A445E982}" = Symantec AntiVirus
"{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
"{774088D4-0777-4D78-904D-E435B318F5D2}" = Microsoft Antimalware
"{77A776C4-D10F-416D-88F0-53F2D9DCD9B3}" = Microsoft Security Client
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan
"{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}" = iTunes
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A93944F2-D2D4-4750-BFE7-9A288FEAF2CF}" = Apple Application Support
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
"{ABA00898-9467-4689-9F40-DE7F58C8429C}" = Fax
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B8DBED1E-8BC3-4d08-B94A-F9D7D88E9BBF}" = HPSSupply
"{BAD0FA60-09CF-4411-AE6A-C2844C8812FA}" = HP Photosmart Essential 2.5
"{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D142FE39-3386-4d82-9AD3-36D4A92AC3C2}" = DocMgr
"{D2E0F0CC-6BE0-490b-B08B-9267083E34C9}" = MarketResearch
"{D3737952-FF6E-4E72-BDEE-B0DC1C69F80B}" = BPD_HPSU
"{D99A8E3A-AE5A-4692-8B19-6F16D454E240}" = Destination Component
"{E08DC77E-D09A-4e36-8067-D6DBBCC5F8DC}" = VideoToolkit01
"{E7112940-5F8E-4918-B9FE-251F2F8DC81F}" = AIO_CDB_ProductContext
"{EAFEF30E-3789-49C7-A6D9-77C12E005BAC}" = Safari
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F4EAEBEA-3E46-43b8-A63C-AD180AE86918}" = BPDSoftware
"{FC516A10-B335-4FB5-8EA2-0DB8E57E044C}" = Sprint SmartView
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.1.0 Professional
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200C14F1" = Soft Data Fax Modem with SmartCP
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ENTERPRISE" = Microsoft Office Enterprise 2007
"HP Document Manager" = HP Document Manager 1.0
"HP Imaging Device Functions" = HP Imaging Device Functions 10.0
"HP Photosmart Essential" = HP Photosmart Essential 2.5
"HP Smart Web Printing" = HP Smart Web Printing
"HPExtendedCapabilities" = HP Customer Participation Program 10.0
"HPOCR" = OCR Software by I.R.I.S. 10.0
"LiveUpdate" = LiveUpdate 3.2 (Symantec Corporation)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft Security Client" = Microsoft Security Essentials
"MVApplication1" = Memorex exPressit Label Design Studio
"NVIDIA Drivers" = NVIDIA Drivers
"Shop for HP Supplies" = Shop for HP Supplies
"Walmart MP3 Music Downloads" = Walmart MP3 Music Downloads
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Toolbar" = Yahoo! Toolbar

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1332280451-3487225366-4135253625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Yahoo! BrowserPlus" = Yahoo! BrowserPlus

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/7/2011 7:14:30 PM | Computer Name = Mansur-PC | Source = Perflib | ID = 1010
Description =

Error - 4/7/2011 8:24:04 PM | Computer Name = Mansur-PC | Source = SPP | ID = 16387
Description =

Error - 4/7/2011 8:24:05 PM | Computer Name = Mansur-PC | Source = System Restore | ID = 8193
Description =

Error - 4/7/2011 8:24:05 PM | Computer Name = Mansur-PC | Source = System Restore | ID = 8210
Description =

Error - 4/8/2011 1:00:29 AM | Computer Name = Mansur-PC | Source = SPP | ID = 16387
Description =

Error - 4/8/2011 1:00:29 AM | Computer Name = Mansur-PC | Source = System Restore | ID = 8193
Description =

Error - 4/8/2011 1:00:29 AM | Computer Name = Mansur-PC | Source = System Restore | ID = 8210
Description =

Error - 4/8/2011 4:34:01 AM | Computer Name = Mansur-PC | Source = Symantec AntiVirus | ID = 16711726
Description = Security Risk Found!Risk: Trojan.Gen in File: C:\Windows\System32\drivers\LZGKOC~1.SYS
by: Scheduled scan. Action: Clean failed : Quarantine failed. Action Description:
The file was left unchanged.

Error - 4/8/2011 4:36:16 AM | Computer Name = Mansur-PC | Source = Symantec AntiVirus | ID = 16711731
Description = Security Risk Found!Risk: Trojan.Gen in File: C:\Windows\System32\drivers\LZGKOC~1.SYS
by: Scheduled scan. Action: Clean failed : Quarantine failed. Action Description:
Risk was partially removed.

Error - 4/8/2011 5:11:11 AM | Computer Name = Mansur-PC | Source = Symantec AntiVirus | ID = 16711685
Description = Risk: in File: lzgkocmvv by: Scheduled scan. Action: Clean failed
: Quarantine failed. Action Description: The file was left unchanged. Risk: in
File: Internet browser temporary file cache by: Scheduled scan. Action: Clean
failed : Quarantine failed. Action Description: The file was deleted successfully.



[ OSession Events ]
Error - 3/4/2010 11:33:13 PM | Computer Name = Mansur-PC | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6514.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 3776
seconds with 2880 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 4/11/2011 2:41:40 PM | Computer Name = Mansur-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 0.0.0.0 Update Source: %%851 Update Stage: %%852

Source
Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&avdelta=0.0.0.0&asdelta=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

Signature
Type: %%800 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 0.0.0.0 Error code: 0x80072ee7 Error description: The server
name or address could not be resolved

Error - 4/11/2011 2:41:40 PM | Computer Name = Mansur-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 0.0.0.0 Update Source: %%851 Update Stage: %%852

Source
Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&avdelta=0.0.0.0&asdelta=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

Signature
Type: %%801 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 0.0.0.0 Error code: 0x80072ee7 Error description: The server
name or address could not be resolved

Error - 4/11/2011 2:41:40 PM | Computer Name = Mansur-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 0.0.0.0 Update Source: %%851 Update Stage: %%852

Source
Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&avdelta=0.0.0.0&asdelta=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

Signature
Type: %%800 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 0.0.0.0 Error code: 0x80072ee7 Error description: The server
name or address could not be resolved

Error - 4/11/2011 2:41:40 PM | Computer Name = Mansur-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 0.0.0.0 Update Source: %%851 Update Stage: %%852

Source
Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&avdelta=0.0.0.0&asdelta=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

Signature
Type: %%801 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 0.0.0.0 Error code: 0x80072ee7 Error description: The server
name or address could not be resolved

Error - 4/11/2011 2:41:40 PM | Computer Name = Mansur-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 0.0.0.0 Update Source: %%851 Update Stage: %%852

Source
Path: http://go.microsoft.com/fwlink/?LinkID=121721&clcid=0x409&arch=x86&eng=0.0.0.0&avdelta=0.0.0.0&asdelta=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

Signature
Type: %%800 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 0.0.0.0 Error code: 0x80072ee7 Error description: The server
name or address could not be resolved

Error - 4/11/2011 2:41:40 PM | Computer Name = Mansur-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 0.0.0.0 Update Source: %%851 Update Stage: %%852

Source
Path: http://go.microsoft.com/fwlink/?LinkID=187316&clcid=0x409&arch=x86&eng=0.0.0.0&sig=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

Signature
Type: %%800 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 0.0.0.0 Error code: 0x80072ee7 Error description: The server
name or address could not be resolved

Error - 4/11/2011 2:41:40 PM | Computer Name = Mansur-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 0.0.0.0 Update Source: %%851 Update Stage: %%852

Source
Path: http://go.microsoft.com/fwlink/?LinkID=187316&clcid=0x409&arch=x86&eng=0.0.0.0&sig=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

Signature
Type: %%801 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 0.0.0.0 Error code: 0x80072ee7 Error description: The server
name or address could not be resolved

Error - 4/11/2011 2:41:40 PM | Computer Name = Mansur-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 0.0.0.0 Update Source: %%851 Update Stage: %%852

Source
Path: http://go.microsoft.com/fwlink/?LinkID=187316&clcid=0x409&arch=x86&eng=0.0.0.0&sig=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

Signature
Type: %%800 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 0.0.0.0 Error code: 0x80072ee7 Error description: The server
name or address could not be resolved

Error - 4/11/2011 2:41:40 PM | Computer Name = Mansur-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 0.0.0.0 Update Source: %%851 Update Stage: %%852

Source
Path: http://go.microsoft.com/fwlink/?LinkID=187316&clcid=0x409&arch=x86&eng=0.0.0.0&sig=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

Signature
Type: %%801 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 0.0.0.0 Error code: 0x80072ee7 Error description: The server
name or address could not be resolved

Error - 4/11/2011 2:41:40 PM | Computer Name = Mansur-PC | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 0.0.0.0 Update Source: %%851 Update Stage: %%852

Source
Path: http://go.microsoft.com/fwlink/?LinkID=187316&clcid=0x409&arch=x86&eng=0.0.0.0&sig=0.0.0.0&prod=EDB4FA23-53B8-4AFA-8C5D-99752CCA7094

Signature
Type: %%800 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 0.0.0.0 Error code: 0x80072ee7 Error description: The server
name or address could not be resolved


< End of report >

Hi Blake,

I can see that you're still infected. Your host file has become hijacked with malicious entries that are causing your computer to redirect your google searches to a malicious site. I'll fix this issue shortly.


____________________________________________________



Questions:


Do you plan on using Symantec or Microsoft Security Essentials as your Anti-Virus program?

Do you recognize this file?

[2011/04/05 17:01:34 | 000,000,384 | ---- | M] () -- C:\Windows\tasks\ErrorEND.job


____________________________________________________

The main infection that you were infected with is called TDL4.

See the snippet of text below:

Quote

You can read more about this infection here:

• TDL4 Rootkit - Bootkit
  
• TDSS: Rootkit technologies from the beginning
  
• TDL3: The Rootkit of All Evil?
  
• Backdoor.Tdss.565
  
• TDL3: Part I A detailed analysis of TDL rootkit 3rd generation

Special thanks to quietman7 for providing the above links.



NEXT:



OTL Fix

We need to run an OTL Fix

• Please reopen on your desktop.
  
• Copy and Paste the following code into the textbox.
  
  

  :Services
  :OTL
  IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
  IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8893
  IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
  IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8893
  O4 - HKLM..\Run: [] File not found
  O33 - MountPoints2\{09413ebc-383c-11df-9b61-001a92232baf}\Shell - "" = AutoRun
  O33 - MountPoints2\{09413ebc-383c-11df-9b61-001a92232baf}\Shell\AutoRun\command - "" = I:\LaunchU3.exe
  O33 - MountPoints2\{3f8e5bee-5ebb-11e0-9209-001a92232baf}\Shell - "" = AutoRun
  O33 - MountPoints2\{3f8e5bee-5ebb-11e0-9209-001a92232baf}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL I:\AppLaunch.exe AUTORUN=1
  O33 - MountPoints2\{ec7504c4-09af-11de-a271-001a92232baf}\Shell - "" = AutoRun
  O33 - MountPoints2\{ec7504c4-09af-11de-a271-001a92232baf}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
  [1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
  [1 C:\*.tmp files -> C:\*.tmp -> ]
  [2011/04/11 14:21:29 | 000,764,928 | ---- | M] () -- C:\Windows\System32\drivers\lzgkocmvv.sys
  [2011/01/16 16:00:06 | 000,000,058 | -HS- | C] () -- C:\Windows\System32\User.ini
  [2011/01/16 16:00:01 | 000,764,928 | ---- | C] () -- C:\Windows\System32\drivers\lzgkocmvv.sys
  :Reg
  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
  "TCP Query User{A0D2A371-BA35-42ED-98F3-65B2B6F4F45D}C:\programdata\4545bd7\cu4545.exe"=-
  "TCP Query User{EB834802-871F-44F3-8035-9B384A761D3F}C:\programdata\4545bd7\cu4545.exe"=-
  "UDP Query User{6E827A97-F0B1-466D-A9A2-27BC1615ADBB}C:\programdata\4545bd7\cu4545.exe"=-
  "UDP Query User{E153F087-D86B-4B8E-8164-78DF3BDFF2B2}C:\programdata\4545bd7\cu4545.exe"=-
  :Files
  c:\programdata\4545bd7\
  ipconfig /flushdns /c
  :Commands
  [purity]
  [resethosts]
  [CreateRestorePoint]
  [emptytemp]
  [EMPTYFLASH]
  

  
  
  
• Push
  
• OTL may ask to reboot the machine. Please do so if asked.
  
• Click .
  
• A report will open. Copy and Paste that report in your next reply.
  
• If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

NEXT:



Running ComboFix
Download Combofix from either of the links below, and save it to your desktop.

Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Note: If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If for some reason these applications will not uninstall, try uninstalling with AppRemover by Opswat.
--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.

When finished, it will produce a report for you.

• Please post the C:\ComboFix.txt for further review.

Running scans/fixes requested:

SweetTech, on 12 April 2011 - 03:31 PM, said:

Not sure. It's my parents computer, so it really comes down to the easiest interface with the best protection. Do you have a recommendation? I've always used Symantec, however I was trying to install MS Sec Ess to see how it ran while attempting to clean on my own. I don't know enough about MS Sec Ess to make an informed decision.

SweetTech, on 12 April 2011 - 03:31 PM, said:

No, I was wondering what that file was as well.

I think Microsoft Security Essentials might be easier to navigate for your parents and lighter on the resources.

Quote

Okay, I'll try and get a closer look at it a little later.

Sounds good to me. Let me know when you want me to uninstall Symantec.




All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable|dword:0 /E : value set successfully!
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{09413ebc-383c-11df-9b61-001a92232baf}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09413ebc-383c-11df-9b61-001a92232baf}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{09413ebc-383c-11df-9b61-001a92232baf}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09413ebc-383c-11df-9b61-001a92232baf}\ not found.
File I:\LaunchU3.exe not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f8e5bee-5ebb-11e0-9209-001a92232baf}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3f8e5bee-5ebb-11e0-9209-001a92232baf}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3f8e5bee-5ebb-11e0-9209-001a92232baf}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3f8e5bee-5ebb-11e0-9209-001a92232baf}\ not found.
File C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL I:\AppLaunch.exe AUTORUN=1 not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ec7504c4-09af-11de-a271-001a92232baf}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ec7504c4-09af-11de-a271-001a92232baf}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ec7504c4-09af-11de-a271-001a92232baf}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{ec7504c4-09af-11de-a271-001a92232baf}\ not found.
File E:\LaunchU3.exe -a not found.
C:\Windows\System32\SETE96C.tmp deleted successfully.
C:\DFR72D0.tmp deleted successfully.
File C:\Windows\System32\drivers\lzgkocmvv.sys not found.
C:\Windows\System32\User.ini moved successfully.
File C:\Windows\System32\drivers\lzgkocmvv.sys not found.
========== REGISTRY ==========
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{A0D2A371-BA35-42ED-98F3-65B2B6F4F45D}C:\programdata\4545bd7\cu4545.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\TCP Query User{EB834802-871F-44F3-8035-9B384A761D3F}C:\programdata\4545bd7\cu4545.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{6E827A97-F0B1-466D-A9A2-27BC1615ADBB}C:\programdata\4545bd7\cu4545.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\UDP Query User{E153F087-D86B-4B8E-8164-78DF3BDFF2B2}C:\programdata\4545bd7\cu4545.exe deleted successfully.
========== FILES ==========
c:\programdata\4545bd7\Quarantine Items folder moved successfully.
c:\programdata\4545bd7\CUASys folder moved successfully.
c:\programdata\4545bd7\BackUp folder moved successfully.
c:\programdata\4545bd7 folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Mansur\Desktop\cmd.bat deleted successfully.
C:\Users\Mansur\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully


[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Mansur
->Temp folder emptied: 710903716 bytes
->Temporary Internet Files folder emptied: 115717875 bytes
->Flash cache emptied: 2090916 bytes

User: Mark
->Temp folder emptied: 17450484 bytes
->Temporary Internet Files folder emptied: 121146866 bytes
->Flash cache emptied: 26012 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 9505301 bytes
RecycleBin emptied: 1149203721 bytes

Total Files Cleaned = 2,028.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: Mansur
->Flash cache emptied: 0 bytes

User: Mark
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04132011_091937

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\MpCmdRun.log scheduled to be moved on reboot.
File\Folder C:\Windows\temp\TMP00000026D7B38E24F839335E not found!

Registry entries deleted on Reboot...




ComboFix 11-04-12.02 - Mansur 04/13/2011 10:05:43.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.894.192 [GMT -5:00]
Running from: c:\users\Mansur\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Enabled/Outdated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Outdated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Adobe Systems
c:\programdata\Adobe Systems\Product licenses\B2896000.dat
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.dll
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\ANTIGEN.drv
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\CLSV.dll
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\CLSV.sys
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\eb.dll
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\eb.exe
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\energy.tmp
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\exec.dll
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\exec.drv
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\exec.exe
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\fan.sys
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\FS.dll
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\FW.tmp
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\gid.sys
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\grid.drv
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\hymt.dll
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\hymt.drv
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\kernel32.dll
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\kernel32.exe
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\kernel32.sys
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\PE.dll
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\PE.drv
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\ppal.sys
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\runddl.tmp
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\SICKBOY.exe
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\std.sys
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\tjd.dll
c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Recent\tjd.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-03-13 to 2011-04-13 )))))))))))))))))))))))))))))))
.
.
2011-04-13 15:15 . 2011-04-13 15:15 -------- d-----w- c:\users\Mansur\AppData\Local\temp
2011-04-13 14:19 . 2011-04-13 14:19 -------- d-----w- C:\_OTL
2011-04-12 08:13 . 2011-04-12 08:13 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2011-04-11 19:08 . 2010-10-12 15:53 33280 ----a-w- c:\program files\Windows Mail\wabfind.dll
2011-04-11 19:08 . 2010-10-12 13:41 66048 ----a-w- c:\program files\Windows Mail\wabmig.exe
2011-04-11 19:08 . 2010-10-12 13:41 515584 ----a-w- c:\program files\Windows Mail\wab.exe
2011-04-11 19:08 . 2010-12-28 15:55 413696 ----a-w- c:\windows\system32\odbc32.dll
2011-04-11 19:08 . 2010-12-28 15:53 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2011-04-11 19:08 . 2010-12-28 15:53 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
2011-04-11 19:08 . 2010-12-28 15:53 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
2011-04-11 19:08 . 2010-12-28 15:53 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
2011-04-11 19:08 . 2010-12-28 15:53 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
2011-04-11 19:06 . 2010-10-19 04:27 7680 ----a-w- c:\program files\Internet Explorer\iecompat.dll
2011-04-11 17:31 . 2010-12-29 18:28 429056 ----a-w- c:\windows\system32\EncDec.dll
2011-04-11 17:31 . 2010-12-29 18:28 322560 ----a-w- c:\windows\system32\sbe.dll
2011-04-11 17:31 . 2010-12-29 18:28 153088 ----a-w- c:\windows\system32\sbeio.dll
2011-04-11 17:31 . 2010-12-29 18:26 177664 ----a-w- c:\windows\system32\mpg2splt.ax
2011-04-11 17:31 . 2010-11-04 18:55 352768 ----a-w- c:\windows\system32\taskschd.dll
2011-04-11 17:31 . 2010-11-04 18:55 601600 ----a-w- c:\windows\system32\schedsvc.dll
2011-04-11 17:31 . 2010-11-04 18:56 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
2011-04-11 17:31 . 2010-11-04 18:55 270336 ----a-w- c:\windows\system32\taskcomp.dll
2011-04-11 17:31 . 2010-11-04 16:34 171520 ----a-w- c:\windows\system32\taskeng.exe
2011-04-11 17:31 . 2010-10-18 13:37 81920 ----a-w- c:\windows\system32\consent.exe
2011-04-11 17:29 . 2010-10-28 13:20 2048 ----a-w- c:\windows\system32\tzres.dll
2011-04-11 17:28 . 2011-01-08 06:28 292352 ----a-w- c:\windows\system32\atmfd.dll
2011-04-11 17:28 . 2011-01-08 08:47 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-04-11 17:28 . 2010-06-16 15:30 72704 ----a-w- c:\windows\system32\fontsub.dll
2011-04-11 17:28 . 2010-12-17 15:45 2067968 ----a-w- c:\windows\system32\mstscax.dll
2011-04-11 17:28 . 2010-12-17 13:54 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-04-05 21:16 . 2011-04-05 21:16 -------- d-----w- c:\programdata\ErrorEND
2011-04-05 20:48 . 2011-04-05 20:50 -------- d-----w- c:\program files\Microsoft Security Client
2011-04-05 20:42 . 2010-11-16 17:01 6273872 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{8C5146A5-580A-4B78-A276-C286EA461E3D}\mpengine.dll
2011-04-05 20:41 . 2011-04-05 20:41 -------- d-----w- C:\76b20047533b0910f96e73c914ef36
2011-04-05 20:35 . 2011-04-05 20:35 -------- d-----w- C:\5e9db54071aae2fda39aeff65f5e22
2011-04-04 14:59 . 2011-04-04 14:59 -------- d-----w- c:\users\Mansur\AppData\Local\Sprint
2011-04-04 13:27 . 2007-10-12 22:04 27072 ----a-w- c:\windows\system32\drivers\PCASp50.sys
2011-04-04 13:24 . 2007-01-18 16:24 26496 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2011-04-04 13:10 . 2011-04-04 13:10 -------- d-----w- c:\program files\Common Files\Motorola Shared
2011-04-04 13:10 . 2011-04-04 13:10 -------- d-----w- C:\Research in Motion
2011-04-04 13:10 . 2011-04-04 13:10 -------- d-----w- c:\program files\Common Files\Research in Motion
2011-04-04 13:10 . 2011-04-04 13:10 -------- d-----w- c:\program files\Sierra Wireless
2011-04-04 13:09 . 2011-04-04 13:09 -------- d-----w- c:\program files\Common Files\PctelEapPeer Authentication
2011-04-04 13:09 . 2011-04-04 13:09 -------- d-----w- c:\program files\Novatel Wireless
2011-04-04 13:09 . 2011-04-04 13:09 -------- d-----w- c:\programdata\Sprint
2011-04-04 13:09 . 2011-04-04 13:09 -------- d-----w- c:\program files\Sprint
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-18 17:47 . 2011-02-18 17:47 749832 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-03 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-10-14 95848]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-10-14 134856]
"Sprint SmartView"="c:\program files\Sprint\Sprint SmartView\SprintSV.exe" [2008-03-10 17672]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
.
c:\users\Mark\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 2 (0x2)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Mansur^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Mansur\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2008-04-23 08:08 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-09-04 18:08 935288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 10:08 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 16:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
2008-06-02 07:55 80896 ----a-w- c:\program files\Hp\Digital Imaging\bin\HpqSRmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 22:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-12-21 00:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-05-23 03:49 13539872 ----a-w- c:\windows\System32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-05-23 03:49 92704 ----a-w- c:\windows\System32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2008-01-15 16:26 4874240 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2009-04-11 06:28 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-03-03 12:40 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 21:45 313472 ------w- c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile-based device management]
2006-11-02 09:45 215552 ----a-w- c:\windows\WindowsMobile\wmdSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WPCUMI]
2006-11-02 12:35 176128 ----a-w- c:\windows\System32\wpcumi.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 135664]
R3 CASprint;Sprint Con App Svc;c:\program files\Sprint\Sprint SmartView\ConAppsSvc.exe [2008-03-05 118784]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-10-14 122056]
R3 VST_DPV;VST_DPV;c:\windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\system32\DRIVERS\VSTBS23.SYS [2006-11-02 251904]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2011-04-04 102448]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - lzgkocmvv
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 04:28]
.
2011-04-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 04:28]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.ehsbr.org/podium/default.aspx?rc=1
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
LSP: c:\windows\system32\wpclsp.dll
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-CleanUp Antivirus - c:\programdata\4545bd7\CU4545.exe
MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-13 10:15
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
[0] 0x034FBEE8
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lzgkocmvv]
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-04-13 10:19:49
ComboFix-quarantined-files.txt 2011-04-13 15:19
.
Pre-Run: 812,382,609,408 bytes free
Post-Run: 812,299,251,712 bytes free
.
Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 2107E4ADCDCC3689CFAF1544202EE5E7