
WinXPsys44 (Rootkit.ADS) Removal



Malwarebytes has detected this rootkit but seems unable to remove it.

Malwarebytes' Anti-Malware 1.44

Database version: 3876

Windows 6.0.6002 Service Pack 2

Internet Explorer 7.0.6002.18005

3/17/2010 9:11:47 AM

mbam-log-2010-03-17 (09-11-28).txt

Scan type: Quick Scan

Objects scanned: 133941

Time elapsed: 4 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\system32:WinXPsys44 (Rootkit.ADS) -> No action taken.

attach.zip

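The detection line `C:\Windows\system32:WinXPsys44 (Rootkit.ADS)` is a named NTFS alternate data stream attached to the system32 directory itself, not a file inside it. Named streams on a directory never appear in Explorer or a plain `dir`, which is why the scanner can flag something the user cannot find. The following is an added example, not code from the thread or from Malwarebytes, showing how to list, export and delete such a stream from an elevated 64-bit Windows PowerShell. It assumes the host path and stream name from the log; it calls Win32 directly because the `-Stream` parameter on `Get-Item`/`Remove-Item` needs PowerShell 3.0 (not available on the Vista host in this thread) and .NET Framework's `FileStream` rejects the `path:stream` syntax. The OTL log shows Malwarebytes installed under `Program Files (x86)`, so the scanner was a 32-bit process subject to WOW64 file-system redirection; the stream it reported as `system32` may physically be on `SysWOW64`, and the listing below covers both.

```powershell
# Added example, not code from the thread. Enumerates, exports and deletes a
# named NTFS alternate data stream hung off a DIRECTORY, which is what the MBAM
# line "C:\Windows\system32:WinXPsys44" describes. Assumptions: an elevated
# 64-bit Windows PowerShell (2.0 is enough) and the names from the log.

Add-Type -Namespace Ads -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr CreateFileW(string name, uint access, uint share,
    IntPtr sa, uint disposition, uint flags, IntPtr template);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool ReadFile(IntPtr h, byte[] buf, uint toRead,
    out uint read, IntPtr overlapped);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool DeleteFileW(string name);
'@

function Get-NamedStreams {
    # "dir /r" (Vista and later) prints named streams for every entry it lists,
    # including directory entries such as system32, which plain "dir" and
    # Explorer hide. Listing C:\Windows from a 64-bit shell shows the streams on
    # both the system32 and the SysWOW64 entries, so WOW64 redirection of the
    # 32-bit scanner cannot make the stream "disappear".
    param([string]$Parent = 'C:\Windows')
    cmd.exe /c dir /r $Parent | Where-Object { $_ -match ':\$DATA\s*$' }
}

function Export-NamedStream {
    # Copy the stream's bytes out (hash them, keep them as evidence, submit them
    # to the vendor) before destroying it. Opening "dir:stream" opens the data
    # stream itself, not the directory, so CreateFile with GENERIC_READ works.
    param([string]$HostPath, [string]$Stream, [string]$OutFile)
    $GENERIC_READ = [uint32]0x80000000; $FILE_SHARE_READ = [uint32]1; $OPEN_EXISTING = [uint32]3
    # Braces are required: "$HostPath:$Stream" would parse as a scope qualifier.
    $h = [Ads.Native]::CreateFileW("${HostPath}:$Stream", $GENERIC_READ, $FILE_SHARE_READ,
            [IntPtr]::Zero, $OPEN_EXISTING, 0, [IntPtr]::Zero)
    if ($h.ToInt64() -eq -1) {
        throw "CreateFile failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $out = [IO.File]::Create($OutFile)
    try {
        $buf = New-Object byte[] 65536
        [uint32]$n = 0
        while ([Ads.Native]::ReadFile($h, $buf, $buf.Length, [ref]$n, [IntPtr]::Zero) -and $n -gt 0) {
            $out.Write($buf, 0, $n)
        }
    } finally {
        $out.Close()
        [void][Ads.Native]::CloseHandle($h)
    }
    # SHA-256 of the exported bytes; computed with .NET so it works on PS 2.0 too.
    $sha = [Security.Cryptography.SHA256]::Create()
    $hash = [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($OutFile))) -replace '-', ''
    "{0}  {1}  ({2} bytes)" -f $hash, $OutFile, (Get-Item -LiteralPath $OutFile).Length
}

function Remove-NamedStream {
    # DeleteFileW on "path:stream" removes only that named stream; the host
    # directory and everything inside it are untouched.
    param([string]$HostPath, [string]$Stream)
    if (-not [Ads.Native]::DeleteFileW("${HostPath}:$Stream")) {
        throw "DeleteFile failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
}

# Usage with the names from the MBAM log. Repeat the export/remove pair with
# -HostPath 'C:\Windows\SysWOW64' if the listing shows the stream there instead.
Get-NamedStreams -Parent 'C:\Windows'
Export-NamedStream -HostPath 'C:\Windows\system32' -Stream 'WinXPsys44' -OutFile "$env:TEMP\WinXPsys44.bin"
Remove-NamedStream -HostPath 'C:\Windows\system32' -Stream 'WinXPsys44'
Get-NamedStreams -Parent 'C:\Windows'   # system32:WinXPsys44:$DATA should be gone
```

Two caveats a practitioner should check before trusting the result. If `dir /r` lists nothing while the scanner keeps flagging the stream, or if `CreateFile`/`DeleteFile` fail with access denied or a sharing violation on a directory you can otherwise write to, the component that planted the stream is still active and is filtering the user-mode view or holding the stream open; that is exactly the situation in which the boot-time and offline tools the staff ask for next (DDS, ComboFix, OTL) are needed, and user-mode deletion will not stick. Sysinternals `streams.exe -d` does the same deletion from the command line if you prefer a signed tool. Treat the exported bytes as hostile: hash and archive them, never execute them.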

  • Staff

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.

After you post that log, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


Malwarebytes' Anti-Malware 1.44

Database version: 3889

Windows 6.0.6002 Service Pack 2

Internet Explorer 7.0.6002.18005

3/20/2010 9:44:25 PM

mbam-log-2010-03-20 (21-44-21).txt

Scan type: Quick Scan

Objects scanned: 134884

Time elapsed: 5 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\system32:WinXPsys44 (Rootkit.ADS) -> No action taken.

DDS.txt


  • Staff

Hi,

Download OTL.exe by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe.
  • Click Run Scan and let the program run uninterrupted.
  • It will produce two logs for you: one will pop up (OTL.txt), the other will be saved on your Desktop (Extras.txt). Post both logs in this thread.
  • You may need to use two posts to get it all.


OTL.Txt

OTL logfile created on: 3/22/2010 11:42:57 PM - Run 1

OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\lhorton\Desktop

64bit-Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6002.18005)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 41.00% Memory free

8.00 Gb Paging File | 6.00 Gb Available in Paging File | 70.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 698.63 Gb Total Space | 225.94 Gb Free Space | 32.34% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 225.16 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: LOU001

Current User Name: lhorton

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Include 64bit Scans

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/22 23:42:02 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\lhorton\Desktop\OTL.exe

PRC - [2010/03/18 01:19:04 | 000,136,176 | ---- | M] (Google Inc.) -- C:\Program Files (x86)\Google\Update\1.2.183.23\GoogleCrashHandler.exe

PRC - [2010/01/07 16:07:10 | 000,429,392 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe

PRC - [2010/01/07 16:07:10 | 000,236,368 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2010/01/05 10:48:16 | 000,472,568 | ---- | M] (Turbine, Inc.) -- C:\Program Files (x86)\Turbine\Turbine Download Manager - Lamannia\TurbineDownloadManagerIcon.exe

PRC - [2010/01/05 10:48:16 | 000,271,856 | ---- | M] (Turbine, Inc.) -- C:\Program Files (x86)\Turbine\Turbine Download Manager - Lamannia\TurbineMessageService.exe

PRC - [2010/01/05 10:48:16 | 000,218,608 | ---- | M] (Turbine, Inc.) -- C:\Program Files (x86)\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe

PRC - [2009/12/16 22:02:16 | 000,045,056 | ---- | M] (Intuit) -- c:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

PRC - [2009/10/20 16:27:34 | 000,057,344 | ---- | M] (Apache Software Foundation) -- C:\Program Files (x86)\VMware\VMware Server\tomcat\bin\tomcat6.exe

PRC - [2009/10/20 16:22:06 | 000,399,920 | ---- | M] (VMware, Inc.) -- C:\Windows\SysWOW64\vmnat.exe

PRC - [2009/10/20 16:21:56 | 000,326,192 | ---- | M] (VMware, Inc.) -- C:\Windows\SysWOW64\vmnetdhcp.exe

PRC - [2009/10/20 16:21:20 | 000,322,096 | ---- | M] () -- C:\Program Files (x86)\VMware\VMware Server\vmware-hostd.exe

PRC - [2009/10/20 16:21:20 | 000,121,392 | ---- | M] (VMware, Inc.) -- C:\Program Files (x86)\VMware\VMware Server\vmware-authd.exe

PRC - [2009/10/13 14:00:00 | 000,495,432 | R--- | M] (WinZip Computing, S.L.) -- C:\Program Files (x86)\WinZip\WZQKPICK.EXE

PRC - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe

PRC - [2009/09/22 13:40:36 | 000,884,736 | ---- | M] () -- C:\Users\lhorton\AppData\Local\TVersity\Media Server\MediaServer.exe

PRC - [2009/02/23 20:43:12 | 000,576,000 | ---- | M] (MagicISO, Inc.) -- C:\Program Files (x86)\MagicDisc\MagicDisc.exe

PRC - [2008/09/19 07:30:34 | 003,674,112 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files (x86)\PostgreSQL\8.3\bin\postgres.exe

PRC - [2008/09/19 03:03:58 | 000,065,536 | ---- | M] (PostgreSQL Global Development Group) -- C:\Program Files (x86)\PostgreSQL\8.3\bin\pg_ctl.exe

PRC - [2007/10/25 16:33:22 | 000,563,984 | ---- | M] () -- C:\Program Files (x86)\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

PRC - [2007/10/25 16:32:58 | 000,407,824 | ---- | M] (Logitech Inc.) -- C:\Program Files (x86)\Common Files\LogiShrd\LQCVFX\COCIManager.exe

PRC - [2007/10/19 13:18:48 | 000,113,176 | ---- | M] (Logitech Inc.) -- c:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrS64H.exe

PRC - [2007/07/31 11:20:12 | 000,200,704 | ---- | M] () -- C:\Program Files (x86)\Schmads Inc\G15_TeamSpeak\G15_TeamSpeak.exe

PRC - [2007/06/27 20:04:00 | 001,213,736 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

PRC - [2007/06/27 20:03:40 | 000,152,872 | ---- | M] (Nero AG) -- C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe

PRC - [2007/06/06 17:35:18 | 001,261,568 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe

PRC - [2007/05/21 17:53:42 | 000,049,152 | ---- | M] (Sonic Focus, Inc.) -- C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe

PRC - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) -- C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe

PRC - [2006/12/13 21:02:08 | 000,134,808 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec AntiVirus\VPTray.exe

PRC - [2006/12/13 21:01:50 | 001,962,136 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe

PRC - [2006/12/13 21:01:38 | 000,030,872 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe

PRC - [2006/12/07 20:25:24 | 000,107,112 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe

PRC - [2006/12/07 20:25:06 | 000,107,624 | ---- | M] (Symantec Corporation) -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe

========== Modules (SafeList) ==========

MOD - [2010/03/22 23:42:02 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\lhorton\Desktop\OTL.exe

MOD - [2009/04/11 01:28:18 | 000,450,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\comdlg32.dll

MOD - [2007/10/19 13:19:10 | 000,109,080 | ---- | M] (Logitech Inc.) -- C:\Program Files (x86)\Common Files\LogiShrd\LVMVFM\LVPrcInj.dll

========== Win32 Services (SafeList) ==========

SRV:64bit: - [2009/09/24 20:26:26 | 001,142,272 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\FntCache.dll -- (FontCache)

SRV:64bit: - [2009/04/11 02:11:27 | 000,252,928 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\SysNative\umrdp.dll -- (UmRdpService)

SRV:64bit: - [2009/04/11 02:11:14 | 000,604,672 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\SysNative\cscsvc.dll -- (CscService)

SRV:64bit: - [2009/04/11 02:11:04 | 001,149,440 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\wbengine.exe -- (wbengine)

SRV:64bit: - [2008/05/06 11:56:08 | 002,601,848 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)

SRV:64bit: - [2008/01/19 03:06:50 | 000,383,544 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)

SRV:64bit: - [2008/01/19 03:00:52 | 000,195,584 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\appmgmts.dll -- (AppMgmt)

SRV:64bit: - [2008/01/19 03:00:17 | 000,689,152 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\SysNative\fxssvc.exe -- (Fax)

SRV:64bit: - [2007/10/19 13:20:42 | 000,171,032 | ---- | M] (Logitech Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)

SRV:64bit: - [2007/10/19 13:18:36 | 000,182,296 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcS64)

SRV:64bit: - [2007/10/19 13:17:04 | 000,255,000 | ---- | M] (Logitech Inc.) [Auto | Running] -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVCSer64.exe -- (LVCOMSer)

SRV:64bit: - [2007/06/06 18:41:54 | 000,089,088 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\SysNative\AEADISRV.EXE -- (AEADIFilters)

SRV - [2010/01/07 16:07:10 | 000,236,368 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2010/01/05 10:48:16 | 000,271,856 | ---- | M] (Turbine, Inc.) [Auto | Running] -- C:\Program Files (x86)\Turbine\Turbine Download Manager - Lamannia\TurbineMessageService.exe -- (PublicPreviewTurbineMessageService)

SRV - [2010/01/05 10:48:16 | 000,218,608 | ---- | M] (Turbine, Inc.) [On_Demand | Running] -- C:\Program Files (x86)\Turbine\Turbine Download Manager - Lamannia\TurbineNetworkService.exe -- (PublicPreviewTurbineNetworkService)

SRV - [2009/12/16 22:02:16 | 000,045,056 | ---- | M] (Intuit) [Auto | Running] -- c:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe -- (QBCFMonitorService)

SRV - [2009/12/03 20:46:39 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2009/10/21 12:33:38 | 000,316,664 | ---- | M] (Valve Corporation) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Steam\SteamService.exe -- (Steam Client Service)

SRV - [2009/10/20 16:27:34 | 000,057,344 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files (x86)\VMware\VMware Server\tomcat\bin\Tomcat6.exe -- (VMwareServerWebAccess)

SRV - [2009/10/20 16:22:06 | 000,399,920 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Windows\SysWOW64\vmnat.exe -- (VMware NAT Service)

SRV - [2009/10/20 16:21:56 | 000,326,192 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Windows\SysWOW64\vmnetdhcp.exe -- (VMnetDHCP)

SRV - [2009/10/20 16:21:20 | 000,322,096 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\VMware\VMware Server\vmware-hostd.exe -- (VMwareHostd)

SRV - [2009/10/20 16:21:20 | 000,121,392 | ---- | M] (VMware, Inc.) [Auto | Running] -- C:\Program Files (x86)\VMware\VMware Server\vmware-authd.exe -- (VMAuthdService)

SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)

SRV - [2009/09/22 13:40:36 | 000,884,736 | ---- | M] () [Auto | Running] -- C:\Users\lhorton\AppData\Local\TVersity\Media Server\MediaServer.exe -- (TVersityMediaServer)

SRV - [2009/07/23 22:10:38 | 000,061,440 | ---- | M] (Intuit Inc.) [On_Demand | Stopped] -- c:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe -- (QBFCService)

SRV - [2009/03/29 23:39:54 | 000,089,920 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_64)

SRV - [2008/10/25 11:44:08 | 000,065,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)

SRV - [2008/10/16 19:31:12 | 000,906,752 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL -- (HPSLPSVC)

SRV - [2008/09/19 03:03:58 | 000,065,536 | ---- | M] (PostgreSQL Global Development Group) [Auto | Running] -- C:\Program Files (x86)\PostgreSQL\8.3\bin\pg_ctl.exe -- (pgsql-8.3)

SRV - [2007/10/25 16:27:54 | 000,266,240 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)

SRV - [2007/10/18 12:31:54 | 000,098,328 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)

SRV - [2007/01/04 16:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation) [Auto | Running] -- C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe -- (Viewpoint Manager Service)

SRV - [2006/12/13 21:01:50 | 001,962,136 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)

SRV - [2006/12/13 21:01:38 | 000,030,872 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Symantec AntiVirus\DefWatch.exe -- (DefWatch)

SRV - [2006/12/07 20:25:06 | 000,107,624 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)

SRV - [2006/12/07 20:25:06 | 000,107,624 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)

SRV - [2006/11/02 08:34:14 | 000,000,000 | ---D | M] [unknown | Stopped] -- C:\Windows\SysWOW64\Msdtc -- (MSDTC)

SRV - [2006/11/02 01:35:15 | 000,060,994 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\SysWOW64\wbem\vds.mof -- (vds)

SRV - [2006/11/02 01:35:15 | 000,055,846 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\SysWOW64\wbem\vss.mof -- (VSS)

SRV - [2006/10/31 13:32:09 | 002,541,248 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_2.EXE -- (LiveUpdate)

========== Driver Services (SafeList) ==========

DRV:64bit: - [2010/01/07 16:07:06 | 000,022,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\SysNative\drivers\mbam.sys -- (MBAMProtector)

DRV:64bit: - [2009/12/11 08:14:44 | 000,834,544 | ---- | M] (Duplex Secure Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\SysNative\Drivers\sptd.sys -- (sptd)

DRV:64bit: - [2009/10/20 16:23:48 | 000,076,336 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\vmx86.sys -- (vmx86)

DRV:64bit: - [2009/10/20 16:23:44 | 000,030,256 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\vmnetuserif.sys -- (VMnetuserif)

DRV:64bit: - [2009/10/20 16:23:36 | 000,065,072 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\vmci.sys -- (vmci)

DRV:64bit: - [2009/10/20 16:22:54 | 000,038,448 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\hcmon.sys -- (hcmon)

DRV:64bit: - [2009/10/20 16:21:10 | 000,038,960 | ---- | M] (VMware, Inc.) [Kernel | Auto | Running] -- C:\Windows\SysNative\DRIVERS\vmnetbridge.sys -- (VMnetBridge)

DRV:64bit: - [2009/10/20 16:21:10 | 000,020,016 | ---- | M] (VMware, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\vmnetadapter.sys -- (VMnetAdapter)

DRV:64bit: - [2009/09/30 19:51:42 | 000,046,592 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)

DRV:64bit: - [2009/05/18 14:17:08 | 000,034,152 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\GEARAspiWDM.sys -- (GEARAspiWDM)

DRV:64bit: - [2009/04/11 02:15:30 | 000,160,744 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\fvevol.sys -- (fvevol)

DRV:64bit: - [2009/04/11 00:39:34 | 000,098,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)

DRV:64bit: - [2009/04/10 23:56:24 | 000,460,800 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\csc.sys -- (CSC)

DRV:64bit: - [2009/02/24 19:35:44 | 000,255,552 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\mcdbus.sys -- (mcdbus)

DRV:64bit: - [2008/11/21 03:15:54 | 000,029,184 | ---- | M] (Juniper Networks) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\dsNcAdX64.sys -- (dsNcAdpt)

DRV:64bit: - [2008/07/01 18:05:31 | 000,033,344 | ---- | M] (LogMeIn, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\hamachi.sys -- (hamachi)

DRV:64bit: - [2008/05/06 10:43:36 | 000,004,608 | ---- | M] (RealVNC Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\vncmirror.sys -- (vncmirror)

DRV:64bit: - [2008/02/08 11:26:45 | 000,006,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\IntelDH64.sys -- (IntelDH64)

DRV:64bit: - [2008/01/19 02:09:56 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\serscan.sys -- (StillCam)

DRV:64bit: - [2007/12/15 11:15:29 | 000,156,008 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\SYMEVENT64x86.SYS -- (SymEvent)

DRV:64bit: - [2007/12/06 10:51:00 | 000,391,680 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\yk60x64.sys -- (yukonx64)

DRV:64bit: - [2007/10/19 13:16:08 | 001,599,896 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\LVcKap64.sys -- (LVcKap64)

DRV:64bit: - [2007/10/11 18:58:28 | 000,030,232 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\LVPr2M64.sys -- (LVPr2M64)

DRV:64bit: - [2007/10/11 18:58:16 | 002,055,192 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\LVMVDrv.sys -- (LVMVDrv)

DRV:64bit: - [2007/09/13 20:40:34 | 000,060,184 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\WmXlCore.sys -- (WmXlCore)

DRV:64bit: - [2007/09/13 20:40:26 | 000,015,768 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WmVirHid.sys -- (WmVirHid)

DRV:64bit: - [2007/09/13 20:40:08 | 000,034,456 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\WmFilter.sys -- (WmFilter)

DRV:64bit: - [2007/09/13 20:40:00 | 000,022,040 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\WmBEnum.sys -- (WmBEnum)

DRV:64bit: - [2007/08/07 14:48:37 | 000,032,712 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\SysNative\Drivers\ElbyCDIO.sys -- (ElbyCDIO)

DRV:64bit: - [2007/07/29 13:51:02 | 000,070,656 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\jraid.sys -- (JRAID)

DRV:64bit: - [2007/07/19 07:15:12 | 000,432,640 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\ADIHdAud.sys -- (ADIHdAudAddService)

DRV:64bit: - [2007/05/11 17:31:02 | 003,612,704 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\DRIVERS\lvuvc64.sys -- (LVUVC64) QuickCam for Notebooks Pro(UVC)

DRV:64bit: - [2007/05/11 17:30:50 | 000,050,208 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\LVUSBS64.sys -- (LVUSBS64)

DRV:64bit: - [2007/02/15 19:57:06 | 000,040,648 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\Drivers\ElbyCDFL.sys -- (ElbyCDFL)

DRV:64bit: - [2006/11/22 19:17:10 | 000,426,392 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\Drivers\SRTSPL64.SYS -- (SRTSPL)

DRV:64bit: - [2006/11/22 19:17:10 | 000,394,600 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\SysNative\Drivers\SRTSP64.SYS -- (SRTSP)

DRV:64bit: - [2006/11/22 19:17:10 | 000,030,104 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysNative\Drivers\SRTSPX64.SYS -- (SRTSPX)

DRV:64bit: - [2006/11/02 00:28:10 | 000,273,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HdAudio.sys -- (HdAudAddService)

DRV:64bit: - [2006/10/31 18:23:42 | 000,015,680 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysNative\DRIVERS\ASACPI.sys -- (MTsensor)

DRV:64bit: - [2006/02/07 06:53:22 | 000,008,704 | ---- | M] (JMicron ) [Kernel | Boot | Running] -- C:\Windows\SysNative\DRIVERS\JGOGO.sys -- (JGOGO)

DRV - [2010/02/16 04:00:00 | 001,742,896 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20100319.003\ex64.sys -- (NAVEX15)

DRV - [2010/02/16 04:00:00 | 000,116,272 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20100319.003\eng64.sys -- (NAVENG)

DRV - [2009/08/27 03:00:00 | 000,475,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys -- (eeCtrl)

DRV - [2009/08/27 03:00:00 | 000,132,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)

DRV - [2009/02/24 19:35:44 | 000,255,552 | ---- | M] (MagicISO, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\drivers\mcdbus.sys -- (mcdbus)

DRV - [2007/12/15 01:26:42 | 000,001,088 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\wbem\mpsdrv.mof -- (mpsdrv)

DRV - [2007/12/14 23:19:25 | 000,000,000 | ---D | M] [Kernel | System | Running] -- C:\Windows\CSC -- (CSC)

DRV - [2007/02/15 19:57:06 | 000,040,648 | ---- | M] (SlySoft, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\drivers\ElbyCDFL.sys -- (ElbyCDFL)

DRV - [2007/02/07 13:27:46 | 000,014,104 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | Boot | Running] -- C:\Windows\SysWOW64\speedfan.sys -- (speedfan)

DRV - [2006/11/22 19:17:10 | 000,426,392 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysWOW64\drivers\srtspl64.sys -- (SRTSPL)

DRV - [2006/11/22 19:17:10 | 000,394,600 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\SysWOW64\drivers\srtsp64.sys -- (SRTSP)

DRV - [2006/11/22 19:17:10 | 000,030,104 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\SysWOW64\drivers\srtspx64.sys -- (SRTSPX)

DRV - [2006/11/02 08:22:54 | 000,492,000 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\Wdf01000.sys -- (Wdf01000)

DRV - [2006/09/18 16:36:40 | 000,003,066 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\SysWOW64\wbem\tcpip.mof -- (Tcpip)

DRV - [2006/04/20 17:42:02 | 000,081,920 | ---- | M] (Elaborate Bytes AG) [Kernel | System | Running] -- C:\Windows\SysWOW64\ElbyCDIO.dll -- (ElbyCDIO)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 2

IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: VMwareVMRC@vmware.com:2.5.0.122581

FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.5.4.20081105

FF - HKLM\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn2 [2010/03/15 09:30:36 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/02/01 10:09:45 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/02/01 10:09:37 | 000,000,000 | ---D | M]

[2010/02/01 10:09:53 | 000,000,000 | ---D | M] -- C:\Users\lhorton\AppData\Roaming\Mozilla\Extensions

[2010/03/17 10:12:41 | 000,000,000 | ---D | M] -- C:\Users\lhorton\AppData\Roaming\Mozilla\Firefox\Profiles\br65wqck.default\extensions

[2010/02/05 21:56:32 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\lhorton\AppData\Roaming\Mozilla\Firefox\Profiles\br65wqck.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2010/03/17 08:51:57 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\lhorton\AppData\Roaming\Mozilla\Firefox\Profiles\br65wqck.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}

[2010/02/16 16:59:39 | 000,000,000 | ---D | M] -- C:\Users\lhorton\AppData\Roaming\Mozilla\Firefox\Profiles\br65wqck.default\extensions\VMwareVMRC@vmware.com

[2010/02/01 10:09:37 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions

[2003/12/19 11:58:34 | 000,057,344 | ---- | M] (Playnet Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\NPplaynet.dll

O1 HOSTS File: ([2009/12/03 21:11:43 | 000,000,792 | ---- | M]) - C:\Windows\SysNative\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 activate.adobe.com

O1 - Hosts: ::1 localhost

O2:64bit: - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 9\DLLx64\SnagitBHO64.dll (TechSmith Corporation)

O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg64.dll (Google Inc.)

O2 - BHO: (SnagIt Toolbar Loader) - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files (x86)\TechSmith\Snagit 9\SnagitBHO.dll (TechSmith Corporation)

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.

O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)

O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_06\bin\ssv.dll (Sun Microsystems, Inc.)

O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)

O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)

O2 - BHO: (HP Smart BHO Class) - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)

O3:64bit: - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 9\DLLx64\SnagitIEAddin64.dll (TechSmith Corporation)

O3 - HKLM\..\Toolbar: (Snagit) - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files (x86)\TechSmith\Snagit 9\SnagitIEAddin.dll (TechSmith Corporation)

O3 - HKLM\..\Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No CLSID value found.

O3:64bit: - HKCU\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files (x86)\DAEMON Tools Toolbar\DTToolbar64.dll File not found

O4:64bit: - HKLM..\Run: [Launch LCDMon] C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe (Logitech Inc.)

O4:64bit: - HKLM..\Run: [Launch LGDCore] C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe (Logitech Inc.)

O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\Windows\SysNative\NvCpl.DLL (NVIDIA Corporation)

O4:64bit: - HKLM..\Run: [start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe (Logitech Inc.)

O4:64bit: - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)

O4 - HKLM..\Run: [ccApp] C:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)

O4 - HKLM..\Run: [CloneCDTray] C:\Program Files (x86)\SlySoft\CloneCD\CloneCDTray.exe (SlySoft, Inc.)

O4 - HKLM..\Run: [intuit SyncManager] C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe (Intuit Inc. All rights reserved.)

O4 - HKLM..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe ()

O4 - HKLM..\Run: [LogitechCommunicationsManager] C:\Program Files (x86)\Common Files\LogiShrd\LComMgr\Communications_Helper.exe ()

O4 - HKLM..\Run: [LogitechQuickCamRibbon] C:\Program Files (x86)\Logitech\QuickCam\Quickcam.exe ()

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [MRIPEUndo] D:\mri.exe File not found

O4 - HKLM..\Run: [soundMAXPnP] C:\Program Files (x86)\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)

O4 - HKLM..\Run: [soundTray] C:\Program Files (x86)\Analog Devices\SoundMAX\SoundTray.exe (Sonic Focus, Inc.)

O4 - HKLM..\Run: [Turbine Download Manager Tray Icon] C:\Program Files (x86)\Turbine\Turbine Download Manager - Lamannia\TurbineDownloadManagerIcon.exe (Turbine, Inc.)

O4 - HKLM..\Run: [vptray] C:\Program Files (x86)\Symantec AntiVirus\VPTray.exe (Symantec Corporation)

O4 - HKCU..\Run: [Aim6] File not found

O4 - HKCU..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe (Nero AG)

O4 - HKCU..\Run: [FBackup Scheduler] File not found

O4 - HKCU..\Run: [igndlm.exe] C:\Program Files (x86)\Download Manager\DLM.exe (IGN Entertainment)

O4 - Startup: C:\Users\lhorton\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MagicDisc.lnk = C:\Program Files (x86)\MagicDisc\MagicDisc.exe (MagicISO, Inc.)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideFastUserSwitching = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSaveSettings = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFind = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 149

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableClock = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0

O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_06\bin\ssv.dll (Sun Microsystems, Inc.)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)

O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files (x86)\ICQ6\ICQ.exe (ICQ, Inc.)

O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files (x86)\ICQ6\ICQ.exe (ICQ, Inc.)

O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)

O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files (x86)\VMware\VMware Server\vsocklib.dll (VMware, Inc.)

O10:64bit: - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files (x86)\VMware\VMware Server\vsocklib.dll (VMware, Inc.)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files (x86)\Bonjour\mdnsNSP.dll (Apple Computer, Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\Program Files (x86)\VMware\VMware Server\vsocklib.dll (VMware, Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\Program Files (x86)\VMware\VMware Server\vsocklib.dll (VMware, Inc.)

O13 - gopher Prefix: missing

O13 - gopher Prefix: missing

O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)

O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)

O16 - DPF: {B94C2238-346E-4C5E-9B36-8CC627F35574} Reg Error: Key error. (VMware Remote Console Plug-in 2.5.0.00000)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1

O18:64bit: - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found

O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found

O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)

O18 - Protocol\Handler\intu-help-qb3 {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - C:\Program Files (x86)\Intuit\QuickBooks 2010\HelpAsyncPluggableProtocol.dll (Intuit, Inc.)

O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)

O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)

O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)

O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)

O22:64bit: - SharedTaskScheduler: {E31004D1-A431-41B8-826F-E902F9D95C81} - Windows DreamScene - C:\Windows\SysNative\DreamScene.dll (Microsoft Corporation)

O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files (x86)\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/08/07 10:55:38 | 000,000,060 | R--- | M] () - E:\Autorun.inf -- [ CDFS ]

O33 - MountPoints2\{a3b76ebd-22e1-11dd-9f54-001d60bccccf}\Shell\AutoRun\command - "" = F:\BOOTEX\thumbcache_131.exe -- File not found

O33 - MountPoints2\{a3b76ebd-22e1-11dd-9f54-001d60bccccf}\Shell\explore\command - "" = F:\BOOTEX\thumbcache_131.exe -- File not found

O33 - MountPoints2\{a3b76ebd-22e1-11dd-9f54-001d60bccccf}\Shell\open\command - "" = F:\.\\BOOTEX\thumbcache_131.exe -- File not found

O33 - MountPoints2\{c0c27298-ab25-11dc-a307-001d60bccccf}\Shell - "" = AutoRun

O33 - MountPoints2\{c0c27298-ab25-11dc-a307-001d60bccccf}\Shell\AutoRun\command - "" = E:\autorun.exe -- File not found

O33 - MountPoints2\{cb40eaaf-02b6-11df-a3ac-001d60bccccf}\Shell - "" = AutoRun

O33 - MountPoints2\{cb40eaaf-02b6-11df-a3ac-001d60bccccf}\Shell\AutoRun\command - "" = E:\ScrabbleAutorun.exe -- [2009/09/04 10:46:48 | 000,330,168 | R--- | M] (TODO: <Company name>)

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found

O35:64bit: - HKLM\..comfile [open] -- "%1" %*

O35:64bit: - HKLM\..exefile [open] -- "%1" %*

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*

O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/03/22 23:42:01 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Users\lhorton\Desktop\OTL.exe

[2010/03/20 22:01:52 | 000,000,000 | ---D | C] -- C:\ProgramData\Scrabble2009

[2010/03/20 21:57:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Ubisoft

[2010/03/20 21:49:48 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW

[2010/03/17 10:11:37 | 000,000,000 | ---D | C] -- C:\ProgramData\WinZip

[2010/03/17 10:11:30 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\WinZip

[2010/03/17 09:05:41 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys

[2010/03/17 09:05:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware

[2010/03/15 09:44:33 | 000,000,000 | ---D | C] -- C:\Users\lhorton\Documents\My Scans

[2010/03/15 09:36:49 | 000,000,000 | ---D | C] -- C:\ProgramData\WEBREG

[2010/03/15 09:32:14 | 000,000,000 | ---D | C] -- C:\Users\lhorton\AppData\Roaming\HP

[2010/03/15 09:32:12 | 000,000,000 | ---D | C] -- C:\Users\lhorton\AppData\Local\HP

[2010/03/15 09:29:54 | 000,000,000 | ---D | C] -- C:\ProgramData\HP Product Assistant

[2010/03/15 09:27:44 | 000,000,000 | ---D | C] -- C:\Windows\hpoj6500e709

[2010/03/15 09:25:51 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\HP

[2010/03/15 09:25:50 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Hewlett-Packard

[2010/03/15 09:25:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Hewlett-Packard

[2010/03/15 09:24:40 | 000,362,328 | ---- | C] (Hewlett-Packard) -- C:\Windows\SysNative\hpzids40.dll

[2010/03/15 09:24:40 | 000,362,328 | ---- | C] (Hewlett-Packard) -- C:\hpzids40.dll

[2010/03/15 09:24:39 | 000,131,072 | ---- | C] (Hewlett-Packard Company) -- C:\Windows\SysNative\hpf3l082.dll

[2010/03/15 09:24:06 | 001,416,704 | ---- | C] (Hewlett-Packard Co.) -- C:\Windows\SysNative\hpwtiop4.dll

[2010/03/15 09:24:06 | 000,970,240 | ---- | C] (Hewlett-Packard) -- C:\Windows\SysNative\hpwwiax5.dll

[2010/03/15 09:24:06 | 000,540,672 | ---- | C] (Hewlett-Packard) -- C:\Windows\SysNative\hppldcoi.dll

[2010/03/15 09:24:06 | 000,508,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\difxapi.dll

[2010/03/15 09:24:06 | 000,488,960 | ---- | C] (Hewlett-Packard Co.) -- C:\Windows\SysNative\hpovst11.dll

[2010/03/15 09:23:32 | 000,000,000 | -H-D | C] -- C:\Config.Msi

[2010/03/15 09:23:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\HP

[2010/03/15 09:22:56 | 000,000,000 | ---D | C] -- C:\ProgramData\HP

[2010/03/11 04:06:57 | 000,032,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\nshhttp.dll

[2010/03/11 04:06:57 | 000,024,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\nshhttp.dll

[2010/03/11 04:06:52 | 000,033,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\httpapi.dll

[2010/03/11 04:06:51 | 000,030,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\httpapi.dll

[2010/03/03 09:42:02 | 000,000,000 | ---D | C] -- C:\Users\lhorton\Desktop\640-822 ICND1

[2010/02/24 05:58:43 | 000,538,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\secproc_isv.dll

[2010/02/24 05:58:43 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\secproc_isv.dll

[2010/02/24 05:58:43 | 000,471,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\secproc.dll

[2010/02/24 05:58:42 | 000,539,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\secproc.dll

[2010/02/24 05:58:41 | 000,600,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RMActivate_isv.exe

[2010/02/24 05:58:41 | 000,599,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RMActivate.exe

[2010/02/24 05:58:41 | 000,413,696 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RMActivate_ssp_isv.exe

[2010/02/24 05:58:41 | 000,409,600 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\RMActivate_ssp.exe

[2010/02/24 05:58:40 | 000,526,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RMActivate_isv.exe

[2010/02/24 05:58:40 | 000,518,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RMActivate.exe

[2010/02/24 05:58:40 | 000,347,136 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RMActivate_ssp.exe

[2010/02/24 05:58:40 | 000,346,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\RMActivate_ssp_isv.exe

[2010/02/24 05:58:40 | 000,160,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\secproc_ssp_isv.dll

[2010/02/24 05:58:40 | 000,160,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\secproc_ssp.dll

[2010/02/24 05:58:40 | 000,152,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\secproc_ssp_isv.dll

[2010/02/24 05:58:39 | 000,460,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\msdrm.dll

[2010/02/24 05:58:39 | 000,332,288 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\msdrm.dll

[2010/02/24 05:58:39 | 000,152,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\secproc_ssp.dll

[2010/02/24 05:58:37 | 001,927,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\gameux.dll

[2010/02/24 05:58:36 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\SysWow64\GameUXLegacyGDFs.dll

[2010/02/24 05:58:36 | 001,696,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\gameux.dll

[2010/02/24 05:58:36 | 000,032,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\Apphlpdm.dll

[2010/02/24 05:58:36 | 000,028,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysWow64\Apphlpdm.dll

[2010/02/24 05:58:35 | 004,240,384 | ---- | C] (Microsoft) -- C:\Windows\SysNative\GameUXLegacyGDFs.dll

[6 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/22 23:45:44 | 004,718,592 | -HS- | M] () -- C:\Users\lhorton\ntuser.dat

[2010/03/22 23:42:02 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Users\lhorton\Desktop\OTL.exe

[2010/03/22 23:41:41 | 000,000,524 | ---- | M] () -- C:\Windows\tasks\Malwarebytes' Scheduled Scan for lhorton.job

[2010/03/22 23:30:07 | 000,000,422 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{6BC3DA50-84A4-4C7D-AB7E-5519BDA26929}.job

[2010/03/22 23:24:00 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

[2010/03/22 23:20:18 | 000,003,680 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0

[2010/03/22 23:20:18 | 000,003,680 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0

[2010/03/22 20:46:16 | 000,004,533 | ---- | M] () -- C:\Windows\SysWow64\tversity.cookies

[2010/03/22 14:52:10 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job

[2010/03/22 02:00:00 | 000,000,510 | ---- | M] () -- C:\Windows\tasks\Malwarebytes' Scheduled Update for lhorton.job

[2010/03/22 01:24:00 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job

[2010/03/20 22:06:22 | 000,797,952 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI

[2010/03/20 22:06:22 | 000,669,074 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat

[2010/03/20 22:06:22 | 000,130,960 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat

[2010/03/20 21:52:11 | 000,000,976 | ---- | M] () -- C:\Users\lhorton\AppData\Local\7F68A003.il

[2010/03/20 21:52:11 | 000,000,488 | ---- | M] () -- C:\Users\lhorton\AppData\Local\IndexIE_7F68A003.il

[2010/03/20 21:47:12 | 003,895,855 | ---- | M] () -- C:\Users\lhorton\Desktop\ComboFix.exe

[2010/03/17 20:19:40 | 000,002,059 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk

[2010/03/17 10:15:41 | 000,012,420 | ---- | M] () -- C:\Users\lhorton\Desktop\attach.zip

[2010/03/17 10:11:49 | 000,001,930 | ---- | M] () -- C:\Users\Public\Desktop\WinZip.lnk

[2010/03/17 10:11:49 | 000,001,864 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

[2010/03/17 09:22:56 | 000,056,597 | ---- | M] () -- C:\ProgramData\nvModes.001

[2010/03/17 09:21:36 | 000,056,597 | ---- | M] () -- C:\ProgramData\nvModes.dat

[2010/03/17 09:20:12 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT

[2010/03/17 09:20:05 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat

[2010/03/17 09:18:29 | 000,524,288 | -HS- | M] () -- C:\Users\lhorton\ntuser.dat{1e8414f1-96b2-11dd-a671-001d60bccccf}.TMContainer00000000000000000001.regtrans-ms

[2010/03/17 09:18:29 | 000,065,536 | -HS- | M] () -- C:\Users\lhorton\ntuser.dat{1e8414f1-96b2-11dd-a671-001d60bccccf}.TM.blf

[2010/03/17 09:18:27 | 005,922,513 | -H-- | M] () -- C:\Users\lhorton\AppData\Local\IconCache.db

[2010/03/17 09:18:20 | 000,000,020 | ---- | M] () -- C:\Users\lhorton\defogger_reenable

[2010/03/17 09:17:47 | 000,050,477 | ---- | M] () -- C:\Users\lhorton\Desktop\Defogger.exe

[2010/03/17 09:05:44 | 000,000,882 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/03/17 09:04:07 | 467,035,136 | ---- | M] () -- C:\Users\lhorton\Desktop\kroeschell.pst

[2010/03/17 08:51:53 | 000,001,758 | ---- | M] () -- C:\Users\lhorton\Desktop\CCleaner.lnk

[2010/03/17 08:47:57 | 000,002,557 | ---- | M] () -- C:\Users\lhorton\Desktop\HiJackThis.lnk

[2010/03/15 09:32:28 | 000,186,562 | ---- | M] () -- C:\Windows\hpwins23.dat

[2010/03/15 09:32:03 | 000,000,371 | ---- | M] () -- C:\Windows\win.ini

[2010/03/15 09:30:49 | 000,002,036 | ---- | M] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

[2010/03/15 09:29:43 | 000,001,252 | ---- | M] () -- C:\Users\Public\Desktop\HP Solution Center.lnk

[2010/03/15 09:29:29 | 000,002,094 | ---- | M] () -- C:\Users\Public\Desktop\Shop for HP Supplies.lnk

[2010/03/15 02:00:04 | 000,000,508 | ---- | M] () -- C:\Windows\tasks\fba_Picture Backup.job

[2010/03/09 09:43:17 | 000,000,346 | ---- | M] () -- C:\Users\lhorton\Computer-Repair-Now.Com.QBW.ND

[2010/03/09 09:43:16 | 008,200,192 | R--- | M] () -- C:\Users\lhorton\Computer-Repair-Now.Com.QBW

[2010/03/09 09:43:16 | 003,670,016 | R--- | M] () -- C:\Users\lhorton\Computer-Repair-Now.Com.QBW.TLG

[2010/03/05 14:26:18 | 000,002,613 | ---- | M] () -- C:\Users\Public\Desktop\TurboTax 2009.lnk

[2010/02/26 22:26:32 | 000,105,208 | ---- | M] () -- C:\Users\lhorton\AppData\Local\GDIPFONTCACHEV1.DAT

[2010/02/25 04:26:09 | 002,315,344 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT

[6 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/20 21:47:10 | 003,895,855 | ---- | C] () -- C:\Users\lhorton\Desktop\ComboFix.exe

[2010/03/17 10:14:58 | 000,012,420 | ---- | C] () -- C:\Users\lhorton\Desktop\attach.zip

[2010/03/17 10:11:49 | 000,001,930 | ---- | C] () -- C:\Users\Public\Desktop\WinZip.lnk

[2010/03/17 10:11:49 | 000,001,864 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

[2010/03/17 09:18:19 | 000,000,020 | ---- | C] () -- C:\Users\lhorton\defogger_reenable

[2010/03/17 09:18:10 | 000,050,477 | ---- | C] () -- C:\Users\lhorton\Desktop\Defogger.exe

[2010/03/17 09:05:49 | 000,000,524 | ---- | C] () -- C:\Windows\tasks\Malwarebytes' Scheduled Scan for lhorton.job

[2010/03/17 09:05:46 | 000,000,510 | ---- | C] () -- C:\Windows\tasks\Malwarebytes' Scheduled Update for lhorton.job

[2010/03/17 09:05:44 | 000,000,882 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk

[2010/03/15 09:30:49 | 000,002,036 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

[2010/03/15 09:29:43 | 000,001,252 | ---- | C] () -- C:\Users\Public\Desktop\HP Solution Center.lnk

[2010/03/15 09:29:29 | 000,002,094 | ---- | C] () -- C:\Users\Public\Desktop\Shop for HP Supplies.lnk

[2010/03/15 09:23:05 | 000,186,562 | ---- | C] () -- C:\Windows\hpwins23.dat

[2010/03/15 09:22:48 | 000,001,847 | ---- | C] () -- C:\Windows\hpwmdl23.dat

[2010/01/29 09:41:36 | 000,000,090 | ---- | C] () -- C:\Windows\QBChanUtil_Trigger.ini

[2009/11/24 09:34:55 | 000,000,594 | -HS- | C] () -- C:\Windows\SysWow64\WinXPsys4.4.DLL

[2009/11/09 11:54:27 | 000,000,854 | -HS- | C] () -- C:\Windows\SysWow64\FTPAP.2.2.DLL

[2009/11/06 11:58:04 | 000,178,975 | ---- | C] () -- C:\Windows\SysWow64\xlive.dll.cat

[2009/11/03 21:47:23 | 000,000,613 | -HS- | C] () -- C:\Windows\SysWow64\FTPAP.2x.DLL

[2009/08/18 14:33:06 | 000,117,248 | ---- | C] () -- C:\Windows\SysWow64\EhStorAuthn.dll

[2009/08/18 14:32:15 | 000,368,640 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll

[2009/08/15 21:21:05 | 001,868,390 | ---- | C] () -- C:\Users\lhorton\AppData\Local\dd_NET_Framework35_x64_MSI60BB.txt

[2009/08/15 21:20:09 | 000,223,134 | ---- | C] () -- C:\Users\lhorton\AppData\Local\dd_depcheck_NETFX_EXP_35.txt

[2009/08/15 21:19:27 | 000,002,054 | ---- | C] () -- C:\Users\lhorton\AppData\Local\uxeventlog.txt

[2009/08/15 21:19:27 | 000,000,002 | ---- | C] () -- C:\Users\lhorton\AppData\Local\dd_dotnetfx35error.txt

[2009/08/15 21:19:26 | 000,410,024 | ---- | C] () -- C:\Users\lhorton\AppData\Local\dd_dotnetfx35install.txt

[2009/07/23 07:51:14 | 000,000,332 | ---- | C] () -- C:\Windows\WPE PRO.INI

[2009/07/10 14:27:39 | 000,000,095 | ---- | C] () -- C:\Users\lhorton\AppData\Local\fusioncache.dat

[2009/06/01 05:43:00 | 000,056,597 | ---- | C] () -- C:\ProgramData\nvModes.001

[2009/06/01 05:42:22 | 000,056,597 | ---- | C] () -- C:\ProgramData\nvModes.dat

[2009/03/30 19:13:31 | 000,000,552 | ---- | C] () -- C:\Users\lhorton\AppData\Local\d3d8caps.dat

[2009/02/23 15:35:42 | 000,811,584 | ---- | C] () -- C:\Windows\SysWow64\PerfStringBackup.INI

[2009/01/31 23:39:54 | 000,000,680 | ---- | C] () -- C:\Users\lhorton\AppData\Local\d3d9caps.dat

[2008/12/30 20:48:59 | 000,000,036 | ---- | C] () -- C:\Windows\webica.ini

[2008/11/27 16:30:21 | 000,000,073 | ---- | C] () -- C:\Windows\MediaManager.INI

[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelTraditionalChinese.dll

[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSwedish.dll

[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSpanish.dll

[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelSimplifiedChinese.dll

[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelPortugese.dll

[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelKorean.dll

[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelJapanese.dll

[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelGerman.dll

[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\Windows\SysWow64\AgCPanelFrench.dll

[2008/08/26 17:37:48 | 000,007,680 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll

[2008/08/26 17:37:48 | 000,000,547 | ---- | C] () -- C:\Windows\SysWow64\ff_vfw.dll.manifest

[2008/08/25 21:55:59 | 000,000,761 | ---- | C] () -- C:\Windows\m3jp2k.ini

[2008/08/25 21:55:59 | 000,000,714 | ---- | C] () -- C:\Windows\m3jpeg.ini

[2008/08/25 21:55:59 | 000,000,702 | ---- | C] () -- C:\Windows\mmtvmj.ini

[2008/08/25 21:55:57 | 000,019,968 | ---- | C] () -- C:\Windows\SysWow64\cpuinf32.dll

[2008/08/25 21:55:56 | 000,152,064 | ---- | C] () -- C:\Windows\SysWow64\unrar.dll

[2008/08/25 21:55:54 | 000,761,856 | ---- | C] () -- C:\Windows\SysWow64\xvidcore.dll

[2008/08/16 09:24:25 | 000,000,151 | ---- | C] () -- C:\Windows\PhotoSnapViewer.INI

[2008/06/28 22:38:43 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini

[2008/06/28 21:29:18 | 000,043,520 | ---- | C] () -- C:\Windows\SysWow64\CmdLineExt03.dll

[2008/06/10 13:01:04 | 000,000,067 | ---- | C] () -- C:\Windows\Easy Avi Divx Xvid to DVD Burner.INI

[2008/06/05 08:58:26 | 000,197,912 | ---- | C] () -- C:\Windows\SysWow64\physxcudart_20.dll

[2008/03/21 09:04:43 | 000,060,124 | ---- | C] () -- C:\Windows\SysWow64\tcpmon.ini

[2008/02/27 19:34:05 | 000,200,704 | ---- | C] () -- C:\Windows\SysWow64\teulKit.dll

[2008/02/02 09:39:59 | 000,001,667 | ---- | C] () -- C:\ProgramData\hpzinstall.log

[2008/01/18 08:21:29 | 000,000,145 | -H-- | C] () -- C:\Windows\SysWow64\CTLSW.INI

[2008/01/18 08:21:29 | 000,000,142 | ---- | C] () -- C:\Windows\SysWow64\SWCTL.DLL

[2008/01/14 21:10:40 | 000,070,144 | ---- | C] () -- C:\Users\lhorton\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2007/12/15 11:00:22 | 000,000,171 | ---- | C] () -- C:\Windows\QUICKEN.INI

[2007/12/15 09:56:50 | 000,000,041 | -HS- | C] () -- C:\ProgramData\.zreglib

[2007/12/15 09:27:00 | 000,000,976 | ---- | C] () -- C:\Users\lhorton\AppData\Local\7F68A003.il

[2007/12/15 09:27:00 | 000,000,488 | ---- | C] () -- C:\Users\lhorton\AppData\Local\IndexIE_7F68A003.il

[2007/12/14 23:37:01 | 000,016,982 | ---- | C] () -- C:\Windows\Ascd_log.ini

[2007/12/14 23:36:47 | 000,016,673 | ---- | C] () -- C:\Windows\Ascd_tmp.ini

[2007/12/14 23:36:38 | 000,010,288 | ---- | C] () -- C:\Windows\SysWow64\drivers\ASUSHWIO.SYS

[2007/12/14 23:34:25 | 000,001,460 | ---- | C] () -- C:\Users\lhorton\AppData\Local\d3d9caps64.dat

[2007/12/11 17:33:14 | 000,000,416 | ---- | C] () -- C:\Windows\SysWow64\dtu100.dll.manifest

[2007/12/11 17:33:14 | 000,000,416 | ---- | C] () -- C:\Windows\SysWow64\dpl100.dll.manifest

[2006/03/06 11:41:02 | 000,073,728 | ---- | C] () -- C:\Windows\SysWow64\AMV_DecDLL.dll

[2004/09/16 14:26:40 | 000,012,634 | ---- | C] () -- C:\Windows\SysWow64\drivers\ADFUUD.SYS

========== Alternate Data Streams ==========

@Alternate Data Stream - 594 bytes -> C:\Windows\SysWOW64:WinXPsys44

@Alternate Data Stream - 594 bytes -> C:\Windows\System32:WinXPsys44

@Alternate Data Stream - 508 bytes -> C:\ProgramData\TEMP:05EE1EEF

@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:0CFF5F08

< End of report >


extras.txt

OTL Extras logfile created on: 3/22/2010 11:42:57 PM - Run 1

OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\lhorton\Desktop

64bit-Windows Vista Ultimate Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation

Internet Explorer (Version = 7.0.6002.18005)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 41.00% Memory free

8.00 Gb Paging File | 6.00 Gb Available in Paging File | 70.00% Paging File free

Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)

Drive C: | 698.63 Gb Total Space | 225.94 Gb Free Space | 32.34% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

Drive E: | 225.16 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: LOU001

Current User Name: lhorton

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Include 64bit Scans

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Extra Registry (SafeList) ==========

========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %* File not found

cmdfile [open] -- "%1" %* File not found

comfile [open] -- "%1" %* File not found

exefile [open] -- "%1" %* File not found

helpfile [open] -- Reg Error: Key error.

htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %* File not found

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1" File not found

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S File not found

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)

Directory [TVersity] -- "C:\Users\lhorton\AppData\Local\TVersity\Media Server\GUILaunch.exe" -type "folder" -url "%1" -title "" -tags "" ()

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]

batfile [open] -- "%1" %*

cmdfile [open] -- "%1" %*

comfile [open] -- "%1" %*

cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)

exefile [open] -- "%1" %*

helpfile [open] -- Reg Error: Key error.

htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)

htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)

inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)

piffile [open] -- "%1" %*

regfile [merge] -- Reg Error: Key error.

scrfile [config] -- "%1"

scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)

scrfile [open] -- "%1" /S

txtfile [edit] -- Reg Error: Key error.

Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1

Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)

Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)

Directory [TVersity] -- "C:\Users\lhorton\AppData\Local\TVersity\Media Server\GUILaunch.exe" -type "folder" -url "%1" -title "" -tags "" ()

Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)

Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)

Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"cval" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"AntiVirusOverride" = 1

"AntiSpywareOverride" = 0

"FirewallOverride" = 1

"VistaSp1" = F6 C2 F5 B4 62 8B C8 01 [binary data]

"VistaSp2" = 82 47 BB 9F 73 52 CA 01 [binary data]

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-2953424730-1274824779-2026891871-1000]

"EnableNotifications" = 0

"EnableNotificationsRef" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusOverride" = 0

"FirewallOverride" = 0

"UpdatesDisableNotify" = 0

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]

"oobe_av" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

"DisableNotifications" = 0

"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]

"DisableNotifications" = 0

"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]

"DisableNotifications" = 0

"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"C:\Program Files (x86)\Ubisoft\Scrabble2009\ScrabblePCR.exe" = C:\Program Files (x86)\Ubisoft\Scrabble2009\ScrabblePCR.exe:*:Enabled:ScrabblePCR -- ()

"C:\Program Files (x86)\Ubisoft\Scrabble2009\ScrabblePCR.exe" = C:\Program Files (x86)\Ubisoft\Scrabble2009\ScrabblePCR.exe:*:Enabled:ScrabblePCR -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"C:\Program Files (x86)\Ubisoft\Scrabble2009\ScrabblePCR.exe" = C:\Program Files (x86)\Ubisoft\Scrabble2009\ScrabblePCR.exe:*:Enabled:ScrabblePCR -- ()

"C:\Program Files (x86)\Ubisoft\Scrabble2009\ScrabblePCR.exe" = C:\Program Files (x86)\Ubisoft\Scrabble2009\ScrabblePCR.exe:*:Enabled:ScrabblePCR -- ()

========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{13DA6618-87E7-42D7-901B-7BD537A2F2CA}" = rport=80 | protocol=6 | dir=out | app=c:\program files (x86)\common files\intuit\update service\intuitupdateservice.exe |

"{1B8596D3-45C3-4E85-8F20-6315F0494CFF}" = rport=2177 | protocol=17 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{322F519F-4E4F-47AE-B1BB-59E32AA15A36}" = rport=2177 | protocol=6 | dir=out | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{3CB978E0-F805-4FBF-A1E1-F2CCBDF72A5F}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

"{4934D38D-592A-4391-9F95-16650C51E186}" = rport=80 | protocol=6 | dir=out | app=c:\program files (x86)\common files\intuit\update service\intuitupdater.exe |

"{4CC79589-1331-4021-B3CA-CD9BBB67FD01}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{506C0375-CA12-4FF2-8FAB-8F88CF55AB07}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |

"{626620BC-AAA8-4247-AA01-F81D0D54243C}" = lport=5353 | protocol=6 | dir=in | name=adobe csi cs4 |

"{79014BE5-284C-42EE-BD4D-283463151F3B}" = lport=10243 | protocol=6 | dir=in | app=system |

"{894ECE3D-F5A1-4E2D-A71B-3829CC7941EE}" = lport=2177 | protocol=6 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

"{9E152C09-2CE8-4FD1-94AC-A717583DDA44}" = rport=10243 | protocol=6 | dir=out | app=system |

"{A6FD4D05-49B1-4A18-9FD1-B87CE5C25C1D}" = lport=2869 | protocol=6 | dir=in | app=system |

"{A7E49486-07E1-4114-8FCB-4ED69E127286}" = lport=2869 | protocol=6 | dir=in | app=system |

"{C2070DE6-7893-4351-B59F-9C506522950F}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

"{C30DBC8A-7D2D-4AB1-ACE5-CE3338DA711D}" = lport=2869 | protocol=6 | dir=in | app=system |

"{C71A744A-D8AD-4FA4-AC84-0E0E66F9CABE}" = rport=427 | protocol=17 | dir=in | svc=hpslpsvc | app=c:\windows\system32\svchost.exe |

"{DDDB2E1F-B716-44F5-8183-12CD50A7D5F3}" = lport=2177 | protocol=17 | dir=in | svc=qwave | app=%systemroot%\system32\svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

"{0855FA06-50F7-49D9-9E76-2CE467FE5353}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\groove.exe |

"{1440A5F1-51EF-4287-AD3F-6F94E66C1CF4}" = protocol=6 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |

"{14632BFA-5474-4B32-951D-1E83B1ECA81A}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{1898CFB3-76C3-45D0-B2CC-8E92A7C40661}" = protocol=6 | dir=in | app=c:\users\lhorton\appdata\local\tversity\media server\mediaserver.exe |

"{18AB04D4-18A3-40F3-90F7-DAA8A0ED7306}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\groove.exe |

"{1A74C15D-3010-4469-ACD6-7C90C5DF255A}" = protocol=17 | dir=in | app=c:\program files (x86)\utorrent\utorrent.exe |

"{1FA8CBE9-F09E-4A9B-AAFA-934447E53094}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqkygrp.exe |

"{239B7545-F081-4363-B14B-D4C248C5DD9C}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{280E0A35-AB7C-4EE0-A818-CDF4FE5FFF59}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{28AF9A70-E1E2-4B1C-98A4-26335BF0DAC9}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqste08.exe |

"{2A5F43D5-BBDF-4436-A5BE-A092439B4646}" = protocol=6 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |

"{2B43F742-571D-48A5-A64A-B1D8ABD4B394}" = protocol=6 | dir=out | app=system |

"{2C8D49DE-0F09-40AA-BE83-7B6D69570DFC}" = protocol=6 | dir=in | app=c:\program files (x86)\turbotax\deluxe 2007\32bit\ttax.exe |

"{2CDD5D33-3A10-4EA4-AB6A-2B511F481FC3}" = protocol=6 | dir=in | app=c:\program files (x86)\turbine\turbine download manager - lamannia\turbinenetworkservice.exe |

"{2F092190-C2A1-402D-B332-2287B3E555FB}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

"{32ED272F-6E9E-4CA2-83CE-B1B876413E53}" = protocol=6 | dir=in | app=c:\program files (x86)\turbine\turbine download manager - lamannia\turbinenetworkservice.exe |

"{33078CC3-28F2-419C-8856-4A5C05ED8503}" = protocol=6 | dir=in | app=c:\users\lhorton\appdata\roaming\firewall.exe |

"{364FBE88-8734-4837-8587-2599652999D1}" = protocol=6 | dir=in | app=c:\program files (x86)\vmware\vmware server\vmware-authd.exe |

"{389E3895-7870-4BA9-BEB9-183FEAF13A55}" = protocol=17 | dir=in | app=c:\users\lhorton\appdata\roaming\firewall.exe |

"{38F77EEC-FC26-476C-A983-87DC6888FC32}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |

"{3A14660F-AA43-4C29-9C01-79CBE962B3DF}" = protocol=17 | dir=in | app=c:\program files (x86)\vmware\vmware server\vmware-authd.exe |

"{3A83A5B6-0F71-4094-BB26-F368E8A48432}" = protocol=17 | dir=in | app=c:\users\lhorton\appdata\local\tversity\media server\mediaserver.exe |

"{3AC8360F-EB32-4FC2-A22C-5F0B4DF6F65D}" = protocol=17 | dir=in | app=c:\program files (x86)\stardock games\sins of a solar empire\sins of a solar empire.exe |

"{3B09047E-1693-4871-87EC-CB339DCCB64C}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{3D03EA30-62A5-403D-9673-3CA5A8B1CA47}" = protocol=6 | dir=in | app=c:\program files (x86)\common files\aol\loader\aolload.exe |

"{3E2285A1-EE60-4CCE-9BA2-7D82E62E9C0F}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hposid01.exe |

"{40209A66-AB17-472E-BF64-3959083F872C}" = dir=in | app=c:\program files (x86)\windows live\messenger\livecall.exe |

"{40224144-F21A-402E-833F-F9D09A05E6FD}" = protocol=17 | dir=in | app=c:\program files (x86)\aim6\aim6.exe |

"{43D40595-35FC-42A6-9D13-B5A567D5DDFA}" = protocol=17 | dir=in | app=c:\program files (x86)\cyanide\blood bowl\bb.exe |

"{443BCC6E-8147-4EF7-A41D-2EDB1314729D}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{45203B42-0AEB-46C3-AD72-48E6473BBAF2}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpzwiz01.exe |

"{4ADB3927-C2CD-486F-ABC0-CEC2F60462F8}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |

"{4B962FDE-C3C3-404A-9C6B-3BD4A5729A3F}" = dir=in | app=c:\program files (x86)\windows live\messenger\livecall.exe |

"{4E7E0DB7-C4DE-4273-A7F5-2158236E00C6}" = protocol=6 | dir=in | app=c:\program files (x86)\common files\symantec shared\ccapp.exe |

"{4ECE216B-8610-4CF5-95F5-BEFE0617B2CC}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |

"{50F4AA34-3900-4222-9214-8536D82ACD9B}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{578F76DD-2119-4091-89D3-D5250BBD0F1C}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmplayer.exe |

"{59452EBE-392C-4FB0-88DF-978A9C9DBDD6}" = protocol=6 | dir=in | app=c:\program files (x86)\stardock games\sins of a solar empire\sins of a solar empire.exe |

"{5B44A311-E027-43EA-93F7-A8A94177FF95}" = protocol=17 | dir=in | app=c:\program files (x86)\common files\adobe\cs4servicemanager\cs4servicemanager.exe |

"{5C34CFE7-6DBD-42D9-BD22-E3C4FF61BF6B}" = protocol=6 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |

"{5C7F39B7-55CE-40E7-AC07-CFAEF3EB35ED}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hposfx08.exe |

"{5DE5D61E-61CD-44CD-95D5-B8770E904E64}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |

"{60123345-556C-4F31-B719-117D9DE85FAA}" = protocol=6 | dir=in | app=c:\program files (x86)\common files\adobe\cs4servicemanager\cs4servicemanager.exe |

"{607DF6CB-5C84-4437-9D40-0DEA53BB2178}" = protocol=17 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{6BE0EE41-5A53-4F20-8D97-52CADCE7BCD8}" = protocol=17 | dir=in | app=c:\program files (x86)\turbine\turbine download manager - lamannia\turbinenetworkservice.exe |

"{6FCEF575-08A1-4558-8CD1-130B6F262F99}" = protocol=17 | dir=in | app=c:\program files (x86)\common files\symantec shared\ccapp.exe |

"{71082F3F-DE21-4DEB-8150-843480AF26FB}" = protocol=6 | dir=out | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{731DF5B9-4B09-4A8D-8690-ACF897D9DD2C}" = protocol=17 | dir=in | app=c:\program files (x86)\cyanide\blood bowl\autorun\exe\autorun.exe |

"{73BA06C3-2A10-4FA6-92D3-5F317A4A8A13}" = protocol=6 | dir=in | app=c:\program files (x86)\turbine\turbine download manager - lamannia\turbinemessageservice.exe |

"{75054958-8E84-4364-80D5-665222843B98}" = protocol=6 | dir=in | app=c:\program files (x86)\ubisoft\scrabble2009\scrabblepcr.exe |

"{75F1236E-986F-4F0E-B9EF-3C96FB86BF6A}" = protocol=6 | dir=in | app=c:\program files (x86)\itunes\itunes.exe |

"{820C7405-3EE7-4E07-A683-6F4B6AC5A20C}" = protocol=17 | dir=in | app=c:\program files (x86)\ubisoft\scrabble2009\scrabblepcr.exe |

"{8339D456-2782-4027-A519-0E9EAD47DAB0}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |

"{86350ADB-C1CF-4FC5-BCD6-E1D4AD8C2EDA}" = protocol=6 | dir=in | app=c:\program files (x86)\cyanide\blood bowl\bb.exe |

"{8E0016AC-299F-45FC-BEF8-234B8912B31C}" = dir=in | app=c:\program files (x86)\windows live\messenger\msnmsgr.exe |

"{90EE8AC6-D6F9-46FA-8C23-D61C683D8688}" = protocol=17 | dir=in | app=c:\program files (x86)\turbotax\deluxe 2007\32bit\ttax.exe |

"{922C5A97-5D06-4D58-97C8-347457FB23A7}" = protocol=17 | dir=in | app=c:\program files (x86)\turbine\turbine download manager - lamannia\turbinemessageservice.exe |

"{94327CBC-DED1-4AA1-A94A-FA50B637EB98}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |

"{99E16C13-BF69-4B48-B9B7-05403EDB08FB}" = protocol=17 | dir=in | app=c:\program files (x86)\vmware\vmware server\vmware-hostd.exe |

"{9B0F3543-5F40-40C4-B16B-DA4949E5E02D}" = protocol=17 | dir=in | app=c:\program files (x86)\itunes\itunes.exe |

"{9B72ABA2-1DCA-4EF2-AF25-DC630CFAEF13}" = protocol=17 | dir=in | app=c:\program files (x86)\yahoo!\messenger\yahoomessenger.exe |

"{9C52E3A3-D335-4150-B39D-279247A0D04A}" = protocol=6 | dir=in | app=c:\program files (x86)\cyanide\blood bowl\autorun\exe\autorun.exe |

"{9E620023-F91C-4E49-AC7F-50A0C17C3D4F}" = protocol=6 | dir=in | app=c:\program files (x86)\aim6\aim6.exe |

"{A49C452E-A885-4DDA-BD35-690243069F30}" = protocol=17 | dir=in | app=c:\program files (x86)\microsoft office\office12\groove.exe |

"{AC2820C7-9945-4E1C-8356-B0C739C898E6}" = protocol=17 | dir=in | app=c:\program files (x86)\yahoo!\messenger\yserver.exe |

"{AC59EC80-9B75-46DE-A531-B19D307E7E5C}" = dir=in | app=c:\users\lhorton\appdata\local\temp\hp\oj6500ve709_full_12_en\setup\hpznui40.exe |

"{AC7F1CE6-9FC6-4280-8DAB-50BBE4E1CAF1}" = protocol=6 | dir=in | app=c:\program files (x86)\turbotax\deluxe 2007\32bit\updatemgr.exe |

"{ADB91AAC-B427-4B59-B5DD-E0EE028A6FFA}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\onenote.exe |

"{B0E4ABCF-7C0C-4513-A3EB-FBD0AF0FDF26}" = protocol=17 | dir=in | app=%programfiles(x86)%\windows media player\wmplayer.exe |

"{B25C5E00-A6A1-44AA-8A61-B3B6A95BBA27}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpqtra08.exe |

"{B3AF4237-4257-4555-9DC0-E4B78275EA5F}" = protocol=17 | dir=in | app=c:\program files (x86)\turbine\turbine download manager - lamannia\turbinemessageservice.exe |

"{B7F2C286-F126-49E6-A39B-07002A8FF596}" = protocol=17 | dir=in | app=c:\program files (x86)\turbine\turbine download manager - lamannia\turbinenetworkservice.exe |

"{B96ABEB2-0C24-4D79-BC9B-7197AE0F20F3}" = protocol=17 | dir=in | app=%programfiles%\windows media player\wmpnetwk.exe |

"{BA3FF9FE-4988-4B09-926C-1EFB4C6CAAA5}" = protocol=6 | dir=in | app=c:\program files (x86)\microsoft office\office12\groove.exe |

"{BED53EAF-C5B1-4B62-87EB-663BEA278159}" = protocol=6 | dir=in | app=c:\program files (x86)\turbine\turbine download manager - lamannia\turbinemessageservice.exe |

"{C8AFECD7-DDD7-4B36-B10C-460D8D5B4B19}" = protocol=6 | dir=in | app=c:\program files (x86)\symantec antivirus\rtvscan.exe |

"{CE82D61B-0CA1-4CDE-89B5-5CBF3004FFFD}" = protocol=6 | dir=out | app=%programfiles%\windows media player\wmpnetwk.exe |

"{D053B90D-896F-4EEE-B160-46A5E36B77FB}" = dir=in | app=c:\program files (x86)\skype\phone\skype.exe |

"{D2B1D8B6-B147-44D3-8D9D-6FEE7C8ABE69}" = dir=in | app=c:\program files (x86)\hp\digital imaging\bin\hpofxm08.exe |

"{D5CEBDB8-D782-4133-918C-F05B8EF5F6A4}" = protocol=6 | dir=in | app=c:\program files (x86)\vmware\vmware server\vmware-hostd.exe |

"{D94DDB24-72D7-40E8-BA0C-724ED52EA4B4}" = protocol=6 | dir=in | app=c:\program files (x86)\yahoo!\messenger\yserver.exe |

"{DA6542D1-EE96-48EA-AF75-A905DE8860B3}" = protocol=17 | dir=in | app=c:\program files (x86)\bonjour\mdnsresponder.exe |

"{E062E4FA-505A-4508-A400-D54011D8AB6E}" = protocol=17 | dir=out | app=%programfiles%\windows media player\wmplayer.exe |

"{E353C68C-94CA-4BA4-8315-BE98AA5DB957}" = protocol=17 | dir=in | app=c:\program files (x86)\symantec antivirus\rtvscan.exe |

"{F2627A0C-3340-4CFD-802B-F590BCD90692}" = protocol=17 | dir=in | app=c:\program files (x86)\common files\aol\loader\aolload.exe |

"{FAD24F4B-8895-412B-B3F4-7728E8B1AA8A}" = protocol=17 | dir=in | app=c:\program files (x86)\turbotax\deluxe 2007\32bit\updatemgr.exe |

"{FAF9424D-DC04-43F5-A489-F0C768D76FEF}" = protocol=6 | dir=in | app=c:\program files (x86)\yahoo!\messenger\yahoomessenger.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{071c9b48-7c32-4621-a0ac-3f809523288f}" = Microsoft Visual C++ 2005 Redistributable (x64)

"{1B285B8A-161F-4ACE-86D7-89EF0775EDCB}" = Microsoft Diagnostics and Recovery Toolset 6.0

"{5759E649-E281-46C2-BB4B-50413623DCDF}" = iTunes

"{68451E5C-0A9C-4D5C-8D06-6E296242E908}" = 64 Bit HP CIO Components Installer

"{6AE1CCC4-E49F-4107-BBCA-7B5984F47AE1}" = Network64

"{7E69263C-626D-4C56-9CA1-3522D79FEB7F}" = Logitech Gaming Software 5.01

"{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007

"{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007

"{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007

"{906BDDA8-9E8F-45B7-8520-36F7961FD65D}" = Logitech GamePanel Software 2.02

"{9EFC40E3-5F31-4F75-8445-286273F74D8E}" = Apple Mobile Device Support

"{A8D232A5-667B-44C5-AF79-BDFADBFD013B}" = Symantec AntiVirus Win64

"{AF2CB1FE-FD46-4D85-8C63-5C46E825E177}" = Logitech QuickCam

"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053

"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1

"{DAE239CE-EB9D-4EB3-B0D4-528D6BAA48FD}" = Bonjour

"{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}" = Ventrilo Client for Windows x64

"{FA0F0A01-4631-4161-A6C2-948BF694382E}" = HP Officejet 6500 E709 Series

"HP Document Manager" = HP Document Manager 2.0

"HP Imaging Device Functions" = HP Imaging Device Functions 12.0

"HP Smart Web Printing" = HP Smart Web Printing

"HP Solution Center & Imaging Support Tools" = HP Solution Center 12.0

"HPExtendedCapabilities" = HP Customer Participation Program 12.0

"HPOCR" = OCR Software by I.R.I.S. 12.0

"lvdrivers_11.50" = Logitech QuickCam Driver Package

"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1

"NVIDIA Drivers" = NVIDIA Drivers

"RealVNC_is1" = VNC Enterprise Edition E4.4.0

"Shop for HP Supplies" = Shop for HP Supplies

"UltSounds" = Windows Sound Schemes

"VNCMirror_is1" = VNC Mirror Driver 1.8.0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}" = Microsoft Games for Windows - LIVE Redistributable

"{03A7C57A-B2C8-409b-92E5-524A0DFD0DD3}" = Status

"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam

"{04AF207D-9A77-465A-8B76-991F6AB66245}" = Adobe Help Viewer CS3

"{06A9E630-DBA6-4D92-9DE7-A235AA6496C7}" = QuickBooks

"{0700E22B-A422-40A5-BD20-04BF618CA0F9}" = QuickBooks Pro 2010

"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis

"{087A66B8-1F0F-4a8d-A649-0CFE276AA7C0}" = WebReg

"{08B32819-6EEF-4057-AEDA-5AB681A36A23}" = Adobe Bridge Start Meeting

"{0C34B801-6AEC-4667-B053-03A67E2D0415}" = Apple Application Support

"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup

"{0F540431-A6EB-461D-8E7F-5E25FE4FAF25}" = My POS

"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4

"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4

"{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}" = Adobe WinSoft Linguistics Plugin

"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate

"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR

"{1C4551A6-4743-4093-91E4-1477CD655043}" = NVIDIA PhysX

"{1D46A3A0-B37D-423A-91C2-101A49E2FF80}" = Ventrilo Server

"{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}" = Adobe ExtendScript Toolkit 2

"{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}" = Skype


  • Staff

Hi,

My apologies for the delay.

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    :OTL
    @Alternate Data Stream - 594 bytes -> C:\Windows\SysWOW64:WinXPsys44
    @Alternate Data Stream - 594 bytes -> C:\Windows\System32:WinXPsys44
    @Alternate Data Stream - 508 bytes -> C:\ProgramData\TEMP:05EE1EEF
    @Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:0CFF5F08

    :Commands
    [emptytemp]
    [Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Update MBAM, run a Quick Scan, and see if the ADS detections are still present.

-screen317

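The fix above deletes named alternate data streams hanging off directories such as C:\Windows\System32. The following is an added example, not code from the thread, from OTL or from Malwarebytes, showing how an administrator can enumerate such streams on those same directories, record a SHA-256 of each stream's content for the incident record before anything is deleted, and remove one named stream on request. It assumes PowerShell 3.0 or later (newer than the Vista system in the thread) and an elevated shell for anything under %SystemRoot%; the default paths and the stream name WinXPsys44 are taken from the thread's fix script.

```powershell
# Added example, not code from the thread, from OTL or from Malwarebytes.
# Lists named alternate data streams on the directories the OTL fix targeted,
# records each stream's SHA-256 for the incident record, and removes one named
# stream on request. Requires PowerShell 3.0 or later; an elevated shell is
# needed for anything under %SystemRoot%.

param(
    # Directories from the thread's fix script (assumed defaults, adjust as needed).
    [string[]]$Paths = @("$env:SystemRoot\System32",
                         "$env:SystemRoot\SysWOW64",
                         "$env:ProgramData\TEMP"),
    # Stream to delete; leave empty to report only. 'WinXPsys44' is the name MBAM flagged.
    [string]$RemoveStream = '',
    [switch]$WhatIf
)

function Get-NamedStreams {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    # -Stream * enumerates streams on the item itself (directories included), not its children.
    # ':$DATA' is a file's ordinary unnamed data stream, so only named streams are reported.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{ Path = $Path; Stream = $_.Stream; Bytes = $_.Length }
        }
}

function Get-StreamSha256 {
    param([string]$Path, [string]$Stream)
    # The byte-reading switch differs between Windows PowerShell 5.1 and PowerShell 6+.
    $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -ReadCount 0
    } else {
        Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -ReadCount 0
    }
    if (-not $bytes) { return '(empty)' }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ([System.BitConverter]::ToString($sha.ComputeHash([byte[]]$bytes))).Replace('-', '') }
    finally { $sha.Dispose() }
}

$found = foreach ($p in $Paths) { Get-NamedStreams -Path $p }
if (-not $found) { Write-Output "No named streams on: $($Paths -join ', ')"; return }

# Report every named stream with its size and hash before touching anything.
foreach ($s in $found) {
    $hash = Get-StreamSha256 -Path $s.Path -Stream $s.Stream
    Write-Output ("{0}:{1}  {2} bytes  sha256={3}" -f $s.Path, $s.Stream, $s.Bytes, $hash)
}

if ($RemoveStream) {
    foreach ($s in $found | Where-Object { $_.Stream -eq $RemoveStream }) {
        # In the thread OTL removed the SysWOW64 copy but not the System32 one; a failure
        # here usually means the shell is not elevated or the stream is still held open.
        try {
            Remove-Item -LiteralPath $s.Path -Stream $s.Stream -WhatIf:$WhatIf -ErrorAction Stop
            if (-not $WhatIf) { Write-Output "Removed $($s.Path):$($s.Stream)" }
        } catch {
            Write-Warning "Could not remove $($s.Path):$($s.Stream): $($_.Exception.Message)"
        }
    }
}
```

Run it once with no -RemoveStream to get the inventory and hashes, then again with -RemoveStream WinXPsys44 -WhatIf to preview the deletion before running it for real.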

Log is below. After this I ran an updated Malwarebytes scan and the process appears to have been eliminated.

Thanks for your help.

All processes killed

========== OTL ==========

ADS C:\Windows\SysWOW64:WinXPsys44 deleted successfully.

Unable to delete ADS C:\Windows\System32:WinXPsys44 .

ADS C:\ProgramData\TEMP:05EE1EEF deleted successfully.

ADS C:\ProgramData\TEMP:0CFF5F08 deleted successfully.

========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->Flash cache emptied: 41 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

->Flash cache emptied: 0 bytes

User: lhorton

->Temp folder emptied: 336243489 bytes

->Temporary Internet Files folder emptied: 12114220 bytes

->Java cache emptied: 20592695 bytes

->FireFox cache emptied: 38620256 bytes

->Google Chrome cache emptied: 0 bytes

->Flash cache emptied: 54455 bytes

User: Owner

User: postgres

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: postgres.LOU001

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 853440 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32 (64bit) .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 2431193 bytes

%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 32902 bytes

RecycleBin emptied: 1024643703 bytes

Total Files Cleaned = 1,369.00 mb

OTL by OldTimer - Version 3.1.37.3 log created on 03272010_233942

Files\Folders moved on Reboot...

C:\Users\lhorton\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

C:\Users\lhorton\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H9GNMD0F\iframe[1].htm moved successfully.

C:\Users\lhorton\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6DDCWKA9\index[1].htm moved successfully.

File move failed. C:\Windows\S0EB4C08D.tmp scheduled to be moved on reboot.

File\Folder C:\Windows\temp\vmware-SYSTEM\manifest.txt.1003954004 not found!

File\Folder C:\Windows\temp\hsperfdata_LOU001$\2720 not found!

Registry entries deleted on Reboot...


  • Staff

Great. Let's check the Registry for any traces of the infection.

Download this Registry Search by Bobbi Flekman, save it, and extract regsearch.exe to the Desktop. You will use it in a moment.

Double-click regsearch.exe to start it. In the top window, enter WinXPsys44 as the search string on the first line. Make sure all the option boxes are checked, and click "Ok". Notepad will be opened with text in it (the file will be saved to the Desktop as well as RegSearch.txt). Post this text in your next reply.


  • 4 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
