XP64 Trojan.Patched issue. Am I screwed for using this OS?


  • This topic is locked
17 replies to this topic

#1 Lightfeather


Posted 29 September 2010 - 09:42 AM

So, I'm using XP64. Probably not one of my better ideas, but it's served me well thus far. A few weeks ago I noticed I was having some unusual game crashes and other oddities that my husband wasn't suffering from, so after running Spybot Search & Destroy, Malwarebytes and the Avast! virus scanner, only to have them all come up empty-handed with regular scans, I decided to run sfc /scannow to see if I had any messed-up files. As the scan progressed, Malwarebytes live protection started getting hits as things were accessed; however, it was unable to do anything about them. Completely denied. Here's the log:

03:46:50 (null) DETECTION C:\WINDOWS\SYSTEM32\DRIVERS\CDROM.SYS Trojan.Patched QUARANTINE
03:46:50 (null) DETECTION C:\WINDOWS\SYSTEM32\DRIVERS\CDROM.SYS Trojan.Patched DENY
03:46:50 (null) DETECTION C:\windows\system32\drivers\cdrom.sys Trojan.Patched DENY
03:46:50 (null) DETECTION C:\windows\system32\drivers\cdrom.sys Trojan.Patched DENY
03:46:51 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 2
03:51:14 (null) DETECTION C:\WINDOWS\SYSTEM32\DRIVERS\CDROM.SYS Trojan.Patched DENY
03:51:14 (null) DETECTION C:\WINDOWS\SYSTEM32\DRIVERS\CDROM.SYS Trojan.Patched DENY
03:51:14 (null) DETECTION C:\windows\system32\drivers\cdrom.sys Trojan.Patched DENY
03:51:14 (null) DETECTION C:\windows\system32\drivers\cdrom.sys Trojan.Patched DENY
04:35:04 (null) DETECTION C:\WINDOWS\system32\drivers\beep.sys Fake.Beep.sys QUARANTINE
04:35:04 (null) DETECTION C:\WINDOWS\system32\drivers\beep.sys Fake.Beep.sys DENY
04:35:05 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 2
04:35:13 (null) DETECTION C:\WINDOWS\system32\dllcache\beep.sys Fake.Beep.sys QUARANTINE
04:35:14 (null) DETECTION C:\WINDOWS\system32\drivers\beep.sys Fake.Beep.sys DENY
04:35:14 (null) DETECTION C:\WINDOWS\system32\drivers\beep.sys Fake.Beep.sys DENY
04:35:14 (null) DETECTION C:\WINDOWS\system32\drivers\beep.sys Fake.Beep.sys DENY
04:35:14 (null) DETECTION C:\WINDOWS\system32\dllcache\beep.sys Fake.Beep.sys DENY
04:35:14 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 3
04:36:33 (null) DETECTION C:\WINDOWS\system32\drivers\cdrom.sys Trojan.Patched DENY
04:36:33 (null) DETECTION C:\WINDOWS\system32\drivers\cdrom.sys Trojan.Patched DENY
04:36:37 (null) DETECTION C:\WINDOWS\system32\dllcache\cdrom.sys Trojan.Patched QUARANTINE
04:36:38 (null) DETECTION C:\WINDOWS\system32\drivers\cdrom.sys Trojan.Patched DENY
04:36:38 (null) DETECTION C:\WINDOWS\system32\drivers\cdrom.sys Trojan.Patched DENY
04:36:38 (null) DETECTION C:\WINDOWS\system32\drivers\cdrom.sys Trojan.Patched DENY
04:36:38 (null) DETECTION C:\WINDOWS\system32\dllcache\cdrom.sys Trojan.Patched DENY
04:36:38 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 3
04:42:43 (null) DETECTION C:\WINDOWS\system32\drivers\modem.sys Trojan.Patched QUARANTINE
04:42:43 (null) DETECTION C:\WINDOWS\system32\drivers\modem.sys Trojan.Patched DENY
04:42:44 (null) DETECTION C:\WINDOWS\system32\drivers\modem.sys Trojan.Patched DENY
04:42:44 (null) DETECTION C:\WINDOWS\system32\drivers\modem.sys Trojan.Patched DENY
04:42:44 (null) DETECTION C:\WINDOWS\system32\drivers\modem.sys Trojan.Patched DENY
04:42:44 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 2
04:46:03 (null) DETECTION C:\WINDOWS\system32\dllcache\setup.exe Trojan.Dropper QUARANTINE
04:46:03 (null) DETECTION C:\WINDOWS\system32\dllcache\setup.exe Trojan.Dropper DENY
04:46:04 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 3
04:47:05 (null) DETECTION C:\WINDOWS\system32\termsrv.dll Trojan.Patched DENY
04:47:05 (null) DETECTION C:\WINDOWS\system32\termsrv.dll Trojan.Patched DENY
04:47:05 (null) DETECTION C:\WINDOWS\system32\termsrv.dll Trojan.Patched DENY
04:47:05 (null) DETECTION C:\WINDOWS\system32\termsrv.dll Trojan.Patched DENY
04:47:05 (null) DETECTION C:\WINDOWS\system32\termsrv.dll Trojan.Patched DENY

I honestly don't know what Trojan.Patched is or how it's affecting my machine but if I can get rid of it without formatting and reinstalling I'd appreciate it. I tried to follow the directions in the post "what to do before you start a thread" but unfortunately after backing up my stuff and getting to step two where I had to run dds.scr I got the message that it wasn't compatible with my OS. After further research on the issue I've come to find that most of the programs developed to deal with this issue won't work with my OS. What's a girl to do? Rot with the infection? D=

I've already started moving over important files and documents to my non-OS hard drive in the event that I have to bomb this one, but I'd like to see if there's anything that can be done before throwing the baby out with the bathwater.

Help me Bleepingcomputer-wan-kenobi! You're my only hope!

Now my machine locks up shortly after the startup. Malwarebytes loads before the firewall and virus scanner do and it displays a message that states "Malwarebytes Antimalware had detected a malicious process attempting to start and has blocked the execution attempt. Please select an option below."

Unfortunately the entire machine is unresponsive so I can't move past that point.

EDIT: Posts merged ~BP

Edited by Budapest, 29 September 2010 - 04:36 PM.
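
Added example (Python, not part of the original thread or of Malwarebytes): a triage pass over a subset of the protection-module log posted above. It groups the detections by file, shows that the same driver was flagged both as the live copy under drivers\ and as the copy under dllcache\ (which is why sfc /scannow cannot heal it: Windows File Protection restores from dllcache, so it would reinstall the patched file), and lists each failed quarantine. Treating the numeric error codes as plain Win32 error codes (2 = ERROR_FILE_NOT_FOUND, 3 = ERROR_PATH_NOT_FOUND) is an assumption; the log only prints the numbers. The embedded lines are copied from the posted log.

```python
import re
from collections import Counter, defaultdict

# Constructed subset of the log lines posted in the thread (copied verbatim).
SAMPLE_LOG = r"""
03:46:50 (null) DETECTION C:\WINDOWS\SYSTEM32\DRIVERS\CDROM.SYS Trojan.Patched QUARANTINE
03:46:50 (null) DETECTION C:\WINDOWS\SYSTEM32\DRIVERS\CDROM.SYS Trojan.Patched DENY
03:46:51 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 2
04:35:04 (null) DETECTION C:\WINDOWS\system32\drivers\beep.sys Fake.Beep.sys QUARANTINE
04:35:05 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 2
04:35:13 (null) DETECTION C:\WINDOWS\system32\dllcache\beep.sys Fake.Beep.sys QUARANTINE
04:35:14 (null) DETECTION C:\WINDOWS\system32\drivers\beep.sys Fake.Beep.sys DENY
04:35:14 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 3
04:36:37 (null) DETECTION C:\WINDOWS\system32\dllcache\cdrom.sys Trojan.Patched QUARANTINE
04:36:38 (null) DETECTION C:\WINDOWS\system32\drivers\cdrom.sys Trojan.Patched DENY
04:36:38 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 3
04:47:05 (null) DETECTION C:\WINDOWS\system32\termsrv.dll Trojan.Patched DENY
"""

# Assumption: the codes are ordinary Win32 error codes (the log does not say so).
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND"}

DETECT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) \(null\) DETECTION (?P<path>\S+) "
    r"(?P<threat>\S+) (?P<action>QUARANTINE|DENY)$"
)
ERROR_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) \(null\) ERROR Quarantine failed: "
    r"UtilityReadFile failed with error code (?P<code>\d+)$"
)


def parse_log(text):
    """Parse protection-module lines.

    Returns (detections, failures):
      detections: {lowercased path: {"threat": name, "actions": Counter}}
      failures:   [(lowercased path, int code)] for every failed quarantine,
                  attributed to the most recent QUARANTINE action.
    Paths are lowercased because NTFS is case-insensitive and the log
    mixes cases for the same file.
    """
    detections = {}
    failures = []
    pending = None  # path of the last QUARANTINE attempt, awaiting an ERROR line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DETECT_RE.match(line)
        if m:
            path = m.group("path").lower()
            entry = detections.setdefault(
                path, {"threat": m.group("threat"), "actions": Counter()})
            entry["actions"][m.group("action")] += 1
            if m.group("action") == "QUARANTINE":
                pending = path
            continue
        m = ERROR_RE.match(line)
        if m and pending is not None:
            failures.append((pending, int(m.group("code"))))
            pending = None
    return detections, failures


def file_name(path):
    return path.rsplit("\\", 1)[-1]


def sfc_cannot_repair(detections):
    """Files flagged both as the live copy and as the dllcache copy.

    Windows File Protection restores from dllcache, so a patched cache copy
    means sfc /scannow would simply put the infected file back.
    """
    kinds = defaultdict(set)
    for path in detections:
        kinds[file_name(path)].add("cache" if "\\dllcache\\" in path else "live")
    return sorted(name for name, k in kinds.items() if k == {"cache", "live"})


def describe_failures(failures):
    """Map each failed quarantine to (file, code, assumed Win32 error name)."""
    return [(file_name(p), code, WIN32_ERRORS.get(code, "unknown")) for p, code in failures]


def triage(text=SAMPLE_LOG):
    detections, failures = parse_log(text)
    attempts = sum(d["actions"]["QUARANTINE"] for d in detections.values())
    return {
        "files": sorted({file_name(p) for p in detections}),
        "threats": sorted({d["threat"] for d in detections.values()}),
        "sfc_cannot_repair": sfc_cannot_repair(detections),
        "quarantine_failures": describe_failures(failures),
        "all_quarantines_failed": attempts > 0 and len(failures) == attempts,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The point of the two derived fields: a file-not-found error on a path the scanner has just read is the usual sign that the file is being hidden from user-mode tools, and a dllcache copy that is itself flagged explains why SFC did not help. Both point to working from outside the running OS (or a full rebuild, as the poster already suspects) rather than another in-place scan.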



#2 Elise


Posted 04 October 2010 - 05:48 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 Lightfeather

  • Topic Starter


Posted 04 October 2010 - 06:42 PM

OTL Reports:


OTL logfile created on: 10/4/2010 4:09:18 PM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Lightfeather\Desktop
64bit-Windows Server 2003 Service Pack 2 (Version = 5.2.3790) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 76.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 100.00 Gb Total Space | 61.92 Gb Free Space | 61.93% Space Free | Partition Type: NTFS
Drive D: | 179.48 Gb Total Space | 86.76 Gb Free Space | 48.34% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 279.47 Gb Total Space | 31.53 Gb Free Space | 11.28% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FEATHERPC
Current User Name: Lightfeather
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/10/04 15:56:52 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lightfeather\Desktop\OTL.exe
PRC - [2010/09/20 22:40:50 | 000,977,976 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Lightfeather\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2009/11/24 15:51:40 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/11/24 15:51:35 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/11/24 15:51:21 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/11/24 15:48:48 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/11/24 15:43:56 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2008/06/11 22:43:26 | 000,640,376 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2007/04/23 04:00:00 | 000,077,824 | ---- | M] () -- C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
PRC - [2006/03/30 09:15:44 | 000,096,341 | ---- | M] (Canon Inc.) -- C:\Program Files (x86)\Canon\CAL\CALMAIN.exe
PRC - [2003/06/19 23:25:00 | 000,322,120 | ---- | M] (Microsoft Corporation) -- C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe


========== Modules (SafeList) ==========

MOD - [2010/10/04 15:56:52 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lightfeather\Desktop\OTL.exe
MOD - [2009/11/24 15:50:32 | 000,139,264 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\AhJsctNs.dll
MOD - [2008/07/25 12:17:20 | 000,635,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll
MOD - [2008/07/25 12:17:20 | 000,558,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll
MOD - [2007/04/23 04:00:00 | 000,045,568 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\SetPoint\x86\lgscroll.dll
MOD - [2007/02/18 11:24:12 | 001,051,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\wow64_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_5FA17F4E\comctl32.dll
MOD - [2007/02/18 11:05:42 | 000,098,304 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\msscript.ocx
MOD - [2007/02/18 11:05:38 | 000,177,152 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\msctfime.ime
MOD - [2007/02/18 11:05:22 | 000,797,184 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\comres.dll
MOD - [2005/03/25 05:00:00 | 000,178,688 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\SysWOW64\wbem\framedyn.dll


========== Win32 Services (SafeList) ==========

SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\xmlprov.dll -- (xmlprov)
SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\wzcsvc.dll -- (WZCSVC)
SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\wuauserv.dll -- (wuauserv)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\advapi32.dll -- (Wmi)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\mspmsnsv.dll -- (WmdmPmSN)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\ups.exe -- (UPS)
SRV:64bit: - File not found [Disabled | Stopped] -- C:\WINDOWS\SysNative\tlntsvr.exe -- (TlntSvr)
SRV:64bit: - File not found [Auto | Stopped] -- C:\WINDOWS\SysNative\smlogsvc.exe -- (SysmonLog)
SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\srsvc.dll -- (srservice)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\SCardSvr.exe -- (SCardSvr)
SRV:64bit: - File not found [Disabled | Stopped] -- C:\WINDOWS\SysNative\sessmgr.exe -- (RDSessMgr)
SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\services.exe -- (PlugPlay)
SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\nvsvc64.exe -- (nvsvc)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\ntmssvc.dll -- (NtmsSvc)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\netdde.exe -- (NetDDEdsdm)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\netdde.exe -- (NetDDE)
SRV:64bit: - File not found [Disabled | Stopped] -- C:\WINDOWS\SysNative\mnmsrvc.exe -- (mnmsrvc)
SRV:64bit: - File not found [Disabled | Stopped] -- C:\WINDOWS\SysNative\msgsvc.dll -- (Messenger)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\imapi.exe -- (ImapiService)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\w3ssl.dll -- (HTTPFilter)
SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\services.exe -- (Eventlog)
SRV:64bit: - File not found [Disabled | Stopped] -- C:\WINDOWS\SysNative\ersvc.dll -- (ERSvc)
SRV:64bit: - File not found [Auto | Running] -- C:\WINDOWS\SysNative\dmserver.dll -- (dmserver)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\dmadmin.exe -- (dmadmin)
SRV:64bit: - File not found [Disabled | Stopped] -- C:\WINDOWS\SysNative\clipsrv.exe -- (ClipSrv)
SRV:64bit: - File not found [Disabled | Stopped] -- C:\WINDOWS\SysNative\cisvc.exe -- (CiSvc)
SRV:64bit: - File not found [On_Demand | Stopped] -- C:\WINDOWS\SysNative\appmgmts.dll -- (AppMgmt)
SRV:64bit: - File not found [Disabled | Stopped] -- C:\WINDOWS\SysNative\alrsvc.dll -- (Alerter)
SRV:64bit: - [2010/06/01 20:47:28 | 003,427,024 | ---- | M] (Agnitum Ltd.) [Auto | Running] -- C:\Program Files\Agnitum\Outpost Firewall Pro\acs.exe -- (acssrv)
SRV:64bit: - [2009/11/24 15:51:35 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV:64bit: - [2009/11/24 15:51:21 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV:64bit: - [2009/11/24 15:48:48 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV:64bit: - [2009/11/24 15:43:56 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV:64bit: - [2008/12/31 13:15:02 | 001,287,944 | ---- | M] (Raxco Software, Inc.) [On_Demand | Stopped] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe -- (PD91Engine)
SRV:64bit: - [2008/12/31 13:14:58 | 001,103,624 | ---- | M] (Raxco Software, Inc.) [Auto | Running] -- C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe -- (PD91Agent)
SRV - [2010/04/29 15:39:34 | 000,304,464 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Disabled | Stopped] -- C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2009/09/08 15:26:36 | 000,651,720 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/10/16 19:31:12 | 000,906,752 | ---- | M] (Hewlett-Packard Co.) [Auto | Running] -- C:\Program Files (x86)\HP\Digital Imaging\bin\HPSLPSVC64.DLL -- (HPSLPSVC)
SRV - [2008/07/25 11:13:44 | 000,046,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2007/02/17 00:44:20 | 000,077,312 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\pchsvc.dll -- (helpsvc)
SRV - [2006/10/18 20:05:24 | 000,913,408 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files (x86)\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2006/03/30 09:15:44 | 000,096,341 | ---- | M] (Canon Inc.) [Auto | Running] -- C:\Program Files (x86)\Canon\CAL\CALMAIN.exe -- (CCALib8)
SRV - [2005/03/25 05:00:00 | 000,162,816 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\SysWOW64\iasrecst.dll -- (IASJet)
SRV - [2003/06/19 23:25:00 | 000,322,120 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe -- (MDM)


========== Driver Services (SafeList) ==========

DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\DRIVERS\wpdusb.sys -- (WpdUsb)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\wdmaud.sys -- (wdmaud)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\update.sys -- (Update)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\sysaudio.sys -- (sysaudio)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\swmidi.sys -- (swmidi)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\DRIVERS\serscan.sys -- (StillCam)
DRV:64bit: - File not found [File_System | Boot | Running] -- C:\WINDOWS\SysNative\DRIVERS\sr.sys -- (sr)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\splitter.sys -- (splitter)
DRV:64bit: - File not found [File_System | System | Running] -- C:\WINDOWS\SysNative\drivers\SandBox64.sys -- (SandBox)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\Rtenic64.sys -- (RTLE8023x64) Realtek 10/100/1000 PCI-E NIC Family NDIS XP(x64)
DRV:64bit: - File not found [Kernel | System | Running] -- C:\WINDOWS\SysNative\DRIVERS\redbook.sys -- (redbook)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\raspti.sys -- (Raspti)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\ptilink.sys -- (Ptilink)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\psched.sys -- (PSched)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\Drivers\pcouffin.sys -- (pcouffin)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\nv4_mini.sys -- (nv)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\nic1394.sys -- (NIC1394)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\Monft64.sys -- (Monfilt64)
DRV:64bit: - File not found [File_System | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\mbam.sys -- (MBAMProtector)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\LMouFilt.Sys -- (LMouFilt)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\LHidFilt.Sys -- (LHidFilt)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\DRIVERS\L8042Kbd.sys -- (L8042Kbd)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\kmixer.sys -- (kmixer)
DRV:64bit: - File not found [Kernel | System | Running] -- C:\WINDOWS\SysNative\DRIVERS\ipsec.sys -- (IPSec)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\DRIVERS\ipinip.sys -- (IpInIp)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\ip6fw.sys -- (Ip6Fw)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\RTKHDA64.SYS -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV:64bit: - File not found [Kernel | System | Running] -- C:\WINDOWS\SysNative\DRIVERS\imapi.sys -- (imapi)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\msgpc.sys -- (Gpc)
DRV:64bit: - File not found [Kernel | Boot | Running] -- C:\WINDOWS\SysNative\DRIVERS\ftdisk.sys -- (Ftdisk)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\DRIVERS\ENTECH64.sys -- (ENTECH64)
DRV:64bit: - File not found [Kernel | Boot | Running] -- C:\WINDOWS\SysNative\drivers\dmload.sys -- (dmload)
DRV:64bit: - File not found [Kernel | Boot | Running] -- C:\WINDOWS\SysNative\drivers\dmio.sys -- (dmio)
DRV:64bit: - File not found [Kernel | Disabled | Stopped] -- C:\WINDOWS\SysNative\drivers\dmboot.sys -- (dmboot)
DRV:64bit: - File not found [Kernel | Auto | Running] -- C:\WINDOWS\SysNative\DRIVERS\CdaD10BA.sys -- (CdaD10BA)
DRV:64bit: - File not found [Kernel | Auto | Running] -- C:\WINDOWS\SysNative\DRIVERS\CdaC15BA.sys -- (CdaC15BA)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\audstub.sys -- (audstub)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\DRIVERS\atmarpc.sys -- (Atmarpc)
DRV:64bit: - File not found [File_System | Auto | Running] -- C:\WINDOWS\SysNative\DRIVERS\aswFsBlk.sys -- (aswFsBlk)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\Filt\ASWFilt64.dll -- (ASWFilt)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\arp1394.sys -- (Arp1394)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\Ambft64.sys -- (Ambfilt64)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\drivers\afwcore.sys -- (afwcore)
DRV:64bit: - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\SysNative\DRIVERS\afw.sys -- (afw)
DRV:64bit: - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SysNative\drivers\aec.sys -- (aec)
DRV - [2009/07/14 03:51:04 | 000,020,544 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2005/03/25 05:00:00 | 000,033,792 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\SysWow64\mnmdd.dll -- (mnmdd)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-383100233-600781294-3655315945-1002\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.facebook.com/
IE - HKU\S-1-5-21-383100233-600781294-3655315945-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.netflix.com/WiHome"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2.2
FF - prefs.js..extensions.enabledItems: {a7c6cf7f-112c-4500-a7ea-39801a327e5f}:1.0.9
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {992791ee-61dc-7b98-a8fd-dc49b7deeee9}:3.4.1
FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.7.1.3

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/07/26 16:51:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/10/03 14:50:54 | 000,000,000 | ---D | M]

[2009/08/11 10:31:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lightfeather\Application Data\Mozilla\Extensions
[2010/09/20 20:39:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lightfeather\Application Data\Mozilla\Firefox\Profiles\rjjlrr6b.default\extensions
[2010/09/20 20:39:05 | 000,000,000 | ---D | M] (WebMail Notifier) -- C:\Documents and Settings\Lightfeather\Application Data\Mozilla\Firefox\Profiles\rjjlrr6b.default\extensions\{37fa1426-b82d-11db-8314-0800200c9a66}
[2010/09/17 08:23:15 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\Lightfeather\Application Data\Mozilla\Firefox\Profiles\rjjlrr6b.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2010/09/20 20:39:05 | 000,000,000 | ---D | M] (TryAgain) -- C:\Documents and Settings\Lightfeather\Application Data\Mozilla\Firefox\Profiles\rjjlrr6b.default\extensions\{992791ee-61dc-7b98-a8fd-dc49b7deeee9}
[2010/06/28 21:02:53 | 000,000,000 | ---D | M] (FireFTP) -- C:\Documents and Settings\Lightfeather\Application Data\Mozilla\Firefox\Profiles\rjjlrr6b.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
[2010/08/06 14:33:09 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Lightfeather\Application Data\Mozilla\Firefox\Profiles\rjjlrr6b.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/09/05 07:43:26 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Lightfeather\Application Data\Mozilla\Firefox\Profiles\rjjlrr6b.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/11/07 13:53:28 | 000,001,594 | ---- | M] () -- C:\Documents and Settings\Lightfeather\Application Data\Mozilla\Firefox\Profiles\rjjlrr6b.default\searchplugins\dictionary---referencecom.xml
[2009/11/07 13:53:31 | 000,001,546 | ---- | M] () -- C:\Documents and Settings\Lightfeather\Application Data\Mozilla\Firefox\Profiles\rjjlrr6b.default\searchplugins\thesaurus---referencecom.xml
[2010/10/03 14:51:00 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2010/10/03 14:51:00 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/07/17 05:00:04 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll

Hosts file not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKU\S-1-5-21-383100233-600781294-3655315945-1002\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4:64bit: - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4:64bit: - HKLM..\Run: [AlcWzrd] C:\WINDOWS\ALCWZRD.EXE (RealTek Semicoductor Corp.)
O4:64bit: - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
O4:64bit: - HKLM..\Run: [KernelFaultCheck] File not found
O4:64bit: - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\SysNative\NvCpl.DLL File not found
O4:64bit: - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\SysNative\NvMcTray.DLL File not found
O4:64bit: - HKLM..\Run: [nwiz] File not found
O4:64bit: - HKLM..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe (Agnitum Ltd.)
O4:64bit: - HKLM..\Run: [OutpostMonitor] C:\Program Files\Agnitum\Outpost Firewall Pro\op_mon.exe (Agnitum Ltd.)
O4:64bit: - HKLM..\Run: [RTHDCPL] File not found
O4:64bit: - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [GEST] File not found
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\.DEFAULT..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found
O4 - HKU\S-1-5-18..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found
O4 - HKU\S-1-5-19..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found
O4 - HKU\S-1-5-20..\RunOnce: [tscuninstall] C:\WINDOWS\SysWow64\tscupgrd.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe (Logitech Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-383100233-600781294-3655315945-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8:64bit: - Extra context menu item: &ieSpell Options - C:\Program Files (x86)\ieSpell\iespell.dll (Red Egg Software)
O8:64bit: - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Check &Spelling - C:\Program Files (x86)\ieSpell\iespell.dll (Red Egg Software)
O8:64bit: - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files (x86)\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8:64bit: - Extra context menu item: Lookup on Merriam Webster - C:\Program Files (x86)\ieSpell\Merriam Webster.HTM ()
O8:64bit: - Extra context menu item: Lookup on Wikipedia - C:\Program Files (x86)\ieSpell\wikipedia.HTM ()
O8 - Extra context menu item: &ieSpell Options - C:\Program Files (x86)\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Check &Spelling - C:\Program Files (x86)\ieSpell\iespell.dll (Red Egg Software)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files (x86)\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Lookup on Merriam Webster - C:\Program Files (x86)\ieSpell\Merriam Webster.HTM ()
O8 - Extra context menu item: Lookup on Wikipedia - C:\Program Files (x86)\ieSpell\wikipedia.HTM ()
O9:64bit: - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9:64bit: - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra Button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files (x86)\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files (x86)\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files (x86)\ieSpell\iespell.dll (Red Egg Software)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files (x86)\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1247558903247 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1254612404546 (MUWebControl Class)
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab (NVIDIA Smart Scan)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18:64bit: - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp - No CLSID value found
O18:64bit: - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - Reg Error: Key error. File not found
O18:64bit: - Protocol\Handler\wia {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\SysNative\wiascr.dll File not found
O18 - Protocol\Handler\belarc {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files (x86)\Belarc\Advisor\System\BAVoilaX.dll (Belarc, Inc.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files (x86)\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files (x86)\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18:64bit: - Protocol\Filter\application/octet-stream {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found
O18:64bit: - Protocol\Filter\application/x-complus {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found
O18:64bit: - Protocol\Filter\application/x-msdownload {1E66F26B-79EE-11D2-8710-00C04F79ED0D} - File not found
O20:64bit: - AppInit_DLLs: (c:\progra~1\agnitum\outpos~1\wl_hoo~1.dll) - c:\Program Files\Agnitum\Outpost Firewall Pro\wl_hook64.dll (Agnitum Ltd.)
O20:64bit: - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20:64bit: - HKLM Winlogon: UIHost - (%SystemRoot%\system32\logonui.exe) - C:\WINDOWS\SysNative\logonui.exe File not found
O20:64bit: - HKLM Winlogon: VMApplet - (Control_RunDLL "sysdm.cpl") - File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\SysWow64\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: System - (lsass.exe) - File not found
O20:64bit: - Winlogon\Notify\crypt32chain: DllName - crypt32.dll - File not found
O20:64bit: - Winlogon\Notify\cryptnet: DllName - cryptnet.dll - File not found
O20:64bit: - Winlogon\Notify\cscdll: DllName - cscdll.dll - File not found
O20:64bit: - Winlogon\Notify\dimsntfy: DllName - dimsntfy.dll - File not found
O20:64bit: - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found
O20:64bit: - Winlogon\Notify\Schedule: DllName - wlnotify.dll - File not found
O20:64bit: - Winlogon\Notify\sclgntfy: DllName - sclgntfy.dll - File not found
O20:64bit: - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - File not found
O20:64bit: - Winlogon\Notify\termsrv: DllName - Reg Error: Key error. - File not found
O20:64bit: - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\ScCertProp: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\Schedule: DllName - wlnotify.dll - File not found
O20 - Winlogon\Notify\SensLogn: DllName - WlNotify.dll - File not found
O20 - Winlogon\Notify\wlballoon: DllName - wlnotify.dll - File not found
O21:64bit: - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINDOWS\SysNative\stobject.dll File not found
O21:64bit: - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\SysNative\WPDShServiceObj.dll File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Lightfeather\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Lightfeather\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28:64bit: - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/07/14 00:41:41 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2008/09/10 14:41:54 | 000,000,000 | ---- | M] () - F:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (PDBoot.exe) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35:64bit: - HKLM\..comfile [open] -- "%1" %*
O35:64bit: - HKLM\..exefile [open] -- "%1" %*
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 90 Days ==========

[2010/10/04 15:56:52 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Lightfeather\Desktop\OTL.exe
[2010/10/03 14:51:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/10/03 14:51:15 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
[2010/09/29 06:24:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lightfeather\Desktop\BURN OFF
[2010/09/28 02:42:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Calibre2
[2010/09/28 00:14:21 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Lightfeather\Recent
[2010/09/26 22:37:44 | 000,000,000 | R--D | C] -- C:\32788R22FWJFW
[2010/08/14 21:40:37 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Lightfeather\Application Data\SecuROM
[2010/08/14 21:40:35 | 000,178,800 | ---- | C] (Sony DADC Austria AG.) -- C:\WINDOWS\SysWow64\CmdLineExt_x64.dll
[2010/08/14 14:48:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lightfeather\Application Data\Spore
[2010/08/14 14:31:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Lightfeather\Desktop\SNAPFISH PHOTOS
[2009/07/14 15:10:49 | 000,082,816 | ---- | C] (VSO Software) -- C:\Documents and Settings\Lightfeather\Application Data\pcouffin.sys
[2 C:\WINDOWS\SysWow64\*.tmp files -> C:\WINDOWS\SysWow64\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 90 Days ==========

[2010/10/04 16:00:00 | 000,001,006 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-383100233-600781294-3655315945-1002UA.job
[2010/10/04 15:56:52 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Lightfeather\Desktop\OTL.exe
[2010/10/04 14:59:18 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/10/04 14:59:16 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/10/04 01:17:53 | 009,961,472 | -H-- | M] () -- C:\Documents and Settings\Lightfeather\NTUSER.DAT
[2010/10/04 01:17:53 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Lightfeather\ntuser.ini
[2010/10/03 15:39:17 | 000,001,908 | ---- | M] () -- C:\WINDOWS\diagwrn.xml
[2010/10/03 15:39:17 | 000,001,908 | ---- | M] () -- C:\WINDOWS\diagerr.xml
[2010/10/02 16:45:50 | 000,000,423 | ---- | M] () -- C:\Documents and Settings\Lightfeather\Application Data\Microsoft\Internet Explorer\Quick Launch\Guild Wars.lnk
[2010/09/30 11:51:40 | 000,002,525 | ---- | M] () -- C:\Documents and Settings\Lightfeather\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Word.lnk
[2010/09/29 18:46:28 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/09/29 18:41:13 | 000,144,384 | ---- | M] () -- C:\Documents and Settings\Lightfeather\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/29 11:00:04 | 000,000,954 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-383100233-600781294-3655315945-1002Core.job
[2010/09/29 07:25:17 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Lightfeather\defogger_reenable
[2010/09/29 06:42:20 | 000,000,749 | ---- | M] () -- C:\Documents and Settings\Lightfeather\Application Data\Microsoft\Internet Explorer\Quick Launch\calibre - E-book management.lnk
[2010/09/28 11:42:09 | 000,000,423 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Guild Wars.lnk
[2010/09/23 21:01:48 | 000,002,549 | ---- | M] () -- C:\Documents and Settings\Lightfeather\Desktop\Google Chrome.lnk
[2010/09/23 21:01:48 | 000,002,315 | ---- | M] () -- C:\Documents and Settings\Lightfeather\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/09/23 03:48:13 | 000,059,308 | ---- | M] () -- C:\Documents and Settings\Lightfeather\My Documents\sigh.jpg
[2010/09/08 12:41:13 | 000,034,304 | ---- | M] () -- C:\Documents and Settings\Lightfeather\My Documents\Medical interview letter.doc
[2010/09/01 08:46:22 | 000,022,528 | ---- | M] () -- C:\Documents and Settings\Lightfeather\Desktop\Book.doc
[2010/08/14 21:40:35 | 000,178,800 | ---- | M] (Sony DADC Austria AG.) -- C:\WINDOWS\SysWow64\CmdLineExt_x64.dll
[2010/08/12 14:25:31 | 000,541,912 | ---- | M] () -- C:\WINDOWS\SysWow64\PerfStringBackup.INI
[2 C:\WINDOWS\SysWow64\*.tmp files -> C:\WINDOWS\SysWow64\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/10/03 15:35:16 | 000,001,908 | ---- | C] () -- C:\WINDOWS\diagwrn.xml
[2010/10/03 15:35:16 | 000,001,908 | ---- | C] () -- C:\WINDOWS\diagerr.xml
[2010/10/02 16:45:50 | 000,000,423 | ---- | C] () -- C:\Documents and Settings\Lightfeather\Application Data\Microsoft\Internet Explorer\Quick Launch\Guild Wars.lnk
[2010/09/29 07:25:17 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Lightfeather\defogger_reenable
[2010/09/29 06:42:20 | 000,000,749 | ---- | C] () -- C:\Documents and Settings\Lightfeather\Application Data\Microsoft\Internet Explorer\Quick Launch\calibre - E-book management.lnk
[2010/09/28 11:42:09 | 000,000,423 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Guild Wars.lnk
[2010/09/23 03:46:39 | 000,059,308 | ---- | C] () -- C:\Documents and Settings\Lightfeather\My Documents\sigh.jpg
[2010/09/08 12:41:13 | 000,034,304 | ---- | C] () -- C:\Documents and Settings\Lightfeather\My Documents\Medical interview letter.doc
[2010/09/06 09:01:47 | 000,002,549 | ---- | C] () -- C:\Documents and Settings\Lightfeather\Desktop\Google Chrome.lnk
[2010/07/05 12:32:23 | 000,000,000 | R--- | C] () -- C:\Documents and Settings\Lightfeather\Application Data\egImG.txt
[2010/06/24 15:51:54 | 000,682,288 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/05/14 23:53:02 | 000,622,196 | ---- | C] () -- C:\Documents and Settings\Lightfeather\Application Data\farm.bmp
[2010/04/23 18:30:18 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2010/04/23 18:30:17 | 000,881,664 | ---- | C] () -- C:\WINDOWS\SysWow64\xvidcore.dll
[2010/04/23 18:30:17 | 000,205,824 | ---- | C] () -- C:\WINDOWS\SysWow64\xvidvfw.dll
[2010/04/23 18:30:16 | 000,085,504 | ---- | C] () -- C:\WINDOWS\SysWow64\ff_vfw.dll
[2010/04/23 18:30:16 | 000,000,547 | ---- | C] () -- C:\WINDOWS\SysWow64\ff_vfw.dll.manifest
[2010/01/14 17:43:33 | 000,327,168 | ---- | C] () -- C:\WINDOWS\SysWow64\cutil32.dll
[2009/11/23 23:27:08 | 000,000,262 | ---- | C] () -- C:\WINDOWS\{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}_WiseFW.ini
[2009/11/07 02:23:37 | 000,001,467 | ---- | C] () -- C:\Documents and Settings\Lightfeather\Application Data\settings.dat
[2009/11/07 01:50:22 | 000,541,912 | ---- | C] () -- C:\WINDOWS\SysWow64\PerfStringBackup.INI
[2009/08/01 00:25:25 | 000,010,752 | ---- | C] () -- C:\WINDOWS\SysWow64\BASSMOD.dll
[2009/07/17 13:38:19 | 000,144,384 | ---- | C] () -- C:\Documents and Settings\Lightfeather\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/07/15 11:48:43 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/07/14 15:11:14 | 000,000,034 | ---- | C] () -- C:\Documents and Settings\Lightfeather\Application Data\pcouffin.log
[2009/07/14 15:10:49 | 000,099,384 | ---- | C] () -- C:\Documents and Settings\Lightfeather\Application Data\inst.exe
[2009/07/14 15:10:49 | 000,007,859 | ---- | C] () -- C:\Documents and Settings\Lightfeather\Application Data\pcouffin.cat
[2009/07/14 15:10:49 | 000,001,167 | ---- | C] () -- C:\Documents and Settings\Lightfeather\Application Data\pcouffin.inf
[2009/07/14 13:39:48 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/07/14 03:56:06 | 000,002,263 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/07/14 02:35:19 | 000,000,760 | ---- | C] () -- C:\Documents and Settings\Lightfeather\Application Data\setup_ldm.iss
[2005/03/25 05:00:00 | 001,278,464 | ---- | C] () -- C:\WINDOWS\SysWow64\quartz.dll
[2005/03/25 05:00:00 | 000,733,696 | ---- | C] () -- C:\WINDOWS\SysWow64\qedwipes.dll
[2005/03/25 05:00:00 | 000,512,512 | ---- | C] () -- C:\WINDOWS\SysWow64\qedit.dll
[2005/03/25 05:00:00 | 000,498,742 | ---- | C] () -- C:\WINDOWS\SysWow64\dxmasf.dll
[2005/03/25 05:00:00 | 000,396,288 | ---- | C] () -- C:\WINDOWS\SysWow64\encdec.dll
[2005/03/25 05:00:00 | 000,385,536 | ---- | C] () -- C:\WINDOWS\SysWow64\qdvd.dll
[2005/03/25 05:00:00 | 000,355,112 | ---- | C] () -- C:\WINDOWS\SysWow64\msjetoledb40.dll
[2005/03/25 05:00:00 | 000,279,040 | ---- | C] () -- C:\WINDOWS\SysWow64\qdv.dll
[2005/03/25 05:00:00 | 000,276,992 | ---- | C] () -- C:\WINDOWS\SysWow64\sbe.dll
[2005/03/25 05:00:00 | 000,199,168 | ---- | C] () -- C:\WINDOWS\SysWow64\ir32_32.dll
[2005/03/25 05:00:00 | 000,192,512 | ---- | C] () -- C:\WINDOWS\SysWow64\qcap.dll
[2005/03/25 05:00:00 | 000,114,688 | ---- | C] () -- C:\WINDOWS\SysWow64\msencode.dll
[2005/03/25 05:00:00 | 000,072,704 | ---- | C] () -- C:\WINDOWS\SysWow64\amstream.dll
[2005/03/25 05:00:00 | 000,062,464 | ---- | C] () -- C:\WINDOWS\SysWow64\mciqtz32.dll
[2005/03/25 05:00:00 | 000,061,440 | ---- | C] () -- C:\WINDOWS\SysWow64\devenum.dll
[2005/03/25 05:00:00 | 000,016,896 | ---- | C] () -- C:\WINDOWS\SysWow64\tsd32.dll
[2005/03/25 05:00:00 | 000,014,336 | ---- | C] () -- C:\WINDOWS\SysWow64\msdmo.dll
[2005/03/25 05:00:00 | 000,004,126 | ---- | C] () -- C:\WINDOWS\SysWow64\msdxmlc.dll
[2002/10/15 15:54:04 | 000,165,376 | ---- | C] () -- C:\WINDOWS\SysWow64\unrar.dll

========== LOP Check ==========

[2010/07/05 12:17:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Agnitum
[2009/09/04 11:51:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
[2010/10/03 14:41:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/07/24 23:34:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\vsosdk
[2009/07/15 13:11:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WhiteCap (Holiday Edition)
[2010/01/05 16:49:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Wowhead
[2010/08/11 16:18:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lightfeather\Application Data\.purple
[2009/08/19 15:11:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lightfeather\Application Data\Acreon
[2010/09/28 05:55:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lightfeather\Application Data\calibre
[2010/06/05 19:31:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lightfeather\Application Data\Faerie Solitaire
[2009/07/14 16:09:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lightfeather\Application Data\gtk-2.0
[2009/08/04 01:22:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lightfeather\Application Data\ieSpell
[2009/07/14 02:31:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lightfeather\Application Data\Leadertech
[2009/12/24 04:45:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lightfeather\Application Data\LucasArts
[2010/06/14 04:51:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lightfeather\Application Data\runic games
[2010/08/14 14:49:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Lightfeather\Application Data\Spore
[2010/10/04 01:17:56 | 000,032,504 | ---- | M] () -- C:\WINDOWS\Tasks\SchedLgU.Txt

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 150 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D2F2F703
< End of report >



OTL Extras logfile created on: 10/4/2010 4:09:18 PM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Lightfeather\Desktop
64bit-Windows Server 2003 Service Pack 2 (Version = 5.2.3790) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

4.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 76.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 100.00 Gb Total Space | 61.92 Gb Free Space | 61.93% Space Free | Partition Type: NTFS
Drive D: | 179.48 Gb Total Space | 86.76 Gb Free Space | 48.34% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 279.47 Gb Total Space | 31.53 Gb Free Space | 11.28% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: FEATHERPC
Current User Name: Lightfeather
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-383100233-600781294-3655315945-1002\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 File not found
InternetShortcut [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l File not found
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office10\msohtmed.exe" /p %1 (Microsoft Corporation)
InternetShortcut [print] -- "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 1

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1

========== System Restore Settings ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"427:UDP" = 427:UDP:*:Enabled:SLP_Port(427)
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"427:UDP" = 427:UDP:*:Enabled:SLP_Port(427)
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found
"E:\setup\HPZnui40.exe" = E:\setup\HPZnui40.exe:*:Enabled:hpznui40.exe -- File not found
"C:\Program Files (x86)\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files (x86)\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files (x86)\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files (x86)\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found
"E:\setup\HPZnui40.exe" = E:\setup\HPZnui40.exe:*:Enabled:hpznui40.exe -- File not found
"C:\Program Files (x86)\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files (x86)\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files (x86)\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files (x86)\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found
"E:\setup\HPZnui40.exe" = E:\setup\HPZnui40.exe:*:Enabled:hpznui40.exe -- File not found
"C:\Program Files (x86)\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files (x86)\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files (x86)\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files (x86)\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"C:\Program Files (x86)\Steam\Steam.exe" = C:\Program Files (x86)\Steam\Steam.exe:*:Enabled:Steam -- File not found
"C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"D:\Steam\Steam.exe" = D:\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"D:\Steam\steamapps\common\sid meier's civilization iv\Civilization4.exe" = D:\Steam\steamapps\common\sid meier's civilization iv\Civilization4.exe:*:Enabled:Sid Meier's Civilization IV -- (Firaxis Games)
"D:\Steam\steamapps\common\sid meier's civilization iv beyond the sword\Beyond the Sword\Civ4BeyondSword.exe" = D:\Steam\steamapps\common\sid meier's civilization iv beyond the sword\Beyond the Sword\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization IV: Beyond the Sword -- (Firaxis Games)
"D:\Steam\steamapps\common\torchlight\Torchlight.exe" = D:\Steam\steamapps\common\torchlight\Torchlight.exe:*:Enabled:Torchlight -- (Runic Games, Inc.)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- File not found
"E:\setup\HPZnui40.exe" = E:\setup\HPZnui40.exe:*:Enabled:hpznui40.exe -- File not found
"C:\Program Files (x86)\HP\Digital Imaging\bin\hpfcCopy.exe" = C:\Program Files (x86)\HP\Digital Imaging\bin\hpfcCopy.exe:*:Enabled:hpfccopy.exe -- (Hewlett-Packard)
"C:\Program Files (x86)\HP\Digital Imaging\bin\hpiscnapp.exe" = C:\Program Files (x86)\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
"C:\Program Files\Ventrilo\Ventrilo.exe" = C:\Program Files\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- (Flagship Industries, Inc.)
"C:\Program Files (x86)\Steam\Steam.exe" = C:\Program Files (x86)\Steam\Steam.exe:*:Enabled:Steam -- File not found
"C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"D:\Steam\Steam.exe" = D:\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"D:\Steam\steamapps\common\sid meier's civilization iv\Civilization4.exe" = D:\Steam\steamapps\common\sid meier's civilization iv\Civilization4.exe:*:Enabled:Sid Meier's Civilization IV -- (Firaxis Games)
"D:\Steam\steamapps\common\sid meier's civilization iv beyond the sword\Beyond the Sword\Civ4BeyondSword.exe" = D:\Steam\steamapps\common\sid meier's civilization iv beyond the sword\Beyond the Sword\Civ4BeyondSword.exe:*:Enabled:Sid Meier's Civilization IV: Beyond the Sword -- (Firaxis Games)
"D:\Steam\steamapps\common\torchlight\Torchlight.exe" = D:\Steam\steamapps\common\torchlight\Torchlight.exe:*:Enabled:Torchlight -- (Runic Games, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{2B6EC03E-6FA0-4D7C-9CCE-1B03819AB613}" = PerfectDisk 2008 Professional
"{350AA351-21FA-3270-8B7A-835434E766AD}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
"{68451E5C-0A9C-4D5C-8D06-6E296242E908}" = 64 Bit HP CIO Components Installer
"{6AE1CCC4-E49F-4107-BBCA-7B5984F47AE1}" = Network64
"{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}" = Microsoft Visual C++ 2005 Redistributable (x64)
"{8220EEFE-38CD-377E-8595-13398D740ACE}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17
"{9B1A8F3D-8059-43FB-A7AE-4F2C21F0AAF2}" = KhalInstallWrapper
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{B6E3757B-5E77-3915-866A-CCFC4B8D194C}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053
"{BA8DF709-6BAB-4092-91E0-4D67EFC12A98}" = HP Photosmart C6300 All-In-One Driver 12.0 Rel .4
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{EE936C7A-EA40-31D5-9B65-8E3E089C3828}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
"{EEB3F6BB-318D-4CE5-989F-8191FCBFB578}" = Ventrilo Client for Windows x64
"Agnitum Outpost Firewall Pro_is1" = Outpost Firewall Pro 7.0
"Better File Rename_is1" = Better File Rename 5.5
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows x64
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Display Control Panel" = NVIDIA Display Control Panel
"NVIDIA Drivers" = NVIDIA Drivers
"NVIDIA nView Desktop Manager" = NVIDIA nView Desktop Manager
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows x64 Service Pack" = Windows XP Service Pack 2
"WMFDist11-64" = Windows Media Format 11 runtime
"wmp11-64" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{1B779CC7-5F25-29B3-5150-AF44A6201033}" = Nero 7 Demo
"{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java™ 6 Update 21
"{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}" = Logitech SetPoint
"{360EDFB0-EAA2-012B-AD16-000000000000}" = TurboTax 2009 wcaiper
"{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
"{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
"{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
"{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = Logitech Registration
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5DA8F6CD-C70E-39D8-8430-3D9808D6BD17}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7F3AD00A-1819-4B15-BB7D-08B3586336D7}" = 3DMark06
"{88D18C5E-5113-4A1E-8EC9-2B7E24688A14}" = PS_AIO_04_C6300_Software_Min
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}" = CDDRV_Installer
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{9CCCFD9C-248F-47FE-9496-1680E3E5C163}" = Scan
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = iSEEK AnswerWorks English Runtime
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{AC13BA3A-336B-45a4-B3FE-2D3058A7B533}" = Toolbox
"{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Français, Deutsch
"{AC76BA86-1033-F400-7760-000000000004}{AC76BA86-1033-F400-7760-000000000004}" = Adobe Acrobat 9 Pro - English, Français, Deutsch
"{AC76BA86-7AD7-1033-7B44-A91000000001}" = Adobe Reader 9.1.3
"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B851F257-706E-427E-879A-20A296E98B5D}" = calibre
"{BE3497CB-7278-4526-8918-9A3FD77AE790}}_is1" = iTeddy File Converter v. 0.2
"{BEE64C14-BEF1-4610-8A68-A16EAA47B882}" = Futuremark SystemInfo
"{C05D8CDB-417D-4335-A38C-A0659EDFD6B8}" = The Sims™ 3
"{C9BED750-1211-4480-B1A5-718A3BE15525}" = REALTEK GbE & FE Ethernet PCI-E NIC Driver
"{DEA314C4-0929-4250-BC92-98E4C105F28D}" = NVIDIA PhysX
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Aspell English Dictionary_is1" = Aspell English Dictionary-0.50-2
"avast!" = avast! Antivirus
"Belarc Advisor" = Belarc Advisor 8.1
"CAL" = Canon Camera Access Library
"CameraWindowDVC5" = Canon Camera Window DC_DV 5 for ZoomBrowser EX
"CameraWindowDVC6" = Canon Camera Window DC_DV 6 for ZoomBrowser EX
"Canon G.726 WMP-Decoder" = Canon G.726 WMP-Decoder
"Canon MOV Decoder" = Canon MOV Decoder
"Canon MOV Encoder" = Canon MOV Encoder
"CCleaner" = CCleaner
"EOS Utility" = Canon Utilities EOS Utility
"GNU Aspell_is1" = GNU Aspell 0.50-3
"GTK 2.0" = GTK+ Runtime 2.14.7 rev a (remove only)
"Guild Wars" = Guild Wars
"HijackThis" = HijackThis 2.0.2
"ieSpell" = ieSpell
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.9.0 (Full)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MovieEditTask" = Canon MovieEdit Task for ZoomBrowser EX
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"OpenAL" = OpenAL
"PC Wizard 2010_is1" = PC Wizard 2010.1.92
"PhotoStitch" = Canon Utilities PhotoStitch
"Pidgin" = Pidgin
"QuicktimeAlt_is1" = QuickTime Alternative 2.9.0
"RAW Image Task" = Canon RAW Image Task for ZoomBrowser EX
"RemoteCaptureTask" = Canon RemoteCapture Task for ZoomBrowser EX
"SolveigMM AVI Trimmer" = SolveigMM AVI Trimmer
"Steam App 3900" = Sid Meier's Civilization IV
"Steam App 41500" = Torchlight
"Steam App 8800" = Sid Meier's Civilization IV: Beyond the Sword
"The Ultimate Troubleshooter" = The Ultimate Troubleshooter
"TurboTax 2009" = TurboTax 2009
"WinRAR archiver" = WinRAR archiver
"WMV9_VCM" = Microsoft Windows Media Video 9 VCM
"ZoomBrowser EX" = Canon Utilities ZoomBrowser EX
"ZoomBrowser EX Memory Card Utility" = Canon ZoomBrowser EX Memory Card Utility

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-383100233-600781294-3655315945-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 11/14/2009 2:19:17 AM | Computer Name = FEATHERPC | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://w52.slashkey.com/facebook/farm/ajax...e=en_US&fb_
failed, 0000A413.

[ Application Events ]
Error - 9/8/2010 11:20:02 PM | Computer Name = FEATHERPC | Source = Application Error | ID = 1000
Description = Faulting application launcher.exe, version 2.1.1.1569, faulting module
launcher.exe, version 2.1.1.1569, fault address 0x000a26f8.

Error - 9/16/2010 3:10:37 AM | Computer Name = FEATHERPC | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
gcswf32.dll, version 10.1.82.76, fault address 0x00182eef.

Error - 9/20/2010 11:44:37 PM | Computer Name = FEATHERPC | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
chrome.dll, version 6.0.472.62, fault address 0x00ae8707.

Error - 9/22/2010 4:07:55 AM | Computer Name = FEATHERPC | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting
module unknown, version 0.0.0.0, fault address 0x024381dc.

Error - 9/28/2010 3:41:55 AM | Computer Name = FEATHERPC | Source = PD91Engine | ID = 19
Description = Unable to move file C:\Documents and Settings\Lightfeather\Local Settings\Application
Data\Google\Chrome\User Data\Default\Thumbnails-journal after many attempts. Skipping
file.

Error - 9/28/2010 3:42:45 AM | Computer Name = FEATHERPC | Source = PD91Engine | ID = 19
Description = Unable to move file C:\Program Files\Agnitum\Outpost Firewall Pro\modules.0
after many attempts. Skipping file.

Error - 9/29/2010 11:07:04 AM | Computer Name = FEATHERPC | Source = Application Error | ID = 1000
Description = Faulting application chrome.exe, version 0.0.0.0, faulting module
gcswf32.dll, version 10.1.85.3, fault address 0x00375d86.

Error - 9/29/2010 5:36:37 PM | Computer Name = FEATHERPC | Source = VSS | ID = 8211
Description =

Error - 10/3/2010 5:01:32 PM | Computer Name = FEATHERPC | Source = VSS | ID = 8211
Description =

Error - 10/3/2010 5:09:04 PM | Computer Name = FEATHERPC | Source = VSS | ID = 8211
Description =

[ System Events ]
Error - 10/3/2010 5:02:44 PM | Computer Name = FEATHERPC | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 10/3/2010 5:02:44 PM | Computer Name = FEATHERPC | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 10/3/2010 5:02:44 PM | Computer Name = FEATHERPC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD aswSP aswTdi Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SandBox Tcpip

Error - 10/3/2010 5:09:46 PM | Computer Name = FEATHERPC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 10/3/2010 5:09:54 PM | Computer Name = FEATHERPC | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 10/3/2010 5:10:10 PM | Computer Name = FEATHERPC | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the AFD service which failed to
start because of the following error: %%31

Error - 10/3/2010 5:10:10 PM | Computer Name = FEATHERPC | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 10/3/2010 5:10:10 PM | Computer Name = FEATHERPC | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 10/3/2010 5:10:10 PM | Computer Name = FEATHERPC | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 10/3/2010 5:10:10 PM | Computer Name = FEATHERPC | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD aswSP aswTdi Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SandBox Tcpip


< End of report >


#4 Lightfeather (Topic Starter)

Posted 04 October 2010 - 06:53 PM

Rootkit Unhooker throws an error:

Error loading driver, NTSTATUS code: 0xC000036B

#5 Elise (Malware Study Hall Admin)

Posted 05 October 2010 - 08:36 AM

Hi, can you please upload a few of the files you mentioned in your initial post to http://www.virustotal.com

Please post me the results.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#6 Lightfeather (Topic Starter)

Posted 05 October 2010 - 06:37 PM

I've done that with cdrom.sys and termsrv.dll and out of the forty-something-odd scanners that picked them apart, not a single one found anything. I'm afraid these may be false positives, but if they are, they are scary false positives. Others have reported these same hits over at Malwarebytes, but the answers are conflicting. For some, they are infected, and for others... there is no sign of infection.

My computer isn't acting terrible. I've noticed a little personality in one of the games I play, like being unable to swap characters directly from the character screen, instead having to log out of the game and log back in completely before picking a new character... but I seriously doubt that issue could be caused by anything that malwarebytes is reporting.

I will try a couple of others and post the actual logs.

/EDIT: entered modem.sys for analysis and got the same result. I think Malwarebytes' on-access scanner is throwing false positives for these files.

File name: modem.sys
Submission date: 2010-10-05 23:48:48 (UTC)
Current status: finished
Result: 0/ 43 (0.0%)

Edited by Lightfeather, 05 October 2010 - 07:01 PM.


#7 Elise (Malware Study Hall Admin)

Posted 06 October 2010 - 06:56 AM

It looks like you may be right. Can you please launch MBAM, update it and then run a full scan?

regards, Elise



#8 Lightfeather (Topic Starter)

Posted 06 October 2010 - 01:18 PM

Database version: 4756
Fingerprints loaded: 280987


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4756

Windows 5.2.3790 Service Pack 2
Internet Explorer 8.0.6001.18702

10/6/2010 11:04:27 AM
mbam-log-2010-10-06 (11-04-27).txt

Scan type: Full scan (C:\|)
Objects scanned: 236594
Time elapsed: 35 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

-----------------------------------------------------------------------

The program finds nothing when scanned; however, on the protection tab, when I activate the protection module that provides on-access protection, I get the results that were posted in my first post. At first the only two things that would trigger were cdrom.sys and termsrv.dll, usually when launching the Curse updater, a program that manages and updates World of Warcraft addons. I have since uninstalled it after Malwarebytes would trigger every time it loaded. Concerned that there was something even more malicious hiding, I typed sfc /scannow in the Run window to see what would pop up. As each protected file was scanned, Malwarebytes triggered on each of the items I posted at the top of this page. That report was created after one sfc /scannow with the Malwarebytes protection module running.

In addition, when the protection module is set to start protecting upon Windows boot, the OS will hang and I'll have to restart and boot into safe mode to prevent the module from loading with Windows. Since Malwarebytes seems to have conflicting reports on similarly posted results such as my own, I thought I'd come here to find out if I was actually infected.

#9 Elise (Malware Study Hall Admin)

Posted 06 October 2010 - 02:30 PM

Hi, since I am not sure what to think of this, I asked for some feedback. I will reply back ASAP. My apologies for the delay.

regards, Elise



#10 Elise (Malware Study Hall Admin)

Posted 10 October 2010 - 05:15 AM

Hi, I am sorry for the delay.

Can you please upload the files here -->http://www.bleepingcomputer.com/submit-malware.php?channel=105

Please post a note here once done.

regards, Elise



#11 Elise (Malware Study Hall Admin)

Posted 17 October 2010 - 07:13 AM

Hi, are you still there?

regards, Elise



#12 Lightfeather (Topic Starter)

Posted 17 October 2010 - 04:24 PM

Sorry I took so long to get back to you.

I uploaded:

...system32\beep.sys
...system32\cdrom.sys
...system32\modem.sys
...dllcache\cdrom.sys

I was unable to locate:

...dllcache\setup.exe
...system32\termsrv.dll

They are not at the address specified. The only thing I've done in the time between our last communication was use The Ultimate Troubleshooter v4.92 to stop TermService from running at all since its description led me to believe I wouldn't need it at all. There is no reason at all for any remote desktop access on this machine ever.

The description of what termservice is from the ultimate troubleshooter:

"If you do not want this server or PC to ever accept remote connections via Remote Desktop then set the Startup Mode of this service to Disabled on the Services tab. In all other cases leave this service on its default setting of Manual - Windows will automatically start it if you configure Remote Desktop/Terminal Services on this PC or server."

Since disabling it, it appears the system file associated with it has gone away. It appeared to be a legitimate Windows file. I have no idea about setup.exe though. There's a setup50.exe in the folder but nothing that's just setup.exe.

Edited by Lightfeather, 17 October 2010 - 04:32 PM.


#13 Elise (Malware Study Hall Admin)

Posted 18 October 2010 - 02:33 AM

Are the patched files still being detected at this point?

regards, Elise



#14 Lightfeather (Topic Starter)

Posted 18 October 2010 - 06:42 AM

Just ran sfc /scannow with the Malwarebytes Anti-Malware protection module running (database version: 4869). Log is as follows:


04:14:50 (null) MESSAGE Protection started successfully
04:14:53 (null) ERROR IP protection failed: PfMakeLog failed with error code 122
04:14:57 (null) MESSAGE Database updated successfully
04:18:50 (null) DETECTION C:\WINDOWS\system32\drivers\beep.sys Fake.Beep.sys QUARANTINE
04:18:50 (null) DETECTION C:\WINDOWS\system32\drivers\beep.sys Fake.Beep.sys DENY
04:18:51 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 2
04:18:55 (null) DETECTION C:\WINDOWS\system32\dllcache\beep.sys Fake.Beep.sys QUARANTINE
04:18:55 (null) DETECTION C:\WINDOWS\system32\drivers\beep.sys Fake.Beep.sys DENY
04:18:55 (null) DETECTION C:\WINDOWS\system32\drivers\beep.sys Fake.Beep.sys DENY
04:18:55 (null) DETECTION C:\WINDOWS\system32\drivers\beep.sys Fake.Beep.sys DENY
04:18:55 (null) DETECTION C:\WINDOWS\system32\dllcache\beep.sys Fake.Beep.sys DENY
04:18:56 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 3
04:20:26 (null) DETECTION C:\WINDOWS\system32\drivers\cdrom.sys Trojan.Patched QUARANTINE
04:20:26 (null) DETECTION C:\WINDOWS\system32\drivers\cdrom.sys Trojan.Patched DENY
04:20:27 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 2
04:20:28 (null) DETECTION C:\WINDOWS\system32\dllcache\cdrom.sys Trojan.Patched QUARANTINE
04:20:28 (null) DETECTION C:\WINDOWS\system32\drivers\cdrom.sys Trojan.Patched DENY
04:20:28 (null) DETECTION C:\WINDOWS\system32\drivers\cdrom.sys Trojan.Patched DENY
04:20:28 (null) DETECTION C:\WINDOWS\system32\drivers\cdrom.sys Trojan.Patched DENY
04:20:28 (null) DETECTION C:\WINDOWS\system32\dllcache\cdrom.sys Trojan.Patched DENY
04:20:29 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 3
04:27:10 (null) DETECTION C:\WINDOWS\system32\drivers\modem.sys Trojan.Patched QUARANTINE
04:27:10 (null) DETECTION C:\WINDOWS\system32\drivers\modem.sys Trojan.Patched DENY
04:27:11 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 2
04:27:11 (null) DETECTION C:\WINDOWS\system32\drivers\modem.sys Trojan.Patched DENY
04:27:11 (null) DETECTION C:\WINDOWS\system32\drivers\modem.sys Trojan.Patched DENY
04:27:11 (null) DETECTION C:\WINDOWS\system32\drivers\modem.sys Trojan.Patched DENY
04:30:51 (null) DETECTION C:\WINDOWS\system32\dllcache\setup.exe Trojan.Dropper QUARANTINE
04:30:51 (null) DETECTION C:\WINDOWS\system32\dllcache\setup.exe Trojan.Dropper DENY
04:30:52 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 3
04:32:03 (null) DETECTION C:\WINDOWS\system32\termsrv.dll Trojan.Patched QUARANTINE
04:32:03 (null) DETECTION C:\WINDOWS\system32\termsrv.dll Trojan.Patched DENY
04:32:04 (null) DETECTION C:\WINDOWS\system32\termsrv.dll Trojan.Patched DENY
04:32:04 (null) DETECTION C:\WINDOWS\system32\termsrv.dll Trojan.Patched DENY
04:32:04 (null) DETECTION C:\WINDOWS\system32\termsrv.dll Trojan.Patched DENY
04:32:04 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 2

However, since the only thing that's detecting these, and only with on-access protection and not with the regular scanner, is Malwarebytes, this leads me to believe the detection is false. I've also not really noticed anything horrible with the computer. If Trojan.Patched is doing something, it's doing it with me being none the wiser. The "IP protection failed" error is new though.

Edited by Lightfeather, 18 October 2010 - 06:43 AM.
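The protection-module log above has a regular line format, and the open question in the thread is whether the flagged drivers actually differ from their dllcache copies. The following Python is an added example, not code from this post or from Malwarebytes: it parses such log lines, tallies detections and failed quarantines per file, and hashes a live system file against its dllcache twin. All function names are mine, the sample lines are copied from the post above, and reading the quarantine error codes as Win32 codes is an assumption.

```python
"""Triage the Malwarebytes' protection-module log lines posted in this thread.

Added example, not code from the post or from Malwarebytes. Each line reads
    HH:MM:SS (null) DETECTION <path> <threat> <QUARANTINE|DENY>
or  HH:MM:SS (null) ERROR|MESSAGE <text>. Detections are tallied per file
(case-insensitively, since the log mixes CDROM.SYS and cdrom.sys), each
"Quarantine failed" error is tied to the QUARANTINE line before it, and a live
driver is hashed against its dllcache twin: identical hashes cannot separate
"both copies altered" from a false positive; a mismatch is the stronger signal.
"""
import hashlib
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) \(null\) (DETECTION|ERROR|MESSAGE) (.*)$")
ERRCODE_RE = re.compile(r"error code (\d+)")

@dataclass
class Event:
    time: str
    kind: str                    # DETECTION, ERROR or MESSAGE
    text: str                    # rest of the line
    path: Optional[str] = None   # the next three are set for DETECTION only
    threat: Optional[str] = None
    action: Optional[str] = None

def parse_log(text):
    """Turn log text into Events; lines that do not fit the format are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ev = Event(*m.groups())
        if ev.kind == "DETECTION":
            # Split from the right so a path containing spaces stays whole.
            ev.path, ev.threat, ev.action = ev.text.rsplit(None, 2)
        events.append(ev)
    return events

def summarize(events):
    """Per-file tallies keyed by lower-cased path, plus errors unrelated to quarantine."""
    per_file, other_errors, last_quarantined = {}, [], None
    for ev in events:
        if ev.kind == "DETECTION":
            key = ev.path.lower()
            entry = per_file.setdefault(key, {"threats": set(), "quarantine": 0, "deny": 0,
                                              "quarantine_failed": 0, "error_codes": []})
            entry["threats"].add(ev.threat)
            entry[ev.action.lower()] += 1
            if ev.action == "QUARANTINE":
                last_quarantined = key
        elif ev.kind == "ERROR":
            if ev.text.startswith("Quarantine failed") and last_quarantined:
                entry = per_file[last_quarantined]
                entry["quarantine_failed"] += 1
                m = ERRCODE_RE.search(ev.text)
                if m:  # assumption: Win32 codes (2 = file not found, 3 = path not found)
                    entry["error_codes"].append(int(m.group(1)))
            else:
                other_errors.append(f"{ev.time} {ev.text}")
    return per_file, other_errors

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_with_dllcache(live, dllcache_dir):
    """Hash a live system file and its dllcache copy; a missing file hashes to None."""
    live, cached = Path(live), Path(dllcache_dir) / Path(live).name
    live_hash = sha256_of(live) if live.is_file() else None
    cached_hash = sha256_of(cached) if cached.is_file() else None
    return {"live": live_hash, "dllcache": cached_hash,
            "identical": live_hash is not None and live_hash == cached_hash}

# Constructed sample: a subset of the lines posted above.
SAMPLE_LOG = r"""
04:14:53 (null) ERROR IP protection failed: PfMakeLog failed with error code 122
04:20:26 (null) DETECTION C:\WINDOWS\system32\drivers\cdrom.sys Trojan.Patched QUARANTINE
04:20:26 (null) DETECTION C:\WINDOWS\system32\drivers\cdrom.sys Trojan.Patched DENY
04:20:27 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 2
04:20:28 (null) DETECTION C:\WINDOWS\system32\dllcache\cdrom.sys Trojan.Patched QUARANTINE
04:20:28 (null) DETECTION C:\WINDOWS\system32\dllcache\cdrom.sys Trojan.Patched DENY
04:20:29 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 3
04:30:51 (null) DETECTION C:\WINDOWS\system32\dllcache\setup.exe Trojan.Dropper QUARANTINE
04:30:51 (null) DETECTION C:\WINDOWS\system32\dllcache\setup.exe Trojan.Dropper DENY
04:30:52 (null) ERROR Quarantine failed: UtilityReadFile failed with error code 3
"""
```

Run `summarize(parse_log(SAMPLE_LOG))` to get the per-file tallies, then `compare_with_dllcache` on a flagged driver and the machine's own dllcache directory; an entry with a non-zero `quarantine_failed` count and error code 2 or 3 means the scanner never read back the file it flagged.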


#15 Elise (Malware Study Hall Admin)

Posted 18 October 2010 - 07:09 AM

Please try this also.

KASPERSKY ONLINE SCAN
-----------------------------------
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

regards, Elise


