FBI Moneypack Virus Corrupted Computer [Solved]


  • This topic is locked

#1 beerman (Member, 188 posts)
Hello GTG!

Unfortunately need your expert help again. I have a Windows XP laptop that has been overtaken by the FBI Moneypack screen and I am not able to do anything, even in Safe Mode. Sorry I can't get any logs out or run any programs. Hope you can help!


#2 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)
Hello and welcome to Geeks to Go. I am sorry that you are having troubles with your computer and will try my best to help you. I know that being infected is very frustrating, but I will be here to help you through the whole process of cleaning. Removing malware can be difficult and complicated and will most likely take many steps, so please stick with me until I have declared your computer clean. I always recommend printing my instructions before following them in case you cannot keep this webpage open. Please be sure to always follow all steps exactly as they are written and let me know what happens each time. Stop and ask if something unexpected happens or if you are unsure of how to proceed.

Please respect my volunteered time and stay with me until I declare your computer clean. If you are going to be delayed for a while, please let me know.

Do you have another computer from which you can burn a CD? If so, please try the following:


Please print these instructions out so that you know what you are doing.

  • Download OTLPENet.exe to your desktop
  • Download Farbar Recovery Scan Tool and save it to a flash drive.
  • Ensure that you have a blank CD in the drive
  • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
  • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
  • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
  • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
  • Insert the flash drive with FRST on it
  • Locate the flash drive and run FRST
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


#3 beerman (Topic Starter, Member, 188 posts)
Seem to be having an issue booting to the CD. It runs for a bit and then sits idle with a blinking white cursor on a black screen. I have been waiting about 15 minutes. Does it take longer than that? There is no CD drive or hard drive activity.

#4 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)
Did you set the computer to boot from CD in BIOS? Did you get any message like "Press any key to boot from CD?"

Can you give me the model number for your computer?

#5 beerman (Topic Starter, Member, 188 posts)
I did set it to boot from CD. I did not get such a message. The computer is a Dell Latitude D830 laptop. I think I will try to re-burn a new CD.

#6 beerman (Topic Starter, Member, 188 posts)
Burning another CD worked. Applying your instructions now.

#7 beerman (Topic Starter, Member, 188 posts)
Here you go. That is a pretty slick tool. :cool:

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-05-2013
Ran by SYSTEM on 15-05-2013 11:07:20
Running from D:\
Microsoft Windows XP (X86) OS Language: English(US)
Internet Explorer Version 8
Boot Mode: Recovery
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and Addition.txt log.

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe [159744 2007-04-15] (Alps Electric Co., Ltd.)
HKLM\...\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [100888 2007-10-09] (Logitech Inc.)
HKLM\...\Run: [] [x]
HKLM\...\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe [1245184 2008-02-22] (Dell Inc.)
HKLM\...\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe [92160 2007-09-10] (Wave Systems Corp.)
HKLM\...\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe [218424 2007-09-14] (Wave Systems Corp.)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe [2498560 2009-10-07] (Dell Inc.)
HKLM\...\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe [282624 2006-11-02] (Knowles Acoustics)
HKLM\...\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup [221184 2004-07-27] (InstallShield Software Corporation)
HKLM\...\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start [81920 2004-07-27] (InstallShield Software Corporation)
HKLM\...\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [1116920 2006-08-17] (Roxio)
HKLM\...\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [124200 2007-09-17] (CyberLink Corp.)
HKLM\...\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [623992 2008-10-14] (Adobe Systems Inc.)
HKLM\...\Run: [Acrobat Speed Launch] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe" [45936 2008-10-15] (Adobe Systems Incorporated)
HKLM\...\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe [405504 2007-05-10] (SigmaTel, Inc.)
HKLM\...\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START [65536 2007-07-31] ( TOSHIBA CORPORATION)
HKLM\...\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE [x]
HKLM\...\Run: [Acrobat Synchronizer] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe" [738968 2007-05-11] (Adobe Systems Incorporated)
HKLM\...\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [115560 2011-03-19] (Symantec Corporation)
HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe" [254696 2011-06-09] (Sun Microsystems, Inc.)
HKLM\...\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot [296056 2012-01-16] (RealNetworks, Inc.)
HKLM Groop Policy restriction on software: %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* <====== ATTENTION
HKLM\...\Winlogon: [System]
Winlogon\Notify\gemsafe: C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll [X]
Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
HKU\gwasson\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
HKU\gwasson\...\Run: [Push Client] "C:\Documents and Settings\gwasson\Local Settings\Application Data\ATT Connect\Participant\pull.exe" [x]
HKU\gwasson\...\Winlogon: [Shell] C:\Documents and Settings\gwasson\Application Data\i.ini,explorer.exe <==== ATTENTION
HKU\nmengos\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [x]
Lsa: [Authentication Packages] msv1_0 wvauth
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
ShortcutTarget: Bluetooth Manager.lnk -> C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
ShortcutTarget: Digital Line Detect.lnk -> C:\Program Files\Digital Line Detect\DLG.exe (Avanquest Software )
Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SetPoint.lnk
ShortcutTarget: SetPoint.lnk -> C:\Program Files\SetPoint\SetPoint.exe (Logitech Inc.)
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll (Microsoft Corporation)

========================== Services (Whitelisted) =================

S2 ASFIPmon; C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe [79432 2006-12-19] (Broadcom Corporation)
S2 ccEvtMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108392 2011-03-19] (Symantec Corporation)
S2 ccSetMgr; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [108392 2011-03-19] (Symantec Corporation)
S3 LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [3093880 2010-02-17] (Symantec Corporation)
S3 MSSQL$MSSMLBIZ; c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [29293408 2010-12-10] (Microsoft Corporation)
S3 NICCONFIGSVC; C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe [475136 2008-02-22] (Dell Inc.)
S3 SecureStorageService; C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe [486400 2007-08-31] (Wave Systems Corp.)
S2 SmcService; C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe [1881368 2011-03-19] (Symantec Corporation)
S4 SNAC; C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE [349512 2011-03-19] (Symantec Corporation)
S2 STacSV; C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\StacSV.exe [94208 2007-05-10] (SigmaTel, Inc.)
S2 Symantec AntiVirus; C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe [1831024 2011-03-19] (Symantec Corporation)
S2 tcsd_win32.exe; C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe [1552384 2007-11-08] ()
S2 TdmService; C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe [737280 2007-09-07] (Wave Systems Corp.)
S2 Wave UCSPlus; C:\WINDOWS\system32\dllhost.exe [5120 2008-04-13] (Microsoft Corporation)
S3 WaveEnrollmentService; C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe [192512 2007-09-13] (Wave Systems Corp.)
S2 wltrysvc; C:\Windows\System32\bcmwltry.exe [2232320 2009-10-07] (Dell Inc.)
S2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]

==================== Drivers (Whitelisted) ====================

S1 APPDRV; C:\Windows\SYSTEM32\DRIVERS\APPDRV.SYS [16128 2005-08-12] (Dell Inc)
S3 b57w2k; C:\Windows\System32\DRIVERS\b57xp32.sys [160256 2007-02-16] (Broadcom Corporation)
S2 BASFND; C:\Program Files\Broadcom\ASFIPMon\BASFND.sys [10480 2006-12-19] (Broadcom Corporation)
S3 BCM43XX; C:\Windows\System32\DRIVERS\bcmwl5.sys [2649216 2009-10-07] (Broadcom Corporation)
S3 COH_Mon; C:\WINDOWS\system32\Drivers\COH_Mon.sys [23888 2011-03-19] (Symantec Corporation)
S3 DXEC01; C:\Windows\System32\drivers\dxec01.sys [97536 2006-11-02] (Knowles Acoustics)
S1 eeCtrl; C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [376480 2013-01-03] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [106656 2012-08-09] (Symantec Corporation)
S3 guardian2; C:\Windows\System32\Drivers\oz776.sys [62208 2007-11-28] (O2Micro)
S3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows ® Server 2003 DDK provider)
S3 HSFHWAZL; C:\Windows\System32\DRIVERS\HSFHWAZL.sys [211200 2007-12-02] (Conexant Systems, Inc.)
S3 HSF_DPV; C:\Windows\System32\DRIVERS\HSF_DPV.sys [989952 2007-12-02] (Conexant Systems, Inc.)
S3 LMouFilt; C:\Windows\System32\DRIVERS\LMouFilt.Sys [32280 2007-10-09] (Logitech, Inc.)
S3 NAVENG; C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130509.004\NAVENG.SYS [93296 2013-05-07] (Symantec Corporation)
S3 NAVEX15; C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130509.004\NAVEX15.SYS [1603824 2013-05-07] (Symantec Corporation)
S0 PBADRV; C:\Windows\System32\DRIVERS\PBADRV.sys [26608 2007-09-07] (Dell Inc)
S1 SPBBCDrv; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [421424 2011-03-19] (Symantec Corporation)
S1 SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [283184 2011-03-19] (Symantec Corporation)
S3 SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [320944 2011-03-19] (Symantec Corporation)
S1 SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [43696 2011-03-19] (Symantec Corporation)
S3 STHDA; C:\Windows\System32\drivers\sthda.sys [1222840 2007-05-10] (SigmaTel, Inc.)
S3 SymEvent; C:\WINDOWS\system32\Drivers\SYMEVENT.SYS [124976 2011-05-11] (Symantec Corporation)
S3 SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [26416 2011-03-19] (Symantec Corporation)
S1 SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [188080 2011-03-19] (Symantec Corporation)
S3 WaveFDE; C:\Windows\System32\DRIVERS\WaveFDE.sys [18176 2007-09-06] (Windows ® Codename Longhorn DDK provider)
S2 WavxDMgr; C:\Windows\System32\DRIVERS\WavxDMgr.sys [161280 2007-09-10] (Wave Systems Corp.)
S4 Abiosdsk; No ImagePath
S4 Atdisk; No ImagePath
S1 Changer; No ImagePath
S1 lbrtfdc; No ImagePath
S1 PCIDump; No ImagePath
S3 PDCOMP; No ImagePath
S3 PDFRAME; No ImagePath
S3 PDRELI; No ImagePath
S3 PDRFRAME; No ImagePath
S4 Simbad; No ImagePath
S3 WDICA; No ImagePath
S1 WS2IFSL;

==================== NetSvcs (Whitelisted) ===================


==================== One Month Created Files and Folders ========

2013-05-15 11:07 - 2013-05-15 11:07 - 00000000 ____D C:\FRST
2013-05-09 15:07 - 2013-05-13 10:29 - 00000664 ____A C:\Windows\System32\d3d9caps.dat
2013-05-09 13:58 - 2013-05-13 10:32 - 00065156 ____A C:\Windows\jucxhe.isa
2013-05-09 13:58 - 2013-05-13 10:32 - 00050371 ____A C:\Windows\gsfoe.xuy
2013-05-09 13:58 - 2013-05-09 13:59 - 00051805 ____A C:\Windows\dbiq.doi
2013-05-09 13:58 - 2013-05-09 13:58 - 00275293 ____A C:\Windows\civhxb.nqu
2013-05-09 13:58 - 2013-05-09 13:58 - 00204158 ____A C:\Windows\kvcp.rum
2013-05-09 13:58 - 2013-05-09 13:58 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\xdus
2013-05-09 13:53 - 2013-05-09 15:06 - 00022956 ____A C:\Windows\jfykvs.oqy
2013-05-09 13:53 - 2013-05-09 13:53 - 00161280 ____A (Ahead Software AG) C:\Documents and Settings\gwasson\Desktop\ibec.tmp
2013-05-07 11:08 - 2013-05-07 11:08 - 00000000 __SHD C:\Documents and Settings\LocalService\IETldCache
2013-05-06 15:11 - 2013-05-06 15:11 - 00274315 ____A C:\Documents and Settings\gwasson\Desktop\Walmart Pabst Operation Homefront.pptx
2013-04-24 11:26 - 2013-04-24 11:26 - 00392192 ____A C:\Windows\System32\C4dll.dll
2013-04-24 11:26 - 2013-04-24 11:26 - 00210944 ____A C:\Windows\System32\Msvcrt10.dll
2013-04-22 14:39 - 2013-04-22 14:39 - 04921366 ____A C:\Documents and Settings\gwasson\Desktop\Harley.zip

==================== One Month Modified Files and Folders ========

2013-05-15 11:07 - 2013-05-15 11:07 - 00000000 ____D C:\FRST
2013-05-13 10:39 - 2010-01-08 18:41 - 00000178 __ASH C:\Documents and Settings\gwasson\ntuser.ini
2013-05-13 10:39 - 2004-08-11 18:13 - 01966497 ____A C:\Windows\WindowsUpdate.log
2013-05-13 10:36 - 2004-08-11 18:07 - 00595844 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-13 10:32 - 2013-05-09 13:58 - 00065156 ____A C:\Windows\jucxhe.isa
2013-05-13 10:32 - 2013-05-09 13:58 - 00050371 ____A C:\Windows\gsfoe.xuy
2013-05-13 10:32 - 2010-01-08 18:41 - 00000062 __ASH C:\Documents and Settings\gwasson\Local Settings\desktop.ini
2013-05-13 10:32 - 2004-08-11 18:00 - 00002206 ____A C:\Windows\System32\wpa.dbl
2013-05-13 10:31 - 2004-08-11 18:20 - 00032554 ____A C:\Windows\SchedLgU.Txt
2013-05-13 10:31 - 2004-08-11 18:20 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
2013-05-13 10:31 - 2004-08-11 18:20 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
2013-05-13 10:31 - 2004-08-11 18:20 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-13 10:31 - 2004-08-11 18:09 - 00000216 ____A C:\Windows\wiadebug.log
2013-05-13 10:29 - 2013-05-09 15:07 - 00000664 ____A C:\Windows\System32\d3d9caps.dat
2013-05-13 10:29 - 2013-03-22 07:58 - 00000420 ____A C:\Windows\Tasks\RNUpgradeHelperLogonPrompt_gwasson.job
2013-05-13 10:29 - 2012-02-09 22:49 - 00000000 ____D C:\MDT
2013-05-13 10:29 - 2011-01-17 17:17 - 00000282 ____A C:\Windows\Tasks\RealUpgradeLogonTaskS-1-5-21-962395197-4016970835-1205081151-1228.job
2013-05-13 10:29 - 2011-01-17 17:16 - 00000884 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-13 10:29 - 2010-01-08 18:41 - 00000000 ____A C:\Documents and Settings\gwasson\Local Settings\Application Data\WavXMapDrive.bat
2013-05-13 10:15 - 2004-08-11 18:11 - 00000000 ____D C:\Windows\Registration
2013-05-13 10:14 - 2008-04-19 18:19 - 00000000 ____D C:\Documents and Settings\NetworkService\Local Settings\Application Data\NTRU Cryptosystems
2013-05-13 10:14 - 2004-08-11 18:09 - 00000049 ____A C:\Windows\wiaservc.log
2013-05-09 15:06 - 2013-05-09 13:53 - 00022956 ____A C:\Windows\jfykvs.oqy
2013-05-09 15:04 - 2010-01-08 18:11 - 00000120 ____A C:\Windows\System32\config\netlogon.ftl
2013-05-09 15:01 - 2004-08-11 18:02 - 00000000 ____D C:\Windows\security
2013-05-09 14:13 - 2011-01-17 17:16 - 00000888 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-09 13:59 - 2013-05-09 13:58 - 00051805 ____A C:\Windows\dbiq.doi
2013-05-09 13:58 - 2013-05-09 13:58 - 00275293 ____A C:\Windows\civhxb.nqu
2013-05-09 13:58 - 2013-05-09 13:58 - 00204158 ____A C:\Windows\kvcp.rum
2013-05-09 13:58 - 2013-05-09 13:58 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\xdus
2013-05-09 13:53 - 2013-05-09 13:53 - 00161280 ____A (Ahead Software AG) C:\Documents and Settings\gwasson\Desktop\ibec.tmp
2013-05-09 13:46 - 2013-02-19 15:02 - 00000000 ____D C:\Documents and Settings\gwasson\Desktop\SSA 2013 Live Spring Resets I
2013-05-08 13:56 - 2013-03-18 10:07 - 00000000 ____D C:\Documents and Settings\gwasson\Desktop\SSA 2013 Live Spring Rests II
2013-05-08 13:56 - 2013-02-21 09:46 - 00000000 ____D C:\Documents and Settings\gwasson\Desktop\SSA 2013 Spring Resets
2013-05-08 13:25 - 2011-08-24 15:15 - 00000000 ____D C:\Documents and Settings\gwasson\Desktop\Walmart
2013-05-08 13:25 - 2011-08-24 15:10 - 00000000 ____D C:\Documents and Settings\gwasson\Desktop\Speedway
2013-05-08 13:25 - 2011-08-24 15:06 - 00000000 ____D C:\Documents and Settings\gwasson\Desktop\Months
2013-05-08 13:23 - 2013-01-15 12:17 - 00000000 ____D C:\Documents and Settings\gwasson\Desktop\Brock Green Sheets
2013-05-08 13:21 - 2011-08-24 15:29 - 00000000 ____D C:\Documents and Settings\gwasson\Desktop\Circle K
2013-05-07 15:54 - 2011-01-17 17:17 - 00000290 ____A C:\Windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-962395197-4016970835-1205081151-1228.job
2013-05-07 11:08 - 2013-05-07 11:08 - 00000000 __SHD C:\Documents and Settings\LocalService\IETldCache
2013-05-07 11:08 - 2010-01-15 14:09 - 00000000 ____D C:\Program Files\Common Files\JDA
2013-05-07 10:31 - 2013-03-22 07:58 - 00000410 ____A C:\Windows\Tasks\ReclaimerUpdateXML_gwasson.job
2013-05-07 10:17 - 2010-05-20 14:29 - 00002325 ____A C:\Documents and Settings\gwasson\Desktop\Space Planning.lnk
2013-05-07 07:18 - 2010-01-08 18:45 - 00002515 ____A C:\Documents and Settings\gwasson\Desktop\Microsoft Office Word 2007.lnk
2013-05-06 15:11 - 2013-05-06 15:11 - 00274315 ____A C:\Documents and Settings\gwasson\Desktop\Walmart Pabst Operation Homefront.pptx
2013-05-06 15:07 - 2010-01-08 18:45 - 00002483 ____A C:\Documents and Settings\gwasson\Desktop\Microsoft Office PowerPoint 2007.lnk
2013-05-02 16:12 - 2013-02-27 14:40 - 00000000 ____D C:\Documents and Settings\gwasson\Desktop\014 CINCINNATI VALIDATION PACKAGE
2013-05-01 06:16 - 2013-03-22 07:58 - 00000414 ____A C:\Windows\Tasks\ReclaimerUpdateFiles_gwasson.job
2013-04-30 16:01 - 2013-02-26 15:39 - 00000000 ____D C:\Documents and Settings\gwasson\Desktop\April 2013
2013-04-30 14:36 - 2013-03-21 08:07 - 00000000 ____D C:\Documents and Settings\gwasson\Desktop\May 2013
2013-04-24 11:26 - 2013-04-24 11:26 - 00392192 ____A C:\Windows\System32\C4dll.dll
2013-04-24 11:26 - 2013-04-24 11:26 - 00210944 ____A C:\Windows\System32\Msvcrt10.dll
2013-04-24 09:58 - 2010-01-08 18:45 - 00002473 ____A C:\Documents and Settings\gwasson\Desktop\Microsoft Office Excel 2007.lnk
2013-04-23 10:38 - 2004-08-11 18:11 - 00065332 ____A C:\Windows\wmsetup.log
2013-04-22 14:39 - 2013-04-22 14:39 - 04921366 ____A C:\Documents and Settings\gwasson\Desktop\Harley.zip
2013-04-22 08:00 - 2010-02-16 16:50 - 00000000 ____D C:\Program Files\WebEx
2013-04-19 14:52 - 2011-08-24 15:04 - 00000000 ____D C:\Documents and Settings\gwasson\Desktop\Chain Conference Calls
2013-04-18 09:56 - 2013-04-12 15:56 - 00002977 ____A C:\Documents and Settings\gwasson\Desktop\myAT&T v9.0.lnk

Other Malware:
===========
C:\Documents and Settings\gwasson\Application Data\i.ini

==================== Known DLLs (Whitelisted) ============


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe => MD5 is legit
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points (XP) =====================

RP: -> 2013-05-07 11:20 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP999

RP: -> 2013-05-07 11:08 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP998

RP: -> 2013-05-07 11:08 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP997

RP: -> 2013-05-07 11:06 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP996

RP: -> 2013-05-07 11:05 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP995

RP: -> 2013-05-07 11:02 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP994

RP: -> 2013-05-07 11:01 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP993

RP: -> 2013-05-07 10:15 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP992

RP: -> 2013-05-06 15:42 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP991

RP: -> 2013-05-03 08:50 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP990

RP: -> 2013-05-02 08:36 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP989

RP: -> 2013-04-30 16:19 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP988

RP: -> 2013-04-29 14:28 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP987

RP: -> 2013-04-26 11:57 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP986

RP: -> 2013-04-25 10:11 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP985

RP: -> 2013-04-24 09:46 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP984

RP: -> 2013-04-22 12:12 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP983

RP: -> 2013-04-19 10:34 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP982

RP: -> 2013-04-18 10:31 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP981

RP: -> 2013-04-16 12:58 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP980

RP: -> 2013-04-15 12:06 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP979

RP: -> 2013-04-12 15:56 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP978

RP: -> 2013-04-12 13:02 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP977

RP: -> 2013-04-11 12:07 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP976

RP: -> 2013-04-10 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP975

RP: -> 2013-04-09 15:59 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP974

RP: -> 2013-04-05 12:32 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP973

RP: -> 2013-04-04 12:20 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP972

RP: -> 2013-04-01 15:37 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP971

RP: -> 2013-03-28 16:17 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP970

RP: -> 2013-03-27 16:15 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP969

RP: -> 2013-03-26 13:24 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP968

RP: -> 2013-03-25 10:40 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP967

RP: -> 2013-03-22 03:00 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP966

RP: -> 2013-03-21 13:16 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP965

RP: -> 2013-03-20 13:11 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP964

RP: -> 2013-03-19 13:11 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP963

RP: -> 2013-03-18 09:23 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP962

RP: -> 2013-03-15 08:57 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP961

RP: -> 2013-03-14 08:16 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP960

RP: -> 2013-03-13 09:13 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP959

RP: -> 2013-03-11 15:28 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP958

RP: -> 2013-03-04 13:35 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP957

RP: -> 2013-03-01 15:37 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP956

RP: -> 2013-02-28 14:48 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP955

RP: -> 2013-02-27 14:16 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP954

RP: -> 2013-02-26 13:21 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP953

RP: -> 2013-02-25 11:14 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP952

RP: -> 2013-02-23 19:43 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP951

RP: -> 2013-02-22 13:12 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP950

RP: -> 2013-02-21 13:04 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP949

RP: -> 2013-02-19 12:54 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP948

RP: -> 2013-02-18 10:38 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP947

RP: -> 2013-02-15 10:44 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP946

RP: -> 2013-02-14 09:05 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP945

RP: -> 2013-02-13 12:07 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP944

RP: -> 2013-02-12 11:49 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP943

RP: -> 2013-02-11 10:16 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP942

RP: -> 2013-05-09 13:27 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1003

RP: -> 2013-05-07 14:24 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1002

RP: -> 2013-05-07 14:07 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1001

RP: -> 2013-05-07 11:23 - 028672 _restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1000


==================== Memory info ===========================

Percentage of memory in use: 12%
Total physical RAM: 2037.9 MB
Available physical RAM: 1773.91 MB
Total Pagefile: 1868.61 MB
Available Pagefile: 1805.73 MB
Total Virtual: 2047.88 MB
Available Virtual: 1993.54 MB

==================== Drives ================================

Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
Drive c: () (Fixed) (Total:111.7 GB) (Free:56.5 GB) NTFS ==>[Drive with boot components (Windows XP)]
Drive d: (PKBACK# 001) (Removable) (Total:0.24 GB) (Free:0.05 GB) FAT
Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows XP) (Size: 112 GB) (Disk ID: 41AB2316)
Partition 1: (Not Active) - (Size=86 MB) - (Type=DE)
Partition 2: (Active) - (Size=112 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (Size: 246 MB) (Disk ID: C3072E18)
Partition 1: (Active) - (Size=246 MB) - (Type=04)

==================== End Of Log ============================

Thanks again for your help. :thumbsup:
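The FRST log above flags a per-user Winlogon Shell value and a cluster of random-named files created directly in the Windows directory; the Python below is an added example (not FRST's code and not part of the thread) that parses a few lines copied from that log and derives the same verdicts, so the reader can see what makes those entries suspicious. The sample lines are constructed from the log above; the extension allow-list for the Windows root is an assumption.

```python
"""Triage a few FRST log lines for the indicators seen in this thread:
a per-user Winlogon "Shell" value that starts something other than
explorer.exe, and newly created files with random names dropped straight
into the Windows directory."""
import re
from dataclasses import dataclass

# FRST registry line, e.g.  HKU\gwasson\...\Winlogon: [Shell] <data> <==== ATTENTION
WINLOGON_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\Winlogon: \[(?P<name>[^\]]*)\]\s*(?P<data>.*)$")
# FRST "Created Files" line:  <created> - <modified> - <size> <attrs> [(Company)] <path>
CREATED_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d - \d{4}-\d\d-\d\d \d\d:\d\d - (?P<size>\d{8}) "
    r"(?P<attrs>\S+) (?:\([^)]*\) )?(?P<path>.+)$")
# Extensions one expects for loose files in the Windows root (assumed allow-list).
WINDOWS_ROOT_OK = {"exe", "dll", "ini", "log", "txt", "bmp", "dat", "sys", "com"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    where: str      # registry hive or file path
    detail: str


def check_winlogon(line: str):
    """Return a Finding if this registry line shows a tampered Shell value, else None."""
    m = WINLOGON_RE.match(line)
    if not m or m["name"] != "Shell":
        return None
    hive = m["hive"]
    # FRST appends "<==== ATTENTION" to lines it dislikes; strip it and re-derive the verdict.
    data = re.sub(r"\s*<=+\s*ATTENTION\s*$", "", m["data"]).strip()
    # Shell is a comma-separated list of programs Winlogon starts at logon. The only
    # legitimate entry is explorer.exe. CreateProcess does not care about the file
    # extension, so the "i.ini" in the log is a renamed executable, not a settings file.
    entries = [e.strip().strip('"') for e in data.split(",") if e.strip()]
    rogue = [e for e in entries if e.lower() != "explorer.exe"]
    if rogue:
        return Finding("high", hive, f"Shell value runs {rogue[0]} (not explorer.exe)")
    if hive.startswith("HKU\\"):
        # A per-user Shell value is unusual even when it only names explorer.exe.
        return Finding("medium", hive, "per-user Winlogon Shell value present")
    return None


def check_created_file(line: str):
    """Flag a newly created file directly in the Windows root with an odd extension."""
    m = CREATED_RE.match(line)
    if not m or "D" in m["attrs"]:      # attribute string ____D / __SHD marks a directory
        return None
    path = m["path"]
    tail = path.lower()
    if not tail.startswith("c:\\windows\\"):
        return None
    tail = tail[len("c:\\windows\\"):]
    if "\\" in tail:                    # nested (System32, Tasks, ...): outside this heuristic
        return None
    ext = tail.rsplit(".", 1)[-1] if "." in tail else ""
    if ext in WINDOWS_ROOT_OK:
        return None
    return Finding("medium", path, f"new file in Windows root with unusual extension .{ext}")


def triage(lines):
    """Run both checks over FRST log lines and return the findings in log order."""
    findings = []
    for line in lines:
        f = check_winlogon(line) or check_created_file(line)
        if f:
            findings.append(f)
    return findings


# Constructed sample: a handful of lines copied from the FRST.txt posted above.
SAMPLE_LINES = r"""
HKLM\...\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe [159744 2007-04-15] (Alps Electric Co., Ltd.)
HKLM\...\Winlogon: [System]
HKU\gwasson\...\Winlogon: [Shell] C:\Documents and Settings\gwasson\Application Data\i.ini,explorer.exe <==== ATTENTION
2013-05-15 11:07 - 2013-05-15 11:07 - 00000000 ____D C:\FRST
2013-05-09 15:07 - 2013-05-13 10:29 - 00000664 ____A C:\Windows\System32\d3d9caps.dat
2013-05-09 13:58 - 2013-05-13 10:32 - 00065156 ____A C:\Windows\jucxhe.isa
2013-05-09 13:58 - 2013-05-09 13:58 - 00204158 ____A C:\Windows\kvcp.rum
2013-05-09 13:53 - 2013-05-09 13:53 - 00161280 ____A (Ahead Software AG) C:\Documents and Settings\gwasson\Desktop\ibec.tmp
2013-04-23 10:38 - 2004-08-11 18:11 - 00065332 ____A C:\Windows\wmsetup.log
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity}] {f.where}: {f.detail}")
```

The Shell check is the same reasoning the fix in the next posts applies: the per-user Shell value is deleted and the dropped files are moved out.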

#8 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)
Please copy the attached file to your flash drive and boot the computer from the CD again.


Run FRST and press the Fix button just once and wait. The tool will make a log on the flash drive (Fixlog.txt); please post it in your next reply.

Your computer should be able to boot normally now. If so, please run the following scan:


Download aswMBR.exe to your desktop.
Double click aswMBR.exe to run it. Click the "Scan" button to start the scan.

On completion of the scan click Save log, save it to your desktop and post it in your next reply.


#9 beerman (Topic Starter, Member, 188 posts)
You are correct, after the fix the computer booted fine. I cannot, however, enable the internal NIC.

Anyway, here are the logs:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 13-05-2013
Ran by SYSTEM at 2013-05-16 11:14:06 Run:1
Running from D:\
Boot Mode: Recovery

==============================================

HKEY_USERS\gwasson\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell => Value deleted successfully.
C:\Windows\jucxhe.isa => Moved successfully.
C:\Windows\gsfoe.xuy => Moved successfully.
C:\Windows\dbiq.doi => Moved successfully.
C:\Windows\civhxb.nqu => Moved successfully.
C:\Windows\kvcp.rum => Moved successfully.
C:\Documents and Settings\All Users\Application Data\xdus => Moved successfully.
C:\Windows\jfykvs.oqy => Moved successfully.
C:\Documents and Settings\gwasson\Desktop\ibec.tmp => Moved successfully.
C:\Documents and Settings\gwasson\Application Data\i.ini => Moved successfully.

==== End of Fixlog ====


aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-05-16 11:29:05
-----------------------------
11:29:05.937 OS Version: Windows 5.1.2600 Service Pack 3
11:29:05.937 Number of processors: 2 586 0xF0D
11:29:05.937 ComputerName: 64FW3G1 UserName: gwasson
11:29:06.484 Initialize success
11:29:27.000 AVAST engine download error: 0
11:29:41.437 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
11:29:41.437 Disk 0 Vendor: WDC_WD1200BEVS-75UST0 01.01A01 Size: 114473MB BusType: 3
11:29:41.625 Disk 0 MBR read successfully
11:29:41.625 Disk 0 MBR scan
11:29:41.625 Disk 0 Windows XP default MBR code
11:29:41.625 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 86 MB offset 63
11:29:41.640 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 114376 MB offset 176715
11:29:41.640 Disk 0 scanning sectors +234420480
11:29:41.703 Disk 0 scanning C:\WINDOWS\system32\drivers
11:30:02.625 Service scanning
11:30:23.796 Modules scanning
11:30:30.406 Disk 0 trace - called modules:
11:30:30.453 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
11:30:30.453 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a56eab8]
11:30:30.453 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8a598030]
11:30:30.453 Scan finished successfully
11:41:12.937 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
11:41:13.015 The log file has been saved successfully to "E:\aswMBR.txt"


Thanks. :thumbsup:

#10 Buddierdl (Trusted Helper, Malware Removal, 2,524 posts)

Quote: You are correct, after the fix the computer booted fine. I cannot, however, enable the internal NIC.

So you cannot connect the computer to the internet? Does it give you any error message when you try to enable it?


Let's look at an OTL log.



Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Please check the box next to Scan All Users.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.

  • 0


#11
beerman

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 188 posts
I have not been able to reply with the logs included. Looks like I get blocked by your site. This is a test reply without the logs.
  • 0

#12
beerman

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 188 posts
For whatever reason I cannot reply with the logs pasted into the reply. Can I attach instead?
  • 0

#13
Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
Yes, you can attach them or use something like Dropbox to upload them with a share link. I will contact admin to see what is causing the server to reject the logs.
  • 0

#14
beerman

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 188 posts
Yea, very strange. I was getting a 403 error, whatever that means. Anyway, the logs are attached.

Thanks.


OTL logfile created on: 5/16/2013 11:59:45 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\gwasson\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.33 Gb Available Physical Memory | 66.88% Memory free
3.84 Gb Paging File | 3.38 Gb Available in Paging File | 88.18% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.70 Gb Total Space | 54.51 Gb Free Space | 48.80% Space Free | Partition Type: NTFS
Drive E: | 245.27 Mb Total Space | 44.95 Mb Free Space | 18.32% Space Free | Partition Type: FAT

Computer Name: 64FW3G1 | User Name: gwasson | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/05/16 10:58:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\gwasson\Desktop\OTL.exe
PRC - [2012/01/16 16:01:49 | 000,296,056 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Real\RealPlayer\Update\realsched.exe
PRC - [2011/04/27 13:30:14 | 000,966,944 | ---- | M] (AT&T Inc.) -- C:\Documents and Settings\gwasson\Local Settings\Application Data\ATT Connect\Participant\pull.exe
PRC - [2011/03/19 21:29:02 | 001,459,528 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
PRC - [2011/03/19 21:29:02 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe
PRC - [2011/03/19 21:29:02 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
PRC - [2011/03/19 21:29:00 | 001,881,368 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
PRC - [2011/03/19 21:29:00 | 001,831,024 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
PRC - [2008/10/14 22:38:56 | 000,623,992 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
PRC - [2008/04/19 18:41:07 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/02/22 13:43:38 | 001,245,184 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2008/01/11 18:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2007/12/03 11:03:54 | 000,679,936 | ---- | M] (Logitech Inc.) -- C:\Program Files\SetPoint\SetPoint.exe
PRC - [2007/11/08 23:50:10 | 001,552,384 | ---- | M] () -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
PRC - [2007/10/09 09:09:06 | 000,100,888 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.exe
PRC - [2007/09/17 12:56:08 | 000,124,200 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
PRC - [2007/09/14 11:53:16 | 000,218,424 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
PRC - [2007/09/10 10:55:04 | 000,092,160 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
PRC - [2007/09/07 18:29:04 | 000,737,280 | ---- | M] (Wave Systems Corp.) -- C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
PRC - [2007/07/31 23:10:04 | 000,065,536 | ---- | M] ( TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\ItSecMng.exe
PRC - [2007/07/30 23:54:38 | 002,158,592 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
PRC - [2007/05/10 11:23:50 | 000,094,208 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\DellXPM_5515v131\WDM\stacsv.exe
PRC - [2007/05/10 11:22:32 | 000,405,504 | ---- | M] (SigmaTel, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\stsystra.exe
PRC - [2007/04/15 22:49:16 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\hidfind.exe
PRC - [2007/04/15 22:49:08 | 000,159,744 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2007/04/15 22:49:08 | 000,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApMsgFwd.exe
PRC - [2007/04/15 22:49:08 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe
PRC - [2006/12/19 15:21:48 | 000,079,432 | ---- | M] (Broadcom Corporation) -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
PRC - [2006/12/18 16:22:14 | 000,278,528 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
PRC - [2006/11/02 15:05:50 | 000,282,624 | ---- | M] (Knowles Acoustics) -- C:\WINDOWS\system32\KADxMain.exe
PRC - [2006/10/27 21:13:48 | 000,270,336 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
PRC - [2006/08/23 14:11:38 | 000,069,632 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
PRC - [2006/08/17 10:00:00 | 001,116,920 | ---- | M] (Roxio) -- C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
PRC - [2006/02/24 18:03:40 | 000,106,496 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtKbd.exe
PRC - [2006/01/24 00:14:10 | 000,069,632 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
PRC - [2004/07/27 17:50:04 | 000,503,808 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe


========== Modules (No Company Name) ==========

MOD - [2013/02/14 10:08:05 | 000,212,992 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\d7ee03714420b252415b952d40ef59e4\System.ServiceProcess.ni.dll
MOD - [2013/02/14 09:28:48 | 012,433,920 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\ba12e418b906593b7c9c18f971f36bf9\System.Windows.Forms.ni.dll
MOD - [2013/01/09 12:03:19 | 000,998,400 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Management\1a6f9e23985e3159e6dd9827fd81c2fd\System.Management.ni.dll
MOD - [2013/01/09 12:02:45 | 000,771,584 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\d7a2248a76f0e94d56c92c5bf96f5175\System.Runtime.Remoting.ni.dll
MOD - [2013/01/09 11:59:10 | 005,450,752 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\fe025743210c22bea2f009e1612c38bf\System.Xml.ni.dll
MOD - [2013/01/09 11:58:52 | 001,593,856 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\7782f356a838c403b4a8e9c80df5a577\System.Drawing.ni.dll
MOD - [2013/01/09 11:53:53 | 007,977,984 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\aeac298c43c77d8860db8e7634d9f2eb\System.ni.dll
MOD - [2013/01/09 11:53:13 | 011,492,352 | ---- | M] () -- C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\eab2340ead8e1a84bdf1a87868659979\mscorlib.ni.dll
MOD - [2011/04/27 13:22:58 | 000,031,744 | ---- | M] () -- C:\Documents and Settings\gwasson\Local Settings\Application Data\ATT Connect\Participant\IwRegVC90.dll
MOD - [2011/04/21 11:10:40 | 000,418,304 | ---- | M] () -- C:\Documents and Settings\gwasson\Local Settings\Application Data\ATT Connect\Participant\exchndl.dll
MOD - [2009/10/07 16:01:34 | 000,143,360 | ---- | M] () -- C:\WINDOWS\system32\preflib.dll
MOD - [2009/10/07 16:01:14 | 000,757,760 | ---- | M] () -- C:\WINDOWS\system32\bcm1xsup.dll
MOD - [2008/02/22 13:45:06 | 000,098,304 | ---- | M] () -- C:\Program Files\Dell\QuickSet\dadkeyb.dll
MOD - [2007/11/08 23:49:06 | 000,004,608 | ---- | M] () -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\TspPopup_ENU.dll
MOD - [2007/09/10 10:53:26 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\wxvault.dll
MOD - [2006/08/18 14:17:36 | 000,056,056 | ---- | M] () -- C:\WINDOWS\system32\DLAAPI_W.DLL
MOD - [2005/10/13 14:53:36 | 000,090,223 | ---- | M] () -- C:\Program Files\Dell\QuickSet\preflibcl.dll
MOD - [2005/07/22 22:30:20 | 000,065,536 | ---- | M] () -- C:\WINDOWS\system32\TosCommAPI.dll
MOD - [2004/07/20 18:04:02 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\TosBtHcrpAPI.dll


========== Services (SafeList) ==========

SRV - [2011/03/19 21:29:02 | 000,349,512 | ---- | M] (Symantec Corporation) [Disabled | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC)
SRV - [2011/03/19 21:29:02 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr)
SRV - [2011/03/19 21:29:02 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr)
SRV - [2011/03/19 21:29:00 | 001,881,368 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService)
SRV - [2011/03/19 21:29:00 | 001,831,024 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus)
SRV - [2010/02/17 10:53:18 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2008/04/19 18:41:07 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Running] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/02/22 13:40:20 | 000,475,136 | ---- | M] (Dell Inc.) [On_Demand | Stopped] -- C:\Program Files\Dell\QuickSet\NicConfigSvc.exe -- (NICCONFIGSVC)
SRV - [2008/01/11 18:50:16 | 000,030,312 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007/11/08 23:50:10 | 001,552,384 | ---- | M] () [Auto | Running] -- C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe -- (tcsd_win32.exe)
SRV - [2007/09/13 15:31:44 | 000,192,512 | ---- | M] (Wave Systems Corp.) [On_Demand | Stopped] -- C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe -- (WaveEnrollmentService)
SRV - [2007/09/07 18:29:04 | 000,737,280 | ---- | M] (Wave Systems Corp.) [Auto | Running] -- C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe -- (TdmService)
SRV - [2007/08/31 18:39:18 | 000,486,400 | ---- | M] (Wave Systems Corp.) [On_Demand | Stopped] -- C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe -- (SecureStorageService)
SRV - [2007/05/10 11:23:50 | 000,094,208 | ---- | M] (SigmaTel, Inc.) [Auto | Running] -- C:\Program Files\Sigmatel\C-Major Audio\DellXPM_5515v131\WDM\stacsv.exe -- (STacSV)
SRV - [2006/12/19 15:21:48 | 000,079,432 | ---- | M] (Broadcom Corporation) [Auto | Running] -- C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe -- (ASFIPmon)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\gwasson\LOCALS~1\Temp\aswMBR.sys -- (aswMBR)
DRV - [2013/05/07 07:19:10 | 001,603,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20130509.004\NAVEX15.SYS -- (NAVEX15)
DRV - [2013/05/07 07:19:10 | 000,093,296 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\VirusDefs\20130509.004\NAVENG.SYS -- (NAVENG)
DRV - [2013/01/03 09:04:18 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2012/08/09 08:26:56 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2011/05/11 14:41:38 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2011/03/19 21:29:02 | 000,320,944 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\srtspl.sys -- (SRTSPL)
DRV - [2011/03/19 21:29:02 | 000,283,184 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\srtsp.sys -- (SRTSP)
DRV - [2011/03/19 21:29:02 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\srtspx.sys -- (SRTSPX)
DRV - [2011/03/19 21:28:58 | 000,421,424 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv)
DRV - [2011/03/19 21:28:58 | 000,188,080 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI)
DRV - [2011/03/19 21:28:58 | 000,026,416 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV)
DRV - [2011/03/19 21:28:58 | 000,023,888 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\COH_Mon.sys -- (COH_Mon)
DRV - [2009/10/07 16:01:32 | 002,649,216 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\BCMWL5.SYS -- (BCM43XX)
DRV - [2007/12/02 19:26:22 | 000,989,952 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2007/12/02 19:26:20 | 000,731,136 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2007/12/02 19:26:20 | 000,211,200 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2007/11/28 17:18:24 | 000,062,208 | ---- | M] (O2Micro) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\oz776.sys -- (guardian2)
DRV - [2007/10/09 09:09:02 | 000,032,280 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2007/10/09 09:09:00 | 000,032,152 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2007/09/10 10:55:00 | 000,161,280 | ---- | M] (Wave Systems Corp.) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\WavxDMgr.sys -- (WavxDMgr)
DRV - [2007/09/07 10:57:14 | 000,026,608 | ---- | M] (Dell Inc) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PBADRV.sys -- (PBADRV)
DRV - [2007/09/06 10:18:40 | 000,018,176 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\WaveFDE.sys -- (WaveFDE)
DRV - [2007/06/11 15:25:00 | 000,041,856 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)
DRV - [2007/05/24 15:27:00 | 000,064,000 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2007/05/10 11:24:34 | 001,222,840 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2007/04/24 14:20:00 | 000,113,920 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbd.sys -- (tosrfbd)
DRV - [2007/04/15 22:49:08 | 000,132,608 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2007/03/01 17:53:00 | 000,073,728 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Tosrfhid.sys -- (Tosrfhid)
DRV - [2007/02/16 16:46:00 | 000,160,256 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2006/12/19 15:21:52 | 000,010,480 | ---- | M] (Broadcom Corporation) [Kernel | Auto | Running] -- C:\Program Files\Broadcom\ASFIPMon\BASFND.sys -- (BASFND)
DRV - [2006/11/20 18:55:00 | 000,036,480 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (tosrfbnp)
DRV - [2006/11/02 13:32:32 | 000,097,536 | ---- | M] (Knowles Acoustics) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dxec01.sys -- (DXEC01)
DRV - [2006/10/10 20:33:00 | 000,041,600 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosporte.sys -- (tosporte)
DRV - [2006/08/18 14:18:08 | 000,009,400 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResM.SYS -- (DLADResM)
DRV - [2006/08/18 14:17:46 | 000,035,096 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABMFSM.SYS -- (DLABMFSM)
DRV - [2006/08/18 14:17:44 | 000,097,848 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/08/18 14:17:44 | 000,094,648 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/08/18 14:17:42 | 000,026,008 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/08/18 14:17:40 | 000,032,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/08/18 14:17:38 | 000,104,472 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/08/18 14:17:38 | 000,014,520 | ---- | M] (Roxio) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/08/11 11:35:18 | 000,012,920 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2006/08/11 11:35:16 | 000,028,184 | ---- | M] (Roxio) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_M.SYS -- (DLARTL_M)
DRV - [2005/08/12 18:50:46 | 000,016,128 | ---- | M] (Dell Inc) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\APPDRV.SYS -- (APPDRV)
DRV - [2005/07/11 19:58:00 | 000,003,712 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Toshidpt.sys -- (toshidpt)
DRV - [2005/01/06 14:42:00 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080419
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.co...html?channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080419
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.co...g}&sourceid=ie7


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080419
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080419
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080419
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080419
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-962395197-4016970835-1205081151-1228\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080419
IE - HKU\S-1-5-21-962395197-4016970835-1205081151-1228\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.co...html?channel=us
IE - HKU\S-1-5-21-962395197-4016970835-1205081151-1228\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co...html?channel=us
IE - HKU\S-1-5-21-962395197-4016970835-1205081151-1228\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co...=us&ibd=3080419
IE - HKU\S-1-5-21-962395197-4016970835-1205081151-1228\..\SearchScopes,DefaultScope = {F80EE0A3-8161-4042-BFF2-4BFD6DCA7A97}
IE - HKU\S-1-5-21-962395197-4016970835-1205081151-1228\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/...Box&FORM=IE8SRC
IE - HKU\S-1-5-21-962395197-4016970835-1205081151-1228\..\SearchScopes\{F80EE0A3-8161-4042-BFF2-4BFD6DCA7A97}: "URL" = http://www.google.co...1I7RNRN_enUS415
IE - HKU\S-1-5-21-962395197-4016970835-1205081151-1228\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.1.13: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.1.13: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=15.0.1.13: c:\program files\real\realplayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.135\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/01/16 16:02:12 | 000,000,000 | ---D | M]


========== Chrome ==========

CHR - homepage: http://www.google.com
CHR - homepage: http://www.google.com
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\20.0.1132.57\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\20.0.1132.57\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\20.0.1132.57\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Browser\nppdf32.dll
CHR - plugin: Java Deployment Toolkit 6.0.290.11 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U29 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: RealNetworks™ Chrome Background Extension Plug-In (32-bit) (Enabled) = C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
CHR - plugin: RealPlayer™ HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
CHR - plugin: RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = c:\program files\real\realplayer\Netscape6\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = c:\program files\real\realplayer\Netscape6\nprpjplug.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.115\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = c:\program files\real\realplayer\Netscape6\nprjplug.dll
CHR - Extension: YouTube = C:\Documents and Settings\gwasson\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Documents and Settings\gwasson\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Documents and Settings\gwasson\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\
CHR - Extension: Gmail = C:\Documents and Settings\gwasson\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Telephony Toolbar Services) - {431A60E6-675F-4b9f-B3F0-66E0FECC8B34} - C:\Program Files\evolve\evolve Assistant Toolbar\bin\BW_Assistant_Enterprise_IE_S.dll (BroadSoft® Australia Pty Ltd)
O2 - BHO: (Telephony Toolbar Call Control) - {8F1FF1A7-C048-4d6b-B052-56E42CE427CB} - C:\Program Files\evolve\evolve Assistant Toolbar\bin\BW_Assistant_Enterprise_IE_CC.dll (BroadSoft® Australia Pty Ltd)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (Telephony Toolbar Call Control) - {6F6690B9-C5DB-4F08-8833-F2EF4DEE956B} - C:\Program Files\evolve\evolve Assistant Toolbar\bin\BW_Assistant_Enterprise_IE_CC.dll (BroadSoft® Australia Pty Ltd)
O3 - HKLM\..\Toolbar: (Telephony Toolbar Services) - {F10D927F-D3DF-4734-98AB-DD258253F5FD} - C:\Program Files\evolve\evolve Assistant Toolbar\bin\BW_Assistant_Enterprise_IE_S.dll (BroadSoft® Australia Pty Ltd)
O3 - HKU\S-1-5-21-962395197-4016970835-1205081151-1228\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Acrobat Speed Launch] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Synchronizer] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc.)
O4 - HKLM..\Run: [ITSecMng] C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe ( TOSHIBA CORPORATION)
O4 - HKLM..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe (Knowles Acoustics)
O4 - HKLM..\Run: [Kernel and Hardware Abstraction Layer] C:\WINDOWS\KHALMNPR.Exe (Logitech Inc.)
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE (Logitech Inc.)
O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RoxioDragToDisc] C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe (Roxio)
O4 - HKLM..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe (Wave Systems Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\program files\real\realplayer\update\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe (Wave Systems Corp.)
O4 - HKU\S-1-5-21-962395197-4016970835-1205081151-1228..\Run: [Push Client] C:\Documents and Settings\gwasson\Local Settings\Application Data\ATT Connect\Participant\pull.exe (AT&T Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk = C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe (TOSHIBA CORPORATION.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SetPoint.lnk = C:\Program Files\SetPoint\SetPoint.exe (Logitech Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-962395197-4016970835-1205081151-1228\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &Dial - C:\Program Files\evolve\evolve Assistant Toolbar\conf\dialIE.htm ()
O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://vpn-cdc.krog...SetupClient.cab (JuniperSetupClientControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.5
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Dayton.Local
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{30B387BC-3A11-4C86-9D30-EF538EC7F02A}: DhcpNameServer = 10.0.0.5
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\gemsafe: DllName - (C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll) - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll (Gemplus)
O24 - Desktop WallPaper: C:\Documents and Settings\gwasson\My Documents\My Pictures\Bonbright B.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\gwasson\My Documents\My Pictures\Bonbright B.bmp
O30 - LSA: Authentication Packages - (wvauth) - C:\WINDOWS\System32\wvauth.dll (Wave Systems Corp.)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/11 18:15:00 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/05/16 11:59:21 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\gwasson\Desktop\OTL.exe
[2013/05/16 11:28:57 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Documents and Settings\gwasson\Desktop\aswMBR.exe
[2013/05/15 11:07:09 | 000,000,000 | ---D | C] -- C:\FRST
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/05/16 11:21:29 | 000,493,724 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2013/05/16 11:21:29 | 000,091,578 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2013/05/16 11:19:08 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\gwasson\Local Settings\Application Data\WavXMapDrive.bat
[2013/05/16 11:18:46 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/05/16 11:18:46 | 000,000,282 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-962395197-4016970835-1205081151-1228.job
[2013/05/16 11:18:45 | 000,000,420 | ---- | M] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_gwasson.job
[2013/05/16 11:18:42 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/05/16 11:16:21 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/05/16 11:16:13 | 2136,961,024 | -HS- | M] () -- C:\hiberfil.sys
[2013/05/16 10:58:18 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\gwasson\Desktop\OTL.exe
[2013/05/16 10:27:44 | 004,745,728 | ---- | M] (AVAST Software) -- C:\Documents and Settings\gwasson\Desktop\aswMBR.exe
[2013/05/13 10:29:30 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/05/09 14:13:00 | 000,000,888 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/05/07 15:54:00 | 000,000,290 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-962395197-4016970835-1205081151-1228.job
[2013/05/07 10:31:02 | 000,000,410 | ---- | M] () -- C:\WINDOWS\tasks\ReclaimerUpdateXML_gwasson.job
[2013/05/07 10:17:11 | 000,002,325 | ---- | M] () -- C:\Documents and Settings\gwasson\Desktop\Space Planning.lnk
[2013/05/07 07:18:33 | 000,002,515 | ---- | M] () -- C:\Documents and Settings\gwasson\Desktop\Microsoft Office Word 2007.lnk
[2013/05/06 15:07:03 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\gwasson\Desktop\Microsoft Office PowerPoint 2007.lnk
[2013/05/06 15:05:50 | 000,070,777 | ---- | M] () -- C:\Documents and Settings\gwasson\Desktop\May Playbook MI OH 6.pdf
[2013/05/01 06:16:02 | 000,000,414 | ---- | M] () -- C:\WINDOWS\tasks\ReclaimerUpdateFiles_gwasson.job
[2013/04/24 11:26:22 | 000,392,192 | ---- | M] () -- C:\WINDOWS\System32\C4dll.dll
[2013/04/24 11:26:22 | 000,210,944 | ---- | M] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2013/04/24 09:58:39 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\gwasson\Desktop\Microsoft Office Excel 2007.lnk
[2013/04/22 14:39:37 | 004,921,366 | ---- | M] () -- C:\Documents and Settings\gwasson\Desktop\Harley.zip
[2013/04/18 09:56:49 | 000,002,977 | ---- | M] () -- C:\Documents and Settings\gwasson\Desktop\myAT&T v9.0.lnk
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/05/16 11:16:13 | 2136,961,024 | -HS- | C] () -- C:\hiberfil.sys
[2013/05/09 15:07:10 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2013/05/06 15:05:50 | 000,070,777 | ---- | C] () -- C:\Documents and Settings\gwasson\Desktop\May Playbook MI OH 6.pdf
[2013/04/24 11:26:22 | 000,392,192 | ---- | C] () -- C:\WINDOWS\System32\C4dll.dll
[2013/04/24 11:26:22 | 000,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2013/04/22 14:39:27 | 004,921,366 | ---- | C] () -- C:\Documents and Settings\gwasson\Desktop\Harley.zip
[2012/02/16 12:07:27 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/12/23 18:48:20 | 000,007,680 | ---- | C] () -- C:\Documents and Settings\gwasson\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/01/08 18:41:15 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\gwasson\Local Settings\Application Data\WavXMapDrive.bat
[2010/01/08 18:40:56 | 000,011,062 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol

========== ZeroAccess Check ==========

[2004/08/11 18:21:56 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 20:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 08:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/13 20:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >


#15
Buddierdl

    Trusted Helper

  • Malware Removal
  • 2,524 posts
It was a problem with the security settings in the server and should be fixed now. While I look over your logs, could you please answer this question regarding the NIC:

So you cannot connect the computer to the internet? Does it give you any error message when you try to enable it?

