[Closed] LSASS.EXE application error

By freshtag
Nov 7, 2012
Topic Status:
Not open for further replies.
  1. I have a desktop running Windows XP Pro W/SP3 that will not boot. It gives an error of LSASS.exe Application Error when it starts up and when you click on OK it just reboots. I am unable to boot into any Safe Mode option. Restart with last known configuration does nothing as well. I am able to boot with a bootable CD to see if it will even load. I have tried to use a Windows XP disc to repair the install but it gives me a BSOD after loading all the files and before it starts up. Looking for any help possible. I know there was a lsass.exe virus at one time and not sure if this is it or not. Thanks in advance.
  2. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Hello, and welcome to TechSpot.

    Please see here for the board rules and other FAQ.

    Please feel free to introduce yourself, after you follow the steps below to get started.

    Information
    • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by a malware removal helper.
    • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
    • If you have already asked for help somewhere, please post the link to the topic you were helped.
    • We try our best to reply quickly, but for any reason we do not reply in two days, please reply to this topic with the word BUMP!
    • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

    OTLPE + Farbar Recovery Scan Tool

    • Download OTLPENet.exe to your desktop
    • Download Farbar Recovery Scan Tool and save it to a flash drive.
    • Ensure that you have a blank CD in the drive
    • Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
    • Reboot your system using the boot CD you just created.
    Note : If you do not know how to set your computer to boot from CD follow the steps here
    • As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
    • Your system should now display a Reatogo desktop.
    Note : as you are running from CD it is not exactly speedy
    • Insert the flash drive with FRST on it
    • Locate the flash drive and run FRST
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button. It will do its scan and save a log on your flash drive.
    • Type exit in the Command Prompt window and reboot the computer normally
    • FRST will make a log (FRST.txt) on the flash drive, please post log in your next reply.
  3. freshtag

    freshtag Newcomer, in training Topic Starter Posts: 36

    Here is the FRST log:
    ---------------------------------------------------------------------------------------------------------------------

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-11-2012
    Ran by SYSTEM at 08-11-2012 07:54:22
    Running from E:\
    Microsoft Windows XP (X86) OS Language: English(US)
    The current controlset is ControlSet003
    ==================== Registry (Whitelisted) ===================
    HKLM\...\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray [888832 2008-07-17] (Analog Devices, Inc.)
    HKLM\...\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe [487424 2008-03-04] (Lenovo Group Limited)
    HKLM\...\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe [1040384 2009-04-22] (Analog Devices, Inc.)
    HKLM\...\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor [393216 2010-07-13] (Lenovo Group Limited)
    HKLM\...\Run: [PWRAGD] C:\PROGRA~1\ThinkPad\UTILIT~1\DPMHost.exe [72256 2010-07-19] ()
    HKLM\...\Run: [PostCopy] C:\WINDOWS\system32\BELKIN\F5D5050\PostCopy.exe [20480 2001-07-25] ()
    HKLM\...\Run: [Mouse Suite 98 Daemon] ICO.EXE [x]
    HKLM\...\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon [x]
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" [x]
    HKLM\...\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s [85160 2009-06-17] (Elaborate Bytes AG)
    HKLM\...\Run: [VMM Mode Selection] C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe [43520 2011-02-14] ()
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKLM\...\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey [333376 2011-11-15] (McAfee, Inc.)
    HKLM\...\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE [215360 2011-09-14] (McAfee, Inc.)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
    HKU\Administrator\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\Administrator.039-PC1160\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\awat6898\...\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N [x]
    HKU\ctdrk039\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\ctdrk039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\ctmaj039\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\ctmaj039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\Default User\...\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N [x]
    HKU\iscrs039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\iscrs039\...\Run: [TouchFreeze] C:\Program Files\TouchFreeze\TouchFreeze.exe [45056 2005-04-29] ()
    HKU\ismjj039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\jcoll4511\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\jcoll4511\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\LocalService\...\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" [4167376 2005-05-12] (Microsoft Corporation)
    HKU\LocalService\...\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N [x]
    HKU\NetworkService\...\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" [4167376 2005-05-12] (Microsoft Corporation)
    HKU\NetworkService\...\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N [x]
    HKU\rhud2803\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\rhud2803\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\rhud2803\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-09-14] (Google Inc.)
    HKU\trjlk039\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\trjlk039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\trjmg039\...\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N [x]
    HKU\trjrh039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\trjrh039\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\whbab039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\whdjg039\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\whdjg039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\whjxp039\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\whjxp039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\whjxp039\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-09-14] (Google Inc.)
    HKU\whlat039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\whlat039\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\whlmd039\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\whtss039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\whtss039\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
    Tcpip\Parameters: [DhcpNameServer] 10.39.64.201 10.201.19.179
    ==================== Services (Whitelisted) ===================
    2 CcmExec; C:\WINDOWS\system32\CCM\CcmExec.exe [764768 2009-09-18] (Microsoft Corporation)
    2 DWMRCS; C:\Windows\System32\DWRCS.EXE -service [241688 2010-04-07] (DameWare Development LLC)
    2 Eventlog; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)
    2 McAfee SiteAdvisor Enterprise Service; "C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe" [222528 2009-12-14] (McAfee, Inc.)
    2 McAfeeFramework; "C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart [132672 2011-11-15] (McAfee, Inc.)
    2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [166024 2012-07-17] (McAfee, Inc.)
    2 McTaskManager; "C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe" [209760 2011-09-14] (McAfee, Inc.)
    2 mfevtp; "C:\WINDOWS\system32\mfevtps.exe" [148520 2012-07-17] (McAfee, Inc.)
    2 NovacomD; C:\Program Files\Palm, Inc\novacom\x86\novacomd.exe [33792 2010-01-12] (Palm)
    2 Power Manager DBC Service; C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE [68160 2010-07-19] ()
    3 smstsmgr; C:\WINDOWS\system32\CCM\TSManager.exe /service [246624 2009-09-18] (Microsoft Corporation)
    3 SSI Client Installer; C:\WINDOWS\system32\SCInstallerNT.exe [512000 2012-05-08] (Scalable Software, Inc.)
    2 SUService; "C:\Program Files\Lenovo\System Update\SUService.exe" [28672 2009-06-12] (Lenovo Group Limited)
    2 TVT Scheduler; "C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe" [1122304 2008-03-04] (Lenovo Group Limited)
    2 UNS; C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2054680 2008-07-21] (Intel Corporation)
    2 Wdworkstation; C:\WINDOWS\system32\wdnpsvc.exe [58672 2005-02-15] (NetManage Incorporated)
    3 FontCache3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [x]
    2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]
    4 NetTcpPortSharing; "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" [x]
    2 SSI Survey Client; c:\Program Files\Scalable Software\Survey\SSI Survey Client\SurveyClientNT.EXE [x]
    ==================== Drivers (Whitelisted) ====================
    3 COAX; C:\Windows\System32\Drivers\COAX.sys [18424 2005-02-15] (NetManage Incorporated)
    3 DwMirror; C:\Windows\System32\DRIVERS\DamewareMini.sys [3712 2007-02-07] (DameWare Development, LLC)
    1 dwvkbd; C:\Windows\System32\DRIVERS\dwvkbd.sys [26624 2007-02-15] (DameWare)
    3 e1kexpress; C:\Windows\System32\DRIVERS\e1k5132.sys [149600 2008-10-24] (Intel Corporation)
    3 EL90X; C:\Windows\System32\DRIVERS\el90xnd5.sys [153631 2001-08-17] (3Com Corporation)
    1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [26024 2009-12-17] (Elaborate Bytes AG)
    3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows (R) Server 2003 DDK provider)
    0 iastor86; C:\Windows\System32\Drivers\iastor86.sys [327192 2009-04-20] (Intel Corporation)
    3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [119968 2012-07-17] (McAfee, Inc.)
    3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [180072 2012-07-17] (McAfee, Inc.)
    3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [59288 2012-07-17] (McAfee, Inc.)
    0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [461864 2012-07-17] (McAfee, Inc.)
    3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [87808 2012-07-17] (McAfee, Inc.)
    1 mfetdi2k; C:\Windows\System32\drivers\mfetdi2k.sys [89624 2012-07-17] (McAfee, Inc.)
    3 MRXWDRDR; C:\Windows\System32\drivers\mrxwdnp.sys [267056 2005-02-15] (NetManage Incorporated)
    3 NAL; \??\C:\WINDOWS\system32\Drivers\iqvw32.sys [30816 2008-10-07] (Intel Corporation )
    3 pelmouse; C:\Windows\System32\DRIVERS\pelmouse.sys [16768 2006-09-14] (Primax Electronics Ltd.)
    3 pelusblf; C:\Windows\System32\DRIVERS\pelusblf.sys [14592 2006-10-14] (Primax Electronics Ltd.)
    3 prepdrvr; \??\C:\WINDOWS\system32\CCM\prepdrv.sys [20848 2009-09-18] (Microsoft Corporation)
    3 RMBS; C:\Windows\System32\Drivers\RMBS.sys [17828 2005-02-15] (NetManage Incorporated)
    3 SenFiltService; C:\Windows\System32\drivers\Senfilt.sys [8704 2009-04-22] (Analog Devices, Inc.)
    3 silabenm; C:\Windows\System32\DRIVERS\silabenm.sys [47176 2012-01-13] (Silicon Laboratories)
    3 silabser; C:\Windows\System32\DRIVERS\silabser.sys [58112 2012-01-13] (Silicon Laboratories)
    3 smsmdd; C:\Windows\System32\DRIVERS\smsmdm.sys [12448 2008-10-20] (Microsoft Corporation)
    3 TPM; C:\Windows\System32\DRIVERS\tpm.sys [18048 2008-02-10] (Winbond Electronics Corp.)
    3 TWXWD; C:\Windows\System32\Drivers\TWXWD.sys [26964 2005-02-15] (NetManage Incorporated)
    2 WDHLLKNL; C:\Windows\System32\Drivers\WDHLLKNL.sys [4784 2005-02-15] (NetManage Incorporated)
    4 Abiosdsk; [x]
    4 abp480n5; [x]
    4 adpu160m; [x]
    4 Aha154x; [x]
    4 aic78u2; [x]
    4 aic78xx; [x]
    4 AliIde; [x]
    4 amsint; [x]
    4 asc; [x]
    4 asc3350p; [x]
    4 asc3550; [x]
    4 Atdisk; [x]
    4 cd20xrnt; [x]
    1 Changer; [x]
    4 CmdIde; [x]
    4 Cpqarray; [x]
    4 dac2w2k; [x]
    4 dac960nt; [x]
    4 dpti2o; [x]
    4 hpn; [x]
    1 i2omgmt; [x]
    4 i2omp; [x]
    4 ini910u; [x]
    4 IntelIde; [x]
    1 lbrtfdc; [x]
    3 mfeavfk01; [x]
    1 mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys [x]
    4 mraid35x; [x]
    1 PCIDump; [x]
    3 PDCOMP; [x]
    3 PDFRAME; [x]
    3 PDRELI; [x]
    3 PDRFRAME; [x]
    4 perc2; [x]
    4 perc2hib; [x]
    4 ql1080; [x]
    4 Ql10wnt; [x]
    4 ql12160; [x]
    4 ql1240; [x]
    4 ql1280; [x]
    1 RCHelp; [x]
    4 Simbad; [x]
    4 Sparrow; [x]
    4 symc810; [x]
    4 symc8xx; [x]
    4 sym_hi; [x]
    4 sym_u3; [x]
    4 TosIde; [x]
    4 ultra; [x]
    3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [x]
    4 ViaIde; [x]
    3 WDICA; [x]
    ==================== NetSvcs (Whitelisted) ===================

    ==================== One Month Created Files and Folders ========
    2012-11-06 11:37 - 2012-11-06 11:37 - 00104742 ____A C:\OTL.Txt
    2012-11-06 04:02 - 2012-11-06 04:02 - 00001661 ____N C:\rescue-system_scan.log
    2012-11-02 11:03 - 2012-11-02 11:03 - 00007896 ____A C:\Windows\KB2724197.log
    2012-11-02 11:03 - 2012-11-02 11:03 - 00000000 __HDC C:\Windows\$NtUninstallKB2724197$
    2012-10-26 05:48 - 2012-10-26 05:48 - 00002272 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2012-10-25 17:16 - 2012-10-25 17:16 - 00000000 ____D C:\Program Files\CleanUp!
    2012-10-25 05:59 - 2012-10-25 05:59 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
    2012-10-18 07:39 - 2012-10-18 07:39 - 00023552 ____A C:\Documents and Settings\rhud2803\My Documents\10-17-12 po close log.xls

    ==================== One Month Modified Files and Folders ========
    2012-11-08 07:53 - 2012-11-08 07:53 - 00000000 ____D C:\FRST
    2012-11-06 11:37 - 2012-11-06 11:37 - 00104742 ____A C:\OTL.Txt
    2012-11-06 04:02 - 2012-11-06 04:02 - 00001661 ____N C:\rescue-system_scan.log
    2012-11-05 06:49 - 2011-08-10 05:22 - 00000428 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{FCAF0E76-02E6-4990-8072-D7632F31EE30}.job
    2012-11-05 06:48 - 2012-05-07 23:17 - 00054156 ___AH C:\Windows\QTFont.qfn
    2012-11-05 06:48 - 2012-04-27 09:46 - 00000062 __ASH C:\Documents and Settings\rhud2803\Local Settings\desktop.ini
    2012-11-05 06:48 - 2012-03-21 08:16 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cd0764c7317587.job
    2012-11-05 06:48 - 2010-09-28 15:47 - 00034551 ____A C:\Documents and Settings\All Users\Application Data\SCD.LOG
    2012-11-05 06:48 - 2010-09-28 15:47 - 00001848 ____A C:\Documents and Settings\All Users\Application Data\SSIHistory.dat
    2012-11-05 06:48 - 2009-04-21 09:35 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
    2012-11-05 06:48 - 2009-04-21 09:35 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
    2012-11-05 06:48 - 2009-04-21 09:35 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-11-05 06:48 - 2009-04-21 09:32 - 01544067 ____A C:\Windows\WindowsUpdate.log
    2012-11-05 06:48 - 2009-04-21 09:30 - 00000816 ____A C:\Windows\System32\config\netlogon.ftl
    2012-11-05 06:48 - 2009-04-21 04:24 - 00000159 ____A C:\Windows\wiadebug.log
    2012-11-05 06:48 - 2009-04-21 04:24 - 00000049 ____A C:\Windows\wiaservc.log
    2012-11-05 06:48 - 2004-08-04 06:00 - 00002206 ____A C:\Windows\System32\wpa.dbl
    2012-11-05 03:36 - 2009-04-21 04:18 - 00000245 _RASH C:\boot.ini
    2012-11-02 13:34 - 2009-04-21 09:35 - 00031916 ____A C:\Windows\SchedLgU.Txt
    2012-11-02 13:33 - 2012-04-27 09:46 - 00000278 ___SH C:\Documents and Settings\rhud2803\ntuser.ini
    2012-11-02 13:32 - 2012-03-21 08:16 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cd0764c73d6112.job
    2012-11-02 13:27 - 2012-04-18 02:07 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-11-02 13:10 - 2012-04-30 11:24 - 00000000 ____D C:\Documents and Settings\rhud2803\Local Settings\Application Data\Deployment
    2012-11-02 12:29 - 2012-04-27 09:45 - 00002521 ____A C:\Documents and Settings\rhud2803\Desktop\Microsoft Office Outlook 2003.lnk
    2012-11-02 12:29 - 2009-04-21 04:22 - 00617894 ___AC C:\Windows\System32\PerfStringBackup.INI
    2012-11-02 12:26 - 2012-04-12 15:16 - 00000000 ____D C:\Windows\ccmhealth
    2012-11-02 12:26 - 2010-07-15 10:33 - 00000463 ___AC C:\Windows\smscfg.ini
    2012-11-02 11:04 - 2011-02-09 21:42 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2012-11-02 11:03 - 2012-11-02 11:03 - 00007896 ____A C:\Windows\KB2724197.log
    2012-11-02 11:03 - 2012-11-02 11:03 - 00000000 __HDC C:\Windows\$NtUninstallKB2724197$
    2012-11-02 11:03 - 2009-04-21 11:21 - 00000000 ___HD C:\Windows\$hf_mig$
    2012-11-02 11:03 - 2009-04-21 04:23 - 01627306 ___AC C:\Windows\iis6.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 01471375 ___AC C:\Windows\FaxSetup.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00721113 ___AC C:\Windows\ocgen.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00693077 ___AC C:\Windows\tsoc.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00501995 ___AC C:\Windows\comsetup.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00454422 ___AC C:\Windows\msmqinst.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00302791 ___AC C:\Windows\ntdtcsetup.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00258887 ___AC C:\Windows\netfxocm.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00102081 ___AC C:\Windows\MedCtrOC.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00081724 ___AC C:\Windows\ocmsn.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00074648 ___AC C:\Windows\tabletoc.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00073965 ___AC C:\Windows\msgsocm.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00001374 ____A C:\Windows\imsins.log
    2012-11-02 07:45 - 2012-04-27 09:45 - 00000000 ____D C:\Documents and Settings\rhud2803\My Documents\PO Close log
    2012-11-02 05:52 - 2012-04-27 09:46 - 00009422 _RASH C:\Documents and Settings\rhud2803\ntuser.pol
    2012-11-02 05:49 - 2009-04-21 04:16 - 00000000 ____D C:\Windows\security
    2012-11-01 06:00 - 2011-04-05 23:46 - 00000000 __SHD C:\Windows\CSC
    2012-10-31 05:52 - 2010-10-08 16:22 - 00000278 __ASH C:\Documents and Settings\whjxp039\ntuser.ini
    2012-10-30 20:59 - 2010-10-08 16:22 - 00000062 _ASHC C:\Documents and Settings\whjxp039\Local Settings\desktop.ini
    2012-10-26 05:48 - 2012-10-26 05:48 - 00002272 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2012-10-25 17:22 - 2010-09-28 15:11 - 00000000 ___HD C:\Windows\System32\dwrcssft
    2012-10-25 17:16 - 2012-10-25 17:16 - 00000000 ____D C:\Program Files\CleanUp!
    2012-10-25 06:00 - 2009-04-21 09:31 - 00023352 ___AC C:\Windows\wmsetup.log
    2012-10-25 05:59 - 2012-10-25 05:59 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
    2012-10-25 05:59 - 2009-04-21 04:22 - 00342781 ____A C:\Windows\setupapi.log
    2012-10-25 05:59 - 2009-04-21 04:22 - 00003261 ____A C:\Windows\setupact.log
    2012-10-24 05:54 - 2012-04-18 02:07 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-10-24 05:54 - 2012-02-25 05:37 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl
    2012-10-18 07:39 - 2012-10-18 07:39 - 00023552 ____A C:\Documents and Settings\rhud2803\My Documents\10-17-12 po close log.xls
    2012-10-16 15:07 - 2010-10-08 16:22 - 00009422 _RASH C:\Documents and Settings\whjxp039\ntuser.pol
    2012-10-12 06:11 - 2009-07-23 09:02 - 00000000 ____D C:\QUARANTINE
    ==================== Known DLLs (Whitelisted) =================

    ==================== Bamital & volsnap Check =================
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ==================== Restore Points (XP) =====================
    RP: -> 2012-11-02 11:02 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP531
    RP: -> 2012-11-02 06:54 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP530
    RP: -> 2012-11-01 06:49 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP529
    RP: -> 2012-10-30 16:12 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP528
    RP: -> 2012-10-29 15:17 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP527
    RP: -> 2012-10-25 19:13 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP526
    RP: -> 2012-10-24 18:44 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP525
    RP: -> 2012-10-23 18:42 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP524
    RP: -> 2012-10-22 18:19 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP523
    RP: -> 2012-10-21 18:13 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP522
    RP: -> 2012-10-19 12:08 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP521
    RP: -> 2012-10-18 12:03 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP520
    RP: -> 2012-10-17 10:49 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP519
    RP: -> 2012-10-16 07:59 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP518
    RP: -> 2012-10-15 06:23 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP517
    RP: -> 2012-10-10 20:35 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP516
    RP: -> 2012-10-09 19:52 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP515
    RP: -> 2012-10-07 19:38 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP513
    RP: -> 2012-10-05 11:01 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP512
    RP: -> 2012-10-04 23:14 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP511
    RP: -> 2012-10-03 14:53 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP509
    RP: -> 2012-10-02 14:09 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP508
    RP: -> 2012-10-01 12:35 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP507
    RP: -> 2012-09-30 09:12 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP506
    RP: -> 2012-09-29 08:57 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP505
    RP: -> 2012-09-27 18:55 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP503
    RP: -> 2012-09-26 17:16 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP501
    RP: -> 2012-09-24 18:22 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP499
    RP: -> 2012-09-23 16:41 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP498
    RP: -> 2012-09-21 11:02 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP497
    RP: -> 2012-09-20 22:52 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP496
    RP: -> 2012-09-19 22:48 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP495
    RP: -> 2012-09-18 21:43 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP494
    RP: -> 2012-09-17 20:40 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP493
    RP: -> 2012-09-16 20:33 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP492
    RP: -> 2012-09-15 19:22 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP491
    RP: -> 2012-09-14 19:10 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP490
    RP: -> 2012-09-13 18:36 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP489
    RP: -> 2012-09-12 17:23 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP488
    RP: -> 2012-09-11 16:29 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP487
    RP: -> 2012-09-10 15:57 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP486
    RP: -> 2012-09-09 15:15 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP485
    RP: -> 2012-09-06 16:53 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP484
    RP: -> 2012-09-05 15:45 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP483
    RP: -> 2012-09-04 15:05 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP482
    RP: -> 2012-09-03 13:22 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP481
    RP: -> 2012-09-02 12:22 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP480
    RP: -> 2012-09-01 11:22 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP479
    RP: -> 2012-08-31 10:52 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP478
    RP: -> 2012-08-30 06:15 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP477
    RP: -> 2012-08-28 17:36 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP476
    RP: -> 2012-08-27 17:00 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP475
    RP: -> 2012-08-26 16:26 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP474
    RP: -> 2012-08-23 21:48 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP473
    RP: -> 2012-08-22 21:13 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP472
    RP: -> 2012-08-21 21:09 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP471
    RP: -> 2012-08-20 20:58 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP470
    RP: -> 2012-08-19 20:26 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP469
    RP: -> 2012-08-18 18:25 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP468
    RP: -> 2012-08-17 17:25 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP467
    RP: -> 2012-08-16 17:12 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP466
    RP: -> 2012-08-15 16:19 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP465
    RP: -> 2012-08-14 15:53 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP464
    RP: -> 2012-08-13 15:18 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP463
    RP: -> 2012-08-12 15:18 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP462
    RP: -> 2012-08-09 16:27 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP461
    RP: -> 2012-08-08 16:13 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP460
    RP: -> 2012-08-07 15:25 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP459
    RP: -> 2012-08-06 15:02 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP458
    RP: -> 2012-08-05 14:56 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP457

    ==================== Memory info ===========================
    Percentage of memory in use: 14%
    Total physical RAM: 1884.1 MB
    Available physical RAM: 1616.15 MB
    Total Pagefile: 1715.73 MB
    Available Pagefile: 1654.84 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 2002.18 MB
    ==================== Partitions =============================
    1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
    2 Drive c: () (Fixed) (Total:232.88 GB) (Free:200.25 GB) NTFS ==>[Drive with boot components (Windows XP)]
    3 Drive d: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
    4 Drive e: () (Removable) (Total:1.91 GB) (Free:1.9 GB) FAT
    5 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 233 GB 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 233 GB 1024 KB
    =========================================================
    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 233 GB Healthy
    =========================================================
    ==================== End Of Log ============================
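Added example (not part of this thread, and not FRST's own code or the helper's procedure): a small Python parser for the two FRST line formats posted above, the HKLM/HKU Run and RunOnce entries and the numbered service lines. It separates entries whose file FRST could not find (the "[x]" marker, as the log above shows it) from entries whose version resource carries no company name (the empty "()"), which is the first pass a helper makes over a log like this. The sample lines are constructed in the same format as the posted log; the function names and the status labels are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample in the FRST line format shown in the log above (a mix of
# entries that are fine, entries with an empty company field, and entries
# FRST marked "[x]", i.e. the referenced file was not found on disk).
SAMPLE_LOG = r"""
==================== Registry (Whitelisted) ===================
HKLM\...\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray [888832 2008-07-17] (Analog Devices, Inc.)
HKLM\...\Run: [PWRAGD] C:\PROGRA~1\ThinkPad\UTILIT~1\DPMHost.exe [72256 2010-07-19] ()
HKLM\...\Run: [Mouse Suite 98 Daemon] ICO.EXE [x]
HKU\rhud2803\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
HKU\LocalService\...\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N [x]
==================== Services (Whitelisted) ===================
2 Eventlog; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)
2 Power Manager DBC Service; C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE [68160 2010-07-19] ()
3 FontCache3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [x]
"""

# Tail shared by both line formats: "[size yyyy-mm-dd] (Company)" or "[x]".
_TAIL = (r"(?:\[(?P<size>\d+) (?P<date>\d{4}-\d{2}-\d{2})\] \((?P<company>[^)]*)\)"
         r"|(?P<missing>\[x\]))$")

# HKLM\...\Run: [Name] command [tail]   or   HKU\<user>\...\RunOnce: [Name] command [tail]
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKU\\[^\\]+)\\\.\.\.\\(?P<key>Run|RunOnce): "
                    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)\s?" + _TAIL)

# <start type> <Name>; command [tail]   (services and drivers share this shape)
SVC_RE = re.compile(r"^(?P<start>\d) (?P<name>[^;]+); (?P<cmd>.*?)\s?" + _TAIL)


def classify(m: "re.Match[str]") -> str:
    """Status label for one matched line (labels are this example's own)."""
    if m.group("missing"):
        return "missing-file"   # registry entry present, but no file behind it
    if not m.group("company"):
        return "no-publisher"   # empty (): no company name in the version resource
    return "ok"


def parse_frst_autostarts(text: str) -> List[Dict[str, str]]:
    """Parse Run/RunOnce and service/driver lines; every other line is skipped."""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            entries.append({"kind": "run", "scope": m.group("hive"),
                            "name": m.group("name"), "cmd": m.group("cmd"),
                            "company": m.group("company") or "",
                            "status": classify(m)})
            continue
        m = SVC_RE.match(line)
        if m:
            entries.append({"kind": "service", "scope": "start=" + m.group("start"),
                            "name": m.group("name"), "cmd": m.group("cmd"),
                            "company": m.group("company") or "",
                            "status": classify(m)})
    return entries


def triage(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group entry names by status so the ones worth a second look come first."""
    groups: Dict[str, List[str]] = {"missing-file": [], "no-publisher": [], "ok": []}
    for e in entries:
        groups[e["status"]].append(e["name"])
    return groups


if __name__ == "__main__":
    for status, names in triage(parse_frst_autostarts(SAMPLE_LOG)).items():
        print(f"{status:13s} {', '.join(names)}")
```

To use it on a real log, pass the text of FRST.txt to parse_frst_autostarts instead of SAMPLE_LOG. The grouping is a reading aid, not a verdict: a "[x]" entry is as often a stale or unexpanded reference left behind by an uninstalled program as anything else, and an empty company field only means the binary carries no version information, so each flagged name still needs to be checked against what is actually installed.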
  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Good. :)

    Open OTL in OTLPE, please. Press Quick Scan, save the log, and post in your next reply. :)
  5. freshtag

    freshtag Newcomer, in training Topic Starter Posts: 36

    Here is the OTL log file:
    -----------------------------------------------------------------------------------------------------------------------------------------------------------------

    OTL logfile created on: 11/8/2012 11:23:17 AM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 82.00% Memory free
    2.00 Gb Paging File | 2.00 Gb Available in Paging File | 95.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 232.88 Gb Total Space | 200.25 Gb Free Space | 85.99% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet003

    ========== Win32 Services (SafeList) ==========

    SRV - [2012/10/24 05:54:35 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
    SRV - [2012/07/17 11:02:11 | 000,148,520 | ---- | M] (McAfee, Inc.) [Auto] -- C:\WINDOWS\System32\mfevtps.exe -- (mfevtp)
    SRV - [2012/07/17 11:02:10 | 000,166,024 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe -- (McShield)
    SRV - [2012/05/08 13:03:31 | 000,090,112 | ---- | M] (Scalable Software, Inc.) [Auto] -- C:\Program Files\Scalable Software\Survey\SSI Survey Client\surveyclientnt.exe -- (SSI Survey Client)
    SRV - [2012/05/08 12:59:09 | 000,512,000 | ---- | M] (Scalable Software, Inc.) [On_Demand] -- C:\WINDOWS\system32\SCInstallerNT.exe -- (SSI Client Installer)
    SRV - [2011/11/15 16:06:00 | 000,132,672 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
    SRV - [2011/09/14 20:08:00 | 000,209,760 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
    SRV - [2010/07/19 13:27:36 | 000,068,160 | ---- | M] () [Auto] -- C:\Program Files\ThinkPad\Utilities\PWMDBSVC.exe -- (Power Manager DBC Service)
    SRV - [2010/04/07 11:12:04 | 000,241,688 | ---- | M] (DameWare Development LLC) [Auto] -- C:\WINDOWS\System32\DWRCS.EXE -- (DWMRCS)
    SRV - [2010/01/12 10:07:44 | 000,033,792 | ---- | M] (Palm) [Auto] -- C:\Program Files\Palm, Inc\novacom\x86\novacomd.exe -- (NovacomD)
    SRV - [2009/12/14 17:28:42 | 000,222,528 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe -- (McAfee SiteAdvisor Enterprise Service)
    SRV - [2009/09/18 04:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) [Auto] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
    SRV - [2009/09/18 04:00:00 | 000,246,624 | ---- | M] (Microsoft Corporation) [On_Demand] -- C:\WINDOWS\System32\CCM\TSManager.exe -- (smstsmgr)
    SRV - [2009/06/12 10:55:48 | 000,028,672 | ---- | M] (Lenovo Group Limited) [Auto] -- C:\Program Files\Lenovo\System Update\SUService.exe -- (SUService)
    SRV - [2008/07/21 15:46:28 | 002,054,680 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe -- (UNS) Intel(R)
    SRV - [2008/07/21 15:46:16 | 000,174,616 | ---- | M] (Intel Corporation) [Auto] -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS) Intel(R)
    SRV - [2007/09/26 17:34:46 | 000,644,408 | ---- | M] (Lenovo Group Limited) [Auto] -- C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe -- (ThinkVantage Registry Monitor Service)
    SRV - [2005/02/15 17:24:42 | 000,058,672 | ---- | M] (NetManage Incorporated) [Auto] -- C:\WINDOWS\system32\wdnpsvc.exe -- (Wdworkstation)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (USBAAPL)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | System] -- -- (mferkdk)
    DRV - File not found [Kernel | On_Demand] -- -- (mfeavfk01)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - [2012/07/17 11:02:11 | 000,461,864 | ---- | M] (McAfee, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
    DRV - [2012/07/17 11:02:11 | 000,089,624 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
    DRV - [2012/07/17 11:02:11 | 000,087,808 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
    DRV - [2012/07/17 11:02:10 | 000,180,072 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
    DRV - [2012/07/17 11:02:10 | 000,119,968 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
    DRV - [2012/07/17 11:02:10 | 000,059,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
    DRV - [2012/01/13 09:45:36 | 000,047,176 | R--- | M] (Silicon Laboratories) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\silabenm.sys -- (silabenm)
    DRV - [2012/01/13 09:45:35 | 000,058,112 | R--- | M] (Silicon Laboratories) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\silabser.sys -- (silabser)
    DRV - [2011/02/21 17:37:45 | 000,229,208 | ---- | M] (Microsoft Corporation) [Kernel | System] -- C:\WINDOWS\system32\drivers\VMM.sys -- (vmm)
    DRV - [2009/09/18 04:00:00 | 000,020,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
    DRV - [2009/04/22 17:04:18 | 000,008,704 | ---- | M] (Analog Devices, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (SenFiltService)
    DRV - [2009/04/20 16:36:18 | 000,327,192 | ---- | M] (Intel Corporation) [Kernel | Boot] -- C:\WINDOWS\System32\drivers\iastor86.sys -- (iastor86)
    DRV - [2008/10/24 10:32:24 | 000,149,600 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\e1k5132.sys -- (e1kexpress) Intel(R)
    DRV - [2008/10/20 20:08:06 | 000,012,448 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\smsmdm.sys -- (smsmdd)
    DRV - [2008/10/07 23:23:04 | 000,030,816 | ---- | M] (Intel Corporation ) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\iqvw32.sys -- (NAL)
    DRV - [2008/03/28 12:42:12 | 000,040,832 | ---- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI) Intel(R)
    DRV - [2008/02/10 17:49:10 | 000,018,048 | ---- | M] (Winbond Electronics Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\tpm.sys -- (TPM)
    DRV - [2007/02/19 00:56:46 | 000,021,376 | ---- | M] (Lenovo (United States) Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\psadd.sys -- (psadd)
    DRV - [2007/02/15 06:00:00 | 000,026,624 | ---- | M] (DameWare) [Kernel | System] -- C:\WINDOWS\system32\drivers\dwvkbd.sys -- (dwvkbd)
    DRV - [2007/02/07 06:00:00 | 000,003,712 | ---- | M] (DameWare Development, LLC) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\DamewareMini.sys -- (DwMirror)
    DRV - [2007/01/29 07:20:34 | 000,059,280 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\VMNetSrv.sys -- (VPCNetS2)
    DRV - [2006/11/02 07:00:08 | 000,039,368 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\winusb.sys -- (WinUSB)
    DRV - [2006/10/14 09:56:46 | 000,014,592 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\PELUSBLF.SYS -- (pelusblf)
    DRV - [2006/09/14 10:48:58 | 000,016,768 | ---- | M] (Primax Electronics Ltd.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\PELMOUSE.SYS -- (pelmouse)
    DRV - [2005/02/15 17:49:18 | 000,004,784 | ---- | M] (NetManage Incorporated) [Kernel | Auto] -- C:\WINDOWS\System32\drivers\WDHLLKNL.SYS -- (WDHLLKNL)
    DRV - [2005/02/15 17:38:28 | 000,026,964 | ---- | M] (NetManage Incorporated) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\TwxWD.sys -- (TWXWD)
    DRV - [2005/02/15 17:24:40 | 000,267,056 | ---- | M] (NetManage Incorporated) [File_System | On_Demand] -- C:\WINDOWS\System32\drivers\mrxwdnp.sys -- (MRXWDRDR)
    DRV - [2005/02/15 16:57:50 | 000,018,424 | ---- | M] (NetManage Incorporated) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\coax.sys -- (COAX)
    DRV - [2005/02/15 16:54:06 | 000,017,828 | ---- | M] (NetManage Incorporated) [Kernel | On_Demand] -- C:\WINDOWS\System32\drivers\rmbs.sys -- (RMBS)
    DRV - [2001/08/17 12:11:02 | 000,153,631 | ---- | M] (3Com Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\el90xnd5.sys -- (EL90X)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========



    IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Administrator.039-PC1160_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\Administrator.039-PC1160_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Administrator_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\Administrator_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = cx039a.na.sysco.net:80

    IE - HKU\awat6898_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

    IE - HKU\ctdrk039_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.sysco.com
    IE - HKU\ctdrk039_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.sysco.com
    IE - HKU\ctdrk039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\ctdrk039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.sysco.net;dw.sysco.com;go.sysco.com;vpn.sysco.com;etools.sysco.com;ecmcs.*;ecm.*;myoffice.*;mysysco.*;ms247*;update.nai.com;vpncc.sysco.com;gotest.sysco.com;marketmover.sysco.com;<local>
    IE - HKU\ctdrk039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=cx039a.na.sysco.net:80;https=cx039a.na.sysco.net:80;ftp=cx039a.na.sysco.net:80

    IE - HKU\ctmaj039_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.sysco.com
    IE - HKU\ctmaj039_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.sysco.com
    IE - HKU\ctmaj039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\ctmaj039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.sysco.net;dw.sysco.com;go.sysco.com;vpn.sysco.com;etools.sysco.com;ecmcs.*;ecm.*;myoffice.*;mysysco.*;ms247*;update.nai.com;vpncc.sysco.com;gotest.sysco.com;marketmover.sysco.com;<local>
    IE - HKU\ctmaj039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=cx039a.na.sysco.net:80;https=cx039a.na.sysco.net:80;ftp=cx039a.na.sysco.net:80

    IE - HKU\icymm039_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.sysco.com
    IE - HKU\icymm039_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.sysco.com
    IE - HKU\icymm039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\icymm039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.sysco.net;dw.sysco.com;go.sysco.com;vpn.sysco.com;etools.sysco.com;ecmcs.*;ecm.*;myoffice.*;mysysco.*;ms247*;update.nai.com;vpncc.sysco.com;gotest.sysco.com;marketmover.sysco.com;<local>
    IE - HKU\icymm039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=cx039a.na.sysco.net:80;https=cx039a.na.sysco.net:80;ftp=cx039a.na.sysco.net:80

    IE - HKU\iscrs039_ON_C\Software\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://encrypted.google.com/ [binary data]
    IE - HKU\iscrs039_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\iscrs039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\iscrs039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.sysco.net;dw.sysco.com;go.sysco.com;vpn.sysco.com;etools.sysco.com;ecmcs.*;ecm.*;myoffice.*;mysysco.*;ms247*;update.nai.com;vpncc.sysco.com;gotest.sysco.com;marketmover.sysco.com;<local>
    IE - HKU\iscrs039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=cx039a.na.sysco.net:80;https=cx039a.na.sysco.net:80;ftp=cx039a.na.sysco.net:80

    IE - HKU\ismjj039_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\ismjj039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\ismjj039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.sysco.net;dw.sysco.com;go.sysco.com;vpn.sysco.com;etools.sysco.com;ecmcs.*;ecm.*;myoffice.*;mysysco.*;ms247*;update.nai.com;vpncc.sysco.com;gotest.sysco.com;marketmover.sysco.com;<local>
    IE - HKU\ismjj039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=cx039a.na.sysco.net:80;https=cx039a.na.sysco.net:80;ftp=cx039a.na.sysco.net:80

    IE - HKU\jcoll4511_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.sysco.com
    IE - HKU\jcoll4511_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.sysco.com
    IE - HKU\jcoll4511_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\jcoll4511_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.sysco.net;dw.sysco.com;go.sysco.com;vpn.sysco.com;etools.sysco.com;ecmcs.*;ecm.*;myoffice.*;mysysco.*;ms247*;update.nai.com;vpncc.sysco.com;gotest.sysco.com;marketmover.sysco.com;<local>
    IE - HKU\jcoll4511_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=cx039a.na.sysco.net:80;https=cx039a.na.sysco.net:80;ftp=cx039a.na.sysco.net:80

    IE - HKU\LocalService_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

    IE - HKU\mbas9764_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\mbas9764_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\mbas9764_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.sysco.net;dw.sysco.com;go.sysco.com;vpn.sysco.com;etools.sysco.com;ecmcs.*;ecm.*;myoffice.*;mysysco.*;ms247*;update.nai.com;vpncc.sysco.com;gotest.sysco.com;marketmover.sysco.com;<local>
    IE - HKU\mbas9764_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=cx039a.na.sysco.net:80;https=cx039a.na.sysco.net:80;ftp=cx039a.na.sysco.net:80

    IE - HKU\NetworkService_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

    IE - HKU\rhud2803_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.sysco.com
    IE - HKU\rhud2803_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.sysco.com
    IE - HKU\rhud2803_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\rhud2803_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.sysco.net;dw.sysco.com;go.sysco.com;vpn.sysco.com;etools.sysco.com;ecmcs.*;ecm.*;myoffice.*;mysysco.*;ms247*;update.nai.com;vpncc.sysco.com;gotest.sysco.com;marketmover.sysco.com;<local>
    IE - HKU\rhud2803_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=cx039a.na.sysco.net:80;https=cx039a.na.sysco.net:80;ftp=cx039a.na.sysco.net:80

    IE - HKU\svc_iowa_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.sysco.com
    IE - HKU\svc_iowa_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\svc_iowa_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\svc_iowa_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.sysco.net;dw.sysco.com;go.sysco.com;vpn.sysco.com;etools.sysco.com;ecmcs.*;ecm.*;myoffice.*;mysysco.*;ms247*;update.nai.com;vpncc.sysco.com;gotest.sysco.com;marketmover.sysco.com;<local>
    IE - HKU\svc_iowa_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=cx039a.na.sysco.net:80;https=cx039a.na.sysco.net:80;ftp=cx039a.na.sysco.net:80


    IE - HKU\trjlk039_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.sysco.com
    IE - HKU\trjlk039_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    IE - HKU\trjlk039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\trjlk039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.sysco.net;dw.sysco.com;go.sysco.com;vpn.sysco.com;etools.sysco.com;ecmcs.*;ecm.*;myoffice.*;mysysco.*;ms247*;update.nai.com;vpncc.sysco.com;gotest.sysco.com;marketmover.sysco.com;<local>
    IE - HKU\trjlk039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=cx039a.na.sysco.net:80;https=cx039a.na.sysco.net:80;ftp=cx039a.na.sysco.net:80

    IE - HKU\trjmg039_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.sysco.com
    IE - HKU\trjmg039_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.sysco.com
    IE - HKU\trjmg039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\trjmg039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.sysco.net;dw.sysco.com;go.sysco.com;vpn.sysco.com;etools.sysco.com;ecmcs.*;ecm.*;myoffice.*;mysysco.*;ms247*;update.nai.com;vpncc.sysco.com;gotest.sysco.com;marketmover.sysco.com;<local>
    IE - HKU\trjmg039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=cx039a.na.sysco.net:80;https=cx039a.na.sysco.net:80;ftp=cx039a.na.sysco.net:80

    IE - HKU\trjrh039_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.sysco.com
    IE - HKU\trjrh039_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.sysco.com
    IE - HKU\trjrh039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\trjrh039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.sysco.net;dw.sysco.com;go.sysco.com;vpn.sysco.com;etools.sysco.com;ecmcs.*;ecm.*;myoffice.*;mysysco.*;ms247*;update.nai.com;vpncc.sysco.com;gotest.sysco.com;marketmover.sysco.com;<local>
    IE - HKU\trjrh039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=cx039a.na.sysco.net:80;https=cx039a.na.sysco.net:80;ftp=cx039a.na.sysco.net:80

    IE - HKU\whbab039_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.sysco.com
    IE - HKU\whbab039_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.sysco.com
    IE - HKU\whbab039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\whbab039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.sysco.net;dw.sysco.com;go.sysco.com;vpn.sysco.com;etools.sysco.com;ecmcs.*;ecm.*;myoffice.*;mysysco.*;ms247*;update.nai.com;vpncc.sysco.com;gotest.sysco.com;marketmover.sysco.com;<local>
    IE - HKU\whbab039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=cx039a.na.sysco.net:80;https=cx039a.na.sysco.net:80;ftp=cx039a.na.sysco.net:80

    IE - HKU\whdjg039_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.sysco.com
    IE - HKU\whdjg039_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.sysco.com
    IE - HKU\whdjg039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\whdjg039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.sysco.net;dw.sysco.com;go.sysco.com;vpn.sysco.com;etools.sysco.com;ecmcs.*;ecm.*;myoffice.*;mysysco.*;ms247*;update.nai.com;vpncc.sysco.com;gotest.sysco.com;marketmover.sysco.com;<local>
    IE - HKU\whdjg039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=cx039a.na.sysco.net:80;https=cx039a.na.sysco.net:80;ftp=cx039a.na.sysco.net:80

    IE - HKU\whjxp039_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.sysco.com
    IE - HKU\whjxp039_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.sysco.com
    IE - HKU\whjxp039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\whjxp039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.sysco.net;dw.sysco.com;go.sysco.com;vpn.sysco.com;etools.sysco.com;ecmcs.*;ecm.*;myoffice.*;mysysco.*;ms247*;update.nai.com;vpncc.sysco.com;gotest.sysco.com;marketmover.sysco.com;<local>
    IE - HKU\whjxp039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=cx039a.na.sysco.net:80;https=cx039a.na.sysco.net:80;ftp=cx039a.na.sysco.net:80

    IE - HKU\whlat039_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.sysco.com
    IE - HKU\whlat039_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.sysco.com
    IE - HKU\whlat039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\whlat039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.sysco.net;dw.sysco.com;go.sysco.com;vpn.sysco.com;etools.sysco.com;ecmcs.*;ecm.*;myoffice.*;mysysco.*;ms247*;update.nai.com;vpncc.sysco.com;gotest.sysco.com;marketmover.sysco.com;<local>
    IE - HKU\whlat039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=cx039a.na.sysco.net:80;https=cx039a.na.sysco.net:80;ftp=cx039a.na.sysco.net:80

    IE - HKU\whlmd039_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.sysco.com
    IE - HKU\whlmd039_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.sysco.com
    IE - HKU\whlmd039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\whlmd039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.sysco.net;dw.sysco.com;go.sysco.com;vpn.sysco.com;etools.sysco.com;ecmcs.*;ecm.*;myoffice.*;mysysco.*;ms247*;update.nai.com;vpncc.sysco.com;gotest.sysco.com;marketmover.sysco.com;<local>
    IE - HKU\whlmd039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=cx039a.na.sysco.net:80;https=cx039a.na.sysco.net:80;ftp=cx039a.na.sysco.net:80

    IE - HKU\whtss039_ON_C\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.sysco.com
    IE - HKU\whtss039_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.sysco.com
    IE - HKU\whtss039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
    IE - HKU\whtss039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.sysco.net;dw.sysco.com;go.sysco.com;vpn.sysco.com;etools.sysco.com;ecmcs.*;ecm.*;myoffice.*;mysysco.*;ms247*;update.nai.com;vpncc.sysco.com;gotest.sysco.com;marketmover.sysco.com;<local>
    IE - HKU\whtss039_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=cx039a.na.sysco.net:80;https=cx039a.na.sysco.net:80;ftp=cx039a.na.sysco.net:80

    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor Enterprise\ [2011/09/30 10:00:49 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60}: C:\Program Files\Common Files\McAfee\SystemCore [2012/11/02 12:26:27 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2004/08/04 06:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20120717110310.dll (McAfee, Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll (Google Inc.)
    O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)
    O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)
    O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [Mouse Suite 98 Daemon] C:\WINDOWS\System32\ico.exe (TPMX Electronics Ltd.)
    O4 - HKLM..\Run: [PostCopy] C:\WINDOWS\system32\BELKIN\F5D5050\PostCopy.exe ()
    O4 - HKLM..\Run: [PWRAGD] C:\Program Files\ThinkPad\Utilities\DPMHost.EXE ()
    O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)
    O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
    O4 - HKLM..\Run: [SunJavaUpdateSched] File not found
    O4 - HKLM..\Run: [VMM Mode Selection] C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe ()
    O4 - HKU\.DEFAULT..\Run: [Communicator] C:\Program Files\Microsoft Office Communicator\Communicator.exe (Microsoft Corporation)
    O4 - HKU\iscrs039_ON_C..\Run: [TouchFreeze] C:\Program Files\TouchFreeze\TouchFreeze.exe ()
    O4 - HKU\LocalService_ON_C..\Run: [Communicator] C:\Program Files\Microsoft Office Communicator\Communicator.exe (Microsoft Corporation)
    O4 - HKU\NetworkService_ON_C..\Run: [Communicator] C:\Program Files\Microsoft Office Communicator\Communicator.exe (Microsoft Corporation)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Administrator.039-PC1160_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\Administrator_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\awat6898_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\ctdrk039_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\ctmaj039_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\icymm039_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\iscrs039_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\ismjj039_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\jcoll4511_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\LocalService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\mbas9764_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\NetworkService_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\rhud2803_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\svc_iowa_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\trjlk039_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\trjmg039_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\trjrh039_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\whbab039_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\whdjg039_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\whjxp039_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\whlat039_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\whlmd039_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\whtss039_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.microsoft.com/sites/production/ieawsdc32.cab (Microsoft Office Template and Media Control)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
    O16 - DPF: {3D3B42C2-11BF-4732-A304-A01384B70D68} http://picasaweb.google.com/s/v/70.11/uploader2.cab (UploadListView Class)
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.7.cab (DLM Control)
    O16 - DPF: {57F867E0-774E-488B-A93C-856BEA66668F} https://www.xatanet.net/XataNet/XATA XML Core.cab (XataXMLCore.XMLCore)
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1279203156799 (WUWebControl Class)
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1279203116892 (MUWebControl Class)
    O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab (DLC Class)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {8EC5D5F5-4D7D-435F-A578-A08B2F47A8D3} https://www.xatanet.net/XataNet/XATA Trip Control.cab (XataClientCacheVer Class)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {B8B4778E-2B10-44BE-A9BB-F20EDC5C48C8} http://survey.na.sysco.net/SSISurvey/applet/SSIWrapper.cab (Grid Class)
    O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.39.64.201 10.201.19.179
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.sysco.net
    O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor Enterprise\McIEPlg.dll (McAfee, Inc.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2009/04/21 09:33:45 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = comfile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/11/08 07:53:24 | 000,000,000 | ---D | C] -- C:\FRST
    [2012/10/25 17:16:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\whjxp039\Start Menu\Programs\CleanUp!
    [2012/10/25 17:16:39 | 000,000,000 | ---D | C] -- C:\Program Files\CleanUp!
    [2010/09/10 13:24:27 | 000,004,096 | ---- | C] ( ) -- C:\WINDOWS\System32\IGFXDEVLib.dll
    [49 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [34 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2012/11/06 10:04:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/11/05 06:49:00 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{FCAF0E76-02E6-4990-8072-D7632F31EE30}.job
    [2012/11/05 06:48:59 | 000,001,848 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\SSIHistory.dat
    [2012/11/05 06:48:51 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
    [2012/11/05 06:48:31 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore1cd0764c7317587.job
    [2012/11/05 06:48:10 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/11/05 03:36:51 | 000,000,245 | RHS- | M] () -- C:\boot.ini
    [2012/11/02 13:32:08 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA1cd0764c73d6112.job
    [2012/11/02 13:27:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
    [2012/11/02 12:29:58 | 000,514,364 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2012/11/02 12:29:58 | 000,092,940 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2012/11/02 12:29:22 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\rhud2803\Desktop\Microsoft Office Outlook 2003.lnk
    [2012/11/02 12:26:50 | 000,000,463 | ---- | M] () -- C:\WINDOWS\smscfg.ini
    [2012/11/02 05:52:05 | 000,009,422 | RHS- | M] () -- C:\Documents and Settings\rhud2803\ntuser.pol
    [2012/10/26 05:48:11 | 000,002,272 | ---- | M] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2012/10/25 05:59:46 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
    [2012/10/16 15:07:36 | 000,009,422 | RHS- | M] () -- C:\Documents and Settings\whjxp039\ntuser.pol
    [49 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [34 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]
  6. freshtag

    freshtag Newcomer, in training Topic Starter Posts: 36

    ========== Files Created - No Company Name ==========

    [2012/10/26 05:48:11 | 000,002,272 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2012/10/25 05:59:46 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
    [2012/05/02 14:15:19 | 000,004,764 | ---- | C] () -- C:\WINDOWS\System32\CcmFramework.ini
    [2012/04/27 09:46:36 | 000,009,422 | RHS- | C] () -- C:\Documents and Settings\rhud2803\ntuser.pol
    [2012/04/25 13:23:11 | 000,009,422 | RHS- | C] () -- C:\Documents and Settings\ctdrk039\ntuser.pol
    [2012/04/12 15:16:28 | 000,034,848 | ---- | C] () -- C:\WINDOWS\smsrsgen.dll
    [2012/03/13 08:48:37 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
    [2012/02/09 12:40:32 | 000,006,528 | RHS- | C] () -- C:\Documents and Settings\mbas9764\ntuser.pol
    [2012/01/31 22:04:10 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\eSTsnmp.dll
    [2011/08/31 20:49:23 | 000,009,422 | RHS- | C] () -- C:\Documents and Settings\jcoll4511\ntuser.pol
    [2011/08/15 20:36:48 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2011/07/22 03:57:00 | 000,008,283 | ---- | C] () -- C:\Documents and Settings\whdjg039\Local Settings\Application Data\{7446C7F7-7105-41C6-980A-D29A89E35564}
    [2011/07/04 20:49:21 | 000,009,422 | RHS- | C] () -- C:\Documents and Settings\svc_iowa\ntuser.pol
    [2011/07/03 03:57:00 | 000,008,283 | ---- | C] () -- C:\Documents and Settings\whtss039\Local Settings\Application Data\{15D27790-F79E-46AD-9BE7-0069074CC8FD}
    [2011/07/02 03:57:00 | 000,008,283 | ---- | C] () -- C:\Documents and Settings\whtss039\Local Settings\Application Data\{73911F2B-B3EF-44AC-A43E-AD86E6438CF8}
    [2011/06/07 20:06:39 | 000,009,422 | RHS- | C] () -- C:\Documents and Settings\trjlk039\ntuser.pol
    [2011/04/07 15:05:51 | 000,009,422 | RHS- | C] () -- C:\Documents and Settings\ctmaj039\ntuser.pol
    [2011/03/17 20:39:37 | 000,010,090 | RHS- | C] () -- C:\Documents and Settings\whdjg039\ntuser.pol
    [2011/02/20 10:44:59 | 000,009,422 | RHS- | C] () -- C:\Documents and Settings\trjmg039\ntuser.pol
    [2010/12/27 07:51:37 | 000,009,422 | RHS- | C] () -- C:\Documents and Settings\whlmd039\ntuser.pol
    [2010/12/01 17:58:23 | 000,005,120 | ---- | C] () -- C:\Documents and Settings\iscrs039\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/10/13 09:43:18 | 000,008,406 | RHS- | C] () -- C:\Documents and Settings\icymm039\ntuser.pol
    [2010/10/08 16:22:27 | 000,009,422 | RHS- | C] () -- C:\Documents and Settings\whjxp039\ntuser.pol
    [2010/10/03 17:22:58 | 000,008,406 | RHS- | C] () -- C:\Documents and Settings\whbab039\ntuser.pol
    [2010/09/28 15:47:11 | 000,001,848 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\SSIHistory.dat
    [2010/09/28 14:47:47 | 000,009,422 | RHS- | C] () -- C:\Documents and Settings\trjrh039\ntuser.pol
    [2010/09/28 14:40:49 | 000,009,422 | RHS- | C] () -- C:\Documents and Settings\whtss039\ntuser.pol
    [2010/09/28 14:32:39 | 000,009,422 | RHS- | C] () -- C:\Documents and Settings\whlat039\ntuser.pol
    [2010/09/28 14:31:09 | 000,006,528 | RHS- | C] () -- C:\Documents and Settings\ismjj039\ntuser.pol
    [2010/09/27 16:06:48 | 000,303,104 | ---- | C] () -- C:\WINDOWS\System32\eST3snm.dll
    [2010/09/10 13:24:27 | 000,000,151 | ---- | C] () -- C:\WINDOWS\System32\GfxUI.exe.config
    [2010/09/10 13:23:31 | 000,012,812 | ---- | C] () -- C:\WINDOWS\System32\Setup2k.ini
    [2010/09/10 13:23:31 | 000,000,318 | ---- | C] () -- C:\WINDOWS\System32\presetup.ini
    [2010/09/10 13:23:30 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\PELCPEXT.DLL
    [2010/09/10 13:23:30 | 000,032,010 | ---- | C] () -- C:\WINDOWS\System32\PelCPExt.ini
    [2010/09/10 13:23:30 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\FSRremoC.DLL
    [2010/09/10 13:23:30 | 000,020,480 | ---- | C] () -- C:\WINDOWS\System32\FSRremoS.EXE
    [2010/07/15 10:33:06 | 000,000,463 | ---- | C] () -- C:\WINDOWS\smscfg.ini
    [2010/07/15 09:39:16 | 000,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
    [2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
    [2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\WINDOWS\System32\OGAEXEC.exe
    [2009/07/23 09:36:44 | 000,000,279 | ---- | C] () -- C:\WINDOWS\ehncfg32.INI
    [2009/07/21 13:17:09 | 000,035,392 | ---- | C] () -- C:\WINDOWS\PWMBTHLP.EXE
    [2009/04/21 12:06:05 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\uninscpw.exe
    [2009/04/21 11:12:05 | 000,000,598 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2009/04/21 09:36:28 | 000,006,528 | RHS- | C] () -- C:\Documents and Settings\iscrs039\ntuser.pol
    [2009/04/21 09:34:55 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2009/04/21 09:31:43 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2009/04/21 04:22:59 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2009/04/21 04:19:31 | 000,982,224 | ---- | C] () -- C:\WINDOWS\System32\igkrng500.bin
    [2009/04/21 04:19:31 | 000,439,336 | ---- | C] () -- C:\WINDOWS\System32\igcompkrng500.bin
    [2009/04/21 04:18:36 | 000,317,152 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
    [2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
    [2008/04/14 05:55:28 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
    [2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
    [2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
    [2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
    [2006/12/31 07:57:08 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2004/08/04 06:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2004/08/04 06:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2004/08/04 06:00:00 | 000,514,364 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2004/08/04 06:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2004/08/04 06:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2004/08/04 06:00:00 | 000,092,940 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2004/08/04 06:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2004/08/04 06:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2004/08/04 06:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2004/08/04 06:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
    [2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
    [2002/02/27 11:41:28 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\nsldappr32v50.dll
    [2002/02/27 11:41:26 | 000,139,264 | ---- | C] () -- C:\WINDOWS\System32\nsldap32v50.dll
    [2002/02/27 11:41:26 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\nsldapssl32v50.dll

    ========== LOP Check ==========

    [2009/07/21 15:58:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator.039-PC1160\Application Data\DesktopPwrMgr
    [2009/07/21 13:28:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\DesktopPwrMgr
    [2011/04/07 15:06:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ctdrk039\Application Data\DesktopPwrMgr
    [2011/04/07 15:23:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ctdrk039\Application Data\NetManage
    [2011/05/20 11:35:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ctdrk039\Application Data\Windows Search
    [2011/04/07 15:06:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ctmaj039\Application Data\DesktopPwrMgr
    [2011/04/07 15:23:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ctmaj039\Application Data\NetManage
    [2011/05/20 11:35:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ctmaj039\Application Data\Windows Search
    [2010/10/25 13:48:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\icymm039\Application Data\DesktopPwrMgr
    [2010/10/25 13:50:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\icymm039\Application Data\NetManage
    [2010/10/12 20:40:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\iscrs039\Application Data\CanuckSoftware
    [2009/07/23 09:00:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\iscrs039\Application Data\DesktopPwrMgr
    [2011/03/15 22:25:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\iscrs039\Application Data\GARMIN
    [2011/02/08 22:29:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\iscrs039\Application Data\Gradkell Systems, Inc
    [2011/07/29 00:28:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\iscrs039\Application Data\ieSpell
    [2010/11/28 19:52:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\iscrs039\Application Data\ImgBurn
    [2009/04/21 11:55:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\iscrs039\Application Data\NetManage
    [2010/09/10 13:50:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\iscrs039\Application Data\Windows Desktop Search
    [2010/10/07 19:53:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\iscrs039\Application Data\Windows Search
    [2010/09/28 14:31:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ismjj039\Application Data\DesktopPwrMgr
    [2011/08/31 20:49:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jcoll4511\Application Data\DesktopPwrMgr
    [2011/09/02 14:40:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jcoll4511\Application Data\NetManage
    [2012/02/01 18:53:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jcoll4511\Application Data\Windows Desktop Search
    [2011/09/18 22:09:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\jcoll4511\Application Data\Windows Search
    [2012/02/09 12:41:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\mbas9764\Application Data\DesktopPwrMgr
    [2011/04/07 15:06:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\rhud2803\Application Data\DesktopPwrMgr
    [2011/04/07 15:23:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\rhud2803\Application Data\NetManage
    [2011/05/20 11:35:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\rhud2803\Application Data\Windows Search
    [2012/08/08 06:27:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\rhud2803\Application Data\Xerox
    [2011/07/04 20:50:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\svc_iowa\Application Data\DesktopPwrMgr
    [2011/06/07 20:07:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\trjlk039\Application Data\DesktopPwrMgr
    [2009/07/23 09:00:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\trjrh039\Application Data\DesktopPwrMgr
    [2009/07/23 09:44:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\trjrh039\Application Data\ImgBurn
    [2009/04/21 11:55:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\trjrh039\Application Data\NetManage
    [2010/09/10 13:50:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\trjrh039\Application Data\Windows Desktop Search
    [2010/09/29 05:14:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\trjrh039\Application Data\Windows Search
    [2010/10/03 17:23:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whbab039\Application Data\DesktopPwrMgr
    [2010/12/17 00:44:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whbab039\Application Data\NetManage
    [2010/10/08 16:23:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whdjg039\Application Data\DesktopPwrMgr
    [2011/01/06 00:06:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whdjg039\Application Data\NetManage
    [2010/10/08 16:23:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whjxp039\Application Data\DesktopPwrMgr
    [2011/01/06 00:06:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whjxp039\Application Data\NetManage
    [2011/03/20 16:45:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whjxp039\Application Data\Windows Search
    [2009/07/23 09:00:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whlat039\Application Data\DesktopPwrMgr
    [2009/07/23 09:44:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whlat039\Application Data\ImgBurn
    [2009/04/21 11:55:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whlat039\Application Data\NetManage
    [2010/09/10 13:50:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whlat039\Application Data\Windows Desktop Search
    [2010/10/11 10:44:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whlat039\Application Data\Windows Search
    [2010/12/27 07:52:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whlmd039\Application Data\DesktopPwrMgr
    [2010/12/27 07:52:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whlmd039\Application Data\NetManage
    [2010/12/27 07:52:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whlmd039\Application Data\Windows Desktop Search
    [2010/12/27 07:52:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whlmd039\Application Data\Windows Search
    [2009/07/23 09:00:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whtss039\Application Data\DesktopPwrMgr
    [2009/07/23 09:44:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whtss039\Application Data\ImgBurn
    [2009/04/21 11:55:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whtss039\Application Data\NetManage
    [2010/09/10 13:50:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whtss039\Application Data\Windows Desktop Search
    [2010/09/30 18:07:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\whtss039\Application Data\Windows Search
    [2010/12/20 17:44:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AR System
    [2010/09/28 14:28:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GroupPolicy
    [2009/04/21 11:55:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NetManage
    [2010/09/28 15:47:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Scalable Software
    [2010/10/10 22:16:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\XataNetClientCache
    [2011/01/16 18:18:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2010/09/10 13:23:06 | 000,000,306 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job
    [2012/11/05 06:49:00 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{FCAF0E76-02E6-4990-8072-D7632F31EE30}.job

    ========== Purity Check ==========


    < End of report >
  7. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

  8. freshtag

    freshtag Newcomer, in training Topic Starter Posts: 36

    I ran the scan and it has found malicious software.
    object:
    ment/cache/6.0/24/4c458618-421ea785.vir//json/Parser/class
    Trojan program:
    Exploit.Java.CVE-2012-0840.dx

    my options are:
    1. disinfection is not possible - Reason: write not supported
    2. delete archive - Archive file will be deleted
    3. skip (recommended) - Do not perform any action

    Which option should I pick? Just wanted to make sure before I select one. Thanks.
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Delete archive. Let me know if computer can function...
  10. freshtag

    freshtag Newcomer, in training Topic Starter Posts: 36

    I deleted it. Also FYI, full file path was:
    C:/Documents and Settings/jcoll4511/Application Data/Sun/Java/Deployment/cache/6.0/24/4c458618-421ea785.vir//json/Parser/class

    No other issues found, and the scan is complete.
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    How is the computer working right now? Can it boot? Will it stay running?
  12. freshtag

    freshtag Newcomer, in training Topic Starter Posts: 36

    Still get the lsass.exe error when I start the computer.
    It states:
    lsass.exe system error
    An invalid parameter was passed to a service or function.

    Click ok and computer reboots and does the same thing again. I get this error before the login screen shows.
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Farbar Recovery Scan Tool x64 SEARCH

    • Open FRST, like you've done before, and type the text lsass.exe into the "Search:" text box. Then press the Search file(s) button.
    • When done searching, FRST makes a log, Search.txt, on the C:\ drive or on your flash drive.
    • Type exit in the Command Prompt window and reboot the computer normally.
    • FRST will make a log on the flash drive (search.txt); please copy and paste the log in your reply.
  14. freshtag

    freshtag Newcomer, in training Topic Starter Posts: 36

    Farbar Recovery Scan Tool (x86) Version: 07-11-2012
    Ran by SYSTEM at 2012-11-13 10:31:48
    Running from E:\
    ================== Search: "lsass.exe" ===================
    C:\WINDOWS\system32\lsass.exe
    [2008-04-14 05:42] - [2008-04-14 05:42] - 0013312 ____A (Microsoft Corporation) bf2466b3e18e970d8a976fb95fc1ca85
    C:\WINDOWS\system32\dllcache\lsass.exe
    [2008-04-14 05:42] - [2008-04-14 05:42] - 0013312 ___AC (Microsoft Corporation) bf2466b3e18e970d8a976fb95fc1ca85
    === End Of Search ===
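    The search result above lists two copies of lsass.exe (the live one in system32 and the Windows File Protection copy in dllcache) with identical sizes, signer and MD5 hashes, which is what the helper is checking by eye before saying the file is not infected. The following Python is an added example, not part of this thread and not part of FRST itself: it parses the FRST Search.txt layout as it appears in the post (path line followed by a detail line), then flags any copy that sits outside the two expected directories, reports a different company, or differs from the dllcache copy. The first sample is the log from the post; the second sample is a constructed log with a placeholder hash, added to show what a mismatch looks like.

```python
import re
from dataclasses import dataclass

# FRST search output copied from the post above (real lines from this thread).
FRST_SEARCH_TXT = r"""
Farbar Recovery Scan Tool (x86) Version: 07-11-2012
Ran by SYSTEM at 2012-11-13 10:31:48
Running from E:\
================== Search: "lsass.exe" ===================
C:\WINDOWS\system32\lsass.exe
[2008-04-14 05:42] - [2008-04-14 05:42] - 0013312 ____A (Microsoft Corporation) bf2466b3e18e970d8a976fb95fc1ca85
C:\WINDOWS\system32\dllcache\lsass.exe
[2008-04-14 05:42] - [2008-04-14 05:42] - 0013312 ___AC (Microsoft Corporation) bf2466b3e18e970d8a976fb95fc1ca85
=== End Of Search ===
"""

# Constructed sample (not from the thread): a third, unsigned copy in a user
# profile with a placeholder hash, to exercise the mismatch path.
CONSTRUCTED_SUSPECT_TXT = r"""
================== Search: "lsass.exe" ===================
C:\WINDOWS\system32\lsass.exe
[2008-04-14 05:42] - [2008-04-14 05:42] - 0013312 ____A (Microsoft Corporation) bf2466b3e18e970d8a976fb95fc1ca85
C:\WINDOWS\system32\dllcache\lsass.exe
[2008-04-14 05:42] - [2008-04-14 05:42] - 0013312 ___AC (Microsoft Corporation) bf2466b3e18e970d8a976fb95fc1ca85
C:\Documents and Settings\someuser\Application Data\lsass.exe
[2012-11-01 09:00] - [2012-11-01 09:00] - 0045056 ____A () 00000000000000000000000000000000
=== End Of Search ===
"""

# Detail line: [created] - [modified] - size attrs (company) md5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9a-fA-F]{32})$"
)

# Directories where a genuine XP lsass.exe is expected (assumption for this example).
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\windows\system32\dllcache")


@dataclass
class FoundFile:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: str
    md5: str


def parse_frst_search(text):
    """Return the FoundFile entries between the 'Search:' banner and 'End Of Search'."""
    hits, pending, in_results = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=") and "Search:" in line:
            in_results = True
            continue
        if line.startswith("=== End Of Search"):
            break
        if not in_results or not line:
            continue
        m = DETAIL_RE.match(line)
        if m and pending is not None:
            hits.append(FoundFile(pending, m["created"], m["modified"], int(m["size"]),
                                  m["attrs"], m["company"], m["md5"].lower()))
            pending = None
        else:
            pending = line  # a path line; its detail line follows
    return hits


def assess_lsass(hits):
    """Compare every copy against the dllcache copy and the expected locations.

    Returns ("consistent", []) when nothing stands out, otherwise ("review", findings).
    """
    findings = []
    if not hits:
        return "review", ["no lsass.exe found at all"]
    ref = next((h for h in hits if h.path.lower().endswith(r"\dllcache\lsass.exe")), None)
    if ref is None:
        findings.append("no dllcache copy available for comparison")
    for h in hits:
        directory = h.path.rsplit("\\", 1)[0].lower()
        if directory not in EXPECTED_DIRS:
            findings.append(f"unexpected location: {h.path}")
        if h.company != "Microsoft Corporation":
            findings.append(f"unexpected company '{h.company}': {h.path}")
        if ref is not None and (h.md5 != ref.md5 or h.size != ref.size):
            findings.append(f"size/hash differ from dllcache copy: {h.path}")
    return ("consistent" if not findings else "review"), findings


if __name__ == "__main__":
    for label, text in (("thread log", FRST_SEARCH_TXT), ("constructed", CONSTRUCTED_SUSPECT_TXT)):
        verdict, notes = assess_lsass(parse_frst_search(text))
        print(label, verdict, *notes, sep="\n  ")
```

Comparing against the dllcache copy only shows the two copies agree with each other; a tampered dllcache would not be caught, so in practice the hash is also compared with a reference from a known-clean machine at the same service pack level, which this thread does not supply.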
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Doesn't seem infected. Let's do the following:

    FRST Fixlist

    Please run the following:

    Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.


    Run FRST within OTLPE and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
  16. freshtag

    freshtag Newcomer, in training Topic Starter Posts: 36

    Sorry it took me so long to post back to you.

    FRST log:
    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 07-11-2012
    Ran by SYSTEM at 2012-11-19 08:00:54 Run:1
    Running from E:\
    ==============================================
    Could not restore SAM hive from Restore Point.
    Could not restore SECURITY hive from Restore Point.
    Could not restore Software hive from Restore Point.
    Could not restore System hive from Restore Point.
    Could not restore Default hive from Restore Point.
    ==== End of Fixlog ====

    I am still getting the lsass.exe error when I restart the computer. It still will not go into the login screen. I get the same popup and when you click on OK it just restarts.
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Please download MBRFix. Save and extract its contents to the desktop. Once extracted, there will be three files in the folder. Copy just the MBRFix application to the USB drive.

    Also download the attached fixlist.txt and save it to the flash drive.

    Now please enter System Recovery Options and select "Command Prompt".

    Run FRST and press the Fix button just once and wait.

    The tool will make a log on the flash drive (Fixlog.txt); please post its contents in your reply. It will also produce another file, MBRDUMP.txt, on the flash drive; although it may look like a text file, it is a hex file. You must attach this report to your reply instead of posting its contents.

    Attached Files:

  18. freshtag

    freshtag Newcomer, in training Topic Starter Posts: 36

    Where do I find the System Recovery Options "Command Prompt"? Is this when the computer starts up and under Safe Mode, or is this from the OTLPE disk? I'm a little confused.
  19. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    My apologies. I was working with another user at the same time with the exact same issue as you. Yes, go to OTLPE first, then do the FRST stuff as described.
  20. freshtag

    freshtag Newcomer, in training Topic Starter Posts: 36

    Here is the new log file.

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 07-11-2012
    Ran by SYSTEM at 2012-11-20 08:07:26 Run:2
    Running from E:\
    ==============================================
    MBRDUMP.txt is made successfully.
    ==== End of Fixlog ====

    Attached Files:

  21. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Let me see a new log from FRST please. :)
  22. freshtag

    freshtag Newcomer, in training Topic Starter Posts: 36

    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 07-11-2012 (ATTENTION: FRST version is 14 days old)
    Ran by SYSTEM at 21-11-2012 09:43:34
    Running from E:\
    Microsoft Windows XP (X86) OS Language: English(US)
    The current controlset is ControlSet003
    ==================== Registry (Whitelisted) ===================
    HKLM\...\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray [888832 2008-07-17] (Analog Devices, Inc.)
    HKLM\...\Run: [TVT Scheduler Proxy] C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe [487424 2008-03-04] (Lenovo Group Limited)
    HKLM\...\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe [1040384 2009-04-22] (Analog Devices, Inc.)
    HKLM\...\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor [393216 2010-07-13] (Lenovo Group Limited)
    HKLM\...\Run: [PWRAGD] C:\PROGRA~1\ThinkPad\UTILIT~1\DPMHost.exe [72256 2010-07-19] ()
    HKLM\...\Run: [PostCopy] C:\WINDOWS\system32\BELKIN\F5D5050\PostCopy.exe [20480 2001-07-25] ()
    HKLM\...\Run: [Mouse Suite 98 Daemon] ICO.EXE [x]
    HKLM\...\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon [x]
    HKLM\...\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" [x]
    HKLM\...\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s [85160 2009-06-17] (Elaborate Bytes AG)
    HKLM\...\Run: [VMM Mode Selection] C:\Program Files\HTC\ModeSelection\VMMModeSelection.exe [43520 2011-02-14] ()
    HKLM\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKLM\...\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey [333376 2011-11-15] (McAfee, Inc.)
    HKLM\...\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE [215360 2011-09-14] (McAfee, Inc.)
    HKLM\...\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [919008 2012-07-27] (Adobe Systems Incorporated)
    HKU\Administrator\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\Administrator.039-PC1160\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\awat6898\...\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N [x]
    HKU\ctdrk039\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\ctdrk039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\ctmaj039\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\ctmaj039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\Default User\...\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N [x]
    HKU\iscrs039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\iscrs039\...\Run: [TouchFreeze] C:\Program Files\TouchFreeze\TouchFreeze.exe [45056 2005-04-29] ()
    HKU\ismjj039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\jcoll4511\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\jcoll4511\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\LocalService\...\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" [4167376 2005-05-12] (Microsoft Corporation)
    HKU\LocalService\...\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N [x]
    HKU\NetworkService\...\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" [4167376 2005-05-12] (Microsoft Corporation)
    HKU\NetworkService\...\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N [x]
    HKU\rhud2803\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\rhud2803\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\rhud2803\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-09-14] (Google Inc.)
    HKU\trjlk039\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\trjlk039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\trjmg039\...\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N [x]
    HKU\trjrh039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\trjrh039\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\whbab039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\whdjg039\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\whdjg039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\whjxp039\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\whjxp039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\whjxp039\...\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2012-09-14] (Google Inc.)
    HKU\whlat039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\whlat039\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\whlmd039\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    HKU\whtss039\...\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe [15360 2008-04-14] (Microsoft Corporation)
    HKU\whtss039\...\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [77824 2012-05-07] (Apple Computer, Inc.)
    Winlogon\Notify\WgaLogon: WgaLogon.dll (Microsoft Corporation)
    Tcpip\Parameters: [DhcpNameServer] 10.39.64.201 10.201.19.179
    ==================== Services (Whitelisted) ===================
    2 CcmExec; C:\WINDOWS\system32\CCM\CcmExec.exe [764768 2009-09-18] (Microsoft Corporation)
    2 DWMRCS; C:\Windows\System32\DWRCS.EXE -service [241688 2010-04-07] (DameWare Development LLC)
    2 Eventlog; C:\Windows\System32\services.exe [110592 2009-02-06] (Microsoft Corporation)
    2 McAfee SiteAdvisor Enterprise Service; "C:\Program Files\McAfee\SiteAdvisor Enterprise\McSACore.exe" [222528 2009-12-14] (McAfee, Inc.)
    2 McAfeeFramework; "C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart [132672 2011-11-15] (McAfee, Inc.)
    2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [166024 2012-07-17] (McAfee, Inc.)
    2 McTaskManager; "C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe" [209760 2011-09-14] (McAfee, Inc.)
    2 mfevtp; "C:\WINDOWS\system32\mfevtps.exe" [148520 2012-07-17] (McAfee, Inc.)
    2 NovacomD; C:\Program Files\Palm, Inc\novacom\x86\novacomd.exe [33792 2010-01-12] (Palm)
    2 Power Manager DBC Service; C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE [68160 2010-07-19] ()
    3 smstsmgr; C:\WINDOWS\system32\CCM\TSManager.exe /service [246624 2009-09-18] (Microsoft Corporation)
    3 SSI Client Installer; C:\WINDOWS\system32\SCInstallerNT.exe [512000 2012-05-08] (Scalable Software, Inc.)
    2 SUService; "C:\Program Files\Lenovo\System Update\SUService.exe" [28672 2009-06-12] (Lenovo Group Limited)
    2 TVT Scheduler; "C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe" [1122304 2008-03-04] (Lenovo Group Limited)
    2 UNS; C:\Program Files\Common Files\Intel\Privacy Icon\UNS\UNS.exe [2054680 2008-07-21] (Intel Corporation)
    2 Wdworkstation; C:\WINDOWS\system32\wdnpsvc.exe [58672 2005-02-15] (NetManage Incorporated)
    3 FontCache3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [x]
    2 JavaQuickStarterService; "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" [x]
    4 NetTcpPortSharing; "c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" [x]
    2 SSI Survey Client; c:\Program Files\Scalable Software\Survey\SSI Survey Client\SurveyClientNT.EXE [x]
    ==================== Drivers (Whitelisted) ====================
    3 COAX; C:\Windows\System32\Drivers\COAX.sys [18424 2005-02-15] (NetManage Incorporated)
    3 DwMirror; C:\Windows\System32\DRIVERS\DamewareMini.sys [3712 2007-02-07] (DameWare Development, LLC)
    1 dwvkbd; C:\Windows\System32\DRIVERS\dwvkbd.sys [26624 2007-02-15] (DameWare)
    3 e1kexpress; C:\Windows\System32\DRIVERS\e1k5132.sys [149600 2008-10-24] (Intel Corporation)
    3 EL90X; C:\Windows\System32\DRIVERS\el90xnd5.sys [153631 2001-08-17] (3Com Corporation)
    1 ElbyCDIO; C:\Windows\System32\Drivers\ElbyCDIO.sys [26024 2009-12-17] (Elaborate Bytes AG)
    3 HDAudBus; C:\Windows\System32\DRIVERS\HDAudBus.sys [144384 2008-04-13] (Windows (R) Server 2003 DDK provider)
    0 iastor86; C:\Windows\System32\Drivers\iastor86.sys [327192 2009-04-20] (Intel Corporation)
    3 mfeapfk; C:\Windows\System32\drivers\mfeapfk.sys [119968 2012-07-17] (McAfee, Inc.)
    3 mfeavfk; C:\Windows\System32\drivers\mfeavfk.sys [180072 2012-07-17] (McAfee, Inc.)
    3 mfebopk; C:\Windows\System32\drivers\mfebopk.sys [59288 2012-07-17] (McAfee, Inc.)
    0 mfehidk; C:\Windows\System32\drivers\mfehidk.sys [461864 2012-07-17] (McAfee, Inc.)
    3 mferkdet; C:\Windows\System32\drivers\mferkdet.sys [87808 2012-07-17] (McAfee, Inc.)
    1 mfetdi2k; C:\Windows\System32\drivers\mfetdi2k.sys [89624 2012-07-17] (McAfee, Inc.)
    3 MRXWDRDR; C:\Windows\System32\drivers\mrxwdnp.sys [267056 2005-02-15] (NetManage Incorporated)
    3 NAL; \??\C:\WINDOWS\system32\Drivers\iqvw32.sys [30816 2008-10-07] (Intel Corporation )
    3 pelmouse; C:\Windows\System32\DRIVERS\pelmouse.sys [16768 2006-09-14] (Primax Electronics Ltd.)
    3 pelusblf; C:\Windows\System32\DRIVERS\pelusblf.sys [14592 2006-10-14] (Primax Electronics Ltd.)
    3 prepdrvr; \??\C:\WINDOWS\system32\CCM\prepdrv.sys [20848 2009-09-18] (Microsoft Corporation)
    3 RMBS; C:\Windows\System32\Drivers\RMBS.sys [17828 2005-02-15] (NetManage Incorporated)
    3 SenFiltService; C:\Windows\System32\drivers\Senfilt.sys [8704 2009-04-22] (Analog Devices, Inc.)
    3 silabenm; C:\Windows\System32\DRIVERS\silabenm.sys [47176 2012-01-13] (Silicon Laboratories)
    3 silabser; C:\Windows\System32\DRIVERS\silabser.sys [58112 2012-01-13] (Silicon Laboratories)
    3 smsmdd; C:\Windows\System32\DRIVERS\smsmdm.sys [12448 2008-10-20] (Microsoft Corporation)
    3 TPM; C:\Windows\System32\DRIVERS\tpm.sys [18048 2008-02-10] (Winbond Electronics Corp.)
    3 TWXWD; C:\Windows\System32\Drivers\TWXWD.sys [26964 2005-02-15] (NetManage Incorporated)
    2 WDHLLKNL; C:\Windows\System32\Drivers\WDHLLKNL.sys [4784 2005-02-15] (NetManage Incorporated)
    4 Abiosdsk; [x]
    4 abp480n5; [x]
    4 adpu160m; [x]
    4 Aha154x; [x]
    4 aic78u2; [x]
    4 aic78xx; [x]
    4 AliIde; [x]
    4 amsint; [x]
    4 asc; [x]
    4 asc3350p; [x]
    4 asc3550; [x]
    4 Atdisk; [x]
    4 cd20xrnt; [x]
    1 Changer; [x]
    4 CmdIde; [x]
    4 Cpqarray; [x]
    4 dac2w2k; [x]
    4 dac960nt; [x]
    4 dpti2o; [x]
    4 hpn; [x]
    1 i2omgmt; [x]
    4 i2omp; [x]
    4 ini910u; [x]
    4 IntelIde; [x]
    1 lbrtfdc; [x]
    3 mfeavfk01; [x]
    1 mferkdk; \??\C:\Program Files\McAfee\VirusScan Enterprise\mferkdk.sys [x]
    4 mraid35x; [x]
    1 PCIDump; [x]
    3 PDCOMP; [x]
    3 PDFRAME; [x]
    3 PDRELI; [x]
    3 PDRFRAME; [x]
    4 perc2; [x]
    4 perc2hib; [x]
    4 ql1080; [x]
    4 Ql10wnt; [x]
    4 ql12160; [x]
    4 ql1240; [x]
    4 ql1280; [x]
    1 RCHelp; [x]
    4 Simbad; [x]
    4 Sparrow; [x]
    4 symc810; [x]
    4 symc8xx; [x]
    4 sym_hi; [x]
    4 sym_u3; [x]
    4 TosIde; [x]
    4 ultra; [x]
    3 USBAAPL; C:\Windows\System32\Drivers\usbaapl.sys [x]
    4 ViaIde; [x]
    3 WDICA; [x]
    ==================== NetSvcs (Whitelisted) ===================

    ==================== One Month Created Files and Folders ========
    2012-11-08 07:53 - 2012-11-08 07:53 - 00000000 ____D C:\FRST
    2012-11-06 11:37 - 2012-11-08 11:25 - 00104400 ____A C:\OTL.Txt
    2012-11-06 04:02 - 2012-11-06 04:02 - 00001661 ____N C:\rescue-system_scan.log
    2012-11-02 11:03 - 2012-11-02 11:03 - 00007896 ____A C:\Windows\KB2724197.log
    2012-11-02 11:03 - 2012-11-02 11:03 - 00000000 __HDC C:\Windows\$NtUninstallKB2724197$
    2012-10-26 05:48 - 2012-10-26 05:48 - 00002272 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2012-10-25 17:16 - 2012-10-25 17:16 - 00000000 ____D C:\Program Files\CleanUp!
    2012-10-25 05:59 - 2012-10-25 05:59 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_00_00.Wdf

    ==================== One Month Modified Files and Folders ========
    2012-11-12 05:00 - 2012-11-12 01:59 - 00000000 ___AD C:\Kaspersky Rescue Disk 10.0
    2012-11-08 11:25 - 2012-11-06 11:37 - 00104400 ____A C:\OTL.Txt
    2012-11-08 07:53 - 2012-11-08 07:53 - 00000000 ____D C:\FRST
    2012-11-06 04:02 - 2012-11-06 04:02 - 00001661 ____N C:\rescue-system_scan.log
    2012-11-05 06:49 - 2011-08-10 05:22 - 00000428 ___AH C:\Windows\Tasks\User_Feed_Synchronization-{FCAF0E76-02E6-4990-8072-D7632F31EE30}.job
    2012-11-05 06:48 - 2012-05-07 23:17 - 00054156 ___AH C:\Windows\QTFont.qfn
    2012-11-05 06:48 - 2012-04-27 09:46 - 00000062 __ASH C:\Documents and Settings\rhud2803\Local Settings\desktop.ini
    2012-11-05 06:48 - 2012-03-21 08:16 - 00000882 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore1cd0764c7317587.job
    2012-11-05 06:48 - 2010-09-28 15:47 - 00034551 ____A C:\Documents and Settings\All Users\Application Data\SCD.LOG
    2012-11-05 06:48 - 2010-09-28 15:47 - 00001848 ____A C:\Documents and Settings\All Users\Application Data\SSIHistory.dat
    2012-11-05 06:48 - 2009-04-21 09:35 - 00000062 __ASH C:\Documents and Settings\NetworkService\Local Settings\desktop.ini
    2012-11-05 06:48 - 2009-04-21 09:35 - 00000062 __ASH C:\Documents and Settings\LocalService\Local Settings\desktop.ini
    2012-11-05 06:48 - 2009-04-21 09:35 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
    2012-11-05 06:48 - 2009-04-21 09:32 - 01544067 ____A C:\Windows\WindowsUpdate.log
    2012-11-05 06:48 - 2009-04-21 09:30 - 00000816 ____A C:\Windows\System32\config\netlogon.ftl
    2012-11-05 06:48 - 2009-04-21 04:24 - 00000159 ____A C:\Windows\wiadebug.log
    2012-11-05 06:48 - 2009-04-21 04:24 - 00000049 ____A C:\Windows\wiaservc.log
    2012-11-05 06:48 - 2004-08-04 06:00 - 00002206 ____A C:\Windows\System32\wpa.dbl
    2012-11-05 03:36 - 2009-04-21 04:18 - 00000245 _RASH C:\boot.ini
    2012-11-02 13:34 - 2009-04-21 09:35 - 00031916 ____A C:\Windows\SchedLgU.Txt
    2012-11-02 13:33 - 2012-04-27 09:46 - 00000278 ___SH C:\Documents and Settings\rhud2803\ntuser.ini
    2012-11-02 13:32 - 2012-03-21 08:16 - 00000886 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA1cd0764c73d6112.job
    2012-11-02 13:27 - 2012-04-18 02:07 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
    2012-11-02 13:10 - 2012-04-30 11:24 - 00000000 ____D C:\Documents and Settings\rhud2803\Local Settings\Application Data\Deployment
    2012-11-02 12:29 - 2012-04-27 09:45 - 00002521 ____A C:\Documents and Settings\rhud2803\Desktop\Microsoft Office Outlook 2003.lnk
    2012-11-02 12:29 - 2009-04-21 04:22 - 00617894 ___AC C:\Windows\System32\PerfStringBackup.INI
    2012-11-02 12:26 - 2012-04-12 15:16 - 00000000 ____D C:\Windows\ccmhealth
    2012-11-02 12:26 - 2010-07-15 10:33 - 00000463 ___AC C:\Windows\smscfg.ini
    2012-11-02 11:04 - 2011-02-09 21:42 - 00000000 ____D C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2012-11-02 11:03 - 2012-11-02 11:03 - 00007896 ____A C:\Windows\KB2724197.log
    2012-11-02 11:03 - 2012-11-02 11:03 - 00000000 __HDC C:\Windows\$NtUninstallKB2724197$
    2012-11-02 11:03 - 2009-04-21 11:21 - 00000000 ___HD C:\Windows\$hf_mig$
    2012-11-02 11:03 - 2009-04-21 04:23 - 01627306 ___AC C:\Windows\iis6.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 01471375 ___AC C:\Windows\FaxSetup.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00721113 ___AC C:\Windows\ocgen.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00693077 ___AC C:\Windows\tsoc.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00501995 ___AC C:\Windows\comsetup.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00454422 ___AC C:\Windows\msmqinst.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00302791 ___AC C:\Windows\ntdtcsetup.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00258887 ___AC C:\Windows\netfxocm.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00102081 ___AC C:\Windows\MedCtrOC.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00081724 ___AC C:\Windows\ocmsn.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00074648 ___AC C:\Windows\tabletoc.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00073965 ___AC C:\Windows\msgsocm.log
    2012-11-02 11:03 - 2009-04-21 04:23 - 00001374 ____A C:\Windows\imsins.log
    2012-11-02 07:45 - 2012-04-27 09:45 - 00000000 ____D C:\Documents and Settings\rhud2803\My Documents\PO Close log
    2012-11-02 05:52 - 2012-04-27 09:46 - 00009422 _RASH C:\Documents and Settings\rhud2803\ntuser.pol
    2012-11-02 05:49 - 2009-04-21 04:16 - 00000000 ____D C:\Windows\security
    2012-11-01 06:00 - 2011-04-05 23:46 - 00000000 __SHD C:\Windows\CSC
    2012-10-31 05:52 - 2010-10-08 16:22 - 00000278 __ASH C:\Documents and Settings\whjxp039\ntuser.ini
    2012-10-30 20:59 - 2010-10-08 16:22 - 00000062 _ASHC C:\Documents and Settings\whjxp039\Local Settings\desktop.ini
    2012-10-26 05:48 - 2012-10-26 05:48 - 00002272 ____A C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2012-10-25 17:22 - 2010-09-28 15:11 - 00000000 ___HD C:\Windows\System32\dwrcssft
    2012-10-25 17:16 - 2012-10-25 17:16 - 00000000 ____D C:\Program Files\CleanUp!
    2012-10-25 06:00 - 2009-04-21 09:31 - 00023352 ___AC C:\Windows\wmsetup.log
    2012-10-25 05:59 - 2012-10-25 05:59 - 00000000 ___AH C:\Windows\System32\Drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
    2012-10-25 05:59 - 2009-04-21 04:22 - 00342781 ____A C:\Windows\setupapi.log
    2012-10-25 05:59 - 2009-04-21 04:22 - 00003261 ____A C:\Windows\setupact.log
    2012-10-24 05:54 - 2012-04-18 02:07 - 00696760 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerApp.exe
    2012-10-24 05:54 - 2012-02-25 05:37 - 00073656 ____A (Adobe Systems Incorporated) C:\Windows\System32\FlashPlayerCPLApp.cpl

    ==================== Known DLLs (Whitelisted) =================

    ==================== Bamital & volsnap Check =================
    C:\Windows\explorer.exe => MD5 is legit
    C:\Windows\System32\winlogon.exe => MD5 is legit
    C:\Windows\System32\svchost.exe => MD5 is legit
    C:\Windows\System32\services.exe => MD5 is legit
    C:\Windows\System32\User32.dll => MD5 is legit
    C:\Windows\System32\userinit.exe => MD5 is legit
    C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
    ==================== EXE ASSOCIATION =====================
    HKLM\...\.exe: exefile => OK
    HKLM\...\exefile\DefaultIcon: %1 => OK
    HKLM\...\exefile\open\command: "%1" %* => OK
    ==================== Restore Points (XP) =====================
    RP: -> 2012-11-02 11:02 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP531
    RP: -> 2012-11-02 06:54 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP530
    RP: -> 2012-11-01 06:49 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP529
    RP: -> 2012-10-30 16:12 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP528
    RP: -> 2012-10-29 15:17 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP527
    RP: -> 2012-10-25 19:13 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP526
    RP: -> 2012-10-24 18:44 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP525
    RP: -> 2012-10-23 18:42 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP524
    RP: -> 2012-10-22 18:19 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP523
    RP: -> 2012-10-21 18:13 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP522
    RP: -> 2012-10-19 12:08 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP521
    RP: -> 2012-10-18 12:03 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP520
    RP: -> 2012-10-17 10:49 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP519
    RP: -> 2012-10-16 07:59 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP518
    RP: -> 2012-10-15 06:23 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP517
    RP: -> 2012-10-10 20:35 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP516
    RP: -> 2012-10-09 19:52 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP515
    RP: -> 2012-10-07 19:38 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP513
    RP: -> 2012-10-05 11:01 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP512
    RP: -> 2012-10-04 23:14 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP511
    RP: -> 2012-10-03 14:53 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP509
    RP: -> 2012-10-02 14:09 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP508
    RP: -> 2012-10-01 12:35 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP507
    RP: -> 2012-09-30 09:12 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP506
    RP: -> 2012-09-29 08:57 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP505
    RP: -> 2012-09-27 18:55 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP503
    RP: -> 2012-09-26 17:16 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP501
    RP: -> 2012-09-24 18:22 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP499
    RP: -> 2012-09-23 16:41 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP498
    RP: -> 2012-09-21 11:02 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP497
    RP: -> 2012-09-20 22:52 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP496
    RP: -> 2012-09-19 22:48 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP495
    RP: -> 2012-09-18 21:43 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP494
    RP: -> 2012-09-17 20:40 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP493
    RP: -> 2012-09-16 20:33 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP492
    RP: -> 2012-09-15 19:22 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP491
    RP: -> 2012-09-14 19:10 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP490
    RP: -> 2012-09-13 18:36 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP489
    RP: -> 2012-09-12 17:23 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP488
    RP: -> 2012-09-11 16:29 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP487
    RP: -> 2012-09-10 15:57 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP486
    RP: -> 2012-09-09 15:15 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP485
    RP: -> 2012-09-06 16:53 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP484
    RP: -> 2012-09-05 15:45 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP483
    RP: -> 2012-09-04 15:05 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP482
    RP: -> 2012-09-03 13:22 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP481
    RP: -> 2012-09-02 12:22 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP480
    RP: -> 2012-09-01 11:22 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP479
    RP: -> 2012-08-31 10:52 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP478
    RP: -> 2012-08-30 06:15 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP477
    RP: -> 2012-08-28 17:36 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP476
    RP: -> 2012-08-27 17:00 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP475
    RP: -> 2012-08-26 16:26 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP474
    RP: -> 2012-08-23 21:48 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP473
    RP: -> 2012-08-22 21:13 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP472
    RP: -> 2012-08-21 21:09 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP471
    RP: -> 2012-08-20 20:58 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP470
    RP: -> 2012-08-19 20:26 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP469
    RP: -> 2012-08-18 18:25 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP468
    RP: -> 2012-08-17 17:25 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP467
    RP: -> 2012-08-16 17:12 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP466
    RP: -> 2012-08-15 16:19 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP465
    RP: -> 2012-08-14 15:53 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP464
    RP: -> 2012-08-13 15:18 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP463
    RP: -> 2012-08-12 15:18 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP462
    RP: -> 2012-08-09 16:27 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP461
    RP: -> 2012-08-08 16:13 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP460
    RP: -> 2012-08-07 15:25 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP459
    RP: -> 2012-08-06 15:02 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP458
    RP: -> 2012-08-05 14:56 - 032768 _restore{01ED8483-F5BF-4A03-910A-F8B9F6E9C566}\RP457

    ==================== Memory info ===========================
    Percentage of memory in use: 14%
    Total physical RAM: 1884.1 MB
    Available physical RAM: 1612.95 MB
    Total Pagefile: 1715.73 MB
    Available Pagefile: 1653.42 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 2003.18 MB
    ==================== Partitions =============================
    1 Drive b: (RAMDisk) (Fixed) (Total:0.06 GB) (Free:0.06 GB) NTFS
    2 Drive c: () (Fixed) (Total:232.88 GB) (Free:200.12 GB) NTFS ==>[Drive with boot components (Windows XP)]
    3 Drive d: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
    4 Drive e: () (Removable) (Total:1.91 GB) (Free:1.52 GB) FAT
    5 Drive x: (ReatogoPE) (CDROM) (Total:0.43 GB) (Free:0 GB) CDFS
    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 233 GB 0 B
    Partitions of Disk 0:
    ===============
    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 233 GB 1024 KB
    =========================================================
    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: Yes
    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 C NTFS Partition 233 GB Healthy
    =========================================================
    ==================== End Of Log ============================
  23. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    FRST Fixlist

    Please run the following:

    Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flash drive as fixlist.txt.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.


    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

    Now restart, let it boot normally and tell me how it went.
  24. freshtag

    freshtag Newcomer, in training Topic Starter Posts: 36

    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 07-11-2012
    Ran by SYSTEM at 2012-11-23 10:17:43 Run:3
    Running from E:\
    ==============================================
    Could not restore SAM hive from Restore Point.
    Could not restore SECURITY hive from Restore Point.
    Could not restore Software hive from Restore Point.
    Could not restore System hive from Restore Point.
    Could not restore Default hive from Restore Point.
    ==== End of Fixlog ====


    The computer still will not boot. I still get the lsass.exe error, and when you click OK it just reboots.
  25. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49
