Solved: IRP Hook?


Schle2
Member with 64 posts.
THREAD STARTER
 
Join Date: Aug 2004
Location: Allentown, PA USA
Experience: show me and I can do it
02-Oct-2012, 02:26 PM #1
IRP Hook?
Hello,

Yesterday, while browsing online, Prevx 3.0 warned of a potential threat. I closed the browser and everything seemed fine. Prevx, however, kept wanting to scan my computer. Normally Prevx takes a minute or 2 to run a scan, but this time, after almost 10 minutes, it was still scanning with no progress on the progress bar. I clicked cancel and Prevx said it was aborting the scan, but that kept hanging too. I ended up having to manually shut down the computer. Upon reboot, the PC started properly but I could not really do anything as the computer kept freezing. In safe mode I was able to run AVG Free, with no threats found. After several reboots (both normal and safe mode) I was able to run Spybot in normal mode; again the results were clean. However, upon every reboot, Prevx was showing it was still scanning, and every time it was hanging and continued to hang upon cancelling the scan. The PC would start up fine in normal mode and I could access folders, but I could not open any Word or Excel docs in the folders. I could not open a browser or Outlook. Finally, earlier today, after several more reboots, for a reason unbeknownst to me, the computer started up just fine, Outlook opened, I could access all files, and I could get online. I checked Prevx again and it said the last scan was run 10 minutes ago, took the normal 2 minutes or so, and was clean. Since then everything has been working just fine.

I did run an AVG Free scan then and had 1 warning for IRP Hook,\driver\atapi driverStartIO->0x85c5be2. I have seen false positives for rootkits before with AVG, so I don't know if my computer is OK now or not. I have not, and will not, reboot or shut down until I know, just to be safe.

Note I use AVG Free. The Prevx 3.0 was installed years ago and I no longer have a paid subscription for it. The only reason it remains on my machine is that I cannot uninstall it. There is no uninstall feature and even Revo could not do it.

Could Prevx have just messed up and I am OK? Or do I really have a rootkit problem?

I am running Windows XP SP3 on a DELL Dimension E521.

All required logs are below and attached.

Please let me know what I should do, if anything. Please let me know if you need more info.

Your help is greatly appreciated.

Thanks,
Schle2

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:33:57 PM, on 10/2/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\bubtydvw\bubtydvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\AVG\AVG2012\avgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Kirk Nagle\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=5061227
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AVG Do Not Track - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SafeOnline BHO - {69D72956-317C-44bd-B369-8E44D4EF9801} - C:\WINDOWS\system32\PxSecure.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe -update activex
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://commercebank.webex.com/clien...ex/ieatgpc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\ocmapihk.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\bubtydvw\bubtydvw.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - file:///C:/Documents%20and%20Settings/Kirk%20Nagle/My%20Documents/My%20Music%20%26%20Pictures/My%20Pictures/simpsn4.gif
O24 - Desktop Component 1: (no name) - file:///C:/Documents%20and%20Settings/Kirk%20Nagle/My%20Documents/My%20Music%20%26%20Pictures/My%20Pictures/mvr.jpg

--
End of file - 9563 bytes

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Kirk Nagle at 14:35:24 on 2012-10-02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.490 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
svchost.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\bubtydvw\bubtydvw.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\AVG\AVG2012\avgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\REGSVR32.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil11e_ActiveX.exe -update activex
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [<NO NAME>]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\audibl~1.lnk - c:\program files\audible\bin\AudibleDownloadHelper.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\system32\PGPlsp.dll
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://commercebank.webex.com/client/T27LC/webex/ieatgpc.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{AD56B1C2-4136-48DC-AA2F-F579D1FBD202} : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: c:\windows\system32\ocmapihk.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 31952]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-12-8 32008]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 237408]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 301920]
R1 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-12-8 76696]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 CSIScanner;CSIScanner;c:\program files\bubtydvw\bubtydvw.exe [2010-12-15 6416120]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2012-7-5 374184]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2012-6-8 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-7-20 47640]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-24 24652]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-12-8 26096]
S?2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-8-13 5167736]
S3 MusCAudio;MusCAudio;c:\windows\system32\drivers\MusCAudio.sys [2008-10-29 23096]
S3 MusCVideo;MusCVideo;c:\windows\system32\drivers\MusCVideo.sys [2008-10-29 3768]
S3 TucbAudio;TucbAudio;c:\windows\system32\drivers\TucbAudio.sys [2008-10-29 23096]
S3 TucbVideo;TucbVideo;c:\windows\system32\drivers\TucbVideo.sys [2008-10-29 3768]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2012-09-10 12:57:38 -------- d-sh--w- c:\documents and settings\kirk nagle\IECompatCache
2012-09-07 12:57:53 -------- d-sh--w- c:\documents and settings\kirk nagle\PrivacIE
2012-09-07 12:54:05 -------- d-sh--w- c:\documents and settings\kirk nagle\IETldCache
2012-09-07 12:44:53 -------- d-----w- c:\windows\ie8updates
2012-09-07 12:40:05 -------- dc-h--w- c:\windows\ie8
2012-09-07 12:35:32 521728 ------w- c:\windows\system32\dllcache\jsdbgui.dll
2012-09-07 12:34:07 6144 ------w- c:\windows\system32\dllcache\iecompat.dll
2012-09-07 12:34:01 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2012-09-07 12:33:57 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2012-09-07 12:33:56 247808 ------w- c:\windows\system32\dllcache\ieproxy.dll
.
==================== Find3M ====================
.
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ------w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ------w- c:\windows\system32\html.iec
2012-08-24 19:43:18 301920 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-07-26 07:21:30 237408 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-05 22:10:02 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-07-05 22:09:54 52128 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2012-07-05 22:09:46 30624 ----a-w- c:\windows\system32\LMIport.dll
2012-07-05 22:09:44 87456 ----a-w- c:\windows\system32\LMIinit.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x85C5B2E2
user != kernel MBR !!!
.
============= FINISH: 14:46:53.78 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-02 15:04:26
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 rev.
Running: bt3vjj6z.exe; Driver: C:\DOCUME~1\KIRKNA~1\LOCALS~1\Temp\kxtdapog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAllocateVirtualMemory [0xF1102F60]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAssignProcessToJobObject [0xF1102AF0]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwCreateThread [0xF1102B40]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDebugActiveProcess [0xF1102F10]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteKey [0xF1102810]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteValueKey [0xF11028D0]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDuplicateObject [0xF1103180]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0xB98A5004]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0xB98A50D4]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB98A4D76]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenSection [0xF1102CD0]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenThread [0xF1103320]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwProtectVirtualMemory [0xF1102BE0]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetContextThread [0xF1102AA0]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetValueKey [0xF11029B0]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSystemDebugControl [0xF1102E80]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB98A4E1E]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB98A4EBA]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB98A4F56]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6D65360, 0x2456AE, 0xE8000020]
? C:\DOCUME~1\KIRKNA~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[304] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 039D7B40 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\WINDOWS\Explorer.EXE[304] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 039D7090 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\WINDOWS\Explorer.EXE[304] USER32.dll!SetWindowTextW 7E42960E 5 Bytes JMP 039D7800 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02C97940 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] ntdll.dll!NtCreateSection 7C90D17E 5 Bytes JMP 02C97A60 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 02C978D0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] ntdll.dll!NtOpenSection 7C90D62E 5 Bytes JMP 02C97B00 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 02C97B40 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] kernel32.dll!CreateThread 7C8106D7 5 Bytes JMP 02C97090 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] kernel32.dll!OutputDebugStringA 7C85AD4C 5 Bytes JMP 02C97D60 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] ADVAPI32.dll!CredEnumerateW 77E18099 7 Bytes JMP 02C96FB0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!PostMessageW 7E418CCB 5 Bytes JMP 02C96ED0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!PostThreadMessageW 7E4277B8 5 Bytes JMP 02C92740 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!PostThreadMessageA 7E4277C5 5 Bytes JMP 02C92720 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AB5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SendMessageW 7E42929A 5 Bytes JMP 02C96AA0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SetWindowTextW 7E42960E 5 Bytes JMP 02C97800 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!PostMessageA 7E42AAFD 5 Bytes JMP 02C96E90 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SendMessageTimeoutW 7E42CDAA 5 Bytes JMP 02C96D20 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SendNotifyMessageW 7E42D64F 5 Bytes JMP 02C96C90 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SendMessageCallbackW 7E42D6DB 5 Bytes JMP 02C96DC0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SendMessageA 7E42F3C2 5 Bytes JMP 02C969D0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SendMessageTimeoutA 7E42FB6B 5 Bytes JMP 02C96CD0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E725F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E7191 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E71FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E7062 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E70C4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SendNotifyMessageA 7E453948 5 Bytes JMP 02C96C50 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E72C2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E7126 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!SendMessageCallbackA 7E46B129 5 Bytes JMP 02C96D70 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E75C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] WS2_32.dll!sendto 71AB2F51 5 Bytes JMP 02C92890 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] WS2_32.dll!WSASocketW 71AB404E 7 Bytes JMP 02C92950 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 02C928D0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 02C92910 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] WS2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 02C92850 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] WININET.dll!HttpSendRequestW 3D94FACE 5 Bytes JMP 02C927C0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] WININET.dll!HttpSendRequestA 3D95EEA1 5 Bytes JMP 02C92760 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] WININET.dll!InternetWriteFile 3D9A6116 5 Bytes JMP 02C92790 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] WININET.dll!HttpSendRequestExA 3D9BA6DA 5 Bytes JMP 02C92820 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] WININET.dll!HttpSendRequestExW 3D9BA733 5 Bytes JMP 02C927F0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] CRYPT32.dll!CryptUnprotectData 77A8BAF0 7 Bytes JMP 02C96F30 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E725F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E7191 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E71FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E7062 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E70C4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E72C2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1404] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E7126 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1408] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 001A3D1B
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\WINDOWS\System32\svchost.exe[1408] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 001A4608
.text C:\WINDOWS\System32\svchost.exe[1408] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 001A4669
.text C:\WINDOWS\System32\svchost.exe[1408] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 001A46D9
.text C:\WINDOWS\System32\svchost.exe[1408] USER32.dll!IsWindowVisible 7E429E3D 5 Bytes JMP 001A470C
.text C:\WINDOWS\System32\svchost.exe[1408] USER32.dll!MessageBoxIndirectW 7E4664D5 6 Bytes [33, C0, 40, C2, 04, 00] {XOR EAX, EAX; INC EAX; RET 0x4}
.text C:\WINDOWS\System32\svchost.exe[1408] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 001A4872
.text C:\WINDOWS\System32\svchost.exe[1408] ole32.dll!CoGetClassObject 77515205 5 Bytes JMP 001A4848
.text C:\WINDOWS\System32\svchost.exe[1408] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 001A456A
.text C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE[2512] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 30F52DF0 C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll (Microsoft Office 2003 component/Microsoft Corporation)
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5276] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 30F52DF0 C:\Program Files\Common Files\Microsoft Shared\office11\mso.dll (Microsoft Office 2003 component/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Udfs \UdfsCdRom DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Udfs \UdfsDisk DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp pxrts.sys (Prevx Realtime Security/Prevx)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 85C5B2E2
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 85C5B2E2
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 85C5B2E2
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 85C5B2E2
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 85C5B2E2
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 85C5B2E2

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp pxrts.sys (Prevx Realtime Security/Prevx)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp pxrts.sys (Prevx Realtime Security/Prevx)

Device \FileSystem\Fastfat \Fat B5DCED20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{46816BA2-05F1-8E48-086B-7A57E06F816B}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{46816BA2-05F1-8E48-086B-7A57E06F816B}@ianodokknbnmaciigh 0x6A 0x61 0x61 0x6B ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{46816BA2-05F1-8E48-086B-7A57E06F816B}@haholedfjcbhgmik 0x6B 0x61 0x65 0x6B ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C497D99D-B213-16F8-5A3D-09131ED050E8}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C497D99D-B213-16F8-5A3D-09131ED050E8}@iaolcoakhjemlgikap 0x6A 0x61 0x6C 0x67 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C497D99D-B213-16F8-5A3D-09131ED050E8}@haemaogmokhamhib 0x6B 0x61 0x68 0x68 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C497D99D-B213-16F8-5A3D-09131ED050E8}@haknklpgnigjdcah 0x61 0x61 0x00 0x7E
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C497D99D-B213-16F8-5A3D-09131ED050E8}@haknklpgiipelkhg 0x61 0x61 0x00 0x7E

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
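A triage pass over the GMER output above, as an added example that is not part of the original post or of GMER itself. It parses the hook, device and disk-sector line shapes and separates what GMER could attribute to a named module (IEFRAME.dll, PxSecure.dll, the AVG and Prevx filter drivers) from what it could not: the JMPs out of svchost.exe[1408] to 001Axxxx addresses with no module behind them, the inline XOR EAX,EAX; RET stubs written over SetUnhandledExceptionFilter and MessageBoxIndirectW, the atapi DriverStartIo pointer at 85C5B2E2 with no driver image named, and the "rootkit-like behavior" flag on sector 0. The regexes, the Finding class and the summary layout are this example's own; the sample lines are a constructed subset of the log above; and "no module named" is used as the suspect signal because GMER prints the owning module path whenever it can resolve a hook target into a loaded image.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the GMER log in this thread, one line per
# shape the parser understands.
SAMPLE_LOG = r"""
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 02C928D0 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\Internet Explorer\iexplore.exe[1196] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1408] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 001A3D1B
.text C:\WINDOWS\System32\svchost.exe[1408] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text C:\WINDOWS\System32\svchost.exe[1408] WS2_32.dll!GetAddrInfoW 71AB2899 5 Bytes JMP 001A456A
AttachedDevice \Driver\Tcpip \Device\Tcp pxrts.sys (Prevx Realtime Security/Prevx)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 85C5B2E2
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
"""

# ".text <process>[pid] <dll>!<api> <addr> <n> Bytes <rest>"; rest is either a
# JMP with optional module attribution or an inline byte patch.
USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?\[\d+\])\s+(?P<api>\S+!\S+)\s+(?P<addr>[0-9A-F]{8})\s+"
    r"(?P<size>\d+)\s+Bytes\s+(?P<rest>.+)$")
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<module>.+?)\s+\((?P<desc>[^)]*)\))?$")
PATCH_RE = re.compile(r"^\[(?P<bytes>[^\]]+)\](?:\s+\{(?P<asm>[^}]*)\})?$")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)$")
DRIVER_RE = re.compile(r"^Device\s+(?P<driver>\\\S+)\s+->\s+(?P<routine>\w+)\s+(?P<device>\\\S+)\s+(?P<addr>[0-9A-F]{8})$")
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+sector\s+(?P<sector>\d+):\s+(?P<msg>.+)$")


@dataclass
class Finding:
    kind: str              # user_hook | inline_patch | filter_driver | driver_routine | disk
    where: str             # process with PID, driver object, or disk device
    detail: str            # what was hooked/patched and where it now points
    vendor: Optional[str]  # vendor GMER printed for the target module, if any
    suspect: bool
    reason: str


def vendor_of(desc: str) -> str:
    """GMER prints '(Description/Vendor)' after a module path; keep the vendor part."""
    return desc.rsplit("/", 1)[-1].strip()


def classify_line(line: str) -> Optional[Finding]:
    """Turn one GMER line into a Finding, or None for lines this parser ignores."""
    line = line.strip()
    m = USER_HOOK_RE.match(line)
    if m:
        proc, api, rest = m["process"], m["api"], m["rest"]
        j = JMP_RE.match(rest)
        if j and j["module"]:
            return Finding("user_hook", proc, f"{api} -> {j['module']}", vendor_of(j["desc"]),
                           False, "JMP target resolves into a named module")
        if j:
            return Finding("user_hook", proc, f"{api} -> {j['target']}", None,
                           True, "JMP target is not backed by any loaded module")
        p = PATCH_RE.match(rest)
        if p:
            return Finding("inline_patch", proc, f"{api} := {p['asm'] or p['bytes']}", None,
                           True, "function entry overwritten with an inline stub")
        return None
    m = ATTACHED_RE.match(line)
    if m:
        return Finding("filter_driver", m["driver"], f"{m['device']} <- {m['module']}",
                       vendor_of(m["desc"]), False, "filter attached by a named driver")
    m = DRIVER_RE.match(line)
    if m:
        return Finding("driver_routine", m["driver"], f"{m['routine']} = {m['addr']} ({m['device']})",
                       None, True, f"{m['routine']} points to an address not attributed to any driver image")
    m = DISK_RE.match(line)
    if m:
        return Finding("disk", m["device"], f"sector {m['sector']}: {m['msg']}", None,
                       True, "GMER flagged a raw disk sector")
    return None


def triage(log_text: str) -> List[Finding]:
    """Classify every recognised line of a GMER log, in log order."""
    return [f for f in (classify_line(l) for l in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Counts plus the processes carrying unattributed hooks and the vendors behind the attributed ones."""
    return {
        "total": len(findings),
        "suspect": sum(f.suspect for f in findings),
        "suspect_processes": sorted({f.where for f in findings
                                     if f.suspect and f.kind in ("user_hook", "inline_patch")}),
        "attributed_vendors": sorted({f.vendor for f in findings if f.vendor}),
    }


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{'SUSPECT' if f.suspect else 'ok     '} {f.kind:14} {f.where}  {f.detail}  ({f.reason})")
    print(summarize(found))
```

Read the split as a heuristic, not a verdict: a hook whose target lands in a security product's library is normal for that product, while a JMP into memory that belongs to no module, an inline stub that makes a crash-dialog API silently return, a storage driver's DriverStartIo pointing outside any driver image and a flagged sector 0 are each individually suspicious and, together, form the well-known footprint of an MBR bootkit (the TDL family hooks atapi's StartIo in exactly this way to filter reads of its own sectors). That combination is why the log here reads as an active infection rather than the antivirus false positive the poster wondered about.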
Schle2 (THREAD STARTER), 04-Oct-2012, 08:18 AM #2
bump
dvk01 (Derek), Moderator & Malware Removal Specialist, Loughton, Essex, UK, 04-Oct-2012, 08:45 AM #3
You definitely have a problem & malware is running according to the logs.

Delete any existing version of ComboFix you have sitting on your desktop.
Please read and follow all these instructions very carefully
Do not edit or remove any information or user names etc, otherwise we cannot fix the problem. If you insist on editing out anything then I will close the topic & refuse to offer any help.

Download ComboFix from Here to your Desktop.
As you download it, rename it to username123.exe


**Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer**
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus and anti-malware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results" or stop combofix running at all
  • Click on THIS LINK to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re enable the protection again after combofix has finished
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running
Double click on renamed combofix.exe & follow the prompts.
If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. Read HERE why we disable autoruns

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

Please tell us if it has cured the problems or if there are any outstanding issues

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboot is due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running ComboFix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted)

Post the log in next reply please...


Strong Warning:

I have frequently found that ComboFix & other tools will not work when Prevx is installed and active.
If you cannot uninstall Prevx then we might be forced to consider format & reinstall of operating system.

Use the appropriate Prevx uninstall tool from here http://info.prevx.com/removaltool.asp
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | How to protect yourself and other Security Advice
Schle2 (THREAD STARTER), 04-Oct-2012, 09:15 AM #4
Thanks Derek. I will get rid of Prevx and follow your instructions. I will post back when this is completed.
Mark
Schle2 (THREAD STARTER), 04-Oct-2012, 10:06 AM #5
Hi Derek,

I was able to uninstall Prevx. I closed all browsers and programs and disabled AVG. I literally renamed the combofix.exe to username123.exe (I hope I was not supposed to put in the 'real user name' 123). When I ran the executable it started to run fine. It did say it would take about 10 minutes but could easily double for badly infected computers. After about 8-9 minutes I was up to Completed Stage 48. Another 15 minutes has gone by but no additional progress has been made. There is a blinking 'cursor' underneath the last entry of Completed Stage 48. Should I close and try again? Or something else?

Thanks,
Mark
Schle2 (THREAD STARTER), 04-Oct-2012, 10:38 AM #6
Hi Derek,

After about an hour, ComboFix never got past stage 48. I closed. I did nothing else. I don't know if I can simply try running ComboFix again or if something else must be done first.

Please advise.

Thanks,
Mark
dvk01 (Derek), 04-Oct-2012, 11:08 AM #7
Just leave ComboFix running when that cursor is blinking.
In some infections, it can take over 2 or even 3 hours to do a full run & clean up.

Now just reboot & run ComboFix again & do not interfere with it, just walk away & have a cup of coffee or whatever & check occasionally on it, BUT don't worry if it is still scanning in 3 hours or so with this infection. Make sure AVG is disabled properly as well or that will block some stages of ComboFix. It is often better to uninstall AVG when dealing with difficult infections.
Schle2 (THREAD STARTER), 04-Oct-2012, 11:21 AM #8
got it Derek.

Originally I disabled AVG for 15 minutes only (Bleeping Computer advice). Maybe the problem was that AVG turned back on and messed up the ComboFix.

I am not sure whether I can try again now or if I might have to wait until later today. Either way I will post the log once I have that.

Thanks again.
Mark
Schle2 (THREAD STARTER), 05-Oct-2012, 10:21 AM #9
Hi Derek.

I rebooted and tried running ComboFix again and just let it go. After about 30 minutes it was still at completed stage 48. I left the computer alone. This morning (about 17 hours later) I checked and it made no further progress; still was sitting at completed stage 48.

Can I run ComboFix in safe mode? Every time I reboot now I get different results. Every time it boots up normally but sometimes I have the recover active desktop screen, sometimes not. Either way I can open folders such as My Documents or My Computer. However I cannot access any files anywhere. I cannot get online either. In Processes in the Task Manager I can see that Explorer, Excel, Word, etc. (whatever I tried to use) is listed as active processes. Ending those processes and trying again does nothing. The computer will recognize that a flash drive or something was inserted into a USB port but I cannot access that. I can access an external hard drive while in safe mode. Safe mode boots up just fine. I did back up everything important and even items not so important so I am not too worried about losing anything.

I cannot get AVG 2010 Free to uninstall by the way. I tried add/remove programs, Revo, and the force uninstall program from AVG. I don't know if AVG is what is keeping ComboFix from completing its scan or if my computer is just that bad.

What do you suggest? ComboFix in safe mode, some other program, wiping out the hard drive and reinstalling everything, or maybe just buying a new hard drive and loading everything on that?

Please let me know what you think.

Thanks much.
Mark
Schle2 (THREAD STARTER), 05-Oct-2012, 10:50 AM #10
hi again.

I successfully uninstalled AVG finally with the removal tool. I started up again in normal mode and everything is working again, finally. I can open Word, Outlook, IE, etc. I am sure my problem is not solved yet though.

My instinct is to try running ComboFix again now but I am leaving well enough alone for the time being.

Please let me know your thoughts on what to do next.

Thanks again,
Mark
dvk01 (Derek), 05-Oct-2012, 11:39 AM #11
I would try ComboFix again.
There are definitely malware files & entries in the DDS log that we need to fix.
Schle2 (THREAD STARTER), 09-Oct-2012, 10:12 AM #12
Hi Derek.

I tried running ComboFix again this morning and it again stalled after completed stage 48. I rebooted and tried again with the same result. I believe this is 4 or 5 times now that ComboFix stalled after completed stage 48. I did wait very long to make sure it really stalled and was not just still running.

Should I try this and then try ComboFix again? (can starting 'fresh' help?)

*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click START then RUN
* Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

This will also purge the restore folder and clear any malware that has been put in there. Now Empty Recycle bin on desktop Then reboot.

Or is there something else I should try.

At this point I am not sure what to do any longer.

Please advise.

Thanks,
Mark
dvk01 (Derek), 09-Oct-2012, 01:51 PM #13
uninstall combofix

then

Download OTScanIt.exe to your Desktop
  • Close any open browsers.
  • If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
  • Double-click on OTS.exe to start the program.
  • Now on the toolbar at the top select "Scan all users" then click the Run Scan button
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file
If the log is too large to post, use the Reply button, scroll down to the attachments section and attach the notepad file here.
Schle2 (THREAD STARTER), 16-Oct-2012, 07:43 AM #14
Hi Derek,
I apologize for the delay in getting back to you. I finally had the chance to uninstall ComboFix and run OTS. Here is the log.

Please let me know...

thanks,
Mark

Code:
OTS logfile created on: 10/16/2012 8:29:20 AM - Run 1
OTS by OldTimer - Version 3.1.47.2     Folder = C:\Documents and Settings\Kirk Nagle\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
 
958.00 Mb Total Physical Memory | 620.00 Mb Available Physical Memory | 65.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 90.00% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 145.75 Gb Total Space | 116.86 Gb Free Space | 80.18% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: DRA02
Current User Name: Kirk Nagle
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
 
[Processes - Safe List]
ots.exe -> C:\Documents and Settings\Kirk Nagle\Desktop\OTS.exe -> [2012/10/16 07:53:48 | 000,646,656 | ---- | M] (OldTimer Tools)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
hpzipm12.exe -> C:\WINDOWS\system32\HPZipm12.exe -> [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP)
viewmgr.exe -> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe -> [2007/01/04 17:38:18 | 000,112,336 | ---- | M] (Viewpoint Corporation)
viewpointservice.exe -> C:\Program Files\Viewpoint\Common\ViewpointService.exe -> [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation)
realplay.exe -> C:\Program Files\Real\RealPlayer\realplay.exe -> [2006/12/27 12:45:02 | 000,026,112 | ---- | M] (RealNetworks, Inc.)
stsystra.exe -> C:\WINDOWS\stsystra.exe -> [2006/08/15 04:00:20 | 000,282,624 | ---- | M] (SigmaTel, Inc.)
corel photo downloader.exe -> C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe -> [2006/08/14 15:20:26 | 000,462,336 | ---- | M] (Corel, Inc.)
pgpserv.exe -> C:\WINDOWS\system32\PGPserv.exe -> [2006/04/05 12:28:50 | 000,073,728 | ---- | M] (PGP Corporation)
dmxlauncher.exe -> C:\Program Files\Dell\Media Experience\DMXLauncher.exe -> [2005/10/05 04:12:00 | 000,094,208 | ---- | M] ()
dlactrlw.exe -> C:\WINDOWS\system32\DLA\DLACTRLW.EXE -> [2005/09/08 06:20:00 | 000,122,940 | ---- | M] (Sonic Solutions)
 
[Modules - No Company Name]
nvapi.dll -> C:\WINDOWS\system32\nvapi.dll -> [2006/08/23 13:12:38 | 000,196,608 | ---- | M] ()
xmltok.dll -> C:\Program Files\HP\Digital Imaging\bin\crm\xmltok.dll -> [2005/10/20 11:36:08 | 000,077,824 | R--- | M] ()
xmlparse.dll -> C:\Program Files\HP\Digital Imaging\bin\crm\xmlparse.dll -> [2005/10/20 11:36:08 | 000,065,536 | R--- | M] ()
dmxlauncher.exe -> C:\Program Files\Dell\Media Experience\DMXLauncher.exe -> [2005/10/05 04:12:00 | 000,094,208 | ---- | M] ()
pdfmonnt.dll -> C:\WINDOWS\system32\pdfmonnt.dll -> [2001/10/29 01:42:30 | 000,116,224 | ---- | M] ()
 
[Win32 Services - Safe List]
(LMIMaint) LogMeIn Maintenance Service [Auto | Stopped] ->  -> File not found
(HidServ) Human Interface Device Access [Disabled | Stopped] ->  -> File not found
(Pml Driver HPZ12) Pml Driver HPZ12 [Auto | Running] -> C:\WINDOWS\system32\HPZipm12.exe -> [2007/08/09 03:27:52 | 000,073,728 | ---- | M] (HP)
(Viewpoint Manager Service) Viewpoint Manager Service [Auto | Running] -> C:\Program Files\Viewpoint\Common\ViewpointService.exe -> [2007/01/04 17:38:08 | 000,024,652 | ---- | M] (Viewpoint Corporation)
(PGPserv) PGPserv [Auto | Running] -> C:\WINDOWS\system32\PGPserv.exe -> [2006/04/05 12:28:50 | 000,073,728 | ---- | M] (PGP Corporation)
(SymWSC) SymWMI Service [Auto | Stopped] -> C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe -> [2004/11/02 17:59:50 | 000,316,544 | ---- | M] (Symantec Corporation)
 
[Driver Services - Safe List]
(LMIRfsClientNP) LMIRfsClientNP [File_System | Disabled | Stopped] -> C:\WINDOWS\System32\LMIRfsClientNP.dll -> [2012/07/05 18:10:02 | 000,083,392 | ---- | M] (LogMeIn, Inc.)
(LMIRfsDriver) LogMeIn Remote File System Driver [File_System | Auto | Running] -> C:\WINDOWS\system32\drivers\LMIRfsDriver.sys -> [2012/06/08 12:06:24 | 000,047,640 | ---- | M] (LogMeIn, Inc.)
(pxkbf) pxkbf [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\pxkbf.sys -> [2011/09/20 23:55:48 | 000,026,096 | ---- | M] (Prevx)
(TucbVideo) TucbVideo [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\TucbVideo.sys -> [2008/10/24 11:21:16 | 000,003,768 | ---- | M] (Windows (R) 2000 DDK provider)
(TucbAudio) TucbAudio [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\TucbAudio.sys -> [2008/10/24 11:21:14 | 000,023,096 | ---- | M] (Windows (R) Codename Longhorn DDK provider)
(MusCVideo) MusCVideo [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\MusCVideo.sys -> [2008/10/24 11:16:46 | 000,003,768 | ---- | M] (Windows (R) 2000 DDK provider)
(MusCAudio) MusCAudio [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\MusCAudio.sys -> [2008/10/24 11:16:44 | 000,023,096 | ---- | M] (Windows (R) Codename Longhorn DDK provider)
(ASCTRM) ASCTRM [Kernel | Auto | Running] -> C:\WINDOWS\System32\drivers\asctrm.sys -> [2006/12/27 12:45:04 | 000,008,552 | ---- | M] (Windows (R) 2000 DDK provider)
(STHDA) SigmaTel High Definition Audio CODEC [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\sthda.sys -> [2006/08/15 04:00:18 | 001,171,464 | ---- | M] (SigmaTel, Inc.)
(bcm4sbxp) Broadcom 440x 10/100 Integrated Controller XP Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\bcm4sbxp.sys -> [2006/08/14 07:29:44 | 000,044,544 | ---- | M] (Broadcom Corporation)
(nvatabus) nvatabus [Kernel | Boot | Stopped] -> C:\WINDOWS\system32\drivers\nvatabus.sys -> [2006/08/05 08:00:40 | 000,105,344 | ---- | M] (NVIDIA Corporation)
(AmdK8) AMD Processor Driver [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\AmdK8.sys -> [2006/06/18 22:37:34 | 000,036,864 | ---- | M] (Advanced Micro Devices)
(PGPdisk) PGPdisk [Kernel | Auto | Running] -> C:\WINDOWS\System32\drivers\PGPdisk.sys -> [2006/04/05 12:39:40 | 000,217,600 | ---- | M] (PGP Corporation)
(PGPwded) PGPwded Storage Filter Service [Kernel | Boot | Running] -> C:\WINDOWS\System32\drivers\PGPwded.sys -> [2006/04/05 12:36:04 | 000,136,192 | ---- | M] (PGP Corporation)
(PGPsdkDriver) PGPsdkDriver [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\PGPsdk.sys -> [2006/04/05 12:35:46 | 000,038,912 | ---- | M] (PGP Corporation)
(DLAUDFAM) DLAUDFAM [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -> [2005/09/08 06:20:00 | 000,094,332 | ---- | M] (Sonic Solutions)
(DLAUDF_M) DLAUDF_M [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -> [2005/09/08 06:20:00 | 000,087,036 | ---- | M] (Sonic Solutions)
(DLAIFS_M) DLAIFS_M [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -> [2005/09/08 06:20:00 | 000,086,524 | ---- | M] (Sonic Solutions)
(DLABOIOM) DLABOIOM [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLABOIOM.SYS -> [2005/09/08 06:20:00 | 000,025,628 | ---- | M] (Sonic Solutions)
(DLAOPIOM) DLAOPIOM [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -> [2005/09/08 06:20:00 | 000,014,684 | ---- | M] (Sonic Solutions)
(DLAPoolM) DLAPoolM [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLAPoolM.SYS -> [2005/09/08 06:20:00 | 000,006,364 | ---- | M] (Sonic Solutions)
(DLADResN) DLADResN [File_System | Auto | Running] -> C:\WINDOWS\system32\DLA\DLADResN.SYS -> [2005/09/08 06:20:00 | 000,002,496 | ---- | M] (Sonic Solutions)
(DLACDBHM) DLACDBHM [File_System | System | Running] -> C:\WINDOWS\system32\drivers\DLACDBHM.SYS -> [2005/08/25 13:16:52 | 000,005,628 | ---- | M] (Sonic Solutions)
(DLARTL_N) DLARTL_N [File_System | System | Running] -> C:\WINDOWS\system32\drivers\DLARTL_N.SYS -> [2005/08/25 13:16:16 | 000,022,684 | ---- | M] (Sonic Solutions)
(Sentinel) Sentinel [Kernel | Auto | Stopped] -> C:\WINDOWS\System32\Drivers\SENTINEL.SYS -> [1999/07/20 06:38:00 | 000,073,216 | ---- | M] ()
(Sntnlusb) Sntnlusb [Kernel | Auto | Stopped] -> C:\WINDOWS\System32\Drivers\SNTNLUSB.SYS -> [1999/07/20 06:38:00 | 000,008,128 | R--- | M] (Rainbow Technologies Inc.)
 
[Registry - Safe List]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Search\\"Default_Page_URL" -> www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061227 -> 
HKEY_LOCAL_MACHINE\: Search\\"Start Page" -> www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061227 -> 
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> -> 
HKEY_USERS\.DEFAULT\: Main\\"Default_Page_URL" -> www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061227 -> 
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> -> 
HKEY_USERS\S-1-5-18\: Main\\"Default_Page_URL" -> www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=5061227 -> 
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 0 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\] > -> -> 
HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\: Main\\"Start Page" -> http://www.msn.com/ -> 
HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\: "ProxyEnable" -> 0 -> 
HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\: "ProxyOverride" -> *.local -> 
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  -> 
HKLM\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF} -> C:\PROGRAM FILES\AVG\AVG2012\FIREFOX\DONOTTRACK\ -> 
< FireFox Extensions [User Folders] > -> 
< HOSTS File > ([2010/12/14 13:01:11 | 000,000,027 | ---- | M] - 1 lines) -> C:\WINDOWS\system32\drivers\etc\hosts -> 
Reset Hosts
127.0.0.1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} [HKLM] ->  [AVG Do Not Track] -> File not found
{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{5CA3D70E-1895-11CF-8E15-001234567890} [HKLM] -> C:\WINDOWS\system32\DLA\DLASHX_W.DLL [DriveLetterAccess] -> [2005/09/08 06:20:00 | 000,110,652 | ---- | M] (Sonic Solutions)
{69D72956-317C-44bd-B369-8E44D4EF9801} [HKLM] -> C:\WINDOWS\system32\PxSecure.dll [SafeOnline BHO] -> [2011/09/20 23:55:50 | 000,071,880 | ---- | M] (Prevx)
{CA6319C0-31B7-401E-A518-A07C3DB8F777} [HKLM] -> C:\Program Files\BAE\BAE.dll [CBrowserHelperObject Object] -> [2006/11/17 05:46:38 | 000,098,304 | ---- | M] (Dell Inc.)
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\ -> 
WebBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\ -> 
WebBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\] > -> HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\Software\Microsoft\Internet Explorer\Toolbar\ -> 
ShellBrowser\\"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{472734EA-242A-422B-ADF8-83D1E48CC825}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
WebBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"" ->  [] -> File not found
"Corel Photo Downloader" -> C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe [C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe] -> [2006/08/14 15:20:26 | 000,462,336 | ---- | M] (Corel, Inc.)
"DLA" -> C:\WINDOWS\system32\DLA\DLACTRLW.EXE [C:\WINDOWS\System32\DLA\DLACTRLW.EXE] -> [2005/09/08 06:20:00 | 000,122,940 | ---- | M] (Sonic Solutions)
"DMXLauncher" -> C:\Program Files\Dell\Media Experience\DMXLauncher.exe [C:\Program Files\Dell\Media Experience\DMXLauncher.exe] -> [2005/10/05 04:12:00 | 000,094,208 | ---- | M] ()
"NeroFilterCheck" -> C:\WINDOWS\system32\NeroCheck.exe [C:\WINDOWS\system32\NeroCheck.exe] -> [2001/07/09 11:50:42 | 000,155,648 | ---- | M] (Ahead Software Gmbh)
"NvCplDaemon" -> C:\WINDOWS\System32\NvCpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> [2006/08/23 13:12:40 | 007,630,848 | ---- | M] (NVIDIA Corporation)
"NvMediaCenter" -> C:\WINDOWS\System32\NvMcTray.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit] -> [2006/08/23 13:12:42 | 000,086,016 | ---- | M] (NVIDIA Corporation)
"nwiz" -> C:\WINDOWS\System32\nwiz.exe [nwiz.exe /install] -> [2006/08/23 13:12:46 | 001,617,920 | ---- | M] ()
"RealTray" -> C:\Program Files\Real\RealPlayer\RealPlay.exe [C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER] -> [2006/12/27 12:45:02 | 000,026,112 | ---- | M] (RealNetworks, Inc.)
"SigmatelSysTrayApp" -> C:\WINDOWS\stsystra.exe [stsystra.exe] -> [2006/08/15 04:00:20 | 000,282,624 | ---- | M] (SigmaTel, Inc.)
< Administrator Startup Folder > -> C:\Documents and Settings\Administrator\Start Menu\Programs\Startup -> 
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
< Default User Startup Folder > -> C:\Documents and Settings\Default User\Start Menu\Programs\Startup -> 
< Kirk Nagle Startup Folder > -> C:\Documents and Settings\Kirk Nagle\Start Menu\Programs\Startup -> 
< LogMeInRemoteUser Startup Folder > -> C:\Documents and Settings\LogMeInRemoteUser\Start Menu\Programs\Startup -> 
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< Software Policy Settings [HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006] > -> HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" ->  [1] -> File not found
\\"NoCDBurning" ->  [0] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDrives" ->  [0] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL
\Advanced\Folder\Hidden\SHOWALL\\"CheckedValue" ->  [1] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [145] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006] > -> HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDrives" ->  [0] -> File not found
HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Advanced\Folder\Hidden\SHOWALL
\Advanced\Folder\Hidden\SHOWALL\\"CheckedValue" ->  [1] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006] > -> HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{68BCFFE1-A2DA-4B40-9068-87ECBFC19D16}:{68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} [HKLM] ->  [Button: AVG Do Not Track] -> File not found
{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}:Exec [HKLM] -> C:\Program Files\AIM\aim.exe [Button: AIM] -> [2005/08/05 16:08:26 | 000,067,160 | ---- | M] (America Online, Inc.)
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] ->  [Reg Error: Value error.] -> File not found
CmdMapping\\"{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}" [HKLM] -> C:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 16:08:26 | 000,067,160 | ---- | M] (America Online, Inc.)
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] ->  [Reg Error: Value error.] -> File not found
CmdMapping\\"{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}" [HKLM] -> C:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 16:08:26 | 000,067,160 | ---- | M] (America Online, Inc.)
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\] > -> HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] ->  [Reg Error: Value error.] -> File not found
CmdMapping\\"{38E51477-DDB4-4aed-9D61-D0C193E10749}" [HKLM] ->  [Reg Error: Key error.] -> File not found
CmdMapping\\"{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}" [HKLM] -> C:\Program Files\AIM\aim.exe [AIM] -> [2005/08/05 16:08:26 | 000,067,160 | ---- | M] (America Online, Inc.)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\] > -> HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\] > -> HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{01A88BB1-1174-41EC-ACCB-963509EAE56B} [HKLM] -> http://support.dell.com/systemprofiler/SysPro.CAB [SysProWmi Class] -> 
{02BCC737-B171-4746-94C9-0D8A0B2C0089} [HKLM] -> http://office.microsoft.com/sites/production/ieawsdc32.cab [Microsoft Office Template and Media Control] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab [Java Plug-in 1.6.0_26] -> 
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} [HKLM] -> http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab [Reg Error: Key error.] -> 
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab [Reg Error: Key error.] -> 
{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab [Java Plug-in 1.6.0_26] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab [Java Plug-in 1.6.0_26] -> 
{E06E2E99-0AA1-11D4-ABA6-0060082AA75C} [HKLM] -> https://commercebank.webex.com/client/T27LC/webex/ieatgpc.cab [GpcContainer Class] -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 
DhcpNameServer -> 192.168.1.1 -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{AD56B1C2-4136-48DC-AA2F-F579D1FBD202}\\DhcpNameServer -> 192.168.1.1   (Broadcom 440x 10/100 Integrated Controller) -> 
< AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs -> 
*AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls -> 
C:\WINDOWS\system32\ocmapihk.dll -> C:\WINDOWS\system32\ocmapihk.dll -> [2006/04/05 12:38:34 | 000,049,152 | ---- | M] (PGP Corporation)
*MultiFile Done* -> -> 
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
C:\WINDOWS\system32\userinit.exe -> C:\WINDOWS\system32\userinit.exe -> [2008/04/13 20:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
LMIinit -> C:\WINDOWS\System32\LMIinit.dll -> [2012/07/05 18:09:44 | 000,087,456 | ---- | M] (LogMeIn, Inc.)
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
"C:\Program Files\America Online 9.0\waol.exe" ->  [C:\Program Files\America Online 9.0\waol.exe:*:Enabled:AOL] -> File not found
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe" ->  [C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL] -> File not found
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ->  [C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL] -> File not found
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
"C:\Documents and Settings\Kirk Nagle\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe" -> C:\Documents and Settings\Kirk Nagle\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe [C:\Documents and Settings\Kirk Nagle\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe:*:Enabled:Octoshape add-in for Adobe Flash Player] -> [2009/08/13 10:11:01 | 000,319,488 | ---- | M] (Octoshape ApS)
"C:\Program Files\AIM\aim.exe" -> C:\Program Files\AIM\aim.exe [C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger] -> [2005/08/05 16:08:26 | 000,067,160 | ---- | M] (America Online, Inc.)
"C:\Program Files\AVG\AVG10\avgmfapx.exe" ->  [C:\Program Files\AVG\AVG10\avgmfapx.exe:*:Enabled:AVG Installer] -> File not found
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" ->  [system32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > ->  -> 
C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2004/08/11 18:15:00 | 000,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 
comfile [open] -> "%1" %* -> 
exefile [open] -> "%1" %* -> 
< Registry Shell Spawning - Select to Repair > -> HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006_Classes\<key>\shell\[command]\command -> 
exefile [open] -> "%1" %* -> 
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
.com [@ = comfile] -> "%1" %* -> 
.exe [@ = exefile] -> "%1" %* -> 
< File Associations - Select to Repair > -> HKEY_USERS\S-1-5-21-3923854485-620774870-3467045905-1006\SOFTWARE\Classes\<extension>\ -> 
.exe [@ = exefile] -> "%1" %* -> 
 
 
[Files/Folders - Created Within 30 Days]
 username123 -> C:\username123 -> [2012/10/16 08:14:25 | 000,000,000 | --SD | C]
 OTS.exe -> C:\Documents and Settings\Kirk Nagle\Desktop\OTS.exe -> [2012/10/16 07:53:45 | 000,646,656 | ---- | C] (OldTimer Tools)
 Recent -> C:\Documents and Settings\Kirk Nagle\Recent -> [2012/10/12 16:13:44 | 000,000,000 | RH-D | C]
 NIRCMD.exe -> C:\WINDOWS\NIRCMD.exe -> [2012/10/04 10:26:26 | 000,060,416 | ---- | C] (NirSoft)
 New Folder -> C:\Documents and Settings\Kirk Nagle\Desktop\New Folder -> [2012/10/02 12:37:44 | 000,000,000 | ---D | C]
 Macromedia -> C:\Documents and Settings\LocalService\Application Data\Macromedia -> [2012/10/02 09:25:33 | 000,000,000 | ---D | C]
 Adobe -> C:\Documents and Settings\LocalService\Application Data\Adobe -> [2012/10/02 09:25:33 | 000,000,000 | ---D | C]
 
[Files/Folders - Modified Within 30 Days]
 Symantec NetDetect.job -> C:\WINDOWS\tasks\Symantec NetDetect.job -> [2012/10/16 08:28:33 | 000,000,422 | ---- | M] ()
 wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2012/10/16 08:28:20 | 000,002,206 | ---- | M] ()
 nvapps.xml -> C:\WINDOWS\System32\nvapps.xml -> [2012/10/16 08:28:08 | 000,081,191 | ---- | M] ()
 bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2012/10/16 08:28:02 | 000,002,048 | --S- | M] ()
 hiberfil.sys -> C:\hiberfil.sys -> [2012/10/16 08:28:00 | 1005,047,808 | -HS- | M] ()
 OTS.exe -> C:\Documents and Settings\Kirk Nagle\Desktop\OTS.exe -> [2012/10/16 07:53:48 | 000,646,656 | ---- | M] (OldTimer Tools)
 Microsoft Office Word 2003 (2).lnk -> C:\Documents and Settings\Kirk Nagle\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Word 2003 (2).lnk -> [2012/10/12 16:13:49 | 000,002,515 | ---- | M] ()
 Microsoft Office Excel 2007.lnk -> C:\Documents and Settings\Kirk Nagle\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Excel 2007.lnk -> [2012/10/11 15:19:57 | 000,002,491 | ---- | M] ()
 9 C:\Documents and Settings\Kirk Nagle\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Kirk Nagle\Local Settings\Temp\*.tmp -> 
 16 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp -> 
 
[Files - No Company Name]
 hiberfil.sys -> C:\hiberfil.sys -> [2012/10/16 08:28:00 | 1005,047,808 | -HS- | C] ()
 dt.dat -> C:\Documents and Settings\Kirk Nagle\Local Settings\Application Data\dt.dat -> [2012/08/10 10:31:06 | 000,027,520 | ---- | C] ()
 iacenc.dll -> C:\WINDOWS\System32\iacenc.dll -> [2012/02/16 10:05:07 | 000,003,072 | ---- | C] ()
 winscp.rnd -> C:\Documents and Settings\Kirk Nagle\Application Data\winscp.rnd -> [2011/12/12 16:38:38 | 000,000,600 | ---- | C] ()
 d3d9caps.dat -> C:\WINDOWS\System32\d3d9caps.dat -> [2011/02/20 20:46:25 | 000,000,664 | ---- | C] ()
 hitmanpro35.sys -> C:\WINDOWS\System32\drivers\hitmanpro35.sys -> [2011/02/10 10:51:15 | 000,016,968 | ---- | C] ()
 housecall.guid.cache -> C:\Documents and Settings\Kirk Nagle\Local Settings\Application Data\housecall.guid.cache -> [2010/12/08 10:45:51 | 000,000,036 | ---- | C] ()
 start -> C:\Documents and Settings\Kirk Nagle\Application Data\start -> [2010/11/29 14:09:49 | 000,000,006 | ---- | C] ()
 DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\Kirk Nagle\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2010/11/24 17:35:53 | 000,004,608 | ---- | C] ()
 
[Alternate Data Streams]
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
@Alternate Data Stream - 121 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
< End of report >
dvk01   (Derek) dvk01 is offline dvk01 is authorized to help remove malware.
Moderator & Malware Removal Specialist with 45,923 posts.
 
Join Date: Dec 2002
Location: Loughton, Essex, UK
16-Oct-2012, 08:01 AM #15
nothing showing wrong there

Run tdss killer from http://support.kaspersky.com/viruses...?qid=208280684

let it cure anything it finds (except SPTD.SYS or anything detected as UnsignedFile.Multi.Generic, which should be ignored) & then reboot

post back with its log

By default, the utility outputs the log into system disk (it is usually the disk with installed operating system, C:\) root folder.
Logs have names like: UtilityName.Version_Date_Time_log.txt.
E.g. C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt